On Tue, Oct 02, 2012 at 12:27:48PM -0500, Bill Schoolfield wrote:
> To be clear, remove the line below???
>
> virtual_server = copy-acct-to-home-server

Yes - read the documentation in proxy.conf that explains what this
line does. You don't want to relay the packet back to yourself.

> Does the "update control { Proxy-To-Realm := 'home_realm' }
> section handle this association for us?

When the packet drops off the bottom of the preacct (and authorize,
if used for auth) section, the Proxy-To-Realm config attribute tells
the server not to process it locally any more, but to proxy it to
the relevant realm configured in proxy.conf.

On Tue, Oct 02, 2012 at 01:58:59PM -0500, Bill Schoolfield wrote:
> I removed this line. Started up the server and I can see that the
> packets are being sent to the other server. However. I get...
>
> > Detail listener /var/log/radius/radacct/relay-detail state running
> > signalled 0 waiting 1.094676 sec
> > Waking up in 0.9 seconds.
> > rad_recv: Accounting-Request packet from host 192.168.111.55 port 1814,
> > id=54, length=278
> > Received Accounting-Request packet from client 192.168.111.55 with invalid
> > signature! (Shared secret is incorrect.) Dropping packet without response.
> > Going to the next request
>
> so the shared secret is wrong. But I have checked the secret on both

That's the shared secret between your NAS and this radius server,
not the secret between this server and the remote log destination
server. Check the shared secret on the NAS and in your clients.conf.

Relayed packets will have debug output like

  Detail listener /var/log/radius/radacct/relay-detail state replied signalled 0 waiting 0.000000 sec
  detail_recv: Read packet from /var/log/radius/radacct/relay-detail.work

and not something indicating it came in over the network, like

  rad_recv: Accounting-Request packet from host ... port ...

> sides and it is the same. What else could it be? I'm a little
> unclear on the remote server's client entry for this relay. Should
> it be the ip of the freeradius server or should it match the ip of
> the originating NAS? I have set up both to no avail.

The client for the remote server is this proxy server, so the client
entry on that server should be the (outgoing, if it has more than
one) IP address of this server (the client entry secret on the
remote server should match the secret on this proxying server's
proxy.conf file).

e.g.

  NAS - secret = A

  this server -
    clients.conf (NAS IP) secret = A
    proxy.conf (remote server) secret = B

  remote server -
    clients.conf (this server IP) secret = B

Cheers,

Matthew

-- 
Matthew Newton, Ph.D. <m...@le.ac.uk>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ith...@le.ac.uk>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html