Re: unknown proxy ? part 2

2003-12-10 Thread Alan DeKok
Alex Radetsky <[EMAIL PROTECTED]> wrote:
>  So, if radiusd gets a packet from the remote server with the configured
>  source IP and port, it marks the realm as active.
> 
>  But in my case, radiusd got a packet from the configured source IP, but
>  another port.
> 
>  What does it mean?

  It means that the server you're proxying the request to is broken.

>  PS. I can rewrite this code to create a workaround. But I do not know,
>  maybe it will not be correct.

  It will be wrong.  You should contact the people running the other
server, and tell them to fix it.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: unknown proxy ?

2003-12-10 Thread Alan DeKok
Alex Radetsky <[EMAIL PROTECTED]> wrote:
>  I'm using freeradius-0.7.1. I'm trying to configure this freeradius 
> as proxy server to remote. 

  Upgrade to 0.9.3.  Please.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: unknown proxy ?

2003-12-10 Thread Guy Fraser
I have noticed you have configured naslist, clients and clients.conf.

The clients.conf file is all you need, and you should probably move or remove
the clients and naslist files since they are deprecated and may conflict.
I have not looked into the source to find out what happens when you have
both sets of files, but you should notice the informational messages warning
you about these files in your log file.

Also, what's up with the ports?

It looks like you have two different radius servers running; maybe your
problem is that you are looking at the wrong config files.
Alex Radetsky wrote:

On Wed, Dec 10, 2003 at 03:11:42PM +0100, Thomas MARCHESSEAU wrote:

Hi Alex,

did u check clients.conf ?


[EMAIL PROTECTED] bin]# grep "195.123.5.10" /usr/local/radius-proxy/etc/raddb/*
clients: 195.123.5.10 123
clients.conf: client 195.123.5.10 {
proxy.conf: authhost = 195.123.5.10:1812
proxy.conf: accthost = 195.123.5.10:1645
Yes, I do.

Ok, I'll search this message in sources and will find what I got to do.
Thanks! ;)
--
Guy Fraser
Network Administrator


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


unknown proxy ? part 2

2003-12-10 Thread Alex Radetsky
Hello! 

 I found this in files.c :

--
    REALM *cl;

    /*
     *  Note that we do NOT check for inactive realms!
     *
     *  If we get a packet from an end server, then we mark it
     *  as active, and return the realm.
     */
    for (cl = realms; cl != NULL; cl = cl->next)
        if ((ipaddr == cl->ipaddr) && (port == cl->auth_port)) {
            cl->active = TRUE;
            return cl;
        } else if ((ipaddr == cl->acct_ipaddr) && (port == cl->acct_port)) {
            cl->acct_active = TRUE;
            return cl;
        }

    return NULL;
--

 So, if radiusd gets a packet from the remote server with the configured
 source IP and port, it marks the realm as active.

 But in my case, radiusd got a packet from the configured source IP, but
 another port.

 What does it mean? Does some proxy exist between my radius and the remote one?
 Is it correct?

 PS. I can rewrite this code to create a workaround. But I do not know,
 maybe it will not be correct.

-- 
Alex Radetsky   
AR2657-RIPE
RAD-UANIC


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
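What the quoted files.c loop enforces, followed by the check that comes after it, as an added Python example (not FreeRADIUS code). The realm table, the shared secret and the packets are constructed for the demonstration; the host and ports follow the log in this thread. A reply from the configured host but a different port never reaches the Response Authenticator check, which is the "unknown proxy" message, and a reply from the right (ip, port) is still rejected unless its authenticator was computed with that realm's shared secret over the proxy's own Request Authenticator (RFC 2865, section 3).

```python
"""Proxy-side reply validation: (ip, port) lookup, then Response Authenticator.
Added example, not FreeRADIUS code; realm table, secret and packets are constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3


class Realm:
    """Only the fields the quoted C loop compares, plus the secret used afterwards."""
    def __init__(self, name, auth_ip, auth_port, acct_ip, acct_port, secret):
        self.name = name
        self.ipaddr, self.auth_port = auth_ip, auth_port
        self.acct_ipaddr, self.acct_port = acct_ip, acct_port
        self.secret = secret
        self.active = self.acct_active = False


def find_realm(realms, src_ip, src_port):
    """Same logic as the C loop: match on source IP *and* the configured port.
    A reply from the right host on an unexpected port returns None, which is
    exactly the case behind "Ignoring request from unknown proxy"."""
    for cl in realms:
        if (src_ip, src_port) == (cl.ipaddr, cl.auth_port):
            cl.active = True
            return cl
        if (src_ip, src_port) == (cl.acct_ipaddr, cl.acct_port):
            cl.acct_active = True
            return cl
    return None


def build_packet(code, ident, authenticator, attrs=b""):
    """RADIUS header: code(1) id(1) length(2) authenticator(16), then attributes."""
    return struct.pack("!BBH16s", code, ident, 20 + len(attrs), authenticator) + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def verify_reply(reply, request_auth, secret):
    """True only if the reply's authenticator was computed with our Request
    Authenticator and the secret of the realm the request was sent to."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, reply[20:], request_auth, secret)
    return hmac.compare_digest(expected, reply[4:20])


def check_proxy_reply(realms, src_ip, src_port, reply, request_auth):
    """Identify the sender first (that selects the secret), then verify."""
    realm = find_realm(realms, src_ip, src_port)
    if realm is None:
        return None, "unknown proxy"
    if not verify_reply(reply, request_auth, realm.secret):
        return realm.name, "bad response authenticator"
    return realm.name, "ok"


def demo():
    """Three replies to one proxied request. Host/ports as in the thread's log;
    the secret and the Request Authenticator are made up for the example."""
    realms = [Realm("remote", "195.123.5.10", 1812, "195.123.5.10", 1645, b"s3cret")]
    request_auth = bytes(range(16))  # random per request in a real client
    reject = build_packet(ACCESS_REJECT, 1,
                          response_authenticator(ACCESS_REJECT, 1, b"", request_auth, b"s3cret"))
    good = check_proxy_reply(realms, "195.123.5.10", 1812, reject, request_auth)
    # identical, valid packet, but from source port 1288 as in the log
    wrong_port = check_proxy_reply(realms, "195.123.5.10", 1288, reject, request_auth)
    # right (ip, port) but built with a guessed secret, i.e. not the real home server
    forged = build_packet(ACCESS_REJECT, 1,
                          response_authenticator(ACCESS_REJECT, 1, b"", request_auth, b"guess"))
    spoofed = check_proxy_reply(realms, "195.123.5.10", 1812, forged, request_auth)
    return good, wrong_port, spoofed


if __name__ == "__main__":
    print(demo())
```

The lookup runs before the cryptographic check because the source tuple is what selects the secret to check with; without a match there is nothing to verify against, so a home server that answers from another port is, from the proxy's point of view, indistinguishable from an unrelated host. Loosening the port comparison would make the proxy accept the first packet from that address that happens to verify, which is why the fix belongs on the home server.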


Re: unknown proxy ?

2003-12-10 Thread Alex Radetsky
On Wed, Dec 10, 2003 at 04:18:30PM +0200, Alexey Balabushevich wrote:
> > 
> >  I'm using freeradius-0.7.1. I'm trying to configure this freeradius 
> > as proxy server to remote. 
> > 
> > --
> > rad_recv: Access-Reject packet from host 195.123.5.10:1288, id=1, length=48
> > Ignoring request from unknown proxy 195.123.5.10:1288
> > --
> > 
> > Host 195.123.5.10 was configured in proxy.conf 
> > In naslist too. 
> > 
> > Tell me, please, what I forgot to do? ;) 
> 
> what about clients ?

 clients.conf is configured. Please see my latest message.

> 
> -- 
> Alexey Balabushevich
>   nic-hdl: AB433-RIPE

Wow. Very glad to see you. :) 


-- 
Alex Radetsky   
AR2657-RIPE
RAD-UANIC


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: unknown proxy ?

2003-12-10 Thread Alex Radetsky
On Wed, Dec 10, 2003 at 03:11:42PM +0100, Thomas MARCHESSEAU wrote:
> Hi Alex,
> 
> did u check clients.conf ?
> 
> 

[EMAIL PROTECTED] bin]# grep "195.123.5.10" /usr/local/radius-proxy/etc/raddb/*
 clients:   195.123.5.10  123
 clients.conf:  client 195.123.5.10 {
 proxy.conf:   authhost= 195.123.5.10:1812
 proxy.conf:   accthost= 195.123.5.10:1645

Yes, I do.  

 Ok, I'll search this message in sources and will find what I got to do. 
 Thanks! ;) 


> Thomas .
> 
> 
> Alex Radetsky wrote:
> 
> >Hello, Collegues! 
> >
> >I'm using freeradius-0.7.1. I'm trying to configure this freeradius 
> >as proxy server to remote. 
> >
> >--
> >rad_recv: Access-Reject packet from host 195.123.5.10:1288, id=1, length=48
> >Ignoring request from unknown proxy 195.123.5.10:1288
> >--
> >
> >Host 195.123.5.10 was configured in proxy.conf 
> >In naslist too. 
> >
> >Tell me, please, what I forgot to do? ;) 
> >

-- 
Alex Radetsky   
AR2657-RIPE
RAD-UANIC


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: unknown proxy ?

2003-12-10 Thread Alexey Balabushevich
On Wed, Dec 10, 2003 at 03:56:45PM +0200, Alex Radetsky wrote:
> 
>  Hello, Collegues! 
> 
>  I'm using freeradius-0.7.1. I'm trying to configure this freeradius 
> as proxy server to remote. 
> 
> --
> rad_recv: Access-Reject packet from host 195.123.5.10:1288, id=1, length=48
> Ignoring request from unknown proxy 195.123.5.10:1288
> --
> 
> Host 195.123.5.10 was configured in proxy.conf 
> In naslist too. 
> 
> Tell me, please, what I forgot to do? ;) 

what about clients ?

-- 
Alexey Balabushevich
nic-hdl: AB433-RIPE

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: unknown proxy ?

2003-12-10 Thread Thomas MARCHESSEAU
Hi Alex,

did u check clients.conf ?

Thomas .

Alex Radetsky wrote:

Hello, Collegues! 

I'm using freeradius-0.7.1. I'm trying to configure this freeradius 
as proxy server to remote. 

--
rad_recv: Access-Reject packet from host 195.123.5.10:1288, id=1, length=48
Ignoring request from unknown proxy 195.123.5.10:1288
--
Host 195.123.5.10 was configured in proxy.conf 
In naslist too. 

Tell me, please, what I forgot to do? ;) 

 



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


unknown proxy ?

2003-12-10 Thread Alex Radetsky

 Hello, Collegues! 

 I'm using freeradius-0.7.1. I'm trying to configure this freeradius 
as proxy server to remote. 

--
rad_recv: Access-Reject packet from host 195.123.5.10:1288, id=1, length=48
Ignoring request from unknown proxy 195.123.5.10:1288
--

Host 195.123.5.10 was configured in proxy.conf 
In naslist too. 

Tell me, please, what I forgot to do? ;) 


-- 
Alex Radetsky   
AR2657-RIPE
RAD-UANIC


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: filtering attributes in proxy

2003-12-10 Thread Sergio Molina
Until I get a working solution, I am using attr_rewrite in preacct. The
attribute is always filtered, not only in requests to be proxied. I do not
know if it suits you.

Sergio.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of denz
> Sent: Wednesday, 10 December 2003 7:37
> To: [EMAIL PROTECTED]
> Subject: Re: filtering attributes in proxy
>
>
> > Have you tried with pre-proxy and attr_rewrite? I'm trying but
> attr_rewrite
> > module is not called (/usr/sbin/freeradius -x). I don't know why.
>
> No I haven't.
> use -X instead of -x, it'll show lots of things
> and have you included that in the preproxy section in radiusd.conf?
>
> >
> > Sergio.
>
> > > > > > > but when I start the server I get this message at the
> > > end, and server
> > > > > > > exits.
> > > > > > >
> > > > > > > Module: Instantiated attr_filter (attr_filter)
> > > > > > > radiusd.conf: "attr_filter" modules aren't allowed in
> 'pre-proxy'
> > > > > > > sections -- they have no such method.
> > > > > >
> > > > > > Edit the source code for attr_filter to include
> > > a pre-proxy
> > > > > >section.
> > > > >
> > > > > This is done in the latest CVS for post-proxy.  I've got a patch
> we've
> > > > > used internally for pre-proxy.  I'll commit it today.
> > > >
> > > >Has it been commited to cvs ?  I just downloaded. Couldn't see
> > > the preproxy
> > > >method in rlm_attr_filter. I'd appreciate it very much right now.
> > >
> > > No, I'm still working on cleaning the patch up, as well as adding
> > > accounting
> > > methods for the module.
> > >
> > > I'll post to the list when it is in CVS, which should
> hopefully be later
> > > today.
> > >
> > > -Chris
> > > --
> > > \\\|||///  \  StarNet Inc.  \ Chris Parker
> > > \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
> > > | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
> > >
> oOo---(_)---oOo--\--
> > >\ Wholesale Internet Services -
> http://www.megapop.net
> > >
> > >
> > >
> > > -
> > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html
> > >
> >
> >
> > -
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> >
>
>
> -
> List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: filtering attributes in proxy

2003-12-10 Thread denz
> Have you tried with pre-proxy and attr_rewrite? I'm trying but
attr_rewrite
> module is not called (/usr/sbin/freeradius -x). I don't know why.

No I haven't.
use -X instead of -x, it'll show lots of things
and have you included that in the preproxy section in radiusd.conf?

>
> Sergio.

> > > > > > but when I start the server I get this message at the
> > end, and server
> > > > > > exits.
> > > > > >
> > > > > > Module: Instantiated attr_filter (attr_filter)
> > > > > > radiusd.conf: "attr_filter" modules aren't allowed in
'pre-proxy'
> > > > > > sections -- they have no such method.
> > > > >
> > > > > Edit the source code for attr_filter to include
> > a pre-proxy
> > > > >section.
> > > >
> > > > This is done in the latest CVS for post-proxy.  I've got a patch
we've
> > > > used internally for pre-proxy.  I'll commit it today.
> > >
> > >Has it been commited to cvs ?  I just downloaded. Couldn't see
> > the preproxy
> > >method in rlm_attr_filter. I'd appreciate it very much right now.
> >
> > No, I'm still working on cleaning the patch up, as well as adding
> > accounting
> > methods for the module.
> >
> > I'll post to the list when it is in CVS, which should hopefully be later
> > today.
> >
> > -Chris
> > --
> > \\\|||///  \  StarNet Inc.  \ Chris Parker
> > \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
> > | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
> > oOo---(_)---oOo--\--
> >\ Wholesale Internet Services -
http://www.megapop.net
> >
> >
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
>
>
> -
> List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
>


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: filtering attributes in proxy

2003-12-09 Thread Sergio Molina
Have you tried with pre-proxy and attr_rewrite? I'm trying but attr_rewrite
module is not called (/usr/sbin/freeradius -x). I don't know why.

Sergio.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Chris
> Parker
> Sent: Tuesday, 09 December 2003 16:32
> To: [EMAIL PROTECTED]
> Subject: Re: filtering attributes in proxy
>
>
> At 11:59 PM 12/8/2003, denz wrote:
> > > > > but when I start the server I get this message at the
> end, and server
> > > > > exits.
> > > > >
> > > > > Module: Instantiated attr_filter (attr_filter)
> > > > > radiusd.conf: "attr_filter" modules aren't allowed in 'pre-proxy'
> > > > > sections -- they have no such method.
> > > >
> > > > Edit the source code for attr_filter to include
> a pre-proxy
> > > >section.
> > >
> > > This is done in the latest CVS for post-proxy.  I've got a patch we've
> > > used internally for pre-proxy.  I'll commit it today.
> >
> >Has it been commited to cvs ?  I just downloaded. Couldn't see
> the preproxy
> >method in rlm_attr_filter. I'd appreciate it very much right now.
>
> No, I'm still working on cleaning the patch up, as well as adding
> accounting
> methods for the module.
>
> I'll post to the list when it is in CVS, which should hopefully be later
> today.
>
> -Chris
> --
> \\\|||///  \  StarNet Inc.  \ Chris Parker
> \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
> | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
> oOo---(_)---oOo--\--
>\ Wholesale Internet Services - http://www.megapop.net
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: filtering attributes in proxy

2003-12-09 Thread Chris Parker
At 11:59 PM 12/8/2003, denz wrote:
> > > > but when I start the server I get this message at the end, and server
> > > > exits.
> > > >
> > > > Module: Instantiated attr_filter (attr_filter)
> > > > radiusd.conf: "attr_filter" modules aren't allowed in 'pre-proxy'
> > > > sections -- they have no such method.
> > >
> > > Edit the source code for attr_filter to include a pre-proxy
> > > section.
> >
> > This is done in the latest CVS for post-proxy.  I've got a patch we've
> > used internally for pre-proxy.  I'll commit it today.
>
> Has it been committed to cvs ?  I just downloaded. Couldn't see the preproxy
> method in rlm_attr_filter. I'd appreciate it very much right now.

No, I'm still working on cleaning the patch up, as well as adding accounting
methods for the module.

I'll post to the list when it is in CVS, which should hopefully be later
today.
-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: filtering attributes in proxy

2003-12-08 Thread denz
> > > but when I start the server I get this message at the end, and server
> > > exits.
> > >
> > > Module: Instantiated attr_filter (attr_filter)
> > > radiusd.conf: "attr_filter" modules aren't allowed in 'pre-proxy'
> > > sections -- they have no such method.
> >
> > Edit the source code for attr_filter to include a pre-proxy
> >section.
>
> This is done in the latest CVS for post-proxy.  I've got a patch we've
> used internally for pre-proxy.  I'll commit it today.

Has it been committed to cvs ?  I just downloaded. Couldn't see the preproxy
method in rlm_attr_filter. I'd appreciate it very much right now.

>
> -Chris
> --
> \\\|||///  \  StarNet Inc.  \ Chris Parker
> \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
> | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
> oOo---(_)---oOo--\--
>\ Wholesale Internet Services - http://www.megapop.net
>
>
>
> -
> List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
>


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Proxy Setup

2003-12-07 Thread Glenn Plas
> From: "Anson Rinesmith" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: Proxy Setup
> Date: Fri, 5 Dec 2003 11:57:00 -0600
> Reply-To: [EMAIL PROTECTED]
>
> I want any username like [EMAIL PROTECTED] to be proxied to an
> existing radius server.
>
> I have added
>
> realm mydomain.net {
>     type    = radius
>     authhost    = 192.168.69.10:1645
>     accthost    = 192.168.69.10:1646
>     secret  = ascend
> }
>
> to my proxy.conf file. It still tries to authenticate locally. I was told
> not to put anything in my realms file.
> What am I missing?

If using SQL: Probably something like this:

mysql> select * from radgroupcheck;
+----+-----------+----------------+----+--------------+
| id | GroupName | Attribute      | op | Value        |
+----+-----------+----------------+----+--------------+
|  1 | dial      | Proxy-To-Realm | := | mydomain.net |
+----+-----------+----------------+----+--------------+

mysql> select * from usergroup limit 1;
+----+----------+-----------+
| id | UserName | GroupName |
+----+----------+-----------+
|  1 | username | dial      |
+----+----------+-----------+

You can put it in radcheck as well on a per-user basis, or if you prefer using
groups (which I guess you will if you have more than one existing radius
server behind the proxy) do it as described.

One more thing, when running radiusd with -X you will still see that it says
to go to NULL realm but in reality it is going to the correct realm. I don't
know why the logs show this but I found out the hard way using 0.9.2 that it
was doing it correctly.

Glenn


Re: Automatically proxy?

2003-12-06 Thread Alan DeKok
Gary Algier <[EMAIL PROTECTED]> wrote:
> I am trying to figure out how to automatically proxy based upon criteria
> in the users file.

  Use the Proxy-To-Realm attribute:

bob   Proxy-To-Realm := "realm"


> I can see how I can check the NAS-IP-Address, but then
> I don't know how to control where the actual auth gets
> done.

  Don't use NAS-IP-Address.  It can lie.  Use Client-IP-Address.

> In case you are wondering, the "other" radius server is a
> SecureID ACE server.  I want to use a FreeRadius server as
> a frontend for better control and accounting.

Of course.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Automatically proxy?

2003-12-05 Thread Gary Algier
Hi:

I am trying to figure out how to automatically proxy based upon criteria
in the users file.
For example:

I have a user "gary" who logs in on a particular NAS (let us say
on IP 192.168.1.1).  When he does so, his authentication should
be passed off to the radius server at 192.168.2.1.
If the same user tries to use the NAS at 192.168.1.2, he should
be rejected by this radius server.
If "nancy" uses either NAS, it should be handled locally.

All other users should be rejected on NAS 192.168.1.1,
while all requests for the rest of these users from
the NAS at 192.168.1.2 should be passed off to the radius
server at 192.168.2.1.
How can I do this?

I can see how I can check the NAS-IP-Address, but then
I don't know how to control where the actual auth gets
done.
In case you are wondering, the "other" radius server is a
SecureID ACE server.  I want to use a FreeRadius server as
a frontend for better control and accounting.
--
Gary Algier, WB2FWZ  gaa at ulticom.com +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054  Fax:+1 856 866 2033
Nielsen's First Law of Computer Manuals:
People don't read documentation voluntarily.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
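Gary's policy written out as a users file on the FreeRADIUS front end, following Alan's answer (Proxy-To-Realm as a check item, matching on Client-IP-Address rather than NAS-IP-Address). This is an added example, not configuration from the thread: the realm name ace, the ports, and the placeholder password and secret are assumptions; the proxy.conf fragment uses the same layout as the realm blocks elsewhere on this page.

```text
# /etc/raddb/users on the front-end server (added example, not from the thread).
# Entries are tried top to bottom; the first matching entry wins unless it
# sets Fall-Through. Check items are on the first line of each entry.

# gary: proxy to the ACE server only when the request came in from NAS 192.168.1.1
gary     Client-IP-Address == 192.168.1.1, Proxy-To-Realm := "ace"

# gary from any other client: reject here, never proxied
gary     Auth-Type := Reject

# nancy: handled locally from either NAS (password is a placeholder)
nancy    Auth-Type := Local, Password == "example-only"

# everyone else on 192.168.1.1: reject
DEFAULT  Client-IP-Address == 192.168.1.1, Auth-Type := Reject

# everyone else on 192.168.1.2: proxy to the ACE server
DEFAULT  Client-IP-Address == 192.168.1.2, Proxy-To-Realm := "ace"


# /etc/raddb/proxy.conf: the realm the entries above point at.
# Ports and secret are assumptions; "ace" is only a label for the home server.
realm ace {
        type      = radius
        authhost  = 192.168.2.1:1812
        accthost  = 192.168.2.1:1813
        secret    = CHANGE-ME
}
```

Client-IP-Address is taken from the source address of the UDP packet and is the same address the server used to look up the client's shared secret in clients.conf, so it is tied to a credential the server holds. NAS-IP-Address is just an attribute the NAS writes into the request, which is why Alan says it can lie.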


Re: Proxy Setup

2003-12-05 Thread Alan DeKok
"Anson Rinesmith" <[EMAIL PROTECTED]> wrote:
> to my proxy.conf file. It still tries to authenticate locally. I was told
> not to put anything in my realms file.
> 
> What am I missing?

  Read the output of radiusd -X.  It will tell you WHY it is, or is
not, proxying. 

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Proxy Setup

2003-12-05 Thread Anson Rinesmith
I want any username like [EMAIL PROTECTED] to be proxied to
an existing radius server.

I have added

realm mydomain.net {
    type    = radius
    authhost    = 192.168.69.10:1645
    accthost    = 192.168.69.10:1646
    secret  = ascend
}

to my proxy.conf file. It still tries to authenticate
locally. I was told not to put anything in my realms file.

What am I missing?


synchronous proxy and fail-over

2003-12-05 Thread Pascal Séguy
Hello,

I have found that the backup server of my client is never used when his
main server is down.

Another strange behaviour is that the reject is not answered on a timeout
but on receipt of the next authentication request, even if it comes one hour
later!

To solve the problem I have changed synchronous to "no".

Is synchronous mode broken?  (I use 0.9.3)


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: filtering attributes in proxy

2003-12-04 Thread Chris Parker
At 10:43 AM 12/4/2003, Alan DeKok wrote:
> "denz" <[EMAIL PROTECTED]> wrote:
> > but when I start the server I get this message at the end, and server
> > exits.
> >
> > Module: Instantiated attr_filter (attr_filter)
> > radiusd.conf: "attr_filter" modules aren't allowed in 'pre-proxy'
> > sections -- they have no such method.
>
>   Edit the source code for attr_filter to include a pre-proxy
> section.

This is done in the latest CVS for post-proxy.  I've got a patch we've
used internally for pre-proxy.  I'll commit it today.
-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: filtering attributes in proxy

2003-12-04 Thread Alan DeKok
"denz" <[EMAIL PROTECTED]> wrote:
> but when I start the server I get this message at the end, and server
> exits.
> 
> Module: Instantiated attr_filter (attr_filter)
> radiusd.conf: "attr_filter" modules aren't allowed in 'pre-proxy'
> sections -- they have no such method.

Edit the source code for attr_filter to include a pre-proxy
section.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: filtering attributes in proxy

2003-12-03 Thread denz
> > I need to remove the attribute
> > Calling-Station-Id = xxx
> > from the requests before passing it to the remote radius server.
>
>   Use rlm_attr_filter in pre-proxy.

I modified the radiusd.conf as suggested,

pre-proxy {
attr_filter

#  If you want to have a log of packets proxied to a home
#  server, un-comment the following line, and the
#  'detail pre_proxy_log' section, above.
#  pre_proxy_log
}

but when I start the server I get this message at the end, and server
exits.

radius-log
--
Module: Loaded attr_filter
 attr_filter: attrsfile = "/usr/local/radiusd/etc/raddb/attrs"
Module: Instantiated attr_filter (attr_filter)
radiusd.conf: "attr_filter" modules aren't allowed in 'pre-proxy'
sections -- they have no such method.


>
> > And while doing that I need to run some script and put those
> > Calling-station-id to a DB. Can we achieve this.
>
>   Yes.  Use rlm_exec in pre-proxy, before rlm_attr_filter.
>
>   Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
>


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: proxy

2003-12-03 Thread Anson Rinesmith
When I remove the realms entry, it tries to authenticate locally, when
watching 'radiusd -X'

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, December 03, 2003 3:38 PM
To: [EMAIL PROTECTED]
Subject: Re: proxy 

"Anson Rinesmith" <[EMAIL PROTECTED]> wrote:
> I added
> realm bigrivertel.net {
> type= radius
> authhost= 192.168.69.10:1645
> accthost= 192.168.69.10:1646
> secret  = ascend
> }
> 
> With the same errors, should I remove my entry from realms that I added
> earlier?

  Yes.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: proxy

2003-12-03 Thread Alan DeKok
"Anson Rinesmith" <[EMAIL PROTECTED]> wrote:
> I added
> realm bigrivertel.net {
> type= radius
> authhost= 192.168.69.10:1645
> accthost= 192.168.69.10:1646
> secret  = ascend
> }
> 
> With the same errors, should I remove my entry from realms that I added
> earlier?

  Yes.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: proxy

2003-12-03 Thread Anson Rinesmith
I added
realm bigrivertel.net {
type= radius
authhost= 192.168.69.10:1645
accthost= 192.168.69.10:1646
secret  = ascend
}

With the same errors, should I remove my entry from realms that I added
earlier?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, December 03, 2003 2:56 PM
To: [EMAIL PROTECTED]
Subject: Re: proxy 

"Anson Rinesmith" <[EMAIL PROTECTED]> wrote:
> I have put my realm in the realms file: bigrivertel.net
> 192.168.69.10

  You've also got to list it in the 'clients' file, OR use the
"proxy.conf" file.

> /usr/local/etc/raddb/realms[28]: Cannot find 'clients' file entry of
remote
> server 209.16.220.10 for realm "bigrivertel.net"

  Yup.

  The reason is that the "realms" file doesn't have room for a shared
secret, which is required.

  "proxy.conf" has it.  Use that.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: proxy

2003-12-03 Thread Alan DeKok
"Anson Rinesmith" <[EMAIL PROTECTED]> wrote:
> I have put my realm in the realms file: bigrivertel.net
> 192.168.69.10

  You've also got to list it in the 'clients' file, OR use the
"proxy.conf" file.

> /usr/local/etc/raddb/realms[28]: Cannot find 'clients' file entry of remote
> server 209.16.220.10 for realm "bigrivertel.net"

  Yup.

  The reason is that the "realms" file doesn't have room for a shared
secret, which is required.

  "proxy.conf" has it.  Use that.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


proxy

2003-12-03 Thread Anson Rinesmith
I have put my realm in the realms file: bigrivertel.net
192.168.69.10

When I run 'radiusd -X', I get the
following error:

/usr/local/etc/raddb/realms[28]: Cannot find 'clients' file
entry of remote server 209.16.220.10 for realm "bigrivertel.net"

Errors reading realms

Errors reading radiusd.conf

Any help?


Re: filtering attributes in proxy

2003-12-03 Thread Alan DeKok
"denz" <[EMAIL PROTECTED]> wrote:
> I need to remove the attribute
> Calling-Station-Id = xxx
> from the requests before passing it to the remote radius server.

  Use rlm_attr_filter in pre-proxy.

> And while doing that I need to run some script and put those
> Calling-station-id to a DB. Can we achieve this.

  Yes.  Use rlm_exec in pre-proxy, before rlm_attr_filter.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: 0.5 to 0.9.3 upgrade breaks auth-proxy

2003-12-03 Thread Ben Hockenhull
Alan DeKok <[EMAIL PROTECTED]> wrote:

>Ben Hockenhull <[EMAIL PROTECTED]> wrote:
>> Under 0.9.3, only the first AVPair is sent back.  I'm not sure why.
>
>  Read the 'man' page for the 'users' file.  I think it's also in the
>FAQ.
>
>  Try '+=', instead of '='.

Ah ha.  That did it.  I didn't see mention of that in the FAQ, but it was
in the man pages.  Thanks.

Ben



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


filtering attributes in proxy

2003-12-03 Thread denz
hi!

I'm using freeradius cvs (Nov 25 2003) as a radius proxy. And as a remote
radius server I've got another copy of freeradius running.
For my application environment I need my radius-proxy server to pass all
requests to the remote server. But under one condition,
i.e.
I need to remove the attribute
Calling-Station-Id = xxx
from the requests before passing them to the remote radius server. And
while doing that I need to run some script and put those Calling-Station-Ids
in a DB. Can we achieve this?


Here's the log at radius-proxy
--
rad_recv: Access-Request packet from host 192.168.0.93:3551, id=15, length=75
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "testing"
        NAS-IP-Address = 192.168.0.93
        Framed-Protocol = PPP
        Calling-Station-Id = "94733442946"
Sending Access-Request of id 1 to 192.168.0.171:1812
        User-Name = "steve"
        User-Password = "testing"
        NAS-IP-Address = 192.168.0.93
        Framed-Protocol = PPP
        Calling-Station-Id = "94722442946"
        Service-Type = Framed-User
        Proxy-State = 0x3135
rad_recv: Access-Accept packet from host 192.168.0.171:1812, id=1, length=36
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Proxy-State = 0x3135
Sending Access-Accept of id 15 to 192.168.0.93:3551
        Service-Type = Framed-User
        Framed-Protocol = PPP
--

Here's the log at remote radius
--
rad_recv: Access-Request packet from host 192.168.3.4:1814, id=1, length=80
        User-Name = "steve"
        User-Password = "testing"
        NAS-IP-Address = 192.168.0.93
        Framed-Protocol = PPP
        Calling-Station-Id = "94733442946"
        Service-Type = Framed-User
        Proxy-State = 0x3135
rlm_chap: Could not find proper Chap-Password attribute in request
Sending Access-Accept of id 1 to 192.168.3.4:1814
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Proxy-State = 0x3135
rad_recv: Access-Request packet from host 192.168.3.4:1814, id=2, length=62
        User-Name = "steve"
        User-Password = "testing"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1
        Proxy-State = 0x323131
rlm_chap: Could not find proper Chap-Password attribute in request
Sending Access-Accept of id 2 to 192.168.3.4:1814
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Proxy-State = 0x323131
--


You can see that every attribute is passed as it is. It gets authenticated
all right, but my requirement is not to pass the above mentioned attribute to
the remote server.


denz.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
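A wire-level view of what a pre-proxy filter for Calling-Station-Id has to do, as an added Python example that is not FreeRADIUS code and not denz's configuration (in FreeRADIUS the same job is the rlm_exec plus rlm_attr_filter pair Alan describes). It parses the attribute area of an Access-Request, pulls the Calling-Station-Id values out for the database step, and rebuilds the packet that goes to the home server. The packet in demo() is constructed from the attributes in the proxy log above; the MSISDN is the one shown there.

```python
"""Strip one attribute from an Access-Request before forwarding it.
Added example, not FreeRADIUS code. Attribute layout per RFC 2865: type(1) length(1) value."""
import struct

USER_NAME = 1
NAS_IP_ADDRESS = 4
CALLING_STATION_ID = 31
MESSAGE_AUTHENTICATOR = 80   # RFC 2869; HMAC-MD5 over the whole packet


def decode_attrs(data):
    """Parse the attribute area into (type, value) pairs. Malformed lengths
    raise instead of being skipped: a proxy should not forward what it
    cannot parse."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        out.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return out


def encode_attrs(attrs):
    """Inverse of decode_attrs; a value may be at most 253 bytes."""
    for _, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def strip_attribute(packet, attr_type):
    """Return (packet_to_forward, removed_values).

    The header length is rewritten. The Request Authenticator is kept as is:
    User-Password is bound to it and the secret, not to the other attributes.
    A Message-Authenticator covers the whole packet, so an edited packet needs
    a fresh one computed with the home server's secret; rather than forward a
    value that no longer verifies, this refuses."""
    if len(packet) < 20:
        raise ValueError("packet shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("header length does not match packet")
    authenticator = packet[4:20]
    attrs = decode_attrs(packet[20:])
    removed = [v for t, v in attrs if t == attr_type]
    kept = [(t, v) for t, v in attrs if t != attr_type]
    if any(t == MESSAGE_AUTHENTICATOR for t, _ in kept):
        raise ValueError("Message-Authenticator present: recompute it before forwarding")
    body = encode_attrs(kept)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body, removed


def demo():
    """Constructed Access-Request modelled on the proxy log above.
    Returns what the DB step would receive, the attribute types that reach
    the home server, and the forwarded packet length."""
    attrs = [(USER_NAME, b"steve"),
             (NAS_IP_ADDRESS, bytes([192, 168, 0, 93])),
             (CALLING_STATION_ID, b"94733442946")]
    body = encode_attrs(attrs)
    request = struct.pack("!BBH", 1, 15, 20 + len(body)) + bytes(16) + body  # zero authenticator: example only
    forwarded, removed = strip_attribute(request, CALLING_STATION_ID)
    types_forwarded = [t for t, _ in decode_attrs(forwarded[20:])]
    return removed, types_forwarded, len(forwarded)


if __name__ == "__main__":
    print(demo())
```

Removing an attribute does not disturb User-Password, which is encrypted against the Request Authenticator and the secret rather than against the attribute list; re-encrypting it for the home server's secret is a separate step a proxy performs for every forwarded request. Message-Authenticator is the one attribute that does depend on the rest of the packet, which is why the function stops rather than forwarding a stale value.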


strip user name for proxy

2003-12-03 Thread Rohaizam Abu Bakar
For example, in a proxy configuration... let's say the login
is [EMAIL PROTECTED]. Is it possible
for Freeradius to strip the username (user1) and proxy to the other radius server
using "abc.com.my" only...

thanks..

--haizam


Re: 0.5 to 0.9.3 upgrade breaks auth-proxy

2003-12-02 Thread Joe Maimon
Make sure when you install the new server you get the new man pages as well.

Alan DeKok wrote:

> Ben Hockenhull <[EMAIL PROTECTED]> wrote:
> > Under 0.9.3, only the first AVPair is sent back.  I'm not sure why.
>
>   Read the 'man' page for the 'users' file.  I think it's also in the
> FAQ.
>
>   Try '+=', instead of '='.
>
>   Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: 0.5 to 0.9.3 upgrade breaks auth-proxy

2003-12-02 Thread Alan DeKok
Ben Hockenhull <[EMAIL PROTECTED]> wrote:
> Under 0.9.3, only the first AVPair is sent back.  I'm not sure why.

  Read the 'man' page for the 'users' file.  I think it's also in the
FAQ.

  Try '+=', instead of '='.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


0.5 to 0.9.3 upgrade breaks auth-proxy

2003-12-02 Thread Ben Hockenhull
Hi there,

I'm doing testing in preparation to upgrade a server from 0.5 to 0.9.3,
and I've run into an issue with Cisco's auth-proxy feature.  Under 0.5,
it's been working.  Upon successful authentication, the radius server
sends back the proper Cisco-AVpairs for a temporary ACL.  I have a debug
from the router and from the 0.5 radiusd at http://www.jpj.net/~benh/rad5.txt

Under 0.9.3, only the first AVPair is sent back.  I'm not sure why.  The
radius users file is identical, and the config on the router is identical.
the only variable seems to be the version of FreeRADIUS.

I have a debug from the router and from the 0.9.3 radiusd at
http://www.jpj.net/~benh/rad9.txt.

Here's the users file in question:

hunter1    Auth-Type := Local, Password == "student1"
           Cisco-AVPair = "auth-proxy:priv-lvl=15",
           Cisco-AVPair = "auth-proxy:proxyacl#1=deny ip any 192.168.0.0 0.0.0.255",
           Cisco-AVPair = "auth-proxy:proxyacl#2=permit ip any any"


Leaving aside the question of why it's taken so long to upgrade this
server, does anyone have any ideas?

Thanks

Ben

--
Ben Hockenhull
[EMAIL PROTECTED]

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius in proxy mode

2003-11-28 Thread Alan DeKok
"denz" <[EMAIL PROTECTED]> wrote:
> I've got a radius server (some old radius server) configured with a
> NAS. I want to pass MSISDN from NAS to radius. But the problem is when I
> pass that attribute, the Authentication process stops.

  I doubt that very much.

  Read the FAQ about posting questions to the list.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


freeradius in proxy mode

2003-11-28 Thread denz
hi everyone!

The current problem:
I've got a radius server (some old radius server) configured with a NAS. I want
to pass MSISDN from NAS to radius. But the problem is when I pass that
attribute, the authentication process stops.

Solution
I'm thinking of running a freeradius in proxy mode, so that it will manipulate
the access requests having extra attribs, do some extra work (eg: record MSISDNs
in a DB) and forward those filtered requests to a remote server.

How could we achieve this purpose? Can somebody point me to good documentation?

denzel.


proxy sending extra info

2003-11-27 Thread Laurens Pit
Hi,

Radius Server 1 --> Free Radius --> Radius Server 2

I control the Free Radius server, which serves as a proxy. I need to modify
a radius attribute value that is incoming from Radius Server 1 before it is
sent to Radius Server 2. How can I do that?

I'm using rlm_perl, so if it can be done in there that would be nice.



Greets,
Laurens




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Limiting access at a proxy server based on Called-Station-ID

2003-11-19 Thread Deepak Singhal
I think this can also be achieved by writing a function/procedure in the
database which returns the values after doing the checking.

Deepak Singhal
- Original Message -
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, November 20, 2003 3:28 AM
Subject: Re: Limiting access at a proxy server based on Called-Station-ID


> Mark Moody <[EMAIL PROTECTED]> wrote:
> > We need to limit their users access based on Called-Station-ID.
> > When the Auth request comes in from the NAS, I need to be able to
> > consult a (possibly large) list of access numbers and determine if
> > the user called an approved number, if so allow the request to
> > proceed to the home server.  If not, return an Access-Reject to the
> > NAS.
>
>   You're probably going to have to write a module yourself to do that
> work.  It shouldn't be too large.  Use a database to store the list of
> access numbers, and it should be easy to manage, too.
>
>   The issue is that most modules in the server are written to find
> some small amount of configuration in a database for a user, and then
> allow other modules to use that configuration to do things.
>
>   What you want is to check the users request against a large number
> of things in a database.  I'm not sure how that would be possible in
> the current server.
>
>   Alan DeKok.
>



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Limiting access at a proxy server based on Called-Station-ID

2003-11-19 Thread Alan DeKok
Mark Moody <[EMAIL PROTECTED]> wrote:
> We need to limit their users access based on Called-Station-ID.
> When the Auth request comes in from the NAS, I need to be able to
> consult a (possibly large) list of access numbers and determine if
> the user called an approved number, if so allow the request to
> proceed to the home server.  If not, return an Access-Reject to the
> NAS.

  You're probably going to have to write a module yourself to do that
work.  It shouldn't be too large.  Use a database to store the list of
access numbers, and it should be easy to manage, too.

  The issue is that most modules in the server are written to find
some small amount of configuration in a database for a user, and then
allow other modules to use that configuration to do things.

  What you want is to check the users request against a large number
of things in a database.  I'm not sure how that would be possible in
the current server.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Limiting access at a proxy server based on Called-Station-ID

2003-11-19 Thread Mark Moody
I've been asked if the following is possible. We operate a pair of
radius servers that proxy several realms to their respective home
servers.  We need to limit their users access based on
Called-Station-ID.  When the Auth request comes in from the NAS, I need
to be able to consult a (possibly large) list of access numbers and
determine if the user called an approved number, if so allow the request
to proceed to the home server.  If not, return an Access-Reject to the
NAS.  I've experimented with the DEFAULT entries in the users file, and
looked at pre-proxy as well.  So far I haven't come up with a good way
to do this.  If anyone is currently doing something like this could you
let me know how you're doing it?  Keep in mind the potential list of
Called-Station-IDs is potentially very large, management of and updates
to this list need to be straight forward.  Any help will be most
appreciated. 

-- 
Mark Moody 



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: How to insert an attribuite into a proxy-reply packet ?

2003-11-17 Thread Sudhagar Chinnaswamy
I am not sure how to achieve this using rlm_attr_rewrite (probably
others can help), but you can write your own "post-proxy" method. Add
that module in the "post-proxy" section of radius.conf, so that your
post-proxy method is called whenever the Radius server receives a reply
for the proxied request.  
 
In that post-proxy method you can have whatever case you need based on
your requirements.

-Original Message-
From: Allen Chung [mailto:[EMAIL PROTECTED]
Sent: Sunday, November 16, 2003 6:16 PM
To: [EMAIL PROTECTED]
Subject: Re: How to insert an attribuite into a proxy-reply packet ?


Sorry, I don't know how to make it work. Could you tell me more about it?

I use freeradius to be a proxy server.

    A <===> MySite <=> B

I want each Auth-Reply to be one of below cases.

1. If the Session-Timeout is defined and the value is greater than 0,
proxy the reply-packet without change.
2. If the Session-Timeout is undefined, proxy the reply-packet without
change.
3. If the Session-Timeout is defined BUT the value is 0, set the value
to be 36000 before sending it.

Thanks a lot ...

- Original Message - 
From: Liyan Tan <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Sent: Thursday, November 13, 2003 8:00 PM
Subject: Re: How to insert an attribuite into a proxy-reply packet ?

rlm_attr_filters may work?

  Liyan Tan
  [EMAIL PROTECTED]
  2003-11-13



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
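Allen's three cases amount to a post-proxy rewrite of one attribute in the home server's reply. As an added example (written for this page, not FreeRADIUS code and not from anyone in the thread), the Python below parses a constructed Access-Accept, applies those cases, and re-signs the reply before it goes to the NAS: the home server's Response Authenticator covers the attributes, so any change invalidates it, and the NAS expects its own packet ID under its own shared secret. The secrets and Request Authenticators are constructed sample values.

```python
import hashlib
import hmac
import struct

# RFC 2865 values used below
ACCESS_ACCEPT = 2
FRAMED_PROTOCOL = 7           # integer attribute, 1 = PPP
SESSION_TIMEOUT = 27          # integer attribute, seconds
REPLACEMENT_TIMEOUT = 36000   # the value the thread substitutes for 0

# Constructed sample material (not from the thread): the two shared secrets a
# proxy holds, and the Request Authenticators of the NAS's and the proxy's requests.
NAS_SECRET = b"nas-secret"
HOME_SECRET = b"home-secret"
NAS_REQUEST_AUTH = bytes(range(16))
PROXY_REQUEST_AUTH = bytes(range(16, 32))


def parse_attributes(data):
    """Split a RADIUS attribute region into (type, value) pairs, rejecting
    malformed lengths instead of reading past the buffer."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, bytes(data[pos + 2:pos + alen])))
        pos += alen
    return attrs

def encode_attributes(attrs):
    out = bytearray()
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute %d value too long" % atype)
        out += bytes((atype, len(value) + 2)) + value
    return bytes(out)

def response_authenticator(code, ident, body, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s.3."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def build_reply(code, ident, attrs, request_auth, secret):
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + response_authenticator(code, ident, body, request_auth, secret) + body

def verify_reply(packet, request_auth, secret):
    """True only if the packet is well-formed and its Response Authenticator
    matches the request it answers under the given secret."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])

def fix_session_timeout(attrs):
    """Allen's three cases: absent -> untouched, > 0 -> untouched,
    present but 0 -> REPLACEMENT_TIMEOUT. Nothing is ever added."""
    fixed = []
    for atype, value in attrs:
        if atype == SESSION_TIMEOUT and len(value) == 4 and struct.unpack("!I", value)[0] == 0:
            value = struct.pack("!I", REPLACEMENT_TIMEOUT)
        fixed.append((atype, value))
    return fixed

def rewrite_proxied_reply(home_reply, nas_ident):
    """Check the home server's reply, patch Session-Timeout and re-sign for the
    NAS. Re-signing is mandatory: the home server's digest covers the
    attributes, and the NAS expects its own packet ID under its own secret."""
    if not verify_reply(home_reply, PROXY_REQUEST_AUTH, HOME_SECRET):
        raise ValueError("home server reply failed authenticator check, dropping it")
    attrs = fix_session_timeout(parse_attributes(home_reply[20:]))
    return build_reply(home_reply[0], nas_ident, attrs, NAS_REQUEST_AUTH, NAS_SECRET)

def session_timeout_of(packet):
    """Session-Timeout carried in a packet, or None when absent."""
    for atype, value in parse_attributes(packet[20:]):
        if atype == SESSION_TIMEOUT and len(value) == 4:
            return struct.unpack("!I", value)[0]
    return None

def sample_home_reply(ident, timeout):
    """Constructed Access-Accept as the home server returns it to the proxy;
    timeout=None leaves Session-Timeout out entirely."""
    attrs = [(FRAMED_PROTOCOL, struct.pack("!I", 1))]
    if timeout is not None:
        attrs.append((SESSION_TIMEOUT, struct.pack("!I", timeout)))
    return build_reply(ACCESS_ACCEPT, ident, attrs, PROXY_REQUEST_AUTH, HOME_SECRET)
```

Calling rewrite_proxied_reply(sample_home_reply(1, 0), 228) yields a reply to the NAS carrying Session-Timeout 36000 that verifies under NAS_SECRET, while a truncated or tampered home reply is rejected before anything is forwarded.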


Re: How to insert an attribuite into a proxy-reply packet ?

2003-11-16 Thread Allen Chung



Sorry, I don't know how to make it work. Could you tell me more about it?

I use freeradius to be a proxy server.

    A <===> MySite <=> B

I want each Auth-Reply to be one of below cases.

1. If the Session-Timeout is defined and the value is greater than 0,
proxy the reply-packet without change.
2. If the Session-Timeout is undefined, proxy the reply-packet without
change.
3. If the Session-Timeout is defined BUT the value is 0, set the value
to be 36000 before sending it.

Thanks a lot ...

  - Original Message - 
  From: Liyan Tan
  To: [EMAIL PROTECTED]
  Sent: Thursday, November 13, 2003 8:00 PM
  Subject: Re: How to insert an attribuite into a proxy-reply packet ?

  rlm_attr_filters may work?

    Liyan Tan
    [EMAIL PROTECTED] 2003-11-13


strip both prefix and suffix with proxy

2003-11-14 Thread Tibor Pittich
hello all

i have a problem which i still can't solve. maybe there is a solution,
but i can't find it :(

situation:
i must use the suffix @blabla for every account. for some accounts i want
to use a prefix too - because of auth proxying.
i'm planning to use prefixes only for non-local accounts, but there is a
special group of users which wants to duplicate its accounting info to a
non-local server, but authorize locally. i create a prefix for this group
and add it into the proxy configuration with two accthost entries.

now i need to strip the suffix for this special group before authorization,
because i don't want to store usernames with suffixes in my backend
(which is currently ldap). but when realm aaa is matched, imho, i can
strip only this realm.

example:
username: [EMAIL PROTECTED]
proxy:
realm aaa {
        accthost        host1:1813
        accthost        LOCAL
        nostrip/strip   // only one of these
}
users:
DEFAULT Auth-Type := LDAP, Ldap-Group == "aaa-group", Suffix == "@blabla"
...

thanks
-- 
member of Advanced InternetWorks group  -> http://www.ainetworks.sk
professional home page  -> http://tibor.pittich.sk
personal home page  -> http://c0re.phuture.sk




Re: How to insert an attribuite into a proxy-reply packet ?

2003-11-13 Thread Liyan Tan




rlm_attr_filters may work?

  Liyan Tan
  [EMAIL PROTECTED] 2003-11-13


How to insert an attribuite into a proxy-reply packet ?

2003-11-13 Thread Allen Chung



Hello~

May I add an attribute "session-time" into a proxy-reply packet if the value
of "session-timeout" is not assigned, before I reply it to another radiusd
server?

Thanks a lot ~


Re: Proxy doesn't send acct packets to other radius (correct proxy.conf)

2003-10-29 Thread Artur Hecker
ok

looking at your radiusd.conf file, i wonder if you have to add a preacct 
section with a suffix module in it in order to look up the realms. 
otherwise it seems ok to me.

ciao
artur


> I made a mistake editing that mail last night.
>
> realm dimapel.com.br {
> type= radius
> authhost= 200.180.55.65:1812
> accthost= 200.180.55.65:1813
> secret  = teste
> }


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Proxy doesn't send acct packets to other radius (correct proxy.conf)

2003-10-29 Thread Jefferson Dümes
Artur

I made a mistake editing that mail last night.

200.193.87.129 has no relation to the problem reported. It's another server 
for tests.

my problem is: the proxy server doesn't send acct (accounting) packets 
to the 200.180.55.65 server.

Just to know:
200.180.22.15 is the RAS that consults only 200.180.22.9 (the proxy).
The correct proxy.conf is:

$ cat proxy.conf | grep -v "#"
proxy server {
synchronous = no
retry_delay = 5
retry_count = 3
dead_time = 120
servers_per_realm = 15
default_fallback = yes
}
realm dimapel.com.br {
type= radius
authhost= 200.180.55.65:1812
accthost= 200.180.55.65:1813
secret  = teste
}



Artur Hecker em 29-10-2003 07:11 disse:
hi

looking at your proxy.conf file:

realm dimapel.com.br {
type= radius
authhost= 200.193.87.129:1812
accthost= 200.193.87.129:1813
secret  = teste
}


now looking at the proxied Access Request out of your debug output:

modcall: group authorize returns updated
Sending Access-Request of id 3 to 200.180.55.65:1812
User-Name = "dumes"
User-Password = "D\277\255\261\350~V\037\005\240\331\360^\330\206u"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-IP-Address = 200.180.22.15
NAS-Port = 108
Calling-Station-Id = "475211600"
Called-Station-Id = "12110482815300"
Connect-Info = "34000/28800_K56_/LAPM/V42BIS"
Proxy-State = "73"
--- Walking the entire request list ---


i strongly doubt that the proxy.conf file you are editing is relevant to 
this server. (it should proxy to 200.193.87.129:1812 but it does to 
200.180.55.65:1812). unless of course you have a WEIRD host file

ciao
artur



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Proxy doesn't send acct packets to other radius

2003-10-29 Thread Artur Hecker
hi

looking at your proxy.conf file:

realm dimapel.com.br {
type= radius
authhost= 200.193.87.129:1812
accthost= 200.193.87.129:1813
secret  = teste
}
now looking at the proxied Access Request out of your debug output:

modcall: group authorize returns updated
Sending Access-Request of id 3 to 200.180.55.65:1812
User-Name = "dumes"
User-Password = "D\277\255\261\350~V\037\005\240\331\360^\330\206u"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-IP-Address = 200.180.22.15
NAS-Port = 108
Calling-Station-Id = "475211600"
Called-Station-Id = "12110482815300"
Connect-Info = "34000/28800_K56_/LAPM/V42BIS"
Proxy-State = "73"
--- Walking the entire request list ---
i strongly doubt that the proxy.conf file you are editing is relevant to 
this server. (it should proxy to 200.193.87.129:1812 but it does to 
200.180.55.65:1812). unless of course you have a WEIRD host file

ciao
artur
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Proxy doesn't send acct packets to other radius

2003-10-28 Thread Jefferson Dümes
Sorry Alan

I'm so tired that I forgot those important details.

First, my Freeradius is 0.8. I don't remember what options I used with 
configure but I'm sure I used ldap and mysql (because they work fine).

I think the relevant config files and logs are reproduced below.

They are:
- proxy.conf
- radiusd.conf
- console out of radiusd -X (of proxy server)
Obs.: I didn't put the radiusd -X console out of the realm server, because I 
used iptraf -i on the realm server and there's no acct packet coming 
from the proxy server.

$ cat proxy.conf | grep -v "#"
proxy server {
synchronous = no
retry_delay = 5
retry_count = 3
dead_time = 120
servers_per_realm = 15
default_fallback = yes
}
realm soft {
type= radius
authhost= 200.193.87.129:1812
accthost= 200.193.87.129:1813
secret  = teste
}
realm dimapel.com.br {
type= radius
authhost= 200.193.87.129:1812
accthost= 200.193.87.129:1813
secret  = teste
}

$ cat radiusd.conf | grep -v "#"
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = 200.193.87.150
port = 0
hostname_lookups = no
regular_expressions = yes
extended_expressions= yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
proxy_requests = yes
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
ldap {
server = "ldapserver.softhouse.com.br"
basedn = "dc=softhouse.com.br,o=softhouse"
filter = "(&(objectClass=radiusprofile)(uid=%u))"
groupname_attribute = cn
default_profile = "cn=normal,ou=radius,o=softhouse"
profile_attribute = "radiusProfileDN"
start_tls = no
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 15
timeout = 4
timelimit = 3
net_timeout = 1
}
realm suffix {
format = suffix
delimiter = "@"
}
$INCLUDE  ${confdir}/sql.conf
radutmp {
filename = ${logdir}/radutmp
perm = 0600
callerid = "yes"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
checkval callerid-check{
item-name = "Calling-Station-Id"
check-name = "Calling-Station-Id"
data-type = "string"
}
}
authorize {
suffix
ldap
callerid-check
}
authenticate {
authtype LDAP {
ldap
}
}
accounting {
radutmp
sql
}
session {
radutmp
}

Proxy LOG (radiusd -X)
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: bind_address = 200.193.87.150 IP address [200.193.87.150]
 main: user = "(null)"

Re: Proxy doesn't send acct packets to other radius

2003-10-28 Thread Alan DeKok
Jefferson Dümes <[EMAIL PROTECTED]> wrote:
> I'm not a "radius expert", but I already used a cistron (patched to log 
> in mysql) and icradius. In these two servers, I just say to do proxy to 
> some server and it does it (auth and acct).

  FreeRADIUS does that, too.

> I'm looking for the solution to this problem for months. I'm looking on 
> "The Freeradius-Users Archives". But no Answer. No answer in FAQ too.

  You still haven't said what you're doing.  You haven't said what
configuration files you're editing.  You haven't included debugging
messages as suggested in the FAQ and README.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Proxy doesn't send acct packets to other radius

2003-10-28 Thread Jefferson Dümes
Hi Alan

Would you show me where there is some kind of reference to the problem I 
reported???

I'm not a "radius expert", but I already used a cistron (patched to log 
in mysql) and icradius. In these two servers, I just say to do proxy to 
some server and it does it (auth and acct).

I agree that freeradius is more flexible and so freeradius needs me to 
tell it exactly what I want it to do. It's really great.

I've been looking for the solution to this problem for months. I've looked in 
"The Freeradius-Users Archives". But no answer. No answer in the FAQ either.

Alan DeKok wrote:
> Jefferson Dümes <[EMAIL PROTECTED]> wrote:
> > Freeradius 0.8 doesn't send accounting packets to other freeradius.
>
>   It does if you've configured it correctly.
>
> > No errors in log files.
> >
> > Someone give me an idea.
>
>   Since you haven't followed the directions in the FAQ for problem
> solving, I suggest that you start there.
>
>   Alan DeKok.



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Proxy doesn't send acct packets to other radius

2003-10-28 Thread Alan DeKok
Jefferson Dümes <[EMAIL PROTECTED]> wrote:
> Freeradius 0.8 doesn't send accounting packets to other freeradius.

  It does if you've configured it correctly.

> No errors in log files.
> 
> Someone give me an idea.

  Since you haven't followed the directions in the FAQ for problem
solving, I suggest that you start there.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Proxy doesn't send acct packets to other radius

2003-10-27 Thread Jefferson Dümes
Freeradius 0.8 doesn't send accounting packets to other freeradius.

There's no firewall rules between the servers.

No errors in log files.

Someone give me an idea.

thanks.

details:
Freeradius 0.8 compiled with ldap auth and mysql accounting support.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: proxy help question

2003-10-24 Thread Dustin Doris


On Fri, 24 Oct 2003, CW wrote:

> Is it possible to have ONE radius server query TWO databases in the same
> server for requests for different realms?
>
> For example if I had two realms
>
>
> dialup.someisp.net
> adsl.someisp.net
>
> and both realms came into the same radius server, and I had two mysql
> databases with two different customer bases for two different services.
> (dialup and adsl)
>
> Is it possible for me to instruct the radius server to query different
> databases for different domains?
>
>
> Cheers,
> Craig
>

Sure thing, just check out doc/Autz-Type



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


proxy help question

2003-10-23 Thread CW

Is it possible to have ONE radius server query TWO databases in the same
server for requests for different realms?

For example if I had two realms

dialup.someisp.net
adsl.someisp.net

and both realms came into the same radius server, and I had two mysql
databases with two different customer bases for two different services.
(dialup and adsl)

Is it possible for me to instruct the radius server to query different
databases for different domains?

Cheers,
Craig


Proxy setup

2003-10-22 Thread Jason Sehlmeyer








Hello, new to the list, but I've read everything that I could possibly read;
maybe I just don't understand.

What I'm trying to do:

Use a STAROS using Hotspot to authenticate with our radius server. I've
installed and set up freeradius on a machine we use for mirroring, and if I do
the radtest to our windows radius server it goes through ok so I know it
works. I set up the proxy, but two questions. Do I have the hotspot send auth
and acct to the default port of 1814? Or 1812 and 1813?

Also, the error I get in the radius log is:

Wed Oct 22 14:39:22 2003 : Error: Ignoring request from unknown home server 65.117.AAA.XX:1032
Wed Oct 22 14:39:37 2003 : Error: Ignoring request from unknown home server 65.117.AAA.XX:1032
Wed Oct 22 14:40:18 2003 : Error: Ignoring request from unknown client 65.117.AAA.XX:1033
Wed Oct 22 14:40:33 2003 : Error: Ignoring request from unknown client 65.117.AAA.XX:1033
Wed Oct 22 14:40:48 2003 : Error: Ignoring request from unknown client 65.117.AAA.XX:1033

I get the unknown client when I have the server set up in the clients.conf
page, as:

client 65.117.AAA.XX {
        secret          = MySecret
        shortname       = Mac
}

Any help would be greatly appreciated.

Thanks,
Jason

LRBCG.Com, Inc.


Re: Problem with Proxy

2003-10-21 Thread Allen Chung
Thanks for your advice.

It works for Authentication, but not for Accounting.

If I want to proxy accounting packets with these rules, what should I do?

1. proxy accounting packets whose realm ends with ".us" to serverATus.
2. proxy accounting packets whose realm ends with ".jp" to serverATjp.

Thanks a lot ~


- Original Message - 
From: "Chris van Meerendonk" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 07, 2003 7:41 PM
Subject: Re: Problem with Proxy


> Allen,
>
> You could try to put the following in the users file:
> DEFAULT Realm =~ "\.us$", Proxy-To-Realm += "us"
> DEFAULT Realm =~ "\.jp$", Proxy-To-Realm += "jp"
>
> In proxy.conf you can put something like:
> realm us {
> type= radius
> authhost= 123.123.234.234:1812
> accthost= 123.123.234.234:1813
> secret  = authkey
> nostrip
> }
>
> realm jp {
> type= radius
> authhost= 123.123.234.235:1812
> accthost= 123.123.234.235:1813
> secret  = authkey
> nostrip
> }
>
> Chris
>
> On Mon, 2003-10-06 at 07:12, Allen Chung wrote:
> > Hello~
> >
> > I have a question about Proxy.
> >
> > I would like to
> >
> > 1.proxy realms which end with ".us" to serverATus.
> > 2. proxy realm which end with ".jp" to serverATjp.
> >
> > What should I define in the proxy.conf  ?
> >
> > Thanks a lot ...
>



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Proxy and "No such realm NULL"

2003-10-16 Thread Chris Brotsos
Josh,

I don't really deal with the NULL realm, so I'm not 100% sure of a certain 
configuration option's actions with said realm, but you might want to try 
setting 'wake_all_if_all_dead = yes' in the proxy.conf file. Assuming that 
wake_all_if_all_dead works with the NULL realm, this would at least help 
you test your hypothesis.

HTH,

Chris
At 10:57 AM 10/16/2003, you wrote:
I have a proxy server configured to proxy to the NULL realm.

This has worked fine until recently when it has started to silently drop
RADIUS requests rather than forward them. The NAS does not receive any
response and so rejects users.
My hypothesis is that the RADIUS server it is proxying to becomes
unresponsive temporarily, and so the proxy server marks it dead. Thus,
when the next RADIUS requests comes along it has no server to proxy it
to, thus it returns an error about the realm.
Would this hypothesis be consistent with the "No such realm NULL" error?

A possible flaw in this hypothesis is that the "dead time" is configured
at ten minutes (dead_time = 600) yet the server continues to drop RADIUS
packets beyond this time.
I would be interested in any ideas or suggestions to fix this.

many thanks, josh.



--
---
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Proxy and "No such realm NULL"

2003-10-16 Thread Josh Howlett
I have a proxy server configured to proxy to the NULL realm.

This has worked fine until recently when it has started to silently drop
RADIUS requests rather than forward them. The NAS does not receive any
response and so rejects users.

My hypothesis is that the RADIUS server it is proxying to becomes
unresponsive temporarily, and so the proxy server marks it dead. Thus,
when the next RADIUS requests comes along it has no server to proxy it
to, thus it returns an error about the realm.

Would this hypothesis be consistent with the "No such realm NULL" error?

A possible flaw in this hypothesis is that the "dead time" is configured
at ten minutes (dead_time = 600) yet the server continues to drop RADIUS
packets beyond this time.

I would be interested in any ideas or suggestions to fix this.

many thanks, josh.



-- 
---
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Proxy fail-over

2003-10-16 Thread Chris Brotsos
At 09:58 PM 10/15/2003, you wrote:
I tried to set up the Radius server (0.9.1 on Red Hat 9) so it can do
proxying. I use the sql module for authentication (mysql).
I have two users, [EMAIL PROTECTED]' and 'alex_chen', in the DB.

I set up the proxy.conf as follows so that if the proxy server
192.168.1.12 fails, it will try to authenticate locally. (Following the
sample in proxy.conf for round-robin proxy.)
proxy server {
synchronous = yes
From /path/to/src/radiusd/raddb/proxy.conf:

"If this [synchronous] is set to 'No', then we send the retries on our own 
schedule..."
"If you want to have the server send proxy retries ONLY when the NAS sends 
its retries to the server, then set this to 'yes', and the other proxy 
configuration parameters to 0 (zero)".

So, try setting synchronous to 'no' and see if you still have problems with 
the failover.

HTH,

Chris

retry_delay = 5
retry_count = 3
dead_time = 120
default_fallback = yes
post_proxy_authorize = no
}
realm myhome.com {
type= radius
authhost= 192.168.1.12:1812
accthost= 192.168.1.12:1813
secret  = testing123
}
#
# The fail-over server
#
realm myhome.com {
type= radius
authhost= LOCAL
accthost= LOCAL
}
But when I run the radius with -X flag, I got the following message:

..
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89
User-Name = "[EMAIL PROTECTED]"
User-Password = "alextest"
NAS-IP-Address = 192.168.2.1
NAS-Port = 1
NAS-Port-Id = "gateway"
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_eap: EAP-Message not found
  modcall[authorize]: module "eap" returns noop
rlm_realm: Looking up realm "myhome.com" for User-Name =
"[EMAIL PROTECTED]"
rlm_realm: Found realm "myhome.com"
rlm_realm: Adding Stripped-User-Name = "alex_chen"
rlm_realm: Proxying request from user alex_chen to realm myhome.com
rlm_realm: Adding Realm = "myhome.com"
rlm_realm: Preparing to proxy authentication request to realm
"myhome.com"
  modcall[authorize]: module "suffix" returns updated
radius_xlat:  'alex_chen'
...
...
modcall: group authorize returns updated
Sending Access-Request of id 1 to 192.168.1.12:1812
User-Name = "alex_chen"
User-Password = "alextest"
NAS-IP-Address = 192.168.2.1
NAS-Port = 1
NAS-Port-Id = "gateway"
Proxy-State = "228"
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89
Dropping conflicting packet from client localhost:1025 - ID: 228 due to
unfinished request 1
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 224 with timestamp 3f8de7df
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89
Dropping conflicting packet from client localhost:1025 - ID: 228 due to
unfinished request 1
--- Walking the entire request list ---
Waking up in 5 seconds...

Proxy to Radius Servers Cluster

2003-10-15 Thread Allen Chung



Dear All:

I have 2 Radius Servers, R1, R2, and each server maintains its own user data.
I hope to use the realm "@myrealm" for each user.

I built a proxy server with freeradiusd 0.9.0 to be a dispatcher.
The trouble is I can't identify whether a user belongs to R1 or R2.
So I use the ldflag = round-robin in my proxy.conf.
In this case, there is a 50% chance to fail.

May I set up the proxy rule to map "@myrealm" to both R1 and R2?
And when the request [EMAIL PROTECTED] is received, the proxy server will
proxy to both R1 and R2.
If one of them responds Access-Accept, then the proxy server replies
Access-Accept, too.

Thanks a lot ...



Proxy fail-over

2003-10-15 Thread Alex Chen
I tried to set the Radius server (0.9.1 on Red Hat 9) so it can do
proxy. I use the sql module for authentication (mysql).

I have two users, [EMAIL PROTECTED]' and 'alex_chen'. in the DB.

I set up proxy.conf like the following so that if the proxy server
192.168.1.12 fails, it will try to authenticate locally. (Following the
sample in proxy.conf for round-robin proxy.)

proxy server {
	synchronous = yes
	retry_delay = 5
	retry_count = 3
	dead_time = 120
	default_fallback = yes
	post_proxy_authorize = no
}

realm myhome.com {
	type     = radius
	authhost = 192.168.1.12:1812
	accthost = 192.168.1.12:1813
	secret   = testing123
}

#
# The fail-over server
#
realm myhome.com {
	type     = radius
	authhost = LOCAL
	accthost = LOCAL
}


But when I run the radius with -X flag, I got the following message:

..
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89
User-Name = "[EMAIL PROTECTED]"
User-Password = "alextest"
NAS-IP-Address = 192.168.2.1
NAS-Port = 1
NAS-Port-Id = "gateway"
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_eap: EAP-Message not found
  modcall[authorize]: module "eap" returns noop
rlm_realm: Looking up realm "myhome.com" for User-Name =
"[EMAIL PROTECTED]"
rlm_realm: Found realm "myhome.com"
rlm_realm: Adding Stripped-User-Name = "alex_chen"
rlm_realm: Proxying request from user alex_chen to realm myhome.com
rlm_realm: Adding Realm = "myhome.com"
rlm_realm: Preparing to proxy authentication request to realm
"myhome.com"
  modcall[authorize]: module "suffix" returns updated
radius_xlat:  'alex_chen'
...
...
modcall: group authorize returns updated
Sending Access-Request of id 1 to 192.168.1.12:1812
User-Name = "alex_chen"
User-Password = "alextest"
NAS-IP-Address = 192.168.2.1
NAS-Port = 1
NAS-Port-Id = "gateway"
Proxy-State = "228"
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89
Dropping conflicting packet from client localhost:1025 - ID: 228 due to
unfinished request 1
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 224 with timestamp 3f8de7df
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89
Dropping conflicting packet from client localhost:1025 - ID: 228 due to
unfinished request 1
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89
Dropping conflicting packet from client localhost:1025 - ID: 228 due to
unfinished request 1
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89
Dropping conflicting packet from client localhost:1025 - ID: 228 due to
unfinished request 1
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89
Dropping conflicting packet from client localhost:1025 - ID: 228 due to
unfinished request 1
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89
Dropping conflicting packet from client localhost:1025 - ID: 228 due to
unfinished request 1
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89
Dropping conflicting packet from client localhost:1025 - ID: 228 due to
unfinished request 1
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89
Dropping conflicting packet from client localhost:1025 - ID: 228 due to
unfinished request 1
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89
Dropping conflicting packet from client localhost:1025 - ID: 228 due to
unfinished request 1


On the client side, I got the following message. (I use radclient to send
the packets)

Sending User-Name = [EMAIL PROTECTED], User-Password = "alextest",
NAS-IP-Address = 192.168.2.1, NAS-Port = 1, NAS-Port-Id = gateway to
/usr/local/bin/radclient -S secret_file localhost auth
radclient: no response from server






- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Proxy where a single server is marked dead?

2003-10-14 Thread Josh Howlett
On Tue, 2003-10-14 at 15:22, Alan DeKok wrote:
> Josh Howlett <[EMAIL PROTECTED]> wrote:
> > My reading of the source suggests to me that it will get dropped
> > silently, but I would appreciate an educated opinion!
> 
>   Pretty much.  Sending a reject request may be friendlier, though.

Yes. It would be useful if this were implemented.

josh.

-- 
---
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]





Re: Proxy where a single server is marked dead?

2003-10-14 Thread Alan DeKok
Josh Howlett <[EMAIL PROTECTED]> wrote:
> My reading of the source suggests to me that it will get dropped
> silently, but I would appreciate an educated opinion!

  Pretty much.  Sending a reject request may be friendlier, though.

  Alan DeKok.



Re: Proxy where a single server is marked dead?

2003-10-14 Thread Josh Howlett
On Tue, 2003-10-14 at 12:18, Josh Howlett wrote:
> Can someone please briefly indicate the expected behaviour of FreeRADIUS
> where a realm has a single instance of a {auth|acct}host is specified,
> but this server has been marked dead owing to inactivity?
> 
> My reading of the source suggests to me that it will get dropped
> silently, but I would appreciate an educated opinion!

By "it" I mean a RADIUS packet that the proxy FreeRADIUS server has
received.

josh.

-- 
---
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]





Proxy where a single server is marked dead?

2003-10-14 Thread Josh Howlett
Can someone please briefly indicate the expected behaviour of FreeRADIUS
where a realm has a single instance of a {auth|acct}host is specified,
but this server has been marked dead owing to inactivity?

My reading of the source suggests to me that it will get dropped
silently, but I would appreciate an educated opinion!

best regards, josh.

-- 
---
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]



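To read the debug output in the "Proxy fail-over" post above (every retransmission from radclient on port 1025 with ID 228 is dropped as a "conflicting packet" because proxied request 1 is still waiting on 192.168.1.12) and to answer the question in this thread about a realm whose only home server is dead, here is a small Python model of a proxy's outstanding-request table and home-server health, driven by the proxy.conf knobs retry_delay, retry_count, dead_time and default_fallback. It is an added example, not FreeRADIUS code and not posted by anyone in the thread, and it simplifies what 0.9.x does (in particular it retransmits on its own timer and does not model synchronous = yes). The reject_when_dead knob is hypothetical and stands for the "friendlier" Access-Reject Alan DeKok mentions. Addresses, ports and IDs are taken from the debug output or constructed.

```python
"""Model of a RADIUS proxy's request table and home-server health.
Added example, not FreeRADIUS code; a simplification of 0.9.x behaviour."""
from dataclasses import dataclass
from itertools import cycle


@dataclass
class HomeServer:
    addr: str
    dead_until: float = 0.0          # skipped until this time (dead_time)

    def is_dead(self, now: float) -> bool:
        return now < self.dead_until


@dataclass
class Pending:
    home: HomeServer
    authenticator: bytes             # Request Authenticator of the client packet
    proxy_id: int                    # ID used on the proxy -> home server leg
    last_sent: float
    tries: int = 1


class Proxy:
    def __init__(self, homes, retry_delay=5, retry_count=3, dead_time=120,
                 default_fallback=True, reject_when_dead=False):
        self.homes = list(homes)
        self.rr = cycle(self.homes)              # ldflag = round_robin
        self.retry_delay, self.retry_count = retry_delay, retry_count
        self.dead_time, self.default_fallback = dead_time, default_fallback
        self.reject_when_dead = reject_when_dead  # hypothetical knob
        self.pending = {}                        # (src_ip, src_port, id) -> Pending
        self.next_proxy_id = 0
        self.events = []

    def _log(self, msg):
        self.events.append(msg)
        return msg

    def _pick_home(self, now):
        for _ in self.homes:                     # each server once, round-robin
            h = next(self.rr)
            if not h.is_dead(now):
                return h
        return None

    def _no_home(self, key):
        """Fate of a request when every home server for the realm is dead."""
        if self.default_fallback:
            return self._log(f"id={key[2]}: handle locally (default_fallback)")
        if self.reject_when_dead:
            return self._log(f"id={key[2]}: send Access-Reject, all home servers dead")
        return self._log(f"id={key[2]}: dropped silently, all home servers dead")

    def receive(self, src_ip, src_port, pkt_id, authenticator, now):
        """rad_recv: a packet from a NAS or from radclient."""
        key = (src_ip, src_port, pkt_id)
        p = self.pending.get(key)
        if p is not None:
            # Same ID and same authenticator: the client retransmitted.  Same ID
            # with a different authenticator: the client reused the ID too soon.
            kind = "retransmit" if p.authenticator == authenticator else "conflicting packet"
            return self._log(f"id={pkt_id}: drop {kind}, proxied request {p.proxy_id} unfinished")
        home = self._pick_home(now)
        if home is None:
            return self._no_home(key)
        p = Pending(home, authenticator, self.next_proxy_id, now)
        self.next_proxy_id += 1
        self.pending[key] = p
        return self._log(f"id={pkt_id}: proxied to {home.addr} as id {p.proxy_id}")

    def home_reply(self, proxy_id, now):
        """A reply from a home server for one of our proxied requests."""
        for key, p in list(self.pending.items()):
            if p.proxy_id == proxy_id:
                del self.pending[key]
                return self._log(f"id={key[2]}: reply from {p.home.addr}, forwarded to client")
        return self._log(f"proxy id {proxy_id}: unknown or late reply, ignored")

    def tick(self, now):
        """Timer pass ('Waking up in N seconds...'): retransmit or give up."""
        for key, p in list(self.pending.items()):
            if now - p.last_sent < self.retry_delay:
                continue
            if p.tries < self.retry_count:
                p.tries += 1
                p.last_sent = now
                self._log(f"id={key[2]}: re-sent to {p.home.addr} (try {p.tries})")
            else:
                p.home.dead_until = now + self.dead_time
                del self.pending[key]
                self._log(f"{p.home.addr}: marked dead until t={p.home.dead_until:g}")
                self._no_home(key)
        return self.events
```

Run the scenario from the thread by calling receive() at t=0 and again at t=3 with the same ID and authenticator, then tick() at t=5, 10 and 15: the retransmissions are dropped while request 0 is outstanding, and only after retry_count tries does the home server get marked dead and the request fall back to local handling, which is exactly the window in which radclient gives up with "no response from server". With default_fallback off and one dead server, the model drops the packet silently unless the hypothetical reject_when_dead is set.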


Re: Problems with proxy if TTLS is used

2003-10-09 Thread Alan DeKok
"Roman Janos" <[EMAIL PROTECTED]> wrote:
> Actually the question is other. Are there any plans to implement (or
> it is already implemented?) proxying functionality for EAP-TTLS
> tunneled authentication method (e.g. EAP-MD5,PAP,…) ?

  No.

> If not the TTLS implementation makes no sense.

  I disagree.

  If you care so much, then submit a patch to implement it.  If you're
not willing to submit a patch, or to pay someone else to write a
patch, then I guess you'll just have to wait for a patch.

  Alan DeKok.



RE: Problems with proxy if TTLS is used

2003-10-09 Thread Roman Janos
Actually the question is a different one. Are there any plans to implement (or is it
already implemented?) proxying functionality for the EAP-TTLS tunneled
authentication methods (e.g. EAP-MD5, PAP, ...)?

If not, the TTLS implementation makes no sense. I am speaking about the bindings
between the old authentication methods that can be deployed on whatever
legacy RADIUS server and the use of FREERADIUS as a proxy to take advantage
of security in shared media environments.

Please comment.

Regards

Roman

> -Original message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] on behalf of Alan DeKok
> Sent: 8 October 2003 19:06
> To: [EMAIL PROTECTED]
> Subject: Re: Problems with proxy if TTLS is used
>
>
> fastbyte <[EMAIL PROTECTED]> wrote:
> > Is there any plans to implement proxying for EAP/TTLS in near future?
>
>   No.
>
>   Alan DeKok.
>




Re: Problems with proxy if TTLS is used

2003-10-08 Thread Alan DeKok
fastbyte <[EMAIL PROTECTED]> wrote:
> Is there any plans to implement proxying for EAP/TTLS in near future?

  No.

  Alan DeKok.



Re: Accounting trouble + proxy

2003-10-08 Thread Thomas MARCHESSEAU
Hi Chris,

Chris Parker wrote:

> At 08:18 AM 10/8/2003, Thomas MARCHESSEAU wrote:
>
>> Hi all,
>>
>> I would like to know if there is a special trick to have "accthost"
>> working on freeradius 0.9.1 in proxy mode:
>> My accounting requests are not forwarded by the proxy to my radius
>> server.
>
> What modules do you have enabled in the 'preacct' stanza of your config?

oops, none :/
but now I have added "suffix", and it works fine
Thx

Thomas MARCHESSEAU

> -Chris






Re: Accounting trouble + proxy

2003-10-08 Thread Chris Parker
At 08:18 AM 10/8/2003, Thomas MARCHESSEAU wrote:
> Hi all,
>
> I would like to know if there is a special trick to have "accthost"
> working on freeradius 0.9.1 in proxy mode:
> My accounting requests are not forwarded by the proxy to my radius server.

What modules do you have enabled in the 'preacct' stanza of your config?

-Chris

--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net




Accounting trouble + proxy

2003-10-08 Thread Thomas MARCHESSEAU
Hi all,

I would like to know if there is a special trick to have "accthost"
working on freeradius 0.9.1 in proxy mode:
My accounting requests are not forwarded by the proxy to my radius server.

--- proxy.conf  (working fine on 0.8.1)
realm myrealm.net {
	type     = radius
	authhost = 172.16.129.4:1812
	accthost = 172.16.129.4:1813
	secret   = testing123
	ldflag   = round_robin
	nostrip
}
realm myrealm.net {
	type     = radius
	authhost = 172.16.129.5:1812
	accthost = 172.16.129.5:1813
	secret   = testing123
	ldflag   = round_robin
	nostrip
}
--- end

To have a functional accounting process, I'm using radrelay, but I
can't understand why it was working on freeradius 0.8.1 and not any more
on 0.9.x !!!

Specs:
2 Freeradius 0.9.1 proxies (sharing a VIP)
2 Freeradius servers
running on Woody.
Regards
Thomas MARCHESSEAU




Re: Proxy with PAP?

2003-10-08 Thread Masaru Yoshihama
On Tue, 07 Oct 2003 13:00:27 -0400
"Alan DeKok" <[EMAIL PROTECTED]> wrote:

> Masaru Yoshihama <[EMAIL PROTECTED]> wrote:
> > I boot up FreeRadius with debug mode and I try authenticate, But it 
> > always send "CHAP" Packets.
> 
>   No.  The NAS is sending the CHAP packets, and FreeRADIUS just
> proxies them as-is.

 Thank you for your suitable reply. I have tried it and confirmed its behaviour.
There is no problem when I send PAP auth.

> >  finally, I try to read src file (proxy.c) and it seemed to be
> > support only CHAP protocol(But i have no confidence).
> 
>   I have no clue how you decided that from reading proxy.c.  The
> server can proxy any authentication method used by the NAS.

Thank you  again.




Re: Problems with proxy if TTLS is used

2003-10-07 Thread fastbyte
Hello,

Is there any plans to implement proxying for EAP/TTLS in near future?

Sergio

Alan DeKok wrote:

> "Roman Janos" <[EMAIL PROTECTED]> wrote:
>
>> I try to make TTLS authentication. This works with PAP/EAP-MD5 in tunneled
>> mode, but only if the PAP/EAP-MD5 credentials
>> are on the same machine.
>> If I try to put the user credentials on another freeradius server and try to
>> make proxying work, it doesn't work any more.
>
>  The tunneled authentication request cannot currently be proxied to
> another server.
>
>  Alan DeKok.





Re: Problems with proxy if TTLS is used

2003-10-07 Thread Alan DeKok
"Roman Janos" <[EMAIL PROTECTED]> wrote:
> I try to make TTLS authentication. This works with PAP/EAP-MD5 in tunneled
> mode, but only if the PAP/EAP-MD5 credentials
> are on the same machine.
> 
> If I try to put the user credentials on another freeradius server and try to
> make proxying work, it doesn't work any more.

  The tunneled authentication request cannot currently be proxied to
another server.

  Alan DeKok.



Problems with proxy if TTLS is used

2003-10-07 Thread Roman Janos
Hi all,

I use the freeradius-snapshot-20031003 version of FREERADIUS for testing
EAP-TTLS with it.
I try to make TTLS authentication. This works with PAP/EAP-MD5 in tunneled
mode, but only if the PAP/EAP-MD5 credentials
are on the same machine.

If I try to put the user credentials on another freeradius server and try to
make proxying work, it doesn't work any more.
There seems to be a problem with proxying because no proxy request is sent to
the other radius server.

Below is a useful listing (end part with the error and proxy setting). On the
second RADIUS server the TTLS radius server is configured as a client.

Please help.

--
rad_recv: Access-Request packet from host 10.0.0.173:1645, id=44, length=237
User-Name = "anonymous"
Framed-MTU = 1400
Called-Station-Id = "0007.85b3.63ac"
Calling-Station-Id = "000b.5f63.c145"
Message-Authenticator = 0xcf583fe883a5aa08b4aeadbd25ba0764
EAP-Message =
0x020600571580004d1703010048a022a4a5787533a644314a6f27a481deea37b5269793
31f24828f73e5b0791d0a73115ba87baee9ba7011c1f3ea98a14e497e6961991099590a610e9
78f1b72f68ee7f9034d820ce
NAS-Port-Type = Virtual
NAS-Port = 497
State = 0xd6c081b0b2fbf275d73554a94fbab8e9
NAS-IP-Address = 10.0.0.173
NAS-Identifier = "System_room_5510_AP1200"
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  modcall[authorize]: module "chap" returns noop for request 5
  rlm_eap: EAP packet type response id 6 length 87
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 5
rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 5
  modcall[authorize]: module "mschap" returns noop for request 5
modcall: group authorize returns updated for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 5
  rlm_eap: Request found, released from the list
  rlm_eap: EAP_TYPE - ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  eaptls_process returned 7
  rlm_eap_ttls: Session established.  Proceeding to decode tunneled
attributes.
  TTLS: Got tunneled request
User-Name = "[EMAIL PROTECTED]"
User-Password = "kasslatter"
Freeradius-Proxied-To = 127.0.0.1
  TTLS: Sending tunneled request
User-Name = "[EMAIL PROTECTED]"
User-Password = "kasslatter"
Freeradius-Proxied-To = 127.0.0.1
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  modcall[authorize]: module "chap" returns noop for request 5
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 5
rlm_realm: Looking up realm "servprov.com" for User-Name =
"[EMAIL PROTECTED]"
    rlm_realm: Found realm "servprov.com"
rlm_realm: Adding Stripped-User-Name = "fritz"
rlm_realm: Proxying request from user fritz to realm servprov.com
rlm_realm: Adding Realm = "servprov.com"
rlm_realm: Preparing to proxy authentication request to realm
"servprov.com"
  modcall[authorize]: module "suffix" returns updated for request 5
  modcall[authorize]: module "mschap" returns noop for request 5
modcall: group authorize returns updated for request 5
  TTLS: Got tunneled reply RADIUS code 0
  TTLS: Rejecting tunneled user
 rlm_eap: Handler failed in EAP type 21
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 5
modcall: group authenticate returns invalid for request 5
auth: Failed to validate the user.
Delaying request 5 for 1 seconds
Finished request 5
Going to the next request



proxy.conf:

realm servprov.com {
type= radius
authhost= 10.0.0.20:1812
accthost= 10.0.0.20:1813
secret  = radius_proxy
strip
}

--

regards

Roman




Re: Proxy with PAP?

2003-10-07 Thread Alan DeKok
Masaru Yoshihama <[EMAIL PROTECTED]> wrote:
> I boot up FreeRadius with debug mode and I try authenticate, But it 
> always send "CHAP" Packets.

  No.  The NAS is sending the CHAP packets, and FreeRADIUS just
proxies them as-is.

>  finally, I try to read src file (proxy.c) and it seemed to be
> support only CHAP protocol(But i have no confidence).

  I have no clue how you decided that from reading proxy.c.  The
server can proxy any authentication method used by the NAS.

> Q. Does FreeRadius support proxy setting with PAP authentication?

  Yes, if the NAS sends RADIUS requests with PAP passwords.

  Alan DeKok.



Re: Problem with Proxy

2003-10-07 Thread Chris van Meerendonk
Allen,

You could try to put the following in the users file:
DEFAULT Realm =~ "\.us$", Proxy-To-Realm += "us"
DEFAULT Realm =~ "\.jp$", Proxy-To-Realm += "jp"

In proxy.conf you can put something like:
realm us {
type= radius
authhost= 123.123.234.234:1812
accthost= 123.123.234.234:1813
secret  = authkey
nostrip
}

realm jp {
type= radius
authhost= 123.123.234.235:1812
accthost= 123.123.234.235:1813
secret  = authkey
nostrip
}

Chris

On Mon, 2003-10-06 at 07:12, Allen Chung wrote:
> Hello~
>  
> I have a question about Proxy.
>  
> I would like to 
>  
> 1.proxy realms which end with ".us" to serverATus.
> 2. proxy realm which end with ".jp" to serverATjp.
>  
> What should I define in the proxy.conf  ?
>  
> Thanks a lot ...


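As an added example (not FreeRADIUS code, and not from any poster in this thread), the following Python models the realm selection that the users-file trick above relies on, and the realmslash/suffix ordering question that comes up further down this page: the suffix and prefix instances of the realm module, the NULL and DEFAULT lookups, strip versus nostrip, first-module-wins on Proxy-To-Realm, and users-file rules that match a regex against the Realm attribute. The model assumes that DEFAULT is the catch-all for any lookup with no exact match (NULL included), that a realm whose authhost is LOCAL still sets Realm and Stripped-User-Name but not Proxy-To-Realm, and that the suffix delimiter is taken from its last occurrence; confirm these against the "rlm_realm:" lines of your own server's debug output before relying on them. The "us" and "jp" hosts are the ones in the reply above; the 192.0.2.x addresses standing in for "radius B" and "radius C" are documentation addresses.

```python
"""Model of realm selection on a FreeRADIUS-style proxy.
Added example, not FreeRADIUS code; the assumptions are listed in the lead-in."""
import re

LOCAL = "LOCAL"


def split_name(username, fmt, delim):
    """suffix: user@realm -> ('user', 'realm'); prefix: realm/user -> ('user', 'realm').
    Returns (username, None) when the delimiter is absent."""
    if fmt == "suffix":
        i = username.rfind(delim)                      # assumption: last occurrence
        return (username, None) if i < 0 else (username[:i], username[i + 1:])
    i = username.find(delim)
    return (username, None) if i < 0 else (username[i + 1:], username[:i])


def find_realm(realms, name):
    """Case-insensitive exact match, else the DEFAULT realm if one is configured."""
    for rname, cfg in realms.items():
        if rname.upper() != "DEFAULT" and rname.lower() == name.lower():
            return rname, cfg
    for rname, cfg in realms.items():
        if rname.upper() == "DEFAULT":
            return rname, cfg
    return None, None


def realm_module(request, realms, fmt="suffix", delim="@"):
    """One instance of the realm module (suffix or realmslash).  Mutates the
    request (a dict of attributes) and returns the module's return code."""
    if "Proxy-To-Realm" in request:
        return "noop"                                  # an earlier instance decided
    user, realm_text = split_name(request["User-Name"], fmt, delim)
    lookup = "NULL" if realm_text is None else realm_text
    rname, cfg = find_realm(realms, lookup)
    if cfg is None:
        return "noop"                                  # "No such realm": handled locally
    request["Realm"] = lookup
    if not cfg.get("nostrip"):
        request["Stripped-User-Name"] = user           # what the home server will see
    if cfg["authhost"] == LOCAL:
        return "ok"                                    # local realm: no proxying
    request["Proxy-To-Realm"] = rname
    return "updated"


def users_rules(request, rules):
    """users-file style entries: (regex on the Realm attribute, realm to proxy to).
    They can only fire if some realm module already set Realm."""
    realm = request.get("Realm")
    if realm is None:
        return "noop"
    for pattern, target in rules:
        if re.search(pattern, realm):
            request["Proxy-To-Realm"] = target
            return "updated"
    return "noop"


def authorize(username, realms, modules, rules=()):
    """Run the realm module instances in the configured order, then the users rules."""
    request = {"User-Name": username}
    for fmt, delim in modules:
        realm_module(request, realms, fmt, delim)
    users_rules(request, rules)
    return request


# Constructed configuration for the ".us"/".jp" routing from the reply above.
REALMS_SUFFIX_RULES = {
    "us": {"authhost": "123.123.234.234:1812", "nostrip": True},
    "jp": {"authhost": "123.123.234.235:1812", "nostrip": True},
    "DEFAULT": {"authhost": LOCAL},            # needed so that Realm gets set at all
}
SUFFIX_RULES = [(r"\.us$", "us"), (r"\.jp$", "jp")]

# Constructed configuration for the realmslash-then-suffix question further down.
REALMS_PREFIX_AND_SUFFIX = {
    "NULL": {"authhost": LOCAL},
    "abc": {"authhost": "192.0.2.2:1645", "nostrip": True},       # "radius B"
    "DEFAULT": {"authhost": "192.0.2.3:1645", "nostrip": True},   # "radius C"
}
```

Two things the model makes visible. First, a users-file rule on Realm can only fire when some realm matched first (here DEFAULT with authhost LOCAL), because otherwise the Realm attribute never exists. Second, whether the user name is stripped is decided by the realm that matched, not by the realm the rule finally proxies to, so nostrip on "us" has no effect when DEFAULT did the matching. Running the prefix instance before the suffix instance routes "abc/user@domain.net" by its prefix; the reverse order hands it to DEFAULT before realmslash ever runs.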


Proxy with PAP?

2003-10-06 Thread Masaru Yoshihama
Hello all.

I have some problems with Freeradius-0.9.1 and a proxy setting.
I have some companies who provide each other's AccessPoints by a roaming setting.
Almost all of the companies are working pretty well, but only one is a problem.

This Admin says his radius server is a little old and it only supports PAP
authentication. So I read the documentation and tried some settings, but I can't solve it.

I had tried to add the line below in the users file

|DEFAULT Suffix == "@sample.roaming.net", Auth-Type := PAP

I had tried some settings in "proxy.conf" and other settings I can imagine.
I boot up FreeRadius in debug mode and try to authenticate, but it
always sends "CHAP" packets. Finally, I tried to read the source file (proxy.c) and
it seemed to support only the CHAP protocol (but I have no confidence).
Would someone advise me?

Q. Does FreeRadius support a proxy setting with PAP authentication?
Q. If it supports PAP, would you tell me where to find information?
   (URL or document name is useful)

|I can imagine, proxy with PAP via the internet is very dangerous.
|But they say they need it.

-- 
---
masaru yoshihama

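The remark above that PAP through a proxy over the internet is dangerous deserves spelling out, and Alan DeKok's reply that the proxy forwards what the NAS sends "as-is" holds for the attribute list but not for the User-Password octets. The following Python is an added example, not FreeRADIUS code and not anything posted in this thread: it implements the RFC 2865 section 5.2 password hiding (MD5 over the shared secret and the Request Authenticator, XORed into the password in 16-octet blocks), then the rewrite a proxy must perform before forwarding to a realm with a different secret: unhide under the NAS secret, re-hide under the home server's secret with a fresh authenticator, and append Proxy-State carrying the original ID (the 'Proxy-State = "228"' line in the debug output above). The consequence is that every RADIUS proxy on the path holds the PAP password in the clear, and anyone who learns a shared secret, or can guess it offline from captured packets, can unmask every password on that hop. Secrets, authenticators, packet ID, NAS address and attribute values below are constructed; the user name is assembled from the Stripped-User-Name and realm in the debug output.

```python
"""RFC 2865 User-Password hiding, and the rewrite a proxy performs on it.
Added example, not FreeRADIUS code; all secrets and values are constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
# Attribute types from RFC 2865
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, PROXY_STATE = 1, 2, 4, 33


def md5_digest(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad with NULs to 16-octet blocks, then
    c(i) = p(i) XOR MD5(secret + c(i-1)), with c(0) = Request Authenticator.
    The mask depends only on the secret and the authenticator, so this is
    obfuscation against casual sniffing, not encryption."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    blocks = max(1, -(-len(password) // 16))           # at least one block
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = md5_digest(secret + prev)
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the NUL padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = md5_digest(secret + prev)
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """[(type, value bytes), ...] -> RFC 2865 type/length/value encoding."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(pkt_id: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(body))
    return header + authenticator + body


def parse_packet(pkt: bytes):
    code, pkt_id, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad packet length")
    return code, pkt_id, pkt[4:20], decode_attrs(pkt[20:])


def proxy_rewrite(pkt: bytes, nas_secret: bytes, home_secret: bytes,
                  proxy_id: int, rng=os.urandom) -> bytes:
    """Rewrite an Access-Request for the proxy -> home server hop.
    The NAS secret only covers the NAS -> proxy hop, so User-Password is
    unhidden with it and hidden again under the home server's secret and a
    fresh Request Authenticator: the proxy necessarily holds the cleartext.
    The client's ID travels in Proxy-State so the reply can be matched."""
    _, orig_id, orig_auth, attrs = parse_packet(pkt)
    new_auth = rng(16)
    new_attrs = []
    for t, v in attrs:
        if t == USER_PASSWORD:
            v = hide_password(reveal_password(v, nas_secret, orig_auth),
                              home_secret, new_auth)
        new_attrs.append((t, v))
    new_attrs.append((PROXY_STATE, str(orig_id).encode()))
    return build_access_request(proxy_id, new_auth, new_attrs)
```

Build a packet with build_access_request(), pass it through proxy_rewrite() with two different secrets, and reveal_password() on the result only succeeds with the home server's secret and the new authenticator: that is the re-keying FreeRADIUS performs internally when it proxies, and it is why "PAP via the internet" exposes passwords to every intermediate proxy operator and to anyone who compromises a shared secret.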


Problem with Proxy

2003-10-05 Thread Allen Chung



Hello~

    I have a question about Proxy.

    I would like to

        1. proxy realms which end with ".us" to serverATus.
        2. proxy realms which end with ".jp" to serverATjp.

    What should I define in the proxy.conf?

        Thanks a lot ...


Re: Proxy Issue

2003-09-30 Thread Alan DeKok
"Ivan Meic" <[EMAIL PROTECTED]> wrote:
> I'm not using a 'round robin' method, so I really
> was expecting that it will send accounting packets to
> all servers specified in the list.

  That isn't the way it's intended to work.

> Ok, I can understand how to use radrelay, but than I have another problem.
> I have around 50 different gateways sending the accounting data to this
> radius server.
> Each gateway has it's own radacct sub-directory. Do I need to keep running
> 50 different instances of radrelay, or is there a more convenient way ?

  For now, you run 50 copies.  It's ugly, but it works.

  With a few code patches, it should be possible to run one copy of
radrelay, which would read 50 files.  But that does require source
code patches.

  Alan DeKok.



works with a ppphint, but how to insert this into my proxy for someone?

2003-09-30 Thread John Keimel
I am proxying auth from my server (freeradius, .8.1) to another server
(cistron radius) and when running radtest, I can only get correct
answers if I add the '1' to radtest to turn the Framed-Protocol = PPP on

How do I insert that into a auth request on the regular proxy? Or,
should I just have the other server correct itself in some manner? 

Examples of my radtesting are below, names are changed to protect the
guilty.

THIS ONE FAILS: 

$ radtest [EMAIL PROTECTED] userpass localhost 1 testing123 
Sending Access-Request of id 142 to 127.0.0.1:1812
User-Name = "[EMAIL PROTECTED]"
User-Password = "e\024c\311\221cN\226\245\302HO\261\n+a"
NAS-IP-Address = auth-1.myhost.com
NAS-Port = 1
Re-sending Access-Request of id 142 to 127.0.0.1:1812
User-Name = "[EMAIL PROTECTED]"
User-Password = "e\024c\311\221cN\226\245\302HO\261\n+a"
NAS-IP-Address = auth-1.myhost.com
NAS-Port = 1
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=142,
length=20

THIS ONE WORKS

$ radtest [EMAIL PROTECTED] userpass localhost 1 testing123  1
Sending Access-Request of id 186 to 127.0.0.1:1812
User-Name = "[EMAIL PROTECTED]"
User-Password = "\035~\275RG\314Y9\327\2607\276;D\371\016"
NAS-IP-Address = auth-1.myhost.com
NAS-Port = 1
Framed-Protocol = PPP
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=186,
length=56
Framed-IP-Netmask = 255.255.255.0
Framed-MTU = 576
Session-Timeout = 14400
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP


My proxy stanza for this looks something like:

realm   domain.net {
type= radius
authhost= 192.168.1.1:1812
accthost= 192.168.1.1:1813
secret  = supersecret
nostrip
}


Thank you. 

j
-- 

==
+ It's simply not   | John Keimel+
+ RFC1149 compliant!| [EMAIL PROTECTED]+
+   | http://www.keimel.com  +
==



RE: Proxy Issue

2003-09-29 Thread Ivan Meic
"Alan DeKok" <[EMAIL PROTECTED]> wrote:

>  Huh?  You have *two* NULL realms, and two DEFAULT realms?  I don't
>expect that to work at all.
>
>  In fact, it's intended to NOT work.
>

:) I can guarantee to you that it is working.
I'm not using a 'round robin' method, so I really
was expecting that it will send accounting packets to
all servers specified in the list.

> > In this case it works fine, but if I want to proxy it
> > to one additional server it doesn't work.
> > The proxy only sends the accounting data to the first server on the list
> > and leaves one copy for itself.
>
>  See 'radrelay'.  It's designed to copy requests to another server.

Ok, I can understand how to use radrelay, but then I have another problem.
I have around 50 different gateways sending the accounting data to this
radius server.
Each gateway has its own radacct sub-directory. Do I need to keep running
50 different instances of radrelay, or is there a more convenient way?
(Possibly make all gateways write to one detail file?)

Thanks in advance.

Regards,
Ivan Meic





Re: Proxy Issue

2003-09-26 Thread Alan DeKok
"Ivan Meic" <[EMAIL PROTECTED]> wrote:
> Also I'm using proxy features to be able to send the accounting data
> to one more server, just to have another copy.

  Ok..

> realm NULL {
>type= radius
>authhost= 80.253.170.52:1812
>accthost= 80.253.170.52:1813
>secret  = rad213bmf
> }
> realm NULL {
>type= radius
>authhost= LOCAL 
>accthost= LOCAL 
> }

  Huh?  You have *two* NULL realms, and two DEFAULT realms?  I don't
expect that to work at all.

  In fact, it's intended to NOT work.

> In this case it works fine, but if I want to proxy it 
> to one additional server it doesn't work.
> The proxy only sends the accounting data to the first server on the list
> and leaves one copy for itself.

  See 'radrelay'.  It's designed to copy requests to another server.

  Alan DeKok.



Proxy Issue

2003-09-26 Thread Ivan Meic
Hi,

I'm using FreeRADIUS v0.8.1 on RedHat 7.1.
I'm using it strictly for accounting purposes with
MySQL running in the background.

Also I'm using proxy features to be able to send the accounting data
to one more server, just to have another copy.
--- proxy.conf ---
proxy server {
synchronous = no
retry_delay = 5
retry_count = 10
dead_time = 120
servers_per_realm = 15
default_fallback = yes
}
realm NULL {
   type= radius
   authhost= 80.253.170.52:1812
   accthost= 80.253.170.52:1813
   secret  = rad213bmf
}
realm NULL {
   type= radius
   authhost= LOCAL 
   accthost= LOCAL 
}
realm DEFAULT {
   type= radius
   authhost= 80.253.170.52:1812
   accthost= 80.253.170.52:1813
   secret  = rad213bmf  
}
realm DEFAULT {
   type= radius
   authhost= LOCAL 
   accthost= LOCAL
}

In this case it works fine, but if I want to proxy it 
to one additional server it doesn't work.
The proxy only sends the accounting data to the first server on the list
and leaves one copy for itself.

Why is this happening ? What can I do regarding this issue ?

Thanks in advance.

Regards,
Ivan Meic
 




Proxy based on NAS-IP-Address / Client-IP-Address or NAS-Identifier

2003-09-17 Thread Pavlos Demosthenous
Currently using freeradius-0.9.1 running over FreeBSD v4.8.

Is it possible to do proxy authentication and accounting based on
NAS-IP-Address / Client-IP-Address or NAS-Identifier instead of realms?

Regards


Proxy (accounting) based on any attribute!!

2003-09-15 Thread Pavlos Demosthenous
I read in the freeradius specification that it is capable of doing proxy
authentication and/or accounting forwarding based on any attribute.
Traditionally, Proxy was only applicable through Realms/Suffixes.

Suppose I want to do accounting forwarding based on NAS-IP address, how
would I do so?
What files do I have to modify? Do I need to compile any modules?

Regards.


Combining proxy and remote radius

2003-09-15 Thread Zoilo
Can I use a combination of a (local) radius proxy and a (remote) radius 
server?

Whenever a client tries to authenticate himself:
=> I first want to check against a local radius-server
=> if that failed, I want to check with a remote radius server instead.
I am not looking for local caching, the two databases are entirely 
different.

Of course, I can implement this using a script with two separate NAS 
calls, one to the local server, followed by one to the remote server if 
the first one failed.

But is there a more elegant way?

Z.





Proxy Auth

2003-09-06 Thread Brandilis
Hello,

I would like freeradius to accept both user & [EMAIL PROTECTED] for valid
authentication via an access server.  I have tried to do this via proxy
realms, but cannot seem to get it working.  I get the following error:

Thread 5 handling request 4, (1 handled so far)
NAS-IP-Address = x.x.x.x
NAS-Port = 163
Attr-589826 = 0x7474723423633
NAS-Port-Type = Async
User-Name = "[EMAIL PROTECTED]"
Called-Station-Id = "x"
Calling-Station-Id = "x"
User-Password = "password"
rad_lowerpair:  User-Name now '[EMAIL PROTECTED]'
rad_rmspace_pair:  User-Name now '[EMAIL PROTECTED]'
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module "chap" returns noop
  modcall[authorize]: module "files" returns notfound
modcall: group authorize returns ok
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/password] (from client nas-as5300 port
163 cli x)

Does anyone have any pointers?


Thanks,


Brandilis




Re: proxy/realm stripping question

2003-08-23 Thread Thor Spruyt
> I am going to get the following data from a user:
>
> [EMAIL PROTECTED]
>
> I need to parse off bar.com and have Freeradius pass [EMAIL PROTECTED] to the
> proper radius server for auth.

Well, I don't know much about proxying yet, but maybe you can manage to
change the username into [EMAIL PROTECTED]@bar.com, which might be easier to
process.

Thor.




RE: proxy/realm stripping question

2003-08-22 Thread Paul Hampson
> From: Erik Denny
> Sent: Saturday, 23 August 2003 2:24 PM

> I'm running .8 on Redhat 7.3, on a machine that is essentially acting as a 
> radius server traffic cop.
> 
> I am going to get the following data from a user:
> 
> [EMAIL PROTECTED]
> 
> I need to parse off bar.com and have Freeradius pass [EMAIL PROTECTED] to the 
> proper radius server for auth.

> Now, we ALSO will be getting requests for simply [EMAIL PROTECTED] as well.
> So, I have to have rules for both scenarios.

> I want them both to exist and work, is that possible?

If you're just looking to strip bar.com, have a look at the
rewrite module. Make it run before the realm module.

As long as you don't need to differentiate between @foo.com.bar.com
and @foo.com

--
=
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

This is a one line proof...if we start
sufficiently far to the left.
-- Cambridge University Math Department
-
Random signature generator 3.0 by Paul "TBBle" Hampson
=




proxy/realm stripping question

2003-08-22 Thread Erik Denny

I'm running .8 on Redhat 7.3, on a machine that is essentially acting as a 
radius server traffic cop.

I am going to get the following data from a user:

[EMAIL PROTECTED]

I need to parse off bar.com and have Freeradius pass [EMAIL PROTECTED] to the 
proper radius server for auth.

I've fiddled with changing the order in radiusd.conf.

Currently, in the "Realm Module", the order is @ . / and %

Obviously, the packet comes in, it sees the @ as the delimiter, and it 
sucks off foo.com.bar.com and then has to figure out what to do with user.

Now, we ALSO will be getting requests for simply [EMAIL PROTECTED] as well.  
So, I have to have rules for both scenarios.

If I change the order so . is first, nothing works because it wants to 
strip each segment of the realm.

I want them both to exist and work, is that possible?

Or have I just succeeded in confusing people? :)

..erik




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


FR 0.8.1 Radius Proxy

2003-08-17 Thread chenshu

Hi,

I have one FR 0.8.1 running as a Radius Proxy (radius A).
I get 3 kinds of auth packet from one NAS:
(1) userid
(2) abc/[EMAIL PROTECTED]
(3) [EMAIL PROTECTED]

 I would like to auth case (1) locally (radius A),
  case (2) should be fwd to radius B,
 case (3) should be fwd to radius C.

 So I config my proxy.conf in Radius A:

 realm Null {
     type = radius
     authhost = LOCAL:1645
     accthost = LOCAL:1646
 }

 realm abc {
     type = radius
     authhost = radius B:1645
     accthost = radius B:1646
     secret
     nostrip
 }

 realm DEFAULT {
     type = radius
     authhost = radius C:1645
     accthost = radius C:1646
     secret
     nostrip
 }

 My radiusd.conf:

 authorize {
     preprocess
 #   counter
 #   attr_filter
     realmslash
     suffix
     files
 }

 The problem I have is that Radius A always treats case (1) and case (3) as realm = Null,
 so case (3) cannot be properly proxied to Radius C.
 It seems "suffix" does not work; only "realmslash" works.

Can anybody help me look at it and tell me how to config my Radius Proxy (radius A)?

Thks,

 ChenShu



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
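Erik's question above (strip bar.com from [EMAIL PROTECTED] with the rewrite module before the realm module, as Paul suggests) and chenshu's report that case (1) and case (3) both end up in the Null realm come down to how successive rlm_realm instances choose a realm, so here is an added example, written for this page and not FreeRADIUS code, that models that in C. It assumes two rules that, to my reading, rlm_realm of the 0.8/0.9 series follows: a User-Name without the instance's delimiter is looked up as the NULL realm, and a later instance does nothing once an earlier one has set Realm; an unknown realm falls back to DEFAULT. The realm tables mirror chenshu's proxy.conf with placeholder server names (radiusB, radiusC and radiusFoo are assumptions), strip_parent_domain stands in for the rewrite step, and the foo.com realm is hypothetical.

```c
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *name;    /* "NULL", "DEFAULT", or a realm name from proxy.conf */
    const char *server;  /* "LOCAL" or a home server (placeholder names here) */
    int nostrip;
} realm_t;

typedef struct {
    char user[128];        /* User-Name as it would be forwarded */
    const realm_t *realm;  /* set by the first rlm_realm instance that matches */
} request_t;

#define COUNT(a) (sizeof (a) / sizeof *(a))

static const realm_t *realm_find(const realm_t *tab, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(tab[i].name, name) == 0) return &tab[i];
    return NULL;
}

/* One rlm_realm instance: '/' is the prefix form (realmslash), any other delimiter
 * the suffix form (suffix).  Assumed rules: a later instance is a no-op once Realm
 * is set; no delimiter means the NULL realm; an unknown realm falls back to DEFAULT. */
static void realm_module(request_t *req, char delim, const realm_t *tab, size_t n)
{
    char buf[128], *p, *realmname = NULL, *username = buf;
    const realm_t *r;

    if (req->realm) return;
    snprintf(buf, sizeof buf, "%s", req->user);
    if (delim == '/') {
        if ((p = strchr(buf, '/'))) { *p = '\0'; realmname = buf; username = p + 1; }
    } else {
        if ((p = strrchr(buf, delim))) { *p = '\0'; realmname = p + 1; }
    }
    if (!p) {
        r = realm_find(tab, n, "NULL");
    } else {
        r = realm_find(tab, n, realmname);
        if (!r) r = realm_find(tab, n, "DEFAULT");
        if (r && !r->nostrip) snprintf(req->user, sizeof req->user, "%s", username);
    }
    req->realm = r;
}

/* Run the instances in authorize order, e.g. "/@" = realmslash then suffix. */
static request_t run(const char *user, const char *order, const realm_t *tab, size_t n)
{
    request_t req = { "", NULL };
    snprintf(req.user, sizeof req.user, "%s", user);
    for (; *order; order++) realm_module(&req, *order, tab, n);
    return req;
}

/* "(none)" means no realm matched, so the request is handled locally. */
static const char *realm_name(const request_t *r) { return r->realm ? r->realm->name : "(none)"; }

/* chenshu's proxy.conf as posted, and the same table without the NULL realm. */
static const realm_t with_null[]    = { {"NULL", "LOCAL", 0}, {"abc", "radiusB", 1}, {"DEFAULT", "radiusC", 1} };
static const realm_t without_null[] = { {"abc", "radiusB", 1}, {"DEFAULT", "radiusC", 1} };

const char *chenshu(const char *user, const char *order, int keep_null_realm)
{
    request_t req = keep_null_realm ? run(user, order, with_null, COUNT(with_null))
                                    : run(user, order, without_null, COUNT(without_null));
    return realm_name(&req);
}

/* Erik's case: Paul's rewrite step, modelled as dropping a fixed parent domain
 * from the end of the name, followed by a hypothetical nostrip realm foo.com. */
void strip_parent_domain(char *user, const char *parent)
{
    size_t ul = strlen(user), pl = strlen(parent);
    char *at = strrchr(user, '@');
    if (at && ul > pl && at < user + ul - pl && strcmp(user + ul - pl, parent) == 0)
        user[ul - pl] = '\0';
}

static const realm_t erik[] = { {"foo.com", "radiusFoo", 1} };

static request_t erik_run(const char *in)
{
    char buf[128];
    snprintf(buf, sizeof buf, "%s", in);
    strip_parent_domain(buf, ".bar.com");
    return run(buf, "@", erik, COUNT(erik));
}

const char *erik_realm(const char *in) { request_t r = erik_run(in); return realm_name(&r); }
int erik_user_is(const char *in, const char *expect) { request_t r = erik_run(in); return strcmp(r.user, expect) == 0; }

int main(void)
{
    printf("user@xyz, Null kept:     %s\n", chenshu("user@xyz", "/@", 1));       /* NULL: the symptom */
    printf("user@xyz, Null removed:  %s\n", chenshu("user@xyz", "/@", 0));       /* DEFAULT */
    printf("abc/user@xyz, @ first:   %s\n", chenshu("abc/user@xyz", "@/", 0));   /* DEFAULT: wrong server */
    printf("user@foo.com.bar.com ->  %s\n", erik_realm("user@foo.com.bar.com")); /* foo.com */
    return 0;
}
```

Run as is, the model reproduces the posted symptom: with a NULL realm configured, realmslash runs first, finds no '/', matches NULL, and suffix never gets a turn, so user@xyz stays local. Swapping the two instances is not the fix, because abc/user@xyz then hits the suffix instance first and is sent to DEFAULT; dropping the NULL realm routes all three cases as intended, since a name that matches no realm is handled locally anyway. For Erik's case the model also shows Paul's caveat: once the rewrite has run, [EMAIL PROTECTED] and [EMAIL PROTECTED] are indistinguishable.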


Sample config on Redhat with proxy

2003-08-14 Thread Dick Lau



Hi All,
 
I'm trying the radius server for the first time. May I ask if someone can post 
a freeradius on redhat sample here? Or where can I find a detailed study 
manual?
 
Thanks


Re: Sample config on Redhat with proxy

2003-08-14 Thread Michael Kearey
Dick Lau wrote:
> Hi All,
>  
> I'm trying the radius server for the first time. May I ask if someone can post 
> a freeradius on redhat sample here? Or where can I find a detailed study manual?
>  
> Thanks

I found this
http://people.redhat.com/twoerner/SRPMS/freeradius-0.8.1-6.src.rpm

It's handy, though it is not an up-to-date version. You could use the rpm
as the base for a build from new source.

Cheers,
Michael


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Pre-proxy attr_filter?

2003-08-14 Thread Alan DeKok
Chris van Meerendonk <[EMAIL PROTECTED]> wrote:
> Is it possible to filter attributes that are sent by using radius proxy
> to the home-server? Something like attr_filter in the pre-proxy stage?

  If attr_filter doesn't already have a pre-proxy stage, it should be
~2 minutes to add one.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Pre-proxy attr_filter?

2003-08-14 Thread Chris van Meerendonk
Hi Chris,

I'm having problems finding your mail in the mailinglist history. It
could be too warm here to think about a good keyword to search for...
Can you post it again please? 

Thanks,

Chris

On Fri, 2003-08-08 at 16:28, Chris Brotsos wrote:
> At 09:15 AM 8/8/2003, you wrote:
> >On Fri, 2003-08-08 at 15:48, Alan DeKok wrote:
> > > Chris van Meerendonk <[EMAIL PROTECTED]> wrote:
> > > > Is it possible to filter attributes that are sent by using radius proxy
> > > > to the home-server? Something like attr_filter in the pre-proxy stage?
> > >
> > >   If attr_filter doesn't already have a pre-proxy stage, it should be
> > > ~2 minutes to add one.
> >With freeradius 0.9.0 it says:
> >radiusd.conf: "attr_filter" modules aren't allowed in 'pre-proxy'
> >sections -- they have no such method.
> >
> >I've found the relevant code, will probably be ~2 hours to add (Sorry,
> >I'm not that quick ;-) I'll give it a try.
> 
> A while ago, I sent somebody on the list the post-proxy function for 
> rlm_attr_filter. Take a look at what I changed, and you'll see that it is 
> probably nothing more than taking the authorize function and modifying what 
> reply_items points to for creating a valid pre-proxy function. The only 
> semi-tricky mod to attr_filter was making an accounting function ;o).
> 
> HTH,
> 
> Chris Brotsos
> 
> 
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


FR 0.8.1 Radius Proxy

2003-08-14 Thread chenshu
I have one FR 0.8.1 running as a Radius Proxy (radius A).
I get 3 kinds of auth packet from one NAS:
(1) userid
(2) abc/[EMAIL PROTECTED]
(3) [EMAIL PROTECTED]

I would like to auth case (1) locally (radius A),
 case (2) should be fwd to radius B,
case (3) should be fwd to radius C.

So I config my proxy.conf:

realm Null {
    type = radius
    authhost = LOCAL:1645
    accthost = LOCAL:1646
}

realm abc {
    type = radius
    authhost = radius B:1645
    accthost = radius B:1646
    secret
    nostrip
}

realm DEFAULT {
    type = radius
    authhost = radius C:1645
    accthost = radius C:1646
    secret
    nostrip
}

My radiusd.conf:

authorize {
    preprocess
#   counter
#   attr_filter
    realmslash
    suffix
    files
}

The problem I have is that Radius A always treats case (1) and case (3) as realm = Null,
so case (3) cannot be properly proxied to Radius C.
It seems "suffix" does not work; only "realmslash" works.

Does anyone have a suggestion on how to config my Radius Proxy (radius A)?

Thks,

ChenShu


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Pre-proxy attr_filter?

2003-08-14 Thread Chris Brotsos
At 08:06 AM 8/11/2003, you wrote:
> On Fri, 2003-08-08 at 15:48, Alan DeKok wrote:
> > Chris van Meerendonk <[EMAIL PROTECTED]> wrote:
> > > Is it possible to filter attributes that are sent by using radius proxy
> > > to the home-server? Something like attr_filter in the pre-proxy stage?
> >
> >   If attr_filter doesn't already have a pre-proxy stage, it should be
> > ~2 minutes to add one.
> I'm doing something terribly wrong. Can you help me out? I've copied the
> attr_filter_authorize routine and renamed it to attr_filter_preproxy.
> Debug shows it is passing the routine. Also I put in some extra DEBUG2
> lines to verify. It finds the correct realm, compares the entries
> against the entries in the users file instead of the data coming from
> the NAS. Probably as a result of this, the data is passed whatever the
> results of the check are.
> Can you give me a hint what I'm doing wrong? (Your 2-minute patch would
> be great also ;-)
I sent the post-proxy patch...you probably hadn't received it by the time 
you sent this.

I included a patch this time with the post-proxy() and accounting() 
functions. Pay attention to the accounting function as it will mirror what 
you are trying to do (unlike authorize()). rlm_attr_filter was not really 
made to work on the VPS coming back from the NAS (it was intended to work 
on VPS going to the NAS), so copying the authorize() function is not going 
to do what you wanted.

The module will work on whichever pairs you tell it to. So, for example, 
you probably have reply_items = &request->reply->vps. The attributes from 
the NAS are not in request->reply->vps, but the attributes added from 
rlm_files or rlm_fastusers are.

If you are trying to modify the NAS VPs, then you need to work with the 
request->packet->vps. So I go through a loop,

for (send_item = request_pairs...) {

    while (check) {

    }
    if (fail == 0 && pass > 0) {
        mypairappend(send_item, &send_tmp);
    }
}
pairfree(&request->packet->vps);
request->packet->vps = send_tmp;
HTH,

Chris Brotsos

> Thanks,
> 
> Chris
> 
> >   Alan DeKok.
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Index: rlm_attr_filter.c
===
RCS file: /source/radiusd/src/modules/rlm_attr_filter/rlm_attr_filter.c,v
retrieving revision 1.13
diff -u -r1.13 rlm_attr_filter.c
--- rlm_attr_filter.c   7 Jul 2003 19:04:05 -   1.13
+++ rlm_attr_filter.c   11 Aug 2003 13:21:51 -
@@ -3,7 +3,7 @@
  *  before sending reply to the NAS/Server that sent
  *  it to us.
  *
- * Version:  $Id: rlm_attr_filter.c,v 1.13 2003/07/07 19:04:05 aland Exp $
+ * Version:  $Id: rlm_attr_filter.c,v 1.12 2002/08/24 16:54:56 aland Exp $
  *
  *   This program is is free software; you can redistribute it and/or modify
  *   it under the terms of the GNU General Public License, version 2 if the
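
Review bot: this hunk moves the `$Id` keyword backwards, from 1.13 (2003/07/07) to 1.12 (2002/08/24), which says the diff was taken against an old checkout rather than current CVS. CVS rewrites `$Id$` on commit, so drop this hunk and regenerate the patch against 1.13 so the functional hunks are known to apply cleanly.
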
@@ -41,7 +41,7 @@
 #include   "radiusd.h"
 #include   "modules.h"
 
-static const char rcsid[] = "$Id: rlm_attr_filter.c,v 1.13 2003/07/07 19:04:05 aland 
Exp $";
+static const char rcsid[] = "$Id: rlm_attr_filter.c,v 1.12 2002/08/24 16:54:56 aland 
Exp $";
 
 struct attr_filter_instance {
 
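
Review bot: same stale-checkout artefact as the header hunk: the `rcsid` string is changed back to revision 1.12. Nothing functional here; leave the line untouched.
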
@@ -152,10 +152,6 @@
int rcode;
 
 inst = rad_malloc(sizeof *inst);
-   if (!inst) {
-   return -1;
-   }
-   memset(inst, 0, sizeof(*inst));
 
 if (cf_section_parse(conf, inst, module_config) < 0) {
 free(inst);
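
Review bot: this hunk deletes the `if (!inst) return -1;` guard and the `memset(inst, 0, sizeof(*inst));` after `rad_malloc`, which is a regression unrelated to the new functions: without the memset, any field of the instance that `cf_section_parse` does not fill starts with whatever the allocator returned. Like the `$Id` hunks, this is what diffing against revision 1.12 produces; the submitted patch should contain only the added functions.
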
@@ -173,7 +169,193 @@
 *instance = inst;
 return 0;
 }
+/* Find the named realm in the database. Create the 
+ * set of attribute-value pairs to check and forward with
+ * for this realm from the database.
+ */
+static int attr_filter_accounting(void *instance, REQUEST *request)
+{
+   struct attr_filter_instance *inst = instance;
+   VALUE_PAIR  *request_pairs;
+   VALUE_PAIR  *send_item;
+   VALUE_PAIR  *send_tmp = NULL;
+   VALUE_PAIR  *check_item;
+   PAIR_LIST   *pl;
+   int found = 0;
+   int compare;
+   int pass, fail;
+#ifdef HAVE_REGEX_H
+   regex_t reg;
+#endif
+   VALUE_PAIR  *realmpair;
+   REALM   *realm;
+   char*realmname;
+   /*
+* Accounting is a bit different from the other functions.
+* Here we are concerned with what we are going to forward to
+* the remote server as opposed to concerns with what we will send
+* to the NAS based on a proxy reply to an auth request.
+*/
+   request_pairs = request->packet->vps;
+   if (request->packet->code != PW_ACCOUNT
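
Review bot: the new function is glued to the closing brace of `attr_filter_instantiate` with no blank line, and its header comment ("Find the named realm in the database. Create the set of attribute-value pairs to check and forward with") is the authorize path's wording rather than a description of this function; the inline comment further down, which says this function decides what is forwarded to the remote server rather than what is sent back to the NAS, is the accurate one and belongs in the header. The hunk header announces 193 added lines, but the copy on this page stops at `if (request->packet->code != PW_ACCOUNT`, so the part that rebuilds `request->packet->vps`, which is what this thread is after, cannot be reviewed here; when the full patch is looked at, check that the `regex_t reg` declared under `HAVE_REGEX_H` is released on every path and that the original list is freed only after the replacement list is complete.
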

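Chris Brotsos's point above, that rlm_attr_filter works on whichever pair list it is handed and that filtering what goes to the home server means rebuilding request->packet->vps with his pass/fail loop, as an added example in C. It is written for this page and is neither the module's code nor the attached patch: the value-pair list, the three check operators, the example.net check list and the sample request are constructed for the demonstration, where a real module instance would read its check items from the attrs file and use the server's VALUE_PAIR type and comparison helpers.

```c
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A value pair as it sits in request->packet->vps (simplified). */
typedef struct vp {
    char name[40];
    char value[128];
    struct vp *next;
} VP;

typedef enum { OP_EQ, OP_NE, OP_REGEX } op_t;

/* One check item of a hypothetical per-realm filter list. */
typedef struct {
    const char *name;   /* attribute the check applies to */
    op_t        op;
    const char *value;  /* literal, or an extended regex for OP_REGEX */
} CHECK;

static void vp_append(VP **head, const char *name, const char *value)
{
    VP *vp = calloc(1, sizeof *vp);
    if (!vp) { perror("calloc"); exit(1); }
    snprintf(vp->name, sizeof vp->name, "%s", name);
    snprintf(vp->value, sizeof vp->value, "%s", value);
    while (*head) head = &(*head)->next;   /* append, keeping packet order */
    *head = vp;
}

void vp_free(VP *vp) { while (vp) { VP *n = vp->next; free(vp); vp = n; } }
size_t vp_count(const VP *vp) { size_t n = 0; for (; vp; vp = vp->next) n++; return n; }

const VP *vp_find(const VP *vp, const char *name)
{
    for (; vp; vp = vp->next) if (strcmp(vp->name, name) == 0) return vp;
    return NULL;
}

/* One check item against one pair: 1 = pass, 0 = fail (an uncompilable regex fails). */
static int check_one(const CHECK *c, const VP *vp)
{
    regex_t re;
    int rc;
    switch (c->op) {
    case OP_EQ: return strcmp(vp->value, c->value) == 0;
    case OP_NE: return strcmp(vp->value, c->value) != 0;
    case OP_REGEX:
        if (regcomp(&re, c->value, REG_EXTENDED | REG_NOSUB) != 0) return 0;
        rc = regexec(&re, vp->value, 0, NULL, 0);
        regfree(&re);
        return rc == 0;
    }
    return 0;
}

/* Build the list to forward.  A pair survives only if at least one check item
 * names its attribute and none of those checks fail; attributes the list does
 * not mention are dropped.  The caller then frees request->packet->vps and
 * points it at the result, as in the loop quoted above. */
VP *attr_filter_preproxy(const VP *request, const CHECK *checks, size_t nchecks)
{
    VP *send = NULL;
    for (const VP *item = request; item; item = item->next) {
        int pass = 0, fail = 0;
        for (size_t i = 0; i < nchecks; i++) {
            if (strcmp(checks[i].name, item->name) != 0) continue;
            if (check_one(&checks[i], item)) pass++; else fail++;
        }
        if (fail == 0 && pass > 0) vp_append(&send, item->name, item->value);
    }
    return send;
}

/* Constructed sample: a request as a NAS might send it, and a check list for
 * one home server that should only see the attributes it needs. */
VP *demo_filter(void)
{
    static const CHECK realm_checks[] = {
        { "User-Name",      OP_REGEX, "@example\\.net$" },
        { "User-Password",  OP_REGEX, ".*" },
        { "NAS-IP-Address", OP_REGEX, "^[0-9.]+$" },
        { "Service-Type",   OP_EQ,    "Framed-User" },
    };
    VP *req = NULL, *send;

    vp_append(&req, "User-Name",          "alice@example.net");
    vp_append(&req, "User-Password",      "hunter2");
    vp_append(&req, "NAS-IP-Address",     "10.0.0.1");
    vp_append(&req, "Service-Type",       "Login-User");   /* fails its check: dropped */
    vp_append(&req, "Calling-Station-Id", "+15555550100"); /* no check item: dropped */

    send = attr_filter_preproxy(req, realm_checks, sizeof realm_checks / sizeof *realm_checks);
    vp_free(req);
    return send;
}

int main(void)
{
    VP *send = demo_filter();
    for (const VP *vp = send; vp; vp = vp->next) printf("%s = %s\n", vp->name, vp->value);
    vp_free(send);
    return 0;
}
```

The security-relevant part is what is absent from the output: Calling-Station-Id never reaches the home server because no check item names it, and Service-Type is dropped because its only check failed, so the remote side learns exactly what the filter list allows and nothing else. Copying the authorize routine, as the earlier message in this thread did, applies the same rule to request->reply->vps, which at pre-proxy time holds what the users file added rather than what the NAS sent.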