Re: unknown proxy ? part 2
Alex Radetsky <[EMAIL PROTECTED]> wrote:
> So, if radius got packet from remote server with configured source_ip and
> port, radiusd marks it as active.
>
> But in my case, radius got packet from configured source_ip, but another
> port.
>
> What does it mean?

It means that the server you're proxying the request to is broken.

> PS. I can rewrite this code to create workaround. But I do not know, may
> be it will not correct.

It will be wrong. You should contact the people running the other server, and tell them to fix it.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: unknown proxy ?
Alex Radetsky <[EMAIL PROTECTED]> wrote:
> I'm using freeradius-0.7.1. I'm trying to configure this freeradius
> as proxy server to remote.

Upgrade to 0.9.3. Please.

Alan DeKok.
Re: unknown proxy ?
I have noticed you have configured naslist, clients and clients.conf. The clients.conf file is all you need, and should probably move or remove the clients and naslist files since they are deprecated and may conflict. I have not looked into the source to find out what happens when you have both sets of files, but you should notice the informational messages warning you about these files in your log file.

Also, what's up with the ports? It looks like you have two different radius servers running, maybe your problem is that you are looking at the wrong config files.

Alex Radetsky wrote:

On Wed, Dec 10, 2003 at 03:11:42PM +0100, Thomas MARCHESSEAU wrote:

Hi Alex, did u check clients.conf ?

[EMAIL PROTECTED] bin]# grep "195.123.5.10" /usr/local/radius-proxy/etc/raddb/*
clients: 195.123.5.10 123
clients.conf: client 195.123.5.10 {
proxy.conf: authhost = 195.123.5.10:1812
proxy.conf: accthost = 195.123.5.10:1645

Yes, I do. Ok, I'll search this message in sources and will find what I got to do. Thanks! ;)

--
Guy Fraser
Network Administrator
unknown proxy ? part 2
Hello!

I found this in files.c :

--
    REALM *cl;

    /*
     * Note that we do NOT check for inactive realms!
     *
     * If we get a packet from an end server, then we mark it
     * as active, and return the realm.
     */
    for(cl = realms; cl != NULL; cl = cl->next)
        if ((ipaddr == cl->ipaddr) && (port == cl->auth_port)) {
            cl->active = TRUE;
            return cl;
        } else if ((ipaddr == cl->acct_ipaddr) && (port == cl->acct_port)) {
            cl->acct_active = TRUE;
            return cl;
        }

    return NULL;
--

So, if radius got packet from remote server with configured source_ip and port, radiusd marks it as active.

But in my case, radius got packet from configured source_ip, but another port.

What does it mean? Does some one proxy exist between my and remote radius? Is it correct?

PS. I can rewrite this code to create workaround. But I do not know, may be it will not correct.

--
Alex Radetsky AR2657-RIPE RAD-UANIC
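The source check discussed in this thread, as a stand-alone added example (not FreeRADIUS code and not part of the original posts): it reproduces the exact address-and-port match from the quoted loop and adds a diagnostic that separates "host not configured" from "configured host, unexpected source port", which is the case in the posted log. The REALM layout, the realm name and the functions find_realm_by_source, classify_source, triage_line and sample_realms are hypothetical; the addresses and ports are the ones quoted from proxy.conf and the log in the thread.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Pack a dotted quad into one integer so addresses compare with ==. */
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Constructed stand-in for a realm entry: only the fields the quoted loop uses. */
typedef struct realm {
    const char   *name;
    uint32_t      ipaddr;       /* authhost address */
    int           auth_port;
    uint32_t      acct_ipaddr;  /* accthost address */
    int           acct_port;
    int           active;
    int           acct_active;
    struct realm *next;
} REALM;

typedef enum { SRC_KNOWN, SRC_PORT_MISMATCH, SRC_UNKNOWN_HOST, SRC_UNPARSED } src_class;

/* Same rule as the quoted loop: a reply is accepted only when BOTH the source
 * address and the source port equal a configured home server endpoint. */
REALM *find_realm_by_source(REALM *realms, uint32_t ipaddr, int port)
{
    REALM *cl;

    for (cl = realms; cl != NULL; cl = cl->next) {
        if (ipaddr == cl->ipaddr && port == cl->auth_port) {
            cl->active = 1;
            return cl;
        } else if (ipaddr == cl->acct_ipaddr && port == cl->acct_port) {
            cl->acct_active = 1;
            return cl;
        }
    }
    return NULL;
}

/* Diagnostic only: explain WHY a source was refused. It never accepts a packet
 * the exact match refused; matching on address alone would accept a reply from
 * any socket at that address. */
src_class classify_source(REALM *realms, uint32_t ipaddr, int port)
{
    REALM *cl;

    if (find_realm_by_source(realms, ipaddr, port) != NULL)
        return SRC_KNOWN;
    for (cl = realms; cl != NULL; cl = cl->next)
        if (ipaddr == cl->ipaddr || ipaddr == cl->acct_ipaddr)
            return SRC_PORT_MISMATCH;   /* right host, wrong source port */
    return SRC_UNKNOWN_HOST;
}

/* Pull "a.b.c.d:port" out of an "unknown proxy" log line; returns 1 on success. */
int parse_src(const char *line, uint32_t *ip, int *port)
{
    static const char tag[] = "unknown proxy ";
    const char *p = strstr(line, tag);
    unsigned a, b, c, d, prt;

    if (p == NULL)
        return 0;
    if (sscanf(p + sizeof(tag) - 1, "%3u.%3u.%3u.%3u:%5u", &a, &b, &c, &d, &prt) != 5)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255 || prt > 65535)
        return 0;
    *ip = IP4(a, b, c, d);
    *port = (int)prt;
    return 1;
}

src_class triage_line(REALM *realms, const char *line)
{
    uint32_t ip;
    int port;

    if (!parse_src(line, &ip, &port))
        return SRC_UNPARSED;
    return classify_source(realms, ip, port);
}

/* Constructed realm table using the authhost/accthost values grepped from
 * proxy.conf in the thread; flags are reset on every call. */
REALM *sample_realms(void)
{
    static REALM r;

    memset(&r, 0, sizeof r);
    r.name = "example-realm";           /* hypothetical name */
    r.ipaddr = IP4(195, 123, 5, 10);
    r.auth_port = 1812;
    r.acct_ipaddr = IP4(195, 123, 5, 10);
    r.acct_port = 1645;
    return &r;
}

int main(void)
{
    static const char *names[] = { "known", "port-mismatch", "unknown-host", "unparsed" };
    /* Log line as posted in the thread. */
    const char *line = "Ignoring request from unknown proxy 195.123.5.10:1288";

    printf("%s -> %s\n", line, names[triage_line(sample_realms(), line)]);
    return 0;
}
```

A "port-mismatch" result points at the home server or something on the path rewriting the source port, which is the condition the reply in this thread says has to be fixed on the remote side.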
Re: unknown proxy ?
On Wed, Dec 10, 2003 at 04:18:30PM +0200, Alexey Balabushevich wrote:
> > I'm using freeradius-0.7.1. I'm trying to configure this freeradius
> > as proxy server to remote.
> >
> > --
> > rad_recv: Access-Reject packet from host 195.123.5.10:1288, id=1, length=48
> > Ignoring request from unknown proxy 195.123.5.10:1288
> > --
> >
> > Host 195.123.5.10 was configured in proxy.conf
> > In naslist too.
> >
> > Tell me, please, what I forgot to do? ;)
>
> what about clients ?

clients conf configured. Please see latest message.

> --
> Alexey Balabushevich
> nic-hdl: AB433-RIPE

Wow. Very glad to see you. :)

--
Alex Radetsky AR2657-RIPE RAD-UANIC
Re: unknown proxy ?
On Wed, Dec 10, 2003 at 03:11:42PM +0100, Thomas MARCHESSEAU wrote:
> Hi Alex,
>
> did u check clients.conf ?

[EMAIL PROTECTED] bin]# grep "195.123.5.10" /usr/local/radius-proxy/etc/raddb/*
clients: 195.123.5.10 123
clients.conf: client 195.123.5.10 {
proxy.conf: authhost= 195.123.5.10:1812
proxy.conf: accthost= 195.123.5.10:1645

Yes, I do. Ok, I'll search this message in sources and will find what I got to do. Thanks! ;)

> Thomas .
>
> Alex Radetsky wrote:
>
> >Hello, Colleagues!
> >
> >I'm using freeradius-0.7.1. I'm trying to configure this freeradius
> >as proxy server to remote.
> >
> >--
> >rad_recv: Access-Reject packet from host 195.123.5.10:1288, id=1, length=48
> >Ignoring request from unknown proxy 195.123.5.10:1288
> >--
> >
> >Host 195.123.5.10 was configured in proxy.conf
> >In naslist too.
> >
> >Tell me, please, what I forgot to do? ;)

--
Alex Radetsky AR2657-RIPE RAD-UANIC
Re: unknown proxy ?
On Wed, Dec 10, 2003 at 03:56:45PM +0200, Alex Radetsky wrote:
> Hello, Colleagues!
>
> I'm using freeradius-0.7.1. I'm trying to configure this freeradius
> as proxy server to remote.
>
> --
> rad_recv: Access-Reject packet from host 195.123.5.10:1288, id=1, length=48
> Ignoring request from unknown proxy 195.123.5.10:1288
> --
>
> Host 195.123.5.10 was configured in proxy.conf
> In naslist too.
>
> Tell me, please, what I forgot to do? ;)

what about clients ?

--
Alexey Balabushevich
nic-hdl: AB433-RIPE
Re: unknown proxy ?
Hi Alex,

did u check clients.conf ?

Thomas .

Alex Radetsky wrote:

Hello, Colleagues!

I'm using freeradius-0.7.1. I'm trying to configure this freeradius as proxy server to remote.

--
rad_recv: Access-Reject packet from host 195.123.5.10:1288, id=1, length=48
Ignoring request from unknown proxy 195.123.5.10:1288
--

Host 195.123.5.10 was configured in proxy.conf
In naslist too.

Tell me, please, what I forgot to do? ;)
unknown proxy ?
Hello, Colleagues!

I'm using freeradius-0.7.1. I'm trying to configure this freeradius as proxy server to remote.

--
rad_recv: Access-Reject packet from host 195.123.5.10:1288, id=1, length=48
Ignoring request from unknown proxy 195.123.5.10:1288
--

Host 195.123.5.10 was configured in proxy.conf
In naslist too.

Tell me, please, what I forgot to do? ;)

--
Alex Radetsky AR2657-RIPE RAD-UANIC
RE: filtering attributes in proxy
Until I get a working solution, I am using attr_rewrite in preacct. The attribute is always filtered, not only in requests to be proxied. I do not know if it suits well for you.

Sergio.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of denz
> Sent: Wednesday, 10 December 2003 7:37
> To: [EMAIL PROTECTED]
> Subject: Re: filtering attributes in proxy
>
> > Have you tried with pre-proxy and attr_rewrite? I'm trying but attr_rewrite
> > module is not called (/usr/sbin/freeradius -x). I don't know why.
>
> No I haven't.
> use -X instead -x, it'll show lot of things
> and have u included that in the preproxy section in radiusd.conf
>
> > Sergio.
> >
> > > > > > > but when I start the server I get this message at the end, and server
> > > > > > > exits.
> > > > > > >
> > > > > > > Module: Instantiated attr_filter (attr_filter)
> > > > > > > radiusd.conf: "attr_filter" modules aren't allowed in 'pre-proxy'
> > > > > > > sections -- they have no such method.
> > > > > >
> > > > > > Edit the source code for attr_filter to include a pre-proxy
> > > > > >section.
> > > > >
> > > > > This is done in the latest CVS for post-proxy. I've got a patch we've
> > > > > used internally for pre-proxy. I'll commit it today.
> > > >
> > > >Has it been committed to cvs ? I just downloaded. Couldn't see the preproxy
> > > >method in rlm_attr_filter. I'd appreciate it very much right now.
> > >
> > > No, I'm still working on cleaning the patch up, as well as adding accounting
> > > methods for the module.
> > >
> > > I'll post to the list when it is in CVS, which should hopefully be later
> > > today.
> > >
> > > -Chris
> > > --
> > >    \\\|||///  \  StarNet Inc.              \  Chris Parker
> > >    \ ~   ~ /   \  WX *is* Wireless!         \  Director, Engineering
> > >    | @   @ |    \  http://www.starnetwx.net  \  (847) 963-0116
> > > oOo---(_)---oOo--\--
> > >                   \  Wholesale Internet Services - http://www.megapop.net
Re: filtering attributes in proxy
> Have you tried with pre-proxy and attr_rewrite? I'm trying but attr_rewrite
> module is not called (/usr/sbin/freeradius -x). I don't know why.

No I haven't.
use -X instead -x, it'll show lot of things
and have u included that in the preproxy section in radiusd.conf

> Sergio.
>
> > > > > > but when I start the server I get this message at the end, and server
> > > > > > exits.
> > > > > >
> > > > > > Module: Instantiated attr_filter (attr_filter)
> > > > > > radiusd.conf: "attr_filter" modules aren't allowed in 'pre-proxy'
> > > > > > sections -- they have no such method.
> > > > >
> > > > > Edit the source code for attr_filter to include a pre-proxy
> > > > >section.
> > > >
> > > > This is done in the latest CVS for post-proxy. I've got a patch we've
> > > > used internally for pre-proxy. I'll commit it today.
> > >
> > >Has it been committed to cvs ? I just downloaded. Couldn't see the preproxy
> > >method in rlm_attr_filter. I'd appreciate it very much right now.
> >
> > No, I'm still working on cleaning the patch up, as well as adding accounting
> > methods for the module.
> >
> > I'll post to the list when it is in CVS, which should hopefully be later
> > today.
> >
> > -Chris
> > --
> >    \\\|||///  \  StarNet Inc.              \  Chris Parker
> >    \ ~   ~ /   \  WX *is* Wireless!         \  Director, Engineering
> >    | @   @ |    \  http://www.starnetwx.net  \  (847) 963-0116
> > oOo---(_)---oOo--\--
> >                   \  Wholesale Internet Services - http://www.megapop.net
RE: filtering attributes in proxy
Have you tried with pre-proxy and attr_rewrite? I'm trying but attr_rewrite module is not called (/usr/sbin/freeradius -x). I don't know why.

Sergio.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Chris Parker
> Sent: Tuesday, 09 December 2003 16:32
> To: [EMAIL PROTECTED]
> Subject: Re: filtering attributes in proxy
>
> At 11:59 PM 12/8/2003, denz wrote:
> > > > > but when I start the server I get this message at the end, and server
> > > > > exits.
> > > > >
> > > > > Module: Instantiated attr_filter (attr_filter)
> > > > > radiusd.conf: "attr_filter" modules aren't allowed in 'pre-proxy'
> > > > > sections -- they have no such method.
> > > >
> > > > Edit the source code for attr_filter to include a pre-proxy
> > > >section.
> > >
> > > This is done in the latest CVS for post-proxy. I've got a patch we've
> > > used internally for pre-proxy. I'll commit it today.
> >
> >Has it been committed to cvs ? I just downloaded. Couldn't see the preproxy
> >method in rlm_attr_filter. I'd appreciate it very much right now.
>
> No, I'm still working on cleaning the patch up, as well as adding accounting
> methods for the module.
>
> I'll post to the list when it is in CVS, which should hopefully be later
> today.
>
> -Chris
> --
>    \\\|||///  \  StarNet Inc.              \  Chris Parker
>    \ ~   ~ /   \  WX *is* Wireless!         \  Director, Engineering
>    | @   @ |    \  http://www.starnetwx.net  \  (847) 963-0116
> oOo---(_)---oOo--\--
>                   \  Wholesale Internet Services - http://www.megapop.net
Re: filtering attributes in proxy
At 11:59 PM 12/8/2003, denz wrote:
> > > but when I start the server I get this message at the end, and server
> > > exits.
> > >
> > > Module: Instantiated attr_filter (attr_filter)
> > > radiusd.conf: "attr_filter" modules aren't allowed in 'pre-proxy'
> > > sections -- they have no such method.
> >
> > Edit the source code for attr_filter to include a pre-proxy
> >section.
>
> This is done in the latest CVS for post-proxy. I've got a patch we've
> used internally for pre-proxy. I'll commit it today.

Has it been committed to cvs ? I just downloaded. Couldn't see the preproxy method in rlm_attr_filter. I'd appreciate it very much right now.

No, I'm still working on cleaning the patch up, as well as adding accounting methods for the module.

I'll post to the list when it is in CVS, which should hopefully be later today.

-Chris
--
   \\\|||///  \  StarNet Inc.              \  Chris Parker
   \ ~   ~ /   \  WX *is* Wireless!         \  Director, Engineering
   | @   @ |    \  http://www.starnetwx.net  \  (847) 963-0116
oOo---(_)---oOo--\--
                  \  Wholesale Internet Services - http://www.megapop.net
Re: filtering attributes in proxy
> > > but when I start the server I get this message at the end, and server
> > > exits.
> > >
> > > Module: Instantiated attr_filter (attr_filter)
> > > radiusd.conf: "attr_filter" modules aren't allowed in 'pre-proxy'
> > > sections -- they have no such method.
> >
> > Edit the source code for attr_filter to include a pre-proxy
> >section.
>
> This is done in the latest CVS for post-proxy. I've got a patch we've
> used internally for pre-proxy. I'll commit it today.

Has it been committed to cvs ? I just downloaded. Couldn't see the preproxy method in rlm_attr_filter. I'd appreciate it very much right now.

> -Chris
> --
>    \\\|||///  \  StarNet Inc.              \  Chris Parker
>    \ ~   ~ /   \  WX *is* Wireless!         \  Director, Engineering
>    | @   @ |    \  http://www.starnetwx.net  \  (847) 963-0116
> oOo---(_)---oOo--\--
>                   \  Wholesale Internet Services - http://www.megapop.net
Re: Proxy Setup
>From: "Anson Rinesmith" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Subject: Proxy Setup
>Date: Fri, 5 Dec 2003 11:57:00 -0600
>Reply-To: [EMAIL PROTECTED]
>
>I want any username like [EMAIL PROTECTED] to be proxied to an existing
>radius server.
>
>I have added
>
>realm mydomain.net {
>  type = radius
>  authhost = 192.168.69.10:1645
>  accthost = 192.168.69.10:1646
>  secret = ascend
>}
>to my proxy.conf file. It still tries to authenticate locally. I was told
>not to put anything in my realms file.
>What am I missing?

If using SQL: Probably something like this:

mysql> select * from radgroupcheck;
+----+-----------+----------------+----+--------------+
| id | GroupName | Attribute      | op | Value        |
+----+-----------+----------------+----+--------------+
|  1 | dial      | Proxy-To-Realm | := | mydomain.net |
+----+-----------+----------------+----+--------------+

mysql> select * from usergroup limit 1;
+----+----------+-----------+
| id | UserName | GroupName |
+----+----------+-----------+
|  1 | username | dial      |
+----+----------+-----------+

You can put it in radcheck as well per user base or if prefer using groups (which I guess you will if you have more than 1 existing radius servers behind the proxy) do it as described.

One more thing, when running radiusd with -X you will still see it that it says to go to NULL realm but in reality it is going to the correct realm. I don't know why the logs show this but I found this out the hard way using 0.9.2 that it was doing it correctly.

Glenn
Re: Automatically proxy?
Gary Algier <[EMAIL PROTECTED]> wrote:
> I am trying to figure out how to automatically proxy based upon criteria
> in the users file.

Use the Proxy-To-Realm attribute:

bob     Proxy-To-Realm := "realm"

> I can see how I can check the NAS-IP-Address, but then
> I don't know how to control where the actual auth gets
> done.

Don't use NAS-IP-Address. It can lie. Use Client-IP-Address.

> In case you are wondering, the "other" radius server is a
> SecureID ACE server. I want to use a FreeRadius server as
> a frontend for better control and accounting.

Of course.

Alan DeKok.
Automatically proxy?
Hi:

I am trying to figure out how to automatically proxy based upon criteria in the users file.

For example: I have a user "gary" who logs in on a particular NAS (let us say on IP 192.168.1.1). When he does so, his authentication should be passed off to the radius server at 192.168.2.1. If the same user tries to use the NAS at 192.168.1.2, he should be rejected by this radius server. If "nancy" uses either NAS, it should be handled locally. All other users should be rejected on NAS 192.168.1.1, while all requests for the rest of these users from the NAS at 192.168.1.2 should be passed off to the radius server at 192.168.2.1.

How can I do this?

I can see how I can check the NAS-IP-Address, but then I don't know how to control where the actual auth gets done.

In case you are wondering, the "other" radius server is a SecureID ACE server. I want to use a FreeRadius server as a frontend for better control and accounting.

--
Gary Algier, WB2FWZ          gaa at ulticom.com          +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054   Fax:+1 856 866 2033

Nielsen's First Law of Computer Manuals:
People don't read documentation voluntarily.
Re: Proxy Setup
"Anson Rinesmith" <[EMAIL PROTECTED]> wrote:
> to my proxy.conf file. It still tries to authenticate locally. I was told
> not to put anything in my realms file.
>
> What am I missing?

Read the output of radiusd -X. It will tell you WHY it is, or is not, proxying.

Alan DeKok.
Proxy Setup
I want any username like [EMAIL PROTECTED] to be proxied to an existing radius server.

I have added

realm mydomain.net {
  type = radius
  authhost = 192.168.69.10:1645
  accthost = 192.168.69.10:1646
  secret = ascend
}

to my proxy.conf file. It still tries to authenticate locally. I was told not to put anything in my realms file.

What am I missing?
synchronous proxy and fail-over
Hello,

I have found that the backup server of my client is never used when his main server is down.

Another strange behaviour is that the reject is not answered on a timeout but on receipt of the next authentication request, even if it comes one hour after!

To solve the problem I have changed synchronous to "no".

Synchronous mode is broken? (I use 0.9.3)
Re: filtering attributes in proxy
At 10:43 AM 12/4/2003, Alan DeKok wrote:

"denz" <[EMAIL PROTECTED]> wrote:
> but when I start the server I get this message at the end, and server
> exits.
>
> Module: Instantiated attr_filter (attr_filter)
> radiusd.conf: "attr_filter" modules aren't allowed in 'pre-proxy'
> sections -- they have no such method.

Edit the source code for attr_filter to include a pre-proxy section.

This is done in the latest CVS for post-proxy. I've got a patch we've used internally for pre-proxy. I'll commit it today.

-Chris
--
   \\\|||///  \  StarNet Inc.              \  Chris Parker
   \ ~   ~ /   \  WX *is* Wireless!         \  Director, Engineering
   | @   @ |    \  http://www.starnetwx.net  \  (847) 963-0116
oOo---(_)---oOo--\--
                  \  Wholesale Internet Services - http://www.megapop.net
Re: filtering attributes in proxy
"denz" <[EMAIL PROTECTED]> wrote:
> but when I start the server I get this message at the end, and server
> exits.
>
> Module: Instantiated attr_filter (attr_filter)
> radiusd.conf: "attr_filter" modules aren't allowed in 'pre-proxy'
> sections -- they have no such method.

Edit the source code for attr_filter to include a pre-proxy section.

Alan DeKok.
Re: filtering attributes in proxy
> > I need to remove the attribute
> > Calling-Station-Id = xxx
> > from the requests before passing it to the remote radius server.
>
> Use rlm_attr_filter in pre-proxy.

I modified the radiusd.conf as suggested,

pre-proxy {
    attr_filter
    # If you want to have a log of packets proxied to a home
    # server, un-comment the following line, and the
    # 'detail pre_proxy_log' section, above.
    # pre_proxy_log
}

but when I start the server I get this message at the end, and server exits.

radius-log
--
Module: Loaded attr_filter
attr_filter: attrsfile = "/usr/local/radiusd/etc/raddb/attrs"
Module: Instantiated attr_filter (attr_filter)
radiusd.conf: "attr_filter" modules aren't allowed in 'pre-proxy' sections -- they have no such method.

> > And while doing that I need to run some script and put those
> > Calling-station-id to a DB. Can we achieve this.
>
> Yes. Use rlm_exec in pre-proxy, before rlm_attr_filter.
>
> Alan DeKok.
RE: proxy
When I remove the realms entry, it tries to authenticate locally, when watching 'radiusd -X'

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, December 03, 2003 3:38 PM
To: [EMAIL PROTECTED]
Subject: Re: proxy

"Anson Rinesmith" <[EMAIL PROTECTED]> wrote:
> I added
> realm bigrivertel.net {
>   type= radius
>   authhost= 192.168.69.10:1645
>   accthost= 192.168.69.10:1646
>   secret = ascend
> }
>
> With the same errors, should I remove my entry from realms that I added
> earlier?

Yes.

Alan DeKok.
Re: proxy
"Anson Rinesmith" <[EMAIL PROTECTED]> wrote:
> I added
> realm bigrivertel.net {
>   type= radius
>   authhost= 192.168.69.10:1645
>   accthost= 192.168.69.10:1646
>   secret = ascend
> }
>
> With the same errors, should I remove my entry from realms that I added
> earlier?

Yes.

Alan DeKok.
RE: proxy
I added

realm bigrivertel.net {
  type= radius
  authhost= 192.168.69.10:1645
  accthost= 192.168.69.10:1646
  secret = ascend
}

With the same errors, should I remove my entry from realms that I added earlier?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, December 03, 2003 2:56 PM
To: [EMAIL PROTECTED]
Subject: Re: proxy

"Anson Rinesmith" <[EMAIL PROTECTED]> wrote:
> I have put my realm in the realms file: bigrivertel.net
> 192.168.69.10

You've also got to list it in the 'clients' file, OR use the "proxy.conf" file.

> /usr/local/etc/raddb/realms[28]: Cannot find 'clients' file entry of remote
> server 209.16.220.10 for realm "bigrivertel.net"

Yup. The reason is that the "realms" file doesn't have room for a shared secret, which is required. "proxy.conf" has it. Use that.

Alan DeKok.
Re: proxy
"Anson Rinesmith" <[EMAIL PROTECTED]> wrote:
> I have put my realm in the realms file: bigrivertel.net
> 192.168.69.10

You've also got to list it in the 'clients' file, OR use the "proxy.conf" file.

> /usr/local/etc/raddb/realms[28]: Cannot find 'clients' file entry of remote
> server 209.16.220.10 for realm "bigrivertel.net"

Yup. The reason is that the "realms" file doesn't have room for a shared secret, which is required. "proxy.conf" has it. Use that.

Alan DeKok.
proxy
I have put my realm in the realms file:

bigrivertel.net 192.168.69.10

When I run 'radiusd -X', I get the following error:

/usr/local/etc/raddb/realms[28]: Cannot find 'clients' file entry of remote server 209.16.220.10 for realm "bigrivertel.net"
Errors reading realms
Errors reading radiusd.conf

Any help?
Re: filtering attributes in proxy
"denz" <[EMAIL PROTECTED]> wrote:
> I need to remove the attribute
> Calling-Station-Id = xxx
> from the requests before passing it to the remote radius server.

Use rlm_attr_filter in pre-proxy.

> And while doing that I need to run some script and put those
> Calling-station-id to a DB. Can we achieve this.

Yes. Use rlm_exec in pre-proxy, before rlm_attr_filter.

Alan DeKok.
Re: 0.5 to 0.9.3 upgrade breaks auth-proxy
Alan DeKok <[EMAIL PROTECTED]> wrote:
>Ben Hockenhull <[EMAIL PROTECTED]> wrote:
>> Under 0.9.3, only the first AVPair is sent back. I'm not sure why.
>
> Read the 'man' page for the 'users' file. I think it's also in the
>FAQ.
>
> Try '+=', instead of '='.

Ah ha. That did it. I didn't see mention of that in the FAQ, but it was in the man pages.

Thanks.

Ben
filtering attributes in proxy
hi!

I'm using freeradius cvs (Nov 25 -2003) as a radius proxy. And as a remote radius server I got another copy of freeradius running. For my application environment I need my radius-proxy server to pass all requests to the remote server. But under one condition. i.e. I need to remove the attribute

Calling-Station-Id = xxx

from the requests before passing it to the remote radius server. And while doing that I need to run some script and put those Calling-station-id to a DB. Can we achieve this.

Here's the log at radius-proxy

rad_recv: Access-Request packet from host 192.168.0.93:3551, id=15, length=75
    User-Name = "[EMAIL PROTECTED]"
    User-Password = "testing"
    NAS-IP-Address = 192.168.0.93
    Framed-Protocol = PPP
    Calling-Station-Id = "94733442946"
Sending Access-Request of id 1 to 192.168.0.171:1812
    User-Name = "steve"
    User-Password = "testing"
    NAS-IP-Address = 192.168.0.93
    Framed-Protocol = PPP
    Calling-Station-Id = "94722442946"
    Service-Type = Framed-User
    Proxy-State = 0x3135
rad_recv: Access-Accept packet from host 192.168.0.171:1812, id=1, length=36
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Proxy-State = 0x3135
Sending Access-Accept of id 15 to 192.168.0.93:3551
    Service-Type = Framed-User
    Framed-Protocol = PPP

here's the log at remote radius
--
rad_recv: Access-Request packet from host 192.168.3.4:1814, id=1, length=80
    User-Name = "steve"
    User-Password = "testing"
    NAS-IP-Address = 192.168.0.93
    Framed-Protocol = PPP
    Calling-Station-Id = "94733442946"
    Service-Type = Framed-User
    Proxy-State = 0x3135
rlm_chap: Could not find proper Chap-Password attribute in request
Sending Access-Accept of id 1 to 192.168.3.4:1814
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Proxy-State = 0x3135
rad_recv: Access-Request packet from host 192.168.3.4:1814, id=2, length=62
    User-Name = "steve"
    User-Password = "testing"
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 1
    Proxy-State = 0x323131
rlm_chap: Could not find proper Chap-Password attribute in request
Sending Access-Accept of id 2 to 192.168.3.4:1814
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Proxy-State = 0x323131

U can see that every attributes is passed as they are. It get authenticated alright but my requirement is not to pass the above mentioned Attribute to the remote server.

denz.
strip user name for proxy
For example of proxy configuration... let say login as [EMAIL PROTECTED] , Is it possible for Freeradius to strip the username (user1) and proxied to other radius server using "abc.com.my" only... thanks.. --haizam
Re: 0.5 to 0.9.3 upgrade breaks auth-proxy
Make sure when you install the new server you get the new man pages as well.

Alan DeKok wrote:

Ben Hockenhull <[EMAIL PROTECTED]> wrote:

Under 0.9.3, only the first AVPair is sent back. I'm not sure why.

Read the 'man' page for the 'users' file. I think it's also in the FAQ.

Try '+=', instead of '='.

Alan DeKok.
Re: 0.5 to 0.9.3 upgrade breaks auth-proxy
Ben Hockenhull <[EMAIL PROTECTED]> wrote:
> Under 0.9.3, only the first AVPair is sent back. I'm not sure why.

Read the 'man' page for the 'users' file. I think it's also in the FAQ.

Try '+=', instead of '='.

Alan DeKok.
0.5 to 0.9.3 upgrade breaks auth-proxy
Hi there,

I'm doing testing in preparation to upgrade a server from 0.5 to 0.9.3, and I've run into an issue with Cisco's auth-proxy feature.

Under 0.5, it's been working. Upon successful authentication, the radius server sends back the proper Cisco-AVpairs for a temporary ACL. I have a debug from the router and from the 0.5 radiusd at http://www.jpj.net/~benh/rad5.txt

Under 0.9.3, only the first AVPair is sent back. I'm not sure why. The radius users file is identical, and the config on the router is identical. The only variable seems to be the version of FreeRADIUS. I have a debug from the router and from the 0.9.3 radiusd at http://www.jpj.net/~benh/rad9.txt.

Here's the users file in question:

hunter1 Auth-Type := Local, Password == "student1"
        Cisco-AVPair = "auth-proxy:priv-lvl=15",
        Cisco-AVPair = "auth-proxy:proxyacl#1=deny ip any 192.168.0.0 0.0.0.255",
        Cisco-AVPair = "auth-proxy:proxyacl#2=permit ip any any"

Leaving aside the question of why it's taken so long to upgrade this server, does anyone have any ideas?

Thanks

Ben
--
Ben Hockenhull [EMAIL PROTECTED]
Re: freeradius in proxy mode
"denz" <[EMAIL PROTECTED]> wrote:
> I've got a radius sever(some Old radius server) configured with a
> NAS. I want to pass MSISDN from NAS to radius. But the problem is when I
> pass that attribute, the Authentication process stops.

I doubt that very much. Read the FAQ about posting questions to the list.

Alan DeKok.
freeradius in proxy mode
hi everyone!

The Current problem:

I've got a radius server (some Old radius server) configured with a NAS. I want to pass MSISDN from NAS to radius. But the problem is when I pass that attribute, the Authentication process stops.

Solution

I'm thinking of running a freeradius in proxy mode, so that it will manipulate the access requests having Extra attribs, do some extra work (eg: record MSISDNs in a DB) and forward those filtered requests to a remote server. How could we achieve this purpose. Can somebody point me to a good documentation ?

denzel.
proxy sending extra info
Hi,

Radius Server 1 --> Free Radius --> Radius Server 2

I control the Free Radius server, which serves as a proxy. I need to modify a radius attribute value that is incoming from Radius Server 1 before it is being sent to Radius Server 2. How can I do that? I'm using rlm_perl, so if it can be done in there that would be nice.

Greets,
Laurens
Re: Limiting access at a proxy server based on Called-Station-ID
I think this can also be achieved by writing a function/procedure in database which return the values after doing the checking.

Deepak Singhal

----- Original Message -----
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, November 20, 2003 3:28 AM
Subject: Re: Limiting access at a proxy server based on Called-Station-ID

> Mark Moody <[EMAIL PROTECTED]> wrote:
> > We need to limit their users access based on Called-Station-ID.
> > When the Auth request comes in from the NAS, I need to be able to
> > consult a (possibly large) list of access numbers and determine if
> > the user called an approved number, if so allow the request to
> > proceed to the home server. If not, return an Access-Reject to the
> > NAS.
>
> You're probably going to have to write a module yourself to do that
> work. It shouldn't be too large. Use a database to store the list of
> access numbers, and it should be easy to manage, too.
>
> The issue is that most modules in the server are written to find
> some small amount of configuration in a database for a user, and then
> allow other modules to use that configuration to do things.
>
> What you want is to check the users request against a large number
> of things in a database. I'm not sure how that would be possible in
> the current server.
>
> Alan DeKok.
Re: Limiting access at a proxy server based on Called-Station-ID
Mark Moody <[EMAIL PROTECTED]> wrote:
> We need to limit their users access based on Called-Station-ID.
> When the Auth request comes in from the NAS, I need to be able to
> consult a (possibly large) list of access numbers and determine if
> the user called an approved number, if so allow the request to
> proceed to the home server. If not, return an Access-Reject to the
> NAS.

You're probably going to have to write a module yourself to do that work. It shouldn't be too large. Use a database to store the list of access numbers, and it should be easy to manage, too.

The issue is that most modules in the server are written to find some small amount of configuration in a database for a user, and then allow other modules to use that configuration to do things.

What you want is to check the user's request against a large number of things in a database. I'm not sure how that would be possible in the current server.

Alan DeKok.
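Added example, not part of the original thread and not FreeRADIUS code: a Python sketch of the database-backed Called-Station-Id check discussed in the replies above, as a custom module could run it before a request is proxied. The table name, function names, sample numbers and the digits-only normalisation of Called-Station-Id are assumptions.

```python
import re
import sqlite3

# Hypothetical schema: one row per (realm, approved access number).
SCHEMA = """
CREATE TABLE IF NOT EXISTS approved_number (
    realm  TEXT NOT NULL,
    number TEXT NOT NULL,
    PRIMARY KEY (realm, number)   -- index that keeps lookups fast on large lists
)
"""


def open_store(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute(SCHEMA)
    return db


def normalize(called_station_id):
    """Reduce a Called-Station-Id to its ASCII digits (assumed convention)."""
    digits = re.sub(r"[^0-9]", "", called_station_id or "")
    return digits or None


def replace_numbers(db, realm, numbers):
    """Swap a realm's whole list in one transaction, so a failed update
    never leaves the proxy working from a half-loaded list."""
    rows = sorted({(realm.lower(), n) for n in map(normalize, numbers) if n})
    with db:
        db.execute("DELETE FROM approved_number WHERE realm = ?", (realm.lower(),))
        db.executemany("INSERT INTO approved_number VALUES (?, ?)", rows)
    return len(rows)


def decide(db, request):
    """Return 'local', 'proxy' or 'reject' for one Access-Request.

    request is a dict of attribute name -> string value.
    """
    _, at, realm = request.get("User-Name", "").rpartition("@")
    if not at:
        return "local"                  # no realm, so nothing to proxy
    number = normalize(request.get("Called-Station-Id"))
    if number is None:
        return "reject"                 # fail closed when the attribute is missing
    # Bound parameters: attribute values arrive from the network and are
    # never pasted into the SQL text.
    hit = db.execute(
        "SELECT 1 FROM approved_number WHERE realm = ? AND number = ?",
        (realm.lower(), number),
    ).fetchone()
    return "proxy" if hit else "reject"


def demo():
    """Run the check over constructed requests."""
    db = open_store()
    replace_numbers(db, "example.net", ["555-0100", "5550101"])
    requests = [
        {"User-Name": "alice@example.net", "Called-Station-Id": "5550100"},
        {"User-Name": "alice@example.net", "Called-Station-Id": "5550199"},
        {"User-Name": "alice@example.net"},
        {"User-Name": "bob", "Called-Station-Id": "5550199"},
        {"User-Name": "carol@EXAMPLE.NET", "Called-Station-Id": "555-0101"},
    ]
    return [decide(db, r) for r in requests]


if __name__ == "__main__":
    print(demo())
```

A 'reject' result is where the module would return Access-Reject to the NAS instead of letting the request go on to the home server.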
Limiting access at a proxy server based on Called-Station-ID
I've been asked if the following is possible.

We operate a pair of radius servers that proxy several realms to their respective home servers. We need to limit their users' access based on Called-Station-ID. When the Auth request comes in from the NAS, I need to be able to consult a (possibly large) list of access numbers and determine if the user called an approved number, if so allow the request to proceed to the home server. If not, return an Access-Reject to the NAS.

I've experimented with the DEFAULT entries in the users file, and looked at pre-proxy as well. So far I haven't come up with a good way to do this. If anyone is currently doing something like this could you let me know how you're doing it? Keep in mind the potential list of Called-Station-IDs is potentially very large, management of and updates to this list need to be straightforward.

Any help will be most appreciated.

--
Mark Moody
RE: How to insert an attribute into a proxy-reply packet ?
I am not sure how to achieve this using rlm_attr_rewrite (probably others can help), but you can write your own "post-proxy" method. Add that module in the "post-proxy" section of radius.conf, so that your post-proxy method is called whenever the Radius server receives a reply for the proxied request. In that post-proxy method you can have whatever case you need based on your requirements.

-----Original Message-----
From: Allen Chung [EMAIL PROTECTED]
Sent: Sunday, November 16, 2003 6:16 PM
To: [EMAIL PROTECTED]
Subject: Re: How to insert an attribute into a proxy-reply packet ?

Sorry, I don't know how to make it work. Could you tell me more about it?

I use freeradius to be a proxy server.

A <===> MySite <=> B

I want each Auth-Reply to be one of the cases below.

1. If the Session-Timeout is defined and the value is greater than 0, proxy the reply-packet without change.
2. If the Session-Timeout is undefined, proxy the reply-packet without change.
3. If the Session-Timeout is defined BUT the value is 0, set the value to be 36000 before sending it.

Thanks a lot ...

----- Original Message -----
From: Liyan Tan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, November 13, 2003 8:00 PM
Subject: Re: How to insert an attribute into a proxy-reply packet ?

rlm_attr_filters may work?

Liyan Tan
[EMAIL PROTECTED]
2003-11-13
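Added example, not part of the original thread and not FreeRADIUS code: the three Session-Timeout cases applied at the packet level in Python. It goes one step beyond the post by showing that a proxy which edits a reply has to verify the home server's RFC 2865 Response Authenticator and then recompute it with the secret it shares with the NAS. Function names, secrets and attribute values are constructed; Proxy-State and Message-Authenticator handling is left out.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
SESSION_TIMEOUT = 27      # RFC 2865 attribute type, 32-bit unsigned seconds
REPLACEMENT = 36000       # value asked for in case 3 of the post


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def build_reply(code, ident, attr_list, request_auth, secret):
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in attr_list)
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def parse_reply(packet, request_auth, secret):
    """Check lengths and the authenticator, then return (code, id, attrs)."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs = packet[20:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator")
    out, i = [], 0
    while i < len(attrs):
        if len(attrs) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        out.append((atype, attrs[i + 2:i + alen]))
        i += alen
    return code, ident, out


def fix_session_timeout(attr_list):
    """Case 1 (> 0) and case 2 (absent) pass through; case 3 (== 0) is replaced."""
    fixed = []
    for atype, value in attr_list:
        if atype == SESSION_TIMEOUT:
            if len(value) != 4:
                raise ValueError("Session-Timeout must be 4 bytes")
            if struct.unpack("!I", value)[0] == 0:
                value = struct.pack("!I", REPLACEMENT)
        fixed.append((atype, value))
    return fixed


def session_timeout(attr_list):
    """Return the Session-Timeout as an int, or None when it is absent."""
    for atype, value in attr_list:
        if atype == SESSION_TIMEOUT:
            return struct.unpack("!I", value)[0]
    return None


def proxy_reply(packet, proxy_req_auth, home_secret,
                nas_ident, nas_req_auth, nas_secret):
    """Verify the home server's reply, apply the rule, re-sign for the NAS."""
    code, _, attrs = parse_reply(packet, proxy_req_auth, home_secret)
    if code == ACCESS_ACCEPT:
        attrs = fix_session_timeout(attrs)
    return build_reply(code, nas_ident, attrs, nas_req_auth, nas_secret)


if __name__ == "__main__":
    pra, nra = bytes(range(16)), bytes(range(16, 32))   # constructed values
    reply = build_reply(ACCESS_ACCEPT, 7, [(SESSION_TIMEOUT, bytes(4))],
                        pra, b"home-secret")
    out = proxy_reply(reply, pra, b"home-secret", 42, nra, b"nas-secret")
    print(session_timeout(parse_reply(out, nra, b"nas-secret")[2]))
```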
Re: How to insert an attribute into a proxy-reply packet ?
Sorry, I don't know how to make it work. Could you tell me more about it?

I use freeradius to be a proxy server.

A <===> MySite <=> B

I want each Auth-Reply to be one of the cases below.

1. If the Session-Timeout is defined and the value is greater than 0, proxy the reply-packet without change.
2. If the Session-Timeout is undefined, proxy the reply-packet without change.
3. If the Session-Timeout is defined BUT the value is 0, set the value to be 36000 before sending it.

Thanks a lot ...

----- Original Message -----
From: Liyan Tan
To: [EMAIL PROTECTED]
Sent: Thursday, November 13, 2003 8:00 PM
Subject: Re: How to insert an attribute into a proxy-reply packet ?

rlm_attr_filters may work?

Liyan Tan
[EMAIL PROTECTED]
2003-11-13
strip both prefix and suffix with proxy
hello all

i have a problem which i still can't solve. maybe there is a solution, but i can't find it :(

situation: i must use the suffix @blabla for every account. for some accounts i want to use a prefix too - because of auth proxying. i'm planning to use prefixes only for non-local accounts, but there is a special group of users which wants to duplicate its accounting info to a non-local server, but authorize locally. i created a prefix for this group and added it into the proxy configuration with two accthost entries. now i need to strip the suffix for this special group before authorization, because i don't want to store usernames with suffixes in my backend (which is currently ldap). but when realm aaa is matched, imho, i can strip only this realm.

example:

username: [EMAIL PROTECTED]

proxy:

realm aaa {
    accthost host1:1813
    accthost LOCAL
    nostrip/strip // only one from this
}

users:

DEFAULT Auth-Type := LDAP, Ldap-Group == "aaa-group", Suffix == "@blabla"
...

thanks

--
member of Advanced InternetWorks group -> http://www.ainetworks.sk
professional home page -> http://tibor.pittich.sk
personal home page -> http://c0re.phuture.sk
Re: How to insert an attribute into a proxy-reply packet ?
rlm_attr_filters may work? Liyan Tan [EMAIL PROTECTED] 2003-11-13
How to insert an attribute into a proxy-reply packet ?
Hello~ May I add an attribute "session-time" into a proxy-reply packet if the value of "session-timeout" is not assigned before I reply it to another radiusd server ? Thanks a lot ~
Re: Proxy doesn't send acct packets to other radius (correct proxy.conf)
ok

looking at your radiusd.conf file, i wonder if you have to add a preacct section with a suffix module in it in order to look up the realms.

otherwise it seems ok to me.

ciao
artur

> I made a mistake editing that mail last night.
>
> realm dimapel.com.br {
>     type = radius
>     authhost = 200.180.55.65:1812
>     accthost = 200.180.55.65:1813
>     secret = teste
Re: Proxy doesn't send acct packets to other radius (correct proxy.conf)
Artur

I made a mistake editing that mail last night. 200.193.87.129 has no relation to problem related. It's another server for tests.

my problem is: the proxy server doesn't send acct (accounting) packets to 200.180.55.65 server.

Just to know: 200.180.22.15 is the RAS that consults only 200.180.22.9 (the proxy).

The correct proxy.conf is:

$ cat proxy.conf | grep -v "#"
$$$
proxy server {
    synchronous = no
    retry_delay = 5
    retry_count = 3
    dead_time = 120
    servers_per_realm = 15
    default_fallback = yes
}

realm dimapel.com.br {
    type = radius
    authhost = 200.180.55.65:1812
    accthost = 200.180.55.65:1813
    secret = teste
}

Artur Hecker wrote on 29-10-2003 07:11:

> hi
>
> looking at your proxy.conf file:
>
> realm dimapel.com.br {
>     type = radius
>     authhost = 200.193.87.129:1812
>     accthost = 200.193.87.129:1813
>     secret = teste
> }
>
> now looking at the proxied Access Request out of your debug output:
>
> modcall: group authorize returns updated
> Sending Access-Request of id 3 to 200.180.55.65:1812
>         User-Name = "dumes"
>         User-Password = "D\277\255\261\350~V\037\005\240\331\360^\330\206u"
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         NAS-IP-Address = 200.180.22.15
>         NAS-Port = 108
>         Calling-Station-Id = "475211600"
>         Called-Station-Id = "12110482815300"
>         Connect-Info = "34000/28800_K56_/LAPM/V42BIS"
>         Proxy-State = "73"
> --- Walking the entire request list ---
>
> i strongly doubt that the proxy.conf file you are editing is relevant to this server. (it should proxy to 200.193.87.129:1812 but it does to 200.180.55.65:1812). unless of course you have a WEIRD host file
>
> ciao
> artur
Re: Proxy doesn't send acct packets to other radius
hi

looking at your proxy.conf file:

realm dimapel.com.br {
    type = radius
    authhost = 200.193.87.129:1812
    accthost = 200.193.87.129:1813
    secret = teste
}

now looking at the proxied Access Request out of your debug output:

modcall: group authorize returns updated
Sending Access-Request of id 3 to 200.180.55.65:1812
        User-Name = "dumes"
        User-Password = "D\277\255\261\350~V\037\005\240\331\360^\330\206u"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-IP-Address = 200.180.22.15
        NAS-Port = 108
        Calling-Station-Id = "475211600"
        Called-Station-Id = "12110482815300"
        Connect-Info = "34000/28800_K56_/LAPM/V42BIS"
        Proxy-State = "73"
--- Walking the entire request list ---

i strongly doubt that the proxy.conf file you are editing is relevant to this server. (it should proxy to 200.193.87.129:1812 but it does to 200.180.55.65:1812). unless of course you have a WEIRD host file

ciao
artur
Re: Proxy doesn't send acct packets to other radius
Sorry Alan

I'm so tired that I forgot those important details.

First, my Freeradius is 0.8. I don't remember what options I used with configure but I'm sure I used ldap and mysql (cause they work fine).

I think relevant config file and logs are reproduced below. They are:

- proxy.conf
- radiusd.conf
- console out of radiusd -X (of proxy server)

Obs.: I didn't put radiusd -X console out of realm server. Because I used iptraf -i on the realm server and there's no acct packet coming from proxy server.

$ cat proxy.conf | grep -v "#"
$$$
proxy server {
    synchronous = no
    retry_delay = 5
    retry_count = 3
    dead_time = 120
    servers_per_realm = 15
    default_fallback = yes
}

realm soft {
    type = radius
    authhost = 200.193.87.129:1812
    accthost = 200.193.87.129:1813
    secret = teste
}

realm dimapel.com.br {
    type = radius
    authhost = 200.193.87.129:1812
    accthost = 200.193.87.129:1813
    secret = teste
}

$ cat radiusd.conf | grep -v "#"
$$$
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = 200.193.87.150
port = 0
hostname_lookups = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad

security {
    max_attributes = 200
    reject_delay = 1
    status_server = no
}

proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf

thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}

modules {
    ldap {
        server = "ldapserver.softhouse.com.br"
        basedn = "dc=softhouse.com.br,o=softhouse"
        filter = "(&(objectClass=radiusprofile)(uid=%u))"
        groupname_attribute = cn
        default_profile = "cn=normal,ou=radius,o=softhouse"
        profile_attribute = "radiusProfileDN"
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 15
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }
    realm suffix {
        format = suffix
        delimiter = "@"
    }
    $INCLUDE ${confdir}/sql.conf
    radutmp {
        filename = ${logdir}/radutmp
        perm = 0600
        callerid = "yes"
    }
    attr_filter {
        attrsfile = ${confdir}/attrs
    }
    checkval callerid-check {
        item-name = "Calling-Station-Id"
        check-name = "Calling-Station-Id"
        data-type = "string"
    }
}

authorize {
    suffix
    ldap
    callerid-check
}

authenticate {
    authtype LDAP {
        ldap
    }
}

accounting {
    radutmp
    sql
}

session {
    radutmp
}

Proxy LOG (radiusd -X)$

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: bind_address = 200.193.87.150 IP address [200.193.87.150]
main: user = "(null)&q
Re: Proxy doesn't send acct packets to other radius
Jefferson Dümes <[EMAIL PROTECTED]> wrote:
> I'm not an "radius expert", but I already used a cistron (patched to log
> in mysql) and icradius. In this two server, I just say to do proxy to
> some server and it does it (auth and acct).

FreeRADIUS does that, too.

> I'm looking for the solution to this problem for months. I'm looking on
> "The Freeradius-Users Archives". But no Answer. No answer in FAQ too.

You still haven't said what you're doing. You haven't said what configuration files you're editing. You haven't included debugging messages as suggested in the FAQ and README.

Alan DeKok.
Re: Proxy doesn't send acct packets to other radius
Hi Alan

Would you show me where is some kind of reference of the problem I reported ???

I'm not an "radius expert", but I already used a cistron (patched to log in mysql) and icradius. In this two server, I just say to do proxy to some server and it does it (auth and acct).

I agree that freeradius is more flexible and so, freeradius needs that I say it exactly what I want it does. It's really great.

I'm looking for the solution to this problem for months. I'm looking on "The Freeradius-Users Archives". But no Answer. No answer in FAQ too.

Alan DeKok wrote:
> Jefferson Dümes <[EMAIL PROTECTED]> wrote:
> > Freeradius 0.8 doesn't send account packets to other freeradius.
>
> It does if you've configured it correctly.
>
> > No errors in log files.
> > Someone give me an idea.
>
> Since you haven't followed the directions in the FAQ for problem solving, I suggest that you start there.
>
> Alan DeKok.
Re: Proxy doesn't send acct packets to other radius
Jefferson Dümes <[EMAIL PROTECTED]> wrote:
> Freeradius 0.8 doesn't send account packets to other freeradius.

It does if you've configured it correctly.

> No errors in log files.
>
> Someone give me an idea.

Since you haven't followed the directions in the FAQ for problem solving, I suggest that you start there.

Alan DeKok.
Proxy doesn't send acct packets to other radius
Freeradius 0.8 doesn't send account packets to other freeradius.

There's no firewall rules between the servers.

No errors in log files.

Someone give me an idea.

thanks.

details: Freeradius 0.8 compiled with ldap auth and mysql account support.
Re: proxy help question
On Fri, 24 Oct 2003, CW wrote:
> Is it possible to have ONE radius server query TWO databases in the same
> server for requests for different realms?
>
> For example if I had two realms
>
> dialup.someisp.net
> adsl.someisp.net
>
> and both realms came into the same radius server, and I had two mysql
> databases with two different customer bases for two different services.
> (dialup and adsl)
>
> Is it possible for me to instruct the radius server to query different
> databases for different domains?
>
> Cheers,
> Craig

Sure thing, just check out doc/Autz-Type
proxy help question
Is it possible to have ONE radius server query TWO databases in the same server for requests for different realms?

For example if I had two realms

dialup.someisp.net
adsl.someisp.net

and both realms came into the same radius server, and I had two mysql databases with two different customer bases for two different services. (dialup and adsl)

Is it possible for me to instruct the radius server to query different databases for different domains?

Cheers,
Craig
Proxy setup
Hello,

New to the list, but I've read everything that I could possibly read, maybe I just don't understand.

What I'm trying to do: use a STAROS using Hotspot to authenticate with our radius server. I've installed and set up freeradius on a machine we use for mirroring, and if I do the radtest to our windows radius server it goes through ok so I know it works. I set up the proxy, but two questions.

Do I have the hotspot send auth and acct to the default port of 1814? Or 1812 and 1813?

Also, my error I get in the radius log is

Wed Oct 22 14:39:22 2003 : Error: Ignoring request from unknown home server 65.117.AAA.XX:1032
Wed Oct 22 14:39:37 2003 : Error: Ignoring request from unknown home server 65.117.AAA.XX:1032
Wed Oct 22 14:40:18 2003 : Error: Ignoring request from unknown client 65.117.AAA.XX:1033
Wed Oct 22 14:40:33 2003 : Error: Ignoring request from unknown client 65.117.AAA.XX:1033
Wed Oct 22 14:40:48 2003 : Error: Ignoring request from unknown client 65.117.AAA.XX:1033

I get the unknown client when I have the server set up in the clients.conf page, as:

client 65.117.AAA.XX {
    secret = MySecret
    shortname = Mac
}

Any help would be greatly appreciated.

Thanks,
Jason
LRBCG.Com, Inc.
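Added example, not part of the original post and not FreeRADIUS code: a Python triage script for the two error messages quoted above. It groups them by message kind and source address, lists the source ports seen, and notes whether the address has a `client` block in a clients.conf text passed in. The log lines, addresses and clients.conf content are constructed samples that follow the format shown in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# The two error messages quoted in the post, with a full IPv4 source address.
LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) : Error: "
    r"Ignoring request from unknown (?P<kind>client|home server) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$"
)
# "client <address> {" as written in the clients.conf excerpt in the post.
CLIENT_BLOCK = re.compile(r"^\s*client\s+(\S+)\s*\{", re.MULTILINE)

# Constructed sample input (documentation addresses).
SAMPLE_LOG = """\
Wed Oct 22 14:39:22 2003 : Error: Ignoring request from unknown home server 192.0.2.10:1032
Wed Oct 22 14:39:37 2003 : Error: Ignoring request from unknown home server 192.0.2.10:1032
Wed Oct 22 14:40:18 2003 : Error: Ignoring request from unknown client 192.0.2.10:1033
Wed Oct 22 14:40:33 2003 : Error: Ignoring request from unknown client 192.0.2.10:1033
Wed Oct 22 14:40:48 2003 : Error: Ignoring request from unknown client 192.0.2.10:1033
Wed Oct 22 14:41:02 2003 : Info: Ready to process requests.
Wed Oct 22 14:41:30 2003 : Error: Ignoring request from unknown client 198.51.100.7:40000
"""

SAMPLE_CLIENTS = """\
# client 203.0.113.5 {   (commented out, so it does not count)
client 192.0.2.10 {
    secret = constructed-secret
    shortname = hotspot
}
"""


def summarize(log_text, clients_conf_text=""):
    """Group 'unknown client' / 'unknown home server' errors by source."""
    configured = set(CLIENT_BLOCK.findall(clients_conf_text))
    seen = defaultdict(lambda: {"count": 0, "ports": set(), "times": []})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m is None:
            continue                    # unrelated log line
        entry = seen[(m.group("kind"), m.group("ip"))]
        entry["count"] += 1
        entry["ports"].add(int(m.group("port")))
        entry["times"].append(
            datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"))
    report = []
    for (kind, ip), e in sorted(seen.items()):
        span = max(e["times"]) - min(e["times"])
        report.append({
            "kind": kind,
            "source": ip,
            "count": e["count"],
            "ports": sorted(e["ports"]),
            "span_seconds": int(span.total_seconds()),
            # True means the address is in the file passed in, yet the running
            # server still ignored it: check that this is the file the server
            # actually loaded.
            "in_clients_conf": ip in configured,
        })
    return report


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG, SAMPLE_CLIENTS):
        print(row)
```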
Re: Problem with Proxy
Thanks for your advice.

It works for Authentication, but Accounting.

If I want to proxy accounting packets with these rules, what should I do?

1. proxy accounting packets which realm ends with ".us" to serverATus.
2. proxy accounting packets which realm ends with ".jp" to serverATjp.

Thanks a lot ~

----- Original Message -----
From: "Chris van Meerendonk" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 07, 2003 7:41 PM
Subject: Re: Problem with Proxy

> Allen,
>
> You could try to put the following in the users file:
> DEFAULT Realm =~ "\.us$", Proxy-To-Realm += "us"
> DEFAULT Realm =~ "\.jp$", Proxy-To-Realm += "jp"
>
> In proxy.conf you can put something like:
> realm us {
>     type = radius
>     authhost = 123.123.234.234:1812
>     accthost = 123.123.234.234:1813
>     secret = authkey
>     nostrip
> }
>
> realm jp {
>     type = radius
>     authhost = 123.123.234.235:1812
>     accthost = 123.123.234.235:1813
>     secret = authkey
>     nostrip
> }
>
> Chris
>
> On Mon, 2003-10-06 at 07:12, Allen Chung wrote:
> > Hello~
> >
> > I have a question about Proxy.
> >
> > I would like to
> >
> > 1. proxy realms which end with ".us" to serverATus.
> > 2. proxy realm which end with ".jp" to serverATjp.
> >
> > What should I define in the proxy.conf ?
> >
> > Thanks a lot ...
Re: Proxy and "No such realm NULL"
Josh,

I don't really deal with the NULL realm, so I'm not 100% sure of a certain configuration option's actions with said realm, but you might want to try setting 'wake_all_if_all_dead = yes' in the proxy.conf file. Assuming that wake_all_if_all_dead works with the NULL realm, this would at least help you test your hypothesis.

HTH,
Chris

At 10:57 AM 10/16/2003, you wrote:
> I have a proxy server configured to proxy to the NULL realm. This has worked fine until recently when it has started to silently drop RADIUS requests rather than forward them. The NAS does not receive any response and so rejects users.
>
> My hypothesis is that the RADIUS server it is proxying to becomes unresponsive temporarily, and so the proxy server marks it dead. Thus, when the next RADIUS requests comes along it has no server to proxy it to, thus it returns an error about the realm. Would this hypothesis be consistent with the "No such realm NULL" error?
>
> A possible flaw in this hypothesis is that the "dead time" is configured at ten minutes (dead_time = 600) yet the server continues to drop RADIUS packets beyond this time.
>
> I would be interested in any ideas or suggestions to fix this.
>
> many thanks, josh.
>
> --
> Josh Howlett, Networking & Digital Communications,
> Information Systems & Computing, University of Bristol, U.K.
> 'phone: 0117 928 7850 email: [EMAIL PROTECTED]
Proxy and "No such realm NULL"
I have a proxy server configured to proxy to the NULL realm. This has worked fine until recently when it has started to silently drop RADIUS requests rather than forward them. The NAS does not receive any response and so rejects users.

My hypothesis is that the RADIUS server it is proxying to becomes unresponsive temporarily, and so the proxy server marks it dead. Thus, when the next RADIUS requests comes along it has no server to proxy it to, thus it returns an error about the realm. Would this hypothesis be consistent with the "No such realm NULL" error?

A possible flaw in this hypothesis is that the "dead time" is configured at ten minutes (dead_time = 600) yet the server continues to drop RADIUS packets beyond this time.

I would be interested in any ideas or suggestions to fix this.

many thanks, josh.

--
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]
Re: Proxy fail-over
At 09:58 PM 10/15/2003, you wrote:
> I tried to set the Radius server (0.9.1 on Red Hat 9) so it can do proxy. I use the sql module for authentication (mysql). I have two users, [EMAIL PROTECTED]' and 'alex_chen'. in the DB. I setup the proxy.conf like the followings so that if the proxy server 192.168.1.12 fails, it will try to authenticate locally. (Following the sample in proxy.conf for round-robin proxy.)
>
> proxy server {
>     synchronous = yes

From /path/to/src/radiusd/raddb/proxy.conf:

"If this [synchronous] is set to 'No', then we send the retries on our own schedule..."

"If you want to have the server send proxy retries ONLY when the NAS sends its retries to the server, then set this to 'yes', and the other proxy configuration parameters to 0 (zero)".

So, try setting synchronous to 'no' and see if you still have problems with the failover.

HTH,
Chris

>     retry_delay = 5
>     retry_count = 3
>     dead_time = 120
>     default_fallback = yes
>     post_proxy_authorize = no
> }
>
> realm myhome.com {
>     type = radius
>     authhost = 192.168.1.12:1812
>     accthost = 192.168.1.12:1813
>     secret = testing123
> }
>
> #
> # The fail-over server
> #
> realm myhome.com {
>     type = radius
>     authhost = LOCAL
>     accthost = LOCAL
> }
>
> But when I run the radius with -X flag, I got the following message:
>
> ..
> Waking up in 5 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89 User-Name = "[EMAIL PROTECTED]" User-Password = "alextest" NAS-IP-Address = 192.168.2.1 NAS-Port = 1 NAS-Port-Id = "gateway" modcall: entering group authorize modcall[authorize]: module "preprocess" returns ok rlm_eap: EAP-Message not found modcall[authorize]: module "eap" returns noop rlm_realm: Looking up realm "myhome.com" for User-Name = "[EMAIL PROTECTED]" rlm_realm: Found realm "myhome.com" rlm_realm: Adding Stripped-User-Name = "alex_chen" rlm_realm: Proxying request from user alex_chen to realm myhome.com rlm_realm: Adding Realm = "myhome.com" rlm_realm: Preparing to proxy authentication request to realm "myhome.com" modcall[authorize]: module "suffix" returns updated radius_xlat: 'alex_chen' ... ... modcall: group authorize returns updated Sending Access-Request of id 1 to 192.168.1.12:1812 User-Name = "alex_chen" User-Password = "alextest" NAS-IP-Address = 192.168.2.1 NAS-Port = 1 NAS-Port-Id = "gateway" Proxy-State = "228" Waking up in 5 seconds... rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89 Dropping conflicting packet from client localhost:1025 - ID: 228 due to unfinished request 1 --- Walking the entire request list --- Waking up in 2 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 224 with timestamp 3f8de7df Waking up in 5 seconds... rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89 Dropping conflicting packet from client localhost:1025 - ID: 228 due to unfinished request 1 --- Walking the entire request list --- Waking up in 5 seconds... rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89 Dropping conflicting packet from client localhost:1025 - ID: 228 due to unfinished request 1 --- Walking the entire request list --- Waking up in 5 seconds... 
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89 Dropping conflicting packet from client localhost:1025 - ID: 228 due to unfinished request 1 --- Walking the entire request list --- Waking up in 5 seconds... rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89 Dropping conflicting packet from client localhost:1025 - ID: 228 due to unfinished request 1 --- Walking the entire request list --- Waking up in 5 seconds... rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89 Dropping conflicting packet from client localhost:1025 - ID: 228 due to unfinished request 1 --- Walking the entire request list --- Waking up in 5 seconds... rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89 Dropping conflicting packet from client localhost:1025 - ID: 228 due to unfinished request 1 --- Walking the entire request list --- Waking up in 5 seconds... rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89 Dropping conflicting packet from client localhost:1025 - ID: 228 due to unfinished request 1 --- Walking the entire request list --- Waking up in 5 seconds... rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89 Dropping conflicting packet from client localhost:1025 - ID: 228 due to unfinish
Proxy to Radius Servers Cluster
Dear All:

I have 2 Radius Servers, R1, R2, and each server maintains its own user data. I hope to use the realm "@myrealm" for each user. I built a proxy server with freeradiusd 0.9.0 to be a dispatcher.

The trouble is I can't identify whether a user belongs to R1 or R2. So I use the ldflag = round-robin in my proxy.conf. In this case, there is a 50% chance to fail.

May I set up the proxy rule to map "@myrealm" to both R1 and R2? And when the request [EMAIL PROTECTED] is received, the proxy server will proxy to both R1 and R2. If one of them responds with Access-Accept, then the proxy server replies Access-Accept, too.

Thanks a lot ...
Proxy fail-over
I tried to set the Radius server (0.9.1 on Red Hat 9) so it can do proxy. I use the sql module for authentication (mysql). I have two users, [EMAIL PROTECTED]' and 'alex_chen'. in the DB. I setup the proxy.conf like the followings so that if the proxy server 192.168.1.12 fails, it will try to authenticate locally. (Following the sample in proxy.conf for round-robin proxy.)

proxy server {
    synchronous = yes
    retry_delay = 5
    retry_count = 3
    dead_time = 120
    default_fallback = yes
    post_proxy_authorize = no
}

realm myhome.com {
    type = radius
    authhost = 192.168.1.12:1812
    accthost = 192.168.1.12:1813
    secret = testing123
}

#
# The fail-over server
#
realm myhome.com {
    type = radius
    authhost = LOCAL
    accthost = LOCAL
}

But when I run the radius with -X flag, I got the following message:

..
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "alextest"
        NAS-IP-Address = 192.168.2.1
        NAS-Port = 1
        NAS-Port-Id = "gateway"
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_eap: EAP-Message not found
modcall[authorize]: module "eap" returns noop
rlm_realm: Looking up realm "myhome.com" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "myhome.com"
rlm_realm: Adding Stripped-User-Name = "alex_chen"
rlm_realm: Proxying request from user alex_chen to realm myhome.com
rlm_realm: Adding Realm = "myhome.com"
rlm_realm: Preparing to proxy authentication request to realm "myhome.com"
modcall[authorize]: module "suffix" returns updated
radius_xlat: 'alex_chen'
...
...
modcall: group authorize returns updated
Sending Access-Request of id 1 to 192.168.1.12:1812
        User-Name = "alex_chen"
        User-Password = "alextest"
        NAS-IP-Address = 192.168.2.1
        NAS-Port = 1
        NAS-Port-Id = "gateway"
        Proxy-State = "228"
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89 Dropping conflicting packet from client localhost:1025 - ID: 228 due to unfinished request 1 --- Walking the entire request list --- Waking up in 2 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 224 with timestamp 3f8de7df Waking up in 5 seconds... rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89 Dropping conflicting packet from client localhost:1025 - ID: 228 due to unfinished request 1 --- Walking the entire request list --- Waking up in 5 seconds... rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89 Dropping conflicting packet from client localhost:1025 - ID: 228 due to unfinished request 1 --- Walking the entire request list --- Waking up in 5 seconds... rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89 Dropping conflicting packet from client localhost:1025 - ID: 228 due to unfinished request 1 --- Walking the entire request list --- Waking up in 5 seconds... rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89 Dropping conflicting packet from client localhost:1025 - ID: 228 due to unfinished request 1 --- Walking the entire request list --- Waking up in 5 seconds... rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89 Dropping conflicting packet from client localhost:1025 - ID: 228 due to unfinished request 1 --- Walking the entire request list --- Waking up in 5 seconds... rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89 Dropping conflicting packet from client localhost:1025 - ID: 228 due to unfinished request 1 --- Walking the entire request list --- Waking up in 5 seconds... rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89 Dropping conflicting packet from client localhost:1025 - ID: 228 due to unfinished request 1 --- Walking the entire request list --- Waking up in 5 seconds... 
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=228, length=89
Dropping conflicting packet from client localhost:1025 - ID: 228 due to unfinished request 1

On the client side, I got the following message. (I use radclient to send the packets)

Sending User-Name = [EMAIL PROTECTED], User-Password = "alextest", NAS-IP-Address = 192.168.2.1, NAS-Port = 1, NAS-Port-Id = gateway to /usr/local/bin/radclient -S secret_file localhost auth
radclient: no response from server
Re: Proxy where a single server is marked dead?
On Tue, 2003-10-14 at 15:22, Alan DeKok wrote:
> Josh Howlett <[EMAIL PROTECTED]> wrote:
> > My reading of the source suggests to me that it will get dropped
> > silently, but I would appreciate an educated opinion!
>
> Pretty much. Sending a reject request may be friendlier, though.

Yes. It would be useful if this were implemented.

josh.

--
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]
Re: Proxy where a single server is marked dead?
Josh Howlett <[EMAIL PROTECTED]> wrote:
> My reading of the source suggests to me that it will get dropped
> silently, but I would appreciate an educated opinion!

Pretty much. Sending a reject request may be friendlier, though.

Alan DeKok.
Re: Proxy where a single server is marked dead?
On Tue, 2003-10-14 at 12:18, Josh Howlett wrote:
> Can someone please briefly indicate the expected behaviour of FreeRADIUS
> where a realm has a single instance of a {auth|acct}host specified,
> but this server has been marked dead owing to inactivity?
>
> My reading of the source suggests to me that it will get dropped
> silently, but I would appreciate an educated opinion!

By "it" I mean a RADIUS packet that the proxy FreeRADIUS server has received.

josh.

--
Josh Howlett, Networking & Digital Communications, Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]
Proxy where a single server is marked dead?
Can someone please briefly indicate the expected behaviour of FreeRADIUS where a realm has a single instance of a {auth|acct}host specified, but this server has been marked dead owing to inactivity?

My reading of the source suggests to me that it will get dropped silently, but I would appreciate an educated opinion!

best regards,
josh.

--
Josh Howlett, Networking & Digital Communications, Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]
Re: Problems with proxy if TTLS is used
"Roman Janos" <[EMAIL PROTECTED]> wrote:
> Actually the question is other. Are there any plans to implement (or
> it is already implemented?) proxying functionality for EAP-TTLS
> tunneled authentication method (e.g. EAP-MD5,PAP, ) ?

No.

> If not the TTLS implementation makes no sense.

I disagree. If you care so much, then submit a patch to implement it. If you're not willing to submit a patch, or to pay someone else to write a patch, then I guess you'll just have to wait for a patch.

Alan DeKok.
RE: Problems with proxy if TTLS is used
Actually the question is other. Are there any plans to implement (or it is already implemented?) proxying functionality for EAP-TTLS tunneled authentication method (e.g. EAP-MD5,PAP, ) ? If not the TTLS implementation makes no sense. I speak about the bindings between the old authentication methods that can be deployed on whatever legacy RADIUS server and use of FREERADIUS as a proxy to take advantage about security in shared media environments.

Please comment.

Regards
Roman

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On behalf of Alan DeKok
> Sent: 8 October 2003 19:06
> To: [EMAIL PROTECTED]
> Subject: Re: Problems with proxy if TTLS is used
>
> fastbyte <[EMAIL PROTECTED]> wrote:
> > Are there any plans to implement proxying for EAP/TTLS in near future?
>
> No.
>
> Alan DeKok.
Re: Problems with proxy if TTLS is used
fastbyte <[EMAIL PROTECTED]> wrote:
> Are there any plans to implement proxying for EAP/TTLS in near future?

No.

Alan DeKok.
Re: Accounting trouble + proxy
Hi Chris,

Chris Parker wrote:
At 08:18 AM 10/8/2003, Thomas MARCHESSEAU wrote:
Hi all, I would like to know if there is a special trick to have "accthost" working on freeradius 0.9.1 in proxy mode: My accounting requests are not forwarded by the proxy to my radius server.

What modules do you have enabled in the 'preacct' stanza of your config?

oops, none :/ but now I have added "suffix", and it works fine.

Thx
Thomas MARCHESSEAU

-Chris
-- \\\|||/// \ StarNet Inc. \ Chris Parker \ ~ ~ / \ WX *is* Wireless!\ Director, Engineering | @ @ |\ http://www.starnetwx.net \ (847) 963-0116 oOo---(_)---oOo--\-- \ Wholesale Internet Services - http://www.megapop.net
Re: Accounting trouble + proxy
At 08:18 AM 10/8/2003, Thomas MARCHESSEAU wrote:
Hi all, I would like to know if there is a special trick to have "accthost" working on freeradius 0.9.1 in proxy mode: My accounting requests are not forwarded by the proxy to my radius server.

What modules do you have enabled in the 'preacct' stanza of your config?

-Chris
-- \\\|||/// \ StarNet Inc. \ Chris Parker \ ~ ~ / \ WX *is* Wireless!\ Director, Engineering | @ @ |\ http://www.starnetwx.net \ (847) 963-0116 oOo---(_)---oOo--\-- \ Wholesale Internet Services - http://www.megapop.net
Accounting trouble + proxy
Hi all, I would like to know if there is a special trick to have "accthost" working on freeradius 0.9.1 in proxy mode: My accounting requests are not forwarded by the proxy to my radius server.

--- proxy.conf (working fine on 0.8.1)
realm myrealm.net {
        type = radius
        authhost = 172.16.129.4:1812
        accthost = 172.16.129.4:1813
        secret = testing123
        ldflag = round_robin
        nostrip
}
realm myrealm.net {
        type = radius
        authhost = 172.16.129.5:1812
        accthost = 172.16.129.5:1813
        secret = testing123
        ldflag = round_robin
        nostrip
}
--- end

To have a functional accounting process, I'm using radrelay, but I can't understand why it was working on freeradius 0.8.1 and not anymore on 0.9.x !!!

Specs:
2 Freeradius 0.9.1 proxy (sharing a VIP)
2 Freeradius server running on Woody.

Regards
Thomas MARCHESSEAU
Re: Proxy with PAP?
On Tue, 07 Oct 2003 13:00:27 -0400 "Alan DeKok" <[EMAIL PROTECTED]> wrote:
> Masaru Yoshihama <[EMAIL PROTECTED]> wrote:
> > I boot up FreeRadius with debug mode and I try to authenticate, but it
> > always sends "CHAP" packets.
>
> No. The NAS is sending the CHAP packets, and FreeRADIUS just
> proxies them as-is.

Thank you for your suitable reply. I have tried it and made sure of its behavior. There is no problem when I send PAP auth.

> > Finally, I tried to read the src file (proxy.c) and it seemed to
> > support only CHAP protocol (but I have no confidence).
>
> I have no clue how you decided that from reading proxy.c. The
> server can proxy any authentication method used by the NAS.

Thank you again.
Re: Problems with proxy if TTLS is used
Hello,

Are there any plans to implement proxying for EAP/TTLS in near future?

Sergio

Alan DeKok wrote:
"Roman Janos" <[EMAIL PROTECTED]> wrote:
I try to make TTLS authentication. This is gone with PAP/EAP-MD5 in tunneled mode but only if the PAP/EAP-MD5 credentials were on the same machine. If I try to put the user credentials on other freeradius server and try to make proxying it doesn't go any more.

The tunneled authentication request cannot currently be proxied to another server.

Alan DeKok.
Re: Problems with proxy if TTLS is used
"Roman Janos" <[EMAIL PROTECTED]> wrote:
> I try to make TTLS authentication. This is gone with PAP/EAP-MD5 in tunneled
> mode but only if the PAP/EAP-MD5 credentials
> were on the same machine.
>
> If I try to put the user credentials on other freeradius server and try to
> make proxying it doesn't go any more.

The tunneled authentication request cannot currently be proxied to another server.

Alan DeKok.
Problems with proxy if TTLS is used
Hi all,

I use freeradius-snapshot-20031003 version of FREERADIUS for testing EAP-TTLS with it. I try to make TTLS authentication. This is gone with PAP/EAP-MD5 in tunneled mode but only if the PAP/EAP-MD5 credentials were on the same machine. If I try to put the user credentials on other freeradius server and try to make proxying it doesn't go any more. There seems to be a problem with proxying because no proxy request is sent to other radius server.

Below is useful listing (end part with error and proxy setting). On other second RADIUS server is TTLS radius server configured as client. Please help.

--
rad_recv: Access-Request packet from host 10.0.0.173:1645, id=44, length=237
    User-Name = "anonymous"
    Framed-MTU = 1400
    Called-Station-Id = "0007.85b3.63ac"
    Calling-Station-Id = "000b.5f63.c145"
    Message-Authenticator = 0xcf583fe883a5aa08b4aeadbd25ba0764
    EAP-Message = 0x020600571580004d1703010048a022a4a5787533a644314a6f27a481deea37b5269793 31f24828f73e5b0791d0a73115ba87baee9ba7011c1f3ea98a14e497e6961991099590a610e9 78f1b72f68ee7f9034d820ce
    NAS-Port-Type = Virtual
    NAS-Port = 497
    State = 0xd6c081b0b2fbf275d73554a94fbab8e9
    NAS-IP-Address = 10.0.0.173
    NAS-Identifier = "System_room_5510_AP1200"
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
modcall[authorize]: module "chap" returns noop for request 5
rlm_eap: EAP packet type response id 6 length 87
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 5
modcall[authorize]: module "mschap" returns noop for request 5
modcall: group authorize returns updated for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
eaptls_process returned 7
rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
TTLS: Got tunneled request
    User-Name = "[EMAIL PROTECTED]"
    User-Password = "kasslatter"
    Freeradius-Proxied-To = 127.0.0.1
TTLS: Sending tunneled request
    User-Name = "[EMAIL PROTECTED]"
    User-Password = "kasslatter"
    Freeradius-Proxied-To = 127.0.0.1
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
modcall[authorize]: module "chap" returns noop for request 5
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 5
rlm_realm: Looking up realm "servprov.com" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "servprov.com"
rlm_realm: Adding Stripped-User-Name = "fritz"
rlm_realm: Proxying request from user fritz to realm servprov.com
rlm_realm: Adding Realm = "servprov.com"
rlm_realm: Preparing to proxy authentication request to realm "servprov.com"
modcall[authorize]: module "suffix" returns updated for request 5
modcall[authorize]: module "mschap" returns noop for request 5
modcall: group authorize returns updated for request 5
TTLS: Got tunneled reply RADIUS code 0
TTLS: Rejecting tunneled user
rlm_eap: Handler failed in EAP type 21
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 5
modcall: group authenticate returns invalid for request 5
auth: Failed to validate the user.
Delaying request 5 for 1 seconds
Finished request 5
Going to the next request

proxy.conf:
realm servprov.com {
        type = radius
        authhost = 10.0.0.20:1812
        accthost = 10.0.0.20:1813
        secret = radius_proxy
        strip
}
--
regards
Roman
Re: Proxy with PAP?
Masaru Yoshihama <[EMAIL PROTECTED]> wrote:
> I boot up FreeRadius with debug mode and I try to authenticate, but it
> always sends "CHAP" packets.

No. The NAS is sending the CHAP packets, and FreeRADIUS just proxies them as-is.

> Finally, I tried to read the src file (proxy.c) and it seemed to
> support only CHAP protocol (but I have no confidence).

I have no clue how you decided that from reading proxy.c. The server can proxy any authentication method used by the NAS.

> Q. Does FreeRadius support proxy setting with PAP authentication?

Yes, if the NAS sends RADIUS requests with PAP passwords.

Alan DeKok.
Re: Problem with Proxy
Allen,

You could try to put the following in the users file:

DEFAULT Realm =~ "\.us$", Proxy-To-Realm += "us"
DEFAULT Realm =~ "\.jp$", Proxy-To-Realm += "jp"

In proxy.conf you can put something like:

realm us {
        type = radius
        authhost = 123.123.234.234:1812
        accthost = 123.123.234.234:1813
        secret = authkey
        nostrip
}
realm jp {
        type = radius
        authhost = 123.123.234.235:1812
        accthost = 123.123.234.235:1813
        secret = authkey
        nostrip
}

Chris

On Mon, 2003-10-06 at 07:12, Allen Chung wrote:
> Hello~
>
> I have a question about Proxy.
>
> I would like to
>
> 1. proxy realms which end with ".us" to serverATus.
> 2. proxy realm which end with ".jp" to serverATjp.
>
> What should I define in the proxy.conf ?
>
> Thanks a lot ...
Proxy with PAP?
Hello all.

I have some problem with Freeradius-0.9.1 with proxy setting. I have some companies who provide access points to each other by roaming setting. Almost all of the companies are working pretty well, but only one is a problem. This admin says his radius server is a little old and it only supports PAP authentication.

So I read the document and tried some settings, but I can't solve it. I had tried to add the below in the users file

|DEFAULT Suffix == "@sample.roaming.net", Auth-Type := PAP

I had tried some settings with "proxy.conf" and other settings I can imagine. I boot up FreeRadius with debug mode and I try to authenticate, but it always sends "CHAP" packets. Finally, I tried to read the src file (proxy.c) and it seemed to support only CHAP protocol (but I have no confidence).

Would someone advise me?

Q. Does FreeRadius support proxy setting with PAP authentication?
Q. If it supports PAP, would you tell me a point of information? (URL or document name is useful)

|I can imagine, proxy with PAP via internet is very dangerous.
|But they say it need.

--
masaru yoshihama
Problem with Proxy
Hello~ I have a question about Proxy. I would like to 1.proxy realms which end with ".us" to serverATus. 2. proxy realm which end with ".jp" to serverATjp. What should I define in the proxy.conf ? Thanks a lot ...
Re: Proxy Issue
"Ivan Meic" <[EMAIL PROTECTED]> wrote:
> I'm not using a 'round robin' method, so I really
> was expecting that it will send accounting packets to
> all servers specified in the list.

That isn't the way it's intended to work.

> Ok, I can understand how to use radrelay, but then I have another problem.
> I have around 50 different gateways sending the accounting data to this
> radius server.
> Each gateway has its own radacct sub-directory. Do I need to keep running
> 50 different instances of radrelay, or is there a more convenient way ?

For now, you run 50 copies. It's ugly, but it works.

With a few code patches, it should be possible to run one copy of radrelay, which would read 50 files. But that does require source code patches.

Alan DeKok.
works with a ppphint, but how to insert this into my proxy for someone?
I am proxying auth from my server (freeradius, .8.1) to another server (cistron radius) and when running radtest, I can only get correct answers if I add the '1' to radtest to turn the Framed-Protocol = PPP on.

How do I insert that into an auth request on the regular proxy? Or, should I just have the other server correct itself in some manner?

Examples of my radtesting are below, names are changed to protect the guilty.

THIS ONE FAILS:

$ radtest [EMAIL PROTECTED] userpass localhost 1 testing123
Sending Access-Request of id 142 to 127.0.0.1:1812
    User-Name = "[EMAIL PROTECTED]"
    User-Password = "e\024c\311\221cN\226\245\302HO\261\n+a"
    NAS-IP-Address = auth-1.myhost.com
    NAS-Port = 1
Re-sending Access-Request of id 142 to 127.0.0.1:1812
    User-Name = "[EMAIL PROTECTED]"
    User-Password = "e\024c\311\221cN\226\245\302HO\261\n+a"
    NAS-IP-Address = auth-1.myhost.com
    NAS-Port = 1
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=142, length=20

THIS ONE WORKS

$ radtest [EMAIL PROTECTED] userpass localhost 1 testing123 1
Sending Access-Request of id 186 to 127.0.0.1:1812
    User-Name = "[EMAIL PROTECTED]"
    User-Password = "\035~\275RG\314Y9\327\2607\276;D\371\016"
    NAS-IP-Address = auth-1.myhost.com
    NAS-Port = 1
    Framed-Protocol = PPP
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=186, length=56
    Framed-IP-Netmask = 255.255.255.0
    Framed-MTU = 576
    Session-Timeout = 14400
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Framed-Compression = Van-Jacobson-TCP-IP

My proxy stanza for this looks something like:

realm domain.net {
        type = radius
        authhost = 192.168.1.1:1812
        accthost = 192.168.1.1:1813
        secret = supersecret
        nostrip
}

Thank you.

j

-- == + It's simply not | John Keimel+ + RFC1149 compliant!| [EMAIL PROTECTED]+ + | http://www.keimel.com + ==
RE: Proxy Issue
"Alan DeKok" <[EMAIL PROTECTED]> wrote:
> Huh? You have *two* NULL realms, and two DEFAULT realms? I don't
> expect that to work at all.
>
> In fact, it's intended to NOT work.

:) I can guarantee to you that it is working. I'm not using a 'round robin' method, so I really was expecting that it will send accounting packets to all servers specified in the list.

> > In this case it works fine, but if I want to proxy it
> > to one additional server it doesn't work.
> > The proxy only sends the accounting data to the first server on the list
> > and leaves one copy for itself.
>
> See 'radrelay'. It's designed to copy requests to another server.

Ok, I can understand how to use radrelay, but then I have another problem. I have around 50 different gateways sending the accounting data to this radius server. Each gateway has its own radacct sub-directory. Do I need to keep running 50 different instances of radrelay, or is there a more convenient way ? (Possibly make all gateways write to one detail file ?)

Thanks in advance.

Regards,
Ivan Meic
Re: Proxy Issue
"Ivan Meic" <[EMAIL PROTECTED]> wrote:
> Also I'm using proxy features to be able to send the accounting data
> to one more server, just to have another copy.

Ok..

> realm NULL {
>         type = radius
>         authhost = 80.253.170.52:1812
>         accthost = 80.253.170.52:1813
>         secret = rad213bmf
> }
> realm NULL {
>         type = radius
>         authhost = LOCAL
>         accthost = LOCAL
> }

Huh? You have *two* NULL realms, and two DEFAULT realms? I don't expect that to work at all.

In fact, it's intended to NOT work.

> In this case it works fine, but if I want to proxy it
> to one additional server it doesn't work.
> The proxy only sends the accounting data to the first server on the list
> and leaves one copy for itself.

See 'radrelay'. It's designed to copy requests to another server.

Alan DeKok.
Proxy Issue
Hi,

I'm using FreeRADIUS v0.8.1 on RedHat 7.1. I'm using it strictly for accounting purposes with MySQL running in the background. Also I'm using proxy features to be able to send the accounting data to one more server, just to have another copy.

--- proxy.conf ---
proxy server {
        synchronous = no
        retry_delay = 5
        retry_count = 10
        dead_time = 120
        servers_per_realm = 15
        default_fallback = yes
}
realm NULL {
        type = radius
        authhost = 80.253.170.52:1812
        accthost = 80.253.170.52:1813
        secret = rad213bmf
}
realm NULL {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
}
realm DEFAULT {
        type = radius
        authhost = 80.253.170.52:1812
        accthost = 80.253.170.52:1813
        secret = rad213bmf
}
realm DEFAULT {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
}

In this case it works fine, but if I want to proxy it to one additional server it doesn't work. The proxy only sends the accounting data to the first server on the list and leaves one copy for itself.

Why is this happening ? What can I do regarding this issue ?

Thanks in advance.

Regards,
Ivan Meic
Proxy based on NAS-IP-Address / Client-IP-Address or NAS-Identifier
Currently using freeradius-0.9.1 running over FreeBSD v4.8. Is it possible to do proxy authentication and accounting based on NAS-IP-Address / Client-IP-Address or NAS-Identifier instead of realms? Regards
Proxy (accounting) based on any attribute!!
I read in the freeradius specification that it is capable of doing proxy authentication and/or accounting forwarding based on any attribute. Traditionally, Proxy was only applicable through Realms/Suffixes. Suppose I want to do accounting forwarding based on NAS-IP address, how would I do so? What files do I have to modify? Do I need to compile any modules? Regards.
Combining proxy and remote radius
Can I use a combination of a (local) radius proxy and a (remote) radius server?

Whenever a client tries to authenticate himself:
=> I first want to check against a local radius-server
=> if that failed, I want to check with a remote radius server instead.

I am not looking for local caching, the two databases are entirely different. Of course, I can implement this using a script with two separate NAS calls, one to the local server, followed by one to the remote server if the first one failed. But is there a more elegant way?

Z.
Proxy Auth
Hello,

I would like freeradius to accept both user & [EMAIL PROTECTED] for valid authentication via an access server. I have tried to do this via proxy realms, but cannot seem to get it working. I get the following error:

Thread 5 handling request 4, (1 handled so far)
    NAS-IP-Address = x.x.x.x
    NAS-Port = 163
    Attr-589826 = 0x7474723423633
    NAS-Port-Type = Async
    User-Name = "[EMAIL PROTECTED]"
    Called-Station-Id = "x"
    Calling-Station-Id = "x"
    User-Password = "password"
rad_lowerpair: User-Name now '[EMAIL PROTECTED]'
rad_rmspace_pair: User-Name now '[EMAIL PROTECTED]'
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module "chap" returns noop
modcall[authorize]: module "files" returns notfound
modcall: group authorize returns ok
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/password] (from client nas-as5300 port 163 cli x)

Does anyone have any pointers?

Thanks,
Brandilis
Re: proxy/realm stripping question
> I am going to get the following data from a user:
>
> [EMAIL PROTECTED]
>
> I need to parse off bar.com and have Freeradius pass [EMAIL PROTECTED] to the
> proper radius server for auth.

Well, I don't know much about proxying yet, but maybe you can accomplish to let the username change in [EMAIL PROTECTED]@bar.com, which might be easier to process.

Thor.
RE: proxy/realm stripping question
> From: Erik Denny
> Sent: Saturday, 23 August 2003 2:24 PM

> I'm running .8 on Redhat 7.3, on a machine that is essentially acting as a
> radius server traffic cop.
>
> I am going to get the following data from a user:
>
> [EMAIL PROTECTED]
>
> I need to parse off bar.com and have Freeradius pass [EMAIL PROTECTED] to the
> proper radius server for auth.

> Now, we ALSO will be getting requests for simply [EMAIL PROTECTED] as well.
> So, I have to have rules for both scenarios.

> I want them both to exist and work, is that possible?

If you're just looking to strip bar.com, have a look at the rewrite module. Make it run before the realm module. As long as you don't need to differentiate between @foo.com.bar.com and @foo.com

--
= Paul "TBBle" Hampson Bubblesworth Pty Ltd (ABN: 51 095 284 361) [EMAIL PROTECTED]
This is a one line proof...if we start sufficiently far to the left. -- Cambridge University Math Department
- Random signature generator 3.0 by Paul "TBBle" Hampson =
proxy/realm stripping question
I'm running .8 on Redhat 7.3, on a machine that is essentially acting as a radius server traffic cop.

I am going to get the following data from a user:

[EMAIL PROTECTED]

I need to parse off bar.com and have Freeradius pass [EMAIL PROTECTED] to the proper radius server for auth.

I've fiddled with changing the order in radiusd.conf. Currently, in the "Realm Module", the order is @ . / and %

Obviously, the packet comes in, it sees the @ as the delimiter, and it sucks off foo.com.bar.com and then has to figure out what to do with user.

Now, we ALSO will be getting requests for simply [EMAIL PROTECTED] as well. So, I have to have rules for both scenarios.

If I change the order so . is first, nothing works because it wants to strip each segment of the realm.

I want them both to exist and work, is that possible? Or have I just succeeded in confusing people? :)

..erik
FR 0.8.1 Radius Proxy
Hi,

I have one FR 0.8.1 running as Radius Proxy (radius A). I got 3 kinds of auth packet from one NAS:

(1) userid
(2) abc/[EMAIL PROTECTED]
(3) [EMAIL PROTECTED]

I would like auth case (1) locally (radius A), case (2) should be fwd to radius B, case (3) should be fwd to radius C.

So I config my proxy.conf in Radius A:

realm Null {
        type = radius
        authhost = LOCAL:1645
        accthost = LOCAL:1646
}
realm abc {
        type = radius
        authhost = radius B:1645
        accthost = radius B:1646
        secret
        nostrip
}
realm DEFAULT {
        type = radius
        authhost = radius C:1645
        accthost = radius C:1646
        secret
        nostrip
}

My radius.conf:

authorize {
        preprocess
#       counter
#       attr_filter
        realmslash
        suffix
        files
}

The problem I have is Radius A always treats case (1) and case (3) as realm = Null. So case (3) cannot be properly proxied to Radius C. It seems "suffix" does not work, only "realmslash" works.

Anybody can help me look at it, how to config my Radius Proxy (radius A).

Thks,
ChenShu
Sample config on Redhat with proxy
Hi All, I'm trying the radius server for the first time. May I ask who can post the freeradius on redhat here? Or where can I find the detailed study manual? Thanks
Re: Sample config on Redhat with proxy
Dick Lau wrote:
> Hi All,
>
> I'm trying the radius server for the first time. May I ask who can post the
> freeradius on redhat here? Or where can I find the detailed study manual?
>
> Thanks

I found this http://people.redhat.com/twoerner/SRPMS/freeradius-0.8.1-6.src.rpm

It's handy, though it is not an up-to-date version. You could use the rpm to base a build from new source.

Cheers,
Michael
Re: Pre-proxy attr_filter?
Chris van Meerendonk <[EMAIL PROTECTED]> wrote:
> Is it possible to filter attributes that are sent by using radius proxy
> to the home-server? Something like attr_filter in the pre-proxy stage?

If attr_filter doesn't already have a pre-proxy stage, it should be ~2 minutes to add one.

Alan DeKok.
Re: Pre-proxy attr_filter?
Hi Chris,

I'm having problems finding your mail in the mailing list history. It could be too warm here to think about a good keyword to search for... Can you post it again please?

Thanks,
Chris

On Fri, 2003-08-08 at 16:28, Chris Brotsos wrote:
> At 09:15 AM 8/8/2003, you wrote:
> >On Fri, 2003-08-08 at 15:48, Alan DeKok wrote:
> > > Chris van Meerendonk <[EMAIL PROTECTED]> wrote:
> > > > Is it possible to filter attributes that are sent by using radius proxy
> > > > to the home-server? Something like attr_filter in the pre-proxy stage?
> > >
> > > If attr_filter doesn't already have a pre-proxy stage, it should be
> > > ~2 minutes to add one.
> >With freeradius 0.9.0 it says:
> >radiusd.conf: "attr_filter" modules aren't allowed in 'pre-proxy'
> >sections -- they have no such method.
> >
> >I've found the relevant code, will probably be ~2 hours to add (Sorry,
> >I'm not that quick ;-) I'll give it a try.
>
> Awhile ago, I sent somebody on the list the post-proxy function for
> rlm_attr_filter. Take a look at what I changed, and you'll see that it is
> probably nothing more than taking the authorize function and modifying what
> reply_items points to for creating a valid pre-proxy function. The only
> semi-tricky mod to attr_filter was making an accounting function ;o).
>
> HTH,
>
> Chris Brotsos
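The pre-proxy filtering discussed in this thread, as an added example that is not FreeRADIUS code and not code from any poster: it walks the attributes received from the NAS and forwards to the home server only those that an allow-list of rules passes, dropping everything else. The types `pair_t` and `rule_t`, the function `filter_pairs`, and the sample rules and request are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for illustration; not FreeRADIUS's VALUE_PAIR API. */
typedef struct pair {
    char name[32];
    char value[64];
    struct pair *next;
} pair_t;

typedef enum { OP_ANY, OP_EQ, OP_LE, OP_GE } op_t;
typedef struct { const char *name; op_t op; const char *value; } rule_t;

/* Append a new pair to the end of the list. */
static void pair_add(pair_t **head, const char *name, const char *value)
{
    pair_t *p = calloc(1, sizeof(*p));
    if (!p) abort();
    snprintf(p->name, sizeof(p->name), "%s", name);
    snprintf(p->value, sizeof(p->value), "%s", value);
    while (*head) head = &(*head)->next;
    *head = p;
}

/* 1 if the pair satisfies the rule, 0 if it violates it. */
static int rule_ok(const rule_t *r, const pair_t *p)
{
    switch (r->op) {
    case OP_ANY: return 1;
    case OP_EQ:  return strcmp(p->value, r->value) == 0;
    case OP_LE:  return atol(p->value) <= atol(r->value);
    case OP_GE:  return atol(p->value) >= atol(r->value);
    }
    return 0;
}

/*
 * Allow-list filter: an attribute is forwarded only when at least one rule
 * names it (pass > 0) and none of those rules is violated (fail == 0).
 * Takes ownership of `request`: kept pairs are relinked, the rest are freed.
 */
pair_t *filter_pairs(pair_t *request, const rule_t *rules, size_t nrules)
{
    pair_t *kept = NULL, **tail = &kept, *item, *next;

    for (item = request; item; item = next) {
        int pass = 0, fail = 0;          /* reset for every attribute */
        size_t i;
        next = item->next;
        for (i = 0; i < nrules; i++) {
            if (strcmp(rules[i].name, item->name) != 0) continue;
            if (rule_ok(&rules[i], item)) pass++; else fail++;
        }
        if (fail == 0 && pass > 0) {
            item->next = NULL;
            *tail = item;
            tail = &item->next;
        } else {
            free(item);                  /* default deny: not forwarded */
        }
    }
    return kept;
}

/* Constructed rules for one home server (sample data). */
static const rule_t sample_rules[] = {
    { "User-Name",       OP_ANY, NULL   },
    { "NAS-Port",        OP_GE,  "1"    },
    { "NAS-Port",        OP_LE,  "1024" },
    { "Framed-Protocol", OP_EQ,  "PPP"  },
};
#define N_SAMPLE_RULES (sizeof(sample_rules) / sizeof(sample_rules[0]))

/* Constructed request as it might arrive from a NAS (sample data). */
pair_t *sample_request(void)
{
    pair_t *vps = NULL;
    pair_add(&vps, "User-Name", "fritz");
    pair_add(&vps, "NAS-IP-Address", "10.0.0.173");  /* no rule: dropped */
    pair_add(&vps, "NAS-Port", "497");               /* within 1..1024 */
    pair_add(&vps, "NAS-Port", "5000");              /* violates <= 1024 */
    pair_add(&vps, "Framed-Protocol", "PPP");
    return vps;
}

int main(void)
{
    pair_t *vps = filter_pairs(sample_request(), sample_rules, N_SAMPLE_RULES);
    pair_t *next;
    for (; vps; vps = next) {
        next = vps->next;
        printf("%s = %s\n", vps->name, vps->value);
        free(vps);
    }
    return 0;
}
```

Because an attribute with no matching rule ends with `pass == 0`, anything the rule list does not name is withheld from the home server by default.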
FR 0.8.1 Radius Proxy
I have one FR 0.8.1 running as Radius Proxy (radius A). I got 3 kinds of auth packet from one NAS:

(1) userid
(2) abc/[EMAIL PROTECTED]
(3) [EMAIL PROTECTED]

I would like auth case (1) locally (radius A), case (2) should be fwd to radius B, case (3) should be fwd to radius C.

So I config my proxy.conf:

realm Null {
        type = radius
        authhost = LOCAL:1645
        accthost = LOCAL:1646
}
realm abc {
        type = radius
        authhost = radius B:1645
        accthost = radius B:1646
        secret
        nostrip
}
realm DEFAULT {
        type = radius
        authhost = radius C:1645
        accthost = radius C:1646
        secret
        nostrip
}

My radius.conf:

authorize {
        preprocess
#       counter
#       attr_filter
        realmslash
        suffix
        files
}

The problem I have is Radius A always treats case (1) and case (3) as realm = Null. So case (3) cannot be properly proxied to Radius C. It seems "suffix" does not work, only "realmslash" works.

Who got any suggestion, how to config my Radius Proxy (radius A).

Thks,
ChenShu
Re: Pre-proxy attr_filter?
At 08:06 AM 8/11/2003, you wrote:
On Fri, 2003-08-08 at 15:48, Alan DeKok wrote:
> Chris van Meerendonk <[EMAIL PROTECTED]> wrote:
> > Is it possible to filter attributes that are sent by using radius proxy
> > to the home-server? Something like attr_filter in the pre-proxy stage?
>
> If attr_filter doesn't already have a pre-proxy stage, it should be
> ~2 minutes to add one.

I'm doing something terribly wrong. Can you help me out? I've copied the attr_filter_authorize routine and renamed it to attr_filter_preproxy. Debug shows it is passing the routine. Also I put in some extra DEBUG2 lines to verify. It finds the correct realm, compares the entries against the entries in the users file instead of the data coming from the NAS. Probably as a result of this, the data is passed whatever the results of the check are. Can you give me a hint what I'm doing wrong? (Your 2-minute patch would be great also ;-)

I sent the post-proxy patch...you probably hadn't received it by the time you sent this. I included a patch this time with the post-proxy() and accounting() functions. Pay attention to the accounting function as it will mirror what you are trying to do (unlike authorize()).

rlm_attr_filter was not really made to work on the VPS coming back from the NAS (it was intended to work on VPS going to the NAS), so copying the authorize() function is not going to do what you wanted. The module will work on whichever pairs you tell it to. So, for example, you probably have reply_items = &request->reply->vps. The attributes from the NAS are not in request->reply->vps, but the attributes added from rlm_files or rlm_fastusers are. If you are trying to modify the NAS VPs, then you need to work with the request->packet->vps. So I go through a loop,

for (send_item = request_pairs...) {
        while (check) {
        }
        if (fail == 0 && pass > 0) {
                mypairappend(send_item, &send_tmp);
        }
}
pairfree(&request->packet->vps);
request->packet->vps = send_tmp;

HTH,
Chris Brotsos

Thanks, Chris > Alan DeKok.
Index: rlm_attr_filter.c === RCS file: /source/radiusd/src/modules/rlm_attr_filter/rlm_attr_filter.c,v retrieving revision 1.13 diff -u -r1.13 rlm_attr_filter.c --- rlm_attr_filter.c 7 Jul 2003 19:04:05 - 1.13 +++ rlm_attr_filter.c 11 Aug 2003 13:21:51 - @@ -3,7 +3,7 @@ * before sending reply to the NAS/Server that sent * it to us. * - * Version: $Id: rlm_attr_filter.c,v 1.13 2003/07/07 19:04:05 aland Exp $ + * Version: $Id: rlm_attr_filter.c,v 1.12 2002/08/24 16:54:56 aland Exp $ * * This program is is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License, version 2 if the @@ -41,7 +41,7 @@ #include "radiusd.h" #include "modules.h" -static const char rcsid[] = "$Id: rlm_attr_filter.c,v 1.13 2003/07/07 19:04:05 aland Exp $"; +static const char rcsid[] = "$Id: rlm_attr_filter.c,v 1.12 2002/08/24 16:54:56 aland Exp $"; struct attr_filter_instance { @@ -152,10 +152,6 @@ int rcode; inst = rad_malloc(sizeof *inst); - if (!inst) { - return -1; - } - memset(inst, 0, sizeof(*inst)); if (cf_section_parse(conf, inst, module_config) < 0) { free(inst); 
@@ -173,7 +169,193 @@ *instance = inst; return 0; } +/* Find the named realm in the database. Create the + * set of attribute-value pairs to check and forward with + * for this realm from the database. + */ +static int attr_filter_accounting(void *instance, REQUEST *request) +{ + struct attr_filter_instance *inst = instance; + VALUE_PAIR *request_pairs; + VALUE_PAIR *send_item; + VALUE_PAIR *send_tmp = NULL; + VALUE_PAIR *check_item; + PAIR_LIST *pl; + int found = 0; + int compare; + int pass, fail; +#ifdef HAVE_REGEX_H + regex_t reg; +#endif + VALUE_PAIR *realmpair; + REALM *realm; + char*realmname; + /* +* Accounting is a bit different from the other functions. +* Here we are concerned with what we are going to forward to +* the remote server as opposed to concerns with what we will send +* to the NAS based on a proxy reply to an auth request. +*/ + request_pairs = request->packet->vps; + if (request->packet->code != PW_ACCOUNT
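Review bot: The first three hunks look like the diff was taken from a working copy based on 1.12 and compared against 1.13: both $Id$ lines (header comment and rcsid) go from 1.13 back to 1.12, and the hunk at -152 removes the "if (!inst) { return -1; }" check after rad_malloc() that revision 1.13 carries. None of this belongs to adding the new functions. Regenerate the patch against an up-to-date 1.13 so these hunks disappear, or submit the removal of the NULL check as its own change with a reason.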
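Review bot: The header comment on attr_filter_accounting() ("Find the named realm in the database...") describes a realm lookup and does not say that this function filters request->packet->vps before the request is forwarded to the remote server; that fact only appears in the inner comment, so move it up into the header. There is also no blank line between the closing brace of the previous function and the new comment, and "char*realmname" and the continuation lines of the inner block comment are not indented like the surrounding declarations.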
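The list swap described in Chris Brotsos's reply above (build a new list from request->packet->vps, free the old one, point the packet at the new one), as an added example that is not code from the post or from FreeRADIUS. struct vp, struct req, filter_preproxy and the name allow-list are simplified stand-ins assumed here; the module itself compares against per-realm check items.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Simplified stand-ins (assumptions), not FreeRADIUS's VALUE_PAIR / REQUEST. */
struct vp { char name[32]; char value[32]; struct vp *next; };
struct req { struct vp *packet_vps; struct vp *reply_vps; };

static void vp_append(struct vp **head, const char *name, const char *value)
{
    struct vp *n = calloc(1, sizeof *n);   /* zeroed, so strings stay terminated */
    if (!n) abort();
    strncpy(n->name, name, sizeof n->name - 1);
    strncpy(n->value, value, sizeof n->value - 1);
    while (*head) head = &(*head)->next;   /* walk to the tail, keep packet order */
    *head = n;
}

static void vp_free(struct vp **head)
{
    while (*head) { struct vp *next = (*head)->next; free(*head); *head = next; }
}

/* Keep only packet attributes named in allow[]; reply_vps is untouched. Returns the count dropped. */
static int filter_preproxy(struct req *r, const char *const *allow, size_t n_allow)
{
    struct vp *send_tmp = NULL;
    int dropped = 0;
    for (const struct vp *it = r->packet_vps; it; it = it->next) {
        size_t i = 0;
        while (i < n_allow && strcmp(it->name, allow[i]) != 0) i++;
        if (i < n_allow) vp_append(&send_tmp, it->name, it->value);
        else dropped++;
    }
    vp_free(&r->packet_vps);    /* release the unfiltered list from the NAS */
    r->packet_vps = send_tmp;   /* only what passed goes to the home server */
    return dropped;
}

int main(void)
{
    struct req r = {0};         /* constructed sample accounting request */
    const char *const allow[] = { "User-Name", "Acct-Session-Id" };
    vp_append(&r.packet_vps, "User-Name", "alice@example.test");
    vp_append(&r.packet_vps, "NAS-IP-Address", "192.0.2.10");
    vp_append(&r.packet_vps, "Acct-Session-Id", "0001");
    printf("dropped %d attribute(s)\n", filter_preproxy(&r, allow, 2));
    vp_free(&r.packet_vps);
    return 0;
}
```

Running the same filter over reply_vps instead would leave the NAS-supplied attributes untouched, which is the symptom described in the question.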