Re: proxy authentication
stambazzi andrea <[EMAIL PROTECTED]> wrote:
> The cause may be because i use radclient and not radiusd?

No. You have a loop, as Frank said.

> > What are you confused about?
> Because i have disabled snmp ... i don't understand why it try otherwise to
> connect in snmp!!!

Then you didn't disable SNMP, did you?

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: proxy authentication
> > marking authentication server 192.168.1.25:1812 for realm pbc dead
>
> The home server is dead.

The cause may be because i use radclient and not radiusd?

> > Now .. anyone know why radiusd try to connect with SNMP with SMUX
>
> Because it supports some SNMP management. Don't worry about it.
>
> > Because i don't know i'm really confuse about this PLEASE ANYONE
> > HELP ME
>
> What are you confused about?

Because i have disabled snmp ... i don't understand why it try otherwise to connect in snmp!!!

--
Stambazzi Andrea
P.B. COMMUNICATIONS s.r.l.
Strada dei censiti n°1/B
47891 - Rovereta - R.S.M.
Tel 0549-908000
Fax 0549-909132
Email [EMAIL PROTECTED]
Web http://www.pbcommunications.sm
Re: proxy authentication
On Tue, 8 Jul 2003, stambazzi andrea wrote:

> this is my network configuration:
>
> NAS ---> PROXY ---> MY RADIUS
>
> PROXY: 192.168.1.25
> MY RADIUS : 192.168.1.5

(snip)

> rad_recv: Access-Request packet from host 192.168.1.25:49404, id=224, length=34

(snip)

> rlm_realm: Found realm pbc
> rlm_realm: Adding Stripped-User-Name = "ES_PROVA"
> rlm_realm: Proxying request from user ES_PROVA to realm pbc
> rlm_realm: Adding Realm = "pbc"
> rlm_realm: Preparing to proxy authentication request to realm pbc

(snip)

> Sending Access-Request of id 1 to 192.168.1.25:1812

You're receiving an Access-Request from PROXY on MY RADIUS, and then proxying it back to PROXY. I doubt this is the desired behavior.

Remove the realm from proxy.conf on MY RADIUS, or set the authhost and accthost to LOCAL.

Franklin

--
Franklin Trumpy, NFA, MNGS, GSc | The wound of peace is surety,
Sr. UNIX Systems Administrator  | Surety secure; but modest doubt is called
Lighthouse Communications       | The beacon of the wise, the tent that searches
[EMAIL PROTECTED]               | To th' bottom of the worst.
(515)244-1115 | (888)953-3278   | William Shakespeare
http://www.lh.net               | Troilus and Cressida (II, ii)
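The loop described in the reply above can be picked out of `radiusd -X` output mechanically: an Access-Request is received from a host and an Access-Request is then sent to that same host. The following is an added example, not part of the original thread or of FreeRADIUS; the function name `find_proxy_loops` is hypothetical and the sample lines are a constructed excerpt of the debug log quoted in this thread.

```python
import re

# Line shapes as they appear in the radiusd -X output quoted in this thread.
RECV = re.compile(r"rad_recv: (\S+) packet from host ([\d.]+):(\d+), id=(\d+)")
SEND = re.compile(r"(?:Re-s|S)ending (\S+) of id (\d+) to ([\d.]+):(\d+)")
PROXY = re.compile(r"rlm_realm: Proxying request from user (\S+) to realm (\S+)")
DEAD = re.compile(r"marking authentication server ([\d.]+):(\d+) for realm (\S+) dead")

def find_proxy_loops(log_text):
    """Return one finding per host that both sent us an Access-Request and
    was then used as the home server for a proxied Access-Request.
    Findings are candidates: a peer can legitimately be client and home
    server for different realms, so confirm against proxy.conf."""
    clients = set()   # source IPs of received Access-Requests
    realm = None      # last realm rlm_realm decided to proxy to
    loops = {}        # home-server IP -> finding
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RECV.match(line):
            if m.group(1) == "Access-Request":
                clients.add(m.group(2))
        elif m := PROXY.match(line):
            realm = m.group(2)
        elif m := SEND.match(line):
            kind, dest = m.group(1), m.group(3)
            if kind == "Access-Request" and dest in clients:
                entry = loops.setdefault(dest, {"home_server": dest,
                        "realm": realm, "sends": 0, "marked_dead": False})
                entry["sends"] += 1   # counts the original send and re-sends
        elif m := DEAD.match(line):
            if m.group(1) in loops:
                loops[m.group(1)]["marked_dead"] = True
    return list(loops.values())

# Constructed excerpt of the log posted in this thread.
SAMPLE = """\
rad_recv: Access-Request packet from host 192.168.1.25:49404, id=224, length=34
rlm_realm: Found realm pbc
rlm_realm: Proxying request from user ES_PROVA to realm pbc
Sending Access-Request of id 1 to 192.168.1.25:1812
rad_recv: Access-Request packet from host 192.168.1.25:49404, id=224, length=34
Dropping conflicting packet from client webfive:49404 - ID: 224 due to unfinished request 0
Re-sending Access-Request of id 1 to 192.168.1.25:1812
Re-sending Access-Request of id 1 to 192.168.1.25:1812
marking authentication server 192.168.1.25:1812 for realm pbc dead
"""

if __name__ == "__main__":
    for finding in find_proxy_loops(SAMPLE):
        print(finding)
```

A finding with `marked_dead` set matches the symptom reported here: the server waits on a reply from the host that is itself waiting on this server, then marks it dead.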
Re: proxy authentication
stambazzi andrea <[EMAIL PROTECTED]> wrote:
> I'm trying to authenticate user from a proxy radius to my radius but
> i have some problem.
...
> marking authentication server 192.168.1.25:1812 for realm pbc dead

The home server is dead.

> Now .. anyone know why radiusd try to connect with SNMP with SMUX

Because it supports some SNMP management. Don't worry about it.

> Because i don't know i'm really confuse about this PLEASE ANYONE
> HELP ME

What are you confused about?

Alan DeKok.
proxy authentication
PLEASE ANYONE HELP ME

I'm trying to authenticate user from a proxy radius to my radius but i have some problem.

this is my network configuration:

NAS ---> PROXY ---> MY RADIUS

PROXY: 192.168.1.25
MY RADIUS : 192.168.1.5

now ... to try the authentication procedure i use radclient on PROXY machine to authenticate on MY RADIUS like the sequent:

echo "User-Name = [EMAIL PROTECTED]" | radclient 192.168.1.5 auth wb5

( IMPORTANT: if i try to authenticate on local machine MY RADIUS with the same user name without realm @pbc all gone ok ).

the sequent is the report of radiusd -X on the machine MY RADIUS:

rad_recv: Access-Request packet from host 192.168.1.25:49404, id=224, length=34
        User-Name = "[EMAIL PROTECTED]"
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_realm: Looking up realm pbc for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm pbc
rlm_realm: Adding Stripped-User-Name = "ES_PROVA"
rlm_realm: Proxying request from user ES_PROVA to realm pbc
rlm_realm: Adding Realm = "pbc"
rlm_realm: Preparing to proxy authentication request to realm pbc
modcall[authorize]: module "suffix" returns updated
modcall[authorize]: module "files" returns notfound
radius_xlat: 'ES_PROVA'
rlm_sql (sql): sql_set_user escaped user --> 'ES_PROVA'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'ES_PROVA' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'ES_PROVA' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'ES_PROVA' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'ES_PROVA' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns ok
modcall: group authorize returns updated
Sending Access-Request of id 1 to 192.168.1.25:1812
        User-Name = "ES_PROVA"
        NAS-IP-Address = 192.168.1.25
        Proxy-State = "224"
SMUX connect try 2
Can't connect to SNMP agent with SMUX: Connection refused
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.25:49404, id=224, length=34
Dropping conflicting packet from client webfive:49404 - ID: 224 due to unfinished request 0
SMUX connect try 3
Can't connect to SNMP agent with SMUX: Connection refused
--- Walking the entire request list ---
Waking up in 3 seconds...
--- Walking the entire request list ---
Re-sending Access-Request of id 1 to 192.168.1.25:1812
        User-Name = "ES_PROVA"
        NAS-IP-Address = 192.168.1.25
        Client-IP-Address = 192.168.1.25
        Realm = "pbc"
        Realm = "pbc"
        Proxy-State = "224"
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 192.168.1.25:49404, id=224, length=34
Dropping conflicting packet from client webfive:49404 - ID: 224 due to unfinished request 0
rl_next: returning NULL
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 192.168.1.25:49404, id=224, length=34
Dropping conflicting packet from client webfive:49404 - ID: 224 due to unfinished request 0
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
Re-sending Access-Request of id 1 to 192.168.1.25:1812
        User-Name = "ES_PROVA"
        NAS-IP-Address = 192.168.1.25
        Client-IP-Address = 192.168.1.25
        Realm = "pbc"
        Realm = "pbc"
        Proxy-State = "224"
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 192.168.1.25:49404, id=224, length=34
Dropping conflicting packet from client webfive:49404 - ID: 224 due to unfinished request 0
--- Walking the entire request list ---
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 192.168.1.25:49404, id=224, length=34
Dropping conflicting packet from client webfive:49404 - ID: 224 due to unfinished request 0
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Server rejecting request 0.
marking authentication server 192.168.1.25:1812 for realm pbc dead
Waking up in 0 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 224 to
Re: Question regarding Proxy Authentication
At 06:56 PM 6/30/2003, you wrote:

Hi, Is it possible to make Proxy Authentication decisions (i.e whether to forward Auth-Request to another RADIUS or Not) based on Username\Part_of_username instead of Realms ?

Yes. Use the Proxy-To-Realm attribute. Here are some posts that explain:

http://www.mail-archive.com/[EMAIL PROTECTED]/msg14671.html
http://www.mail-archive.com/[EMAIL PROTECTED]/msg14363.html

HTH,
Chris
Question regarding Proxy Authentication
Hi, Is it possible to make Proxy Authentication decisions (i.e whether to forward Auth-Request to another RADIUS or Not) based on Username\Part_of_username instead of Realms ?

Regards
Naman
Proxy Authentication Override
We have a proxied customer that uses DNIS as part of their authentication sequence; however Qwest and UUNET do not supply DNIS as part of their tests. Is there a way to create a user [EMAIL PROTECTED] and have him locally authenticate against a users file while allowing everything else to proxy...or asked in a different way, can a failed proxied request get changed into a success via some manner? I already run access.deny and know how to turn a success into a failure, but my attempts at reversal are not successful.
Local Authorization, Proxy Authentication question
Greetings. I am interested in setting up my Freeradius-0.5 server to authorize users locally before sending the authentication request to the main radius system here on campus. In other words, if they are not in my user list, I don't even bother proxying their username & password to the main system. Anyone know of a nice, clean way to do it?

Thanks,
Andrew
Re: returned attributes and proxy-authentication, RFC compliance (was: attr_rewrite functions)
Michael Hare <[EMAIL PROTECTED]> wrote:
> With a production Merit 4.1.1E radius server (yeah, old).. We're proxying
> out for our authentication, but returning value pairs are based on the
> local users file.. So, the question is, which behavior is RFC compliant,
> passing on the attributes from the proxy'd server or passing on the local
> attributes?

Neither. The attributes returned to the NAS are completely under the control of the proxy server.

> Does anyone know what the current radius RFC is? (is it still
> 2138)?

I dunno... look at www.freeradius.org, there's a list of supported RFC's.

Alan DeKok.
returned attributes and proxy-authentication, RFC compliance (was: attr_rewrite functions)
I was searching through the groups message archives and found a question/answer session of exactly what I was trying to ask in my last confusing message.

With a production Merit 4.1.1E radius server (yeah, old).. We're proxying out for our authentication, but returning value pairs are based on the local users file.. So, the question is, which behavior is RFC compliant, passing on the attributes from the proxy'd server or passing on the local attributes?

Does anyone know what the current radius RFC is? (is it still 2138)?

-Michael

>Philippe Joyez <[EMAIL PROTECTED]> wrote:
> > I mean, when the freeradius server is configured for proxying, returned
> > attributes are those from the final radius server...I would like to
> > return only those configured in my freeradius one.
>Right now, no, it's not possible. It would be a nice feature to have,
>though. Alan DeKok.

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
Michael Hare
UW-Madison Network Engineering / Hostmaster
WiscNet Network Engineering
My phone: 608-262-5236
24-Hour NOC: 608-263-4188
WiscNet: 608-265-6761