RE: cannot return access accept from proxy to client

2005-10-07 Thread Wilson Lie 
Hi Alan,

for Q2, doc/Post-Auth-type don't have information to support branching by  
realm ?  

-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 04, 2005 8:23 AM
To: FreeRadius users mailing list
Subject: Re: cannot return access accept from proxy to client 


Wilson Lie [EMAIL PROTECTED] wrote:
 Q1. Any method such that host B won't goes into  [post-auth] when it is 
 receiving result from another server ?

  I'm not sure what you mean here.  Perhaps you could try using
complete sentences.

  I *think* the answer is source code edits.

 Q2. In case host B cannot bypass [post-auth]  when receiving  result from 
 another server,  how can I define multiple
   sql section in [post-auth]  ?   As I cannot find any rule that I can 
 set in [post-auth] such that it can  go to  [sql1]
   for realm A and [sql2] for realm B

  doc/Post-Auth-Type.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




(c) 2005 Interactive Technology Holdings Limited Group.
All rights reserved.

CONFIDENTIALITY: This communication and any attachment(s)
is intended solely for the person or organisation to which
it is addressed and it may be confidential.  This
communication may contain confidential or legally privileged
material and may not be copied, redistributed or published
(in whole or in part) without our prior written consent.
This communication may have been intercepted, partially
destroyed, arrive late, incomplete or contain viruses and no
liability is accepted by any member of the Interactive
Technology Holdings Limited Group as a result.  If you are
not the intended recipient, employee or agent responsible
for delivering the message to the intended recipient you
must not copy, disclose, distribute or take any action in
reliance on it.  If you have received this communication in
error, please immediately reply and highlight the error to
the sender immediately and destroy the original from your
computer.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: cannot return access accept from proxy to client

2005-10-03 Thread Wilson Lie 

Dear Alan,

Thanks for your help. Maybe I should ask the question in another way.
Host B acted as both proxy/server.  for realm A , - proxy  to other server
for realm B -  process locally

When the auth-accept  is returned to proxy ( Host B) ,  it will process section
[post-auth]   in radiusd.conf  no matter what host B receive.

Q1. Any method such that host B won't goes into  [post-auth] when it is 
receiving result from another server ?

Q2. In case host B cannot bypass [post-auth]  when receiving  result from 
another server,  how can I define multiple
  sql section in [post-auth]  ?   As I cannot find any rule that I can set 
in [post-auth] such that it can  go to  [sql1]
  for realm A and [sql2] for realm B

Many thanks!

-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Friday, September 23, 2005 1:10 AM
To: FreeRadius users mailing list
Subject: Re: cannot return access accept from proxy to client 


Wilson Lie [EMAIL PROTECTED] wrote:
 But I'm afraid that you misunderstood the question.

  I understood it fine.  My response should have been clear.

 Yes, for normal Access-Accept if Host B act as server , the
 access-accept can be sent back to client

  The problem has NOTHING to do with host B or Access-Accept.

 But when access-accept is sent from host A -  Host B , from host B debug 
 log, it can be seen that
 as user-name is missing,  the [sql]  module cannot be run ,

  No, the SQL module *is* run, but it is telling you that the query
YOU CONFIGURED did not return any matches.

 freeradius return failed in [sql] 
 where [sql]  refers to post-auth query in this case and the statement 
 contains  User-name attribute 
 (e.g.  update xxx set xxx where username=attribute ) 

  The post-auth query is updating the SQL database with data from the
Access-Request packet.  If that Access-Request packet does not contain
a User-name, then the SQL query will not work.

  This has nothing to do with Access-Accept, or host A, or host B.

 So I would like to ask if any special handling  by freeradius in this case ? 

  I can't parse that sentence.

 As the post-auth [sql] section is configured in sql.conf  and it should be 
 same because only one post-auth query 
 can be configured.   

  You can configure multiple SQL modules, where one has a
postauth_query and the other does not.  See the documentation.

 Or user-name attribute can never be included  in the post-auth query in 
 this case ? ( i.e. Host B acts as both proxy and auth-server)

  It's up to YOU to decide that.  That's why the queries are
configurable.  If the queries aren't doing what you want, edit them.
If the server isn't doing what you want, edit the configuration files.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




(c) 2005 Interactive Technology Holdings Limited Group.
All rights reserved.

CONFIDENTIALITY: This communication and any attachment(s)
is intended solely for the person or organisation to which
it is addressed and it may be confidential.  This
communication may contain confidential or legally privileged
material and may not be copied, redistributed or published
(in whole or in part) without our prior written consent.
This communication may have been intercepted, partially
destroyed, arrive late, incomplete or contain viruses and no
liability is accepted by any member of the Interactive
Technology Holdings Limited Group as a result.  If you are
not the intended recipient, employee or agent responsible
for delivering the message to the intended recipient you
must not copy, disclose, distribute or take any action in
reliance on it.  If you have received this communication in
error, please immediately reply and highlight the error to
the sender immediately and destroy the original from your
computer.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: cannot return access accept from proxy to client

2005-09-22 Thread Wilson Lie 
Hi , Thanks for your help.  I'm not sure that I can tell the case clear enough.
But I'm afraid that you misunderstood the question.
 
Kindly help me again or correct me if I'm really wrong. 
 
  No.  FreeRADIUS doesn't care about User-Name's in Access-Accept.
Yes, for normal Access-Accept if Host B act as server ,  the access-accept can 
be sent back to client
But when access-accept is sent from host A -  Host B , from host B debug log, 
it can be seen that
as user-name is missing,  the [sql]  module cannot be run , freeradius return 
failed in [sql] 
where [sql]  refers to post-auth query in this case and the statement contains  
User-name attribute 
(e.g.  update xxx set xxx where username=attribute ) 
 
So I would like to ask if any special handling  by freeradius in this case ? 
As the post-auth [sql] section is configured in sql.conf  and it should be same 
because only one post-auth query 
can be configured.   
 
Or user-name attribute can never be included  in the post-auth query in this 
case ? ( i.e. Host B acts as both proxy and auth-server)
Many thanks!
 
 
 

 Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 3
radius_xlat:  
'/usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/reply-detail-20050921'
rlm_detail: 
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d 
expands to 
/usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/reply-detail-20050921
  modcall[post-auth]: module reply_log returns ok for request 3
rlm_sql (sql): Processing sql_postauth
radius_xlat:  ''
  modcall[post-auth]: module sql returns fail for request 3
modcall: group post-auth returns fail for request 3
Delaying request 3 for 1 seconds
Finished request 3
=

-Original Message- 
From: Alan DeKok [mailto:[EMAIL PROTECTED] 
Sent: 2005/9/22 [星期四] 下午 11:19 
To: FreeRadius users mailing list 
Cc: 
Subject: Re: cannot return access accept from proxy to client 



Wilson Lie [EMAIL PROTECTED] wrote:
 I suspect that the freeradius will return failed at once when
 username attribute is not found and because the username attribute
 won't be included in the access-accept' packet .

  No.  FreeRADIUS doesn't care about User-Name's in Access-Accept.

 The sql  can be executed successfully when host B acts as
 authentication server.=20

  Look at the differences between the two queries.  They ARE different.

 So  maybe I should ask can freeradius   be configured   as both
 authentication server  and proxy server at the same host ?

  Yes.  Many, many people have configured this successfully.  If your
site doesn't work, it's because something is going wrong in your local
config, and debug mode will tell you.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html






(c) 2005 Interactive Technology Holdings Limited Group.
All rights reserved.

CONFIDENTIALITY: This communication and any attachment(s)
is intended solely for the person or organisation to which
it is addressed and it may be confidential.  This
communication may contain confidential or legally privileged
material and may not be copied, redistributed or published
(in whole or in part) without our prior written consent.
This communication may have been intercepted, partially
destroyed, arrive late, incomplete or contain viruses and no
liability is accepted by any member of the Interactive
Technology Holdings Limited Group as a result.  If you are
not the intended recipient, employee or agent responsible
for delivering the message to the intended recipient you
must not copy, disclose, distribute or take any action in
reliance on it.  If you have received this communication in
error, please immediately reply and highlight the error to
the sender immediately and destroy the original from your
computer.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

cannot return access accept from proxy to client

2005-09-21 Thread Wilson Lie 



Hi 
all,

I encountered a 
problem during authentication request. Would you give me a hand 
?
Many 
thanks!

Configuration:
Host A 
(Radius server)
Host 
B( proxy all requests to host A )


Problem:
1) 
Access-Request is sent to Host B from client
2) Host B proxy 
request to Host A
3) Host A sends 
Access-Accept to Host B
4) Host B receive 
Access-Accept from Host A
5) 
Host B sends Access-Reject to client ( log 
message comes below)

*My question is how can I set radius such that it can send 
the access-accept to client ?

rad_recv: 
Access-Accept packet from host xxx.xxx.xxx.xxx:1812, id=3, 
length=156
Processing the 
authorize section of radiusd.confmodcall: entering group authorize for 
request 3 hints: Matched DEFAULT at 81 modcall[authorize]: 
module "preprocess" returns ok for request 3radius_xlat: 
'/usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/auth-detail-20050921'rlm_detail: 
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to 
/usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/auth-detail-20050921 
modcall[authorize]: module "auth_log" returns ok for request 
3 rlm_realm: Proxy reply, or no User-Name. 
Ignoring. modcall[authorize]: module "suffix" returns noop for request 
3 users: Matched entry DEFAULT at line 168 
modcall[authorize]: module "files" returns ok for request 3modcall: group 
authorize returns ok for request 3 rad_check_password: Found 
Auth-Type SQL rad_check_password: Auth-Type = Accept, accepting the 
userLogin OK: [EMAIL PROTECTED]/8F4Lf0T] (from client ivrs port 0 cli 
00-0C-41-2F-00-71) Processing the post-auth section of 
radiusd.confmodcall: entering group post-auth for request 
3radius_xlat: 
'/usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/reply-detail-20050921'rlm_detail: 
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d 
expands to 
/usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/reply-detail-20050921 
modcall[post-auth]: module "reply_log" returns ok for request 3rlm_sql 
(sql): Processing sql_postauthradius_xlat: '' 
modcall[post-auth]: module "sql" returns fail for request 3modcall: group 
post-auth returns fail for request 3Delaying request 3 for 1 
secondsFinished request 
3===


___(c) 2005 Interactive Technology Holdings Limited Group.All rights reserved.CONFIDENTIALITY: This communication and any attachment(s)is intended solely for the person or organisation to whichit is addressed and it may be confidential.  Thiscommunication may contain confidential or legally privilegedmaterial and may not be copied, redistributed or published(in whole or in part) without our prior written consent.This communication may have been intercepted, partiallydestroyed, arrive late, incomplete or contain viruses and noliability is accepted by any member of the InteractiveTechnology Holdings Limited Group as a result.  If you arenot the intended recipient, employee or agent responsiblefor delivering the message to the intended recipient youmust not copy, disclose, distribute or take any action inreliance on it.  If you have received this communication inerror, please immediately reply and highlight the error tothe sender immediately and destroy the original from yourcomputer.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: cannot return access accept from proxy to client

2005-09-21 Thread Wilson Lie 
Yes, as Host B is used as both proxy and also authentication server depending 
on the realm received.
 
When host B acts  as  a authentication server, the [sql] in post-auth is used 
to log some message for 
that particular username.
 
When host B acts as a proxy, the [sql] failed as the username from 
access-accept is missing.
 
Therefore, any method that can avoid the case such that [sql] won't be invoked 
when host B acts as a proxy ? 

-Original Message- 
From: Paolo Rotela [mailto:[EMAIL PROTECTED] 
Sent: 2005/9/21 [星期三] 下午 08:28 
To: FreeRadius users mailing list 
Cc: 
Subject: Re: cannot return access accept from proxy to client


Seeing your output, it says that it's failing because post-auth 
module is failing due to the fail of the sql module invoked. Lookup your 
radiusd.conf file, and see why you are using sql in post-auth, and see if this 
setup is correct.

- Original Message - 
From: Wilson Lie mailto:[EMAIL PROTECTED]  
To: freeradius-users@lists.freeradius.org 
Sent: Wednesday, September 21, 2005 5:58 AM
Subject: cannot return access accept from proxy to client

Hi all,
 
I encountered a problem during authentication request. Would 
you give me a hand ?
Many thanks!
 
Configuration:
Host A   ( Radius server)
Host B   ( proxy all requests to host A )
 
 
Problem:
1) Access-Request  is sent to  Host B from client
2) Host B proxy request to Host A
3) Host A sends Access-Accept  to Host B
4) Host B receive Access-Accept from Host A
5)   Host B sends Access-Reject   to  client( log message 
comes below)
 
*My question is how can I set radius such that it can send the 
access-accept to client ?

rad_recv: Access-Accept packet from host xxx.xxx.xxx.xxx:1812, 
id=3, length=156

Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  hints: Matched DEFAULT at 81
  modcall[authorize]: module preprocess returns ok for 
request 3
radius_xlat:  
'/usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/auth-detail-20050921'
rlm_detail: 
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to 
/usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/auth-detail-20050921
  modcall[authorize]: module auth_log returns ok for request 3
rlm_realm: Proxy reply, or no User-Name.  Ignoring.
  modcall[authorize]: module suffix returns noop for request 3
users: Matched entry DEFAULT at line 168
  modcall[authorize]: module files returns ok for request 3
modcall: group authorize returns ok for request 3
  rad_check_password:  Found Auth-Type SQL
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [EMAIL PROTECTED]/8F4Lf0T] (from client ivrs port 0 
cli 00-0C-41-2F-00-71)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 3
radius_xlat:  
'/usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/reply-detail-20050921'
rlm_detail: 
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d 
expands to 
/usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/reply-detail-20050921
  modcall[post-auth]: module reply_log returns ok for request 
3
rlm_sql (sql): Processing sql_postauth
radius_xlat:  ''
  modcall[post-auth]: module sql returns fail for request 3
modcall: group post-auth returns fail for request 3
Delaying request 3 for 1 seconds
Finished request 3

===
 
 
 

 
 
___
(c) 2005 Interactive Technology Holdings Limited Group.
All rights reserved.

CONFIDENTIALITY: This communication and any attachment(s)
is intended solely for the person or organisation to which
it is addressed and it may be confidential. This
communication may contain confidential

RE: cannot return access accept from proxy to client

2005-09-21 Thread Wilson Lie 




  Isuspect that the freeradius will return failed at once when 
  "username" attribute is not found
  and because the username attribute won't be included in the 
  "access-accept' packet . 
  
  The "sql" can be executed successfully when host B acts as 
  authentication server. 
  So maybe I should ask can freeradius be 
  configured as both authentication server and proxy 
  server at the same host ? 
  
  Hope someone can help on this. Many thanks!
  
  
  
  
  You should make the SQL query 
  so that it won't make an error when certainattributes are not present or 
  empty.See the example sql.conf file.Turn sql traces on and run in 
  debug mode to see what queries are done.Check why they are failing and 
  correct the queries.--Groeten, Regards, 
Salutations,___(c) 2005 Interactive Technology Holdings Limited Group.All rights reserved.CONFIDENTIALITY: This communication and any attachment(s)is intended solely for the person or organisation to whichit is addressed and it may be confidential.  Thiscommunication may contain confidential or legally privilegedmaterial and may not be copied, redistributed or published(in whole or in part) without our prior written consent.This communication may have been intercepted, partiallydestroyed, arrive late, incomplete or contain viruses and noliability is accepted by any member of the InteractiveTechnology Holdings Limited Group as a result.  If you arenot the intended recipient, employee or agent responsiblefor delivering the message to the intended recipient youmust not copy, disclose, distribute or take any action inreliance on it.  If you have received this communication inerror, please immediately reply and highlight the error tothe sender immediately and destroy the original from yourcomputer.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html