proxy setup questions

2009-04-02 Thread Dallas Helquist
freeradius version: 1.0.1 (Centos4)

I have the need to proxy requests based on @domain.com to different
radius servers.  I thought this would be fairly simple after reading
proxy.conf, but I must be missing something!

Here's the relevant portion of my proxy.conf:

realm test.com {
type = radius
authhost = 10.19.3.8:1812
accthost = LOCAL
secret = testing123
}

realm test2.com {
type = radius
authost = 10.19.3.9:1812
accthost = LOCAL
secret = testing123
}

When testing via radtest using t...@test.com the expected behavior
happens - I see the request proxied to 1.1.1.1:

SNIP
rad_recv: Access-Request packet from host 127.0.0.1:53468, id=229, length=65
User-Name = t...@test.com
User-Password = test
NAS-IP-Address = 255.255.255.255
NAS-Port = 123
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
rlm_realm: Looking up realm test.com for User-Name = t...@test.com
rlm_realm: Found realm test.com
rlm_realm: Adding Stripped-User-Name = test
rlm_realm: Proxying request from user test to realm test.com
rlm_realm: Adding Realm = test.com
rlm_realm: Preparing to proxy authentication request to realm test.com
SNIP
Sending Access-Request of id 0 to 10.19.3.8:1812
User-Name = test
User-Password = test
NAS-IP-Address = 255.255.255.255
NAS-Port = 123
Proxy-State = 0x323239

Great!

Now I try it with t...@test2.com:

rad_recv: Access-Request packet from host 127.0.0.1:53482, id=7, length=66
User-Name = t...@test2.com
User-Password = test
NAS-IP-Address = 255.255.255.255
NAS-Port = 123
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
rlm_realm: Looking up realm test2.com for User-Name = t...@test2.com
rlm_realm: Found realm test2.com
rlm_realm: Adding Stripped-User-Name = test
rlm_realm: Proxying request from user test to realm test2.com
rlm_realm: Adding Realm = test2.com
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 0

Why would it make the Authentication realm LOCAL?  If I move the realm
test2.com above test.com in proxy.conf then test2.com works & test.com
doesn't.

Can someone point me in the right direction?  I've read included
doc/proxy, proxy.conf & the online wiki sections on proxy.  It seems so
simple, yet I can't seem to figure it out!

Thanks in advance.

-dallas
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: proxy setup questions

2009-04-02 Thread Alexander Clouter
Dallas Helquist dal...@oldbrownjeep.net wrote:

> freeradius version: 1.0.1 (Centos4)

http://freeradius.org/getting.html

2004, a fine vintage...

Cheers

-- 
Alexander Clouter
.sigmonster says: Sex is like air.  It's only a big deal if you can't get any.



Re: proxy setup questions

2009-04-02 Thread Arran Cudbard-Bell

On 2/4/09 19:22, Alexander Clouter wrote:

> Dallas Helquist dal...@oldbrownjeep.net wrote:
>
>> freeradius version: 1.0.1 (Centos4)
>
> http://freeradius.org/getting.html
>
> 2004, a fine vintage...
>
> Cheers

You know a guy at NW was making a good point when he said that a lot of 
the enterprise Linux stuff runs with packages of software *years* out of 
date, and how it was annoying that users on the FR list would only shout 
UPGRADE when presented with a version anything older than the latest 
point release.


But hell if you can't figure out how to set up a compiler and build the 
thing from source, should you really be managing such a complex bit of 
software :).


--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2


Re: proxy setup questions

2009-04-02 Thread Dallas Helquist
Alexander Clouter wrote:
> Dallas Helquist dal...@oldbrownjeep.net wrote:
>> freeradius version: 1.0.1 (Centos4)
>
> http://freeradius.org/getting.html
>
> 2004, a fine vintage...

Agreed, but I try to avoid using packages not included with whatever
distribution a machine is running.  Not opposed to using src when
necessary, makes it more of a pita to maintain long term for me.

Does anyone know for sure whether proxy is borked in the 1.0.1 (Redhat
EL 4/Centos 4)?  I can't find any conclusive searches saying it is..so
I'm more inclined to think I've screwed up something somewhere!

-dallas

SNIP


Re: proxy setup questions

2009-04-02 Thread Alan DeKok
Arran Cudbard-Bell wrote:
> You know a guy at NW was making a good point when he said that a lot of
> the enterprise Linux stuff runs with packages of software *years* out of
> date, and how it was annoying that users on the FR list would only shout
> UPGRADE when presented with a version anything older than the latest
> point release.

  Tough.  If he's chosen to run software that's no longer supported,
that's his problem.

  If he's buying support for an enterprise Linux distribution then
THEY can support the old version of the server.  If he's willing to pay,
he can click on the support link on freeradius.org.

  Otherwise... upgrade.

> But hell if you can't figure out how to set up a compiler and build the
> thing from source, should you really be managing such a complex bit of
> software :).

  The official story for not upgrading is usually either lack of
support, or consistency of the system.  The responses are:

  a) Great!  Buy support from someone (OS vendor, etc.)
 If not, good luck getting the problem fixed.

  b) Live with a system that's consistent, but doesn't do what you want,
and isn't supported.

  Alan DeKok.


Re: proxy setup questions

2009-04-02 Thread Alan DeKok
Dallas Helquist wrote:
> Agreed, but I try to avoid using packages not included with whatever
> distribution a machine is running.  Not opposed to using src when
> necessary, makes it more of a pita to maintain long term for me.

  Huh?  The server comes with sample spec files.  You can create your
own packages, and install those.

> Does anyone know for sure whether proxy is borked in the 1.0.1 (Redhat
> EL 4/Centos 4)?  I can't find any conclusive searches saying it is..so
> I'm more inclined to think I've screwed up something somewhere!

  Proxying works in 1.0.1.

  Alan DeKok.


Re: proxy setup questions

2009-04-02 Thread A . L . M . Buxey
Hi,

> Here's the relevant portion of my proxy.conf:

although old, proxying works in 1.0.1.

the bit that doesn't work here is when you say
'relevant portion' - no, it's not the relevant portion
at all - you've got something else going on in proxy.conf
please supply the whole file - I don't care if you obfuscate
IP addresses, realms and secrets.

alan


Re: proxy setup questions

2009-04-02 Thread tnt
> Dallas Helquist wrote:
>> Agreed, but I try to avoid using packages not included with whatever
>> distribution a machine is running.  Not opposed to using src when
>> necessary, makes it more of a pita to maintain long term for me.
>
>   Huh?  The server comes with sample spec files.  You can create your
> own packages, and install those.


http://wiki.freeradius.org/Red_Hat_FAQ#How_to_build_an_SRPM

Ivan Kalik
Kalik Informatika ISP



Re: proxy setup questions

2009-04-02 Thread Dallas Helquist
a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> Here's the relevant portion of my proxy.conf:
>
> although old, proxying works in 1.0.1.
>
> the bit that doesn't work here is when you say
> 'relevant portion' - no, it's not the relevant portion
> at all - you've got something else going on in proxy.conf
> please supply the whole file - I don't care if you obfuscate
> IP addresses, realms and secrets.

Here is the full proxy.conf file.  A few minor changes from what I
posted earlier (realm names changed, accthost changed).

## begin proxy.conf
proxy server {
synchronous = yes
retry_delay = 5
retry_count = 3
dead_time = 60
default_fallback = no
post_proxy_authorize = yes
}


realm test.com {
type = radius
authhost = 10.19.3.8:1812
accthost = 10.19.3.8:1813
secret = testing123
}

realm blah.com {
type = radius
authost = 10.19.3.9:1812
accthost = 10.19.3.9:1813
secret = testing123
}

realm LOCAL {
type= radius
authhost= LOCAL
accthost= LOCAL
}

## end proxy.conf
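An added example, not part of the thread and not FreeRADIUS code: in the proxy.conf posted above, the second realm block spells its key `authost` where the first uses `authhost`. This Python linter flags realm keys outside a known set and realms left without an `authhost` entry; the key set (taken from the keys seen in this thread) and the sample input (modelled on the posted file) are assumptions constructed for illustration.

```python
import difflib
import re

# Assumption: key set taken from the realm blocks quoted in this thread,
# not the complete list FreeRADIUS accepts.
KNOWN_REALM_KEYS = ("type", "authhost", "accthost", "secret")
REALM_OPEN = re.compile(r"^realm\s+(\S+)\s*\{$")
ITEM = re.compile(r"^([A-Za-z_][\w-]*)\s*=")

# Constructed sample, modelled on the proxy.conf posted in the thread.
SAMPLE = """\
realm test.com {
    type = radius
    authhost = 10.19.3.8:1812
    accthost = 10.19.3.8:1813
    secret = testing123
}
realm blah.com {
    type = radius
    authost = 10.19.3.9:1812
    accthost = 10.19.3.9:1813
    secret = testing123
}
"""

def lint_realms(text):
    """Return (line_no, realm, message) for every suspicious realm entry."""
    findings, realm, seen, opened = [], None, set(), 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        m = REALM_OPEN.match(line)
        if realm is None:                      # outside a realm block
            if m:
                realm, seen, opened = m.group(1), set(), no
        elif line == "}":                      # realm block closes
            if "authhost" not in seen:
                findings.append((opened, realm, "no authhost set"))
            realm = None
        elif (item := ITEM.match(line)):
            key = item.group(1)
            seen.add(key)
            if key not in KNOWN_REALM_KEYS:
                near = difflib.get_close_matches(key, KNOWN_REALM_KEYS, n=1)
                hint = f", closest known key '{near[0]}'" if near else ""
                findings.append((no, realm, f"unknown key '{key}'{hint}"))
    return findings

if __name__ == "__main__":
    for no, realm, msg in lint_realms(SAMPLE):
        print(f"line {no}: realm {realm}: {msg}")
```

Sections other than `realm` blocks, such as `proxy server { ... }`, are skipped, so the whole file can be passed in.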