proxy setup questions
freeradius version: 1.0.1 (Centos4)

I have the need to proxy requests based on @domain.com to different radius servers. I thought this would be fairly simple after reading proxy.conf, but I must be missing something!

Here's the relevant portion of my proxy.conf:

    realm test.com {
        type = radius
        authhost = 10.19.3.8:1812
        accthost = LOCAL
        secret = testing123
    }

    realm test2.com {
        type = radius
        authost = 10.19.3.9:1812
        accthost = LOCAL
        secret = testing123
    }

When testing via radtest using t...@test.com the expected behavior happens - I see the request proxied to 1.1.1.1:

    SNIP
    rad_recv: Access-Request packet from host 127.0.0.1:53468, id=229, length=65
        User-Name = t...@test.com
        User-Password = test
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 123
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 0
    modcall[authorize]: module preprocess returns ok for request 0
    modcall[authorize]: module chap returns noop for request 0
    rlm_realm: Looking up realm test.com for User-Name = t...@test.com
    rlm_realm: Found realm test.com
    rlm_realm: Adding Stripped-User-Name = test
    rlm_realm: Proxying request from user test to realm test.com
    rlm_realm: Adding Realm = test.com
    rlm_realm: Preparing to proxy authentication request to realm test.com
    SNIP
    Sending Access-Request of id 0 to 10.19.3.8:1812
        User-Name = test
        User-Password = test
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 123
        Proxy-State = 0x323239

Great!

Now I try it with t...@test2.com:

    rad_recv: Access-Request packet from host 127.0.0.1:53482, id=7, length=66
        User-Name = t...@test2.com
        User-Password = test
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 123
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 0
    modcall[authorize]: module preprocess returns ok for request 0
    modcall[authorize]: module chap returns noop for request 0
    rlm_realm: Looking up realm test2.com for User-Name = t...@test2.com
    rlm_realm: Found realm test2.com
    rlm_realm: Adding Stripped-User-Name = test
    rlm_realm: Proxying request from user test to realm test2.com
    rlm_realm: Adding Realm = test2.com
    rlm_realm: Authentication realm is LOCAL.
    modcall[authorize]: module suffix returns noop for request 0

Why would it make the Authentication realm LOCAL? If I move the realm test2.com above test.com in proxy.conf then test2.com works, test.com doesn't.

Can someone point me in the right direction? I've read the included doc/proxy, proxy.conf, and the online wiki sections on proxy. It seems so simple, yet I can't seem to figure it out!

Thanks in advance.

-dallas

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: proxy setup questions
Dallas Helquist dal...@oldbrownjeep.net wrote:
> freeradius version: 1.0.1 (Centos4)

http://freeradius.org/getting.html

2004, a fine vintage...

Cheers

--
Alexander Clouter
.sigmonster says: Sex is like air. It's only a big deal if you can't get any.
Re: proxy setup questions
On 2/4/09 19:22, Alexander Clouter wrote:
> Dallas Helquist dal...@oldbrownjeep.net wrote:
>> freeradius version: 1.0.1 (Centos4)
>
> http://freeradius.org/getting.html
>
> 2004, a fine vintage...
>
> Cheers

You know a guy at NW was making a good point when he said that a lot of the enterprise Linux stuff runs with packages of software *years* out of date, and how it was annoying that users on the FR list would only shout UPGRADE when presented with a version anything older than the latest point release.

But hell if you can't figure out how to set up a compiler and build the thing from source, should you really be managing such a complex bit of software :).

--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
Re: proxy setup questions
Alexander Clouter wrote:
> Dallas Helquist dal...@oldbrownjeep.net wrote:
>> freeradius version: 1.0.1 (Centos4)
>
> http://freeradius.org/getting.html
>
> 2004, a fine vintage...

Agreed, but I try to avoid using packages not included with whatever distribution a machine is running. Not opposed to using src when necessary, makes it more of a pita to maintain long term for me.

Does anyone know for sure whether proxy is borked in the 1.0.1 (Redhat EL 4/Centos 4)? I can't find any conclusive searches saying it is..so I'm more inclined to think I've screwed up something somewhere!

-dallas

SNIP
Re: proxy setup questions
Arran Cudbard-Bell wrote:
> You know a guy at NW was making a good point when he said that a lot of the enterprise Linux stuff runs with packages of software *years* out of date, and how it was annoying that users on the FR list would only shout UPGRADE when presented with a version anything older than the latest point release.

Tough. If he's chosen to run software that's no longer supported, that's his problem. If he's buying support for an enterprise Linux distribution then THEY can support the old version of the server.

If he's willing to pay, he can click on the support link on freeradius.org. Otherwise... upgrade.

> But hell if you can't figure out how to set up a compiler and build the thing from source, should you really be managing such a complex bit of software :).

The official story for not upgrading is usually either lack of support, or consistency of the system. The responses are:

a) Great! Buy support from someone (OS vendor, etc.) If not, good luck getting the problem fixed.

b) Live with a system that's consistent, but doesn't do what you want, and isn't supported.

Alan DeKok.
Re: proxy setup questions
Dallas Helquist wrote:
> Agreed, but I try to avoid using packages not included with whatever distribution a machine is running. Not opposed to using src when necessary, makes it more of a pita to maintain long term for me.

Huh? The server comes with sample spec files. You can create your own packages, and install those.

> Does anyone know for sure whether proxy is borked in the 1.0.1 (Redhat EL 4/Centos 4)? I can't find any conclusive searches saying it is..so I'm more inclined to think I've screwed up something somewhere!

Proxying works in 1.0.1.

Alan DeKok.
Re: proxy setup questions
Hi,

> Here's the relevant portion of my proxy.conf:

although old, proxying works in 1.0.1. the bit that doesn't work here is when you say 'relevant portion' - no, it's not the relevant portion at all - you've got something else going on in proxy.conf

please supply the whole file - I don't care if you obfuscate IP addresses, realms and secrets.

alan
Re: proxy setup questions
> Dallas Helquist wrote:
>> Agreed, but I try to avoid using packages not included with whatever distribution a machine is running. Not opposed to using src when necessary, makes it more of a pita to maintain long term for me.
>
> Huh? The server comes with sample spec files. You can create your own packages, and install those.

http://wiki.freeradius.org/Red_Hat_FAQ#How_to_build_an_SRPM

Ivan Kalik
Kalik Informatika ISP
Re: proxy setup questions
a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> Here's the relevant portion of my proxy.conf:
>
> although old, proxying works in 1.0.1. the bit that doesn't work here is when you say 'relevant portion' - no, it's not the relevant portion at all - you've got something else going on in proxy.conf
>
> please supply the whole file - I don't care if you obfuscate IP addresses, realms and secrets.

Here is the full proxy.conf file. A few minor changes from what I posted earlier (realm names changed, accthost changed).

    ## begin proxy.conf
    proxy server {
        synchronous = yes
        retry_delay = 5
        retry_count = 3
        dead_time = 60
        default_fallback = no
        post_proxy_authorize = yes
    }

    realm test.com {
        type = radius
        authhost = 10.19.3.8:1812
        accthost = 10.19.3.8:1813
        secret = testing123
    }

    realm blah.com {
        type = radius
        authost = 10.19.3.9:1812
        accthost = 10.19.3.9:1813
        secret = testing123
    }

    realm LOCAL {
        type= radius
        authhost= LOCAL
        accthost= LOCAL
    }
    ## end proxy.conf

> alan
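
In the posted file the `blah.com` realm spells its authentication key `authost`, while `test.com` spells it `authhost`. The check below is an added example, not part of the thread and not FreeRADIUS code: it parses the `realm` blocks of a proxy.conf in this layout and reports keys outside an expected set and realms with no `authhost`. The expected key set is an assumption taken from the keys the posted file uses, and the function names are hypothetical.

```python
import re

# Assumption: expected keys are only those the posted proxy.conf uses,
# not a complete list of what FreeRADIUS accepts in a realm block.
EXPECTED_REALM_KEYS = {"type", "authhost", "accthost", "secret"}

# Constructed sample: the realm blocks copied from the posted proxy.conf.
SAMPLE_PROXY_CONF = """
realm test.com {
    type = radius
    authhost = 10.19.3.8:1812
    accthost = 10.19.3.8:1813
    secret = testing123
}
realm blah.com {
    type = radius
    authost = 10.19.3.9:1812
    accthost = 10.19.3.9:1813
    secret = testing123
}
realm LOCAL {
    type= radius
    authhost= LOCAL
    accthost= LOCAL
}
"""

BLOCK_RE = re.compile(r"^\s*realm\s+(\S+)\s*\{(.*?)^\s*\}", re.S | re.M)
PAIR_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(\S+)", re.M)

def parse_realms(text):
    """Return {realm_name: {key: value}} for every realm block."""
    text = re.sub(r"#.*", "", text)  # drop comments before matching
    return {name: dict(PAIR_RE.findall(body)) for name, body in BLOCK_RE.findall(text)}

def lint_realms(text):
    """Return sorted (realm, problem) tuples for suspicious realm blocks."""
    findings = []
    for name, keys in parse_realms(text).items():
        for key in sorted(set(keys) - EXPECTED_REALM_KEYS):
            findings.append((name, f"unknown key '{key}'"))
        if "authhost" not in keys:
            findings.append((name, "no authhost set"))
    return sorted(findings)

if __name__ == "__main__":
    for realm, problem in lint_realms(SAMPLE_PROXY_CONF):
        print(f"realm {realm}: {problem}")
```
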