Multiple Authentication REALMS - I hope in Plain Text

Multiple Authentication REALMS - I hope in Plain Text

Shepherd, Dave
Hi,

  It's been a long time, as the freeRADIUS software I've been using for
the last 3 years hasn't needed looking at since installation.

  So a big thank you to the development team :-)

  However, as with most things it's so good I've now got to redesign and
re-implement to encompass more of our infrastructure, and I'm having
problems.

  I have a number of settings in the _users_ file that are based on the
_Called_Station_ID_ then proxy the requests to a specified REALM.

  i.e.

     DEFAULT     Called-Station-Id == "<a telephone number>", Proxy-To-Realm := "NULL"
                Fall-Through = Yes

     DEFAULT    Called-Station-Id == "<another telephone number>", Proxy-To-Realm := "NULL"
                Fall-Through = Yes

     DEFAULT    Called-Station-Id == "<yet another number>", Proxy-To-Realm := "SPECIAL"
                Fall-Through = Yes

Now, the NULL realm is defined in the proxy.conf file as:

    realm NULL {
        type    = radius
        authhost        = radiusserver.some.domain:1645
        accthost        = radiusserver.some.domain:1646
        Secret  = radiussecret
      }

This works and actually points to a MS IAS server going against an NT4
Domain.

Now I need to authenticate a different set of users (who dial a
different number) against an LDAP repository, so as you can see from my
_users_ file I direct them at the "SPECIAL" realm, which I have set as
follows in proxy.conf:

    realm SPECIAL {
        type    = radius
        authhost        = LOCAL
        accthost        = LOCAL
    }

My plan was for this to then use the local radius server, which has an
_ldap_ module configured, which from what I can make out is working:

    ldap {
        server = "127.0.0.1"
        basedn = "dc=some,dc=domain,dc=co,dc=uk"
        filter = "(uid=%u)"
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }

And then in the authorize and authenticate sections simply include
_ldap_

    authorize {
        preprocess
        chap
        eap
        ldap
        files
        mschap
    }
    authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type {
                mschap
        }
        unix
        ldap
        eap
    }

Now all I see when using NTRadping, and sending the additional
_Called_Station_Id_ attribute set to the required number is the
following in my _radius.log_

    Error: Dropping packet from client Dave_Test:2328 - ID: 2 due to dead request 5018

When I run the radiusd with the -X flag (bearing in mind it's a
Production Service) I can make out the call being made to my LDAP server
and a "rlm_ldap authorize", but then the request just finishes without
giving me an Access-Accept packet, and the relevant settings from the
_radreply_ table in the Postgres Database?

rad_recv: Access-Request packet from host xx.xx.xx.xx:2796, id=4, length=62
        User-Name = "unextest20"
        User-Password = "nexus"
        Called-Station-Id = "xxxxxxxxxx"
rad_lowerpair:  User-Name now 'unextest20'
modcall: entering group authorize for request 14
  modcall[authorize]: module "preprocess" returns ok for request 14
  modcall[authorize]: module "chap" returns noop for request 14
  modcall[authorize]: module "eap" returns noop for request 14
    rlm_realm: No '@' in User-Name = "unextest20", looking up realm NULL
    rlm_realm: Found realm "NULL"
    rlm_realm: Adding Stripped-User-Name = "unextest20"
    rlm_realm: Proxying request from user unextest20 to realm NULL
    rlm_realm: Adding Realm = "NULL"
    rlm_realm: Preparing to proxy authentication request to realm "NULL"

  modcall[authorize]: module "suffix" returns updated for request 14
radius_xlat:  'unextest20'
rlm_sql (sql): sql_set_user escaped user --> 'unextest20'
radius_xlat:  'SELECT id, UserName, Attribute, Value, Op ??FROM radcheck ??WHERE Username = 'unextest20' ??ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 8
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op ??FROM radcheck ??WHERE Username = 'unextest20' ??ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat:  'SELECT radgroupcheck.id, radgroupcheck.GroupName, ??radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op ??FROM radgroupcheck, usergroup ??WHERE usergroup.Username = 'unextest20' AND usergroup.GroupName = radgroupcheck.GroupName ??ORDER BY radgroupcheck.id'
rlm_sql_postgresql: query: SELECT radgroupcheck.id, radgroupcheck.GroupName, ??radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op ??FROM radgroupcheck, usergroup ??WHERE usergroup.Username = 'unextest20' AND usergroup.GroupName = radgroupcheck.GroupName ??ORDER BY radgroupcheck.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat:  'SELECT id, UserName, Attribute, Value, Op ??FROM radreply ??WHERE Username = 'unextest20' ??ORDER BY id'
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op ??FROM radreply ??WHERE Username = 'unextest20' ??ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat:  'SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, ??radgroupreply.Value, radgroupreply.Op ??FROM radgroupreply,usergroup ??WHERE usergroup.Username = 'unextest20' AND usergroup.GroupName = radgroupreply.GroupName ??ORDER BY radgroupreply.id'
rlm_sql_postgresql: query: SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, ??radgroupreply.Value, radgroupreply.Op ??FROM radgroupreply,usergroup ??WHERE usergroup.Username = 'unextest20' AND usergroup.GroupName = radgroupreply.GroupName ??ORDER BY radgroupreply.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
rlm_sql (sql): Released sql socket id: 8
  modcall[authorize]: module "sql" returns ok for request 14
rlm_ldap: - authorize
rlm_ldap: performing user authorization for unextest20
radius_xlat:  '(uid=unextest20)'
radius_xlat:  'dc=some,dc=domain,dc=co,dc=uk'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=some,dc=domain,dc=co,dc=uk, with filter (uid=unextest20)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user unextest20 authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 14
    users: Matched DEFAULT at 90
  modcall[authorize]: module "files" returns ok for request 14
  modcall[authorize]: module "mschap" returns noop for request 14
modcall: group authorize returns updated for request 14
Finished request 14

I'm kinda lost and going round in circles at the minute.

If one of you guys has had to do something similar, or can see any
glaring omissions in my config (which I seem to think there is) could
you please point me in the right direction.

TIA

Dave Shepherd

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Multiple Authentication REALMS - I hope in Plain Text

Shawn K. O'Shea
From what you've provided, I believe what is happening is that your
requests that you *want* to go to local LDAP are still being proxied to
your IAS server, and for some reason IAS isn't sending an Access-Reject
so you get that error about a "dead request".

Realm "NULL" is a special realm that means "there is no realm as part of
the username as per any definitions of the realm module in
radiusd.conf". It appears from your debug output that you have the realm
for @ defined (suffix realm, anything after an @ symbol is the realm).
Since your new Called-Station-Id still has a user with no realm, it's
proxied to NULL as your debug shows:

    rlm_realm: No '@' in User-Name = "unextest20", looking up realm NULL
    rlm_realm: Found realm "NULL"
    rlm_realm: Adding Stripped-User-Name = "unextest20"
    rlm_realm: Proxying request from user unextest20 to realm NULL
    rlm_realm: Adding Realm = "NULL"
    rlm_realm: Preparing to proxy authentication request to realm "NULL"

I *believe* the behaviour you truly want is something more like this:

     DEFAULT     Called-Station-Id == "<a telephone number>",Proxy-To-Realm := "msias"
                Fall-Through = Yes

     DEFAULT    Called-Station-Id == "<another telephone number>",Proxy-To-Realm := "msias"
                Fall-Through = Yes

     DEFAULT    Called-Station-Id == "<yet another number>",Proxy-To-Realm := "localldap"
                Fall-Through = Yes

And in proxy.conf:

    realm msias {
        type    = radius
        authhost        = radiusserver.some.domain:1645
        accthost        = radiusserver.some.domain:1646
        Secret  = radiussecret
    }

    realm localldap {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
    }

Also, I'd just make sure what line in your users file is being matched.
Your debug output says a DEFAULT entry at line 90.

Check your IAS event log to see if it's getting proxied requests. I
usually run radiusd with -Xxx for extra debugging; when a request gets
proxied, you should see something like this:

Fri Jun 10 15:02:47 2005 : Debug:  proxy: creating 0d02a8c0:1812
Fri Jun 10 15:02:47 2005 : Debug:  proxy: allocating 0d02a8c0:1812 0
Sending Access-Request of id 0 to a.b.c.d:1812

And a list of attributes.

Hope this helps.

-Shawn
~~~~~~~~~~~~~~~~~~~~~~~~~
Shawn O'Shea
Network Engineer
Airpath Wireless, Inc.
"Clearing the Way"
781-250-3500-office
781-250-3535-direct
781-250-3503-fax
[hidden email]
http://www.airpath.com
~~~~~~~~~~~~~~~~~~~~~~~~~
 

Re: Multiple Authentication REALMS - I hope in Plain Text

Alan DeKok
In reply to this post by Shepherd, Dave
"Shepherd, Dave" <[hidden email]> wrote:
>     realm SPECIAL {
>         type    = radius
>         authhost        = LOCAL
>         accthost        = LOCAL
>     }

  In the latest versions, this is realm "LOCAL", but that doesn't make
too much difference.

>         Auth-Type {
>                 mschap
>         }

  Are you sure?  How about "Auth-Type mschap {" ...

> modcall: group authorize returns updated for request 14
> Finished request 14

  Hmm... something is marking the request as done, without calling the
"authenticate" section.  I have no idea why, and I don't recall ever
seeing anything like that.

> If one of you guys has had to do something similar, or can see any
> glaring omissions in my config (which I seem to think there is) could
> you please point me in the right direction.

  As always, start with the default configuration: it works.

  Then, gradually add your edits, testing after every edit, to be sure
that it still works.  Once you're done, you should have your local
configuration, and it should still work.

  Alan DeKok.

RE: Multiple Authentication REALMS - I hope in Plain Text

Shepherd, Dave
In reply to this post by Shepherd, Dave
Alan,

   Thanks for the advice;

        "As always, start with the default configuration: it works"

   As I've now got it working for my standard config.

   However, I still seem to be getting the request marked as complete
after the authorize section:-

Thread 1 handling request 0, (1 handled so far)
Waking up in 5 seconds...
        User-Name = "unextest20"
        User-Password = "*****"
        Called-Station-Id = "**********"
rad_lowerpair:  User-Name now 'unextest20'
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
    users: Matched DEFAULT at 21
  modcall[authorize]: module "files" returns ok for request 0
radius_xlat:  'unextest20'
rlm_sql (sql): sql_set_user escaped user --> 'unextest20'
radius_xlat:  'SELECT id, UserName, Attribute, Value, Op ??FROM radcheck ??WHERE Username = 'unextest20' ??ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 9
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op ??FROM radcheck ??WHERE Username = 'unextest20' ??ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat:  'SELECT radgroupcheck.id, radgroupcheck.GroupName, ??radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op ??FROM radgroupcheck, usergroup ??WHERE usergroup.Username = 'unextest20' AND usergroup.GroupName = radgroupcheck.GroupName ??ORDER BY radgroupcheck.id'
rlm_sql_postgresql: query: SELECT radgroupcheck.id, radgroupcheck.GroupName, ??radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op ??FROM radgroupcheck, usergroup ??WHERE usergroup.Username = 'unextest20' AND usergroup.GroupName = radgroupcheck.GroupName ??ORDER BY radgroupcheck.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat:  'SELECT id, UserName, Attribute, Value, Op ??FROM radreply ??WHERE Username = 'unextest20' ??ORDER BY id'
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op ??FROM radreply ??WHERE Username = 'unextest20' ??ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat:  'SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, ??radgroupreply.Value, radgroupreply.Op ??FROM radgroupreply,usergroup ??WHERE usergroup.Username = 'unextest20' AND usergroup.GroupName = radgroupreply.GroupName ??ORDER BY radgroupreply.id'
rlm_sql_postgresql: query: SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, ??radgroupreply.Value, radgroupreply.Op ??FROM radgroupreply,usergroup ??WHERE usergroup.Username = 'unextest20' AND usergroup.GroupName = radgroupreply.GroupName ??ORDER BY radgroupreply.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
rlm_sql (sql): Released sql socket id: 9
  modcall[authorize]: module "sql" returns ok for request 0
modcall: group authorize returns ok for request 0
Finished request 0

This only occurs when I match the following in my users file:

# NexUS RAS
DEFAULT Called-Station-Id == "********", Proxy-To-Realm := "sloxldap"
        Fall-Through = No

If I match on my other statements, the user authenticates as expected.

Any thoughts as to why this might be happening?

I'm on version 0.9.3.

TIA

Dave Shepherd


Re: Multiple Authentication REALMS - I hope in Plain Text

Alan DeKok
"Shepherd, Dave" <[hidden email]> wrote:
>    As I've now got it working for my standard config.

  Good.

>    However, I still seem to be getting the request marked as complete
> after the authorize section:-
...
> This only occurs when I match the following in my users file:
>
> # NexUS RAS
> DEFAULT Called-Station-Id == "********", Proxy-To-Realm := "sloxldap"
>         Fall-Through = No
>
> If I match on my other statements, the user authenticates as expected.

  Do you have proxying turned off?

> I'm on version 0.9.3.

  Bleah.  You should really upgrade.

  Alan DeKok.

RE: Multiple Authentication REALMS - I hope in Plain Text

Shepherd, Dave
In reply to this post by Shepherd, Dave
OK, got it working.

I removed the "Proxy-To-Realm" attribute, and set Auth-Type = ldap. I
assume because I'm actually going against the local RADIUS server that I
don't need to proxy.

Wood for trees scenario.

On upgrading, I'd love to but I run a supported SLES8 server, and it's
already got a custom 0.9.3 install, as base is only 0.5 !!! in fact even
SLES9 only has 0.9.3. Maybe I need a chat with SuSE/Novell and ask them
to release updates to freeRADIUS on a more regular basis......

Thanks for the help. :-)

Dave Shepherd
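
The symptom chased through this thread, a request that reaches "Finished request N" straight after the authorize group with no authenticate group and no packet sent, can be flagged mechanically in radiusd debug output. The script below is an added example, not part of the original thread or of FreeRADIUS; its names are hypothetical, the first two sample requests are abridged from the logs quoted above, and the third is constructed. It assumes lines without a request number belong to the most recently entered request.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Line formats as quoted in the thread's debug output.
ENTER = re.compile(r"^modcall: entering group (\S+) for request (\d+)")
FINISH = re.compile(r"^Finished request (\d+)")
PROXY = re.compile(r'^rlm_realm: Preparing to proxy authentication request to realm "([^"]*)"')
USERS = re.compile(r"^users: Matched \S+ at (\d+)")
SEND = re.compile(r"^Sending (Access-[A-Za-z]+) of id \d+")


@dataclass
class RequestTrace:
    number: int
    groups: List[str] = field(default_factory=list)
    proxy_realm: Optional[str] = None
    users_lines: List[int] = field(default_factory=list)
    sent: List[str] = field(default_factory=list)

    def verdict(self) -> str:
        if any(p != "Access-Request" for p in self.sent):
            return "reply sent"
        if "Access-Request" in self.sent:
            return "proxied to home server"
        # Assumption: the authenticate phase is logged as group
        # "authenticate" or "Auth-Type", depending on server version.
        if any(g in ("authenticate", "Auth-Type") for g in self.groups):
            return "authenticate ran, no reply seen"
        if self.proxy_realm is not None:
            return "stalled: proxy prepared, nothing sent"
        return "stalled: no authenticate, no proxy"


def analyze(lines: Iterable[str]) -> List[RequestTrace]:
    """Return one RequestTrace per 'Finished request N' line, in log order."""
    open_requests = {}
    current = None  # trace that un-numbered lines are attributed to
    finished = []
    for raw in lines:
        line = raw.strip()
        if m := ENTER.match(line):
            number = int(m.group(2))
            current = open_requests.setdefault(number, RequestTrace(number))
            current.groups.append(m.group(1))
        elif m := FINISH.match(line):
            number = int(m.group(1))
            finished.append(open_requests.pop(number, RequestTrace(number)))
            current = None
        elif current is None:
            continue
        elif m := PROXY.match(line):
            current.proxy_realm = m.group(1)
        elif m := USERS.match(line):
            current.users_lines.append(int(m.group(1)))
        elif m := SEND.match(line):
            current.sent.append(m.group(1))
    return finished


# Requests 14 and 0 are abridged from the thread; request 1 is constructed.
SAMPLE_LOG = """\
modcall: entering group authorize for request 14
    rlm_realm: Preparing to proxy authentication request to realm "NULL"
  modcall[authorize]: module "suffix" returns updated for request 14
    users: Matched DEFAULT at 90
modcall: group authorize returns updated for request 14
Finished request 14
modcall: entering group authorize for request 0
    users: Matched DEFAULT at 21
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
Finished request 0
modcall: entering group authorize for request 1
    users: Matched DEFAULT at 30
modcall: group authorize returns ok for request 1
modcall: entering group authenticate for request 1
  modcall[authenticate]: module "ldap" returns ok for request 1
Sending Access-Accept of id 5 to 192.0.2.10:2796
Finished request 1
"""

if __name__ == "__main__":
    for t in analyze(SAMPLE_LOG.splitlines()):
        print(f"request {t.number}: {t.verdict()} "
              f"(realm={t.proxy_realm}, users lines={t.users_lines})")
```

The users-file line numbers reported for a stalled request point at the entry to inspect, which in this thread was the DEFAULT entry carrying Proxy-To-Realm.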
