Proxy Setup
I want any username like [EMAIL PROTECTED] to be proxied to an existing radius server. I have added

    realm mydomain.net {
        type = radius
        authhost = 192.168.69.10:1645
        accthost = 192.168.69.10:1646
        secret = ascend
    }

to my proxy.conf file. It still tries to authenticate locally. I was told not to put anything in my realms file. What am I missing?
Re: Proxy Setup
Anson Rinesmith [EMAIL PROTECTED] wrote:
> to my proxy.conf file. It still tries to authenticate locally. I was told not to put anything in my realms file. What am I missing?

Read the output of radiusd -X. It will tell you WHY it is, or is not, proxying.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Proxy setup
Hello,

New to the list, but I've read everything that I could possibly read, maybe I just don't understand.

What I'm trying to do. Use a STAROS using Hotspot to authenticate with our radius server. I've installed and setup freeradius on a machine we use for mirroring, and if I do the radtest to our windows radius server it goes through ok so I know it works.

I setup the proxy, but two questions. Do I have the hotspot send auth and acct to the default port of 1814? Or 1812 and 1813?

Also, my error I get in the radius log is

    Wed Oct 22 14:39:22 2003 : Error: Ignoring request from unknown home server 65.117.AAA.XX:1032
    Wed Oct 22 14:39:37 2003 : Error: Ignoring request from unknown home server 65.117.AAA.XX:1032
    Wed Oct 22 14:40:18 2003 : Error: Ignoring request from unknown client 65.117.AAA.XX:1033
    Wed Oct 22 14:40:33 2003 : Error: Ignoring request from unknown client 65.117.AAA.XX:1033
    Wed Oct 22 14:40:48 2003 : Error: Ignoring request from unknown client 65.117.AAA.XX:1033

I get the unknown client when I have the server setup in the clients.conf page, as:

    client 65.117.AAA.XX {
        secret = MySecret
        shortname = Mac
    }

Any help would be greatly appreciated.

Thanks,
Jason
LRBCG.Com, Inc.
Re: Proxy Setup
Artur,

Thanks. I still get the same behavior. To make it specific let me describe my configuration.

Environment requirement: All requests from Radius server A (machine named redhat) will be proxy to Radius Server B (machine named jenhwa).

(1) In machine A I have in my proxy.conf the following realms defined.

    realm jenhwa {
        type = radius
        authhost = 10.1.1.77
        accthost = 10.1.1.77
        secret = jenhwa
        nostrip
    }

where 10.1.1.77 is IP address of Radius Server B. and also in the radiusd.conf I can see $INCLUDE proxy.conf there. But not sure it is active, assuming $INCLUDE will do so. it said the

    proxy_requests = yes
    #INCLUDE ${confdir}/proxy.conf

(2) In machine B I have the following entry in the proxy.conf

    realm jenhwa {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
    }

and clients.conf I have

    client 10.1.1.6 {
        secret = jenhwa
        shortname = redhat
    }

where 10.1.1.6 is the IP address of radius server A.

(3) Bring up both radius server A and B using /usr/local/sbin/radiusd -x

(4) I run radtest on machine A as follows and see the request get executed at Radius Server A not B.

    radtest popo@jenhwa none 10.1.1.6 101 jenhwa whathint jenhwa

I then see on radius server A screen showing request get processed with user-name = popo@jenhwa and not forward to Radius server A at all.

I think I am missing the key part which is, how does a Radius server tell a user is suppose to get proxied? Do I have to define something in the proxy.conf to let radius server to know which format to use such as popo@jenhwa? If so, how is that accomplished? or else?

Any help again is appreciated,
-Jenhwa

On Thursday 04 April 2002 01:25 am, you wrote:
> hi
>
> > I am trying to setup two radius server namely A and B and A will be used as a proxy server just forward all the request to B and have B do the job. I have setup realms and also play around the proxy.conf and can't seem to get it to work. My realms basically defines the following
>
> snip
>
> > And what happened all the user authentication request still get process inside A and not forward to B. It seems to me the question is how does radius server tell the difference whether a user is a remote or local? Any name like [EMAIL PROTECTED]? or else? I tried to use [EMAIL PROTECTED] as the user to get it authenticated but it still get processed at machine A. What am I missing?
>
> yes, a kind of. you can configure your realm module (in radiusd.conf) to use almost every format you want. in particular user@A or user@B are suitable formats for your case (but also A/user, B/user, etc.). you should configure and activate at least one of those realm-formats.
>
> you should add A in the clients.conf of the B server, since A will be acting as a client during proxying. you also have to specify a password in the B configuration for the client A.
>
> you should then change to the A configuration and verify that the line $INCLUDE proxy.conf is active in its (A's) radiusd.conf and add the used realm(s) to the proxy.conf. such a realm would typically look something like this: (at the A side)
>
>     realm B {
>         type = radius
>         authhost = B-address:port
>         accthost = B-address:port+1
>         secret = secret_specified_in_the_B_clients.conf
>         nostrip
>     }
>
> please note the parameter nostrip. if you want B to take care of user@B like addresses and you give nostrip in A's proxy.conf, then you should probably configure B to treat those addresses as local ones by adding in the B's proxy.conf (activate it!) something like:
>
>     realm B {
>         type = radius
>         authhost = LOCAL
>         accthost = LOCAL
>     }
>
> if you use strip instead of nostrip in the given A's example, then A will throw away any recognized extension, so B would never even know about @B. it's up to you to decide what you consider being better for your case.
>
> you can then test this config by doing radtest for different users from A directly to B (since A is in the clients' list, it will work) and then to the localhost (i.e. A), hoping that you will see all the information how the request is being proxied to B.
>
> hope that helps!
> artur
Re: Proxy Setup
hello

please see comments inline

> Environment requirement: All requests from Radius server A (machine named redhat) will be proxy to Radius Server B (machine named jenhwa).
>
> (1) In machine A I have in my proxy.conf the following realms defined.
>
>     realm jenhwa {
>         type = radius
>         authhost = 10.1.1.77
>         accthost = 10.1.1.77
>         secret = jenhwa
>         nostrip
>     }
>
> where 10.1.1.77 is IP address of Radius Server B. and also in the radiusd.conf I can see $INCLUDE proxy.conf there. But not sure it is active, assuming $INCLUDE will do so.

this is fine so far, if 10.1.1.77 is jenhwa. but: i'm not sure if you can omit the ports (developers? can you? i.e. would it take the ports from /etc/services or what?)

> it said the
>
>     proxy_requests = yes
>     #INCLUDE ${confdir}/proxy.conf

THIS IS A COMMENTED LINE. it should be $INCLUDE ${confdir}/proxy.conf. well, i presume that it was a typo.

> (2) In machine B I have the following entry in the proxy.conf
>
>     realm jenhwa {
>         type = radius
>         authhost = LOCAL
>         accthost = LOCAL
>     }
>
> and clients.conf I have
>
>     client 10.1.1.6 {
>         secret = jenhwa
>         shortname = redhat
>     }
>
> where 10.1.1.6 is the IP address of radius server A.

yes, fine, A == redhat

> (3) Bring up both radius server A and B using /usr/local/sbin/radiusd -x

i would append a -s

> (4) I run radtest on machine A as follows and see the request get executed at Radius Server A not B.
>
>     radtest popo@jenhwa none 10.1.1.6 101 jenhwa whathint jenhwa

hmm, if you run it on A for A, why don't you run it for localhost? well, it doesn't matter much but it's a kind of confusing :-)

> I then see on radius server A screen showing request get processed with user-name = popo@jenhwa and not forward to Radius server A at all.

it should forward to B, doesn't it? please let be precise. using names like A and B doesn't let a lot of space for imagination. you have to be formal!!!

> I think I am missing the key part which is, how does a Radius server tell a user is suppose to get proxied? Do I have to define something in the

by checking its configured realm part. in your case, using popo@jenhwa is separated into three parts:

1. user: popo
2. delimiter: @
3. realm: jenhwa

the server which you are talking about will then try to find a matching entry for this realm in the proxy.conf (once you've activated it :-), that's the problem here as it seems to me). if it finds an entry telling something about another host, it will play a client and re-send the packages almost in the same way, the NAS does. if it finds a matching entry with a LOCAL keyword in it, it's gonna feel responsible for this realm and process it itself.

> proxy.conf to let radius server to know which format to use such as popo@jenhwa? If so, how is that accomplished? or else?

indeed, you have to! but not in the proxy.conf, these values are currently stored in the radiusd.conf (well, since proxy.conf is included, it doesn't matter much, it's just a question of organisation). so, in the radiusd.conf, you have something like:

    realm suffix {
        format = suffix
        delimiter = @
    }

this is the right syntax for the used format. and, having defined it like that, you should have activated the module called suffix (see above) in your Authorization and perhaps Pre-Accounting sections at the end of the same file.

does it work now? :-)

artur
--
hecker[at]enst.fr
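The realm decision described in the two replies above (split User-Name at the delimiter, look the realm up in proxy.conf, proxy or handle locally, strip or nostrip), as an added example that is not part of the thread and not FreeRADIUS code. It is a simplified model: the function names are hypothetical, the inputs are constructed from the configuration posted in the thread, and applying the strip rule to a LOCAL realm is an assumption.

```python
import re

# Constructed inputs modelled on the configuration posted in the thread.
RADIUSD_CONF = "proxy_requests = yes\n#INCLUDE ${confdir}/proxy.conf\n"
PROXY_CONF_A = """
realm jenhwa {
    type = radius
    authhost = 10.1.1.77
    accthost = 10.1.1.77
    secret = jenhwa
    nostrip
}
"""
PROXY_CONF_B = "realm jenhwa {\n type = radius\n authhost = LOCAL\n accthost = LOCAL\n}\n"

def include_active(radiusd_conf, name="proxy.conf"):
    """True only if an uncommented $INCLUDE line pulls in `name`."""
    return any(l.strip().startswith("$INCLUDE") and l.strip().endswith(name)
               for l in radiusd_conf.splitlines())

def parse_realms(proxy_conf):
    """Parse realm blocks into {realm: {"authhost": ..., "nostrip": bool, ...}}."""
    realms = {}
    for name, body in re.findall(r"realm\s+(\S+)\s*\{(.*?)\}", proxy_conf, re.S):
        entry = {"nostrip": False}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()
            if "=" in line:
                key, value = (part.strip() for part in line.split("=", 1))
                entry[key] = value
            elif line == "nostrip":
                entry["nostrip"] = True
        realms[name] = entry
    return realms

def route(user_name, realms, delimiter="@"):
    """Return (action, authhost, user_name_passed_on) for one request."""
    user, sep, realm = user_name.rpartition(delimiter)
    entry = realms.get(realm) if sep else None
    if entry is None:                      # no realm part, or realm not configured
        return ("local", None, user_name)
    # Assumption: the strip rule is applied the same way for LOCAL realms.
    passed_on = user_name if entry["nostrip"] else user
    if entry.get("authhost") == "LOCAL":   # this server owns the realm
        return ("local", None, passed_on)
    return ("proxy", entry.get("authhost"), passed_on)

def decide(radiusd_conf, proxy_conf, user_name):
    """With proxy.conf not included, no realm is known and nothing is proxied."""
    realms = parse_realms(proxy_conf) if include_active(radiusd_conf) else {}
    return route(user_name, realms)

if __name__ == "__main__":
    fixed = RADIUSD_CONF.replace("#INCLUDE", "$INCLUDE")
    for conf in (RADIUSD_CONF, fixed):
        print(decide(conf, PROXY_CONF_A, "popo@jenhwa"))
    print(decide(fixed, PROXY_CONF_B, "popo@jenhwa"))
```

With the `#INCLUDE` line as posted, the model handles popo@jenhwa locally on A; with `$INCLUDE` it proxies to 10.1.1.77 and passes the full name on because of nostrip.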
Re: Proxy Setup
artur,

Still the same problem, I think I have all the configuration correct. Please see my comment below.

On Thursday 04 April 2002 11:58 am, you wrote:
> hello
>
> please see comments inline
>
> > Environment requirement: All requests from Radius server A (machine named redhat) will be proxy to Radius Server B (machine named jenhwa).
> >
> > (1) In machine A I have in my proxy.conf the following realms defined.
> >
> >     realm jenhwa {
> >         type = radius
> >         authhost = 10.1.1.77
> >         accthost = 10.1.1.77
> >         secret = jenhwa
> >         nostrip
> >     }
> >
> > where 10.1.1.77 is IP address of Radius Server B. and also in the radiusd.conf I can see $INCLUDE proxy.conf there. But not sure it is active, assuming $INCLUDE will do so.
>
> this is fine so far, if 10.1.1.77 is jenhwa. but: i'm not sure if you can omit the ports (developers? can you? i.e. would it take the ports from /etc/services or what?)

Yes it is defined in my /etc/services file with the following entries

    radius       1812/tcp
    radius       1812/udp
    radius-acct  1813/tcp
    radius-acct  1813/udp

> > it said the
> >
> >     proxy_requests = yes
> >     #INCLUDE ${confdir}/proxy.conf
>
> THIS IS A COMMENTED LINE. it should be $INCLUDE ${confdir}/proxy.conf. well, i presume that it was a typo.

It is a typo it is $

> > (2) In machine B I have the following entry in the proxy.conf
> >
> >     realm jenhwa {
> >         type = radius
> >         authhost = LOCAL
> >         accthost = LOCAL
> >     }
> >
> > and clients.conf I have
> >
> >     client 10.1.1.6 {
> >         secret = jenhwa
> >         shortname = redhat
> >     }
> >
> > where 10.1.1.6 is the IP address of radius server A.
>
> yes, fine, A == redhat

YES. A == redhat

> > (3) Bring up both radius server A and B using /usr/local/sbin/radiusd -x
>
> i would append a -s

Yes, I am using -s -x this time.

> > (4) I run radtest on machine A as follows and see the request get executed at Radius Server A not B.
> >
> >     radtest popo@jenhwa none 10.1.1.6 101 jenhwa whathint jenhwa
>
> hmm, if you run it on A for A, why don't you run it for localhost? well, it doesn't matter much but it's a kind of confusing :-)

Well, I know. I am just testing the network also works.

> > I then see on radius server A screen showing request get processed with user-name = popo@jenhwa and not forward to Radius server A at all.
>
> it should forward to B, doesn't it? please let be precise. using names like A and B doesn't let a lot of space for imagination. you have to be formal!!!

Let me rephrase. I then see on radius server on redhat's screen showing request get processed with user-name = popo@jenhwa and not forward to Radius server jenhwa at all.

> > I think I am missing the key part which is, how does a Radius server tell a user is suppose to get proxied? Do I have to define something in the
>
> by checking its configured realm part. in your case, using popo@jenhwa is separated into three parts:
>
> 1. user: popo
> 2. delimiter: @
> 3. realm: jenhwa
>
> the server which you are talking about will then try to find a matching entry for this realm in the proxy.conf (once you've activated it :-), that's the problem here as it seems to me). if it finds an entry telling something about another host, it will play a client and re-send the packages almost in the same way, the NAS does. if it finds a matching entry with a LOCAL keyword in it, it's gonna feel responsible for this realm and process it itself.
>
> > proxy.conf to let radius server to know which format to use such as popo@jenhwa? If so, how is that accomplished? or else?
>
> indeed, you have to! but not in the proxy.conf, these values are currently stored in the radiusd.conf (well, since proxy.conf is included, it doesn't matter much, it's just a question of organisation). so, in the radiusd.conf, you have something like:
>
>     realm suffix {
>         format = suffix
>         delimiter = @
>     }

Yes, I found this out at radiusd.conf and it is defined already as default configuration.

> this is the right syntax for the used format. and, having defined it like that, you should have activated the module called suffix (see above) in your Authorization and perhaps Pre-Accounting sections at the end of the same file.
>
> does it work now? :-)

No, I haven't changed anything, my current configuration is exactly the same as you suggested. Now, I am assuming I should see radius server B (jenhwa) get the User-Name = popo@jenhwa and processed it but not in this case, instead it is Radius Server A get it processed.

In addition here is my raddb/users setting at both Radius Server A (redhat) and Radius Server B (jenhwa). I am not sure this will trigger any problem.

    DEFAULT Auth-Type := ACCEPT
            Fall-Through = yes,
            Exec-Program = /usr/local/sbin/myprogram %u %n %f %i

where myprogram just simply a shell program dump out the User-Name, NAS-IP-Address, Framed-IP-Address and
Proxy Setup
Hi,

I am trying to setup two radius server namely A and B and A will be used as a proxy server just forward all the request to B and have B do the job. I have setup realms and also play around the proxy.conf and can't seem to get it to work. My realms basically defines the following

    NOREALM B.mobileradius.com nostrip

And what happened all the user authentication request still get process inside A and not forward to B. It seems to me the question is how does radius server tell the difference whether a user is a remote or local? Any name like [EMAIL PROTECTED]? or else? I tried to use [EMAIL PROTECTED] as the user to get it authenticated but it still get processed at machine A. What am I missing?

Any help is appreciated,
-Jenhwa
Re: proxy setup help
[EMAIL PROTECTED] wrote:
> Duncan Drennan [EMAIL PROTECTED] wrote:
> > I am running free-radius 0.4 on Suse Linux 7.3. We want to allow certain access to our network for processing. Our (ISDN) clients dial into our ISP. If they dial in with a certain user name, then the ISP must authenticate with our radius server and allow them to log in.
>
> That's what realms are for. The clients should log into the ISP as 'user@your_domain'. That ISP then configures their server to check for the '@your_domain', and to forward the requests to you. They should also be able to strip off the '@your_domain', so it looks to *you* like someone local is requesting authentication.
>
> > The ISP has a radius server. I've been looking at the config files and it seems that this is done using the proxy file and clients or users files. I'm not really sure how to do this, because I haven't ever worked with radius before.
>
> I'd suggest asking your ISP for help, as you *will* have to interact with them, and set up compatible configurations.
>
> > What needs to be done on our server to allow access for our clients? We want this setup so that we can have control over the access without having to go through our ISP for admin.
>
> They should proxy requests to you, and you should authenticate them.

I presume that all I need to authenticate is add the info into the users config file??

> Alan DeKok.

DeKok? Where are you from? Sound very South African (my home) :)
Re: proxy setup help
Duncan Drennan [EMAIL PROTECTED] wrote:
> I presume that all I need to authenticate is add the info into the users config file??

Yes.

> DeKok? Where are you from? Sound very South African (my home) :)

No, before that. The name comes from Holland, I was born in Canada.

Alan DeKok.
Re: proxy setup help
Duncan Drennan [EMAIL PROTECTED] wrote:
> I am running free-radius 0.4 on Suse Linux 7.3. We want to allow certain access to our network for processing. Our (ISDN) clients dial into our ISP. If they dial in with a certain user name, then the ISP must authenticate with our radius server and allow them to log in.

That's what realms are for. The clients should log into the ISP as 'user@your_domain'. That ISP then configures their server to check for the '@your_domain', and to forward the requests to you. They should also be able to strip off the '@your_domain', so it looks to *you* like someone local is requesting authentication.

> The ISP has a radius server. I've been looking at the config files and it seems that this is done using the proxy file and clients or users files. I'm not really sure how to do this, because I haven't ever worked with radius before.

I'd suggest asking your ISP for help, as you *will* have to interact with them, and set up compatible configurations.

> What needs to be done on our server to allow access for our clients? We want this setup so that we can have control over the access without having to go through our ISP for admin.

They should proxy requests to you, and you should authenticate them.

Alan DeKok.
Proxy Setup.
Hi

I have 2 radius servers running, Freeradius in the front, and another one in the backend. I want the Freeradius to append some settings in addition to the settings coming from the one in the backend, depending on the profile the user has in usergroup in MYSQL. Basically I had to do this, since in a proxy setup you can't pass Tunnel Attributes.

2- I'm using usernames similar to this, 151000, in hints, can I do this DEFAULT Prefix=151*.

Best Regards