Proxy Setup

2003-12-05 Thread Anson Rinesmith








I want any username like [EMAIL PROTECTED] to be proxied to
an existing radius server.



I have added

realm mydomain.net {
 type = radius
 authhost = 192.168.69.10:1645
 accthost = 192.168.69.10:1646
 secret = ascend
}



to my proxy.conf file. It still tries to authenticate
locally. I was told not to put anything in my realms file.

What am I missing?










Re: Proxy Setup

2003-12-05 Thread Alan DeKok
Anson Rinesmith [EMAIL PROTECTED] wrote:
 to my proxy.conf file. It still tries to authenticate locally. I was told
 not to put anything in my realms file.
 
 What am I missing?

  Read the output of radiusd -X.  It will tell you WHY it is, or is
not, proxying. 

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Proxy setup

2003-10-22 Thread Jason Sehlmeyer








Hello, New to the list, but I've read everything that I could possibly
read, maybe I just don't understand.

What I'm trying to do.

Use a STAROS using Hotspot to authenticate with our radius server. I've
installed and setup freeradius on a machine we use for mirroring, and if
I do the radtest to our windows radius server it goes through ok so I
know it works. I setup the proxy, but two questions. Do I have the
hotspot send auth and acct to the default port of 1814? Or 1812 and 1813?



Also, My error I get in the radius log is

Wed Oct 22 14:39:22 2003 : Error: Ignoring request from unknown home server 65.117.AAA.XX:1032
Wed Oct 22 14:39:37 2003 : Error: Ignoring request from unknown home server 65.117.AAA.XX:1032
Wed Oct 22 14:40:18 2003 : Error: Ignoring request from unknown client 65.117.AAA.XX:1033
Wed Oct 22 14:40:33 2003 : Error: Ignoring request from unknown client 65.117.AAA.XX:1033
Wed Oct 22 14:40:48 2003 : Error: Ignoring request from unknown client 65.117.AAA.XX:1033





I get the unknown client when I have the server setup in the
clients.conf page, as:

client 65.117.AAA.XX
{
 secret = MySecret
 shortname = Mac
}



Any help would be greatly appreciated.



Thanks,
Jason

LRBCG.Com, Inc.










Re: Proxy Setup

2002-04-04 Thread Jenhwa Tan

Artur,

Thanks.  I still get the same behavior.  To make it specific let me describe 
my configuration.

Environment requirement:  All requests from Radius server A(machine named 
redhat) will be proxy to Radius Server B(machine named jenhwa).

(1) In machine A I have in my proxy.conf the following realms defined.


realm jenhwa {
type = radius
authhost= 10.1.1.77
accthost = 10.1.1.77
secret = jenhwa
nostrip
}

where 10.1.1.77 is IP address of Radius Server B.
and also in the radiusd.conf I can see $INCLUDE proxy.conf there.  But not 
sure it is active, assuming $INCLUDE will do so.

it said the 
proxy_requests = yes
#INCLUDE ${confdir}/proxy.conf

(2) In machine B I have the following entry in the proxy.conf

realm jenhwa {
type = radius
authhost = LOCAL
accthost = LOCAL
}

and clients.conf I have
client 10.1.1.6 {
secret = jenhwa
shortname = redhat
}

where 10.1.1.6 is the IP address of  radius server A.

(3)  Bring up both radius server A and B using /usr/local/sbin/radiusd -x

(4)  I run radtest on machine A as follows and see the request get executed 
at Radius Server A not B.

radtest popo@jenhwa none 10.1.1.6 101 jenhwa whathint jenhwa


I then see on radius server A screen showing request get processed with 
user-name = popo@jenhwa   and not forward to Radius server A at all.

I think I am missing the key part which is, how does a Radius server tell a 
user is supposed to get proxied?  Do I have to define something in the 
proxy.conf to let radius server to know which format to use such as 
popo@jenhwa?  If so, how is that accomplished?  or else?

Any help again is appreciated,
-Jenhwa







On Thursday 04 April 2002 01:25 am, you wrote:
 hi

  I am trying to setup two radius server namely A and B and A will be used
  as a proxy server just forward all the request to B and have B do the
  job.  I have setup realms and also play around the proxy.conf and can't
  seem to get it to work.  My realms basically defines the following snip
 
  And what happened all the user authentication request still get process
  inside A and not forward to B.  I seems to me the question is how does
  radius server tell the difference whether a user is a remote or local? 
  Any name like [EMAIL PROTECTED]?  or else?  I tried to use
  [EMAIL PROTECTED] as the user to get it authenticated but it still
  get processed at machine A. What am I missing?

 yes, a kind of. you can configure your realm module (in radiusd.conf) to
 use almost every format you want. in particular user@A or user@B are
 suitable formats for your case (but also A/user, B/user, etc.). you
 should configure and activate at least one of those realm-formats.

 you should add A in the clients.conf of the B server, since A will be
 acting as a client during proxying. you also have to specify a password
 in the B configuration for the client A. you should then change to the A
 configuration and verify that the line $INCLUDE proxy.conf is active in
 its (A's) radiusd.conf and add the used realm(s) to the proxy.conf.

 such a realm would typically look something like this: (at the A side)

 realm B {
   type = radius
   authhost = B-address:port
   accthost = B-address:port+1
   secret = secret_specified_in_the_B_clients.conf
   nostrip
 }

 please note the parameter nostrip. if you want B to take care of
 user@B like addresses and you give nostrip in A's proxy.conf, then you
 should probably configure B to treat those addresses as local ones by
 adding in the B's proxy.conf (activate it!) something like:

 realm B {
   type = radius
   authhost = LOCAL
   accthost = LOCAL
 }

 if you use strip instead of nostrip in the given A's example, then A
 will throw away any recognized extension, so B would never even know
 about @B. it's up to you to decide what you consider being better for
 your case.


 you can then test this config by doing radtest for different users from
 A directly to B (since A is in the clients' list, it will work) and then
 to the localhost (i.e. A), hoping that you will see all the information
 how the request is being proxied to B.


 hope that helps!

 artur
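
The checks from the quoted reply above (an active $INCLUDE of proxy.conf on A, A listed in B's clients.conf, the same shared secret on both sides), written out as an added Python example; it is not from the thread or from FreeRADIUS. The file contents are constructed from the snippets quoted in this thread, and `parse_blocks` and `check_proxy_pair` are hypothetical names.

```python
import re

# Constructed copies of the files quoted in this thread (A = redhat, B = jenhwa).
A_RADIUSD_CONF = "proxy_requests = yes\n#INCLUDE ${confdir}/proxy.conf\n"
A_PROXY_CONF = """realm jenhwa {
    type = radius
    authhost = 10.1.1.77
    accthost = 10.1.1.77
    secret = jenhwa
    nostrip
}
"""
B_CLIENTS_CONF = """client 10.1.1.6 {
    secret = jenhwa
    shortname = redhat
}
"""

BLOCK = re.compile(r"^\s*(realm|client)\s+(\S+)\s*\{(.*?)^\s*\}", re.M | re.S)


def parse_blocks(text, kind):
    """Return {name: {key: value}} for 'realm NAME { ... }' style blocks."""
    blocks = {}
    for found_kind, name, body in BLOCK.findall(text):
        if found_kind != kind:
            continue
        items = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()  # drop comments
            if "=" in line:
                key, value = line.split("=", 1)
                items[key.strip()] = value.strip()
            elif line:
                items[line] = True  # bare flag such as nostrip
        blocks[name] = items
    return blocks


def check_proxy_pair(a_radiusd, a_proxy, b_clients, a_address):
    """List the problems that would stop A from proxying to B."""
    problems = []
    active = [l.strip() for l in a_radiusd.splitlines()
              if l.strip() and not l.lstrip().startswith("#")]
    if not any(l.startswith("$INCLUDE") and l.endswith("proxy.conf") for l in active):
        problems.append("proxy.conf is not pulled in by an active $INCLUDE line")
    if not any(re.fullmatch(r"proxy_requests\s*=\s*yes", l) for l in active):
        problems.append("proxy_requests is not set to yes")
    client = parse_blocks(b_clients, "client").get(a_address)
    for name, realm in parse_blocks(a_proxy, "realm").items():
        if realm.get("authhost") == "LOCAL":
            continue  # handled on A itself, nothing to compare
        if client is None:
            problems.append(f"realm {name}: {a_address} is not a client on B")
        elif client.get("secret") != realm.get("secret"):
            problems.append(f"realm {name}: secret differs from B's client entry")
    return problems
```

With the include line written as `#INCLUDE`, the only finding is the inactive include; a differing secret or a missing client entry on B is reported per realm.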




Re: Proxy Setup

2002-04-04 Thread Artur Hecker


hello

please see comments inline

 Environment requirement:  All requests from Radius server A(machine named
 redhat) will be proxy to Radius Server B(machine named jenhwa).
 
 (1) In machine A I have in my proxy.conf the following realms defined.
 
 realm jenhwa {
 type = radius
 authhost= 10.1.1.77
 accthost = 10.1.1.77
 secret = jenhwa
 nostrip
 }
 
 where 10.1.1.77 is IP address of Radius Server B.
 and also in the radiusd.conf I can see $INCLUDE proxy.conf there.  But not
 sure it is active, assuming $INCLUDE will do so.

this is fine so far, if 10.1.1.77 is jenhwa. but: i'm not sure if you
can omit the ports (developers? can you? i.e. would it take the ports
from /etc/services or what?)

 
 it said the
 proxy_requests = yes
 #INCLUDE ${confdir}/proxy.conf
 
THIS IS A COMMENTED LINE. it should be $INCLUDE ${confdir}/proxy.conf.
well, i presume that it was a typo.


 (2) In machine B I have the following entry in the proxy.conf
 
 realm jenhwa {
 type = radius
 authhost = LOCAL
 accthost = LOCAL
 }
 
 and clients.conf I have
 client 10.1.1.6 {
 secret = jenhwa
 shortname = redhat
 }
 
 where 10.1.1.6 is the IP address of  radius server A.

yes, fine, A == redhat

 
 (3)  Bring up both radius server A and B using /usr/local/sbin/radiusd -x

i would append a -s

 
 (4)  I run radtest on machine A as follows and see the request get executed
 at Radius Server A not B.
 
 radtest popo@jenhwa none 10.1.1.6 101 jenhwa whathint jenhwa

hmm, if you run it on A for A, why don't you run it for localhost?
well, it doesn't matter much but it's a kind of confusing :-)

 I then see on radius server A screen showing request get processed with
 user-name = popo@jenhwa   and not forward to Radius server A at all.

it should forward to B, doesn't it? please let be precise. using names
like A and B doesn't let a lot of space for imagination. you have to be
formal!!!


 I think I am missing the key part which is, how does a Radius server tell a
 user is supposed to get proxied?  Do I have to define something in the

by checking its configured realm part. in your case, using
popo@jenhwa is separated into three parts:
1. user: popo
2. delimiter: @
3. realm: jenhwa

the server which you are talking about will then try to find a matching
entry for this realm in the proxy.conf (once you've activated it :-),
that's the problem here as it seems to me). if it finds an entry telling
something about another host, it will play a client and re-send the
packages almost in the same way, the NAS does. if it finds a matching
entry with a LOCAL keyword in it, it's gonna feel responsible for this
realm and process it itself.


 proxy.conf to let radius server to know which format to use such as
 popo@jenhwa?  If so, how is that accomplished?  or else?

indeed, you have to! but not in the proxy.conf, these values are
currently stored in the radiusd.conf (well, since proxy.conf is
included, it doesn't matter much, it's just a question of organisation).
so, in the radiusd.conf, you have something like:

realm suffix {
format = suffix
delimiter = @
}

this is the right syntax for the used format. and, having defined it
like that, you should have activated the module called suffix (see
above) in your Authorization and perhaps Pre-Accounting sections at the
end of the same file.


does it work now? :-)

artur

-- 
hecker[at]enst.fr
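
An added Python model (not FreeRADIUS code and not part of the original message) of the routing decision described above: split User-Name at the delimiter, look the realm up in the proxy.conf entries, then either proxy to the listed host or handle the request locally. The realm tables are constructed from the values quoted in this thread; the function names and the two boolean switches are assumptions made for illustration.

```python
# Constructed stand-ins for the realm entries in proxy.conf on each server.
PROXY_CONF_A = {  # server A (redhat) forwards realm "jenhwa" to B
    "jenhwa": {"authhost": "10.1.1.77", "strip": False},
}
PROXY_CONF_B = {  # server B (jenhwa) handles the realm itself
    "jenhwa": {"authhost": "LOCAL", "strip": False},
}


def split_realm(user_name, delimiter="@"):
    """Suffix format: split at the LAST delimiter -> (user, realm or None)."""
    user, sep, realm = user_name.rpartition(delimiter)
    if not sep or not user or not realm:
        return user_name, None
    return user, realm


def route(user_name, realms, suffix_active=True, proxy_conf_included=True):
    """Return (action, target, user_name_sent) for one Access-Request."""
    # If the suffix module is not listed in the authorize section, nothing
    # looks at the realm and the request is processed locally.
    if not suffix_active:
        return ("local", None, user_name)
    user, realm = split_realm(user_name)
    # A commented-out include leaves the server with no realm entries.
    table = realms if proxy_conf_included else {}
    entry = table.get(realm) if realm else None
    if entry is None:
        return ("local", None, user_name)
    # strip removes the "@realm" part; nostrip passes the name unchanged.
    sent = user if entry["strip"] else user_name
    if entry["authhost"] == "LOCAL":
        return ("local", None, sent)
    return ("proxy", entry["authhost"], sent)


if __name__ == "__main__":
    print(route("popo@jenhwa", PROXY_CONF_A))
    print(route("popo@jenhwa", PROXY_CONF_A, proxy_conf_included=False))
    print(route("popo@jenhwa", PROXY_CONF_B))
```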




Re: Proxy Setup

2002-04-04 Thread Jenhwa Tan

artur,

Still the same problem, I think I have all the configuration  correct.  
Please see my comment below.

On Thursday 04 April 2002 11:58 am, you wrote:
 hello

 please see comments inline

  Environment requirement:  All requests from Radius server A(machine named
  redhat) will be proxy to Radius Server B(machine named jenhwa).
 
  (1) In machine A I have in my proxy.conf the following realms defined.
 
  realm jenhwa {
  type = radius
  authhost= 10.1.1.77
  accthost = 10.1.1.77
  secret = jenhwa
  nostrip
  }
 
  where 10.1.1.77 is IP address of Radius Server B.
  and also in the radiusd.conf I can see $INCLUDE proxy.conf there.  But
  not sure it is active, assuming $INCLUDE will do so.

 this is fine so far, if 10.1.1.77 is jenhwa. but: i'm not sure if you
 can omit the ports (developers? can you? i.e. would it take the ports
 from /etc/services or what?)


Yes it is defined in my /etc/services file  with the following entries

radius 1812/tcp
radius  1812/udp
radius-acct 1813/tcp
radius-acct 1813/udp


  it said the
  proxy_requests = yes
  #INCLUDE ${confdir}/proxy.conf

  
 THIS IS A COMMENTED LINE. it should be $INCLUDE ${confdir}/proxy.conf.
 well, i presume that it was a typo.

It is a typo it is $

  (2) In machine B I have the following entry in the proxy.conf
 
  realm jenhwa {
  type = radius
  authhost = LOCAL
  accthost = LOCAL
  }
 
  and clients.conf I have
  client 10.1.1.6 {
  secret = jenhwa
  shortname = redhat
  }
 
  where 10.1.1.6 is the IP address of  radius server A.

 yes, fine, A == redhat


YES.  A == redhat
  (3)  Bring up both radius server A and B using /usr/local/sbin/radiusd -x

 i would append a -s


Yes, I am using -s -x this time.
  (4)  I run radtest on machine A as follows and see the request get
  executed at Radius Server A not B.
 
  radtest popo@jenhwa none 10.1.1.6 101 jenhwa whathint jenhwa

 hmm, if you run it on A for A, why don't you run it for localhost?
 well, it doesn't matter much but it's a kind of confusing :-)

Well, I know.  I am just testing the network also works.

  I then see on radius server A screen showing request get processed with
  user-name = popo@jenhwa   and not forward to Radius server A at all.

 it should forward to B, doesn't it? please let be precise. using names
 like A and B doesn't let a lot of space for imagination. you have to be
 formal!!!


Let me rephrase 
I then see on radius server on redhat's screen showing request get processed 
with user-name = popo@jenhwa   and not forward to Radius server jenhwa at 
all.

  I think I am missing the key part which is, how does a Radius server tell
  a user is supposed to get proxied?  Do I have to define something in the

 by checking its configured realm part. in your case, using
 popo@jenhwa is separated into three parts:
 1. user: popo
 2. delimiter: @
 3. realm: jenhwa

 the server which you are talking about will then try to find a matching
 entry for this realm in the proxy.conf (once you've activated it :-),
 that's the problem here as it seems to me). if it finds an entry telling
 something about another host, it will play a client and re-send the
 packages almost in the same way, the NAS does. if it finds a matching
 entry with a LOCAL keyword in it, it's gonna feel responsible for this
 realm and process it itself.

  proxy.conf to let radius server to know which format to use such as
  popo@jenhwa?  If so, how is that accomplished?  or else?

 indeed, you have to! but not in the proxy.conf, these values are
 currently stored in the radiusd.conf (well, since proxy.conf is
 included, it doesn't matter much, it's just a question of organisation).
 so, in the radiusd.conf, you have something like:

 realm suffix {
 format = suffix
 delimiter = @
 }


Yes, I found this out at radiusd.conf and it is defined already as default 
configuration.

 this is the right syntax for the used format. and, having defined it
 like that, you should have activated the module called suffix (see
 above) in your Authorization and perhaps Pre-Accounting sections at the
 end of the same file.


 does it work now? :-)

No,  I haven't change anything, my current configuration is exactly the same 
as you suggested.  Now, I am assuming I should see radius server B(jenhwa) 
get the User-Name = popo@jenhwa and processed it but not in this case, 
instead it is Radius Server A get it processed.  In addition here is my 
raddb/users setting at both Radius Server A(redhat) and Radius Server 
B(jenhwa)  I am not sure this will trigger any problem.

DEFAULT Auth-Type := ACCEPT
  Fall-Through = yes,
   Exec-Program = /usr/local/sbin/myprogram %u %n %f %i

where myprogram just simply a shell program dump out the User-Name, 
NAS-IP-Address, Framed-IP-Address and 

Proxy Setup

2002-04-03 Thread Jenhwa Tan

Hi,

I am trying to setup two radius server namely A and B and A will be used as a 
proxy server just forward all the request to B and have B do the job.  I have 
setup realms and also play around the proxy.conf and can't seem to get it to 
work.  My realms basically defines the following

NOREALM B.mobileradius.com nostrip

And what happened all the user authentication request still get process 
inside A and not forward to B.  I seems to me the question is how does radius 
server tell the difference whether a user is a remote or local?  Any name like
[EMAIL PROTECTED]?  or else?  I tried to use [EMAIL PROTECTED] as 
the user to get it authenticated but it still get processed at machine A. 
What am I missing?

Any help is appreciated,
-Jenhwa




Re: proxy setup help

2002-01-03 Thread Duncan Drennan



[EMAIL PROTECTED] wrote:

Duncan Drennan [EMAIL PROTECTED] wrote:

I am running free-radius 0.4 on Suse Linux 7.3. We want to allow certain 
access to our network for processing. Our (ISDN) clients dial into our 
ISP. If they dial in with a certain user name, then the ISP must 
authenticate with our radius server and allow them to log in.


  That's what realms are for.  The clients should log into the ISP as
'user@your_domain'.  That ISP then configures their server to check
for the '@your_domain', and to forward the requests to you.

  They should also be able to strip off the '@your_domain', so it
looks to *you* like someone local is requesting authentication.

The ISP has a radius server. I've been looking at the config files
and it seems that this is done using the proxy file and clients or
users files. I'm not really sure how to do this, because I haven't
ever worked with radius before.


  I'd suggest asking your ISP for help, as you *will* have to interact
with them, and set up compatible configurations.

What needs to be done on our server to allow access for our clients?
We want this setup so that we can have control over the access
without having to go through our ISP for admin.


  They should proxy requests to you, and you should authenticate them.


I presume that all I need to authenticate is add the info into the users 
config file??



  Alan DeKok.

DeKok? Where are you from? Sound very South African (my home) :)





Re: proxy setup help

2002-01-03 Thread aland

Duncan Drennan [EMAIL PROTECTED] wrote:
 I presume that all I need to authenticate is add the info into the users 
 config file??

  Yes.

 DeKok? Where are you from? Sound very South African (my home) :)

  No, before that.  The name comes from Holland, I was born in Canada.

  Alan DeKok.




Re: proxy setup help

2002-01-02 Thread aland

Duncan Drennan [EMAIL PROTECTED] wrote:
 I am running free-radius 0.4 on Suse Linux 7.3. We want to allow certain 
 access to our network for processing. Our (ISDN) clients dial into our 
 ISP. If they dial in with a certain user name, then the ISP must 
 authenticate with our radius server and allow them to log in.

  That's what realms are for.  The clients should log into the ISP as
'user@your_domain'.  That ISP then configures their server to check
for the '@your_domain', and to forward the requests to you.

  They should also be able to strip off the '@your_domain', so it
looks to *you* like someone local is requesting authentication.

 The ISP has a radius server. I've been looking at the config files
 and it seems that this is done using the proxy file and clients or
 users files. I'm not really sure how to do this, because I haven't
 ever worked with radius before.

  I'd suggest asking your ISP for help, as you *will* have to interact
with them, and set up compatible configurations.

 What needs to be done on our server to allow access for our clients?
 We want this setup so that we can have control over the access
 without having to go through our ISP for admin.

  They should proxy requests to you, and you should authenticate them.

  Alan DeKok.




Proxy Setup.

2001-09-22 Thread Mustafa N. Deeb

Hi

I have 2 radius servers running, Freeradius in the front, and another
one in the backend


I want the Freeradius to append some settings in addition to the
settings coming from the one in the backend
Depending on the profile the user have in usergroup in MYSQL.


Basically I had to do this, since in a proxy setup you can't pass Tunnel
Attributes.

2- I'm using usernames similar to this, 151000   , in hints, can I do
this 

DEFAULT Prefix=151*.




Best Regards

