At 06:14 PM 9/18/2001 -0700, you wrote:
>Hi all,
>
>I have been using Cistron for several years (a modified version of Cistron)
>and I am now attempting to try FreeRadius but I need to maintain the
>existing Cistron installation for a time while migrating users to the new
>server/radius.
>
>I have never done proxying of any sort in radius so I wanted to pose a
>couple questions here before I dig into learning radius all over again.
>
>1) Does the radius proxying the request from the NAS to a remote server look
>like a NAS to the remote server? I mean does the remote server know about the
>originating NAS or is the request rewritten so the proxy is acting like a
>NAS?
There are two variables. Client-IP-Address, and NAS-IP-Address. The
NAS-IP-Address follows all the way through to your radius server from the
proxy; however, the Client-IP-Address is where your server sees the
request coming from. Hence, in your clients file, you need to have the
Proxy server's IP and secret in there, not the NAS IPs.
>2) If the proxy looks like a NAS to the remote server then I would assume
>that the remote server needs a client entry/secret for the proxy and not the
>NAS..is this correct?
See above. You only need a client entry for the proxy radius server, not
all the NAS's. The proxy radius server is what needs to have the client
files for all the NASs.
>3) If the remote server knows about the originating NAS (if #2 is false)
>then the remote server needs a client entry/secret for the originating
>NAS??...correct?
>
>4) Does the remote server need to have anything configured regarding
>proxying or does it see the request just as a normal NAS packet even though
>it is passing through another radius?
It sees it as a normal request coming from a single source, your proxy
radius. In turn, the NASs then see the request coming from your proxy
server and not your regular radius. The proxy is just the middleman.
>Once I understand the above then I can debug a little more and determine why
>my remote server (original, currently operating radius) mangles the
>password...watching the log on the remote server I see the password
>mangled...I know, I know...check the secrets..done it, but I am a little
>confused as to what secret needs to be where...the proxy? NAS?...
Definitely your shared secret is wrong. Make sure your proxy server has a
client entry with a secret for your regular radius server, and your regular
radius needs to have the proxy IP and the same password in its clients file.
>If someone feels really helpful...;) The next thing is figuring out how to
>proxy/not proxy requests.
>
>I want to point my NAS's to the new FreeRadius installation and auth/acct
>requests for users with a realm/domain such as [EMAIL PROTECTED], which should
>be authed/acct'd on the new FreeRadius install (not stripped either,
>usernames include the domain on this box), but normal user requests such as
>"bob" should be proxied to the original Cistron installation.
Freeradius supports this with the NULL identifier in the proxy.conf
file. Read the section in your proxy.conf, it is extremely easy to set up.
>I kind of have an idea on how that will work....but any info would be very
>much appreciated.
>
>
>Thanks,
>
>-Dave
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
----------------------------------
Nathan Miller
Visp Systems Administration
Voice: 541-476-5352 ext. 4
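
Why a wrong secret on one hop shows up as a mangled password, as an added example that is not part of the original message: it implements the User-Password hiding from RFC 2865 section 5.2 (PAP), where each hop hides the password with the secret it shares with the next hop. The secrets, password, authenticators and function names are constructed for illustration.

```python
import hashlib

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Sender side: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = (password + b"\x00" * (-len(password) % 16)) or bytes(16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Receiver side: same keystream, chained on the ciphertext blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")

def proxy_forward(hidden, nas_secret, nas_auth, home_secret, home_auth):
    """Proxy hop: unhide with the NAS-side secret, re-hide with the home-server secret."""
    clear = recover_password(hidden, nas_secret, nas_auth)
    return hide_password(clear, home_secret, home_auth)

# Constructed sample values (not from the thread).
NAS_SECRET = b"nas-to-proxy-secret"     # in the proxy's clients file, per NAS
HOME_SECRET = b"proxy-to-home-secret"   # in the home server's clients file, for the proxy
PASSWORD = b"bobs-long-passphrase-1"    # 22 bytes, so two blocks are chained
NAS_AUTH = bytes(range(16))             # Request Authenticator on the NAS -> proxy hop
HOME_AUTH = bytes(range(16, 32))        # Request Authenticator on the proxy -> home hop

def demo():
    hidden = hide_password(PASSWORD, NAS_SECRET, NAS_AUTH)
    forwarded = proxy_forward(hidden, NAS_SECRET, NAS_AUTH, HOME_SECRET, HOME_AUTH)
    return {
        # Home server has the proxy's secret: password comes out clean.
        "home_has_proxy_secret": recover_password(forwarded, HOME_SECRET, HOME_AUTH),
        # Home server has the NAS's secret instead: garbage, the "mangled" log entry.
        "home_has_nas_secret": recover_password(forwarded, NAS_SECRET, HOME_AUTH),
    }

if __name__ == "__main__":
    for case, value in demo().items():
        print(f"{case}: {value!r}")
```

The receiver has no way to tell a wrong secret from a wrong password at this layer, which is why the mismatch surfaces only as unreadable bytes in the log.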