hi
> I am trying to set up two radius servers, namely A and B, and A will be used as a
> proxy server to just forward all the requests to B and have B do the job. I have
> set up realms and also played around with the proxy.conf and can't seem to get it to
> work. My realms basically define the following <snip>
>
> And what happened is that all the user authentication requests still get processed
> inside A and are not forwarded to B. It seems to me the question is how does the radius
> server tell the difference whether a user is remote or local? Any name like
> [EMAIL PROTECTED]? or else? I tried to use [EMAIL PROTECTED] as
> the user to get it authenticated but it still gets processed at machine A.
> What am I missing?
yes, kind of. you can configure your realm module (in radiusd.conf) to
use almost every format you want. in particular user@A or user@B are
suitable formats for your case (but also A/user, B/user, etc.). you
should configure and activate at least one of those realm-formats.

you should add A in the clients.conf of the B server, since A will be
acting as a client during proxying. you also have to specify a password
in the B configuration for the client A. you should then change to the A
configuration and verify that the line $INCLUDE proxy.conf is active in
its (A's) radiusd.conf and add the used realm(s) to the proxy.conf.

such a realm would typically look something like this: (at the A side)
realm B {
        type     = radius
        authhost = <B-address>:<port>
        accthost = <B-address>:<port+1>
        secret   = <secret_specified_in_the_B_clients.conf>
        nostrip
}
please note the parameter "nostrip". if you want B to take care of
user@B like addresses and you give "nostrip" in A's proxy.conf, then you
should probably configure B to treat those addresses as local ones by
adding in the B's proxy.conf (activate it!) something like:
realm B {
        type     = radius
        authhost = LOCAL
        accthost = LOCAL
}
if you use "strip" instead of "nostrip" in the given A's example, then A
will throw away any recognized extension, so B would never even know
about @B. it's up to you to decide what you consider being better for
your case.

you can then test this config by doing radtest for different users from
A directly to B (since A is in the clients' list, it will work) and then
to the localhost (i.e. A), hoping that you will see all the information
how the request is being proxied to B.
hope that helps!
artur
--
Artur Hecker                 Groupe Accès et Mobilité
[EMAIL PROTECTED]            Département Informatique et Réseaux
+33 1 45 81 7507             46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr    ENST Paris
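
Added example, not part of the original post and not FreeRADIUS code: a simplified Python model of the local-versus-proxy decision and of what User-Name B ends up working with under "strip" and "nostrip". The host name b.example, the user alice and all function names are hypothetical; the model assumes that "strip" is the default when "nostrip" is absent and that a name with no configured realm is handled locally unchanged.

```python
# Simplified model of realm-based proxying (constructed, not FreeRADIUS source).
# Assumptions: "strip" is the default when "nostrip" is absent; a request whose
# realm has no entry (and no DEFAULT realm) is handled locally, name unchanged.
LOCAL = "LOCAL"

def split_realm(user_name, fmt="suffix", delimiter="@"):
    """Return (user, realm); realm is None when the delimiter is absent."""
    if delimiter not in user_name:
        return user_name, None
    if fmt == "suffix":                       # user@B
        user, realm = user_name.rsplit(delimiter, 1)
    else:                                     # prefix format, e.g. B/user
        realm, user = user_name.split(delimiter, 1)
    return user, realm

def route(user_name, realms, fmt="suffix", delimiter="@"):
    """Decide what one server does with a request.

    realms maps realm name -> {"authhost": ..., "strip": bool}, mirroring
    the realm entries of that server's proxy.conf.
    Returns (action, target, user_name_used).
    """
    user, realm = split_realm(user_name, fmt, delimiter)
    entry = realms.get(realm)
    if entry is None:
        # No realm in the name, or no entry for it: processed on this server.
        return "local", None, user_name
    name = user if entry["strip"] else user_name
    if entry["authhost"] == LOCAL:
        return "local", None, name
    return "proxy", entry["authhost"], name

def two_hops(user_name, realms_a, realms_b):
    """Follow a request through A and, if A proxies it, on to B.

    Returns (server that authenticates, user name it looks up).
    """
    action, _target, name = route(user_name, realms_a)
    if action == "local":
        return "A", name
    return "B", route(name, realms_b)[2]

# Constructed proxy.conf equivalents (host name is a placeholder).
A_NOSTRIP = {"B": {"authhost": "b.example:1812", "strip": False}}
A_STRIP = {"B": {"authhost": "b.example:1812", "strip": True}}
B_LOCAL_REALM = {"B": {"authhost": LOCAL, "strip": True}}
B_NO_REALMS = {}
```

In this model, two_hops("alice@B", A_NOSTRIP, B_NO_REALMS) leaves B looking up the literal name "alice@B", which is the case the "authhost = LOCAL" realm on B is meant to handle.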