Artur,

Thanks.  I still get the same behavior.  To make it specific let me describe 
my configuration.

Environment requirement: All requests from Radius server A (machine named 
redhat) will be proxied to Radius Server B (machine named jenhwa).

(1) In machine A I have in my proxy.conf the following realms defined.


realm jenhwa {
                type = radius
                authhost = 10.1.1.77
                accthost = 10.1.1.77
                secret = jenhwa
                nostrip
}

where 10.1.1.77 is the IP address of Radius Server B.
Also, in the radiusd.conf I can see $INCLUDE proxy.conf there.  But I am not 
sure it is active, assuming $INCLUDE will do so.

It says:
proxy_requests = yes
#INCLUDE ${confdir}/proxy.conf

(2) In machine B I have the following entry in the proxy.conf

realm jenhwa {
                type = radius
                authhost = LOCAL
                accthost = LOCAL
}

and in clients.conf I have
client 10.1.1.6 {
                secret = jenhwa
                shortname = redhat
}

where 10.1.1.6 is the IP address of radius server A.

(3)  Bring up both radius server A and B using /usr/local/sbin/radiusd -x

(4)  I run radtest on machine A as follows and see the request get executed 
at Radius Server A, not B.

radtest popo@jenhwa none 10.1.1.6 101 jenhwa whathint jenhwa


I then see the radius server A screen showing the request getting processed 
with user-name = "popo@jenhwa" and not forwarded to Radius server A at all.

I think I am missing the key part, which is: how does a Radius server tell 
that a user is supposed to get proxied?  Do I have to define something in the 
proxy.conf to let the radius server know which format to use, such as 
popo@jenhwa?  If so, how is that accomplished?  Or else?

Any help again is appreciated,
-Jenhwa

On Thursday 04 April 2002 01:25 am, you wrote:
> hi
>
> > I am trying to setup two radius server namely A and B and A will be used
> > as a proxy server just forward all the request to B and have B do the
> > job.  I have setup realms and also play around the proxy.conf and can't
> > seem to get it to work.  My realms basically defines the following <snip>
> >
> > And what happened all the user authentication request still get processed
> > inside A and not forward to B.  It seems to me the question is how does
> > radius server tell the difference whether a user is a remote or local? 
> > Any name like [EMAIL PROTECTED]?  or else?  I tried to use
> > [EMAIL PROTECTED] as the user to get it authenticated but it still
> > get processed at machine A. What am I missing?
>
> yes, a kind of. you can configure your realm module (in radiusd.conf) to
> use almost every format you want. in particular user@A or user@B are
> suitable formats for your case (but also A/user, B/user, etc.). you
> should configure and activate at least one of those realm-formats.
>
> you should add A in the clients.conf of the B server, since A will be
> acting as a client during proxying. you also have to specify a password
> in the B configuration for the client A. you should then change to the A
> configuration and verify that the line $INCLUDE proxy.conf is active in
> its (A's) radiusd.conf and add the used realm(s) to the proxy.conf.
>
> such a realm would typically look something like this: (at the A side)
>
> realm B {
>       type = radius
>       authhost = <B-address>:<port>
>       accthost = <B-address>:<port+1>
>       secret = <secret_specified_in_the_B_clients.conf>
>       nostrip
> }
>
> please note the parameter "nostrip". if you want B to take care of
> user@B like addresses and you give "nostrip" in A's proxy.conf, then you
> should probably configure B to treat those addresses as local ones by
> adding in the B's proxy.conf (activate it!) something like:
>
> realm B {
>       type = radius
>       authhost = LOCAL
>       accthost = LOCAL
> }
>
> if you use "strip" instead of "nostrip" in the given A's example, then A
> will throw away any recognized extension, so B would never even know
> about @B. it's up to you to decide what you consider being better for
> your case.
>
>
> you can then test this config by doing radtest for different users from
> A directly to B (since A is in the clients' list, it will work) and then
> to the localhost (i.e. A), hoping that you will see all the information
> how the request is being proxied to B.
>
>
> hope that helps!
>
> artur
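
An added illustration (not part of the original messages, and not FreeRADIUS code): a simplified Python model of the suffix-style realm matching artur describes, run over the realm blocks quoted in this thread. The names `parse_realms`, `route` and `realm_module_active`, and the stripping of the realm for a LOCAL realm without `nostrip`, are assumptions of this model.

```python
import re

# Constructed inputs: the realm blocks quoted in this thread (machine A, then B).
PROXY_CONF_A = """
realm jenhwa {
    type = radius
    authhost = 10.1.1.77
    accthost = 10.1.1.77
    secret = jenhwa
    nostrip
}
"""
PROXY_CONF_B = """
realm jenhwa {
    type = radius
    authhost = LOCAL
    accthost = LOCAL
}
"""

def parse_realms(text):
    """Parse 'realm NAME { key = value | flag }' blocks into {name: options}."""
    realms = {}
    for name, body in re.findall(r"realm\s+(\S+)\s*\{(.*?)\}", text, re.S):
        opts = {}
        for line in filter(None, map(str.strip, body.splitlines())):
            key, sep, value = line.partition("=")
            opts[key.strip()] = value.strip() if sep else True  # bare word = flag
        realms[name] = opts
    return realms

def route(user_name, realms, realm_module_active=True, delimiter="@"):
    """Return (action, authhost, user_name_passed_on) for one Access-Request."""
    if not realm_module_active or delimiter not in user_name:
        return ("local", None, user_name)       # nothing splits off a realm
    user, realm = user_name.rsplit(delimiter, 1)
    conf = realms.get(realm)
    if conf is None:
        return ("local", None, user_name)       # realm unknown, e.g. proxy.conf not loaded
    name = user_name if conf.get("nostrip") else user
    if conf.get("authhost", "LOCAL") == "LOCAL":
        return ("local", None, name)            # realm is handled on this server
    return ("proxy", conf["authhost"], name)    # forward to the realm's authhost

if __name__ == "__main__":
    a, b = parse_realms(PROXY_CONF_A), parse_realms(PROXY_CONF_B)
    print(route("popo@jenhwa", a))                             # A with realm matching active
    print(route("popo@jenhwa", a, realm_module_active=False))  # the symptom in the thread
    print(route("popo@jenhwa", b))                             # B treats the realm as LOCAL
```

In this model the request stays on A in two cases: no realm format is active, or the realm is unknown because proxy.conf was never loaded. Those are the two things artur's reply says to check.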
