hello
please see comments inline
> Environment requirement: All requests from Radius server A (machine named
> redhat) will be proxied to Radius Server B (machine named jenhwa).
>
> (1) In machine A I have in my proxy.conf the following realms defined.
>
> realm jenhwa {
> type = radius
> authhost = 10.1.1.77
> accthost = 10.1.1.77
> secret = jenhwa
> nostrip
> }
>
> where 10.1.1.77 is IP address of Radius Server B.
> and also in the radiusd.conf I can see $INCLUDE proxy.conf there. But I am not
> sure it is active, assuming $INCLUDE will do so.
this is fine so far, if 10.1.1.77 is "jenhwa". but: i'm not sure if you
can omit the ports (developers? can you? i.e. would it take the ports
from /etc/services or what?)
> it said the
> proxy_requests = yes
> #INCLUDE ${confdir}/proxy.conf
^^^^
THIS IS A COMMENTED LINE. it should be $INCLUDE ${confdir}/proxy.conf.
well, i presume that it was a typo.
> (2) In machine B I have the following entry in the proxy.conf
>
> realm jenhwa {
> type = radius
> authhost = LOCAL
> accthost = LOCAL
> }
>
> and clients.conf I have
> client 10.1.1.6 {
> secret = jenhwa
> shortname = redhat
> }
>
> where 10.1.1.6 is the IP address of radius server A.
yes, fine, A == redhat
> (3) Bring up both radius servers A and B using /usr/local/sbin/radiusd -x
i would append a "-s"
> (4) I run radtest on machine A as follows and see the request get executed
> at Radius Server A not B.
>
> radtest popo@jenhwa none 10.1.1.6 101 jenhwa whathint jenhwa
hmm, if you run it on A for A, why don't you run it for "localhost"?
well, it doesn't matter much but it's kind of confusing :-)
> I then see on the radius server A screen that the request gets processed with
> user-name = "popo@jenhwa" and is not forwarded to Radius server A at all.
it should forward to B, shouldn't it? please be precise. using names
like A and B doesn't leave a lot of space for imagination. you have to be
formal!!!
> I think I am missing the key part which is, how does a Radius server tell a
> user is supposed to get proxied? Do I have to define something in the
by checking its configured realm part. in your case, using
"popo@jenhwa" is separated into three parts:
1. user: popo
2. delimiter: @
3. realm: jenhwa
the server which you are talking about will then try to find a matching
entry for this realm in the proxy.conf (once you've activated it :-),
that's the problem here as it seems to me). if it finds an entry telling
something about another host, it will play a client and re-send the
packets almost in the same way the NAS does. if it finds a matching
entry with a LOCAL keyword in it, it's gonna feel responsible for this
realm and process it itself.
> proxy.conf to let radius server to know which format to use such as
> popo@jenhwa? If so, how is that accomplished? or else?
indeed, you have to! but not in the proxy.conf, these values are
currently stored in the radiusd.conf (well, since proxy.conf is
included, it doesn't matter much, it's just a question of organisation).
so, in the radiusd.conf, you have something like:
realm suffix {
format = suffix
delimiter = "@"
}
this is the right syntax for the used format. and, having defined it
like that, you should have activated the module called "suffix" (see
above) in your Authorization and perhaps Pre-Accounting sections at the
end of the same file.
does it work now? :-)
artur
--
hecker[at]enst.fr
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
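The realm lookup described in this reply, written out as an added example (this is illustration code, not FreeRADIUS source): the realm blocks are constructed from the proxy.conf and radiusd.conf snippets quoted above, the "realm suffix" block supplies the delimiter, and the "no matching realm" result is an assumption of this example rather than something the thread states.

```python
# Added illustration of FreeRADIUS-style realm routing; not project code.
import re

# Constructed from the snippets quoted in the thread (machine A's proxy.conf
# plus the "realm suffix" block from radiusd.conf).
CONF_A = """
realm suffix {
    format = suffix
    delimiter = "@"
}
realm jenhwa {
    type = radius
    authhost = 10.1.1.77
    accthost = 10.1.1.77
    secret = jenhwa
    nostrip
}
"""

def parse_realms(text):
    """Parse 'realm NAME { key = value | flag }' blocks into {name: {key: value}}."""
    realms = {}
    for name, body in re.findall(r"realm\s+(\S+)\s*\{(.*?)\}", text, re.S):
        attrs = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, sep, value = line.partition("=")
            attrs[key.strip()] = value.strip().strip('"') if sep else True  # bare word = flag
        realms[name] = attrs
    return realms

def split_username(username, fmt="suffix", delimiter="@"):
    """Split User-Name into (user, realm) per the configured format; realm None if absent."""
    if delimiter not in username:
        return username, None
    if fmt == "suffix":                      # user@realm
        user, _, realm = username.rpartition(delimiter)
    else:                                    # prefix format: realm/user
        realm, _, user = username.partition(delimiter)
    return user, realm

def route_request(username, realms):
    """Return where the server sends the request: proxy, local, or no-realm (assumed)."""
    fmt_cfg = realms.get("suffix", {})
    user, realm = split_username(username, fmt_cfg.get("format", "suffix"), fmt_cfg.get("delimiter", "@"))
    entry = realms.get(realm) if realm else None
    if entry is None:
        return {"action": "no-realm", "user_name": username}     # assumption: handled locally
    if entry.get("authhost") == "LOCAL":
        return {"action": "local", "user_name": username}        # server feels responsible itself
    forwarded = username if entry.get("nostrip") else user       # nostrip keeps realm in User-Name
    return {"action": "proxy", "authhost": entry["authhost"], "secret": entry["secret"], "user_name": forwarded}
```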