artur,
Still the same problem, I think I have all the configuration correct.
Please see my comment below.
On Thursday 04 April 2002 11:58 am, you wrote:
> hello
>
> please see comments inline
>
> > Environment requirement: All requests from Radius server A(machine named
> > redhat) will be proxy to Radius Server B(machine named jenhwa).
> >
> > (1) In machine A I have in my proxy.conf the following realms defined.
> >
> > realm jenhwa {
> > type = radius
> > authhost= 10.1.1.77
> > accthost = 10.1.1.77
> > secret = jenhwa
> > nostrip
> > }
> >
> > where 10.1.1.77 is IP address of Radius Server B.
> > and also in the radiusd.conf I can see $INCLUDE proxy.conf there. But
> > not sure it is active, assuming $INCLUDE will do so.
>
> this is fine so far, if 10.1.1.77 is "jenhwa". but: i'm not sure if you
> can omit the ports (developers? can you? i.e. would it take the ports
> from /etc/services or what?)
>
Yes, it is defined in my /etc/services file with the following entries:
radius 1812/tcp
radius 1812/udp
radius-acct 1813/tcp
radius-acct 1813/udp
> > it said the
> > proxy_requests = yes
> > #INCLUDE ${confdir}/proxy.conf
>
> ^^^^
> THIS IS A COMMENTED LINE. it should be $INCLUDE ${confdir}/proxy.conf.
> well, i presume that it was a typo.
It is a typo; it is $
>
> > (2) In machine B I have the following entry in the proxy.conf
> >
> > realm jenhwa {
> > type = radius
> > authhost = LOCAL
> > accthost = LOCAL
> > }
> >
> > and clients.conf I have
> > client 10.1.1.6 {
> > secret = jenhwa
> > shortname = redhat
> > }
> >
> > where 10.1.1.6 is the IP address of radius server A.
>
> yes, fine, A == redhat
>
YES. A == redhat
> > (3) Bring up both radius server A and B using /usr/local/sbin/radiusd -x
>
> i would append a "-s"
>
Yes, I am using -s -x this time.
> > (4) I run radtest on machine A as follows and see the request get
> > executed at Radius Server A not B.
> >
> > radtest popo@jenhwa none 10.1.1.6 101 jenhwa whathint jenhwa
>
> hmm, if you run it on A for A, why don't you run it for "localhost"?
> well, it doesn't matter much but it's kind of confusing :-)
Well, I know. I am just testing that the network also works.
>
> > I then see on radius server A's screen the request get processed with
> > user-name = "popo@jenhwa" and not forwarded to Radius server A at all.
>
> it should forward to B, shouldn't it? please let's be precise. using names
> like A and B doesn't let a lot of space for imagination. you have to be
> formal!!!
>
Let me rephrase:
I then see, on the radius server on redhat's screen, the request get processed
with User-Name = "popo@jenhwa" and not forwarded to Radius server jenhwa at
all.
>
> > I think I am missing the key part which is, how does a Radius server tell
> > a user is supposed to get proxied? Do I have to define something in the
>
> by checking its configured realm part. in your case, using
> "popo@jenhwa" is separated into three parts:
> 1. user: popo
> 2. delimiter: @
> 3. realm: jenhwa
>
> the server which you are talking about will then try to find a matching
> entry for this realm in the proxy.conf (once you've activated it :-),
> that's the problem here as it seems to me). if it finds an entry telling
> something about another host, it will play a client and re-send the
> packages almost in the same way the NAS does. if it finds a matching
> entry with a LOCAL keyword in it, it's gonna feel responsible for this
> realm and process it itself.
>
> > proxy.conf to let radius server to know which format to use such as
> > popo@jenhwa? If so, how is that accomplished? or else?
>
> indeed, you have to! but not in the proxy.conf, these values are
> currently stored in the radiusd.conf (well, since proxy.conf is
> included, it doesn't matter much, it's just a question of organisation).
> so, in the radiusd.conf, you have something like:
>
> realm suffix {
> format = suffix
> delimiter = "@"
> }
>
Yes, I found this out at radiusd.conf and it is defined already as default
configuration.
> this is the right syntax for the used format. and, having defined it
> like that, you should have activated the module called "suffix" (see
> above) in your Authorization and perhaps Pre-Accounting sections at the
> end of the same file.
>
>
> does it work now? :-)
No, I haven't changed anything; my current configuration is exactly the same
as you suggested. Now, I am assuming I should see radius server B (jenhwa)
get the User-Name = "popo@jenhwa" and process it, but that is not the case;
instead it is Radius Server A that processes it. In addition, here is my
"raddb/users" setting at both Radius Server A (redhat) and Radius Server
B (jenhwa); I am not sure whether this will trigger any problem.
DEFAULT Auth-Type := ACCEPT
	Fall-Through = yes,
	Exec-Program = "/usr/local/sbin/myprogram %u %n %f %i"
where myprogram is just a simple shell program that dumps out the User-Name,
NAS-IP-Address, Framed-IP-Address and Calling-Station-ID into a file.
It looks like
#! /bin/sh
# Arguments arrive in the order given by the Exec-Program line in "users":
# $1 = User-Name (%u), $2 = NAS-IP-Address (%n), $3 = Framed-IP-Address (%f),
# $4 = Calling-Station-Id (%i). One quoted string keeps the fields balanced.
echo "`/bin/date` User-Name = $1 NAS IP = $2 Framed-IP = $3 Calling-Station-ID = $4" >> /tmp/myprogramlog
And I have encountered a problem with the display of Framed-IP-Address: on the
server it does show 0.0.0.100 (the data passed in) but in the log I am getting
?.?.?.?. I am using
radclient -q -s -f mytest 10.1.1.7 auth jenhwa
where mytest contains
User-Name=popo@jenhwa,
User-Password=pci,Framed-IP-Address=100,Calling-Station-Id=jfwkdfgkdfwefwefdwd
I do see Framed-IP-Address 100 show on Server A (redhat) but when it dumps to
my log it shows ?.?.?.?
Anyway, I have two problems at hand now. One is to get proxying to work and the
other one is to make sure I can get Framed-IP-Address dumped out to a log file
correctly. Please help.
Thanks again.
-Jenhwa
>
> artur
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
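A small simulation of the realm lookup artur describes, added here as an example (it is not FreeRADIUS code and not from anyone in the thread): it parses both proxy.conf fragments from the thread, applies the "suffix" format to split popo@jenhwa, checks whether radiusd.conf really includes proxy.conf (a "#INCLUDE" line counts as not included), and reports where the request would go from each server. The 1812/1813 port defaults when a realm omits them, and the strip-vs-nostrip handling of the forwarded User-Name, are my assumptions about the configuration semantics, not something confirmed in the thread.

```python
import re

# Constructed copies of the two proxy.conf fragments from the thread:
# redhat (ports omitted, nostrip) and jenhwa (LOCAL realm).
REDHAT_PROXY_CONF = """
realm jenhwa {
    type = radius
    authhost= 10.1.1.77
    accthost = 10.1.1.77
    secret = jenhwa
    nostrip
}
"""
JENHWA_PROXY_CONF = """
realm jenhwa {
    type = radius
    authhost = LOCAL
    accthost = LOCAL
}
"""
# Assumed defaults when a realm gives no port (radius / radius-acct in /etc/services).
DEFAULT_PORTS = {"auth": 1812, "acct": 1813}

def parse_realms(text):
    """Return {realm_name: {option: value}} from 'realm name { ... }' blocks."""
    realms = {}
    for name, body in re.findall(r"realm\s+(\S+)\s*\{([^}]*)\}", text):
        opts = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()
            if line:
                key, _, val = line.partition("=")
                opts[key.strip()] = val.strip() or True  # bare flag such as nostrip
        realms[name] = opts
    return realms

def proxy_conf_included(radiusd_conf):
    """True only when an uncommented $INCLUDE of proxy.conf is present."""
    return any(l.strip().startswith("$INCLUDE") and "proxy.conf" in l
               for l in radiusd_conf.splitlines())

def route(user_name, realms, delimiter="@", kind="auth"):
    """Suffix format: split at the last delimiter, look the realm up, decide.
    Returns ("local", user_name) or ("proxy", forwarded_user, host, port)."""
    user, sep, realm = user_name.rpartition(delimiter)
    if not sep or realm not in realms:
        return ("local", user_name)            # no realm or unknown realm: handled here
    opts = realms[realm]
    host = opts.get(kind + "host", "LOCAL")
    if host == "LOCAL":
        return ("local", user_name)            # this server owns the realm
    hostname, _, port = host.partition(":")
    fwd_user = user_name if opts.get("nostrip") else user  # assumed strip semantics
    return ("proxy", fwd_user, hostname, int(port) if port else DEFAULT_PORTS[kind])
```

Running route("popo@jenhwa", ...) against the redhat fragment yields a proxy to 10.1.1.77:1812, and against the jenhwa fragment a local decision, which is the behaviour the thread expects once proxy.conf is actually included.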