Here's what I am trying to get freeradius-0.8.1 to do:

1. Request comes in looking like: FREDSISP#[EMAIL PROTECTED]
2. if exist (prefix), strip suffix and proxy
3. if not exist (prefix), proxy via suffix
4. if no match for suffix in proxy.conf, auth locally

FreeRADIUS has support to do all this.. but here's where I keep slamming my head against bricks. When it is set up to auth prefix before suffix, it ignores the suffixes if there is no prefix, i.e. a login with just [EMAIL PROTECTED] is authenticated as if it is destined for local authentication.

The authorize {} section:
authorize {
    preprocess
    prefix
    suffix
    files
}

My suffix/prefix sections:
realm suffix {
    format = suffix
    delimiter = "@"
}
realm prefix {
    format = prefix
    delimiter = "#"
}

proxy.conf sections:
realm anotherisp.com {
    type = radius
    authhost = 208.33.7.42:1812
    accthost = 208.33.7.42:1813
    secret = secret
    nostrip
}

realm FREDSISP {
    type = radius
    authhost = 208.8.184.11:1645
    accthost = 208.8.184.11:1646
    secret = secret
}

Now the debug (-x -x -x) data:
Tue Jan 28 12:16:03 2003 : Debug: modcall: entering group authorize
Tue Jan 28 12:16:03 2003 : Debug: modcall[authorize]: module "preprocess" returns ok
Tue Jan 28 12:16:03 2003 : Debug: rlm_realm: No '#' in User-Name = "[EMAIL PROTECTED]", looking up realm NULL
Tue Jan 28 12:16:03 2003 : Debug: rlm_realm: Found realm NULL
Tue Jan 28 12:16:03 2003 : Debug: rlm_realm: Adding Stripped-User-Name = "[EMAIL PROTECTED]"
Tue Jan 28 12:16:03 2003 : Debug: rlm_realm: Proxying request from user [EMAIL PROTECTED] to realm NULL
Tue Jan 28 12:16:03 2003 : Debug: rlm_realm: Adding Realm = "NULL"
Tue Jan 28 12:16:03 2003 : Debug: rlm_realm: Authentication realm is LOCAL.


Maybe I'm missing something.. but I've gone over it too many times. =o To me it looks like when it doesn't match "prefix" realm, it automatically looks for NULL instead of moving to the next step in authorize{} which should be to look for the "suffix" realm.

An idea popped into my head right here to try and remove NULL as an option because my config can live without a NULL entry. Doing so produced this result:
Tue Jan 28 12:48:56 2003 : Debug: modcall: entering group authorize
Tue Jan 28 12:48:56 2003 : Debug: modcall[authorize]: module "preprocess" returns ok
Tue Jan 28 12:48:56 2003 : Debug: rlm_realm: No '#' in User-Name = "[EMAIL PROTECTED]", looking up realm NULL
Tue Jan 28 12:48:56 2003 : Debug: rlm_realm: Found realm DEFAULT
Tue Jan 28 12:48:56 2003 : Debug: rlm_realm: Proxying request from user [EMAIL PROTECTED] to realm DEFAULT
Tue Jan 28 12:48:56 2003 : Debug: rlm_realm: Adding Realm = "DEFAULT"
Tue Jan 28 12:48:56 2003 : Debug: rlm_realm: Authentication realm is LOCAL.

Now I can live w/o NULL, but I can't live w/o DEFAULT entry.. should the default behavior of rlm_realms be changed to check for all items in authorize prior to dropping back to NULL or DEFAULT entries? Or am I just doing something wrong?

Thanks
- Nate
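
Added example, not part of the original post and not FreeRADIUS code: a simplified Python model of the realm selection visible in the two debug logs above, next to the ordering the post asks for. The user names, the `fallback` switch, the DEFAULT entry's strip setting and the rule that the first instance to pick a realm ends the search are assumptions.

```python
# Simplified model of the realm routing in the debug logs; NOT FreeRADIUS source.
# Realms from the post's proxy.conf; DEFAULT pointing at LOCAL is taken from the log.
PROXY_CONF = {
    "anotherisp.com": {"authhost": "208.33.7.42:1812", "strip": False},  # nostrip
    "FREDSISP": {"authhost": "208.8.184.11:1645", "strip": True},
    "DEFAULT": {"authhost": "LOCAL", "strip": False},  # strip setting assumed
}
INSTANCES = [("prefix", "#"), ("suffix", "@")]  # order from authorize {}


def split_realm(user, fmt, delim):
    """Return (realm, rest), or (None, user) when the delimiter is absent."""
    if delim not in user:
        return None, user
    if fmt == "prefix":
        realm, rest = user.split(delim, 1)
    else:
        rest, realm = user.rsplit(delim, 1)
    return realm, rest


def lookup(realm, realms, allow_fallback):
    """Exact realm match first, then NULL (no delimiter found), then DEFAULT."""
    if realm in realms:
        return realm
    if not allow_fallback:
        return None
    if realm is None and "NULL" in realms:
        return "NULL"
    return "DEFAULT" if "DEFAULT" in realms else None


def route(user, realms=PROXY_CONF, fallback="per_instance"):
    """fallback is a hypothetical switch, not a FreeRADIUS option:
    'per_instance' lets every instance fall back to NULL/DEFAULT (as logged),
    'last_only' lets only the final instance do so (what the post asks for)."""
    for i, (fmt, delim) in enumerate(INSTANCES):
        realm, rest = split_realm(user, fmt, delim)
        allow = fallback == "per_instance" or i == len(INSTANCES) - 1
        name = lookup(realm, realms, allow)
        if name is None:
            continue  # this instance found nothing; try the next one
        conf = realms[name]  # assumed: first instance to pick a realm wins
        return {"instance": fmt, "realm": name, "authhost": conf["authhost"],
                "user": rest if conf["strip"] else user}
    return {"instance": None, "realm": None, "authhost": "LOCAL", "user": user}
```

With the constructed name `bob@anotherisp.com`, `route()` ends at LOCAL in the default mode and at 208.33.7.42:1812 with `fallback="last_only"`.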


