Here's what I am trying to get freeradius-0.8.1 to do:
1. Request comes in looking like: FREDSISP#[EMAIL PROTECTED]
2. if exist (prefix), strip suffix and proxy
3. if not exist (prefix), proxy via suffix
4. if no match for suffix in proxy.conf, auth locally
Freeradius has support to do all this.. but here's where I keep slamming my
head against bricks. When it is set up to auth prefix before suffix, it
ignores the suffixes if there is no prefix. I.e., login with just
[EMAIL PROTECTED] is authenticated as if it is destined for local
authentication.
The authorize {} section:
authorize {
        preprocess
        prefix
        suffix
        files
}
My suffix/prefix sections:
realm suffix {
        format = suffix
        delimiter = "@"
}
realm prefix {
        format = prefix
        delimiter = "#"
}
proxy.conf sections:
realm anotherisp.com {
        type = radius
        authhost = 208.33.7.42:1812
        accthost = 208.33.7.42:1813
        secret = secret
        nostrip
}
realm FREDSISP {
        type = radius
        authhost = 208.8.184.11:1645
        accthost = 208.8.184.11:1646
        secret = secret
}
Now the debug (-x -x -x) data:
Tue Jan 28 12:16:03 2003 : Debug: modcall: entering group authorize
Tue Jan 28 12:16:03 2003 : Debug: modcall[authorize]: module "preprocess" returns ok
Tue Jan 28 12:16:03 2003 : Debug: rlm_realm: No '#' in User-Name = "[EMAIL PROTECTED]", looking up realm NULL
Tue Jan 28 12:16:03 2003 : Debug: rlm_realm: Found realm NULL
Tue Jan 28 12:16:03 2003 : Debug: rlm_realm: Adding Stripped-User-Name = "[EMAIL PROTECTED]"
Tue Jan 28 12:16:03 2003 : Debug: rlm_realm: Proxying request from user [EMAIL PROTECTED] to realm NULL
Tue Jan 28 12:16:03 2003 : Debug: rlm_realm: Adding Realm = "NULL"
Tue Jan 28 12:16:03 2003 : Debug: rlm_realm: Authentication realm is LOCAL.
Maybe I'm missing something.. but I've gone over it too many times. =o To
me it looks like when it doesn't match "prefix" realm, it automatically
looks for NULL instead of moving to the next step in authorize{} which
should be to look for the "suffix" realm.
Idea popped into my head right here to try and remove NULL as an option
because my config can live without NULL entry. Doing so produced this result:
Tue Jan 28 12:48:56 2003 : Debug: modcall: entering group authorize
Tue Jan 28 12:48:56 2003 : Debug: modcall[authorize]: module "preprocess" returns ok
Tue Jan 28 12:48:56 2003 : Debug: rlm_realm: No '#' in User-Name = "[EMAIL PROTECTED]", looking up realm NULL
Tue Jan 28 12:48:56 2003 : Debug: rlm_realm: Found realm DEFAULT
Tue Jan 28 12:48:56 2003 : Debug: rlm_realm: Proxying request from user [EMAIL PROTECTED] to realm DEFAULT
Tue Jan 28 12:48:56 2003 : Debug: rlm_realm: Adding Realm = "DEFAULT"
Tue Jan 28 12:48:56 2003 : Debug: rlm_realm: Authentication realm is LOCAL.
Now I can live w/o NULL, but I can't live w/o DEFAULT entry.. should the
default behavior of rlm_realm be changed to check for all items in
authorize prior to dropping back to NULL or DEFAULT entries? Or am I just
doing something wrong?
Thanks
- Nate
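
The lookup order asked for in steps 1-4 above, next to the behaviour the debug output shows, as an added Python sketch (not part of the original post and not FreeRADIUS code). The realm names and the nostrip flag come from the proxy.conf sections; the user names are constructed, and stripping only the matched realm and its delimiter is an assumption.

```python
# Added sketch, not FreeRADIUS code. Realm names and the nostrip flag are
# taken from the post's proxy.conf; the user names in the demo are constructed.
REALMS = {
    "anotherisp.com": {"nostrip": True},
    "FREDSISP": {"nostrip": False},
}

def split_realm(name, fmt):
    """Return (realm, user) for format 'prefix' ('#') or 'suffix' ('@'), else None."""
    if fmt == "prefix":
        realm, sep, user = name.partition("#")
    else:
        user, sep, realm = name.rpartition("@")
    return (realm, user) if sep else None

def proxy_to(realm, user, name, realms):
    # Assumption: stripping removes only the matched realm and its delimiter.
    sent = name if realms[realm]["nostrip"] else user
    return ("proxy", realm, sent)

def desired_route(name, realms=REALMS):
    """Steps 1-4 of the post: known prefix, then known suffix, then local."""
    for fmt in ("prefix", "suffix"):
        parts = split_realm(name, fmt)
        if parts and parts[0] in realms:
            return proxy_to(parts[0], parts[1], name, realms)
    return ("local", None, name)

def reported_route(name, realms=REALMS, fallback="DEFAULT"):
    """Behaviour the post reports: with no '#' the prefix instance settles on
    the NULL/DEFAULT fallback (LOCAL) and the suffix is never consulted."""
    parts = split_realm(name, "prefix")
    if parts and parts[0] in realms:
        return proxy_to(parts[0], parts[1], name, realms)
    return ("local", fallback, name)

if __name__ == "__main__":
    for user in ("FREDSISP#alice@anotherisp.com", "bob@anotherisp.com",
                 "carol@unknown.example"):
        print(user, desired_route(user), reported_route(user))
```

The second sample name is where the two functions disagree: the desired order proxies it to anotherisp.com unstripped, while the reported behaviour authenticates it locally.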
