OK. I still haven't managed to get the damn solution working, even with
the helpful hints from Chris and Alan, and even after trying very hard I
still get proxy calls (and subsequent Access-Reject) for people who
shouldn't trigger them. Here is what I finally put in radgroupcheck:
mysql> SELECT * FROM radgroupcheck WHERE GroupName='internix';
+----+-----------+-------------------+-------+------+
| id | GroupName | Attribute | Value | op |
+----+-----------+-------------------+-------+------+
| 6 | internix | No-Such-Attribute | | := |
| 23 | internix | Auth-Type | Local | := |
| 25 | internix | Fall-Through | No | := |
+----+-----------+-------------------+-------+------+
3 rows in set (0.00 sec)
I think at least here, I've got nothing wrong. Now, onto the users
file:
# This one is special for one of our customers
DEFAULT Service-Type == Call-Check, Auth-Type += Accept
# This is the one that should be triggering the proxying. Note I was
# under the impression from Alan's message that telling the program that
# the Auth-Type was Local and there was no fall-through would be enough
# but since it didn't work, I added that condition (without success :-(
DEFAULT Auth-Type != Local, Proxy-To-Realm += "alien"
The proxy.conf has only one realm:
alien {
        type = radius
        authhost = xxx.xx.xxx.xx:1812
        accthost = xxx.xx.xxx.xx:1813
        secret = xxxxxxxxx
}
And the 'authorize' section in radiusd.conf is like:
authorize {
        preprocess
        sql
        files
        suffix
}
And here is what happens when I try to authenticate a local user with
that configuration:
rad_recv: Access-Request packet from host 194.79.150.4:43827, id=237, length=59
User-Name = "xxxxxxxxxx"
User-Password = "xxxxxx"
NAS-IP-Address = 255.255.255.255
NAS-Port-Id = "0"
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
radius_xlat: 'xxxxxxxxxx'
rlm_sql (sql): sql_set_user escaped user --> 'xxxxxxxxxx'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE UserName =
'xxxxxxxxxx' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.UserName = 'xxxxxxxxxx' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE UserName =
'xxxxxxxxxx' ORDER BY id'
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.UserName = 'xxxxxxxxxx' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql: check items
User-Password == "xxxxxx"
No-Such-Attribute := ""
Auth-Type := Local
^^^^^^^^^^^^^^^^^^
Here, Auth-Type is clearly set to Local...
Fall-Through := No
^^^^^^^^^^^^^^^^^^
and without a fall-through...
rlm_sql: reply items
Idle-Timeout = 1800
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 255.255.255.254
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
Reply-Message = "Welcome to Monaco Internet dial-up server"
Simultaneous-Use = 1
Port-Limit = 1
Ascend-Maximum-Channels = 1
No-Such-Attribute := ""
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns ok
users: Matched DEFAULT at 216
modcall[authorize]: module "files" returns ok
rlm_realm: No '@' in User-Name = "xxxxxxxxxx", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop
modcall: group authorize returns ok
Sending Access-Request of id 1 to xxx.xx.xxx.xx:1812
^^^^^^^^^^^^^^^^^^
... but the software insists on proxying
the request anyway (?!?!?).
User-Name = "xxxxxxxxxx"
User-Password = "7\030YCkY9\265\345\226an\303(\256}"
NAS-IP-Address = 255.255.255.255
NAS-Port-Id = "0"
Proxy-State = "237"
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Reject packet from host xxx.xx.xxx.xx:1812, id=1, length=25
^^^^^^^^^^^^^
Of course, this doesn't work as expected.
Proxy-State = 0x323337
Login incorrect (Home Server says so): [xxxxxxxxxx/xxxxxx] (from client dev900 port 0)
Delaying request 0 for 1 seconds
Finished request 0
I'm clearly missing something. But what? I tried all sorts of weird
things to avoid this problem (a Proxy-To-Realm attribute pointing all
group members to a fake realm with a LOCAL authhost, for example),
all to no avail (except if « no response » is more of a success than
« access rejected », but I doubt it :-)
Hope I've exposed the problem (and my attempts at solving it) clearly
enough...
Cheers,
--
[ Jacques Caruso <[EMAIL PROTECTED]> PHP Developer ]
[ Monaco Internet http://monaco-internet.mc/ ]
[ Tel: (+377) 93 10 00 43 PGP key: 0x41F5C63D ]
[ -+- Support bacteria! They're the only culture some people have. -+- ]
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html