Hello,
I'm having trouble getting FreeRADIUS to work with
my prefix and suffix realms. What I need
it to do is:
1) check for a prefix
2) if prefix exists, strip it
3) check for a suffix
4) if no suffix exists, use NULL directive
5) if suffix exists, use specific realm directive, or DEFAULT
Here's what I have so far:
FreeBSD 4.8-STABLE
FreeRADIUS 0.8.1 ("make install" from ports-current)
** acct_users (empty)
** hints (empty)
** huntgroups (empty)
** preproxy_users (empty)
** users (empty)
__________________________
** clients.conf
client 1.1.1.1 {
secret = secret
shortname = rad1
}
client 2.2.2.2 {
secret = secret
shortname = rad2
}
client 3.3.3.3 {
secret = secret
shortname = radtest
}
__________________________
** proxy.conf
proxy server {
synchronous = no
retry_delay = 5
retry_count = 3
dead_time = 60
servers_per_realm = 15
default_fallback = yes
}
realm suffix {
type = radius
authhost = 1.1.1.1:1645
accthost = 1.1.1.1:1646
nostrip
secret = secret
}
realm NULL {
type = radius
authhost = 1.1.1.1:1645
accthost = 1.1.1.1:1646
secret = secret
}
realm DEFAULT {
type = radius
authhost = 2.2.2.2:1645
accthost = 2.2.2.2:1646
secret = secret
}
__________________________
** radiusd.conf
** Only including what I think are relevant parts.
** Let me know if I left something important out.
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
modules {
realm suffix {
format = suffix
delimiter = "@"
}
realm prefix {
format = prefix
delimiter = "/"
}
authorize {
preprocess
chap
prefix
suffix
files
}
__________________________
** radtest prefix/[EMAIL PROTECTED] test 4.4.4.4 10 secret
rad_recv: Access-Request packet from host 3.3.3.3:60693, id=99, length=70
Thread 2 assigned request 389
--- Walking the entire request list ---
Cleaning up request 387 ID 60 with timestamp 3f47e604
Waking up in 3 seconds...
Thread 2 handling request 389, (77 handled so far)
User-Name = "prefix/[EMAIL PROTECTED]"
User-Password = "test"
NAS-IP-Address = 255.255.255.255
NAS-Port = 10
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module "chap" returns noop
rlm_realm: Looking up realm prefix for User-Name = "prefix/[EMAIL PROTECTED]"
rlm_realm: Found realm DEFAULT
rlm_realm: Adding Stripped-User-Name = "[EMAIL PROTECTED]"
rlm_realm: Proxying request from user [EMAIL PROTECTED] to realm DEFAULT
rlm_realm: Adding Realm = "DEFAULT"
rlm_realm: Preparing to proxy authentication request to realm DEFAULT
modcall[authorize]: module "prefix" returns updated
rlm_realm: Request already proxied. Ignoring.
modcall[authorize]: module "suffix" returns noop
modcall[authorize]: module "files" returns notfound
modcall: group authorize returns updated
Sending Access-Request of id 191 to 2.2.2.2:1645
User-Name = "[EMAIL PROTECTED]"
User-Password = "W\304a\270\375&[EMAIL PROTECTED]"
NAS-IP-Address = 255.255.255.255
NAS-Port = 10
Proxy-State = "99"
Thread 2 waiting to be assigned a request
rad_recv: Access-Reject packet from host 2.2.2.2:1645, id=191, length=50
Thread 3 assigned request 389
Waking up in 3 seconds...
Thread 3 handling request 389, (77 handled so far)
Proxy-State = 0x3939
Reply-Message = "Invalid UserID/Password!"
Login incorrect (Home Server says so): [prefix/[EMAIL PROTECTED]/test] (from client test port 10)
Delaying request 389 for 1 seconds
Finished request 389
__________________________
The DEFAULT realm is chosen based on the prefix,
and the suffix is ignored. I'm at a loss. Any help will
be greatly appreciated!
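
Added example, not part of the original post and not FreeRADIUS code: a small Python model of the two realm instances, built from the posted proxy.conf, radiusd.conf and debug output, showing why the first instance to match decides the home server. The function names, the user name "prefix/user@suffix" (the real one is redacted in the log) and the handling of names without a delimiter are assumptions.

```python
# Simplified model of the posted rlm_realm chain; not FreeRADIUS source code.
# Realm table copied from the posted proxy.conf: name -> (authhost, strip?).
REALMS = {
    "suffix": ("1.1.1.1:1645", False),   # "nostrip" is set for this realm
    "NULL": ("1.1.1.1:1645", True),
    "DEFAULT": ("2.2.2.2:1645", True),
}
# Instances copied from the posted radiusd.conf: name -> (format, delimiter).
INSTANCES = {"prefix": ("prefix", "/"), "suffix": ("suffix", "@")}


def run_instance(req, fmt, delim):
    """Apply one realm instance to req; return the module result code."""
    if "proxy_to" in req:
        return "noop"                    # log: "Request already proxied. Ignoring."
    name = req["User-Name"]
    if delim not in name:
        realm, user = "NULL", name       # assumption: no delimiter means realm NULL
    elif fmt == "prefix":
        realm, user = name.split(delim, 1)
    else:
        user, realm = name.rsplit(delim, 1)
    # Log: realm "prefix" is not defined in proxy.conf, so DEFAULT is found.
    found = realm if realm in REALMS else "DEFAULT"
    authhost, strip = REALMS[found]
    req.update(Realm=found, proxy_to=authhost,
               proxy_user=user if strip else name)
    return "updated"


def authorize(user_name, order=("prefix", "suffix")):
    """Run the instances in authorize-section order; return (request, results)."""
    req = {"User-Name": user_name}
    results = [(inst, run_instance(req, *INSTANCES[inst])) for inst in order]
    return req, results


if __name__ == "__main__":
    name = "prefix/user@suffix"          # constructed; the real name is redacted
    for order in (("prefix", "suffix"), ("suffix", "prefix")):
        req, results = authorize(name, order)
        print(order, results, req["Realm"], req["proxy_to"], req["proxy_user"])
```

In the posted order the model reproduces the log: the prefix instance picks DEFAULT and the suffix instance returns noop. With the order swapped, the suffix instance picks realm "suffix" and the prefix is never stripped.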