Hi all,
Well, I've gotten a little further (thanks Alan) and I'm understanding
configurable_failover a lot more now. Here's some background and the current problem
I'm having.
Problem description:
====================
As per my use cases, I'd like to proxy any Access-Request packets that fail
authorization or authentication to another RADIUS server. Packets that pass
authorization and authentication I'd like freeRADIUS to respond normally with
Access-Accept. To date I've gotten the following results from various configurations
in radiusd.conf, none of which solve my problem: all Access-Requests proxied; failed
authorizations are proxied but passed authentications reply with Access-Reject; or
passed authentications reply with Access-Accept but failed
authorizations/authentications reply with Access-Reject.
My use cases:
=============
1) valid userid and password should authorize and authenticate against SQL and MSCHAP
ok;
2) valid userid but wrong password should authorize ok against SQL but fail
authentication against MSCHAP; I want to configure freeRADIUS to proxy this failed
Access-Request to another RADIUS server/service;
3) invalid userid (regardless of password) should return "notfound" when authorizing
against SQL; again I want to configure freeRADIUS to proxy this failed Access-Request
to another RADIUS server/service.
What I've tried:
================
I'm using configurable_failover with the following:
1) A "files" module called MyProxy with:
DEFAULT Proxy-To-Realm := <ipaddress>
2) radiusd.conf with:
...
authorize {
    ...
    group {
        sql {
            reject = 1
            noop = 1
            fail = 1
            invalid = 1
            notfound = 1
            handled = return
            userlock = return
            updated = return
        }
        MyProxy
    }
    ...
}
...
The above correctly proxies for wrong userids, but it unexpectedly proxies for correct
userids and passwords (i.e. it proxies everything). sql returns "ok" and the above
config doesn't tell it to return, so it invokes MyProxy.
So I added "ok = return":
...
authorize {
    ...
    group {
        sql {
            reject = 1
            noop = 1
            fail = 1
            invalid = 1
            notfound = 1
            ok = return
            handled = return
            userlock = return
            updated = return
        }
        MyProxy
    }
    ...
}
...
This one correctly proxies for wrong userids, but it unexpectedly replies with
Access-Reject for correct userids and passwords even though sql returned "ok". I
figured out freeRADIUS does this because my client is using mschap and radius doesn't
find a User-Password or CHAP-Password attribute in the request.
So I changed "ok = return" to "ok = 1" and added an mschap section to authorize:
...
authorize {
    ...
    group {
        sql {
            reject = 1
            noop = 1
            fail = 1
            invalid = 1
            notfound = 1
            ok = 1
            handled = return
            userlock = return
            updated = return
        }
        mschap {
            reject = 1
            noop = 1
            fail = 1
            invalid = 1
            notfound = 1
            ok = return
            handled = return
            userlock = return
            updated = return
        }
        MyProxy
    }
    ...
}
...
This sets the "Auth-Type := MS-CHAP" within authorize so that when authentication
hits, it finds MS-CHAP and authenticates correctly. So now my valid userids and
passwords authenticate correctly. But now my incorrect userids (authorization
failures) and passwords (authentication failures) are not proxied because:
1) authorization always returns "ok" because MS-CHAP is found, even though sql returns
"notfound";
2) authentication doesn't pass through the above group (it's in the authorize section
and not the authenticate section).
I tried:
- changing the sql ACTIONS from 1 to 2 to make its results more "desirable" as the
group's result, but to no avail. MSCHAP's "ok" prevails with its "return".
- adding a similar group to the "authenticate" section, but it doesn't support a
"files" module like MyProxy. I get the radiusd error message: "Error: radiusd.conf:
"files" modules aren't allowed in 'authenticate' sections -- they have no such
method." Or, worse yet, I get a Segmentation fault when I try to add a group within the
"authenticate" section.
Anyone have any ideas on how I can solve this problem?
Thanks in advance,
Daniel
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
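To make the behaviour of the three authorize groups in the post easier to reason about, here is an added model (not FreeRADIUS code, and not from the poster) of how a configurable_failover "group" combines module return codes: a "return" action ends the group with that code, otherwise the highest-priority code wins. The sql, mschap and MyProxy functions, the USERS table and the Access-Accept/Access-Reject decision are constructed stand-ins that only capture what the post describes; the priority assumed for unlisted codes is an assumption.

```python
RETURN = "return"
# Action table shared by every module block in the post (ok is added per config).
BASE = {"reject": 1, "noop": 1, "fail": 1, "invalid": 1, "notfound": 1,
        "handled": RETURN, "userlock": RETURN, "updated": RETURN}

def run_group(entries, req):
    """Evaluate a configurable_failover 'group'. entries = [(module, actions)];
    actions maps a return code to an int priority or "return". A "return"
    action ends the group with that code; otherwise the highest-priority code wins."""
    best, best_prio = "noop", 0
    for module, actions in entries:
        code = module(req)
        action = actions.get(code, 1)          # assumption: unlisted codes get priority 1
        if action == RETURN:
            return code
        if action > best_prio:
            best, best_prio = code, action
    return best

USERS = {"alice": "secret"}                    # constructed stand-in for the SQL user table

def sql(req):            # authorize: is the userid known?
    return "ok" if req["user"] in USERS else "notfound"

def mschap(req):         # authorize: set Auth-Type when MS-CHAP attributes are present
    if req.get("mschap"):
        req["auth_type"] = "MS-CHAP"
        return "ok"
    return "noop"

def my_proxy(req):       # 'files' module MyProxy: DEFAULT Proxy-To-Realm := <ipaddress>
    req["proxy"] = True
    return "ok"

def handle(req, authorize_group):
    """Outcome of one Access-Request under a given authorize group."""
    run_group(authorize_group, req)
    if req.get("proxy"):
        return "proxied"
    if req.get("auth_type") != "MS-CHAP":      # no Auth-Type and no User-/CHAP-Password
        return "Access-Reject"
    ok = USERS.get(req["user"]) == req["password"]
    return "Access-Accept" if ok else "Access-Reject"

# The three authorize groups from the post, in the order they were tried.
CONFIG_1 = [(sql, BASE), (my_proxy, BASE)]
CONFIG_2 = [(sql, {**BASE, "ok": RETURN}), (my_proxy, BASE)]
CONFIG_3 = [(sql, {**BASE, "ok": 1}), (mschap, {**BASE, "ok": RETURN}), (my_proxy, BASE)]

def outcomes(config):
    """Results for use cases 1-3: valid login, wrong password, unknown userid."""
    cases = [("alice", "secret"), ("alice", "wrong"), ("bob", "secret")]
    return [handle({"user": u, "password": p, "mschap": True}, config) for u, p in cases]
```

Running outcomes() over CONFIG_1, CONFIG_2 and CONFIG_3 reproduces the three results the post reports: everything proxied, valid logins rejected, and failures no longer proxied.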