Great stuff Alan. Thank you.

I deleted my entry in radgroupcheck in MySQL that had "Auth-Type := Local", and now:

1) Valid user-names and passwords result in Access-Accept (as desired)
2) Invalid user-names (regardless of password) get proxied (as desired)

Cool.

Now the only thing that the configurable failover isn't doing for me is in the authenticate stage, which I can't see how to do since the authenticate section in radiusd.conf doesn't support a configurable failover section, as far as I can tell. What I want to happen is that any failed authentication be proxied as well.

Anyone?

Thanks in advance,
Daniel

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Alan DeKok
Sent: Sunday, June 27, 2004 11:22 AM
To: [EMAIL PROTECTED]
Subject: Re: Problems with configurable_failover

"Roy, Daniel" <[EMAIL PROTECTED]> wrote:
> Yes, mschap is just above the group and it is not commented out. If I
> comment out the group and restart the radius server and send an
> access-request, it does indeed do an mschap authorization and then an
> mschap authentication (as per the output when running in debug mode),
> proving that mschap is indeed there and active. But somehow, when I
> insert a group without a mschap section within the group (as indicated
> in my previous email), mschap does not occur correctly.

So the problem is within that group.

> Fri Jun 25 14:53:42 2004 : Debug: modsingle[authorize]: calling mschap
> (rlm_mschap) for request 7
> Fri Jun 25 14:53:42 2004 : Debug: rlm_mschap: Found MS-CHAP
> attributes. Setting 'Auth-Type := MS-CHAP'

That looks good.

> Fri Jun 25 14:53:42 2004 : Debug: rad_check_password: Found Auth-Type
> Local

That doesn't look good. I'd say that one of your SQL queries returns "Auth-Type := Local", and that's breaking MS-CHAP.

> Fri Jun 25 14:53:42 2004 : Debug: auth: type Local
> Fri Jun 25 14:53:42 2004 : Debug: auth: No User-Password or
> CHAP-Password attribute in the request
> Fri Jun 25 14:53:42 2004 : Debug: auth: Failed to validate the user.

Yup. MS-CHAP doesn't contain PAP or CHAP passwords, so "Local" won't work.

> What you state is in fact the case in my radiusd.conf, but it doesn't
> seem to be working the way you (or I) expect it to work.

But it's doing what you told it to do, which is often a problem. :)

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
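
An added example, not part of the original thread or of FreeRADIUS: a Python check that scans debug output in the format quoted above and flags any request where an authorize module set one Auth-Type but rad_check_password ended up using another, which is the mismatch diagnosed in this thread. The function name is hypothetical, and the code assumes that the debug lines of one request appear contiguously.

```python
import re

# Debug lines quoted in the thread above, with the mail-wrapped lines rejoined.
SAMPLE_LOG = """\
Fri Jun 25 14:53:42 2004 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 7
Fri Jun 25 14:53:42 2004 : Debug: rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type := MS-CHAP'
Fri Jun 25 14:53:42 2004 : Debug: rad_check_password: Found Auth-Type Local
Fri Jun 25 14:53:42 2004 : Debug: auth: type Local
Fri Jun 25 14:53:42 2004 : Debug: auth: No User-Password or CHAP-Password attribute in the request
Fri Jun 25 14:53:42 2004 : Debug: auth: Failed to validate the user.
"""

CALLING = re.compile(r"modsingle\[authorize\]: calling \S+ \(\S+\) for request (\d+)")
SET_TYPE = re.compile(r"(rlm_\w+): .*Setting 'Auth-Type := ([\w-]+)'")
FOUND_TYPE = re.compile(r"rad_check_password: Found Auth-Type ([\w-]+)")
FAILED = "auth: Failed to validate the user"


def find_auth_type_overrides(log_text):
    """Return one finding per request where the Auth-Type proposed by an
    authorize module differs from the one rad_check_password reports."""
    findings = []
    request = proposed = current = None
    for line in log_text.splitlines():
        if m := CALLING.search(line):
            if m.group(1) != request:  # new request: forget earlier state
                request, proposed, current = m.group(1), None, None
        if m := SET_TYPE.search(line):
            proposed = (m.group(1), m.group(2))  # (module, Auth-Type it set)
        elif m := FOUND_TYPE.search(line):
            if proposed and proposed[1] != m.group(1):
                current = {"request": request, "module": proposed[0],
                           "proposed": proposed[1], "used": m.group(1),
                           "failed": False}
                findings.append(current)
        elif FAILED in line and current is not None:
            current["failed"] = True  # the override ended in a reject
    return findings


if __name__ == "__main__":
    for f in find_auth_type_overrides(SAMPLE_LOG):
        print(f"request {f['request']}: {f['module']} set Auth-Type "
              f"{f['proposed']} but {f['used']} was used "
              f"(authentication failed: {f['failed']})")
```

A finding points at a check item elsewhere in the authorize chain (here, the radgroupcheck row) that replaces the Auth-Type chosen by the module.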

