On Tue, 24 May 2005 [EMAIL PROTECTED] wrote:

> On Tue, 24 May 2005, Dustin Doris wrote:
>
> > DEFAULT NAS-IP-Address == 10.0.0.1, Huntgroup-Name != testgroup,
> >         Auth-Type := Reject
> >         Fall-Through = no
> >
> > DEFAULT Auth-Type := Kerberos
> > ...
>
> Thanks for your quick reply, Dustin.  I gave the above a try, and
> unfortunately it still didn't work.
>
> However....
>
> I went back to look at the debugging log I had set up to see if I missed
> anything.  In a case of missing the forest through the trees, I didn't
> even notice this before:
>
> Tue May 24 13:15:03 2005 : Debug: Thread 1 handling request 0, (1 handled so far)
>         User-Name = "myusername"
>         User-Password = "mypasswd"
>         NAS-IP-Address = 255.255.255.255
>         NAS-Port = 0
> Tue May 24 13:15:03 2005 : Debug: modcall: entering group authorize
> Tue May 24 13:15:03 2005 : Debug:   modcall[authorize]: module "preprocess" returns ok
>
> For some reason, it's seeing the requests coming from "NAS-IP-Address =
> 255.255.255.255" versus the IP address I think it should be coming from.
> Sooooo, I made these changes to my configuration:
>
> huntgroups:
>
> testgroup       NAS-IP-Address == 255.255.255.255
>                 User-Name == randomuser,
>
> users:
>
> DEFAULT NAS-IP-Address == 255.255.255.255, Huntgroup-Name == testgroup,
>         Auth-Type := Kerberos
>         Fall-Through = No
>
> DEFAULT Auth-Type := Kerberos
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Framed-Routing = Broadcast-Listen,
>         Framed-MTU = 1500,
>         Framed-Compression = Van-Jacobson-TCP-IP
>
> Rerun radtest from my test client and I'm rejected.  If I add myusername
> to huntgroups, I'm accepted.  From the log, I get:
>
>         User-Name = "myusername"
>         User-Password = "mypasswd"
>         NAS-IP-Address = 255.255.255.255
>         NAS-Port = 0
> ....
> Tue May 24 13:26:42 2005 : Debug:     huntgroups: Matched testgroup at 47
> Tue May 24 13:26:42 2005 : Debug:     users: Matched DEFAULT at 8
>
> So it appears that that configuration works, but only if I set the
> NAS-IP-address to 255.255.255.255.  Obviously, this isn't the way it's
> supposed to work, because the server sees /every/ NAS as 255.255.255.255,
> even when I run radtest from localhost.  I suspected it might have
> something to do with the client and server being on different VLANs on the
> router, but I wouldn't expect it to do the same thing from itself.
>
> Brian
Glad the config is working for you.  I think radius doesn't actually see that NAS as 255.255.255.255; it's being sent over as that in the packet.  If you did a tcpdump and captured the radius packet and then viewed it with ethereal, you'd see.

But you can do this for testing if you'd like.  Either create a file, say it's called test:

User-Name = myusername
User-Password = mypasswd
NAS-IP-Address = 10.0.0.1
NAS-Port = 0

and run

radclient -f test localhost auth yoursecret

or just pipe it:

printf "User-Name = myusername\nUser-Password = mypasswd\nNAS-IP-Address = 10.0.0.1\nNAS-Port = 0\n" | radclient localhost auth yoursecret

Actually, I think you can do it with radtest adding nasname as well.  This will make sure it sends over the right nas-ip.  At least you know that config will work when you can get the right nas-ip over.

--
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
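Dustin's point is that NAS-IP-Address is an attribute the client writes into the Access-Request, not something the server derives from where the packet came from. The Python below is an added illustration, not code from the thread or from FreeRADIUS: it encodes a minimal RFC 2865 Access-Request from the same four attributes radclient reads from the `test` file, then parses the attribute list back out the way the server sees it. The shared secret and the fixed 16-byte authenticator used in the checks are constructed demo values.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST = 1
# RFC 2865 attribute types matching the radtest/radclient attributes in the thread.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
SECRET = b"testing123"  # constructed demo secret; the thread's secret is not given


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks; XOR block i with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def build_access_request(user, password, nas_ip, nas_port, secret=SECRET,
                         ident=0, authenticator=b""):
    """Encode an Access-Request; NAS-IP-Address is whatever the client chooses to put in it."""
    auth = authenticator or os.urandom(16)  # Request Authenticator, 16 random bytes
    attrs = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in (
        (USER_NAME, user.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, auth)),
        (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
        (NAS_PORT, struct.pack("!I", nas_port))))
    # Header: Code, Identifier, Length (header + attributes), then the authenticator.
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def parse_attributes(packet):
    """Walk the type/length/value list after the 20-byte header, as the server does."""
    attrs, pos = {}, 20
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        attrs[t] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def nas_ip_seen(packet):
    """The NAS-IP-Address the server will log and match huntgroups/users entries against."""
    return socket.inet_ntoa(parse_attributes(packet)[NAS_IP_ADDRESS])
```

Because the value is asserted by the client, a huntgroups or users rule keyed on NAS-IP-Address only distinguishes clients that fill it in honestly; the shared-secret check against the packet's source address is what actually authenticates the NAS.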

