Version & OS:
Freeradius-2.0.5
Gentoo
It appears that during the second iteration in authorize section, the Realm has
become NULL. We rely on checking the Realm to choose the appropriate Auth-Type
to authenticate local users and proxy everybody else to an external network.
...
+- entering group authorize
++[preprocess] returns ok
rlm_realm: Looking up realm "math.leidenuniv.nl" for User-Name =
"[email protected]"
rlm_realm: Found realm "math.leidenuniv.nl"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Adding Realm = "math.leidenuniv.nl"
rlm_realm: Proxying request from user testuser to realm math.leidenuniv.nl
rlm_realm: Preparing to proxy authentication request to realm
"math.leidenuniv.nl"
++[suffix] returns updated
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
users: Matched entry DEFAULT at line 292
++[files] returns ok
...
+- entering group pre-proxy
...
+- entering group authorize
++[preprocess] returns ok
++[auth_log] returns ok
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
rlm_pap: WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user
auth: Failed to validate the user.
Found Post-Auth-Type Reject
...
NOTE: ... means stripped normal behaviour/output.
From the verbose output, the first part is correct. The request is proxied to
the correct server. But when it arrives in the authentication server it fails
to extract the Realm from the proxied request. In ``users'' we have:
DEFAULT Realm == "math.leidenuniv.nl", Auth-Type := PAM
        Reply-Message = "math here",
        Fall-Through = no
But as the log says, which is correct, there's no Auth-Type for that Realm. If
the Realm == "math.leidenuniv.nl" condition is removed, which results in
Auth-Type = PAM for everybody, authentication succeeds for local users; which
is to be expected. Our config worked perfectly in freeradius-1.1.7.
Now I wonder, why is the Realm equal to NULL? I see suffix updated the request,
why isn't the second iteration seeing that update?
Best regards,
Xiwen
--
Xiwen Cheng
System Administrator ;" Enthusiasm is contagious,
Mathematical Institute ; but hype is a disease. "
Leiden University ;E-mail: [email protected]
Niels Bohrweg 1 K210 ;Office: (+31) 715277134
2333 CA Leiden ;Mobile: (+31) 611119991
The Netherlands ;GPG Key id: 194F572B
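
Added example, not part of the original post: a small Python helper that splits radiusd debug output into authorize passes and reports, for each pass, the User-Name that rlm_realm saw, the Realm it added, and whether the request was rejected for lack of an Auth-Type. The sample log is constructed after the format quoted above, with placeholder user and realm names, and assumes unwrapped log lines; the function and field names are hypothetical.

```python
import re

# Constructed sample in the format of the debug output quoted in the post.
# User and realm names are placeholders, not values from the post.
SAMPLE_LOG = '''\
+- entering group authorize
++[preprocess] returns ok
rlm_realm: Looking up realm "example.org" for User-Name = "testuser@example.org"
rlm_realm: Adding Realm = "example.org"
++[suffix] returns updated
+- entering group pre-proxy
+- entering group authorize
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
'''

GROUP_RE = re.compile(r'^\+- entering group (\S+)')
USER_RE = re.compile(r'User-Name = "([^"]*)"')
REALM_ADD_RE = re.compile(r'rlm_realm: Adding Realm = "([^"]*)"')

def authorize_passes(log_text):
    """Return one dict per 'authorize' pass: the User-Name rlm_realm saw,
    the Realm it added (None if none), and the missing Auth-Type flag."""
    passes, current = [], None
    for line in log_text.splitlines():
        group = GROUP_RE.match(line)
        if group:
            # Any group header ends the previous authorize pass.
            current = None
            if group.group(1) == "authorize":
                current = {"user_name": None, "realm": None, "no_auth_type": False}
                passes.append(current)
            continue
        if current is None:
            continue
        if line.startswith("rlm_realm:"):
            user = USER_RE.search(line)
            if user and current["user_name"] is None:
                current["user_name"] = user.group(1)
            realm = REALM_ADD_RE.search(line)
            if realm:
                current["realm"] = realm.group(1)
        elif "No authenticate method (Auth-Type)" in line:
            current["no_auth_type"] = True
    return passes
```

On the sample, the first pass reports the full User-Name and a Realm, while the second reports the bare user name, no Realm, and the Auth-Type rejection, which is the pattern in the output quoted above.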

