Hi Alan Dekok or anyone, I haven't got a reply on this one yet... I was able to do it before but not anymore... I'm really curious to know why...
Thank you!
Difan

________________________________
From: freeradius-users-bounces+difan.zhao=guest-tek....@lists.freeradius.org [mailto:freeradius-users-bounces+difan.zhao=guest-tek....@lists.freeradius.org] On Behalf Of Difan Zhao
Sent: March-02-11 9:01 AM
To: FreeRadius users mailing list
Subject: Use Hint file to proxy

Hi experts,

Long time no talk! I have another dilemma. For some reason I want to try to use the hints file to do proxying (the normal way of configuring a realm and the proxy.conf file works). So the following is my config:

=============== hints ===================
DEFAULT User-Name =~ "^host\/.*\.gtcorp\.com$"
        Hint = "Marriott"

=============== users ===================
DEFAULT Hint == "Marriott", Proxy-To-Realm := "~\.gtcorp\.com$"

=============== proxy.conf ===================
....
realm "~\.gtcorp\.com$" {
        nostrip
        auth_pool = Marriott_Auth_Pool
        acct_pool = Marriott_Acct_Pool
}

============== module/realm ================
realm Marriott {
        format = suffix
        delimiter = "/"
}

Then I commented out the "Marriott" realm in the "authorize" section in the default server, so the settings in the "realm" file shouldn't do anything.

============= sites-available/default ==============
authorize {
        ...
        # Marriott
        ...
}

In the radiusd -X log I do see the requests are sent to the proxy server, but I also see the following abnormal logs. The complete log is also attached.

[eap] No pre-existing handler found
...
rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.

So is it possible to use the hints file to do proxying, or am I totally out of my mind?? If it's possible, where could I have gone wrong?

Thanks a lot!
Difan Zhao M.Eng | CCNA CCNP CCSP | Network Engineer, Guest-Tek (www.guest-tek.com)
rad_recv: Access-Request packet from host 10.143.115.6 port 1645, id=163,
length=194
User-Name = "host/NetEng-D410.gtcorp.com"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "AC-A0-16-0E-9E-11"
Calling-Station-Id = "00-14-22-FD-DD-98"
EAP-Message =
0x0201002001686f73742f4e6574456e672d443431302e6774636f72702e636f6d
Message-Authenticator = 0x47efeb7485cf2f710b658ba828be5735
NAS-Port-Type = Ethernet
NAS-Port = 50117
NAS-Port-Id = "GigabitEthernet1/0/17"
NAS-IP-Address = 10.143.115.6
+- entering group authorize {...}
[preprocess] expand: %{User-Name} -> host/NetEng-D410.gtcorp.com
[preprocess] hints: Matched DEFAULT at 36
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 1 length 32
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
WARNING: Empty section. Using default return values.
Sending Access-Request of id 218 to 10.26.105.105 port 1812
User-Name = "host/NetEng-D410.gtcorp.com"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "AC-A0-16-0E-9E-11"
Calling-Station-Id = "00-14-22-FD-DD-98"
EAP-Message =
0x0201002001686f73742f4e6574456e672d443431302e6774636f72702e636f6d
Message-Authenticator = 0x00000000000000000000000000000000
NAS-Port-Type = Ethernet
NAS-Port = 50117
NAS-Port-Id = "GigabitEthernet1/0/17"
NAS-IP-Address = 10.143.115.6
Proxy-State = 0x313633
Proxying request 0 to home server 10.26.105.105 port 1812
Sending Access-Request of id 218 to 10.26.105.105 port 1812
User-Name = "host/NetEng-D410.gtcorp.com"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "AC-A0-16-0E-9E-11"
Calling-Station-Id = "00-14-22-FD-DD-98"
EAP-Message =
0x0201002001686f73742f4e6574456e672d443431302e6774636f72702e636f6d
Message-Authenticator = 0x00000000000000000000000000000000
NAS-Port-Type = Ethernet
NAS-Port = 50117
NAS-Port-Id = "GigabitEthernet1/0/17"
NAS-IP-Address = 10.143.115.6
Proxy-State = 0x313633
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Challenge packet from host 10.26.105.105 port 1812, id=218,
length=69
EAP-Message = 0x010200061920
Message-Authenticator = 0x7abdaa6fe15ef1c04eef592da305896a
State = 0x1c559d961c578475dc9c2542f1f8a48c
Proxy-State = 0x313633
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Sending Access-Challenge of id 163 to 10.143.115.6 port 1645
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1c559d961c578475dc9c2542f1f8a48c
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.143.115.6 port 1645, id=164,
length=267
User-Name = "host/NetEng-D410.gtcorp.com"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "AC-A0-16-0E-9E-11"
Calling-Station-Id = "00-14-22-FD-DD-98"
EAP-Message =
0x0202005719800000004d16030100480100004403014d6e647c9daae1b84c03485e6ffec3692a9b8639f5edec58b0044e402c83200500001600040005000a0009006400620003000600130012006301000005ff01000100
Message-Authenticator = 0x7f3997066e7d58d1300fd80cd79b3226
NAS-Port-Type = Ethernet
NAS-Port = 50117
NAS-Port-Id = "GigabitEthernet1/0/17"
State = 0x1c559d961c578475dc9c2542f1f8a48c
NAS-IP-Address = 10.143.115.6
+- entering group authorize {...}
[preprocess] expand: %{User-Name} -> host/NetEng-D410.gtcorp.com
[preprocess] hints: Matched DEFAULT at 36
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 2 length 87
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [host/NetEng-D410.gtcorp.com/<via Auth-Type = EAP>] (from
client 10.143.115.0/24 port 50117 cli 00-14-22-FD-DD-98)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} ->
host/NetEng-D410.gtcorp.com
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 164 to 10.143.115.6 port 1645
Waking up in 3.9 seconds.
Cleaning up request 0 ID 163 with timestamp +10
Waking up in 1.0 seconds.
Cleaning up request 1 ID 164 with timestamp +10
Ready to process requests.
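The attached log shows the pattern behind the "No EAP session matching the State variable" error: the first Access-Request (id 163) is proxied and the home server 10.26.105.105 answers with an Access-Challenge carrying a State, but the NAS's next Access-Request (id 164), which echoes that State, is not proxied again; the local eap module picks it up ("Continuing tunnel setup", "Found Auth-Type = EAP"), has no session for a State it never issued, and rejects the user. The script below is an added example, not part of the original post and not FreeRADIUS code: it parses a radiusd -X log, correlates State values returned by home servers with the requests that echo them, and reports any such request that was handled locally instead of being forwarded. The embedded log excerpt is constructed from the lines quoted above (same ids, hosts and State value), and the regular expressions assume the 2.x debug-output format shown there.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed debug-log excerpt, abbreviated from the radiusd -X output
# quoted in the post (same packet ids, hosts and State value as shown there).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.143.115.6 port 1645, id=163, length=194
    User-Name = "host/NetEng-D410.gtcorp.com"
    EAP-Message = 0x0201002001686f73742f4e6574456e672d443431302e6774636f72702e636f6d
[preprocess] hints: Matched DEFAULT at 36
[files] users: Matched entry DEFAULT at line 2
Sending Access-Request of id 218 to 10.26.105.105 port 1812
Proxying request 0 to home server 10.26.105.105 port 1812
rad_recv: Access-Challenge packet from host 10.26.105.105 port 1812, id=218, length=69
    EAP-Message = 0x010200061920
    State = 0x1c559d961c578475dc9c2542f1f8a48c
    Proxy-State = 0x313633
[eap] No pre-existing handler found
Sending Access-Challenge of id 163 to 10.143.115.6 port 1645
rad_recv: Access-Request packet from host 10.143.115.6 port 1645, id=164, length=267
    User-Name = "host/NetEng-D410.gtcorp.com"
    State = 0x1c559d961c578475dc9c2542f1f8a48c
[eap] Continuing tunnel setup.
Found Auth-Type = EAP
rlm_eap: No EAP session matching the State variable.
Sending Access-Reject of id 164 to 10.143.115.6 port 1645
"""

# Line shapes of the 2.x debug output (assumption based on the log above).
RECV_RE = re.compile(r"^rad_recv: (Access-\w+) packet from host (\S+) port (\d+), id=(\d+)")
ATTR_RE = re.compile(r"^([\w-]+) = (.+)$")
PROXY_RE = re.compile(r"^Proxying request \d+ to home server (\S+) port (\d+)")
SEND_RE = re.compile(r"^Sending (Access-\w+) of id (\d+) to (\S+) port (\d+)")
EAP_STATE_FAIL = "rlm_eap: No EAP session matching the State variable"


@dataclass
class Packet:
    code: str
    src: str
    pkt_id: int
    attrs: Dict[str, str] = field(default_factory=dict)
    proxied_to: Optional[str] = None       # home server the request was forwarded to
    local_eap_failure: bool = False        # local rlm_eap rejected the State
    reply: Optional[str] = None            # packet code sent back to the NAS


def parse_log(text: str) -> List[Packet]:
    """Turn the rad_recv blocks of a radiusd -X log into Packet records."""
    packets: List[Packet] = []
    cur: Optional[Packet] = None           # packet whose attribute dump we are in
    last_request: Optional[Packet] = None  # most recent Access-Request from a NAS
    for raw in text.splitlines():
        line = raw.strip()
        m = RECV_RE.match(line)
        if m:
            cur = Packet(code=m.group(1), src=m.group(2), pkt_id=int(m.group(4)))
            packets.append(cur)
            if cur.code == "Access-Request":
                last_request = cur
            continue
        m = ATTR_RE.match(line)
        if m and cur is not None:
            cur.attrs[m.group(1)] = m.group(2).strip('"')
            continue
        if last_request is None:
            continue
        m = PROXY_RE.match(line)
        if m:
            last_request.proxied_to = f"{m.group(1)}:{m.group(2)}"
        elif line.startswith(EAP_STATE_FAIL):
            last_request.local_eap_failure = True
        else:
            m = SEND_RE.match(line)
            if m and int(m.group(2)) == last_request.pkt_id:
                last_request.reply = m.group(1)
    return packets


def find_state_mismatches(packets: List[Packet]) -> List[dict]:
    """Flag Access-Requests that echo a State issued by a home server but were
    not proxied back to it, i.e. the local server tried to finish an EAP
    conversation that the home server owns."""
    issued_by: Dict[str, str] = {}         # State value -> home server that sent it
    findings: List[dict] = []
    for p in packets:
        state = p.attrs.get("State")
        if state is None:
            continue
        if p.code == "Access-Challenge":   # a received challenge always comes from a home server
            issued_by[state] = p.src
        elif p.code == "Access-Request" and state in issued_by and p.proxied_to is None:
            findings.append({
                "request_id": p.pkt_id,
                "nas": p.src,
                "home_server": issued_by[state],
                "local_eap_failure": p.local_eap_failure,
                "reply": p.reply,
            })
    return findings


if __name__ == "__main__":
    for f in find_state_mismatches(parse_log(SAMPLE_LOG)):
        print(f"request id {f['request_id']} from {f['nas']} echoes a State issued by "
              f"{f['home_server']} but was handled locally "
              f"(eap failure: {f['local_eap_failure']}, reply: {f['reply']})")
```

Run against a full debug capture (replace SAMPLE_LOG with the file contents), the report lists every EAP round trip where the proxying decision made for the first packet was not repeated for the follow-up packets; in the log above that is exactly request id 164, which is why the home server's State reaches the local eap module and the user is rejected.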