Re: fail-over configuration

Thanks for your reply, Alan.

You showed the following process.

1. Checking users file
   If the User-Name is not found, go to Checking SQL(Mysql) DataBase.
   Check the Calling-Station-Id.
     if the Calling-Station-Id is correct, continue to authenticate
     if the Calling-Station-Id is incorrect, reject the user.

2. Checking SQL(Mysql) DataBase.
   If the User-Name is not found, reject the user.
   Check the Calling-Station-Id.
     if the Calling-Station-Id is correct, continue to authenticate
     if the Calling-Station-Id is incorrect, reject the user.

In authenticate, check the User-password.
  If correct, the user is authenticated.
  if the User-Password is incorrect, reject the user

Then, I have a question.
What does "the User-Name is not found" mean?
I thought it meant the User-Name value in the request is not found in the users file.
But freeradius does not operate that way.
It looks like the following.

case 1 (this case is OK (found!))
  User-Name(value) in Users file equals User-Name(value) in Access-Request.
  and User-Password(value) in Users file equals User-Password(value) in Access-Request.
  and Calling-Station-Id(value) in Users file equals Calling-Station-Id(value) in Access-Request.

case 2 (this case is not found)
  User-Name(value) in Users file equals User-Name(value) in Access-Request.
  and User-Password(value) in Users file does not equal User-Password(value) in Access-Request.
  and Calling-Station-Id(value) in Users file equals Calling-Station-Id(value) in Access-Request.

case 3 (this case is not found)
  User-Name(value) in Users file equals User-Name(value) in Access-Request.
  and User-Password(value) in Users file equals User-Password(value) in Access-Request.
  and Calling-Station-Id(value) in Users file does not equal Calling-Station-Id(value) in Access-Request.

case 4 (this case is not found)
  User-Name(value) in Users file equals User-Name(value) in Access-Request.
  and User-Password(value) in Users file does not equal User-Password(value) in Access-Request.
  and Calling-Station-Id(value) in Users file does not equal Calling-Station-Id(value) in Access-Request.

Does "the User-Name is not found" mean that all the radius attributes that should be compared are matched, not only that the User-Name value is not matched?
If that is right, does checking the User-Password in authenticate always succeed?

--
Access-Request:
    User-Name = testusr
    User-Password = usrpass00
    NAS-Port = 1
    NAS-IP-Address = 192.168.100.20
    Framed-Protocol = PPP
    Service-Type = Framed-User
    NAS-Port-Type = ISDN
    Calling-Station-Id = 0123456789

--
Users file:
testusr Auth-Type := Local, User-Password == usrpass, Calling-Station-Id == 0123456789
        User-Service = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 10.0.0.1,
        Framed-IP-Netmask = 255.255.255.255,
        Ascend-Idle-Limit = 600,
        Ascend-Data-Filter = ip in forward dstip 10.0.1.0/24,
        Ascend-Data-Filter += ip in forward dstip 172.16.1.0/24,
        Ascend-Data-Filter += ip in drop dstip 0.0.0.0,
        Ascend-Data-Filter += ip out forward

Sorry for my poor English.

Regards
--
baffy200y [EMAIL PROTECTED]

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
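
The four cases in the message above, as an added Python model (not part of the original posts and not FreeRADIUS code). It shows where a wrong password is caught depending on how the check line is written. Assumptions of the model: `==` check items are compared with the request, `:=` items are only stored, and a matched entry's check items become config items; `USERS_B`, `SQL_EMPTY`, `SQL_DUP`, `lookup` and `handle` are hypothetical names.

```python
# Added model of the files -> sql failover in this thread; not FreeRADIUS code.
# Assumed operator handling: "==" items are compared with the request,
# ":=" items are only stored; a matched entry's items become config items.

REQUEST = {"User-Name": "testusr", "User-Password": "usrpass00",
           "Calling-Station-Id": "0123456789"}  # Access-Request from the post

# Layout A: check line as posted (password compared while authorizing).
USERS_A = [("testusr", [("Auth-Type", ":=", "Local"),
                        ("User-Password", "==", "usrpass"),
                        ("Calling-Station-Id", "==", "0123456789")])]
# Layout B (hypothetical): password only stored, compared in authenticate.
USERS_B = [("testusr", [("Auth-Type", ":=", "Local"),
                        ("User-Password", ":=", "usrpass"),
                        ("Calling-Station-Id", "==", "0123456789")])]
SQL_EMPTY = []                                                   # constructed
SQL_DUP = [("testusr", [("User-Password", ":=", "usrpass00")])]  # constructed


def lookup(entries, request):
    """("ok", config) for the first entry whose name and every "==" item
    match the request, otherwise ("notfound", {})."""
    for name, checks in entries:
        if name != request.get("User-Name"):
            continue
        if all(request.get(a) == v for a, op, v in checks if op == "=="):
            return "ok", {a: v for a, _op, v in checks}
    return "notfound", {}


def handle(request, users, sql_rows):
    """authorize (files, then sql on notfound), then authenticate.
    Returns (result, trace); trace lists each module's return code."""
    trace = []
    for module, entries in (("files", users), ("sql", sql_rows)):
        code, config = lookup(entries, request)
        trace.append((module, code))
        if code == "ok":          # "ok = return": leave the group here
            break
    else:
        return "reject", trace    # neither source matched the request
    good = config.get("User-Password") == request.get("User-Password")
    trace.append(("authenticate", "ok" if good else "reject"))
    return ("accept" if good else "reject"), trace


if __name__ == "__main__":
    for label, users in (("A", USERS_A), ("B", USERS_B)):
        print(label, handle(REQUEST, users, SQL_DUP))
```

With layout A a wrong password for a users-file account comes back as notfound, so the request is retried against SQL and is accepted if SQL holds the same User-Name with a different password. With layout B the users file claims the user and the mismatch is rejected in authenticate without SQL being consulted.
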

Re: fail-over configuration

baffy200y [EMAIL PROTECTED] wrote:
> 1.Checking users file
>   If the User-Name is found,check the User-Password.

The server can't do that. The authorize section doesn't do any authentication.

I would re-write your request as:

1. Checking users file
   If the User-Name is not found, go to Checking SQL(Mysql) DataBase.
   Check the Calling-Station-Id.
     if the Calling-Station-Id is correct, continue to authenticate
     if the Calling-Station-Id is incorrect, reject the user.

2. Checking SQL(Mysql) DataBase.
   If the User-Name is not found, reject the user.
   Check the Calling-Station-Id.
     if the Calling-Station-Id is correct, continue to authenticate
     if the Calling-Station-Id is incorrect, reject the user.

In authenticate, check the User-password.
  If correct, the user is authenticated.
  if the User-Password is incorrect, reject the user

The server can do this. See doc/configurable_failover for how to configure the authorize section to do check files, if not found, check sql.

Alan DeKok.

fail-over configuration

Hi, all.

I want to set up freeradius which uses the users file and an sql database for user authentication.
But I cannot set it up well.
Can I set up freeradius as follows?

1. Checking users file
   If the User-Name is found, check the User-Password.
     if the User-Password is correct, check the Calling-Station-Id.
       if the Calling-Station-Id is correct, the user is authenticated.
       if the Calling-Station-Id is incorrect, reject the user.
     if the User-Password is incorrect, reject the user
   If the User-Name is not found, go to "Checking SQL(Mysql) DataBase."

2. Checking SQL(Mysql) DataBase.
   If the User-Name is found, check the User-Password.
     if the User-Password is correct, check the Calling-Station-Id.
       if the Calling-Station-Id is correct, the user is authenticated.
       if the Calling-Station-Id is incorrect, reject the user.
     if the User-Password is incorrect, reject the user
   If the User-Name is not found, reject the user.

My image of the process (figure 1, flow diagram):
--
  Start -> users file
  users file: user found -> Password check; user not found -> sql (MySql)
  sql (MySql): user found -> Password check; user not found -> reject
  Password check: ok -> Calling-Station-Id check; false -> reject
  Calling-Station-Id check: ok -> user authenticated; false -> reject

My authorize section in radiusd.conf is below
--
authorize {
    preprocess
    group {
        files {
            ok = return
        }
        sql {
            ok = return
        }
    }
}

My users file
--
test    Auth-Type := Local, User-Password == "test", Calling-Station-Id == "00"
        User-Service = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 10.0.0.1,
        Framed-IP-Netmask = 255.255.255.255

Result I tested.
--
     | User-Name | User-Password | Calling-Station-Id |
-----+-----------+---------------+--------------------+
 (1) |     ○     |       ×       |         -          |
-----+-----------+---------------+--------------------+
 (2) |     ○     |       ○       |         ×          |
-----+-----------+---------------+--------------------+
○: correct   ×: incorrect

Case (1)
  files(rlm_files) returns notfound but reject.
  and sql db has been checked.
  and group returns notfound but reject.

Case (2)
  files(rlm_files) returns notfound but reject.
  and sql db has been checked.
  and group returns notfound but reject.

Sorry for my poor English.

Regards
--
baffy200y [EMAIL PROTECTED]