* This is the VOP Radius mailing list *
Our situation was we had purchased another ISP who used a proprietary LDAP patch to cistron radius. So we had to have it fallback to the BSD Cistron Radius box. I found the keys were changing the number of attempts to 1 in the fallback settings, increasing the Radius timeout at the router, and making sure you have the client definition for the BSD Radius server set to ROAMER. Once I did all these things it seemed to work. VOP Radius first hits our MSSQL main database looking for a user, if it can't find them, it contacts the BSD radius server and looks. This is a great solution for ISPs to have a temporary fix when they buy a new ISP between when they buy and import the users into their own master database. Would also like to say Yves was very helpful in pointing out my problem with the whole thing. Cisco NAS's like more than just ACK back.

Scott Wolf - [EMAIL PROTECTED]
Network Engineer / VP
Aginet - http://www.aginet.com

Lewis Watson wrote:

Hey Scott,
I am working on a backup radius server using BSD/ freeRadius. I just started
with it this afternoon/ evening and am wondering what BSD based Radius you
are running over there. FreeRadius seems to be really feature packed.
Thanks.
Lewis


----- Original Message -----
From: "Scott Wolf" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, December 23, 2002 11:14 AM
Subject: [VOP RADIUS] Fallback



We have gotten VOP Radius to fallback to the BSD based radius server on
user not found. Radius server type had to be set to ROAMER. I can see in
the BSD logs that a user is AUTH'd ok. Appears to make it back to the
VOP Radius server. But the user ends up getting disconnected. Attached
is what I see at the NAS Server end. The line that appears to be the
error is "Dec 23 17:10:09.296 UTC: RADIUS: no appropriate authorization
type for user." Anyone have any ideas? Thanks,

Scott Wolf
Aginet



Scott Wolf wrote:


I have retries set to 1 as I thought that could be a problem. I load
up voptest, set it to 3 tries (simulate the nas) and it will
authenticate users in the main source (ODBC - rodopi), but it just
times out if I try a user in the fallback source. I can check the logs
of the fallback radius server and no requests are sent to it. To do
some testing I set the primary method to radius server and it did
successfully proxy the requests over to the second server (wanted to
verify passwords and connectivity). If this issue is beyond basic
support, just send me an e-mail off the list. I realise we have no
support contract and this is an old version.

Scott Wolf

Customer Support wrote:


Scott,

In the RADIUS => Cache/Fallback panel, you have to make sure you
specify ONE retry only. Also, it depends on your primary
authentication method. For instance, fallback doesn't work with
NT/SAM authentication as the primary authentication. Fallback occurs
only after the n+2'd retry where n=value of the retries. So your NAS
(or VOPTest) has to send n+2 packets before the fallback kicks in.

--
Yves Lacombe
SPAM Fighting team &
Technical Support


----- Original Message -----
From: "Scott Wolf" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 20, 2002 9:23 PM
Subject: [VOP RADIUS] Fallback





I am having problems trying to do fallback authentication to another
radius server running on BSD. I have the method set to "Radius Server",
the ip address of the BSD radius server in the ip box, the "Apply method
if user not found box" is checked also. I also have the secondary box set
up in clients with the password. I can see in the log file where it
forces backup authentication, but it never seems to try it. The BSD
server never shows any attempts to contact it. Seems very off. Wondering
if this is a known issue (we are running an old version 2.2.211).
Thought someone out there might have some idea. I have given up.




**
To leave this list, send an email to [EMAIL PROTECTED]
and put the word "LEAVE" in the BODY of the email.


