cannot return access accept from proxy to client

Wilson Lie wilson.lie at ithlgroup.com
Thu Sep 22 17:39:20 CEST 2005


Hi, thanks for your help. I'm not sure that I explained the case clearly enough,
but I'm afraid that you misunderstood the question.
 
Kindly help me again, or correct me if I'm really wrong.
 
>>  No.  FreeRADIUS doesn't care about User-Name's in Access-Accept.
Yes, for a normal Access-Accept, if Host B acts as the server, the access-accept can be sent back to the client.
But when the access-accept is sent from Host A -> Host B, it can be seen from the Host B debug log that,
as user-name is missing, the [sql] module cannot be run; freeradius returns fail in [sql],
where [sql] refers to the post-auth query in this case, and the statement contains the "User-name" attribute
(e.g. update xxx set xxx where username=attribute).
 
So I would like to ask whether there is any special handling by freeradius in this case?
As the post-auth [sql] section is configured in sql.conf, it should be the same, because only one post-auth query
can be configured.
 
Or can the "user-name" attribute never be included in the post-auth query in this case (i.e. Host B acts as both proxy and auth-server)?
Many thanks!
 
 
 
====================
 Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 3
radius_xlat:  '/usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/reply-detail-20050921'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/reply-detail-20050921
  modcall[post-auth]: module "reply_log" returns ok for request 3
rlm_sql (sql): Processing sql_postauth
radius_xlat:  ''
  modcall[post-auth]: module "sql" returns fail for request 3
modcall: group post-auth returns fail for request 3
Delaying request 3 for 1 seconds
Finished request 3
=====================

	-----Original Message----- 
	From: Alan DeKok [mailto:aland at ox.org] 
	Sent: 2005/9/22 [Thursday] 11:19 PM
	To: FreeRadius users mailing list 
	Cc: 
	Subject: Re: cannot return access accept from proxy to client 
	
	

	"Wilson Lie" <wilson.lie at ithlgroup.com> wrote:
	> I suspect that the freeradius will return failed at once when
	> "username" attribute is not found and because the username attribute
	> won't be included in the "access-accept" packet.
	
	  No.  FreeRADIUS doesn't care about User-Name's in Access-Accept.
	
	> The "sql" can be executed successfully when host B acts as
	> authentication server.
	
	  Look at the differences between the two queries.  They ARE different.
	
	> So maybe I should ask can freeradius be configured as both
	> authentication server and proxy server at the same host?
	
	  Yes.  Many, many people have configured this successfully.  If your
	site doesn't work, it's because something is going wrong in your local
	config, and debug mode will tell you.
	
	  Alan DeKok.
	
	





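An added example, not part of the original message and not FreeRADIUS code: a small Python triage script for debug output like the excerpt above. It flags any module that returns fail directly after a `radius_xlat` line that expanded to an empty string, which is the pattern shown for request 3, and it works for any section, not only post-auth. The sample log is constructed from that excerpt plus one invented passing request, and the function name is hypothetical.

```python
import re

# Constructed sample: request 3 is the excerpt quoted in the post; request 2 is
# an invented passing request added for contrast.
SAMPLE_DEBUG = """\
modcall: entering group post-auth for request 2
rlm_sql (sql): Processing sql_postauth
radius_xlat:  'UPDATE xxx SET xxx WHERE username='bob''
  modcall[post-auth]: module "sql" returns ok for request 2
modcall: group post-auth returns ok for request 2
modcall: entering group post-auth for request 3
radius_xlat:  '/usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/reply-detail-20050921'
  modcall[post-auth]: module "reply_log" returns ok for request 3
rlm_sql (sql): Processing sql_postauth
radius_xlat:  ''
  modcall[post-auth]: module "sql" returns fail for request 3
modcall: group post-auth returns fail for request 3
"""

XLAT = re.compile(r"radius_xlat:\s+'(.*)'\s*$")
RESULT = re.compile(
    r'modcall\[([^\]]+)\]: module "([^"]+)" returns (\w+) for request (\d+)'
)

def find_empty_xlat_failures(debug_text):
    """Return (request, section, module) for each module that failed right
    after a radius_xlat expansion that produced an empty string."""
    findings = []
    pending = []  # expansions seen since the previous module result
    for line in debug_text.splitlines():
        xlat = XLAT.search(line)
        if xlat:
            pending.append(xlat.group(1))
            continue
        result = RESULT.search(line)
        if result:
            section, module, verdict, request = result.groups()
            if verdict == "fail" and "" in pending:
                findings.append((int(request), section, module))
            pending = []
    return findings

if __name__ == "__main__":
    for request, section, module in find_empty_xlat_failures(SAMPLE_DEBUG):
        print(f"request {request}: {module} failed in {section} after an empty expansion")
```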


