cannot return access accept from proxy to client

Alan DeKok aland at ox.org
Thu Sep 22 19:10:17 CEST 2005


"Wilson Lie" <wilson.lie at ithlgroup.com> wrote:
> But I'm afraid that you misunderstood the question.

  I understood it fine.  My response should have been clear.

> Yes, for normal Access-Accept if Host B acts as server, the
> access-accept can be sent back to client

  The problem has NOTHING to do with host B or Access-Accept.

> But when access-accept is sent from host A -> Host B, from host B debug log, it can be seen that
> as user-name is missing, the [sql] module cannot be run,

  No, the SQL module *is* run, but it is telling you that the query
YOU CONFIGURED did not return any matches.

> freeradius return failed in [sql]
> where [sql] refers to post-auth query in this case and the statement contains "User-name" attribute
> (e.g. update xxx set xxx where username=attribute)

  The post-auth query is updating the SQL database with data from the
Access-Request packet.  If that Access-Request packet does not contain
a User-name, then the SQL query will not work.

  This has nothing to do with Access-Accept, or host A, or host B.

> So I would like to ask if any special handling  by freeradius in this case ? 

  I can't parse that sentence.

> As the post-auth [sql] section is configured in sql.conf and it should be same because only one post-auth query
> can be configured.

  You can configure multiple SQL modules, where one has a
postauth_query and the other does not.  See the documentation.

> Or "user-name" attribute can never be included in the post-auth query in this case? (i.e. Host B acts as both proxy and auth-server)

  It's up to YOU to decide that.  That's why the queries are
configurable.  If the queries aren't doing what you want, edit them.
If the server isn't doing what you want, edit the configuration files.

  Alan DeKok.


