Proxy failure
Axel Seguin
axel.seguin at icfo.es
Wed Apr 26 16:48:05 CEST 2006
Hello,
I set up FreeRadius in order to proxy a certain realm to another Radius
server (which is not under my control at all). The shared secret is
the same. I put the address of the other Radius server in the
proxy.conf file.
My Radius sends the request 5 times to the other Radius server and
then gives up marking the server dead (but it is not).
This is what comes out:
Cleaning up request 104 ID 0 with timestamp 444f845d
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 10.3.1.60:2050, id=0,
length=147
User-Name = "testyyyy at xxxx.es"
NAS-IP-Address = 10.3.1.60
Called-Station-Id = "0014bfef3609"
Calling-Station-Id = "001124a87bc6"
NAS-Identifier = "0014bfef3609"
NAS-Port = 21
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0200001601746573746963666f4063657363612e6573
Message-Authenticator = 0xb82a0c651648b9bab3d9860388e081db
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 105
modcall[authorize]: module "preprocess" returns ok for request 105
radius_xlat: '/usr/local/var/log/radius/radacct/10.3.1.60/auth-
detail-20060426'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/
auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/
10.3.1.60/auth-detail-20060426
modcall[authorize]: module "auth_log" returns ok for request 105
rlm_realm: Looking up realm "xxxx.es" for User-Name =
"testyyyy at xxxx.es"
rlm_realm: Found realm "DEFAULT"
rlm_realm: Proxying request from user testyyyy to realm DEFAULT
rlm_realm: Adding Realm = "DEFAULT"
rlm_realm: Preparing to proxy authentication request to realm
"DEFAULT"
modcall[authorize]: module "suffix" returns updated for request 105
rlm_eap: Request is supposed to be proxied to Realm DEFAULT. Not
doing EAP.
modcall[authorize]: module "eap" returns noop for request 105
users: Matched entry DEFAULT at line 161
modcall[authorize]: module "files" returns ok for request 105
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testyyyy at xxxx.es
radius_xlat: '(uid=testyyyy at xxxx.es)'
radius_xlat: 'ou=People, dc=yyyy, dc=es'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People, dc=yyyy, dc=es, with filter
(uid=testyyyy at xxxx.es)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns notfound for request 105
modcall: leaving group authorize (returns updated) for request 105
Processing the pre-proxy section of radiusd.conf
modcall: entering group pre-proxy for request 105
radius_xlat: '/usr/local/var/log/radius/radacct/10.3.1.60/pre-proxy-
detail-20060426'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/
pre-proxy-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/
10.3.1.60/pre-proxy-detail-20060426
modcall[pre-proxy]: module "pre_proxy_log" returns ok for request 105
modcall: leaving group pre-proxy (returns ok) for request 105
Sending Access-Request of id 12 to aa.bb.cc.dd port 1812
User-Name = "testyyyy at xxxx.es"
NAS-IP-Address = 10.3.1.60
Called-Station-Id = "0014bfef3609"
Calling-Station-Id = "001124a87bc6"
NAS-Identifier = "0014bfef3609"
NAS-Port = 21
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0200001601746573746963666f4063657363612e6573
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x30
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.3.1.60:2050, id=0,
length=147
Dropping conflicting packet from client APtest:2050 - ID: 0 due to
unfinished request 105
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
Re-sending Access-Request of id 12 to aa.bb.cc.dd port 1812
User-Name = "testyyyy at xxxx.es"
NAS-IP-Address = 10.3.1.60
Called-Station-Id = "0014bfef3609"
Calling-Station-Id = "001124a87bc6"
NAS-Identifier = "0014bfef3609"
NAS-Port = 21
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0200001601746573746963666f4063657363612e6573
Message-Authenticator = 0x00000000000000000000000000000000
Client-IP-Address = 10.3.1.60
Realm = "DEFAULT"
EAP-Type = Identity
Module-Failure-Message = "rlm_ldap: User not found"
Realm = "DEFAULT"
Proxy-State = 0x30
Waking up in 5 seconds...
--- Walking the entire request list ---
Re-sending Access-Request of id 12 to aa.bb.cc.dd port 1812
User-Name = "testyyyy at xxxx.es"
NAS-IP-Address = 10.3.1.60
Called-Station-Id = "0014bfef3609"
Calling-Station-Id = "001124a87bc6"
NAS-Identifier = "0014bfef3609"
NAS-Port = 21
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0200001601746573746963666f4063657363612e6573
Message-Authenticator = 0x00000000000000000000000000000000
Client-IP-Address = 10.3.1.60
Realm = "DEFAULT"
EAP-Type = Identity
Module-Failure-Message = "rlm_ldap: User not found"
Realm = "DEFAULT"
Proxy-State = 0x30
Waking up in 5 seconds...
--- Walking the entire request list ---
Server rejecting request 105.
marking authentication server aa.bb.cc.dd:1812 for realm DEFAULT dead
Waking up in 0 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 0 to 10.3.1.60 port 2050
Cleaning up request 105 ID 0 with timestamp 444f84d5
Nothing to do. Sleeping until we see a request.
Why is there a "Module-Failure-Message = "rlm_ldap: User not found""?
Of course the user won't be found in the local ldap database since
this realm is supposed to be proxied.
The radius server is obviously looking in the local ldap database
with the unstripped username before proxying this request. Is there
not a way, in case the realm of the username has to be proxied, not to
look for it locally in the ldap database first?
If anyone has an idea why I don't get any answer, I would be grateful.
Thank you.
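
Added example, not part of the original post and not FreeRADIUS code: a small Python summary of debug output like the above, counting transmissions and replies per home server and listing servers marked dead without a single reply logged. The home server address 192.0.2.10 and the sample lines are constructed, and it is an assumption that replies from the home server are logged in the same "rad_recv: ... packet from host" form as the Access-Request lines shown in the post.

```python
import re
from collections import defaultdict

# Line shapes taken from the debug output in the post above.
SEND = re.compile(r"^(Sending|Re-sending) Access-Request of id (\d+) to (\S+) port (\d+)")
# Assumption: proxy replies are logged like the rad_recv request lines.
RECV = re.compile(r"^rad_recv: Access-(?:Accept|Reject|Challenge) packet "
                  r"from host ([^:\s]+):(\d+), id=(\d+)")
DEAD = re.compile(r"^marking authentication server ([^:\s]+):(\d+) for realm (\S+) dead")

def summarize_proxy(lines):
    """Per home server (host, port): transmissions, replies seen, realms marked dead."""
    stats = defaultdict(lambda: {"sent": 0, "resent": 0, "replies": 0, "dead_realms": []})
    for line in lines:
        line = line.strip()
        if m := SEND.match(line):
            key = (m.group(3), int(m.group(4)))
            stats[key]["sent" if m.group(1) == "Sending" else "resent"] += 1
        elif m := RECV.match(line):
            key = (m.group(1), int(m.group(2)))
            if key in stats:  # only count replies from servers we proxied to
                stats[key]["replies"] += 1
        elif m := DEAD.match(line):
            stats[(m.group(1), int(m.group(2)))]["dead_realms"].append(m.group(3))
    return dict(stats)

def silent_dead_servers(stats):
    """Home servers marked dead although no reply from them was ever logged."""
    return sorted(k for k, s in stats.items() if s["dead_realms"] and s["replies"] == 0)

# Constructed sample, same line shapes as the post (attribute lines omitted).
SAMPLE = """\
rad_recv: Access-Request packet from host 10.3.1.60:2050, id=0, length=147
Sending Access-Request of id 12 to 192.0.2.10 port 1812
Waking up in 6 seconds...
Re-sending Access-Request of id 12 to 192.0.2.10 port 1812
Waking up in 5 seconds...
Re-sending Access-Request of id 12 to 192.0.2.10 port 1812
marking authentication server 192.0.2.10:1812 for realm DEFAULT dead
Sending Access-Reject of id 0 to 10.3.1.60 port 2050
""".splitlines()

if __name__ == "__main__":
    summary = summarize_proxy(SAMPLE)
    for server, s in summary.items():
        print(server, s)
    print("marked dead with no reply:", silent_dead_servers(summary))
```

A server that appears in this list never answered at all, which is also what a RADIUS server does when it silently discards requests from a client it does not know or whose shared secret does not match.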