multiple Autz-Type

To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
Subject: multiple Autz-Type
From: wekz <fbl.list@gmail.com>
Date: Mon, 5 Jun 2006 13:56:17 +0200
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:mime-version:content-type; b=WNJMrQf6pK1trO2IZcglei/iCELmreSwlUM540hJF+lFZSMAIKgUHKCMJB69EgNrZTknHIlv2QNLLdR9LDzPFCpQfC0KeG0VPCuFcoLpKOQG6KOH3uSlF5M9KTgHo+872P71L8TIRTIY4Y8iMISqk9QQ+wau8UB5wpxRhDtN0qM=
Reply-to: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>

Hello everybody. I'll tell you what i wanna do and the problem i get so you could either fix my configuration or give me some new ideas.

First, I´m using freeradius 1.1.1 + ldap.

What I have is this: I have three radius working in different placement of one organization, these radius authorize against three subtrees of the ldap. When a user is not found they do proxy to another radius. This work quite well.

What I want: I want to have another radius ( only one ) to acct as a backup of these servers ( for configuring my ciscos with two servers ). This radius has the complete tree but it must look in each subtree depending on the NAS-IP, not in the whole ldap. If the user is not found in the corresponding subtree it must do proxy to the central radius.

I don't know if I have explain it correctly, if I haven't just tell me ( I'm not an english speaker )

For this configuration I've defined three ldaps in radiusd.conf:
module{
    ldap ldap1{
    }
    ldap ldap2{
    }
    ldap ldap3{
    }
}
...
authorize{
...
     autztype customer1{
                redundant {
                        group {
                                ldap1 {
                                        notfound = return
                                        fail = return
                                }
                                files
                                mschap
                                eap
                                notfound = 1
                                fail = 1
                        }
                        files
                }
        }
       Autz-Type customer2{
           [ similar configuration as above ]
       }
       Autz-Type customer3{
           [ similar configuration as above ]
       }
}

My hints file:

DEFAULT NAS-IP-Address == "192.168.51.220"
        Autz-Type := customer1
DEFAULT NAS-IP-Address == "192.168.51.221"
        Autz-Type := customer2
DEFAULT NAS-IP-Address == "192.168.51.222"
        Autz-Type := customer3

Users:
DEFAULT Proxy-to-realm := wickwar_central

The problem is that it doesn't execute any of Autz-Type sections.

The logs:
rad_recv: Access-Request packet from host 192.168.51.221:1645, id=200, length=160
        User-Name = "cadiz"
        Framed-MTU = 1400
        Called-Station-Id = " 0011.9215.c490"
        Calling-Station-Id = "0004.238d.4b0e"
        Cisco-AVPair = "ssid=perfil_tipo_a"
        Service-Type = Login-User
        Message-Authenticator = 0x27c966f01f1de90c836066e2a019c553
        EAP-Message = 0x0202000a01636164697a
        NAS-Port-Type = Wireless-802.11
        Cisco-NAS-Port = "395"
        NAS-Port = 395
        NAS-IP-Address = 192.168.51.221
        NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
hints: Matched DEFAULT at 59
modcall[authorize]: module "preprocess" returns ok for request 1
    rlm_realm: No '/' in User-Name = "cadiz", looking up realm NULL
    rlm_realm: No such realm "NULL"
modcall[authorize]: module "ntdomain" returns noop for request 1
radius_xlat: '/opt/radius_LOCAL/var/log/radius/radacct/192.168.51.221/auth-detail-20060605'
rlm_detail: /opt/radius_LOCAL/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /opt/radius_LOCAL/var/log/radius/radacct/192.168.51.221/auth-detail-20060605
modcall[authorize]: module "auth_log" returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [cadiz/<no User-Password attribute>] (from client ap port 395 cli 0004.238d.4b0e)
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 200 to 192.168.51.221 port 1645
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 200 with timestamp 44840b82
Nothing to do. Sleeping until we see a request.

If anyone could give my a hand. I would be grateful.
Thanks.

Follow-Ups:
- Re: multiple Autz-Type
  - From: Phil Mayers <p.mayers@imperial.ac.uk>

Previous by Date: Re: Freeradius-Users Digest, Vol 14, Issue 15
Next by Date: RADIUS Problems
Previous by Thread: Re: Multiple attributes for single user in radreply and mysql
Next by Thread: Re: multiple Autz-Type
Freeradius-Users June 2006 archives indexes sorted by: [ thread ] [ subject ] [ author ] [ date ]
Freeradius-Users list archive Table of Contents
More information about the Freeradius-Users mailing list

This archive was generated by a fusion of Pipermail (Mailman edition) and MHonArc.