proxy fallback?

Christopher Fournier christf1 at nortel.com
Thu Jun 21 16:38:46 CEST 2007


Using freeradius 1.1.6: I'm trying to establish a sequential auth order,
but it seems I'm missing the boat on something. The goal is the
following auth order, in iteration:

1) Check for local users in MySQL table
2) Proxy the request to another server
3) Use the local 'users' file (that is to permit all users, by default)

In the 'authorize' clause, I have tried several configurations, but none
seem to work as expected. In its most basic form, it was:

authorize {
 preprocess
 sql
 suffix
 files
}

I have also tried modifying the clause using the 'redundant' and 'group'
tokens:

authorize {
        preprocess
        redundant {
                sql {
                        notfound = 4
                        fail = 4
                }
                suffix {
                        notfound = 1
                        reject = 2
                        updated = 3
                        fail = 4
                }
        }
        files
}

And lots of variations thereof. What seems to happen consistently is
that the 'suffix' clause supersedes the 'files' module, which is
configured to permit all by default. Below is the debug:


rad_recv: Access-Request packet from host 127.0.0.1:44323, id=85,
length=59
        User-Name = "xyzuser"
        User-Password = "foo"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
modcall: entering group redundant  for request 0
radius_xlat:  'xyzuser'
rlm_sql (sql): sql_set_user escaped user --> 'xyzuser'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM
radcheck           WHERE Username = 'xyzuser'           ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): User xyzuser not found in radcheck
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'xyzuser' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'xyzuser' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): User xyzuser not found in radgroupcheck
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): User not found
  modcall[authorize]: module "sql" returns notfound for request 0
    rlm_realm: No '@' in User-Name = "xyzuser", looking up realm NULL
    rlm_realm: Found realm "NULL"
    rlm_realm: Adding Stripped-User-Name = "xyzuser"
    rlm_realm: Proxying request from user xyzuser to realm NULL
    rlm_realm: Adding Realm = "NULL"
    rlm_realm: Preparing to proxy authentication request to realm "NULL"
  modcall[authorize]: module "suffix" returns updated for request 0
modcall: leaving group redundant  (returns notfound) for request 0
    users: Matched entry DEFAULT at line 1
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
Sending Access-Request of id 0 to [DELETED] port 1645
        User-Name = "xyzuser"
        User-Password = "foo"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
        Proxy-State = 0x3835
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Reject packet from host [DELETED]:1645, id=0, length=73
        Nortel-Attr-1 = 0x00000000
        Nortel-Attr-2 = 0x756e6b6e6f776e5f7573657220
        Nortel-Attr-4 = 0x4e6f20737563682075736572
Login incorrect (Home Server says so): [xyzuser/foo] (from client
localhost port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request


If I move the 'files' module before the 'suffix' module in the
'authorize' clause, it works fine. Again, it seems that the proxy
overrides any further processing, despite changing the priorities.

Could anyone provide some idea as to what I'm missing, or how to make
this work? Thank you in advance for any help!

- Chris
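An added example, not code from the post or from FreeRADIUS itself: a small Python simulation of the modcall group rule that the debug output above reflects, using the per-module action tables from the second 'authorize' configuration. It assumes the FreeRADIUS 1.x rule that an integer action is a priority (the group keeps the rcode with the highest priority seen, and "return" stops the group), and it replaces rlm_sql, rlm_realm and rlm_files with constructed stubs that return the codes shown in the debug.

```python
from dataclasses import dataclass, field

RETURN = "return"  # action that stops the group and returns the module's rcode


@dataclass
class Request:
    """Constructed stand-in for a RADIUS request and its attribute list."""
    username: str
    attrs: dict = field(default_factory=dict)


# Constructed stubs: each returns the rcode the real module produced in the debug.
def sql(req, known_users=frozenset()):
    return "ok" if req.username in known_users else "notfound"


def suffix(req):
    # rlm_realm with the NULL realm: marks the request for proxying and
    # returns "updated"; this attribute change survives whatever the group returns.
    req.attrs["Proxy-To-Realm"] = "NULL"
    return "updated"


def files(req):
    return "ok"  # the permit-all DEFAULT entry matched


def run_group(req, modules, default_priority=1):
    """modules: list of (module, action table). Returns the group's rcode.
    Assumption: an rcode missing from a module's table gets default_priority."""
    group_rcode, group_prio = None, -1
    for mod, actions in modules:
        rcode = mod(req)
        action = actions.get(rcode, default_priority)
        if action == RETURN:
            return rcode
        if action > group_prio:  # higher priority replaces the group's rcode
            group_rcode, group_prio = rcode, action
    return group_rcode


def authorize(username):
    """Runs the post's redundant group then files; returns (group rcode, proxied?)."""
    req = Request(username)
    redundant = [
        (sql, {"notfound": 4, "fail": 4}),
        (suffix, {"notfound": 1, "reject": 2, "updated": 3, "fail": 4}),
    ]
    group_rcode = run_group(req, redundant)  # notfound (4) beats updated (3)
    files(req)
    return group_rcode, "Proxy-To-Realm" in req.attrs
```

The group reports "notfound" exactly as the debug shows, but the proxy attribute added by 'suffix' is still on the request, so 'files' running afterwards cannot undo the proxying.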