problem matching realms - for local auth not proxy

Alan DeKok aland at deployingradius.com
Wed Apr 1 18:15:49 CEST 2009 

Seamus Bridgeman wrote:
> Using freeradius2.1.3 for seperate Auth and Acct servers in DSL/PPPoE
> n/w. Using CHAP auth only and lookup via dbm file with users.txt fallback.
> Can successfully authenticate/authorise against specific user profiles
> in users dbm/txt but problems when trying to match realms.

  Why are you using the DBM files?

> We are not proxying to remote servers but do local auth on matching
> realms. Am I missing some step/module which imports the proxy.conf
> file - or the order of modules in authorise{} This issue occurs
> regardless dbm or files based lookup and in realms module.

  No.  The default configuration loads the proxy.conf file.

> If I remove proxy.conf radius does not complain.

  Because it's not required in all configurations.

> Added to dbm file:
> /usr/local/freeradius/bin/rlm_dbm_cat -f

  Don't use rlm_dbm.  Just use the normal "users" file.  It works, and
it's fast.

> [3] radiusd.conf includes reference to realm module and includes in
> authorise {} section. Also not including policy.conf which denies realms
> by default.

  No, it doesn't.  As the comments in that file should make clear, those
are SAMPLE policies.  They aren't used until you tell the server to use
them.

> authorize {
...
> }

  Great.  You've completely butchered the "authorize" section, and
removed all references to the "realms" module.

  Can you explain WHY you did this?  What documentation led you to
conclude that deleting the majority of that section was a good idea?

  The recommendation here is simple:

	DO NOT BUTCHER THE DEFAULT INSTALL

  The default installation WORKS.  If you had simple added a realm, and
added entries in the "users" file... it would have WORKED.

  Instead, you spent a great deal of effort editing the configuration,
breaking it, and then trying to debug it.  Almost all of that work was
wasted.

   The default installation works.  Don't butcher it.  Read "man
radiusd" for instructions on how to edit the configuration without
breaking it.

  Alan DeKok.

More information about the Freeradius-Users mailing list