Missing Realm when entering second authorization group

Xiwen Cheng xcheng at math.leidenuniv.nl
Mon Jun 15 10:50:50 CEST 2009 

Version & OS:
Freeradius-2.0.5
Gentoo

It appears that during the second iteration in authorize section, the Realm has become NULL. We rely on checking the Realm to choose the appropriate Auth-Type to authenticate local users and proxy everybody else to an external network.
...
+- entering group authorize
++[preprocess] returns ok
    rlm_realm: Looking up realm "math.leidenuniv.nl" for User-Name = "testuser at math.leidenuniv.nl"
    rlm_realm: Found realm "math.leidenuniv.nl"
    rlm_realm: Adding Stripped-User-Name = "testuser"
    rlm_realm: Adding Realm = "math.leidenuniv.nl"
    rlm_realm: Proxying request from user testuser to realm math.leidenuniv.nl
    rlm_realm: Preparing to proxy authentication request to realm "math.leidenuniv.nl"
++[suffix] returns updated
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
    users: Matched entry DEFAULT at line 292
++[files] returns ok
...
+- entering group pre-proxy
...

+- entering group authorize
++[preprocess] returns ok
++[auth_log] returns ok
    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user 
auth: Failed to validate the user.
  Found Post-Auth-Type Reject
...

NOTE: ... means stripped normal behaviour/output.

From the verbose output, the first part is correct. The request is proxied to the correct server. But when it arrives in the authentication server it fails to extract the Realm from the proxied request. In ``users'' we have:

DEFAULT Realm == "math.leidenuniv.nl", Auth-Type := PAM
        Reply-Message = "math here",
        Fall-Through = no

But as the log says, which is correct, there's no Auth-Type for that Realm. If the Realm == "math.leidenuniv.nl" condition is removed, which results in Auth-Type = PAM for everybody, authentication succeeds for local users; which is to be expected. Our config worked perfectly in freeradius-1.1.7.

Now I wonder, why is the Realm equal to NULL? I see suffix updated the request, why isn't the second iteration seeing that update? 

Best regards,
Xiwen


-- 
--
Xiwen Cheng
System Administrator		;" Enthusiasm is contagious,
Mathematical Institute		;  but hype is a disease. "
Leiden University		;E-mail: xcheng at math.leidenuniv.nl
Niels Bohrweg 1 K210		;Office: (+31) 715277134
2333 CA Leiden			;Mobile: (+31) 611119991
The Netherlands			;GPG Key id: 194F572B
++
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20090615/52b4a922/attachment.pgp>

More information about the Freeradius-Users mailing list