Access proxied, Accounting not proxied

Mr. K dbuschiazzo at gmail.com
Thu May 28 22:52:02 CEST 2009


Hi all, 

I am trying to use a FreeRadius server as a proxy server using the realm.
Apparently my configuration is working for the Access-Request messages, but
not for the Accounting-request messages.

The proxy.conf is very simple:

realm test.com {
        type        = radius
        authhost    = NNN.NNN.NN5.7:1812
        accthost    = NNN.NNN.NN5.7:1813
        secret      = ******
        ldflag      = round_robin
        nostrip
}

With this configuration, the Access-Request messages are sent to the proper
server, as you can see in the following radiusd -X output:

We receive the message from the PDSN:

Waking up in 1 seconds...
rad_recv: Access-Request packet from host 172.17.7.214:32786, id=6,
length=337
        Calling-Station-Id = "310008172268681"
        User-Name = "8177899857 at test.com"
        NAS-IP-Address = 172.17.7.214
        NAS-Identifier = "bws"

The radius sent it to the proper server:

Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
radius_xlat: 
'/usr/freeRadius/log/radius/radacct/172.17.7.214/auth-detail-20090528'
rlm_detail:
/usr/freeRadius/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to
/usr/freeRadius/log/radius/radacct/172.17.7.214/auth-detail-20090528
  modcall[authorize]: module "auth_log" returns ok for request 2
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module "chap" returns ok for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: No '/' in User-Name = "8177899857 at test.com", looking up realm
NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "IPASS" returns noop for request 2
    rlm_realm: Looking up realm "test.com" for User-Name
="8177899857 at test.com"
    rlm_realm: Found realm "test.com"
    rlm_realm: Proxying request from user 8177899857 to realm test.com
    rlm_realm: Adding Realm = "test.com"
    rlm_realm: Preparing to proxy authentication request to realm "test.com" 
  modcall[authorize]: module "suffix" returns updated for request 2
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 2
radius_xlat:  '8177899857 at test.com'
rlm_sql (sql): sql_set_user escaped user --> '8177899857 at test.com'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM
radcheck           WHERE Username = '8177899857 at test.com'           ORDER BY
id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op 
FROM radgroupcheck,usergroup WHERE usergroup.Username =
'8177899857 at test.com' AND usergroup.GroupName = radgroupcheck.GroupName
ORDER BY usergroup.priority, radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM
radreply           WHERE Username = '8177899857 at test.com'           ORDER BY
id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
FROM radgroupreply,usergroup WHERE usergroup.Username =
'8177899857 at test.com' AND usergroup.GroupName = radgroupreply.GroupName
ORDER BY usergroup.priority, radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
  Processing the pre-proxy section of radiusd.conf
modcall: entering group pre-proxy for request 2
radius_xlat: 
'/usr/freeRadius/log/radius/radacct/172.17.7.214/pre-proxy-detail-20090528'
rlm_detail:
/usr/freeRadius/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d
expands to
/usr/freeRadius/log/radius/radacct/172.17.7.214/pre-proxy-detail-20090528
  modcall[pre-proxy]: module "pre_proxy_log" returns ok for request 2
modcall: leaving group pre-proxy (returns ok) for request 2
Sending Access-Request of id 1 to NNN.NNN.NN5.7 port 1812
        Calling-Station-Id = "310008172268681"
        User-Name = "8177899857 at test.com"
        NAS-IP-Address = 172.17.7.214


The problem arises when the same PDSN asks for an Accounting-Request: the
server replies that the shared key is not correct.

Waking up in 2 seconds...
rad_recv: Accounting-Request packet from host 172.17.7.214:32786, id=7,
length=735
Received Accounting-Request packet from 172.17.7.214 with invalid signature! 
(Shared secret is incorrect.) Dropping packet without response.
Finished request 3


The shared key configured is one per node in both the radius and the PDSN;
so it is difficult for me to understand this behavior. Is there any
configuration missing?

Is it possible that the FreeRADIUS server is not checking the shared key when
sending the Access-Request message to its destination, and is checking the key
while processing the Accounting-Request?

Regards, 
K

-- 
View this message in context: http://www.nabble.com/Access-proxied%2C-Accounting-not-proxied-tp23769897p23769897.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.




