simple accounting proxy setup.

Matthew Newton mcn4 at leicester.ac.uk
Wed Oct 3 00:40:06 CEST 2012 

On Tue, Oct 02, 2012 at 12:27:48PM -0500, Bill Schoolfield wrote:
> To be clear, remove the line below???
> 
> virtual_server = copy-acct-to-home-server

Yes - read the documentation in proxy.conf that explains what this
line does. You don't want to relay the packet back to yourself.

> Does the "update control { Proxy-To-Realm := 'home_realm' }
> section handle this association for us?

When the packet drops off the bottom of the preacct (and
authorize, if used for auth) section, the Proxy-To-Realm config
attribute tells the server not to process it locally any more, but
to proxy it to the relevant realm configured in proxy.conf.


On Tue, Oct 02, 2012 at 01:58:59PM -0500, Bill Schoolfield wrote:
> I removed this line. Started up the server and I can see that the
> packets are being sent to the other server. However. I get...
> 
> > Detail listener /var/log/radius/radacct/relay-detail state running signalled 0 waiting 1.094676 sec
> > Waking up in 0.9 seconds.
> > rad_recv: Accounting-Request packet from host 192.168.111.55 port 1814, id=54, length=278
> > Received Accounting-Request packet from client 192.168.111.55 with invalid signature!  (Shared secret is incorrect.) Dropping packet without response.
> > Going to the next request
> 
> so the shared secret is wrong. But I have checked the secret on both

That's the shared secret between your NAS and this radius server,
not the secret between this server and the remote log destination
server. Check the shared secret on the NAS and in your
clients.conf.

Relayed packets will have debug output like

  Detail listener /var/log/radius/radacct/relay-detail state replied signalled 0 waiting 0.000000 sec
  detail_recv: Read packet from /var/log/radius/radacct/relay-detail.work

and not something indicating it came in over the network, like

  rad_recv: Accounting-Request packet from host ... port ...

> sides and it is the same. What else could it be? I'm a little
> unclear on the remote server's client entry for this relay. Should
> it be the ip of the freeradius server or should it match the ip of
> the originating NAS? I have set up both to no avail.

The client for the remote server is this proxy server, so the
client entry on that server should be the (outgoing, if it has
more than one) IP address of this server (the client entry secret
on the remote server should match the secret on this proxying
server's proxy.conf file).

e.g.

NAS - secret = A

this server - clients.conf (NAS IP) secret = A
              proxy.conf (remote server) secret = B

remote server - clients.conf (this server IP) secret = B

Cheers,

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>

More information about the Freeradius-Users mailing list