Hello I use freeradius 3.0.9 , PAM module and RSA server (strong authenticator server) I have a user with a realm (user_realm), with the proxy function and the PAM module on my radius server, I want to forward the request on my RSA server. I have a problem because the incoming user on my RSA server is user_realm and not user only As belong my config - radiusd.conf original config with adding proxy_requests = yes $INCLUDE proxy.conf - proxy.conf original config with adding realm rsa { authhost = LOCAL accthost = LOCAL } - sites-enabled/default original config with adding authorize { .... underscore arobase .... } authenticate { .... Auth-Type PAMRSA { pam-rsa } ... } preacct { .... underscore arobase .. } - mods-enabled/pam pam pam-rsa{ pam_auth = rsasecurid } - mods-enabled/realm realm underscore { format = suffix delimiter = "_" } realm arobase { format = suffix delimiter = "@" } My error radius.log (0) Received Access-Request Id 124 from h.j.k.l:35867 to v.w.x.y :1812 length 115 (0) User-Name = " user_rsa " (0) User-Password = "xxxxx" (0) NAS-Port = 1 (0) NAS-Port-Id = "tty1" (0) NAS-Port-Type = Virtual (0) Calling-Station-Id = "a.b.c.d" (0) NAS-IP-Address = e.f.g.h (0) Event-Timestamp = "Aug 20 2015 17:34:04 CEST" (0) Message-Authenticator = 0xc1a0732bc8b62562111e7479ca859ee0 (0) Proxy-State = 0x313339 (0) # Executing section authorize from file /opt/freeradius-3.0.9/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (!&User-Name) { (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) { (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = " user_rsa ", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop (0) sql1: EXPAND %{User-Name} (0) sql1: --> user_rsa (0) sql1: SQL-User-Name set to 'a0327_rsa' rlm_sql (sql1): Reserved connection (1) (0) sql1: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql1: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = ' user_rsa ' ORDER BY id (0) sql1: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = ' user_rsa ' ORDER BY id (0) sql1: User found in radcheck table (0) sql1: Conditional check items matched, merging assignment check items (0) sql1: Expiration := "Dec 30 2035 00:00:00 CET" (0) sql1: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql1: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = ' user_rsa ' ORDER BY id (0) sql1: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = ' user_rsa ' ORDER BY id (0) sql1: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (0) sql1: --> SELECT groupname FROM radusergroup WHERE username = ' user_rsa ' ORDER BY priority (0) sql1: Executing select query: SELECT groupname FROM radusergroup WHERE username = ' user_rsa ' ORDER BY priority (0) sql1: User found in the group table (0) sql1: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{sql1-SQL-Group}' ORDER BY id (0) sql1: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Rebontux_RSA' ORDER BY id (0) sql1: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Rebontux_RSA' ORDER BY id (0) sql1: Group "Rebontux_RSA": Conditional check items matched (0) sql1: Group "Rebontux_RSA": Merging assignment check items (0) sql1: Auth-Type := PAMRSA (0) sql1: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{sql1-SQL-Group}' ORDER BY id (0) sql1: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Rebontux_RSA' ORDER BY id (0) sql1: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Rebontux_RSA' ORDER BY id (0) sql1: Group "Rebontux_RSA": Merging reply items (0) sql1: Service-Type = Authenticate-Only rlm_sql (sql1): Released connection (1) rlm_sql (sql1): 0 of 6 connections in use. Need more spares rlm_sql (sql1): Opening additional connection (6), 1 of 26 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on radiustux1-a.l.infra via TCP/IP, server version 5.6.24-enterprise-commercial-advanced-log, protocol version 10 (0) [sql1] = ok (0) expiration: Account will expire at 'Dec 30 2035 00:00:00 CET' (0) [expiration] = ok (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = PAMRSA (0) # Executing group from file /opt/freeradius-3.0.9/etc/raddb/sites-enabled/default (0) Auth-Type PAMRSA { (0) pam-rsa: Using pamauth string "rsasecurid" for pam.conf lookup (0) pam-rsa: ERROR: pam_authenticate failed: Authentication failure (0) [pam-rsa] = reject (0) } # Auth-Type PAMRSA = reject (0) Failed to authenticate the user (0) Login incorrect (pam-rsa: pam_authenticate failed: Authentication failure): [ user_rsa ] (0) Using Post-Auth-Type Reject My error rsa.log unknow user ' user_rsa ' - -- Eric TANGUY Réseaux et Infrastructures Informatique DTI 1, rue Louis Lichou 29480 Le Relecq-Kerhuon www.arkea.com T. +33(0)298003671 -- Ce message et toutes les pieces jointes (ci-apres le "message") sont confidentiels et etablis a l'intention exclusive de ses destinataires. Toute utilisation ou diffusion non autorisee est interdite. Tout message etant susceptible d'alteration, l'emetteur decline toute responsabilite au titre de ce message s'il a ete altere, deforme ou falsifie. ----------------------------------- This message and any attachments (the "message") are confidential and intended solely for the addressees. Any unauthorised use or dissemination is prohibited. As e-mails are susceptible to alteration, the issuer shall not be liable for the message if altered, changed or falsified.