Hi,

  Its been a long time, as the freeRADIUS software Ive being using for the last 3 years hasnt needed looking at since installation.

  So a big thank you to the development team J

  However, as with most things its so good Ive now got to redesign and re-implement to encompass more of our infrastructure, and Im having problems.

  I have a number of settings in the _users_ file that are based on the _Called_Station_ID_ then proxy the requests to a specified REALM.

  i.e.

    DEFAULT     Called-Station-Id == <a telephone number>, Proxy-To-Realm := NULL

                Fall-Through = Yes

     DEFAULT    Called-Station-Id == <another telephone number>, Proxy-To-Realm := NULL

                Fall-Through = Yes

     DEFAULT    Called-Station-Id == <yet another number>, Proxy-To-Realm := SPECIAL

                Fall-Through = Yes

Now, the NULL realm is defined in the proxy.conf file as:

    realm NULL {

        type    = radius

        authhost        = radiusserver.some.domain:1645

        accthost        = radiusserver.some.domain:1646

        Secret  = radiussecret

      }

This works and actually points to a MS IAS server going against an NT4 Domain.

Now I need to authenticate a different set of users (who dial a different number) against an LDAP repository, so as you can see from my _users_ file I direct them at the SPECIAL realm, which I have set as follows in proxy.conf:

    realm SPECIAL {

        type    = radius

        authhost        = LOCAL

        accthost        = LOCAL

    }

 

My plan was for this to then use the local radius server, which has an _ldap_ module configure, which from what I can make out is working:

    ldap {

        server = 127.0.0.1

        basedn = dc=some,dc=domain,dc=co,dc=uk

        filter = (uid=%u)

        start_tls = no

        dictionary_mapping = ${raddbdir}/ldap.attrmap

        ldap_connections_number = 5

        timeout = 4

        timelimit = 3

        net_timeout = 1

    }

And then in the authorize and authenticate sections simply include _ldap_

    authorize {

        preprocess

        chap

        eap

        ldap

        files

        mschap

    }

    authenticate {

        Auth-Type PAP {

                pap

        }

        Auth-Type CHAP {

                chap

        }

        Auth-Type {

                mschap

        }

        unix

        ldap

        eap

    }

Now all I see when using NTRadping, and sending the additional _Called_Station_Id_ attribute set to the required number is the following in my _radius.log_

    Error: Dropping packet from client Dave_Test:2328 ID: 2 due to dead request 5018

When I run the radiusd with the X flag (bearing in mind its an Production Service) I can make out the call being made to my LDAP server and a rlm_ldap authorize, but then the request just finishes without giving me and Access-Accept packet, and the relevant settings from the _radreply_ table in the Postgres Database?

rad_recv: Access-Request packet from host xx.xx.xx.xx:2796, id=4, length=62

        User-Name = "unextest20"

        User-Password = "nexus"

        Called-Station-Id = "xxxxxxxxxx"

rad_lowerpair:  User-Name now 'unextest20'

modcall: entering group authorize for request 14

  modcall[authorize]: module "preprocess" returns ok for request 14

  modcall[authorize]: module "chap" returns noop for request 14

  modcall[authorize]: module "eap" returns noop for request 14

    rlm_realm: No '@' in User-Name = "unextest20", looking up realm NULL

    rlm_realm: Found realm "NULL"

    rlm_realm: Adding Stripped-User-Name = "unextest20"

    rlm_realm: Proxying request from user unextest20 to realm NULL

    rlm_realm: Adding Realm = "NULL"

    rlm_realm: Preparing to proxy authentication request to realm "NULL"

  modcall[authorize]: module "suffix" returns updated for request 14

radius_xlat:  'unextest20'

rlm_sql (sql): sql_set_user escaped user --> 'unextest20'

radius_xlat:  'SELECT id, UserName, Attribute, Value, Op ??FROM radcheck ??WHERE Username = 'unextest20' ??ORDER BY id'

rlm_sql (sql): Reserving sql socket id: 8

rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op ??FROM radcheck ??WHERE Username = 'unextest20' ??ORDER BY id

rlm_sql_postgresql: Status: PGRES_TUPLES_OK

rlm_sql_postgresql: affected rows =

radius_xlat:  'SELECT radgroupcheck.id, radgroupcheck.GroupName, ??radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op ??FROM radgroupcheck, usergroup ??WHERE usergroup.Username = 'unextest20' AND usergroup.GroupName = radgroupcheck.GroupName ??ORDER BY radgroupcheck.id'

rlm_sql_postgresql: query: SELECT radgroupcheck.id, radgroupcheck.GroupName, ??radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op ??FROM radgroupcheck, usergroup ??WHERE usergroup.Username = 'unextest20' AND usergroup.GroupName = radgroupcheck.GroupName ??ORDER BY radgroupcheck.id

rlm_sql_postgresql: Status: PGRES_TUPLES_OK

rlm_sql_postgresql: affected rows =

radius_xlat:  'SELECT id, UserName, Attribute, Value, Op ??FROM radreply ??WHERE Username = 'unextest20' ??ORDER BY id'

rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op ??FROM radreply ??WHERE Username = 'unextest20' ??ORDER BY id

rlm_sql_postgresql: Status: PGRES_TUPLES_OK

rlm_sql_postgresql: affected rows =

radius_xlat:  'SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, ??radgroupreply.Value, radgroupreply.Op ??FROM radgroupreply,usergroup ??WHERE usergroup.Username = 'unextest20' AND usergroup.GroupName = radgroupreply.GroupName ??ORDER BY radgroupreply.id'

rlm_sql_postgresql: query: SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, ??radgroupreply.Value, radgroupreply.Op ??FROM radgroupreply,usergroup ??WHERE usergroup.Username = 'unextest20' AND usergroup.GroupName = radgroupreply.GroupName ??ORDER BY radgroupreply.id

rlm_sql_postgresql: Status: PGRES_TUPLES_OK

rlm_sql_postgresql: affected rows =

rlm_sql (sql): Released sql socket id: 8

  modcall[authorize]: module "sql" returns ok for request 14

rlm_ldap: - authorize

rlm_ldap: performing user authorization for unextest20

radius_xlat:  '(uid=unextest20)'

radius_xlat:  'dc=some,dc=domain,dc=co,dc=uk'

ldap_get_conn: Got Id: 0

rlm_ldap: performing search in dc=some,dc=domain,dc=co,dc=uk, with filter (uid=unextest20)

rlm_ldap: looking for check items in directory...

rlm_ldap: looking for reply items in directory...

rlm_ldap: user unextest20 authorized to use remote access

ldap_release_conn: Release Id: 0

  modcall[authorize]: module "ldap" returns ok for request 14

    users: Matched DEFAULT at 90

  modcall[authorize]: module "files" returns ok for request 14

  modcall[authorize]: module "mschap" returns noop for request 14

modcall: group authorize returns updated for request 14

Finished request 14

Im kinda lost and going round in circles at the minute.

If one of you guys has had to do something similar, or can see any glaring omissions in my config (which I seem to think there is) could you please point me in the right direction.

TIA

Dave Shepherd