Using freeradius 1.1.6: I'm trying to establish a sequential auth order, but it seems I'm missing the boat on something. The goal is the following auth order, in iteration: 1) Check for local users in MySQL table 2) Proxy the request to another server 3) Use the local 'users' file (that is to permit all users, by default) In the 'authorize' clause, I have tried several configurations, but none seem to work as expected. In its most basic form, it was: authorize { preprocess sql suffix files } I have also tried modifying the clause using the 'redundant' and 'group' token: authorize { preprocess redundant { sql { notfound = 4 fail = 4 } suffix { notfound = 1 reject = 2 updated = 3 fail = 4 } } files } And lots of variations thereof. What seems to happen consistently, is that the 'suffix' clause supersedes the 'files' module, that is configured to permit all by default. Below is the debug: rad_recv: Access-Request packet from host 127.0.0.1:44323, id=85, length=59 User-Name = "xyzuser" User-Password = "foo" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall: entering group redundant for request 0 radius_xlat: 'xyzuser' rlm_sql (sql): sql_set_user escaped user --> 'xyzuser' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'xyzuser' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 4 rlm_sql (sql): User xyzuser not found in radcheck radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'xyzuser' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'xyzuser' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): User xyzuser not found in radgroupcheck rlm_sql (sql): Released sql socket id: 4 rlm_sql (sql): User not found modcall[authorize]: module "sql" returns notfound for request 0 rlm_realm: No '@' in User-Name = "xyzuser", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "xyzuser" rlm_realm: Proxying request from user xyzuser to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Preparing to proxy authentication request to realm "NULL" modcall[authorize]: module "suffix" returns updated for request 0 modcall: leaving group redundant (returns notfound) for request 0 users: Matched entry DEFAULT at line 1 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 Sending Access-Request of id 0 to [DELETED] port 1645 User-Name = "xyzuser" User-Password = "foo" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Proxy-State = 0x3835 --- Walking the entire request list --- Waking up in 1 seconds... rad_recv: Access-Reject packet from host [DELETED]:1645, id=0, length=73 Nortel-Attr-1 = 0x00000000 Nortel-Attr-2 = 0x756e6b6e6f776e5f7573657220 Nortel-Attr-4 = 0x4e6f20737563682075736572 Login incorrect (Home Server says so): [xyzuser/foo] (from client localhost port 0) Delaying request 0 for 1 seconds Finished request 0 Going to the next request If I move the 'files' module before the 'suffix' module in the 'authorize' clause, it works fine. Again, it seems that the proxy over-rides any further processing, despite changing the priorities. Could anyone provide some idea as to what I'm missing, or how to make this work? Thank you in advance for any help! - Chris
Christopher Fournier wrote:
Using freeradius 1.1.6: I'm trying to establish a sequential auth order, but it seems I'm missing the boat on something. The goal is the following auth order, in iteration:
1) Check for local users in MySQL table 2) Proxy the request to another server 3) Use the local 'users' file (that is to permit all users, by default)
It doesn't work that way. Proxying is really an authentication step, and the "users" file gets run during the authorization step. Also, if the home server returns reject, then that's pretty much it. You can't then go accept the user. I suggest changing the rules to: 1) check for local users in MySQL 2) if notfound, check for realms A, B, C, D && proxy to another server 3) else accept the user Alan DeKok.
participants (2)
-
Alan DeKok -
Christopher Fournier