Hi, is it possible to configure freeradius to do something like "repeat until success". Im trying to authenticate local users at the same system freeradius is running on and I proxy requests to another radius server. I want to do this _without_ using realms. So if asking for local user and no success I want to continue proxying requests to another radius server. Is this possible in some way? Thanks for any advice Michael
Yes, I'm also interested in this feature. It's something like CISCO ACS does with the 'unknown user policy', where you can define other radius servers to ask if a user is not in the local radius. We are mantaining 2 ACSs because this feature, and we'd like to shut these servers down. Regards 2006/9/28, Proft, Michael <Proft@medizin.uni-leipzig.de>:
Hi,
is it possible to configure freeradius to do something like "repeat until success". Im trying to authenticate local users at the same system freeradius is running on and I proxy requests to another radius server. I want to do this _without_ using realms. So if asking for local user and no success I want to continue proxying requests to another radius server. Is this possible in some way?
Thanks for any advice
Michael
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"Proft, Michael" <Proft@medizin.uni-leipzig.de> wrote:
is it possible to configure freeradius to do something like "repeat until success". Im trying to authenticate local users at the same system freeradius is running on and I proxy requests to another radius server. I want to do this _without_ using realms. So if asking for local user and no success I want to continue proxying requests to another radius server. Is this possible in some way?
That sounds more like "look up in /etc/passwd, and if not found, proxy to X". That should be easy. Configure the "passwd" module to read /etc/passwd. Read "doc/configurable_failover" to see how to run the "files" module only if the "passwd" module returns "notfound". Then in the "users" file, do: DEFAULT Proxy-To-Realm := "realm" Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
-----Original Message----- From: freeradius-users-bounces+proft=medizin.uni- leipzig.de@lists.freeradius.org [mailto:freeradius-users- bounces+proft=medizin.uni-leipzig.de@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Thursday, September 28, 2006 6:43 PM To: FreeRadius users mailing list Subject: Re: repeat until success?
"Proft, Michael" <Proft@medizin.uni-leipzig.de> wrote:
is it possible to configure freeradius to do something like "repeat until success". Im trying to authenticate local users at the same system freeradius is running on and I proxy requests to another radius server. I want to do this _without_ using realms. So if asking for local user and no success I want to continue proxying requests to another radius server. Is this possible in some way?
That sounds more like "look up in /etc/passwd, and if not found, proxy to X". That should be easy.
Configure the "passwd" module to read /etc/passwd. Read "doc/configurable_failover" to see how to run the "files" module only if the "passwd" module returns "notfound". Then in the "users" file, do:
Hmm.... i cant get it to work :( How would the configuration part for passwd module look (linux) ? I read the configurable_failover but cant get this to work, or I just don't understand. Could you give some example Alan? Thanks
DEFAULT Proxy-To-Realm := "realm"
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"Proft, Michael" <Proft@medizin.uni-leipzig.de> wrote:
Hmm.... i cant get it to work :( How would the configuration part for passwd module look (linux) ?
Why not post what you did here? That would be the easiest way to solve the problem. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan DeKok schrieb:
"Proft, Michael" <Proft@medizin.uni-leipzig.de> wrote:
Hmm.... i cant get it to work :( How would the configuration part for passwd module look (linux) ?
Why not post what you did here? That would be the easiest way to solve the problem.
I guess there are many things wrong in my config, got almost no radiusd config expirience at all. Well at least radiusd starts with the conf.... i did the following, no idea if that format string makes any sense.... radiusd.conf, modules section: passwd passwd { filename = /etc/shadow format = "*User-Name:*User-Password:::::" hashsize = 50 delimiter = ":" } authorize looks like: authorize { preprocess redundant { passwd notfound = return } group { passwd { fail = 1 notfound = 2 noop = return ok = return updated = return reject = return userlock = return invalid = return handled = return } } in users file i got: DEFAULT Proxy-To-Realm := mrz in proxy.conf i got: realm mrz { type = radius authhost = xxx.xxx.xxx.xxx:1645 accthost = xxx.xxx.xxx.xxx:1646 secret = **** nostrip }
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Michael Proft <proft@medizin.uni-leipzig.de> wrote:
passwd passwd { filename = /etc/shadow format = "*User-Name:*User-Password:::::"
You've got two fields marked as key. See "man rlm_passwd".
authorize looks like:
authorize { preprocess redundant { passwd notfound = return }
Huh? Why are you doing that? The documentation does not have *any* example that looks like that. And the documentation explains how to create real "redundant" sections that work. It explains what they do, too.
group { passwd {
Again, why? I have no idea what you think you're doing here.
in users file i got:
And you didn't list "files" in "authorize", so the "users" file is never used. Stop making massing changes to the config. Start with the default configuration, and work from there. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (4)
-
Alan DeKok -
Michael Proft -
Proft, Michael -
R.L. Nevot