Proxy configuration with Free Radius
sumi
sumi.rs at gmail.com
Thu Jul 28 07:46:04 CEST 2005
Hi,
Could you please help me to resolve this issue?
The issue is:
CASE 1:
Step 1: I'm using the latest FreeRADIUS version. I have two radius servers
running in the same network. One is configured as the direct authentication
server, and this primary server forwards (proxies) the request to the second
radius server.
The primary radius server's radius.conf file has the configuration in the
authorize module as:
authorize {
preprocess
eap
mschap
suffix
# ldap
}
Step 2: I'm sending an authentication request to the primary server, which
in turn forwards the request to the second server (basically proxies the
request).
Result: Authentication success. And the user got connected to the WLAN - X.
CASE 2:
I'm changing the authorize module of the primary server to:
STEP 1:
authorize {
preprocess
eap
mschap
suffix
# I'm uncommenting ldap
ldap
}
STEP 2: Same as previous.
LDAP is not connected to the primary server.
Result:
rad_recv: Access-Request packet from host 192.168.0.1:12590, id=90, length=177
User-Name = "anonymous at symbol.com"
Called-Station-Id = "00:a0:f8:bc:b4:3c"
Calling-Station-Id = "00:0f:66:4f:54:41"
NAS-Port = 1
NAS-Port-Type = Wireless-802.11
Framed-MTU = 1400
NAS-IP-Address = 192.168.0.1
NAS-Identifier = "WS2000"
Vendor-388-Attr-2 = 0x73756d695f72616474657374
EAP-Message = 0x0201001901616e6f6e796d6f75734073796d626f6c2e636f6d
Message-Authenticator = 0xf2ffcd4c14e14277dde2bf1d7b66e41f
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 23
modcall[authorize]: module "preprocess" returns ok for request 23
modcall[authorize]: module "chap" returns noop for request 23
modcall[authorize]: module "mschap" returns noop for request 23
rlm_realm: Looking up realm "symbol.com" for User-Name = "anonymous at symbol.com"
rlm_realm: Found realm "symbol.com"
rlm_realm: Proxying request from user anonymous to realm symbol.com
rlm_realm: Adding Realm = "symbol.com"
rlm_realm: Preparing to proxy authentication request to realm "symbol.com"
modcall[authorize]: module "suffix" returns updated for request 23
rlm_eap: Request is supposed to be proxied to Realm symbol.com. Not doing EAP.
modcall[authorize]: module "eap" returns noop for request 23
users: Matched entry anonymous at symbol.com at line 96
modcall[authorize]: module "files" returns ok for request 23
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous at symbol.com
radius_xlat: '(uid=anonymous at symbol.com)'
radius_xlat: 'o=My Org,c=UA'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.your.domain:389, authentication 0
rlm_ldap: bind as / to ldap.your.domain:389
rlm_ldap: bind to ldap.your.domain:389 failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns fail for request 23
modcall: group authorize returns fail for request 23
Sending Access-Request of id 8 to 157.235.206.67:1812
User-Name = "anonymous at symbol.com"
Called-Station-Id = "00:a0:f8:bc:b4:3c"
Calling-Station-Id = "00:0f:66:4f:54:41"
NAS-Port = 1
NAS-Port-Type = Wireless-802.11
Framed-MTU = 1400
NAS-IP-Address = 192.168.0.1
NAS-Identifier = "WS2000"
Vendor-388-Attr-2 = 0x73756d695f72616474657374
EAP-Message = 0x0201001901616e6f6e796d6f75734073796d626f6c2e636f6d
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x3930
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.1:12590, id=90, length=177
Dropping conflicting packet from client ws2k:12590 - ID: 90 due to unfinished request 23
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
Re-sending Access-Request of id 8 to 157.235.206.67:1812
User-Name = "anonymous at symbol.com"
Called-Station-Id = "00:a0:f8:bc:b4:3c"
Calling-Station-Id = "00:0f:66:4f:54:41"
NAS-Port = 1
NAS-Port-Type = Wireless-802.11
Framed-MTU = 1400
NAS-IP-Address = 192.168.0.1
NAS-Identifier = "WS2000"
Vendor-388-Attr-2 = 0x73756d695f72616474657374
EAP-Message = 0x0201001901616e6f6e796d6f75734073796d626f6c2e636f6d
Message-Authenticator = 0x00000000000000000000000000000000
Client-IP-Address = 192.168.0.1
Realm = "symbol.com"
EAP-Type = Identity
Realm = "symbol.com"
Proxy-State = 0x3930
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 192.168.0.1:12590, id=90, length=177
Dropping conflicting packet from client ws2k:12590 - ID: 90 due to unfinished request 23
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
Re-sending Access-Request of id 8 to 157.235.206.67:1812
User-Name = "anonymous at symbol.com"
Called-Station-Id = "00:a0:f8:bc:b4:3c"
Calling-Station-Id = "00:0f:66:4f:54:41"
NAS-Port = 1
NAS-Port-Type = Wireless-802.11
Framed-MTU = 1400
NAS-IP-Address = 192.168.0.1
NAS-Identifier = "WS2000"
Vendor-388-Attr-2 = 0x73756d695f72616474657374
EAP-Message = 0x0201001901616e6f6e796d6f75734073796d626f6c2e636f6d
Message-Authenticator = 0x00000000000000000000000000000000
Client-IP-Address = 192.168.0.1
Realm = "symbol.com"
EAP-Type = Identity
Realm = "symbol.com"
Proxy-State = 0x3930
Waking up in 5 seconds...
--- Walking the entire request list ---
Server rejecting request 23.
marking authentication server 157.235.206.67:1812 for realm symbol.com dead
Waking up in 0 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 90 to 192.168.0.1:12590
Cleaning up request 23 ID 90 with timestamp 42e83888
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.0.1:12591, id=91, length=177
User-Name = "anonymous at symbol.com"
Called-Station-Id = "00:a0:f8:bc:b4:3c"
Calling-Station-Id = "00:0f:66:4f:54:41"
NAS-Port = 1
NAS-Port-Type = Wireless-802.11
Framed-MTU = 1400
NAS-IP-Address = 192.168.0.1
NAS-Identifier = "WS2000"
Vendor-388-Attr-2 = 0x73756d695f72616474657374
EAP-Message = 0x0201001901616e6f6e796d6f75734073796d626f6c2e636f6d
Message-Authenticator = 0x9e6c2754c62012077fa29b7696d5755e
Processing the authorize section of radiusd.conf
My doubt is: why do we need to have an ldap setting for the proxy requests?
When the secondary server gets the request for the first time, it says
Access-Accept. But from the next time onwards it rejects the user.
Please help me in this regard. Awaiting your earliest reply.
Thanks & Regards
Sumi
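Added example, not part of the original post or of FreeRADIUS: the debug trace above prints the EAP-Message attribute as raw hex, and decoding it shows what the suffix (rlm_realm) module acted on. The hex 0x0201001901616e6f6e796d6f75734073796d626f6c2e636f6d is an EAP Response (code 2, id 1, length 25) of type Identity carrying "anonymous@symbol.com" (the archive renders the @ as " at "), which is exactly the identity the realm split and the proxy decision were based on. The trace excerpt in the code is constructed from the attribute values quoted in the post; the function names are ours.

```python
import re

# Constructed excerpt modelled on the rad_recv block quoted in the post; the
# attribute values are copied from the post, the surrounding lines are ours.
SAMPLE_TRACE = """\
rad_recv: Access-Request packet from host 192.168.0.1:12590, id=90, length=177
        User-Name = "anonymous@symbol.com"
        EAP-Message = 0x0201001901616e6f6e796d6f75734073796d626f6c2e636f6d
        Message-Authenticator = 0xf2ffcd4c14e14277dde2bf1d7b66e41f
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


def attribute(trace: str, name: str) -> str:
    """Return the value of the first `Name = value` line in a radiusd -X trace."""
    m = re.search(rf"^\s*{re.escape(name)} = (.+?)\s*$", trace, re.M)
    if not m:
        raise KeyError(name)
    return m.group(1).strip('"')


def parse_eap(raw: bytes) -> dict:
    """Decode an EAP packet (RFC 3748 sec. 4): Code, Identifier, Length, Type."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):  # reject truncated or padded attribute contents
        raise ValueError(f"EAP Length {length} disagrees with {len(raw)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):  # Request/Response carry a Type byte and type data
        pkt["type"] = raw[4]
        if raw[4] == EAP_TYPE_IDENTITY:
            pkt["identity"] = raw[5:].decode("utf-8")
    return pkt


def analyse(trace: str) -> dict:
    """Decode EAP-Message and split the identity on '@' as the suffix module does."""
    eap = parse_eap(bytes.fromhex(attribute(trace, "EAP-Message")[2:]))
    identity = eap.get("identity", "")
    user, sep, realm = identity.rpartition("@")
    return {
        "eap": eap,
        "identity_matches_user_name": identity == attribute(trace, "User-Name"),
        "user": user if sep else identity,
        "realm": realm if sep else None,
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_TRACE))
```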