cannot return access accept from proxy to client

Wilson Lie wilson.lie at ithlgroup.com
Wed Sep 21 16:57:39 CEST 2005


Yes, as Host B is used as both proxy and also authentication server depending on the realm received.
 
When host B acts  as  a authentication server, the [sql] in post-auth is used to log some message for 
that particular username.
 
When host B acts as a proxy, the [sql] failed as the username from access-accept is missing.
 
Therefore, any method that can avoid the case such that [sql] won't be invoked when host B acts as a proxy ? 

	-----Original Message----- 
	From: Paolo Rotela [mailto:paolo.rotela at bluetelecom.com] 
	Sent: 2005/9/21 [星期三] 下午 08:28 
	To: FreeRadius users mailing list 
	Cc: 
	Subject: Re: cannot return access accept from proxy to client
	
	
	Seeing your output, it says that it's failing because "post-auth" module is failing due to the fail of the "sql" module invoked. Lookup your radiusd.conf file, and see why you are using sql in post-auth, and see if this setup is correct.

		----- Original Message ----- 
		From: Wilson Lie <mailto:wilson.lie at ithlgroup.com>  
		To: freeradius-users at lists.freeradius.org 
		Sent: Wednesday, September 21, 2005 5:58 AM
		Subject: cannot return access accept from proxy to client

		Hi all,
		 
		I encountered a problem during authentication request. Would you give me a hand ?
		Many thanks!
		 
		Configuration:
		Host A   ( Radius server)
		Host B   ( proxy all requests to host A )
		 
		 
		Problem:
		1) Access-Request  is sent to  Host B from client
		2) Host B proxy request to Host A
		3) Host A sends Access-Accept  to Host B
		4) Host B receive Access-Accept from Host A
		5)   Host B sends Access-Reject   to  client    ( log message comes below)
		 
		*My question is how can I set radius such that it can send the access-accept to client ?
		================================================================
		rad_recv: Access-Accept packet from host xxx.xxx.xxx.xxx:1812, id=3, length=156
		
		Processing the authorize section of radiusd.conf
		modcall: entering group authorize for request 3
		  hints: Matched DEFAULT at 81
		  modcall[authorize]: module "preprocess" returns ok for request 3
		radius_xlat:  '/usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/auth-detail-20050921'
		rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/auth-detail-20050921
		  modcall[authorize]: module "auth_log" returns ok for request 3
		    rlm_realm: Proxy reply, or no User-Name.  Ignoring.
		  modcall[authorize]: module "suffix" returns noop for request 3
		    users: Matched entry DEFAULT at line 168
		  modcall[authorize]: module "files" returns ok for request 3
		modcall: group authorize returns ok for request 3
		  rad_check_password:  Found Auth-Type SQL
		  rad_check_password: Auth-Type = Accept, accepting the user
		Login OK: [99009900 at realm/8F4Lf0T] (from client ivrs port 0 cli 00-0C-41-2F-00-71)
		  Processing the post-auth section of radiusd.conf
		modcall: entering group post-auth for request 3
		radius_xlat:  '/usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/reply-detail-20050921'
		rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/reply-detail-20050921
		  modcall[post-auth]: module "reply_log" returns ok for request 3
		rlm_sql (sql): Processing sql_postauth
		radius_xlat:  ''
		  modcall[post-auth]: module "sql" returns fail for request 3
		modcall: group post-auth returns fail for request 3
		Delaying request 3 for 1 seconds
		Finished request 3
		=======================================================================
		 
		 
		 
		
		 
		 
		___________________________________________________
		(c) 2005 Interactive Technology Holdings Limited Group.
		All rights reserved.
		
		CONFIDENTIALITY: This communication and any attachment(s)
		is intended solely for the person or organisation to which
		it is addressed and it may be confidential. This
		communication may contain confidential or legally privileged
		material and may not be copied, redistributed or published
		(in whole or in part) without our prior written consent.
		This communication may have been intercepted, partially
		destroyed, arrive late, incomplete or contain viruses and no
		liability is accepted by any member of the Interactive
		Technology Holdings Limited Group as a result. If you are
		not the intended recipient, employee or agent responsible
		for delivering the message to the intended recipient you
		must not copy, disclose, distribute or take any action in
		reliance on it. If you have received this communication in
		error, please immediately reply and highlight the error to
		the sender immediately and destroy the original from your
		computer.
		

		
  _____  


		

		- 
		List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




____________________________________________________________
(c) 2005 Interactive Technology Holdings Limited Group.
All rights reserved.

CONFIDENTIALITY: This communication and any attachment(s)
is intended solely for the person or organisation to which
it is addressed and it may be confidential.  This
communication may contain confidential or legally privileged
material and may not be copied, redistributed or published
(in whole or in part) without our prior written consent.
This communication may have been intercepted, partially
destroyed, arrive late, incomplete or contain viruses and no
liability is accepted by any member of the Interactive
Technology Holdings Limited Group as a result.  If you are
not the intended recipient, employee or agent responsible
for delivering the message to the intended recipient you
must not copy, disclose, distribute or take any action in
reliance on it.  If you have received this communication in
error, please immediately reply and highlight the error to
the sender immediately and destroy the original from your
computer.




More information about the Freeradius-Users mailing list