Proxy Question

Reynold McGuire rmcguire at suffolk.edu
Fri Apr 21 15:01:27 CEST 2006


Thanks for the reply.

I forgot to mention that I had 'ntdomain' added to the authorize stanza.

The request is getting to my IAS server, but IAS doesn't understand
"DOMAIN\username"; it does, at least in my implementation, understand
"username at domain"...

Is there a way to get "DOMAIN\username" converted to "username at domain"?

This is also using the radtest program with the following input:

./radtest "adm.suffolk.edu\\\\rmcguire" "password" 127.0.0.1 20 secret


Here is radiusd -X
 
root at ACAD1:5:./radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /apps/renn/freeRadius/etc/raddb/proxy.conf
Config:   including file: /apps/renn/freeRadius/etc/raddb/clients.conf
Config:   including file: /apps/renn/freeRadius/etc/raddb/snmp.conf
Config:   including file: /apps/renn/freeRadius/etc/raddb/eap.conf
Config:   including file: /apps/renn/freeRadius/etc/raddb/sql.conf
 main: prefix = "/apps/renn/freeRadius"
 main: localstatedir = "/apps/renn/freeRadius/var"
 main: logdir = "/apps/renn/freeRadius/var/log/radius"
 main: libdir = "/apps/renn/freeRadius/lib"
 main: radacctdir = "/apps/renn/freeRadius/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/apps/renn/freeRadius/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/apps/renn/freeRadius/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/apps/renn/freeRadius/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /apps/renn/freeRadius/lib
Module: Loaded exec 
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap) 
Module: Loaded System 
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/apps/renn/freeRadius/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix) 
Module: Loaded eap 
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = yes
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/apps/renn/freeRadius/etc/raddb/certs/cert-srv.pem"
 tls: certificate_file = "/apps/renn/freeRadius/etc/raddb/certs/cert-srv.pem"
 tls: CA_file = "/apps/renn/freeRadius/etc/raddb/certs/root.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/apps/renn/freeRadius/etc/raddb/certs/dh"
 tls: random_file = "/apps/renn/freeRadius/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 ttls: default_eap_type = "mschapv2"
 ttls: copy_request_to_tunnel = no
 ttls: use_tunneled_reply = yes
rlm_eap: Loaded and initialized type ttls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups = "/apps/renn/freeRadius/etc/raddb/huntgroups"
 preprocess: hints = "/apps/renn/freeRadius/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = yes
Module: Instantiated realm (suffix) 
 realm: format = "prefix"
 realm: delimiter = "\"
 realm: ignore_default = no
 realm: ignore_null = yes
Module: Instantiated realm (ntdomain) 
Module: Loaded files 
 files: usersfile = "/apps/renn/freeRadius/etc/raddb/users"
 files: acctusersfile = "/apps/renn/freeRadius/etc/raddb/acct_users"
 files: preproxy_usersfile = "/apps/renn/freeRadius/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files) 
Module: Loaded Acct-Unique-Session-Id 
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique) 
Module: Loaded detail 
 detail: detailfile = "/apps/renn/freeRadius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail) 
Module: Loaded radutmp 
 radutmp: filename = "/apps/renn/freeRadius/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp) 
Listening on authentication *:1645
Listening on accounting *:1646
Listening on proxy *:1647
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:34507, id=40, length=76
        User-Name = "adm.suffolk.edu\\rmcguire"
        User-Password = "password"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 20
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "adm.suffolk.edu\rmcguire", skipping NULL due to config.
  modcall[authorize]: module "suffix" returns noop for request 0
    rlm_realm: Looking up realm "adm.suffolk.edu" for User-Name = "adm.suffolk.edu\rmcguire"
    rlm_realm: Found realm "adm.suffolk.edu"
    rlm_realm: Proxying request from user rmcguire to realm adm.suffolk.edu
    rlm_realm: Adding Realm = "adm.suffolk.edu"
    rlm_realm: Preparing to proxy authentication request to realm "adm.suffolk.edu"
  modcall[authorize]: module "ntdomain" returns updated for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 153
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
Sending Access-Request of id 0 to 10.18.1.37 port 1812
        User-Name = "adm.suffolk.edu\\rmcguire"
        User-Password = "t<W at mcore~!"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 20
        Proxy-State = 0x3430
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Reject packet from host 10.18.1.37:1812, id=0, length=24
        Proxy-State = 0x3430
  Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 0
  modcall[post-proxy]: module "eap" returns noop for request 0
modcall: leaving group post-proxy (returns noop) for request 0
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:34507, id=40, length=76
Sending Access-Reject of id 40 to 127.0.0.1 port 34507
--- Walking the entire request list ---
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 40 with timestamp 4448d631
Nothing to do.  Sleeping until we see a request.
-----Original Message-----
From: Bjørn Mork [mailto:bjorn at mork.no] 
Sent: Friday, April 21, 2006 8:42 AM
To: rmcguire at suffolk.edu
Cc: FreeRadius users mailing list
Subject: Re: Proxy Question

"Reynold McGuire" <rmcguire at suffolk.edu> writes:

> How can I get freeRadius to see "domain.com\username" and convert that 
> to "username at domain.com" and proxy that off?

If you need both styles:

modules {
        ..
        realm suffix {
                format = suffix
                delimiter = "@"
                ignore_default = no
                ignore_null = yes
        }
        realm ntdomain {
                format = prefix
                delimiter = "\\"
                ignore_default = no
                ignore_null = yes
        }       
        ..
}

authorize {
        ..
        suffix
        ntdomain
        ..
}

Please run radiusd -X if this doesn't work.



Bjørn
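Added example (not FreeRADIUS code and not from either poster): a Python emulation of the split the two realm instances in Bjørn's config perform, run in the same authorize order (suffix, then ntdomain), followed by the "user@realm" rewrite that the original question asks for. The class and function names are the example's own; the ignore_null behaviour mirrors the "skipping NULL due to config" line in the debug output above.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class RealmInstance:
    """One 'realm <name> { format, delimiter, ignore_null }' block."""
    name: str          # instance name, e.g. "suffix" or "ntdomain"
    fmt: str           # "suffix" (user@realm) or "prefix" (realm\user)
    delimiter: str     # "@" or "\\"
    ignore_null: bool = True

    def split(self, user_name: str) -> Optional[Tuple[str, str]]:
        """Return (realm, stripped_user), or None if this instance does not apply."""
        if self.delimiter not in user_name:
            # ignore_null = yes: no delimiter means this instance skips the request
            return None
        if self.fmt == "suffix":
            # realm is everything after the LAST delimiter: rmcguire@adm.suffolk.edu
            user, _, realm = user_name.rpartition(self.delimiter)
        elif self.fmt == "prefix":
            # realm is everything before the FIRST delimiter: adm.suffolk.edu\rmcguire
            realm, _, user = user_name.partition(self.delimiter)
        else:
            raise ValueError(f"unknown realm format {self.fmt!r}")
        if not realm or not user:
            return None   # "\\rmcguire" or "rmcguire@" carries no usable realm
        return realm, user


# Same order as the authorize section in the quoted reply: suffix first, then ntdomain.
AUTHORIZE = (
    RealmInstance("suffix", "suffix", "@"),
    RealmInstance("ntdomain", "prefix", "\\"),
)


def resolve_realm(user_name, instances=AUTHORIZE):
    """First instance whose delimiter matches wins; returns (instance, realm, user)."""
    for inst in instances:
        hit = inst.split(user_name)
        if hit is not None:
            return (inst.name, *hit)
    return None


def to_suffix_form(user_name, instances=AUTHORIZE):
    """Rewrite a recognised name into user@realm; names without a realm pass through."""
    hit = resolve_realm(user_name, instances)
    if hit is None:
        return user_name
    _, realm, user = hit
    return f"{user}@{realm}"
```

The example only models the User-Name parsing; the realm lookup in proxy.conf and the proxied packet itself are not emulated.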