rlm_proxy problems

Geoff Silver geoff+freeradius at uslinux.net
Mon Aug 21 14:23:07 CEST 2006


The patch applies to 1.1.0, but neither the patched 1.1.0 nor a patched 1.1.2 
fixes the problem.

On the concentrator, successful auths look like:

36557 08/21/2006 08:16:24.270 SEV=4 IKE/52 RPT=42919 68.100.177.222
Group [OFFICE] User [hockingmr] User (hockingmr) authenticated.

36562 08/21/2006 08:16:25.230 SEV=4 IKE/119 RPT=62782 68.100.177.222
Group [OFFICE] User [hockingmr] PHASE 1 COMPLETED

where the failures look like:

36141 08/21/2006 08:13:10.640 SEV=3 AUTH/5 RPT=30061 69.175.180.60
Authentication rejected: Reason = Unspecified handle = 6, server = 
205.188.136.151, user = suzannebd, domain = <not specified>

although I see the same effect when using radclient:

Sending Access-Request of id 106 to 127.0.0.1 port 1645
         User-Name = "bob"
         User-Password = "password"
         NAS-IP-Address = 127.0.0.1
         NAS-Port = 1
rad_recv: Access-Accept packet from host 127.0.0.1:1645, id=106, length=43
         Account-Flags = 587300864
         Connect-Info = "OFFICE"

then:

Sending Access-Request of id 121 to 127.0.0.1 port 1645
         User-Name = "bob"
         User-Password = "password"
         NAS-IP-Address = 127.0.0.1
         NAS-Port = 1
rad_recv: Access-Reject packet from host 127.0.0.1:1645, id=121, length=2

I'm at a loss, and without being able to proxy auth to another server, my 
entire infrastructure is useless.  The worst part of this is that I haven't 
been able to re-create it except in a production environment... for whatever 
reason, just running a half dozen simultaneous auths with radclient doesn't 
seem to cause this.

Ideas?  Thanks.

Alan DeKok wrote:
> Geoff Silver <geoff+freeradius at uslinux.net> wrote:
>> Red Hat Enterprise Linux 3.0.  Also has the same build issues on my Red Hat 
>> EL4.0 dev system.
> 
>   Weird.  It works for me on FC4, and many other OSes.
> 
>> We were previously using FreeRADIUS 1.1.0, which built fine.  IIRC,
>> the problem surfaced in 1.1.1, which is why we're still using 1.1.0
>> (was hoping it would be fixed in 1.1.2...)
> 
>   Maybe 1.1.3.
> 
>   So... does the patch in the bug apply to 1.1.0, and does it solve
> the problem?
> 
>   Alan DeKok.
> --
>   http://deployingradius.com       - The web site of the book
>   http://deployingradius.com/blog/ - The blog