realm based proxy not working

Stephen Walsh S.Walsh at signadou.acu.edu.au
Thu Feb 2 04:36:40 CET 2006





Hi Folks

I'm trying to get my Radius server handling requests for other realms now,
and have been unsuccessful in the process. Despite my best efforts, the
radius server ignores that the login realm is incorrect and attempts to
authenticate the user against my LDAP tree.

Startup with debug shows it's being loaded:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf

<snip>

 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no

Proxy.conf has;

realm DEFAULT {
        type            = radius
        authhost        = xx.xx.xx.xx:1812
        accthost        = xx.xx.xx.xx.4:1813
        secret          = <snip>
        nostrip
}

realm DEFAULT {
        type            = radius
        authhost        = yy.yy.yy.yy:1812
        accthost        = yy.yy.yy.yy:1813
        secret          = <snip>
        nostrip
}

realm acu.edu.au {
        type            = radius
        authhost        = LOCAL
        accthost        = LOCAL
        strip
}

Radiusd.conf has

# PROXY CONFIGURATION
#
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf

#realm module
        #  'username@realm'
        #
        realm suffix {
                format = suffix
                delimiter = "@"
                ignore_default = no
                ignore_null = yes
        }

authorize {
                preprocess
                suffix
                auth_log
                eap
                ldap1
                ldap2
                ldap3
                ldap4
                ldap5
                ldap6
                ldap7
                }

The logon is reaching the radius server with the correct realm, can anyone
shed any light on this behaviour?

I've tried it with our local domain both above and below the default
entries, but without luck.


Stephen Walsh
s.walsh at signadou.acu.edu.au
Client Support Officer (Technology)
Australian Catholic University (Limited)
PO Box 256, Dickson ACT 2602
Phone: +61 2 6209 1133
Fax: +61 2 6209 1179
Mobile: +61 419 496796
+++++++++++++++++++++++++++++++++++++++++++++++++
CRICOS Registration: 00004G, 00112C, 00873F, 00885B
ABN 15 050 192 660

+++++++++++++++++++++++++++++++++++++++++++++++++
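
Added example, not part of the original post and not FreeRADIUS code: a simplified model of the routing that the suffix realm settings and proxy.conf above ask for, so the expected outcome per User-Name can be compared with the debug output. The user names and example.org are constructed; only the first DEFAULT entry is modelled, and exact-match realm lookup is an assumption of the model.

```python
# Simplified model of suffix realm selection; NOT FreeRADIUS source code.
# Realm table mirrors the proxy.conf in the post (hosts stay redacted as posted).
REALMS = {
    "acu.edu.au": {"authhost": "LOCAL", "strip": True},
    "DEFAULT": {"authhost": "xx.xx.xx.xx:1812", "strip": False},
}


def route(user_name, delimiter="@", ignore_default=False, ignore_null=True):
    """Return (action, realm, name); name is the user name handed onward."""
    # format = suffix: the realm is whatever follows the LAST delimiter.
    local, sep, realm = user_name.rpartition(delimiter)
    if not sep:
        # No delimiter means no realm part (the "NULL" realm).
        if ignore_null or "NULL" not in REALMS:
            return ("local", None, user_name)
        local, realm = user_name, "NULL"

    entry = REALMS.get(realm)  # exact match: an assumption of this model
    if entry is None:
        # Unknown realm: falls to DEFAULT unless ignore_default = yes.
        if ignore_default or "DEFAULT" not in REALMS:
            return ("local", None, user_name)
        realm, entry = "DEFAULT", REALMS["DEFAULT"]

    # strip / nostrip decides whether the realm suffix is removed.
    name = local if entry["strip"] else user_name
    if entry["authhost"] == "LOCAL":
        return ("local", realm, name)
    return ("proxy:" + entry["authhost"], realm, name)


if __name__ == "__main__":
    # Constructed sample user names.
    for sample in ("swalsh@acu.edu.au", "guest@example.org", "swalsh"):
        print(sample, "->", route(sample))
```

With the posted settings (ignore_default = no, ignore_null = yes) only a name carrying a realm other than acu.edu.au should come back as a proxy action; the realm module's debug lines for the same request show which branch the server actually took.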



