Proxy problem in FreeRADIUS 1.1.3

Alan DeKok aland at deployingradius.com
Fri Sep 8 18:50:28 CEST 2006


"Chris A. Kalin" <cak at netwurx.net> wrote:
> We have bob at realm.com and bob.  Bob (the local user) is disabled, he's 
> in a certain group on my server that locks him out completely.  On my 
> backup RADIUS server, which is version 0.8-pre, I get the expected 
> behavior - if bob tries to log in, he gets a "Your account has been 
> disabled" message, but if bob at domain.com tries to log in, the proxy 
> request goes to the remote server and it'll work.

  OK...

> But on 1.1.3 I get weird results.  Bob (local) gets the same "disabled" 
> message, but so does bob at domain.com.  But if I take bob out of the local 
> passwd file, bob at domain.com proxies to where it's supposed to go and 
> works fine.  What's even weirder is in the above failure, I don't even 
> get anything in radius.log about bob at domain.com failing auth - I have to 
> hear about it from the customer himself.

  In 1.1.3, the account lockouts in /etc/passwd are handled by the
unix module, unless you've got something else set up.  And the unix
module only has an "authenticate" handler.  That means it's run only
if "Auth-Type = System", and never for proxying.

  Please post a config & debug logs from 1.1.3.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog


