Proxy problem in FreeRADIUS 1.1.3
Alan DeKok
aland at deployingradius.com
Fri Sep 8 18:50:28 CEST 2006
"Chris A. Kalin" <cak at netwurx.net> wrote:
> We have bob at realm.com and bob. Bob (the local user) is disabled, he's
> in a certain group on my server that locks him out completely. On my
> backup RADIUS server, which is version 0.8-pre, I get the expected
> behavior - if bob tries to log in, he gets a "Your account has been
> disabled" message, but if bob at domain.com tries to log in, the proxy
> request goes to the remote server and it'll work.

OK...

> But on 1.1.3 I get weird results. Bob (local) gets the same "disabled"
> message, but so does bob at domain.com. But if I take bob out of the local
> passwd file, bob at domain.com proxies to where it's supposed to go and
> works fine. What's even weirder is in the above failure, I don't even
> get anything in radius.log about bob at domain.com failing auth - I have to
> hear about it from the customer himself.

In 1.1.3, the account lockouts in /etc/passwd are handled by the
unix module, unless you've got something else set up. And the unix
module only has an "authenticate" handler. That means it's run only
if "Auth-Type = System", and never for proxying.

Please post a config & debug logs from 1.1.3.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog