Proxy problem in FreeRADIUS 1.1.3
Chris A. Kalin
cak at netwurx.net
Fri Sep 8 20:23:08 CEST 2006
Alan DeKok wrote:
> "Chris A. Kalin" <cak at netwurx.net> wrote:
>
>>Sending Access-Reject of id 3 to xx.xx.xx.xx port 4587
>> Reply-Message = "Your account has been disabled."
>
>
> That message does not appear in the server source. It's added
> somewhere by your local config.
Right, in the users file. I knew that one already, sorry I didn't post
the users files.
>>Fri Sep 8 12:37:40 2006 : Debug: modsingle[authorize]: calling files
>>(rlm_files) for request 2
>>Fri Sep 8 12:37:40 2006 : Debug: users: Matched entry DEFAULT at
>>line 54
>>Fri Sep 8 12:37:40 2006 : Debug: users: Matched entry DEFAULT at
>>line 72
>
>
> Check those two lines.
>
> Find the entry in your configuration files that adds that
> Reply-Message, it's setting Auth-Type := Reject, too.
That's exactly right, but why is it even getting to my users file?
It's supposed to be proxying the auth request to another box, and
apparently does, but then it charges ahead and checks the username
against the local password database anyway, and finds a local user with
a GID that generates the "Your account has been disabled" message. It's
like it's proxying the request but doesn't stop once it gets a hit. An
identical users file with the same proxy.conf and (as similar as it can
be) radiusd.conf under an older FreeRADIUS doesn't do this. And more
importantly, it's not logging _anything_ to my radius.log (in the event
of this particular failure I mean, other logs work fine), which is the
first time I've ever seen that happen in FreeRADIUS. If the remote end
rejects the user I get a "remote host says so" or similar error. Right
now I'm not getting anything.
Thanks!