JRS - Proxying v2
Arran Cudbard-Bell
A.Cudbard-Bell at sussex.ac.uk
Sat Apr 7 15:30:06 CEST 2007
Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>
>> Though using today's CVS (head revision for radiusd, checked out about 3
>> hours), I still get Unknown type "client_balance".
>>
>
> Hmm.. I'll check the code && get back to you.
>
>
>> Also it doesn't let me put multiple servers in a server pool, and dies
>> on runtime with
>>
>> /usr/local/freeradius-cvs060407/etc/raddb/radiusd.conf[147]: Ignoring
>> duplicate home server jrs1_auth.
>>
>
> That's not nice. I'll check that out, too.
>
>
More weirdness

Sending Access-Request of id 190 to 0.0.0.0 port 1812
        User-Name = "ac221 at brighton.ac.uk"
        User-Password = "password"
        Service-Type = Framed-User
        NAS-IP-Address = 139.184.8.1
        Proxy-State = 0x313532
Proxying request 4 to realm jrs, home server 0.0.0.0 port 1812
Sending Access-Request of id 190 to 0.0.0.0 port 1812
        User-Name = "ac221 at brighton.ac.uk"
        User-Password = "password"
        Service-Type = Framed-User
        NAS-IP-Address = 139.184.8.1
        Stripped-User-Name = "ac221"
        Realm = "brighton.ac.uk"
        Realm = "jrs"
        Proxy-State = 0x313532

Seems to work fine when I define the host using ipaddr, as opposed to a
hostname.

Sending Access-Request of id 37 to 193.82.174.185 port 1812
        User-Name = "ac221 at brighton.ac.uk"
        User-Password = "password"
        Service-Type = Framed-User
        NAS-IP-Address = 139.184.8.1
        Proxy-State = 0x313738
Proxying request 4 to realm jrs, home server 193.82.174.185 port 1812
Sending Access-Request of id 37 to 193.82.174.185 port 1812
        User-Name = "ac221 at brighton.ac.uk"
        User-Password = "password"
        Service-Type = Framed-User
        NAS-IP-Address = 139.184.8.1
        Stripped-User-Name = "ac221"
        Realm = "brighton.ac.uk"
        Realm = "jrs"
        Proxy-State = 0x313738
Going to the next request

Sorry, just another to add to the list :)

TCP Dump shows

14:30:41.581211 IP arr-land.co.uk.nm-asses-admin >
radius2.uscs.susx.ac.uk.radius: RADIUS, Access Request (1), id:
0xf 0 length: 72
14:30:41.581451 IP radius2.uscs.susx.ac.uk.tdp-suite > 0.0.0.0.radius:
RADIUS, Access Request (1), id: 0x83 length: 77

Really is broken...

>>>> If many home servers are intended to be identical, it may be worth
>>>> referencing the configuration from one to another, maybe via some kind
>>>> of template. That would make it just as flexible, but less typing.
>>>>
>> Revised JRS 2
>> janet_servers {
>> server0 = roaming0.ja.net
>> server1 = roaming1.ja.net
>> server2 = roaming2.ja.net
>> secret = theirkey
>>
> ...
>
>> home_server jrs0_auth {
>> hostname = ${janet_servers.server0}
>> $INCLUDE ${confdir}/jrs.auth.conf
>> }
>>
>
> That's an interesting way of doing templates. I think I'll add
> similar examples to proxy.conf.
>

What would be really cool is if you made a minor change to the clients
configuration section, so that it mirrored the format of the home_server
declarations.

So that you had the three ways of defining hosts like you do in
home_server declarations

    ipaddr = 127.0.0.1
    ipv6addr = ::1
    hostname = localhost

And then took the shortname from the instance name, so

    client localhost {
        hostname = localhost
        nastype = other
        secret = super_secret
    }

As this would allow you to use variables defined elsewhere in the config.
Which
a) Keeps everything in a standard format
b) Allows you to define certain variables centrally, so that if
something changes such as the top level domain of a bidirectional proxy,
you don't have to go hunting through changing all the entries.

Though I know this breaks compatibility with 1.1.*, and I don't know
how much you're trying to keep compatibility with 1.1.*.

---
#######################################################################
# Allow the JRS proxy servers to talk to us.
client jrs_roaming0 {
    hostname = ${jrs_config.server0}
    nastype = other
    secret = ${jrs_config.secret0}
}

client jrs_roaming1 {
    hostname = ${jrs_config.server1}
    nastype = other
    secret = ${jrs_config.secret1}
}

client jrs_roaming2 {
    hostname = ${jrs_config.server2}
    nastype = other
    secret = ${jrs_config.secret2}
}

Thanks,
Arran
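
Added example, not part of the original message and not FreeRADIUS code: a Python check over radiusd debug output that flags requests sent or proxied to an unspecified address such as 0.0.0.0, the symptom reported above for a home server defined by hostname. The sample lines are copied from the debug output in the message; the function name `find_unspecified_destinations` is hypothetical.

```python
import ipaddress
import re

# Debug lines as they appear in the message above (attribute lines omitted).
SAMPLE_DEBUG = """\
Sending Access-Request of id 190 to 0.0.0.0 port 1812
Proxying request 4 to realm jrs, home server 0.0.0.0 port 1812
Sending Access-Request of id 37 to 193.82.174.185 port 1812
Proxying request 4 to realm jrs, home server 193.82.174.185 port 1812
"""

SEND_RE = re.compile(
    r"^Sending (?P<code>[\w-]+) of id (?P<id>\d+) "
    r"to (?P<addr>\S+) port (?P<port>\d+)$")
PROXY_RE = re.compile(
    r"^Proxying request (?P<req>\d+) to realm (?P<realm>\S+), "
    r"home server (?P<addr>\S+) port (?P<port>\d+)$")


def find_unspecified_destinations(debug_text):
    """Return one finding per line whose destination is 0.0.0.0 or ::."""
    findings = []
    for lineno, raw in enumerate(debug_text.splitlines(), start=1):
        line = raw.strip()
        match = SEND_RE.match(line) or PROXY_RE.match(line)
        if match is None:
            continue  # attribute lines and unrelated debug output
        try:
            addr = ipaddress.ip_address(match.group("addr"))
        except ValueError:
            continue  # destination is not an IP literal
        if addr.is_unspecified:
            fields = match.groupdict()
            findings.append({
                "line": lineno,
                "kind": "proxy" if "realm" in fields else "send",
                "realm": fields.get("realm"),  # None on "Sending" lines
                "addr": str(addr),
                "port": int(fields["port"]),
            })
    return findings


if __name__ == "__main__":
    for finding in find_unspecified_destinations(SAMPLE_DEBUG):
        print(finding)
```
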