proxy fallback?
Christopher Fournier
christf1 at nortel.com
Thu Jun 21 16:38:46 CEST 2007
Using freeradius 1.1.6: I'm trying to establish a sequential auth order,
but it seems I'm missing the boat on something. The goal is the
following auth order, in iteration:
1) Check for local users in MySQL table
2) Proxy the request to another server
3) Use the local 'users' file (that is, to permit all users by default)
In the 'authorize' clause, I have tried several configurations, but none
seem to work as expected. In its most basic form, it was:
authorize {
        preprocess
        sql
        suffix
        files
}
I have also tried modifying the clause using the 'redundant' and 'group'
tokens:
authorize {
        preprocess
        redundant {
                sql {
                        notfound = 4
                        fail = 4
                }
                suffix {
                        notfound = 1
                        reject = 2
                        updated = 3
                        fail = 4
                }
        }
        files
}
And lots of variations thereof. What seems to happen consistently is
that the 'suffix' clause supersedes the 'files' module, which is
configured to permit all by default. Below is the debug:
rad_recv: Access-Request packet from host 127.0.0.1:44323, id=85, length=59
User-Name = "xyzuser"
User-Password = "foo"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall: entering group redundant for request 0
radius_xlat: 'xyzuser'
rlm_sql (sql): sql_set_user escaped user --> 'xyzuser'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
radcheck WHERE Username = 'xyzuser' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): User xyzuser not found in radcheck
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'xyzuser' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'xyzuser' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): User xyzuser not found in radgroupcheck
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): User not found
modcall[authorize]: module "sql" returns notfound for request 0
rlm_realm: No '@' in User-Name = "xyzuser", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "xyzuser"
rlm_realm: Proxying request from user xyzuser to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Preparing to proxy authentication request to realm "NULL"
modcall[authorize]: module "suffix" returns updated for request 0
modcall: leaving group redundant (returns notfound) for request 0
users: Matched entry DEFAULT at line 1
modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
Sending Access-Request of id 0 to [DELETED] port 1645
User-Name = "xyzuser"
User-Password = "foo"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Proxy-State = 0x3835
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Reject packet from host [DELETED]:1645, id=0, length=73
Nortel-Attr-1 = 0x00000000
Nortel-Attr-2 = 0x756e6b6e6f776e5f7573657220
Nortel-Attr-4 = 0x4e6f20737563682075736572
Login incorrect (Home Server says so): [xyzuser/foo] (from client localhost port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
If I move the 'files' module before the 'suffix' module in the
'authorize' clause, it works fine. Again, it seems that the proxy
overrides any further processing, despite changing the priorities.
Could anyone provide some idea as to what I'm missing, or how to make
this work? Thank you in advance for any help!
- Chris
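As an added illustration (not from the original post and not FreeRADIUS code), the following Python model replays the configuration and return codes from the debug above through the way FreeRADIUS 1.x evaluates a module group. The action tables follow FreeRADIUS's configurable-failover semantics: a return code maps either to 'return' (the block stops and hands that code up) or to a numeric priority, where a higher priority replaces the block's current result; how a tie on equal priority is handled is an assumption of the model. The radcheck contents, the set of realms defined in proxy.conf and the module stand-ins are constructed. The model reproduces 'leaving group redundant (returns notfound)' and 'leaving group authorize (returns ok)', and shows why the 'files' module running afterwards changes nothing: rlm_realm records Proxy-To-Realm as a control item, and the decision to proxy is driven by that item, not by the section's return code.

```python
"""Model of FreeRADIUS 1.x return-code resolution in 'authorize' with a
'redundant' sub-block, replayed against the posted configuration.

Added illustration only; not FreeRADIUS source.  Action tables follow
doc/configurable_failover.  Tie-breaking on equal priority is an assumption.
"""

RETURN = "return"

# Default actions for the authorize section: only ok/notfound/noop/updated
# continue to the next module, every other code ends the section.
AUTHORIZE_DEFAULT = {
    "reject": RETURN, "fail": RETURN, "ok": 3, "handled": RETURN,
    "invalid": RETURN, "userlock": RETURN, "notfound": 1, "noop": 2,
    "updated": 4,
}

# Default actions inside a 'redundant' block: only 'fail' moves on to the
# next module, every other code ends the block.
REDUNDANT_DEFAULT = {code: RETURN for code in AUTHORIZE_DEFAULT}
REDUNDANT_DEFAULT["fail"] = 1

# Constructed stand-ins for the MySQL radcheck table and for the realms
# defined in proxy.conf (the debug shows a NULL realm is defined).
LOCAL_SQL_USERS = {"alice"}
KNOWN_REALMS = {"NULL"}


def preprocess(request, control):
    return "ok"


def sql(request, control):
    # Debug: "User xyzuser not found in radcheck" -> notfound
    return "ok" if request["User-Name"] in LOCAL_SQL_USERS else "notfound"


def suffix(request, control):
    # rlm_realm: no '@' means realm NULL.  An unknown realm is a noop; a
    # known one sets the Proxy-To-Realm control item and returns updated.
    stripped, _, realm = request["User-Name"].partition("@")
    realm = realm or "NULL"
    if realm not in KNOWN_REALMS:
        return "noop"
    request["Stripped-User-Name"] = stripped
    control["Proxy-To-Realm"] = realm
    return "updated"


def files(request, control):
    # The 'users' DEFAULT entry matches everyone -> ok
    return "ok"


def run_block(entries, actions, request, control, log):
    """Run (name, module-or-subblock, per-module overrides) entries.

    A module is a callable returning a code; a sub-block is a tuple of
    (block action table, entries).  Returns the block's result code.
    """
    result, priority = "noop", 0
    for name, item, overrides in entries:
        if callable(item):
            code = item(request, control)
            log.append(f'module "{name}" returns {code}')
        else:
            sub_actions, sub_entries = item
            log.append(f"entering group {name}")
            code = run_block(sub_entries, sub_actions, request, control, log)
            log.append(f"leaving group {name} (returns {code})")
        action = overrides.get(code, actions[code])
        if action == RETURN:
            return code
        if action > priority:          # higher priority replaces the result
            result, priority = code, action
    return result


# The poster's second 'authorize' clause, with its per-module priorities.
AUTHORIZE = [
    ("preprocess", preprocess, {}),
    ("redundant", (REDUNDANT_DEFAULT, [
        ("sql", sql, {"notfound": 4, "fail": 4}),
        ("suffix", suffix, {"notfound": 1, "reject": 2, "updated": 3, "fail": 4}),
    ]), {}),
    ("files", files, {}),
]


def authorize(user_name):
    """Return (section result, whether the request would be proxied, log)."""
    request, control, log = {"User-Name": user_name}, {}, []
    code = run_block(AUTHORIZE, AUTHORIZE_DEFAULT, request, control, log)
    # After authorize the server proxies whenever Proxy-To-Realm is set to
    # anything but the special LOCAL realm, whatever the section returned.
    realm = control.get("Proxy-To-Realm")
    return code, realm is not None and realm != "LOCAL", log


if __name__ == "__main__":
    for user in ("xyzuser", "alice", "bob@nowhere"):
        code, proxied, log = authorize(user)
        print(f"{user}: authorize returns {code}, proxied={proxied}")
        for line in log:
            print("   ", line)
```

Two things the replay makes visible. First, the redundant block already short-circuits when sql returns ok (the default redundant action for ok is return), so for a user present in radcheck suffix never runs and no Proxy-To-Realm is set; the order "SQL first, proxy second" is satisfied by the block as posted. Second, the priorities only decide which code the block hands upward; they cannot express "fall back to files after the home server rejects", because the Access-Reject arrives long after the authorize section, files included, has finished.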