order of realm processing
tnt at kalik.net
Sat Dec 19 11:45:24 CET 2009
> I have domain1\user1 and this gets radius proxied correctly to the
> radius1 server (11.11.11.11) based on ntdomain prefix.
> I have also set ignore_null = yes.
>
> I have user1@domain1 and this gets radius proxied correctly to the
> radius1 server (11.11.11.11) based on suffix.
> I have also set ignore_null = yes.
>
> under /modules/realm
> realm ntdomain {
>     format = prefix
>     delimiter = "\\"
>     ignore_default = yes
>     ignore_null = yes
> }
>
> realm suffix {
>     format = suffix
>     delimiter = "@"
>     ignore_default = yes
>     ignore_null = yes
> }
>
>
> Under proxy.conf
>
> realm domain1 {
>     type = radius
>     nostrip
>     authhost = 11.11.11.11:1812
>     accthost = 11.11.11.11:1813
>     secret = secret1
> }
>
> realm NULL {
>     type = auth
>     authhost = 22.22.22.22:1812
>     accthost = 22.22.22.22:1813
>     secret = secret1
> }
>
>
> Debug
>
> [ntdomain] No '\' in User-Name = "user2", skipping NULL due to config.
> ++[ntdomain] returns noop
> [suffix] No '@' in User-Name = "user2", skipping NULL due to config.
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
> No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> user2
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 3 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 3
> Sending Access-Reject of id 211 to 3.3.3.3 port 1645
> Waking up in 1.0 seconds.
> Cleaning up request 2 ID 210 with timestamp +14
> Waking up in 3.9 seconds.
> Cleaning up request 3 ID 211 with timestamp +17
> Ready to process requests.
>
> I have user2 (without domain) and this gets rejected. I want it to be sent
> to the radius2 server (22.22.22.22) as defined in the NULL domain in
> the proxy.conf. Can you advise how to do this?
Remove ignore_null from suffix.
Ivan Kalik
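The following is an added example, not part of the original thread and not FreeRADIUS code: a simplified Python model of the realm instances running in the order shown in the debug log (ntdomain, then suffix), showing why ignore_null is dropped from the last instance rather than the first. The function names, the "local" result and the three configuration labels are assumptions made for illustration.

```python
# Simplified model of realm selection, based on the behaviour visible in the
# debug log above. Assumption: first instance to match a realm wins, and later
# instances leave an already-routed request alone.
PROXY_REALMS = {"domain1": "11.11.11.11", "NULL": "22.22.22.22"}  # from proxy.conf

def realm_module(user, fmt, delimiter, ignore_null):
    """Return the realm one instance selects, or None when it returns noop."""
    if delimiter in user:
        if fmt == "prefix":
            realm = user.split(delimiter, 1)[0]
        else:
            realm = user.rsplit(delimiter, 1)[1]
    elif ignore_null:
        return None                      # "skipping NULL due to config"
    else:
        realm = "NULL"                   # no delimiter: treated as the NULL realm
    return realm if realm in PROXY_REALMS else None

def route(user, modules):
    """Run the instances in authorize order and return the chosen home server."""
    for _name, fmt, delimiter, ignore_null in modules:
        realm = realm_module(user, fmt, delimiter, ignore_null)
        if realm is not None:
            return PROXY_REALMS[realm]
    return "local"                       # no realm matched: handled (and rejected) locally

NT = ("ntdomain", "prefix", "\\")
SUF = ("suffix", "suffix", "@")
POSTED = [NT + (True,), SUF + (True,)]    # ignore_null = yes on both, as posted
FIXED = [NT + (True,), SUF + (False,)]    # ignore_null removed from suffix
WRONG = [NT + (False,), SUF + (True,)]    # removed from the first instance instead

USERS = ["domain1\\user1", "user1@domain1", "user2"]  # constructed from the post

def table(modules):
    return {user: route(user, modules) for user in USERS}

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("fixed", FIXED), ("wrong", WRONG)):
        print(label, table(cfg))
```

In the model's third configuration, user1@domain1 is claimed by the NULL realm in ntdomain before suffix runs, so its credentials would go to 22.22.22.22 instead of 11.11.11.11.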