Access proxied, Accounting not proxied
Mr. K
dbuschiazzo at gmail.com
Thu May 28 22:52:02 CEST 2009
Hi all,
I am trying to use a FreeRadius server as a proxy server using the realm.
Apparently my configuration is working for the Access-Request messages, but
not for the Accounting-request messages.
The proxy.conf is very simple:
realm test.com {
type = radius
authhost = NNN.NNN.NN5.7:1812
accthost = NNN.NNN.NN5.7:1813
secret = ******
ldflag = round_robin
nostrip
}
With this configuration, the access request messages are sent to the proper
server, as you can see in the next radiusd –X output:
We receive the message from the PDSN:
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 172.17.7.214:32786, id=6,
length=337
Calling-Station-Id = "310008172268681"
User-Name = "8177899857 at test.com"
NAS-IP-Address = 172.17.7.214
NAS-Identifier = "bws"
The radius sent it to the proper server:
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
radius_xlat:
'/usr/freeRadius/log/radius/radacct/172.17.7.214/auth-detail-20090528'
rlm_detail:
/usr/freeRadius/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to
/usr/freeRadius/log/radius/radacct/172.17.7.214/auth-detail-20090528
modcall[authorize]: module "auth_log" returns ok for request 2
rlm_chap: Setting 'Auth-Type := CHAP'
modcall[authorize]: module "chap" returns ok for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: No '/' in User-Name = "8177899857 at test.com", looking up realm
NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "IPASS" returns noop for request 2
rlm_realm: Looking up realm "test.com" for User-Name
="8177899857 at test.com"
rlm_realm: Found realm "test.com"
rlm_realm: Proxying request from user 8177899857 to realm test.com
rlm_realm: Adding Realm = "test.com"
rlm_realm: Preparing to proxy authentication request to realm "test.com"
modcall[authorize]: module "suffix" returns updated for request 2
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 2
radius_xlat: '8177899857 at test.com'
rlm_sql (sql): sql_set_user escaped user --> '8177899857 at test.com'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
radcheck WHERE Username = '8177899857 at test.com' ORDER BY
id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username =
'8177899857 at test.com' AND usergroup.GroupName = radgroupcheck.GroupName
ORDER BY usergroup.priority, radgroupcheck.id'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
radreply WHERE Username = '8177899857 at test.com' ORDER BY
id'
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username =
'8177899857 at test.com' AND usergroup.GroupName = radgroupreply.GroupName
ORDER BY usergroup.priority, radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
Processing the pre-proxy section of radiusd.conf
modcall: entering group pre-proxy for request 2
radius_xlat:
'/usr/freeRadius/log/radius/radacct/172.17.7.214/pre-proxy-detail-20090528'
rlm_detail:
/usr/freeRadius/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d
expands to
/usr/freeRadius/log/radius/radacct/172.17.7.214/pre-proxy-detail-20090528
modcall[pre-proxy]: module "pre_proxy_log" returns ok for request 2
modcall: leaving group pre-proxy (returns ok) for request 2
Sending Access-Request of id 1 to NNN.NNN.NN5.7 port 1812
Calling-Station-Id = "310008172268681"
User-Name = "8177899857 at test.com"
NAS-IP-Address = 172.17.7.214
The problem arises, when the same PDSN ask for an Accounting-Request and the
server. The server replies that the shared-key is not correct.
Waking up in 2 seconds...
rad_recv: Accounting-Request packet from host 172.17.7.214:32786, id=7,
length=735
Received Accounting-Request packet from 172.17.7.214 with invalid signature!
(Shared secret is incorrect.) Dropping packet without response.
Finished request 3
The shared key configured is one per node in both the radius and the PDSN;
so it is difficult for me to understand this behavior. Is there any
configuration missing?
Is it possible that the freeradius server is not checking shared key when
sending the access-request message to it’s destination and checking the key
while processing the accounting-request?
Regards,
K
--
View this message in context: http://www.nabble.com/Access-proxied%2C-Accounting-not-proxied-tp23769897p23769897.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
More information about the Freeradius-Users
mailing list