Trouble with unlang

azander azander at netonecom.net
Fri Jan 29 18:36:54 CET 2016


Greetings,

I am having trouble wrapping my head around the unlang concepts to
make this work.

Situation:
My company just merged with another that is also using FreeRADIUS,
though they are using 2.x instead of 3.x.  We were in the process of
upgrading ours to 3.x when this merger was announced internally.

I am tasked with merging the radius systems.  Here is what I need.

In proxy.conf we have 4 needed realms, each using a different
virtual_server.  I have the following:

  realm company1.org {
    virtual_server = company1
  }
  realm company2.net {
    virtual_server = company2
  }
  realm company3.net {
    virtual_server = accept
  }
  realm company4.com {
    virtual_server = reject
  }
  realm NULL {
    virtual_server = company1
  }
  realm DEFAULT {
    virtual_server = default  ##duplicate of company1's file for now.
  }

I have each of the virtual servers listening on different ports and
only listening on IP 127.0.0.1.  Examples: company1: 9990,9991;
company2: 9992,9993; etc.

The main server listens to ports 1812,1813.

I need the accept virtual_server to accept anything sent to it.  I need
the reject virtual_server to reject everything sent to it.  company1 has
realm and non-realm users, using Stripped-User-Name for the final lookup in
the database.  company2 always has the realm on it, and can be
configured to use stripped or non-stripped usernames when going
to the database.

So far company1 and company2 work, but when I add company3 and
company4, things start working very strangely.

When I use radtest to query the server for company3 I get a result:
	(0) Expected Access-Accept got Access-Reject

I am assuming I have my server config messed up, but I won't count
on that being the issue.  Any help would be appreciated.

My accept and reject virtual servers are pretty basic and are almost
identical.

Below is my accept server config:

#
server accept {
   listen {
        type = auth
        ipaddr = *
        port = 9992
        limit {
              max_connections = 16
              lifetime = 0
              idle_timeout = 120
        }
   }
   listen {
        ipaddr = *
        port = 9993
        type = acct
        limit {
        }
   }

   authorize {
      # force the special Auth-Type "Accept" so authenticate is skipped
      update control {
         &Auth-Type := Accept
      }
   }
   authenticate {
        Auth-Type CHAP {
                chap
        }
   }
   preacct {
      preprocess
      acct_unique
      suffix
      files
   }
   accounting {
      detail
      unix
      -sql
      if (noop) {
         ok
      }
      attr_filter.accounting_response
   }
   session {
   }
   post-auth {
      reply_log
      -sql
      Post-Auth-Type REJECT {
         -sql
         attr_filter.access_reject
      }
   }
   pre-proxy {
   }
   post-proxy {
      eap
   }
}
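As an added example (my own, not the poster's files), this is how I would write the two special-purpose servers minimally in FreeRADIUS 3.x syntax, using the special Auth-Type value Accept and the unlang return code reject; the 127.0.0.1 binds and ports 9994/9996 are assumed to extend the poster's port scheme, and the accounting listen and preacct/accounting sections are left out. A realm with virtual_server set hands the request to that server internally, so the listen blocks are only needed for test packets sent straight to the port.

```unlang
# Added example, not the poster's config.  Assumed: 127.0.0.1 binds and
# ports 9994/9996, extending the poster's per-server port scheme.

# proxy.conf: the realm decides which virtual server handles the request
realm company3.net {
	virtual_server = accept
}
realm company4.com {
	virtual_server = reject
}

# sites-enabled/accept: every Access-Request that reaches it is accepted
server accept {
	listen {
		type = auth
		ipaddr = 127.0.0.1
		port = 9994
	}
	authorize {
		# Auth-Type Accept is special: the request is accepted without
		# running authenticate, so no CHAP/PAP/EAP config is needed here
		update control {
			&Auth-Type := Accept
		}
	}
}

# sites-enabled/reject: every Access-Request that reaches it is rejected
server reject {
	listen {
		type = auth
		ipaddr = 127.0.0.1
		port = 9996
	}
	authorize {
		# "reject" is an unlang return code: authorize stops here, the
		# server sends Access-Reject and runs Post-Auth-Type REJECT
		reject
	}
	post-auth {
		Post-Auth-Type REJECT {
			attr_filter.access_reject
		}
	}
}
```

Run `radiusd -XC` after dropping these in to have the server parse the sections and module names before a restart.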