If MSCHAP attributes exist, use for AuthN, otherwise, force Kerberos? Also, gracefully accepting @domain in username?
Alan DeKok
aland at deployingradius.com
Thu Mar 11 13:32:19 CET 2021
On Mar 10, 2021, at 8:05 PM, Braden McGrath <braden at big-geek.net> wrote:
> Your comment got me to re-inspect more carefully, and I found where
> the problem was. I read through much of radiusd.conf when first
> setting things up, and I thought, "I don't need to proxy anything to
> other servers, this is all local!" so I changed "proxy_requests" to
> "no" and commented out "$INCLUDE proxy.conf", and I did this a week
> ago. I just now saw that the debug output wasn't reading proxy.conf,
> and after I poked around I realized I shot myself in the foot. Insert
> facepalm.jpg here.
Yup. :)
> Presumably I *could* be setting up realms in a separate (dedicated)
> file and just $INCLUDE'ing that instead? But for future maintenance's
> sake / standardization, I'll just stick to this... it's not really
> hurting me to leave things close to default state.
Sure. The various config files are brought in via $INCLUDE, so the content can be anywhere. We just separate them out into different files for sanity and management simplicity.
> If *non-regex* realm names are *supposed* to be case-sensitive within
> proxy.conf, they certainly aren't behaving that way.
Hmm... just checked again. Yes, they're case insensitive. DNS names and all that.
> That is exactly how it dies - a # and then a copy of the duplicated
> "realm X" line, and the process is gone.
It exits with an error (do "echo $?", and you'll see a non-zero exit code).
But yes, it should print an error. I've pushed a fix with a descriptive error message.
Alan DeKok.
More information about the Freeradius-Users
mailing list