If MSCHAP attributes exist, use for AuthN, otherwise, force Kerberos? Also, gracefully accepting @domain in username?

Alan DeKok aland at deployingradius.com
Thu Mar 11 13:32:19 CET 2021


On Mar 10, 2021, at 8:05 PM, Braden McGrath <braden at big-geek.net> wrote:
> Your comment got me to re-inspect more carefully, and I found where
> the problem was. I read through much of radiusd.conf when first
> setting things up, and I thought, "I don't need to proxy anything to
> other servers, this is all local!" so I changed "proxy_requests" to
> "no" and commented out "$INCLUDE proxy.conf", and I did this a week
> ago. I just now saw that the debug output wasn't reading proxy.conf,
> and after I poked around I realized I shot myself in the foot. Insert
> facepalm.jpg here.

  Yup.  :)

> Presumably I *could* be setting up realms in a separate (dedicated)
> file and just $INCLUDE'ing that instead? But for future maintenance's
> sake / standardization, I'll just stick to this... it's not really
> hurting me to leave things close to default state.

  Sure.  The various config files are brought in via $INCLUDE, so the content can be anywhere.  We just separate them out into different files for sanity and management simplicity.

> If *non-regex* realm names are *supposed* to be case-sensitive within
> proxy.conf, they certainly aren't behaving that way.

  Hmm... just checked again.  Yes, they're case insensitive.  DNS names and all that.

> That is exactly how it dies - a # and then a copy of the duplicated
> "realm X" line, and the process is gone.

  It exits with an error (do "echo $?", and you'll see a non-zero exit code).

  But yes, it should print an error.  I've pushed a fix with a descriptive error message.

  Alan DeKok.
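A pre-start check for the failure discussed in this thread (a duplicated `realm` line makes the server exit), as an added example that is not part of the original message or of FreeRADIUS itself: it reports realm names declared more than once, compared case-insensitively as the reply describes. The function names, the sample configuration and the choice to skip regex realms (names starting with `~`) are assumptions.

```shell
#!/bin/sh
# Added example: report realm names declared more than once, compared
# case-insensitively, in one or more FreeRADIUS config files.

# find_duplicate_realms FILE...
# Prints "name: file:line file:line" for each duplicated realm.
# Returns 1 if any duplicate was found, 0 otherwise.
find_duplicate_realms() {
    awk '
        # Match "realm NAME {" declarations; commented-out lines do not match.
        /^[ \t]*realm[ \t]+/ {
            name = $2
            sub(/\{.*$/, "", name)     # handle "realm foo{" with no space
            gsub(/"/, "", name)        # strip optional quotes
            if (name == "" || name ~ /^~/) next   # skip regex realms
            key = tolower(name)        # realm names are case insensitive
            seen[key] = seen[key] " " FILENAME ":" FNR
            count[key]++
        }
        END {
            dup = 0
            for (k in count)
                if (count[k] > 1) { print k ":" seen[k]; dup = 1 }
            exit dup
        }
    ' "$@"
}

# Constructed sample input (not taken from the thread).
sample_proxy_conf() {
    cat <<'EOF'
realm example.org {
}
# realm EXAMPLE.ORG {
realm "~(.*\.)?example\.net$" {
}
realm Example.ORG {
}
realm LOCAL {
}
EOF
}

# Demo: run the check on the constructed sample.
tmp=$(mktemp) && sample_proxy_conf > "$tmp"
find_duplicate_realms "$tmp" || echo "duplicate realm(s) found; fix before starting radiusd"
rm -f "$tmp"
```

Pass every file that is pulled in via `$INCLUDE` as an argument, since the function does not follow `$INCLUDE` lines itself.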




More information about the Freeradius-Users mailing list