[prev in list] [next in list] [prev in thread] [next in thread] 

List:       sr-dev
Subject:    [Serdev] auth_radius lack of documentation and behaviour issue
From:       reticent <tavis.lists () galaxytelecom ! net>
Date:       2005-08-29 20:55:01
Message-ID: 43137625.2080609 () galaxytelecom ! net
[Download RAW message or body]

I just wanted to mention my experiences with auth_radius because of the 
difficulties i had with it.

The main issue was with the documentation, one section in particular:
" Before sending the request to the radius server we perform some sanity 
checks over the credentials to make sure that only well formed 
credentials will get to the server".
This is a heck of lot more substantial than it sounds, i think it would 
be really helpful to document exactly what "sanity checks" are performed.

In my case i was having a problem because my test UAC's were interacting 
with "dev1.domain.com" and i was using a: 
--
if ( !radius_proxy_authorize("domain.com") )
{
    proxy_challenge("domain.com", "1");
}
--
stanza in the authorization section of my ser config.  This fails 
because the credentials realm is different from the URI host.  I'm using 
this config because my clients will be referencing my server using 
different domain names however i want the authentication database to be 
domain agnostic.

The second issue is that the auth_radius module doesn't alter its logic 
when its given a domain to compare against and skip or alter the 
"Credentials vs URI HOST" check.

I was using this same logic with auth_db without issue

Anyways, i suppose its a feature but it sure caused me alot of grief 
untill i figured out what was happening =D and i'm still unsure as to 
how i can emulate the old behaviour as it is ideal in my situation.


[prev in list] [next in list] [prev in thread] [next in thread]