Proxies "status-server" pings are broken when virtual server "status" is enabled

Olivier Beytrison olivier at heliosnet.org
Wed Jan 30 08:29:50 CET 2013


Hello,

Any idea on the point below?

Olivier

On 28 Jan. 2013, at 10:07, Olivier Beytrison <olivier at heliosnet.org> wrote:

> On a side note, I have something fun going on in post-auth here. I want
> to bypass the post-auth section for Packet-Type == Status-Server. So I
> wrote:
> 
> 
>        post-auth {
>                if(Packet-Type != Status-Server){
>                        reply_log
>                        if("%{realm}" !~ /.*hes-so.ch/){
>                                sql
>                        }
>                }
>                Post-Auth-Type REJECT {
>                        sql
>                }
>        }
> 
> But the logic is inverted when you look at the logs.
> 
> Now on the log ...
> 
> rad_recv: Status-Server packet from host 127.0.0.1 port 60277, id=12,
> length=38
>        Message-Authenticator = 0xc09707a123242d5bee7be80eb07b3128
> (81) # Executing group from file /etc/freeradius/sites-enabled/eduroam
> (81)   group Status-Server {
> (81)  - entering group Status-Server {...}
> (81)   [ok] = ok
> (81) # Executing section post-auth from file
> /etc/freeradius/sites-enabled/eduroam
> (81)   group post-auth {
> (81)  - entering group post-auth {...}
> (81)   ? if (Packet-Type != Status-Server)
> (81) ? Evaluating (Packet-Type != Status-Server) -> TRUE
> (81)   ? if (Packet-Type != Status-Server) -> TRUE
> (81)    if (Packet-Type != Status-Server) {
> (81)   - entering if (Packet-Type != Status-Server) {...}
> 
> And what's even more funny .... On an Access-Accept packet it says that
> Packet-Type != Status-Server -> FALSE :D
> 
> rad_recv: Access-Accept packet from host 130.59.138.29 port 1812,
> id=129, length=189
>        MS-MPPE-Recv-Key =
> 0x180d7429b72d1ef1757290ed8a0f47e8f22583e1bcb704c208c89a405779ba0d
>        MS-MPPE-Send-Key =
> 0x0602884e6fba66616fc31d0047a1947bc996d10034886589d1a7b4a2ef37879e
>        EAP-Message = 0x03080004
>        Message-Authenticator = 0xbb3d302a9d2b4a124f70e8f49e1588dd
>        User-Name = "anonymous at test.hes-so.ch"
>        Proxy-State = 0x38
> (110) # Executing section post-proxy from file
> /etc/freeradius/sites-enabled/eduroam
> (110)   group post-proxy {
> (110)  - entering group post-proxy {...}
> [snip of post_proxy_log junk]
> (110)   [post_proxy_log] = ok
> (110) attr_filter.post-proxy :  expand: '%{Realm}' -> 'DEFAULT'
> (110) attr_filter.post-proxy : Matched entry DEFAULT at line 103
> (110)   [attr_filter.post-proxy] = updated
> (110) Found Auth-Type = Accept
> (110) Auth-Type = Accept, accepting the user
> (110) # Executing section post-auth from file
> /etc/freeradius/sites-enabled/eduroam
> (110)   group post-auth {
> (110)  - entering group post-auth {...}
> (110)   ? if (Packet-Type != Status-Server)
> (110) ? Evaluating (Packet-Type != Status-Server) -> FALSE
> (110)   ? if (Packet-Type != Status-Server) -> FALSE
> Sending Access-Accept of id 8 from 127.0.0.1 port 1812 to 127.0.0.1 port
> 56702
>        MS-MPPE-Recv-Key =
> 0x180d7429b72d1ef1757290ed8a0f47e8f22583e1bcb704c208c89a405779ba0d
>        EAP-Message = 0x03080004
>        Message-Authenticator = 0xbb3d302a9d2b4a124f70e8f49e1588dd
> 
> -- 
> 
> Olivier Beytrison
> Network & Security Engineer, HES-SO Fribourg
> Mobile: +41 (0)78 619 73 53
> Mail: olivier at heliosnet.org

