Garbled class attribute?
    Geoff Silver 
    geoff+freeradius at uslinux.net
       
    Thu Aug 17 20:53:47 CEST 2006
    
    
  
Alan DeKok wrote:
> Geoff Silver <geoff+freeradius at uslinux.net> wrote:
>> I have a bunch of users which should have a class attribute returned upon 
>> successful authentication.  Their entries look something like:
>>
>> bob       NAS-IP-Address == 172.31.33.66, Hint==HasSlash Auth-Type:=Accept
>>            Class = "OU=MY_CORP", Filter-Id = "SPCCOLO_O", Split-Tunneling-Policy = 1, Split-Tunnel-List = "SPCCOLO_ST"
>>
>> What they're actually getting back is:
>>
>> Packet-Type = Access-Accept
>> User-Name = "bob"
>> Class = 0x3739774831423272375053516a71424143444358434979507544493d
> 
>   Which is '79...' — that hex decodes to the ASCII string "79wH1B2r7PSQjqBACDCXCIyPuDI=", not to "OU=MY_CORP".
*nod*.
>   It works for me, so my guess is that something else in your
> configuration is setting Class to that value.
Okay, I'll bite - so what on earth might be causing that?  I'm not doing any 
rewriting, and both the Filter-Id and the Split-Tunnel-List attributes come 
back as strings.  I thought maybe it was getting confused on the Class since 
it contains an =, but changing that to an _ doesn't help.  Is this perhaps 
coming back from the proxy server, and if so, is there a way to use my local 
Class attribute instead?
My users file has a whole bunch of entries that look like the above, mostly like:
  bob       NAS-IP-Address == 172.31.33.66, Hint==HasSlash, Proxy-To-Realm:=UAS
            Class = "OU=MY_CORP", Filter-Id = "SPCCOLO_O", Split-Tunneling-Policy = 1, Split-Tunnel-List = "SPCCOLO_ST"
My hints file looks like:
DEFAULT         User-Password =~ ".*/.*"
                 Hint = HasSlash
My proxy.conf looks like:
proxy server {
         synchronous = no
         retry_delay = 5
         retry_count = 1
         dead_time = 300
         default_fallback = yes
         post_proxy_authorize = yes
}
realm UAS {
         type            = radius
         authhost        = radius.domain.com:1812
         secret          = MySecretKey
}
And my radiusd.conf looks uninterestingly like the following (note that the 
syslog sections are part of rlm_syslog which I submitted a while back):
##
## radiusd.conf -- FreeRADIUS server configuration file.
##
prefix = /opt/radius
exec_prefix = ${prefix}
sysconfdir = /opt/radius/etc
localstatedir = /var
sbindir = /opt/radius/sbin
logdir = /var/log/radius
raddbdir = /opt/radius/etc
radacctdir = /var/log/radius
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
checkrad = ${sbindir}/checkrad
user = radius
group = radius
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
listen {
         ipaddr = *
         port = 1645
         type = auth
}
listen {
         ipaddr = *
         port = 1646
         type = acct
}
listen {
         ipaddr = *
         port = 1812
         type = auth
}
listen {
         ipaddr = *
         port = 1813
         type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions     = yes
extended_expressions    = yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = yes
lower_pass = no
nospace_user = before
nospace_pass = no
security {
         max_attributes = 200
         reject_delay = 1
         status_server = no
}
$INCLUDE  ${confdir}/clients.conf
snmp    = no
#$INCLUDE  ${confdir}/snmp.conf
thread pool {
         start_servers = 5
         max_servers = 32
         min_spare_servers = 3
         max_spare_servers = 10
         max_requests_per_server = 0
}
modules {
         preprocess {
                 huntgroups = ${confdir}/huntgroups
                 hints = ${confdir}/hints
         }
         files {
                 usersfile = ${confdir}/users
                 compat = no
         }
         uas {
         }
         syslog acct_log {
                 loglevel = "info"
                 logfacility = "local3"
                 logname = "radiusd-acct"
         }
         syslog auth_log {
                 hidepasswd = yes
                 loglevel = "info"
                 logfacility = "local3"
                 logname = "radiusd-auth"
         }
         syslog reply_log {
                 hidepasswd = yes
                 # Some of this may be redundant, but it pretty much ensures
                 # we get a unique identifier in every reply log message
                 logextra = "User-Name = %{User-Name},Client-IP-Address = %{Client-IP-Address},NAS-IP-Address = %{NAS-IP-Address},NAS-Port = %{NAS-Port}"
                 loglevel = "info"
                 logfacility = "local3"
                 logname = "radiusd-auth"
         }
         acct_unique {
                 key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
         }
         always fail {
                 rcode = fail
         }
         always reject {
                 rcode = reject
         }
         always ok {
                 rcode = ok
                 simulcount = 0
                 mpp = no
         }
         expr {
         }
         digest {
         }
         exec {
                 wait = yes
                 input_pairs = request
                 output_pairs = none
         }
         exec echo {
                 wait = yes
                 program = "/bin/echo %{User-Name}"
                 input_pairs = request
                 output_pairs = reply
                 #packet_type = Access-Accept
         }
}
instantiate {
         exec
         expr
}
authorize {
         preprocess
         auth_log
         files
}
authenticate {
         Auth-Type UAS {
                 #uas
         }
}
preacct {
         preprocess
         acct_unique
         files
}
accounting {
         acct_log
}
session {
}
post-auth {
         Post-Auth-Type REJECT {
                reply_log
         }
         reply_log
}
proxy_requests  = yes
$INCLUDE ${confdir}/proxy.conf
pre-proxy {
}
post-proxy {
}
    
    