Attributes sent to proxy servers ...
Arran Cudbard-Bell
A.Cudbard-Bell at sussex.ac.uk
Tue Feb 5 14:21:23 CET 2008
A.L.M.Buxey at lboro.ac.uk wrote:
> hi,
>
> you are still pre-proxy attr filtering?
>
> alan
No, I didn't really see the point. Internal attributes aren't meant to be
proxied, and those are the only ones I really wanted filtered out.
It looks like something very strange is going on with proxying accounting
packets as well.
rad_recv: Accounting-Request packet from host 139.184.8.16 port 1026,
id=225, length=141
Acct-Session-Id = "004E00000019"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Acct-Delay-Time = 15
NAS-Port = 1
Calling-Station-Id = "00-1B-63-A3-A8-DD"
Event-Type = Framed-User
NAS-IP-Address = 139.184.8.16
NAS-Identifier = "hp-e-its-dev8021x-sw1"
User-Name = "ac221 at loopback.sussex.ac.uk"
server default-outer {
+- entering group preacct
++? if ("%{User-Name}" =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/)
expand: %{User-Name} -> ac221 at loopback.sussex.ac.uk
? Evaluating ("%{User-Name}" =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/)
-> TRUE
++? if ("%{User-Name}" =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) -> TRUE
++- entering if ("%{User-Name}" =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/)
+++? if (!"%{2}"||("%{2}" == 'sussex.ac.uk'))
expand: %{2} -> loopback.sussex.ac.uk
? Evaluating "loopback.sussex.ac.uk" -> FALSE
expand: %{2} -> loopback.sussex.ac.uk
? Evaluating ("%{2}" == 'sussex.ac.uk') -> FALSE
+++? if (!"%{2}"||("%{2}" == 'sussex.ac.uk')) -> FALSE
+++- entering else else
expand: %{1}@%{2} -> ac221 at loopback.sussex.ac.uk
++++[request] returns noop
+++- else else returns noop
++- if ("%{User-Name}" =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/)
returns noop
++ ... skipping else for request 20: Preceding "if" was taken
expand: %{Realm} -> %{2}
++- entering switch %{Realm}
+++- entering case
++++[control] returns noop
++++[request] returns noop
+++- case returns noop
++- switch %{Realm} returns noop
++? if ("%{Called-Station-Id}" =~
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i)
expand: %{Called-Station-Id} ->
? Evaluating ("%{Called-Station-Id}" =~
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i)
-> FALSE
++? if ("%{Called-Station-Id}" =~
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i)
-> FALSE
++? if ("%{Calling-Station-Id}" =~
/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i)
expand: %{Calling-Station-Id} -> 00-1B-63-A3-A8-DD
? Evaluating ("%{Calling-Station-Id}" =~
/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i)
-> TRUE
++? if ("%{Calling-Station-Id}" =~
/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i)
-> TRUE
++- entering if ("%{Calling-Station-Id}" =~
/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i)
expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 001B63A3A8DD
+++[request] returns noop
++- if ("%{Calling-Station-Id}" =~
/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i)
returns noop
++? if ("%{NAS-Port-Id}" =~ /wl[0-9]*/)
expand: %{NAS-Port-Id} ->
? Evaluating ("%{NAS-Port-Id}" =~ /wl[0-9]*/) -> FALSE
++? if ("%{NAS-Port-Id}" =~ /wl[0-9]*/) -> FALSE
++? if (("%{NAS-Port-Type}" == 'Wireless-802.11')||("%{NAS-Port-Type}"
== 'Ethernet'))
expand: %{NAS-Port-Type} ->
?? Evaluating ("%{NAS-Port-Type}" == 'Wireless-802.11') -> FALSE
expand: %{NAS-Port-Type} ->
?? Evaluating ("%{NAS-Port-Type}" == 'Ethernet') -> FALSE
++? if (("%{NAS-Port-Type}" == 'Wireless-802.11')||("%{NAS-Port-Type}"
== 'Ethernet')) -> FALSE
++? if ("%{NAS-IP-Address}" == '127.0.0.1')
expand: %{NAS-IP-Address} -> 139.184.8.16
? Evaluating ("%{NAS-IP-Address}" == '127.0.0.1') -> FALSE
++? if ("%{NAS-IP-Address}" == '127.0.0.1') -> FALSE
expand: %{Client-Shortname} -> hp-e-its-dev8021x-sw1
++[request] returns noop
rlm_acct_unique: WARNING: Attribute Client-IP-Address was not found in
request, unique ID MAY be inconsistent
rlm_acct_unique: Hashing ',NAS-Port = 1,NAS-IP-Address =
139.184.8.16,Acct-Session-Id = "004E00000019",User-Name =
"ac221 at loopback.sussex.ac.uk"'
rlm_acct_unique: Acct-Unique-Session-ID = "67d4bffd71faf76b".
++[acct_unique] returns ok
+- entering group accounting
expand: /var/log/radiusd/%Y%m%d/accounting-detail-%H:00 ->
/var/log/radiusd/20080205/accounting-detail-12:00
rlm_detail: /var/log/radiusd/%Y%m%d/accounting-detail-%H:00 expands to
/var/log/radiusd/20080205/accounting-detail-12:00
expand: %{Packet-Src-IP-Address} - %t -> 139.184.8.16 - Tue Feb 5
12:49:09 2008
++[accounting_log] returns ok
expand: %{Stripped-User-Name} -> ac221 at loopback.sussex.ac.uk
expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} ->
ac221 at loopback.sussex.ac.uk
rlm_sql (sql): sql_set_user escaped user --> 'ac221 at loopback.sussex.ac.uk'
expand: %{Acct-Delay-Time} -> 15
expand: INSERT INTO radacct
(acctsessionid, acctuniqueid, username,
realm, nasidentifier, nasipaddress,
nasportid, nasporttype, acctstarttime,
acctstoptime, acctsessiontime, acctauthentic,
connectinfo_start, connectinfo_stop, acctinputoctets,
acctoutputoctets, calledstationid, calledstationssid,
callingstationid, acctterminatecause, servicetype,
framedprotocol, framedipaddress, acctstartdelay,
acctstopdelay ) VALUES ('%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-Identifier}',
'%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}',
'%S', '0', '0', '%{Acct-Authentic}',
'%{Connect-Info}', '', '0', '0',
'%{Called-Station-Id}','%{Called-Station-SSID}','%{Calling-Station-Id}',
'', '%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0')
-> INSERT INTO radacct (acctsessionid,
acctuniqueid, username, realm,
nasidentifier, nasipaddress, nasportid,
nasporttype, acctstarttime, acctstoptime,
acctsessiontime, acctauthentic, connectinfo_start,
connectinfo_stop, acctinputoctets, acctoutputoctets,
calledstationid, calledstationssid, callingstationid,
acctterminatecause, servicetype, framedprotocol,
framedipaddress, acctstartdelay, acctstopdelay
) VALUES ('004E00000019',
'67d4bffd71faf76b',
'ac221 at loopback.sussex.ac.uk', 'jrs',
'hp-e-its-dev8021x-sw1', '139.184.8.16', '1', '',
'2008-02-05 12:49:09', '0', '0', 'RADIUS', '',
'', '0', '0', '','','001B63A3A8DD', '',
'Framed-User', '', '', '15', '0')
rlm_sql (sql): Reserving sql socket id: 19
rlm_sql (sql): Released sql socket id: 19
++[sql] returns ok
expand: %{User-Name} -> ac221 at loopback.sussex.ac.uk
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
} # server default-outer
+- entering group pre-proxy
expand: /var/log/radiusd/%Y%m%d/pre-proxy-detail-%H:00 ->
/var/log/radiusd/20080205/pre-proxy-detail-12:00
rlm_detail: /var/log/radiusd/%Y%m%d/pre-proxy-detail-%H:00 expands to
/var/log/radiusd/20080205/pre-proxy-detail-12:00
expand: %{Packet-Src-IP-Address} - %t -> 139.184.8.16 - Tue Feb 5
12:49:09 2008
++[pre_proxy_log] returns ok
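Where have all the attributes gone?! The request attributes logged above
(User-Name, NAS-IP-Address, Acct-Session-Id, ...) are missing from the packet
sent to the home server below, which carries only Realm and Proxy-State. The
last module to report a change before pre-proxy was
attr_filter.accounting_response ("returns updated").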
Sending Accounting-Request of id 180 to 194.82.174.185 port 1813
Proxy-State = 0x323235
Proxying request 20 to home server 194.82.174.185 port 1813
Sending Accounting-Request of id 180 to 194.82.174.185 port 1813
Realm = "jrs"
Proxy-State = 0x323235
Going to the next request
Waking up in 0.9 seconds.
Waking up in 14.0 seconds.
Rejecting request 17 due to lack of any response from home server
194.82.174.185 port 1813
--
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900