Cannot get value of config item with \\

Matej Vadnjal matej.vadnjal at arnes.si
Tue Feb 3 08:15:26 CET 2009


On Monday 02.02.2009 12:37:09 Alan DeKok wrote:
>   Hmm... if a server proxies requests to you that it *should* have
> handled itself, it is seriously broken.

It also happens when users mistype their user names. Suppose you have a user: 
user@a.orgA.tld. orgA has a radius server that proxies requests for realm 
a.orgA.tld to another server, but all other requests go to the upstream server 
(us).

If our user mistypes their user name as user@b.orgA.tld, radius at orgA 
forwards that request to our server, but we see this as realm *.orgA.tld (orgA 
has a lot of sub-domains - we don't want to define all of them separately), so 
we send the request back to them.


>  Put this in pre-proxy:
>
> 	if (Realm &&
> 	    ("%{home_server:ipaddr}" == "%{client:ipaddr}")) {
> 		reject
> 	}
>
>   That should work.  And no, this isn't well documented.

Great. I did not know about %{home_server:ipaddr}. However, there are still two 
issues:

- %{client:ipaddr} does not expand to anything on my end, but Client-IP-Address 
works.

- If I reject in pre-proxy my server crashes. No error message or anything, it 
just exits (see attached debug). Is this a bug? I'm using version 2.1.0.


Regards

Matej Vadnjal
ARNES


-------------- next part --------------
rad_recv: Access-Request packet from host 10.0.99.110 port 1814, id=200, length=94            
        User-Name = "@primer.si"                                                              
        Message-Authenticator = 0xc683a697de2b17b81dbad41e7c5bb471                            
        EAP-Message = 0x0202000f01407072696d65722e7369                                        
        NAS-IP-Address = 10.0.99.13                                                           
        NAS-Identifier = "010.000.099.013"                                                    
        Proxy-State = 0x3134                                                                  
+- entering group authorize {...}                                                             
++[preprocess] returns ok                                                                     
[suffix] Looking up realm "primer.si" for User-Name = "@primer.si"                            
[suffix] Found realm "~^(idp\.primer\.si|.*\.idp\.primer\.si|primer\.si)$"                    
[suffix] Adding Realm = "~^(idp\.primer\.si|.*\.idp\.primer\.si|primer\.si)$"                 
[suffix] Proxying request from user  to realm ~^(idp\.primer\.si|.*\.idp\.primer\.si|primer\.si)$
[suffix] Preparing to proxy authentication request to realm "~^(idp\.primer\.si|.*\.idp\.primer\.si|primer\.si)$"
++[suffix] returns updated
        expand: %{User-Name} -> @primer.si
[files] users: Matched entry DEFAULT at line 10
++[files] returns ok
+- entering group pre-proxy {...}
++? if (Realm && ("%{home_server:ipaddr}" == "%{Client-IP-Address}"))
? Evaluating (Realm ) -> TRUE
        expand: %{home_server:ipaddr} -> 10.0.99.110
        expand: %{Client-IP-Address} -> 10.0.99.110
? Evaluating ("%{home_server:ipaddr}" == "%{Client-IP-Address}") -> TRUE
++? if (Realm && ("%{home_server:ipaddr}" == "%{Client-IP-Address}")) -> TRUE
++- entering if (Realm && ("%{home_server:ipaddr}" == "%{Client-IP-Address}")) {...}
+++[reject] returns reject
++- if (Realm && ("%{home_server:ipaddr}" == "%{Client-IP-Address}")) returns reject
There was no response configured: rejecting request 0
Using Post-Auth-Type Reject
+- entering group REJECT {...}
        expand: %{User-Name} -> @primer.si
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
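
An added example, not part of the original post or of FreeRADIUS: a Python scan of `radiusd -X` debug output that flags requests whose selected home server is the host that sent them, which is the condition the pre-proxy check above tests. It assumes single-threaded debug output with that check configured, so the %{home_server:ipaddr} expansion is logged; the second sample request is constructed.

```python
import ipaddress
import re

# Patterns for the debug lines shown in the attached log.
RECV = re.compile(r"^rad_recv: \S+ packet from host (\S+) port \d+, id=(\d+)")
USER = re.compile(r'^\s+User-Name = "(.*)"')
REALM = re.compile(r'^\[suffix\] Found realm "(.*)"')
HOME = re.compile(r"^\s+expand: %\{home_server:ipaddr\} -> (\S+)")

# First request: lines copied from the debug output above.
# Second request: constructed for contrast (addresses and names are made up).
SAMPLE = r'''rad_recv: Access-Request packet from host 10.0.99.110 port 1814, id=200, length=94
        User-Name = "@primer.si"
[suffix] Found realm "~^(idp\.primer\.si|.*\.idp\.primer\.si|primer\.si)$"
        expand: %{home_server:ipaddr} -> 10.0.99.110
rad_recv: Access-Request packet from host 10.0.99.120 port 1815, id=201, length=90
        User-Name = "alice@example.org"
[suffix] Found realm "example.org"
        expand: %{home_server:ipaddr} -> 10.0.99.200
'''

def same_host(a, b):
    """Compare two addresses numerically, falling back to string equality."""
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return a == b

def find_proxy_loops(lines):
    """Return requests whose selected home server is the host that sent them."""
    requests, cur = [], None
    for line in lines:
        line = line.rstrip()  # the archived log pads lines with trailing spaces
        if m := RECV.match(line):
            cur = {"client": m.group(1), "id": int(m.group(2)),
                   "user": None, "realm": None, "home": None}
            requests.append(cur)
        elif cur is None:
            continue  # ignore anything before the first received packet
        elif (m := USER.match(line)) and cur["user"] is None:
            cur["user"] = m.group(1)
        elif m := REALM.match(line):
            cur["realm"] = m.group(1)
        elif m := HOME.match(line):
            cur["home"] = m.group(1)
    return [r for r in requests if r["home"] and same_host(r["home"], r["client"])]

if __name__ == "__main__":
    for r in find_proxy_loops(SAMPLE.splitlines()):
        print(f"loop: id={r['id']} user={r['user']!r} client={r['client']} realm={r['realm']}")
```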

