Copying Attributes Between Proxy-Reply and Reply Messages

Mike Loosbrock m-loosbrock at bethel.edu
Tue Jan 27 19:31:52 CET 2009


Hello,

I'm running 2.0.4 on Debian testing. I have a test setup in which I'm  
proxying access requests between two virtual servers running inside  
the same daemon:

radtest <---> [ virtual server A <---(proxy)---> virtual server B ]

Proxying is triggered using the rlm_realm module and all attr_filter  
module instances in radiusd.conf have been commented out.

Authentication works fine, but reply attributes created by B are not  
being returned to radtest unless I configure the following in A:

post-auth {
   update reply {
     Attribute1 := "%{proxy-reply:Attribute1}"
     Attribute2 := "%{proxy-reply:Attribute2}"
     Attribute3 := "%{proxy-reply:Attribute3}"
     ...
   }
}

My understanding is that without any attribute filters in place, the  
proxy-reply list in virtual server A is supposed to be automatically  
copied to its reply list. Is this correct, or is there an option that  
needs to be set somewhere?

Also, it seems that this scenario is functionally similar to how the  
peap and ttls modules proxy tunneled EAP exchanges to another virtual  
server using the 'virtual_server' option. Those modules use a  
'use_tunneled_reply' option which seems to force the behavior I'm  
trying to achieve. Or am I way off the mark?

I've attached what I think is just the relevant debug output. If more  
is needed, please let me know. Thanks!

### START DEBUG OUTPUT ###
...
server monitor {
  modules {
  Module: Checking authenticate {...} for more modules to load
  Module: Checking authorize {...} for more modules to load
  Module: Linked to module rlm_realm
  Module: Instantiating vpn_realm
   realm vpn_realm {
         format = "prefix"
         delimiter = "."
         ignore_default = yes
         ignore_null = yes
   }
  Module: Checking preacct {...} for more modules to load
  Module: Checking accounting {...} for more modules to load
  Module: Checking session {...} for more modules to load
  Module: Checking pre-proxy {...} for more modules to load
  Module: Checking post-proxy {...} for more modules to load
  Module: Checking post-auth {...} for more modules to load
  }
}
server vpn {
  modules {
  Module: Checking authenticate {...} for more modules to load
  Module: Linked to module rlm_pap
  Module: Instantiating pap
   pap {
         encryption_scheme = "auto"
         auto_header = no
   }
  Module: Checking authorize {...} for more modules to load
  Module: Checking preacct {...} for more modules to load
  Module: Checking accounting {...} for more modules to load
  Module: Checking session {...} for more modules to load
  Module: Checking pre-proxy {...} for more modules to load
  Module: Checking post-proxy {...} for more modules to load
  }
}
server {
  modules {
  }
}
radiusd: #### Opening IP addresses and Ports ####
listen {
         type = "auth"
         ipaddr = *
         port = 0
}
listen {
         type = "acct"
         ipaddr = *
         port = 0
}
listen {
         type = "proxy"
         ipaddr = *
         port = 0
}
main {
         snmp = no
         smux_password = ""
         snmp_write_access = no
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 4041
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 4030, id=27, length=76
         User-Name = "vpn_realm.mloosbro"
         User-Password = "password"
         NAS-IP-Address = 10.0.1.200
         NAS-Port = 1
         Framed-Protocol = PPP
server monitor {
+- entering group authorize
     rlm_realm: Looking up realm "vpn_realm" for User-Name = "vpn_realm.mloosbro"
     rlm_realm: Found realm "vpn_realm"
     rlm_realm: Adding Stripped-User-Name = "mloosbro"
     rlm_realm: Adding Realm = "vpn_realm"
     rlm_realm: Proxying request from user mloosbro to realm vpn_realm
     rlm_realm: Preparing to proxy authentication request to realm "vpn_realm"
++[vpn_realm] returns updated
} # server monitor
+- entering group pre-proxy
++[noop] returns noop
 >>> Sending proxied request internally to virtual server.
server vpn {
+- entering group authorize
         expand: %{control:NS-Override-User} ->
         expand: %{Stripped-User-Name} -> mloosbro
         expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> mloosbro
         expand: %{%{control:NS-Override-User}:-%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}} -> mloosbro
rlm_sql (ns-sql-vpn): sql_set_user escaped user --> 'mloosbro'
rlm_sql (ns-sql-vpn): Reserving sql socket id: 4
         expand: SELECT id, username, attribute, value, op            FROM radcheck_asa           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, a
  WHERE username = 'mloosbro'           ORDER BY id
         expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'            ORDER BY priority -> SELECT groupname           FROM radusergr
  BY priority
         expand: SELECT id, groupname, attribute,           Value,  op           FROM radgroupcheck_asa           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id
M radgroupcheck_asa           WHERE groupname = 'its-network'           ORDER BY id
rlm_sql (ns-sql-vpn): User found in group its-network
         expand: SELECT id, groupname, attribute,           value,  op           FROM radgroupreply_asa           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id
M radgroupreply_asa           WHERE groupname = 'its-network'           ORDER BY id
         expand: SELECT id, groupname, attribute,           Value,  op           FROM radgroupcheck_asa           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id
M radgroupcheck_asa           WHERE groupname = 'employee'            ORDER BY id
rlm_sql (ns-sql-vpn): User found in group employee
         expand: SELECT id, groupname, attribute,           value,  op           FROM radgroupreply_asa           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id
M radgroupreply_asa           WHERE groupname = 'employee'            ORDER BY id
rlm_sql (ns-sql-vpn): Released sql socket id: 4
++[ns-sql-vpn] returns ok
++[control] returns ok
   rad_check_password:  Found Auth-Type Kerberos
auth: type "Kerberos"
+- entering group Kerberos
rlm_krb5: verify_krb_v5_tgt: host key not found : No such file or directory
++[krb5] returns ok
Login OK: [mloosbro/password] (from client monitor port 1 via TLS tunnel)
} # server vpn
Going to the next request
<<< Received proxied response from internal virtual server.
+- entering group authorize
     rlm_realm: Proxy reply, or no User-Name.  Ignoring.
++[vpn_realm] returns noop
   rad_check_password:  Found Auth-Type
   rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [vpn_realm.mloosbro/password] (from client monitor port 1)
+- entering group post-auth
++[noop] returns noop
Sending Access-Accept of id 27 to 127.0.0.1 port 4030
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 4030, id=27, length=76
Sending duplicate reply to client monitor port 4030 - ID: 27
Sending Access-Accept of id 27 to 127.0.0.1 port 4030
Waking up in 4.9 seconds.
Cleaning up request 0 ID 27 with timestamp +3
Ready to process requests.

### END DEBUG OUTPUT ###

Mike Loosbrock
Bethel University Network Services
651-638-6723
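A small checker added here as an illustration (not part of the post above and not FreeRADIUS code): it parses 2.x `radiusd -X` output of the shape attached above and reports any Access-Accept that was sent to the client with no reply attributes, which is the symptom the post describes. The sample debug text, the ids 28 and 29 and their attribute values are constructed; only the shape of request 27 follows the attached output. It also blanks User-Password values, since the attached output shows that the debug log prints the cleartext password.

```python
"""Parse FreeRADIUS 2.x "radiusd -X" output and flag Access-Accepts sent with
an empty reply list. Added example; assumes the 2.x debug line shapes
"rad_recv: ... id=N" and "Sending CODE of id N to HOST port P", each followed
by indented attribute lines."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample modelled on the shape of the debug output in the post.
# Request 27 mirrors the post (accept sent with no attributes); 28 and 29 are
# made-up requests so the checker has a good accept and a reject to compare.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 4030, id=27, length=76
        User-Name = "vpn_realm.mloosbro"
        User-Password = "password"
        NAS-IP-Address = 10.0.1.200
server monitor {
+- entering group authorize
++[vpn_realm] returns updated
} # server monitor
Sending Access-Accept of id 27 to 127.0.0.1 port 4030
Finished request 0.
rad_recv: Access-Request packet from host 127.0.0.1 port 4030, id=28, length=60
        User-Name = "vpn_realm.bob"
        User-Password = "password"
Sending Access-Accept of id 28 to 127.0.0.1 port 4030
        Framed-IP-Address = 10.0.5.7
        Reply-Message = "Welcome"
Finished request 1.
rad_recv: Access-Request packet from host 127.0.0.1 port 4030, id=29, length=60
        User-Name = "vpn_realm.eve"
        User-Password = "wrong"
Sending Access-Reject of id 29 to 127.0.0.1 port 4030
Finished request 2.
"""

RECV_RE = re.compile(
    r"^rad_recv: (?P<code>\S+) packet from host (?P<host>\S+) port (?P<port>\d+), id=(?P<id>\d+)")
SEND_RE = re.compile(
    r"^Sending (?P<code>\S+) of id (?P<id>\d+) to (?P<host>\S+) port (?P<port>\d+)")
# Attribute lines are indented. "expand:" and "rlm_xxx:" debug lines are also
# indented but have a colon after the first word instead of " = ", so they
# do not match.
ATTR_RE = re.compile(r"^\s+(?P<name>[A-Za-z][\w-]*) (?P<op>=|:=|\+=) (?P<value>.*)$")


@dataclass
class Packet:
    direction: str  # "recv" (from client) or "send" (to client)
    code: str       # Access-Request, Access-Accept, Access-Reject, ...
    host: str
    port: int
    pkt_id: int
    attrs: List[Tuple[str, str]] = field(default_factory=list)


def parse_debug(text: str) -> List[Packet]:
    """Return every packet the log shows being received or sent, together with
    the attribute lines that directly follow its header line."""
    packets: List[Packet] = []
    current: Optional[Packet] = None
    for line in text.splitlines():
        m = RECV_RE.match(line)
        if m:
            current = Packet("recv", m["code"], m["host"], int(m["port"]), int(m["id"]))
            packets.append(current)
            continue
        m = SEND_RE.match(line)
        if m:
            current = Packet("send", m["code"], m["host"], int(m["port"]), int(m["id"]))
            packets.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current.attrs.append((m["name"], m["value"]))
            continue
        current = None  # any other line ends the attribute block
    return packets


def reply_for(packets: List[Packet], pkt_id: int) -> Optional[Packet]:
    """First reply sent for the given RADIUS id ("Sending duplicate reply"
    lines are deliberately not parsed as packets)."""
    for p in packets:
        if p.direction == "send" and p.pkt_id == pkt_id:
            return p
    return None


def empty_accepts(packets: List[Packet]) -> List[int]:
    """Ids of Access-Accepts that carried no attributes at all, which is what
    the post reports for id 27."""
    return [p.pkt_id for p in packets
            if p.direction == "send" and p.code == "Access-Accept" and not p.attrs]


def redact(text: str) -> str:
    """Blank User-Password values before sharing debug output: radiusd -X
    prints the cleartext password, as the attached output shows."""
    return re.sub(r'^(\s+User-Password = ).*$', r'\1"<redacted>"', text, flags=re.M)


if __name__ == "__main__":
    pkts = parse_debug(SAMPLE_DEBUG)
    for pid in empty_accepts(pkts):
        print(f"id {pid}: Access-Accept sent with no reply attributes")
    good = reply_for(pkts, 28)
    print("id 28 reply attrs:", good.attrs if good else None)
    print(redact(SAMPLE_DEBUG).splitlines()[2])
```

Run it against a real `radiusd -X` capture by replacing `SAMPLE_DEBUG` with the file contents; an id listed by `empty_accepts` is an accept whose reply list was empty when it left the proxying server, so the proxied attributes were dropped (or never copied) somewhere between the home virtual server and the client. Pass the capture through `redact` before attaching it to a list post.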
