rlm_exec and proxy request paradox
Nathan M
locu.lists at gmail.com
Sat Jun 18 00:11:16 CEST 2011
Hello,
I'm in the process of updating old 1.x freeradius servers to 2.1.10.
We have scripts which fire to verify some local verifications and
return some attributes which get passed along with the response to the
NAS. The old method used Exec-Program-Wait in the users file;
however, per recommendation in docs and list I'm converting things
over to use the newer rlm_exec method.
The new method works great for local authentication; however, I'm
getting stumped on requests which are proxied to another radius server
which accepts the request. Process of events:
1. Auth request is proxied to 3rd party server, which returns an Access-Accept
rad_recv: Access-Accept packet from host 10.0.0.243 port 1645, id=184, length=37
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Proxy-State = 0x313238
2. As configured in post-proxy, visp_proxyauth is run. For the sake
of simplicity visp_proxyauth executes a script which simply responds
with exit 1 to mimic a failed local verification.
# Executing section post-proxy from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group post-proxy {...}
Exec-Program output:
Exec-Program: returned: 1
++[visp_proxyauth] returns reject
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Problem, even though visp_proxyauth returns reject with exit 1, I
believe the earlier Auth-Type = Accept from the response of the 3rd
party radius server the request was proxied to is being used to accept
the login.
This differs from how 1.x acted in that if exec-program-wait returned
exit 1 it would fail the request. My new install of 2.1.10 accepts
the request which is not the desired behavior. I'm definitely open to
modifying my config or exit codes to accommodate any differences
introduced in 2.x.
I've seemingly tried too many different configuration options and
different tactics to try to make this work but seem to be stumped and
looking for some outside perspective. My goal would be to ultimately
reject the request if visp_proxyauth exits with return value 1 (user
reject). Any assistance is greatly appreciated.
- N
Complete debug output follows:
FreeRADIUS Version 2.1.10, for host x86_64-unknown-linux-gnu, built on
Jun 15 2011 at 18:03:23
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/vispauth
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/vispauth3
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/vispauth2
including configuration file
/usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
main {
user = "radius"
group = "radius"
allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = "/usr/local"
localstatedir = "/usr/local/var"
logdir = "/var/log/radius"
libdir = "/usr/local/lib"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 48000
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = yes
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 3
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
realm DEFAULT {
nostrip
authhost = LOCAL
accthost = LOCAL
}
realm abc.com {
nostrip
authhost = 10.0.0.243:1645
accthost = 10.0.0.243:1646
secret = xxx
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client 10.0.0.0/24 {
require_message_authenticator = no
secret = "xxx"
shortname = "wkstation"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /usr/local/etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /usr/local/etc/raddb/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/usr/local/etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/usr/local/etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Instantiating module "visp_auth" from file
/usr/local/etc/raddb/modules/vispauth
exec visp_auth {
wait = yes
program = "/tmp/auth.sh"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/usr/local/etc/raddb/modules/preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/huntgroups"
hints = "/usr/local/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_realm
Module: Instantiating module "prefix" from file
/usr/local/etc/raddb/modules/realm
realm prefix {
format = "prefix"
delimiter = "#"
ignore_default = yes
ignore_null = yes
}
Module: Instantiating module "suffix" from file
/usr/local/etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file
/usr/local/etc/raddb/modules/files
files {
usersfile = "/usr/local/etc/raddb/users"
acctusersfile = "/usr/local/etc/raddb/acct_users"
preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/usr/local/etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file
/usr/local/etc/raddb/modules/detail
detail {
detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from
file /usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file
/usr/local/etc/raddb/modules/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Instantiating module "visp_proxyauth" from file
/usr/local/etc/raddb/modules/vispauth
exec visp_proxyauth {
wait = yes
program = "/tmp/auth.sh"
input_pairs = "request"
output_pairs = "reply"
packet_type = "Access-Accept"
shell_escape = yes
}
Module: Instantiating module "attr_filter.post-proxy" from file
/usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.post-proxy {
attrsfile = "/usr/local/etc/raddb/attrs"
key = "%{Realm}"
}
[/usr/local/etc/raddb/attrs]:129 WARNING! Check item
"Simultaneous-Use" found in filter list for realm "xDEFAULT".
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file
/usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 10.0.0.1
port = 1645
}
listen {
type = "acct"
ipaddr = 10.0.0.1
port = 1646
}
listen {
type = "control"
listen {
socket = "/usr/local/var/run/radiusd/radiusd.sock"
}
}
Listening on authentication address 10.0.0.1 port 1645
Listening on accounting address 10.0.0.1 port 1646
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on proxy address 10.0.0.1 port 1647
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.0.6 port 61666, id=128, length=75
User-Name = "testuser at abc.com"
User-Password = "xxx"
Framed-Protocol = PPP
Service-Type = Framed-User
Called-Station-Id = "5415551212"
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[prefix] No '#' in User-Name = "testuser at abc.com", skipping NULL due to config.
++[prefix] returns noop
[suffix] Looking up realm "abc.com" for User-Name = "testuser at abc.com"
[suffix] Found realm "abc.com"
[suffix] Adding Stripped-User-Name = "testuser"
[suffix] Adding Realm = "abc.com"
[suffix] Proxying request from user testuser to realm abc.com
[suffix] Preparing to proxy authentication request to realm "abc.com"
++[suffix] returns updated
[files] users: Matched entry DEFAULT at line 172
[files] users: Matched entry DEFAULT at line 234
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
WARNING: Empty pre-proxy section. Using default return values.
Sending Access-Request of id 184 to 10.0.0.243 port 1645
User-Name = "testuser"
User-Password = "xxx"
Framed-Protocol = PPP
Service-Type = Framed-User
Called-Station-Id = "5415551212"
NAS-IP-Address = 10.0.0.6
Proxy-State = 0x313238
Proxying request 0 to home server 10.0.0.243 port 1645
Sending Access-Request of id 184 to 10.0.0.243 port 1645
User-Name = "testuser"
User-Password = "xxx"
Framed-Protocol = PPP
Service-Type = Framed-User
Called-Station-Id = "5415551212"
NAS-IP-Address = 10.0.0.6
Proxy-State = 0x313238
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host 10.0.0.243 port 1645, id=184, length=37
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Proxy-State = 0x313238
# Executing section post-proxy from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group post-proxy {...}
Exec-Program output:
Exec-Program: returned: 1
++[visp_proxyauth] returns reject
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Login OK: [testuser at abc.com/xxx] (from client visp-wkstation port 0)
# Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 128 to 10.0.0.6 port 61666
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
More information about the Freeradius-Users
mailing list