post-auth problem after update from 2.0.4 to 2.1.10

Gerald Krause gk at ax.tc
Mon Apr 16 20:34:56 CEST 2012


Hi,

after upgrading our server from 2.0.4 to 2.1.10 we see a change in the
auth logic - e.g. when processing proxied requests to a home server and
their replies. We need this feature to append some special attributes to
the accept-packet from the home server before sending it to the NAS.


1) Our config in 2.0.4 (the DEFAULT record is recognized before sending
the packet to the NAS):

proxy.conf:
===========
realm foo {
        type      = radius
        authhost  = 1.2.3.4
        secret    = hidden
        nostrip
}

users file:
===========
DEFAULT	User-Name =~ "test at foo"
	MS-Primary-DNS-Server = "192.168.203.6",
	MS-Secondary-DNS-Server = "192.168.203.1",
	MS-Primary-NBNS-Server = "192.168.203.6"

sites-enabled/default:
======================
authorize {
	...
	files
	...
}

test:
=====
# radtest test at foo password localhost:1812

# /usr/sbin/freeradiusd -X
...
rad_recv: Access-Request packet from host 127.0.0.1 port 51046, id=236,
length=74
        User-Name = "test at foo"
        User-Password = "password"
        NAS-IP-Address = 172.16.1.63
        NAS-Port = 123
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: Looking up realm "foo" for User-Name = "test at foo"
    rlm_realm: Found realm "foo"
    rlm_realm: Adding Realm = "foo"
    rlm_realm: Proxying request from user test to realm foo
    rlm_realm: Preparing to proxy authentication request to realm "foo"
++[suffix] returns updated
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
        expand: %{User-Name} -> test at foo
    users: Matched entry DEFAULT at line 6
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Sending Access-Request of id 228 to 1.2.3.4 port 1812
        User-Name = "test at foo"
        User-Password = "password"
        NAS-IP-Address = 172.16.1.63
        NAS-Port = 123
        Proxy-State = 0x323336
Proxying request 50 to home server 1.2.3.4 port 1812
Sending Access-Request of id 228 to 1.2.3.4 port 1812
        User-Name = "test at foo"
        User-Password = "password"
        NAS-IP-Address = 172.16.1.63
        NAS-Port = 123
        Proxy-State = 0x323336
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host 1.2.3.4 port 1812, id=228,
length=117
        Proxy-State = 0x323336
        Framed-Protocol = PPP
        Service-Type = Framed-User
        Class =
0x4f300502000001370001c0a8cb0601cd117a507f4414000000000000010e
        MS-Link-Utilization-Threshold = 50
        MS-Link-Drop-Time-Limit = 120
        MS-MPPE-Encryption-Policy = 0x00000002
        MS-MPPE-Encryption-Types = 0x0000000e
+- entering group post-proxy
  rlm_eap: No pre-existing handler found
++[eap] returns noop
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: Proxy reply, or no User-Name.  Ignoring.
++[suffix] returns noop
++[eap] returns noop
++[unix] returns notfound
        expand: %{User-Name} -> test at foo
    users: Matched entry DEFAULT at line 6
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
  rad_check_password:  Found Auth-Type
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [test at foo/password] (from client LOCALHOST port 123)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 236 to 127.0.0.1 port 51046
        Framed-Protocol = PPP
        Service-Type = Framed-User
        Class =
0x4f300502000001370001c0a8cb0601cd117a507f4414000000000000010e
        MS-Link-Utilization-Threshold = 50
        MS-Link-Drop-Time-Limit = 120
        MS-MPPE-Encryption-Policy = 0x00000002
        MS-MPPE-Encryption-Types = 0x0000000e
        MS-Primary-DNS-Server = 192.168.203.6
        MS-Secondary-DNS-Server = 192.168.203.1
        MS-Primary-NBNS-Server = 192.168.203.6
Finished request 50.



2) Our config in 2.1.10 (the DEFAULT record is ignored before sending
the packet to the NAS):


proxy.conf:
===========
realm foo {
        type      = radius
        authhost  = 1.2.3.4
        secret    = hidden
        nostrip
}

users file:
===========
DEFAULT	User-Name =~ "test at foo"
	MS-Primary-DNS-Server = "192.168.203.6",
	MS-Secondary-DNS-Server = "192.168.203.1",
	MS-Primary-NBNS-Server = "192.168.203.6"

sites-enabled/default:
======================
authorize {
	...
	files
	...
}

test:
=====
# radtest test at foo password localhost:1812

# /usr/sbin/freeradiusd -X
...
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 49833, id=110,
length=74
        User-Name = "test at foo"
        User-Password = "password"
        NAS-IP-Address = 172.16.1.55
        NAS-Port = 123
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "foo" for User-Name = "test at foo"
[suffix] Found realm "foo"
[suffix] Adding Realm = "foo"
[suffix] Proxying request from user test to realm foo
[suffix] Preparing to proxy authentication request to realm "foo"
++[suffix] returns updated
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files]         expand: %{User-Name} -> test at foo
[files] users: Matched entry DEFAULT at line 6
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
  WARNING: Empty pre-proxy section.  Using default return values.
Sending Access-Request of id 231 to 1.2.3.4 port 1812
        User-Name = "test at foo"
        User-Password = "password"
        NAS-IP-Address = 172.16.1.55
        NAS-Port = 123
        Proxy-State = 0x313130
Proxying request 0 to home server 1.2.3.4 port 1812
Sending Access-Request of id 231 to 1.2.3.4 port 1812
        User-Name = "test at foo"
        User-Password = "password"
        NAS-IP-Address = 172.16.1.55
        NAS-Port = 123
        Proxy-State = 0x313130
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host 1.2.3.4 port 1812, id=231,
length=117
        Proxy-State = 0x313130
        Framed-Protocol = PPP
        Service-Type = Framed-User
        Class =
0x4f440516000001370001c0a8cb0601cd117a507f44140000000000000122
        MS-Link-Utilization-Threshold = 50
        MS-Link-Drop-Time-Limit = 120
        MS-MPPE-Encryption-Policy = 0x00000002
        MS-MPPE-Encryption-Types = 0x0000000e
# Executing section post-proxy from file
/etc/freeradius/sites-enabled/default
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Login OK: [test at foo] (from client LOCALHOST port 123)
# Executing section post-auth from file
/etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 110 to 127.0.0.1 port 49833
        Framed-Protocol = PPP
        Service-Type = Framed-User
        Class =
0x4f440516000001370001c0a8cb0601cd117a507f44140000000000000122
        MS-Link-Utilization-Threshold = 50
        MS-Link-Drop-Time-Limit = 120
        MS-MPPE-Encryption-Policy = 0x00000002
        MS-MPPE-Encryption-Types = 0x0000000e
Finished request 0.



I also tried it under 2.1.10 with "files" in the "post-auth" section, but
it did not work; I only got one more message that tells me "noop":

...
# Executing section post-auth from file
/etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[files] returns noop
++[exec] returns noop
...

So my question is how to assign the DEFAULT record to a reply packet
from a proxy in 2.1.10?


Thx,
Gerald
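As an added check that is not part of the thread and not FreeRADIUS code: the Python below parses short debug excerpts constructed from the two `freeradiusd -X` runs quoted in the post, reports which unlang sections ran after the home server's Access-Accept (2.0.4 re-entered authorize, 2.1.10 did not), and flags the three attributes from the `users` DEFAULT entry that never reached the Access-Accept sent back to the NAS. It assumes only the 2.x debug line formats visible above; the required-attribute set and the trimmed logs are constructed sample input.

```python
"""Regression check over FreeRADIUS 2.x `-X` output: which sections ran after the
home server replied, and whether locally added reply attributes reached the NAS."""
import re
from typing import Dict, List, Tuple

# Trimmed excerpts of the two runs quoted in the post (constructed sample input;
# the Class value spills onto an unindented line exactly as in the original).
LOG_2_0_4 = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 51046, id=236, length=74
        User-Name = "test at foo"
+- entering group authorize
Sending Access-Request of id 228 to 1.2.3.4 port 1812
        Proxy-State = 0x323336
rad_recv: Access-Accept packet from host 1.2.3.4 port 1812, id=228, length=117
        Proxy-State = 0x323336
        Class =
0x4f300502000001370001c0a8cb0601cd117a507f4414000000000000010e
+- entering group post-proxy
+- entering group authorize
+- entering group post-auth
Sending Access-Accept of id 236 to 127.0.0.1 port 51046
        Class =
0x4f300502000001370001c0a8cb0601cd117a507f4414000000000000010e
        MS-Primary-DNS-Server = 192.168.203.6
        MS-Secondary-DNS-Server = 192.168.203.1
        MS-Primary-NBNS-Server = 192.168.203.6
Finished request 50.
"""

LOG_2_1_10 = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 49833, id=110, length=74
        User-Name = "test at foo"
+- entering group authorize {...}
Sending Access-Request of id 231 to 1.2.3.4 port 1812
        Proxy-State = 0x313130
rad_recv: Access-Accept packet from host 1.2.3.4 port 1812, id=231, length=117
        Proxy-State = 0x313130
        Class =
0x4f440516000001370001c0a8cb0601cd117a507f44140000000000000122
+- entering group post-proxy {...}
+- entering group post-auth {...}
Sending Access-Accept of id 110 to 127.0.0.1 port 49833
        Class =
0x4f440516000001370001c0a8cb0601cd117a507f44140000000000000122
Finished request 0.
"""

# Attributes the local `users` DEFAULT entry is expected to add (assumed policy).
LOCAL_POLICY_ATTRS = {"MS-Primary-DNS-Server", "MS-Secondary-DNS-Server",
                      "MS-Primary-NBNS-Server"}

_PACKET = re.compile(r"^(?:Sending (?P<sent>Access-\w+) of id \d+ to (?P<to>\S+) port \d+"
                     r"|rad_recv: (?P<recv>Access-\w+) packet from host (?P<from>\S+) port \d+)")
_GROUP = re.compile(r"^\+- entering group (\S+)")
_ATTR = re.compile(r"^\s+([A-Za-z0-9-]+) = ?(.*)$")


def parse_debug(log: str) -> List[Tuple[str, str, Dict[str, str]]]:
    """One (event, peer, attrs) per packet or group line, in log order.
    event is 'send:<code>', 'recv:<code>' or 'group:<name>'."""
    events: List[Tuple[str, str, Dict[str, str]]] = []
    lines = log.splitlines()
    i = 0
    while i < len(lines):
        pm, gm = _PACKET.match(lines[i]), _GROUP.match(lines[i])
        if gm:
            events.append(("group:" + gm.group(1), "", {}))
        elif pm:
            if pm.group("sent"):
                event, peer = "send:" + pm.group("sent"), pm.group("to")
            else:
                event, peer = "recv:" + pm.group("recv"), pm.group("from")
            attrs: Dict[str, str] = {}
            while i + 1 < len(lines) and _ATTR.match(lines[i + 1]):
                i += 1
                name, value = _ATTR.match(lines[i]).groups()
                # A value that spilled onto the next unindented line (Class = ...)
                # is joined back onto its attribute.
                if not value and i + 1 < len(lines) and not lines[i + 1][:1].isspace() \
                        and " " not in lines[i + 1]:
                    i += 1
                    value = lines[i]
                attrs[name] = value.strip()
            events.append((event, peer, attrs))
        i += 1
    return events


def sections_after_home_reply(log: str) -> List[str]:
    """Names of the sections entered after the home server's Access-Accept arrived."""
    seen, out = False, []
    for event, _, _ in parse_debug(log):
        if event == "recv:Access-Accept":
            seen = True
        elif seen and event.startswith("group:"):
            out.append(event.split(":", 1)[1])
    return out


def missing_policy_attrs(log: str, required=LOCAL_POLICY_ATTRS) -> set:
    """Required attributes absent from the Access-Accept sent to the NAS."""
    for event, _, attrs in parse_debug(log):
        if event == "send:Access-Accept":
            return set(required) - set(attrs)
    raise ValueError("no Access-Accept was sent in this log")


if __name__ == "__main__":
    for version, log in (("2.0.4", LOG_2_0_4), ("2.1.10", LOG_2_1_10)):
        print(version, sections_after_home_reply(log),
              sorted(missing_policy_attrs(log)) or "policy attributes present")
```

Run against a full debug capture, the same two functions make a cheap post-upgrade regression test: the section list shows whether authorize still runs on the proxied reply, and the missing-attribute set shows whether the reply that actually leaves for the NAS carries the local policy, independent of what the home server returned.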


More information about the Freeradius-Users mailing list