post-auth not being entered in inner-tunnel
Alex Sharaz
alex.sharaz at york.ac.uk
Wed Mar 13 17:09:55 CET 2013
o.k.
Attached are cut down versions of the log files
inner-tunnel server =
root at nasaaa3:/etc/freeradius/sites-enabled# cat inner-tunnel
# inner-tunnel virtual server
#
# This virtual server is used to unwrap and process EAP requests - whether they
# originate locally, or from the NRPS.
#
# Depending on the EAP type, requests may pass through this virtual server
# multiple times - especially with EAP types involving a challenge/response,
# or a TLS tunnel (PEAP, TTLS, MSCHAPv2...)
#
# as 17/12/12 - Added Session Timeout setting so people have to reauth
# every 3600 seconds
#
# 18/12/12 - Wrapped a check round Session Timout to make sure it only gets
# added to an Access-Accept
#
# 03/02/13 - Dont sql access-accept responses if user is nagios health check usr
#
server inner-tunnel {
listen {
# Where to listen
ipaddr = 127.0.0.1
port = 18120
type = auth # Accounting packets do not contain EAP
}
authorize {
# Parse the realm/username
suffix
# Allow AuthN modules to scan for the attributes they need and assign themse
chap
#mschap_default
mschap
# Make sure that the request is not proxied (i.e. if the user were to have p
update control {
Proxy-To-Realm := LOCAL
}
# Handle EAP-MSCHAP-v2 requests, plus set some EAP related attributes
eap {
ok = return
}
# Read in the users file
files
york_passwd
if (Packet-Type == Access-Accept) {
update reply {
Session-Timeout := "3600"
Termination-Action := "RADIUS-Request"
}
}
if (request:Aruba-Location-Id) {
update reply {
York-Auth-Type := "wireless"
York-Auth-Device := "%{Aruba-Location-Id}"
York-Calling-Station-Id := "%{Calling-Station-Id}"
}
if (!(request:Realm == "NULL") && !(request:Realm == "york.ac.uk")) {
update reply {
York-Accept-Vlan := "Visiting Eduroam Users"
}
}
}
if ((request:NAS-Port-Type =~ /^Ethernet$/) ) {
update reply {
York-Auth-Device := "%{NAS-Identifier}"
York-Auth-Device-Port := "%{NAS-Port-Id}"
York-Calling-Station-Id := "%{Calling-Station-Id}"
}
}
if ((request:NAS-Port-Type =~ /^Ethernet$/) && !(User-Name =~ /^[0-9A-F][0-9
update reply {
York-Auth-Type := "dot1x"
}
}
#
# if we are sending a vlan we also need to add these two attributes
# Put it here so that we cover both wired and wireless Vlan specification
#
if (reply:Tunnel-Private-Group-ID) {
update reply {
Tunnel-Type := VLAN
Tunnel-Medium-Type := IEEE-802
}
}
# Has users account expired?
expiration
# Check for plaintext
pap
#################
# Don't really need these in a properly working system
#
# detail
# auth_log
reply_log
################
}
# Note that all of these requests are wrapped in an if block - this is to reduce loa
# from certain EAP types that cycle through this stage multiple times before a passw
# is actually sent
authenticate {
# Handle plaintext passwords
Auth-Type PAP {
if ((EAP-Type == 1) || (EAP-Message =~ /^0x02..00061a..$/)) {
noop
}
else {
pap
}
}
# Handle chap passwords
Auth-Type CHAP {
if ((EAP-Type == 1) || (EAP-Message =~ /^0x02..00061a..$/)) {
noop
}
else {
chap
}
}
# Handle mschap passwords
Auth-Type MS-CHAP {
if ((EAP-Type == 1) || (EAP-Message =~ /^0x02..00061a..$/)) {
noop
}
else {
mschap {
reject = 2
}
if (reject) {
mschap_default
}
}
}
# Inner message is also EAP
eap
}
post-auth {
update reply {
User-Name := "%{User-Name}"
}
sql_log
Post-Auth-Type REJECT {
sql_log
attr_filter.access_reject
}
# set_session_time
# }
#
#
# 11/02/13 - Not live yet
# perl
reply_log
}
session {
# eduroam has no requirement for simultaneous usage checking
}
pre-proxy {
# The inner tunnel should not be proxied
pre_proxy_log
}
post-proxy {
# The inner tunnel should not be proxied
post_proxy_log
eap
}
} # inner-tunnel server block
-------------- next part --------------
A non-text attachment was scrubbed...
Name: vsn220.log
Type: application/octet-stream
Size: 31865 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20130313/d0176f20/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: vsn221.log
Type: application/octet-stream
Size: 62264 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20130313/d0176f20/attachment-0003.obj>
-------------- next part --------------
On 13 Mar 2013, at 13:05, Olivier Beytrison <olivier at heliosnet.org> wrote:
> On 13.03.2013 12:46, Alex Sharaz wrote:
>> Hi,
>>
>> I've got a number of FR 2.2.0 servers that invoke sql_log in the inner-tunnel post-auth in order to write user-name some other attributes into a back end mysql database server and it all works. If I've got non-eap requests coming in , the "default" site deals with it. If I've got eap-based requests coming in the inner-tunnel deals with them. About a week ago I downloaded the latest 2.2 code from git.freeradius, built that and upgraded one of my FR2.2 servers. Since then I can't see an invocation of post-auth within the inner-tunnel. I can see it for the "default" site but not the inner-tunnel. Everything else seems to work but not that. Same hardware platform, same config files just different FR code.
>>
>> I've generated two radius -X dumps, vsn220.log and vsn221.log on my test server. The only raw client accessing this server is the switch my mac is sitting on configured to do macauth and 802.1x on my ethernet port. By simply disconnecting and reconnecting my mac I've generated a macauth followed by an 802.1x auth. In both files you can see post-auth being invoked for the default site. but only the vsn220.log file has a corresponding post-auth for the inner-tunnel.
>>
>> It may be that there's something else I've configured wrong that is only showing up in van 2.2.1 (ish). Should I be sending these traces to the free radius list or is there another address I can email them to
>
> Sounds weird. But again hard to tell without a radius -X output. Just
> send it here on the list, a complete request output, and maybe the
> relevant virtual-server configuration snippet
>
> Olivier
> --
>
> Olivier Beytrison
> Network & Security Engineer, HES-SO Fribourg
> Mail: olivier at heliosnet.org
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list