Proxied Access-reject reply

Juanjo Abenza juanjo at excom.es
Sat Sep 27 16:47:57 CEST 2014


Hi,

I'm using "freeradius-3.0.1-6.el7.x86_64" as a proxy between the RADIUS server
and a MikroTik NAS for PPPoE users; this is the scheme.

NAS          -->        Proxy freeradius --> freeradius Server
10.200.0.34            10.100.1.100              10.100.1.101

My goal is to change the Access-Reject message received in the proxy RADIUS
from the RADIUS server and send the NAS an Access-Accept with some
attributes, more or less like this. I tried to put this just inside
"Post-Auth-Type REJECT" in the Post-Auth section, without results:

 if (reject) {
         ok # over-ride "reject"
         update control {
                 Auth-Type := Accept
                 Framed-Pool = 'BAN'
         }
 }

I think I just need to put an if condition before this update control,
but I don't know which one to use.

This is what I can see in debug mode:

rad_recv: Accounting-Response packet from host 10.100.1.101 port 1813,
id=225, length=25
        Proxy-State = 0x323033
(0) # Executing section post-proxy from file
/etc/raddb/sites-enabled/default
(0)   post-proxy {
(0) eap : No pre-existing handler found
(0)   [eap] = noop
(0)  } #  post-proxy = noop
Sending Accounting-Response of id 203 from 10.100.1.100 port 1813 to
10.200.0.34 port 56239
(0) Finished request 0.
Waking up in 0.3 seconds.
rad_recv: Access-Request packet from host 10.200.0.34 port 60374, id=204,
length=157
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 8546310
        NAS-Port-Type = Ethernet
        User-Name = 'USERNAME_XX'
        Calling-Station-Id = 'D4:CA:6D:47:A5:27'
        Called-Station-Id = 'pppoe-Excom'
        NAS-Port-Id = 'bridge-pppoe'
        User-Password = 'Password'
        NAS-Identifier = 'PABELLON_RT1'
        NAS-IP-Address = 10.200.0.34
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1)   authorize {
(1)   filter_username filter_username {
(1)    ? if (User-Name != "%{tolower:%{User-Name}}")
(1)     expand: "%{tolower:%{User-Name}}" -> 'username_xx'
(1)    ? if (User-Name != "%{tolower:%{User-Name}}")  -> TRUE
(1)    if (User-Name != "%{tolower:%{User-Name}}")  {
(1)     [reject] = reject
(1)    } # if (User-Name != "%{tolower:%{User-Name}}")  = reject
(1)   } # filter_username filter_username = reject
(1)  } #  authorize = reject
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1)  Post-Auth-Type REJECT {
(1) attr_filter.access_reject :         expand: "%{User-Name}" ->
'USERNAME_XX'
(1) attr_filter.access_reject : Matched entry DEFAULT at line 11
(1)   [attr_filter.access_reject] = updated
(1) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure
(1)   [eap] = noop
(1)   remove_reply_message_if_eap remove_reply_message_if_eap {
(1)    ? if (reply:EAP-Message && reply:Reply-Message)
(1)    ? if (reply:EAP-Message && reply:Reply-Message)  -> FALSE
(1)    else else {
(1)     [noop] = noop
(1)    } # else else = noop
(1)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(1)  } # Post-Auth-Type REJECT = updated
(1) Finished request 1.
(0) Cleaning up request packet ID 203 with timestamp +5
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host 10.200.0.34 port 60374, id=204,
length=157
(1) Discarding duplicate request from client Bejar port 60374 - ID: 204 due
to unfinished request
Waking up in 0.6 seconds.
rad_recv: Access-Request packet from host 10.200.0.34 port 60374, id=204,
length=157
(1) Discarding duplicate request from client Bejar port 60374 - ID: 204 due
to delayed reject
Waking up in 0.3 seconds.
(1) Sending delayed reject
Sending Access-Reject of id 204 from 10.100.1.100 port 1812 to 10.200.0.34
port 60374


Can anyone help me?

Best regards, JJ


-- 

------------------------------------
Juanjo Abenza Sánchez
Operations
Free Technologies Excom, S.L.
http://www.excom.es
Tel. 902 02 02 34   Ext. 202
Fax 902 87 66 41
-----------------------------------
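As an added example (not part of the original post), here is a post-proxy block for the proxy's /etc/raddb/sites-enabled/default that turns an Access-Reject from the home server into an Access-Accept carrying Framed-Pool; on FreeRADIUS 3.0.x the reply code is chosen with control:Response-Packet-Type, while attributes meant for the NAS belong in the reply list. The attribute values are taken from the post above, and the FreeRADIUS 3.0.x behaviour of Response-Packet-Type is assumed. Note also that in the quoted debug output the request was rejected locally by filter_username in authorize (User-Name 'USERNAME_XX' is not lower-case), so it was never proxied and no post-proxy logic could have run for it.

```unlang
# Added example for /etc/raddb/sites-enabled/default on the proxy
# (10.100.1.100).  Assumes FreeRADIUS 3.0.x; values come from the post.
post-proxy {
        #  This section only runs for requests that were actually forwarded
        #  to the home server (10.100.1.101) and answered.  A reject produced
        #  locally in authorize (as filter_username did in the debug output
        #  above) never reaches post-proxy.
        if (proxy-reply:Packet-Type == Access-Reject) {
                #  Attributes the NAS should receive go in the reply list,
                #  not in control.
                update reply {
                        Framed-Pool := 'BAN'
                }
                #  control:Response-Packet-Type selects the code of the
                #  packet sent back to the NAS.  Auth-Type is only consulted
                #  in authenticate, so setting it after proxying has no effect.
                update control {
                        Response-Packet-Type := Access-Accept
                }
        }
}
```

Because the reply is no longer a reject, the Post-Auth-Type REJECT group (and its attr_filter.access_reject, which would strip Framed-Pool) is not the one that runs for the converted request.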
