Strange behavior of files module in post-auth
    Stabla, Daniel 
    dstabla at materna.de
       
    Fri Feb 27 15:17:20 CET 2015
    
    
  
Hi,
We are trying to send VLAN attributes to our clients after a successful 
authentication.
A file "rad-vlan" contains the MAC address as the search key, together with
the other attributes we want to assign.
"rad-vlan" is processed by the files module in the post-auth section
and does nothing. It is only processed successfully when we call it as
rad-vlan.authorize.
Without ".authorize":
Configuration
############################
# Virtual server: authenticates clients via EAP, then (in post-auth) looks up
# the client's MAC address in the "rad-vlan" files-module instance and copies
# the resulting Tunnel-Private-Group-Id into the reply as the VLAN assignment.
# NOTE(review): the debug output below reports the post-auth section as coming
# from /etc/radiusd/sites-enabled/default -- confirm this block is the one in
# that file.
server eap_server {
# Listens on every interface; 1645 is the pre-RFC 2865 RADIUS auth port.
listen {
         ipaddr = *
         port = 1645
         type = auth
         limit {
         }
}
authorize {
         # "ok = return": once eap has handled the packet the remaining
         # modules in this section (files, expiration, logintime) are skipped.
         eap {
                 ok = return
         }
         files
         expiration
         logintime
}
authenticate {
         Auth-Type PAP {
         }
         Auth-Type CHAP {
         }
         Auth-Type MS-CHAP {
         }
         eap
         Auth-Type eap {
                 eap {
                         handled = 1
                 }
                 if (handled && (Response-Packet-Type == 
Access-Challenge)) {
                 }
         }
}
preacct {
         preprocess
         acct_unique
         files
}
accounting {
         detail
         exec
}
session {
}
post-auth {
         # Split "domain\user" into Realm (%{1}) and Stripped-User-Name (%{2}).
         # NOTE(review): for the User-Name in the debug output, %{1} expands to
         # "materna\" -- the trailing backslash ends up in Realm; check whether
         # that is intended.
         if ("%{request:User-Name}" =~ /^(.*)\\\\(.*)/) {
                 update request {
                                 Stripped-User-Name := "%{2}"
                                 Realm := "%{1}"
                                 }
         }
         # Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802 (the debug
         # output prints the decoded names).
         update reply {
                         Tunnel-Type := "13"
                         Tunnel-Medium-Type := "6"
         }
         # A module called without a method name runs the method that matches
         # the enclosing section, i.e. the files module's post-auth method.
         # The debug output shows it expands Calling-Station-Id but returns
         # noop and never reports a matched entry, whereas rad-vlan.authorize
         # matches the same MAC; the post-auth method presumably reads a
         # different, separately configured file -- verify against the
         # rad-vlan module definition.
         # The lookup keys on the device's MAC, not on the authenticated user,
         # so every user on that device receives the same VLAN.
         rad-vlan <----------------------------------------------------
         # NOTE(review): this update runs unconditionally; when the lookup
         # fails the reply still carries Tunnel-Private-Group-Id = "" (see the
         # debug output), i.e. an empty VLAN assignment is sent to the NAS.
         # Guard it with a check that control:Tunnel-Private-Group-Id is set,
         # or reject unknown MACs, rather than relying on the NAS's handling of
         # an empty value.
         update reply {
Tunnel-Private-Group-Id="%{control:Tunnel-Private-Group-Id}"
         }
         Post-Auth-Type REJECT {
                 eap
         }
}
pre-proxy {
}
post-proxy {
         eap
}
}
Debug output
####################################################
(14)  } #  authenticate = ok
(14) Login OK: [materna\\ldapsearch/<via Auth-Type = EAP>] (from client 
sles11 port 0 cli 12-34-56-78-90-AB)
(14) # Executing section post-auth from file 
/etc/radiusd/sites-enabled/default
(14)   post-auth {
(14)    if ("%{request:User-Name}" =~ /^(.*)\\\\(.*)/)
(14) EXPAND %{request:User-Name}
(14)    --> materna\\ldapsearch
(14)    if ("%{request:User-Name}" =~ /^(.*)\\\\(.*)/)  -> TRUE
(14)   if ("%{request:User-Name}" =~ /^(.*)\\\\(.*)/)  {
(14)    update request {
(14) EXPAND %{2}
(14)    --> ldapsearch
(14)    Stripped-User-Name := "ldapsearch"
(14) EXPAND %{1}
(14)    --> materna\
(14)    Realm := "materna\\"
(14)    } # update request = noop
(14)   } # if ("%{request:User-Name}" =~ /^(.*)\\\\(.*)/)  = noop
(14)   update reply {
(14)    Tunnel-Type := VLAN
(14)    Tunnel-Medium-Type := IEEE-802
(14)   } # update reply = noop
(14)  rad-vlan : EXPAND %{Calling-Station-Id} 
<----------------------------------------------------
(14)  rad-vlan :    --> 12-34-56-78-90-AB 
<----------------------------------------------------
(14)   [rad-vlan] = noop
(14)   update reply {
(14) EXPAND %{control:Tunnel-Private-Group-Id}
(14)    -->
(14)    Tunnel-Private-Group-Id = ""
(14)   } # update reply = noop
(14)  } #  post-auth = noop
With ".authorize":
Configuration
#############################################################################
# Virtual server: authenticates clients via EAP, then (in post-auth) looks up
# the client's MAC address in the "rad-vlan" files-module instance and copies
# the resulting Tunnel-Private-Group-Id into the reply as the VLAN assignment.
# Identical to the previous configuration except that rad-vlan is called with
# an explicit ".authorize" method.
server eap_server {
# Listens on every interface; 1645 is the pre-RFC 2865 RADIUS auth port.
listen {
         ipaddr = *
         port = 1645
         type = auth
         limit {
         }
}
authorize {
         # "ok = return": once eap has handled the packet the remaining
         # modules in this section (files, expiration, logintime) are skipped.
         eap {
                 ok = return
         }
         files
         expiration
         logintime
}
authenticate {
         Auth-Type PAP {
         }
         Auth-Type CHAP {
         }
         Auth-Type MS-CHAP {
         }
         eap
         Auth-Type eap {
                 eap {
                         handled = 1
                 }
                 if (handled && (Response-Packet-Type == 
Access-Challenge)) {
                 }
         }
}
preacct {
         preprocess
         acct_unique
         files
}
accounting {
         detail
         exec
}
session {
}
post-auth {
         # Split "domain\user" into Realm (%{1}) and Stripped-User-Name (%{2}).
         # NOTE(review): for the User-Name in the debug output, %{1} expands to
         # "materna\" -- the trailing backslash ends up in Realm; check whether
         # that is intended.
         if ("%{request:User-Name}" =~ /^(.*)\\\\(.*)/) {
                 update request {
                                 Stripped-User-Name := "%{2}"
                                 Realm := "%{1}"
                                 }
         }
         # Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802 (the debug
         # output prints the decoded names).
         update reply {
                         Tunnel-Type := "13"
                         Tunnel-Medium-Type := "6"
         }
         # Explicitly invoking the authorize method makes the files module read
         # its users-style file from within post-auth: the debug output shows
         # "Matched entry 12-34-56-78-90-AB at line 1" and a return of ok,
         # which the bare "rad-vlan" call never produced.
         # The lookup keys on the device's MAC, not on the authenticated user,
         # so every user on that device receives the same VLAN.
         rad-vlan.authorize 
<----------------------------------------------------
         # NOTE(review): this update runs unconditionally; if the lookup fails
         # for an unknown MAC the reply would carry an empty
         # Tunnel-Private-Group-Id. Guard it with a check that
         # control:Tunnel-Private-Group-Id is set, or reject unknown MACs,
         # rather than relying on the NAS's handling of an empty value.
         update reply {
Tunnel-Private-Group-Id="%{control:Tunnel-Private-Group-Id}"
         }
         Post-Auth-Type REJECT {
                 eap
         }
}
pre-proxy {
}
post-proxy {
         eap
}
}
Debug output
#################################################################
(14)  } #  authenticate = ok
(14) Login OK: [materna\\ldapsearch/<via Auth-Type = EAP>] (from client 
sles11 port 0 cli 12-34-56-78-90-AB)
(14) # Executing section post-auth from file 
/etc/radiusd/sites-enabled/default
(14)   post-auth {
(14)    if ("%{request:User-Name}" =~ /^(.*)\\\\(.*)/)
(14) EXPAND %{request:User-Name}
(14)    --> materna\\ldapsearch
(14)    if ("%{request:User-Name}" =~ /^(.*)\\\\(.*)/)  -> TRUE
(14)   if ("%{request:User-Name}" =~ /^(.*)\\\\(.*)/)  {
(14)    update request {
(14) EXPAND %{2}
(14)    --> ldapsearch
(14)    Stripped-User-Name := "ldapsearch"
(14) EXPAND %{1}
(14)    --> materna\
(14)    Realm := "materna\\"
(14)    } # update request = noop
(14)   } # if ("%{request:User-Name}" =~ /^(.*)\\\\(.*)/)  = noop
(14)   update reply {
(14)    Tunnel-Type := VLAN
(14)    Tunnel-Medium-Type := IEEE-802
(14)   } # update reply = noop
(14)  rad-vlan : EXPAND %{Calling-Station-Id}
(14)  rad-vlan :    --> 12-34-56-78-90-AB
(14)  rad-vlan : users: Matched entry 12-34-56-78-90-AB at line 1
(14)   [rad-vlan.authorize] = ok
(14)   update reply {
(14) EXPAND %{control:Tunnel-Private-Group-Id}
(14)    --> 200
(14)    Tunnel-Private-Group-Id = "200"
(14)   } # update reply = noop
(14)  } #  post-auth = ok
    
    