proxy keyed-balance setting
Scott McLane Gardner
sgardne at uark.edu
Wed Sep 7 21:44:29 CEST 2016
> Try changing the Load-Balance-Key to User-Name. And then using radtest for simple tests. That gets you the useful debug information, without tons of EAP stuff.
> But... the Load-Balance-Key seems to work here. I haven't heard of anyone else having issues with it.
The users get rejected because they're fake, but I get the same results using User-Name. Here are 2 clients trying to connect, different usernames both go to the same server. These 2 clients are the only ones using this server right now.
Received Access-Request Id 4 from 10.7.2.37:37771 to 10.7.0.28:1812 length 77
User-Name = 'user1'
User-Password = 'REDACTED'
NAS-IP-Address = 127.0.0.1
NAS-Port = 43
Message-Authenticator = 0xa09859e7179919143cd31505405ef595
(0) Received Access-Request packet from host 10.7.2.37 port 37771, id=4, length=77
(0) User-Name = 'user1'
(0) User-Password = 'REDACTED'
(0) NAS-IP-Address = 127.0.0.1
(0) NAS-Port = 43
(0) Message-Authenticator = 0xa09859e7179919143cd31505405ef595
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) if (!&User-Name)
(0) if (!&User-Name) -> FALSE
(0) if (&User-Name =~ / /)
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@.*@/ )
(0) if (&User-Name =~ /@.*@/ ) -> FALSE
(0) if (&User-Name =~ /\\.\\./ )
(0) if (&User-Name =~ /\\.\\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\\.$/)
(0) if (&User-Name =~ /\\.$/) -> FALSE
(0) if (&User-Name =~ /@\\./)
(0) if (&User-Name =~ /@\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix : Checking for suffix after "@"
(0) suffix : No '@' in User-Name = "user1", looking up realm NULL
(0) suffix : Found realm "DEFAULT"
(0) suffix : Adding Stripped-User-Name = "user1"
(0) suffix : Adding Realm = "DEFAULT"
(0) suffix : Proxying request from user user1 to realm DEFAULT
(0) suffix : Preparing to proxy authentication request to realm "DEFAULT"
(0) [suffix] = updated
(0) eap : No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files : users: Matched entry DEFAULT at line 2
(0) [files] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) [pap] = noop
(0) } # authorize = updated
(0) # Executing section pre-proxy from file /etc/raddb/sites-enabled/default
(0) pre-proxy {
(0) update control {
(0) EXPAND %{User-Name}
(0) --> user1
(0) Load-Balance-Key := "user1"
(0) } # update control = noop
(0) } # pre-proxy = noop
Opening new proxy socket 'proxy address * port 0'
Listening on proxy address * port 47824
(0) Proxying request to home server 10.7.0.29 port 1812 timeout 20.000000
(0) Sending Access-Request packet to host 10.7.0.29 port 1812, id=38, length=0
(0) User-Name = 'user1'
(0) User-Password = 'REDACTED'
(0) NAS-IP-Address = 127.0.0.1
(0) NAS-Port = 43
(0) Message-Authenticator = 0xa09859e7179919143cd31505405ef595
(0) Event-Timestamp = 'Sep 7 2016 14:36:26 CDT'
(0) Stripped-User-Name = 'user1'
(0) Realm = 'DEFAULT'
(0) Proxy-State = 0x34
Sending Access-Request Id 38 from 0.0.0.0:47824 to 10.7.0.29:1812
User-Name = 'user1'
User-Password = 'REDACTED'
NAS-IP-Address = 127.0.0.1
NAS-Port = 43
Message-Authenticator = 0xa09859e7179919143cd31505405ef595
Event-Timestamp = 'Sep 7 2016 14:36:26 CDT'
Proxy-State = 0x34
Waking up in 0.3 seconds.
Waking up in 0.1 seconds.
(0) Expecting proxy response no later than 19.499780 seconds from now
Waking up in 19.4 seconds.
Received Access-Reject Id 38 from 10.7.0.29:1812 to 10.7.0.28:47824 length 23
Proxy-State = 0x34
(0) Received Access-Reject packet from host 10.7.0.29 port 1812, id=38, length=23
(0) Proxy-State = 0x34
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject : EXPAND %{User-Name}
(0) attr_filter.access_reject : --> user1
(0) attr_filter.access_reject : Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure
(0) [eap] = noop
(0) remove_reply_message_if_eap remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message)
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else else {
(0) [noop] = noop
(0) } # else else = noop
(0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sending Access-Reject packet to host 10.7.2.37 port 37771, id=4, length=0
Sending Access-Reject Id 4 from 10.7.0.28:1812 to 10.7.2.37:37771
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 4 with timestamp +231
Ready to process requests
Received Access-Request Id 134 from 10.7.2.37:42049 to 10.7.0.28:1812 length 77
User-Name = 'user2'
User-Password = 'REDACTED'
NAS-IP-Address = 127.0.0.1
NAS-Port = 43
Message-Authenticator = 0x8492cc7453e8c02139f1b8081cc8b0d7
(1) Received Access-Request packet from host 10.7.2.37 port 42049, id=134, length=77
(1) User-Name = 'user2'
(1) User-Password = 'REDACTED'
(1) NAS-IP-Address = 127.0.0.1
(1) NAS-Port = 43
(1) Message-Authenticator = 0x8492cc7453e8c02139f1b8081cc8b0d7
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) filter_username filter_username {
(1) if (!&User-Name)
(1) if (!&User-Name) -> FALSE
(1) if (&User-Name =~ / /)
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@.*@/ )
(1) if (&User-Name =~ /@.*@/ ) -> FALSE
(1) if (&User-Name =~ /\\.\\./ )
(1) if (&User-Name =~ /\\.\\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\\.$/)
(1) if (&User-Name =~ /\\.$/) -> FALSE
(1) if (&User-Name =~ /@\\./)
(1) if (&User-Name =~ /@\\./) -> FALSE
(1) } # filter_username filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix : Checking for suffix after "@"
(1) suffix : No '@' in User-Name = "user2", looking up realm NULL
(1) suffix : Found realm "DEFAULT"
(1) suffix : Adding Stripped-User-Name = "user2"
(1) suffix : Adding Realm = "DEFAULT"
(1) suffix : Proxying request from user user2 to realm DEFAULT
(1) suffix : Preparing to proxy authentication request to realm "DEFAULT"
(1) [suffix] = updated
(1) eap : No EAP-Message, not doing EAP
(1) [eap] = noop
(1) files : users: Matched entry DEFAULT at line 2
(1) [files] = ok
(1) [expiration] = noop
(1) [logintime] = noop
(1) [pap] = noop
(1) } # authorize = updated
(1) # Executing section pre-proxy from file /etc/raddb/sites-enabled/default
(1) pre-proxy {
(1) update control {
(1) EXPAND %{User-Name}
(1) --> user2
(1) Load-Balance-Key := "user2"
(1) } # update control = noop
(1) } # pre-proxy = noop
(1) Proxying request to home server 10.7.0.29 port 1812 timeout 20.000000
(1) Sending Access-Request packet to host 10.7.0.29 port 1812, id=246, length=0
(1) User-Name = 'user2'
(1) User-Password = 'REDACTED'
(1) NAS-IP-Address = 127.0.0.1
(1) NAS-Port = 43
(1) Message-Authenticator = 0x8492cc7453e8c02139f1b8081cc8b0d7
(1) Event-Timestamp = 'Sep 7 2016 14:36:50 CDT'
(1) Stripped-User-Name = 'user2'
(1) Realm = 'DEFAULT'
(1) Proxy-State = 0x313334
Sending Access-Request Id 246 from 0.0.0.0:47824 to 10.7.0.29:1812
User-Name = 'user2'
User-Password = 'REDACTED'
NAS-IP-Address = 127.0.0.1
NAS-Port = 43
Message-Authenticator = 0x8492cc7453e8c02139f1b8081cc8b0d7
Event-Timestamp = 'Sep 7 2016 14:36:50 CDT'
Proxy-State = 0x313334
Waking up in 0.3 seconds.
Waking up in 0.1 seconds.
(1) Expecting proxy response no later than 19.499795 seconds from now
Waking up in 19.4 seconds.
Received Access-Reject Id 246 from 10.7.0.29:1812 to 10.7.0.28:47824 length 25
Proxy-State = 0x313334
(1) Received Access-Reject packet from host 10.7.0.29 port 1812, id=246, length=25
(1) Proxy-State = 0x313334
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Post-Auth-Type REJECT {
(1) attr_filter.access_reject : EXPAND %{User-Name}
(1) attr_filter.access_reject : --> user2
(1) attr_filter.access_reject : Matched entry DEFAULT at line 11
(1) [attr_filter.access_reject] = updated
(1) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure
(1) [eap] = noop
(1) remove_reply_message_if_eap remove_reply_message_if_eap {
(1) if (&reply:EAP-Message && &reply:Reply-Message)
(1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(1) else else {
(1) [noop] = noop
(1) } # else else = noop
(1) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(1) } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(1) Sending delayed response
(1) Sending Access-Reject packet to host 10.7.2.37 port 42049, id=134, length=0
Sending Access-Reject Id 134 from 10.7.0.28:1812 to 10.7.2.37:42049
Waking up in 3.9 seconds.
(1) Cleaning up request packet ID 134 with timestamp +255
Ready to process requests
More information about the Freeradius-Users
mailing list