Second stage authorization with proxy

Gianluca Baù gluca.b at gmail.com
Wed May 31 10:49:34 CEST 2017


Hello Matthew,

thanks for your quick reply.

>> That's if "not notfound" - you probably want if (notfound) {

Oops, I already used this condition... the copy and paste was from the
forum's link. However, it doesn't work.

>> Did you leave the logic as above? Where did you put it in the config?

The code is in sites-enabled/default. My authorize section is (without
commented lines):

authorize {
    preprocess
    mschap
    suffix
    eap {
        ok = return
    }
    files
    sql

    if (notfound) {
        update control {
            Proxy-To-Realm := "newrealm"
        }
    }

    expiration
    logintime
    pap
}

>> Well the full output of radiusd -X

Following is the output of /usr/sbin/freeradius -X:

rad_recv: Access-Request packet from host ************ port 50808, id=180,
length=203
    NAS-Port-Type = Wireless-802.11
    Calling-Station-Id = "2C:60:0C:E0:51:5D"
    Called-Station-Id = "server1"
    NAS-Port-Id = "ether5"
    User-Name = "2C:60:0C:E0:51:5D"
    NAS-Port = 2151679390
    Acct-Session-Id = "8040059e"
    Framed-IP-Address = 192.168.1.33
    Mikrotik-Host-IP = 192.168.1.33
    CHAP-Challenge = 0x302086b437e865de6ce30ed04671936d
    CHAP-Password = 0x565c5fe1fcfdc8641c00d5fb52c3d19132
    Service-Type = Login-User
    WISPr-Logoff-URL = "http://0.0.0.0/logout"
    NAS-Identifier = "MikroTik"
    NAS-IP-Address = **************
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] = ok
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "2C:60:0C:E0:51:5D", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
++[files] = noop
[sql]     expand: %{User-Name} -> 2C:60:0C:E0:51:5D
[sql] sql_set_user escaped user --> '2C:60:0C:E0:51:5D'
rlm_sql (sql): Reserving sql socket id: 31
[sql]     expand: SELECT id, username, attribute, value, op           FROM
radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY
id -> SELECT id, username, attribute, value, op           FROM
radcheck           WHERE username = '2C:60:0C:E0:51:5D'           ORDER BY
id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op
FROM radcheck           WHERE username = '2C:60:0C:E0:51:5D'
ORDER BY id
[sql] User found in radcheck table
[sql]     expand: SELECT id, username, attribute, value, op           FROM
radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY
id -> SELECT id, username, attribute, value, op           FROM
radreply           WHERE username = '2C:60:0C:E0:51:5D'           ORDER BY
id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op
FROM radreply           WHERE username = '2C:60:0C:E0:51:5D'
ORDER BY id
[sql]     expand: SELECT groupname           FROM radusergroup
WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT
groupname           FROM radusergroup           WHERE username =
'2C:60:0C:E0:51:5D'           ORDER BY priority
rlm_sql_mysql: query:  SELECT groupname           FROM
radusergroup           WHERE username = '2C:60:0C:E0:51:5D'           ORDER
BY priority
rlm_sql (sql): Released sql socket id: 31
++[sql] = ok
++? if (notfound)
? Evaluating (notfound) -> FALSE
++? if (notfound) -> FALSE
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = CHAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"
!!!
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /etc/freeradius/sites-enabled/default
+group CHAP {
[chap] login attempt by "2C:60:0C:E0:51:5D" with CHAP password
[chap] Using clear text password "***********" for user 2C:60:0C:E0:51:5D
authentication.
[chap] Password check failed
++[chap] = reject
+} # group CHAP = reject
Failed to authenticate the user.
Login incorrect (rlm_chap: Wrong user password):
[2C:60:0C:E0:51:5D/<CHAP-Password>] (from client ****** port 2151679390 cli
2C:60:0C:E0:51:5D)
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius/sites-enabled/default
+group REJECT {
[attr_filter.access_reject]     expand: %{User-Name} -> 2C:60:0C:E0:51:5D
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host ************* port 50808, id=180,
length=203
Waiting to send Access-Reject to client ******* port 50808 - ID: 180
Waking up in 0.7 seconds.
rad_recv: Access-Request packet from host ********* port 50808, id=180,
length=203
Waiting to send Access-Reject to client ********** port 50808 - ID: 180
Waking up in 0.4 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 180 to ********* port 50808
Waking up in 4.9 seconds.

Cheers

2017-05-30 21:14 GMT+02:00 Matthew Newton <matthew at newtoncomputing.co.uk>:

> On Tue, May 30, 2017 at 11:07:03AM +0200, Gianluca Baù wrote:
> > i would like to forward authorization requests to another Freeradius
> server
> > if the user is not present in the local one.
>
> OK
>
> > authorize {
> >    ......
> > if (!notfound) {
>
> That's if "not notfound" - you probably want if (notfound) {
>
> >                 update control {
> >                         Proxy-To-Realm := "newrealm"
> >                 }
> >         }
> >     ......
> > }
> >
> > For me this condition is never matched.
>
> Did you leave the logic as above? Where did you put it in the
> config?
>
> As "notfound" is relevant to the previous module that was called,
> location matters. e.g. if you're using ldap, put it after your
> ldap call, not at the end of the authorize{} section after pap.
>
> > May you help me please? Do you need other technical details?
>
> Well the full output of radiusd -X means we have some sort of
> clue as to what is actually going on.
>
> --
> Matthew
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
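As an added example (not part of this thread or of FreeRADIUS itself): a small Python helper that parses a `radiusd -X` authorize trace like the one above and reports, for each `if (...)` condition, which module ran immediately before it and what that module returned. The `TRACE` text is a constructed excerpt of the debug output in the message, and the regular expressions assume the `++[module] = rcode` and `++? if (cond) -> RESULT` line formats shown there.

```python
import re

# Constructed excerpt of the radiusd -X trace posted above (not the full output).
TRACE = """\
+group authorize {
++[preprocess] = ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] = ok
++[mschap] = noop
++[suffix] = noop
++[eap] = noop
++[files] = noop
[sql] User found in radcheck table
++[sql] = ok
++? if (notfound)
? Evaluating (notfound) -> FALSE
++? if (notfound) -> FALSE
++[expiration] = noop
++[pap] = noop
+} # group authorize = ok
"""

# "++[sql] = ok" style lines: module name and its return code.
MODULE_RE = re.compile(r"^\+\+\[(?P<module>[\w.]+)\] = (?P<rcode>\w+)$")
# "++? if (notfound) -> FALSE" style lines: condition and evaluated result.
COND_RE = re.compile(r"^\+\+\? if \((?P<cond>[^)]+)\) -> (?P<result>TRUE|FALSE)$")


def parse_authorize(trace):
    """Return (modules, conditions): modules is an ordered list of
    (module, rcode); conditions is a list of (cond, result, prev_module,
    prev_rcode), where prev_* is the module called just before the condition,
    i.e. the return code that a bare rcode check such as 'notfound' tests."""
    modules, conditions = [], []
    for line in trace.splitlines():
        m = MODULE_RE.match(line)
        if m:
            modules.append((m["module"], m["rcode"]))
            continue
        c = COND_RE.match(line)
        if c:
            prev_module, prev_rcode = modules[-1] if modules else (None, None)
            conditions.append((c["cond"], c["result"], prev_module, prev_rcode))
    return modules, conditions


def explain(trace):
    """One sentence per condition saying why it evaluated as it did."""
    _, conditions = parse_authorize(trace)
    return [f"if ({cond}) was {result}: the preceding module [{mod}] returned {rcode}"
            for cond, result, mod, rcode in conditions]
```

Running `explain(TRACE)` on the excerpt reports that `if (notfound)` was FALSE because `[sql]` returned `ok`, which matches the "User found in radcheck table" line: the local user exists, so the proxy rule is never reached and the failure is the CHAP password check afterwards.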