Post-Auth Section not executed

NOC WVNET noclist at wvnet.at
Mon Feb 19 23:38:59 CET 2018


Hi all,

I'm testing an LDAP Backend for PPPoE User Authorization.
Goal is to remove the added AVPairs (during Authorization) if authentication
fail.

I have put the statements in the "post-auth" Section but it
seems it is never executed.

------------------------------------------------------------------
RADIUS VERSION
(http://packages.networkradius.com/centos/7/repo)
-------------------------------------------------------------------
radiusd: FreeRADIUS Version 3.0.16, for host x86_64-redhat-linux-gnu, built
on Jan 11 2018 at 16:34:57
FreeRADIUS Version 3.0.16
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT

--------------------------------------
cat ../sites-available/wvnet-aaa
--------------------------------------

server wvnet-aaa {
    listen {
        ipaddr = ATVIED6INFRAH4AAA
        port = 1812
        type = auth
    }
     authorize {
        filter_username
        filter_password
        preprocess
        if ( &User-Name =~ /^(.*)@(.*$)/ ) {
                update request {
                    Stripped-User-Name := "%{1}"
                    Realm := "%{2}"
                }
        }
        auth_log
        ATVIED6INFRAH4LDAP
        chap
        pap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
    }

    post_auth {
        Post-Auth-Type REJECT {
			update reply {
				Cisco-AVPair !* ANY
			}
            attr_filter.access_reject
        }
    }

    listen {
        ipaddr = ATVIED6INFRAH4AAA
        port = 1813
        type = acct
    }

    preacct {
        preprocess
        update request {
            FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l -
%{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
        }
        acct_unique
        acct_counters64
    }

    accounting {
        redundant {
            ATVIED6INFRAH4MYSQL
            ATVIED6INFRAH3MYSQL
            ATVIED6INFRAH2MYSQL
        }
        attr_filter.accounting_response
    }
}

--------------------------
cat ../mods-enabled/ldap
--------------------------

ldap ATVIED6INFRAH4LDAP {
        server = 'ldaps://ATVIED6INFRAH4LDAP.as29081.net'
        identity = '---------'
        password = '---------'
        valuepair_attribute = 'radiusAttribute'
        base_dn = 'ou=DialIn,ou=AccessService,ou=AAA,dc=as29081,dc=net'
        update {
                control:Password-With-Header    += 'userPassword'
                control:                        += 'radiusControlAttribute'
                request:                        += 'radiusRequestAttribute'
                reply:                          += 'radiusReplyAttribute'
        }

        user {
                base_dn = "${..base_dn}"
                #filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
                filter = "(cn=%{User-Name})"
                scope = 'sub'
                access_attribute = 'dialupAccess'
                access_positive = yes
        }

        group {
        }

        profile {
        }

        client {
                base_dn = 'ou=AccessServer,ou=AAA,dc=as29081,dc=net'
                filter = '(objectClass=radiusClient)'
                scope = 'sub'
                attribute {
                        ipaddr                          =
'radiusClientIdentifier'
                        secret                          =
'radiusClientSecret'
                        shortname                       =
'radiusClientShortname'
                        nas_type                        = 'radiusClientType'
                        virtual_server                  =
'radiusClientVirtualServer'
                        require_message_authenticator   =
'radiusClientRequireMa'
                }
        }

        read_clients = no

        accounting {
        }

        post-auth {
        }

        options {
                dereference = 'never'
                chase_referrals = yes
                rebind = yes
                res_timeout = 10
                srv_timelimit = 3
                net_timeout = 2
                idle = 60
                probes = 3
                interval = 3
                ldap_debug = 0x0028
        }

        tls {
                start_tls = no
                ca_path = /etc/openldap/certs
                certificate_file = /etc/openldap/certs/as29081_net.crt
                private_key_file = /etc/openldap/certs/as29081_net.key
                random_file = /dev/urandom
                require_cert    = 'allow'
        }

        pool {
                start = ${thread[pool].start_servers}
                min = ${thread[pool].min_spare_servers}
                max = ${thread[pool].max_servers}
                spare = ${thread[pool].max_spare_servers}
                uses = 0
                retry_delay = 20
                lifetime = 0
                idle_timeout = 60
        }
}

DEBUG-OUTPUT
------------

(1) Received Access-Request Id 58 from 10.214.30.1:38589 to
10.214.200.35:1812 length 109
(1)   User-Name = "atvied6infraclust-monitor at edsl.wvnet.at"
(1)   User-Password = "secret"
(1)   NAS-IP-Address = 10.214.10.1
(1)   NAS-Port = 1
(1)   Message-Authenticator = 0x74809479c2c4eb92b4d90fa454a31de5
(1) # Executing section authorize from file
/etc/raddb/sites-enabled/wvnet-aaa
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     policy filter_password {
(1)       if (&User-Password &&            (&User-Password !=
"%{string:User-Password}")) {
(1)       EXPAND %{string:User-Password}
(1)          --> secret
(1)       if (&User-Password &&            (&User-Password !=
"%{string:User-Password}"))  -> FALSE
(1)     } # policy filter_password = notfound
(1)     [preprocess] = ok
(1)     if ( &User-Name =~ /^(.*)@(.*$)/ ) {
(1)     if ( &User-Name =~ /^(.*)@(.*$)/ )  -> TRUE
(1)     if ( &User-Name =~ /^(.*)@(.*$)/ )  {
(1)       update request {
(1)         EXPAND %{1}
(1)            --> atvied6infraclust-monitor
(1)         Stripped-User-Name := atvied6infraclust-monitor
(1)         EXPAND %{2}
(1)            --> edsl.wvnet.at
(1)         Realm := edsl.wvnet.at
(1)       } # update request = noop
(1)     } # if ( &User-Name =~ /^(.*)@(.*$)/ )  = noop
(1) auth_log: EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres
s}}/auth-detail-%Y%m%d
(1) auth_log:    -->
/var/log/radius/radacct/10.214.30.1/auth-detail-20180219
(1) auth_log:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres
s}}/auth-detail-%Y%m%d expands to
/var/log/radius/radacct/10.214.30.1/auth-detail-20180219
(1) auth_log: EXPAND %t
(1) auth_log:    --> Mon Feb 19 22:59:20 2018
(1)     [auth_log] = ok
rlm_ldap (ATVIED6INFRAH4LDAP): Reserved connection (1)
(1) ATVIED6INFRAH4LDAP: EXPAND (cn=%{User-Name})
(1) ATVIED6INFRAH4LDAP:    --> (cn=atvied6infraclust-monitor at edsl.wvnet.at)
(1) ATVIED6INFRAH4LDAP: Performing search in
"ou=DialIn,ou=AccessService,ou=AAA,dc=as29081,dc=net" with filter
"(cn=atvied6infraclust-monitor at edsl.wvnet.at)", scope "sub"
(1) ATVIED6INFRAH4LDAP: Waiting for search result...
(1) ATVIED6INFRAH4LDAP: User object found at DN
"cn=atvied6infraclust-monitor at edsl.wvnet.at,ou=edsl.wvnet.at,ou=realm,ou=Dia
lIn,ou=AccessService,ou=AAA,dc=as29081,dc=net"
(1) ATVIED6INFRAH4LDAP: Processing user attributes
(1) ATVIED6INFRAH4LDAP: control:Password-With-Header += 'secret'
(1) ATVIED6INFRAH4LDAP: reply::Cisco-AVPair += 'ip:addr-pool=monitor-pool'
(1) ATVIED6INFRAH4LDAP: reply::Cisco-AVPair +=
'lcp:interface-config=service-policy input monitor'
rlm_ldap (ATVIED6INFRAH4LDAP): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_ldap (ATVIED6INFRAH4LDAP): Opening additional connection (6), 1 of 26
pending slots used
rlm_ldap (ATVIED6INFRAH4LDAP): Connecting to
ldaps://ATVIED6INFRAH4LDAP.as29081.net:636
TLS certificate verification: Error, self signed certificate in certificate
chain
rlm_ldap (ATVIED6INFRAH4LDAP): Waiting for bind result...
rlm_ldap (ATVIED6INFRAH4LDAP): Bind successful
(1)     [ATVIED6INFRAH4LDAP] = updated
(1)     [chap] = noop
(1) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password
(1) pap: Removing &control:Password-With-Header
(1)     [pap] = updated
(1)   } # authorize = updated
(1) Found Auth-Type = PAP
(1) # Executing group from file /etc/raddb/sites-enabled/wvnet-aaa
(1)   Auth-Type PAP {
(1) pap: Login attempt with password
(1) pap: Comparing with "known good" Cleartext-Password
(1) pap: ERROR: Cleartext password does not match "known good" password
(1) pap: Passwords don't match
(1)     [pap] = reject
(1)   } # Auth-Type PAP = reject
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) Post-Auth-Type sub-section not found.  Ignoring.
(1) Login incorrect (pap: Cleartext password does not match "known good"
password): [atvied6infraclust-monitor at edsl.wvnet.at/secret] (from client
ATVIED6INFRACLUST-RADCLIENT port 1)
(1) Delaying response for 2.000000 seconds
Waking up in 0.6 seconds.
Waking up in 1.3 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 58 from 10.214.200.35:1812 to 10.214.30.1:38589
length 110
(1)   Cisco-AVPair += "ip:addr-pool=monitor-pool"
(1)   Cisco-AVPair += "lcp:interface-config=service-policy input monitor"
Waking up in 2.9 seconds.
(1) Cleaning up request packet ID 58 with timestamp +26
Ready to process requests


BR
Stefan



More information about the Freeradius-Users mailing list