Exec and dropped attributes between v2.0 and 3.0

Luke Cameron lukessi at gmail.com
Wed Dec 4 19:40:47 CET 2019


Thanks Alan and Matthew for your help so far.

I do apologise if I frustrated you; that wasn't what I wanted to do.

Please see my replies below in bold; the Gmail web app isn't great.

On Wed, 4 Dec 2019 at 16:59, Matthew Newton <mcn at freeradius.org> wrote:

> On Wed, 2019-12-04 at 16:35 +0000, Luke Cameron wrote:
> > Ready to process requests
> > (0) Received Access-Request Id 31 from xxx.xxx.40.10:49430 to
> > xxx.xxx.40.10:1812 length 78
> > (0)   User-Name = "testuser"
> > (0)   User-Password = "testuser"
> > (0)   NAS-IP-Address = xxx.xxx.40.10
> > (0)   NAS-Port = 1812
> > (0)   Message-Authenticator = 0x4ea342f707f8b90e09291fe54a2e09e2
> > (0) # Executing section authorize from file /etc/raddb/sites-
> > enabled/default
>
> As Alan pointed out, there's no Framed-IP-Address in the request, so
> there's nothing to log there.
>
> But there _is_ one in the reply, which means you've added it somewhere
> in FreeRADIUS.
>
> What are you trying to log? One sent by the NAS? In which case fix the
> NAS to send it. Or one generated by FreeRADIUS, in which case you stand
> a chance, as long as you log it *after* it's been added.
>
> * FreeRADIUS is generating it. *

>
> > (0)     [preprocess] = ok
> > (0)     [chap] = noop
> > (0)     [mschap] = noop
> > (0)     [digest] = noop
> > (0) suffix: Checking for suffix after "@"
> > (0) suffix: No '@' in User-Name = "testuser", looking up realm NULL
> > (0) suffix: No such realm "NULL"
> > (0)     [suffix] = noop
> > (0) eap: No EAP-Message, not doing EAP
> > (0)     [eap] = noop
> > (0) files: users: Matched entry testuser at line 1
> > (0) files: EXPAND /etc/raddb/var.sh %{User-Name} %{reply:Framed-IP-
> > Address}
> > (0) files:    --> /etc/raddb/var.sh testuser
> > (0) files: EXPAND Hello, %{User-Name}
> > (0) files:    --> Hello, testuser
> > (0)     [files] = ok
>
> This looks like a likely suspect. Have you added a reply attribute in
> the users file?
>

*Correct *

>
> There's nothing going to get logged if you call your script here, as
> there's no attribute already existing, as you've found out.
>
> > (0)   post-auth {
> > (0)     update {
> > (0)       No attributes updated
> > (0)     } # update = noop
> > (0) gprsh01-ippool: Could not find Pool-Name attribute
> > (0)     [gprsh01-ippool] = noop
> > (0) gprsh02-ippool: Could not find Pool-Name attribute
> > (0)     [gprsh02-ippool] = noop
>
> Returning noop, so doesn't look like these added the Framed-IP-Address
> attribute. So my suspicion is the users file.
>

*Yes it gets added from the users file. Logging is working and shows the
Framed-IP-Address but not my script. Which is weird as I believe the log
module is before the exec module.  *

>
> You can add "debug_reply" into the config in places to discover at
> which point it gets added, if you need to.
>
> *Cool Thanks I will add that tomorrow and see where it gets added. *


> There's no point logging it before it's added, as it won't exist.
>
> > (0) Sent Access-Accept Id 31 from xxx.xxx.40.10:1812 to
> > xxx.xxx.40.10:49430
> > length 0
> > (0)   Framed-IP-Address = 10.199.0.1
> > (0)   Reply-Message = "Hello, testuser"
> > (0) Finished request
>
> --
> Matthew
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
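
Added example, not part of the thread and not FreeRADIUS code: a small Python check that pairs each `EXPAND` line of the debug output with its `-->` result and reports which `%{...}` references expanded to nothing, which is what happened to `%{reply:Framed-IP-Address}` in the `files` module above. It assumes the debug line format shown in the thread, un-nested references and expanded values without whitespace; the function names are hypothetical and the sample lines are the thread's own with the e-mail wrapping rejoined.

```python
import re

# Debug lines copied from the thread above, e-mail line wrap rejoined.
SAMPLE = """\
(0) files: users: Matched entry testuser at line 1
(0) files: EXPAND /etc/raddb/var.sh %{User-Name} %{reply:Framed-IP-Address}
(0) files:    --> /etc/raddb/var.sh testuser
(0) files: EXPAND Hello, %{User-Name}
(0) files:    --> Hello, testuser
(0)     [files] = ok
"""

EXPAND = re.compile(r"^\((\d+)\)\s+(\S+):\s+EXPAND (.*)$")
RESULT = re.compile(r"^\((\d+)\)\s+(\S+):\s+--> ?(.*)$")
REF = re.compile(r"%\{([^}]+)\}")  # un-nested %{...} references only


def split_values(template, result):
    """Pair each %{...} reference with its expanded text; None if unaligned."""
    parts = REF.split(template)        # [literal, name, literal, name, ...]
    names = parts[1::2]
    pattern = ""
    for i, literal in enumerate(parts[0::2]):
        # Whitespace in literals is optional: an empty value leaves a gap behind.
        pattern += r"\s*".join(re.escape(p) for p in re.split(r"\s+", literal))
        if i < len(names):
            pattern += r"(\S*)"        # assumption: values contain no whitespace
    m = re.fullmatch(pattern + r"\s*", result.strip())
    return list(zip(names, m.groups())) if m else None


def empty_expansions(log):
    """Return (request, module, template, [references that expanded to ''])."""
    findings, pending = [], None
    for line in log.splitlines():
        m = EXPAND.match(line)
        if m:
            pending = m.groups()
            continue
        m = RESULT.match(line)
        if m and pending and m.group(1, 2) == pending[:2]:
            values = split_values(pending[2], m.group(3)) or []
            empty = [name for name, value in values if value == ""]
            if empty:
                findings.append((int(pending[0]), pending[1], pending[2], empty))
        pending = None                 # a result must directly follow its EXPAND
    return findings


if __name__ == "__main__":
    for req, module, template, empty in empty_expansions(SAMPLE):
        print(f"({req}) {module}: {template!r} expanded with empty {empty}")
```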

