Virtual server pre-proxy section not executed for proxied authentication on v3.0.18 and above

[Alan DeKok]

On Oct 1, 2019, at 12:07 PM, <paul.moser at bt.com> <paul.moser at bt.com> wrote:
> 
> I've been attempting to upgrade some FreeRadius servers that have been following the v3.0.x line. Normally taking the existing running configuration from one minor version and applying to the next has just worked, however attempting to go from 3.0.17 to 3.0.18 (or 3.0.19 or the latest head) and it appears that the pre-proxy section of a virtual server isn't called when proxying authentication requests and the packet is sent straight to the remote radius server. Nothing in the change log or proxy.conf etc jumps out at me as indicating a deliberate change in this area.

  That's unfortunate.

> I can reproduce the problem by applying a minimal realm/home_server_pool/home_server/virtual server combination to an out-of-the-box new install of each version so I don't think it is caused by carrying over some old/incompatible configuration from an old version, however it's quite possible my understanding of how proxying is suppose to work is wrong and my configuration worked by accident rather than design and later versions have tightened up the behaviour.

  Quite possibly.  Unfortunately older versions of the server were somewhat flexible, and people relied on that flexibility.   As we've tightened the rules on undefined behaviour, things change.  :(

> Two full outputs from radiusd -X included at end of the email.
> 
> An a minimal example to reproduce the problem to proxy.conf I've added:
> 
> home_server example_home_server {
>  ipaddr = 1.2.3.4
>  port = 1812
>  secret = password
> }
> 
> home_server_pool example_home_server_pool {
>  home_server = example_home_server
>  virtual_server = example-virtual-server

  Ah... so you're using a *different* virtual server for pre/post proxy, and not the same one which is receiving the request.

  That should work.  I'll take a look.

  Alan DeKok.