Can't append attributes to the Access-Accept relayed from the proxy home-server to the clients

Difan Zhao Difan.Zhao at pason.com
Mon Jun 1 21:12:58 CEST 2020


Hi Freeradius gurus,

I am setting up a FreeRADIUS (ver 3.0.16) server on an Ubuntu 18.04 box and I will use it to authenticate admin access to the networking devices for mgmt purposes. It doesn't store user passwords locally. It will proxy the authentication requests to a Windows NPS (also running the RADIUS service) that has access to the Windows AD for the user credentials. The idea is that this FreeRADIUS server would append the VSAs for users upon successful authentication to give them adequate access on the switches, routers, firewalls, etc.

So I am able to proxy the authentication request to the NPS and I am getting an Access-Accept back. I am able to get the proper access to my firewall by sending the VSAs, but only if I use local accounts. However, I just can't combine the two.

Here is my authorize file

dzhao   Proxy-To-Realm := 'pason.com'
        Fortinet-Group-Name := 'RW'

Here is my proxy.conf

home_server CorpIT_NPS {
        type = auth
        ipaddr = it-00-nps-pro2
        port = 1812
        secret = xxx
        response_window = 60
        zombie_period = 120
}

home_server_pool CorpIT_NPS_pool {
        type = fail-over
        home_server = CorpIT_NPS
}

realm pason.com {
        auth_pool = CorpIT_NPS_pool
}

Here is my -X output. The NPS does MFA, so the response is a little slow because I need to click "approve" in the phone app. I don't see the Fortinet VSA "RW" included in the Access-Accept packet sent to the client...

Ready to process requests
(0) Received Access-Request Id 42 from 172.16.0.99:1114 to 10.92.3.75:1812 length 104
(0)   NAS-Identifier = "FGT60D4613054197"
(0)   User-Name = "dzhao"
(0)   User-Password = "Xxx"
(0)   NAS-Port-Type = Virtual
(0)   Acct-Session-Id = "6ddb75a0"
(0)   Connect-Info = "admin-login"
(0)   Fortinet-Vdom-Name = "root"
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "dzhao", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) files: users: Matched entry dzhao at line 1
(0)     [files] = ok
(0) sql: EXPAND %{User-Name}
(0) sql:    --> dzhao
(0) sql: SQL-User-Name set to 'dzhao'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dzhao' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dzhao' ORDER BY id
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'dzhao' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'dzhao' ORDER BY priority
(0) sql: User not found in any groups
rlm_sql (sql): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.5-10.1.44-MariaDB-0ubuntu0.18.04.1, protocol version 10
(0)     [sql] = notfound
(0)     [expiration] = noop
(0)     [logintime] = noop
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Starting proxy to home server 10.92.3.105 port 1812
(0) Proxying request to home server 10.92.3.105 port 1812 timeout 30.000000
(0) Sent Access-Request Id 10 from 0.0.0.0:53464 to 10.92.3.105:1812 length 138
(0)   NAS-Identifier = "FGT60D4613054197"
(0)   User-Name = "dzhao"
(0)   User-Password = "Xxx"
(0)   NAS-Port-Type = Virtual
(0)   Acct-Session-Id = "6ddb75a0"
(0)   Connect-Info = "admin-login"
(0)   Fortinet-Vdom-Name = "root"
(0)   Event-Timestamp = "Jun  1 2020 12:16:22 MDT"
(0)   NAS-IP-Address = 172.16.0.99
(0)   Message-Authenticator := 0x00
(0)   Proxy-State = 0x3432
Waking up in 0.3 seconds.
(0) Expecting proxy response no later than 29.667310 seconds from now
Waking up in 29.6 seconds.
(0) Sending duplicate proxied request to home server 10.92.3.105 port 1812 - ID: 10
(0) Sent Access-Request Id 10 from 0.0.0.0:53464 to 10.92.3.105:1812 length 138
(0)   NAS-Identifier = "FGT60D4613054197"
(0)   User-Name = "dzhao"
(0)   User-Password = "Xxx"
(0)   NAS-Port-Type = Virtual
(0)   Acct-Session-Id = "6ddb75a0"
(0)   Connect-Info = "admin-login"
(0)   Fortinet-Vdom-Name = "root"
(0)   Event-Timestamp = "Jun  1 2020 12:16:22 MDT"
(0)   NAS-IP-Address = 172.16.0.99
(0)   Message-Authenticator := 0x00
(0)   Proxy-State = 0x3432
Waking up in 25.0 seconds.
(0) Marking home server 10.92.3.105 port 1812 alive
(0) Clearing existing &reply: attributes
(0) Received Access-Accept Id 10 from 10.92.3.105:1812 to 10.92.3.75:53464 length 82
(0)   Proxy-State = 0x3432
(0)   Framed-Protocol = PPP
(0)   Service-Type = Framed-User
(0)   Class = 0x94be085900000137000102000a5c03690000000031a22bda391cd93d01d635f7b722a976000000000000000d
(0) # Executing section post-proxy from file /etc/freeradius/3.0/sites-enabled/default
(0)   post-proxy {
(0) eap: No pre-existing handler found
(0)     [eap] = noop
(0)   } # post-proxy = noop
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user
(0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(0)   post-auth {
(0)     update {
(0)       No attributes updated
(0)     } # update = noop
(0) sql: EXPAND .query
(0) sql:    --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (2)
(0) sql: EXPAND %{User-Name}
(0) sql:    --> dzhao
(0) sql: SQL-User-Name set to 'dzhao'
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(0) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'dzhao', 'Xxx', 'Access-Accept', '2020-06-01 12:16:22')
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'dzhao', 'Xxx', 'Access-Accept', '2020-06-01 12:16:22')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (2)
Need 3 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (7), 1 of 25 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.5-10.1.44-MariaDB-0ubuntu0.18.04.1, protocol version 10
(0)     [sql] = ok
(0)     [exec] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # post-auth = ok
(0) Login OK: [dzhao] (from client FGT60D4613054197 port 0)
(0) Sent Access-Accept Id 42 from 10.92.3.75:1812 to 172.16.0.99:1114 length 0
(0)   Framed-Protocol = PPP
(0)   Service-Type = Framed-User
(0)   Class = 0x94be085900000137000102000a5c03690000000031a22bda391cd93d01d635f7b722a976000000000000000d
(0) Finished request
Waking up in 4.9 seconds.
(0) Waiting for more responses from the home server
Waking up in 0.3 seconds.
(0) Waiting for more responses from the home server
Waking up in 0.4 seconds.
(0) Waiting for more responses from the home server
Waking up in 0.7 seconds.
(0) Waiting for more responses from the home server
Waking up in 1.1 seconds.
(0) Waiting for more responses from the home server
Waking up in 1.6 seconds.
(0) Waiting for more responses from the home server
Waking up in 2.5 seconds.
(0) Waiting for more responses from the home server
Waking up in 3.7 seconds.
(0) Waiting for more responses from the home server
Waking up in 5.6 seconds.
(0) Waiting for more responses from the home server
Waking up in 8.5 seconds.
(0) Cleaning up request packet ID 42 with timestamp +7
Ready to process requests

I also tried to play with the ./mods-config/attr_filter/post-proxy file, but it doesn't work for me either. Here is my post-proxy config

dzhao
    Fortinet-Group-Name := 'RW'

Please help!

Thanks,
Difan
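
Added example (editor's, not part of Difan's post or of the FreeRADIUS project's own configuration): the debug line "(0) Clearing existing &reply: attributes" shows the reply list built in authorize, including the Fortinet-Group-Name from the users entry, being discarded the moment the home server's Access-Accept arrives, so anything that must reach the FortiGate has to be added after that point, in post-proxy or post-auth of sites-enabled/default. The post-auth fragment below does that for the realm and user from the post; the read-only fallback 'RO' and the reliance on the Proxy-To-Realm control item still being present in post-auth are assumptions.

```unlang
# sites-enabled/default (FreeRADIUS 3.0.x), post-auth section.
# Added example, not the poster's config. Realm 'pason.com', user 'dzhao'
# and the VSA value 'RW' come from the post; 'RO' as the fallback and the
# use of the Proxy-To-Realm control item in post-auth are assumptions.
post-auth {
        # Only decorate replies that came back from the NPS realm; local
        # accounts keep whatever the users file gave them in authorize.
        if (&control:Proxy-To-Realm == "pason.com") {

                # The NPS answered with Framed-Protocol/Service-Type meant
                # for PPP, which mean nothing for a FortiGate admin login.
                # Drop them so only attributes this server chose reach the NAS.
                update reply {
                        &Framed-Protocol !* ANY
                        &Service-Type !* ANY
                }

                # Map the authenticated user to an admin profile. Default to
                # read-only so a user with no explicit entry never gets RW.
                switch &User-Name {
                        case "dzhao" {
                                update reply {
                                        &Fortinet-Group-Name := "RW"
                                }
                        }
                        case {
                                update reply {
                                        &Fortinet-Group-Name := "RO"
                                }
                        }
                }
        }

        # Followed by the stock post-auth entries visible in the debug
        # output above: update, sql, exec, remove_reply_message_if_eap.
}
```

With this in place, the -X output should list Fortinet-Group-Name under the final "Sent Access-Accept" to the FortiGate instead of only the attributes the NPS returned.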