proxied request accepted but none of the preproccessed attributes are sent to NAS
Only the proxy server A/V are sent to the nas. None of the preprocess, in specific, the files match which includes things like vrf, ip pool and similar important stuff. Here is the -X output. Where should I start looking? Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 hints: Matched DEFAULT at 117 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: Looking up realm "jnet" for User-Name = "clinicallab@jnet" rlm_realm: Found realm "xyzabc" rlm_realm: Proxying request from user clinicallab to realm xyzabc rlm_realm: Adding Realm = "xyzabc" rlm_realm: Preparing to proxy authentication request to realm "xyzabc" modcall[authorize]: module "suffix" returns updated for request 4 radius_xlat: 'clinicallab@xyzabc' rlm_sql (sql): sql_set_user escaped user --> 'clinicallab@xyzabc' rlm_sql (sql): Reserving sql socket id: 25 radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'clinicallab@xyzabc' ORDER BY id' radius_xlat: 'SELECT GroupName FROM usergroup WHERE UserName='clinicallab@xyzabc'' rlm_sql (sql): Released sql socket id: 25 rlm_sql (sql): User clinicallab@xyzabc not found modcall[authorize]: module "sql" returns notfound for request 4 users: Matched entry DEFAULT at line 552 modcall[authorize]: module "files" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 modcall[authorize]: module "expiration" returns noop for request 4 modcall[authorize]: module "logintime" returns noop for request 4 modcall[authorize]: module "pap" returns noop for request 4 modcall: leaving group authorize (returns updated) for request 4 --- Walking the entire request list --- Waking up in 1 seconds... authorize: Skipping authorize in post-proxy stage rad_check_password: Found Auth-Type rad_check_password: Auth-Type = Accept, accepting the user Login OK: [clinicallab@xyzabc/1113128] (from client localhost port 1) Finished request 4 Going to the next request Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 4 seconds... --- Walking the entire request list ---
Joe Maimon <jmaimon@ttec.com> wrote:
None of the preprocess, in specific, the files match which includes things like vrf, ip pool and similar important stuff.
Here is the -X output. Where should I start looking?
post_proxy_authorize has been removed from the config. It's extra work, but the things you need to do in post-proxy should be done in the post-proxy section, not in "authorize". There IS value in remembering the reply & config items from the authorize section for post-proxy, though. Right now, the server discards them (src/main/proxy.c), it could keep them. Alan DeKok.
Alan DeKok wrote:
Joe Maimon <jmaimon@ttec.com> wrote:
None of the preprocess, in specific, the files match which includes things like vrf, ip pool and similar important stuff.
Here is the -X output. Where should I start looking?
post_proxy_authorize has been removed from the config.
It's extra work, but the things you need to do in post-proxy should be done in the post-proxy section, not in "authorize".
How would I run the Hints and the Users file at that point? radiusd didnt like that.
There IS value in remembering the reply & config items from the authorize section for post-proxy, though. Right now, the server discards them (src/main/proxy.c), it could keep them.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
Thanks, I will take a look.
Joe Maimon <jmaimon@ttec.com> wrote:
How would I run the Hints and the Users file at that point? radiusd didnt like that.
The solution is probably to NOT throw away the information gained from the authorize{} section. SOME information should be thrown away, perhaps, but throwing all of it away is most likely bad. Alan DeKok.
Alan DeKok wrote:
Joe Maimon <jmaimon@ttec.com> wrote:
None of the preprocess, in specific, the files match which includes things like vrf, ip pool and similar important stuff.
Here is the -X output. Where should I start looking?
post_proxy_authorize has been removed from the config.
It's extra work, but the things you need to do in post-proxy should be done in the post-proxy section, not in "authorize".
There IS value in remembering the reply & config items from the authorize section for post-proxy, though. Right now, the server discards them (src/main/proxy.c), it could keep them.
Well to be specific procy.c:62 Thanks for the pointer.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
participants (2)
-
Alan DeKok -
Joe Maimon