Hello, I'm running 2.0.4 on Debian testing. I have a test setup in which I'm proxying access requests between two virtual servers running inside the same daemon: radtest <---> [ virtual server A <---(proxy)---> virtual server B ] Proxing is triggered using the rlm_realm module and all attr_filter module instances in radiusd.conf have been commented out. Authentication works fine, but reply attributes created by B are not being returned to radtest unless I configure the following in A: post-auth { update reply { Attribute1 := "%{proxy-reply:Attribute1}" Attribute2 := "%{proxy-reply:Attribute2}" Attribute3 := "%{proxy-reply:Attribute3}" ... } } My understanding is that without any attribute filters in place, the proxy-reply list in virtual server A is supposed to be automatically copied to its reply list. Is this correct, or is there an option that needs to be set somewhere? Also, it seems that this scenario is functionally similar to how the peap and ttls modules proxy tunneled EAP exchanges to another virtual server using the 'virtual_server' option. Those modules use a 'use_tunneled_reply' option which seems to force the behavior I'm trying to achieve. Or am I way off the mark? I've attached what I think is just the relevant debug output. If more is needed, please let me know. Thanks! ### START DEBUG OUTPUT ### ... server monitor { modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating vpn_realm realm vpn_realm { format = "prefix" delimiter = "." ignore_default = yes ignore_null = yes } Module: Checking preacct {...} for more modules to load Module: Checking accounting {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking pre-proxy {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } } server vpn { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Checking authorize {...} for more modules to load Module: Checking preacct {...} for more modules to load Module: Checking accounting {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking pre-proxy {...} for more modules to load Module: Checking post-proxy {...} for more modules to load } } server { modules { } } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "proxy" ipaddr = * port = 0 } main { snmp = no smux_password = "" snmp_write_access = no } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 4041 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 4030, id=27, length=76 User-Name = "vpn_realm.mloosbro" User-Password = "password" NAS-IP-Address = 10.0.1.200 NAS-Port = 1 Framed-Protocol = PPP server monitor { +- entering group authorize rlm_realm: Looking up realm "vpn_realm" for User-Name = "vpn_realm.mloosbro" rlm_realm: Found realm "vpn_realm" rlm_realm: Adding Stripped-User-Name = "mloosbro" rlm_realm: Adding Realm = "vpn_realm" rlm_realm: Proxying request from user mloosbro to realm vpn_realm rlm_realm: Preparing to proxy authentication request to realm "vpn_realm" ++[vpn_realm] returns updated } # server monitor +- entering group pre-proxy ++[noop] returns noop
Sending proxied request internally to virtual server. server vpn { +- entering group authorize expand: %{control:NS-Override-User} -> expand: %{Stripped-User-Name} -> mloosbro expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> mloosbro expand: %{%{control:NS-Override-User}:-%{%{Stripped-User- Name}:-%{%{User-Name}:-DEFAULT}}} -> mloosbro rlm_sql (ns-sql-vpn): sql_set_user escaped user --> 'mloosbro' rlm_sql (ns-sql-vpn): Reserving sql socket id: 4 expand: SELECT id, username, attribute, value, op FROM radcheck_asa WHERE username = '%{SQL-User- Name}' ORDER BY id -> SELECT id, username, a WHERE username = 'mloosbro' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergr BY priority expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck_asa WHERE groupname = '%{Sql- Group}' ORDER BY id -> SELECT id M radgroupcheck_asa WHERE groupname = 'its- network' ORDER BY id rlm_sql (ns-sql-vpn): User found in group its-network expand: SELECT id, groupname, attribute, value, op FROM radgroupreply_asa WHERE groupname = '%{Sql- Group}' ORDER BY id -> SELECT id M radgroupreply_asa WHERE groupname = 'its- network' ORDER BY id expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck_asa WHERE groupname = '%{Sql- Group}' ORDER BY id -> SELECT id M radgroupcheck_asa WHERE groupname = 'employee' ORDER BY id rlm_sql (ns-sql-vpn): User found in group employee expand: SELECT id, groupname, attribute, value, op FROM radgroupreply_asa WHERE groupname = '%{Sql- Group}' ORDER BY id -> SELECT id M radgroupreply_asa WHERE groupname = 'employee' ORDER BY id rlm_sql (ns-sql-vpn): Released sql socket id: 4 ++[ns-sql-vpn] returns ok ++[control] returns ok rad_check_password: Found Auth-Type Kerberos auth: type "Kerberos" +- entering group Kerberos rlm_krb5: verify_krb_v5_tgt: host key not found : No such file or directory ++[krb5] returns ok Login OK: [mloosbro/password] (from client monitor port 1 via TLS tunnel) } # server vpn Going to the next request <<< Received proxied response from internal virtual server. +- entering group authorize rlm_realm: Proxy reply, or no User-Name. Ignoring. ++[vpn_realm] returns noop rad_check_password: Found Auth-Type rad_check_password: Auth-Type = Accept, accepting the user Login OK: [vpn_realm.mloosbro/password] (from client monitor port 1) +- entering group post-auth ++[noop] returns noop Sending Access-Accept of id 27 to 127.0.0.1 port 4030 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 4030, id=27, length=76 Sending duplicate reply to client monitor port 4030 - ID: 27 Sending Access-Accept of id 27 to 127.0.0.1 port 4030 Waking up in 4.9 seconds. Cleaning up request 0 ID 27 with timestamp +3 Ready to process requests.
### END DEBUG OUTPUT ### Mike Loosbrock Bethel University Network Services 651-638-6723