Alan DeKok wrote:
Geoff Silver <geoff+freeradius@uslinux.net> wrote:
I have a bunch of users which should have a class attribute returned upon successful authentication. Their entries look something like:
bob NAS-IP-Address == 172.31.33.66, Hint==HasSlash Auth-Type:=Accept Class = "OU=MY_CORP", Filter-Id = "SPCCOLO_O", Split-Tunneling-Policy = 1, Split-Tunnel-List = "SPCCOLO_ST"
What they're actually getting back is:
Packet-Type = Access-Accept User-Name = "bob" Class = 0x3739774831423272375053516a71424143444358434979507544493d
Which is '79...'
*nod*.
It works for me, so my guess is that something else in your configuration is setting Class to that value.
Okay, I'll bite - so what on earth might be causing that? I'm not doing any rewriting, and both the Filter-Id and the Split-Tunnel-List attributes come back as strings. I thought maybe it was getting confused on the Class since it contains an =, but changing that to an _ doesn't help. Is this perhaps coming back from the proxy server, and if so, is there a way to use my local Class attribute instead? My users file has a whole bunch of entries that look like the above, mostly like: bob NAS-IP-Address == 172.31.33.66, Hint==HasSlash, Proxy-To-Realm:=UAS Class = "OU=MY_CORP", Filter-Id = "SPCCOLO_O", Split-Tunneling-Policy = 1, Split-Tunnel-List = "SPCCOLO_ST" My hints file looks like: DEFAULT User-Password =~ ".*/.*" Hint = HasSlash My proxy.conf looks like: proxy server { synchronous = no retry_delay = 5 retry_count = 1 dead_time = 300 default_fallback = yes post_proxy_authorize = yes } realm UAS { type = radius authhost = radius.domain.com:1812 secret = MySecretKey } And my radiusd.conf looks uninterestingly like the following (note that the syslog sections are part of rlm_syslog which I submitted a while back): ## ## radiusd.conf -- FreeRADIUS server configuration file. ## prefix = /opt/radius exec_prefix = ${prefix} sysconfdir = /opt/radius/etc localstatedir = /var sbindir = /opt/radius/sbin logdir = /var/log/radius raddbdir = /opt/radius/etc radacctdir = /var/log/radius confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = ${logdir}/radius.log libdir = ${exec_prefix}/lib pidfile = ${run_dir}/radiusd.pid checkrad = ${sbindir}/checkrad user = radius group = radius max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 listen { ipaddr = * port = 1645 type = auth } listen { ipaddr = * port = 1646 type = acct } listen { ipaddr = * port = 1812 type = auth } listen { ipaddr = * port = 1813 type = acct } hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = yes log_auth_badpass = no log_auth_goodpass = no usercollide = no lower_user = yes lower_pass = no nospace_user = before nospace_pass = no security { max_attributes = 200 reject_delay = 1 status_server = no } $INCLUDE ${confdir}/clients.conf snmp = no #$INCLUDE ${confdir}/snmp.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints } files { usersfile = ${confdir}/users compat = no } uas { } syslog acct_log { loglevel = "info" logfacility = "local3" logname = "radiusd-acct" } syslog auth_log { hidepasswd = yes loglevel = "info" logfacility = "local3" logname = "radiusd-auth" } syslog reply_log { hidepasswd = yes # Some of this may be redundant, but it pretty much ensures # we get a unique identifier in every reply log message logextra = "User-Name = %{User-Name},Client-IP-Address = %{Client-IP-Address},NAS-IP-Address = %{NAS-IP-Address},NAS-Port = %{NAS-Port}" loglevel = "info" logfacility = "local3" logname = "radiusd-auth" } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } digest { } exec { wait = yes input_pairs = request output_pairs = none } exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply #packet_type = Access-Accept } } instantiate { exec expr } authorize { preprocess auth_log files } authenticate { Auth-Type UAS { #uas } } preacct { preprocess acct_unique files } accounting { acct_log } session { } post-auth { Post-Auth-Type REJECT { reply_log } reply_log } proxy_requests = yes $INCLUDE ${confdir}/proxy.conf pre-proxy { } post-proxy { }