Hi all, I'm testing an LDAP Backend for PPPoE User Authorization. Goal is to remove the added AVPairs (during Authorization) if authentication fail. I have put the statements in the "post-auth" Section but it seems it is never executed. ------------------------------------------------------------------ RADIUS VERSION (http://packages.networkradius.com/centos/7/repo) ------------------------------------------------------------------- radiusd: FreeRADIUS Version 3.0.16, for host x86_64-redhat-linux-gnu, built on Jan 11 2018 at 16:34:57 FreeRADIUS Version 3.0.16 Copyright (C) 1999-2017 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT -------------------------------------- cat ../sites-available/wvnet-aaa -------------------------------------- server wvnet-aaa { listen { ipaddr = ATVIED6INFRAH4AAA port = 1812 type = auth } authorize { filter_username filter_password preprocess if ( &User-Name =~ /^(.*)@(.*$)/ ) { update request { Stripped-User-Name := "%{1}" Realm := "%{2}" } } auth_log ATVIED6INFRAH4LDAP chap pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } } post_auth { Post-Auth-Type REJECT { update reply { Cisco-AVPair !* ANY } attr_filter.access_reject } } listen { ipaddr = ATVIED6INFRAH4AAA port = 1813 type = acct } preacct { preprocess update request { FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" } acct_unique acct_counters64 } accounting { redundant { ATVIED6INFRAH4MYSQL ATVIED6INFRAH3MYSQL ATVIED6INFRAH2MYSQL } attr_filter.accounting_response } } -------------------------- cat ../mods-enabled/ldap -------------------------- ldap ATVIED6INFRAH4LDAP { server = 'ldaps://ATVIED6INFRAH4LDAP.as29081.net' identity = '---------' password = '---------' valuepair_attribute = 'radiusAttribute' base_dn = 'ou=DialIn,ou=AccessService,ou=AAA,dc=as29081,dc=net' update { control:Password-With-Header += 'userPassword' control: += 'radiusControlAttribute' request: += 'radiusRequestAttribute' reply: += 'radiusReplyAttribute' } user { base_dn = "${..base_dn}" #filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" filter = "(cn=%{User-Name})" scope = 'sub' access_attribute = 'dialupAccess' access_positive = yes } group { } profile { } client { base_dn = 'ou=AccessServer,ou=AAA,dc=as29081,dc=net' filter = '(objectClass=radiusClient)' scope = 'sub' attribute { ipaddr = 'radiusClientIdentifier' secret = 'radiusClientSecret' shortname = 'radiusClientShortname' nas_type = 'radiusClientType' virtual_server = 'radiusClientVirtualServer' require_message_authenticator = 'radiusClientRequireMa' } } read_clients = no accounting { } post-auth { } options { dereference = 'never' chase_referrals = yes rebind = yes res_timeout = 10 srv_timelimit = 3 net_timeout = 2 idle = 60 probes = 3 interval = 3 ldap_debug = 0x0028 } tls { start_tls = no ca_path = /etc/openldap/certs certificate_file = /etc/openldap/certs/as29081_net.crt private_key_file = /etc/openldap/certs/as29081_net.key random_file = /dev/urandom require_cert = 'allow' } pool { start = ${thread[pool].start_servers} min = ${thread[pool].min_spare_servers} max = ${thread[pool].max_servers} spare = ${thread[pool].max_spare_servers} uses = 0 retry_delay = 20 lifetime = 0 idle_timeout = 60 } } DEBUG-OUTPUT ------------ (1) Received Access-Request Id 58 from 10.214.30.1:38589 to 10.214.200.35:1812 length 109 (1) User-Name = "atvied6infraclust-monitor@edsl.wvnet.at" (1) User-Password = "secret" (1) NAS-IP-Address = 10.214.10.1 (1) NAS-Port = 1 (1) Message-Authenticator = 0x74809479c2c4eb92b4d90fa454a31de5 (1) # Executing section authorize from file /etc/raddb/sites-enabled/wvnet-aaa (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) policy filter_password { (1) if (&User-Password && (&User-Password != "%{string:User-Password}")) { (1) EXPAND %{string:User-Password} (1) --> secret (1) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE (1) } # policy filter_password = notfound (1) [preprocess] = ok (1) if ( &User-Name =~ /^(.*)@(.*$)/ ) { (1) if ( &User-Name =~ /^(.*)@(.*$)/ ) -> TRUE (1) if ( &User-Name =~ /^(.*)@(.*$)/ ) { (1) update request { (1) EXPAND %{1} (1) --> atvied6infraclust-monitor (1) Stripped-User-Name := atvied6infraclust-monitor (1) EXPAND %{2} (1) --> edsl.wvnet.at (1) Realm := edsl.wvnet.at (1) } # update request = noop (1) } # if ( &User-Name =~ /^(.*)@(.*$)/ ) = noop (1) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres s}}/auth-detail-%Y%m%d (1) auth_log: --> /var/log/radius/radacct/10.214.30.1/auth-detail-20180219 (1) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres s}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.214.30.1/auth-detail-20180219 (1) auth_log: EXPAND %t (1) auth_log: --> Mon Feb 19 22:59:20 2018 (1) [auth_log] = ok rlm_ldap (ATVIED6INFRAH4LDAP): Reserved connection (1) (1) ATVIED6INFRAH4LDAP: EXPAND (cn=%{User-Name}) (1) ATVIED6INFRAH4LDAP: --> (cn=atvied6infraclust-monitor@edsl.wvnet.at) (1) ATVIED6INFRAH4LDAP: Performing search in "ou=DialIn,ou=AccessService,ou=AAA,dc=as29081,dc=net" with filter "(cn=atvied6infraclust-monitor@edsl.wvnet.at)", scope "sub" (1) ATVIED6INFRAH4LDAP: Waiting for search result... (1) ATVIED6INFRAH4LDAP: User object found at DN "cn=atvied6infraclust-monitor@edsl.wvnet.at,ou=edsl.wvnet.at,ou=realm,ou=Dia lIn,ou=AccessService,ou=AAA,dc=as29081,dc=net" (1) ATVIED6INFRAH4LDAP: Processing user attributes (1) ATVIED6INFRAH4LDAP: control:Password-With-Header += 'secret' (1) ATVIED6INFRAH4LDAP: reply::Cisco-AVPair += 'ip:addr-pool=monitor-pool' (1) ATVIED6INFRAH4LDAP: reply::Cisco-AVPair += 'lcp:interface-config=service-policy input monitor' rlm_ldap (ATVIED6INFRAH4LDAP): Released connection (1) Need 4 more connections to reach 10 spares rlm_ldap (ATVIED6INFRAH4LDAP): Opening additional connection (6), 1 of 26 pending slots used rlm_ldap (ATVIED6INFRAH4LDAP): Connecting to ldaps://ATVIED6INFRAH4LDAP.as29081.net:636 TLS certificate verification: Error, self signed certificate in certificate chain rlm_ldap (ATVIED6INFRAH4LDAP): Waiting for bind result... rlm_ldap (ATVIED6INFRAH4LDAP): Bind successful (1) [ATVIED6INFRAH4LDAP] = updated (1) [chap] = noop (1) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (1) pap: Removing &control:Password-With-Header (1) [pap] = updated (1) } # authorize = updated (1) Found Auth-Type = PAP (1) # Executing group from file /etc/raddb/sites-enabled/wvnet-aaa (1) Auth-Type PAP { (1) pap: Login attempt with password (1) pap: Comparing with "known good" Cleartext-Password (1) pap: ERROR: Cleartext password does not match "known good" password (1) pap: Passwords don't match (1) [pap] = reject (1) } # Auth-Type PAP = reject (1) Failed to authenticate the user (1) Using Post-Auth-Type Reject (1) Post-Auth-Type sub-section not found. Ignoring. (1) Login incorrect (pap: Cleartext password does not match "known good" password): [atvied6infraclust-monitor@edsl.wvnet.at/secret] (from client ATVIED6INFRACLUST-RADCLIENT port 1) (1) Delaying response for 2.000000 seconds Waking up in 0.6 seconds. Waking up in 1.3 seconds. (1) Sending delayed response (1) Sent Access-Reject Id 58 from 10.214.200.35:1812 to 10.214.30.1:38589 length 110 (1) Cisco-AVPair += "ip:addr-pool=monitor-pool" (1) Cisco-AVPair += "lcp:interface-config=service-policy input monitor" Waking up in 2.9 seconds. (1) Cleaning up request packet ID 58 with timestamp +26 Ready to process requests BR Stefan