Hi, I am using freeradius 2.1.10 and python modules at different stages(pre-proxy, post-proxy) of my RADIUS server which is running in proxy mode.
From the python pre-proxy module I am able to return "radiusd.RLM_MODULE_HANDLED" which is handled at pre-proxy section of the file "sites-available/default".
I want the server to stop at "HANDLED" and send back "Access-Accept" back to the requested client from pre-proxy once the return is HANDLED. Can anyone point to me how to achieve this? The following is what I have tried. My problem is that: if I configure "ok" from "if (handled) {" part of the pre-proxy, the server proceeds with sending this request to external RADIUS server for Authentication(looks like normal behavior with module returning OK ) and if I return "handled" from "if(handled) {" part, then the server gives the following, (Same behavior is observed with setting "handled = return" inside "python{}" module.) Ready to process requests. rad_recv: Access-Request packet from host 72.163.210.89 port 2051, id=96, length=104 User-Name = "ranjith" User-Password = "test123" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "ranjith", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "ranjith" [suffix] Adding Realm = "NULL" [suffix] Proxying request from user ranjith to realm NULL [suffix] Preparing to proxy authentication request to realm "NULL" ++[suffix] returns updated [eap] No EAP-Message, not doing EAP ++[eap] returns noop *** I am in authorize!!!!!!!!!!!!!!!!!! *** *** radlog call in authorize *** ++[python] returns ok ++? if (handled) ? Evaluating (handled) -> FALSE ++? if (handled) -> FALSE ++[files] returns noop [sql] expand: %{User-Name} -> ranjith [sql] sql_set_user escaped user --> 'ranjith' rlm_sql (sql): Reserving sql socket id: 1 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'ranjith' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'ranjith' ORDER BY priority rlm_sql (sql): Released sql socket id: 1 [sql] User ranjith not found ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop # Executing section pre-proxy from file /etc/raddb/sites-enabled/default +- entering group pre-proxy {...} *** radlog call in pre_proxy_ranjith !!!!!!!!!!!!!!!*** *** pre_proxy_ranjith Found Session !!!!!!!!!!!!! *** ++[python] returns handled ++? if (handled) ? Evaluating (handled) -> TRUE ++? if (handled) -> TRUE ++- entering if (handled) {...} +++[handled] returns handled ++- if (handled) returns handled There was no response configured: rejecting request 1 Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> ranjith attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 94 to 72.163.210.89 port 2010 Waking up in 4.9 seconds. Cleaning up request 1 ID 94 with timestamp +19 Ready to process requests. The following is the snippet of the "sites-available/default" pre-proxy section. pre-proxy { # attr_rewrite # Uncomment the following line if you want to change attributes # as defined in the preproxy_users file. # files # Uncomment the following line if you want to filter requests # sent to remote servers based on the rules defined in the # 'attrs.pre-proxy' file. # attr_filter.pre-proxy # If you want to have a log of packets proxied to a home # server, un-comment the following line, and the # 'detail pre_proxy_log' section, above. # pre_proxy_log #python python { notfound = 1 noop = 2 ok = 3 updated = 4 fail = return reject = return userlock = return invalid = return handled = 3 #handled = return #ok = return } if (handled) { #Post-Auth-Type = Access-Accept #Response-Packet-Type = Access-Accept #handled ok } } The following is the snippet of the "sites-available/default" authenticate section(added python module). authenticate { # # PAP authentication, when a back-end database listed # in the 'authorize' section supplies a password. The # password can be clear-text, or encrypted. Auth-Type PAP { pap } # # Most people want CHAP authentication # A back-end database listed in the 'authorize' section # MUST supply a CLEAR TEXT password. Encrypted passwords # won't work. Auth-Type CHAP { chap } # # MSCHAP authentication. Auth-Type MS-CHAP { mschap } # # If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authorize' section. digest # # Pluggable Authentication Modules. # pam # # See 'man getpwent' for information on how the 'unix' # module checks the users password. Note that packets # containing CHAP-Password attributes CANNOT be authenticated # against /etc/passwd! See the FAQ for details. # # For normal "crypt" authentication, the "pap" module should # be used instead of the "unix" module. The "unix" module should # be used for authentication ONLY for compatibility with legacy # FreeRADIUS configurations. # unix python #python { #This doesn't work #ok = handled #} # Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. # Auth-Type LDAP { # ldap # } # # Allow EAP authentication. eap # # The older configurations sent a number of attributes in # Access-Challenge packets, which wasn't strictly correct. # If you want to filter out these attributes, uncomment # the following lines. # # Auth-Type eap { # eap { # handled = 1 # } # if (handled && (Response-Packet-Type == Access-Challenge)) { # attr_filter.access_challenge.post-auth # handled # override the "updated" code from attr_filter # } # } } Thanks Ranjith T