Hello Alan, On Fri, Jul 17, 2015 at 3:26 PM, Alan DeKok <aland@deployingradius.com> wrote:
Are you sure you're running 3.0.9? Because that code was buggy in 3.0.8.
Yes, I'm using 3.0.9: FreeRADIUS Version 3.0.9, for host x86_64-unknown-linux-gnu, built on Jul 14 2015 at 19:39:49 Linux version 2.6.32-504.el6.x86_64 (mockbuild@c6b9.bsys.dev.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-11) (GCC) ) #1 SMP Wed Oct 15 04:27:16 UTC 2014
And the code to proxy based on Packet-Dst-IP-Address is the *same* for normal packets, and for CoA packets. So please try it for authentication packets. If it works there and not for CoA... something is wrong with your system. Make sure to install (and use) 3.0.9.
If Packet-Dst-IP-Address doesn't work for authentication packets, then there's something magically broken about the code.
Try to come up with a simple example which we can add to the unit test framework...
(7) Received Access-Request Id 82 from 10.56.33.174:32770 to 10.1.1.174:1812 length 267 (7) User-Name = "84-8e-df-ea-e9-62" (7) Called-Station-Id = "44-ad-d9-f1-9b-10:SSIDNAME" (7) Calling-Station-Id = "84-8e-df-ea-e9-62" (7) NAS-Port = 1 (7) NAS-IP-Address = 10.56.33.174 (7) NAS-Identifier = "WLC2504" (7) Airespace-Wlan-Id = 1 (7) User-Password = "xxxxxx" (7) Service-Type = Call-Check (7) Framed-MTU = 1300 (7) NAS-Port-Type = Wireless-802.11 (7) Tunnel-Type:0 = VLAN (7) Tunnel-Medium-Type:0 = IEEE-802 (7) Tunnel-Private-Group-Id:0 = "63" (7) Cisco-AVPair = "audit-session-id=0a3821ae000023bd55a8fab6" (7) Acct-Session-Id = "55a8fab6/84:8e:df:ea:e9:62/9166" (7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (7) authorize { ............. sql queries and checks skipped ............ (7) --> 1 (7) case 1 { (7) update reply { (7) Cisco-AVPair += "url-redirect-acl=acl" (7) EXPAND url-redirect=http://login.domain... (7) --> url-redirect=http://login.domain (7) Cisco-AVPair += url-redirect=http://login.domain (7) Packet-Dst-IP-Address := 10.56.33.190 <------------ here I just override real NAS IP with another NAS fixed address (it present in clients too) (7) } # update reply = noop (7) update control { (7) Auth-Type := Accept (7) } # update control = noop (7) } # case 1 = noop (7) } # switch %{sql:select state from radiusdb.radcheck where username='%{Calling-Station-Id}'} = noop (7) } # else = noop (7) } # authorize = noop (7) Found Auth-Type = Accept (7) Auth-Type = Accept, accepting the user (7) Sent Access-Accept Id 82 from 10.1.1.174:1812 to 10.56.33.174:32770 length 0 <-------- here looks like override ignored (7) Cisco-AVPair += "url-redirect-acl=acl" (7) Cisco-AVPair += "url-redirect= http://login.wi-fi.ru/am/UI/Login?org=mac&service=coa&client_mac=84-8e-df-ea... " (7) Finished request FreeRadius still sends to NAS IP instead of my override IP. So it doesn't matter in CoA or in authorize section it is same behavior - FreeRadius ignores NAS ip override via Packet-DST. Could you please check any simple scenario - just try to override Packet-Dst-IP-Address and than add to override Packet-Dst-Port? Best Regards, Sergey Komaroff