post-auth problem after update from 2.0.4 to 2.1.10
Hi, after upgrading our server from 2.0.4 to 2.1.10 we see a change in the auth logic - e.g. when processing proxied requests to a home server and their replies. We need this feature to append some special attributes to the accept-packet from the home server before sending it to the NAS. 1) Our config in 2.0.4 (the DEFAULT record is recognized before sending the packet to the NAS): proxy.conf: =========== realm foo { type = radius authhost = 1.2.3.4 secret = hidden nostrip } users file: =========== DEFAULT User-Name =~ "test@foo" MS-Primary-DNS-Server = "192.168.203.6", MS-Secondary-DNS-Server = "192.168.203.1", MS-Primary-NBNS-Server = "192.168.203.6" sites-enabled/default: ====================== authorize { ... files ... } test: ===== # radtest test@foo password localhost:1812 # /usr/sbin/freeradiusd -X ... rad_recv: Access-Request packet from host 127.0.0.1 port 51046, id=236, length=74 User-Name = "test@foo" User-Password = "password" NAS-IP-Address = 172.16.1.63 NAS-Port = 123 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: Looking up realm "foo" for User-Name = "test@foo" rlm_realm: Found realm "foo" rlm_realm: Adding Realm = "foo" rlm_realm: Proxying request from user test to realm foo rlm_realm: Preparing to proxy authentication request to realm "foo" ++[suffix] returns updated rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound expand: %{User-Name} -> test@foo users: Matched entry DEFAULT at line 6 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Sending Access-Request of id 228 to 1.2.3.4 port 1812 User-Name = "test@foo" User-Password = "password" NAS-IP-Address = 172.16.1.63 NAS-Port = 123 Proxy-State = 0x323336 Proxying request 50 to home server 1.2.3.4 port 1812 Sending Access-Request of id 228 to 1.2.3.4 port 1812 User-Name = "test@foo" User-Password = "password" NAS-IP-Address = 172.16.1.63 NAS-Port = 123 Proxy-State = 0x323336 Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Accept packet from host 1.2.3.4 port 1812, id=228, length=117 Proxy-State = 0x323336 Framed-Protocol = PPP Service-Type = Framed-User Class = 0x4f300502000001370001c0a8cb0601cd117a507f4414000000000000010e MS-Link-Utilization-Threshold = 50 MS-Link-Drop-Time-Limit = 120 MS-MPPE-Encryption-Policy = 0x00000002 MS-MPPE-Encryption-Types = 0x0000000e +- entering group post-proxy rlm_eap: No pre-existing handler found ++[eap] returns noop +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: Proxy reply, or no User-Name. Ignoring. ++[suffix] returns noop ++[eap] returns noop ++[unix] returns notfound expand: %{User-Name} -> test@foo users: Matched entry DEFAULT at line 6 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop rad_check_password: Found Auth-Type rad_check_password: Auth-Type = Accept, accepting the user Login OK: [test@foo/password] (from client LOCALHOST port 123) +- entering group post-auth ++[exec] returns noop Sending Access-Accept of id 236 to 127.0.0.1 port 51046 Framed-Protocol = PPP Service-Type = Framed-User Class = 0x4f300502000001370001c0a8cb0601cd117a507f4414000000000000010e MS-Link-Utilization-Threshold = 50 MS-Link-Drop-Time-Limit = 120 MS-MPPE-Encryption-Policy = 0x00000002 MS-MPPE-Encryption-Types = 0x0000000e MS-Primary-DNS-Server = 192.168.203.6 MS-Secondary-DNS-Server = 192.168.203.1 MS-Primary-NBNS-Server = 192.168.203.6 Finished request 50. 2) Our config in 2.1.10 (the DEFAULT record is ignored before sending the packet to the NAS): proxy.conf: =========== realm foo { type = radius authhost = 1.2.3.4 secret = hidden nostrip } users file: =========== DEFAULT User-Name =~ "test@foo" MS-Primary-DNS-Server = "192.168.203.6", MS-Secondary-DNS-Server = "192.168.203.1", MS-Primary-NBNS-Server = "192.168.203.6" sites-enabled/default: ====================== authorize { ... files ... } test: ===== # radtest test@foo password localhost:1812 # /usr/sbin/freeradiusd -X ... Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 49833, id=110, length=74 User-Name = "test@foo" User-Password = "password" NAS-IP-Address = 172.16.1.55 NAS-Port = 123 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "foo" for User-Name = "test@foo" [suffix] Found realm "foo" [suffix] Adding Realm = "foo" [suffix] Proxying request from user test to realm foo [suffix] Preparing to proxy authentication request to realm "foo" ++[suffix] returns updated [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] expand: %{User-Name} -> test@foo [files] users: Matched entry DEFAULT at line 6 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: Empty pre-proxy section. Using default return values. Sending Access-Request of id 231 to 1.2.3.4 port 1812 User-Name = "test@foo" User-Password = "password" NAS-IP-Address = 172.16.1.55 NAS-Port = 123 Proxy-State = 0x313130 Proxying request 0 to home server 1.2.3.4 port 1812 Sending Access-Request of id 231 to 1.2.3.4 port 1812 User-Name = "test@foo" User-Password = "password" NAS-IP-Address = 172.16.1.55 NAS-Port = 123 Proxy-State = 0x313130 Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Accept packet from host 1.2.3.4 port 1812, id=231, length=117 Proxy-State = 0x313130 Framed-Protocol = PPP Service-Type = Framed-User Class = 0x4f440516000001370001c0a8cb0601cd117a507f44140000000000000122 MS-Link-Utilization-Threshold = 50 MS-Link-Drop-Time-Limit = 120 MS-MPPE-Encryption-Policy = 0x00000002 MS-MPPE-Encryption-Types = 0x0000000e # Executing section post-proxy from file /etc/freeradius/sites-enabled/default +- entering group post-proxy {...} [eap] No pre-existing handler found ++[eap] returns noop Found Auth-Type = Accept Auth-Type = Accept, accepting the user Login OK: [test@foo] (from client LOCALHOST port 123) # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 110 to 127.0.0.1 port 49833 Framed-Protocol = PPP Service-Type = Framed-User Class = 0x4f440516000001370001c0a8cb0601cd117a507f44140000000000000122 MS-Link-Utilization-Threshold = 50 MS-Link-Drop-Time-Limit = 120 MS-MPPE-Encryption-Policy = 0x00000002 MS-MPPE-Encryption-Types = 0x0000000e Finished request 0. I tried it under 2.1.10 also with "files" in the "post-auth" section but it did not work - I've got only one more message that tells me a "noop": ... # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++[files] returns noop ++[exec] returns noop ... So my question is how to assign the DEFAULT record to an reply packet from a proxy in 2.1.10? Thx, Gerald
Gerald Krause wrote:
after upgrading our server from 2.0.4 to 2.1.10
Please use 2.1.12. It's better.
we see a change in the auth logic - e.g. when processing proxied requests to a home server and their replies. We need this feature to append some special attributes to the accept-packet from the home server before sending it to the NAS.
Yes. The "post-proxy authorize" functionality has been removed. It was horrible and unnecessary.
users file: =========== DEFAULT User-Name =~ "test@foo" MS-Primary-DNS-Server = "192.168.203.6", MS-Secondary-DNS-Server = "192.168.203.1", MS-Primary-NBNS-Server = "192.168.203.6"
You can just list "files.authorize" in the "post-proxy" section. It will run the "users" file, add those attributes. Alan DeKok.
Am 16.04.2012 21:22, schrieb Alan DeKok:
Gerald Krause wrote:
after upgrading our server from 2.0.4 to 2.1.10
Please use 2.1.12. It's better.
I'll check that suggestion. In the moment this is a plain "apt-get install/update/upgrade" Debian box that comes with 2.1.10 (don't blame me...) but maybe I'am going to install freeradius from scratch somewhat later.
we see a change in the auth logic - e.g. when processing proxied requests to a home server and their replies. We need this feature to append some special attributes to the accept-packet from the home server before sending it to the NAS.
Yes. The "post-proxy authorize" functionality has been removed. It was horrible and unnecessary.
o-kay
users file: =========== DEFAULT User-Name =~ "test@foo" MS-Primary-DNS-Server = "192.168.203.6", MS-Secondary-DNS-Server = "192.168.203.1", MS-Primary-NBNS-Server = "192.168.203.6"
You can just list "files.authorize" in the "post-proxy" section. It will run the "users" file, add those attributes.
Great, that did the trick for me! Thank you Alan, Gerald
On Mon, Apr 16, 2012 at 10:00:03PM +0200, Gerald Krause wrote:
Please use 2.1.12. It's better.
I'll check that suggestion. In the moment this is a plain "apt-get install/update/upgrade" Debian box that comes with 2.1.10 (don't blame me...) but maybe I'am going to install freeradius from scratch somewhat later.
FWIW, building packages for the latest FR on Debian is really easy. There's instructions from tarball on the wiki: http://wiki.freeradius.org/Build#Building+Debian+packages I've put instructions up to build from git[0], I'm sure it's in many other places too. in short, assuming build deps installed: $ git clone git://github.com/alandekok/freeradius-server.git $ cd freeradius-server/ $ git checkout release_2_1_12 $ buildpackage -us -uc -rfakeroot You can easily build packages for the latest 2.1.x tree this way too (git checkout v2.1.x), which has even more shiny RADIUS goodness (although if you don't install the freeradius-mysql package you'll have to remove /etc/freeradius/modules/dhcp_sqlippool to get it to start). Matthew [0] http://notes.asd.me.uk/2012/01/27/compiling_freeradius_from_git_on_debian/ -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Am 16.04.2012 22:40, schrieb Matthew Newton:
On Mon, Apr 16, 2012 at 10:00:03PM +0200, Gerald Krause wrote:
Please use 2.1.12. It's better.
I'll check that suggestion. In the moment this is a plain "apt-get install/update/upgrade" Debian box that comes with 2.1.10 (don't blame me...) but maybe I'am going to install freeradius from scratch somewhat later.
FWIW, building packages for the latest FR on Debian is really easy.
There's instructions from tarball on the wiki: http://wiki.freeradius.org/Build#Building+Debian+packages
I've put instructions up to build from git[0], I'm sure it's in many other places too.
in short, assuming build deps installed:
$ git clone git://github.com/alandekok/freeradius-server.git $ cd freeradius-server/ $ git checkout release_2_1_12 $ buildpackage -us -uc -rfakeroot
You can easily build packages for the latest 2.1.x tree this way too (git checkout v2.1.x), which has even more shiny RADIUS goodness (although if you don't install the freeradius-mysql package you'll have to remove /etc/freeradius/modules/dhcp_sqlippool to get it to start).
Matthew
[0] http://notes.asd.me.uk/2012/01/27/compiling_freeradius_from_git_on_debian/
All right, thank you Matthew for this hint. Gerald
participants (3)
-
Alan DeKok -
Gerald Krause -
Matthew Newton