Proxy based on User-Name with regex
Hi there, I have been trying to setup a freeradius server that will proxy the authentication to another server if the User-Name starts with 1234. So for instance a user logs in with username 1234XXXXXX then in section AUTHORIZE i have a policy that checks with regex if the username falls in this category: api_proxyRedirect{ if (User-Name =~ /[1-4]{4}[A-Za-z0-9]{6}/) { update control { Proxy-To-Realm := "myrealm" } } } Unfortunatelly everything works up to the point where the control needs to be updated. The server responds with ++++[control] not found. Any ideas will be very welcome. Regards, Ivaylo Petkov -- View this message in context: http://freeradius.1045715.n5.nabble.com/Proxy-based-on-User-Name-with-regex-... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On 06/10/2011 10:55 PM, ivaylosp wrote:
Hi there,
I have been trying to setup a freeradius server that will proxy the authentication to another server if the User-Name starts with 1234. So for instance a user logs in with username 1234XXXXXX then in section AUTHORIZE i have a policy that checks with regex if the username falls in this category: api_proxyRedirect{ if (User-Name =~ /[1-4]{4}[A-Za-z0-9]{6}/) { update control { Proxy-To-Realm := "myrealm" } } } Unfortunatelly everything works up to the point where the control needs to be updated. The server responds with ++++[control] not found.
Really? Hmm. Everything looks ok at a glance. Can you post a full "radiusd -X" debug?
rad_recv: Access-Request packet from host 192.168.1.12 port 49733, id=242, length=51 User-Name = "1234abcdefg" User-Password = "test" # Executing section authorize from file /etc/freeradius/sites-enabled/ims +- entering group authorize {...} ++- entering policy api_addPrefix {...} +++? if (User-Name =~ /[1-4]{4}[A-Za-z0-9]{6}/) ? Evaluating (User-Name =~ /[1-4]{4}[A-Za-z0-9]{6}/) -> TRUE +++? if (User-Name =~ /[1-4]{4}[A-Za-z0-9]{6}/) -> TRUE +++- entering if (User-Name =~ /[1-4]{4}[A-Za-z0-9]{6}/) {...} ++++[control] returns notfound +++- if (User-Name =~ /[1-4]{4}[A-Za-z0-9]{6}/) returns notfound ++- policy api_addPrefix returns notfound [sql] expand: %{User-Name} -> 1234abcdefg [sql] sql_set_user escaped user --> '1234abcdefg' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1234abcdefg' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '1234abcdefg' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 [sql] User 1234abcdefg not found ++[sql] returns notfound WARNING: You set Proxy-To-Realm = ISE, but the realm does not exist! Cancelling invalid proxy request. ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/ims +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> 1234abcdefg attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 242 to 192.168.1.12 port 49733 Waking up in 4.9 seconds. Cleaning up request 0 ID 242 with timestamp +129 -- View this message in context: http://freeradius.1045715.n5.nabble.com/Proxy-based-on-User-Name-with-regex-... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi,
rlm_sql (sql): Released sql socket id: 3 [sql] User 1234abcdefg not found ++[sql] returns notfound WARNING: You set Proxy-To-Realm = ISE, but the realm does not exist! Cancelling invalid proxy request. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
seems fairly obvious. check that you have a 'ISE' realm alan
Thanks Alan. I did notice that and i created the realm. It is forwarding now. Just one thing i can not understand is why do i get the message +++[control] returns notfound Or this is a default response when you use UPDATE PS. Thanks for your help i really appreciate it. -- View this message in context: http://freeradius.1045715.n5.nabble.com/Proxy-based-on-User-Name-with-regex-... Sent from the FreeRadius - User mailing list archive at Nabble.com.
ivaylosp <ivaylosp@gmail.com> wrote:
User-Name = "1234abcdefg" ............"12341234567"
if (User-Name =~ /[1-4]{4}[A-Za-z0-9]{6}/)
This matches four numbers and then *six* alphanumerics; anywhere in your string (substr-esque)...might not be what you want? Did you mean to include a '/^....$/'? Cheers -- Alexander Clouter .sigmonster says: Old programmers never die, they just become managers.
Hi,
Hi there,
I have been trying to setup a freeradius server that will proxy the authentication to another server if the User-Name starts with 1234. So for instance a user logs in with username 1234XXXXXX then in section AUTHORIZE i have a policy that checks with regex if the username falls in this category: api_proxyRedirect{ if (User-Name =~ /[1-4]{4}[A-Za-z0-9]{6}/) { update control { Proxy-To-Realm := "myrealm" } } } Unfortunatelly everything works up to the point where the control needs to be updated. The server responds with ++++[control] not found.
not sure....we ahve similar things - the only thing we dont do is wrap is up in an external call - removed the api_proxyRedirect and bracket pair? alan
Thanks for the reply Alan, I have tried that and for some reason i can not manipulate the CONTROL or REQUEST parameters within authorize section with update. -- View this message in context: http://freeradius.1045715.n5.nabble.com/Proxy-based-on-User-Name-with-regex-... Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (4)
-
Alan Buxey -
Alexander Clouter -
ivaylosp -
Phil Mayers