A question about Response-Packet-Type Attribute
Hi everybody, I use FreeRADIUS 1.0.2 and I'm experiensing a problem with $subj attribute usage. I would like to tune RADIUS Server so that it sends particular set of RADIUS attributes depending on the outgoing packet type (Challenge or Accept). For that task I've been using Response-Packet-Type attribute in "users" configuration file. My "users" configuration file looks as: "test_user" User-Password == "test pass", Response-Packet-Type == Access-Challenge Proxy-State = "Challenge" "test_user" User-Password == "test pass", Response-Packet-Type == Access-Accept Proxy-State = "Accept" But this does not work, I see that "Response-Packet-Type" attribute equals to "0" at the checking phase. I induce that because the following rune works in my envirounment: test_user User-Password == "test pass", Response-Packet-Type == 0 Proxy-State = "With response 0" Note that here "Proxy-State" attribute used just for testing purposes. Then I decided to change "users" configuration file as follows: "test_user" User-Password == "test pass" Fall-Through = Yes "test_user" Response-Packet-Type == Access-Challenge Proxy-State = "Challenge" "test_user" Response-Packet-Type == Access-Accept Proxy-State = "Accept" But still I did not get desired behaviour. Looking at configuration files I found that there is "post-auth" section in radiusd.conf configuration file, but I'm not sure that it suits for me. Please, could you tell me what should I do to solve my problem. Thank you, Oleg.
Oleg Kravtsov <oleg_box@mail.ru> wrote:
I would like to tune RADIUS Server so that it sends particular set of RADIUS attributes depending on the outgoing packet type (Challenge or Accept).
The server doesn't really support that.
For that task I've been using Response-Packet-Type attribute in "users" configuration file.
Which won't work, because the "users" file is processed BEFORE the response packet type is determined.
My "users" configuration file looks as:
"test_user" User-Password == "test pass", Response-Packet-Type == Access-Challenge Proxy-State = "Challenge"
DON'T set the Proxy-State attribute, even for replies.
Looking at configuration files I found that there is "post-auth" section in radiusd.conf configuration file, but I'm not sure that it suits for me.
The "post-auth" section is processed after the Response-Packet-Type is set. So you DO want the "post-auth" section. The "files" module doesn't have a "post-auth" section, though. But it wouldn't be that hard to add. Alan DeKok.
Alan, thank you for the reply,
I would like to tune RADIUS Server so that it sends particular set of RADIUS attributes depending on the outgoing packet type (Challenge or Accept).
The server doesn't really support that.
In this case I wonder if I can do something already available to solve the real problem (with Acct-Interim-Interval attribute). I want it to be included ONLY into Access-Accept message, as this attribute can't present in Access-Challenge RADIUS message. My example with Proxy-State attribute (not with Acct-Interim-Interval) was just because RADIUS Client does not discard packets with Proxy-State attribute. Oleg.
Oleg Kravtsov <oleg_box@mail.ru> wrote:
In this case I wonder if I can do something already available to solve the real problem (with Acct-Interim-Interval attribute). I want it to be included ONLY into Access-Accept message, as this attribute can't present in Access-Challenge RADIUS message.
Who cares? If it's in Access-Challenge, the NAS will ignore it.
My example with Proxy-State attribute (not with Acct-Interim-Interval) was just because RADIUS Client does not discard packets with Proxy-State attribute.
That makes no sense to me. Alan DeKok.
Who cares? If it's in Access-Challenge, the NAS will ignore it.
Some devices (at least one we work with) does strict checkings against presence of attributes in a particular messages (according to RFC 2865, 2866, 2869). Ok, I see that currently we can't do what we want. We are ready to work on supporting this feature in FreeRADIUS, if this does not get a lot of time. What would you recommend us to start with so that this will fit best into your architecture. Thank you, Oleg.
Hi Everybody, I found the solution to the task I described, it is quite simple. I would like to share the solution with you just in case you want the same feature in the future. I've added post-auth callback for "files" module, which actually just calls callback used for authentication. post-auth callback is called only in case we successfully authenticated and so we can use it only when Access-Accept is going to be sent. In case of Access-Challenge we did not go to this section, so that we can write configuration file like the following: "users" file: # This rule will be applied only in case RADIUS Server sends Access-Accept message, # You can add any attributes you want to be sent in Accept message, and olse # overwrite (or remove) attributes added in common rule (specified below). "oleg" Response-Packet-Type == Access-Accept, User-Password == "oleg pass" Acct-Interim-Interval := 60, Idle-Timeout := 20, Class := "Accept Class", Session-Timeout := 50, # We want Session-Timeout attribute with 50 in Access-Accept (without this line we will get 100 value, which is set in "common rule") Termination-Action := 0, Session-Timeout -= 100 # this is an example of removing attribute from Access-Accept message, which was added in common rule. # Common rule # We enter this rule any time we get Access-Request message before authentication takes place. # Here we should add a set of attributes we want to be included in Access-Challenge messages. # If you should take care about not including some of these attributes in Access-Accept messages, # you need to remove them explicitly in the previous rule. "oleg" User-Password == "oleg pass" Session-Timeout := 100 # We want Session-Timeout attribute with 100 in Access-Accept Also we should add "files" module into post-auth section - add in "radiusd.conf" file a single line: post-auth { ... # The following line is a new one. files ... } What should be added in sources: ------------------------------------------ src/modules/rlm_files/rlm_files.c Add this function: /* * Execute postauth_query after authentication */ static int file_postauth(void *instance, REQUEST *request) { return file_authorize(instance, request); } Modify the following variable: module_t rlm_files = { ... } instead of line: NULL /* post-auth */ put: file_postauth /* post-auth */ Yes, it is pretty simple. How it works: ------------------ First on "auth" action server skips the first "oleg" user entry as Response-Packet-Type is still "0", and we match the second entry. This entry should keep a set of attributes we need to include in Access-Challenge packet (in our case Session-Timeout equals to 100). When server decides that it is time to send Access-Accept message it does "post-auth" action, and in our case users file is processed again. This time Response-Packet-Type attribute is Access-Accep, so that we overwrite all the attributes set on "auth" action with new ones (using += operators). Hope that will help someone. Best Regards, Oleg. PS: I've been really delighted reading your sources - well-done work! Thank you.
participants (2)
-
Alan DeKok -
Oleg Kravtsov