Access to the attributes lists in different sections
Hello, I use rlm_python module to query information about supplicant from backend database and based on retrieved data decide what to do next with request. Also some of data retrieved from database go to a log. Some of requests are eap, and use inner tunnel virtual site. To prevent double log records (one from inner tunnel and one from "outer" virtual site) I do log operation (linelog module) only in "outer" virtual site. And pass necessary data from inner tunnel by using update outer.session-state { ... } I not use reply list, to store necessary data, because python module can set Proxy-To-Realm attribute and redirect some of request to home server (do proxy operation), and after received reply from proxy, freeradius server replace original reply with reply from home server. outer.session-state works for the most of cases, but not work for eap-ttls request, that will be proxied and rejected by home server. For example this is network config for eapol_test util network={ key_mgmt=WPA-EAP eap=TTLS identity="testing_remote" anonymous_identity="anonymous" phase2="autheap=MSCHAPV2" ... } Freeradius server configured to proxy only inner stage, after real identity is revealed. After the home server rejects the request, freeradius server clear session-state list in "outer" virtual site, and I can not access in in Post-Auth-Type REJECT section. To mitigate this I copy necessary data from session-state to control list in post-proxy section update control { Some-Attribute := &session-state:Some-Attribute } And control attributes list is available in Post-Auth-Type REJECT section. And this is basically works. My question is - Is there other way or attribute list, to store some data during full radius authentication session (until freeradius send Access-Reject reply), to be get able access to stored data from all sections (authorize, post-auth, Post-Auth-Type REJECT, pre-proxy, post-proxy etc.)? Or maybe there is a way to configure freeradius to not clear session-state list after Access-Reject reply from home server? -- Vladimir
On Apr 27, 2018, at 5:54 AM, work vlpl <thework.vlpl@gmail.com> wrote:
My question is - Is there other way or attribute list, to store some data during full radius authentication session (until freeradius send Access-Reject reply), to be get able access to stored data from all sections (authorize, post-auth, Post-Auth-Type REJECT, pre-proxy, post-proxy etc.)?
Use a database. The session-state list is automatically managed by the server for an authentication session. It's used to store data about that session. Without session-state, each packet is processed independently of all other packets.
Or maybe there is a way to configure freeradius to not clear session-state list after Access-Reject reply from home server?
The code *should* clear session-state only after running the post-auth section. I think what's happening is that it's using the outer State attribute inside of the inner tunnel. So when the inner tunnel returns Access-Reject, the session-state is cleared. Which just happens to be the same state as for the outer session. I think the solution is to just not delete the session state when inside the inner-tunnel. It will be deleted in the outer tunnel anyways, so that should work. Alan DeKok.
On Fri, 27 Apr 2018 at 19:20, Alan DeKok <aland@deployingradius.com> wrote: Use a database.
If I will be using database, how I can track users, I mean how to get session id?
The code *should* clear session-state only after running the post-auth section.
I think what's happening is that it's using the outer State attribute inside of the inner tunnel. So when the inner tunnel returns Access-Reject, the session-state is cleared. Which just happens to be the same state as for the outer session.
I think the solution is to just not delete the session state when inside the inner-tunnel. It will be deleted in the outer tunnel anyways, so that should work.
I am not using any special instruction in configuration to clear session-state. There are parts from configuration. I stripped down linelog instructions. from inner tunnel config: -------------- post-auth { Post-Auth-Type REJECT { attr_filter.access_reject } } pre-proxy {} post-proxy { eap } } -------------- from outer tunnel config: -------------- post-auth { exec remove_reply_message_if_eap linelog `...` Post-Auth-Type REJECT { update control { Some-Attribute := &session-state:Some-Attribute } attr_filter.access_reject eap linelog `...` remove_reply_message_if_eap } } pre-proxy { } post-proxy { update control { Some-Attribute := &session-state:Some-Attribute } eap } } -------------- To debug, when session-state list is cleared I added in fr_state_discard() function debug message ">>>>>>>>>>> DISCARDING SESSION-STATE <<<<<<<<<<" and there is a log. Again, I stripped down linelog output. -------------- (6) Received Access-Reject Id 100 from 172.20.0.5:1812 to 172.20.0.6:42957 length 23 (6) Proxy-State = 0x36 (6) # Executing section post-proxy from file /usr/local/etc/raddb/sites-enabled/testing-stie (6) post-proxy { (6) update control { (6) Some-Attribute := &session-state:Some-Attribute -> 'testing_remote' (6) } # update control = noop (6) eap: Doing post-proxy callback (6) eap: Passing reply from proxy back into the tunnel (6) eap: Got tunneled Access-Reject (6) eap: Reply was rejected (6) eap: Failed in post-proxy callback (6) eap: Sending EAP Failure (code 4) ID 6 length 4 (6) [eap] = reject (6) } # post-proxy = reject (6) >>>>>>>>>>> DISCARDING SESSION-STATE <<<<<<<<<< (6) Using Post-Auth-Type Reject (6) # Executing group from file /usr/local/etc/raddb/sites-enabled/testing-stie (6) Post-Auth-Type REJECT { (6) update control { (6) No attributes updated (6) No attributes updated (6) } # update control = noop (6) attr_filter.access_reject: EXPAND %{User-Name} (6) attr_filter.access_reject: --> anonymous (6) attr_filter.access_reject: Matched entry DEFAULT at line 11 (6) [attr_filter.access_reject] = updated (6) [eap] = noop (6) linelog: EXPAND messages.%{%{Packet-Type}:-default} (6) linelog: --> messages.Access-Request ... (6) EXPAND Some-Attribute=%{%{control:Some-Attribute}:-no}, (6) --> Some-Attribute=testing_remote, (6) policy remove_reply_message_if_eap { (6) if (&reply:EAP-Message && &reply:Reply-Message) { (6) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (6) else { (6) [noop] = noop (6) } # else = noop (6) } # policy remove_reply_message_if_eap = noop (6) } # Post-Auth-Type REJECT = updated (6) >>>>>>>>>>> DISCARDING SESSION-STATE <<<<<<<<<< (6) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. -------------- As you can see debug message shows two times. I think session-states are cleared in this line https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/src/main/auth.c#... So just to clarify, If home server return Access-Reject, then Post-Auth-Type REJECT section will not have access to session-state list?
On Apr 27, 2018, at 11:34 AM, work vlpl <thework.vlpl@gmail.com> wrote:
If I will be using database, how I can track users, I mean how to get session id?
There is no Acct-Session-Id in accounting packets. You have to use something else. What you use depends on what's in the RADIUS packets. It's all a bit magical, TBH.
I am not using any special instruction in configuration to clear session-state.
Yes, I know. The server automatically does this. If you try the v3.0.x branch from github, it should now work for you. Alan DeKok.
On Fri, 27 Apr 2018 at 23:08, Alan DeKok <aland@deployingradius.com> wrote: Yes, I know. The server automatically does this.
If you try the v3.0.x branch from github, it should now work for you.
Thank you for quick patch, but it is not helped. Your patch indeed will fix the issue with the early removal of the session. But I think my issue happens by other reason. I believe, that rad_postauth() function is called after rad_authenticate(). And the last one has code, that handle proxy request. Please look again at this line https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/src/main/auth.c#... I think this line, and 487 line, will delete session, when home server return Access-Reject, or call to it failed. I added more debug printf inctruction before 481 line RDEBUG("request->parent cast to int %d", request->parent); And this is output (6) eap: Sending EAP Failure (code 4) ID 6 length 4 (6) [eap] = reject (6) } # post-proxy = reject (6) request->parent cast to int 0 (6) >>>>>>>>>>> DISCARDING SESSION-STATE <<<<<<<<<< (6) Using Post-Auth-Type Reject To fix this issue I would delete the lines 481 and 487. Because session anyway will be cleared in rad_postauth(). But I am sure you more better know freeradius code than me. And can decide is it safe to delete it or not.
On Apr 27, 2018, at 2:27 PM, work vlpl <thework.vlpl@gmail.com> wrote:
To fix this issue I would delete the lines 481 and 487. Because session anyway will be cleared in rad_postauth(). But I am sure you more better know freeradius code than me. And can decide is it safe to delete it or not.
That's fine. I've pushed a fix. Alan DeKok.
participants (2)
-
Alan DeKok -
work vlpl