RE: Freeradius-Users Digest, Vol 52, Issue 48
echo "Acct-Session-Id={ACTSESSION}\nUser-Name={MYUSERNAME}\nX-Ascend-Session-Svr- Key={SESSIONKEY}" | radclient -x 10.0.5.1:3799 disconnect 123 session removed successfully but I receive Disconnect-NAK (unsuccessfully) Again this error :((( Reply-Message = "Session Not Removed" Error-Cause = Session-Context-Not-Removable Cisco: . ! aaa server radius dynamic-author server-key 7 00554155 port 3799 auth-type any ! . -----Original Message----- From: freeradius-users-bounces+nadir=ultel.net@lists.freeradius.org [mailto:freeradius-users-bounces+nadir=ultel.net@lists.freeradius.org] On Behalf Of freeradius-users-request@lists.freeradius.org Sent: Monday, August 10, 2009 2:51 PM To: freeradius-users@lists.freeradius.org Subject: Freeradius-Users Digest, Vol 52, Issue 48 Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..." Today's Topics: 1. Re: Freeradius-Users Digest, Vol 52, Issue 47 (Gilbert Lo) 2. Do not query LDAP if authenticated via proxy (Steven Carr) 3. Mac based authentication (Sanhenra Sinaga) 4. Re: radius server 2.1.6 not storing data in radacct table..help (Alan Buxey) 5. (Nadir M. Aliyev) 6. Re: your mail (Alan Buxey) ---------------------------------------------------------------------- Message: 1 Date: Mon, 10 Aug 2009 01:36:58 -0700 From: "Gilbert Lo" <gilbertlo@stgeorges.bc.ca> Subject: Re: Freeradius-Users Digest, Vol 52, Issue 47 To: freeradius-users@lists.freeradius.org Message-ID: <fc.00802d7e01bfda553b9aca0027e19de6.1bfda56@stgeorges.bc.ca> Content-Type: text/plain; charset=UTF-8 Thank you for your message. I am away until August 7th. I will respond to your message on my return . For urgent matters, please contact helpdesk@stgeorges.bc.ca . Cheers, Gilbert Lo ------------------------------ Message: 2 Date: Mon, 10 Aug 2009 09:39:22 +0100 From: Steven Carr <steven.carr@sunderland.ac.uk> Subject: Do not query LDAP if authenticated via proxy To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <4A7FDCBA.907@sunderland.ac.uk> Content-Type: text/plain; charset="utf-8" Hi list, I have the following question, not entirely sure how to stop FreeRADIUS (Debian recompile 2.0.4) from doing this so any ideas would be grateful. We are joining Eduroam and we have our FreeRADIUS set to proxy on the DEFAULT realm and have a separate realm for our local domain. If we pass a request to the proxy to be authenticated both before and after the request has been proxied it queries our LDAP server to check if the user exists.
rad_recv: Access-Request packet from host 127.0.0.1 port 43386, id=216, length=82
User-Name = "user@domain.com"
User-Password = "******"
NAS-IP-Address = 157.228.68.190
NAS-Port = 1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: Looking up realm "domain.com" for User-Name =
"user@domain.com"
rlm_realm: Found realm "DEFAULT"
rlm_realm: Adding Realm = "DEFAULT"
rlm_realm: Proxying request from user user to realm DEFAULT
rlm_realm: Preparing to proxy authentication request to realm
"DEFAULT"
++[suffix] returns updated
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user@domain.com
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
expand:
(&(objectclass=uosperson)(!(mailuserstatus=inactive))(uid=%{Stripped-User-Na me:-%{User-Name}})) -> (&(objectclass=uosperson)(!(mailuserstatus=inactive))(uid=user@domain.com))
expand: dc=domain,dc=com -> dc=domain,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=domain,dc=com, with filter (&(objectclass=uosperson)(!(mailuserstatus=inactive))(uid=user@domain.com))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Sending Access-Request of id 112 to 194.83.56.233 port 1812
User-Name = "user@domain.com"
User-Password = "******"
NAS-IP-Address = 157.228.68.190
NAS-Port = 1
Proxy-State = 0x323136
Proxying request 1 to home server 194.83.56.233 port 1812
Sending Access-Request of id 112 to 194.83.56.233 port 1812
User-Name = "user@domain.com"
User-Password = "******"
NAS-IP-Address = 157.228.68.190
NAS-Port = 1
Proxy-State = 0x323136
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host 194.83.56.233 port 1812, id=112, length=25
Proxy-State = 0x323136
+- entering group post-proxy
rlm_eap: No pre-existing handler found
++[eap] returns noop
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: Proxy reply, or no User-Name. Ignoring.
++[suffix] returns noop
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user@domain.com
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
expand:
(&(objectclass=uosperson)(!(mailuserstatus=inactive))(uid=%{Stripped-User-Na me:-%{User-Name}})) -> (&(objectclass=uosperson)(!(mailuserstatus=inactive))(uid=user@domain.com))
expand: dc=domain,dc=com -> dc=domain,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=domain,dc=com, with filter (&(objectclass=uosperson)(!(mailuserstatus=inactive))(uid=user@domain.com))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
rad_check_password: Found Auth-Type
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [user@domain.com/******] (from client localhost port 1)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 216 to 127.0.0.1 port 43386
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 216 with timestamp +10
Ready to process requests.
How can I stop it from doing this? it is a waste of time and an unnecessary connection/query to our LDAP server as it is never going to be authenticated by our LDAP server. Thanks Steve -- Steven Carr Systems Development Officer SLS/ITS/Systems - (0191) 515 3953
Hi,
echo "Acct-Session-Id={ACTSESSION}\nUser-Name={MYUSERNAME}\nX-Ascend-Session-Svr- Key={SESSIONKEY}" | radclient -x 10.0.5.1:3799 disconnect 123
session removed successfully but I receive Disconnect-NAK (unsuccessfully)
RFC 5176 "Session Context Not Removable" is a fatal error sent in response to a Disconnect-Request if the NAS was able to locate the session context, but could not remove it for some reason. It MUST NOT be sent within a CoA-ACK, CoA-NAK, or Disconnect-ACK, only within a Disconnect-NAK. ensure that ALL the things you are sending to the device are present on the device.... ie X-Ascend-Session-Svr-Key ? alan
participants (2)
-
Alan Buxey -
Nadir M. Aliyev