Second stage authrization with proxy
Hello, i would like to forward authorization requests to another Freeradius server if the user is not present in the local one. The proxy configuration is ok, now i need to know how to tell the local radius to forward the request **if user not found**. In an old similar post ( http://freeradius.1045715.n5.nabble.com/Re-Local-Auth-if-Proxy-Auth-fails-OR...) Alan Dekok explains the way: authorize { ...... if (!notfound) { update control { Proxy-To-Realm := "newrealm" } } ...... } For me this condition is never matched. Without the if condition the request is correctly forwarded but even if the user exists in local Freeradius server. May you help me please? Do you need other technical details? Cheers, Gianluca
On Tue, May 30, 2017 at 11:07:03AM +0200, Gianluca Baù wrote:
i would like to forward authorization requests to another Freeradius server if the user is not present in the local one.
OK
authorize { ...... if (!notfound) {
That's if "not notfound" - you probably want if (notfound) {
update control { Proxy-To-Realm := "newrealm" } } ...... }
For me this condition is never matched.
Did you leave the logic as above? Where did you put it in the config? As "notfound" is relevant to the previous module that was called, location matters. e.g. if you're using ldap, put it after your ldap call, not at the end of the authorize{} section after pap.
May you help me please? Do you need other technical details?
Well the full output of radiusd -X means we have some sort of clue as to what is actually going on. -- Matthew
Hello Matthew, thanks for your quick reply.
That's if "not notfound" - you probably want if (notfound) {
Ops, i already used this condition... the copy and paste was from the forum's link. However it doesn't work.
Did you leave the logic as above? Where did you put it in the config?
The code is in sites-enabled/default. Mi authorize section is (without commented lines): authorize { preprocess mschap suffix eap { ok = return } files sql if (notfound) { update control { Proxy-To-Realm := "newrealm" } } expiration logintime pap }
Well the full output of radiusd -X
Following the output of /usr/sbin/freeradius -X: rad_recv: Access-Request packet from host ************ port 50808, id=180, length=203 NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "2C:60:0C:E0:51:5D" Called-Station-Id = "server1" NAS-Port-Id = "ether5" User-Name = "2C:60:0C:E0:51:5D" NAS-Port = 2151679390 Acct-Session-Id = "8040059e" Framed-IP-Address = 192.168.1.33 Mikrotik-Host-IP = 192.168.1.33 CHAP-Challenge = 0x302086b437e865de6ce30ed04671936d CHAP-Password = 0x565c5fe1fcfdc8641c00d5fb52c3d19132 Service-Type = Login-User WISPr-Logoff-URL = "http://0.0.0.0/logout" NAS-Identifier = "MikroTik" NAS-IP-Address = ************** # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [chap] Setting 'Auth-Type := CHAP' ++[chap] = ok ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "2C:60:0C:E0:51:5D", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop ++[files] = noop [sql] expand: %{User-Name} -> 2C:60:0C:E0:51:5D [sql] sql_set_user escaped user --> '2C:60:0C:E0:51:5D' rlm_sql (sql): Reserving sql socket id: 31 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '2C:60:0C:E0:51:5D' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '2C:60:0C:E0:51:5D' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '2C:60:0C:E0:51:5D' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '2C:60:0C:E0:51:5D' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '2C:60:0C:E0:51:5D' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = '2C:60:0C:E0:51:5D' ORDER BY priority rlm_sql (sql): Released sql socket id: 31 ++[sql] = ok ++? if (notfound) ? Evaluating (notfound) -> FALSE ++? if (notfound) -> FALSE ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = ok Found Auth-Type = CHAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /etc/freeradius/sites-enabled/default +group CHAP { [chap] login attempt by "2C:60:0C:E0:51:5D" with CHAP password [chap] Using clear text password "***********" for user 2C:60:0C:E0:51:5D authentication. [chap] Password check failed ++[chap] = reject +} # group CHAP = reject Failed to authenticate the user. Login incorrect (rlm_chap: Wrong user password): [2C:60:0C:E0:51:5D/<CHAP-Password>] (from client ****** port 2151679390 cli 2C:60:0C:E0:51:5D) Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> 2C:60:0C:E0:51:5D attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host ************* port 50808, id=180, length=203 Waiting to send Access-Reject to client ******* port 50808 - ID: 180 Waking up in 0.7 seconds. rad_recv: Access-Request packet from host ********* port 50808, id=180, length=203 Waiting to send Access-Reject to client ********** port 50808 - ID: 180 Waking up in 0.4 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 180 to ********* port 50808 Waking up in 4.9 seconds. Cheers 2017-05-30 21:14 GMT+02:00 Matthew Newton <matthew@newtoncomputing.co.uk>:
On Tue, May 30, 2017 at 11:07:03AM +0200, Gianluca Baù wrote:
i would like to forward authorization requests to another Freeradius server if the user is not present in the local one.
OK
authorize { ...... if (!notfound) {
That's if "not notfound" - you probably want if (notfound) {
update control { Proxy-To-Realm := "newrealm" } } ...... }
For me this condition is never matched.
Did you leave the logic as above? Where did you put it in the config?
As "notfound" is relevant to the previous module that was called, location matters. e.g. if you're using ldap, put it after your ldap call, not at the end of the authorize{} section after pap.
May you help me please? Do you need other technical details?
Well the full output of radiusd -X means we have some sort of clue as to what is actually going on.
-- Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Hello again Matthew, i figured out the problem. The username is effectively present in the local radius but with a wrong password so in this case "notfound" is false. I thought that radius considers "not found" the user against the match of username and password but it checks for username only. The -X option has clearly shown this. Thanks for your help. Gianluca 2017-05-31 10:49 GMT+02:00 Gianluca Baù <gluca.b@gmail.com>:
Hello Matthew,
thanks for your quick reply.
That's if "not notfound" - you probably want if (notfound) {
Ops, i already used this condition... the copy and paste was from the forum's link. However it doesn't work.
Did you leave the logic as above? Where did you put it in the config?
The code is in sites-enabled/default. Mi authorize section is (without commented lines):
authorize { preprocess mschap suffix eap { ok = return } files sql
if (notfound) { update control { Proxy-To-Realm := "newrealm" } }
expiration logintime pap }
Well the full output of radiusd -X
Following the output of /usr/sbin/freeradius -X:
rad_recv: Access-Request packet from host ************ port 50808, id=180, length=203 NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "2C:60:0C:E0:51:5D" Called-Station-Id = "server1" NAS-Port-Id = "ether5" User-Name = "2C:60:0C:E0:51:5D" NAS-Port = 2151679390 Acct-Session-Id = "8040059e" Framed-IP-Address = 192.168.1.33 Mikrotik-Host-IP = 192.168.1.33 CHAP-Challenge = 0x302086b437e865de6ce30ed04671936d CHAP-Password = 0x565c5fe1fcfdc8641c00d5fb52c3d19132 Service-Type = Login-User WISPr-Logoff-URL = "http://0.0.0.0/logout" NAS-Identifier = "MikroTik" NAS-IP-Address = ************** # Executing section authorize from file /etc/freeradius/sites-enabled/ default +group authorize { ++[preprocess] = ok [chap] Setting 'Auth-Type := CHAP' ++[chap] = ok ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "2C:60:0C:E0:51:5D", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop ++[files] = noop [sql] expand: %{User-Name} -> 2C:60:0C:E0:51:5D [sql] sql_set_user escaped user --> '2C:60:0C:E0:51:5D' rlm_sql (sql): Reserving sql socket id: 31 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '2C:60:0C:E0:51:5D' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '2C:60:0C:E0:51:5D' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '2C:60:0C:E0:51:5D' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '2C:60:0C:E0:51:5D' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '2C:60:0C:E0:51:5D' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = '2C:60:0C:E0:51:5D' ORDER BY priority rlm_sql (sql): Released sql socket id: 31 ++[sql] = ok ++? if (notfound) ? Evaluating (notfound) -> FALSE ++? if (notfound) -> FALSE ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = ok Found Auth-Type = CHAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!! # Executing group from file /etc/freeradius/sites-enabled/default +group CHAP { [chap] login attempt by "2C:60:0C:E0:51:5D" with CHAP password [chap] Using clear text password "***********" for user 2C:60:0C:E0:51:5D authentication. [chap] Password check failed ++[chap] = reject +} # group CHAP = reject Failed to authenticate the user. Login incorrect (rlm_chap: Wrong user password): [2C:60:0C:E0:51:5D/<CHAP-Password>] (from client ****** port 2151679390 cli 2C:60:0C:E0:51:5D) Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> 2C:60:0C:E0:51:5D attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host ************* port 50808, id=180, length=203 Waiting to send Access-Reject to client ******* port 50808 - ID: 180 Waking up in 0.7 seconds. rad_recv: Access-Request packet from host ********* port 50808, id=180, length=203 Waiting to send Access-Reject to client ********** port 50808 - ID: 180 Waking up in 0.4 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 180 to ********* port 50808 Waking up in 4.9 seconds.
Cheers
2017-05-30 21:14 GMT+02:00 Matthew Newton <matthew@newtoncomputing.co.uk>:
On Tue, May 30, 2017 at 11:07:03AM +0200, Gianluca Baù wrote:
i would like to forward authorization requests to another Freeradius server if the user is not present in the local one.
OK
authorize { ...... if (!notfound) {
That's if "not notfound" - you probably want if (notfound) {
update control { Proxy-To-Realm := "newrealm" } } ...... }
For me this condition is never matched.
Did you leave the logic as above? Where did you put it in the config?
As "notfound" is relevant to the previous module that was called, location matters. e.g. if you're using ldap, put it after your ldap call, not at the end of the authorize{} section after pap.
May you help me please? Do you need other technical details?
Well the full output of radiusd -X means we have some sort of clue as to what is actually going on.
-- Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list /users.html
participants (2)
-
Gianluca Baù -
Matthew Newton