Behaviour of freeradius when receiving a response from a proxy server
Hi all, I wonder about the freeradius server behaviour after receiving a response from a proxy. Is it normal that the request passes through the post-auth section once the request has been received ? Below, the behaviour i observed Note: this is only a test in order to undersand the freeradius server behaviour in that case. rad_recv: Access-Request packet from host 127.0.0.1:16395, id=235, length=109 User-Name = "D00000" User-Password = "password" NAS-IP-Address = 172.26.233.2 NAS-Port-Type = Wireless-802.11 WISPr-Location-Name = "Testing:FR,localhost" NAS-Identifier = "FRAF1" Event-Timestamp = "Jun 12 2007 09:26:34 GMT" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall: entering group request_processing for request 0 radius_xlat: 'test.fr' rlm_attr_rewrite: Added attribute Proxy-To-Realm with value 'test.fr' modcall[authorize]: module "add_proxy_to_realm" returns ok for request 0 modcall: leaving group request_processing (returns ok) for request 0 modcall: leaving group authorize (returns ok) for request 0 Processing the pre-proxy section of radiusd.conf modcall: entering group pre-proxy for request 0 modcall: entering group request_processing for request 0 radius_xlat: '/var/log/freeradius/radacct//RADIUS-Trace-20070612' rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/RADIUS-Trace-%Y%m%d expands to /var/log/freeradius/radacct//RADIUS-Trace-20070612 modcall[pre-proxy]: module "radius_trace" returns ok for request 0 modcall: leaving group request_processing (returns ok) for request 0 modcall: leaving group pre-proxy (returns ok) for request 0 Sending Access-Request of id 0 to 172.26.233.2 port 1812 User-Name = "D000001" User-Password = "password" NAS-IP-Address = 172.26.233.2 NAS-Port-Type = Wireless-802.11 WISPr-Location-Name = "Testing:FR,localhost" NAS-Identifier = "FRAF1" Event-Timestamp = "Jun 12 2007 09:26:34 GMT" Proxy-State = 0x323335 --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Accept packet from host 172.26.233.2:1812, id=0, length=67 Reply-Message = "User authenticated on remote platform." Proxy-State = 0x323335 Processing the post-proxy section of radiusd.conf modcall: entering group post-proxy for request 0 radius_xlat: '/var/log/freeradius/radacct//RADIUS-Trace-20070612' rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/RADIUS-Trace-%Y%m%d expands to /var/log/freeradius/radacct//RADIUS-Trace-20070612 modcall[post-proxy]: module "radius_trace" returns ok for request 0 modcall: leaving group post-proxy (returns ok) for request 0 authorize: Skipping authorize in post-proxy stage rad_check_password: Found Auth-Type rad_check_password: Auth-Type = Accept, accepting the user radius_xlat: 'User authenticated on remote platform.' Processing the post-auth section of radiusd.conf modcall: entering group post-auth for request 0 modcall: entering group request_processing for request 0 modcall[post-auth]: module "local_voucher_account_info" returns ok for request 0 radius_xlat: '/var/log/freeradius/radacct//RADIUS-Trace-20070612' rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/RADIUS-Trace-%Y%m%d expands to /var/log/freeradius/radacct//RADIUS-Trace-20070612 modcall[post-auth]: module "radius_trace" returns ok for request 0 modcall: leaving group request_processing (returns ok) for request 0 modcall: leaving group post-auth (returns ok) for request 0 Sending Access-Accept of id 91 to 127.0.0.1 port 16395 Reply-Message = "User authenticated on remote platform." Finished request 0 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 91 with timestamp 466e71d8 Nothing to do. Sleeping until we see a request. The example above shows that the request passes through authorize, pre-proxy, post-proxy and then though post-auth. Is there any way that the request does not pass through the post-auth section ? Thanks in advance.
Nicolas Castel wrote:
I wonder about the freeradius server behaviour after receiving a response from a proxy. Is it normal that the request passes through the post-auth section once the request has been received ?
Yes. It is documented as working that way. The idea is that the proxy can re-write, add, or delete, any attributes returned by the home server. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan Dekok wrote:
Nicolas Castel wrote:
I wonder about the freeradius server behaviour after receiving a response from a proxy. Is it normal that the request passes through the post-auth section once the request has been received ?
Yes. It is documented as working that way. The idea is that the proxy can re-write, add, or delete, any attributes returned by the home server.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
What about reply attributes prior to proxying ? Does the server store these and merge them back into the response post proxy ? Or is the response take purely from what comes back from the home server ? Wheres the documentation for this btw ? I had a quick look in doc and couldn't see anything... and the stuff on the wiki is horribly out of date, and only covers proxying with the realm modules. -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900
participants (3)
-
Alan Dekok -
Arran Cudbard-Bell -
Nicolas Castel