reject request in post-proxy
Greetings, I am using FR 3.0.17. I am trying to use unlang in the post-proxy section of my default site to reject certain requests. The following config example is a test condition and contrived. post-proxy { eap if (User-Name == 'mzagrabe') { reject } } However, I am not getting the expected reject when I successfully authenticate. Here is the -X output: [...] (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "mzagrabe", looking up realm NULL (0) suffix: Found realm "NULL" (0) suffix: Adding Stripped-User-Name = "mzagrabe" (0) suffix: Adding Realm = "NULL" (0) suffix: Proxying request from user mzagrabe to realm NULL (0) suffix: Preparing to proxy authentication request to realm "NULL" (0) [suffix] = updated (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop (0) [expiration] = noop (0) [logintime] = noop (0) [pap] = noop (0) } # authorize = updated (0) Starting proxy to home server 10.0.0.1 port 1812 (0) Proxying request to home server 10.0.0.1 port 1812 timeout 30.000000 (0) Sent Access-Request Id 81 from 0.0.0.0:32865 to 10.0.0.1:1812 length 115 (0) User-Name = "mzagrabe" (0) User-Password = "I need something strong to distract my mind-2020" (0) NAS-IP-Address = 192.168.0.2 (0) Event-Timestamp = "Aug 24 2020 16:21:09 CDT" (0) Message-Authenticator := 0x00 (0) Proxy-State = 0x323330 Waking up in 0.3 seconds. (0) Expecting proxy response no later than 29.667028 seconds from now Waking up in 29.6 seconds. (0) Marking home server 10.0.0.1 port 1812 alive (0) Clearing existing &reply: attributes (0) Received Access-Accept Id 81 from 10.0.0.1:1812 to 192.168.0.1:32865 length 53 (0) Reply-Message = "Success. Logging you in..." (0) Proxy-State = 0x323330 (0) # Executing section post-proxy from file /etc/freeradius/3.0/sites-enabled/default (0) post-proxy { (0) eap: No pre-existing handler found (0) [eap] = noop (0) if (User-Name == 'mzagrabe') { (0) if (User-Name == 'mzagrabe') -> TRUE (0) if (User-Name == 'mzagrabe') { (0) [reject] = reject (0) } # if (User-Name == 'mzagrabe') = reject (0) } # post-proxy = reject (0) Found Auth-Type = Accept (0) Auth-Type = Accept, accepting the user (0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (0) post-auth { (0) update { (0) No attributes updated (0) } # update = noop (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = noop (0) Sent Access-Accept Id 230 from 192.168.0.1:1812 to 192.168.0.2:52859 length 0 (0) Reply-Message = "Success. Logging you in..." (0) Finished request How do I reject in post-proxy after the home server returns a successful authentication check? Thanks for any help! -m
On Aug 24, 2020, at 5:40 PM, Matt Zagrabelny via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I am trying to use unlang in the post-proxy section of my default site to reject certain requests. The following config example is a test condition and contrived.
post-proxy { eap if (User-Name == 'mzagrabe') { reject } }
However, I am not getting the expected reject when I successfully authenticate.
You can't reject users in the post-proxy section. Instead, just do: post-proxy { eap if (User-Name == 'mzagrabe') { update parent.reply { Packet-Type := Reject } } } Alan DeKok.
Hey Alan, Thanks for the reply. On Mon, Aug 24, 2020 at 7:22 PM Alan DeKok <aland@deployingradius.com> wrote:
You can't reject users in the post-proxy section. Instead, just do:
post-proxy { eap if (User-Name == 'mzagrabe') { update parent.reply { Packet-Type := Reject } } }
I'm getting an error using that config: /etc/freeradius/3.0/sites-enabled/default[939]: Unknown or invalid value "Reject" for attribute Packet-Type /etc/freeradius/3.0/sites-enabled/default[938]: Failed to parse "update" subsection. /etc/freeradius/3.0/sites-enabled/default[893]: Errors parsing post-proxy section. Any ideas? Thank you! -m
On Aug 24, 2020, at 8:47 PM, Matt Zagrabelny via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I'm getting an error using that config:
/etc/freeradius/3.0/sites-enabled/default[939]: Unknown or invalid value "Reject" for attribute Packet-Type
Use Access-Reject instead.
On Mon, Aug 24, 2020 at 8:37 PM Alan DeKok <aland@deployingradius.com> wrote:
On Aug 24, 2020, at 8:47 PM, Matt Zagrabelny via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I'm getting an error using that config:
/etc/freeradius/3.0/sites-enabled/default[939]: Unknown or invalid value "Reject" for attribute Packet-Type
Use Access-Reject instead.
The server starts, but states that the Packet-Type is invalid when the post-proxy gets evaluated... Here is the single line: (2) ERROR: Mapping "Access-Reject" -> "Packet-Type" invalid in this context and a more full -X output: (2) Received Access-Accept Id 32 from 10.0.0.1:1812 to 192.168.0.1:41424 length 53 (2) Reply-Message = "Success. Logging you in..." (2) Proxy-State = 0x313834 (2) # Executing section post-proxy from file /etc/freeradius/3.0/sites-enabled/default (2) post-proxy { (2) eap: No pre-existing handler found (2) [eap] = noop (2) if (User-Name == 'mzagrabe') { (2) if (User-Name == 'mzagrabe') -> TRUE (2) if (User-Name == 'mzagrabe') { (2) update parent.reply { (2) ERROR: Mapping "Access-Reject" -> "Packet-Type" invalid in this context (2) } # update parent.reply = invalid (2) } # if (User-Name == 'mzagrabe') = invalid (2) } # post-proxy = invalid (2) Found Auth-Type = Accept (2) Auth-Type = Accept, accepting the user (2) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (2) post-auth { (2) update { (2) No attributes updated (2) } # update = noop (2) [exec] = noop (2) policy remove_reply_message_if_eap { (2) if (&reply:EAP-Message && &reply:Reply-Message) { (2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (2) else { (2) [noop] = noop (2) } # else = noop (2) } # policy remove_reply_message_if_eap = noop (2) } # post-auth = noop (2) Sent Access-Accept Id 184 from 192.168.0.1:1812 to 192.168.0.2:53235 length 0 (2) Reply-Message = "Success. Logging you in..." (2) Finished request Thank you for the continued help! -m
On Aug 24, 2020, at 10:02 PM, Matt Zagrabelny via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
On Mon, Aug 24, 2020 at 8:37 PM Alan DeKok <aland@deployingradius.com> wrote:
On Aug 24, 2020, at 8:47 PM, Matt Zagrabelny via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I'm getting an error using that config:
/etc/freeradius/3.0/sites-enabled/default[939]: Unknown or invalid value "Reject" for attribute Packet-Type
Use Access-Reject instead.
The server starts, but states that the Packet-Type is invalid when the post-proxy gets evaluated...
Here is the single line:
(2) ERROR: Mapping "Access-Reject" -> "Packet-Type" invalid in this context
Hmm... then this should work: update reply { Packet-Type := Access-Reject } Alan DeKok.
On Mon, Aug 24, 2020 at 9:18 PM Alan DeKok <aland@deployingradius.com> wrote:
Here is the single line:
(2) ERROR: Mapping "Access-Reject" -> "Packet-Type" invalid in this context
Hmm... then this should work:
update reply { Packet-Type := Access-Reject }
I don't get the ERROR, but I also don't get rejected: (0) Received Access-Accept Id 112 from 10.0.0.1:1812 to 192.168.0.1:44740 length 53 (0) Reply-Message = "Success. Logging you in..." (0) Proxy-State = 0x323033 (0) # Executing section post-proxy from file /etc/freeradius/3.0/sites-enabled/default (0) post-proxy { (0) eap: No pre-existing handler found (0) [eap] = noop (0) if (User-Name == 'mzagrabe') { (0) if (User-Name == 'mzagrabe') -> TRUE (0) if (User-Name == 'mzagrabe') { (0) update reply { (0) Packet-Type := Access-Reject (0) } # update reply = noop (0) } # if (User-Name == 'mzagrabe') = noop (0) } # post-proxy = noop (0) Found Auth-Type = Accept (0) Auth-Type = Accept, accepting the user (0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (0) post-auth { (0) update { (0) No attributes updated (0) } # update = noop (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = noop (0) Sent Access-Accept Id 203 from 192.168.0.1:1812 to 192.168.0.2:33745 length 0 (0) Reply-Message = "Success. Logging you in..." (0) Finished request Thanks for the help! -m
On Mon, Aug 24, 2020 at 9:25 PM Alan DeKok <aland@deployingradius.com> wrote:
On Aug 24, 2020, at 10:23 PM, Matt Zagrabelny via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I don't get the ERROR, but I also don't get rejected:
You'll have to do a little more digging then. Maybe also use 3.0.21, instead of 3.0.17
Thanks for the help, Alan. 3.0.21 behaves the same. However, I was under the (wrong) impression that I needed to put my business logic in post-proxy since I was proxying all authentication requests - that is, I was no longer performing any local auth. But, it seems I can put the business logic of rejecting users in post-auth and that will work with the proxying. I'm not sure if the limitations of not being able to "reject" in post-proxy is worth putting in a feature request or not. Thanks again for the help and FreeRADIUS, too. It is all very appreciated. -m
On Aug 26, 2020, at 10:39 AM, Matt Zagrabelny <mzagrabe@d.umn.edu> wrote:
3.0.21 behaves the same. However, I was under the (wrong) impression that I needed to put my business logic in post-proxy since I was proxying all authentication requests - that is, I was no longer performing any local auth.
No, pre/post-proxy are just an *additional* step. They don't prevent anything else from happening.
But, it seems I can put the business logic of rejecting users in post-auth and that will work with the proxying.
I'm not sure if the limitations of not being able to "reject" in post-proxy is worth putting in a feature request or not.
Probably not. We're trying to keep v3 stable, and making minimal changes.
Thanks again for the help and FreeRADIUS, too. It is all very appreciated.
You're welcome. Alan DeKok.
participants (2)
-
Alan DeKok -
Matt Zagrabelny