Running radiusd -X I got (0) Received Access-Request Id 1 from 204.209.81.4:1568 to 204.209.81.1:1645 length 56 (0) User-Name = "Puser" (0) User-Password = "Ppassword" (0) NAS-IP-Address = 192.168.81.4 (0) NAS-Port = 20 (0) # Executing section authorize from file /usr/freerad3/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "Puser", looking up realm NULL (0) suffix: Found realm "DEFAULT" (0) suffix: Adding Stripped-User-Name = "Puser" (0) suffix: Adding Realm = "DEFAULT" (0) suffix: Authentication realm is LOCAL (0) [suffix] = ok (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [unix] = updated (0) [files] = noop (0) [expiration] = noop (0) [logintime] = noop (0) [pap] = updated (0) } # authorize = updated (0) Found Auth-Type = PAP (0) # Executing group from file /usr/freerad3/etc/raddb/sites-enabled/default (0) Auth-Type PAP { (0) pap: Login attempt with password (0) pap: Comparing with "known-good" Crypt-password (0) pap: User authenticated successfully (0) [pap] = ok (0) } # Auth-Type PAP = ok (0) # Executing section post-auth from file /usr/freerad3/etc/raddb/sites-enabled/default (0) post-auth { (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (0) update { (0) No attributes updated for RHS &session-state: (0) } # update = noop (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = noop (0) Sent Access-Accept Id 1 from 204.209.81.1:1645 to 204.209.81.4:1568 length 0 (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 1 with timestamp +36 Ready to process requests Why is the post-auth doing this? -- Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising! nk.ca started 1 June 1995 . https://www.empire.kred/ROOTNK?t=94a1f39b They are not born of the Lord, who alter His Word to please fools. -unknown
well, I didn't understand your question. But, the post-auth{} is doing what is existing in your configuration. Only that, if you don't want/need such behavior. just comment or remove the lines in your raddb/sites-enabled/default. On 22/06/2020 01:00, The Doctor via Freeradius-Users wrote:
(0) post-auth { (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (0) update { (0) No attributes updated for RHS &session-state: (0) } # update = noop (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = noop
On Mon, Jun 22, 2020 at 05:02:50PM -0300, Jorge Pereira wrote:
well, I didn't understand your question. But, the post-auth{} is doing what is existing in your configuration. Only that, if you don't want/need such behavior. just comment or remove the lines in your raddb/sites-enabled/default.
(0) post-auth { (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (0) update { (0) No attributes updated for RHS &session-state: (0) } # update = noop (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = noop
On 22/06/2020 01:00, The Doctor via Freeradius-Users wrote: - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Just did and got this in the post-auth # Executing section post-auth from file /usr/freerad3/etc/raddb/sites-enabled/default (0) post-auth { (0) if (!&reply:State) { (0) if (!&reply:State) -> TRUE (0) if (!&reply:State) { (0) update reply { (0) EXPAND 0x%{randstr:16h} (0) --> 0xe03aec70175aad2ff9b2a907fa71167dbb (0) State := 0xe03aec70175aad2ff9b2a907fa71167dbb (0) } # update reply = noop (0) } # if (!&reply:State) = noop (0) reply_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d (0) reply_log: --> /var/log/radius/radacct/clientNAS/reply-detail-20200622 (0) reply_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/ClientNAS/reply-detail-20200622 (0) reply_log: EXPAND %t (0) reply_log: --> Mon Jun 22 14:19:24 2020 (0) [reply_log] = ok (0) [exec] = noop (0) update reply { (0) EXPAND %{TLS-Cert-Serial} (0) --> (0) Reply-Message += (0) EXPAND %{TLS-Cert-Expiration} (0) --> (0) Reply-Message += (0) EXPAND %{TLS-Cert-Subject} (0) --> (0) Reply-Message += (0) EXPAND %{TLS-Cert-Issuer} (0) --> (0) Reply-Message += (0) EXPAND %{TLS-Cert-Common-Name} (0) --> (0) Reply-Message += (0) EXPAND %{TLS-Cert-Subject-Alt-Name-Email} (0) --> (0) Reply-Message += (0) EXPAND %{TLS-Client-Cert-Serial} (0) --> (0) Reply-Message += (0) EXPAND %{TLS-Client-Cert-Expiration} (0) --> (0) Reply-Message += (0) EXPAND %{TLS-Client-Cert-Subject} (0) --> (0) Reply-Message += (0) EXPAND %{TLS-Client-Cert-Issuer} (0) --> (0) Reply-Message += (0) EXPAND %{TLS-Client-Cert-Common-Name} (0) --> (0) Reply-Message += (0) EXPAND %{TLS-Client-Cert-Subject-Alt-Name-Email} (0) --> (0) Reply-Message += (0) } # update reply = noop (0) policy insert_acct_class { (0) update reply { (0) EXPAND ai:%{md5:%t,%I,%{Packet-Src-Port},%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}},%{NAS-IP-Address},%{Calling-Station-ID},%{User-Name}} (0) --> ai:7566c0fb1bb75e37c3414849878ab3d2 (0) &Class = 0x61693a3735363663306662316262373565333763333431343834393837386162336432 (0) } # update reply = noop (0) } # policy insert_acct_class = noop (0) } # post-auth = ok (0) Sent Access-Accept Id 1 from FreeRadTestserver:1645 to clientNas:1594 length 0 (0) State := 0xe03aec70175aad2ff9b2a907fa71167dbb (0) Reply-Message += "" (0) Reply-Message += "" (0) Reply-Message += "" (0) Reply-Message += "" (0) Reply-Message += "" (0) Reply-Message += "" (0) Reply-Message += "" (0) Reply-Message += "" (0) Reply-Message += "" (0) Reply-Message += "" (0) Reply-Message += "" (0) Reply-Message += "" (0) Class = 0x61693a3735363663306662316262373565333763333431343834393837386162336432 (0) Finished request Waking up in 4.9 seconds. The client NAS is a pre 2000 Computone Intelliserver. -- Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising! nk.ca started 1 June 1995 . https://www.empire.kred/ROOTNK?t=94a1f39b They are not born of the Lord, who alter His Word to please fools. -unknown
participants (2)
-
Jorge Pereira -
The Doctor