Proxies "status-server" pings are broken when virtual server "status" is enabled
Olivier Beytrison
olivier at heliosnet.org
Wed Jan 30 08:29:50 CET 2013
Hello,
Any idea on the point below?
Olivier
On 28 Jan. 2013, at 10:07, Olivier Beytrison <olivier at heliosnet.org> wrote:
> On a side note, I have something fun going on in post-auth here. I want
> to bypass the post-auth section for Packet-Type == Status-Server. So I
> wrote:
>
>
> post-auth {
>     if(Packet-Type != Status-Server){
>         reply_log
>         if("%{realm}" !~ /.*hes-so.ch/){
>             sql
>         }
>     }
>     Post-Auth-Type REJECT {
>         sql
>     }
> }
>
> But the logic is inverted when you look at the logs.
>
> Now on the log ...
>
> rad_recv: Status-Server packet from host 127.0.0.1 port 60277, id=12,
> length=38
> Message-Authenticator = 0xc09707a123242d5bee7be80eb07b3128
> (81) # Executing group from file /etc/freeradius/sites-enabled/eduroam
> (81) group Status-Server {
> (81) - entering group Status-Server {...}
> (81) [ok] = ok
> (81) # Executing section post-auth from file
> /etc/freeradius/sites-enabled/eduroam
> (81) group post-auth {
> (81) - entering group post-auth {...}
> (81) ? if (Packet-Type != Status-Server)
> (81) ? Evaluating (Packet-Type != Status-Server) -> TRUE
> (81) ? if (Packet-Type != Status-Server) -> TRUE
> (81) if (Packet-Type != Status-Server) {
> (81) - entering if (Packet-Type != Status-Server) {...}
>
> And what's even more funny .... On an Access-Accept packet it says that
> Packet-Type != Status-Server -> FALSE :D
>
> rad_recv: Access-Accept packet from host 130.59.138.29 port 1812,
> id=129, length=189
> MS-MPPE-Recv-Key =
> 0x180d7429b72d1ef1757290ed8a0f47e8f22583e1bcb704c208c89a405779ba0d
> MS-MPPE-Send-Key =
> 0x0602884e6fba66616fc31d0047a1947bc996d10034886589d1a7b4a2ef37879e
> EAP-Message = 0x03080004
> Message-Authenticator = 0xbb3d302a9d2b4a124f70e8f49e1588dd
> User-Name = "anonymous at test.hes-so.ch"
> Proxy-State = 0x38
> (110) # Executing section post-proxy from file
> /etc/freeradius/sites-enabled/eduroam
> (110) group post-proxy {
> (110) - entering group post-proxy {...}
> [snip of post_proxy_log junk]
> (110) [post_proxy_log] = ok
> (110) attr_filter.post-proxy : expand: '%{Realm}' -> 'DEFAULT'
> (110) attr_filter.post-proxy : Matched entry DEFAULT at line 103
> (110) [attr_filter.post-proxy] = updated
> (110) Found Auth-Type = Accept
> (110) Auth-Type = Accept, accepting the user
> (110) # Executing section post-auth from file
> /etc/freeradius/sites-enabled/eduroam
> (110) group post-auth {
> (110) - entering group post-auth {...}
> (110) ? if (Packet-Type != Status-Server)
> (110) ? Evaluating (Packet-Type != Status-Server) -> FALSE
> (110) ? if (Packet-Type != Status-Server) -> FALSE
> Sending Access-Accept of id 8 from 127.0.0.1 port 1812 to 127.0.0.1 port
> 56702
> MS-MPPE-Recv-Key =
> 0x180d7429b72d1ef1757290ed8a0f47e8f22583e1bcb704c208c89a405779ba0d
> EAP-Message = 0x03080004
> Message-Authenticator = 0xbb3d302a9d2b4a124f70e8f49e1588dd
>
> --
>
> Olivier Beytrison
> Network & Security Engineer, HES-SO Fribourg
> Mobile: +41 (0)78 619 73 53
> Mail: olivier at heliosnet.org
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
>
>
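A small checker for the mismatch reported above, as an added example that is not part of the original post or of FreeRADIUS: it pairs each `rad_recv:` line with the `Evaluating (Packet-Type ... Status-Server)` lines that follow it and reports results that disagree with the received packet type. The sample log is constructed from the quoted output, `find_inverted` is a hypothetical helper name, and the code assumes debug output in which a request's lines directly follow its `rad_recv:` line.

```python
import re

# Constructed sample, trimmed from the debug output quoted in the post.
SAMPLE = """\
rad_recv: Status-Server packet from host 127.0.0.1 port 60277, id=12, length=38
(81) ? if (Packet-Type != Status-Server)
(81) ? Evaluating (Packet-Type != Status-Server) -> TRUE
rad_recv: Access-Accept packet from host 130.59.138.29 port 1812, id=129, length=189
(110) ? if (Packet-Type != Status-Server)
(110) ? Evaluating (Packet-Type != Status-Server) -> FALSE
"""

RECV = re.compile(r"^rad_recv: (\S+) packet from host")
EVAL = re.compile(
    r"^\((\d+)\)\s+\? Evaluating \(Packet-Type (==|!=) Status-Server\) -> (TRUE|FALSE)"
)


def find_inverted(log_text):
    """Return (request, packet_type, condition, logged) for each inverted result."""
    findings = []
    last_type = None  # packet type from the most recent rad_recv line
    for raw in log_text.splitlines():
        # Tolerate mail quoting ("> ") so archived posts can be pasted in directly.
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        m = RECV.match(line)
        if m:
            last_type = m.group(1)
            continue
        m = EVAL.match(line)
        if m is None or last_type is None:
            continue
        req, op, logged = m.groups()
        is_status = last_type == "Status-Server"
        # What the comparison should yield for the packet that was received.
        expected = is_status if op == "==" else not is_status
        if expected != (logged == "TRUE"):
            findings.append(
                (int(req), last_type, f"Packet-Type {op} Status-Server", logged)
            )
    return findings


if __name__ == "__main__":
    for finding in find_inverted(SAMPLE):
        print("inverted result:", finding)
```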