update request ... seems not to be working

Sam Hartman hartmans at mit.edu
Fri Jul 25 16:45:28 CEST 2014


Hi.
Debug output from the pre-proxy policy I submitted a pull request for
recently.

As far as I can tell the update request block is not doing anything.

 %{client:trust_router_coi}
(0)    --> apc.painless-security.com
(0)     if ("%{client:trust_router_coi}")  -> TRUE
(0)    if ("%{client:trust_router_coi}")  {
(0)     update request {
(0) EXPAND %{client:trust_router_coi}
(0)    --> apc.painless-security.com
(0)     trust-router-coi := "apc.painless-security.com"
(0)     } # update request = noop
(0)    } # if ("%{client:trust_router_coi}")  = noop
(0)     if ("%{client:gss_acceptor_realm_name}")
(0) EXPAND %{client:gss_acceptor_realm_name}
(0)    --> painless-security.com
(0)     if ("%{client:gss_acceptor_realm_name}")  -> TRUE
(0)    if ("%{client:gss_acceptor_realm_name}")  {
(0)     update request {
(0) EXPAND %{client:gss_acceptor_realm_name}
(0)    --> painless-security.com
(0)     gss-acceptor-realm-name := "painless-security.com"
(0)     } # update request = noop
(0)    } # if ("%{client:gss_acceptor_realm_name}")  = noop
(0)   } # abfab_pre_proxy abfab_pre_proxy = noop
(0)  } #  pre-proxy = noop
Opening new proxy socket 'proxy (0.0.0.0, 0) -> home_server (54.210.169.190, 2083)'
Trying SSL to port 2083
Requiring Server certificate
(0) (other): before/connect initialization
(0) TLS_connect: before/connect initialization
(0) >>> TLS 1.0 Handshake [length 003d], ClientHello
(0) TLS_connect: SSLv3 write client hello A
(0) <<< TLS 1.0 Handshake [length 0036], ServerHello
...
(0) Sending Access-Request packet to host 54.210.169.190 port 2083, id=100, length=0
(0)     User-Name = '@staff.painless-security.com'
(0)     GSS-Acceptor-Service-Name = 'gss'
(0)     GSS-Acceptor-Host-Name = 'painless-security.com'
(0)     EAP-Message = 0x02000021014073746166662e7061696e6c6573732d736563757269747 92e636f6d
(0)     Message-Authenticator = 0x93d2db00804f0168b47e8213de6dcf21
(0)     NAS-IP-Address = 127.0.0.1
(0)     Realm = 'apc.painless-security.com%staff.painless-security.com'
(0)     EAP-Type = Identity
(0)     Proxy-State = 0x30
Sending Access-Request Id 100 from 10.1.10.90:44014 to 54.210.169.190:2083
        User-Name = '@staff.painless-security.com'
        GSS-Acceptor-Service-Name = 'gss'
        GSS-Acceptor-Host-Name = 'painless-security.com'
        EAP-Message = 0x02000021014073746166662e7061696e6c6573732d73656375726974
792e636f6d                                                                     
        Message-Authenticator = 0x93d2db00804f0168b47e8213de6dcf21
        NAS-IP-Address = 127.0.0.1
        Proxy-State = 0x30


Unlang:
abfab_pre_proxy {
	# check acceptor host name is correct
	if ("%{client:gss_acceptor_host_name}" && "%{gss-acceptor-host-name}") {
		if ("%{client:gss_acceptor_host_name}" != "%{gss-acceptor-host-name}") {
			reject
		}
	}
	# set trust-router-coi attribute from client configuration
	if ("%{client:trust_router_coi}") {
		update request {
			trust-router-coi := "%{client:trust_router_coi}"
		}
	}
	# set gss-acceptor-realm-name attribute from client configuration
	if ("%{client:gss_acceptor_realm_name}") {
		update request {
			gss-acceptor-realm-name := "%{client:gss_acceptor_realm_name}"
		}
	}
}


What I'd expect to happen is for my outgoing request to have
gss-acceptor-realm-name and trust-router-coi attributes set.


More information about the Freeradius-Devel mailing list
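Added example (not from the post above, nor from the FreeRADIUS project or the pull request it mentions): a client definition carrying the per-client ABFAB items the policy reads through %{client:...}, together with a pre-proxy policy that writes the attributes to the packet that is actually forwarded. It assumes FreeRADIUS 3.x semantics, where the outgoing proxied packet in the pre-proxy section is the proxy-request list, so the same assignments that the debug output above reports as "update request = noop" are made against proxy-request instead. The client name, IP, secret placeholder and attribute values are constructed for illustration; the dictionary attribute names match those shown in the debug output.

```unlang
# clients.conf - constructed example client (values are illustrative)
client gss_acceptor_example {
	ipaddr = 127.0.0.1
	secret = REPLACE_ME_WITH_A_REAL_SECRET
	# Custom per-client items; any item here is readable as %{client:<item>}
	gss_acceptor_host_name  = painless-security.com
	gss_acceptor_realm_name = painless-security.com
	trust_router_coi        = apc.painless-security.com
}

# policy.d/abfab - assumed file location for the policy below
abfab_pre_proxy {
	# Reject if the acceptor presents a host name other than the one
	# configured for the client that sent us the request.
	if ("%{client:gss_acceptor_host_name}" && "%{GSS-Acceptor-Host-Name}") {
		if ("%{client:gss_acceptor_host_name}" != "%{GSS-Acceptor-Host-Name}") {
			reject
		}
	}

	# In pre-proxy, "update request" edits only the inbound copy of the
	# packet; the copy sent to the home server is the proxy-request list,
	# so assignments meant for the outgoing Access-Request go there.
	if ("%{client:trust_router_coi}") {
		update proxy-request {
			Trust-Router-COI := "%{client:trust_router_coi}"
		}
	}
	if ("%{client:gss_acceptor_realm_name}") {
		update proxy-request {
			GSS-Acceptor-Realm-Name := "%{client:gss_acceptor_realm_name}"
		}
	}
}

# sites-enabled/<virtual server> - call the policy from pre-proxy
pre-proxy {
	abfab_pre_proxy
}
```

To confirm the change took effect, run the server in debug mode (radiusd -X) and compare the attribute list printed under "Sending Access-Request" with the attributes assigned in the policy; if the assignments were applied to the outgoing packet, Trust-Router-COI and GSS-Acceptor-Realm-Name appear in that list rather than only in the EXPAND lines of the policy trace.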