update request ... seems not to be working
Sam Hartman
hartmans at mit.edu
Fri Jul 25 16:45:28 CEST 2014
Hi.
debug output from the pre-proxy policy I submitted a pull request for
recently.
As far as I can tell the update request block is not doing anything.
%{client:trust_router_coi}
(0) --> apc.painless-security.com
(0) if ("%{client:trust_router_coi}") -> TRUE
(0) if ("%{client:trust_router_coi}") {
(0) update request {
(0) EXPAND %{client:trust_router_coi}
(0) --> apc.painless-security.com
(0) trust-router-coi := "apc.painless-security.com"
(0) } # update request = noop
(0) } # if ("%{client:trust_router_coi}") = noop
(0) if ("%{client:gss_acceptor_realm_name}")
(0) EXPAND %{client:gss_acceptor_realm_name}
(0) --> painless-security.com
(0) if ("%{client:gss_acceptor_realm_name}") -> TRUE
(0) if ("%{client:gss_acceptor_realm_name}") {
(0) update request {
(0) EXPAND %{client:gss_acceptor_realm_name}
(0) --> painless-security.com
(0) gss-acceptor-realm-name := "painless-security.com"
(0) } # update request = noop
(0) } # if ("%{client:gss_acceptor_realm_name}") = noop
(0) } # abfab_pre_proxy abfab_pre_proxy = noop
(0) } # pre-proxy = noop
Opening new proxy socket 'proxy (0.0.0.0, 0) -> home_server (54.210.169.190, 2083)'
Trying SSL to port 2083
Requiring Server certificate
(0) (other): before/connect initialization
(0) TLS_connect: before/connect initialization
(0) >>> TLS 1.0 Handshake [length 003d], ClientHello
(0) TLS_connect: SSLv3 write client hello A
(0) <<< TLS 1.0 Handshake [length 0036], ServerHello
...
(0) Sending Access-Request packet to host 54.210.169.190 port 2083, id=100, length=0
(0) User-Name = '@staff.painless-security.com'
(0) GSS-Acceptor-Service-Name = 'gss'
(0) GSS-Acceptor-Host-Name = 'painless-security.com'
(0) EAP-Message = 0x02000021014073746166662e7061696e6c6573732d73656375726974792e636f6d
(0) Message-Authenticator = 0x93d2db00804f0168b47e8213de6dcf21
(0) NAS-IP-Address = 127.0.0.1
(0) Realm = 'apc.painless-security.com%staff.painless-security.com'
(0) EAP-Type = Identity
(0) Proxy-State = 0x30
Sending Access-Request Id 100 from 10.1.10.90:44014 to 54.210.169.190:2083
User-Name = '@staff.painless-security.com'
GSS-Acceptor-Service-Name = 'gss'
GSS-Acceptor-Host-Name = 'painless-security.com'
EAP-Message = 0x02000021014073746166662e7061696e6c6573732d73656375726974792e636f6d
Message-Authenticator = 0x93d2db00804f0168b47e8213de6dcf21
NAS-IP-Address = 127.0.0.1
Proxy-State = 0x30
Unlang:
abfab_pre_proxy {
    # check acceptor host name is correct
    if ("%{client:gss_acceptor_host_name}" && "%{gss-acceptor-host-name}") {
        if ("%{client:gss_acceptor_host_name}" != "%{gss-acceptor-host-name}") {
            reject
        }
    }
    # set trust-router-coi attribute from client configuration
    if ("%{client:trust_router_coi}") {
        update request {
            trust-router-coi := "%{client:trust_router_coi}"
        }
    }
    # set gss-acceptor-realm-name attribute from client configuration
    if ("%{client:gss_acceptor_realm_name}") {
        update request {
            gss-acceptor-realm-name := "%{client:gss_acceptor_realm_name}"
        }
    }
}
What I'd expect to happen is for my outgoing request to have
gss-acceptor-realm-name and trust-router-coi attributes set.
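
A diagnostic for the symptom reported above, as an added example that is not part of the original post or of FreeRADIUS: it reads debug text in the format quoted in the message and reports each attribute assigned in an `update` block, with the list that block targeted, that is absent from the following "Sending Access-Request Id" dump. The names `missing_from_sent_packet` and `SAMPLE_DEBUG` are hypothetical, and the sample is constructed by trimming the log in the post.

```python
import re

# Constructed sample: trimmed from the debug output quoted in the post above.
SAMPLE_DEBUG = """\
(0) update request {
(0) EXPAND %{client:trust_router_coi}
(0) --> apc.painless-security.com
(0) trust-router-coi := "apc.painless-security.com"
(0) } # update request = noop
(0) update request {
(0) gss-acceptor-realm-name := "painless-security.com"
(0) } # update request = noop
(0) } # pre-proxy = noop
Sending Access-Request Id 100 from 10.1.10.90:44014 to 54.210.169.190:2083
User-Name = '@staff.painless-security.com'
GSS-Acceptor-Service-Name = 'gss'
GSS-Acceptor-Host-Name = 'painless-security.com'
NAS-IP-Address = 127.0.0.1
Proxy-State = 0x30
"""

PREFIX = re.compile(r"^\(\d+\)\s*")                   # "(0) " request-number prefix
UPDATE_OPEN = re.compile(r"^update\s+([\w.-]+)\s*\{$")  # captures the target list
ASSIGN = re.compile(r"^([\w-]+)\s*(?::=|\+=|=)\s*\S")   # attr := value inside update
SENT_ATTR = re.compile(r"^([\w-]+)\s*=\s*\S")           # attr = value in packet dump

# Hypothetical helper (not a FreeRADIUS API); attribute names compared lowercased.
def missing_from_sent_packet(debug_text):
    """Return {attribute: list} for attributes assigned in an update block
    but absent from the 'Sending Access-Request Id' dump that follows."""
    assigned, sent = {}, set()
    current_list, in_sent = None, False
    for raw in debug_text.splitlines():
        line = PREFIX.sub("", raw.strip())
        if line.startswith("Sending Access-Request Id"):
            in_sent, current_list = True, None
        elif in_sent:
            m = SENT_ATTR.match(line)
            if m:
                sent.add(m.group(1).lower())
            else:
                in_sent = False  # first non-attribute line ends the dump
        elif (m := UPDATE_OPEN.match(line)):
            current_list = m.group(1)
        elif line.startswith("}"):
            current_list = None
        elif current_list and (m := ASSIGN.match(line)):
            assigned[m.group(1).lower()] = current_list
    return {attr: lst for attr, lst in assigned.items() if attr not in sent}
```

On the constructed sample both attributes are reported as assigned in the `request` list and missing from the packet that was sent.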