class attribute won't pass

Brian tbt at intercom.net
Fri Jul 8 17:18:51 CEST 2005


Hello,

I'm running freeradius 0.9.3 (I know.. it's old..), operating in a proxy 
configuration.  I'm having issues with freeradius not passing the 
"class" attribute back to the NAS after receiving it from one of our 
proxy customers.  I can't put the Class attribute in the user's file 
because the proxy customer uses different values per customer.  We only 
have one customer that passes the class attribute to us, so this is the 
first instance where we are having this issue.  I've tried changing the 
attribute value from "octet" to "string" in the dictionary file as was 
suggested previously on the mailing list, but it doesn't make a 
difference :-( Here is debug output from radiusd:


rad_recv: Access-Request packet from host 63.110.xxx.xx:3401, id=75, 
length=211
        User-Name = "user at realm.com"
        User-Password = "6875"
        NAS-IP-Address = 63.215.xx.xxx
        NAS-Port = 807
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Ascend-Data-Rate = 28800
        Ascend-Calling-Id-Type-Of-Num = Unknown
        Ascend-Calling-Id-Number-Plan = Unknown
        Ascend-Xmit-Rate = 50667
        Called-Station-Id = "317270xxxx"
        Calling-Station-Id = "317862xxxx"
        NAS-Identifier = "nas.ind.Level3.net"
        Acct-Session-Id = "483826947"
        NAS-Port-Type = Async
        Ascend-NAS-Port-Format = 4
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 73
  modcall[authorize]: module "attr_filter" returns noop for request 73
    rlm_realm: Looking up realm "realm.com" for User-Name = "user at realm.com"
    rlm_realm: Found realm "realm.com"
    rlm_realm: Proxying request from user user to realm realm.com
    rlm_realm: Adding Realm = "realm.com"
    rlm_realm: Preparing to proxy authentication request to realm 
"realm.com"
modcall[authorize]: module "suffix" returns updated for request 73
    users: Matched DEFAULT at 537
  modcall[authorize]: module "files" returns ok for request 73
  hints: Matched DEFAULT at 49
  modcall[authorize]: module "preprocess" returns ok for request 73
modcall: group authorize returns updated for request 73
Sending Access-Request of id 1 to 63.174.xxx.xx:1645
        User-Name = "user at realm.com"
        User-Password = "6875"
        NAS-IP-Address = 63.215.xx.xxx
        NAS-Port = 807
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Ascend-Data-Rate = 28800
        Ascend-Calling-Id-Type-Of-Num = Unknown
        Ascend-Calling-Id-Number-Plan = Unknown
        Ascend-Xmit-Rate = 50667
        Called-Station-Id = "317270xxxx"
        Calling-Station-Id = "317862xxxx"
        NAS-Identifier = "nas.ind.Level3.net"
        Acct-Session-Id = "483826947"
        NAS-Port-Type = Async
        Ascend-NAS-Port-Format = 4
        Proxy-State = 0x3735
Waking up in 1 seconds...
rad_recv: Access-Accept packet from host 63.174.xxx.xx:1645, id=1, 
length=218
        Proxy-State = 0x3735
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Ascend-Data-Filter = "ip in forward tcp est"
        Ascend-Data-Filter = "ip in forward dstip 63.174.xxx.x/24 0"
        Ascend-Data-Filter = "ip in drop tcp dstport = 25"
        Ascend-Data-Filter = "ip in forward 0"
        Idle-Timeout = 1800
        Session-Timeout = 21600
        Propel-Accelerate = 1
        X-Ascend-Idle-Limit = 1800
        X-Ascend-Maximum-Time = 28800
        Class = "IEAS1\005378602\003292"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 73
 attr_filter: Matched entry DEFAULT at line 84
  modcall[authorize]: module "attr_filter" returns updated for request 73
    rlm_realm: Proxy reply, or no User-Name.  Ignoring.
  modcall[authorize]: module "suffix" returns noop for request 73
    users: Matched DEFAULT at 537
  modcall[authorize]: module "files" returns ok for request 73
  hints: Matched DEFAULT at 49
  modcall[authorize]: module "preprocess" returns ok for request 73
modcall: group authorize returns updated for request 73
  rad_check_password:  Found Auth-Type
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [user at realm.com/6875] (from client acs223 port 807 cli 3178623267)
Sending Access-Accept of id 75 to 63.110.xxx.xx:3401
        Service-Type := Framed-User
        Framed-IP-Address := 255.255.255.254
        Framed-IP-Netmask := 255.255.255.255
        Framed-Protocol := PPP
        Ascend-Data-Filter = "ip in forward tcp est"
        Ascend-Data-Filter = "ip in forward dstip 63.174.xxx.x/24 0"
        Ascend-Data-Filter = "ip in drop tcp dstport = 25"
        Ascend-Data-Filter = "ip in forward 0"
        Session-Timeout = 21600
        X-Ascend-Maximum-Time = 28800
        Framed-Compression = Van-Jacobson-TCP-IP
        Idle-Timeout = 900
        X-Ascend-Idle-Limit = 900
Finished request 73



--------


As you can see in the debug output, the freeradius server receives the 
class attribute from 63.174.xxx.xx, but when sending back to the NAS at 
63.110.xxx.xx, the Class attribute is not being tagged on.  Any help / 
direction would be greatly appreciated!

Thanks.

Brian Taylor
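
Added example, not part of the original post: a Python helper that diffs the attributes in the proxied Access-Accept against the Access-Accept sent to the NAS, run on a shortened excerpt of the debug output above. The function names are assumptions of this example.

```python
import re

# Shortened excerpt of the radiusd debug output quoted in the post above.
DEBUG_LOG = r'''rad_recv: Access-Accept packet from host 63.174.xxx.xx:1645, id=1,
length=218
        Proxy-State = 0x3735
        Idle-Timeout = 1800
        Session-Timeout = 21600
        Class = "IEAS1\005378602\003292"
 attr_filter: Matched entry DEFAULT at line 84
  modcall[authorize]: module "attr_filter" returns updated for request 73
Sending Access-Accept of id 75 to 63.110.xxx.xx:3401
        Framed-IP-Address := 255.255.255.254
        Session-Timeout = 21600
        Idle-Timeout = 900
'''

HEADER = re.compile(r'^(rad_recv|Sending)\b.*?(Access-\w+)')
ATTR = re.compile(r'^\s+([\w-]+) :?= (.*)$')

def parse_packets(log):
    """Return [(direction, code, [(attr, value), ...])] from the debug output."""
    packets, current = [], None
    for line in log.splitlines():
        head, attr = HEADER.match(line), ATTR.match(line)
        if head:
            current = []
            packets.append((head.group(1), head.group(2), current))
        elif attr and current is not None:
            current.append((attr.group(1), attr.group(2)))
        elif not line.startswith('length='):  # wrapped header line is harmless
            current = None                    # anything else ends the attribute list
    return packets

def attrs_of(packets, direction, code):
    """Attributes of the first matching packet as {name: [values]}."""
    grouped = {}
    for name, value in next(a for d, c, a in packets if (d, c) == (direction, code)):
        grouped.setdefault(name, []).append(value)
    return grouped

def diff_reply(log):
    """Compare what the home server returned with what the NAS was sent."""
    packets = parse_packets(log)
    recv = attrs_of(packets, 'rad_recv', 'Access-Accept')
    sent = attrs_of(packets, 'Sending', 'Access-Accept')
    return {'dropped': sorted(recv.keys() - sent.keys()),
            'added': sorted(sent.keys() - recv.keys()),
            'changed': sorted(k for k in recv.keys() & sent.keys() if recv[k] != sent[k])}
```

In the full debug output above, attr_filter is the only module that returns `updated` while the proxy reply is processed, so its matched DEFAULT entry (line 84) is the first place to check for attributes reported as dropped.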



