Attributes sent to proxy servers ...
Arran Cudbard-Bell
A.Cudbard-Bell at sussex.ac.uk
Tue Feb 5 14:57:45 CET 2008
Arran Cudbard-Bell wrote:
> A.L.M.Buxey at lboro.ac.uk wrote:
>> hi,
>>
>> you are still pre-proxy attr filtering?
>> alan
>>
> No, didn't really see the point.. Internal attributes aren't meant to
> be proxied, and those are the only ones I really wanted filtering out.
>
> Looks like something very strange is going on with proxying accounting
> packets as well.
>
> rad_recv: Accounting-Request packet from host 139.184.8.16 port 1026,
> id=225, length=141
> Acct-Session-Id = "004E00000019"
> Acct-Status-Type = Start
> Acct-Authentic = RADIUS
> Acct-Delay-Time = 15
> NAS-Port = 1
> Calling-Station-Id = "00-1B-63-A3-A8-DD"
> Event-Type = Framed-User
> NAS-IP-Address = 139.184.8.16
> NAS-Identifier = "hp-e-its-dev8021x-sw1"
> User-Name = "ac221 at loopback.sussex.ac.uk"
> server default-outer {
> +- entering group preacct
> ++? if ("%{User-Name}" =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/)
> expand: %{User-Name} -> ac221 at loopback.sussex.ac.uk
> ? Evaluating ("%{User-Name}" =~
> /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) -> TRUE
> ++? if ("%{User-Name}" =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) ->
> TRUE
> ++- entering if ("%{User-Name}" =~
> /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/)
> +++? if (!"%{2}"||("%{2}" == 'sussex.ac.uk'))
> expand: %{2} -> loopback.sussex.ac.uk
> ? Evaluating "loopback.sussex.ac.uk" -> FALSE
> expand: %{2} -> loopback.sussex.ac.uk
> ? Evaluating ("%{2}" == 'sussex.ac.uk') -> FALSE
> +++? if (!"%{2}"||("%{2}" == 'sussex.ac.uk')) -> FALSE
> +++- entering else else
> expand: %{1}@%{2} -> ac221 at loopback.sussex.ac.uk
> ++++[request] returns noop
> +++- else else returns noop
> ++- if ("%{User-Name}" =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/)
> returns noop
> ++ ... skipping else for request 20: Preceding "if" was taken
> expand: %{Realm} -> %{2}
> ++- entering switch %{Realm}
> +++- entering case
> ++++[control] returns noop
> ++++[request] returns noop
> +++- case returns noop
> ++- switch %{Realm} returns noop
> ++? if ("%{Called-Station-Id}" =~
> /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i)
>
> expand: %{Called-Station-Id} ->
> ? Evaluating ("%{Called-Station-Id}" =~
> /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i)
> -> FALSE
> ++? if ("%{Called-Station-Id}" =~
> /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i)
> -> FALSE
> ++? if ("%{Calling-Station-Id}" =~
> /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i)
>
> expand: %{Calling-Station-Id} -> 00-1B-63-A3-A8-DD
> ? Evaluating ("%{Calling-Station-Id}" =~
> /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i)
> -> TRUE
> ++? if ("%{Calling-Station-Id}" =~
> /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i)
> -> TRUE
> ++- entering if ("%{Calling-Station-Id}" =~
> /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i)
>
> expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 001B63A3A8DD
> +++[request] returns noop
> ++- if ("%{Calling-Station-Id}" =~
> /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i)
> returns noop
> ++? if ("%{NAS-Port-Id}" =~ /wl[0-9]*/)
> expand: %{NAS-Port-Id} ->
> ? Evaluating ("%{NAS-Port-Id}" =~ /wl[0-9]*/) -> FALSE
> ++? if ("%{NAS-Port-Id}" =~ /wl[0-9]*/) -> FALSE
> ++? if (("%{NAS-Port-Type}" == 'Wireless-802.11')||("%{NAS-Port-Type}"
> == 'Ethernet'))
> expand: %{NAS-Port-Type} ->
> ?? Evaluating ("%{NAS-Port-Type}" == 'Wireless-802.11') -> FALSE
> expand: %{NAS-Port-Type} ->
> ?? Evaluating ("%{NAS-Port-Type}" == 'Ethernet') -> FALSE
> ++? if (("%{NAS-Port-Type}" == 'Wireless-802.11')||("%{NAS-Port-Type}"
> == 'Ethernet')) -> FALSE
> ++? if ("%{NAS-IP-Address}" == '127.0.0.1')
> expand: %{NAS-IP-Address} -> 139.184.8.16
> ? Evaluating ("%{NAS-IP-Address}" == '127.0.0.1') -> FALSE
> ++? if ("%{NAS-IP-Address}" == '127.0.0.1') -> FALSE
> expand: %{Client-Shortname} -> hp-e-its-dev8021x-sw1
> ++[request] returns noop
> rlm_acct_unique: WARNING: Attribute Client-IP-Address was not found in
> request, unique ID MAY be inconsistent
> rlm_acct_unique: Hashing ',NAS-Port = 1,NAS-IP-Address =
> 139.184.8.16,Acct-Session-Id = "004E00000019",User-Name =
> "ac221 at loopback.sussex.ac.uk"'
> rlm_acct_unique: Acct-Unique-Session-ID = "67d4bffd71faf76b".
> ++[acct_unique] returns ok
> +- entering group accounting
> expand: /var/log/radiusd/%Y%m%d/accounting-detail-%H:00 ->
> /var/log/radiusd/20080205/accounting-detail-12:00
> rlm_detail: /var/log/radiusd/%Y%m%d/accounting-detail-%H:00 expands to
> /var/log/radiusd/20080205/accounting-detail-12:00
> expand: %{Packet-Src-IP-Address} - %t -> 139.184.8.16 - Tue Feb 5
> 12:49:09 2008
> ++[accounting_log] returns ok
> expand: %{Stripped-User-Name} -> ac221 at loopback.sussex.ac.uk
> expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} ->
> ac221 at loopback.sussex.ac.uk
> rlm_sql (sql): sql_set_user escaped user -->
> 'ac221 at loopback.sussex.ac.uk'
> expand: %{Acct-Delay-Time} -> 15
> expand: INSERT INTO radacct
> (acctsessionid, acctuniqueid, username,
> realm, nasidentifier, nasipaddress,
> nasportid, nasporttype, acctstarttime,
> acctstoptime, acctsessiontime, acctauthentic,
> connectinfo_start, connectinfo_stop, acctinputoctets,
> acctoutputoctets, calledstationid, calledstationssid,
> callingstationid, acctterminatecause, servicetype,
> framedprotocol, framedipaddress, acctstartdelay,
> acctstopdelay ) VALUES ('%{Acct-Session-Id}',
> '%{Acct-Unique-Session-Id}',
> '%{SQL-User-Name}', '%{Realm}', '%{NAS-Identifier}',
> '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}',
> '%S', '0', '0', '%{Acct-Authentic}',
> '%{Connect-Info}', '', '0', '0',
> '%{Called-Station-Id}','%{Called-Station-SSID}','%{Calling-Station-Id}',
> '', '%{Service-Type}', '%{Framed-Protocol}',
> '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0')
> -> INSERT INTO radacct (acctsessionid,
> acctuniqueid, username, realm,
> nasidentifier, nasipaddress, nasportid,
> nasporttype, acctstarttime, acctstoptime,
> acctsessiontime, acctauthentic, connectinfo_start,
> connectinfo_stop, acctinputoctets, acctoutputoctets,
> calledstationid, calledstationssid, callingstationid,
> acctterminatecause, servicetype, framedprotocol,
> framedipaddress, acctstartdelay, acctstopdelay
> ) VALUES ('004E00000019',
> '67d4bffd71faf76b',
> 'ac221 at loopback.sussex.ac.uk', 'jrs',
> 'hp-e-its-dev8021x-sw1', '139.184.8.16', '1', '',
> '2008-02-05 12:49:09', '0', '0', 'RADIUS',
> '', '', '0', '0', '','','001B63A3A8DD',
> '', 'Framed-User', '', '', '15', '0')
> rlm_sql (sql): Reserving sql socket id: 19
> rlm_sql (sql): Released sql socket id: 19
> ++[sql] returns ok
> expand: %{User-Name} -> ac221 at loopback.sussex.ac.uk
> attr_filter: Matched entry DEFAULT at line 12
> ++[attr_filter.accounting_response] returns updated
> } # server default-outer
> +- entering group pre-proxy
> expand: /var/log/radiusd/%Y%m%d/pre-proxy-detail-%H:00 ->
> /var/log/radiusd/20080205/pre-proxy-detail-12:00
> rlm_detail: /var/log/radiusd/%Y%m%d/pre-proxy-detail-%H:00 expands to
> /var/log/radiusd/20080205/pre-proxy-detail-12:00
> expand: %{Packet-Src-IP-Address} - %t -> 139.184.8.16 - Tue Feb 5
> 12:49:09 2008
> ++[pre_proxy_log] returns ok
>
> Where have all the attributes gone ?!!?
>
> Sending Accounting-Request of id 180 to 194.82.174.185 port 1813
> Proxy-State = 0x323235
> Proxying request 20 to home server 194.82.174.185 port 1813
> Sending Accounting-Request of id 180 to 194.82.174.185 port 1813
> Realm = "jrs"
> Proxy-State = 0x323235
> Going to the next request
> Waking up in 0.9 seconds.
> Waking up in 14.0 seconds.
> Rejecting request 17 due to lack of any response from home server
> 194.82.174.185 port 1813
>
Never mind ...
++[sql] returns ok
expand: %{User-Name} -> ac221 at loopback.sussex.ac.uk
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
*sigh*
--
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
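
Added example, not part of the original post or of FreeRADIUS: a small Python check for the symptom in the trace above. It compares the attributes received in `rad_recv` with those in the proxied `Sending` packet and lists modules that returned `updated` before the packet was sent. It assumes attribute lines are indented as `radiusd -X` prints them (the archive has stripped that indentation); the sample log is constructed and abridged from the quoted output, and the function name `analyse` is hypothetical.

```python
import re

# Constructed sample, abridged from the radiusd -X output quoted in the post.
SAMPLE = """\
rad_recv: Accounting-Request packet from host 139.184.8.16 port 1026, id=225, length=141
\tAcct-Session-Id = "004E00000019"
\tAcct-Status-Type = Start
\tNAS-IP-Address = 139.184.8.16
\tUser-Name = "ac221 at loopback.sussex.ac.uk"
+- entering group accounting
++[accounting_log] returns ok
++[sql] returns ok
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
+- entering group pre-proxy
++[pre_proxy_log] returns ok
Sending Accounting-Request of id 180 to 194.82.174.185 port 1813
\tRealm = "jrs"
\tProxy-State = 0x323235
"""

ATTR = re.compile(r"^\s+([A-Za-z][\w-]*) = (.+)$")      # indented "Name = value"
RETURN = re.compile(r"^\++\[([^\]]+)\] returns (\w+)$")  # "++[module] returns rcode"
GROUP = re.compile(r"^\+- entering group (\S+)")         # "+- entering group accounting"

def analyse(log):
    """Diff received vs. proxied attributes and list modules that returned 'updated'."""
    received, sent, suspects = {}, {}, []
    block, group = None, None
    for line in log.splitlines():
        if line.startswith("rad_recv:"):
            block = received                 # attribute lines that follow were received
        elif line.startswith("Sending "):
            block = sent                     # attribute lines that follow were sent on
        elif block is not None and (m := ATTR.match(line)):
            block[m.group(1)] = m.group(2)
        else:
            block = None                     # any other line ends the attribute list
            if m := GROUP.match(line):
                group = m.group(1)
            elif (m := RETURN.match(line)) and m.group(2) == "updated" and not sent:
                suspects.append((group, m.group(1)))
    return {
        "dropped": sorted(set(received) - set(sent)),
        "added": sorted(set(sent) - set(received)),
        "suspects": suspects,
    }

if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```
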