Help with Rewriting RAD_REQUEST in rlm_perl for proxy

Ken Gribble gribble at cs.ucdavis.edu
Thu Jun 12 01:17:29 CEST 2008


Greetings!

I'm using freeradius installed from the freeradius.i386 1.1.3-1.2.el rpm on CentOS 5 (recompiled RedHat).

I'd like to use freeradius as an accounting proxy between two other machines, in order to rewrite some Attributes (User-Name and Acct-Session-Id) before they arrive at their final destination. I need to rewrite any reference to a username to a unique ID number (long story).

I embarked on using rlm_perl for this task. I have the proxy working, but when the data arrives at its destination the Attributes have not been changed. I'm hoping someone has changed attributes before they are sent along to their Accounting radius server in a similar manner, with rlm_perl.

I have tried changing many hashes, and to be honest I'm very new to freeradius and I'm not sure which one should be changed. That's where I seem to be stuck: how to change RAD_REQUEST{'User-Name'} so that when it is proxied it sends my rewrites.

Thank you for any help or pointers you can provide! Examples of what I have done are below.

-Ken


Here is one example of what I have tried in the perl module I wrote:

from my_filter.pl:
...
# Function to handle pre_proxy
sub pre_proxy {
         # For debugging purposes only
         print "start pre_proxy ***\n";
         $RAD_REPLY{'User-Name'} = "12345678";
         $RAD_REQUEST{'User-Name'} = "12345678";
         $RAD_REPLY{'Acct-Session-Id'} = "12345678";
         $RAD_REQUEST{'Acct-Session-Id'} = "12345678";
         &log_request_attributes;
         print "returning from pre_proxy ***\n";
         return RLM_MODULE_UPDATED;
}
...

In the modules section of radiusd.conf I have:
...
         perl {
                module = /etc/raddb/modules/my_filter.pl
                func_pre_proxy = pre_proxy
                func_post_proxy = post_proxy

         }
...

and also in radiusd.conf:

...
pre-proxy {
         perl
}
post-proxy {
         perl
}
...

Here is the output I get when I feed radiusd a faked (to protect the innocent) request:

# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
  main: prefix = "/usr"
  main: localstatedir = "/var"
  main: logdir = "/var/log/radius"
  main: libdir = "/usr/lib"
  main: radacctdir = "/var/log/radius/radacct"
  main: hostname_lookups = no
  main: snmp = no
  main: max_request_time = 30
  main: cleanup_delay = 5
  main: max_requests = 1024
  main: delete_blocked_requests = 0
  main: port = 0
  main: allow_core_dumps = no
  main: log_stripped_names = no
  main: log_file = "/var/log/radius/radius.log"
  main: log_auth = no
  main: log_auth_badpass = no
  main: log_auth_goodpass = no
  main: pidfile = "/var/run/radiusd/radiusd.pid"
  main: user = "radiusd"
  main: group = "radiusd"
  main: usercollide = no
  main: lower_user = "no"
  main: lower_pass = "no"
  main: nospace_user = "no"
  main: nospace_pass = "no"
  main: checkrad = "/usr/sbin/checkrad"
  main: proxy_requests = yes
  proxy: retry_delay = 5
  proxy: retry_count = 3
  proxy: synchronous = no
  proxy: default_fallback = yes
  proxy: dead_time = 120
  proxy: post_proxy_authorize = no
  proxy: wake_all_if_all_dead = no
  security: max_attributes = 200
  security: reject_delay = 1
  security: status_server = no
  main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded preprocess
  preprocess: huntgroups = "/etc/raddb/huntgroups"
  preprocess: hints = "/etc/raddb/hints"
  preprocess: with_ascend_hack = no
  preprocess: ascend_channels_per_line = 23
  preprocess: with_ntdomain_hack = no
  preprocess: with_specialix_jetstream_hack = no
  preprocess: with_cisco_vsa_hack = no
  preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
  realm: format = "suffix"
  realm: delimiter = "@"
  realm: ignore_default = no
  realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
  files: usersfile = "/etc/raddb/users"
  files: acctusersfile = "/etc/raddb/acct_users"
  files: preproxy_usersfile = "/etc/raddb/preproxy_users"
  files: compat = "no"
Module: Instantiated files (files)
Module: Loaded detail
  detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
  detail: detailperm = 384
  detail: dirperm = 493
  detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
  radutmp: filename = "/var/log/radius/radutmp"
  radutmp: username = "%{User-Name}"
  radutmp: case_sensitive = yes
  radutmp: check_with_nas = yes
  radutmp: perm = 384
  radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Module: Loaded perl
  perl: module = "/etc/raddb/modules/orange_filter.pl"
  perl: func_authorize = "authorize"
  perl: func_authenticate = "authenticate"
  perl: func_accounting = "accounting"
  perl: func_preacct = "preacct"
  perl: func_checksimul = "checksimul"
  perl: func_detach = "detach"
  perl: func_xlat = "xlat"
  perl: func_pre_proxy = "pre_proxy"
  perl: func_post_proxy = "post_proxy"
  perl: func_post_auth = "post_auth"
  perl: perl_flags = "(null)"
  perl: func_start_accounting = "(null)"
  perl: func_stop_accounting = "(null)"
  perl: max_clones = 32
  perl: start_clones = 5
  perl: min_spare_clones = 3
  perl: max_spare_clones = 3
  perl: cleanup_delay = 5
  perl: max_request_per_clone = 0
Module: Instantiated perl (perl)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Accounting-Request packet from host 165.217.8.24:32820, id=135, length=210
         NAS-IP-Address = 148.121.8.213
         Acct-Status-Type = Start
         User-Name = "kenlime at somerealm.com"
         NAS-Port = 4192
         NAS-Port-Type = Wireless-802.11
         Framed-IP-Address = 128.120.211.175
         Calling-Station-Id = "001CB3B8AC38"
         Called-Station-Id = "000B86425400"
         Acct-Session-Id = "kenlime001CB3B8AC38-B90"
         Acct-Authentic = RADIUS
         Acct-Delay-Time = 0
         Aruba-Essid-Name = "the-fake"
         Aruba-Location-Id = "SEG-FAKE-SOUTH"
         Aruba-User-Role = "wireless-stuff"
         Aruba-User-Vlan = 0
   Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 0
   modcall[preacct]: module "preprocess" returns noop for request 0
     rlm_realm: Looking up realm "somerealm.com" for User-Name = "kenlime at somerealm.com"
     rlm_realm: Found realm "DEFAULT"
     rlm_realm: Proxying request from user kenlime to realm DEFAULT
     rlm_realm: Adding Realm = "DEFAULT"
     rlm_realm: Preparing to proxy accounting request to realm "DEFAULT"
   modcall[preacct]: module "suffix" returns updated for request 0
   modcall[preacct]: module "files" returns noop for request 0
modcall: leaving group preacct (returns updated) for request 0
   Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 0
radius_xlat:  '/var/log/radius/radacct/169.237.4.24/detail-20080611'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/169.237.4.24/detail-20080611
rlm_detail: Freeradius-Proxied-To set to 169.237.4.13
   modcall[accounting]: module "detail" returns ok for request 0
radius_xlat:  '/var/log/radius/radutmp'
radius_xlat:  'kenlime at somerealm.com'
   modcall[accounting]: module "radutmp" returns ok for request 0
modcall: leaving group accounting (returns ok) for request 0
   Processing the pre-proxy section of radiusd.conf
modcall: entering group pre-proxy for request 0
perl_pool: item 0x9b3ae48 asigned new request. Handled so far: 1
found interpetator at address 0x9b3ae48
start pre_proxy ***
rlm_perl: RAD_REQUEST: NAS-Port-Type = Wireless-802.11
rlm_perl: RAD_REQUEST: Acct-Session-Id = 12345678
rlm_perl: RAD_REQUEST: Called-Station-Id = 000B86425400
rlm_perl: RAD_REQUEST: Client-IP-Address = 165.217.8.24
rlm_perl: RAD_REQUEST: Aruba-User-Role = wireless-stuff
rlm_perl: RAD_REQUEST: Acct-Authentic = RADIUS
rlm_perl: RAD_REQUEST: Acct-Status-Type = Start
rlm_perl: RAD_REQUEST: Realm = ARRAY(0x9c4374c)
rlm_perl: RAD_REQUEST: NAS-IP-Address = 148.121.8.213
rlm_perl: RAD_REQUEST: Calling-Station-Id = 001CB3B8AC38
rlm_perl: RAD_REQUEST: Aruba-Essid-Name = the-fake
rlm_perl: RAD_REQUEST: User-Name = 12345678
rlm_perl: RAD_REQUEST: Aruba-Location-Id = SEG-FAKE-SOUTH
rlm_perl: RAD_REQUEST: Aruba-User-Vlan = 0
rlm_perl: RAD_REQUEST: Framed-IP-Address = 128.120.211.175
rlm_perl: RAD_REQUEST: NAS-Port = 4192
rlm_perl: RAD_REQUEST: Acct-Delay-Time = 0
returning from pre_proxy ***
rlm_perl: Added pair User-Name = 12345678
rlm_perl: Added pair Acct-Session-Id = 12345678
rlm_perl: Added pair Proxy-To-Realm = DEFAULT
perl_pool total/active/spare [5/0/5]
Unreserve perl at address 0x9b3ae48
   modcall[pre-proxy]: module "perl" returns updated for request 0
modcall: leaving group pre-proxy (returns updated) for request 0
Sending Accounting-Request of id 0 to 169.237.4.13 port 1813
         NAS-IP-Address = 148.121.8.213
         Acct-Status-Type = Start
         User-Name = "kenlime at somerealm.com"
         NAS-Port = 4192
         NAS-Port-Type = Wireless-802.11
         Framed-IP-Address = 128.120.211.175
         Calling-Station-Id = "001CB3B8AC38"
         Called-Station-Id = "000B86425400"
         Acct-Session-Id = "kenlime001CB3B8AC38-B90"
         Acct-Authentic = RADIUS
         Acct-Delay-Time = 0
         Aruba-Essid-Name = "the-fake"
         Aruba-Location-Id = "SEG-FAKE-SOUTH"
         Aruba-User-Role = "wireless-stuff"
         Aruba-User-Vlan = 0
         Proxy-State = 0x313335
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Accounting-Response packet from host 165.217.8.13:1813, id=0, length=25
         Proxy-State = 0x313335
   Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 0
perl_pool: item 0x9c24450 asigned new request. Handled so far: 1
found interpetator at address 0x9c24450
start post_proxy ***
return from post_proxy ***
rlm_perl: Added pair Proxy-To-Realm = DEFAULT
rlm_perl: Added pair Proxy-State = 0x313335
perl_pool total/active/spare [5/0/5]
Unreserve perl at address 0x9c24450
   modcall[post-proxy]: module "perl" returns ok for request 0
modcall: leaving group post-proxy (returns ok) for request 0
Sending Accounting-Response of id 135 to 165.217.8.24 port 32820
Finished request 0
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 135 with timestamp 485059f3
Nothing to do.  Sleeping until we see a request.


At the other end, in the detail log I see:

Wed Jun 11 16:04:19 2008
         NAS-IP-Address = 148.121.8.213
         Acct-Status-Type = Start
         User-Name = "kenlime at somerealm.com"
         NAS-Port = 4192
         NAS-Port-Type = Wireless-802.11
         Framed-IP-Address = 128.120.211.175
         Calling-Station-Id = "001CB3B8AC38"
         Called-Station-Id = "000B86425400"
         Acct-Session-Id = "kenlime001CB3B8AC38-B90"
         Acct-Authentic = RADIUS
         Acct-Delay-Time = 0
         Aruba-Essid-Name = "the-fake"
         Aruba-Location-Id = "SEG-FAKE-SOUTH"
         Aruba-User-Role = "wireless-stuff"
         Aruba-User-Vlan = 0
         Proxy-State = 0x313335
         Client-IP-Address = 169.237.4.24
         Acct-Unique-Session-Id = "d9069000ee35accc"
         Timestamp = 1213225459

Thanks again!

-Ken
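As an added example (not code from Ken's post or from FreeRADIUS itself), here is a pre_proxy handler that derives the unique ID with a keyed hash instead of a fixed string and rewrites both User-Name and the Acct-Session-Id that embeds the login. It assumes the %RAD_REQUEST_PROXY hash that rlm_perl 2.x exports for the outgoing packet, which the 1.1.3 build in the post may lack; the debug output above shows rlm_perl adding the new pairs to RAD_REQUEST while the forwarded Accounting-Request still carries the original values, so the rewrite has to land in whichever list the proxy actually sends.

```perl
# Added example, not code from the original post or from FreeRADIUS itself.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);   # core module in modern Perl

# Return codes, same values FreeRADIUS's example.pl defines for rlm_perl.
use constant RLM_MODULE_NOOP    => 7;
use constant RLM_MODULE_UPDATED => 8;

# Hashes rlm_perl populates. %RAD_REQUEST_PROXY is the outgoing proxied
# packet in rlm_perl 2.x; the 1.1.3 build in the post may not export it.
our (%RAD_REQUEST, %RAD_REQUEST_PROXY);

# Secret for the keyed hash. Constructed placeholder: load a long random
# value from a root-only file so the username->ID mapping cannot be
# reversed by hashing a list of likely usernames.
my $PSEUDONYM_KEY = 'REPLACE-WITH-LONG-RANDOM-SECRET';

# Stable, fixed-length, non-reversible ID for a username. Names are
# lower-cased first so case variants of one account map to one ID.
sub pseudonymize {
    my ($user) = @_;
    return substr(hmac_sha256_hex(lc $user, $PSEUDONYM_KEY), 0, 16);
}

# Rewrite every attribute in one packet hash that carries the username.
# Returns 1 if anything changed, 0 otherwise.
sub scrub_packet {
    my ($vps) = @_;
    my $user = $vps->{'User-Name'};
    return 0 unless defined $user && length $user;
    my $id = pseudonymize($user);
    $vps->{'User-Name'} = $id;
    # The NAS in the post builds Acct-Session-Id from the bare login
    # ("kenlime001CB3B8AC38-B90"), so replace that local part as well.
    my ($bare) = split /@/, $user, 2;
    if (defined $vps->{'Acct-Session-Id'} && length $bare) {
        $vps->{'Acct-Session-Id'} =~ s/\Q$bare\E/$id/g;
    }
    return 1;
}

sub pre_proxy {
    my $changed = 0;
    # The packet that actually leaves the proxy, where rlm_perl exports it.
    $changed += scrub_packet(\%RAD_REQUEST_PROXY) if %RAD_REQUEST_PROXY;
    # The local copy too, so this host's own detail log holds the same ID.
    $changed += scrub_packet(\%RAD_REQUEST);
    return $changed ? RLM_MODULE_UPDATED : RLM_MODULE_NOOP;
}
```

Confirm the result by checking the attribute list printed under "Sending Accounting-Request" in radiusd -X, not the "Added pair" lines, since only the former is what the home server receives.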
