Virtual Server not setting attributes on reply
Timothy
nzkbuk at gmail.com
Mon Dec 21 14:55:11 CET 2009
2009/12/21 Alan Buxey <A.L.M.Buxey at lboro.ac.uk>:
> Hi,
>
>> If I authenticate to TEST1/user
>> My response is "only" a successful auth.
>>
>> If I authenticate to TEST2/user
>> My response is a successful auth WITH Attributes (in this case the
>> attribute I'm setting is
>> Cisco-AVPair = "shell:priv-lvl=15"
>
> where are you setting that attribute? in the default virtual_server
> in the post-auth?
Not the default virtual server. The test virtual server.
The flow is client -> default virtual server acting as a proxy -> test
virtual server.
If the test virtual server is configured as a remote radius server
then things work great. If it's configured as a virtual server using
the "virtual_server=name" then things break.
I'm setting the attributes in the test virtual server via post-auth.
The idea would be to have the different virtual servers using tables /
databases for their own user list.
>> It appears to me that using the virtual server is stripping the
>> attributes from the reply.
> check your attr filter - check that those attributes arent cleared - if
> you run in full debug mode you should see everything that is happening
> and exactly where it gets set and where it gets wiped
The attributes just don't look to be getting set. I'm guessing that
the post-auth section isn't being used when you proxy to a "virtual
server" rather than to a "real" server.
realm TEST1 using "virtual server"
rad_recv: Access-Request packet from host 192.168.183.20 port 2530,
id=16, length=106
User-Name = "TEST1/default"
Acct-Session-Id = "1261403370P17nsl"
NAS-IP-Address = 127.0.0.1
NAS-Identifier = "Localhost"
NAS-Port = 0
Calling-Station-Id = "1115551212"
User-Password = "password"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
rlm_realm: Looking up realm "TEST1" for User-Name = "TEST1/default"
rlm_realm: Found realm "TEST1"
rlm_realm: Adding Stripped-User-Name = "default"
rlm_realm: Adding Realm = "TEST1"
rlm_realm: Proxying request from user default to realm TEST1
rlm_realm: Preparing to proxy authentication request to realm "TEST1"
++[slash] returns updated
rlm_realm: Request already proxied. Ignoring.
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
>>> Sending proxied request internally to virtual server.
server test {
+- entering group authorize
expand: %{Stripped-User-Name} -> default
expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> default
rlm_sql (sql): sql_set_user escaped user --> 'default'
rlm_sql (sql): Reserving sql socket id: 3
expand: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'default' ORDER BY
id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'default' ORDER
BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op
FROM radreply WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radreply WHERE username = 'default' ORDER BY
id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op
FROM radreply WHERE username = 'default' ORDER
BY id
expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority ->
SELECT groupname FROM radusergroup WHERE username
= 'default' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup
WHERE username = 'default' ORDER BY priority
expand: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute,
Value, op FROM radgroupcheck WHERE groupname =
'shells' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute,
Value, op FROM radgroupcheck WHERE groupname =
'shells' ORDER BY id
rlm_sql (sql): User found in group shells
expand: SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute,
value, op FROM radgroupreply WHERE groupname =
'shells' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute,
value, op FROM radgroupreply WHERE groupname =
'shells' ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Normalizing MD5-Password from hex encoding
++[pap] returns updated
rad_check_password: Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "password"
rlm_pap: Using MD5 encryption.
rlm_pap: User authenticated successfully
++[pap] returns ok
Login OK: [default/password] (from client desktop port 0 cli
1115551212 via TLS tunnel)
+- entering group post-auth
rlm_sql (sql): Processing sql_postauth
expand: %{Stripped-User-Name} -> default
expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> default
rlm_sql (sql): sql_set_user escaped user --> 'default'
expand: %{User-Password} -> password
expand: INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES (
'%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
(username, pass, reply, authdate)
VALUES ( 'default',
'password', 'Access-Accept', '2009-12-21
13:49:30')
expand: /var/log/freeradius/sqltrace.sql ->
/var/log/freeradius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
(username, pass, reply, authdate)
VALUES ( 'default',
'password', 'Access-Accept',
'2009-12-21 13:49:30')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query: INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES (
'default',
'password', 'Access-Accept', '2009-12-21
13:49:30')
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
} # server test
Going to the next request
<<< Received proxied response from internal virtual server.
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
rlm_realm: Proxy reply, or no User-Name. Ignoring.
++[slash] returns noop
rlm_realm: Proxy reply, or no User-Name. Ignoring.
++[suffix] returns noop
++[eap] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
rad_check_password: Found Auth-Type
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [TEST1/default/password] (from client desktop port 0 cli 1115551212)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 16 to 192.168.183.20 port 2530
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 16 with timestamp +11
Ready to process requests.
realm TEST2 using "real" server
rad_recv: Access-Request packet from host 192.168.183.20 port 2535,
id=17, length=106
User-Name = "TEST2/default"
Acct-Session-Id = "1261403531L18dgh"
NAS-IP-Address = 127.0.0.1
NAS-Identifier = "Localhost"
NAS-Port = 0
Calling-Station-Id = "1115551212"
User-Password = "password"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
rlm_realm: Looking up realm "TEST2" for User-Name = "TEST2/default"
rlm_realm: Found realm "TEST2"
rlm_realm: Adding Stripped-User-Name = "default"
rlm_realm: Adding Realm = "TEST2"
rlm_realm: Proxying request from user default to realm TEST2
rlm_realm: Preparing to proxy authentication request to realm "TEST2"
++[slash] returns updated
rlm_realm: Request already proxied. Ignoring.
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Sending Access-Request of id 34 to 127.0.0.1 port 11812
User-Name = "default"
Acct-Session-Id = "1261403531L18dgh"
NAS-IP-Address = 127.0.0.1
NAS-Identifier = "Localhost"
NAS-Port = 0
Calling-Station-Id = "1115551212"
User-Password = "password"
Proxy-State = 0x3137
Proxying request 1 to home server 127.0.0.1 port 11812
Sending Access-Request of id 34 to 127.0.0.1 port 11812
User-Name = "default"
Acct-Session-Id = "1261403531L18dgh"
NAS-IP-Address = 127.0.0.1
NAS-Identifier = "Localhost"
NAS-Port = 0
Calling-Station-Id = "1115551212"
User-Password = "password"
Proxy-State = 0x3137
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=34, length=104
User-Name = "default"
Acct-Session-Id = "1261403531L18dgh"
NAS-IP-Address = 127.0.0.1
NAS-Identifier = "Localhost"
NAS-Port = 0
Calling-Station-Id = "1115551212"
User-Password = "password"
Proxy-State = 0x3137
server test {
+- entering group authorize
expand: %{Stripped-User-Name} ->
expand: %{User-Name} -> default
expand: %{%{User-Name}:-DEFAULT} -> default
expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> default
rlm_sql (sql): sql_set_user escaped user --> 'default'
rlm_sql (sql): Reserving sql socket id: 1
expand: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'default' ORDER BY
id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'default' ORDER
BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op
FROM radreply WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radreply WHERE username = 'default' ORDER BY
id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op
FROM radreply WHERE username = 'default' ORDER
BY id
expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority ->
SELECT groupname FROM radusergroup WHERE username
= 'default' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup
WHERE username = 'default' ORDER BY priority
expand: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute,
Value, op FROM radgroupcheck WHERE groupname =
'shells' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute,
Value, op FROM radgroupcheck WHERE groupname =
'shells' ORDER BY id
rlm_sql (sql): User found in group shells
expand: SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute,
value, op FROM radgroupreply WHERE groupname =
'shells' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute,
value, op FROM radgroupreply WHERE groupname =
'shells' ORDER BY id
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Normalizing MD5-Password from hex encoding
++[pap] returns updated
rad_check_password: Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "password"
rlm_pap: Using MD5 encryption.
rlm_pap: User authenticated successfully
++[pap] returns ok
Login OK: [default/password] (from client LocalHost port 0 cli 1115551212)
+- entering group post-auth
rlm_sql (sql): Processing sql_postauth
expand: %{Stripped-User-Name} ->
expand: %{User-Name} -> default
expand: %{%{User-Name}:-DEFAULT} -> default
expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> default
rlm_sql (sql): sql_set_user escaped user --> 'default'
expand: %{User-Password} -> password
expand: INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES (
'%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
(username, pass, reply, authdate)
VALUES ( 'default',
'password', 'Access-Accept', '2009-12-21
13:52:11')
expand: /var/log/freeradius/sqltrace.sql ->
/var/log/freeradius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
(username, pass, reply, authdate)
VALUES ( 'default',
'password', 'Access-Accept',
'2009-12-21 13:52:11')
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql_mysql: query: INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES (
'default',
'password', 'Access-Accept', '2009-12-21
13:52:11')
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
} # server test
Sending Access-Accept of id 34 to 127.0.0.1 port 1814
Service-Type = NAS-Prompt-User
Cisco-AVPair = "shell:priv-lvl=15"
APC-Service-Type = Admin
Proxy-State = 0x3137
Finished request 2.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host 127.0.0.1 port 11812, id=34, length=67
Service-Type = NAS-Prompt-User
Cisco-AVPair = "shell:priv-lvl=15"
APC-Service-Type = Admin
Proxy-State = 0x3137
+- entering group post-proxy
rlm_eap: No pre-existing handler found
++[eap] returns noop
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
rlm_realm: Proxy reply, or no User-Name. Ignoring.
++[slash] returns noop
rlm_realm: Proxy reply, or no User-Name. Ignoring.
++[suffix] returns noop
++[eap] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
rad_check_password: Found Auth-Type
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [TEST2/default/password] (from client desktop port 0 cli 1115551212)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 17 to 192.168.183.20 port 2535
Service-Type = NAS-Prompt-User
Cisco-AVPair = "shell:priv-lvl=15"
APC-Service-Type = Admin
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 34 with timestamp +172
Cleaning up request 1 ID 17 with timestamp +172
Ready to process requests.
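As an added example (not code from the original thread or from the FreeRADIUS project), here is a small Python script that parses a radiusd -X trace like the two above and reports every Access-Accept sent back to a NAS that lacks the authorization attributes the virtual server was expected to add; in the traces above that is the reply of id 16 in the TEST1 run, while id 17 in the TEST2 run carries Cisco-AVPair. The sample trace embedded below is a constructed, condensed version of those two runs; the list of required attributes and the treatment of 127.0.0.1 as an internal proxy hop are assumptions for this example.

```python
"""Audit a FreeRADIUS 'radiusd -X' trace for Access-Accepts that are missing
the authorization attributes a virtual server was expected to add.

Added example; parses the debug output format seen in the thread above.
"""
import re
from typing import Dict, List, Sequence

# Lines as printed by radiusd -X. Leading whitespace is optional because
# traces pasted into mail often lose the tabs in front of attribute lines.
SEND_RE = re.compile(
    r'^\s*Sending (Access-(?:Accept|Reject|Request|Challenge)) of id (\d+) '
    r'to (\S+) port (\d+)')
ATTR_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*) = (.+)$')


def parse_sent_packets(trace: str) -> List[Dict]:
    """Return one dict per packet the server sent, with its attributes.

    A packet's attribute list is the run of 'Name = value' lines that
    immediately follows its 'Sending ...' line; the first other line ends it.
    """
    packets: List[Dict] = []
    current = None
    for line in trace.splitlines():
        m = SEND_RE.match(line)
        if m:
            current = {'code': m.group(1), 'id': int(m.group(2)),
                       'dst': f'{m.group(3)}:{m.group(4)}', 'attrs': {}}
            packets.append(current)
            continue
        if current is None:
            continue
        m = ATTR_RE.match(line)
        if m:
            # Strip the quotes radiusd puts around string values.
            current['attrs'][m.group(1)] = m.group(2).strip().strip('"')
        else:
            current = None
    return packets


def accepts_missing(packets: List[Dict], required: Sequence[str],
                    internal_hosts: Sequence[str] = ('127.0.0.1',)) -> List[Dict]:
    """Access-Accepts sent to a NAS that lack any of the required attributes.

    Replies to internal_hosts are skipped: those are the home-server-to-proxy
    hop (assumption for this example), not the reply the NAS will act on.
    """
    findings = []
    for p in packets:
        if p['code'] != 'Access-Accept':
            continue
        if p['dst'].split(':')[0] in internal_hosts:
            continue
        missing = [a for a in required if a not in p['attrs']]
        if missing:
            findings.append({'id': p['id'], 'dst': p['dst'], 'missing': missing})
    return findings


# Constructed sample: a condensed version of the TEST1 and TEST2 runs.
SAMPLE_TRACE = """\
rad_recv: Access-Request packet from host 192.168.183.20 port 2530, id=16, length=106
\tUser-Name = "TEST1/default"
+- entering group authorize
server test {
+- entering group post-auth
++[sql] returns ok
} # server test
Sending Access-Accept of id 16 to 192.168.183.20 port 2530
Finished request 0.
rad_recv: Access-Request packet from host 192.168.183.20 port 2535, id=17, length=106
\tUser-Name = "TEST2/default"
Sending Access-Request of id 34 to 127.0.0.1 port 11812
\tUser-Name = "default"
\tProxy-State = 0x3137
Proxying request 1 to home server 127.0.0.1 port 11812
Sending Access-Accept of id 34 to 127.0.0.1 port 1814
\tService-Type = NAS-Prompt-User
\tCisco-AVPair = "shell:priv-lvl=15"
\tProxy-State = 0x3137
Finished request 2.
Sending Access-Accept of id 17 to 192.168.183.20 port 2535
\tService-Type = NAS-Prompt-User
\tCisco-AVPair = "shell:priv-lvl=15"
\tAPC-Service-Type = Admin
Finished request 1.
"""

if __name__ == '__main__':
    for f in accepts_missing(parse_sent_packets(SAMPLE_TRACE), ['Cisco-AVPair']):
        print(f"Access-Accept id {f['id']} to {f['dst']} is missing {f['missing']}")
```

Run it against a full trace with `parse_sent_packets(open('radiusd.log').read())`; the required-attribute list should be whatever the virtual server's post-auth is supposed to add, so that a silently empty Access-Accept (as in the TEST1 run) shows up rather than being mistaken for a working configuration.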