Virtual Server not setting attributes on reply

Timothy nzkbuk at gmail.com
Mon Dec 21 14:55:11 CET 2009


2009/12/21 Alan Buxey <A.L.M.Buxey at lboro.ac.uk>:
> Hi,
>
>> If I authenticate to TEST1/user
>> My response is "only" a successful auth.
>>
>> If I authenticate to TEST2/user
>> My response is a successful auth WITH Attributes (in this case the
>> attribute I'm setting is
>> Cisco-AVPair = "shell:priv-lvl=15"
>
> where are you setting that attribute? in the default virtual_server
> in the post-auth?

Not the default virtual server. The test virtual server.
The flow is client -> default virtual server acting as a proxy -> test
virtual server.
If the test virtual server is configured as a remote radius server
then things work great. If it's configured as a virtual server using
the "virtual_server=name" then things break.

I'm setting the attributes in the test virtual server via post-auth.

The idea would be to have the different virtual servers using tables /
databases for their own user list.

>> It appears to me that using the virtual server is stripping the
>> attributes from the reply.

> check your attr filter - check that those attributes arent cleared - if
> you run in full debug mode you should see everything that is happening
> and exactly where it gets set and where it gets wiped

The attributes just don't look to be getting set. I'm guessing that
the post-auth section isn't being used when you proxy to a "virtual
server" rather than to a "real" server.

realm TEST1 using "virtual server"

rad_recv: Access-Request packet from host 192.168.183.20 port 2530,
id=16, length=106
        User-Name = "TEST1/default"
        Acct-Session-Id = "1261403370P17nsl"
        NAS-IP-Address = 127.0.0.1
        NAS-Identifier = "Localhost"
        NAS-Port = 0
        Calling-Station-Id = "1115551212"
        User-Password = "password"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
    rlm_realm: Looking up realm "TEST1" for User-Name = "TEST1/default"
    rlm_realm: Found realm "TEST1"
    rlm_realm: Adding Stripped-User-Name = "default"
    rlm_realm: Adding Realm = "TEST1"
    rlm_realm: Proxying request from user default to realm TEST1
    rlm_realm: Preparing to proxy authentication request to realm "TEST1"
++[slash] returns updated
    rlm_realm: Request already proxied.  Ignoring.
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
>>> Sending proxied request internally to virtual server.
server test {
+- entering group authorize
        expand: %{Stripped-User-Name} -> default
        expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> default
rlm_sql (sql): sql_set_user escaped user --> 'default'
rlm_sql (sql): Reserving sql socket id: 3
        expand: SELECT id, username, attribute, value, op
FROM radcheck           WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radcheck           WHERE username = 'default'           ORDER BY
id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op
    FROM radcheck           WHERE username = 'default'           ORDER
BY id
rlm_sql (sql): User found in radcheck table
        expand: SELECT id, username, attribute, value, op
FROM radreply           WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radreply           WHERE username = 'default'           ORDER BY
id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op
    FROM radreply           WHERE username = 'default'           ORDER
BY id
        expand: SELECT groupname           FROM radusergroup
WHERE username = '%{SQL-User-Name}'           ORDER BY priority ->
SELECT groupname           FROM radusergroup           WHERE username
= 'default'           ORDER BY priority
rlm_sql_mysql: query:  SELECT groupname           FROM radusergroup
       WHERE username = 'default'           ORDER BY priority
        expand: SELECT id, groupname, attribute,           Value, op
        FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'
         ORDER BY id -> SELECT id, groupname, attribute,
Value, op           FROM radgroupcheck           WHERE groupname =
'shells'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, groupname, attribute,
Value, op           FROM radgroupcheck           WHERE groupname =
'shells'           ORDER BY id
rlm_sql (sql): User found in group shells
        expand: SELECT id, groupname, attribute,           value, op
        FROM radgroupreply           WHERE groupname = '%{Sql-Group}'
         ORDER BY id -> SELECT id, groupname, attribute,
value, op           FROM radgroupreply           WHERE groupname =
'shells'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, groupname, attribute,
value, op           FROM radgroupreply           WHERE groupname =
'shells'           ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Normalizing MD5-Password from hex encoding
++[pap] returns updated
  rad_check_password:  Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "password"
rlm_pap: Using MD5 encryption.
rlm_pap: User authenticated successfully
++[pap] returns ok
Login OK: [default/password] (from client desktop port 0 cli
1115551212 via TLS tunnel)
+- entering group post-auth
rlm_sql (sql): Processing sql_postauth
        expand: %{Stripped-User-Name} -> default
        expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> default
rlm_sql (sql): sql_set_user escaped user --> 'default'
        expand: %{User-Password} -> password
        expand: INSERT INTO radpostauth
(username, pass, reply, authdate)                           VALUES (
                        '%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
            (username, pass, reply, authdate)
 VALUES (                           'default',
  'password',                           'Access-Accept', '2009-12-21
13:49:30')
        expand: /var/log/freeradius/sqltrace.sql ->
/var/log/freeradius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
                   (username, pass, reply, authdate)
        VALUES (                           'default',
         'password',                           'Access-Accept',
'2009-12-21 13:49:30')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query:  INSERT INTO radpostauth
  (username, pass, reply, authdate)                           VALUES (
                          'default',
'password',                           'Access-Accept', '2009-12-21
13:49:30')
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
} # server test
Going to the next request
<<< Received proxied response from internal virtual server.
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
    rlm_realm: Proxy reply, or no User-Name.  Ignoring.
++[slash] returns noop
    rlm_realm: Proxy reply, or no User-Name.  Ignoring.
++[suffix] returns noop
++[eap] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
  rad_check_password:  Found Auth-Type
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [TEST1/default/password] (from client desktop port 0 cli 1115551212)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 16 to 192.168.183.20 port 2530
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 16 with timestamp +11
Ready to process requests.


realm TEST2 using "real" server


rad_recv: Access-Request packet from host 192.168.183.20 port 2535,
id=17, length=106
        User-Name = "TEST2/default"
        Acct-Session-Id = "1261403531L18dgh"
        NAS-IP-Address = 127.0.0.1
        NAS-Identifier = "Localhost"
        NAS-Port = 0
        Calling-Station-Id = "1115551212"
        User-Password = "password"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
    rlm_realm: Looking up realm "TEST2" for User-Name = "TEST2/default"
    rlm_realm: Found realm "TEST2"
    rlm_realm: Adding Stripped-User-Name = "default"
    rlm_realm: Adding Realm = "TEST2"
    rlm_realm: Proxying request from user default to realm TEST2
    rlm_realm: Preparing to proxy authentication request to realm "TEST2"
++[slash] returns updated
    rlm_realm: Request already proxied.  Ignoring.
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Sending Access-Request of id 34 to 127.0.0.1 port 11812
        User-Name = "default"
        Acct-Session-Id = "1261403531L18dgh"
        NAS-IP-Address = 127.0.0.1
        NAS-Identifier = "Localhost"
        NAS-Port = 0
        Calling-Station-Id = "1115551212"
        User-Password = "password"
        Proxy-State = 0x3137
Proxying request 1 to home server 127.0.0.1 port 11812
Sending Access-Request of id 34 to 127.0.0.1 port 11812
        User-Name = "default"
        Acct-Session-Id = "1261403531L18dgh"
        NAS-IP-Address = 127.0.0.1
        NAS-Identifier = "Localhost"
        NAS-Port = 0
        Calling-Station-Id = "1115551212"
        User-Password = "password"
        Proxy-State = 0x3137
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=34, length=104
        User-Name = "default"
        Acct-Session-Id = "1261403531L18dgh"
        NAS-IP-Address = 127.0.0.1
        NAS-Identifier = "Localhost"
        NAS-Port = 0
        Calling-Station-Id = "1115551212"
        User-Password = "password"
        Proxy-State = 0x3137
server test {
+- entering group authorize
        expand: %{Stripped-User-Name} ->
        expand: %{User-Name} -> default
        expand: %{%{User-Name}:-DEFAULT} -> default
        expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> default
rlm_sql (sql): sql_set_user escaped user --> 'default'
rlm_sql (sql): Reserving sql socket id: 1
        expand: SELECT id, username, attribute, value, op
FROM radcheck           WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radcheck           WHERE username = 'default'           ORDER BY
id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op
    FROM radcheck           WHERE username = 'default'           ORDER
BY id
rlm_sql (sql): User found in radcheck table
        expand: SELECT id, username, attribute, value, op
FROM radreply           WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radreply           WHERE username = 'default'           ORDER BY
id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op
    FROM radreply           WHERE username = 'default'           ORDER
BY id
        expand: SELECT groupname           FROM radusergroup
WHERE username = '%{SQL-User-Name}'           ORDER BY priority ->
SELECT groupname           FROM radusergroup           WHERE username
= 'default'           ORDER BY priority
rlm_sql_mysql: query:  SELECT groupname           FROM radusergroup
       WHERE username = 'default'           ORDER BY priority
        expand: SELECT id, groupname, attribute,           Value, op
        FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'
         ORDER BY id -> SELECT id, groupname, attribute,
Value, op           FROM radgroupcheck           WHERE groupname =
'shells'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, groupname, attribute,
Value, op           FROM radgroupcheck           WHERE groupname =
'shells'           ORDER BY id
rlm_sql (sql): User found in group shells
        expand: SELECT id, groupname, attribute,           value, op
        FROM radgroupreply           WHERE groupname = '%{Sql-Group}'
         ORDER BY id -> SELECT id, groupname, attribute,
value, op           FROM radgroupreply           WHERE groupname =
'shells'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, groupname, attribute,
value, op           FROM radgroupreply           WHERE groupname =
'shells'           ORDER BY id
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Normalizing MD5-Password from hex encoding
++[pap] returns updated
  rad_check_password:  Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "password"
rlm_pap: Using MD5 encryption.
rlm_pap: User authenticated successfully
++[pap] returns ok
Login OK: [default/password] (from client LocalHost port 0 cli 1115551212)
+- entering group post-auth
rlm_sql (sql): Processing sql_postauth
        expand: %{Stripped-User-Name} ->
        expand: %{User-Name} -> default
        expand: %{%{User-Name}:-DEFAULT} -> default
        expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> default
rlm_sql (sql): sql_set_user escaped user --> 'default'
        expand: %{User-Password} -> password
        expand: INSERT INTO radpostauth
(username, pass, reply, authdate)                           VALUES (
                        '%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
            (username, pass, reply, authdate)
 VALUES (                           'default',
  'password',                           'Access-Accept', '2009-12-21
13:52:11')
        expand: /var/log/freeradius/sqltrace.sql ->
/var/log/freeradius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
                   (username, pass, reply, authdate)
        VALUES (                           'default',
         'password',                           'Access-Accept',
'2009-12-21 13:52:11')
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql_mysql: query:  INSERT INTO radpostauth
  (username, pass, reply, authdate)                           VALUES (
                          'default',
'password',                           'Access-Accept', '2009-12-21
13:52:11')
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
} # server test
Sending Access-Accept of id 34 to 127.0.0.1 port 1814
        Service-Type = NAS-Prompt-User
        Cisco-AVPair = "shell:priv-lvl=15"
        APC-Service-Type = Admin
        Proxy-State = 0x3137
Finished request 2.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host 127.0.0.1 port 11812, id=34, length=67
        Service-Type = NAS-Prompt-User
        Cisco-AVPair = "shell:priv-lvl=15"
        APC-Service-Type = Admin
        Proxy-State = 0x3137
+- entering group post-proxy
  rlm_eap: No pre-existing handler found
++[eap] returns noop
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
    rlm_realm: Proxy reply, or no User-Name.  Ignoring.
++[slash] returns noop
    rlm_realm: Proxy reply, or no User-Name.  Ignoring.
++[suffix] returns noop
++[eap] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
  rad_check_password:  Found Auth-Type
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [TEST2/default/password] (from client desktop port 0 cli 1115551212)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 17 to 192.168.183.20 port 2535
        Service-Type = NAS-Prompt-User
        Cisco-AVPair = "shell:priv-lvl=15"
        APC-Service-Type = Admin
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 34 with timestamp +172
Cleaning up request 1 ID 17 with timestamp +172
Ready to process requests.
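As an added example (not code from the thread or from FreeRADIUS), a small Python checker that parses the "Sending Access-Accept ..." lines of a FreeRADIUS 2.x debug trace like the two above and reports which expected reply attributes never reached the NAS; the trace excerpts are constructed from the output quoted in the thread, and the NAS address and the set of required attributes are assumptions.

```python
import re

# Constructed excerpts in the shape of the debug output quoted above:
# TEST1 (proxied to the internal virtual server, reply carries no attributes)
# and TEST2 (proxied to a real home server, attributes present).
TEST1_TRACE = """\
<<< Received proxied response from internal virtual server.
Sending Access-Accept of id 16 to 192.168.183.20 port 2530
Finished request 0.
"""
TEST2_TRACE = """\
Sending Access-Accept of id 34 to 127.0.0.1 port 1814
        Service-Type = NAS-Prompt-User
        Cisco-AVPair = "shell:priv-lvl=15"
        Proxy-State = 0x3137
Finished request 2.
Sending Access-Accept of id 17 to 192.168.183.20 port 2535
        Service-Type = NAS-Prompt-User
        Cisco-AVPair = "shell:priv-lvl=15"
Finished request 1.
"""

SEND_RE = re.compile(r"^Sending (Access-\w+) of id (\d+) to (\S+) port (\d+)$")
ATTR_RE = re.compile(r"^\s+([\w-]+) = (.*)$")

def parse_sent_packets(trace):
    """Group each 'Sending ...' line with the indented attribute lines that
    follow it. Returns a list of dicts: {type, id, dest, attrs}."""
    packets, current = [], None
    for line in trace.splitlines():
        m = SEND_RE.match(line)
        if m:
            current = {"type": m.group(1), "id": int(m.group(2)),
                       "dest": f"{m.group(3)}:{m.group(4)}", "attrs": {}}
            packets.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current["attrs"][m.group(1)] = m.group(2).strip('"')
        else:
            current = None  # any unindented line ends the attribute list

def missing_reply_attrs(trace, nas, required):
    """For every Access-Accept sent to the NAS ("ip:port", assumed), list the
    required attributes the reply lacks; an empty list means all were sent."""
    return {p["id"]: sorted(a for a in required if a not in p["attrs"])
            for p in parse_sent_packets(trace)
            if p["type"] == "Access-Accept" and p["dest"] == nas}
```

Run against the TEST1 trace the checker flags Cisco-AVPair and Service-Type as absent from the reply to the NAS; against the TEST2 trace it reports nothing missing.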


