Cannot get value of config item with \\

Matej Vadnjal matej.vadnjal at
Tue Feb 3 08:15:26 CET 2009

On Monday 02.02.2009 12:37:09 Alan DeKok wrote:
>   Hmm... if a server proxies requests to you that it *should* have
> handled itself, it is seriously broken.

It also happens when users mistype their user names. Suppose you have a user: 
user at a.orgA.tld. orgA has a radius server that proxies requests for realm 
a.orgA.tld to another server, but all other requests go to upstream server 

If our user mistypes their user name as user at b.orgA.tld radius at orgA 
forwards that request to our server but we see this as realm *.orgA.tld (orgA 
has a lot of sub-domains - we don't want to define all of them separately) so 
we send the request back to them.

>  Put this in pre-proxy:
> 	if (Realm &&
> 	    ("%{home_server:ipaddr}" == "%{client:ipaddr}")) {
> 		reject
> 	}
>   That should work.  And no, this isn't well documented.

Great. I did not know about %{home_server:ipaddr}. However there are still two 

- %{client:ipaddr} does not expand to anything on my end but Client-IP-Address 

- If I reject in pre-proxy my server crashes. No error message or anything, it 
just exits (see attached debug). Is this a bug? I'm using version 2.1.0.


Matej Vadnjal

-------------- next part --------------
rad_recv: Access-Request packet from host port 1814, id=200, length=94            
        User-Name = ""                                                              
        Message-Authenticator = 0xc683a697de2b17b81dbad41e7c5bb471                            
        EAP-Message = 0x0202000f01407072696d65722e7369                                        
        NAS-IP-Address =                                                           
        NAS-Identifier = ""                                                    
        Proxy-State = 0x3134                                                                  
+- entering group authorize {...}                                                             
++[preprocess] returns ok                                                                     
[suffix] Looking up realm "" for User-Name = ""                            
[suffix] Found realm "~^(idp\.primer\.si|.*\.idp\.primer\.si|primer\.si)$"                    
[suffix] Adding Realm = "~^(idp\.primer\.si|.*\.idp\.primer\.si|primer\.si)$"                 
[suffix] Proxying request from user  to realm ~^(idp\.primer\.si|.*\.idp\.primer\.si|primer\.si)$
[suffix] Preparing to proxy authentication request to realm "~^(idp\.primer\.si|.*\.idp\.primer\.si|primer\.si)$"
++[suffix] returns updated
        expand: %{User-Name} ->
[files] users: Matched entry DEFAULT at line 10
++[files] returns ok
+- entering group pre-proxy {...}
++? if (Realm && ("%{home_server:ipaddr}" == "%{Client-IP-Address}"))
? Evaluating (Realm ) -> TRUE
        expand: %{home_server:ipaddr} ->
        expand: %{Client-IP-Address} ->
? Evaluating ("%{home_server:ipaddr}" == "%{Client-IP-Address}") -> TRUE
++? if (Realm && ("%{home_server:ipaddr}" == "%{Client-IP-Address}")) -> TRUE
++- entering if (Realm && ("%{home_server:ipaddr}" == "%{Client-IP-Address}")) {...}
+++[reject] returns reject
++- if (Realm && ("%{home_server:ipaddr}" == "%{Client-IP-Address}")) returns reject
There was no response configured: rejecting request 0
Using Post-Auth-Type Reject
+- entering group REJECT {...}
        expand: %{User-Name} ->
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.

More information about the Freeradius-Users mailing list