Copying Attributes Between Proxy-Reply and Reply Messages
Mike Loosbrock
m-loosbrock at bethel.edu
Tue Jan 27 19:31:52 CET 2009
Hello,
I'm running 2.0.4 on Debian testing. I have a test setup in which I'm
proxying access requests between two virtual servers running inside
the same daemon:
radtest <---> [ virtual server A <---(proxy)---> virtual server B ]
Proxing is triggered using the rlm_realm module and all attr_filter
module instances in radiusd.conf have been commented out.
Authentication works fine, but reply attributes created by B are not
being returned to radtest unless I configure the following in A:
post-auth {
update reply {
Attribute1 := "%{proxy-reply:Attribute1}"
Attribute2 := "%{proxy-reply:Attribute2}"
Attribute3 := "%{proxy-reply:Attribute3}"
...
}
}
My understanding is that without any attribute filters in place, the
proxy-reply list in virtual server A is supposed to be automatically
copied to its reply list. Is this correct, or is there an option that
needs to be set somewhere?
Also, it seems that this scenario is functionally similar to how the
peap and ttls modules proxy tunneled EAP exchanges to another virtual
server using the 'virtual_server' option. Those modules use a
'use_tunneled_reply' option which seems to force the behavior I'm
trying to achieve. Or am I way off the mark?
I've attached what I think is just the relevant debug output. If more
is needed, please let me know. Thanks!
### START DEBUG OUTPUT ###
...
server monitor {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating vpn_realm
realm vpn_realm {
format = "prefix"
delimiter = "."
ignore_default = yes
ignore_null = yes
}
Module: Checking preacct {...} for more modules to load
Module: Checking accounting {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking pre-proxy {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
}
}
server vpn {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Checking authorize {...} for more modules to load
Module: Checking preacct {...} for more modules to load
Module: Checking accounting {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking pre-proxy {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
}
}
server {
modules {
}
}
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "proxy"
ipaddr = *
port = 0
}
main {
snmp = no
smux_password = ""
snmp_write_access = no
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 4041
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 4030, id=27,
length=76
User-Name = "vpn_realm.mloosbro"
User-Password = "password"
NAS-IP-Address = 10.0.1.200
NAS-Port = 1
Framed-Protocol = PPP
server monitor {
+- entering group authorize
rlm_realm: Looking up realm "vpn_realm" for User-Name =
"vpn_realm.mloosbro"
rlm_realm: Found realm "vpn_realm"
rlm_realm: Adding Stripped-User-Name = "mloosbro"
rlm_realm: Adding Realm = "vpn_realm"
rlm_realm: Proxying request from user mloosbro to realm vpn_realm
rlm_realm: Preparing to proxy authentication request to realm
"vpn_realm"
++[vpn_realm] returns updated
} # server monitor
+- entering group pre-proxy
++[noop] returns noop
>>> Sending proxied request internally to virtual server.
server vpn {
+- entering group authorize
expand: %{control:NS-Override-User} ->
expand: %{Stripped-User-Name} -> mloosbro
expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} ->
mloosbro
expand: %{%{control:NS-Override-User}:-%{%{Stripped-User-
Name}:-%{%{User-Name}:-DEFAULT}}} -> mloosbro
rlm_sql (ns-sql-vpn): sql_set_user escaped user --> 'mloosbro'
rlm_sql (ns-sql-vpn): Reserving sql socket id: 4
expand: SELECT id, username, attribute, value, op
FROM radcheck_asa WHERE username = '%{SQL-User-
Name}' ORDER BY id -> SELECT id, username, a
WHERE username = 'mloosbro' ORDER BY id
expand: SELECT groupname FROM
radusergroup WHERE username = '%{SQL-User-Name}'
ORDER BY priority -> SELECT groupname FROM radusergr
BY priority
expand: SELECT id, groupname, attribute, Value,
op FROM radgroupcheck_asa WHERE groupname = '%{Sql-
Group}' ORDER BY id -> SELECT id
M radgroupcheck_asa WHERE groupname = 'its-
network' ORDER BY id
rlm_sql (ns-sql-vpn): User found in group its-network
expand: SELECT id, groupname, attribute, value,
op FROM radgroupreply_asa WHERE groupname = '%{Sql-
Group}' ORDER BY id -> SELECT id
M radgroupreply_asa WHERE groupname = 'its-
network' ORDER BY id
expand: SELECT id, groupname, attribute, Value,
op FROM radgroupcheck_asa WHERE groupname = '%{Sql-
Group}' ORDER BY id -> SELECT id
M radgroupcheck_asa WHERE groupname = 'employee'
ORDER BY id
rlm_sql (ns-sql-vpn): User found in group employee
expand: SELECT id, groupname, attribute, value,
op FROM radgroupreply_asa WHERE groupname = '%{Sql-
Group}' ORDER BY id -> SELECT id
M radgroupreply_asa WHERE groupname = 'employee'
ORDER BY id
rlm_sql (ns-sql-vpn): Released sql socket id: 4
++[ns-sql-vpn] returns ok
++[control] returns ok
rad_check_password: Found Auth-Type Kerberos
auth: type "Kerberos"
+- entering group Kerberos
rlm_krb5: verify_krb_v5_tgt: host key not found : No such file or
directory
++[krb5] returns ok
Login OK: [mloosbro/password] (from client monitor port 1 via TLS
tunnel)
} # server vpn
Going to the next request
<<< Received proxied response from internal virtual server.
+- entering group authorize
rlm_realm: Proxy reply, or no User-Name. Ignoring.
++[vpn_realm] returns noop
rad_check_password: Found Auth-Type
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [vpn_realm.mloosbro/password] (from client monitor port 1)
+- entering group post-auth
++[noop] returns noop
Sending Access-Accept of id 27 to 127.0.0.1 port 4030
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 4030, id=27,
length=76
Sending duplicate reply to client monitor port 4030 - ID: 27
Sending Access-Accept of id 27 to 127.0.0.1 port 4030
Waking up in 4.9 seconds.
Cleaning up request 0 ID 27 with timestamp +3
Ready to process requests.
### END DEBUG OUTPUT ###
Mike Loosbrock
Bethel University Network Services
651-638-6723
More information about the Freeradius-Users
mailing list