post-auth problem after update from 2.0.4 to 2.1.10
Gerald Krause
gk at ax.tc
Mon Apr 16 20:34:56 CEST 2012
Hi,
after upgrading our server from 2.0.4 to 2.1.10 we see a change in the
auth logic - e.g. when processing proxied requests to a home server and
their replies. We need this feature to append some special attributes to
the accept-packet from the home server before sending it to the NAS.
1) Our config in 2.0.4 (the DEFAULT record is recognized before sending
the packet to the NAS):
proxy.conf:
===========
realm foo {
        type = radius
        authhost = 1.2.3.4
        secret = hidden
        nostrip
}
users file:
===========
DEFAULT User-Name =~ "test at foo"
        MS-Primary-DNS-Server = "192.168.203.6",
        MS-Secondary-DNS-Server = "192.168.203.1",
        MS-Primary-NBNS-Server = "192.168.203.6"
sites-enabled/default:
======================
authorize {
        ...
        files
        ...
}
test:
=====
# radtest test at foo password localhost:1812
# /usr/sbin/freeradiusd -X
...
rad_recv: Access-Request packet from host 127.0.0.1 port 51046, id=236, length=74
User-Name = "test at foo"
User-Password = "password"
NAS-IP-Address = 172.16.1.63
NAS-Port = 123
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: Looking up realm "foo" for User-Name = "test at foo"
rlm_realm: Found realm "foo"
rlm_realm: Adding Realm = "foo"
rlm_realm: Proxying request from user test to realm foo
rlm_realm: Preparing to proxy authentication request to realm "foo"
++[suffix] returns updated
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
expand: %{User-Name} -> test at foo
users: Matched entry DEFAULT at line 6
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Sending Access-Request of id 228 to 1.2.3.4 port 1812
User-Name = "test at foo"
User-Password = "password"
NAS-IP-Address = 172.16.1.63
NAS-Port = 123
Proxy-State = 0x323336
Proxying request 50 to home server 1.2.3.4 port 1812
Sending Access-Request of id 228 to 1.2.3.4 port 1812
User-Name = "test at foo"
User-Password = "password"
NAS-IP-Address = 172.16.1.63
NAS-Port = 123
Proxy-State = 0x323336
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host 1.2.3.4 port 1812, id=228, length=117
Proxy-State = 0x323336
Framed-Protocol = PPP
Service-Type = Framed-User
Class = 0x4f300502000001370001c0a8cb0601cd117a507f4414000000000000010e
MS-Link-Utilization-Threshold = 50
MS-Link-Drop-Time-Limit = 120
MS-MPPE-Encryption-Policy = 0x00000002
MS-MPPE-Encryption-Types = 0x0000000e
+- entering group post-proxy
rlm_eap: No pre-existing handler found
++[eap] returns noop
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: Proxy reply, or no User-Name. Ignoring.
++[suffix] returns noop
++[eap] returns noop
++[unix] returns notfound
expand: %{User-Name} -> test at foo
users: Matched entry DEFAULT at line 6
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
rad_check_password: Found Auth-Type
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [test at foo/password] (from client LOCALHOST port 123)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 236 to 127.0.0.1 port 51046
Framed-Protocol = PPP
Service-Type = Framed-User
Class = 0x4f300502000001370001c0a8cb0601cd117a507f4414000000000000010e
MS-Link-Utilization-Threshold = 50
MS-Link-Drop-Time-Limit = 120
MS-MPPE-Encryption-Policy = 0x00000002
MS-MPPE-Encryption-Types = 0x0000000e
MS-Primary-DNS-Server = 192.168.203.6
MS-Secondary-DNS-Server = 192.168.203.1
MS-Primary-NBNS-Server = 192.168.203.6
Finished request 50.
2) Our config in 2.1.10 (the DEFAULT record is ignored before sending
the packet to the NAS):
proxy.conf:
===========
realm foo {
        type = radius
        authhost = 1.2.3.4
        secret = hidden
        nostrip
}
users file:
===========
DEFAULT User-Name =~ "test at foo"
        MS-Primary-DNS-Server = "192.168.203.6",
        MS-Secondary-DNS-Server = "192.168.203.1",
        MS-Primary-NBNS-Server = "192.168.203.6"
sites-enabled/default:
======================
authorize {
        ...
        files
        ...
}
test:
=====
# radtest test at foo password localhost:1812
# /usr/sbin/freeradiusd -X
...
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 49833, id=110, length=74
User-Name = "test at foo"
User-Password = "password"
NAS-IP-Address = 172.16.1.55
NAS-Port = 123
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "foo" for User-Name = "test at foo"
[suffix] Found realm "foo"
[suffix] Adding Realm = "foo"
[suffix] Proxying request from user test to realm foo
[suffix] Preparing to proxy authentication request to realm "foo"
++[suffix] returns updated
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] expand: %{User-Name} -> test at foo
[files] users: Matched entry DEFAULT at line 6
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
WARNING: Empty pre-proxy section. Using default return values.
Sending Access-Request of id 231 to 1.2.3.4 port 1812
User-Name = "test at foo"
User-Password = "password"
NAS-IP-Address = 172.16.1.55
NAS-Port = 123
Proxy-State = 0x313130
Proxying request 0 to home server 1.2.3.4 port 1812
Sending Access-Request of id 231 to 1.2.3.4 port 1812
User-Name = "test at foo"
User-Password = "password"
NAS-IP-Address = 172.16.1.55
NAS-Port = 123
Proxy-State = 0x313130
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host 1.2.3.4 port 1812, id=231, length=117
Proxy-State = 0x313130
Framed-Protocol = PPP
Service-Type = Framed-User
Class = 0x4f440516000001370001c0a8cb0601cd117a507f44140000000000000122
MS-Link-Utilization-Threshold = 50
MS-Link-Drop-Time-Limit = 120
MS-MPPE-Encryption-Policy = 0x00000002
MS-MPPE-Encryption-Types = 0x0000000e
# Executing section post-proxy from file /etc/freeradius/sites-enabled/default
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Login OK: [test at foo] (from client LOCALHOST port 123)
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 110 to 127.0.0.1 port 49833
Framed-Protocol = PPP
Service-Type = Framed-User
Class = 0x4f440516000001370001c0a8cb0601cd117a507f44140000000000000122
MS-Link-Utilization-Threshold = 50
MS-Link-Drop-Time-Limit = 120
MS-MPPE-Encryption-Policy = 0x00000002
MS-MPPE-Encryption-Types = 0x0000000e
Finished request 0.
I also tried it under 2.1.10 with "files" in the "post-auth" section, but
it did not work; I only got one more message, which tells me "noop":
...
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[files] returns noop
++[exec] returns noop
...
So my question is: how do I assign the DEFAULT record to a reply packet
from a proxy in 2.1.10?
Thx,
Gerald
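The two debug traces above show the difference: in 2.0.4 the home server's Access-Accept re-entered "authorize", where "files" matched DEFAULT and its reply items were appended; in 2.1.10 the proxied reply only runs "post-proxy" and "post-auth", so "files" in "authorize" never sees it. The following is an added example, not part of Gerald's post and not the FreeRADIUS project's own configuration, of one way to attach the same three attributes to the reply in a 2.1.x sites-enabled/default. It assumes the realm "foo" from the proxy.conf above (rlm_realm adds Realm = "foo" to the request, as the trace shows, so that attribute is used as the match instead of the User-Name regex), the stock module names, and that "post-auth" is reached for the accept as in the 2.1.10 trace; the Post-Auth-Type REJECT sub-section is the stock one.

```unlang
# Added example for FreeRADIUS 2.1.x (not from the original post).
# The "authorize" section is unchanged; "files" still matches DEFAULT
# there, but in 2.1.x those reply items only belong to the request
# that is proxied, not to the Access-Accept coming back.

authorize {
        preprocess
        chap
        mschap
        suffix          # adds Realm = "foo" and marks the request for proxying
        eap
        unix
        files           # matches DEFAULT, but only before proxying
        expiration
        logintime
        pap
}

# The home server's reply runs post-proxy and then post-auth; "authorize"
# is not re-entered.  Adding the attributes in post-auth means they are
# attached after the home server's answer is known, and only for accepts
# (rejects go to Post-Auth-Type REJECT below).
post-auth {
        # Assumption: Realm was set by "suffix" in authorize and is still
        # in the request list when the proxied reply is processed.
        if (Realm == "foo") {
                update reply {
                        MS-Primary-DNS-Server   := 192.168.203.6
                        MS-Secondary-DNS-Server := 192.168.203.1
                        MS-Primary-NBNS-Server  := 192.168.203.6
                }
        }
        exec

        # Stock 2.1.x sub-section: proxied rejects are filtered here and
        # never receive the DNS/NBNS attributes above.
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}
```

To check it, repeat the test from the post (radtest against localhost:1812 with the server running under -X) and confirm that the three MS-* attributes now appear in the "Sending Access-Accept of id ... to 127.0.0.1" block, as they did in the 2.0.4 trace. Using Realm rather than a User-Name regex keeps the condition tied to the realm that was actually proxied, so a local user who happens to match the same name pattern does not pick up the home server's DNS settings.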