Alan Buxey A.L.M.Buxey at lboro.ac.uk
Thu Jan 5 22:18:27 CET 2012


>    to authenticate with the eduroam user. It seems that although the
>    request is proxied, my server tries to locally check the authorized
>    attributes of the user against my local ldap server. And since no
>    such user exists ldap returns : object not found

use unlang to put a protection wrapper around your ldap, e.g.

if (Realm =~ /yourrealm\.com/) {
    ldap
}

>          Next, my server proxies an other request with empty attributes
>    certainly resulting from the previous object found result :
>    Sending Access-Request of id 144 to port 1812
>            User-Name := ""
>            User-Password := ""
>            Service-Type := Authenticate-Only
>            Message-Authenticator := 0x00000000000000000000000000000000
>            NAS-Identifier := "Status Check. Are you alive?"

this is a status-check packet - your server is configured to send status-check packets
to the remote proxy to check if it's up/alive - there is no response to this request -
so that's bad.  you COULD configure proxy.conf for that remote proxy to use a
username/pass (ideally a BAD password to get a REJECT) for this purpose if the
remote proxy isn't responding to these packets as it should.  for status requests
a reject is as good as an accept...you get a response...that's what the server wants.
you also then avoid leaking WORKING credentials into the system  :-)
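As an added illustration of the two points above (not from the original post or from the FreeRADIUS project), here is how the unlang wrapper in sites-enabled/default and the status-check settings in proxy.conf would look together. The realm name, home server name, IP address and secret are placeholders, and the probe username/password are constructed values; the option names are the standard FreeRADIUS 2.x home_server keys.

```conf
# sites-enabled/default (authorize section): only touch the local LDAP
# when the realm is ours; proxied eduroam users never hit ldap, so the
# "object not found" noise for foreign realms goes away.
authorize {
    preprocess
    suffix                       # sets Realm / Proxy-To-Realm from user@realm
    if (Realm =~ /^yourrealm\.com$/) {
        ldap
    }
    # assumption: users with no '@realm' are caught by a NULL realm entry
    # in proxy.conf or handled in a separate branch here
}

# proxy.conf: home server for the upstream eduroam proxy.
home_server eduroam-proxy {            # placeholder name
    type = auth
    ipaddr = 192.0.2.10                # placeholder address
    port = 1812
    secret = CHANGEME                  # placeholder shared secret

    # Send a real Access-Request as the liveness probe instead of
    # Status-Server (which the remote may not answer at all).
    status_check = request
    # Deliberately invalid credentials: an Access-Reject is enough to
    # mark the peer alive, and a captured probe yields nothing usable.
    username = "status-probe"                     # constructed value
    password = "deliberately-wrong-password"      # constructed value

    check_interval = 30          # seconds between probes while the peer is "zombie"
    num_answers_to_alive = 3     # consecutive answers needed before it is "alive" again
    # note: if the remote does answer Status-Server, prefer
    # status_check = status-server and drop username/password entirely.
}
```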


