update reply problem
Ana Gallardo Gómez
anaougu at gmail.com
Fri Mar 23 12:51:24 CET 2012
I'm using FreeRADIUS 2.1.10 and I have a problem updating the reply.
When I use EAP-TTLS-PAP, I have this configuration in inner-tunnel:
post-auth {
    sql {
        fail = 1
    }
    if (fail) {
        update reply {
            Codigo-Reject = Imposible-Contactar-Backend
        }
        reply_log
        reject
    }
    else {
        reply_log
    }
}
and this configuration in outer-tunnel:
post-auth {
    ...
    Post-Auth-Type REJECT {
        update reply {
            Codigo-Reject = Credenciales-Erroneas
        }
        sql {
            fail = 1
        }
        ...
    }
If MySQL is down, post-auth in inner-tunnel sets Codigo-Reject =
Imposible-Contactar-Backend.
Post-Auth-Type REJECT doesn't have to update the reply because I'm using the "="
operator.
But Post-Auth-Type REJECT sets Codigo-Reject to Credenciales-Erroneas.
Debug log:
# Executing section post-auth from file /etc/freeradius/sites-enabled/
inner-tunnel
+- entering group post-auth {...}
[sql] expand: %{Stripped-User-Name} -> 02747632
[sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} ->
02747632
[sql] sql_set_user escaped user --> '02747632'
[sql] expand: INSERT INTO radpostauth
(username, mac, client, reply,
authdate,codreject,radauth) VALUES
( LOWER('%{User-Name}'),
LOWER('%i'), '%C',
'%{reply:Packet-Type}', NOW(),
'%{reply:Codigo-Reject}','radius') -> INSERT INTO
radpostauth (username, mac, client, reply,
authdate,codreject,radauth) VALUES
( LOWER('02747632'),
LOWER('66:77:99:B1:A0:2F'), 'PA',
'Access-Accept', NOW(), '','radius')
rlm_sql (sql) in sql_postauth: query is INSERT INTO
radpostauth (username, mac, client, reply,
authdate,codreject,radauth) VALUES
( LOWER('02747632'),
LOWER('66:77:99:B1:A0:2F'), 'PA',
'Access-Accept', NOW(), '','radius')
rlm_sql (sql): Ignoring unconnected handle 3..
rlm_sql (sql): Ignoring unconnected handle 2..
rlm_sql (sql): Ignoring unconnected handle 1..
rlm_sql (sql): Ignoring unconnected handle 0..
rlm_sql (sql): Ignoring unconnected handle 4..
++[sql] returns fail
++? if (fail)
? Evaluating (fail) -> TRUE
++? if (fail) -> TRUE
++- entering if (fail) {...}
+++[reply] returns fail
[reply_log] expand:
/var/log/freeradius/radacct/%Y/%m/%d/%{Client-IP-Address}-reply-detail-%Y%m%d
-> /var/log/freeradius/radacct/2012/03/23/10.253.40.43-reply-detail-20120323
[reply_log]
/var/log/freeradius/radacct/%Y/%m/%d/%{Client-IP-Address}-reply-detail-%Y%m%d
expands to
/var/log/freeradius/radacct/2012/03/23/10.253.40.43-reply-detail-20120323
[reply_log] expand: %t -> Fri Mar 23 11:59:41 2012
+++[reply_log] returns ok
+++[reject] returns reject
++- if (fail) returns reject
} # server inner-tunnel
[ttls] Got tunneled reply code 3
Relaciones = "03"
Nombre-Completo = "MARCOS"
Codigo-Reject = Imposible-Contactar-Backend
[ttls] Got tunneled Access-Reject
[eapeduroam] Handler failed in EAP/ttls
[eapeduroam] Failed in EAP select
++[eapeduroam] returns invalid
Failed to authenticate the user.
} # server eduroam
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/eduroam
+- entering group REJECT {...}
++[reply] returns noop
[sql] expand: %{Stripped-User-Name} -> 02747632
[sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} ->
02747632
[sql] sql_set_user escaped user --> '02747632'
[sql] expand: INSERT INTO radpostauth
(username, mac, client, reply,
authdate,codreject,radauth) VALUES
( LOWER('%{User-Name}'),
LOWER('%i'), '%C',
'%{reply:Packet-Type}', NOW(),
'%{reply:Codigo-Reject}','radius') -> INSERT INTO
radpostauth (username, mac, client, reply,
authdate,codreject,radauth) VALUES
( LOWER('02747632'),
LOWER('66:77:99:B1:A0:2F'), 'PA',
'Access-Reject', NOW(), 'Credenciales-Erroneas','radius')
rlm_sql (sql) in sql_postauth: query is INSERT INTO
radpostauth (username, mac, client, reply,
authdate,codreject,radauth) VALUES
( LOWER('02747632'),
LOWER('66:77:99:B1:A0:2F'), 'PA',
'Access-Reject', NOW(), 'Credenciales-Erroneas','radius')
rlm_sql (sql): Ignoring unconnected handle 3..
rlm_sql (sql): Ignoring unconnected handle 2..
rlm_sql (sql): Ignoring unconnected handle 1..
rlm_sql (sql): Ignoring unconnected handle 0..
rlm_sql (sql): Ignoring unconnected handle 4..
++[sql] returns fail
I don't know what I'm doing wrong :(
I would like to know what this means:
[eapeduroam] Handler failed in EAP/ttls
[eapeduroam] Failed in EAP select
++[eapeduroam] returns invalid
And, the last thing, can I do:
# inner-tunnel
post-auth {
    sql {
        fail = 1
    }
    if (fail) {
        update reply {
            Codigo-Reject = Imposible-Contactar-Backend
            * Packet-Type := Access-Reject*
        }
        reply_log
        reject
    }
Thank you very much and sorry for my English.
::::::::::::::::::::::::::::::::::::
:: Ana Gallardo Gómez ::
::::::::::::::::::::::::::::::::::::
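
Added example, not part of the original post: a small Python script that reads the debug output above and reports, per virtual server, the reply type and codreject value that sql expanded into the radpostauth INSERT, and whether the "update reply" step had already run at that point. The embedded log is abridged from the post with wrapped lines rejoined; the function and field names are this example's own.

```python
import re

# Abridged from the debug output in the post above; wrapped lines are rejoined.
DEBUG_LOG = """\
# Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, mac, client, reply, authdate,codreject,radauth) VALUES ( LOWER('02747632'), LOWER('66:77:99:B1:A0:2F'), 'PA', 'Access-Accept', NOW(), '','radius')
++[sql] returns fail
++? if (fail) -> TRUE
+++[reply] returns fail
+++[reject] returns reject
} # server inner-tunnel
[ttls] Got tunneled reply code 3
Codigo-Reject = Imposible-Contactar-Backend
[ttls] Got tunneled Access-Reject
# Executing group from file /etc/freeradius/sites-enabled/eduroam
++[reply] returns noop
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, mac, client, reply, authdate,codreject,radauth) VALUES ( LOWER('02747632'), LOWER('66:77:99:B1:A0:2F'), 'PA', 'Access-Reject', NOW(), 'Credenciales-Erroneas','radius')
++[sql] returns fail
"""

SECTION = re.compile(r"^# Executing (?:section \S+|group) from file \S*/([\w.-]+)$")
QUERY = re.compile(r"query is INSERT INTO radpostauth .*?'([\w-]+)', NOW\(\), '([^']*)'")
TUNNELED = re.compile(r"^Codigo-Reject = (\S+)$")
RETURNS = re.compile(r"^\++\[(\w+)\] returns (\w+)$")

def summarize(log):
    """Per virtual server: what sql logged, the module return codes, and whether
    the 'update reply' step ran before the sql query was expanded."""
    servers, current, tunneled = {}, None, None
    for line in log.splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            current = servers.setdefault(m.group(1), {"returns": []})
        elif m := TUNNELED.match(line):
            tunneled = m.group(1)  # value listed under "Got tunneled reply"
        elif current is not None and (m := QUERY.search(line)):
            current["reply"], current["codreject"] = m.groups()
            # "[reply]" is how the debug output labels the update reply block
            current["update_before_sql"] = any(n == "reply" for n, _ in current["returns"])
        elif current is not None and (m := RETURNS.match(line)):
            current["returns"].append(m.groups())
    return servers, tunneled

if __name__ == "__main__":
    servers, tunneled = summarize(DEBUG_LOG)
    print("tunneled reply Codigo-Reject:", tunneled)
    for name, facts in servers.items():
        print(name, facts)
```

On this log, inner-tunnel shows Access-Accept with an empty codreject because its sql query was expanded before the update reply step, while the eduroam REJECT section ran update reply first and logged Credenciales-Erroneas.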