post-auth not being entered in inner-tunnel

Alex Sharaz alex.sharaz at york.ac.uk
Wed Mar 13 17:09:55 CET 2013


o.k. 

Attached are cut down versions of the log files

inner-tunnel server = 

root at nasaaa3:/etc/freeradius/sites-enabled# cat inner-tunnel
# inner-tunnel virtual server 
#
# This virtual server is used to unwrap and process EAP requests - whether they
# originate locally, or from the NRPS.
#
# Depending on the EAP type, requests may pass through this virtual server
# multiple times - especially with EAP types involving a challenge/response,
# or a TLS tunnel (PEAP, TTLS, MSCHAPv2...)
#
# as 17/12/12 - Added Session Timeout setting so people have to reauth 
#               every 3600 seconds
#
# 18/12/12 - Wrapped a check round Session Timout to make sure it only gets
#            added to an Access-Accept
#
# 03/02/13 - Dont sql access-accept responses if user is nagios health check usr
#

server inner-tunnel {
listen {
	# Where to listen
	ipaddr = 127.0.0.1
	port = 18120
	type = auth # Accounting packets do not contain EAP
}

authorize {
	# Parse the realm/username
	suffix

	# Allow AuthN modules to scan for the attributes they need and assign themse
	chap
	#mschap_default
	mschap


	# Make sure that the request is not proxied (i.e. if the user were to have p
	update control {
	       Proxy-To-Realm := LOCAL
	}

	# Handle EAP-MSCHAP-v2 requests, plus set some EAP related attributes
	eap {
		ok = return
	}

	# Read in the users file
	files
        york_passwd

        if (Packet-Type == Access-Accept) {
           update reply {
                Session-Timeout := "3600"
                Termination-Action := "RADIUS-Request"
           }
        }

        if (request:Aruba-Location-Id) {
           update reply {
                  York-Auth-Type := "wireless"
                  York-Auth-Device := "%{Aruba-Location-Id}"
                  York-Calling-Station-Id := "%{Calling-Station-Id}"
           }
           if (!(request:Realm == "NULL") && !(request:Realm == "york.ac.uk")) {
              update reply {
                  York-Accept-Vlan := "Visiting Eduroam Users"
              }
           }

        }

        if ((request:NAS-Port-Type =~ /^Ethernet$/) ) {
           update reply {
                  York-Auth-Device := "%{NAS-Identifier}"
                  York-Auth-Device-Port := "%{NAS-Port-Id}"
                  York-Calling-Station-Id := "%{Calling-Station-Id}"
           }
        }

        if ((request:NAS-Port-Type =~ /^Ethernet$/) && !(User-Name =~ /^[0-9A-F][0-9
           update reply {
                  York-Auth-Type := "dot1x"
           }
        }
#
# if we are sending a vlan we also need to add these two attributes
# Put it here so that we cover both wired and wireless Vlan specification
#
        if (reply:Tunnel-Private-Group-ID) {
           update reply {
                  Tunnel-Type := VLAN
                  Tunnel-Medium-Type := IEEE-802
           }
        }

	# Has users account expired?
	expiration

	# Check for plaintext
	pap

#################
# Don't really need these in a properly working system
#
#	detail
#	auth_log
	reply_log
################
}

# Note that all of these requests are wrapped in an if block - this is to reduce loa
# from certain EAP types that cycle through this stage multiple times before a passw
# is actually sent
authenticate {
	# Handle plaintext passwords
	Auth-Type PAP {
	        if ((EAP-Type == 1) || (EAP-Message =~ /^0x02..00061a..$/)) {
			noop
		}
		else {
			pap
		}
	}
	# Handle chap passwords
	Auth-Type CHAP {
	        if ((EAP-Type == 1) || (EAP-Message =~ /^0x02..00061a..$/)) {
			noop
		}
		else {
			chap
		}
	}

	# Handle mschap passwords
	Auth-Type MS-CHAP {
        	if ((EAP-Type == 1) || (EAP-Message =~ /^0x02..00061a..$/)) {
	                noop
	        }
	        else {
 			mschap {
        			reject = 2
    			}
    			if (reject) {
        			mschap_default
    			}
		}
	}

	# Inner message is also EAP
	eap
}

post-auth {

      	   update reply {
               	User-Name := "%{User-Name}"
       	   }

	   sql_log
	Post-Auth-Type REJECT {
	   sql_log
	   attr_filter.access_reject
	}

#	set_session_time

#	}
#
#
# 11/02/13 - Not live yet
#	perl
	reply_log
}

session {
	# eduroam has no requirement for simultaneous usage checking
}

pre-proxy {
	# The inner tunnel should not be proxied
	pre_proxy_log
}

post-proxy {
	# The inner tunnel should not be proxied
	post_proxy_log
	eap
}

} # inner-tunnel server block



-------------- next part --------------
A non-text attachment was scrubbed...
Name: vsn220.log
Type: application/octet-stream
Size: 31865 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20130313/d0176f20/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: vsn221.log
Type: application/octet-stream
Size: 62264 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20130313/d0176f20/attachment-0003.obj>
-------------- next part --------------

On 13 Mar 2013, at 13:05, Olivier Beytrison <olivier at heliosnet.org> wrote:

> On 13.03.2013 12:46, Alex Sharaz wrote:
>> Hi,
>> 
>> I've got a number of FR 2.2.0 servers that invoke sql_log in the inner-tunnel post-auth in order to write user-name  some other attributes into a back end mysql database server  and it all works. If I've got non-eap requests coming in , the "default" site deals with it. If I've got eap-based requests coming in the inner-tunnel deals with them. About a week ago I downloaded the latest 2.2 code from git.freeradius, built that and upgraded one of my FR2.2 servers. Since then  I can't see an invocation of post-auth within the inner-tunnel. I can see it for the "default" site but not the inner-tunnel. Everything else seems to work but not that. Same hardware platform, same config files just different  FR code.
>> 
>> I've generated two radius -X dumps, vsn220.log and vsn221.log on my test server. The only raw client accessing this server is the switch my mac is sitting on  configured to do macauth and 802.1x on my ethernet port. By simply disconnecting and reconnecting my mac I've generated a macauth followed by an 802.1x auth. In both files you can see post-auth being invoked for the default site. but only the vsn220.log file has a corresponding post-auth for the inner-tunnel.
>> 
>> It may be  that there's something else I've configured wrong that is only showing up in van 2.2.1 (ish). Should I be sending these traces to the free radius list or is there another address I can email them to
> 
> Sounds weird. But again hard to tell without a radius -X output. Just
> send it here on the list, a complete request output, and maybe the
> relevant virtual-server configuration snippet
> 
> Olivier
> -- 
> 
> Olivier Beytrison
> Network & Security Engineer, HES-SO Fribourg
> Mail: olivier at heliosnet.org
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



More information about the Freeradius-Users mailing list