freeradius 3 - proxying

Khapare Joshi khapare77 at gmail.com
Mon Dec 8 18:01:15 CET 2014


Hi

I am testing freeradius version 3 to upgrade our old version 2 freeradius
server.

Local auth works well, but when I need to proxy a realm I always get "no
response from the server". I spoke to the guy who looks after the remote
radius server and he confirms it is running.

My version 2 configuration is working well, though.

This is what I get in debug mode:


Received Access-Request Id 36 from 192.168.1.20:1814 to 10.128.1.10:1812
length 141
    User-Name = 'bob at test.com'
    NAS-IP-Address = 127.0.0.1
    Calling-Station-Id = '02-00-00-00-00-01'
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = 'CONNECT 11Mbps 802.11b'
    EAP-Message = 0x02000014016e656d616e646940756e616b2e6973
    Message-Authenticator = 0xe32df9f6e41ef3d00ac9a5943427a59f
    Proxy-State = 0x30
(0) Received Access-Request packet from host 192.168.1.20 port 1814, id=36,
length=141
(0)     User-Name = 'bob at test.com'
(0)     NAS-IP-Address = 127.0.0.1
(0)     Calling-Station-Id = '02-00-00-00-00-01'
(0)     Framed-MTU = 1400
(0)     NAS-Port-Type = Wireless-802.11
(0)     Connect-Info = 'CONNECT 11Mbps 802.11b'
(0)     EAP-Message = 0x02000014016e656d616e646940756e616b2e6973
(0)     Message-Authenticator = 0xe32df9f6e41ef3d00ac9a5943427a59f
(0)     Proxy-State = 0x30
(0) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0)   filter_username filter_username {
(0)     if (!&User-Name)
(0)     if (!&User-Name)  -> FALSE
(0)     if (&User-Name =~ / /)
(0)     if (&User-Name =~ / /)  -> FALSE
(0)     if (&User-Name =~ /@.*@/ )
(0)     if (&User-Name =~ /@.*@/ )  -> FALSE
(0)     if (&User-Name =~ /\\.\\./ )
(0)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(0)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(0)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   ->
FALSE
(0)     if (&User-Name =~ /\\.$/)
(0)     if (&User-Name =~ /\\.$/)   -> FALSE
(0)     if (&User-Name =~ /@\\./)
(0)     if (&User-Name =~ /@\\./)   -> FALSE
(0)   } # filter_username filter_username = notfound
(0)   [preprocess] = ok
(0)  auth_log : EXPAND
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d

(0)  auth_log :    --> /var/log/radacct/192.168.1.20/auth-detail-20141208
(0)  auth_log :
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radacct/192.168.1.20/auth-detail-20141208
(0)  auth_log : EXPAND %t
(0)  auth_log :    --> Mon Dec  8 16:38:14 2014
(0)   [auth_log] = ok
(0)   [chap] = noop
(0)   [mschap] = noop
(0)   [digest] = noop
(0)  suffix : Checking for suffix after "@"
(0)  suffix : Looking up realm "test.com" for User-Name = "bob at test.com"
(0)  suffix : Found realm "test.com"
(0)  suffix : Adding Realm = "test.com"
(0)  suffix : Proxying request from user bob at test.com to realm test.com
(0)  suffix : Preparing to proxy authentication request to realm "test.com"

(0)   [suffix] = updated
(0)  eap : Request is supposed to be proxied to Realm test.com. Not doing
EAP.
(0)   [eap] = noop
(0)   [files] = noop
(0)   [expiration] = noop
(0)   [logintime] = noop
(0)   [pap] = noop
(0)  } #  authorize = updated
(0) # Executing section pre-proxy from file
/usr/local/etc/raddb/sites-enabled/default
(0)   pre-proxy {
(0)   operator-name.pre-proxy operator-name.pre-proxy {
(0)     if (("%{request:Packet-Type}" == 'Access-Request') &&
"%{client:Operator-Name}")
(0) EXPAND %{request:Packet-Type}
(0)    --> Access-Request
(0) Client does not contain config item "Operator-Name"
(0) EXPAND %{client:Operator-Name}
(0)    -->
(0)     if (("%{request:Packet-Type}" == 'Access-Request') &&
"%{client:Operator-Name}")  -> FALSE
(0)   } # operator-name.pre-proxy operator-name.pre-proxy = noop
(0)  pre_proxy_log : EXPAND
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d

(0)  pre_proxy_log :    --> /var/log/radacct/
192.168.1.20/pre-proxy-detail-20141208
(0)  pre_proxy_log :
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d
expands to /var/log/radacct/192.168.1.20/pre-proxy-detail-20141208
(0)  pre_proxy_log : EXPAND %t
(0)  pre_proxy_log :    --> Mon Dec  8 16:38:14 2014
(0)   [pre_proxy_log] = ok
(0)  } #  pre-proxy = ok
Opening new proxy socket 'proxy address * port 0'
Listening on proxy address * port 37396
(0) Proxying request to home server remote-rad-server port 1812 timeout
30.000000
(0) Sending Access-Request packet to host remote-rad-server port 1812,
id=175, length=0
(0)     User-Name = 'bob at test.com'
(0)     NAS-IP-Address = 127.0.0.1
(0)     Calling-Station-Id = '02-00-00-00-00-01'
(0)     Framed-MTU = 1400
(0)     NAS-Port-Type = Wireless-802.11
(0)     Connect-Info = 'CONNECT 11Mbps 802.11b'
(0)     EAP-Message = 0x02000014016e656d616e646940756e616b2e6973
(0)     Message-Authenticator = 0xe32df9f6e41ef3d00ac9a5943427a59f
(0)     Proxy-State = 0x30
(0)     Event-Timestamp = 'Dec  8 2014 16:38:14 GMT'
(0)     Realm = 'test.com'
(0)     EAP-Type = Identity
(0)     Proxy-State = 0x3336
Sending Access-Request Id 175 from 0.0.0.0:37396 to remote-rad-server:1812
    User-Name = 'bob at test.com'
    NAS-IP-Address = 127.0.0.1
    Calling-Station-Id = '02-00-00-00-00-01'
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = 'CONNECT 11Mbps 802.11b'
    EAP-Message = 0x02000014016e656d616e646940756e616b2e6973
    Message-Authenticator = 0xe32df9f6e41ef3d00ac9a5943427a59f
    Proxy-State = 0x30
    Event-Timestamp = 'Dec  8 2014 16:38:14 GMT'
    Proxy-State = 0x3336
Waking up in 0.3 seconds.
Waking up in 0.1 seconds.
(0) Expecting proxy response no later than 29.488865 seconds from now
Waking up in 29.4 seconds.
Received Access-Request Id 36 from 192.168.1.20:1814 to 10.128.1.10:1812
length 141
(0) Sending duplicate proxied request to home server remote-rad-server port
1812 - ID: 175
(0) Sending Access-Request packet to host remote-rad-server port 1812,
id=175, length=151
(0)     User-Name = 'bob at test.com'
(0)     NAS-IP-Address = 127.0.0.1
(0)     Calling-Station-Id = '02-00-00-00-00-01'
(0)     Framed-MTU = 1400
(0)     NAS-Port-Type = Wireless-802.11
(0)     Connect-Info = 'CONNECT 11Mbps 802.11b'
(0)     EAP-Message = 0x02000014016e656d616e646940756e616b2e6973
(0)     Message-Authenticator = 0xe32df9f6e41ef3d00ac9a5943427a59f
(0)     Proxy-State = 0x30
(0)     Event-Timestamp = 'Dec  8 2014 16:38:14 GMT'
(0)     Realm = 'test.com'
(0)     EAP-Type = Identity
(0)     Proxy-State = 0x3336
Sending Access-Request Id 175 from 0.0.0.0:37396 to remote-rad-server:1812
    User-Name = 'bob at test.com'
    NAS-IP-Address = 127.0.0.1
    Calling-Station-Id = '02-00-00-00-00-01'
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = 'CONNECT 11Mbps 802.11b'
    EAP-Message = 0x02000014016e656d616e646940756e616b2e6973
    Message-Authenticator = 0xe32df9f6e41ef3d00ac9a5943427a59f
    Proxy-State = 0x30
    Event-Timestamp = 'Dec  8 2014 16:38:14 GMT'
    Proxy-State = 0x3336
Waking up in 26.9 seconds.
Received Access-Request Id 36 from 192.168.1.20:1814 to 10.128.1.10:1812
length 141
(0) Sending duplicate proxied request to home server remote-rad-server port
1812 - ID: 175
(0) Sending Access-Request packet to host remote-rad-server port 1812,
id=175, length=151
(0)     User-Name = 'bob at test.com'
(0)     NAS-IP-Address = 127.0.0.1
(0)     Calling-Station-Id = '02-00-00-00-00-01'
(0)     Framed-MTU = 1400
(0)     NAS-Port-Type = Wireless-802.11
(0)     Connect-Info = 'CONNECT 11Mbps 802.11b'
(0)     EAP-Message = 0x02000014016e656d616e646940756e616b2e6973
(0)     Message-Authenticator = 0xe32df9f6e41ef3d00ac9a5943427a59f
(0)     Proxy-State = 0x30
(0)     Event-Timestamp = 'Dec  8 2014 16:38:14 GMT'
(0)     Realm = 'test.com'
(0)     EAP-Type = Identity
(0)     Proxy-State = 0x3336
Sending Access-Request Id 175 from 0.0.0.0:37396 to remote-rad-server:1812
    User-Name = 'bob at test.com'
    NAS-IP-Address = 127.0.0.1
    Calling-Station-Id = '02-00-00-00-00-01'
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = 'CONNECT 11Mbps 802.11b'
    EAP-Message = 0x02000014016e656d616e646940756e616b2e6973
    Message-Authenticator = 0xe32df9f6e41ef3d00ac9a5943427a59f
    Proxy-State = 0x30
    Event-Timestamp = 'Dec  8 2014 16:38:14 GMT'
    Proxy-State = 0x3336
Waking up in 20.9 seconds.
Received Access-Request Id 36 from 192.168.1.20:1814 to 10.128.1.10:1812
length 141
(0) Sending duplicate proxied request to home server remote-rad-server port
1812 - ID: 175
(0) Sending Access-Request packet to host remote-rad-server port 1812,
id=175, length=151
(0)     User-Name = 'bob at test.com'
(0)     NAS-IP-Address = 127.0.0.1
(0)     Calling-Station-Id = '02-00-00-00-00-01'
(0)     Framed-MTU = 1400
(0)     NAS-Port-Type = Wireless-802.11
(0)     Connect-Info = 'CONNECT 11Mbps 802.11b'
(0)     EAP-Message = 0x02000014016e656d616e646940756e616b2e6973
(0)     Message-Authenticator = 0xe32df9f6e41ef3d00ac9a5943427a59f
(0)     Proxy-State = 0x30
(0)     Event-Timestamp = 'Dec  8 2014 16:38:14 GMT'
(0)     Realm = 'test.com'
(0)     EAP-Type = Identity
(0)     Proxy-State = 0x3336
Sending Access-Request Id 175 from 0.0.0.0:37396 to remote-rad-server:1812
    User-Name = 'bob at test.com'
    NAS-IP-Address = 127.0.0.1
    Calling-Station-Id = '02-00-00-00-00-01'
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = 'CONNECT 11Mbps 802.11b'
    EAP-Message = 0x02000014016e656d616e646940756e616b2e6973
    Message-Authenticator = 0xe32df9f6e41ef3d00ac9a5943427a59f
    Proxy-State = 0x30
    Event-Timestamp = 'Dec  8 2014 16:38:14 GMT'
    Proxy-State = 0x3336
Waking up in 8.9 seconds.
Received Status-Server Id 248 from 192.168.1.20:1814 to 10.128.1.10:1812
length 68
    Message-Authenticator = 0x9f4f11180db5f0c2be4113388ea12cbf
    NAS-Identifier = 'Status Check. Are you alive?'
(1) Received Status-Server packet from host 192.168.1.20 port 1814, id=248,
length=68
(1)     Message-Authenticator = 0x9f4f11180db5f0c2be4113388ea12cbf
(1)     NAS-Identifier = 'Status Check. Are you alive?'
(1) # Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/default
(1)   post-auth {
(1)  reply_log : EXPAND
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d

(1)  reply_log :    --> /var/log/radacct/192.168.1.20/reply-detail-20141208
(1)  reply_log :
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
expands to /var/log/radacct/192.168.1.20/reply-detail-20141208
(1)  reply_log : EXPAND %t
(1)  reply_log :    --> Mon Dec  8 16:38:44 2014
(1)   [reply_log] = ok
(1)   [exec] = noop
(1)   remove_reply_message_if_eap remove_reply_message_if_eap {
(1)     if (&reply:EAP-Message && &reply:Reply-Message)
(1)     if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(1)    else else {
(1)     [noop] = noop
(1)    } # else else = noop
(1)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(1)  } #  post-auth = ok
(1) Sending Access-Accept packet to host 192.168.1.20 port 1814, id=248,
length=0
Sending Access-Accept Id 248 from 10.128.1.10:1812 to 192.168.1.20:1814
(1) Finished request
(0) No proxy response, giving up on request and marking it done
Marking home server remote-rad-server port 1812 as zombie (it has not
responded in 30.000000 seconds).
PING: Waiting 4 seconds for response to ping
Sending Status-Server Id 44 from 0.0.0.0:37396 to remote-rad-server:1812
    Message-Authenticator := 0x00
    NAS-Identifier := 'Status Check 0. Are you alive?'
PING: Next status packet in 60 seconds
(0) ERROR: Failing proxied request, due to lack of any response
from home server remote-rad-server port 1812
Waking up in 0.3 seconds.
Waking up in 3.6 seconds.
No response to status check 2 for home server remote-rad-server port
1812
Waking up in 0.8 seconds.
(1) Cleaning up request packet ID 248 with timestamp +40
(0) Cleaning up request packet ID 36 with timestamp +10
Waking up in 57.0 seconds.
^C
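
A triage helper for debug output like the log above, added here as an example (it is not part of the original post and not FreeRADIUS code): it counts proxied requests, retransmits, failures and zombie markings per home server, and tolerates the mail-style line wrapping seen in the post. The function names and the embedded sample lines are constructed for illustration; the message formats are copied from the log above.

```python
import re

# Message formats as they appear in the debug log quoted above.
PATTERNS = {
    "proxied": r"\(\d+\) Proxying request to home server (\S+) port (\d+) timeout",
    "retransmits": r"Sending duplicate proxied request to home server (\S+) port (\d+)",
    "failed": r"Failing proxied request, due to lack of any response "
              r"from home server (\S+) port (\d+)",
    "zombie": r"Marking home server (\S+) port (\d+) as zombie",
    "status_unanswered": r"No response to status check \d+ for home server (\S+) port (\d+)",
}

# Constructed sample, wrapped the way the mail client wrapped the original.
SAMPLE_LOG = """\
(0) Proxying request to home server remote-rad-server port 1812 timeout
30.000000
(0) Sending duplicate proxied request to home server remote-rad-server port
1812 - ID: 175
(0) Sending duplicate proxied request to home server remote-rad-server port 1812 - ID: 175
Marking home server remote-rad-server port 1812 as zombie (it has not
responded in 30.000000 seconds).
(0) ERROR: Failing proxied request, due to lack of any response
from home server remote-rad-server port 1812
No response to status check 2 for home server remote-rad-server port
1812
"""

def summarize_proxy_failures(log_text):
    """Return {(host, port): {event: count}} for proxy-related events."""
    # Collapse all whitespace so messages split across lines match again.
    flat = re.sub(r"\s+", " ", log_text)
    summary = {}
    for event, pattern in PATTERNS.items():
        for host, port in re.findall(pattern, flat):
            counts = summary.setdefault((host, int(port)), dict.fromkeys(PATTERNS, 0))
            counts[event] += 1
    return summary

def unresponsive_home_servers(summary):
    """Home servers marked zombie or that left a status check unanswered."""
    return sorted(hs for hs, c in summary.items()
                  if c["zombie"] or c["status_unanswered"])

if __name__ == "__main__":
    result = summarize_proxy_failures(SAMPLE_LOG)
    for (host, port), counts in result.items():
        print(f"{host}:{port} {counts}")
    print("unresponsive:", unresponsive_home_servers(result))
```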