freeradius 3 - proxying
Khapare Joshi
khapare77 at gmail.com
Mon Dec 8 18:01:15 CET 2014
Hi,
I am testing freeradius version 3 in order to upgrade our old version 2
freeradius server.
Local auth works well, but when I need to proxy a realm I always get "no
response from the server". I spoke to the guy who looks after the remote
radius server and he confirms it is running.
My version 2 configuration is working well, though.
This is what I get in debug mode:
Received Access-Request Id 36 from 192.168.1.20:1814 to 10.128.1.10:1812
length 141
User-Name = 'bob at test.com'
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = '02-00-00-00-00-01'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 11Mbps 802.11b'
EAP-Message = 0x02000014016e656d616e646940756e616b2e6973
Message-Authenticator = 0xe32df9f6e41ef3d00ac9a5943427a59f
Proxy-State = 0x30
(0) Received Access-Request packet from host 192.168.1.20 port 1814, id=36,
length=141
(0) User-Name = 'bob at test.com'
(0) NAS-IP-Address = 127.0.0.1
(0) Calling-Station-Id = '02-00-00-00-00-01'
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = 'CONNECT 11Mbps 802.11b'
(0) EAP-Message = 0x02000014016e656d616e646940756e616b2e6973
(0) Message-Authenticator = 0xe32df9f6e41ef3d00ac9a5943427a59f
(0) Proxy-State = 0x30
(0) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) if (!&User-Name)
(0) if (!&User-Name) -> FALSE
(0) if (&User-Name =~ / /)
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@.*@/ )
(0) if (&User-Name =~ /@.*@/ ) -> FALSE
(0) if (&User-Name =~ /\\.\\./ )
(0) if (&User-Name =~ /\\.\\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\\.$/)
(0) if (&User-Name =~ /\\.$/) -> FALSE
(0) if (&User-Name =~ /@\\./)
(0) if (&User-Name =~ /@\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) auth_log : EXPAND
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log : --> /var/log/radacct/192.168.1.20/auth-detail-20141208
(0) auth_log :
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radacct/192.168.1.20/auth-detail-20141208
(0) auth_log : EXPAND %t
(0) auth_log : --> Mon Dec 8 16:38:14 2014
(0) [auth_log] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix : Checking for suffix after "@"
(0) suffix : Looking up realm "test.com" for User-Name = "bob at test.com"
(0) suffix : Found realm "test.com"
(0) suffix : Adding Realm = "test.com"
(0) suffix : Proxying request from user bob at test.com to realm test.com
(0) suffix : Preparing to proxy authentication request to realm "test.com"
(0) [suffix] = updated
(0) eap : Request is supposed to be proxied to Realm test.com. Not doing
EAP.
(0) [eap] = noop
(0) [files] = noop
(0) [expiration] = noop
(0) [logintime] = noop
(0) [pap] = noop
(0) } # authorize = updated
(0) # Executing section pre-proxy from file
/usr/local/etc/raddb/sites-enabled/default
(0) pre-proxy {
(0) operator-name.pre-proxy operator-name.pre-proxy {
(0) if (("%{request:Packet-Type}" == 'Access-Request') &&
"%{client:Operator-Name}")
(0) EXPAND %{request:Packet-Type}
(0) --> Access-Request
(0) Client does not contain config item "Operator-Name"
(0) EXPAND %{client:Operator-Name}
(0) -->
(0) if (("%{request:Packet-Type}" == 'Access-Request') &&
"%{client:Operator-Name}") -> FALSE
(0) } # operator-name.pre-proxy operator-name.pre-proxy = noop
(0) pre_proxy_log : EXPAND
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d
(0) pre_proxy_log : --> /var/log/radacct/
192.168.1.20/pre-proxy-detail-20141208
(0) pre_proxy_log :
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d
expands to /var/log/radacct/192.168.1.20/pre-proxy-detail-20141208
(0) pre_proxy_log : EXPAND %t
(0) pre_proxy_log : --> Mon Dec 8 16:38:14 2014
(0) [pre_proxy_log] = ok
(0) } # pre-proxy = ok
Opening new proxy socket 'proxy address * port 0'
Listening on proxy address * port 37396
(0) Proxying request to home server remote-rad-server port 1812 timeout
30.000000
(0) Sending Access-Request packet to host remote-rad-server port 1812,
id=175, length=0
(0) User-Name = 'bob at test.com'
(0) NAS-IP-Address = 127.0.0.1
(0) Calling-Station-Id = '02-00-00-00-00-01'
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = 'CONNECT 11Mbps 802.11b'
(0) EAP-Message = 0x02000014016e656d616e646940756e616b2e6973
(0) Message-Authenticator = 0xe32df9f6e41ef3d00ac9a5943427a59f
(0) Proxy-State = 0x30
(0) Event-Timestamp = 'Dec 8 2014 16:38:14 GMT'
(0) Realm = 'test.com'
(0) EAP-Type = Identity
(0) Proxy-State = 0x3336
Sending Access-Request Id 175 from 0.0.0.0:37396 to remote-rad-server:1812
User-Name = 'bob at test.com'
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = '02-00-00-00-00-01'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 11Mbps 802.11b'
EAP-Message = 0x02000014016e656d616e646940756e616b2e6973
Message-Authenticator = 0xe32df9f6e41ef3d00ac9a5943427a59f
Proxy-State = 0x30
Event-Timestamp = 'Dec 8 2014 16:38:14 GMT'
Proxy-State = 0x3336
Waking up in 0.3 seconds.
Waking up in 0.1 seconds.
(0) Expecting proxy response no later than 29.488865 seconds from now
Waking up in 29.4 seconds.
Received Access-Request Id 36 from 192.168.1.20:1814 to 10.128.1.10:1812
length 141
(0) Sending duplicate proxied request to home server remote-rad-server port
1812 - ID: 175
(0) Sending Access-Request packet to host remote-rad-server port 1812,
id=175, length=151
(0) User-Name = 'bob at test.com'
(0) NAS-IP-Address = 127.0.0.1
(0) Calling-Station-Id = '02-00-00-00-00-01'
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = 'CONNECT 11Mbps 802.11b'
(0) EAP-Message = 0x02000014016e656d616e646940756e616b2e6973
(0) Message-Authenticator = 0xe32df9f6e41ef3d00ac9a5943427a59f
(0) Proxy-State = 0x30
(0) Event-Timestamp = 'Dec 8 2014 16:38:14 GMT'
(0) Realm = 'test.com'
(0) EAP-Type = Identity
(0) Proxy-State = 0x3336
Sending Access-Request Id 175 from 0.0.0.0:37396 to remote-rad-server:1812
User-Name = 'bob at test.com'
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = '02-00-00-00-00-01'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 11Mbps 802.11b'
EAP-Message = 0x02000014016e656d616e646940756e616b2e6973
Message-Authenticator = 0xe32df9f6e41ef3d00ac9a5943427a59f
Proxy-State = 0x30
Event-Timestamp = 'Dec 8 2014 16:38:14 GMT'
Proxy-State = 0x3336
Waking up in 26.9 seconds.
Received Access-Request Id 36 from 192.168.1.20:1814 to 10.128.1.10:1812
length 141
(0) Sending duplicate proxied request to home server remote-rad-server port
1812 - ID: 175
(0) Sending Access-Request packet to host remote-rad-server port 1812,
id=175, length=151
(0) User-Name = 'bob at test.com'
(0) NAS-IP-Address = 127.0.0.1
(0) Calling-Station-Id = '02-00-00-00-00-01'
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = 'CONNECT 11Mbps 802.11b'
(0) EAP-Message = 0x02000014016e656d616e646940756e616b2e6973
(0) Message-Authenticator = 0xe32df9f6e41ef3d00ac9a5943427a59f
(0) Proxy-State = 0x30
(0) Event-Timestamp = 'Dec 8 2014 16:38:14 GMT'
(0) Realm = 'test.com'
(0) EAP-Type = Identity
(0) Proxy-State = 0x3336
Sending Access-Request Id 175 from 0.0.0.0:37396 to remote-rad-server:1812
User-Name = 'bob at test.com'
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = '02-00-00-00-00-01'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 11Mbps 802.11b'
EAP-Message = 0x02000014016e656d616e646940756e616b2e6973
Message-Authenticator = 0xe32df9f6e41ef3d00ac9a5943427a59f
Proxy-State = 0x30
Event-Timestamp = 'Dec 8 2014 16:38:14 GMT'
Proxy-State = 0x3336
Waking up in 20.9 seconds.
Received Access-Request Id 36 from 192.168.1.20:1814 to 10.128.1.10:1812
length 141
(0) Sending duplicate proxied request to home server remote-rad-server port
1812 - ID: 175
(0) Sending Access-Request packet to host remote-rad-server port 1812,
id=175, length=151
(0) User-Name = 'bob at test.com'
(0) NAS-IP-Address = 127.0.0.1
(0) Calling-Station-Id = '02-00-00-00-00-01'
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = 'CONNECT 11Mbps 802.11b'
(0) EAP-Message = 0x02000014016e656d616e646940756e616b2e6973
(0) Message-Authenticator = 0xe32df9f6e41ef3d00ac9a5943427a59f
(0) Proxy-State = 0x30
(0) Event-Timestamp = 'Dec 8 2014 16:38:14 GMT'
(0) Realm = 'test.com'
(0) EAP-Type = Identity
(0) Proxy-State = 0x3336
Sending Access-Request Id 175 from 0.0.0.0:37396 to remote-rad-server:1812
User-Name = 'bob at test.com'
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = '02-00-00-00-00-01'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 11Mbps 802.11b'
EAP-Message = 0x02000014016e656d616e646940756e616b2e6973
Message-Authenticator = 0xe32df9f6e41ef3d00ac9a5943427a59f
Proxy-State = 0x30
Event-Timestamp = 'Dec 8 2014 16:38:14 GMT'
Proxy-State = 0x3336
Waking up in 8.9 seconds.
Received Status-Server Id 248 from 192.168.1.20:1814 to 10.128.1.10:1812
length 68
Message-Authenticator = 0x9f4f11180db5f0c2be4113388ea12cbf
NAS-Identifier = 'Status Check. Are you alive?'
(1) Received Status-Server packet from host 192.168.1.20 port 1814, id=248,
length=68
(1) Message-Authenticator = 0x9f4f11180db5f0c2be4113388ea12cbf
(1) NAS-Identifier = 'Status Check. Are you alive?'
(1) # Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/default
(1) post-auth {
(1) reply_log : EXPAND
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
(1) reply_log : --> /var/log/radacct/192.168.1.20/reply-detail-20141208
(1) reply_log :
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
expands to /var/log/radacct/192.168.1.20/reply-detail-20141208
(1) reply_log : EXPAND %t
(1) reply_log : --> Mon Dec 8 16:38:44 2014
(1) [reply_log] = ok
(1) [exec] = noop
(1) remove_reply_message_if_eap remove_reply_message_if_eap {
(1) if (&reply:EAP-Message && &reply:Reply-Message)
(1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(1) else else {
(1) [noop] = noop
(1) } # else else = noop
(1) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(1) } # post-auth = ok
(1) Sending Access-Accept packet to host 192.168.1.20 port 1814, id=248,
length=0
Sending Access-Accept Id 248 from 10.128.1.10:1812 to 192.168.1.20:1814
(1) Finished request
(0) No proxy response, giving up on request and marking it done
Marking home server remote-rad-server port 1812 as zombie (it has not
responded in 30.000000 seconds).
PING: Waiting 4 seconds for response to ping
Sending Status-Server Id 44 from 0.0.0.0:37396 to remote-rad-server:1812
Message-Authenticator := 0x00
NAS-Identifier := 'Status Check 0. Are you alive?'
PING: Next status packet in 60 seconds
(0) ERROR: Failing proxied request, due to lack of any response
from home server remote-rad-server port 1812
Waking up in 0.3 seconds.
Waking up in 3.6 seconds.
No response to status check 2 for home server remote-rad-server port
1812
Waking up in 0.8 seconds.
(1) Cleaning up request packet ID 248 with timestamp +40
(0) Cleaning up request packet ID 36 with timestamp +10
Waking up in 57.0 seconds.
^C