VSA attributes sent with Access-Reject response

Contact (COEXSI) contact at coexsi.fr
Fri May 16 23:02:36 CEST 2014



> -----Original Message-----
> From: freeradius-users-bounces+contact=coexsi.fr at lists.freeradius.org
> [mailto:freeradius-users-bounces+contact=coexsi.fr at lists.freeradius.org]
> On Behalf Of Alan DeKok
> Sent: vendredi 16 mai 2014 22:36
> To: FreeRadius users mailing list
> Subject: Re: VSA attributes sent with Access-Reject response
> 
> Contact (COEXSI) wrote:
> > Yes, we had removed the "always" module as we didn't think it was for
> > production purposes.
> 
>   See "man radiusd".  It tells you how to make changes, so that you know
> it works.
> 
> > At the beginning of its configuration file, we can read it's used for
> > debugging:
> >
> > # The "always" module is here for debugging purposes. Each
> > # instance simply returns the same result, always, without
> > # doing anything.
> 
>   Well, it's used.
> 
> > After adding the "always" module, the configuration is parsed without
> > error. But the VSAs are still sent along with the EAP-MD5 Access-Challenge
> > response!
> 
>   If only there was some way of seeing what the server was doing.
> 

Sorry, I forgot to add the technical information...


Here is a cleaned extract of the configuration:
------------------------------------------------


authorize {
	preprocess
	chap
	mschap
	eap {
		# An EAP request is claimed by rlm_eap: return here instead of
		# running the remaining authorize modules for it.
		ok = return
	}
	# sql adds the radreply items (the Colubris-AVPair VSAs) to the reply
	# list at this point, i.e. before authentication has completed.
	sql
	pap
}
authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	# A bare "eap" entry that stood here registered its own Auth-Type EAP
	# list ahead of the block below, so the block (and its attr_filter)
	# was never reached: the debug output shows the group returning
	# "handled" straight after the first [eap] call. It has been removed.
	Auth-Type EAP {
		eap {
			# "handled" normally returns from the section at once;
			# giving it a priority lets the following "if" run.
			handled = 1
		}
		if (handled && (Response-Packet-Type == Access-Challenge)) {
			# strip everything the Access-Challenge filter does not allow
			attr_filter.access_challenge.post-auth
			handled
		}
	}
}
post-auth {
	sql
	# runs instead of the list above when the reply is an Access-Reject
	Post-Auth-Type REJECT {
		sql
		attr_filter.access_reject
	}
}
preacct {
	preprocess
	acct_unique
}
accounting {
	sql
	attr_filter.accounting_response
}


Here is the Access-Challenge sent with the VSAs:
-------------------------------------------


rad_recv: Access-Request packet from host X.X.X.X port 32771, id=141, length=152
        Acct-Session-Id = "5612ab46"
        NAS-Port = 0
        NAS-Port-Type = Wireless-802.11
        User-Name = "test"
        Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
        Called-Station-Id = "XX-XX-XX-XX-XX-XX"
        Framed-IP-Address = X.X.X.X
        EAP-Message = 0x028d00090174657374
        NAS-Identifier = "test"
        NAS-IP-Address = X.X.X.X
        Framed-MTU = 1496
        Connect-Info = "HTTPS"
        Service-Type = Administrative-User
        Message-Authenticator = 0x0be651342e0ab4fbfe8dbd0c99750120
Fri May 16 22:54:28 2014 : Info: server my_server {
Fri May 16 22:54:28 2014 : Info: # Executing section authorize from file /etc/raddb/partner.conf
Fri May 16 22:54:28 2014 : Info: +group authorize {
Fri May 16 22:54:28 2014 : Info: ++[preprocess] = ok
Fri May 16 22:54:28 2014 : Info: ++[chap] = noop
Fri May 16 22:54:28 2014 : Info: ++[mschap] = noop
Fri May 16 22:54:28 2014 : Info: [eap] EAP packet type response id 141 length 9
Fri May 16 22:54:28 2014 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Fri May 16 22:54:28 2014 : Info: ++[eap] = updated
Fri May 16 22:54:28 2014 : Info: [sql]  expand: %{User-Name} -> test
Fri May 16 22:54:28 2014 : Info: [sql] sql_set_user escaped user --> 'test'
Fri May 16 22:54:28 2014 : Debug: Closing socket 99 as its lifetime has been exceeded
Fri May 16 22:54:28 2014 : Info: rlm_sql (sql): Trying to (re)connect unconnected handle 99..
Fri May 16 22:54:28 2014 : Info: rlm_sql (sql): Attempting to connect rlm_sql_mysql #99
Fri May 16 22:54:28 2014 : Info: rlm_sql_mysql: Starting connect to MySQL server for #99
Fri May 16 22:54:28 2014 : Info: rlm_sql (sql): Connected new DB handle, #99
Fri May 16 22:54:28 2014 : Debug: rlm_sql (sql): Reserving sql socket id: 99
Fri May 16 22:54:28 2014 : Debug: rlm_sql (sql): got socket 99 after skipping 0 unconnected handles, tried to reconnect 1 though
Fri May 16 22:54:28 2014 : Info: [sql]  expand: CALL my_stored_procedure ('%{Virtual-Server}','AUTH_REQ','%{User-Name}','%{Client-IP-Address}','%{Calling-Station-Id}','%{Acct-Session-Id}','%{NAS-Identifier}','%{Called-Station-Id}','%{Framed-Protocol}','%{Acct-Delay-Time}','%{Acct-Terminate-Cause}','%{Acct-Session-Time}','%{Acct-Output-Packets}','%{Acct-Input-Packets}','%{Cleartext-Password}','%{reply:Packet-Type}','%{Acct-Status-Type}') -> CALL my_stored_procedure ('my_server','AUTH_REQ','test','X.X.X.X','XX-XX-XX-XX-XX-XX','5612ab46','test','XX-XX-XX-XX-XX-XX','','','','','','','','0','')
Fri May 16 22:54:28 2014 : Info: [sql] User found in radcheck table
Fri May 16 22:54:28 2014 : Info: [sql]  expand: CALL my_stored_procedure ('%{Virtual-Server}','AUTH_REPL','%{User-Name}','%{Client-IP-Address}','%{Calling-Station-Id}','%{Acct-Session-Id}','%{NAS-Identifier}','%{Called-Station-Id}','%{Framed-Protocol}','%{Acct-Delay-Time}','%{Acct-Terminate-Cause}','%{Acct-Session-Time}','%{Acct-Output-Packets}','%{Acct-Input-Packets}','%{Cleartext-Password}','%{reply:Packet-Type}','%{Acct-Status-Type}') -> CALL my_stored_procedure ('my_server','AUTH_REPL','test','X.X.X.X','XX-XX-XX-XX-XX-XX','5612ab46','test','XX-XX-XX-XX-XX-XX','','','','','','','','0','')
Fri May 16 22:54:28 2014 : Debug: rlm_sql (sql): Released sql socket id: 99
Fri May 16 22:54:28 2014 : Info: ++[sql] = ok
Fri May 16 22:54:28 2014 : Info: [pap] WARNING: Auth-Type already set.  Not setting to PAP
Fri May 16 22:54:28 2014 : Info: ++[pap] = noop
Fri May 16 22:54:28 2014 : Info: +} # group authorize = updated
Fri May 16 22:54:28 2014 : Info: Found Auth-Type = EAP
Fri May 16 22:54:28 2014 : Info: # Executing group from file /etc/raddb/partner.conf
Fri May 16 22:54:28 2014 : Info: +group authenticate {
Fri May 16 22:54:28 2014 : Info: [eap] EAP Identity
Fri May 16 22:54:28 2014 : Info: [eap] processing type md5
Fri May 16 22:54:28 2014 : Debug: rlm_eap_md5: Issuing Challenge
Fri May 16 22:54:28 2014 : Info: ++[eap] = handled
Fri May 16 22:54:28 2014 : Info: +} # group authenticate = handled
Fri May 16 22:54:28 2014 : Info: } # server my_server
Sending Access-Challenge of id 141 to X.X.X.X port 32771
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Colubris-AVPair += "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        EAP-Message = 0x018e00160410e4221f5be6c61e8cd9c9d5f403e52706
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x4a3d8da24ab389bc6e24b0dbbc2bac25
Fri May 16 22:54:28 2014 : Info: Finished request 0.
Fri May 16 22:54:28 2014 : Debug: Going to the next request


>   Alan DeKok.
> .
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
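An added example, not part of this thread and not FreeRADIUS code, that turns the log review the reply above points at into a script: it parses the "Sending <Code> of id <n> ..." blocks from radiusd -X output and reports attributes that an Access-Challenge or Access-Reject should not carry, such as the Colubris-AVPair reply items in the transcript. The allow-lists (taken from the RFC 2865 attribute table and RFC 3579, with Vendor-Specific deliberately left out of the challenge list), the regexes and the constructed sample transcript are assumptions of the example, not something the thread states.

```python
"""Audit radiusd -X output for attributes that should not be in a reply.

Parses every "Sending <Code> of id <n> to <host> port <p>" block that
FreeRADIUS debug output prints and checks the reply's attributes against a
per-code allow-list, so a leak of reply items into an Access-Challenge shows
up in a log review rather than on the NAS.
"""
import re
from collections import Counter

# Assumption for this example: the Access-Challenge and Access-Reject columns
# of the RFC 2865 section 5.44 attribute table plus EAP-Message and
# Message-Authenticator from RFC 3579. Vendor-Specific is left out of the
# challenge list on purpose: authorisation data should not reach the NAS
# before the EAP conversation has succeeded. Adjust the sets to match your
# own attrs.access_challenge / attrs.access_reject filter rules.
ALLOWED = {
    "Access-Challenge": {"EAP-Message", "Message-Authenticator", "State",
                         "Reply-Message", "Session-Timeout", "Idle-Timeout",
                         "Proxy-State"},
    "Access-Reject": {"EAP-Message", "Message-Authenticator", "Reply-Message",
                      "Proxy-State"},
}

SEND_RE = re.compile(r"^Sending (\S+) of id (\d+) to (\S+) port (\d+)")
# attribute lines are indented and read "Name = value" or "Name += value"
ATTR_RE = re.compile(r"^\s+([A-Za-z0-9-]+)\s*\+?=\s*(.*)$")


def parse_replies(debug_text):
    """Return one dict per reply block: code, id, and [(attr, value), ...]."""
    replies, current = [], None
    for line in debug_text.splitlines():
        m = SEND_RE.match(line)
        if m:
            current = {"code": m.group(1), "id": int(m.group(2)), "attrs": []}
            replies.append(current)
            continue
        m = ATTR_RE.match(line) if current is not None else None
        if m:
            current["attrs"].append((m.group(1), m.group(2).strip()))
        else:
            current = None  # first non-attribute line ends the block
    return replies


def audit_reply(reply):
    """Findings for one reply: disallowed attributes and missing EAP ones."""
    code, rid = reply["code"], reply["id"]
    names = Counter(name for name, _ in reply["attrs"])
    allowed = ALLOWED.get(code)
    if allowed is None:  # Access-Accept carries authorisation data by design
        return []
    findings = [f"{code} id={rid}: {n}x {name} not allowed in {code}"
                for name, n in names.items() if name not in allowed]
    if "EAP-Message" in names:
        if "Message-Authenticator" not in names:
            findings.append(f"{code} id={rid}: EAP reply without "
                            "Message-Authenticator (RFC 3579 section 3.2)")
        if code == "Access-Challenge" and "State" not in names:
            findings.append(f"{code} id={rid}: EAP challenge without State, "
                            "the next Access-Request cannot be correlated")
    return findings


def audit(debug_text):
    """All findings across a debug transcript, in packet order."""
    return [f for reply in parse_replies(debug_text) for f in audit_reply(reply)]


# Constructed sample modelled on the transcript above (values shortened).
SAMPLE = """\
Fri May 16 22:54:28 2014 : Info: } # server my_server
Sending Access-Challenge of id 141 to 192.0.2.10 port 32771
        Colubris-AVPair += "XXXX"
        Colubris-AVPair += "YYYY"
        EAP-Message = 0x018e00160410e4221f5be6c61e8cd9c9d5f403e52706
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x4a3d8da24ab389bc6e24b0dbbc2bac25
Fri May 16 22:54:28 2014 : Info: Finished request 0.
Sending Access-Reject of id 142 to 192.0.2.10 port 32771
        Colubris-AVPair += "XXXX"
        EAP-Message = 0x048f0004
        Message-Authenticator = 0x00000000000000000000000000000000
Fri May 16 22:54:29 2014 : Info: Finished request 1.
Sending Access-Accept of id 143 to 192.0.2.10 port 32771
        Colubris-AVPair += "XXXX"
        EAP-Message = 0x03900004
        Message-Authenticator = 0x00000000000000000000000000000000
Fri May 16 22:54:30 2014 : Info: Finished request 2.
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Feed it the saved output of radiusd -X (or the radius.log lines with the same "Sending ..." blocks) and compare the findings before and after the attr_filter change: a correct filter leaves only the EAP-Message, Message-Authenticator and State lines in the challenge, and the script then reports nothing for that packet.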


