Strange behavior of files module in post-auth
Stabla, Daniel
dstabla at materna.de
Fri Feb 27 15:17:20 CET 2015
Hi,
we are trying to send VLAN attributes to our clients after a successful
authentication.
A file "rad-vlan" contains the MAC address as the search key, together with the
other attributes we want to assign.
"rad-vlan" is an instance of the files module and is called from the post-auth
section, where it does nothing. Only when we call it as rad-vlan.authorize is
it processed successfully.
Without ".authorize":
Configuration
############################
# Virtual server as posted ("without .authorize").  Only comments have been
# added; the configuration lines are the poster's.
server eap_server {
    listen {
        ipaddr = *
        # 1645 is the legacy RADIUS authentication port; RFC 2865 assigns
        # 1812.  Either works as long as the NAS is configured to match.
        port = 1645
        type = auth
        limit {
        }
    }

    authorize {
        eap {
            ok = return
        }
        # A bare module name in authorize runs the module's authorize method.
        files
        expiration
        logintime
    }

    authenticate {
        # The Auth-Type sub-sections are empty in this excerpt.
        Auth-Type PAP {
        }
        Auth-Type CHAP {
        }
        Auth-Type MS-CHAP {
        }
        eap
        Auth-Type eap {
            eap {
                handled = 1
            }
            if (handled && (Response-Packet-Type == Access-Challenge)) {
            }
        }
    }

    preacct {
        preprocess
        acct_unique
        files
    }

    accounting {
        detail
        exec
    }

    session {
    }

    post-auth {
        # Split "DOMAIN\user" into Realm and Stripped-User-Name.
        # NOTE(review): in the debug trace that follows, %{1} expands to
        # "materna\" — the Realm keeps a trailing backslash, so the separator
        # is not being consumed the way this regex seems to intend.  Check
        # how many backslashes the User-Name actually carries and how "\\\\"
        # is unescaped before it reaches the regex engine.
        if ("%{request:User-Name}" =~ /^(.*)\\\\(.*)/) {
            update request {
                Stripped-User-Name := "%{2}"
                Realm := "%{1}"
            }
        }
        # 13 = VLAN, 6 = IEEE-802 (the debug trace shows them decoded).
        update reply {
            Tunnel-Type := "13"
            Tunnel-Medium-Type := "6"
        }
        # NOTE(review): called by bare name here, this files instance expands
        # %{Calling-Station-Id} but returns noop without matching the entry
        # (see the debug trace).  In post-auth a bare module name runs the
        # module's post-auth method rather than its authorize method, and for
        # rlm_files that method does not consult the usersfile — confirm
        # against the rlm_files documentation for this version.
        rad-vlan  # <----------------------------------------------------
        # NOTE(review): when rad-vlan has not set the control attribute this
        # still sends Tunnel-Type/Tunnel-Medium-Type with an empty
        # Tunnel-Private-Group-Id (debug: Tunnel-Private-Group-Id = "").
        # Consider guarding the update with
        # `if (&control:Tunnel-Private-Group-Id)` so a client with no entry
        # gets no half-formed VLAN assignment.  Note also that the lookup key
        # is the NAS-reported MAC address, which is separate from the
        # EAP-authenticated user identity.
        update reply {
            Tunnel-Private-Group-Id="%{control:Tunnel-Private-Group-Id}"
        }
        Post-Auth-Type REJECT {
            eap
        }
    }

    pre-proxy {
    }

    post-proxy {
        eap
    }
}
Debugoutput
####################################################
(14) } # authenticate = ok
(14) Login OK: [materna\\ldapsearch/<via Auth-Type = EAP>] (from client
sles11 port 0 cli 12-34-56-78-90-AB)
(14) # Executing section post-auth from file
/etc/radiusd/sites-enabled/default
(14) post-auth {
(14) if ("%{request:User-Name}" =~ /^(.*)\\\\(.*)/)
(14) EXPAND %{request:User-Name}
(14) --> materna\\ldapsearch
(14) if ("%{request:User-Name}" =~ /^(.*)\\\\(.*)/) -> TRUE
(14) if ("%{request:User-Name}" =~ /^(.*)\\\\(.*)/) {
(14) update request {
(14) EXPAND %{2}
(14) --> ldapsearch
(14) Stripped-User-Name := "ldapsearch"
(14) EXPAND %{1}
(14) --> materna\
(14) Realm := "materna\\"
(14) } # update request = noop
(14) } # if ("%{request:User-Name}" =~ /^(.*)\\\\(.*)/) = noop
(14) update reply {
(14) Tunnel-Type := VLAN
(14) Tunnel-Medium-Type := IEEE-802
(14) } # update reply = noop
(14) rad-vlan : EXPAND %{Calling-Station-Id}
<----------------------------------------------------
(14) rad-vlan : --> 12-34-56-78-90-AB
<----------------------------------------------------
(14) [rad-vlan] = noop
(14) update reply {
(14) EXPAND %{control:Tunnel-Private-Group-Id}
(14) -->
(14) Tunnel-Private-Group-Id = ""
(14) } # update reply = noop
(14) } # post-auth = noop
With ".authorize":
Configuration
#############################################################################
# Virtual server as posted ("with .authorize").  Only comments have been
# added; the configuration lines are the poster's.
server eap_server {
    listen {
        ipaddr = *
        # 1645 is the legacy RADIUS authentication port; RFC 2865 assigns
        # 1812.  Either works as long as the NAS is configured to match.
        port = 1645
        type = auth
        limit {
        }
    }

    authorize {
        eap {
            ok = return
        }
        # A bare module name in authorize runs the module's authorize method.
        files
        expiration
        logintime
    }

    authenticate {
        # The Auth-Type sub-sections are empty in this excerpt.
        Auth-Type PAP {
        }
        Auth-Type CHAP {
        }
        Auth-Type MS-CHAP {
        }
        eap
        Auth-Type eap {
            eap {
                handled = 1
            }
            if (handled && (Response-Packet-Type == Access-Challenge)) {
            }
        }
    }

    preacct {
        preprocess
        acct_unique
        files
    }

    accounting {
        detail
        exec
    }

    session {
    }

    post-auth {
        # Split "DOMAIN\user" into Realm and Stripped-User-Name.
        # NOTE(review): in the debug trace that follows, %{1} expands to
        # "materna\" — the Realm keeps a trailing backslash, so the separator
        # is not being consumed the way this regex seems to intend.  Check
        # how many backslashes the User-Name actually carries and how "\\\\"
        # is unescaped before it reaches the regex engine.
        if ("%{request:User-Name}" =~ /^(.*)\\\\(.*)/) {
            update request {
                Stripped-User-Name := "%{2}"
                Realm := "%{1}"
            }
        }
        # 13 = VLAN, 6 = IEEE-802 (the debug trace shows them decoded).
        update reply {
            Tunnel-Type := "13"
            Tunnel-Medium-Type := "6"
        }
        # Explicitly calling the authorize method makes this files instance
        # look up %{Calling-Station-Id} in its usersfile; the debug trace
        # shows "Matched entry ... at line 1" and a return of ok.  This is the
        # form that sets control:Tunnel-Private-Group-Id for the update below.
        # The lookup key is the NAS-reported MAC address, which is separate
        # from the EAP-authenticated user identity — keep that in mind when
        # deciding what a MAC-keyed entry is allowed to grant.
        rad-vlan.authorize  # <----------------------------------------------------
        # NOTE(review): a client with no matching entry would still get
        # Tunnel-Type/Tunnel-Medium-Type with an empty Tunnel-Private-Group-Id
        # here; consider guarding the update with
        # `if (&control:Tunnel-Private-Group-Id)`.
        update reply {
            Tunnel-Private-Group-Id="%{control:Tunnel-Private-Group-Id}"
        }
        Post-Auth-Type REJECT {
            eap
        }
    }

    pre-proxy {
    }

    post-proxy {
        eap
    }
}
Debugoutput
#################################################################
(14) } # authenticate = ok
(14) Login OK: [materna\\ldapsearch/<via Auth-Type = EAP>] (from client
sles11 port 0 cli 12-34-56-78-90-AB)
(14) # Executing section post-auth from file
/etc/radiusd/sites-enabled/default
(14) post-auth {
(14) if ("%{request:User-Name}" =~ /^(.*)\\\\(.*)/)
(14) EXPAND %{request:User-Name}
(14) --> materna\\ldapsearch
(14) if ("%{request:User-Name}" =~ /^(.*)\\\\(.*)/) -> TRUE
(14) if ("%{request:User-Name}" =~ /^(.*)\\\\(.*)/) {
(14) update request {
(14) EXPAND %{2}
(14) --> ldapsearch
(14) Stripped-User-Name := "ldapsearch"
(14) EXPAND %{1}
(14) --> materna\
(14) Realm := "materna\\"
(14) } # update request = noop
(14) } # if ("%{request:User-Name}" =~ /^(.*)\\\\(.*)/) = noop
(14) update reply {
(14) Tunnel-Type := VLAN
(14) Tunnel-Medium-Type := IEEE-802
(14) } # update reply = noop
(14) rad-vlan : EXPAND %{Calling-Station-Id}
(14) rad-vlan : --> 12-34-56-78-90-AB
(14) rad-vlan : users: Matched entry 12-34-56-78-90-AB at line 1
(14) [rad-vlan.authorize] = ok
(14) update reply {
(14) EXPAND %{control:Tunnel-Private-Group-Id}
(14) --> 200
(14) Tunnel-Private-Group-Id = "200"
(14) } # update reply = noop
(14) } # post-auth = ok