proxying Access-Request Items (Attributes)

Orion Timbale timbaledorion at hotmail.com
Wed Oct 28 17:38:06 CET 2015 

Thanks Arran
You are my hero.
It works by adding attribute in our specific directory.


Tim

Le 26/10/2015 16:55, Arran Cudbard-Bell a écrit :
>> On Oct 26, 2015, at 11:48 AM, Orion Timbale <timbaledorion at hotmail.com> wrote:
>>
>>
>> Thanks to all freeradius users!!!!
>>
>>
>> I'm using freeradius v3.0.4 under Fedora 22.
>> I try to proxy some Access-Request and add some check item/attribute
>> before proxying.
>> The radiusd -X output regarding this problem looks like this:
>>
>> "Wed Oct 21 18:31:19 2015 : Debug: (0) # Executing section pre-proxy
>> from file /etc/raddb/sites-enabled/default
>> Wed Oct 21 18:31:19 2015 : Debug: (0)   pre-proxy {
>> Wed Oct 21 18:31:19 2015 : Debug: (0)   node.pre-proxy node.pre-proxy {
>> Wed Oct 21 18:31:19 2015 : Debug: (0)     if ("%{request:Packet-Type}"
>> == 'Access-Request')
>> Wed Oct 21 18:31:19 2015 : Debug: (0) EXPAND %{request:Packet-Type}
>> Wed Oct 21 18:31:19 2015 : Debug: (0)    --> Access-Request
>> Wed Oct 21 18:31:19 2015 : Debug: (0)     if ("%{request:Packet-Type}"
>> == 'Access-Request')   -> TRUE
>> Wed Oct 21 18:31:19 2015 : Debug: (0)    if ("%{request:Packet-Type}" ==
>> 'Access-Request')   {
>> Wed Oct 21 18:31:19 2015 : Debug: (0)     update proxy-request {
>> Wed Oct 21 18:31:19 2015 : Debug: (0)   &NodeID == '0000000002'
>> Wed Oct 21 18:31:19 2015 : Debug: (0) No existing attribute to filter,
>> adding instead
>> Wed Oct 21 18:31:19 2015 : Debug: (0)     } # update proxy-request = noop
>> Wed Oct 21 18:31:19 2015 : Debug: (0)    } # if
>> ("%{request:Packet-Type}" == 'Access-Request')   = noop
>> Wed Oct 21 18:31:19 2015 : Debug: (0)   } # byon-node.pre-proxy
>> byon-node.pre-proxy = noop
>> Wed Oct 21 18:31:19 2015 : Debug: (0)  } #  pre-proxy = noop
>> Wed Oct 21 18:31:19 2015 : Debug: (0) proxy: Trying to allocate ID (0/2)
>> Wed Oct 21 18:31:19 2015 : Debug: (0) proxy: Failed allocating ID:
>> Failed finding socket, caller must allocate a new one
>> Wed Oct 21 18:31:19 2015 : Debug: (0) proxy: Trying to open a new
>> listener to the home server
>> Wed Oct 21 18:31:19 2015 : Debug: Opening new proxy socket 'proxy
>> address * port 0'
>> Wed Oct 21 18:31:19 2015 : Debug: Listening on proxy address * port 45141
>> Wed Oct 21 18:31:19 2015 : Debug: (0) proxy: Trying to allocate ID (1/2)
>> Wed Oct 21 18:31:19 2015 : Debug: (0) proxy: request is now in proxy hash
>> Wed Oct 21 18:31:19 2015 : Debug: (0) proxy: allocating destination
>> 192.168.42.193 port 1812 - Id 16
>> Wed Oct 21 18:31:19 2015 : Debug: (0) Proxying request to home server
>> 192.168.42.193 port 1812 timeout 14.000000
>> Wed Oct 21 18:31:19 2015 : Debug: (0) Sending Access-Request packet to
>> host 192.168.42.193 port 1812, id=16, length=0
>> Wed Oct 21 18:31:19 2015 : Debug: (0)   User-Name =
>> 'fname.lname at my-network.com'
>> Wed Oct 21 18:31:19 2015 : Debug: (0)   User-Password = 'passme'
>> Wed Oct 21 18:31:19 2015 : Debug: (0)   NAS-IP-Address = 127.0.0.1
>> Wed Oct 21 18:31:19 2015 : Debug: (0)   NAS-Port = 100
>> Wed Oct 21 18:31:19 2015 : Debug: (0)   Message-Authenticator =
>> 0x29fc545638a7a1c6ec10b5f7e2c860c9
>> Wed Oct 21 18:31:19 2015 : Debug: (0)   Event-Timestamp = 'Oct 21 2015
>> 18:31:19 CEST'
>> Wed Oct 21 18:31:19 2015 : Debug: (0)   Realm = 'DEFAULT'
>> Wed Oct 21 18:31:19 2015 : Debug: (0)   Proxy-State = 0x3337
>> Wed Oct 21 18:31:19 2015 : Debug: (0)   NodeID == '0000000002'
>> Sending Access-Request Id 16 from 0.0.0.0:45141 to 192.168.42.193:1812
>>        User-Name = 'fname.lname at my-network.com'
>>        User-Password = 'passme'
>>        NAS-IP-Address = 127.0.0.1
>>        NAS-Port = 100
>>        Message-Authenticator = 0x29fc545638a7a1c6ec10b5f7e2c860c9
>>        Event-Timestamp = 'Oct 21 2015 18:31:19 CEST'
>>        Proxy-State = 0x3337"
>>
>>
>>
>> As you can see  Realm and NodeID are not passed to the radius proxy in
>> the access request.
> Because they're not protocol attributes, and so there's no way to encode them?
>
>> Can anyone suggest me something ?
> Define new VSAs under your IANA number.
>
> -Arran
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list