Proxied Access-Challenge requests are missing AVPs
Leonardo Arena
rnalrd at gmail.com
Fri Sep 11 10:20:50 CEST 2015
On Thu, 2015-09-10 at 18:47 +0100, Arran Cudbard-Bell wrote:
> > On 10 Sep 2015, at 15:57, Leonardo Arena <rnalrd at gmail.com> wrote:
> >
> > Hi list,
> >
> > I have a FreeRADIUS 3.0.3 proxy which forwards all Cisco WAPs
> > Wireless-802.11 authentication requests to a Windows NPS server. Clients
> > use PEAP to authenticate.
> >
> > What I'm seeing is that the Access-Challenge from the NPS is forwarded
> > without any AVPs, and of course the WAP silently drops it.
> >
> > Please find below the debug output and the relevant configuration files
> > attached.
> >
> > Couldn't really find anything helpful in the ML archive.
> >
> > Could you please give me any suggestion of what could be wrong?
>
> Weird, unless you list a filter module in post-proxy the response should be forwarded. You're using a very out of date version of v3.0.x though, try 3.0.9 and see if you still see the same issue.
>
I'm using the default attr-filter module (see below) and AFAICS it's used
only by inner-tunnel, and I don't have any post-proxy file.
I'll give it a shot with 3.0.9, although with 3.0.4 clients.conf changed
syntax IIRC and that's why we stick with 3.0.3. Upgrading clients.conf
in 200+ installations does not look like an attractive option. :)
Thanks!
- leo
/etc/raddb/mods-enabled# cat attr_filter
# -*- text -*-
#
#  $Id: 1caff077b2429c948a04777fcd619be901ac83dc $
#
#  This file defines a number of instances of the "attr_filter" module.
#

# attr_filter - filters the attributes received in replies from
# proxied servers, to make sure we send back to our RADIUS client
# only allowed attributes.
attr_filter attr_filter.post-proxy {
	key = "%{Realm}"
	filename = ${modconfdir}/${.:name}/post-proxy
}

# attr_filter - filters the attributes in the packets we send to
# the RADIUS home servers.
attr_filter attr_filter.pre-proxy {
	key = "%{Realm}"
	filename = ${modconfdir}/${.:name}/pre-proxy
}

# Enforce RFC requirements on the contents of Access-Reject
# packets.  See the comments at the top of the file for
# more details.
#
attr_filter attr_filter.access_reject {
	key = "%{User-Name}"
	filename = ${modconfdir}/${.:name}/access_reject
}

# Enforce RFC requirements on the contents of Access-Challenge
# packets.  See the comments at the top of the file for
# more details.
#
attr_filter attr_filter.access_challenge {
	key = "%{User-Name}"
	filename = ${modconfdir}/${.:name}/access_challenge
}

# Enforce RFC requirements on the contents of the
# Accounting-Response packets.  See the comments at the
# top of the file for more details.
#
attr_filter attr_filter.accounting_response {
	key = "%{User-Name}"
	filename = ${modconfdir}/${.:name}/accounting_response
}
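
The instances above are only definitions; whether a proxied Access-Challenge is filtered depends on where they are called in the virtual servers. The following is an added example, not part of the original message or of FreeRADIUS: a small scanner that lists every uncommented attr_filter call together with its enclosing section. The function name find_filter_calls and the sample site file are constructed for illustration.

```python
import re
import sys

# Constructed sample virtual-server file (illustrative, not from the thread).
SAMPLE_SITE = """\
server default {
    post-proxy {
        # attr_filter.post-proxy
        eap
    }
    post-auth {
        Post-Auth-Type Challenge {
            attr_filter.access_challenge
        }
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
}
"""

# Matches attr_filter, attr_filter.post-proxy, attr_filter.x.post-auth, ...
REF = re.compile(r"\battr_filter(?:\.[\w-]+)*")

def find_filter_calls(text):
    """Return (line_no, section_path, module_ref) for each active call.

    Lines that open a block (ending in '{') are treated as section or
    module definitions, so 'attr_filter attr_filter.post-proxy {' is
    not reported. Simplification: '#' always starts a comment.
    """
    stack, hits = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line.startswith("}"):          # close the current section
            if stack:
                stack.pop()
            line = line[1:].strip()       # handles "} else {"
        if line.endswith("{"):            # open a new section
            stack.append(line[:-1].strip())
            continue
        match = REF.search(line)
        if match:
            hits.append((no, " > ".join(stack), match.group(0)))
    return hits

if __name__ == "__main__":
    texts = [open(p).read() for p in sys.argv[1:]] or [SAMPLE_SITE]
    for text in texts:
        for no, path, ref in find_filter_calls(text):
            print(f"line {no}: {ref}  (in {path})")
```

Run it against each file under sites-enabled; any hit whose section path includes post-proxy or a Challenge post-auth block is a place where reply attributes can be stripped before the packet reaches the NAS.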