Attributes from users File not added to Proxy Response
Dr. Karl-Heinz Pape
dk8hi at web.de
Tue Oct 11 09:21:17 CEST 2016
Hello!
I am running FreeRADIUS Version 2.2.8 (the latest version available for
my current Ubuntu set-up).
The FreeRADIUS acts as a proxy and forwards the request to another
RADIUS.
The reply is received, and the entry in the users file appears to be
processed
(the doubled Auth-Type in the debug output shows this; and yes,
I have already removed Auth-Type from the users file, and it still does not
work).
However, the additional attributes from the users file are NOT added to the
reply that FreeRADIUS sends
to the NAS.
With an earlier version of FreeRADIUS these attributes were added,
as I can see from old
Wireshark captures of the RADIUS traffic.
The RedBack NAS requires Context-Name = dsl to select the
correct context.
Am I missing something?
Thanks in advance
Karl-Heinz
Here is the entry in the users file:
DEFAULT Realm == "alice-voip.de"
Session-Timeout = 86400,
Framed-MTU = 1492,
Context-Name = dsl
And here the debug output:
root at dnsrad1:/etc/freeradius# freeradius -X
freeradius: FreeRADIUS Version 2.2.8, for host x86_64-pc-linux-gnu,
built on Apr 5 2016 at 13:40:43
Copyright (C) 1999-2015 The FreeRADIUS server project and contributors.
.....
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
realm alice-voip.de {
nostrip
authhost = www.xxx.yyy.zzz:1812
secret = testing123
}
.....
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client www.xxx.yyy.zzz {
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file
/etc/freeradius/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file
/etc/freeradius/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/etc/freeradius/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/etc/freeradius/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan
"
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
modules {
Module: Creating Auth-Type = digest
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file
/etc/freeradius/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file
/etc/freeradius/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file
/etc/freeradius/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file
/etc/freeradius/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file
/etc/freeradius/modules/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 1024
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.key"
certificate_file = "/etc/freeradius/certs/server.pem"
CA_file = "/etc/freeradius/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/freeradius/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/freeradius/certs/bootstrap"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/etc/freeradius/modules/preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /etc/freeradius/huntgroups
reading pairlist file /etc/freeradius/hints
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file
/etc/freeradius/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file
/etc/freeradius/modules/files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
reading pairlist file /etc/freeradius/users
-----
-----
reading pairlist file /etc/freeradius/acct_users
reading pairlist file /etc/freeradius/preproxy_users
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/etc/freeradius/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
NAS-Identifier, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file
/etc/freeradius/modules/detail
detail {
detailfile =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-I
Pv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
escape_filenames = no
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from
file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/attrs.accounting_response
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file
/etc/freeradius/modules/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file
/etc/freeradius/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/attrs.access_reject
} # modules
} # server
server inner-tunnel { # from file
/etc/freeradius/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
... adding new socket proxy address * port 56616
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
.....
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host www.xxx.yyy.zzz port 1812,
id=72, length=304
User-Name = "1905462460-001C28 at alice-voip.de"
User-Password = "1234567820"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Identifier = "BRRB-0262-03-01"
NAS-Port = 301996733
NAS-Real-Port = 301991893
NAS-Port-Type = Virtual
NAS-Port-Id = "1/2 vlan-id 2005 pppoe 6845"
Medium-Type = DSL
Mac-Addr = "00-1c-28-18-66-b6"
Connect-Info = "outer-tag"
Platform-Type = SE-400
OS-Version = "6.1.3.4p2"
Agent-Circuit-Id =
0x454448552d303236322d30332d30312061746d2030302f353a312e3335
ADSL-Agent-Circuit-Id = "EDHU-0262-03-01 atm 00/5:1.35"
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "alice-voip.de" for User-Name =
"1905462460-001C28 at alice-voip.de"
[suffix] Found realm "alice-voip.de"
[suffix] Adding Realm = "alice-voip.de"
[suffix] Proxying request from user 1905462460-001C28 to realm
alice-voip.de
[suffix] Preparing to proxy authentication request to realm
"alice-voip.de"
++[suffix] = updated
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry DEFAULT at line 219
++[files] = ok
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
+} # group authorize = updated
WARNING: Empty pre-proxy section. Using default return values.
Sending Access-Request of id 133 to www.xxx.yyy.zzz port 1812
User-Name = "1905462460-001C28 at alice-voip.de"
User-Password = "1234567820"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Identifier = "BRRB-0262-03-01"
NAS-Port = 301996733
NAS-Real-Port = 301991893
NAS-Port-Type = Virtual
NAS-Port-Id = "1/2 vlan-id 2005 pppoe 6845"
Medium-Type = DSL
Mac-Addr = "00-1c-28-18-66-b6"
Connect-Info = "outer-tag"
Platform-Type = SE-400
OS-Version = "6.1.3.4p2"
Agent-Circuit-Id =
0x454448552d303236322d30332d30312061746d2030302f353a312e3335
ADSL-Agent-Circuit-Id = "EDHU-0262-03-01 atm 00/5:1.35"
NAS-IP-Address = www.xxx.yyy.zzz
Proxy-State = 0x3732
Proxying request 7 to home server www.xxx.yyy.zzz port 1812
Sending Access-Request of id 133 to www.xxx.yyy.zzz port 1812
User-Name = "1905462460-001C28 at alice-voip.de"
User-Password = "1234567820"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Identifier = "BRRB-0262-03-01"
NAS-Port = 301996733
NAS-Real-Port = 301991893
NAS-Port-Type = Virtual
NAS-Port-Id = "1/2 vlan-id 2005 pppoe 6845"
Medium-Type = DSL
Mac-Addr = "00-1c-28-18-66-b6"
Connect-Info = "outer-tag"
Platform-Type = SE-400
OS-Version = "6.1.3.4p2"
Agent-Circuit-Id =
0x454448552d303236322d30332d30312061746d2030302f353a312e3335
ADSL-Agent-Circuit-Id = "EDHU-0262-03-01 atm 00/5:1.35"
NAS-IP-Address = www.xxx.yyy.zzz
Proxy-State = 0x3732
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host www.xxx.yyy.zzz port 1812,
id=133, length=274
Tunnel-Type:1 = L2TP
Tunnel-Client-Auth-Id:1 = "hn_alice_voip"
Tunnel-Assignment-Id:1 = "hn_alice_voip"
Attr-69 = 0x01555555555555555555555555555555
Tunnel-Preference:1 = 1
Tunnel-Medium-Type:1 = IPv4
Tunnel-Server-Endpoint:1 = "www.xxx.yyy.zzz"
Tunnel-Type:2 = L2TP
Tunnel-Client-Auth-Id:2 = "hn_alice_voip"
Tunnel-Assignment-Id:2 = "hn_alice_voip"
Attr-69 = 0x02555555555555555555555555555555
Tunnel-Preference:2 = 2
Tunnel-Medium-Type:2 = IPv4
Tunnel-Server-Endpoint:2 = "www.xxx.yyy.zzy"
Tunnel-Type:3 = L2TP
Tunnel-Client-Auth-Id:3 = "hn_alice_voip"
Tunnel-Assignment-Id:3 = "hn_alice_voip"
Attr-69 = 0x03555555555555555555555555555555
Tunnel-Preference:3 = 3
Tunnel-Medium-Type:3 = IPv4
Tunnel-Server-Endpoint:3 = "www.xxx.yyy.zzx"
Proxy-State = 0x3732
# Executing section post-proxy from file
/etc/freeradius/sites-enabled/default
+group post-proxy {
[eap] No pre-existing handler found
++[eap] = noop
+} # group post-proxy = noop
Found Auth-Type = Accept
Found Auth-Type = Accept
Warning: Found 2 auth-types on request for user
'1905462460-001C28 at alice-voip.de'
Auth-Type = Accept, accepting the user
Login OK: [1905462460-001C28 at alice-voip.de/1234567820] (from client
www.xxx.yyy.zzz port 301996733)
# Executing section post-auth from file
/etc/freeradius/sites-enabled/default
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 72 to www.xxx.yyy.zzz port 1812
Tunnel-Type:1 = L2TP
Tunnel-Client-Auth-Id:1 = "hn_alice_voip"
Tunnel-Assignment-Id:1 = "hn_alice_voip"
Attr-69 = 0x01555555555555555555555555555555
Tunnel-Preference:1 = 1
Tunnel-Medium-Type:1 = IPv4
Tunnel-Server-Endpoint:1 = "www.xxx.yyy.zzz"
Tunnel-Type:2 = L2TP
Tunnel-Client-Auth-Id:2 = "hn_alice_voip"
Tunnel-Assignment-Id:2 = "hn_alice_voip"
Attr-69 = 0x02555555555555555555555555555555
Tunnel-Preference:2 = 2
Tunnel-Medium-Type:2 = IPv4
Tunnel-Server-Endpoint:2 = "www.xxx.yyy.zzy"
Tunnel-Type:3 = L2TP
Tunnel-Client-Auth-Id:3 = "hn_alice_voip"
Tunnel-Assignment-Id:3 = "hn_alice_voip"
Attr-69 = 0x03555555555555555555555555555555
Tunnel-Preference:3 = 3
Tunnel-Medium-Type:3 = IPv4
Tunnel-Server-Endpoint:3 = "www.xxx.yyy.zzx"
Finished request 7.
Going to the next request
Waking up in 3.8 seconds.
^C
root at dnsrad1:/etc/freeradius#
================ end of debug output =================