proxy keyed-balance setting

Scott McLane Gardner sgardne at uark.edu
Wed Sep 7 21:44:29 CEST 2016


>  Try changing the Load-Balance-Key to User-Name.  And then using radtest for simple tests.  That gets you the useful debug information, without tons of EAP stuff.

>  But... the Load-Balance-Key seems to work here.  I haven't heard of anyone else having issues with it.

The users get rejected because they're fake, but I get the same results using User-Name. Here are 2 clients trying to connect; with different usernames, both go to the same server. These 2 clients are the only ones using this server right now.

Received Access-Request Id 4 from 10.7.2.37:37771 to 10.7.0.28:1812 length 77
	User-Name = 'user1'
	User-Password = 'REDACTED'
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 43
	Message-Authenticator = 0xa09859e7179919143cd31505405ef595
(0) Received Access-Request packet from host 10.7.2.37 port 37771, id=4, length=77
(0) 	User-Name = 'user1'
(0) 	User-Password = 'REDACTED'
(0) 	NAS-IP-Address = 127.0.0.1
(0) 	NAS-Port = 43
(0) 	Message-Authenticator = 0xa09859e7179919143cd31505405ef595
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   authorize {
(0)   filter_username filter_username {
(0)     if (!&User-Name) 
(0)     if (!&User-Name)  -> FALSE
(0)     if (&User-Name =~ / /) 
(0)     if (&User-Name =~ / /)  -> FALSE
(0)     if (&User-Name =~ /@.*@/ ) 
(0)     if (&User-Name =~ /@.*@/ )  -> FALSE
(0)     if (&User-Name =~ /\\.\\./ ) 
(0)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(0)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))  
(0)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(0)     if (&User-Name =~ /\\.$/)  
(0)     if (&User-Name =~ /\\.$/)   -> FALSE
(0)     if (&User-Name =~ /@\\./)  
(0)     if (&User-Name =~ /@\\./)   -> FALSE
(0)   } # filter_username filter_username = notfound
(0)   [preprocess] = ok
(0)   [chap] = noop
(0)   [mschap] = noop
(0)   [digest] = noop
(0)  suffix : Checking for suffix after "@"
(0)  suffix : No '@' in User-Name = "user1", looking up realm NULL
(0)  suffix : Found realm "DEFAULT"
(0)  suffix : Adding Stripped-User-Name = "user1"
(0)  suffix : Adding Realm = "DEFAULT"
(0)  suffix : Proxying request from user user1 to realm DEFAULT
(0)  suffix : Preparing to proxy authentication request to realm "DEFAULT" 
(0)   [suffix] = updated
(0)  eap : No EAP-Message, not doing EAP
(0)   [eap] = noop
(0)  files : users: Matched entry DEFAULT at line 2
(0)   [files] = ok
(0)   [expiration] = noop
(0)   [logintime] = noop
(0)   [pap] = noop
(0)  } #  authorize = updated
(0) # Executing section pre-proxy from file /etc/raddb/sites-enabled/default
(0)   pre-proxy {
(0)   update control {
(0) EXPAND %{User-Name}
(0)    --> user1
(0) 	Load-Balance-Key := "user1"
(0)   } # update control = noop
(0)  } #  pre-proxy = noop
Opening new proxy socket 'proxy address * port 0'
Listening on proxy address * port 47824
(0) Proxying request to home server 10.7.0.29 port 1812 timeout 20.000000
(0) Sending Access-Request packet to host 10.7.0.29 port 1812, id=38, length=0
(0) 	User-Name = 'user1'
(0) 	User-Password = 'REDACTED'
(0) 	NAS-IP-Address = 127.0.0.1
(0) 	NAS-Port = 43
(0) 	Message-Authenticator = 0xa09859e7179919143cd31505405ef595
(0) 	Event-Timestamp = 'Sep  7 2016 14:36:26 CDT'
(0) 	Stripped-User-Name = 'user1'
(0) 	Realm = 'DEFAULT'
(0) 	Proxy-State = 0x34
Sending Access-Request Id 38 from 0.0.0.0:47824 to 10.7.0.29:1812
	User-Name = 'user1'
	User-Password = 'REDACTED'
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 43
	Message-Authenticator = 0xa09859e7179919143cd31505405ef595
	Event-Timestamp = 'Sep  7 2016 14:36:26 CDT'
	Proxy-State = 0x34
Waking up in 0.3 seconds.
Waking up in 0.1 seconds.
(0) Expecting proxy response no later than 19.499780 seconds from now
Waking up in 19.4 seconds.
Received Access-Reject Id 38 from 10.7.0.29:1812 to 10.7.0.28:47824 length 23
	Proxy-State = 0x34
(0) Received Access-Reject packet from host 10.7.0.29 port 1812, id=38, length=23
(0) 	Proxy-State = 0x34
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)  Post-Auth-Type REJECT {
(0)  attr_filter.access_reject : EXPAND %{User-Name}
(0)  attr_filter.access_reject :    --> user1
(0)  attr_filter.access_reject : Matched entry DEFAULT at line 11
(0)   [attr_filter.access_reject] = updated
(0)  eap : Request didn't contain an EAP-Message, not inserting EAP-Failure
(0)   [eap] = noop
(0)   remove_reply_message_if_eap remove_reply_message_if_eap {
(0)     if (&reply:EAP-Message && &reply:Reply-Message) 
(0)     if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)    else else {
(0)     [noop] = noop
(0)    } # else else = noop
(0)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(0)  } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sending Access-Reject packet to host 10.7.2.37 port 37771, id=4, length=0
Sending Access-Reject Id 4 from 10.7.0.28:1812 to 10.7.2.37:37771
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 4 with timestamp +231
Ready to process requests
Received Access-Request Id 134 from 10.7.2.37:42049 to 10.7.0.28:1812 length 77
	User-Name = 'user2'
	User-Password = 'REDACTED'
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 43
	Message-Authenticator = 0x8492cc7453e8c02139f1b8081cc8b0d7
(1) Received Access-Request packet from host 10.7.2.37 port 42049, id=134, length=77
(1) 	User-Name = 'user2'
(1) 	User-Password = 'REDACTED'
(1) 	NAS-IP-Address = 127.0.0.1
(1) 	NAS-Port = 43
(1) 	Message-Authenticator = 0x8492cc7453e8c02139f1b8081cc8b0d7
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1)   authorize {
(1)   filter_username filter_username {
(1)     if (!&User-Name) 
(1)     if (!&User-Name)  -> FALSE
(1)     if (&User-Name =~ / /) 
(1)     if (&User-Name =~ / /)  -> FALSE
(1)     if (&User-Name =~ /@.*@/ ) 
(1)     if (&User-Name =~ /@.*@/ )  -> FALSE
(1)     if (&User-Name =~ /\\.\\./ ) 
(1)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(1)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))  
(1)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(1)     if (&User-Name =~ /\\.$/)  
(1)     if (&User-Name =~ /\\.$/)   -> FALSE
(1)     if (&User-Name =~ /@\\./)  
(1)     if (&User-Name =~ /@\\./)   -> FALSE
(1)   } # filter_username filter_username = notfound
(1)   [preprocess] = ok
(1)   [chap] = noop
(1)   [mschap] = noop
(1)   [digest] = noop
(1)  suffix : Checking for suffix after "@"
(1)  suffix : No '@' in User-Name = "user2", looking up realm NULL
(1)  suffix : Found realm "DEFAULT"
(1)  suffix : Adding Stripped-User-Name = "user2"
(1)  suffix : Adding Realm = "DEFAULT"
(1)  suffix : Proxying request from user user2 to realm DEFAULT
(1)  suffix : Preparing to proxy authentication request to realm "DEFAULT" 
(1)   [suffix] = updated
(1)  eap : No EAP-Message, not doing EAP
(1)   [eap] = noop
(1)  files : users: Matched entry DEFAULT at line 2
(1)   [files] = ok
(1)   [expiration] = noop
(1)   [logintime] = noop
(1)   [pap] = noop
(1)  } #  authorize = updated
(1) # Executing section pre-proxy from file /etc/raddb/sites-enabled/default
(1)   pre-proxy {
(1)   update control {
(1) EXPAND %{User-Name}
(1)    --> user2
(1) 	Load-Balance-Key := "user2"
(1)   } # update control = noop
(1)  } #  pre-proxy = noop
(1) Proxying request to home server 10.7.0.29 port 1812 timeout 20.000000
(1) Sending Access-Request packet to host 10.7.0.29 port 1812, id=246, length=0
(1) 	User-Name = 'user2'
(1) 	User-Password = 'REDACTED'
(1) 	NAS-IP-Address = 127.0.0.1
(1) 	NAS-Port = 43
(1) 	Message-Authenticator = 0x8492cc7453e8c02139f1b8081cc8b0d7
(1) 	Event-Timestamp = 'Sep  7 2016 14:36:50 CDT'
(1) 	Stripped-User-Name = 'user2'
(1) 	Realm = 'DEFAULT'
(1) 	Proxy-State = 0x313334
Sending Access-Request Id 246 from 0.0.0.0:47824 to 10.7.0.29:1812
	User-Name = 'user2'
	User-Password = 'REDACTED'
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 43
	Message-Authenticator = 0x8492cc7453e8c02139f1b8081cc8b0d7
	Event-Timestamp = 'Sep  7 2016 14:36:50 CDT'
	Proxy-State = 0x313334
Waking up in 0.3 seconds.
Waking up in 0.1 seconds.
(1) Expecting proxy response no later than 19.499795 seconds from now
Waking up in 19.4 seconds.
Received Access-Reject Id 246 from 10.7.0.29:1812 to 10.7.0.28:47824 length 25
	Proxy-State = 0x313334
(1) Received Access-Reject packet from host 10.7.0.29 port 1812, id=246, length=25
(1) 	Proxy-State = 0x313334
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1)  Post-Auth-Type REJECT {
(1)  attr_filter.access_reject : EXPAND %{User-Name}
(1)  attr_filter.access_reject :    --> user2
(1)  attr_filter.access_reject : Matched entry DEFAULT at line 11
(1)   [attr_filter.access_reject] = updated
(1)  eap : Request didn't contain an EAP-Message, not inserting EAP-Failure
(1)   [eap] = noop
(1)   remove_reply_message_if_eap remove_reply_message_if_eap {
(1)     if (&reply:EAP-Message && &reply:Reply-Message) 
(1)     if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(1)    else else {
(1)     [noop] = noop
(1)    } # else else = noop
(1)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(1)  } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(1) Sending delayed response
(1) Sending Access-Reject packet to host 10.7.2.37 port 42049, id=134, length=0
Sending Access-Reject Id 134 from 10.7.0.28:1812 to 10.7.2.37:42049
Waking up in 3.9 seconds.
(1) Cleaning up request packet ID 134 with timestamp +255
Ready to process requests
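What the keyed-balance pool type does with the Load-Balance-Key set in the pre-proxy section above, shown as an added example that is not from the original post and is not FreeRADIUS's own code: the key is hashed and the hash picks one home server out of the pool, so the same key always lands on the same server, and two different keys land on the same one of N servers with probability 1/N. The hash function (SHA-256 here) and the pool contents are assumptions; FreeRADIUS uses its own internal hash, so the concrete server chosen for "user1" and "user2" will differ from what this script prints, but the property it demonstrates is the documented one: a keyed pool is deterministic per key, not round-robin, and two samples cannot tell a working keyed pool from a broken one.

```python
"""Illustrative keyed-balance selection (not FreeRADIUS's implementation)."""
from __future__ import annotations

import hashlib
from collections import Counter

# Constructed pool. 10.7.0.29 is the home server seen in the debug output;
# the second entry is an assumed placeholder, since the trace never shows
# a second server and cannot confirm that the pool contains one.
SERVERS = ["10.7.0.29", "SECOND_HOME_SERVER_PLACEHOLDER"]


def keyed_balance(key: str, servers: list[str]) -> str:
    """Pick a home server from the hash of the Load-Balance-Key.

    Stand-in for the keyed-balance pool type: deterministic per key,
    index = hash(key) mod pool size. The real server's hash differs.
    """
    if not servers:
        raise ValueError("home_server_pool has no servers")
    digest = hashlib.sha256(key.encode("utf-8")).digest()
    index = int.from_bytes(digest[:4], "big") % len(servers)
    return servers[index]


def distribution(keys: list[str], servers: list[str]) -> dict[str, int]:
    """How many of the given keys map to each server."""
    return dict(Counter(keyed_balance(k, servers) for k in keys))


def collision_rate(keys: list[str], servers: list[str]) -> float:
    """Fraction of consecutive key pairs that land on the same server.

    For N servers this converges on 1/N, which is why two requests for
    two users hitting the same server proves nothing either way.
    """
    pairs = list(zip(keys, keys[1:]))
    if not pairs:
        return 0.0
    same = sum(keyed_balance(a, servers) == keyed_balance(b, servers)
               for a, b in pairs)
    return same / len(pairs)


if __name__ == "__main__":
    # The two users from the trace (constructed keys, as in the post).
    for user in ("user1", "user2"):
        print(f"Load-Balance-Key := {user!r} -> {keyed_balance(user, SERVERS)}")

    # Many distinct keys are needed before the spread becomes visible.
    many = [f"user{i}" for i in range(1000)]
    print("distribution over 1000 keys:", distribution(many, SERVERS))
    print("consecutive-pair collision rate:", round(collision_rate(many, SERVERS), 3))
```

Before treating the setting as broken, run the same test with many distinct User-Names (radtest in a loop works) and check that every server in the pool shows up in "Proxying request to home server"; also confirm that the home_server_pool definition actually lists more than one home server, because a pool with a single entry sends every key to that entry no matter what the key is.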


