Second stage authorization with proxy
Gianluca Baù
gluca.b at gmail.com
Wed May 31 10:49:34 CEST 2017
Hello Matthew,
thanks for your quick reply.
>> That's if "not notfound" - you probably want if (notfound) {
Oops, I already used this condition... the copy and paste was from the
forum's link. However, it doesn't work.
>> Did you leave the logic as above? Where did you put it in the config?
The code is in sites-enabled/default. My authorize section is (without
commented lines):
authorize {
    preprocess
    mschap
    suffix
    eap {
        ok = return
    }
    files
    sql
    if (notfound) {
        update control {
            Proxy-To-Realm := "newrealm"
        }
    }
    expiration
    logintime
    pap
}
>> Well the full output of radiusd -X
Following the output of /usr/sbin/freeradius -X:
rad_recv: Access-Request packet from host ************ port 50808, id=180,
length=203
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "2C:60:0C:E0:51:5D"
Called-Station-Id = "server1"
NAS-Port-Id = "ether5"
User-Name = "2C:60:0C:E0:51:5D"
NAS-Port = 2151679390
Acct-Session-Id = "8040059e"
Framed-IP-Address = 192.168.1.33
Mikrotik-Host-IP = 192.168.1.33
CHAP-Challenge = 0x302086b437e865de6ce30ed04671936d
CHAP-Password = 0x565c5fe1fcfdc8641c00d5fb52c3d19132
Service-Type = Login-User
WISPr-Logoff-URL = "http://0.0.0.0/logout"
NAS-Identifier = "MikroTik"
NAS-IP-Address = **************
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] = ok
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "2C:60:0C:E0:51:5D", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
++[files] = noop
[sql] expand: %{User-Name} -> 2C:60:0C:E0:51:5D
[sql] sql_set_user escaped user --> '2C:60:0C:E0:51:5D'
rlm_sql (sql): Reserving sql socket id: 31
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY
id -> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '2C:60:0C:E0:51:5D' ORDER BY
id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '2C:60:0C:E0:51:5D'
ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER BY
id -> SELECT id, username, attribute, value, op FROM
radreply WHERE username = '2C:60:0C:E0:51:5D' ORDER BY
id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op
FROM radreply WHERE username = '2C:60:0C:E0:51:5D'
ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username =
'2C:60:0C:E0:51:5D' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM
radusergroup WHERE username = '2C:60:0C:E0:51:5D' ORDER
BY priority
rlm_sql (sql): Released sql socket id: 31
++[sql] = ok
++? if (notfound)
? Evaluating (notfound) -> FALSE
++? if (notfound) -> FALSE
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = CHAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"
!!!
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /etc/freeradius/sites-enabled/default
+group CHAP {
[chap] login attempt by "2C:60:0C:E0:51:5D" with CHAP password
[chap] Using clear text password "***********" for user 2C:60:0C:E0:51:5D authentication.
[chap] Password check failed
++[chap] = reject
+} # group CHAP = reject
Failed to authenticate the user.
Login incorrect (rlm_chap: Wrong user password):
[2C:60:0C:E0:51:5D/<CHAP-Password>] (from client ****** port 2151679390 cli
2C:60:0C:E0:51:5D)
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> 2C:60:0C:E0:51:5D
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host ************* port 50808, id=180,
length=203
Waiting to send Access-Reject to client ******* port 50808 - ID: 180
Waking up in 0.7 seconds.
rad_recv: Access-Request packet from host ********* port 50808, id=180,
length=203
Waiting to send Access-Reject to client ********** port 50808 - ID: 180
Waking up in 0.4 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 180 to ********* port 50808
Waking up in 4.9 seconds.
Cheers
2017-05-30 21:14 GMT+02:00 Matthew Newton <matthew at newtoncomputing.co.uk>:
> On Tue, May 30, 2017 at 11:07:03AM +0200, Gianluca Baù wrote:
> > i would like to forward authorization requests to another Freeradius
> server
> > if the user is not present in the local one.
>
> OK
>
> > authorize {
> > ......
> > if (!notfound) {
>
> That's if "not notfound" - you probably want if (notfound) {
>
> > update control {
> > Proxy-To-Realm := "newrealm"
> > }
> > }
> > ......
> > }
> >
> > For me this condition is never matched.
>
> Did you leave the logic as above? Where did you put it in the
> config?
>
> As "notfound" is relevant to the previous module that was called,
> location matters. e.g. if you're using ldap, put it after your
> ldap call, not at the end of the authorize{} section after pap.
>
> > May you help me please? Do you need other technical details?
>
> Well the full output of radiusd -X means we have some sort of
> clue as to what is actually going on.
>
> --
> Matthew
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
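The thread turns on which module's return code an unlang rcode test such as if (notfound) actually sees: the one from the module called immediately before it. As an added example (not code from the thread or from FreeRADIUS), the script below parses a constructed excerpt modelled on the radiusd -X trace quoted above and reports, for each evaluated condition, the preceding module and what it returned.

```python
import re

# Constructed excerpt modelled on the radiusd -X trace quoted in the thread.
DEBUG_OUTPUT = """\
+group authorize {
++[preprocess] = ok
++[files] = noop
[sql] User found in radcheck table
++[sql] = ok
++? if (notfound)
? Evaluating (notfound) -> FALSE
++? if (notfound) -> FALSE
++[pap] = noop
+} # group authorize = ok
"""

# "++[module] = rcode" lines are module return codes; "++? if (...) -> X" lines
# are evaluated unlang conditions. Module names may contain dots.
MODULE_RE = re.compile(r'^\+{2,}\[([\w.]+)\] = (\w+)$')
COND_RE = re.compile(r'^\+{2,}\? if \((.+)\) -> (TRUE|FALSE)$')


def trace_authorize(text):
    """Return (modules, conditions): modules as (name, rcode) in call order;
    each condition records the module that ran immediately before it."""
    modules, conditions, last = [], [], None
    for line in text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            last = (m.group(1), m.group(2))
            modules.append(last)
            continue
        c = COND_RE.match(line)
        if c:
            conditions.append({'condition': c.group(1),
                               'result': c.group(2) == 'TRUE',
                               'preceding_module': last})
    return modules, conditions


def explain_condition(text, condition='notfound'):
    """One-line summary of what an unlang condition saw in the trace."""
    _, conditions = trace_authorize(text)
    for cond in conditions:
        if cond['condition'] == condition:
            mod, rcode = cond['preceding_module'] or ('<none>', '<none>')
            return (f"if ({condition}) -> {cond['result']}: preceding module "
                    f"'{mod}' returned '{rcode}'")
    return f"if ({condition}) was not evaluated in this trace"
```

Run against a full -X capture, the summary shows immediately whether the condition followed the module you intended (here sql) and why it took the branch it did.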