Second stage authorization with proxy

Gianluca Baù gluca.b at gmail.com
Wed May 31 11:15:06 CEST 2017


Hello again Matthew,

I figured out the problem. The username is effectively present in the local
radius but with a wrong password, so in this case "notfound" is false.

I thought that radius considered the user "not found" when the match of
username and password failed, but it checks for the username only. The -X
option has clearly shown this.

Thanks for your help.

Gianluca



2017-05-31 10:49 GMT+02:00 Gianluca Baù <gluca.b at gmail.com>:

> Hello Matthew,
>
> thanks for your quick reply.
>
> >> That's if "not notfound" - you probably want if (notfound) {
>
> Oops, I already used this condition... the copy and paste was from the
> forum's link. However, it doesn't work.
>
> >> Did you leave the logic as above? Where did you put it in the config?
>
> The code is in sites-enabled/default. My authorize section is (without
> commented lines):
>
> authorize {
>      preprocess
>      mschap
>      suffix
>      eap {
>          ok = return
>      }
>      files
>      sql
>
>      if (notfound) {
>                 update control {
>                         Proxy-To-Realm := "newrealm"
>                 }
>      }
>
>      expiration
>      logintime
>      pap
> }
>
> >> Well the full output of radiusd -X
>
> Following the output of /usr/sbin/freeradius -X:
>
> rad_recv: Access-Request packet from host ************ port 50808, id=180,
> length=203
>     NAS-Port-Type = Wireless-802.11
>     Calling-Station-Id = "2C:60:0C:E0:51:5D"
>     Called-Station-Id = "server1"
>     NAS-Port-Id = "ether5"
>     User-Name = "2C:60:0C:E0:51:5D"
>     NAS-Port = 2151679390
>     Acct-Session-Id = "8040059e"
>     Framed-IP-Address = 192.168.1.33
>     Mikrotik-Host-IP = 192.168.1.33
>     CHAP-Challenge = 0x302086b437e865de6ce30ed04671936d
>     CHAP-Password = 0x565c5fe1fcfdc8641c00d5fb52c3d19132
>     Service-Type = Login-User
>     WISPr-Logoff-URL = "http://0.0.0.0/logout"
>     NAS-Identifier = "MikroTik"
>     NAS-IP-Address = **************
> # Executing section authorize from file /etc/freeradius/sites-enabled/
> default
> +group authorize {
> ++[preprocess] = ok
> [chap] Setting 'Auth-Type := CHAP'
> ++[chap] = ok
> ++[mschap] = noop
> ++[digest] = noop
> [suffix] No '@' in User-Name = "2C:60:0C:E0:51:5D", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] = noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] = noop
> ++[files] = noop
> [sql]     expand: %{User-Name} -> 2C:60:0C:E0:51:5D
> [sql] sql_set_user escaped user --> '2C:60:0C:E0:51:5D'
> rlm_sql (sql): Reserving sql socket id: 31
> [sql]     expand: SELECT id, username, attribute, value, op           FROM
> radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY
> id -> SELECT id, username, attribute, value, op           FROM
> radcheck           WHERE username = '2C:60:0C:E0:51:5D'           ORDER BY
> id
> rlm_sql_mysql: query:  SELECT id, username, attribute, value, op
> FROM radcheck           WHERE username = '2C:60:0C:E0:51:5D'
> ORDER BY id
> [sql] User found in radcheck table
> [sql]     expand: SELECT id, username, attribute, value, op           FROM
> radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY
> id -> SELECT id, username, attribute, value, op           FROM
> radreply           WHERE username = '2C:60:0C:E0:51:5D'           ORDER BY
> id
> rlm_sql_mysql: query:  SELECT id, username, attribute, value, op
> FROM radreply           WHERE username = '2C:60:0C:E0:51:5D'
> ORDER BY id
> [sql]     expand: SELECT groupname           FROM radusergroup
> WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT
> groupname           FROM radusergroup           WHERE username =
> '2C:60:0C:E0:51:5D'           ORDER BY priority
> rlm_sql_mysql: query:  SELECT groupname           FROM
> radusergroup           WHERE username = '2C:60:0C:E0:51:5D'           ORDER
> BY priority
> rlm_sql (sql): Released sql socket id: 31
> ++[sql] = ok
> ++? if (notfound)
> ? Evaluating (notfound) -> FALSE
> ++? if (notfound) -> FALSE
> ++[expiration] = noop
> ++[logintime] = noop
> [pap] WARNING: Auth-Type already set.  Not setting to PAP
> ++[pap] = noop
> +} # group authorize = ok
> Found Auth-Type = CHAP
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!!!!!!!!!!!!!!!!!
> !!!    Replacing User-Password in config items with
> Cleartext-Password.     !!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!!!!!!!!!!!!!!!!!
> !!! Please update your configuration so that the "known
> good"               !!!
> !!! clear text password is in Cleartext-Password, and not in
> User-Password. !!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!!!!!!!!!!!!!!!!!
> # Executing group from file /etc/freeradius/sites-enabled/default
> +group CHAP {
> [chap] login attempt by "2C:60:0C:E0:51:5D" with CHAP password
> [chap] Using clear text password "***********" for user 2C:60:0C:E0:51:5D
> authentication.
> [chap] Password check failed
> ++[chap] = reject
> +} # group CHAP = reject
> Failed to authenticate the user.
> Login incorrect (rlm_chap: Wrong user password): [2C:60:0C:E0:51:5D/<CHAP-Password>]
> (from client ****** port 2151679390 cli 2C:60:0C:E0:51:5D)
> Using Post-Auth-Type REJECT
> # Executing group from file /etc/freeradius/sites-enabled/default
> +group REJECT {
> [attr_filter.access_reject]     expand: %{User-Name} -> 2C:60:0C:E0:51:5D
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] = updated
> +} # group REJECT = updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> rad_recv: Access-Request packet from host ************* port 50808,
> id=180, length=203
> Waiting to send Access-Reject to client ******* port 50808 - ID: 180
> Waking up in 0.7 seconds.
> rad_recv: Access-Request packet from host ********* port 50808, id=180,
> length=203
> Waiting to send Access-Reject to client ********** port 50808 - ID: 180
> Waking up in 0.4 seconds.
> Sending delayed reject for request 0
> Sending Access-Reject of id 180 to ********* port 50808
> Waking up in 4.9 seconds.
>
> Cheers
>
> 2017-05-30 21:14 GMT+02:00 Matthew Newton <matthew at newtoncomputing.co.uk>:
>
>> On Tue, May 30, 2017 at 11:07:03AM +0200, Gianluca Baù wrote:
>> > I would like to forward authorization requests to another Freeradius
>> > server if the user is not present in the local one.
>>
>> OK
>>
>> > authorize {
>> >    ......
>> > if (!notfound) {
>>
>> That's if "not notfound" - you probably want if (notfound) {
>>
>> >                 update control {
>> >                         Proxy-To-Realm := "newrealm"
>> >                 }
>> >         }
>> >     ......
>> > }
>> >
>> > For me this condition is never matched.
>>
>> Did you leave the logic as above? Where did you put it in the
>> config?
>>
>> As "notfound" is relevant to the previous module that was called,
>> location matters. e.g. if you're using ldap, put it after your
>> ldap call, not at the end of the authorize{} section after pap.
>>
>> > May you help me please? Do you need other technical details?
>>
>> Well the full output of radiusd -X means we have some sort of
>> clue as to what is actually going on.
>>
>> --
>> Matthew
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
>
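The diagnosis in this thread comes down to reading which module ran right before the `if (notfound)` and what it returned. The helper below is an added example, not code from the thread or from the FreeRADIUS project: it parses `radiusd -X` output in the 2.x format shown above and reports, for each evaluated `if`, the preceding module, its return code, and whether that module had already logged that the user exists (in which case a wrong password yields `ok`, not `notfound`). The sample debug lines are constructed.

```python
import re
# Constructed excerpt in the shape of FreeRADIUS 2.x "radiusd -X" output
# (a hypothetical sample, not the thread's real log).
SAMPLE_DEBUG = """\
+group authorize {
++[files] = noop
[sql] User found in radcheck table
++[sql] = ok
++? if (notfound)
? Evaluating (notfound) -> FALSE
++? if (notfound) -> FALSE
++[pap] = noop
+} # group authorize = ok
"""

MODULE_RE = re.compile(r"^\+\+\[(?P<module>[\w.]+)\] = (?P<rcode>\w+)$")
COND_RE = re.compile(r"^\+\+\? if \((?P<cond>[^)]+)\) -> (?P<result>TRUE|FALSE)$")
FOUND_RE = re.compile(r"^\[(?P<module>\w+)\] User found in \w+ table$")

def trace_conditions(debug_text):
    """Return (condition, result, preceding_module, its_rcode, user_found) for
    each evaluated 'if'. A bare rcode keyword such as 'notfound' tests the
    module that ran immediately before the 'if'; a module that found the user
    returns ok even when the password is wrong, never notfound."""
    last_module, last_rcode, found_users, out = None, None, set(), []
    for raw in debug_text.splitlines():
        line = raw.strip()
        f = FOUND_RE.match(line)
        if f:                       # module reported the user exists
            found_users.add(f["module"])
            continue
        m = MODULE_RE.match(line)
        if m:                       # "++[module] = rcode"
            last_module, last_rcode = m["module"], m["rcode"]
            continue
        c = COND_RE.match(line)
        if c:                       # "++? if (cond) -> TRUE/FALSE"
            out.append((c["cond"], c["result"] == "TRUE",
                        last_module, last_rcode, last_module in found_users))
    return out

def explain(debug_text):
    """Render each traced condition as a one-line diagnosis."""
    msgs = []
    for cond, result, mod, rcode, user_found in trace_conditions(debug_text):
        msg = f"if ({cond}) -> {result}: [{mod}] returned {rcode}"
        if cond == "notfound" and user_found:
            msg += "; user exists locally, so a wrong password cannot trigger it"
        msgs.append(msg)
    return msgs
```

Run `explain()` over a saved `-X` capture to see at a glance whether the `if` sits directly after the lookup module you intended and why it evaluated the way it did.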


More information about the Freeradius-Users mailing list