Proxy / reply translation
Richard J Palmer
richard at merula.net
Sun Nov 12 12:16:55 CET 2017
Hi again
I have now set this login to proxy via another FreeRADIUS server and I
have moved the code to post-proxy.
I am now seeing:
(1) Starting proxy to home server 10.0.25.5 port 1645
(1) Proxying request to home server 10.0.25.5 port 1645 timeout
14.000000
(1) Sent Access-Request Id 9 from 0.0.0.0:53508 to 10.0.25.5:1645
length 104
(1) User-Name = "richard2 at test.login"
(1) User-Password = "12345"
(1) NAS-IP-Address = 10.0.25.8
(1) NAS-Port = 1
(1) Message-Authenticator = 0x369545d0fafed5ff1a2b52ca10bfadd5
(1) Event-Timestamp = "Nov 12 2017 10:16:42 GMT"
(1) Proxy-State = 0x3836
Waking up in 0.3 seconds.
(1) Clearing existing &reply: attributes
(1) Received Access-Accept Id 9 from 10.0.25.5:1645 to 10.0.25.8:53508
length 101
(1) Framed-IP-Address = 1.2.108.10
(1) Framed-IP-Netmask = 255.255.255.248
(1) Cisco-AVPair = "ip:route=1.2.108.8 255.255.255.248"
(1) Filter-Id = "P"
(1) Chargeable-User-Identity = "richard2"
(1) Acct-Interim-Interval = 60
(1) Proxy-State = 0x3836
(1) # Executing section post-proxy from file
/usr/local/etc/raddb/sites-enabled/default
(1) post-proxy {
(1) post_proxy_log: EXPAND
/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d
(1) post_proxy_log: -->
/usr/local/var/log/radius/radacct/127.0.0.1/post-proxy-detail-20171112
(1) post_proxy_log:
/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d
expands to
/usr/local/var/log/radius/radacct/127.0.0.1/post-proxy-detail-20171112
(1) post_proxy_log: EXPAND %t
(1) post_proxy_log: --> Sun Nov 12 10:16:42 2017
(1) [post_proxy_log] = ok
(1) policy rewrite_routes {
(1) if (&Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/) {
(1) ERROR: Failed retrieving values required to evaluate
condition
(1) } # policy rewrite_routes = ok
(1) eap: No pre-existing handler found
(1) [eap] = noop
(1) } # post-proxy = ok
(1) Found Auth-Type = Accept
(1) Auth-Type = Accept, accepting the user
Post-proxy log shows:
Sun Nov 12 10:16:42 2017
Packet-Type = Access-Accept
Framed-IP-Address = 1.2.108.10
Framed-IP-Netmask = 255.255.255.248
Cisco-AVPair = "ip:route=1.2.108.8 255.255.255.248"
Filter-Id = "P"
Chargeable-User-Identity = "richard2"
Acct-Interim-Interval = 60
Proxy-State = 0x3836
Timestamp = 1510481802
I am reasonably certain there is an issue somewhere with
if (&Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/)
Using an online regex testing tool and using the above as a basis I
can see that
Cisco-AVPair = \"ip:route=([^ ]+) ([^ ]+)\"
This retrieves the data I need. However, that is not accepted by the
FreeRADIUS config (understandably, as it's not quite the same thing).
My initial thought is the issue could be the quotes, but I am
clutching at straws here. I have looked at the documents, but with
regex not being my strong point I am not sure what I have missed in
the FR config...
Could I please have one last pointer here?
Thanks!
Richard
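An added example, not Richard's file and not FreeRADIUS project code: the rewrite_routes policy as I would write it for the post-proxy section, using the list-qualified reference Alan Buxey suggests further down the thread. In an unlang condition a bare &Cisco-AVPair refers to the request list; after proxying, the home server's Access-Accept puts the attribute in the reply list (and in the earlier local test the SQL module added it to the reply list as well), so the condition has nothing to read, which is what "Failed retrieving values required to evaluate condition" reports. The netmask table (/32 through /24), the := operator and the no-op default case are my choices; the thread itself only gives the first three cases and a /28 catch-all.

```unlang
# policy.d/rewrite_routes  (added example, not the thread's own file)
#
# Translate a Cisco "ip:route=<network> <netmask>" AV pair that the home
# server returned into a Framed-Route "<network>/<prefixlen>" for the NAS.
# Reference it from the post-proxy section of sites-enabled/default.
rewrite_routes {
        # After proxying the attribute is in the reply list, so it has to be
        # referenced as &reply:Cisco-AVPair.  A bare &Cisco-AVPair means the
        # request list, which never carries it.  The same applies when the
        # attribute comes from SQL in authorize: that is added to reply too.
        if (&reply:Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/) {
                # %{1} = network, %{2} = dotted netmask (regex captures).
                # ":=" overwrites any Framed-Route already present (the
                # local SQL test returned an empty one), which "=" would keep.
                switch "%{2}" {
                        case "255.255.255.255" {
                                update reply {
                                        &Framed-Route := "%{1}/32"
                                }
                        }
                        case "255.255.255.254" {
                                update reply {
                                        &Framed-Route := "%{1}/31"
                                }
                        }
                        case "255.255.255.252" {
                                update reply {
                                        &Framed-Route := "%{1}/30"
                                }
                        }
                        case "255.255.255.248" {
                                update reply {
                                        &Framed-Route := "%{1}/29"
                                }
                        }
                        case "255.255.255.240" {
                                update reply {
                                        &Framed-Route := "%{1}/28"
                                }
                        }
                        case "255.255.255.224" {
                                update reply {
                                        &Framed-Route := "%{1}/27"
                                }
                        }
                        case "255.255.255.192" {
                                update reply {
                                        &Framed-Route := "%{1}/26"
                                }
                        }
                        case "255.255.255.128" {
                                update reply {
                                        &Framed-Route := "%{1}/25"
                                }
                        }
                        case "255.255.255.0" {
                                update reply {
                                        &Framed-Route := "%{1}/24"
                                }
                        }
                        # A netmask outside /32../24 is not one this site
                        # hands out (assumption): leave the reply untouched
                        # rather than guess a prefix length.
                        case {
                                noop
                        }
                }
        }
}
```

Two practical notes. If the NAS should not also receive the vendor attribute, add `&Cisco-AVPair !* ANY` inside the same `update reply` that sets Framed-Route. And a condition on `&reply:Cisco-AVPair` only examines the first instance of the attribute; if the home server can return several AV pairs, `&reply:Cisco-AVPair[*]` in 3.0.x tests every instance, and it is worth confirming in the debug output which instance populated %{1} and %{2}.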
On Saturday 11/11/2017 at 8:42 pm, Alan Buxey wrote:
> Not that remote server, just spin up another server that this one
> talks to, replying back with such results.
>
> Run in full debug mode, you should see contents of packets. Since this
> isn't in the post-proxy or post-auth (as you are putting things in
> during the Auth stage and checking/changing them there, which isn't how
> the real server would behave or be configured) the check you make will
> be different too.
>
> alan
>
> On 11 Nov 2017 8:17 pm, "Richard J Palmer" <richard at merula.net> wrote:
>
>>
>> Hi
>>
>> I can almost certainly test this with the remote radius server - I am
>> just waiting for the remote server to be configured to allow me access -
>> and in the meantime was trying to test my config locally.
>>
>> From the log
>>
>> if (&Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/) {
>>
>> ERROR: Failed retrieving values required to evaluate condition
>>
>> I assume that &Cisco-AVPair is not available here and I should be using
>> something else (or I could have totally the wrong reason).
>>
>> Ultimately the aim was to check if what I had written worked before I
>> had access to the upstream server. If it's easier just to wait I shall.
>>
>> Thanks in advance
>>
>> Richard
>>
>>
>>
>>
>> On Saturday 11/11/2017 at 7:39 pm, Alan Buxey wrote:
>>
>>>
>>> Best test would be to have a remote radius server sending back replies
>>> like you will have, as using some local stuff added via SQL isn't going
>>> to be the same; it goes through different sections.
>>>
>>> alan
>>>
>>> On 11 Nov 2017 7:33 pm, "Richard J Palmer" <richard at merula.net> wrote:
>>>
>>>
>>>>
>>>> Hi Alan
>>>>
>>>> I will be using it for Proxy. However I was trying to test / use this
>>>> locally as well while debugging the server / code.
>>>>
>>>> Ideally it would be nice to allow both options to work but I am
>>>> flexible if it's easier just to use this for requests that are proxied.
>>>>
>>>> Thanks
>>>>
>>>> Richard
>>>>
>>>>
>>>>
>>>>
>>>> On Saturday 11/11/2017 at 7:14 pm, Alan Buxey wrote:
>>>>
>>>>
>>>>>
>>>>> You say you need to modify a reply from their radius server - this
>>>>> will be in the post-proxy section?
>>>>>
>>>>> Also if (&reply:Cisco-AVPair ... ?
>>>>>
>>>>> alan
>>>>>
>>>>>
>>>>> On 11 Nov 2017 6:37 pm, "Richard J Palmer" <richard at merula.net> wrote:
>>>>>
>>>>> Hi
>>>>>
>>>>> Sorry for the delay. I am getting close with this I think... BUT
>>>>> something seems to be slightly wrong.
>>>>>
>>>>> Happy to post a full log as needed - BUT I hope the bit I need is
>>>>> here:
>>>>>
>>>>> (2) sql1: Framed-Route = ""
>>>>> (2) sql1: Framed-IP-Address = 1.2.3.1
>>>>> (2) sql1: Framed-IP-Netmask = 255.255.255.248
>>>>> (2) sql1: Cisco-AVPair += "ip:route=1.2.3.0 255.255.255.248"
>>>>> (2) sql1: Filter-Id = "P"
>>>>> (2) sql1: Chargeable-User-Identity = "richard2"
>>>>>
>>>>> <group SQL statements>
>>>>>
>>>>> (2) sql1: Group "Hotspot": Merging reply items
>>>>> (2) sql1: Acct-Interim-Interval = 600
>>>>>
>>>>> (2) [sql1] = ok
>>>>> (2) } # redundant = ok
>>>>> (2) policy rewrite_routes {
>>>>> (2) if (&Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/) {
>>>>> (2) ERROR: Failed retrieving values required to evaluate
>>>>> condition
>>>>> (2) } # policy rewrite_routes = ok
>>>>>
>>>>> (2) Login OK: [richard2] (from client local port 1)
>>>>> (2) Sent Access-Accept Id 69 from 127.0.0.1:1645 to 127.0.0.1:48919
>>>>> length 0
>>>>> (2) Framed-IP-Address = 1.2.3.1
>>>>> (2) Framed-IP-Netmask = 255.255.255.248
>>>>> (2) Cisco-AVPair = "ip:route=1.2.3.0 255.255.255.248"
>>>>> (2) Filter-Id = "P"
>>>>> (2) Chargeable-User-Identity = "richard2"
>>>>> (2) Acct-Interim-Interval = 600
>>>>> (2) Finished request
>>>>>
>>>>>
>>>>> In my authorise section I have placed:
>>>>>
>>>>> redundant {
>>>>> sql1
>>>>> sql2
>>>>> handled
>>>>> }
>>>>> # -sql
>>>>> rewrite_routes
>>>>>
>>>>> (The other sections are there - this is just to show where what I hope
>>>>> is relevant. The code itself is based on the code provided below.)
>>>>>
>>>>> rewrite_routes {
>>>>>         if (&Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/) {
>>>>>                 switch "%{2}" {
>>>>>                         case "255.255.255.255" {
>>>>>                                 update reply {
>>>>>                                         Framed-Route = "%{1}/32"
>>>>>                                 }
>>>>>                         }
>>>>>                         case "255.255.255.254" {
>>>>>                                 update reply {
>>>>>                                         Framed-Route = "%{1}/31"
>>>>>                                 }
>>>>>                         }
>>>>>
>>>>>
>>>>> and so on (it is in the policy.d folder)
>>>>>
>>>>> I am aware the key to this is the error
>>>>>
>>>>> (2) ERROR: Failed retrieving values required to evaluate
>>>>> condition
>>>>>
>>>>> What I am unclear about is why this is failing / and what I have done
>>>>> wrong here to cause this. If you can give me one more pointer here I'd
>>>>> appreciate it.
>>>>>
>>>>> More than happy to send any of the extra config or log as needed
>>>>>
>>>>> Thanks in advance
>>>>>
>>>>> Richard
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Thursday 09/11/2017 at 1:35 pm, Alan DeKok wrote:
>>>>>
>>>>>
>>>>>
>>>>>> On Nov 9, 2017, at 8:19 AM, Richard J Palmer <richard at merula.net> wrote:
>>>>>>
>>>>>>> This is where my skills are not great (regex); most other areas I can
>>>>>>> work with. Ultimately I am happy to pay someone to help write the
>>>>>>> little bit of code that does this. I do need to cope with netmasks
>>>>>>> from /32 to /24 so a few switch cases.
>>>>>>
>>>>>> It shouldn't be difficult.
>>>>>>
>>>>>>> Alternatively if someone can provide a few pointers on that bit I can
>>>>>>> probably build from there.
>>>>>>
>>>>>> If you have:
>>>>>>
>>>>>> Cisco-AVPair = "ip:route=1.2.3.1 255.255.255.240"
>>>>>>
>>>>>> Step 1, split it into pieces:
>>>>>>
>>>>>> if (&Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/) {
>>>>>>
>>>>>> This matches the "ip:route" prefix. It then matches non-space data,
>>>>>> then a space, and more non-space data. As per the FR documentation,
>>>>>> the first match goes into %{1}, and the second into %{2}.
>>>>>>
>>>>>> As there are only a limited number of net masks, you can expand the
>>>>>> net mask, and switch over it (inside of the "if" block from above)
>>>>>>
>>>>>> switch "%{2}" {
>>>>>> case "255.255.255.255" {
>>>>>> update reply {
>>>>>> Framed-Route = "%{1}/32"
>>>>>> }
>>>>>> }
>>>>>>
>>>>>> case "255.255.255.254" {
>>>>>> update reply {
>>>>>> Framed-Route = "%{1}/31"
>>>>>> }
>>>>>> }
>>>>>>
>>>>>> case "255.255.255.252" {
>>>>>> update reply {
>>>>>> Framed-Route = "%{1}/30"
>>>>>> }
>>>>>> }
>>>>>>
>>>>>> ... etc...
>>>>>>
>>>>>> # and the "catch all" case, just mash it to /28
>>>>>> case {
>>>>>> update reply {
>>>>>> Framed-Route = "%{1}/28"
>>>>>> }
>>>>>> }
>>>>>> }
>>>>>>
>>>>>> A little verbose, but it should work.
>>>>>>
>>>>>> Alan DeKok.
>>>>>>
>>>>>>
>>>>>> -
>>>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list
>>>>>> /users.html
>>>>>>