Access to the attributes lists in different sections
work vlpl
thework.vlpl at gmail.com
Fri Apr 27 17:34:55 CEST 2018
> On Fri, 27 Apr 2018 at 19:20, Alan DeKok <aland at deployingradius.com> wrote:
> Use a database.
If I use a database, how can I track users? I mean, how do I get the
session ID?
> The code *should* clear session-state only after running the post-auth
> section.
> I think what's happening is that it's using the outer State attribute
> inside of the inner tunnel. So when the inner tunnel returns
> Access-Reject, the session-state is cleared. Which just happens to be the
> same state as for the outer session.
> I think the solution is to just not delete the session state when
> inside the inner-tunnel. It will be deleted in the outer tunnel anyways,
> so that should work.
I am not using any special instruction in the configuration to clear
session-state. Here are parts of the configuration. I stripped out the
linelog instructions.
from inner tunnel config:
--------------
    post-auth {
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
    pre-proxy {}
    post-proxy {
        eap
    }
}
--------------
from outer tunnel config:
--------------
    post-auth {
        exec
        remove_reply_message_if_eap
        linelog
        ...
        Post-Auth-Type REJECT {
            update control {
                Some-Attribute := &session-state:Some-Attribute
            }
            attr_filter.access_reject
            eap
            linelog
            ...
            remove_reply_message_if_eap
        }
    }
    pre-proxy { }
    post-proxy {
        update control {
            Some-Attribute := &session-state:Some-Attribute
        }
        eap
    }
}
--------------
To debug when the session-state list is cleared, I added a debug message
to the fr_state_discard() function:
">>>>>>>>>>> DISCARDING SESSION-STATE <<<<<<<<<<"
and here is the log. Again, I stripped out the linelog output.
--------------
(6) Received Access-Reject Id 100 from 172.20.0.5:1812 to 172.20.0.6:42957 length 23
(6) Proxy-State = 0x36
(6) # Executing section post-proxy from file /usr/local/etc/raddb/sites-enabled/testing-stie
(6) post-proxy {
(6) update control {
(6) Some-Attribute := &session-state:Some-Attribute -> 'testing_remote'
(6) } # update control = noop
(6) eap: Doing post-proxy callback
(6) eap: Passing reply from proxy back into the tunnel
(6) eap: Got tunneled Access-Reject
(6) eap: Reply was rejected
(6) eap: Failed in post-proxy callback
(6) eap: Sending EAP Failure (code 4) ID 6 length 4
(6) [eap] = reject
(6) } # post-proxy = reject
(6) >>>>>>>>>>> DISCARDING SESSION-STATE <<<<<<<<<<
(6) Using Post-Auth-Type Reject
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/testing-stie
(6) Post-Auth-Type REJECT {
(6) update control {
(6) No attributes updated
(6) No attributes updated
(6) } # update control = noop
(6) attr_filter.access_reject: EXPAND %{User-Name}
(6) attr_filter.access_reject: --> anonymous
(6) attr_filter.access_reject: Matched entry DEFAULT at line 11
(6) [attr_filter.access_reject] = updated
(6) [eap] = noop
(6) linelog: EXPAND messages.%{%{Packet-Type}:-default}
(6) linelog: --> messages.Access-Request
...
(6) EXPAND Some-Attribute=%{%{control:Some-Attribute}:-no},
(6) --> Some-Attribute=testing_remote,
(6) policy remove_reply_message_if_eap {
(6) if (&reply:EAP-Message && &reply:Reply-Message) {
(6) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(6) else {
(6) [noop] = noop
(6) } # else = noop
(6) } # policy remove_reply_message_if_eap = noop
(6) } # Post-Auth-Type REJECT = updated
(6) >>>>>>>>>>> DISCARDING SESSION-STATE <<<<<<<<<<
(6) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
--------------
As you can see, the debug message shows up twice. I think the session-state
is cleared at this line:
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/src/main/auth.c#L481
So just to clarify: if the home server returns Access-Reject, then the
Post-Auth-Type REJECT section will not have access to the session-state list?
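
A way to read debug output like the log above, as an added example (not part of the original post and not FreeRADIUS code): it counts the poster's custom DISCARDING SESSION-STATE marker per request, lists the sections that start after the first discard, and lists the update blocks that then report "No attributes updated". The sample log is constructed by abridging the output quoted in the post; the function name `analyse` and the report keys are assumptions.

```python
import re

# Constructed sample: abridged from the debug output in the post, wrapped lines rejoined.
SAMPLE_LOG = """\
(6) post-proxy {
(6) update control {
(6) Some-Attribute := &session-state:Some-Attribute -> 'testing_remote'
(6) } # update control = noop
(6) } # post-proxy = reject
(6) >>>>>>>>>>> DISCARDING SESSION-STATE <<<<<<<<<<
(6) Post-Auth-Type REJECT {
(6) update control {
(6) No attributes updated
(6) } # update control = noop
(6) policy remove_reply_message_if_eap {
(6) if (&reply:EAP-Message && &reply:Reply-Message) {
(6) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(6) } # policy remove_reply_message_if_eap = noop
(6) } # Post-Auth-Type REJECT = updated
(6) >>>>>>>>>>> DISCARDING SESSION-STATE <<<<<<<<<<
Waking up in 0.3 seconds.
"""

LINE = re.compile(r"^\((\d+)\)\s+(.*)$")           # "(6) text" request prefix
CLOSE = re.compile(r"^\}\s*#\s*(.+?)\s*=\s*\w+$")  # "} # name = rcode"
MARKER = "DISCARDING SESSION-STATE"                # the poster's custom debug message
def analyse(log):
    """Per request: discards, sections opened after the first one, empty updates."""
    out, stacks = {}, {}
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # lines without a request number, e.g. "Waking up ..."
        rid, text = int(m.group(1)), m.group(2).strip()
        stack = stacks.setdefault(rid, [])
        r = out.setdefault(rid, {"discards": 0, "sections_after": [], "empty_updates": []})
        closing = CLOSE.match(text)
        if MARKER in text:
            r["discards"] += 1
        elif text.endswith("{"):
            if not stack and r["discards"]:
                r["sections_after"].append(text[:-1].strip())
            stack.append(text[:-1].strip())
        elif closing:
            # A false "if" prints no closing line, so unwind to the named block.
            while stack and stack.pop() != closing.group(1): pass
        elif text == "No attributes updated" and r["discards"]:
            r["empty_updates"].append(" > ".join(stack))
    return out
```

On the sample, request 6 shows two discards, with `Post-Auth-Type REJECT` starting after the first and its `update control` block coming back empty.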