Access to the attributes lists in different sections

work vlpl thework.vlpl at gmail.com
Fri Apr 27 17:34:55 CEST 2018


> On Fri, 27 Apr 2018 at 19:20, Alan DeKok <aland at deployingradius.com> wrote:
>    Use a database.

If I use a database, how can I track users? I mean, how do I get the
session ID?

>    The code *should* clear session-state only after running the post-auth
> section.

>    I think what's happening is that it's using the outer State attribute
> inside of the inner tunnel.  So when the inner tunnel returns
> Access-Reject, the session-state is cleared.  Which just happens to be the
> same state as for the outer session.

>    I think the solution is to just not delete the session state when
> inside the inner-tunnel.  It will be deleted in the outer tunnel anyways,
> so that should work.

I am not using any special instruction in the configuration to clear
session-state. Here are parts of the configuration. I stripped out the
linelog instructions.

From the inner tunnel config:
--------------
    post-auth {
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
    pre-proxy {}
    post-proxy {
        eap
    }
}
--------------

From the outer tunnel config:
--------------
    post-auth {
        exec
        remove_reply_message_if_eap
        linelog
        `...`
        Post-Auth-Type REJECT {
            update control {
                Some-Attribute := &session-state:Some-Attribute
            }
            attr_filter.access_reject
            eap
            linelog
            `...`
            remove_reply_message_if_eap
        }
    }
    pre-proxy {}
    post-proxy {
        update control {
            Some-Attribute := &session-state:Some-Attribute
        }
        eap
    }
}
--------------
To debug when the session-state list is cleared, I added a debug message
to the fr_state_discard() function:
">>>>>>>>>>> DISCARDING SESSION-STATE <<<<<<<<<<"
and here is the log. Again, I stripped out the linelog output.
--------------
(6) Received Access-Reject Id 100 from 172.20.0.5:1812 to 172.20.0.6:42957 length 23
(6)   Proxy-State = 0x36
(6) # Executing section post-proxy from file /usr/local/etc/raddb/sites-enabled/testing-stie
(6)   post-proxy {
(6)     update control {
(6)       Some-Attribute := &session-state:Some-Attribute -> 'testing_remote'
(6)     } # update control = noop
(6) eap: Doing post-proxy callback
(6) eap: Passing reply from proxy back into the tunnel
(6) eap: Got tunneled Access-Reject
(6) eap: Reply was rejected
(6) eap: Failed in post-proxy callback
(6) eap: Sending EAP Failure (code 4) ID 6 length 4
(6)     [eap] = reject
(6)   } # post-proxy = reject
(6) >>>>>>>>>>> DISCARDING SESSION-STATE <<<<<<<<<<
(6) Using Post-Auth-Type Reject
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/testing-stie
(6)   Post-Auth-Type REJECT {
(6)     update control {
(6)       No attributes updated
(6)       No attributes updated
(6)     } # update control = noop
(6) attr_filter.access_reject: EXPAND %{User-Name}
(6) attr_filter.access_reject:    --> anonymous
(6) attr_filter.access_reject: Matched entry DEFAULT at line 11
(6)     [attr_filter.access_reject] = updated
(6)     [eap] = noop
(6) linelog: EXPAND messages.%{%{Packet-Type}:-default}
(6) linelog:    --> messages.Access-Request

...

(6)     EXPAND Some-Attribute=%{%{control:Some-Attribute}:-no},
(6)        --> Some-Attribute=testing_remote,
(6)     policy remove_reply_message_if_eap {
(6)       if (&reply:EAP-Message && &reply:Reply-Message) {
(6)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(6)       else {
(6)         [noop] = noop
(6)       } # else = noop
(6)     } # policy remove_reply_message_if_eap = noop
(6)   } # Post-Auth-Type REJECT = updated
(6) >>>>>>>>>>> DISCARDING SESSION-STATE <<<<<<<<<<
(6) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
--------------
As you can see, the debug message shows up two times. I think session-states
are cleared at this line:
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/src/main/auth.c#L481

So just to clarify: if the home server returns Access-Reject, then the
Post-Auth-Type REJECT section will not have access to the session-state list?
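
An added example, not part of the original post: a small Python check of the ordering visible in the log above. It scans a FreeRADIUS debug log for the poster's custom `DISCARDING SESSION-STATE` marker and reports any section opened for the same request after a discard; the function name and the abridged sample log are constructed for illustration.

```python
import re

# Constructed sample, abridged from the debug output quoted in the post.
SAMPLE_LOG = """\
(6) # Executing section post-proxy from file /usr/local/etc/raddb/sites-enabled/testing-stie
(6)   post-proxy {
(6)       Some-Attribute := &session-state:Some-Attribute -> 'testing_remote'
(6)   } # post-proxy = reject
(6) >>>>>>>>>>> DISCARDING SESSION-STATE <<<<<<<<<<
(6) Using Post-Auth-Type Reject
(6)   Post-Auth-Type REJECT {
(6)       No attributes updated
(6)   } # Post-Auth-Type REJECT = updated
(6) >>>>>>>>>>> DISCARDING SESSION-STATE <<<<<<<<<<
Waking up in 0.3 seconds.
"""

# "(N) text": N is the request number FreeRADIUS prefixes to debug lines.
LINE = re.compile(r"^\((\d+)\)\s+(.*)$")
# Lines that open a processing section in the debug output.
OPEN = re.compile(r"^(post-proxy|post-auth|Post-Auth-Type \S+)\s*\{$")
# Custom message the poster added to fr_state_discard(); not stock output.
MARKER = "DISCARDING SESSION-STATE"


def sections_after_discard(log_text):
    """Return (late, discards).

    late: list of (request, section, discards_seen_so_far) for every
          section opened after session-state was already discarded.
    discards: dict mapping request number to total discard count.
    """
    discards = {}
    late = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # lines without a request prefix, e.g. "Waking up ..."
        req, body = int(m.group(1)), m.group(2).strip()
        if MARKER in body:
            discards[req] = discards.get(req, 0) + 1
        elif OPEN.match(body) and discards.get(req, 0) > 0:
            late.append((req, OPEN.match(body).group(1), discards[req]))
    return late, discards


if __name__ == "__main__":
    late, discards = sections_after_discard(SAMPLE_LOG)
    for req, section, seen in late:
        print(f"request {req}: {section} ran after {seen} discard(s)")
    print("discards per request:", discards)
```
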

