Post-Auth Section not executed
NOC WVNET
noclist at wvnet.at
Mon Feb 19 23:38:59 CET 2018
Hi all,
I'm testing an LDAP Backend for PPPoE User Authorization.
Goal is to remove the added AVPairs (during Authorization) if authentication
fail.
I have put the statements in the "post-auth" Section but it
seems it is never executed.
------------------------------------------------------------------
RADIUS VERSION
(http://packages.networkradius.com/centos/7/repo)
-------------------------------------------------------------------
radiusd: FreeRADIUS Version 3.0.16, for host x86_64-redhat-linux-gnu, built
on Jan 11 2018 at 16:34:57
FreeRADIUS Version 3.0.16
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
--------------------------------------
cat ../sites-available/wvnet-aaa
--------------------------------------
server wvnet-aaa {
listen {
ipaddr = ATVIED6INFRAH4AAA
port = 1812
type = auth
}
authorize {
filter_username
filter_password
preprocess
if ( &User-Name =~ /^(.*)@(.*$)/ ) {
update request {
Stripped-User-Name := "%{1}"
Realm := "%{2}"
}
}
auth_log
ATVIED6INFRAH4LDAP
chap
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
}
post_auth {
Post-Auth-Type REJECT {
update reply {
Cisco-AVPair !* ANY
}
attr_filter.access_reject
}
}
listen {
ipaddr = ATVIED6INFRAH4AAA
port = 1813
type = acct
}
preacct {
preprocess
update request {
FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l -
%{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
}
acct_unique
acct_counters64
}
accounting {
redundant {
ATVIED6INFRAH4MYSQL
ATVIED6INFRAH3MYSQL
ATVIED6INFRAH2MYSQL
}
attr_filter.accounting_response
}
}
--------------------------
cat ../mods-enabled/ldap
--------------------------
ldap ATVIED6INFRAH4LDAP {
server = 'ldaps://ATVIED6INFRAH4LDAP.as29081.net'
identity = '---------'
password = '---------'
valuepair_attribute = 'radiusAttribute'
base_dn = 'ou=DialIn,ou=AccessService,ou=AAA,dc=as29081,dc=net'
update {
control:Password-With-Header += 'userPassword'
control: += 'radiusControlAttribute'
request: += 'radiusRequestAttribute'
reply: += 'radiusReplyAttribute'
}
user {
base_dn = "${..base_dn}"
#filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
filter = "(cn=%{User-Name})"
scope = 'sub'
access_attribute = 'dialupAccess'
access_positive = yes
}
group {
}
profile {
}
client {
base_dn = 'ou=AccessServer,ou=AAA,dc=as29081,dc=net'
filter = '(objectClass=radiusClient)'
scope = 'sub'
attribute {
ipaddr =
'radiusClientIdentifier'
secret =
'radiusClientSecret'
shortname =
'radiusClientShortname'
nas_type = 'radiusClientType'
virtual_server =
'radiusClientVirtualServer'
require_message_authenticator =
'radiusClientRequireMa'
}
}
read_clients = no
accounting {
}
post-auth {
}
options {
dereference = 'never'
chase_referrals = yes
rebind = yes
res_timeout = 10
srv_timelimit = 3
net_timeout = 2
idle = 60
probes = 3
interval = 3
ldap_debug = 0x0028
}
tls {
start_tls = no
ca_path = /etc/openldap/certs
certificate_file = /etc/openldap/certs/as29081_net.crt
private_key_file = /etc/openldap/certs/as29081_net.key
random_file = /dev/urandom
require_cert = 'allow'
}
pool {
start = ${thread[pool].start_servers}
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
spare = ${thread[pool].max_spare_servers}
uses = 0
retry_delay = 20
lifetime = 0
idle_timeout = 60
}
}
DEBUG-OUTPUT
------------
(1) Received Access-Request Id 58 from 10.214.30.1:38589 to
10.214.200.35:1812 length 109
(1) User-Name = "atvied6infraclust-monitor at edsl.wvnet.at"
(1) User-Password = "secret"
(1) NAS-IP-Address = 10.214.10.1
(1) NAS-Port = 1
(1) Message-Authenticator = 0x74809479c2c4eb92b4d90fa454a31de5
(1) # Executing section authorize from file
/etc/raddb/sites-enabled/wvnet-aaa
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) policy filter_password {
(1) if (&User-Password && (&User-Password !=
"%{string:User-Password}")) {
(1) EXPAND %{string:User-Password}
(1) --> secret
(1) if (&User-Password && (&User-Password !=
"%{string:User-Password}")) -> FALSE
(1) } # policy filter_password = notfound
(1) [preprocess] = ok
(1) if ( &User-Name =~ /^(.*)@(.*$)/ ) {
(1) if ( &User-Name =~ /^(.*)@(.*$)/ ) -> TRUE
(1) if ( &User-Name =~ /^(.*)@(.*$)/ ) {
(1) update request {
(1) EXPAND %{1}
(1) --> atvied6infraclust-monitor
(1) Stripped-User-Name := atvied6infraclust-monitor
(1) EXPAND %{2}
(1) --> edsl.wvnet.at
(1) Realm := edsl.wvnet.at
(1) } # update request = noop
(1) } # if ( &User-Name =~ /^(.*)@(.*$)/ ) = noop
(1) auth_log: EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres
s}}/auth-detail-%Y%m%d
(1) auth_log: -->
/var/log/radius/radacct/10.214.30.1/auth-detail-20180219
(1) auth_log:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres
s}}/auth-detail-%Y%m%d expands to
/var/log/radius/radacct/10.214.30.1/auth-detail-20180219
(1) auth_log: EXPAND %t
(1) auth_log: --> Mon Feb 19 22:59:20 2018
(1) [auth_log] = ok
rlm_ldap (ATVIED6INFRAH4LDAP): Reserved connection (1)
(1) ATVIED6INFRAH4LDAP: EXPAND (cn=%{User-Name})
(1) ATVIED6INFRAH4LDAP: --> (cn=atvied6infraclust-monitor at edsl.wvnet.at)
(1) ATVIED6INFRAH4LDAP: Performing search in
"ou=DialIn,ou=AccessService,ou=AAA,dc=as29081,dc=net" with filter
"(cn=atvied6infraclust-monitor at edsl.wvnet.at)", scope "sub"
(1) ATVIED6INFRAH4LDAP: Waiting for search result...
(1) ATVIED6INFRAH4LDAP: User object found at DN
"cn=atvied6infraclust-monitor at edsl.wvnet.at,ou=edsl.wvnet.at,ou=realm,ou=Dia
lIn,ou=AccessService,ou=AAA,dc=as29081,dc=net"
(1) ATVIED6INFRAH4LDAP: Processing user attributes
(1) ATVIED6INFRAH4LDAP: control:Password-With-Header += 'secret'
(1) ATVIED6INFRAH4LDAP: reply::Cisco-AVPair += 'ip:addr-pool=monitor-pool'
(1) ATVIED6INFRAH4LDAP: reply::Cisco-AVPair +=
'lcp:interface-config=service-policy input monitor'
rlm_ldap (ATVIED6INFRAH4LDAP): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_ldap (ATVIED6INFRAH4LDAP): Opening additional connection (6), 1 of 26
pending slots used
rlm_ldap (ATVIED6INFRAH4LDAP): Connecting to
ldaps://ATVIED6INFRAH4LDAP.as29081.net:636
TLS certificate verification: Error, self signed certificate in certificate
chain
rlm_ldap (ATVIED6INFRAH4LDAP): Waiting for bind result...
rlm_ldap (ATVIED6INFRAH4LDAP): Bind successful
(1) [ATVIED6INFRAH4LDAP] = updated
(1) [chap] = noop
(1) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password
(1) pap: Removing &control:Password-With-Header
(1) [pap] = updated
(1) } # authorize = updated
(1) Found Auth-Type = PAP
(1) # Executing group from file /etc/raddb/sites-enabled/wvnet-aaa
(1) Auth-Type PAP {
(1) pap: Login attempt with password
(1) pap: Comparing with "known good" Cleartext-Password
(1) pap: ERROR: Cleartext password does not match "known good" password
(1) pap: Passwords don't match
(1) [pap] = reject
(1) } # Auth-Type PAP = reject
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) Login incorrect (pap: Cleartext password does not match "known good"
password): [atvied6infraclust-monitor at edsl.wvnet.at/secret] (from client
ATVIED6INFRACLUST-RADCLIENT port 1)
(1) Delaying response for 2.000000 seconds
Waking up in 0.6 seconds.
Waking up in 1.3 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 58 from 10.214.200.35:1812 to 10.214.30.1:38589
length 110
(1) Cisco-AVPair += "ip:addr-pool=monitor-pool"
(1) Cisco-AVPair += "lcp:interface-config=service-policy input monitor"
Waking up in 2.9 seconds.
(1) Cleaning up request packet ID 58 with timestamp +26
Ready to process requests
BR
Stefan
More information about the Freeradius-Users
mailing list