Version 3.0.16 has been released

Stefan Winter stefan.winter at restena.lu
Thu Jan 18 16:27:53 CET 2018


Hi,

ah! A closer look reveals:

3.0.15:

   } # post-auth = ok
 Finished internally proxied request.
 Clearing existing &reply: attributes
 Found Auth-Type = Accept
 Auth-Type = Accept, accepting the user
 # Executing section post-auth from file
/usr/local/freeradius/config/raddb/sites-enabled/AAI
   post-auth {

3.0.16:

   } # post-auth = ok
 Finished internally proxied request.
 Clearing existing &reply: attributes
 Found Auth-Type = Accept
 Auth-Type = Accept, accepting the user
 Clearing existing &reply: attributes
 Found Post-Proxy-Type Fail-Authentication
 Post-Proxy-Type sub-section not found.  Ignoring.
 # Executing section post-auth from file
/usr/local/freeradius/config/raddb/sites-enabled/AAI
   post-auth {

So for some reason it starts to run through the purge /twice/.

And there's something about Fail-Authentication? In fact the
authentication does not fail, it eventually sends out an Access-Accept -
but without attributes.

Probably the first occurence is the normal one, and is not actually
clearing anything; and the second one is new and confused, and actually
does clear attributes.

Greetings,

Stefan Winter

Am 18.01.2018 um 13:40 schrieb Alan DeKok:
> On Jan 18, 2018, at 2:30 AM, Stefan Winter <stefan.winter at restena.lu> wrote:
>> there appears to be a behaviour change when using proxy-to-vserver. I
>> see missing attributes in such a scenario, and a diff of debug output of
>> 3.0.15 to 3.0.16 tells me this line is new:
>>
>> Finished internally proxied request.
>>> Clearing existing &reply: attributes
>>
>> That is at least rather explicit, thanks for that debug message.
> 
>   That message has been there since February 2015.  So it isn't new.
> 
>> But as it happens I really like those attributes. How can I make them
>> *not* be scrubbed when handing the request back from the vserver in
>> 3.0.16 and onwards?
> 
>   The "proxy to virtual server" code has been doing that since about the same time.
> 
>> The Changelog doesn't seem to mention that behaviour change or an option
>> to control this behaviour...
> 
>   It wasn't supposed to change.
> 
>   So I'm not sure why it's different.  I'll take a look.
> 
>   Alan DeKok.
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20180118/4ea52499/attachment.sig>


More information about the Freeradius-Users mailing list