FreeRADIUS accounting to multiple destinations
Алексей Морозенко
alexmorozenko at gmail.com
Fri Jul 27 10:36:45 CEST 2018
I think it should be very simple:

preacct {
    ...
    # /etc/freeradius/mods-config/files/accounting searches for an LDAP group
    # (DEFAULT ldap01-LDAP-Group == "cn=devops,cn=groups,cn=accounts,dc=office,dc=lan",
    # Filter-Id := accounting) and adds a Filter-Id attribute containing the
    # group name to the request (I've changed the attribute name to avoid
    # misunderstanding. Of course, I've enabled the rfc2865 dictionary). Is it
    # the right way to modify the original packet?
    files
    # enable replication module
    replicate
    update {
        # replicate modified accounting request to FG-2
        control:Replicate-To-Realm := fortigate02
    }
}
But it seems to be non-working:
(14) Received Accounting-Request Id 22 from 10.0.5.71:64245 to
10.132.15.206:1813 length 218
(14) Acct-Status-Type = Start
(14) NAS-IP-Address = 10.0.5.71
(14) User-Name = "alex"
(14) NAS-Port = 0
(14) NAS-Port-Type = Wireless-802.11
(14) Calling-Station-Id = "a8667f23c53e"
(14) Called-Station-Id = "3817c3c13fa8"
(14) Framed-IP-Address = 10.0.20.210
(14) Acct-Multi-Session-Id = "A8667F23C53E-1532621349"
(14) Acct-Session-Id = "3817C393FA90-A8667F23C53E-5B5A3C05-C1D30"
(14) Acct-Delay-Time = 0
(14) Aruba-Essid-Name = "team"
(14) Aruba-Location-Id = "Floor1-Main"
(14) Aruba-User-Vlan = 20
(14) Aruba-Device-Type = "OS X"
(14) Acct-Authentic = RADIUS
(14) # Executing section preacct from file
/etc/freeradius/sites-enabled/default
(14) preacct {
(14) [preprocess] = ok
(14) policy acct_unique {
(14) update request {
(14) &Tmp-String-9 := "ai:"
(14) } # update request = noop
(14) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(14) EXPAND %{hex:&Class}
(14) -->
(14) EXPAND ^%{hex:&Tmp-String-9}
(14) --> ^61693a
(14) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(14) else {
(14) update request {
(14) EXPAND
%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(14) --> 910afd2bf35840c31321ab5e1da2ca47
(14) &Acct-Unique-Session-Id := 910afd2bf35840c31321ab5e1da2ca47
(14) } # update request = noop
(14) } # else = noop
(14) } # policy acct_unique = noop
(14) suffix: Checking for suffix after "@"
(14) suffix: No '@' in User-Name = "alex", looking up realm NULL
(14) suffix: Found realm "DEFAULT"
(14) suffix: Adding Stripped-User-Name = "alex"
(14) suffix: Adding Realm = "DEFAULT"
(14) suffix: Proxying request from user alex to realm DEFAULT
(14) suffix: Preparing to proxy accounting request to realm "DEFAULT"
(14) [suffix] = updated
(14) files: Searching for user in group
"cn=accounting,cn=groups,cn=accounts,dc=office,dc=lan"
rlm_ldap (ldap01): Reserved connection (1)
(14) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(14) files: --> (uid=alex)
(14) files: Performing search in "cn=users,cn=accounts,dc=office,dc=lan"
with filter "(uid=alex)", scope "sub"
(14) files: Waiting for search result...
(14) files: User object found at DN
"uid=alex,cn=users,cn=accounts,dc=office,dc=lan"
(14) files: Checking for user in group objects
(14) files: EXPAND
(&(objectClass=ipausergroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
(14) files: -->
(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))
(14) files: Performing search in
"cn=accounting,cn=groups,cn=accounts,dc=office,dc=lan" with filter
"(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))",
scope "sub"
(14) files: Waiting for search result...
(14) files: Search returned no results
(14) files: Checking user object's memberOf attributes
(14) files: Performing unfiltered search in
"uid=alex,cn=users,cn=accounts,dc=office,dc=lan", scope "base"
(14) files: Waiting for search result...
(14) files: Processing memberOf value
"cn=ipausers,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=hr,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=gsuite,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=nextcloud-security,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
rlm_ldap (ldap01): Released connection (1)
(14) files: User is not a member of
"cn=accounting,cn=groups,cn=accounts,dc=office,dc=lan"
(14) files: Searching for user in group
"cn=accounting,cn=groups,cn=accounts,dc=office,dc=lan"
rlm_ldap (ldap02): Reserved connection (4)
(14) files: Using user DN from request
"uid=alex,cn=users,cn=accounts,dc=office,dc=lan"
(14) files: Checking for user in group objects
(14) files: EXPAND
(&(objectClass=ipausergroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
(14) files: -->
(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))
(14) files: Performing search in
"cn=accounting,cn=groups,cn=accounts,dc=office,dc=lan" with filter
"(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))",
scope "sub"
(14) files: Waiting for search result...
(14) files: Search returned no results
(14) files: Checking user object's memberOf attributes
(14) files: Performing unfiltered search in
"uid=alex,cn=users,cn=accounts,dc=office,dc=lan", scope "base"
(14) files: Waiting for search result...
(14) files: Processing memberOf value
"cn=ipausers,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=hr,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=gsuite,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=nextcloud-security,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
rlm_ldap (ldap02): Released connection (4)
(14) files: User is not a member of
"cn=accounting,cn=groups,cn=accounts,dc=office,dc=lan"
(14) files: Searching for user in group
"cn=accounting,cn=groups,cn=accounts,dc=office,dc=lan"
rlm_ldap (ldap03): Reserved connection (4)
(14) files: Using user DN from request
"uid=alex,cn=users,cn=accounts,dc=office,dc=lan"
(14) files: Checking for user in group objects
(14) files: EXPAND
(&(objectClass=ipausergroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
(14) files: -->
(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))
(14) files: Performing search in
"cn=accounting,cn=groups,cn=accounts,dc=office,dc=lan" with filter
"(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))",
scope "sub"
(14) files: Waiting for search result...
(14) files: Search returned no results
(14) files: Checking user object's memberOf attributes
(14) files: Performing unfiltered search in
"uid=alex,cn=users,cn=accounts,dc=office,dc=lan", scope "base"
(14) files: Waiting for search result...
(14) files: Processing memberOf value
"cn=ipausers,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=hr,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=gsuite,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=nextcloud-security,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
rlm_ldap (ldap03): Released connection (4)
(14) files: User is not a member of
"cn=accounting,cn=groups,cn=accounts,dc=office,dc=lan"
(14) files: Searching for user in group
"cn=ads,cn=groups,cn=accounts,dc=office,dc=lan"
rlm_ldap (ldap01): Reserved connection (6)
(14) files: Using user DN from request
"uid=alex,cn=users,cn=accounts,dc=office,dc=lan"
(14) files: Checking for user in group objects
(14) files: EXPAND
(&(objectClass=ipausergroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
(14) files: -->
(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))
(14) files: Performing search in
"cn=ads,cn=groups,cn=accounts,dc=office,dc=lan" with filter
"(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))",
scope "sub"
(14) files: Waiting for search result...
(14) files: Search returned no results
(14) files: Checking user object's memberOf attributes
(14) files: Performing unfiltered search in
"uid=alex,cn=users,cn=accounts,dc=office,dc=lan", scope "base"
(14) files: Waiting for search result...
(14) files: Processing memberOf value
"cn=ipausers,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=hr,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=gsuite,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=nextcloud-security,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
rlm_ldap (ldap01): Released connection (6)
(14) files: User is not a member of
"cn=ads,cn=groups,cn=accounts,dc=office,dc=lan"
(14) files: Searching for user in group
"cn=ads,cn=groups,cn=accounts,dc=office,dc=lan"
rlm_ldap (ldap02): Reserved connection (5)
(14) files: Using user DN from request
"uid=alex,cn=users,cn=accounts,dc=office,dc=lan"
(14) files: Checking for user in group objects
(14) files: EXPAND
(&(objectClass=ipausergroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
(14) files: -->
(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))
(14) files: Performing search in
"cn=ads,cn=groups,cn=accounts,dc=office,dc=lan" with filter
"(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))",
scope "sub"
(14) files: Waiting for search result...
(14) files: Search returned no results
(14) files: Checking user object's memberOf attributes
(14) files: Performing unfiltered search in
"uid=alex,cn=users,cn=accounts,dc=office,dc=lan", scope "base"
(14) files: Waiting for search result...
(14) files: Processing memberOf value
"cn=ipausers,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=hr,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=gsuite,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=nextcloud-security,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
rlm_ldap (ldap02): Released connection (5)
(14) files: User is not a member of
"cn=ads,cn=groups,cn=accounts,dc=office,dc=lan"
(14) files: Searching for user in group
"cn=ads,cn=groups,cn=accounts,dc=office,dc=lan"
rlm_ldap (ldap03): Reserved connection (5)
(14) files: Using user DN from request
"uid=alex,cn=users,cn=accounts,dc=office,dc=lan"
(14) files: Checking for user in group objects
(14) files: EXPAND
(&(objectClass=ipausergroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
(14) files: -->
(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))
(14) files: Performing search in
"cn=ads,cn=groups,cn=accounts,dc=office,dc=lan" with filter
"(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))",
scope "sub"
(14) files: Waiting for search result...
(14) files: Search returned no results
(14) files: Checking user object's memberOf attributes
(14) files: Performing unfiltered search in
"uid=alex,cn=users,cn=accounts,dc=office,dc=lan", scope "base"
(14) files: Waiting for search result...
(14) files: Processing memberOf value
"cn=ipausers,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=hr,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=gsuite,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=nextcloud-security,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
rlm_ldap (ldap03): Released connection (5)
(14) files: User is not a member of
"cn=ads,cn=groups,cn=accounts,dc=office,dc=lan"
(14) files: Searching for user in group
"cn=designers,cn=groups,cn=accounts,dc=office,dc=lan"
rlm_ldap (ldap01): Reserved connection (7)
(14) files: Using user DN from request
"uid=alex,cn=users,cn=accounts,dc=office,dc=lan"
(14) files: Checking for user in group objects
(14) files: EXPAND
(&(objectClass=ipausergroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
(14) files: -->
(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))
(14) files: Performing search in
"cn=designers,cn=groups,cn=accounts,dc=office,dc=lan" with filter
"(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))",
scope "sub"
(14) files: Waiting for search result...
(14) files: Search returned no results
(14) files: Checking user object's memberOf attributes
(14) files: Performing unfiltered search in
"uid=alex,cn=users,cn=accounts,dc=office,dc=lan", scope "base"
(14) files: Waiting for search result...
(14) files: Processing memberOf value
"cn=ipausers,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=hr,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=gsuite,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=nextcloud-security,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
rlm_ldap (ldap01): Released connection (7)
(14) files: User is not a member of
"cn=designers,cn=groups,cn=accounts,dc=office,dc=lan"
(14) files: Searching for user in group
"cn=designers,cn=groups,cn=accounts,dc=office,dc=lan"
rlm_ldap (ldap02): Reserved connection (3)
(14) files: Using user DN from request
"uid=alex,cn=users,cn=accounts,dc=office,dc=lan"
(14) files: Checking for user in group objects
(14) files: EXPAND
(&(objectClass=ipausergroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
(14) files: -->
(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))
(14) files: Performing search in
"cn=designers,cn=groups,cn=accounts,dc=office,dc=lan" with filter
"(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))",
scope "sub"
(14) files: Waiting for search result...
(14) files: Search returned no results
(14) files: Checking user object's memberOf attributes
(14) files: Performing unfiltered search in
"uid=alex,cn=users,cn=accounts,dc=office,dc=lan", scope "base"
(14) files: Waiting for search result...
(14) files: Processing memberOf value
"cn=ipausers,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=hr,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=gsuite,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=nextcloud-security,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
rlm_ldap (ldap02): Released connection (3)
(14) files: User is not a member of
"cn=designers,cn=groups,cn=accounts,dc=office,dc=lan"
(14) files: Searching for user in group
"cn=designers,cn=groups,cn=accounts,dc=office,dc=lan"
rlm_ldap (ldap03): Reserved connection (3)
(14) files: Using user DN from request
"uid=alex,cn=users,cn=accounts,dc=office,dc=lan"
(14) files: Checking for user in group objects
(14) files: EXPAND
(&(objectClass=ipausergroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
(14) files: -->
(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))
(14) files: Performing search in
"cn=designers,cn=groups,cn=accounts,dc=office,dc=lan" with filter
"(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))",
scope "sub"
(14) files: Waiting for search result...
(14) files: Search returned no results
(14) files: Checking user object's memberOf attributes
(14) files: Performing unfiltered search in
"uid=alex,cn=users,cn=accounts,dc=office,dc=lan", scope "base"
(14) files: Waiting for search result...
(14) files: Processing memberOf value
"cn=ipausers,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=hr,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=gsuite,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=nextcloud-security,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
rlm_ldap (ldap03): Released connection (3)
(14) files: User is not a member of
"cn=designers,cn=groups,cn=accounts,dc=office,dc=lan"
(14) files: Searching for user in group
"cn=devops,cn=groups,cn=accounts,dc=office,dc=lan"
rlm_ldap (ldap01): Reserved connection (5)
(14) files: Using user DN from request
"uid=alex,cn=users,cn=accounts,dc=office,dc=lan"
(14) files: Checking for user in group objects
(14) files: EXPAND
(&(objectClass=ipausergroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
(14) files: -->
(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))
(14) files: Performing search in
"cn=devops,cn=groups,cn=accounts,dc=office,dc=lan" with filter
"(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))",
scope "sub"
(14) files: Waiting for search result...
(14) files: Search returned no results
(14) files: Checking user object's memberOf attributes
(14) files: Performing unfiltered search in
"uid=alex,cn=users,cn=accounts,dc=office,dc=lan", scope "base"
(14) files: Waiting for search result...
(14) files: Processing memberOf value
"cn=ipausers,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=hr,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=gsuite,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=nextcloud-security,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
rlm_ldap (ldap01): Released connection (5)
(14) files: User is not a member of
"cn=devops,cn=groups,cn=accounts,dc=office,dc=lan"
(14) files: Searching for user in group
"cn=devops,cn=groups,cn=accounts,dc=office,dc=lan"
rlm_ldap (ldap02): Reserved connection (0)
(14) files: Using user DN from request
"uid=alex,cn=users,cn=accounts,dc=office,dc=lan"
(14) files: Checking for user in group objects
(14) files: EXPAND
(&(objectClass=ipausergroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
(14) files: -->
(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))
(14) files: Performing search in
"cn=devops,cn=groups,cn=accounts,dc=office,dc=lan" with filter
"(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))",
scope "sub"
(14) files: Waiting for search result...
(14) files: Search returned no results
(14) files: Checking user object's memberOf attributes
(14) files: Performing unfiltered search in
"uid=alex,cn=users,cn=accounts,dc=office,dc=lan", scope "base"
(14) files: Waiting for search result...
(14) files: Processing memberOf value
"cn=ipausers,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=hr,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=gsuite,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=nextcloud-security,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
rlm_ldap (ldap02): Released connection (0)
(14) files: User is not a member of
"cn=devops,cn=groups,cn=accounts,dc=office,dc=lan"
(14) files: Searching for user in group
"cn=devops,cn=groups,cn=accounts,dc=office,dc=lan"
rlm_ldap (ldap03): Reserved connection (0)
(14) files: Using user DN from request
"uid=alex,cn=users,cn=accounts,dc=office,dc=lan"
(14) files: Checking for user in group objects
(14) files: EXPAND
(&(objectClass=ipausergroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
(14) files: -->
(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))
(14) files: Performing search in
"cn=devops,cn=groups,cn=accounts,dc=office,dc=lan" with filter
"(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))",
scope "sub"
(14) files: Waiting for search result...
(14) files: Search returned no results
(14) files: Checking user object's memberOf attributes
(14) files: Performing unfiltered search in
"uid=alex,cn=users,cn=accounts,dc=office,dc=lan", scope "base"
(14) files: Waiting for search result...
(14) files: Processing memberOf value
"cn=ipausers,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=hr,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=gsuite,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=nextcloud-security,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
rlm_ldap (ldap03): Released connection (0)
(14) files: User is not a member of
"cn=devops,cn=groups,cn=accounts,dc=office,dc=lan"
rlm_ldap (ldap03): Reserved connection (5)
(14) files: Using user DN from request
"uid=alex,cn=users,cn=accounts,dc=office,dc=lan"
(14) files: Checking for user in group objects
(14) files: EXPAND
(&(objectClass=ipausergroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
(14) files: -->
(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))
(14) files: Performing search in
"cn=dmp,cn=groups,cn=accounts,dc=office,dc=lan" with filter
"(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))",
scope "sub"
(14) files: Waiting for search result...
(14) files: Search returned no results
(14) files: Checking user object's memberOf attributes
(14) files: Performing unfiltered search in
"uid=alex,cn=users,cn=accounts,dc=office,dc=lan", scope "base"
(14) files: Waiting for search result...
(14) files: Processing memberOf value
"cn=ipausers,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=hr,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=gsuite,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
(14) files: Processing memberOf value
"cn=nextcloud-security,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
rlm_ldap (ldap03): Released connection (5)
(14) files: User is not a member of
"cn=dmp,cn=groups,cn=accounts,dc=office,dc=lan"
(14) files: Searching for user in group
"cn=hr,cn=groups,cn=accounts,dc=office,dc=lan"
rlm_ldap (ldap01): Reserved connection (2)
(14) files: Using user DN from request
"uid=alex,cn=users,cn=accounts,dc=office,dc=lan"
(14) files: Checking for user in group objects
(14) files: EXPAND
(&(objectClass=ipausergroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
(14) files: -->
(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))
(14) files: Performing search in
"cn=hr,cn=groups,cn=accounts,dc=office,dc=lan" with filter
"(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))",
scope "sub"
(14) files: Waiting for search result...
(14) files: User found in group object
"cn=hr,cn=groups,cn=accounts,dc=office,dc=lan"
rlm_ldap (ldap01): Released connection (2)
(14) files: acct_users: Matched entry DEFAULT at line 156
(14) [files] = ok
(14) } # preacct = updated
(14) # Executing section accounting from file
/etc/freeradius/sites-enabled/default
(14) accounting {
(14) detail: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(14) detail: --> /var/log/freeradius/radacct/10.0.5.71/detail-20180726
(14) detail:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
expands to /var/log/freeradius/radacct/10.0.5.71/detail-20180726
(14) detail: EXPAND %t
(14) detail: --> Thu Jul 26 21:24:21 2018
(14) [detail] = ok
(14) [replicate] = noop
(14) update {
(14) control:Replicate-To-Realm := fortigate02
(14) } # update = noop
(14) [unix] = ok
(14) [exec] = noop
(14) attr_filter.accounting_response: EXPAND %{User-Name}
(14) attr_filter.accounting_response: --> alex
(14) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(14) [attr_filter.accounting_response] = updated
(14) } # accounting = updated
(14) Starting proxy to home server 10.132.15.192 port 1813
(14) Proxying request to home server 10.132.15.192 port 1813 timeout
30.000000
(14) Sent Accounting-Request Id 148 from 0.0.0.0:42612 to 10.132.15.192:1813
length 228
(14) Acct-Status-Type = Start
(14) NAS-IP-Address = 10.0.5.71
(14) User-Name = "alex"
(14) NAS-Port = 0
(14) NAS-Port-Type = Wireless-802.11
(14) Calling-Station-Id = "a8667f23c53e"
(14) Called-Station-Id = "3817c3c13fa8"
(14) Framed-IP-Address = 10.0.20.210
(14) Acct-Multi-Session-Id = "A8667F23C53E-1532621349"
(14) Acct-Session-Id = "3817C393FA90-A8667F23C53E-5B5A3C05-C1D30"
(14) Acct-Delay-Time = 0
(14) Aruba-Essid-Name = "team"
(14) Aruba-Location-Id = "Floor1-Main"
(14) Aruba-User-Vlan = 20
(14) Aruba-Device-Type = "OS X"
(14) Acct-Authentic = RADIUS
(14) Event-Timestamp = "Jul 26 2018 21:24:21 UTC"
(14) Proxy-State = 0x3232
Waking up in 0.2 seconds.
(14) Clearing existing &reply: attributes
(14) Received Accounting-Response Id 148 from 10.132.15.192:1813 to
10.132.15.206:42612 length 24
(14) Proxy-State = 0x3232
(14) # Executing section post-proxy from file
/etc/freeradius/sites-enabled/default
(14) post-proxy {
(14) eap: No pre-existing handler found
(14) [eap] = noop
(14) } # post-proxy = noop
(14) Sent Accounting-Response Id 22 from 10.132.15.206:1813 to
10.0.5.71:64245 length 0
(14) Finished request
(14) Cleaning up request packet ID 22 with timestamp +54
Waking up in 4.4 seconds.
As I can see, the original packet is modified:

(14) files: acct_users: Matched entry DEFAULT at line 156
(14) [files] = ok
(14) } # preacct = updated

But not replicated:

(14) [replicate] = noop
(14) update {
(14) control:Replicate-To-Realm := fortigate02
(14) } # update = noop

Tell me please, what could be the reason? I cannot figure it out.
--
Best regards, Alex Morozenko
Tue, 24 Jul 2018 at 20:00 Alan DeKok <aland at deployingradius.com> wrote:
> On Jul 24, 2018, at 12:49 PM, Алексей Морозенко <alexmorozenko at gmail.com>
> wrote:
> >
> > I was incorrect in saying «reply»; I mean after successful authorization
> > the NAS sends an accounting request to my RADIUS and then RADIUS proxies
> > that request to FG-1 and FG-2
>
> OK.
>
> > It doesn't matter what its name is; by using files in preacct (pre-proxy)
> > I insert an additional attribute «Reply-Message» containing the group
> > name in the accounting REQUEST from the NAS. And further this modified
> > accounting request is being proxied to forti according to realms.
> > Am I right?
>
> Yes. But only for PROXIED packets. The "pre-proxy" section doesn't
> change the *original* packet.
>
> And the "replicate" module only sends copies of the ORIGINAL packet.
>
> So you have to edit the original packet before calling replicate.
>
> Alan DeKok.
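The ordering Alan's reply calls for, written out as an added example (this is not the thread's own configuration): in the posted preacct section, replicate runs before control:Replicate-To-Realm is set, which is exactly why the debug output shows "[replicate] = noop" followed by the update. The example assumes the realm fortigate02 is defined in proxy.conf with an accounting home server (as the thread's proxying implies) and that the mods-config/files/accounting entry is the one the post describes; the Filter-Id value is a constructed placeholder.

```unlang
# /etc/freeradius/mods-config/files/accounting (rlm_files "acct_users").
# In preacct, rlm_files adds an entry's reply items to the REQUEST list, so it
# changes the original packet, which is what replicate later copies. The reply
# item goes on its own indented line, not on the check-item line.
DEFAULT ldap01-LDAP-Group == "cn=devops,cn=groups,cn=accounts,dc=office,dc=lan"
        Filter-Id := "devops"    # constructed value; group name for the example

# /etc/freeradius/sites-enabled/default, preacct section.
preacct {
        preprocess
        acct_unique
        suffix

        # Tag the original request with the LDAP group (entry above).
        files

        # Before (as posted): replicate runs first, finds no
        # control:Replicate-To-Realm, returns noop and sends nothing;
        # the update that follows it is never seen by replicate.
        #
        #   replicate
        #   update {
        #       control:Replicate-To-Realm := fortigate02
        #   }

        # After: set the target realm, THEN call replicate. rlm_replicate
        # reads control:Replicate-To-Realm at the moment it runs, and copies
        # the request list as it is at that moment, Filter-Id included.
        update control {
                Replicate-To-Realm := fortigate02
        }
        replicate
}
```

The same pair works in the accounting section instead of preacct, as long as the update precedes replicate; the debug output should then show "[replicate] = ok" and a second Sent Accounting-Request towards the fortigate02 home server.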