FreeRADIUS accounting to multiple destinations

Алексей Морозенко alexmorozenko at gmail.com
Fri Jul 27 10:43:09 CEST 2018


I did the following.
First, I changed the order in preacct like this:

preacct {
...
        files
        update {
                control:Replicate-To-Realm := fortigate02 # replicate modified accounting request to FG-2
        }
        replicate
}

and replicate worked (now I can see the message: replicate: Replicating list
'request' to Realm 'fortigate02').

But still without groups.
Then I decided to try adding the group check in preprocess (hints),
and it works!

But I cannot understand why.
Could you please explain it to me?
--
Best regards, Alex Morozenko


Fri, 27 Jul 2018 at 11:36 Алексей Морозенко <alexmorozenko at gmail.com> wrote:

> I think it should be very simple:
>
> preacct {
> ...
>         files      # /etc/freeradius/mods-config/files/accounting searches for the
>                    # LDAP group (DEFAULT ldap01-LDAP-Group == "cn=devops,cn=groups,cn=accounts,dc=office,dc=lan", Filter-Id := accounting)
>                    # and adds the Filter-Id attribute containing the group name to the request.
>                    # (I've changed the attribute name to avoid misunderstanding. Of course, I've enabled the rfc2865 dictionary.)
>                    # Is it the right way to modify the original packet?
>
>         replicate  # enable the replication module
>
>         update {
>                 control:Replicate-To-Realm := fortigate02 # replicate the modified accounting request to FG-2
>         }
> }
>
> But it seems not to work:
>
> (14) Received Accounting-Request Id 22 from 10.0.5.71:64245 to
> 10.132.15.206:1813 length 218
> (14)   Acct-Status-Type = Start
> (14)   NAS-IP-Address = 10.0.5.71
> (14)   User-Name = "alex"
> (14)   NAS-Port = 0
> (14)   NAS-Port-Type = Wireless-802.11
> (14)   Calling-Station-Id = "a8667f23c53e"
> (14)   Called-Station-Id = "3817c3c13fa8"
> (14)   Framed-IP-Address = 10.0.20.210
> (14)   Acct-Multi-Session-Id = "A8667F23C53E-1532621349"
> (14)   Acct-Session-Id = "3817C393FA90-A8667F23C53E-5B5A3C05-C1D30"
> (14)   Acct-Delay-Time = 0
> (14)   Aruba-Essid-Name = "team"
> (14)   Aruba-Location-Id = "Floor1-Main"
> (14)   Aruba-User-Vlan = 20
> (14)   Aruba-Device-Type = "OS X"
> (14)   Acct-Authentic = RADIUS
> (14) # Executing section preacct from file
> /etc/freeradius/sites-enabled/default
> (14)   preacct {
> (14)     [preprocess] = ok
> (14)     policy acct_unique {
> (14)       update request {
> (14)         &Tmp-String-9 := "ai:"
> (14)       } # update request = noop
> (14)       if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
> ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
> (14)       EXPAND %{hex:&Class}
> (14)          -->
> (14)       EXPAND ^%{hex:&Tmp-String-9}
> (14)          --> ^61693a
> (14)       if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
> ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i))  -> FALSE
> (14)       else {
> (14)         update request {
> (14)           EXPAND
> %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
> (14)              --> 910afd2bf35840c31321ab5e1da2ca47
> (14)           &Acct-Unique-Session-Id := 910afd2bf35840c31321ab5e1da2ca47
> (14)         } # update request = noop
> (14)       } # else = noop
> (14)     } # policy acct_unique = noop
> (14) suffix: Checking for suffix after "@"
> (14) suffix: No '@' in User-Name = "alex", looking up realm NULL
> (14) suffix: Found realm "DEFAULT"
> (14) suffix: Adding Stripped-User-Name = "alex"
> (14) suffix: Adding Realm = "DEFAULT"
> (14) suffix: Proxying request from user alex to realm DEFAULT
> (14) suffix: Preparing to proxy accounting request to realm "DEFAULT"
> (14)     [suffix] = updated
> (14) files: Searching for user in group
> "cn=accounting,cn=groups,cn=accounts,dc=office,dc=lan"
> rlm_ldap (ldap01): Reserved connection (1)
> (14) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> (14) files:    --> (uid=alex)
> (14) files: Performing search in "cn=users,cn=accounts,dc=office,dc=lan"
> with filter "(uid=alex)", scope "sub"
> (14) files: Waiting for search result...
> (14) files: User object found at DN
> "uid=alex,cn=users,cn=accounts,dc=office,dc=lan"
> (14) files: Checking for user in group objects
> (14) files:   EXPAND
> (&(objectClass=ipausergroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
> (14) files:      -->
> (&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))
> (14) files:   Performing search in
> "cn=accounting,cn=groups,cn=accounts,dc=office,dc=lan" with filter
> "(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))",
> scope "sub"
> (14) files:   Waiting for search result...
> (14) files:   Search returned no results
> (14) files: Checking user object's memberOf attributes
> (14) files:   Performing unfiltered search in
> "uid=alex,cn=users,cn=accounts,dc=office,dc=lan", scope "base"
> (14) files:   Waiting for search result...
> (14) files: Processing memberOf value
> "cn=ipausers,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=hr,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=gsuite,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=nextcloud-security,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> rlm_ldap (ldap01): Released connection (1)
> (14) files: User is not a member of
> "cn=accounting,cn=groups,cn=accounts,dc=office,dc=lan"
> (14) files: Searching for user in group
> "cn=accounting,cn=groups,cn=accounts,dc=office,dc=lan"
> rlm_ldap (ldap02): Reserved connection (4)
> (14) files: Using user DN from request
> "uid=alex,cn=users,cn=accounts,dc=office,dc=lan"
> (14) files: Checking for user in group objects
> (14) files:   EXPAND
> (&(objectClass=ipausergroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
> (14) files:      -->
> (&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))
> (14) files:   Performing search in
> "cn=accounting,cn=groups,cn=accounts,dc=office,dc=lan" with filter
> "(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))",
> scope "sub"
> (14) files:   Waiting for search result...
> (14) files:   Search returned no results
> (14) files: Checking user object's memberOf attributes
> (14) files:   Performing unfiltered search in
> "uid=alex,cn=users,cn=accounts,dc=office,dc=lan", scope "base"
> (14) files:   Waiting for search result...
> (14) files: Processing memberOf value
> "cn=ipausers,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=hr,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=gsuite,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=nextcloud-security,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> rlm_ldap (ldap02): Released connection (4)
> (14) files: User is not a member of
> "cn=accounting,cn=groups,cn=accounts,dc=office,dc=lan"
> (14) files: Searching for user in group
> "cn=accounting,cn=groups,cn=accounts,dc=office,dc=lan"
> rlm_ldap (ldap03): Reserved connection (4)
> (14) files: Using user DN from request
> "uid=alex,cn=users,cn=accounts,dc=office,dc=lan"
> (14) files: Checking for user in group objects
> (14) files:   EXPAND
> (&(objectClass=ipausergroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
> (14) files:      -->
> (&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))
> (14) files:   Performing search in
> "cn=accounting,cn=groups,cn=accounts,dc=office,dc=lan" with filter
> "(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))",
> scope "sub"
> (14) files:   Waiting for search result...
> (14) files:   Search returned no results
> (14) files: Checking user object's memberOf attributes
> (14) files:   Performing unfiltered search in
> "uid=alex,cn=users,cn=accounts,dc=office,dc=lan", scope "base"
> (14) files:   Waiting for search result...
> (14) files: Processing memberOf value
> "cn=ipausers,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=hr,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=gsuite,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=nextcloud-security,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> rlm_ldap (ldap03): Released connection (4)
> (14) files: User is not a member of
> "cn=accounting,cn=groups,cn=accounts,dc=office,dc=lan"
> (14) files: Searching for user in group
> "cn=ads,cn=groups,cn=accounts,dc=office,dc=lan"
> rlm_ldap (ldap01): Reserved connection (6)
> (14) files: Using user DN from request
> "uid=alex,cn=users,cn=accounts,dc=office,dc=lan"
> (14) files: Checking for user in group objects
> (14) files:   EXPAND
> (&(objectClass=ipausergroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
> (14) files:      -->
> (&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))
> (14) files:   Performing search in
> "cn=ads,cn=groups,cn=accounts,dc=office,dc=lan" with filter
> "(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))",
> scope "sub"
> (14) files:   Waiting for search result...
> (14) files:   Search returned no results
> (14) files: Checking user object's memberOf attributes
> (14) files:   Performing unfiltered search in
> "uid=alex,cn=users,cn=accounts,dc=office,dc=lan", scope "base"
> (14) files:   Waiting for search result...
> (14) files: Processing memberOf value
> "cn=ipausers,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=hr,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=gsuite,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=nextcloud-security,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> rlm_ldap (ldap01): Released connection (6)
> (14) files: User is not a member of
> "cn=ads,cn=groups,cn=accounts,dc=office,dc=lan"
> (14) files: Searching for user in group
> "cn=ads,cn=groups,cn=accounts,dc=office,dc=lan"
> rlm_ldap (ldap02): Reserved connection (5)
> (14) files: Using user DN from request
> "uid=alex,cn=users,cn=accounts,dc=office,dc=lan"
> (14) files: Checking for user in group objects
> (14) files:   EXPAND
> (&(objectClass=ipausergroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
> (14) files:      -->
> (&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))
> (14) files:   Performing search in
> "cn=ads,cn=groups,cn=accounts,dc=office,dc=lan" with filter
> "(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))",
> scope "sub"
> (14) files:   Waiting for search result...
> (14) files:   Search returned no results
> (14) files: Checking user object's memberOf attributes
> (14) files:   Performing unfiltered search in
> "uid=alex,cn=users,cn=accounts,dc=office,dc=lan", scope "base"
> (14) files:   Waiting for search result...
> (14) files: Processing memberOf value
> "cn=ipausers,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=hr,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=gsuite,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=nextcloud-security,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> rlm_ldap (ldap02): Released connection (5)
> (14) files: User is not a member of
> "cn=ads,cn=groups,cn=accounts,dc=office,dc=lan"
> (14) files: Searching for user in group
> "cn=ads,cn=groups,cn=accounts,dc=office,dc=lan"
> rlm_ldap (ldap03): Reserved connection (5)
> (14) files: Using user DN from request
> "uid=alex,cn=users,cn=accounts,dc=office,dc=lan"
> (14) files: Checking for user in group objects
> (14) files:   EXPAND
> (&(objectClass=ipausergroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
> (14) files:      -->
> (&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))
> (14) files:   Performing search in
> "cn=ads,cn=groups,cn=accounts,dc=office,dc=lan" with filter
> "(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))",
> scope "sub"
> (14) files:   Waiting for search result...
> (14) files:   Search returned no results
> (14) files: Checking user object's memberOf attributes
> (14) files:   Performing unfiltered search in
> "uid=alex,cn=users,cn=accounts,dc=office,dc=lan", scope "base"
> (14) files:   Waiting for search result...
> (14) files: Processing memberOf value
> "cn=ipausers,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=hr,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=gsuite,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=nextcloud-security,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> rlm_ldap (ldap03): Released connection (5)
> (14) files: User is not a member of
> "cn=ads,cn=groups,cn=accounts,dc=office,dc=lan"
> (14) files: Searching for user in group
> "cn=designers,cn=groups,cn=accounts,dc=office,dc=lan"
> rlm_ldap (ldap01): Reserved connection (7)
> (14) files: Using user DN from request
> "uid=alex,cn=users,cn=accounts,dc=office,dc=lan"
> (14) files: Checking for user in group objects
> (14) files:   EXPAND
> (&(objectClass=ipausergroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
> (14) files:      -->
> (&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))
> (14) files:   Performing search in
> "cn=designers,cn=groups,cn=accounts,dc=office,dc=lan" with filter
> "(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))",
> scope "sub"
> (14) files:   Waiting for search result...
> (14) files:   Search returned no results
> (14) files: Checking user object's memberOf attributes
> (14) files:   Performing unfiltered search in
> "uid=alex,cn=users,cn=accounts,dc=office,dc=lan", scope "base"
> (14) files:   Waiting for search result...
> (14) files: Processing memberOf value
> "cn=ipausers,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=hr,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=gsuite,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=nextcloud-security,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> rlm_ldap (ldap01): Released connection (7)
> (14) files: User is not a member of
> "cn=designers,cn=groups,cn=accounts,dc=office,dc=lan"
> (14) files: Searching for user in group
> "cn=designers,cn=groups,cn=accounts,dc=office,dc=lan"
> rlm_ldap (ldap02): Reserved connection (3)
> (14) files: Using user DN from request
> "uid=alex,cn=users,cn=accounts,dc=office,dc=lan"
> (14) files: Checking for user in group objects
> (14) files:   EXPAND
> (&(objectClass=ipausergroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
> (14) files:      -->
> (&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))
> (14) files:   Performing search in
> "cn=designers,cn=groups,cn=accounts,dc=office,dc=lan" with filter
> "(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))",
> scope "sub"
> (14) files:   Waiting for search result...
> (14) files:   Search returned no results
> (14) files: Checking user object's memberOf attributes
> (14) files:   Performing unfiltered search in
> "uid=alex,cn=users,cn=accounts,dc=office,dc=lan", scope "base"
> (14) files:   Waiting for search result...
> (14) files: Processing memberOf value
> "cn=ipausers,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=hr,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=gsuite,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=nextcloud-security,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> rlm_ldap (ldap02): Released connection (3)
> (14) files: User is not a member of
> "cn=designers,cn=groups,cn=accounts,dc=office,dc=lan"
> (14) files: Searching for user in group
> "cn=designers,cn=groups,cn=accounts,dc=office,dc=lan"
> rlm_ldap (ldap03): Reserved connection (3)
> (14) files: Using user DN from request
> "uid=alex,cn=users,cn=accounts,dc=office,dc=lan"
> (14) files: Checking for user in group objects
> (14) files:   EXPAND
> (&(objectClass=ipausergroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
> (14) files:      -->
> (&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))
> (14) files:   Performing search in
> "cn=designers,cn=groups,cn=accounts,dc=office,dc=lan" with filter
> "(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))",
> scope "sub"
> (14) files:   Waiting for search result...
> (14) files:   Search returned no results
> (14) files: Checking user object's memberOf attributes
> (14) files:   Performing unfiltered search in
> "uid=alex,cn=users,cn=accounts,dc=office,dc=lan", scope "base"
> (14) files:   Waiting for search result...
> (14) files: Processing memberOf value
> "cn=ipausers,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=hr,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=gsuite,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=nextcloud-security,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> rlm_ldap (ldap03): Released connection (3)
> (14) files: User is not a member of
> "cn=designers,cn=groups,cn=accounts,dc=office,dc=lan"
> (14) files: Searching for user in group
> "cn=devops,cn=groups,cn=accounts,dc=office,dc=lan"
> rlm_ldap (ldap01): Reserved connection (5)
> (14) files: Using user DN from request
> "uid=alex,cn=users,cn=accounts,dc=office,dc=lan"
> (14) files: Checking for user in group objects
> (14) files:   EXPAND
> (&(objectClass=ipausergroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
> (14) files:      -->
> (&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))
> (14) files:   Performing search in
> "cn=devops,cn=groups,cn=accounts,dc=office,dc=lan" with filter
> "(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))",
> scope "sub"
> (14) files:   Waiting for search result...
> (14) files:   Search returned no results
> (14) files: Checking user object's memberOf attributes
> (14) files:   Performing unfiltered search in
> "uid=alex,cn=users,cn=accounts,dc=office,dc=lan", scope "base"
> (14) files:   Waiting for search result...
> (14) files: Processing memberOf value
> "cn=ipausers,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=hr,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=gsuite,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=nextcloud-security,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> rlm_ldap (ldap01): Released connection (5)
> (14) files: User is not a member of
> "cn=devops,cn=groups,cn=accounts,dc=office,dc=lan"
> (14) files: Searching for user in group
> "cn=devops,cn=groups,cn=accounts,dc=office,dc=lan"
> rlm_ldap (ldap02): Reserved connection (0)
> (14) files: Using user DN from request
> "uid=alex,cn=users,cn=accounts,dc=office,dc=lan"
> (14) files: Checking for user in group objects
> (14) files:   EXPAND
> (&(objectClass=ipausergroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
> (14) files:      -->
> (&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))
> (14) files:   Performing search in
> "cn=devops,cn=groups,cn=accounts,dc=office,dc=lan" with filter
> "(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))",
> scope "sub"
> (14) files:   Waiting for search result...
> (14) files:   Search returned no results
> (14) files: Checking user object's memberOf attributes
> (14) files:   Performing unfiltered search in
> "uid=alex,cn=users,cn=accounts,dc=office,dc=lan", scope "base"
> (14) files:   Waiting for search result...
> (14) files: Processing memberOf value
> "cn=ipausers,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=hr,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=gsuite,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=nextcloud-security,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> rlm_ldap (ldap02): Released connection (0)
> (14) files: User is not a member of
> "cn=devops,cn=groups,cn=accounts,dc=office,dc=lan"
> (14) files: Searching for user in group
> "cn=devops,cn=groups,cn=accounts,dc=office,dc=lan"
> rlm_ldap (ldap03): Reserved connection (0)
> (14) files: Using user DN from request
> "uid=alex,cn=users,cn=accounts,dc=office,dc=lan"
> (14) files: Checking for user in group objects
> (14) files:   EXPAND
> (&(objectClass=ipausergroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
> (14) files:      -->
> (&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))
> (14) files:   Performing search in
> "cn=devops,cn=groups,cn=accounts,dc=office,dc=lan" with filter
> "(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))",
> scope "sub"
> (14) files:   Waiting for search result...
> (14) files:   Search returned no results
> (14) files: Checking user object's memberOf attributes
> (14) files:   Performing unfiltered search in
> "uid=alex,cn=users,cn=accounts,dc=office,dc=lan", scope "base"
> (14) files:   Waiting for search result...
> (14) files: Processing memberOf value
> "cn=ipausers,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=hr,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=gsuite,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=nextcloud-security,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> rlm_ldap (ldap03): Released connection (0)
> (14) files: User is not a member of
> "cn=devops,cn=groups,cn=accounts,dc=office,dc=lan"
> rlm_ldap (ldap03): Reserved connection (5)
> (14) files: Using user DN from request
> "uid=alex,cn=users,cn=accounts,dc=office,dc=lan"
> (14) files: Checking for user in group objects
> (14) files:   EXPAND
> (&(objectClass=ipausergroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
> (14) files:      -->
> (&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))
> (14) files:   Performing search in
> "cn=dmp,cn=groups,cn=accounts,dc=office,dc=lan" with filter
> "(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))",
> scope "sub"
> (14) files:   Waiting for search result...
> (14) files:   Search returned no results
> (14) files: Checking user object's memberOf attributes
> (14) files:   Performing unfiltered search in
> "uid=alex,cn=users,cn=accounts,dc=office,dc=lan", scope "base"
> (14) files:   Waiting for search result...
> (14) files: Processing memberOf value
> "cn=ipausers,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=hr,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=gsuite,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> (14) files: Processing memberOf value
> "cn=nextcloud-security,cn=groups,cn=accounts,dc=office,dc=lan" as a DN
> rlm_ldap (ldap03): Released connection (5)
> (14) files: User is not a member of
> "cn=dmp,cn=groups,cn=accounts,dc=office,dc=lan"
> (14) files: Searching for user in group
> "cn=hr,cn=groups,cn=accounts,dc=office,dc=lan"
> rlm_ldap (ldap01): Reserved connection (2)
> (14) files: Using user DN from request
> "uid=alex,cn=users,cn=accounts,dc=office,dc=lan"
> (14) files: Checking for user in group objects
> (14) files:   EXPAND
> (&(objectClass=ipausergroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
> (14) files:      -->
> (&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))
> (14) files:   Performing search in
> "cn=hr,cn=groups,cn=accounts,dc=office,dc=lan" with filter
> "(&(objectClass=ipausergroup)(|(member=uid\3dalex\2ccn\3dusers\2ccn\3daccounts\2cdc\3doffice\2cdc\3dnms)(memberUid=alex)))",
> scope "sub"
> (14) files:   Waiting for search result...
> (14) files: User found in group object
> "cn=hr,cn=groups,cn=accounts,dc=office,dc=lan"
> rlm_ldap (ldap01): Released connection (2)
> (14) files: acct_users: Matched entry DEFAULT at line 156
> (14)     [files] = ok
> (14)   } # preacct = updated
> (14) # Executing section accounting from file
> /etc/freeradius/sites-enabled/default
> (14)   accounting {
> (14) detail: EXPAND
> /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
> (14) detail:    --> /var/log/freeradius/radacct/10.0.5.71/detail-20180726
> (14) detail:
> /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
> expands to /var/log/freeradius/radacct/10.0.5.71/detail-20180726
> (14) detail: EXPAND %t
> (14) detail:    --> Thu Jul 26 21:24:21 2018
> (14)     [detail] = ok
> (14)     [replicate] = noop
> (14)     update {
> (14)       control:Replicate-To-Realm := fortigate02
> (14)     } # update = noop
> (14)     [unix] = ok
> (14)     [exec] = noop
> (14) attr_filter.accounting_response: EXPAND %{User-Name}
> (14) attr_filter.accounting_response:    --> alex
> (14) attr_filter.accounting_response: Matched entry DEFAULT at line 12
> (14)     [attr_filter.accounting_response] = updated
> (14)   } # accounting = updated
> (14) Starting proxy to home server 10.132.15.192 port 1813
> (14) Proxying request to home server 10.132.15.192 port 1813 timeout
> 30.000000
> (14) Sent Accounting-Request Id 148 from 0.0.0.0:42612 to
> 10.132.15.192:1813 length 228
> (14)   Acct-Status-Type = Start
> (14)   NAS-IP-Address = 10.0.5.71
> (14)   User-Name = "alex"
> (14)   NAS-Port = 0
> (14)   NAS-Port-Type = Wireless-802.11
> (14)   Calling-Station-Id = "a8667f23c53e"
> (14)   Called-Station-Id = "3817c3c13fa8"
> (14)   Framed-IP-Address = 10.0.20.210
> (14)   Acct-Multi-Session-Id = "A8667F23C53E-1532621349"
> (14)   Acct-Session-Id = "3817C393FA90-A8667F23C53E-5B5A3C05-C1D30"
> (14)   Acct-Delay-Time = 0
> (14)   Aruba-Essid-Name = "team"
> (14)   Aruba-Location-Id = "Floor1-Main"
> (14)   Aruba-User-Vlan = 20
> (14)   Aruba-Device-Type = "OS X"
> (14)   Acct-Authentic = RADIUS
> (14)   Event-Timestamp = "Jul 26 2018 21:24:21 UTC"
> (14)   Proxy-State = 0x3232
> Waking up in 0.2 seconds.
> (14) Clearing existing &reply: attributes
> (14) Received Accounting-Response Id 148 from 10.132.15.192:1813 to
> 10.132.15.206:42612 length 24
> (14)   Proxy-State = 0x3232
> (14) # Executing section post-proxy from file
> /etc/freeradius/sites-enabled/default
> (14)   post-proxy {
> (14) eap: No pre-existing handler found
> (14)     [eap] = noop
> (14)   } # post-proxy = noop
> (14) Sent Accounting-Response Id 22 from 10.132.15.206:1813 to
> 10.0.5.71:64245 length 0
> (14) Finished request
> (14) Cleaning up request packet ID 22 with timestamp +54
> Waking up in 4.4 seconds.
>
> As I can see, the original packet is modified:
> (14) files: acct_users: Matched entry DEFAULT at line 156
> (14)     [files] = ok
> (14)   } # preacct = updated
>
> But not replicated:
> (14)     [replicate] = noop
> (14)     update {
> (14)       control:Replicate-To-Realm := fortigate02
> (14)     } # update = noop
>
> Please tell me what could be the reason? I cannot figure it out.
>
> --
> Best regards, Alex Morozenko
>
>
> Tue, 24 Jul 2018 at 20:00 Alan DeKok <aland at deployingradius.com> wrote:
>
>> On Jul 24, 2018, at 12:49 PM, Алексей Морозенко <alexmorozenko at gmail.com>
>> wrote:
>> >
>> > I was wrong to say «reply»; I mean that after successful authorization the
>> NAS sends an accounting request to my RADIUS and then RADIUS proxies that
>> request to FG-1 and FG-2
>>
>>   OK.
>>
>> > It doesn't matter what its name is; by using files in preacct (pre-proxy)
>> I insert an additional attribute «Reply-Message» containing the group name into
>> the accounting REQUEST from the NAS. And then this modified accounting request
>> is proxied to the Forti according to the realms.
>> > Am I right?
>>
>>   Yes.  But only for PROXIED packets.  The "pre-proxy" section doesn't
>> change the *original* packet.
>>
>>   And the "replicate" module only sends copies of the ORIGINAL packet.
>>
>>   So you have to edit the original packet before calling replicate.
>>
>>   Alan DeKok.
>>
>>


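The following Python checker is an added example, not code from the thread or from the FreeRADIUS project: it parses radiusd -X output into the per-section module results and flags the ordering problem Alan describes, an update block that runs only after replicate has already been called. SAMPLE_DEBUG is a constructed, trimmed excerpt in the shape of the debug output quoted above; a real captured log can be passed to parse_sections instead.

```python
import re

# Constructed sample in the shape of the thread's "radiusd -X" output, trimmed
# and unwrapped (LDAP search chatter omitted); not a verbatim copy of the log.
SAMPLE_DEBUG = """\
(14) # Executing section preacct from file /etc/freeradius/sites-enabled/default
(14)   preacct {
(14)     [preprocess] = ok
(14)     policy acct_unique {
(14)       update request {
(14)         &Tmp-String-9 := "ai:"
(14)       } # update request = noop
(14)     } # policy acct_unique = noop
(14) suffix: Found realm "DEFAULT"
(14)     [suffix] = updated
(14)     [files] = ok
(14)   } # preacct = updated
(14) # Executing section accounting from file /etc/freeradius/sites-enabled/default
(14)   accounting {
(14)     [detail] = ok
(14)     [replicate] = noop
(14)     update {
(14)       control:Replicate-To-Realm := fortigate02
(14)     } # update = noop
(14)     [unix] = ok
(14)     [exec] = noop
(14)     [attr_filter.accounting_response] = updated
(14)   } # accounting = updated
(14) Starting proxy to home server 10.132.15.192 port 1813
"""

# A debug line is "(<request id>)", indentation, then the body.
LINE_RE = re.compile(r"^\(\d+\)( +)(.*?)\s*$")
SECTION_RE = re.compile(r"^# Executing section (\S+) from file ")
MODULE_RE = re.compile(r"^\[([^\]]+)\] = (\S+)$")   # [module] = rcode
CLOSE_RE = re.compile(r"^\} # (.+?) = (\S+)$")      # } # block = rcode


def parse_sections(debug_text):
    """Map each section to its top-level (name, rcode) items in run order.

    Items are module calls such as ("files", "ok") or sub-blocks such as
    ("update", "noop"); nesting follows the indent FreeRADIUS prints, so the
    contents of policies and if/else blocks are not listed individually.
    """
    sections = {}
    pending = None   # section announced by "# Executing section ..."
    current = None   # (section name, indent of its "name {" line)
    for raw in debug_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue   # e.g. "rlm_ldap (ldap01): Reserved connection (1)"
        indent, body = len(m.group(1)), m.group(2)
        s = SECTION_RE.match(body)
        if s:
            pending = s.group(1)
            continue
        if pending and body == pending + " {":
            current = (pending, indent)
            sections[pending] = []
            pending = None
            continue
        if current is None:
            continue
        name, base = current
        if indent == base + 2:          # direct child of the section
            item = MODULE_RE.match(body) or CLOSE_RE.match(body)
            if item:
                sections[name].append((item.group(1), item.group(2)))
        elif indent == base:            # "} # <section> = <rcode>" ends it
            c = CLOSE_RE.match(body)
            if c and c.group(1) == name:
                current = None
    return sections


def replicate_ordering_issues(sections):
    """Return (section, replicate rcode, later update blocks) for each section
    where an update block runs after replicate.

    As Alan notes in the thread, replicate sends copies of the packet as it
    stands when it is called, so an update placed after it comes too late.
    """
    issues = []
    for name, items in sections.items():
        names = [n for n, _ in items]
        if "replicate" not in names:
            continue
        first = names.index("replicate")
        later = [n for n in names[first + 1:] if n.startswith("update")]
        if later:
            issues.append((name, items[first][1], later))
    return issues
```

Running replicate_ordering_issues(parse_sections(SAMPLE_DEBUG)) reports the accounting section, where replicate returned noop before the update that sets control:Replicate-To-Realm.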