3.0.18: operator = not behaving as expected after proxying to virtual server
Alan DeKok
aland at deployingradius.com
Sat Apr 6 14:07:18 CEST 2019
On Apr 6, 2019, at 6:26 AM, stefan.winter at restena.lu wrote:
>
> I have a setup where a proxied-to virtual server sets the attribute Session-Timeout with := and then the calling server sets it subsidiary to a different value with = in post-proxy.
>
> The reply_log for both servers shows that the first value is set ok, but the second = operator *adds* the Session-Timeout attribute a second time.
> ...
> The post-proxy configuration of the caller is:
>
> post-proxy {
>     update reply {
>         Cisco-Account-Info = "ASERVICE_INTERNET-DEFAULT",
>         Session-Timeout = 86400,
>         Idle-Timeout = 7200
>     }
>     post_proxy_log
> }
Post-proxy doesn't do what you think it does. It's a way to mangle the *proxied* reply. Not the *actual* reply.
When a proxied reply is received, the server runs post-proxy, and then *adds* the proxied reply to the real reply. Operators aren't used for that addition.
So what's happening is:
- request is proxied
- Session-Timeout is added to the proxy reply
- back in the main server the original reply is deleted
- post-proxy { } section runs
- adds Session-Timeout to the reply, using "=", which works, as the reply is empty
- once post-proxy is finished, the proxy reply is appended to the real reply.
Which means you have two Session-Timeout attributes.
The solution is to do "update proxy-reply" in the post-proxy section. Don't do "update reply".
Alan DeKok.
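
The sequence described in the message above, as an added example that is not part of the original post and is not FreeRADIUS code: a simplified Python model of the `=` and `:=` operators and of the final append step. The function names, the starting reply content and the value 3600 are constructed for illustration.

```python
# Simplified model of the flow in the message above; not FreeRADIUS code.
# An attribute list is an ordered list of (name, value) pairs.

def update(lst, name, op, value):
    """Apply one unlang 'update' entry to a single attribute list."""
    present = any(n == name for n, _ in lst)
    if op == "=":            # add only if no attribute of that name exists
        if not present:
            lst.append((name, value))
    elif op == ":=":         # replace existing instances, otherwise add
        lst[:] = [(n, v) for n, v in lst if n != name]
        lst.append((name, value))
    else:
        raise ValueError(f"operator {op!r} not modelled")

def handle_proxied_request(post_proxy_target):
    """Run the described sequence; post_proxy_target is 'reply' or 'proxy-reply'."""
    # Constructed starting state: the main server already holds some reply.
    lists = {"reply": [("Reply-Message", "constructed")], "proxy-reply": []}

    # 1. Proxied-to virtual server sets Session-Timeout with := (constructed value).
    update(lists["proxy-reply"], "Session-Timeout", ":=", 3600)

    # 2. Back in the main server, the original reply is deleted.
    lists["reply"].clear()

    # 3. post-proxy { update <target> { ... } } runs, every entry using "=".
    for name, value in [("Cisco-Account-Info", "ASERVICE_INTERNET-DEFAULT"),
                        ("Session-Timeout", 86400),
                        ("Idle-Timeout", 7200)]:
        update(lists[post_proxy_target], name, "=", value)

    # 4. The proxy reply is appended to the real reply; no operators apply here.
    lists["reply"].extend(lists["proxy-reply"])
    return lists["reply"]

def session_timeouts(reply):
    """Return every Session-Timeout value present in the final reply."""
    return [v for n, v in reply if n == "Session-Timeout"]

if __name__ == "__main__":
    for target in ("reply", "proxy-reply"):
        print(target, "->", session_timeouts(handle_proxied_request(target)))
```

With `update reply` the final reply carries two Session-Timeout attributes; with `update proxy-reply` the `=` operator sees the value set by the virtual server and leaves it as the only one.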