Exec and dropped attributes between v2.0 and 3.0

Matthew Newton mcn at freeradius.org
Wed Dec 4 17:58:55 CET 2019


On Wed, 2019-12-04 at 16:35 +0000, Luke Cameron wrote:
> Ready to process requests
> (0) Received Access-Request Id 31 from xxx.xxx.40.10:49430 to
> xxx.xxx.40.10:1812 length 78
> (0)   User-Name = "testuser"
> (0)   User-Password = "testuser"
> (0)   NAS-IP-Address = xxx.xxx.40.10
> (0)   NAS-Port = 1812
> (0)   Message-Authenticator = 0x4ea342f707f8b90e09291fe54a2e09e2
> (0) # Executing section authorize from file /etc/raddb/sites-
> enabled/default

As Alan pointed out, there's no Framed-IP-Address in the request, so
there's nothing to log there.

But there _is_ one in the reply, which means you've added it somewhere
in FreeRADIUS.

What are you trying to log? One sent by the NAS? In which case fix the
NAS to send it. Or one generated by FreeRADIUS, in which case you stand
a chance, as long as you log it *after* it's been added.


> (0)     [preprocess] = ok
> (0)     [chap] = noop
> (0)     [mschap] = noop
> (0)     [digest] = noop
> (0) suffix: Checking for suffix after "@"
> (0) suffix: No '@' in User-Name = "testuser", looking up realm NULL
> (0) suffix: No such realm "NULL"
> (0)     [suffix] = noop
> (0) eap: No EAP-Message, not doing EAP
> (0)     [eap] = noop
> (0) files: users: Matched entry testuser at line 1
> (0) files: EXPAND /etc/raddb/var.sh %{User-Name} %{reply:Framed-IP-
> Address}
> (0) files:    --> /etc/raddb/var.sh testuser
> (0) files: EXPAND Hello, %{User-Name}
> (0) files:    --> Hello, testuser
> (0)     [files] = ok

This looks like a likely suspect. Have you added a reply attribute in
the users file?

There's nothing going to get logged if you call your script here, as
there's no attribute already existing, as you've found out.

> (0)   post-auth {
> (0)     update {
> (0)       No attributes updated
> (0)     } # update = noop
> (0) gprsh01-ippool: Could not find Pool-Name attribute
> (0)     [gprsh01-ippool] = noop
> (0) gprsh02-ippool: Could not find Pool-Name attribute
> (0)     [gprsh02-ippool] = noop

Returning noop, so doesn't look like these added the Framed-IP-Address
attribute. So my suspicion is the users file.

You can add "debug_reply" into the config in places to discover at
which point it gets added, if you need to.

There's no point logging it before it's added, as it won't exist.

> (0) Sent Access-Accept Id 31 from xxx.xxx.40.10:1812 to
> xxx.xxx.40.10:49430
> length 0
> (0)   Framed-IP-Address = 10.199.0.1
> (0)   Reply-Message = "Hello, testuser"
> (0) Finished request

-- 
Matthew
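
An added example, not part of the original post and not FreeRADIUS code: a Python helper that scans FreeRADIUS debug output for `EXPAND` lines in which a `%{...}` reference produced no text, as `%{reply:Framed-IP-Address}` did in the `files` module above. The function names are hypothetical and the matching is a heuristic that assumes simple, non-nested references; the sample lines are taken from the quoted debug output.

```python
import re

REF = re.compile(r"%\{[^{}]*\}")       # simple, non-nested %{...} reference
EXPAND = re.compile(r"^\((\d+)\)\s+(?:([\w.-]+):\s+)?EXPAND (.*)$")
RESULT = re.compile(r"^\((\d+)\)\s+(?:[\w.-]+:)?\s*-->\s?(.*)$")

# Lines taken from the debug output quoted in the post, mail wrapping included.
SAMPLE = """\
> (0) files: EXPAND /etc/raddb/var.sh %{User-Name} %{reply:Framed-IP-
> Address}
> (0) files:    --> /etc/raddb/var.sh testuser
> (0) files: EXPAND Hello, %{User-Name}
> (0) files:    --> Hello, testuser
"""

def unwrap(text):
    """Strip mail quoting and rejoin lines that the mail client hard-wrapped."""
    out = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).rstrip()
        if re.match(r"\(\d+\)\s", line):      # "(0) " starts a new log line
            out.append(line)
        elif line and out:  # continuation; a trailing "-" means a split token
            out[-1] += line if out[-1].endswith("-") else " " + line
    return out

def _regex(template, group, space):
    """Turn an EXPAND template into a regex with one group per %{...}."""
    lits = [space.join(map(re.escape, re.split(r"\s+", lit)))
            for lit in REF.split(template)]
    return re.compile(group.join(lits) + r"\s*")

def empty_expansions(text):
    """Return (request, module, reference) for references that expanded to nothing."""
    lines, found = unwrap(text), []
    for cur, nxt in zip(lines, lines[1:]):
        e, r = EXPAND.match(cur), RESULT.match(nxt)
        if not (e and r and e.group(1) == r.group(1)):
            continue
        template, result, refs = e.group(3), r.group(2), REF.findall(e.group(3))
        # Strict pass: every reference yields text, so nothing was dropped.
        if not refs or _regex(template, "(.+?)", r"\s+").fullmatch(result):
            continue
        # Loose pass (heuristic): values are assigned left to right.
        loose = _regex(template, r"(\S*)", r"\s*").fullmatch(result)
        if loose:
            found += [(int(e.group(1)), e.group(2), ref)
                      for ref, val in zip(refs, loose.groups()) if not val]
    return found
```

Calling `empty_expansions(SAMPLE)` reports the `files` module and `%{reply:Framed-IP-Address}` for request 0; a hit means the reference was evaluated at a point where that attribute was not yet in the list.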



