reject request in post-proxy

Matt Zagrabelny mzagrabe at d.umn.edu
Mon Aug 24 23:40:37 CEST 2020


Greetings,

I am using FR 3.0.17.

I am trying to use unlang in the post-proxy section of my default site to
reject certain requests. The following config example is a test condition
and contrived.

post-proxy {
    eap
    if (User-Name == 'mzagrabe') {
        reject
    }
}

However, I am not getting the expected reject when I successfully
authenticate. Here is the -X output:

[...]
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "mzagrabe", looking up realm NULL
(0) suffix: Found realm "NULL"
(0) suffix: Adding Stripped-User-Name = "mzagrabe"
(0) suffix: Adding Realm = "NULL"
(0) suffix: Proxying request from user mzagrabe to realm NULL
(0) suffix: Preparing to proxy authentication request to realm "NULL"
(0)     [suffix] = updated
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0)     [files] = noop
(0)     [expiration] = noop
(0)     [logintime] = noop
(0)     [pap] = noop
(0)   } # authorize = updated
(0) Starting proxy to home server 10.0.0.1 port 1812
(0) Proxying request to home server 10.0.0.1 port 1812 timeout 30.000000
(0) Sent Access-Request Id 81 from 0.0.0.0:32865 to 10.0.0.1:1812 length 115
(0)   User-Name = "mzagrabe"
(0)   User-Password = "I need something strong to distract my mind-2020"
(0)   NAS-IP-Address = 192.168.0.2
(0)   Event-Timestamp = "Aug 24 2020 16:21:09 CDT"
(0)   Message-Authenticator := 0x00
(0)   Proxy-State = 0x323330
Waking up in 0.3 seconds.
(0) Expecting proxy response no later than 29.667028 seconds from now
Waking up in 29.6 seconds.
(0) Marking home server 10.0.0.1 port 1812 alive
(0) Clearing existing &reply: attributes
(0) Received Access-Accept Id 81 from 10.0.0.1:1812 to 192.168.0.1:32865 length 53
(0)   Reply-Message = "Success. Logging you in..."
(0)   Proxy-State = 0x323330
(0) # Executing section post-proxy from file /etc/freeradius/3.0/sites-enabled/default
(0)   post-proxy {
(0) eap: No pre-existing handler found
(0)     [eap] = noop
(0)     if (User-Name == 'mzagrabe') {
(0)     if (User-Name == 'mzagrabe')  -> TRUE
(0)     if (User-Name == 'mzagrabe')  {
(0)       [reject] = reject
(0)     } # if (User-Name == 'mzagrabe')  = reject
(0)   } # post-proxy = reject
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user
(0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(0)   post-auth {
(0)     update {
(0)       No attributes updated
(0)     } # update = noop
(0)     [exec] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # post-auth = noop
(0) Sent Access-Accept Id 230 from 192.168.0.1:1812 to 192.168.0.2:52859 length 0
(0)   Reply-Message = "Success. Logging you in..."
(0) Finished request

How do I reject in post-proxy after the home server returns a successful
authentication check?

Thanks for any help!

-m
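
Added example, not part of the original post: a Python check that scans `radiusd -X` debug output for the mismatch visible in the trace above, where a processing section ends in `reject` but an Access-Accept is still sent to the NAS. The sample lines are constructed in the shape of the output in the post; the function name and regular expressions are this example's own.

```python
import re

# Constructed sample, modelled on the shape of the -X output in the post above.
SAMPLE = """\
(0)   post-proxy {
(0)       [reject] = reject
(0)     } # if (User-Name == 'mzagrabe')  = reject
(0)   } # post-proxy = reject
(0) Found Auth-Type = Accept
(0) Sent Access-Accept Id 230 from 192.168.0.1:1812 to 192.168.0.2:52859 length 0
(0) Finished request
(1)   } # post-proxy = ok
(1) Sent Access-Accept Id 231 from 192.168.0.1:1812 to 192.168.0.2:52860 length 0
(1) Finished request
(2)   } # post-proxy = reject
(2) Sent Access-Reject Id 232 from 192.168.0.1:1812 to 192.168.0.2:52861 length 0
(2) Finished request
"""

# Closing line of a top-level section, e.g. "(0)   } # post-proxy = reject".
SECTION_END = re.compile(
    r"^\((\d+)\)\s+\} # (authorize|authenticate|post-proxy|post-auth) = (\w+)")
# Outgoing packet line, e.g. "(0) Sent Access-Accept Id 230 from A to B length 0".
SENT = re.compile(r"^\((\d+)\)\s+Sent (Access-\w+) Id (\d+) from \S+ to (\S+)")


def find_ignored_rejects(debug_text):
    """Return requests where a section ended in reject but an Access-Accept was sent."""
    rejected = {}   # request number -> sections that returned reject
    findings = []
    for line in debug_text.splitlines():
        m = SECTION_END.match(line)
        if m:
            if m.group(3) == "reject":
                rejected.setdefault(m.group(1), []).append(m.group(2))
            continue
        m = SENT.match(line)
        if m and m.group(2) == "Access-Accept" and m.group(1) in rejected:
            findings.append({
                "request": int(m.group(1)),
                "sections": rejected[m.group(1)],
                "packet_id": int(m.group(3)),
                "sent_to": m.group(4),
            })
    return findings


if __name__ == "__main__":
    for finding in find_ignored_rejects(SAMPLE):
        print(finding)
```
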

