HTTP headers

Alan DeKok aland at deployingradius.com
Thu Dec 2 14:12:53 CET 2021


> On Dec 2, 2021, at 7:34 AM, Stjepan Roić <roic27 at gmail.com> wrote:
> 
> Regarding your input, I have previously tried placing that code inside the
> authentication section of the default server but got this error:
> 
> -- Unit freeradius.service has begun starting up.

  Please post the debug output from "radiusd -X" or "freeradius -X".  There is absolutely ZERO reason to post the logs from systemd.

  Yes, there's a reason we ask for the debug output.  It lets us separate systemd issues from radius issues.  And it means that the debug output is readable, instead of being randomly reformatted.

> Dec 02 12:03:24 freeradius freeradius[7819]: FreeRADIUS Version 3.0.16
> Dec 02 12:03:24 freeradius freeradius[7819]: Copyright (C) 1999-2017 The
> FreeRADIUS server project and contributors
> Dec 02 12:03:24 freeradius freeradius[7819]: There is NO warranty; not even
> for MERCHANTABILITY or FITNESS FOR A
> Dec 02 12:03:24 freeradius freeradius[7819]: PARTICULAR PURPOSE

  Does that look readable?  No?  That's why we ask for the debug output.

> /etc/freeradius/3.0/sites-enabled/default[480]: Unknown Auth-Type "control"
> in authenticate sub-section.*

  You edited the configuration and broke it.  Don't do that.

  Why are you trying to set "Auth-Type" in the "authenticate" section?

  Why are you trying to set "Auth-Type" to a value which doesn't exist?

> Now I have done it in the authorization section just before "filter_username"
> and although the server starts there is no difference in the output on the
> rest server, no headers incoming.
> 
> Debug:
> Ready to process requests
> (0) Received Access-Request Id 59 from 127.0.0.1:33440 to 127.0.0.1:1812
> length 79
> (0)   User-Name = "rba_user1"
> (0)   User-Password = "rba_user1"
> (0)   NAS-IP-Address = 172.16.49.8
> (0)   NAS-Port = 0
> (0)   Message-Authenticator = 0x8204eb0ff20ae8b2ea0b4ed973d894c3
> (0) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (0)   authorize {
> (0)     policy filter_username {
> (0)       if (&User-Name) {
> (0)       if (&User-Name)  -> TRUE
> (0)       if (&User-Name)  {
> (0)         if (&User-Name =~ / /) {
> (0)         if (&User-Name =~ / /)  -> FALSE
> (0)         if (&User-Name =~ /@[^@]*@/ ) {
> (0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (0)         if (&User-Name =~ /\.\./ ) {
> (0)         if (&User-Name =~ /\.\./ )  -> FALSE
> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
> FALSE
> (0)         if (&User-Name =~ /\.$/)  {
> (0)         if (&User-Name =~ /\.$/)   -> FALSE
> (0)         if (&User-Name =~ /@\./)  {
> (0)         if (&User-Name =~ /@\./)   -> FALSE
> (0)       } # if (&User-Name)  = notfound
> (0)     } # policy filter_username = notfound
> rlm_rest (rest): Reserved connection (0)

  Note that there is NO "update control" section being run here.

  Did you edit the right file?

  Did you restart the server after editing the file?

  You did one of those steps wrong.

  THIS is why we ask for the debug output.  It doesn't matter what you *think* you did.  It matters what you actually did.  And the debug output shows what you actually did.

  In this case, if you read the debug output, you'd see that there's no "update control" being run.  At which point you can go back and verify that (a) you're editing the right file, and (b) you're restarting the server (which is documented as being needed) after editing the files.

  Alan DeKok.



