Proxy
Nicolas Breuer
Nicolas.Breuer at belcenter.biz
Thu Nov 25 14:55:31 CET 2021
Hello,
According to the doc https://wiki.freeradius.org/config/Proxy
.........
* The remote server replies with ACK or REJECT
* On ACK: The initial Auth-Type is set to Accept
* On REJECT: The initial Auth-Type is set to Reject
* Then the users file is processed as usual. The username used at this point is the one after hints file processing (regardless of the "hints" option). It also includes the realm (regardless of the setting of the "nostrip" option) unless the realm is LOCAL.
...........
Waking up in 0.3 seconds.
(0) Marking home server 217. port 1649 alive
(0) Clearing existing &reply: attributes
(0) Received Access-Accept Id 112 from NAS
(0) Service-Type = Framed-User
(0) Cisco-AVPair = "ip:vrf-id=BEXX"
(0) Cisco-AVPair = "ip:ip-unnumbered=Loopback22"
(0) Framed-IP-Netmask = 255.255.255.255
(0) Proxy-State = 0x3936
(0) Framed-IP-Address = ZZZ
(0) Session-Timeout = 172800
(0) server dsl {
(0) # Executing section post-proxy from file /etc/raddb/config/...
(0) post-proxy {
(0) post_proxy_log: --> Thu Nov 25 14:48:24 2021
(0) [post_proxy_log] = ok
(0) attr_filter.post-proxy: EXPAND %{Realm}
(0) attr_filter.post-proxy: --> BE
(0) attr_filter.post-proxy: Matched entry DEFAULT at line 106
(0) [attr_filter.post-proxy] = updated
(0) } # post-proxy = updated
(0) }
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user
(0) # Executing section post-auth from file /etc/raddb/config/
(0) post-auth {
(0) if (&reply:Subscription-Name=="PRO"){
(0) ERROR: Failed retrieving values required to evaluate condition
(0) if (&reply:Subscription-Name=="NOSERVICE"){
(0) ERROR: Failed retrieving values required to evaluate condition
(0) elsif (&reply:Subscription-Name != '') {
(0) ERROR: Failed retrieving values required to evaluate condition
(0) update reply {
(0) Service-Type := Framed-User
(0) Framed-IP-Netmask := 255.255.255.255
(0) } # update reply = noop
(0) if (reply:Framed-IP-Address) {
(0) if (reply:Framed-IP-Address) -> FALSE
(0) else {
(0) update reply {
(0) Session-Timeout = 172800
(0) } # update reply = noop
(0) } # else = noop
(0) } # post-auth = noop
(0) Login OK: [BCtest at BXXX] (from client test port 0)
(0) Sent Access-Accept Id 96 from
(0) Framed-IP-Netmask := 255.255.255.255
(0) Service-Type := Framed-User
(0) Session-Timeout = 172800
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 96 with timestamp +8
Ready to process requests
In users I have a match before the proxy:
(0) [suffix] = updated
(0) auth_dsl: users: Matched entry DEFAULT at line 10
(0) auth_dsl: users: Matched entry DEFAULT at line 54
(0) auth_dsl: users: Matched entry DEFAULT at line 79
(0) [auth_dsl] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) [pap] = noop
But this is not applied at all after the accept...
Any ideas?