Issues with post-auth not running in inner-tunnel/proxy-inner-tunnel
Alan DeKok
aland at deployingradius.com
Wed Aug 10 13:51:57 UTC 2022
On Aug 10, 2022, at 9:06 AM, Chris Griffin <cgriffin352 at gmail.com> wrote:
>
> I am currently migrating some Freeradius 2 based services over to
> Freeradius 3 (3.2.0), and I am having an issue with post-auth executing in
> the inner-tunnel. In Freeradius 2, I have some post-auth logic that runs
> fine, but it seems that the post-auth section does not run in Freeradius
> 3.

It should run if you have the "post-auth" section in the inner-tunnel virtual server. See
https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/src/modules/rlm_eap/types/rlm_eap_peap/peap.c#L560
and a few lines later, where it calls rad_postauth().

> I have gone through the documentation and posts to the listserv and
> haven't found any clues as to why. In my particular case, I am using the
> proxy-inner-tunnel configuration and adding a post-auth section, but in
> other tests, it doesn't seem that post-auth runs when I try to use the
> "inner-tunnel" config, which already has a post-auth section. Just to make
> things simple to debug, I was able to build a very simple test case which
> shows the problem:
>
> Steps to re-create:
>
> build 3.2.0
> delete link to inner-tunnel and link to proxy-inner-tunnel. edit eap to
> point to proxy-inner-tunnel as virtual server
>
> add section post-auth and put:
>
> update outer.session-state {
> User-Name := &User-Name
> }
>
> just as a test action to look for.
>
> add config to proxy.conf to allow for proxying the inner tunnel to another
> radius server.
>
> Resulting logs when testing with eapol_test:

It should also print out something like this for the "inner-tunnel" virtual server. That way you know it's been loaded and parsed.

 server inner-tunnel { # from file ./raddb/sites-enabled/inner-tunnel
  # Loading authenticate {...}
  Compiling Auth-Type PAP for attr Auth-Type
  Compiling Auth-Type CHAP for attr Auth-Type
  Compiling Auth-Type MS-CHAP for attr Auth-Type
  # Loading authorize {...}
  # Loading session {...}
  # Loading post-proxy {...}
  # Loading post-auth {...}

If it doesn't say "Loading post-auth" for the proxy-inner-tunnel virtual server, then that's the problem. You've put the post-auth section somewhere where the server can't see it (or ignores it).

If it is there, then I'm a little surprised it doesn't work. We'll have to look at that in more detail.

Alan DeKok.
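
The check described in the message above, as an added example that is not part of the original post or of FreeRADIUS: it scans debug output for each virtual server block and reports which "# Loading ..." sections appear in it. The function names and the sample text are constructed for illustration, and the sample assumes each server block ends with a closing "}" line.

```python
import re
import sys

# "server NAME {" opens a virtual server; "# Loading SECTION {...}" lists a parsed section.
SERVER_RE = re.compile(r"^\s*server\s+(\S+)\s*\{")
LOADING_RE = re.compile(r"^\s*#\s*Loading\s+([\w-]+)\s*\{")

# Constructed sample modeled on the lines quoted in the message (not real server output).
SAMPLE = """\
server inner-tunnel { # from file ./raddb/sites-enabled/inner-tunnel
 # Loading authenticate {...}
 Compiling Auth-Type PAP for attr Auth-Type
 # Loading authorize {...}
 # Loading post-auth {...}
} # server inner-tunnel
server proxy-inner-tunnel { # from file ./raddb/sites-enabled/proxy-inner-tunnel
 # Loading authenticate {...}
 # Loading authorize {...}
} # server proxy-inner-tunnel
"""


def loaded_sections(debug_text):
    """Map each virtual server name to the sections the server loaded for it."""
    servers, current = {}, None
    for line in debug_text.splitlines():
        m = SERVER_RE.match(line)
        if m:
            current = m.group(1)
            servers.setdefault(current, [])
            continue
        m = LOADING_RE.match(line)
        if m and current is not None:
            servers[current].append(m.group(1))
        elif line.strip().startswith("}"):
            current = None  # closing brace ends this server's block
    return servers


def missing_section(debug_text, server, section="post-auth"):
    """True if `server` was parsed but `section` was not loaded for it."""
    return section not in loaded_sections(debug_text)[server]


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, sections in loaded_sections(text).items():
        status = "ok" if "post-auth" in sections else "post-auth NOT loaded"
        print(f"{name}: {status} (loaded: {', '.join(sections) or 'none'})")
```

Pipe the output of radiusd -X into the script to run it against a real startup log; with no input on stdin it falls back to the constructed sample.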