Issues with post-auth not running in inner-tunnel/proxy-inner-tunnel

Chris Griffin cgriffin352 at gmail.com
Wed Aug 10 14:04:27 UTC 2022


Hi Alan,
  In my case I am using the "proxy-inner-tunnel" config, but I have added a
post-auth section to it.  Sorry I didn't post the loading debug.  Here is
what I have for proxy-inner-tunnel:

server proxy-inner-tunnel { # from file /opt/freeradius-test/etc/raddb/sites-enabled/proxy-inner-tunnel
 # Loading authenticate {...}
 # Loading authorize {...}
 # Loading post-proxy {...}
 # Loading post-auth {...}
} # server proxy-inner-tunnel

Happy to do any other debugs you would like to see.

Thanks!
Chris

On Wed, Aug 10, 2022 at 9:52 AM Alan DeKok <aland at deployingradius.com> wrote:

> On Aug 10, 2022, at 9:06 AM, Chris Griffin <cgriffin352 at gmail.com> wrote:
> >
> > I am currently migrating some Freeradius 2 based services over to
> > Freeradius 3 (3.2.0), and I am having an issue with post-auth executing in
> > the inner-tunnel.  In Freeradius 2, I have some post-auth logic that runs
> > fine, but it seems that the post-auth section does not run in Freeradius
> > 3.
>
>   It should run if you have the "post-auth" section in the inner-tunnel
> virtual server.  See
> https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/src/modules/rlm_eap/types/rlm_eap_peap/peap.c#L560
>
>   and a few lines later where it calls rad_postauth()
>
> >  I have gone through the documentation and posts to the listserv and
> > haven't found any clues as to why.  In my particular case, I am using the
> > proxy-inner-tunnel configuration and adding a post-auth section, but in
> > other tests, it doesn't seem that post-auth runs when I try to use the
> > "inner-tunnel" config, which already has a post-auth section.  Just to make
> > things simple to debug, I was able to build a very simple test case which
> > shows the problem:
> >
> > Steps to re-create:
> >
> > build 3.2.0
> > delete link to inner-tunnel and link to proxy-inner-tunnel.  edit eap to
> > point to proxy-inner-tunnel as virtual server
> >
> > add section post-auth and put:
> >
> > update outer.session-state {
> >      User-Name := &User-Name
> > }
> >
> > just as a test action to look for.
> >
> > add config to proxy.conf to allow for proxying the inner tunnel to another
> > radius server.
> >
> > Resulting logs when testing with eapol_test:
>
>   It should also print out something like this for the "inner-tunnel"
> virtual server.   That way you know it's been loaded and parsed.
>
> server inner-tunnel { # from file ./raddb/sites-enabled/inner-tunnel
>  # Loading authenticate {...}
> Compiling Auth-Type PAP for attr Auth-Type
> Compiling Auth-Type CHAP for attr Auth-Type
> Compiling Auth-Type MS-CHAP for attr Auth-Type
>  # Loading authorize {...}
>  # Loading session {...}
>  # Loading post-proxy {...}
>  # Loading post-auth {...}
>
>   If it doesn't say "Loading post-auth" for the proxy-inner-tunnel virtual
> server, then that's the problem.  You've put the post-auth section
> somewhere where the server can't see it (or ignores it).
>
>   If it is there, then I'm a little surprised it doesn't work.  We'll have
> to look at that in more detail.
>
>   Alan DeKok.
>
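
The check described in the quoted reply (look for "Loading post-auth" under the virtual server in the startup debug output) can be scripted. This is an added example, not part of the original thread or of FreeRADIUS; the function names and the `example-no-postauth` server are hypothetical, and the sample text is constructed in the output format quoted above.

```python
import re

SERVER_RE = re.compile(r"^\s*server\s+(\S+)\s*\{")        # "server NAME { # from file ..."
LOADING_RE = re.compile(r"^\s*#\s*Loading\s+([\w-]+)\s*\{")  # " # Loading post-auth {...}"
END_RE = re.compile(r"^\s*\}\s*#\s*server\b")             # "} # server NAME"

def loaded_sections(debug_text):
    """Map each virtual server to the sections the debug output says it loaded."""
    servers, current = {}, None
    for line in debug_text.splitlines():
        m = SERVER_RE.match(line)
        if m:
            current = m.group(1)
            servers.setdefault(current, [])
        elif END_RE.match(line):
            current = None
        else:
            m = LOADING_RE.match(line)
            # Path continuations and "Compiling ..." lines match nothing and are skipped.
            if m and current is not None:
                servers[current].append(m.group(1))
    return servers

def missing_sections(debug_text, server, required=("post-auth",)):
    """Return required sections not loaded, or None if the server never loaded."""
    sections = loaded_sections(debug_text).get(server)
    if sections is None:
        return None
    return [s for s in required if s not in sections]

# Constructed sample: first block follows the output quoted in the thread
# (path wrapped onto its own line), second block is a hypothetical server.
SAMPLE = """\
server proxy-inner-tunnel { # from file
/opt/freeradius-test/etc/raddb/sites-enabled/proxy-inner-tunnel
 # Loading authenticate {...}
 # Loading authorize {...}
 # Loading post-proxy {...}
 # Loading post-auth {...}
} # server proxy-inner-tunnel
server example-no-postauth { # from file ./raddb/sites-enabled/example-no-postauth
 # Loading authenticate {...}
 # Loading authorize {...}
} # server example-no-postauth
"""

if __name__ == "__main__":
    for name in ("proxy-inner-tunnel", "example-no-postauth", "inner-tunnel"):
        print(name, "->", missing_sections(SAMPLE, name))
```

A result of `None` means the virtual server was never loaded at all, which is a different problem from a loaded server that lacks the section.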

