Issues with post-auth not running in inner-tunnel/proxy-inner-tunnel
Chris Griffin
cgriffin352 at gmail.com
Fri Aug 12 12:51:47 UTC 2022
Hi Alan,
I did a little debugging inside the code and found that
'request_data_get' returns NULL so we never pass the conditional which
allows rad_postauth to be called. Any other debug information that would
help?
Thanks
Chris
On Wed, Aug 10, 2022 at 9:52 AM Alan DeKok <aland at deployingradius.com> wrote:
> On Aug 10, 2022, at 9:06 AM, Chris Griffin <cgriffin352 at gmail.com> wrote:
> >
> > I am currently migrating some Freeradius 2 based services over to
> > Freeradius 3 (3.2.0), and I am having an issue with post-auth executing
> > in the inner-tunnel. In Freeradius 2, I have some post-auth logic that
> > runs fine, but it seems that the post-auth section does not run in
> > Freeradius 3.
>
> It should run if you have the "post-auth" section in the inner-tunnel
> virtual server. See
> https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/src/modules/rlm_eap/types/rlm_eap_peap/peap.c#L560
>
> and a few lines later where it calls rad_postauth()
>
> > I have gone through the documentation and posts to the listserv and
> > haven't found any clues as to why. In my particular case, I am using the
> > proxy-inner-tunnel configuration and adding a post-auth section, but in
> > other tests, it doesn't seem that post-auth runs when I try to use the
> > "inner-tunnel" config, which already has a post-auth section. Just to
> > make things simple to debug, I was able to build a very simple test case
> > which shows the problem:
> >
> > Steps to re-create:
> >
> > build 3.2.0
> > delete link to inner-tunnel and link to proxy-inner-tunnel. edit eap to
> > point to proxy-inner-tunnel as virtual server
> >
> > add section post-auth and put:
> >
> > update outer.session-state {
> >     User-Name := &User-Name
> > }
> >
> > just as a test action to look for.
> >
> > add config to proxy.conf to allow for proxying the inner tunnel to
> > another radius server.
> >
> > Resulting logs when testing with eapol_test:
>
> It should also print out something like this for the "inner-tunnel"
> virtual server. That way you know it's been loaded and parsed.
>
> server inner-tunnel { # from file ./raddb/sites-enabled/inner-tunnel
> # Loading authenticate {...}
> Compiling Auth-Type PAP for attr Auth-Type
> Compiling Auth-Type CHAP for attr Auth-Type
> Compiling Auth-Type MS-CHAP for attr Auth-Type
> # Loading authorize {...}
> # Loading session {...}
> # Loading post-proxy {...}
> # Loading post-auth {...}
>
> If it doesn't say "Loading post-auth" for the proxy-inner-tunnel virtual
> server, then that's the problem. You've put the post-auth section
> somewhere where the server can't see it (or ignores it).
>
> If it is there, then I'm a little surprised it doesn't work. We'll have
> to look at that in more detail.
>
> Alan DeKok.
>
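
Added example, not part of the original thread and not FreeRADIUS code: a small Python check for the step Alan describes, scanning the server's debug startup output (`radiusd -X`) for a "Loading post-auth" line inside each virtual server block. The sample output is constructed; its proxy-inner-tunnel block and the closing `}` lines are assumptions.

```python
import re

# Constructed sample of debug startup output. The inner-tunnel lines follow the
# excerpt quoted in the thread; the proxy-inner-tunnel block and the closing
# "}" lines are assumptions made for this example.
SAMPLE_DEBUG = """\
server inner-tunnel { # from file ./raddb/sites-enabled/inner-tunnel
 # Loading authenticate {...}
 Compiling Auth-Type PAP for attr Auth-Type
 # Loading authorize {...}
 # Loading session {...}
 # Loading post-proxy {...}
 # Loading post-auth {...}
} # server inner-tunnel
server proxy-inner-tunnel { # from file ./raddb/sites-enabled/proxy-inner-tunnel
 # Loading authorize {...}
 # Loading authenticate {...}
} # server proxy-inner-tunnel
"""

SERVER_RE = re.compile(r"^\s*server\s+(\S+)\s*\{")
SECTION_RE = re.compile(r"^\s*#\s*Loading\s+([\w-]+)\s*\{\.\.\.\}")


def loaded_sections(debug_text):
    """Map each virtual server name to the sections the log reports as loaded."""
    servers, current = {}, None
    for line in debug_text.splitlines():
        m = SERVER_RE.match(line)
        if m:
            current = m.group(1)
            servers.setdefault(current, [])
            continue
        if line.lstrip().startswith("}"):
            current = None  # end of a server block (assumed closing line)
            continue
        m = SECTION_RE.match(line)
        if m and current is not None:
            servers[current].append(m.group(1))
    return servers


def servers_missing(debug_text, section="post-auth"):
    """Return virtual servers whose block never logged 'Loading <section>'."""
    found = loaded_sections(debug_text)
    return sorted(name for name, secs in found.items() if section not in secs)


if __name__ == "__main__":
    for name in servers_missing(SAMPLE_DEBUG):
        print(f"{name}: no 'Loading post-auth' line, section was not parsed")
```

A server listed here matches Alan's first case (the section is somewhere the server cannot see it); an empty result points to the second case, where the section is loaded but never run.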