Issues with post-auth not running in inner-tunnel/proxy-inner-tunnel
Chris Griffin
cgriffin352 at gmail.com
Wed Aug 17 02:01:39 UTC 2022
Hi Alan,
I did some testing and I am still seeing an issue.
Although fake->reply->code = PW_CODE_ACCESS_ACCEPT is now set, a few lines
later where:
process_post_proxy(0, fake);
is called, it gets reset to PW_CODE_ACCESS_CHALLENGE and so in rad_postauth
it builds the VP with Post-Auth-Type, Challenge.
This appears to be a result of having eap in the post-proxy configuration
in proxy-inner-tunnel because we are not proxying as EAP. When I remove
it, this patch appears effective, but EAP seems to fall apart, as the
configuration guidance would suggest.
Any further thoughts?
Tnx
Chris
On Mon, Aug 15, 2022 at 4:08 PM Alan DeKok <aland at deployingradius.com>
wrote:
> On Aug 12, 2022, at 12:05 PM, Chris Griffin <cgriffin352 at gmail.com> wrote:
> > 1. The rad_postauth wasn't being called because
> > "proxy_tunneled_request_as_eap" was commented out. I had made the wrong
> > assumption about what the default was. I uncommented it and set it to no
> > and rad_postauth was correctly called. That was set to no in my
> production
> > 3.2 platform but not this test instance.
>
> OK.
>
> > 2. Digging into the auth.c:
> >
> > Based on this code:
> >
> > /*
> > * If a method was chosen, use that.
> > */
> > if (vp) {
> > postauth_type = vp->vp_integer;
> > RDEBUG2("Using Post-Auth-Type %s",
> > dict_valnamebyattr(PW_POST_AUTH_TYPE, 0,
> > postauth_type));
> > }
> >
> > It is setting the postauth_type to "Challenge" and I am getting this
> > feedback in the debugs:
> >
> > (8) eap: EAP session adding &reply:State = 0x784b1b4e799f01a6
> > (8) [eap] = ok
> > (8) } # post-proxy = ok
> > (8) Using Post-Auth-Type Challenge
> > (8) Post-Auth-Type sub-section not found. Ignoring.
> >
> > It seems that it is only looking for a Post-Auth-Type Challenge section
> in
> > post-auth and if it doesn't have it, the section is ignored.
>
> It only sets "Post-Auth-Type = Challenge" when running an
> Access-Challenge though the "post-auth" section.
>
> It should be using the fake request here for the running post-auth in
> the "inner-tunnel" virtual server.
>
> > Just as a
> > test I changed it it:
> >
> > if (0) {....
> >
> > To avoid setting the postauth_type and the post-auth section is now
> > properly called:
> >
> > (8) # Executing section post-auth from file
> > /opt/freeradius-test/etc/raddb/sites-enabled/proxy-inner-tunnel
> > (8) post-auth {
> >
> > In my very brief testing, everything seems to work now, but this feels
> > "very wrong" as a solution. Do you have any feedback as to the correct
> > thing to do? Should I just put everything for post-auth in a challenge
> > section or is that being mis-set somewhere and causing this result?
>
> It should be running post-auth { ... }, and not the "challenge" bit.
>
> I've pushed a fix in 851cb91 which should fix that.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
More information about the Freeradius-Users
mailing list