"redundant" block works in "default" virtual server, but does not work in "inner-tunnel".

Rahman Duran rahman.duran at erzurum.edu.tr
Thu Mar 3 06:39:57 UTC 2022


Hi,

I am trying to implement a service-based authorize section in FreeRADIUS
(just like in Aruba ClearPass) so I can selectively decide what to do with
the request based on source IP, SSID, username realm etc.

Long story short, the following configuration works in the default virtual
server but it does not in inner-tunnel. In inner-tunnel, if the first ldap
module does not find the user, it does not go on to check the second ldap module:

authorize {
.....
.....
.....

  ### AUTHORIZE: The service definitions that handle requests are defined from here on.
  ### This section must be copied as-is into the same section of the "inner-tunnel" virtual server.


  ### 000: BIDB Test Network Service ###
  ### Test network
  if ( \
      ((&Packet-Src-IP-Address < 10.10.243.0/24) || (&Packet-Src-IP-Address == 172.19.148.9/32)) \
      && (&NAS-Port-Type == "Wireless-802.11") \
      && (&Called-Station-SSID == "bidb-test") \
      && (&User-Name =~ /^.+@erzurum\.edu\.tr$/) \
    ) {

      update request {
        ETU-Radius-Service-Name := "BIDB_Test"
      }
      if (&Virtual-Server == "inner-tunnel") {
        update outer.request {
          ETU-Radius-Service-Name := "BIDB_Test"
        }
      }

      # If the EAP module returns OK, stop processing here; the EAP module in
      # the authentication section will handle the rest.
      group etu_eap_process {
        eap
        if (ok) {
          return
        }
      }

      # If the request is an EAP request and we are not the inner-tunnel, do no
      # further checks here. Leave them to the inner-tunnel.
      if ((&Virtual-Server == "inner-tunnel") || (!(&Virtual-Server == "inner-tunnel") && !&EAP-Message)) {
        # Authentication source
        group etu_auth_source {
          redundant {
            ldap_personel
            ldap_ogrenci
          }

          # Reject the request if the user is not found in the auth source
          if (noop || notfound) {
            update request {
              Module-Failure-Message := "Auth Source Reject: [%{User-Name}] No matching user found in authentication source!"
            }
            if (&Virtual-Server == "inner-tunnel") {
              update outer.request {
                Module-Failure-Message := "Auth Source Reject: [%{User-Name}] No matching user found in authentication source!"
              }
            }
            reject
          }
        }

        # Authentication modules
        group etu_auth_modules {
          pap
          mschap
        }
      }

      # If the service matched, stop processing here; do not look at other services
      return
  }

.....
.....
.....

The above section is the same in both default and inner-tunnel, but when doing
eap-peap or eap-ttls (so inner-tunnel is used), the user is searched in
[ldap_personel] and not found, so it should then search in [ldap_ogrenci], but
it does not. Here is the debug output:

....
....
....


(633)       if (       ((&Packet-Src-IP-Address < 10.10.243.0/24) ||
(&Packet-Src-IP-Address == 172.19.148.9/32))       && (&NAS-Port-Type ==
"Wireless-802.11")       && (&Called-Station-SSID == "bidb-test")       &&
(&User-Name =~ /^.+ at erzurum\.edu\.tr$/)     ) {
(633)       EXPAND &Packet-Src-IP-Address
(633)          --> 10.10.243.23
(633)       if (       ((&Packet-Src-IP-Address < 10.10.243.0/24) ||
(&Packet-Src-IP-Address == 172.19.148.9/32))       && (&NAS-Port-Type ==
"Wireless-802.11")       && (&Called-Station-SSID == "bidb-test")       &&
(&User-Name =~ /^.+ at erzurum\.edu\.tr$/)     )  -> TRUE
(633)       if (       ((&Packet-Src-IP-Address < 10.10.243.0/24) ||
(&Packet-Src-IP-Address == 172.19.148.9/32))       && (&NAS-Port-Type ==
"Wireless-802.11")       && (&Called-Station-SSID == "bidb-test")       &&
(&User-Name =~ /^.+ at erzurum\.edu\.tr$/)     )  {
(633)         update request {
(633)           ETU-Radius-Service-Name := "BIDB_Test"
(633)         } # update request = noop
(633)         if (&Virtual-Server == "inner-tunnel") {
(633)         EXPAND &Virtual-Server
(633)            --> inner-tunnel
(633)         if (&Virtual-Server == "inner-tunnel")  -> TRUE
(633)         if (&Virtual-Server == "inner-tunnel")  {
(633)           update outer.request {
(633)             ETU-Radius-Service-Name := "BIDB_Test"
(633)           } # update outer.request = noop
(633)         } # if (&Virtual-Server == "inner-tunnel")  = noop
(633)         group {
(633) eap: No EAP-Message, not doing EAP
(633)           [eap] = noop
(633)           if (ok) {
(633)           if (ok)  -> FALSE
(633)         } # group = noop
(633)         if ((&Virtual-Server == "inner-tunnel") || (!(&Virtual-Server
== "inner-tunnel") && !&EAP-Message)) {
(633)         EXPAND &Virtual-Server
(633)            --> inner-tunnel
(633)         if ((&Virtual-Server == "inner-tunnel") || (!(&Virtual-Server
== "inner-tunnel") && !&EAP-Message))  -> TRUE
(633)         if ((&Virtual-Server == "inner-tunnel") || (!(&Virtual-Server
== "inner-tunnel") && !&EAP-Message))  {
(633)           group {
(633)             redundant {
rlm_ldap (ldap_personel): Closing connection (10): Hit idle_timeout, was
idle for 53546 seconds
rlm_ldap (ldap_personel): Closing connection (12): Hit idle_timeout, was
idle for 53529 seconds
rlm_ldap (ldap_personel): Closing connection (11): Hit idle_timeout, was
idle for 53522 seconds
rlm_ldap (ldap_personel): You probably need to lower "min"
rlm_ldap (ldap_personel): Closing connection (13): Hit idle_timeout, was
idle for 53521 seconds
rlm_ldap (ldap_personel): You probably need to lower "min"
rlm_ldap (ldap_personel): 0 of 0 connections in use.  You  may need to
increase "spare"
rlm_ldap (ldap_personel): Opening additional connection (14), 1 of 32
pending slots used
rlm_ldap (ldap_personel): Connecting to ldap://95.183.213.8:389
rlm_ldap (ldap_personel): Waiting for bind result...
rlm_ldap (ldap_personel): Bind successful
rlm_ldap (ldap_personel): Reserved connection (14)
(633) ldap_personel: EXPAND (&(email=%{User-Name})(objectClass=kPerson))
(633) ldap_personel:    --> (&(email=ogr1 at erzurum.edu.tr
)(objectClass=kPerson))
(633) ldap_personel: Performing search in "cn=personel,dc=etu" with filter
"(&(email=ogr1 at erzurum.edu.tr)(objectClass=kPerson))", scope "sub"
(633) ldap_personel: Waiting for search result...
(633) ldap_personel: Search returned no results
rlm_ldap (ldap_personel): Released connection (14)
Need 1 more connections to reach min connections (2)
rlm_ldap (ldap_personel): Opening additional connection (15), 1 of 31
pending slots used
rlm_ldap (ldap_personel): Connecting to ldap://95.183.213.8:389
rlm_ldap (ldap_personel): Waiting for bind result...
rlm_ldap (ldap_personel): Bind successful
(633)               [ldap_personel] = notfound
(633)             } # redundant = notfound
(633)             if (noop || notfound) {
(633)             if (noop || notfound)  -> TRUE
(633)             if (noop || notfound)  {
(633)               update request {
(633)                 EXPAND Auth Source Reject: [%{User-Name}] No matching
user found in authentication source!
(633)                    --> Auth Source Reject: [ogr1 at erzurum.edu.tr] No
matching user found in authentication source!
(633)                 Module-Failure-Message := Auth Source Reject: [
ogr1 at erzurum.edu.tr] No matching user found in authentication source!
(633)               } # update request = noop
(633)               if (&Virtual-Server == "inner-tunnel") {
(633)               EXPAND &Virtual-Server
(633)                  --> inner-tunnel
(633)               if (&Virtual-Server == "inner-tunnel")  -> TRUE
(633)               if (&Virtual-Server == "inner-tunnel")  {
(633)                 update outer.request {
(633)                   EXPAND Auth Source Reject: [%{User-Name}] No
matching user found in authentication source!
(633)                      --> Auth Source Reject: [ogr1 at erzurum.edu.tr] No
matching user found in authentication source!
(633)                   Module-Failure-Message := Auth Source Reject: [
ogr1 at erzurum.edu.tr] No matching user found in authentication source!
(633)                 } # update outer.request = noop
(633)               } # if (&Virtual-Server == "inner-tunnel")  = noop
(633)               [reject] = reject
(633)             } # if (noop || notfound)  = reject
(633)           } # group = reject
(633)         } # if ((&Virtual-Server == "inner-tunnel") ||
(!(&Virtual-Server == "inner-tunnel") && !&EAP-Message))  = reject
(633)       } # if (       ((&Packet-Src-IP-Address < 10.10.243.0/24) ||
(&Packet-Src-IP-Address == 172.19.148.9/32))       && (&NAS-Port-Type ==
"Wireless-802.11")       && (&Called-Station-SSID == "bidb-test")       &&
(&User-Name =~ /^.+ at erzurum\.edu\.tr$/)     )  = reject
(633)     } # authorize = reject
(633)   EXPAND Called-Station-ID: %{Called-Station-ID} Calling-Station-ID:
%{Calling-Station-ID} Auth-Type: %{control:Auth-Type}
(633)      --> Called-Station-ID: a8bd27c04dac Calling-Station-ID:
3233fb9fb6d3 Auth-Type:
(633)   Invalid user (Auth Source Reject: [ogr1 at erzurum.edu.tr] No matching
user found in authentication source!): [ogr1 at erzurum.edu.tr] (from client
rektorluk port 0 cli 3233fb9fb6d3 via TLS tunnel) Called-Station-ID:
a8bd27c04dac Calling-Station-ID: 3233fb9fb6d3 Auth-Type:
(633)   Using Post-Auth-Type Reject
(633)   # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(633)     Post-Auth-Type REJECT {
(633) attr_filter.access_reject: EXPAND %{User-Name}
(633) attr_filter.access_reject:    --> ogr1 at erzurum.edu.tr
(633) attr_filter.access_reject: Matched entry DEFAULT at line 11
(633)       [attr_filter.access_reject] = updated
(633)       update outer.session-state {
(633)         &Module-Failure-Message := &request:Module-Failure-Message ->
'Auth Source Reject: [ogr1 at erzurum.edu.tr] No matching user found in
authentication source!'
(633)       } # update outer.session-state = noop
(633)     } # Post-Auth-Type REJECT = updated
(633)   EXPAND Called-Station-ID: %{Called-Station-ID} Calling-Station-ID:
%{Calling-Station-ID} Auth-Type: %{control:Auth-Type}
(633)      --> Called-Station-ID: a8bd27c04dac Calling-Station-ID:
3233fb9fb6d3 Auth-Type:
(633)   Login incorrect (Auth Source Reject: [ogr1 at erzurum.edu.tr] No
matching user found in authentication source!): [ogr1 at erzurum.edu.tr] (from
client rektorluk port 0 cli 3233fb9fb6d3 via TLS tunnel) Called-Station-ID:
a8bd27c04dac Calling-Station-ID: 3233fb9fb6d3 Auth-Type:
(633) } # server inner-tunnel
(633) Virtual server sending reply
(633) eap_ttls: Got tunneled Access-Reject
(633) eap: ERROR: Failed continuing EAP TTLS (21) session.  EAP sub-module
failed
....
....
....

Any idea why "redundant" behaves differently in the inner-tunnel, or what am I
missing?

Regards,

Rahman Duran
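As an added example (not part of the original post), the same `etu_auth_source` group written so that the second LDAP source is consulted explicitly: in FreeRADIUS unlang a `redundant` block only moves on to the next module when the previous one returns `fail`, and the debug output above shows `ldap_personel` returning `notfound`, which ends the block. Module names and attributes are those from the post; the `fail` branch is an assumption about wanting the old directory-down fail-over kept as well.

```unlang
# Added example (not from the original post): explicit fallback from
# ldap_personel to ldap_ogrenci. "redundant" only continues to the next
# module on "fail"; a "notfound" from the first LDAP lookup ends the block,
# which is what the inner-tunnel debug output above shows.
group etu_auth_source {
    ldap_personel

    # Consult the second directory when the first one had no entry (notfound)
    # or could not be queried at all (fail), keeping redundant's fail-over.
    if (notfound || fail) {
        ldap_ogrenci
    }

    # Neither source knows the user: record the reason and reject.
    if (noop || notfound) {
        update request {
            Module-Failure-Message := "Auth Source Reject: [%{User-Name}] No matching user found in authentication source!"
        }
        if (&Virtual-Server == "inner-tunnel") {
            update outer.request {
                Module-Failure-Message := "Auth Source Reject: [%{User-Name}] No matching user found in authentication source!"
            }
        }
        reject
    }
}
```

When the first lookup succeeds, the false `if` leaves the module return code untouched, so the rejection branch is skipped exactly as in the original `redundant` version.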

