"redundant" block works in "default" virtual server, but does not work in "inner-tunnel".
Jorge Pereira
jpereira at freeradius.org
Thu Mar 3 16:54:42 UTC 2022
Which version are you running?
> On 3 Mar 2022, at 03:39, Rahman Duran <rahman.duran at erzurum.edu.tr> wrote:
>
> Hi,
>
> I am trying to implement a service-based authorize section in FreeRADIUS
> (just like in Aruba ClearPass) so I can selectively decide what to do with
> the request based on source IP, SSID, username realm, etc.
>
> Long story short, the following configuration works in the default virtual
> server but it does not in inner-tunnel. In inner-tunnel, if the first ldap
> section cannot find the user, it does not go on to check the second ldap:
>
> authorize {
>     .....
>     .....
>     .....
>
>     ### AUTHORIZE: the service definitions that handle requests are
>     ### defined from here on.
>     ### This section must be copied as-is into the same part of the
>     ### "inner-tunnel" virtual server.
>
>     ### 000: BIDB Test Network Service ###
>     ### Test network
>     if ( \
>         ((&Packet-Src-IP-Address < 10.10.243.0/24) || (&Packet-Src-IP-Address == 172.19.148.9/32)) \
>         && (&NAS-Port-Type == "Wireless-802.11") \
>         && (&Called-Station-SSID == "bidb-test") \
>         && (&User-Name =~ /^.+@erzurum\.edu\.tr$/) \
>     ) {
>
>         update request {
>             ETU-Radius-Service-Name := "BIDB_Test"
>         }
>         if (&Virtual-Server == "inner-tunnel") {
>             update outer.request {
>                 ETU-Radius-Service-Name := "BIDB_Test"
>             }
>         }
>
>         # If the EAP module returns OK, stop processing here; the EAP module
>         # in the authentication section will handle the rest.
>         group etu_eap_process {
>             eap
>             if (ok) {
>                 return
>             }
>         }
>
>         # If the request is an EAP request and we are not the inner-tunnel,
>         # do no further checks here; leave them to the inner tunnel.
>         if ((&Virtual-Server == "inner-tunnel") || (!(&Virtual-Server == "inner-tunnel") && !&EAP-Message)) {
>             # Authentication source
>             group etu_auth_source {
>                 redundant {
>                     ldap_personel
>                     ldap_ogrenci
>                 }
>
>                 # Reject the request if the user is not found in the auth source
>                 if (noop || notfound) {
>                     update request {
>                         Module-Failure-Message := "Auth Source Reject: [%{User-Name}] No matching user found in authentication source!"
>                     }
>                     if (&Virtual-Server == "inner-tunnel") {
>                         update outer.request {
>                             Module-Failure-Message := "Auth Source Reject: [%{User-Name}] No matching user found in authentication source!"
>                         }
>                     }
>                     reject
>                 }
>             }
>
>             # Authentication modules
>             group etu_auth_modules {
>                 pap
>                 mschap
>             }
>         }
>
>         # If a service matched, stop processing here; do not look at the other services
>         return
>     }
>
>     .....
>     .....
>     .....
>
> The above section is the same in both default and inner-tunnel, but when
> doing eap-peap or eap-ttls (so inner-tunnel is used), the user is searched in
> [ldap_personel] and not found, so it should then search in [ldap_ogrenci], but
> it does not. Here is the debug section:
>
> ....
> ....
> ....
>
>
> (633) if ( ((&Packet-Src-IP-Address < 10.10.243.0/24) ||
> (&Packet-Src-IP-Address == 172.19.148.9/32)) && (&NAS-Port-Type ==
> "Wireless-802.11") && (&Called-Station-SSID == "bidb-test") &&
> (&User-Name =~ /^.+ at erzurum\.edu\.tr$/) ) {
> (633) EXPAND &Packet-Src-IP-Address
> (633) --> 10.10.243.23
> (633) if ( ((&Packet-Src-IP-Address < 10.10.243.0/24) ||
> (&Packet-Src-IP-Address == 172.19.148.9/32)) && (&NAS-Port-Type ==
> "Wireless-802.11") && (&Called-Station-SSID == "bidb-test") &&
> (&User-Name =~ /^.+ at erzurum\.edu\.tr$/) ) -> TRUE
> (633) if ( ((&Packet-Src-IP-Address < 10.10.243.0/24) ||
> (&Packet-Src-IP-Address == 172.19.148.9/32)) && (&NAS-Port-Type ==
> "Wireless-802.11") && (&Called-Station-SSID == "bidb-test") &&
> (&User-Name =~ /^.+ at erzurum\.edu\.tr$/) ) {
> (633) update request {
> (633) ETU-Radius-Service-Name := "BIDB_Test"
> (633) } # update request = noop
> (633) if (&Virtual-Server == "inner-tunnel") {
> (633) EXPAND &Virtual-Server
> (633) --> inner-tunnel
> (633) if (&Virtual-Server == "inner-tunnel") -> TRUE
> (633) if (&Virtual-Server == "inner-tunnel") {
> (633) update outer.request {
> (633) ETU-Radius-Service-Name := "BIDB_Test"
> (633) } # update outer.request = noop
> (633) } # if (&Virtual-Server == "inner-tunnel") = noop
> (633) group {
> (633) eap: No EAP-Message, not doing EAP
> (633) [eap] = noop
> (633) if (ok) {
> (633) if (ok) -> FALSE
> (633) } # group = noop
> (633) if ((&Virtual-Server == "inner-tunnel") || (!(&Virtual-Server
> == "inner-tunnel") && !&EAP-Message)) {
> (633) EXPAND &Virtual-Server
> (633) --> inner-tunnel
> (633) if ((&Virtual-Server == "inner-tunnel") || (!(&Virtual-Server
> == "inner-tunnel") && !&EAP-Message)) -> TRUE
> (633) if ((&Virtual-Server == "inner-tunnel") || (!(&Virtual-Server
> == "inner-tunnel") && !&EAP-Message)) {
> (633) group {
> (633) redundant {
> rlm_ldap (ldap_personel): Closing connection (10): Hit idle_timeout, was
> idle for 53546 seconds
> rlm_ldap (ldap_personel): Closing connection (12): Hit idle_timeout, was
> idle for 53529 seconds
> rlm_ldap (ldap_personel): Closing connection (11): Hit idle_timeout, was
> idle for 53522 seconds
> rlm_ldap (ldap_personel): You probably need to lower "min"
> rlm_ldap (ldap_personel): Closing connection (13): Hit idle_timeout, was
> idle for 53521 seconds
> rlm_ldap (ldap_personel): You probably need to lower "min"
> rlm_ldap (ldap_personel): 0 of 0 connections in use. You may need to
> increase "spare"
> rlm_ldap (ldap_personel): Opening additional connection (14), 1 of 32
> pending slots used
> rlm_ldap (ldap_personel): Connecting to ldap://95.183.213.8:389
> rlm_ldap (ldap_personel): Waiting for bind result...
> rlm_ldap (ldap_personel): Bind successful
> rlm_ldap (ldap_personel): Reserved connection (14)
> (633) ldap_personel: EXPAND (&(email=%{User-Name})(objectClass=kPerson))
> (633) ldap_personel: --> (&(email=ogr1 at erzurum.edu.tr
> )(objectClass=kPerson))
> (633) ldap_personel: Performing search in "cn=personel,dc=etu" with filter
> "(&(email=ogr1 at erzurum.edu.tr)(objectClass=kPerson))", scope "sub"
> (633) ldap_personel: Waiting for search result...
> (633) ldap_personel: Search returned no results
> rlm_ldap (ldap_personel): Released connection (14)
> Need 1 more connections to reach min connections (2)
> rlm_ldap (ldap_personel): Opening additional connection (15), 1 of 31
> pending slots used
> rlm_ldap (ldap_personel): Connecting to ldap://95.183.213.8:389
> rlm_ldap (ldap_personel): Waiting for bind result...
> rlm_ldap (ldap_personel): Bind successful
> (633) [ldap_personel] = notfound
> (633) } # redundant = notfound
> (633) if (noop || notfound) {
> (633) if (noop || notfound) -> TRUE
> (633) if (noop || notfound) {
> (633) update request {
> (633) EXPAND Auth Source Reject: [%{User-Name}] No matching
> user found in authentication source!
> (633) --> Auth Source Reject: [ogr1 at erzurum.edu.tr] No
> matching user found in authentication source!
> (633) Module-Failure-Message := Auth Source Reject: [
> ogr1 at erzurum.edu.tr] No matching user found in authentication source!
> (633) } # update request = noop
> (633) if (&Virtual-Server == "inner-tunnel") {
> (633) EXPAND &Virtual-Server
> (633) --> inner-tunnel
> (633) if (&Virtual-Server == "inner-tunnel") -> TRUE
> (633) if (&Virtual-Server == "inner-tunnel") {
> (633) update outer.request {
> (633) EXPAND Auth Source Reject: [%{User-Name}] No
> matching user found in authentication source!
> (633) --> Auth Source Reject: [ogr1 at erzurum.edu.tr] No
> matching user found in authentication source!
> (633) Module-Failure-Message := Auth Source Reject: [
> ogr1 at erzurum.edu.tr] No matching user found in authentication source!
> (633) } # update outer.request = noop
> (633) } # if (&Virtual-Server == "inner-tunnel") = noop
> (633) [reject] = reject
> (633) } # if (noop || notfound) = reject
> (633) } # group = reject
> (633) } # if ((&Virtual-Server == "inner-tunnel") ||
> (!(&Virtual-Server == "inner-tunnel") && !&EAP-Message)) = reject
> (633) } # if ( ((&Packet-Src-IP-Address < 10.10.243.0/24) ||
> (&Packet-Src-IP-Address == 172.19.148.9/32)) && (&NAS-Port-Type ==
> "Wireless-802.11") && (&Called-Station-SSID == "bidb-test") &&
> (&User-Name =~ /^.+ at erzurum\.edu\.tr$/) ) = reject
> (633) } # authorize = reject
> (633) EXPAND Called-Station-ID: %{Called-Station-ID} Calling-Station-ID:
> %{Calling-Station-ID} Auth-Type: %{control:Auth-Type}
> (633) --> Called-Station-ID: a8bd27c04dac Calling-Station-ID:
> 3233fb9fb6d3 Auth-Type:
> (633) Invalid user (Auth Source Reject: [ogr1 at erzurum.edu.tr] No matching
> user found in authentication source!): [ogr1 at erzurum.edu.tr] (from client
> rektorluk port 0 cli 3233fb9fb6d3 via TLS tunnel) Called-Station-ID:
> a8bd27c04dac Calling-Station-ID: 3233fb9fb6d3 Auth-Type:
> (633) Using Post-Auth-Type Reject
> (633) # Executing group from file
> /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (633) Post-Auth-Type REJECT {
> (633) attr_filter.access_reject: EXPAND %{User-Name}
> (633) attr_filter.access_reject: --> ogr1 at erzurum.edu.tr
> (633) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (633) [attr_filter.access_reject] = updated
> (633) update outer.session-state {
> (633) &Module-Failure-Message := &request:Module-Failure-Message ->
> 'Auth Source Reject: [ogr1 at erzurum.edu.tr] No matching user found in
> authentication source!'
> (633) } # update outer.session-state = noop
> (633) } # Post-Auth-Type REJECT = updated
> (633) EXPAND Called-Station-ID: %{Called-Station-ID} Calling-Station-ID:
> %{Calling-Station-ID} Auth-Type: %{control:Auth-Type}
> (633) --> Called-Station-ID: a8bd27c04dac Calling-Station-ID:
> 3233fb9fb6d3 Auth-Type:
> (633) Login incorrect (Auth Source Reject: [ogr1 at erzurum.edu.tr] No
> matching user found in authentication source!): [ogr1 at erzurum.edu.tr] (from
> client rektorluk port 0 cli 3233fb9fb6d3 via TLS tunnel) Called-Station-ID:
> a8bd27c04dac Calling-Station-ID: 3233fb9fb6d3 Auth-Type:
> (633) } # server inner-tunnel
> (633) Virtual server sending reply
> (633) eap_ttls: Got tunneled Access-Reject
> (633) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module
> failed
> ....
> ....
> ....
>
> Any idea why "redundant" behaves differently in the inner-tunnel, or what am I
> missing?
>
> Regards,
>
> Rahman Duran
Jorge Pereira
jpereira at networkradius.com
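As an added example (not part of the thread, and not FreeRADIUS code), a small Python helper that reads a `radiusd -X` trace like the one quoted above and reports, per request number, which modules actually ran and what each section returned; the sample lines are a trimmed copy of the quoted trace, and the `[module] = rcode` / `} # section = rcode` line shapes are taken from that trace.

```python
import re
from typing import List, Tuple

# Constructed sample: a trimmed copy of the radiusd -X trace quoted above.
# FreeRADIUS prefixes every line belonging to one request with "(<number>)".
SAMPLE_DEBUG = """\
(633)         group {
(633)           eap: No EAP-Message, not doing EAP
(633)           [eap] = noop
(633)         } # group = noop
(633)           group {
(633)             redundant {
rlm_ldap (ldap_personel): Bind successful
(633)               ldap_personel: Search returned no results
(633)               [ldap_personel] = notfound
(633)             } # redundant = notfound
(633)             if (noop || notfound) {
(633)               [reject] = reject
(633)             } # if (noop || notfound) = reject
(633)           } # group = reject
(633)       } # authorize = reject
"""

# "[module] = rcode" is printed once per module call; "} # section = rcode"
# closes a section with the rcode it hands back to its parent.
MODULE_RE = re.compile(r"^\((\d+)\)\s+\[([^\]]+)\] = (\w+)\s*$")
SECTION_RE = re.compile(r"^\((\d+)\)\s+\} # (.+?) = (\w+)\s*$")

def module_calls(debug: str, request_id: int) -> List[Tuple[str, str]]:
    """(module, rcode) pairs in call order for one request number."""
    calls = []
    for line in debug.splitlines():
        m = MODULE_RE.match(line)
        if m and int(m.group(1)) == request_id:
            calls.append((m.group(2), m.group(3)))
    return calls

def section_results(debug: str, request_id: int) -> List[Tuple[str, str]]:
    """(section, rcode) pairs in closing order, e.g. ("redundant", "notfound")."""
    results = []
    for line in debug.splitlines():
        m = SECTION_RE.match(line)
        if m and int(m.group(1)) == request_id:
            results.append((m.group(2), m.group(3)))
    return results

def never_called(debug: str, request_id: int, expected: List[str]) -> List[str]:
    """Modules from a redundant/group list that produced no "[name] = rcode" line."""
    called = {name for name, _ in module_calls(debug, request_id)}
    return [name for name in expected if name not in called]
```

Run against the full trace, `never_called(trace, 633, ["ldap_personel", "ldap_ogrenci"])` makes it immediately visible that the `redundant` block closed with `notfound` after `ldap_personel` alone, which is the behaviour the question is about.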