On Thu, Mar 28, 2002 at 09:42:48AM -0600, Chris Parker wrote:
> At 06:18 PM 3/28/2002 +0300, Fduch the Pravking wrote:
> >By the way, how can I say "Any number of such attribute"
> >for rlm_attr_filter?
> 
> It should already do that.  It doesn't track state, so if you permit
> 'Ascend-Data-Filter ~= ".*"' then it will allow through all attributes
> that match that rule.

It doesn't do that.
raddb/attrs:
DEFAULT
        Service-Type == Framed-User,
        Service-Type == Login-User,
        Login-Service == Telnet,
        Login-Service == Rlogin,
        Login-Service == TCP-Clear,
        Login-TCP-Port <= 65536,
        Framed-IP-Address =~ ".*",
        Framed-IP-Netmask == 255.255.255.255,
        Framed-Protocol == PPP,
        Framed-Protocol == SLIP,
        Framed-Compression == Van-Jacobson-TCP-IP,
        Framed-MTU >= 576,
        Framed-Filter-ID =~ ".*",
        Reply-Message =~ ".*",
        Session-Timeout <= 28800,
        Idle-Timeout <= 600,
        Port-Limit <= 2,
        Cisco-AVPair =~ ".*",
        Fall-Through = Yes

And here are logs:

rad_recv: Access-Request packet from host <client>:2893, id=244, length=64
Thread 1 assigned request 35
--- Walking the entire request list ---
Waking up in 4 seconds...
Thread 1 handling request 35, (5 handled so far)
        User-Name = "stricted-user@realm"
        User-Password = "<crypted password>"
        NAS-IP-Address = "<NAS>"
        NAS-Port-Id = "3"
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "attr_filter" returns noop
  modcall[authorize]: module "files" returns notfound
  rlm_realm: Proxying request from user register to realm realm
  modcall[authorize]: module "suffix" returns updated
modcall: group authorize returns updated
Sending Access-Request of id 13 to <remote server>
        User-Name = "stricted-user@realm"
        User-Password = "<crypted-password>"
        NAS-IP-Address = "<NAS>"
        NAS-Port-Id = "3"
        Proxy-State = "244"
Thread 1 waiting to be assigned a request
rad_recv: Access-Accept packet from host <remote server>, id=13, length=1241
Thread 2 assigned request 35
Waking up in 4 seconds...
Thread 2 handling request 35, (5 handled so far)
        User-Name = "stricted-user@realm"
        User-Password = "<crypted password>"
        NAS-IP-Address = "<NAS>"
        Proxy-State = 0x323434
        NAS-Identifier = "<NAS id>"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Cisco-AVPair = "ip:inacl#1=permit udp..."
        Cisco-AVPair = "ip:inacl#2=permit udp..."
        Cisco-AVPair = "ip:inacl#3=permit udp..."
        Cisco-AVPair = "ip:inacl#4=permit udp..."
        Cisco-AVPair = "ip:inacl#5=permit udp..."
        Cisco-AVPair = "ip:inacl#6=permit udp..."
        Cisco-AVPair = "ip:inacl#7=permit udp..."
        Cisco-AVPair = "ip:inacl#8=permit tcp..."
        Cisco-AVPair = "ip:inacl#9=permit tcp..."
        Cisco-AVPair = "ip:inacl#10=deny ip any any"
        Cisco-AVPair = "ip:outacl#1=permit udp..."
        Cisco-AVPair = "ip:outacl#2=permit udp..."
        Cisco-AVPair = "ip:outacl#3=permit udp..."
        Cisco-AVPair = "ip:outacl#4=permit udp..."
        Cisco-AVPair = "ip:outacl#5=permit udp..."
        Cisco-AVPair = "ip:outacl#6=permit udp..."
        Cisco-AVPair = "ip:outacl#7=permit udp..."
        Cisco-AVPair = "ip:outacl#8=permit tcp..."
        Cisco-AVPair = "ip:outacl#9=permit tcp..."
        Cisco-AVPair = "ip:outacl#10=deny ip any any"
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  attr_filter: Matched entry DEFAULT at line 84
  modcall[authorize]: module "attr_filter" returns updated
  modcall[authorize]: module "files" returns notfound
  modcall[authorize]: module "suffix" returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [stricted-user@realm] (from nas <client> port 0)
Sending Access-Accept of id 244 to <client>:2893
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Cisco-AVPair = "ip:inacl#1=permit udp..."
Finished request 35
Going to the next request


So, only the first Cisco-AVPair attribute is sent back to the NAS.
The only way I see is to add as many 'Cisco-AVPair =~ ".*"' lines
to raddb/attrs as it seems to be possible :(

Any comments or suggestions?

-- 
Fduch M. Pravking
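
A way to confirm from debug output which reply attributes were removed between the proxy's Access-Accept and the one sent to the NAS, as an added example that is not part of the original message and is not FreeRADIUS code. The sample log is constructed from the excerpt above; the function names and the ignore list of request-side attributes are assumptions, and it handles one request per log.

```python
import re
from collections import Counter

# Constructed sample, abbreviated from the debug output quoted in the message.
SAMPLE_LOG = '''\
rad_recv: Access-Accept packet from host <remote server>, id=13, length=1241
Thread 2 handling request 35, (5 handled so far)
        User-Name = "stricted-user@realm"
        Proxy-State = 0x323434
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Cisco-AVPair = "ip:inacl#1=permit udp..."
        Cisco-AVPair = "ip:inacl#2=permit udp..."
        Cisco-AVPair = "ip:inacl#10=deny ip any any"
  attr_filter: Matched entry DEFAULT at line 84
Sending Access-Accept of id 244 to <client>:2893
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Cisco-AVPair = "ip:inacl#1=permit udp..."
'''

ATTR = re.compile(r'^\s+([A-Za-z0-9-]+) = (.*)$')
HEADERS = {"received": "rad_recv: Access-Accept ", "sent": "Sending Access-Accept "}
# Assumption: these are echoed from the request and never expected in the reply.
IGNORE = {"User-Name", "User-Password", "NAS-IP-Address", "NAS-Identifier", "Proxy-State"}

def parse_accepts(log):
    """Collect (name, value) pairs listed under each Access-Accept header."""
    blocks, current = {"received": [], "sent": []}, None
    for line in log.splitlines():
        if line.startswith(("rad_recv:", "Sending ")):
            # Any packet header starts a new block; non-Accept packets are skipped.
            current = next((k for k, p in HEADERS.items() if line.startswith(p)), None)
            continue
        m = ATTR.match(line)
        if m and current:
            blocks[current].append((m.group(1), m.group(2)))
    return blocks

def dropped_attributes(log):
    """Return {name: [values]} received from the proxy but not sent to the NAS."""
    blocks = parse_accepts(log)
    remaining = Counter(blocks["sent"])   # multiset, so repeated attributes count
    dropped = {}
    for name, value in blocks["received"]:
        if remaining[(name, value)] > 0:
            remaining[(name, value)] -= 1
        elif name not in IGNORE:
            dropped.setdefault(name, []).append(value)
    return dropped
```

Run over the excerpt in the message, this lists every Cisco-AVPair after the first, including the closing deny entries, so the NAS is handed an incomplete ACL.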
