Hello,

I'm running 2.0.4 on Debian testing. I have a test setup in which I'm proxying access requests between two virtual servers running inside the same daemon:

radtest <---> [ virtual server A <---(proxy)---> virtual server B ]

Proxying is triggered using the rlm_realm module and all attr_filter module instances in radiusd.conf have been commented out.

Authentication works fine, but reply attributes created by B are not being returned to radtest unless I configure the following in A:

post-auth {
  update reply {
    Attribute1 := "%{proxy-reply:Attribute1}"
    Attribute2 := "%{proxy-reply:Attribute2}"
    Attribute3 := "%{proxy-reply:Attribute3}"
    ...
  }
}

My understanding is that without any attribute filters in place, the proxy-reply list in virtual server A is supposed to be automatically copied to its reply list. Is this correct, or is there an option that needs to be set somewhere?

Also, it seems that this scenario is functionally similar to how the peap and ttls modules proxy tunneled EAP exchanges to another virtual server using the 'virtual_server' option. Those modules use a 'use_tunneled_reply' option which seems to force the behavior I'm trying to achieve. Or am I way off the mark?

I've attached what I think is just the relevant debug output. If more is needed, please let me know. Thanks!

### START DEBUG OUTPUT ###
...
server monitor {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_realm
 Module: Instantiating vpn_realm
  realm vpn_realm {
        format = "prefix"
        delimiter = "."
        ignore_default = yes
        ignore_null = yes
  }
 Module: Checking preacct {...} for more modules to load
 Module: Checking accounting {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking pre-proxy {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 }
}
server vpn {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
        encryption_scheme = "auto"
        auto_header = no
  }
 Module: Checking authorize {...} for more modules to load
 Module: Checking preacct {...} for more modules to load
 Module: Checking accounting {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking pre-proxy {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 }
}
server {
 modules {
 }
}
radiusd: #### Opening IP addresses and Ports ####
listen {
        type = "auth"
        ipaddr = *
        port = 0
}
listen {
        type = "acct"
        ipaddr = *
        port = 0
}
listen {
        type = "proxy"
        ipaddr = *
        port = 0
}
main {
        snmp = no
        smux_password = ""
        snmp_write_access = no
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 4041
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 4030, id=27, length=76
        User-Name = "vpn_realm.mloosbro"
        User-Password = "password"
        NAS-IP-Address = 10.0.1.200
        NAS-Port = 1
        Framed-Protocol = PPP
server monitor {
+- entering group authorize
rlm_realm: Looking up realm "vpn_realm" for User-Name = "vpn_realm.mloosbro"
    rlm_realm: Found realm "vpn_realm"
    rlm_realm: Adding Stripped-User-Name = "mloosbro"
    rlm_realm: Adding Realm = "vpn_realm"
    rlm_realm: Proxying request from user mloosbro to realm vpn_realm
rlm_realm: Preparing to proxy authentication request to realm "vpn_realm"
++[vpn_realm] returns updated
} # server monitor
+- entering group pre-proxy
++[noop] returns noop
>>> Sending proxied request internally to virtual server.
server vpn {
+- entering group authorize
        expand: %{control:NS-Override-User} ->
        expand: %{Stripped-User-Name} -> mloosbro
        expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> mloosbro
        expand: %{%{control:NS-Override-User}:-%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}} -> mloosbro
rlm_sql (ns-sql-vpn): sql_set_user escaped user --> 'mloosbro'
rlm_sql (ns-sql-vpn): Reserving sql socket id: 4
expand: SELECT id, username, attribute, value, op FROM radcheck_asa WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, a
 WHERE username = 'mloosbro'           ORDER BY id
expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergr
 BY priority
expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck_asa WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id M radgroupcheck_asa WHERE groupname = 'its-network' ORDER BY id
rlm_sql (ns-sql-vpn): User found in group its-network
expand: SELECT id, groupname, attribute, value, op FROM radgroupreply_asa WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id M radgroupreply_asa WHERE groupname = 'its-network' ORDER BY id
expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck_asa WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id M radgroupcheck_asa WHERE groupname = 'employee' ORDER BY id
rlm_sql (ns-sql-vpn): User found in group employee
expand: SELECT id, groupname, attribute, value, op FROM radgroupreply_asa WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id M radgroupreply_asa WHERE groupname = 'employee' ORDER BY id
rlm_sql (ns-sql-vpn): Released sql socket id: 4
++[ns-sql-vpn] returns ok
++[control] returns ok
  rad_check_password:  Found Auth-Type Kerberos
auth: type "Kerberos"
+- entering group Kerberos
rlm_krb5: verify_krb_v5_tgt: host key not found : No such file or directory
++[krb5] returns ok
Login OK: [mloosbro/password] (from client monitor port 1 via TLS tunnel)
} # server vpn
Going to the next request
<<< Received proxied response from internal virtual server.
+- entering group authorize
    rlm_realm: Proxy reply, or no User-Name.  Ignoring.
++[vpn_realm] returns noop
  rad_check_password:  Found Auth-Type
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [vpn_realm.mloosbro/password] (from client monitor port 1)
+- entering group post-auth
++[noop] returns noop
Sending Access-Accept of id 27 to 127.0.0.1 port 4030
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 4030, id=27, length=76
Sending duplicate reply to client monitor port 4030 - ID: 27
Sending Access-Accept of id 27 to 127.0.0.1 port 4030
Waking up in 4.9 seconds.
Cleaning up request 0 ID 27 with timestamp +3
Ready to process requests.

### END DEBUG OUTPUT ###

Mike Loosbrock
Bethel University Network Services
651-638-6723

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
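The debug output above is the evidence for the reported symptom: the request is handed from virtual server "monitor" to "vpn" and back, an Access-Accept goes out, but no reply attributes are listed under the "Sending Access-Accept" line. When comparing a run with and without the post-auth `update reply` workaround, it helps to pull exactly that information out of `radiusd -X` output mechanically rather than by eye. The following script is an added example, not code from the post or from the FreeRADIUS project. It assumes only the line shapes visible in the quoted debug output (`rad_recv:`, `server NAME {`, `>>> Sending proxied request internally`, `Sending Access-Accept of id N`, and indented `Attribute = value` lines following a packet line). The sample text is constructed: a trimmed copy of the quoted output plus a hypothetical second request (id 28) whose Access-Accept does carry attributes, so that both outcomes of the check are exercised.

```python
import re

# Constructed sample: trimmed from the radiusd -X output quoted in the post (id 27),
# followed by a hypothetical request (id 28) whose Access-Accept carries reply attributes.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 4030, id=27, length=76
        User-Name = "vpn_realm.mloosbro"
        User-Password = "password"
        NAS-IP-Address = 10.0.1.200
server monitor {
+- entering group authorize
    rlm_realm: Proxying request from user mloosbro to realm vpn_realm
++[vpn_realm] returns updated
} # server monitor
>>> Sending proxied request internally to virtual server.
server vpn {
+- entering group authorize
  rad_check_password:  Found Auth-Type Kerberos
} # server vpn
<<< Received proxied response from internal virtual server.
+- entering group post-auth
++[noop] returns noop
Sending Access-Accept of id 27 to 127.0.0.1 port 4030
Finished request 0.
rad_recv: Access-Request packet from host 127.0.0.1 port 4030, id=28, length=76
        User-Name = "vpn_realm.mloosbro"
server monitor {
} # server monitor
Sending Access-Accept of id 28 to 127.0.0.1 port 4030
        Framed-IP-Address = 10.0.1.50
        Reply-Message = "hello"
Finished request 1.
"""

RECV_RE = re.compile(r'^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)')
SEND_RE = re.compile(r'^Sending (\S+) of id (\d+) to')
SERVER_RE = re.compile(r'^server (\S+) \{')
# Indented "Attribute = value" lines are the packet dumps printed after a
# rad_recv: or Sending line; everything else in the trace is unindented or has no '='.
ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*(.*)$')


def parse_debug(text):
    """Turn radiusd -X output into one record per received request."""
    requests = []
    current = None   # record being filled
    target = None    # attribute dict that indented lines currently feed
    for line in text.splitlines():
        m = RECV_RE.match(line)
        if m:
            current = {"id": int(m.group(3)), "code": m.group(1), "client": m.group(2),
                       "request_attrs": {}, "servers": [], "proxied": False,
                       "reply_code": None, "reply_attrs": {}}
            requests.append(current)
            target = current["request_attrs"]
            continue
        if current is None:
            continue                      # module/listen dump before any packet
        m = ATTR_RE.match(line)
        if m and target is not None:
            target[m.group(1)] = m.group(2).strip().strip('"')
            continue
        target = None                     # any other line ends the packet dump
        m = SERVER_RE.match(line)
        if m:
            current["servers"].append(m.group(1))
            continue
        if line.startswith(">>> Sending proxied request"):
            current["proxied"] = True
            continue
        m = SEND_RE.match(line)
        if m:
            current["reply_code"] = m.group(1)
            target = current["reply_attrs"]
            continue
        if line.startswith("Finished request"):
            current = None
    return requests


def replies_without_attributes(requests):
    """Ids of proxied requests whose Access-Accept carried no reply attributes:
    the symptom the post describes."""
    return [r["id"] for r in requests
            if r["proxied"] and r["reply_code"] == "Access-Accept" and not r["reply_attrs"]]


if __name__ == "__main__":
    parsed = parse_debug(SAMPLE_DEBUG)
    for r in parsed:
        print(f"id={r['id']} servers={r['servers']} proxied={r['proxied']} "
              f"reply={r['reply_code']} reply_attrs={r['reply_attrs']}")
    print("empty proxied accepts:", replies_without_attributes(parsed))
```

Run it against a full `radiusd -X` capture (`python3 script.py < radiusd.log` after swapping `SAMPLE_DEBUG` for `sys.stdin.read()`) before and after adding the `update reply` block: if the list of empty proxied accepts shrinks to nothing only with the workaround in place, the proxy-reply list is not being merged into the outer server's reply on its own.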
