cannot return access accept from proxy to client
Hi all,

I encountered a problem during an authentication request. Would you give me a hand? Many thanks!

Configuration:
  Host A (Radius server)
  Host B (proxies all requests to host A)

Problem:
  1) Access-Request is sent to Host B from client
  2) Host B proxies the request to Host A
  3) Host A sends Access-Accept to Host B
  4) Host B receives Access-Accept from Host A
  5) Host B sends Access-Reject to client (log message comes below)

*My question is: how can I set radius such that it can send the access-accept to the client?

  rad_recv: Access-Accept packet from host xxx.xxx.xxx.xxx:1812, id=3, length=156
    Processing the authorize section of radiusd.conf
  modcall: entering group authorize for request 3
    hints: Matched DEFAULT at 81
    modcall[authorize]: module "preprocess" returns ok for request 3
  radius_xlat: '/usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/auth-detail-20050921'
  rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/auth-detail-20050921
    modcall[authorize]: module "auth_log" returns ok for request 3
    rlm_realm: Proxy reply, or no User-Name. Ignoring.
    modcall[authorize]: module "suffix" returns noop for request 3
    users: Matched entry DEFAULT at line 168
    modcall[authorize]: module "files" returns ok for request 3
  modcall: group authorize returns ok for request 3
    rad_check_password: Found Auth-Type SQL
    rad_check_password: Auth-Type = Accept, accepting the user
  Login OK: [EMAIL PROTECTED]/8F4Lf0T] (from client ivrs port 0 cli 00-0C-41-2F-00-71)
    Processing the post-auth section of radiusd.conf
  modcall: entering group post-auth for request 3
  radius_xlat: '/usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/reply-detail-20050921'
  rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/reply-detail-20050921
    modcall[post-auth]: module "reply_log" returns ok for request 3
  rlm_sql (sql): Processing sql_postauth
  radius_xlat: ''
    modcall[post-auth]: module "sql" returns fail for request 3
  modcall: group post-auth returns fail for request 3
  Delaying request 3 for 1 seconds
  Finished request 3

(c) 2005 Interactive Technology Holdings Limited Group. All rights reserved.
CONFIDENTIALITY: This communication and any attachment(s) is intended solely for the person or organisation to which it is addressed and it may be confidential. This communication may contain confidential or legally privileged material and may not be copied, redistributed or published (in whole or in part) without our prior written consent. This communication may have been intercepted, partially destroyed, arrive late, incomplete or contain viruses and no liability is accepted by any member of the Interactive Technology Holdings Limited Group as a result. If you are not the intended recipient, employee or agent responsible for delivering the message to the intended recipient you must not copy, disclose, distribute or take any action in reliance on it. If you have received this communication in error, please immediately reply and highlight the error to the sender immediately and destroy the original from your computer.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: cannot return access accept from proxy to client
Seeing your output, it says that it's failing because the "post-auth" module is failing due to the failure of the "sql" module invoked. Look up your radiusd.conf file, see why you are using sql in post-auth, and see if this setup is correct.

----- Original Message -----
From: Wilson Lie
To: freeradius-users@lists.freeradius.org
Sent: Wednesday, September 21, 2005 5:58 AM
Subject: cannot return access accept from proxy to client
RE: cannot return access accept from proxy to client
Yes, as Host B is used as both a proxy and an authentication server, depending on the realm received.

When host B acts as an authentication server, the [sql] in post-auth is used to log some message for that particular username. When host B acts as a proxy, the [sql] failed as the username from the access-accept is missing.

Therefore, is there any method that can avoid this case, such that [sql] won't be invoked when host B acts as a proxy?

-----Original Message-----
From: Paolo Rotela
Sent: 2005/9/21 [Wednesday] 08:28 PM
To: FreeRadius users mailing list
Subject: Re: cannot return access accept from proxy to client
Re: cannot return access accept from proxy to client
Wilson Lie wrote:
> When host B acts as a proxy, the [sql] failed as the username from
> access-accept is missing.

You should make the SQL query so that it won't make an error when certain attributes are not present or empty. See the example sql.conf file. Turn sql traces on and run in debug mode to see what queries are done. Check why they are failing and correct the queries.

--
Groeten, Regards, Salutations,
Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
RE: cannot return access accept from proxy to client
I suspect that freeradius will return failed at once when the "username" attribute is not found, because the username attribute won't be included in the "access-accept" packet. The "sql" can be executed successfully when host B acts as authentication server.

So maybe I should ask: can freeradius be configured as both authentication server and proxy server on the same host?

Hope someone can help on this. Many thanks!
Re: cannot return access accept from proxy to client
"Wilson Lie" <[EMAIL PROTECTED]> wrote:
> I suspect that the freeradius will return failed at once when
> "username" attribute is not found and because the username attribute
> won't be included in the "access-accept" packet.

  No. FreeRADIUS doesn't care about User-Name's in Access-Accept.

> The "sql" can be executed successfully when host B acts as
> authentication server.

  Look at the differences between the two queries. They ARE different.

> So maybe I should ask can freeradius be configured as both
> authentication server and proxy server at the same host ?

  Yes. Many, many people have configured this successfully. If your site doesn't work, it's because something is going wrong in your local config, and debug mode will tell you.

  Alan DeKok.
RE: cannot return access accept from proxy to client
Hi,

Thanks for your help. I'm not sure that I can tell the case clearly enough, but I'm afraid that you misunderstood the question. Kindly help me again, or correct me if I'm really wrong.

>> No. FreeRADIUS doesn't care about User-Name's in Access-Accept.

Yes, for a normal Access-Accept, if Host B acts as server, the access-accept can be sent back to the client. But when the access-accept is sent from host A -> Host B, from the host B debug log it can be seen that, as user-name is missing, the [sql] module cannot be run; freeradius returns failed in [sql], where [sql] refers to the post-auth query in this case and the statement contains the "User-name" attribute (e.g. update xxx set xxx where username=attribute).

So I would like to ask if there is any special handling by freeradius in this case? As the post-auth [sql] section is configured in sql.conf, it should be the same, because only one post-auth query can be configured. Or can the "user-name" attribute never be included in the post-auth query in this case? (i.e. Host B acts as both proxy and auth-server)

Many thanks!

    Processing the post-auth section of radiusd.conf
  modcall: entering group post-auth for request 3
  radius_xlat: '/usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/reply-detail-20050921'
  rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/reply-detail-20050921
    modcall[post-auth]: module "reply_log" returns ok for request 3
  rlm_sql (sql): Processing sql_postauth
  radius_xlat: ''
    modcall[post-auth]: module "sql" returns fail for request 3
  modcall: group post-auth returns fail for request 3
  Delaying request 3 for 1 seconds
  Finished request 3

-----Original Message-----
From: Alan DeKok
Sent: 2005/9/22 [Thursday] 11:19 PM
To: FreeRadius users mailing list
Subject: Re: cannot return access accept from proxy to client
Re: cannot return access accept from proxy to client
"Wilson Lie" <[EMAIL PROTECTED]> wrote:
> But I'm afraid that you misunderstood the question.

  I understood it fine. My response should have been clear.

> Yes, for normal Access-Accept if Host B act as server , the
> access-accept can be sent back to client

  The problem has NOTHING to do with host B or Access-Accept.

> But when access-accept is sent from host A -> Host B , from host B debug
> log, it can be seen that
> as user-name is missing, the [sql] module cannot be run ,

  No, the SQL module *is* run, but it is telling you that the query YOU CONFIGURED did not return any matches.

> freeradius return failed in [sql]
> where [sql] refers to post-auth query in this case and the statement
> contains "User-name" attribute
> (e.g. update xxx set xxx where username=attribute )

  The post-auth query is updating the SQL database with data from the Access-Request packet. If that Access-Request packet does not contain a User-name, then the SQL query will not work.

  This has nothing to do with Access-Accept, or host A, or host B.

> So I would like to ask if any special handling by freeradius in this case ?

  I can't parse that sentence.

> As the post-auth [sql] section is configured in sql.conf and it should be
> same because only one post-auth query
> can be configured.

  You can configure multiple SQL modules, where one has a postauth_query and the other does not. See the documentation.

> Or "user-name" attribute can never be included in the post-auth query in
> this case ? ( i.e. Host B acts as both proxy and auth-server)

  It's up to YOU to decide that. That's why the queries are configurable. If the queries aren't doing what you want, edit them. If the server isn't doing what you want, edit the configuration files.

  Alan DeKok.
RE: cannot return access accept from proxy to client
Dear Alan,

Thanks for your help. Maybe I should ask the question in another way.

Host B acts as both proxy and server:
  for realm A -> proxy to other server
  for realm B -> process locally

When the auth-accept is returned to the proxy (Host B), it will process section [post-auth] in radiusd.conf no matter what host B receives.

Q1. Is there any method such that host B won't go into [post-auth] when it is receiving the result from another server?

Q2. In case host B cannot bypass [post-auth] when receiving the result from another server, how can I define multiple sql sections in [post-auth]? As I cannot find any rule that I can set in [post-auth] such that it can go to [sql1] for realm A and [sql2] for realm B.

Many thanks!

-----Original Message-----
From: Alan DeKok
Sent: Friday, September 23, 2005 1:10 AM
To: FreeRadius users mailing list
Subject: Re: cannot return access accept from proxy to client
Re: cannot return access accept from proxy to client
"Wilson Lie" <[EMAIL PROTECTED]> wrote:
> Q1. Any method such that host B won't goes into [post-auth] when it is
> receiving result from another server ?

  I'm not sure what you mean here. Perhaps you could try using complete sentences. I *think* the answer is "source code edits".

> Q2. In case host B cannot bypass [post-auth] when receiving result from
> another server, how can I define multiple
> sql section in [post-auth] ? As I cannot find any rule that I can
> set in [post-auth] such that it can go to [sql1]
> for realm A and [sql2] for realm B

  doc/Post-Auth-Type.

  Alan DeKok.
RE: cannot return access accept from proxy to client
Hi Alan,

For Q2, doc/Post-Auth-Type doesn't have information to support branching by realm?

-----Original Message-----
From: Alan DeKok
Sent: Tuesday, October 04, 2005 8:23 AM
To: FreeRadius users mailing list
Subject: Re: cannot return access accept from proxy to client
Re: cannot return access accept from proxy to client
"Wilson Lie" <[EMAIL PROTECTED]> wrote:
> for Q2, doc/Post-Auth-type don't have information to support branching by
> realm ?

  No, but you can use some other method to set Post-Auth-Type, and that method can look for realms.

  Alan DeKok.
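One way to implement what Alan describes, as an added example that is not from the thread or from the FreeRADIUS project's own files: set Post-Auth-Type in the users file keyed on the Realm attribute, and give the proxied realm its own post-auth branch with a second sql instance whose postauth_query does not depend on User-Name, which also covers Thor's point about queries that tolerate missing attributes. It relies on the files module running on the proxy-reply pass (visible as "users: Matched entry DEFAULT" in the debug output) and on the Realm attribute added by the realm module on the first pass still being present. The realm name example-a, the type name Proxied, the VALUE number 1000, the instance name sql_proxy, the table radpostauth_proxy and the database credentials are all assumed; check doc/Post-Auth-Type for your version, since older servers need the dictionary VALUE before a named post-auth subsection is accepted.

```conf
# --- raddb/dictionary (local additions) ---------------------------------
# Only needed if your server version does not define the named
# Post-Auth-Type automatically. 1000 is an arbitrary unused number
# chosen for this example.
VALUE   Post-Auth-Type   Proxied   1000

# --- raddb/users ---------------------------------------------------------
# The files module runs again when the proxy reply comes back, so this
# entry is evaluated for the reply pass. "example-a" is the realm that
# host B proxies (assumed name); Realm was added by the realm module
# when the Access-Request was first processed.
DEFAULT Realm == "example-a", Post-Auth-Type := Proxied
        Fall-Through = Yes

# --- raddb/radiusd.conf --------------------------------------------------
modules {
        # Existing instance "sql": its postauth_query references
        # %{User-Name} and works for users host B authenticates itself.
        $INCLUDE  ${confdir}/sql.conf

        # Second instance for proxied realms (assumed name). The query
        # only uses attributes that exist in this pass, so an empty
        # User-Name cannot make it fail. Table name and credentials are
        # placeholders.
        sql sql_proxy {
                driver    = "rlm_sql_mysql"
                server    = "localhost"
                login     = "radius"
                password  = "CHANGE_ME"
                radius_db = "radius"
                postauth_query = "INSERT INTO radpostauth_proxy \
                        (realm, client, reply, date) VALUES \
                        ('%{Realm}', '%{Client-IP-Address}', \
                         '%{reply:Packet-Type}', NOW())"
        }
}

post-auth {
        # Default branch: requests with no Post-Auth-Type set, i.e. the
        # realm host B processes locally (realm B in the thread).
        reply_log
        sql

        # Branch taken when the users entry above set Post-Auth-Type.
        # The default "sql" instance is not in this list, so its
        # User-Name-dependent query is never run for proxied replies.
        Post-Auth-Type Proxied {
                reply_log
                sql_proxy
        }
}
```

Run the server with radiusd -X after the change and confirm the proxy reply now shows the Proxied sub-section being entered and the group post-auth returning ok instead of fail.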