Add VSA in pre-proxy stage

Add VSA in pre-proxy stage

Arnaud LAURIOU
Hello,

I'm trying to add a VSA in an Access-Request before proxying it to an
authentication RADIUS server.

I use this attribute definition:
BEGIN-VENDOR    FreeRADIUS      format=Extended-Vendor-Specific-1
ATTRIBUTE       FreeRADIUS-Eduroam-Prevent-Loop         1 integer
END-VENDOR      FreeRADIUS


I add this VSA in the pre-proxy stage, but I get:
(0)   # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default
(0)     pre-proxy {
...
(0)       if (!FreeRADIUS-Eduroam-Prevent-Loop) {
(0)       if (!FreeRADIUS-Eduroam-Prevent-Loop)  -> TRUE
(0)       if (!FreeRADIUS-Eduroam-Prevent-Loop)  {
(0)         update request {
(0)           &FreeRADIUS-Eduroam-Prevent-Loop := 1
(0)         } # update request = noop
(0)       } # if (!FreeRADIUS-Eduroam-Prevent-Loop)  = noop
(0)       ... skipping else: Preceding "if" was taken

Why is the return state of this update 'noop'? Should I not get an
'ok' or 'updated' return state?

And this VSA does not seem to be added to the forwarded Access-Request:
(0) Proxying request to home server 194.57.4.197 port 1812 timeout 14.000000
(0) Sent Access-Request Id 255 from 0.0.0.0:47596 to 194.57.4.197:1812 length 162
(0)   User-Name = "[hidden email]"
(0)   NAS-IP-Address = 127.0.0.1
(0)   Calling-Station-Id := "02-00-00-00-00-01"
(0)   Framed-MTU = 1400
(0)   NAS-Port-Type = Wireless-802.11
(0)   Service-Type = Framed-User
(0)   Connect-Info = "eduroam.fr monitoring"
(0)   EAP-Message = 0x02c8001901616e6f6e796d6f75734072656e617465722e6672
(0)   Message-Authenticator = 0x0705ffe079dfb7dc4cd3bdaad44477d4
(0)   Event-Timestamp = "Sep 11 2020 15:14:17 CEST"
(0)   Proxy-State = 0x30


It seems that I missed something, but where?

Regards,

Arnaud Lauriou


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Add VSA in pre-proxy stage

Alan DeKok-2
On Sep 11, 2020, at 10:06 AM, Arnaud LAURIOU <[hidden email]> wrote:
>
> Hello,
>
> I'm trying to add a VSA in an Access-Request before proxying it to an authentication RADIUS server.
>
> I use this attribute definition:
> BEGIN-VENDOR    FreeRADIUS      format=Extended-Vendor-Specific-1
> ATTRIBUTE       FreeRADIUS-Eduroam-Prevent-Loop         1 integer
> END-VENDOR      FreeRADIUS

  Please don't use VSAs you don't control.  We will likely add our own definitions which conflict with this one.

  If you do need custom VSAs, just use a custom vendor number, and create your own dictionary.  i.e. use a vendor number like 32000.  Which is used by someone, but 99.99% not for RADIUS.  So it's mostly OK.

>
> I add this VSA in the pre-proxy stage, but I get:
> (0)   # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default
> (0)     pre-proxy {
> ...
> (0)       if (!FreeRADIUS-Eduroam-Prevent-Loop) {
> (0)       if (!FreeRADIUS-Eduroam-Prevent-Loop)  -> TRUE
> (0)       if (!FreeRADIUS-Eduroam-Prevent-Loop)  {
> (0)         update request {

$ man unlang

        update proxy-request {
                ...

  :)

> (0)           &FreeRADIUS-Eduroam-Prevent-Loop := 1
> (0)         } # update request = noop
> (0)       } # if (!FreeRADIUS-Eduroam-Prevent-Loop)  = noop
> (0)       ... skipping else: Preceding "if" was taken
>
> Why is the return state of this update 'noop'? Should I not get an 'ok' or 'updated' return state?

  Nope.  Reasons for that are complex, but it's fine.

  Alan DeKok.



Re: Add VSA in pre-proxy stage

Bjørn Mork
Alan DeKok <[hidden email]> writes:

> On Sep 11, 2020, at 10:06 AM, Arnaud LAURIOU <[hidden email]> wrote:
>>
>> Hello,
>>
>> I'm trying to add a VSA in an Access-Request before proxying it to an authentication RADIUS server.
>>
>> I use this attribute definition:
>> BEGIN-VENDOR    FreeRADIUS      format=Extended-Vendor-Specific-1
>> ATTRIBUTE       FreeRADIUS-Eduroam-Prevent-Loop         1 integer
>> END-VENDOR      FreeRADIUS
>
>   Please don't use VSAs you don't control.  We will likely add our own
>   definitions which conflict with this one.
>
>   If you do need custom VSAs, just use a custom vendor number, and
>   create your own dictionary.  i.e. use a vendor number like 32000.
>   Which is used by someone, but 99.99% not for RADIUS.  So it's mostly
>   OK.

Note that a vendor number is cheap.  Actually, free.  As in free beer.
Just fill in the form at https://pen.iana.org/pen/app

Then you can create as many RADIUS VSAs as you like without worrying
about dictionary collisions.  Or at least a couple of hundred :-)

32000 belongs to Ekstrem Bir Bilgisayar, BTW.



Bjørn
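Putting the two replies together, here is an added example (not from any poster in the thread, and not FreeRADIUS's own dictionary) of a private dictionary under your own vendor number plus the pre-proxy section with the wrong and the corrected list. VENDOR-NUMBER-HERE is a placeholder for a Private Enterprise Number from IANA; the vendor name Example-Org and the attribute Example-Prevent-Loop are made up.

```unlang
# --- /etc/freeradius/dictionary.example-org (include it from the main dictionary)
# Own vendor number, so nothing the FreeRADIUS project ships can collide with it.
VENDOR          Example-Org             VENDOR-NUMBER-HERE   # placeholder: your IANA PEN

BEGIN-VENDOR    Example-Org
ATTRIBUTE       Example-Prevent-Loop    1       integer      # assumed name
END-VENDOR      Example-Org

# --- sites-enabled/default, as in the original post: the marker is written to
# the incoming request list, so the copy that is proxied never carries it and
# the "update request" block returns noop.
pre-proxy {
        if (!&Example-Prevent-Loop) {
                update request {
                        &Example-Prevent-Loop := 1
                }
        }
}

# --- sites-enabled/default, corrected per the reply: the packet sent to the
# home server is the proxy-request list, so the marker must be set there.
# The check itself still looks at the incoming request list, which is where
# the marker would show up if a proxied packet ever came back to this server.
pre-proxy {
        if (!&Example-Prevent-Loop) {
                update proxy-request {
                        &Example-Prevent-Loop := 1
                }
        }
}
```

After restarting with `radiusd -X`, the proxied Access-Request in the debug output should now list Example-Prevent-Loop = 1.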
