FreeRadius 3.0.12 - Select radreply but don't send them


FreeRadius 3.0.12 - Select radreply but don't send them

Thibault Lansiaux
Hi,

We are having a problem with a FreeRADIUS migration between two different servers.
The first (old) one, 1.x, is OK.
On the new server (FreeRADIUS 3.0.12), FreeRADIUS selects the user's radreply entries but doesn't send them in the "Access-Accept".

We compared "sites-enabled/default" from the old and new servers, and didn't find differences in "authorize {" and "preprocess {".

Below is the freeradius -X request:

Ready to process requests
(0) Received Access-Request Id 212 from 4.5.6.7:20506 to 1.2.3.4:1812 length 179
(0) Acct-Session-Id = "008fe531"
(0) NAS-Port = 0
(0) NAS-Port-Type = Virtual
(0) User-Name = "MY-NAS-ID"
(0) Calling-Station-Id = "01-02-03-04-05-06"
(0) Called-Station-Id = "11-12-13-14-15-16"
(0) Framed-IP-Address = 192.168.3.254
(0) User-Password = "mypassword"
(0) NAS-Identifier = "MY-NAS-ID"
(0) NAS-IP-Address = 10.0.50.1
(0) Framed-MTU = 1496
(0) Connect-Info = "HTTPS"
(0) Service-Type = Administrative-User
(0) Message-Authenticator = 0x26fc427cba3a98946382a756c6659634
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) [preprocess] = ok
(0) update request {
(0) EXPAND %{User-Name}
(0) --> MY-NAS-ID
(0) SQL-User-Name set to 'MY-NAS-ID'
rlm_sql (sql): Reserved connection (0)
(0) Executing select query: SELECT groupname FROM radhuntgroup WHERE nasipaddress="MY-NAS-ID"
rlm_sql (sql): Released connection (0)
rlm_sql (sql): Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.26-MariaDB-0+deb9u1, protocol version 10
(0) EXPAND %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress="%{NAS-Identifier}"}
(0) --> my-nas-id-group
(0) &Huntgroup-Name := my-nas-id-group
(0) } # update request = noop
(0) if (&Huntgroup-Name == "%{sql:SELECT groupname FROM radusergroup WHERE username="%{User-Name}"}"){
(0) EXPAND %{User-Name}
(0) --> MY-NAS-ID
(0) SQL-User-Name set to 'MY-NAS-ID'
rlm_sql (sql): Reserved connection (1)
(0) Executing select query: SELECT groupname FROM radusergroup WHERE username="MY-NAS-ID"
rlm_sql (sql): Released connection (1)
(0) EXPAND %{sql:SELECT groupname FROM radusergroup WHERE username="%{User-Name}"}
(0) --> my-nas-id-group
(0) if (&Huntgroup-Name == "%{sql:SELECT groupname FROM radusergroup WHERE username="%{User-Name}"}") -> TRUE
(0) if (&Huntgroup-Name == "%{sql:SELECT groupname FROM radusergroup WHERE username="%{User-Name}"}") {
(0) [ok] = ok
(0) } # if (&Huntgroup-Name == "%{sql:SELECT groupname FROM radusergroup WHERE username="%{User-Name}"}") = ok
(0) ... skipping else: Preceding "if" was taken
(0) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log: --> /var/log/freeradius/radacct/4.5.6.7/auth-detail-20190927
(0) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/4.5.6.7/auth-detail-20190927
(0) auth_log: EXPAND %t
(0) auth_log: --> Fri Sep 27 11:58:20 2019
(0) [auth_log] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "MY-NAS-ID", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [unix] = notfound
(0) sql: EXPAND %{User-Name}
(0) sql: --> MY-NAS-ID
(0) sql: SQL-User-Name set to 'MY-NAS-ID'
rlm_sql (sql): Reserved connection (2)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'MY-NAS-ID' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'MY-NAS-ID' ORDER BY id
(0) sql: User found in radcheck table
(0) sql: Conditional check items matched, merging assignment check items
(0) sql: Cleartext-Password := "mypassword"
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'MY-NAS-ID' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'MY-NAS-ID' ORDER BY id
(0) sql: User found in radreply table, merging reply items
(0) sql: Colubris-AVPair == "access-list=loginserver,DENY,all,192.168.0.0/18,all"
(0) sql: Colubris-AVPair == "access-list=loginserver,DENY,all,172.16.0.0/12,all"
(0) sql: Colubris-AVPair == "access-list=loginserver,DENY,all,10.0.0.0/8,all"
(0) sql: Colubris-AVPair == "access-list=loginserver,ACCEPT,tcp,www.mydomain.com,all"
(0) sql: Colubris-AVPair == "use-access-list=loginserver"
(0) sql: Colubris-AVPair == "logo=https://webportail.mydomain.com/directory/logo.gif"
(0) sql: Colubris-AVPair == "fail-page=https://webportail.mydomain.com/directory/fail.html"
(0) sql: Colubris-AVPair == "session-page=https://webportail.mydomain.com/directory/session.html"
(0) sql: Colubris-AVPair == "messages=https://webportail.mydomain.com/directory/messages.txt"
(0) sql: Colubris-AVPair == "transport-page=https://webportail.mydomain.com/directory/transport.html"
(0) sql: Colubris-AVPair == "login-err-url=https://webportail.mydomain.com/directory/login-error.php"
(0) sql: Colubris-AVPair == "goodbye-url=https://webportail.mydomain.com/directory/goodbye.php"
(0) sql: Colubris-AVPair == "login-url=https://webportail.mydomain.com/directory/index.php?mac=%m"
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'MY-NAS-ID' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'MY-NAS-ID' ORDER BY priority
(0) sql: User found in the group table
(0) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(0) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'my-nas-id-group' ORDER BY id
(0) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'my-nas-id-group' ORDER BY id
(0) sql: Group "my-nas-id-group": Conditional check items matched
(0) sql: Group "my-nas-id-group": Merging assignment check items
(0) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(0) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'my-nas-id-group' ORDER BY id
(0) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'my-nas-id-group' ORDER BY id
(0) sql: Group "my-nas-id-group": Merging reply items
rlm_sql (sql): Released connection (2)
(0) [sql] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) [pap] = updated
(0) } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known good" Cleartext-Password
(0) pap: User authenticated successfully
(0) [pap] = ok
(0) } # Auth-Type PAP = ok
(0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(0) post-auth {
(0) update {
(0) No attributes updated
(0) } # update = noop
(0) reply_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
(0) reply_log: --> /var/log/freeradius/radacct/4.5.6.7/reply-detail-20190927
(0) reply_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/4.5.6.7/reply-detail-20190927
(0) reply_log: EXPAND %t
(0) reply_log: --> Fri Sep 27 11:58:20 2019
(0) [reply_log] = ok
(0) sql: EXPAND .query
(0) sql: --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (3)
(0) sql: EXPAND %{User-Name}
(0) sql: --> MY-NAS-ID
(0) sql: SQL-User-Name set to 'MY-NAS-ID'
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'MY-NAS-ID', 'mypassword', 'Access-Accept', '2019-09-27 11:58:20')
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'MY-NAS-ID', 'mypassword', 'Access-Accept', '2019-09-27 11:58:20')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (3)
(0) [sql] = ok
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # post-auth = ok
(0) Login OK: [MY-NAS-ID/mypassword] (from client MY_CLIENT-WAN-IP port 0 cli 01-02-03-04-05-06)
(0) Sent Access-Accept Id 212 from 1.2.3.4:1812 to 4.5.6.7:20506 length 0
(0) Finished request
Waking up in 4.9 seconds.

Regards,

--

/Thibault Lansiaux/

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRadius 3.0.12 - Select radreply but don't send them

Alan DeKok-2
On Sep 27, 2019, at 10:09 AM, Thibault Lansiaux <[hidden email]> wrote:
> We are having a problem with a FreeRADIUS migration between two different servers.
> The first (old) one, 1.x, is OK.
> On the new server (FreeRADIUS 3.0.12), FreeRADIUS selects the user's radreply entries but doesn't send them in the "Access-Accept".
>
> We compared "sites-enabled/default" from the old and new servers, and didn't find differences in "authorize {" and "preprocess {".
>
> Below is the freeradius -X request:

  As you were told on GitHub:

> (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
> (0) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'MY-NAS-ID' ORDER BY id
> (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'MY-NAS-ID' ORDER BY id
> (0) sql: User found in radreply table, merging reply items
> (0) sql: Colubris-AVPair == "access-list=loginserver,DENY,all,192.168.0.0/18,all"
> (0) sql: Colubris-AVPair == "access-list=loginserver,DENY,all,172.16.0.0/12,all"
> (0) sql: Colubris-AVPair == "access-list=loginserver,DENY,all,10.0.0.0/8,all"
> (0) sql: Colubris-AVPair == "access-list=loginserver,ACCEPT,tcp,www.mydomain.com,all"
> (0) sql: Colubris-AVPair == "use-access-list=loginserver"
> (0) sql: Colubris-AVPair == "logo=https://webportail.mydomain.com/directory/logo.gif"
> (0) sql: Colubris-AVPair == "fail-page=https://webportail.mydomain.com/directory/fail.html"
> (0) sql: Colubris-AVPair == "session-page=https://webportail.mydomain.com/directory/session.html"
> (0) sql: Colubris-AVPair == "messages=https://webportail.mydomain.com/directory/messages.txt"
> (0) sql: Colubris-AVPair == "transport-page=https://webportail.mydomain.com/directory/transport.html"
> (0) sql: Colubris-AVPair == "login-err-url=https://webportail.mydomain.com/directory/login-error.php"
> (0) sql: Colubris-AVPair == "goodbye-url=https://webportail.mydomain.com/directory/goodbye.php"
> (0) sql: Colubris-AVPair == "login-url=https://webportail.mydomain.com/directory/index.php?mac=%m"

  '==' is NOT the operator you use for the reply.  See the rlm_sql documentation.

  Alan DeKok.


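The condition Alan points at can be checked mechanically. The script below is an added example, not code from the thread or from the FreeRADIUS project: it scans `freeradius -X` output for rlm_sql reply items that were merged with a check operator such as `==`. rlm_sql uses `==` (and `!=`, `<`, `=~`, ...) for check items, while reply rows need an assignment operator (`=`, `:=`, `+=`); a reply row with `==` is read and logged but never added to the Access-Accept, which is why the reply above is sent with no attributes. The sample log is constructed from the debug output in the first post, the table names follow the standard rlm_sql schema, and the script also covers radgroupreply, which the thread does not show failing.

```python
import re

# Operators rlm_sql treats as comparisons: meaningful in radcheck/radgroupcheck,
# never in radreply/radgroupreply, where = / := / += are the valid choices.
CHECK_OPS = {"==", "!=", "<", ">", "<=", ">=", "=~", "!~"}

# One merged item, e.g.  (0) sql: Colubris-AVPair == "use-access-list=loginserver"
ITEM_RE = re.compile(r"^\(\d+\) sql: (?P<attr>[\w.-]+) "
                     r"(?P<op>==|!=|<=|>=|=~|!~|:=|\+=|-=|=|<|>) (?P<value>.*)$")

# Constructed sample, reshaped from the thread's -X output; not a real capture.
SAMPLE_DEBUG = """\
(0) sql: Conditional check items matched, merging assignment check items
(0) sql: Cleartext-Password := "mypassword"
(0) sql: User found in radreply table, merging reply items
(0) sql: Colubris-AVPair == "access-list=loginserver,DENY,all,10.0.0.0/8,all"
(0) sql: Colubris-AVPair == "use-access-list=loginserver"
(0) sql: Session-Timeout := 3600
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql: Group "my-nas-id-group": Merging reply items
(0) sql: Colubris-AVPair += "logo=https://webportail.mydomain.com/directory/logo.gif"
"""

def audit_reply_items(debug_text):
    """Return reply items merged with a check operator, with their source table."""
    hits, table = [], None  # table is None outside a reply-merge block
    for line in debug_text.splitlines():
        low = line.lower()
        if "merging reply items" in low:
            # 'User found in radreply table, ...' vs 'Group "...": Merging ...'
            table = "radgroupreply" if "group" in low else "radreply"
            continue
        m = ITEM_RE.match(line)
        if m is None:
            table = None  # any other rlm_sql message ends the merged block
            continue
        if table and m.group("op") in CHECK_OPS:
            hits.append({"table": table, "attr": m.group("attr"),
                         "op": m.group("op"), "value": m.group("value")})
    return hits

def fix_statements(hits):
    """Build UPDATEs that rewrite the bad operators to '+=', which appends and so
    keeps every row of a repeated attribute such as the Colubris-AVPair list."""
    stmts = []
    for table in sorted({h["table"] for h in hits}):
        ops = ", ".join(f"'{o}'" for o in sorted({h["op"] for h in hits if h["table"] == table}))
        stmts.append(f"UPDATE {table} SET op = '+=' WHERE op IN ({ops});")
    return stmts
```

Run `audit_reply_items` over a real `-X` capture to list the rows that silently drop out of the reply; the generated UPDATE is a starting point to review, since rows meant to replace a value should use `:=` rather than `+=`.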

Re: FreeRadius 3.0.12 - Select radreply but don't send them

Alan DeKok-2
On Sep 27, 2019, at 10:33 AM, Thibault Lansiaux <[hidden email]> wrote:
>
> Hi Alan,
>
> The '==' seems not to be the problem, the same radreply (same base.table) is ok with our old freeradius.

  That is not a useful response.  It's quite rude.

  You can (a) waste your time thinking that you're smarter than everyone else, or (b) follow instructions and fix the problem.

  Alan DeKok.

