Invalid location for 'if' on 3.0.4

mdstest
Hi folks,

We have had freeradius version 2.2.6 running on CentOS6 for a
few years now.  Now we need to build a new host on CentOS7.  I
installed version 3.0.4 from the repo.  When I copied my proxy.conf file
from the old host, I encountered an error and couldn't figure out what
is wrong.

$radiusd -X 2>&1 | tee debugfile
radiusd: FreeRADIUS Version 3.0.4, for host x86_64-redhat-linux-gnu,
built on Mar  5 2015 at 23:41:36
Copyright (C) 1999-2014 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
/etc/raddb/proxy.conf[103]: Invalid location for 'if'
Errors reading or parsing /etc/raddb/radiusd.conf

proxy.conf

post-proxy {
  update proxy-reply {
    Filter-Id !* ""
    Fortinet-Access-Profile !* ""
    Juniper-Local-User-Name !* ""
    Cisco-AVPair !* ""
 #   Raritan-VSA-Placeholder !* ""
    PaloAlto-Admin-Role !* ""
    PaloAlto-Panorama-Admin-Role !* ""
    F5-LTM-User-Info-1 !* ""
  }


  if("%{proxy-reply:Packet-Type}" == Access-Accept) {
      perl
      update proxy-reply {
        Reply-Message := "Welcome user!"
      }
  }
}

Please pardon me if this is a simple error, but I am new to
freeradius and have read the docs but couldn't figure it out.

Mike
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Invalid location for 'if' on 3.0.4

Adam Bishop-2
On 28 Nov 2018, at 17:22, MDS Test <[hidden email]> wrote:
> We have had freeradius version 2.2.6 running on CentOS6 for a
> few years now.  Now we need to build a new host on CentOS7.  I
> installed version 3.0.4 from the repo.  When I copied my proxy.conf file
> from the old host, I encountered an error and couldn't figure out what
> is wrong.

It sounds like your 2.2 config has been heavily modified - that content shouldn't be in the proxy.conf file.

It's best to start from the default 3.0 configuration, and apply your changes one at a time as 2.2 and 3.0 are not 100% config compatible.

Also, upgrade - 3.0.4 is very old at this point, and there are a number of improvements you're missing out on.


Adam Bishop

  gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460

jisc.ac.uk


Re: Invalid location for 'if' on 3.0.4

mdstest
Thank you.  I will start from the 3.0 default config.

Re: Invalid location for 'if' on 3.0.4

Alan Buxey
hi,

post-proxy etc statements live in virtual servers - that kind of stuff
would normally live in your virtual server section - I'm guessing
your 2.x config may have just been lifted from an even older 1.x config or
such with loads of INCLUDE things rather than taking
the standard layout/config.

alan


Re: Invalid location for 'if' on 3.0.4

mdstest
If it helps, this is my full proxy.conf config of version 2.2.4.
The snippet probably didn't provide the entire picture.

proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = no
        dead_time = 120
        wake_all_if_all_dead = no
}
home_server localhost {
        ipaddr = 127.0.0.1
        port = 1812
        type = "auth"
        secret = "testing123"
        response_window = 20
        max_outstanding = 65536
        require_message_authenticator = yes
        zombie_period = 40
        status_check = "status-server"
        ping_interval = 30
        check_interval = 30
        num_answers_to_alive = 3
        num_pings_to_alive = 3
        revive_interval = 120
        status_check_timeout = 4
 coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
 }
}
home_server nbf_auth_1 {
  ipaddr = 10.10.10.26
  port   = 1812
  type   = auth
  secret = "xxxxxxxxxx"
}
home_server nbf_auth_2 {
  ipaddr = 10.10.10.25
  port   = 1812
  type   = auth
  secret = "xxxxxxxxxx"
}
home_server nbf_auth_3 {
  ipaddr = 10.10.10.24
  port   = 1812
  type   = auth
  secret = "xxxxxxxxxx"
}
home_server nbf_auth_4 {
  ipaddr = 10.10.10.23
  port   = 1812
  type   = auth
  secret = "xxxxxxxxx"
}
home_server nbf_auth_5 {
  ipaddr = 10.10.10.22
  port   = 1812
  type   = auth
  secret = "xxxxxxxx"
}
home_server nbf_auth_6 {
  ipaddr = 10.10.10.21
  port   = 1812
  type   = auth
  secret = "xxxxxxxxx"
}
home_server_pool server_pool {
        type = fail-over
        home_server = nbf_auth_1
        home_server = nbf_auth_2
        home_server = nbf_auth_3
        home_server = nbf_auth_4
        home_server = nbf_auth_5
        home_server = nbf_auth_6
}
pre-proxy {
  update proxy-request {
    Called-Station-Id !* ""
    Calling-Station-Id !* ""
    NAS-Port-Type !* ""
    Connect-Info !* ""
    EAP-Message !* ""
    Message-Authenticator !* ""
    NAS-Port !* ""
  }
}

post-proxy {
  # Strip out anything from the remote that we
  # provide ourselves.
  update proxy-reply {
    Filter-Id !* ""
    Fortinet-Access-Profile !* ""
    Juniper-Local-User-Name !* ""
    Cisco-AVPair !* ""
 #   Raritan-VSA-Placeholder !* ""
    PaloAlto-Admin-Role !* ""
    PaloAlto-Panorama-Admin-Role !* ""
    F5-LTM-User-Info-1 !* ""
  }


  if("%{proxy-reply:Packet-Type}" == Access-Accept) {
      perl
      update proxy-reply {
        Reply-Message := "Welcome user!"
      }
  }
}

realm NULL {
}
realm LOCAL {
}
realm att_ent_token {
        auth_pool = server_pool
}



Re: Invalid location for 'if' on 3.0.4

Alan DeKok-2
On Nov 29, 2018, at 9:17 AM, MDS Test <[hidden email]> wrote:
>
> If it helps,  this is my full proxy.conf  config of version 2.2.4

  We didn't ask for that.  You were asked to start with the default v3 config.

  Version 2 allowed for "pre-proxy" sections to be outside of a "server" section.  Version 3 does not allow this.

  You MUST put "pre-proxy", etc. into a "server" section.

  Read raddb/README.rst.  There are detailed instructions for upgrading from v2 to v3.

  Do NOT copy your v2 config over to v3.  You MUST start from the default v3 configuration, and gradually move pieces over, with testing.

  And do NOT use 3.0.4.  There is no reason to use a version which is ~5 years old.  3.0.17 is available, and has many fixes and feature enhancements over 3.0.4.

  Alan DeKok.
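
A pre-migration check for the rule stated above (version 3 does not accept "pre-proxy" and similar sections outside a "server" section), as an added example that is not part of the thread or of FreeRADIUS. The section-name list, the function name and the sample text are assumptions made for illustration; the sample is constructed from the shape of the posted proxy.conf.

```python
import re

# Section names that hold request-processing policy (assumed list for this check).
PROCESSING = {"authorize", "authenticate", "preacct", "accounting", "session",
              "post-auth", "pre-proxy", "post-proxy"}

# Quoted strings and comments are dropped before looking at braces, so that
# "%{proxy-reply:Packet-Type}" neither opens nor closes a block.
_NOISE = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|#.*')

# Constructed sample: a trimmed v2-style proxy.conf shaped like the one in the thread.
SAMPLE_V2 = '''\
home_server nbf_auth_1 {
  ipaddr = 10.10.10.26
  secret = "xxxxxxxxxx"
}
pre-proxy {
  update proxy-request {
    NAS-Port !* ""
  }
}
post-proxy {
  if("%{proxy-reply:Packet-Type}" == Access-Accept) {
    perl
  }
}
'''

def misplaced_sections(text):
    """Return [(line_no, name)] for processing sections opened at the top level of the file."""
    stack, found = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = _NOISE.sub("", raw).strip()
        while line.startswith("}"):        # close blocks first, covers "} else {"
            if stack:
                stack.pop()
            line = line[1:].strip()
        if line.endswith("{"):
            m = re.match(r"[\w.-]+", line)
            name = m.group(0) if m else ""
            if name in PROCESSING and not stack:   # not nested in server { } or anything else
                found.append((no, name))
            stack.append(name)
    return found

if __name__ == "__main__":
    for no, name in misplaced_sections(SAMPLE_V2):
        print(f"line {no}: '{name}' is outside any server {{ }} block")
```

Running it over each file copied from the old host lists the sections that have to move into a virtual server before the v3 parser will load them.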

