reject request in post-proxy

reject request in post-proxy

Users mailing list
Greetings,

I am using FR 3.0.17.

I am trying to use unlang in the post-proxy section of my default site to
reject certain requests. The following config example is a test condition
and contrived.

post-proxy {
    eap
    if (User-Name == 'mzagrabe') {
        reject
    }
}

However, I am not getting the expected reject when I successfully
authenticate.
Here is the -X output:

[...]
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "mzagrabe", looking up realm NULL
(0) suffix: Found realm "NULL"
(0) suffix: Adding Stripped-User-Name = "mzagrabe"
(0) suffix: Adding Realm = "NULL"
(0) suffix: Proxying request from user mzagrabe to realm NULL
(0) suffix: Preparing to proxy authentication request to realm "NULL"
(0)     [suffix] = updated
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0)     [files] = noop
(0)     [expiration] = noop
(0)     [logintime] = noop
(0)     [pap] = noop
(0)   } # authorize = updated
(0) Starting proxy to home server 10.0.0.1 port 1812
(0) Proxying request to home server 10.0.0.1 port 1812 timeout 30.000000
(0) Sent Access-Request Id 81 from 0.0.0.0:32865 to 10.0.0.1:1812 length 115
(0)   User-Name = "mzagrabe"
(0)   User-Password = "I need something strong to distract my mind-2020"
(0)   NAS-IP-Address = 192.168.0.2
(0)   Event-Timestamp = "Aug 24 2020 16:21:09 CDT"
(0)   Message-Authenticator := 0x00
(0)   Proxy-State = 0x323330
Waking up in 0.3 seconds.
(0) Expecting proxy response no later than 29.667028 seconds from now
Waking up in 29.6 seconds.
(0) Marking home server 10.0.0.1 port 1812 alive
(0) Clearing existing &reply: attributes
(0) Received Access-Accept Id 81 from 10.0.0.1:1812 to 192.168.0.1:32865
length 53
(0)   Reply-Message = "Success. Logging you in..."
(0)   Proxy-State = 0x323330
(0) # Executing section post-proxy from file
/etc/freeradius/3.0/sites-enabled/default
(0)   post-proxy {
(0) eap: No pre-existing handler found
(0)     [eap] = noop
(0)     if (User-Name == 'mzagrabe') {
(0)     if (User-Name == 'mzagrabe')  -> TRUE
(0)     if (User-Name == 'mzagrabe')  {
(0)       [reject] = reject
(0)     } # if (User-Name == 'mzagrabe')  = reject
(0)   } # post-proxy = reject
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user
(0) # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/default
(0)   post-auth {
(0)     update {
(0)       No attributes updated
(0)     } # update = noop
(0)     [exec] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # post-auth = noop
(0) Sent Access-Accept Id 230 from 192.168.0.1:1812 to 192.168.0.2:52859
length 0
(0)   Reply-Message = "Success. Logging you in..."
(0) Finished request

How do I reject in post-proxy after the home server returns a successful
authentication check?

Thanks for any help!

-m
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: reject request in post-proxy

Alan DeKok-2
On Aug 24, 2020, at 5:40 PM, Matt Zagrabelny via Freeradius-Users <[hidden email]> wrote:

> I am trying to use unlang in the post-proxy section of my default site to
> reject certain requests. The following config example is a test condition
> and contrived.
>
> post-proxy {
>    eap
>    if (User-Name == 'mzagrabe') {
>        reject
>    }
> }
>
> However, I am not getting the expected reject when I successfully
> authenticate.

  You can't reject users in the post-proxy section.  Instead, just do:

post-proxy {
    eap
    if (User-Name == 'mzagrabe') {
        update parent.reply {
            Packet-Type := Reject
        }
    }
}

  Alan DeKok.



Re: reject request in post-proxy

Users mailing list
Hey Alan,

Thanks for the reply.

On Mon, Aug 24, 2020 at 7:22 PM Alan DeKok <[hidden email]> wrote:

>
>
>
>   You can't reject users in the post-proxy section.  Instead, just do:
>
> post-proxy {
>     eap
>     if (User-Name == 'mzagrabe') {
>         update parent.reply {
>             Packet-Type := Reject
>         }
>     }
> }


I'm getting an error using that config:

/etc/freeradius/3.0/sites-enabled/default[939]: Unknown or invalid
value "Reject" for attribute Packet-Type
/etc/freeradius/3.0/sites-enabled/default[938]: Failed to parse
"update" subsection.
/etc/freeradius/3.0/sites-enabled/default[893]: Errors parsing
post-proxy section.

Any ideas?

Thank you!

-m

Re: reject request in post-proxy

Alan DeKok-2
On Aug 24, 2020, at 8:47 PM, Matt Zagrabelny via Freeradius-Users <[hidden email]> wrote:
>
> I'm getting an error using that config:
>
> /etc/freeradius/3.0/sites-enabled/default[939]: Unknown or invalid
> value "Reject" for attribute Packet-Type

  Use Access-Reject instead.


Re: reject request in post-proxy

Users mailing list
On Mon, Aug 24, 2020 at 8:37 PM Alan DeKok <[hidden email]> wrote:
>
> On Aug 24, 2020, at 8:47 PM, Matt Zagrabelny via Freeradius-Users <[hidden email]> wrote:
> >
> > I'm getting an error using that config:
> >
> > /etc/freeradius/3.0/sites-enabled/default[939]: Unknown or invalid
> > value "Reject" for attribute Packet-Type
>
>   Use Access-Reject instead.

The server starts, but states that the Packet-Type is invalid when the
post-proxy gets evaluated...

Here is the single line:

(2)         ERROR: Mapping "Access-Reject" -> "Packet-Type" invalid in
this context

and a more full -X output:

(2) Received Access-Accept Id 32 from 10.0.0.1:1812 to
192.168.0.1:41424 length 53
(2)   Reply-Message = "Success. Logging you in..."
(2)   Proxy-State = 0x313834
(2) # Executing section post-proxy from file
/etc/freeradius/3.0/sites-enabled/default
(2)   post-proxy {
(2) eap: No pre-existing handler found
(2)     [eap] = noop
(2)     if (User-Name == 'mzagrabe') {
(2)     if (User-Name == 'mzagrabe')  -> TRUE
(2)     if (User-Name == 'mzagrabe')  {
(2)       update parent.reply {
(2)         ERROR: Mapping "Access-Reject" -> "Packet-Type" invalid in
this context
(2)       } # update parent.reply = invalid
(2)     } # if (User-Name == 'mzagrabe')  = invalid
(2)   } # post-proxy = invalid
(2) Found Auth-Type = Accept
(2) Auth-Type = Accept, accepting the user
(2) # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/default
(2)   post-auth {
(2)     update {
(2)       No attributes updated
(2)     } # update = noop
(2)     [exec] = noop
(2)     policy remove_reply_message_if_eap {
(2)       if (&reply:EAP-Message && &reply:Reply-Message) {
(2)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(2)       else {
(2)         [noop] = noop
(2)       } # else = noop
(2)     } # policy remove_reply_message_if_eap = noop
(2)   } # post-auth = noop
(2) Sent Access-Accept Id 184 from 192.168.0.1:1812 to
192.168.0.2:53235 length 0
(2)   Reply-Message = "Success. Logging you in..."
(2) Finished request

Thank you for the continued help!

-m

Re: reject request in post-proxy

Alan DeKok-2
On Aug 24, 2020, at 10:02 PM, Matt Zagrabelny via Freeradius-Users <[hidden email]> wrote:

>
> On Mon, Aug 24, 2020 at 8:37 PM Alan DeKok <[hidden email]> wrote:
>>
>> On Aug 24, 2020, at 8:47 PM, Matt Zagrabelny via Freeradius-Users <[hidden email]> wrote:
>>>
>>> I'm getting an error using that config:
>>>
>>> /etc/freeradius/3.0/sites-enabled/default[939]: Unknown or invalid
>>> value "Reject" for attribute Packet-Type
>>
>>  Use Access-Reject instead.
>
> The server starts, but states that the Packet-Type is invalid when the
> post-proxy gets evaluated...
>
> Here is the single line:
>
> (2)         ERROR: Mapping "Access-Reject" -> "Packet-Type" invalid in
> this context

  Hmm... then this should work:

update reply {
        Packet-Type := Access-Reject
}

  Alan DeKok.



Re: reject request in post-proxy

Users mailing list
On Mon, Aug 24, 2020 at 9:18 PM Alan DeKok <[hidden email]> wrote:

> > Here is the single line:
> >
> > (2)         ERROR: Mapping "Access-Reject" -> "Packet-Type" invalid in
> > this context
>
>   Hmm... then this should work:
>
> update reply {
>         Packet-Type := Access-Reject
> }

I don't get the ERROR, but I also don't get rejected:

(0) Received Access-Accept Id 112 from 10.0.0.1:1812 to
192.168.0.1:44740 length 53
(0)   Reply-Message = "Success. Logging you in..."
(0)   Proxy-State = 0x323033
(0) # Executing section post-proxy from file
/etc/freeradius/3.0/sites-enabled/default
(0)   post-proxy {
(0) eap: No pre-existing handler found
(0)     [eap] = noop
(0)     if (User-Name == 'mzagrabe') {
(0)     if (User-Name == 'mzagrabe')  -> TRUE
(0)     if (User-Name == 'mzagrabe')  {
(0)       update reply {
(0)         Packet-Type := Access-Reject
(0)       } # update reply = noop
(0)     } # if (User-Name == 'mzagrabe')  = noop
(0)   } # post-proxy = noop
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user
(0) # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/default
(0)   post-auth {
(0)     update {
(0)       No attributes updated
(0)     } # update = noop
(0)     [exec] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # post-auth = noop
(0) Sent Access-Accept Id 203 from 192.168.0.1:1812 to
192.168.0.2:33745 length 0
(0)   Reply-Message = "Success. Logging you in..."
(0) Finished request

Thanks for the help!

-m

Re: reject request in post-proxy

Alan DeKok-2
On Aug 24, 2020, at 10:23 PM, Matt Zagrabelny via Freeradius-Users <[hidden email]> wrote:
> I don't get the ERROR, but I also don't get rejected:

  You'll have to do a little more digging then.  Maybe also use 3.0.21, instead of 3.0.17

  Alan DeKok.



Re: reject request in post-proxy

Users mailing list
On Mon, Aug 24, 2020 at 9:25 PM Alan DeKok <[hidden email]> wrote:
>
> On Aug 24, 2020, at 10:23 PM, Matt Zagrabelny via Freeradius-Users <[hidden email]> wrote:
> > I don't get the ERROR, but I also don't get rejected:
>
>   You'll have to do a little more digging then.  Maybe also use 3.0.21, instead of 3.0.17

Thanks for the help, Alan.

3.0.21 behaves the same. However, I was under the (wrong) impression
that I needed to put my business logic in post-proxy since I was
proxying all authentication requests - that is, I was no longer
performing any local auth.

But, it seems I can put the business logic of rejecting users in
post-auth and that will work with the proxying.

I'm not sure if the limitation of not being able to "reject" in
post-proxy is worth putting in a feature request or not.

Thanks again for the help and FreeRADIUS, too. It is all very appreciated.

-m

Re: reject request in post-proxy

Alan DeKok-2
On Aug 26, 2020, at 10:39 AM, Matt Zagrabelny <[hidden email]> wrote:
> 3.0.21 behaves the same. However, I was under the (wrong) impression
> that I needed to put my business logic in post-proxy since I was
> proxying all authentication requests - that is, I was no longer
> performing any local auth.

  No, pre/post-proxy are just an *additional* step.  They don't prevent anything else from happening.

> But, it seems I can put the business logic of rejecting users in
> post-auth and that will work with the proxying.
>
> I'm not sure if the limitation of not being able to "reject" in
> post-proxy is worth putting in a feature request or not.

  Probably not.  We're trying to keep v3 stable, and making minimal changes.

> Thanks again for the help and FreeRADIUS, too. It is all very appreciated.

  You're welcome.

  Alan DeKok.


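The -X output in this thread shows the pattern to watch for: a post-proxy section that returns `reject` or `invalid` while the server still sends Access-Accept. The following Python script is an added example, not part of the thread or of FreeRADIUS, that scans radiusd -X output for that mismatch; the sample log is constructed from the lines quoted above.

```python
import re

# Constructed sample, modelled on the radiusd -X lines quoted in this thread:
# request 0 has a post-proxy section that returned "reject", request 3 one that
# returned "invalid", yet both still end with "Sent Access-Accept".
SAMPLE_LOG = """\
(0) Received Access-Accept Id 81 from 10.0.0.1:1812 to 192.168.0.1:32865 length 53
(0)   post-proxy {
(0)   } # post-proxy = reject
(0) Sent Access-Accept Id 230 from 192.168.0.1:1812 to 192.168.0.2:52859 length 0
(1)   post-proxy {
(1)   } # post-proxy = noop
(1) Sent Access-Accept Id 231 from 192.168.0.1:1812 to 192.168.0.2:52860 length 0
(2)   post-auth {
(2)   } # post-auth = reject
(2) Sent Access-Reject Id 232 from 192.168.0.1:1812 to 192.168.0.2:52861 length 0
(3)   post-proxy {
(3)       } # update parent.reply = invalid
(3)   } # post-proxy = invalid
(3) Sent Access-Accept Id 233 from 192.168.0.1:1812 to 192.168.0.2:52862 length 0
"""

# "(N)   } # <section> = <rcode>" closes a top-level unlang section in -X output.
SECTION_RE = re.compile(r"^\((\d+)\)\s+\} # (post-proxy|post-auth) = (\w+)$")
# "(N) Sent <Packet-Type> Id <id> from ..." is the reply actually put on the wire.
SENT_RE = re.compile(r"^\((\d+)\) Sent (Access-[A-Za-z]+) Id \d+ ")

def ineffective_rejects(log_text):
    """Return (request, section, rcode) for every request whose post-proxy or
    post-auth section returned reject/invalid but which was still answered
    with Access-Accept, i.e. the section's return code was not honoured."""
    rcodes = {}     # request number -> {section name: return code}
    findings = []
    for line in log_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            rcodes.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
            continue
        m = SENT_RE.match(line)
        if m and m.group(2) == "Access-Accept":
            for section, rcode in rcodes.get(m.group(1), {}).items():
                if rcode in ("reject", "invalid"):
                    findings.append((m.group(1), section, rcode))
    return findings

if __name__ == "__main__":
    for req, section, rcode in ineffective_rejects(SAMPLE_LOG):
        print(f"request {req}: {section} returned {rcode} but Access-Accept was sent")
```

Run it against a captured `radiusd -X` session to confirm whether a policy you placed in post-proxy is actually deciding the outcome, or whether it belongs in post-auth as the thread concludes.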