At Mon, 14 Jun 2004 14:09:45 -0400,
Alan DeKok wrote:
> 
> Kostas Zorbadelos <[EMAIL PROTECTED]> wrote:
> > I would like to know if and how it is possible to modify an accounting
> > and an authentication request
> > packet that is going to be proxied to a specific realm. 
> 
>   Yes.  Use the "preproxy" section.
> 
>   Alan DeKok.
> 
Hello again. Now that I have a working configuration that solves my
problem, I post it to the list for archiving purposes and also a few
clarifications.
I am using version 0.9.3 but I plan to test everything with 1.0.0 pre2
also.

Description of the problem
---------------------------

For every username of the form [EMAIL PROTECTED], I wanted to add 3 WISPr
attributes (Location-Id, LocationName and LogoffUrl) to the access request
packets and 2 attributes (Location-Id, Location-Name) to the
accounting packets before they get proxied to the home radius.

I used the attr_rewrite module with the following config in
radiusd.conf:
        attr_rewrite addLocationId {
                attribute = WISPr-Location-ID
                # may be "packet", "reply", or "config"
                searchin = packet
                searchfor = "[+ ]"
                replacewith = "isocc=gr,cc=30,ac=21,network=otenet"
                ignore_case = no
                new_attribute = yes
                max_matches = 10
                ## If set to yes then the replace string will be appended to the original string
                append = yes
        }
        attr_rewrite addLocationName {
                attribute = WISPr-Location-Name
                # may be "packet", "reply", or "config"
                searchin = packet
                searchfor = ""
                replacewith = "OTENET,hotspot"
                ignore_case = no
                new_attribute = yes
                max_matches = 10
                ## If set to yes then the replace string will be appended to the original string
                append = yes
        }
        attr_rewrite addLogoffUrl {
                attribute = WISPr-Logoff-URL
                # may be "packet", "reply", or "config"
                searchin = packet
                searchfor = ""
                replacewith = "https://192.168.3.3:8443/accountLogoff/home?confirmed=true"
                ignore_case = no
                new_attribute = yes
                max_matches = 10
                ## If set to yes then the replace string will be appended to the original string
                append = yes
        }

1) The pre-proxy section
-------------------------

The pre-proxy section in radiusd.conf wasn't what I wanted because the
modifications would happen before the proxy of every packet and not
just packets destined to the specific realm testrealm. After the test
however I noticed that the packets were not modified at all (is this a
bug that is fixed in 1.0.0?)

My configuration

pre-proxy {
        addLocationId
        addLocationName
        addLogoffUrl
}

and the relevant part of the debugging output

rad_recv: Access-Request packet from host 212.205.85.239:4422, id=214, length=103
        Acct-Session-Id = "000001C3"
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "usera"
        NAS-IP-Address = 212.205.178.115
        NAS-Port = 0
        NAS-Port-Type = Virtual
        Proxy-State = 0x6f70656e65745f776c616e
modcall: entering group authorize for request 0
...
rlm_realm: Preparing to proxy authentication request to realm "testrealm"
...
modcall: entering group pre-proxy for request 0
radius_xlat:  'isocc=gr,cc=30,ac=21,network=otenet'
rlm_attr_rewrite: Added attribute WISPr-Location-ID with value 'isocc=gr,cc=30,ac=21,network=otenet'
  modcall[pre-proxy]: module "addLocationId" returns ok for request 0
radius_xlat:  'OTENET,hotspot'
rlm_attr_rewrite: Added attribute WISPr-Location-Name with value 'OTENET,hotspot'
  modcall[pre-proxy]: module "addLocationName" returns ok for request 0
radius_xlat:  'https://192.168.3.3:8443/accountLogoff/home?confirmed=true'
rlm_attr_rewrite: Added attribute WISPr-Logoff-URL with value 'https://192.168.3.3:8443/accountLogoff/home?confirmed=true'
  modcall[pre-proxy]: module "addLogoffUrl" returns ok for request 0
modcall: group pre-proxy returns ok for request 0
Sending Access-Request of id 1 to 212.205.178.120:1812
        User-Name = "usera"
        Acct-Session-Id = "000001C3"
        User-Password = "usera"
        NAS-IP-Address = 212.205.178.115
        NAS-Port = 0
        NAS-Port-Type = Virtual
        Proxy-State = 0x6f70656e65745f776c616e
        Proxy-State = 0x323134
...

As you can see the packet was not modified. The same thing happened
for accounting packets also.

2) The solution with autz-type and acct-type
---------------------------------------------

Here are the relevant parts from the working config:

authorize {
        preprocess
        chap

        realmslash
        suffix
        #
        #  Read the 'users' file
        files

        Autz-Type WLANRoaming{
                addLocationId
                addLocationName
                addLogoffUrl
        }
        mschap
}


In the users file:
DEFAULT Suffix == "@testrealm", Autz-Type := WLANRoaming


preacct {
        preprocess

        #
        #  Look for IPASS-style 'realm/', and if not found, look for
        #  '@realm', and decide whether or not to proxy, based on
        #  that.
        #
        #  Accounting requests are generally proxied to the same
        #  home server as authentication requests.
        realmslash
        suffix
        #
        #  Read the 'acct_users' file
        files
}

accounting {
        acct_unique
        Acct-Type WLANRoaming{
                addLocationId
                addLocationName
                detail
                sql1
        }
}

In the acct_users file:

DEFAULT Suffix == "@testrealm", Acct-Type := WLANRoaming

With this configuration everything works as expected. The packets are
modified before they get proxied and are modified only for the
testrealm.

Part of the debugging output:

rad_recv: Access-Request packet from host 212.205.85.239:4422, id=220, length=103
        Acct-Session-Id = "000001C9"
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "usera"
        NAS-IP-Address = 212.205.178.115
        NAS-Port = 0
        NAS-Port-Type = Virtual
        Proxy-State = 0x6f70656e65745f776c616e
modcall: entering group authorize for request 2
...
rlm_realm: Preparing to proxy authentication request to realm "testrealm" 
modcall[authorize]: module "suffix" returns updated for request 2
 users: Matched DEFAULT at 71
  modcall[authorize]: module "files" returns ok for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
modcall: group authorize returns updated for request 2
modcall: entering group Autz-Type for request 2
radius_xlat:  'isocc=gr,cc=30,ac=21,network=otenet'
rlm_attr_rewrite: Added attribute WISPr-Location-ID with value 'isocc=gr,cc=30,ac=21,network=otenet'
  modcall[authorize]: module "addLocationId" returns ok for request 2
radius_xlat:  'OTENET,hotspot'
rlm_attr_rewrite: Added attribute WISPr-Location-Name with value 'OTENET,hotspot'
  modcall[authorize]: module "addLocationName" returns ok for request 2
radius_xlat:  'https://192.168.3.3:8443/accountLogoff/home?confirmed=true'
rlm_attr_rewrite: Added attribute WISPr-Logoff-URL with value 'https://192.168.3.3:8443/accountLogoff/home?confirmed=true'
  modcall[authorize]: module "addLogoffUrl" returns ok for request 2
modcall: group Autz-Type returns ok for request 2
Sending Access-Request of id 2 to 212.205.178.120:1812
        User-Name = "usera"
        Acct-Session-Id = "000001C9"
        User-Password = "usera"
        NAS-IP-Address = 212.205.178.115
        NAS-Port = 0
        NAS-Port-Type = Virtual
        Proxy-State = 0x6f70656e65745f776c616e
        WISPr-Location-ID = "isocc=gr,cc=30,ac=21,network=otenet"
        WISPr-Location-Name = "OTENET,hotspot"
        WISPr-Logoff-URL = "https://192.168.3.3:8443/accountLogoff/home?confirmed=true"
        Proxy-State = 0x323230
...
rad_recv: Accounting-Request packet from host 212.205.85.239:4423, id=221, length=175
        NAS-IP-Address = 212.205.178.115
        NAS-Port = 0
        NAS-Port-Type = Virtual
        User-Name = "[EMAIL PROTECTED]"
        Acct-Status-Type = Start
        Class = 0x5342522d434c20444e3d225553455241222041543d22302200
        Class = 0x5342522d434c20444e3d225553455241222041543d22302200
        Service-Type = Framed-User
        Acct-Session-Id = "000001C9"
        Framed-Protocol = PPP
        Framed-IP-Address = 192.168.5.115
        Event-Timestamp = "Jun 15 2004"
        Acct-Delay-Time = 0
        Proxy-State = 0x6f70656e65745f776c616e
modcall: entering group preacct for request 4
...
    rlm_realm: Found realm "testrealm"
    rlm_realm: Adding Stripped-User-Name = "usera"
    rlm_realm: Proxying request from user usera to realm testrealm
    rlm_realm: Adding Realm = "testrealm"
    rlm_realm: Preparing to proxy accounting request to realm "testrealm" 
  modcall[preacct]: module "suffix" returns updated for request 4
    acct_users: Matched DEFAULT at 17
  modcall[preacct]: module "files" returns ok for request 4
modcall: group preacct returns updated for request 4
modcall: entering group Acct-Type for request 4
radius_xlat:  'isocc=gr,cc=30,ac=21,network=otenet'
rlm_attr_rewrite: Added attribute WISPr-Location-ID with value 'isocc=gr,cc=30,ac=21,network=otenet'
  modcall[accounting]: module "addLocationId" returns ok for request 4
radius_xlat:  'OTENET,hotspot'
rlm_attr_rewrite: Added attribute WISPr-Location-Name with value 'OTENET,hotspot'
  modcall[accounting]: module "addLocationName" returns ok for request 4
radius_xlat:  '/space/radius/freeradius-0.9.3/BUILD/var/log/radius/radacct/212.205.85.239/detail-20040615'
rlm_detail: /space/radius/freeradius-0.9.3/BUILD/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /space/radius/freeradius-0.9.3/BUILD/var/log/radius/radacct/212.205.85.239/detail-20040615
rlm_detail: Freeradius-Proxied-To set to 212.205.178.120
  modcall[accounting]: module "detail" returns ok for request 4
...
Sending Accounting-Request of id 3 to 212.205.178.120:1813
        User-Name = "usera"
        NAS-IP-Address = 212.205.178.115
        NAS-Port = 0
        NAS-Port-Type = Virtual
        Acct-Status-Type = Start
        Class = 0x5342522d434c20444e3d225553455241222041543d22302200
        Class = 0x5342522d434c20444e3d225553455241222041543d22302200
        Service-Type = Framed-User
        Acct-Session-Id = "000001C9"
        Framed-Protocol = PPP
        Framed-IP-Address = 192.168.5.115
        Event-Timestamp = "Jun 15 2004"
        Acct-Delay-Time = 0
        Proxy-State = 0x6f70656e65745f776c616e
        WISPr-Location-ID = "isocc=gr,cc=30,ac=21,network=otenet"
        WISPr-Location-Name = "OTENET,hotspot"
        Proxy-State = 0x323231
Waking up in 5 seconds...
...


As you can see the packets are modified as expected.
To conclude, my questions are: is the behaviour of the pre-proxy correct or is
there a bug?
Is the attr_rewrite stable enough to use in production systems? In the
radius.conf file it is written that

"#  rewrite arbitrary packets.  Useful in accounting and authorization.
        #
        ## This module is highly experimental at the moment.  Please give
        ## feedback to the mailing list.
        #"

Thanks for everything and let me know if there are better (or simply
different) suggestions to solving my problem.

Kostas

--   
  Kostas Zorbadelos
  Currently at: Otenet IT Department 
  mailto: [EMAIL PROTECTED]
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.
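
A check for the failure described in the message above, added here as an example and not part of the original post or of FreeRADIUS: it reads debug output of the kind quoted above and reports attributes that rlm_attr_rewrite logged as added but that are absent from the packet actually sent to the home server. The sample log is constructed in the shape of that output; the address 192.0.2.10 and the function name `check_proxied` are assumptions.

```python
import re

ADDED = re.compile(r"rlm_attr_rewrite: Added attribute (\S+) with value\s*'([^']*)'")
SENDING = re.compile(r"^Sending (\S+) of id (\d+) to (\S+)")
PAIR = re.compile(r"^\s+([\w-]+) = (.*)$")

# Constructed sample: first trace adds in pre-proxy, second in Autz-Type.
SAMPLE = """\
modcall: entering group pre-proxy for request 0
rlm_attr_rewrite: Added attribute WISPr-Location-ID with value
'isocc=gr,cc=30,ac=21,network=otenet'
rlm_attr_rewrite: Added attribute WISPr-Location-Name with value 'OTENET,hotspot'
modcall: group pre-proxy returns ok for request 0
Sending Access-Request of id 1 to 192.0.2.10:1812
        User-Name = "usera"
        Proxy-State = 0x323134
...
modcall: entering group Autz-Type for request 2
rlm_attr_rewrite: Added attribute WISPr-Location-Name with value 'OTENET,hotspot'
modcall: group Autz-Type returns ok for request 2
Sending Access-Request of id 2 to 192.0.2.10:1812
        User-Name = "usera"
        WISPr-Location-Name = "OTENET,hotspot"
        Proxy-State = 0x323230
...
"""

def check_proxied(log_text):
    """Return [(packet_type, packet_id, [missing attribute names])] per sent packet."""
    # Re-join values that a mail client wrapped onto the following line.
    text = re.sub(r"with value\s*\n\s*'", "with value '", log_text)
    results, pending, current = [], {}, None
    for line in text.splitlines() + [""]:      # sentinel closes a trailing packet
        if (m := ADDED.search(line)):
            pending[m.group(1)] = m.group(2)
        elif (m := SENDING.match(line)):
            current = {"type": m.group(1), "id": int(m.group(2)), "attrs": {}}
        elif current is not None and (m := PAIR.match(line)):
            current["attrs"][m.group(1)] = m.group(2).strip().strip('"')
        elif current is not None:
            # First non-attribute line ends the sent packet: compare with what was logged.
            missing = [a for a, v in pending.items() if current["attrs"].get(a) != v]
            results.append((current["type"], current["id"], missing))
            pending, current = {}, None
    return results

if __name__ == "__main__":
    for ptype, pid, missing in check_proxied(SAMPLE):
        print(ptype, pid, "missing:", missing or "none")
```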

