Greetings!

I'm using freeradius installed from the freeradius.i386 1.1.3-1.2.el rpm on CentOS 5 (recompiled RedHat).

I'd like to use freeradius as an accounting proxy between two other machines, in order to rewrite some Attributes (User-Name and Acct-Session-Id) before they arrive at their final destination. I need to rewrite any reference to a username to a unique ID number (long story).

I embarked on using rlm_perl for this task. I have the proxy working, but when the data arrives at its destination the Attributes have not been changed. I'm hoping someone has changed attributes before they are sent along to their Accounting radius server in a similar manner, with rlm_perl.

I have tried changing many hashes, and to be honest I'm very new to freeradius and I'm not sure which one should be changed. That's where I seem to be stuck: how to change RAD_REQUEST{'User-Name'} so when it is proxied it sends my rewrites.

Thank you for any help or pointers you can provide! Examples of what I have done are below.

-Ken


Here is one example of what I have tried in the perl module I wrote:

from my_filter.pl:
...
# Function to handle pre_proxy
sub pre_proxy {
        # For debugging purposes only
        print "start pre_proxy ***\n";
        $RAD_REPLY{'User-Name'} = "12345678";
        $RAD_REQUEST{'User-Name'} = "12345678";
        $RAD_REPLY{'Acct-Session-Id'} = "12345678";
        $RAD_REQUEST{'Acct-Session-Id'} = "12345678";
        &log_request_attributes;
        print "returning from pre_proxy ***\n";
        return RLM_MODULE_UPDATED;
}
...

In the modules section of radiusd.conf I have:
...
        perl {
               module = /etc/raddb/modules/my_filter.pl
               func_pre_proxy = pre_proxy
               func_post_proxy = post_proxy

        }
...

and also in radiusd.conf:

...
pre-proxy {
        perl
}
post-proxy {
        perl
}
...

Here is the output I get when I feed radiusd a faked (to protect the innocent) request:

# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded detail
 detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Module: Loaded perl
 perl: module = "/etc/raddb/modules/orange_filter.pl"
 perl: func_authorize = "authorize"
 perl: func_authenticate = "authenticate"
 perl: func_accounting = "accounting"
 perl: func_preacct = "preacct"
 perl: func_checksimul = "checksimul"
 perl: func_detach = "detach"
 perl: func_xlat = "xlat"
 perl: func_pre_proxy = "pre_proxy"
 perl: func_post_proxy = "post_proxy"
 perl: func_post_auth = "post_auth"
 perl: perl_flags = "(null)"
 perl: func_start_accounting = "(null)"
 perl: func_stop_accounting = "(null)"
 perl: max_clones = 32
 perl: start_clones = 5
 perl: min_spare_clones = 3
 perl: max_spare_clones = 3
 perl: cleanup_delay = 5
 perl: max_request_per_clone = 0
Module: Instantiated perl (perl)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Accounting-Request packet from host 165.217.8.24:32820, id=135, length=210
        NAS-IP-Address = 148.121.8.213
        Acct-Status-Type = Start
        User-Name = "[EMAIL PROTECTED]"
        NAS-Port = 4192
        NAS-Port-Type = Wireless-802.11
        Framed-IP-Address = 128.120.211.175
        Calling-Station-Id = "001CB3B8AC38"
        Called-Station-Id = "000B86425400"
        Acct-Session-Id = "kenlime001CB3B8AC38-B90"
        Acct-Authentic = RADIUS
        Acct-Delay-Time = 0
        Aruba-Essid-Name = "the-fake"
        Aruba-Location-Id = "SEG-FAKE-SOUTH"
        Aruba-User-Role = "wireless-stuff"
        Aruba-User-Vlan = 0
  Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 0
  modcall[preacct]: module "preprocess" returns noop for request 0
rlm_realm: Looking up realm "somerealm.com" for User-Name = "[EMAIL PROTECTED] "
    rlm_realm: Found realm "DEFAULT"
    rlm_realm: Proxying request from user kenlime to realm DEFAULT
    rlm_realm: Adding Realm = "DEFAULT"
    rlm_realm: Preparing to proxy accounting request to realm "DEFAULT"
  modcall[preacct]: module "suffix" returns updated for request 0
  modcall[preacct]: module "files" returns noop for request 0
modcall: leaving group preacct (returns updated) for request 0
  Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 0
radius_xlat:  '/var/log/radius/radacct/169.237.4.24/detail-20080611'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/169.237.4.24/detail-20080611
rlm_detail: Freeradius-Proxied-To set to 169.237.4.13
  modcall[accounting]: module "detail" returns ok for request 0
radius_xlat:  '/var/log/radius/radutmp'
radius_xlat:  '[EMAIL PROTECTED]'
  modcall[accounting]: module "radutmp" returns ok for request 0
modcall: leaving group accounting (returns ok) for request 0
  Processing the pre-proxy section of radiusd.conf
modcall: entering group pre-proxy for request 0
perl_pool: item 0x9b3ae48 asigned new request. Handled so far: 1
found interpetator at address 0x9b3ae48
start pre_proxy ***
rlm_perl: RAD_REQUEST: NAS-Port-Type = Wireless-802.11
rlm_perl: RAD_REQUEST: Acct-Session-Id = 12345678
rlm_perl: RAD_REQUEST: Called-Station-Id = 000B86425400
rlm_perl: RAD_REQUEST: Client-IP-Address = 165.217.8.24
rlm_perl: RAD_REQUEST: Aruba-User-Role = wireless-stuff
rlm_perl: RAD_REQUEST: Acct-Authentic = RADIUS
rlm_perl: RAD_REQUEST: Acct-Status-Type = Start
rlm_perl: RAD_REQUEST: Realm = ARRAY(0x9c4374c)
rlm_perl: RAD_REQUEST: NAS-IP-Address = 148.121.8.213
rlm_perl: RAD_REQUEST: Calling-Station-Id = 001CB3B8AC38
rlm_perl: RAD_REQUEST: Aruba-Essid-Name = the-fake
rlm_perl: RAD_REQUEST: User-Name = 12345678
rlm_perl: RAD_REQUEST: Aruba-Location-Id = SEG-FAKE-SOUTH
rlm_perl: RAD_REQUEST: Aruba-User-Vlan = 0
rlm_perl: RAD_REQUEST: Framed-IP-Address = 128.120.211.175
rlm_perl: RAD_REQUEST: NAS-Port = 4192
rlm_perl: RAD_REQUEST: Acct-Delay-Time = 0
returning from pre_proxy ***
rlm_perl: Added pair User-Name = 12345678
rlm_perl: Added pair Acct-Session-Id = 12345678
rlm_perl: Added pair Proxy-To-Realm = DEFAULT
perl_pool total/active/spare [5/0/5]
Unreserve perl at address 0x9b3ae48
  modcall[pre-proxy]: module "perl" returns updated for request 0
modcall: leaving group pre-proxy (returns updated) for request 0
Sending Accounting-Request of id 0 to 169.237.4.13 port 1813
        NAS-IP-Address = 148.121.8.213
        Acct-Status-Type = Start
        User-Name = "[EMAIL PROTECTED]"
        NAS-Port = 4192
        NAS-Port-Type = Wireless-802.11
        Framed-IP-Address = 128.120.211.175
        Calling-Station-Id = "001CB3B8AC38"
        Called-Station-Id = "000B86425400"
        Acct-Session-Id = "kenlime001CB3B8AC38-B90"
        Acct-Authentic = RADIUS
        Acct-Delay-Time = 0
        Aruba-Essid-Name = "the-fake"
        Aruba-Location-Id = "SEG-FAKE-SOUTH"
        Aruba-User-Role = "wireless-stuff"
        Aruba-User-Vlan = 0
        Proxy-State = 0x313335
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Accounting-Response packet from host 165.217.8.13:1813, id=0, length=25
        Proxy-State = 0x313335
  Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 0
perl_pool: item 0x9c24450 asigned new request. Handled so far: 1
found interpetator at address 0x9c24450
start post_proxy ***
return from post_proxy ***
rlm_perl: Added pair Proxy-To-Realm = DEFAULT
rlm_perl: Added pair Proxy-State = 0x313335
perl_pool total/active/spare [5/0/5]
Unreserve perl at address 0x9c24450
  modcall[post-proxy]: module "perl" returns ok for request 0
modcall: leaving group post-proxy (returns ok) for request 0
Sending Accounting-Response of id 135 to 165.217.8.24 port 32820
Finished request 0
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 135 with timestamp 485059f3
Nothing to do.  Sleeping until we see a request.


At the other end, in the detail log I see:

Wed Jun 11 16:04:19 2008
        NAS-IP-Address = 148.121.8.213
        Acct-Status-Type = Start
        User-Name = "[EMAIL PROTECTED]"
        NAS-Port = 4192
        NAS-Port-Type = Wireless-802.11
        Framed-IP-Address = 128.120.211.175
        Calling-Station-Id = "001CB3B8AC38"
        Called-Station-Id = "000B86425400"
        Acct-Session-Id = "kenlime001CB3B8AC38-B90"
        Acct-Authentic = RADIUS
        Acct-Delay-Time = 0
        Aruba-Essid-Name = "the-fake"
        Aruba-Location-Id = "SEG-FAKE-SOUTH"
        Aruba-User-Role = "wireless-stuff"
        Aruba-User-Vlan = 0
        Proxy-State = 0x313335
        Client-IP-Address = 169.237.4.24
        Acct-Unique-Session-Id = "d9069000ee35accc"
        Timestamp = 1213225459

Thanks again!

-Ken
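
A check on the debug output shown above, as an added example that is not part of the original post: it parses `radiusd -X` output and reports which attributes left the proxy with the value they arrived with, comparing the `rad_recv` dump against the `Sending Accounting-Request` dump instead of relying on the `rlm_perl: Added pair` lines. The sample log is constructed and abbreviated, the function names are hypothetical, and only the first request in a log is examined.

```python
import re

# Constructed, abbreviated excerpt in the format of the `radiusd -X` output above.
SAMPLE_DEBUG = """\
rad_recv: Accounting-Request packet from host 192.0.2.10:32820, id=135, length=210
\tAcct-Status-Type = Start
\tUser-Name = "alice@example.org"
\tAcct-Session-Id = "alice001CB3B8AC38-B90"
  Processing the pre-proxy section of radiusd.conf
rlm_perl: Added pair User-Name = 12345678
rlm_perl: Added pair Acct-Session-Id = 12345678
Sending Accounting-Request of id 0 to 192.0.2.20 port 1813
\tAcct-Status-Type = Start
\tUser-Name = "alice@example.org"
\tAcct-Session-Id = "alice001CB3B8AC38-B90"
\tProxy-State = 0x313335
--- Walking the entire request list ---
"""

# An attribute line inside a packet dump: leading whitespace, Name = value.
ATTR = re.compile(r'^\s+([\w-]+) = "?(.*?)"?\s*$')

def packets(debug_text):
    """Return [(header_line, {attr: value})] for each rad_recv/Sending dump."""
    out, current = [], None
    for line in debug_text.splitlines():
        if line.startswith(("rad_recv:", "Sending ")):
            current = {}
            out.append((line, current))
        elif current is not None and (m := ATTR.match(line)):
            current[m.group(1)] = m.group(2)
        else:
            current = None  # any non-attribute line ends the packet dump
    return out

def unrewritten(debug_text, must_change=("User-Name", "Acct-Session-Id")):
    """Attributes that were proxied with the same value they were received with."""
    pkts = packets(debug_text)
    received = next(a for h, a in pkts
                    if h.startswith("rad_recv: Accounting-Request"))
    sent = next(a for h, a in pkts
                if h.startswith("Sending Accounting-Request"))
    return {k: sent[k] for k in must_change
            if k in sent and sent[k] == received.get(k)}

if __name__ == "__main__":
    for name, value in unrewritten(SAMPLE_DEBUG).items():
        print(f"NOT rewritten on the wire: {name} = {value}")
```

An empty result means every attribute listed in `must_change` was altered before the proxied packet was sent.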