Re: Attributes sent to proxy servers ...

hi, you are still pre-proxy attr filtering?

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Attributes sent to proxy servers ...

[EMAIL PROTECTED] wrote:
> hi, you are still pre-proxy attr filtering?
>
> alan

No, didn't really see the point.. Internal attributes aren't meant to be proxied, and those are the only ones I really wanted filtering out.

Looks like something very strange is going on with proxying accounting packets as well.

rad_recv: Accounting-Request packet from host 139.184.8.16 port 1026, id=225, length=141
        Acct-Session-Id = 004E0019
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Acct-Delay-Time = 15
        NAS-Port = 1
        Calling-Station-Id = 00-1B-63-A3-A8-DD
        Event-Type = Framed-User
        NAS-IP-Address = 139.184.8.16
        NAS-Identifier = hp-e-its-dev8021x-sw1
        User-Name = [EMAIL PROTECTED]
server default-outer {
+- entering group preacct
++? if (%{User-Name} =~ /?([EMAIL PROTECTED])@?([-[:alnum:]._]*)?$/)
        expand: %{User-Name} - [EMAIL PROTECTED]
? Evaluating (%{User-Name} =~ /?([EMAIL PROTECTED])@?([-[:alnum:]._]*)?$/) - TRUE
++? if (%{User-Name} =~ /?([EMAIL PROTECTED])@?([-[:alnum:]._]*)?$/) - TRUE
++- entering if (%{User-Name} =~ /?([EMAIL PROTECTED])@?([-[:alnum:]._]*)?$/)
+++? if (!%{2}||(%{2} == 'sussex.ac.uk'))
        expand: %{2} - loopback.sussex.ac.uk
? Evaluating loopback.sussex.ac.uk - FALSE
        expand: %{2} - loopback.sussex.ac.uk
? Evaluating (%{2} == 'sussex.ac.uk') - FALSE
+++? if (!%{2}||(%{2} == 'sussex.ac.uk')) - FALSE
+++- entering else else
        expand: [EMAIL PROTECTED] - [EMAIL PROTECTED]
[request] returns noop
+++- else else returns noop
++- if (%{User-Name} =~ /?([EMAIL PROTECTED])@?([-[:alnum:]._]*)?$/) returns noop
++ ... skipping else for request 20: Preceding if was taken
        expand: %{Realm} - %{2}
++- entering switch %{Realm}
+++- entering case
[control] returns noop
[request] returns noop
+++- case returns noop
++- switch %{Realm} returns noop
++? if (%{Called-Station-Id} =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i)
        expand: %{Called-Station-Id} -
? Evaluating (%{Called-Station-Id} =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) - FALSE
++? if (%{Called-Station-Id} =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) - FALSE
++? if (%{Calling-Station-Id} =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i)
        expand: %{Calling-Station-Id} - 00-1B-63-A3-A8-DD
? Evaluating (%{Calling-Station-Id} =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) - TRUE
++? if (%{Calling-Station-Id} =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) - TRUE
++- entering if (%{Calling-Station-Id} =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i)
        expand: %{1}%{2}%{3}%{4}%{5}%{6} - 001B63A3A8DD
+++[request] returns noop
++- if (%{Calling-Station-Id} =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) returns noop
++? if (%{NAS-Port-Id} =~ /wl[0-9]*/)
        expand: %{NAS-Port-Id} -
? Evaluating (%{NAS-Port-Id} =~ /wl[0-9]*/) - FALSE
++? if (%{NAS-Port-Id} =~ /wl[0-9]*/) - FALSE
++? if ((%{NAS-Port-Type} == 'Wireless-802.11')||(%{NAS-Port-Type} == 'Ethernet'))
        expand: %{NAS-Port-Type} -
?? Evaluating (%{NAS-Port-Type} == 'Wireless-802.11') - FALSE
        expand: %{NAS-Port-Type} -
?? Evaluating (%{NAS-Port-Type} == 'Ethernet') - FALSE
++? if ((%{NAS-Port-Type} == 'Wireless-802.11')||(%{NAS-Port-Type} == 'Ethernet')) - FALSE
++? if (%{NAS-IP-Address} == '127.0.0.1')
        expand: %{NAS-IP-Address} - 139.184.8.16
? Evaluating (%{NAS-IP-Address} == '127.0.0.1') - FALSE
++? if (%{NAS-IP-Address} == '127.0.0.1') - FALSE
        expand: %{Client-Shortname} - hp-e-its-dev8021x-sw1
++[request] returns noop
rlm_acct_unique: WARNING: Attribute Client-IP-Address was not found in request, unique ID MAY be inconsistent
rlm_acct_unique: Hashing ',NAS-Port = 1,NAS-IP-Address = 139.184.8.16,Acct-Session-Id = 004E0019,User-Name = [EMAIL PROTECTED]'
rlm_acct_unique: Acct-Unique-Session-ID = 67d4bffd71faf76b.
++[acct_unique] returns ok
+- entering group accounting
        expand: /var/log/radiusd/%Y%m%d/accounting-detail-%H:00 - /var/log/radiusd/20080205/accounting-detail-12:00
rlm_detail: /var/log/radiusd/%Y%m%d/accounting-detail-%H:00 expands to /var/log/radiusd/20080205/accounting-detail-12:00
        expand: %{Packet-Src-IP-Address} - %t - 139.184.8.16 - Tue Feb 5 12:49:09 2008
++[accounting_log] returns ok
        expand: %{Stripped-User-Name} - [EMAIL PROTECTED]
        expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -
Re: Attributes sent to proxy servers ...

Arran Cudbard-Bell wrote:
> Noticed with CVS head that all attributes (including internal ones) appear to be getting proxied. Is this just a cosmetic thing ?

It's just a cosmetic thing. The internal attributes are being printed, but not sent. I don't see why it's happening, though. The code in src/lib/radius.c doesn't print internal attributes in debugging mode...

Does this happen in 2.0.1?

Alan DeKok.
Re: Attributes sent to proxy servers ...

Arran Cudbard-Bell wrote:
> ...
> Looks like something very strange is going on with proxying accounting packets as well.
> ...
> Where have all the attributes gone ?!!?

I think you did a cvs update without re-building everything.

Alan DeKok.
Re: Attributes sent to proxy servers ...

Never mind ...

++[sql] returns ok
        expand: %{User-Name} - [EMAIL PROTECTED]
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated

*sigh* All works now. Might be an idea to replace

accounting {
        ...
        # Filter attributes from the accounting response.
        attr_filter.accounting_response
}

With

accounting {
        ...
        # Filter attributes from the accounting response.
        if(!%{control:Proxy-To-Realm}){
                attr_filter.accounting_response
        }
}

In the default config, or create a Post-Acct section for the filter to live in. Else all proxied accounting requests will have their attributes stripped out.

Still getting internal attributes displayed...

Sending Accounting-Request of id 206 to 194.82.174.185 port 1813
        Acct-Session-Id = 004E001B
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Acct-Delay-Time = 0
        NAS-Port = 1
        Calling-Station-Id = 001B63A3A8DD
        Event-Type = Framed-User
        NAS-IP-Address = 139.184.8.16
        NAS-Identifier = hp-e-its-dev8021x-sw1
        User-Name = [EMAIL PROTECTED]
        Stripped-User-Name = [EMAIL PROTECTED]
        Realm = jrs
        Acct-Unique-Session-Id = 98c00d277000c63a
        SQL-User-Name = [EMAIL PROTECTED]
        Realm = jrs
        Proxy-State = 0x323532

-- 
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
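Added example (not code from this thread or from FreeRADIUS): a Python check that parses the "Sending ..." blocks of radiusd -X output like the dump above and lists the attribute names that exist only inside the server, which is the quick way to tell whether a proxied packet dump carries internal state such as Stripped-User-Name, Realm, SQL-User-Name or a user-defined attribute like Event-Type. The allowlist WIRE_ATTRS, the parsing regexes and the sample dump (with a placeholder user name) are assumptions constructed for this example.

```python
import re

# Constructed allowlist (an assumption of this example, not FreeRADIUS's own
# dictionary): standard RADIUS attributes that may legitimately go on the wire
# in an Accounting-Request. Anything else is treated as server-internal.
WIRE_ATTRS = {
    "User-Name", "NAS-IP-Address", "NAS-Port", "NAS-Identifier", "Service-Type",
    "Calling-Station-Id", "Proxy-State", "Acct-Status-Type", "Acct-Session-Id",
}
SEND_RE = re.compile(r"^Sending (\S+) of id (\d+) to (\S+) port (\d+)$")
AVP_RE = re.compile(r"^\s+([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$")

def parse_sent_packets(debug_text):
    # One (type, 'host:port', {attr: [values]}) per 'Sending ...' block; indented
    # 'Attr = value' lines belong to it, the first non-indented line ends it.
    packets, current = [], None
    for line in debug_text.splitlines():
        m = SEND_RE.match(line.strip())
        if m:
            current = (m.group(1), f"{m.group(3)}:{m.group(4)}", {})
            packets.append(current)
            continue
        a = AVP_RE.match(line)
        if current is not None and a:
            current[2].setdefault(a.group(1), []).append(a.group(2))
        elif line.strip():
            current = None
    return packets

def internal_attrs(avps):
    # Names absent from the allowlist: these should never leave the server.
    return sorted(name for name in avps if name not in WIRE_ATTRS)

# Constructed sample, trimmed from the dump quoted above; the user name is a placeholder.
SAMPLE = """\
Sending Accounting-Request of id 206 to 194.82.174.185 port 1813
        Acct-Session-Id = 004E001B
        Event-Type = Framed-User
        User-Name = user@example.org
        Stripped-User-Name = user
        Realm = jrs
        Acct-Unique-Session-Id = 98c00d277000c63a
        SQL-User-Name = user@example.org
        Realm = jrs
        Proxy-State = 0x323532
Proxying request 9 to home server 194.82.174.185 port 1813
"""
def check(debug_text=SAMPLE):
    # Map 'type->dest' to the internal attribute names that dump carries.
    return {f"{t}->{d}": internal_attrs(avps) for t, d, avps in parse_sent_packets(debug_text)}
```

Run over the later dump in this thread, where Event-Type has become Service-Type and the internal names are gone, check() returns an empty list for the packet.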
Re: Attributes sent to proxy servers ...

Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>> Might be an idea to replace
>>
>> accounting {
>>         ...
>>         # Filter attributes from the accounting response.
>>         if(!%{control:Proxy-To-Realm}){
>>                 attr_filter.accounting_response
>
> I'll look into it...
>
>> Still getting internal attributes displayed...
>
> Fixed.

Yep confirmed.

Sending Accounting-Request of id 108 to 194.82.174.185 port 1813
        Acct-Session-Id = 004E002C
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Acct-Delay-Time = 0
        NAS-Port = 1
        Calling-Station-Id = 001B63A3A8DD
        Service-Type = Framed-User
        NAS-IP-Address = 139.184.8.16
        NAS-Identifier = hp-e-its-dev8021x-sw1
        User-Name = [EMAIL PROTECTED]
        Proxy-State = 0x313931
Proxying request 9 to home server 194.82.174.185 port 1813
Sending Accounting-Request of id 108 to 194.82.174.185 port 1813
        Acct-Session-Id = 004E002C
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Acct-Delay-Time = 0
        NAS-Port = 1
        Calling-Station-Id = 001B63A3A8DD
        Service-Type = Framed-User
        NAS-IP-Address = 139.184.8.16
        NAS-Identifier = hp-e-its-dev8021x-sw1
        User-Name = [EMAIL PROTECTED]
        Proxy-State = 0x313931
Going to the next request

Thanks :)

Small cosmetic one

Module: Instantiating attr_filter.access_reject
 attr_filter attr_filter.access_reject {
        attrsfile = /etc/raddb/filters/attrs.access_reject
        key = %{User-Name}
 }
[/etc/raddb/filters/attrs.access_reject]:11 WARNING! Check item Event-Type found in filter list for realm DEFAULT.
 }
}

That's not a 'Check-Item', that's a user defined internal attribute.

> Alan DeKok.
Re: Attributes sent to proxy servers ...

Arran Cudbard-Bell wrote:
> Might be an idea to replace
>
> accounting {
>         ...
>         # Filter attributes from the accounting response.
>         if(!%{control:Proxy-To-Realm}){
>                 attr_filter.accounting_response

I'll look into it...

> Still getting internal attributes displayed...

Fixed.

Alan DeKok.