Re: Attributes sent to proxy servers ...

2008-02-05 Thread A . L . M . Buxey
hi,

you are still pre-proxy attr filtering? 

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Attributes sent to proxy servers ...

2008-02-05 Thread Arran Cudbard-Bell

[EMAIL PROTECTED] wrote:

hi,

you are still pre-proxy attr filtering? 


alan
  
No, didn't really see the point. Internal attributes aren't meant to be 
proxied, and those are the only ones I really wanted filtered out.


Looks like something very strange is going on with proxying accounting 
packets as well.


rad_recv: Accounting-Request packet from host 139.184.8.16 port 1026, 
id=225, length=141

   Acct-Session-Id = 004E0019
   Acct-Status-Type = Start
   Acct-Authentic = RADIUS
   Acct-Delay-Time = 15
   NAS-Port = 1
   Calling-Station-Id = 00-1B-63-A3-A8-DD
   Event-Type = Framed-User
   NAS-IP-Address = 139.184.8.16
   NAS-Identifier = hp-e-its-dev8021x-sw1
   User-Name = [EMAIL PROTECTED]
server default-outer {
+- entering group preacct
++? if (%{User-Name} =~ /?([EMAIL PROTECTED])@?([-[:alnum:]._]*)?$/)
   expand: %{User-Name} - [EMAIL PROTECTED]
? Evaluating (%{User-Name} =~ /?([EMAIL PROTECTED])@?([-[:alnum:]._]*)?$/) 
- TRUE

++? if (%{User-Name} =~ /?([EMAIL PROTECTED])@?([-[:alnum:]._]*)?$/) - 
TRUE
++- entering if (%{User-Name} =~ /?([EMAIL 
PROTECTED])@?([-[:alnum:]._]*)?$/)
+++? if (!%{2}||(%{2} == 'sussex.ac.uk'))
   expand: %{2} - loopback.sussex.ac.uk
? Evaluating loopback.sussex.ac.uk - FALSE
   expand: %{2} - loopback.sussex.ac.uk
? Evaluating (%{2} == 'sussex.ac.uk') - FALSE
+++? if (!%{2}||(%{2} == 'sussex.ac.uk')) - FALSE
+++- entering else else
   expand: [EMAIL PROTECTED] - [EMAIL PROTECTED]
[request] returns noop
+++- else else returns noop
++- if (%{User-Name} =~ /?([EMAIL PROTECTED])@?([-[:alnum:]._]*)?$/) 
returns noop

++ ... skipping else for request 20: Preceding if was taken
   expand: %{Realm} - %{2}
++- entering switch %{Realm}
+++- entering case
[control] returns noop
[request] returns noop
+++- case  returns noop
++- switch %{Realm} returns noop
++? if (%{Called-Station-Id} =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i)

   expand: %{Called-Station-Id} -
? Evaluating (%{Called-Station-Id} =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
- FALSE
++? if (%{Called-Station-Id} =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
- FALSE
++? if (%{Calling-Station-Id} =~ 
/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i)

   expand: %{Calling-Station-Id} - 00-1B-63-A3-A8-DD
? Evaluating (%{Calling-Station-Id} =~ 
/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) 
- TRUE
++? if (%{Calling-Station-Id} =~ 
/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) 
- TRUE
++- entering if (%{Calling-Station-Id} =~ 
/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i)

   expand: %{1}%{2}%{3}%{4}%{5}%{6} - 001B63A3A8DD
+++[request] returns noop
++- if (%{Calling-Station-Id} =~ 
/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) 
returns noop

++? if (%{NAS-Port-Id} =~ /wl[0-9]*/)
   expand: %{NAS-Port-Id} -
? Evaluating (%{NAS-Port-Id} =~ /wl[0-9]*/) - FALSE
++? if (%{NAS-Port-Id} =~ /wl[0-9]*/) - FALSE
++? if ((%{NAS-Port-Type} == 'Wireless-802.11')||(%{NAS-Port-Type} 
== 'Ethernet'))

   expand: %{NAS-Port-Type} -
?? Evaluating (%{NAS-Port-Type} == 'Wireless-802.11') - FALSE
   expand: %{NAS-Port-Type} -
?? Evaluating (%{NAS-Port-Type} == 'Ethernet') - FALSE
++? if ((%{NAS-Port-Type} == 'Wireless-802.11')||(%{NAS-Port-Type} 
== 'Ethernet')) - FALSE

++? if (%{NAS-IP-Address} == '127.0.0.1')
   expand: %{NAS-IP-Address} - 139.184.8.16
? Evaluating (%{NAS-IP-Address} == '127.0.0.1') - FALSE
++? if (%{NAS-IP-Address} == '127.0.0.1') - FALSE
   expand: %{Client-Shortname} - hp-e-its-dev8021x-sw1
++[request] returns noop
rlm_acct_unique: WARNING: Attribute Client-IP-Address was not found in 
request, unique ID MAY be inconsistent
rlm_acct_unique: Hashing ',NAS-Port = 1,NAS-IP-Address = 
139.184.8.16,Acct-Session-Id = 004E0019,User-Name = 
[EMAIL PROTECTED]'

rlm_acct_unique: Acct-Unique-Session-ID = 67d4bffd71faf76b.
++[acct_unique] returns ok
+- entering group accounting
   expand: /var/log/radiusd/%Y%m%d/accounting-detail-%H:00 - 
/var/log/radiusd/20080205/accounting-detail-12:00
rlm_detail: /var/log/radiusd/%Y%m%d/accounting-detail-%H:00 expands to 
/var/log/radiusd/20080205/accounting-detail-12:00
   expand: %{Packet-Src-IP-Address} - %t - 139.184.8.16 - Tue Feb  5 
12:49:09 2008

++[accounting_log] returns ok
   expand: %{Stripped-User-Name} - [EMAIL PROTECTED]
   expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} - 

Re: Attributes sent to proxy servers ...

2008-02-05 Thread Alan DeKok
Arran Cudbard-Bell wrote:
 Noticed with CVS head that all attributes (including internal ones)
 appear to be getting proxied. Is this just a cosmetic thing ?

  It's just a cosmetic thing.  The internal attributes are being
printed, but not sent.

  I don't see why it's happening, though.  The code in src/lib/radius.c
doesn't print internal attributes in debugging mode...

  Does this happen in 2.0.1?

  Alan DeKok.


Re: Attributes sent to proxy servers ...

2008-02-05 Thread Arran Cudbard-Bell

Arran Cudbard-Bell wrote:

[EMAIL PROTECTED] wrote:

...

Re: Attributes sent to proxy servers ...

2008-02-05 Thread Alan DeKok
Arran Cudbard-Bell wrote:
...
 Looks like something very strange is going on with proxying accounting
 packets as well.
...
 Where have all the attributes gone ?!!?

  I think you did a cvs update without re-building everything.

  Alan DeKok.


Re: Attributes sent to proxy servers ...

2008-02-05 Thread Arran Cudbard-Bell



Never mind ...

++[sql] returns ok
  expand: %{User-Name} - [EMAIL PROTECTED]
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated

*sigh*


All works now.

Might be an idea to replace
accounting {
   ...
   #  Filter attributes from the accounting response.
   attr_filter.accounting_response
}

With
accounting {
   ...
   #  Filter attributes from the accounting response.
   if (!%{control:Proxy-To-Realm}) {
      attr_filter.accounting_response
   }
}

In the default config, or create a Post-Acct section for the filter to 
live in. Otherwise all proxied accounting requests will have their 
attributes stripped out.


Still getting internal attributes displayed...

Sending Accounting-Request of id 206 to 194.82.174.185 port 1813
   Acct-Session-Id = 004E001B
   Acct-Status-Type = Start
   Acct-Authentic = RADIUS
   Acct-Delay-Time = 0
   NAS-Port = 1
   Calling-Station-Id = 001B63A3A8DD
   Event-Type = Framed-User
   NAS-IP-Address = 139.184.8.16
   NAS-Identifier = hp-e-its-dev8021x-sw1
   User-Name = [EMAIL PROTECTED]
   Stripped-User-Name = [EMAIL PROTECTED]
   Realm = jrs
   Acct-Unique-Session-Id = 98c00d277000c63a
   SQL-User-Name = [EMAIL PROTECTED]
   Realm = jrs
   Proxy-State = 0x323532

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton

EXT:01273 873900 | INT: 3900
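As an added illustration of the accounting-section change proposed in this message (example code written for this page, not FreeRADIUS code, and a simplified model of the attrs-file semantics rather than the module's own implementation): a parser for a constructed attrs-style filter entry, the filter applied to the Accounting-Request quoted above, and the Proxy-To-Realm guard that leaves a proxied request untouched. The filter file contents, the attribute list, the placeholder user name and the Proxy-To-Realm value are all constructed; only one rule per attribute is modelled.

```python
"""Added example, not code from the FreeRADIUS thread or project: a small model
of how an attr_filter "attrs" file is parsed and applied, and of the guard
proposed above that skips the filter when control:Proxy-To-Realm is set."""
import re

# Constructed filter file in the style of attrs.accounting_response.  An entry
# starts with a key in column 0 (DEFAULT matches any key); indented lines are
# rules.  Operators modelled: "=*" keeps the attribute with any value, "=="/"!="
# keep it only when the value compares equal/unequal, "=~" when the regex matches.
ATTRS_FILE = """\
DEFAULT
    Acct-Session-Id =* ANY,
    Acct-Status-Type =* ANY,
    Acct-Delay-Time =* ANY,
    User-Name =* ANY,
    NAS-IP-Address =~ /^139\\.184\\./,
    Service-Type == Framed-User
"""

RULE_RE = re.compile(r"^\s*([\w-]+)\s*(=\*|==|!=|=~)\s*(.+?)\s*,?\s*$")


def parse_attrs_file(text):
    """Return {entry_key: [(attribute, operator, value), ...]}."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():            # key line, e.g. DEFAULT
            current = line.strip()
            entries[current] = []
            continue
        match = RULE_RE.match(line)
        if current is None or not match:
            raise ValueError(f"cannot parse rule: {line!r}")
        attr, op, value = match.groups()
        entries[current].append((attr, op, value.strip("/") if op == "=~" else value))
    return entries


def rule_allows(op, want, have):
    """Evaluate one rule operator against the attribute's actual value."""
    have = str(have)
    if op == "=*":
        return True
    if op == "==":
        return have == want
    if op == "!=":
        return have != want
    if op == "=~":
        return re.search(want, have) is not None
    raise ValueError(f"unknown operator {op}")


def apply_filter(entries, key, pairs):
    """Keep only attributes that a rule in the matched entry allows.

    Attributes with no rule at all are dropped, which is what strips a packet
    bare when the entry lists only a handful of attributes.  Returns (kept, dropped)."""
    rules = entries.get(key, entries.get("DEFAULT", []))
    kept, dropped = [], []
    for name, value in pairs:
        matching = [r for r in rules if r[0] == name]
        # Simplification: one rule per attribute is assumed in the constructed file.
        if matching and all(rule_allows(op, want, value) for _, op, want in matching):
            kept.append((name, value))
        else:
            dropped.append(name)
    return kept, dropped


def accounting_section(request, control, entries):
    """Model of the accounting section with the proposed guard: the filter
    runs only when the request is not being proxied to a home server."""
    if control.get("Proxy-To-Realm"):
        return list(request), []
    key = dict(request).get("User-Name", "DEFAULT")   # attr_filter key = %{User-Name}
    return apply_filter(entries, key, request)


# Constructed from the Accounting-Request listing in the thread; the user
# name is a placeholder because the archive redacted it.
ACCT_REQUEST = [
    ("Acct-Session-Id", "004E002C"), ("Acct-Status-Type", "Start"),
    ("Acct-Authentic", "RADIUS"), ("Acct-Delay-Time", 0), ("NAS-Port", 1),
    ("Calling-Station-Id", "001B63A3A8DD"), ("Service-Type", "Framed-User"),
    ("NAS-IP-Address", "139.184.8.16"), ("NAS-Identifier", "hp-e-its-dev8021x-sw1"),
    ("User-Name", "user@jrs.example"), ("Proxy-State", "0x313931"),
]
ENTRIES = parse_attrs_file(ATTRS_FILE)

if __name__ == "__main__":
    for control in ({"Proxy-To-Realm": "jrs"}, {}):
        kept, dropped = accounting_section(ACCT_REQUEST, control, ENTRIES)
        print("proxied" if control else "local", "-> kept:", [n for n, _ in kept],
              "dropped:", dropped)
```

Running it shows the two outcomes side by side: with Proxy-To-Realm set the packet goes out intact, while the unguarded path keeps only the six attributes the DEFAULT entry names and drops everything else, which is the behaviour the message above describes.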



Re: Attributes sent to proxy servers ...

2008-02-05 Thread Arran Cudbard-Bell

Alan DeKok wrote:

Arran Cudbard-Bell wrote:
  

Might be any idea to replace
accounting {


...
  

   #  Filter attributes from the accounting response.
   if(!%{control:Proxy-To-Realm}){
   attr_filter.accounting_response



  I'll look into it...

  

Still getting internal attributes displayed...



  Fixed.

  

Yep, confirmed.

Sending Accounting-Request of id 108 to 194.82.174.185 port 1813
   Acct-Session-Id = 004E002C
   Acct-Status-Type = Start
   Acct-Authentic = RADIUS
   Acct-Delay-Time = 0
   NAS-Port = 1
   Calling-Station-Id = 001B63A3A8DD
   Service-Type = Framed-User
   NAS-IP-Address = 139.184.8.16
   NAS-Identifier = hp-e-its-dev8021x-sw1
   User-Name = [EMAIL PROTECTED]
   Proxy-State = 0x313931
Proxying request 9 to home server 194.82.174.185 port 1813
Sending Accounting-Request of id 108 to 194.82.174.185 port 1813
   Acct-Session-Id = 004E002C
   Acct-Status-Type = Start
   Acct-Authentic = RADIUS
   Acct-Delay-Time = 0
   NAS-Port = 1
   Calling-Station-Id = 001B63A3A8DD
   Service-Type = Framed-User
   NAS-IP-Address = 139.184.8.16
   NAS-Identifier = hp-e-its-dev8021x-sw1
   User-Name = [EMAIL PROTECTED]
   Proxy-State = 0x313931
Going to the next request

Thanks :)

Small cosmetic one

Module: Instantiating attr_filter.access_reject
 attr_filter attr_filter.access_reject {
   attrsfile = /etc/raddb/filters/attrs.access_reject
   key = %{User-Name}
 }
[/etc/raddb/filters/attrs.access_reject]:11 WARNING! Check item 
Event-Type found in filter list for realm DEFAULT.

}
}

That's not a 'Check-Item', that's a user-defined internal attribute.

  Alan DeKok.
  



--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton

EXT:01273 873900 | INT: 3900
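Added example, not from the thread or the FreeRADIUS source, showing why the internal attributes in the earlier "Sending Accounting-Request" listing were only cosmetic: a minimal RADIUS AVP encoder/decoder drops anything numbered above 255, because the on-wire type field is a single octet, so entries such as Realm, SQL-User-Name or a site-defined Event-Type can sit in the request list and still never reach the home server. The standard attribute numbers are the RFC 2865/2866 values; the internal attribute numbers, the user name and the decode of unknown types are constructed for the example.

```python
"""Added example, not code from the FreeRADIUS thread or project: a minimal
RADIUS attribute-value-pair (AVP) encoder/decoder showing why attributes that
appear in the debug listing of a proxied Accounting-Request can still be
absent from the packet on the wire."""
import socket
import struct

# Attribute numbers from RFC 2865/2866.  The RADIUS "type" field is a single
# octet, so only numbers 1..255 can ever be encoded.
WIRE_DICT = {
    "User-Name": (1, "string"), "NAS-IP-Address": (4, "ipaddr"),
    "NAS-Port": (5, "integer"), "Service-Type": (6, "integer"),
    "Calling-Station-Id": (31, "string"), "NAS-Identifier": (32, "string"),
    "Proxy-State": (33, "octets"), "Acct-Status-Type": (40, "integer"),
    "Acct-Delay-Time": (41, "integer"), "Acct-Session-Id": (44, "string"),
    "Acct-Authentic": (45, "integer"),
}
# Server-internal attributes are numbered above 255 and never reach the wire.
# These numbers are constructed for the example, not taken from the FreeRADIUS
# dictionary; Event-Type stands for the site-defined attribute in the thread.
INTERNAL_DICT = {
    "Event-Type": (3001, "string"), "Stripped-User-Name": (3002, "string"),
    "Realm": (3003, "string"), "Acct-Unique-Session-Id": (3004, "string"),
    "SQL-User-Name": (3005, "string"),
}
DICTIONARY = {**WIRE_DICT, **INTERNAL_DICT}
ENUMS = {"Service-Type": {"Framed-User": 2},
         "Acct-Status-Type": {"Start": 1, "Stop": 2},
         "Acct-Authentic": {"RADIUS": 1}}


def encode_value(name, kind, value):
    """Encode one value according to its dictionary data type."""
    if kind == "integer":
        if isinstance(value, str):          # enumerated name, e.g. Start
            value = ENUMS[name][value]
        return struct.pack("!I", value)
    if kind == "ipaddr":
        return socket.inet_aton(value)
    if kind == "octets":
        if isinstance(value, bytes):
            return value
        return bytes.fromhex(value[2:] if value.startswith("0x") else value)
    return value.encode("utf-8")


def encode_avps(pairs):
    """Encode (name, value) pairs as type/length/value AVPs.

    Returns (wire_bytes, sent_names, dropped_names); dropped_names are the
    internal attributes that exist in the request list but cannot be encoded."""
    out, sent, dropped = bytearray(), [], []
    for name, value in pairs:
        number, kind = DICTIONARY[name]
        if number > 255:
            dropped.append(name)
            continue
        data = encode_value(name, kind, value)
        if len(data) > 253:                 # length octet counts type+length+value
            raise ValueError(f"{name}: value longer than 253 octets")
        out += struct.pack("!BB", number, len(data) + 2) + data
        sent.append(name)
    return bytes(out), sent, dropped


def decode_avps(wire):
    """Decode AVPs back to (name, value) pairs, as the home server sees them."""
    by_number = {num: (name, kind) for name, (num, kind) in WIRE_DICT.items()}
    pos, result = 0, []
    while pos < len(wire):
        number, length = struct.unpack_from("!BB", wire, pos)  # struct.error if truncated
        if length < 2 or pos + length > len(wire):
            raise ValueError("malformed AVP length")
        data = wire[pos + 2:pos + length]
        name, kind = by_number.get(number, (f"Attr-{number}", "octets"))
        value = {"integer": lambda d: struct.unpack("!I", d)[0],
                 "ipaddr": socket.inet_ntoa,
                 "string": lambda d: d.decode("utf-8"),
                 "octets": lambda d: "0x" + d.hex()}[kind](data)
        result.append((name, value))
        pos += length
    return result


# Constructed from the "Sending Accounting-Request" listing in the thread;
# the user name is a placeholder because the archive redacted it.
PROXIED_REQUEST = [
    ("Acct-Session-Id", "004E001B"), ("Acct-Status-Type", "Start"),
    ("Acct-Authentic", "RADIUS"), ("Acct-Delay-Time", 0), ("NAS-Port", 1),
    ("Calling-Station-Id", "001B63A3A8DD"), ("Event-Type", "Framed-User"),
    ("NAS-IP-Address", "139.184.8.16"), ("NAS-Identifier", "hp-e-its-dev8021x-sw1"),
    ("User-Name", "user@jrs.example"), ("Stripped-User-Name", "user"),
    ("Realm", "jrs"), ("Acct-Unique-Session-Id", "98c00d277000c63a"),
    ("SQL-User-Name", "user@jrs.example"), ("Realm", "jrs"),
    ("Proxy-State", "0x323532"),
]

if __name__ == "__main__":
    wire, sent, dropped = encode_avps(PROXIED_REQUEST)
    print("on the wire:", sent)
    print("debug-only (internal, never encoded):", dropped)
    for name, value in decode_avps(wire):
        print(f"  {name} = {value}")
```

Decoding the bytes that `encode_avps` produces gives exactly the attribute set in the later, fixed listing (Acct-Session-Id through Proxy-State, with no Realm, SQL-User-Name or Stripped-User-Name), which is the quickest way to confirm that a debug line is cosmetic rather than a leak: capture the proxied packet and decode it, rather than trusting the server's own printout.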



Re: Attributes sent to proxy servers ...

2008-02-05 Thread Alan DeKok
Arran Cudbard-Bell wrote:
 Might be any idea to replace
 accounting {
...
#  Filter attributes from the accounting response.
if(!%{control:Proxy-To-Realm}){
attr_filter.accounting_response

  I'll look into it...

 Still getting internal attributes displayed...

  Fixed.

  Alan DeKok.