This is a discussion on "Reply-Message not copied from Tunnel to outside?" within the FreeRADIUS Users forums, part of the Networking and Network Related category.
Hello,

in my setup I use TTLS-PAP to authenticate users (which works perfectly). Now I have set up a test user to enable some keepalive checking for the server. I use MySQL as a backend and have put a Reply-Message attribute in radreply. It gets picked up alright in the tunneled user check and I have set "use_tunneled_reply" in eap.conf. So I'd expect to see that Reply-Message gets copied to the outside request upon returning the request. But this doesn't happen. Here's the -X log:

    modcall: entering group authenticate for request 57
      rlm_eap: Request found, released from the list
      rlm_eap: EAP/ttls
      rlm_eap: processing type ttls
    rlm_eap_ttls: Authenticate
    rlm_eap_tls: processing TLS
    eaptls_verify returned 7
    rlm_eap_tls: Done initial handshake
    eaptls_process returned 7
    rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
      TTLS: Got tunneled request
            User-Name = "testuser.deny@restena.lu"
            User-Password = "THE_PASSWORD"
            FreeRADIUS-Proxied-To = 127.0.0.1
      TTLS: Sending tunneled request
            User-Name = "testuser.deny@restena.lu"
            User-Password = "THE_PASSWORD"
            FreeRADIUS-Proxied-To = 127.0.0.1
            Framed-MTU = 1400
            Called-Station-Id = "0007.0eb3.6c36"
            Calling-Station-Id = "0002.2d50.fc8d"
            Cisco-AVPair = "ssid=eduroam"
            Service-Type = Login-User
            NAS-Port-Type = Wireless-802.11
            Cisco-NAS-Port = "444"
            NAS-Port = 444
            NAS-IP-Address = 158.64.3.4
            NAS-Identifier = "ap-1.rest.restena.lu"
      Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 57
    radius_xlat:  '/var/log/radius/radacct/20050309/rawdump'
    rlm_detail: /var/log/radius/radacct/%Y%m%d/rawdump expands to /var/log/radius/radacct/20050309/rawdump
      modcall[authorize]: module "rawdump" returns ok for request 57
      modcall[authorize]: module "preprocess" returns ok for request 57
    radius_xlat:  '/var/log/radius/radacct/127.0.0.1/auth-detail-20050309'
    rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20050309
      modcall[authorize]: module "auth_log" returns ok for request 57
    radius_xlat:  '/var/log/radius/radacct/20050309/ap-1.rest.restena.lu-service/auth-detail'
    rlm_detail: /var/log/radius/radacct/%Y%m%d/%{NAS-Identifier}-service/auth-detail expands to /var/log/radius/radacct/20050309/ap-1.rest.restena.lu-service/auth-detail
      modcall[authorize]: module "nas_auth_log" returns ok for request 57
      modcall[authorize]: module "attr_filter" returns noop for request 57
        rlm_realm: Looking up realm "restena.lu" for User-Name = "testuser.deny@restena.lu"
        rlm_realm: Found realm "restena.lu"
        rlm_realm: Proxying request from user testuser.deny to realm restena.lu
        rlm_realm: Adding Realm = "restena.lu"
        rlm_realm: Authentication realm is LOCAL.
      modcall[authorize]: module "suffix" returns noop for request 57
      modcall[authorize]: module "mschap" returns noop for request 57
      rlm_eap: No EAP-Message, not doing EAP
      modcall[authorize]: module "eap" returns noop for request 57
    radius_xlat:  'testuser.deny@restena.lu'
    rlm_sql (sql): sql_set_user escaped user --> 'testuser.deny@restena.lu'
    radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'testuser.deny@restena.lu' ORDER BY id'
    rlm_sql (sql): Reserving sql socket id: 1
    radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser.deny@restena.lu' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
    radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'testuser.deny@restena.lu' ORDER BY id'
    radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser.deny@restena.lu' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
    rlm_sql (sql): Released sql socket id: 1
      modcall[authorize]: module "sql" returns ok for request 57
    modcall: group authorize returns ok for request 57
    rad_check_password: Found Auth-Type Reject
    rad_check_password: Auth-Type = Reject, rejecting user
    auth: Failed to validate the user.
    Login incorrect: [testuser.deny@restena.lu] (from client localhost port 444 cli 0002.2d50.fc8d)
      TTLS: Got tunneled reply RADIUS code 3
            Reply-Message = "This is an account for testing purposes.You are not admitted access because this user is only for keepalive checking."
      TTLS: Got tunneled Access-Reject
      rlm_eap: Handler failed in EAP/ttls
      rlm_eap: Failed in EAP select
      modcall[authenticate]: module "eap" returns invalid for request 57
    modcall: group authenticate returns invalid for request 57
    auth: Failed to validate the user.
    Login incorrect: [someluser@restena.lu] (from client galadriel port 444 cli 0002.2d50.fc8d)
    Delaying request 57 for 1 seconds
    Finished request 57
    Going to the next request
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Sending Access-Reject of id 47 to 158.64.1.43:1814
            EAP-Message = 0x04070004
            Message-Authenticator = 0x00000000000000000000000000000000
            Proxy-State = 0x313931
    Waking up in 3 seconds...

The user's entry in MySQL is as follows:

    mysql> select * from radcheck where UserName = 'testuser.deny@restena.lu';
    +-------+--------------------------+---------------+----+--------------+
    | id    | UserName                 | Attribute     | op | Value        |
    +-------+--------------------------+---------------+----+--------------+
    | 13824 | testuser.deny@restena.lu | User-Password | := | THE_PASSWORD |
    | 13826 | testuser.deny@restena.lu | Auth-Type     | := | Reject       |
    +-------+--------------------------+---------------+----+--------------+
    2 rows in set (0.00 sec)

    mysql> select * from radreply where UserName = 'testuser.deny@restena.lu';
    +----+--------------------------+---------------+----+------------------------------------------------------------------------------------------------------------------------+
    | id | UserName                 | Attribute     | op | Value                                                                                                                  |
    +----+--------------------------+---------------+----+------------------------------------------------------------------------------------------------------------------------+
    |  3 | testuser.deny@restena.lu | Reply-Message | =  | This is an account for testing purposes. You are not admitted access because this user is only for keepalive checking. |
    +----+--------------------------+---------------+----+------------------------------------------------------------------------------------------------------------------------+

Shouldn't the Reply-Message be copied to the outside when "use_tunneled_reply" is on?

Greetings,

Stefan Winter

--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Network and systems engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

email: stefan.winter@restena.lu     tel.: +352 424409-33
http://www.restena.lu               fax:  +352 422473

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
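A small diagnostic for the question raised in the post, added here and not code from the thread or from the FreeRADIUS project: it reads `-X` debug output, collects the attributes of the tunneled reply (`TTLS: Got tunneled reply`) and of the outer packet (`Sending Access-Reject`/`Sending Access-Accept`), and lists which inner attributes never made it to the outside. The sample log is a constructed, condensed version of the one quoted above; the line layout it assumes (attribute lines indented under a packet header) is the one FreeRADIUS debug output uses.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, condensed from the debug output quoted in the post.
SAMPLE_LOG = """\
  TTLS: Got tunneled reply RADIUS code 3
        Reply-Message = "This is an account for testing purposes."
  TTLS: Got tunneled Access-Reject
  rlm_eap: Handler failed in EAP/ttls
Sending Access-Reject of id 47 to 158.64.1.43:1814
        EAP-Message = 0x04070004
        Message-Authenticator = 0x00000000000000000000000000000000
        Proxy-State = 0x313931
Waking up in 3 seconds...
"""

# An attribute line is indented and has the form:  Name = value
ATTR_RE = re.compile(r'^\s+([A-Za-z][\w-]*)\s=\s(.*)$')


def attrs_after(lines: List[str], start: int) -> Dict[str, str]:
    """Collect the attribute lines directly following the packet header at lines[start]."""
    found: Dict[str, str] = {}
    for line in lines[start + 1:]:
        m = ATTR_RE.match(line)
        if not m:
            break  # first non-attribute line ends the packet dump
        found[m.group(1)] = m.group(2).strip()
    return found


def parse_debug(log: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (inner reply attributes, outer reply attributes) from -X output."""
    lines = log.splitlines()
    inner: Dict[str, str] = {}
    outer: Dict[str, str] = {}
    for i, line in enumerate(lines):
        if line.strip().startswith("TTLS: Got tunneled reply"):
            inner = attrs_after(lines, i)
        elif line.startswith(("Sending Access-Reject", "Sending Access-Accept")):
            outer = attrs_after(lines, i)
    return inner, outer


def attributes_not_copied(log: str) -> List[str]:
    """Inner reply attributes absent from the outer packet, sorted by name."""
    inner, outer = parse_debug(log)
    return sorted(name for name in inner if name not in outer)


if __name__ == "__main__":
    print("not copied to outer reply:", attributes_not_copied(SAMPLE_LOG))
```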