
I have a FreeRADIUS 3.0.13. I use it to authenticate WiFi users via 802.1X. The authentication is via NTLM, and I use the ldap module to retrieve the user's memberOf info.

I wish to use FreeRADIUS to forward accounting information post-authentication to my accounting proxy server using the Class field, and to store in that field all the groups to which the user belongs, separated by commas. To do it I used this configuration:

sites-enabled/inner-tunnel

authorize {
 ldap
 ...
}

post-auth {
 ...
 foreach &control:LDAP-Group {
  update reply {
   Class += "%{Foreach-Variable-0},"
  }
 }
 ...
}

sites-enabled/default

preacct {
 preprocess
 ...
 if (&User-Name !~ /host\/.*\..*\..*/ ) {
  update control {
   Proxy-To-Realm := my_accounting_proxy_server
  }
 }
}

My problem is that my accounting proxy receives the RADIUS accounting forwarded by FreeRADIUS with the Class field containing just one group followed by a comma.

So the Class field should contain "group1,group2," but I receive "group1,".

If I run FreeRADIUS in debug mode I can see that the variable "control:LDAP-Group" is iterated correctly and the Class field is updated:

# Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
(28)     post-auth {
...
(28)       foreach &control:LDAP-Group 
(28)         update reply {
(28)           EXPAND Foreach-Variable-0
(28)              --> group1
(28)           EXPAND %{Foreach-Variable-0},
(28)              --> group1,
(28)           Class += 0x67726F7570312c
(28)         } # update reply = noop
(28)         update reply {
(28)           EXPAND Foreach-Variable-0
(28)              --> group2
(28)           EXPAND %{Foreach-Variable-0},
(28)              --> group2,
(28)           Class += 0x67726F7570322c
(28)         } # update reply = noop

...

(28) update {
(28)   &outer.session-state::Class += &reply:Class[*] -> 0x67726F7570312c
(28)   &outer.session-state::Class += &reply:Class[*] -> 0x67726F7570322c

...

(28)   &outer.session-state::Tunnel-Type += &reply:Tunnel-Type[*] -> VLAN
(28)   &outer.session-state::Tunnel-Medium-Type += &reply:Tunnel-Medium-Type[*] -> IEEE-802
(28)   &outer.session-state::Tunnel-Private-Group-Id += &reply:Tunnel-Private-Group-Id[*] -> 'XX'
(28)   &outer.session-state::Aruba-User-Vlan += &reply:Aruba-User-Vlan[*] -> XX
(28)   &outer.session-state::Reply-Message += &reply:Reply-Message[*] -> 'XXXXX'

...

(28) } # server inner-tunnel
(28) Virtual server sending reply
(28)   Class += 0x67726F7570312c
(28)   Class += 0x67726F7570322c

...

(28) Using Post-Auth-Type Challenge
(28) # Executing group from file /etc/raddb/sites-enabled/default
(28)   Challenge { ... } # empty sub-section is ignored
(28) session-state: Saving cached attributes
(28)   Class += 0x67726F7570312c
(28)   Class += 0x67726F7570322c

...

(28)   Tunnel-Type += VLAN
(28)   Tunnel-Medium-Type += IEEE-802
...
(28)   Reply-Message += "XXX"
...

(28) Finished request

I also captured the traffic between FreeRADIUS and my accounting RADIUS proxy, and the Class field is not complete there: there is just the first group followed by a comma. What am I doing wrong? Can someone help me?
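Added example, not part of the poster's configuration: the debug output above shows `Class += 0x...` twice, so the reply carries two separate Class attribute instances rather than one comma-joined string. The fragment below builds a single Class value in the inner-tunnel post-auth section instead. It assumes FreeRADIUS 3.0.x unlang, where `%{reply:Class}` expands to the first existing Class instance (empty string if none) and `:=` replaces every instance with one value.

```unlang
# Added example for the inner-tunnel virtual server (sites-enabled/inner-tunnel).
# Not the original poster's config; assumes FreeRADIUS 3.0.x unlang semantics.
#
# The original loop uses `Class += "..."`, which appends a NEW Class attribute
# on each iteration, giving one Class per group (as the debug output shows).
# RFC 2865 defines Class as opaque to the NAS, which only has to echo back what
# it received; keeping all groups in ONE instance removes any dependence on the
# NAS copying every instance into its Accounting-Request.
post-auth {
	foreach &control:LDAP-Group {
		update reply {
			# %{reply:Class} is empty on the first pass, then holds the
			# string built so far; := replaces the attribute instead of
			# adding another instance.
			&Class := "%{reply:Class}%{Foreach-Variable-0},"
		}
	}
	# After the loop the reply holds exactly one attribute:
	#   Class = "group1,group2,"
	# which the outer server copies into session-state and sends in the
	# Access-Accept as a single Class AVP.
}
```

Run the server in debug mode as above and confirm that only one `Class := ...` line appears after the loop and that the Access-Accept carries a single Class attribute.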

0 Answers