Discussion:
Invalid location for 'if' on 3.0.4
MDS Test
2018-11-28 17:22:27 UTC
Hi folks,

We have had freeradius version 2.2.6 running on CentOS6 for a
few years now. Now we need to build a new host on CentOS7. I
installed version 3.0.4 from repo. After I copied my proxy.conf file
from the old host, I encountered an error and couldn't figure out what
is wrong.

$radiusd -X 2>&1 | tee debugfile
radiusd: FreeRADIUS Version 3.0.4, for host x86_64-redhat-linux-gnu,
built on Mar 5 2015 at 23:41:36
Copyright (C) 1999-2014 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
/etc/raddb/proxy.conf[103]: Invalid location for 'if'
Errors reading or parsing /etc/raddb/radiusd.conf

proxy.conf

post-proxy {
    update proxy-reply {
        Filter-Id !* ""
        Fortinet-Access-Profile !* ""
        Juniper-Local-User-Name !* ""
        Cisco-AVPair !* ""
        # Raritan-VSA-Placeholder !* ""
        PaloAlto-Admin-Role !* ""
        PaloAlto-Panorama-Admin-Role !* ""
        F5-LTM-User-Info-1 !* ""
    }

    if("%{proxy-reply:Packet-Type}" == Access-Accept) {
        perl
        update proxy-reply {
            Reply-Message := "Welcome user!"
        }
    }
}

Please pardon me if this is a simple error, but I am new to
freeradius and have read the docs but couldn't figure it out.

Mike
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/
Adam Bishop
2018-11-28 17:27:33 UTC
Post by MDS Test
We have had freeradius version 2.2.6 running on CentOS6 for a
few years now. Now we need to build a new host on CentOS7. I
installed version 3.0.4 from repo. After I copied my proxy.conf file
from the old host, I encountered an error and couldn't figure out what
is wrong.
It sounds like your 2.2 config has been heavily modified - that content shouldn't be in the proxy.conf file.

It's best to start from the default 3.0 configuration, and apply your changes one at a time as 2.2 and 3.0 are not 100% config compatible.

Also, upgrade - 3.0.4 is very old at this point, and there are a number of improvements you're missing out on.


Adam Bishop

gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460

jisc.ac.uk

MDS Test
2018-11-28 17:33:34 UTC
Thank you. I will start from the 3.0 default config.
Alan Buxey
2018-11-28 18:08:55 UTC
hi,

post-proxy etc statements live in virtual servers - that kind of stuff
would normally live in your virtual server section - I'm guessing
your 2.x config may have just been lifted from an even older 1.x config or
such with loads of INCLUDE things rather than taking
the standard layout/config.

alan
MDS Test
2018-11-29 14:17:35 UTC
If it helps, this is my full proxy.conf config of version 2.2.4.
The snippet probably didn't provide the entire picture.

proxy server {
    retry_delay = 5
    retry_count = 3
    default_fallback = no
    dead_time = 120
    wake_all_if_all_dead = no
}
home_server localhost {
    ipaddr = 127.0.0.1
    port = 1812
    type = "auth"
    secret = "testing123"
    response_window = 20
    max_outstanding = 65536
    require_message_authenticator = yes
    zombie_period = 40
    status_check = "status-server"
    ping_interval = 30
    check_interval = 30
    num_answers_to_alive = 3
    num_pings_to_alive = 3
    revive_interval = 120
    status_check_timeout = 4
    coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
    }
}
home_server nbf_auth_1 {
    ipaddr = 10.10.10.26
    port = 1812
    type = auth
    secret = "xxxxxxxxxx"
}
home_server nbf_auth_2 {
    ipaddr = 10.10.10.25
    port = 1812
    type = auth
    secret = "xxxxxxxxxx"
}
home_server nbf_auth_3 {
    ipaddr = 10.10.10.24
    port = 1812
    type = auth
    secret = "xxxxxxxxxx"
}
home_server nbf_auth_4 {
    ipaddr = 10.10.10.23
    port = 1812
    type = auth
    secret = "xxxxxxxxx"
}
home_server nbf_auth_5 {
    ipaddr = 10.10.10.22
    port = 1812
    type = auth
    secret = "xxxxxxxx"
}
home_server nbf_auth_6 {
    ipaddr = 10.10.10.21
    port = 1812
    type = auth
    secret = "xxxxxxxxx"
}
home_server_pool server_pool {
    type = fail-over
    home_server = nbf_auth_1
    home_server = nbf_auth_2
    home_server = nbf_auth_3
    home_server = nbf_auth_4
    home_server = nbf_auth_5
    home_server = nbf_auth_6
}
pre-proxy {
    update proxy-request {
        Called-Station-Id !* ""
        Calling-Station-Id !* ""
        NAS-Port-Type !* ""
        Connect-Info !* ""
        EAP-Message !* ""
        Message-Authenticator !* ""
        NAS-Port !* ""
    }
}

post-proxy {
    # Strip out anything that from the remote that we
    # provide ourselves.
    update proxy-reply {
        Filter-Id !* ""
        Fortinet-Access-Profile !* ""
        Juniper-Local-User-Name !* ""
        Cisco-AVPair !* ""
        # Raritan-VSA-Placeholder !* ""
        PaloAlto-Admin-Role !* ""
        PaloAlto-Panorama-Admin-Role !* ""
        F5-LTM-User-Info-1 !* ""
    }

    if("%{proxy-reply:Packet-Type}" == Access-Accept) {
        perl
        update proxy-reply {
            Reply-Message := "Welcome user!"
        }
    }
}

realm NULL {
}
realm LOCAL {
}
realm att_ent_token {
    auth_pool = server_pool
}
Alan DeKok
2018-11-29 14:22:18 UTC
Post by MDS Test
If it helps, this is my full proxy.conf config of version 2.2.4
We didn't ask for that. You were asked to start with the default v3 config.

Version 2 allowed for "pre-proxy" sections to be outside of a "server" section. Version 3 does not allow this.

You MUST put "pre-proxy", etc. into a "server" section.

Read raddb/README.rst. There are detailed instructions for upgrading from v2 to v3.

Do NOT copy your v2 config over to v3. You MUST start from the default v3 configuration, and gradually move pieces over, with testing.

And do NOT use 3.0.4. There is no reason to use a version which is ~5 years old. 3.0.17 is available, and has many fixes and feature enhancements over 3.0.4.

Alan DeKok.
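
The rule stated in the reply above (version 3 requires "pre-proxy", "post-proxy" and similar sections to sit inside a "server" section) can be checked on a v2 file before any piece of it is moved over. The Python script below is an added example, not part of the original thread or of FreeRADIUS; the function names, the list of section names and the sample config are assumptions constructed for illustration.

```python
import re

# Sections that v3 accepts only inside "server { ... }" (assumed, common names).
PROCESSING = {"authorize", "authenticate", "preacct", "accounting",
              "session", "post-auth", "pre-proxy", "post-proxy"}

def strip_comment(line):
    """Drop a trailing '#' comment, ignoring '#' inside double quotes."""
    in_str, prev = False, ""
    for i, ch in enumerate(line):
        if ch == '"' and prev != "\\":
            in_str = not in_str
        elif ch == "#" and not in_str:
            return line[:i]
        prev = ch
    return line

def misplaced_sections(text):
    """Return [(line_no, name)] for processing sections opened outside server {}."""
    findings, stack = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        # Blank out quoted strings so braces in "%{...}" are not counted.
        bare = re.sub(r'"(?:\\.|[^"\\])*"', '""', strip_comment(raw))
        word = re.search(r"[\w-]+", bare)
        name = word.group(0) if word else ""
        if "{" in bare and name in PROCESSING and "server" not in stack:
            findings.append((no, name))
        for ch in bare:
            if ch == "{":
                stack.append(name)   # remember which block this brace opened
            elif ch == "}" and stack:
                stack.pop()
    return findings

# Constructed sample mirroring the layout of the posted v2 proxy.conf.
SAMPLE = '''\
home_server example_1 {
    secret = "x#y{"    # constructed value
}
post-proxy {
    if("%{proxy-reply:Packet-Type}" == Access-Accept) {
        perl
    }
}
server default {
    post-proxy {
    }
}
'''
print(misplaced_sections(SAMPLE))
```

The top-level "post-proxy" is reported with its line number, while the copy inside "server default" is accepted.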

