real authentication after upgrade from 30.0.15 to 3.0.16

Marek Zarychta zarychtam at plan-b.pwste.edu.pl
Tue Jan 30 16:10:33 CET 2018


Dear users,

after upgrade to 3.0.16, I have issues with realm authentication. All
requests proxied to nonlocal realms and authentication requests for
users without a realm can still be served.

Client sends initial Access-Request and receives Access-Challenge with
"No Message-Authenticator attribute found".

See attached diffs of the detailed debug logs: 

--- log.ok	2018-01-30 14:21:05.093454000 +0100
+++ log.bad	2018-01-30 14:20:34.505666000 +0100
@@ -1,4 +1,4 @@
-FreeRADIUS Version 3.0.15
+FreeRADIUS Version 3.0.16
 Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
 There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
 PARTICULAR PURPOSE
@@ -88,7 +88,7 @@
 	sbindir = "/usr/local/sbin"
 	logdir = "/var/log"
 	run_dir = "/var/run/radiusd"
-	libdir = "/usr/local/lib/freeradius-3.0.15"
+	libdir = "/usr/local/lib/freeradius-3.0.16"
 	radacctdir = "/var/log/radacct"
 	hostname_lookups = no
 	max_request_time = 30
@@ -1143,6 +1143,8 @@
    	cipher_server_preference = no
    	ecdh_curve = "prime256v1"
    	disable_tlsv1_2 = yes
+   	tls_max_version = ""
+   	tls_min_version = "1.0"
     cache {
     	enable = no
     	lifetime = 24
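Review bot: the context line disable_tlsv1_2 = yes now sits next to the added tls_min_version = "1.0", so this EAP TLS block accepts TLS 1.0 while excluding TLS 1.2. The two added lines are values 3.0.16 prints even though the configuration files were carried over from the previous version, so they were not chosen deliberately. Consider setting tls_min_version and tls_max_version explicitly in the eap module and revisiting whether disable_tlsv1_2 is still needed, instead of relying on the values shown here.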
@@ -1307,9 +1309,9 @@
 Listening on auth address * port 1812 bound to server default
 Listening on acct address * port 1813 bound to server default
 Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
-Listening on proxy address * port 19369
+Listening on proxy address * port 17390
 Ready to process requests
-(0) Received Access-Request Id 0 from 10.0.6.253:38291 to 0.0.0.0:1812 length 158
+(0) Received Access-Request Id 0 from 10.0.6.253:56240 to 0.0.0.0:1812 length 158
 (0)   User-Name = "someuserm at some.realm"
 (0)   NAS-IP-Address = 127.0.0.1
 (0)   Calling-Station-Id = "02-00-00-00-00-01"
@@ -1318,7 +1320,7 @@
 (0)   Service-Type = Framed-User
 (0)   Connect-Info = "CONNECT 11Mbps 802.11b"
 (0)   EAP-Message = 0x0200001b017a617279636874616d4070777374652e6564752e706c
-(0)   Message-Authenticator = 0x73f14e50279eda60f9b8f887174f8e93
+(0)   Message-Authenticator = 0x808acae379001500e79c7ab3a2c83636
 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/radius.some.realm
 (0)   authorize {
 (0)     policy filter_username {
@@ -1384,7 +1386,7 @@
 (0) auth_log:    --> /var/log/radacct/10.0.6.253/auth-detail-20180130
 (0) auth_log: /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radacct/10.0.6.253/auth-detail-20180130
 (0) auth_log: EXPAND %t
-(0) auth_log:    --> Tue Jan 30 14:21:04 2018
+(0) auth_log:    --> Tue Jan 30 14:20:29 2018
 (0)     [auth_log] = ok
 (0)     [chap] = noop
 (0)     [mschap] = noop
@@ -1487,7 +1489,7 @@
 (0) pre_proxy_log:    --> /var/log/radacct/10.0.6.253/pre-proxy-detail-20180130
 (0) pre_proxy_log: /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d expands to /var/log/radacct/10.0.6.253/pre-proxy-detail-20180130
 (0) pre_proxy_log: EXPAND %t
-(0) pre_proxy_log:    --> Tue Jan 30 14:21:04 2018
+(0) pre_proxy_log:    --> Tue Jan 30 14:20:29 2018
 (0)       [pre_proxy_log] = ok
 (0)       if ("%{Packet-Type}" != "Accounting-Request") {
 (0)       EXPAND %{Packet-Type}
@@ -1567,7 +1569,7 @@
 (0) auth_log:    --> /var/log/radacct/10.0.6.253/auth-detail-20180130
 (0) auth_log: /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radacct/10.0.6.253/auth-detail-20180130
 (0) auth_log: EXPAND %t
-(0) auth_log:    --> Tue Jan 30 14:21:04 2018
+(0) auth_log:    --> Tue Jan 30 14:20:29 2018
 (0)     [auth_log] = ok
 (0)     [chap] = noop
 (0)     [mschap] = noop
@@ -1585,7 +1587,7 @@
 (0) eap_peap: Initiating new EAP-TLS session
 (0) eap_peap: [eaptls start] = request
 (0) eap: Sending EAP Request (code 1) ID 1 length 6
-(0) eap: EAP session adding &reply:State = 0xe72255ede7234ce0
+(0) eap: EAP session adding &reply:State = 0xcd2b6be2cd2a720f
 (0)     [eap] = handled
 (0)   } # authenticate = handled
 (0) Using Post-Auth-Type Challenge
@@ -1600,7 +1602,7 @@
 (0) post_proxy_log:    --> /var/log/radacct/10.0.6.253/post-proxy-detail-20180130
 (0) post_proxy_log: /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d expands to /var/log/radacct/10.0.6.253/post-proxy-detail-20180130
 (0) post_proxy_log: EXPAND %t
-(0) post_proxy_log:    --> Tue Jan 30 14:21:04 2018
+(0) post_proxy_log:    --> Tue Jan 30 14:20:29 2018
 (0)       [post_proxy_log] = ok
 (0) attr_filter.post-proxy: EXPAND %{Realm}
 (0) attr_filter.post-proxy:    --> some.realm
@@ -1610,3413 +1612,18 @@
 (0)       [eap] = noop
 (0)     } # post-proxy = updated
 (0) }
+(0) Clearing existing &reply: attributes
+(0) Found Post-Proxy-Type Fail-Authentication
+(0) server radius.some.realm {
+(0)   Post-Proxy-Type sub-section not found.  Ignoring.
+(0)   # Executing group from file /usr/local/etc/raddb/sites-enabled/radius.some.realm
+(0) }
 (0) Using Post-Auth-Type Challenge
 (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/radius.some.realm
 (0)   Challenge { ... } # empty sub-section is ignored
-(0) Sent Access-Challenge Id 0 from 0.0.0.0:1812 to 10.0.6.253:38291 length 0
-(0)   EAP-Message = 0x010100061920
-(0)   Message-Authenticator = 0x00000000000000000000000000000000
-(0)   State = 0xe72255ede7234ce0450d40d020db3d2d
+(0) Sent Access-Challenge Id 0 from 0.0.0.0:1812 to 10.0.6.253:56240 length 0
+(0)   State = 0x2761a24a7c3ece99bd01e4f7ae40f330
 (0) Finished request
 Waking up in 4.9 seconds.
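Review bot: the six added lines after "} # post-proxy = updated" are where the two runs diverge, and they explain the client error. Everything up to that point is identical context, so post-proxy had already completed once. 3.0.16 then logs "Clearing existing &reply: attributes" and "Found Post-Proxy-Type Fail-Authentication", and the Access-Challenge that follows carries only State. The EAP-Message and Message-Authenticator lines that 3.0.15 sent are on the removed side. A challenge without those two attributes matches the "No Message-Authenticator attribute found" complaint from the client. The hunk header (3413 lines on the old side, 18 on the new) also shows that the EAP conversation never continues past this first challenge in the bad log. When reporting this, include the unchanged lines just before this hunk that show the reply from the proxied virtual server, so readers can see why Fail-Authentication was selected.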

All configuration files are from the previous version. Should I try to
reconfigure it with respect to original configuration files from 3.0.16
to work again or is this in some way connected with the bug I found to
be fixed in upcoming 3.0.17 version: 

Bug fixes
        * Don't call post-proxy twice when proxying to
          a virtual server.  Matthew Newton, #2161.

Best regards,
-- 
Marek Zarychta
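
The symptom in the log diff above, an Access-Challenge that answers an EAP request but carries only State, can be picked out of `radiusd -X` output mechanically. The following is an added example, not part of the original message or of FreeRADIUS; the function names are hypothetical and the sample log is constructed to mirror the shape of the lines in the post.

```python
import re

# Constructed sample shaped like the debug lines in the post; values are placeholders.
SAMPLE_LOG = """\
(0) Received Access-Request Id 0 from 192.0.2.10:40000 to 0.0.0.0:1812 length 158
(0)   EAP-Message = 0x0200000a0175736572
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0) Clearing existing &reply: attributes
(0) Sent Access-Challenge Id 0 from 0.0.0.0:1812 to 192.0.2.10:40000 length 0
(0)   State = 0x0102030405060708
(1) Received Access-Request Id 1 from 192.0.2.10:40001 to 0.0.0.0:1812 length 158
(1)   EAP-Message = 0x0200000a0175736572
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1) Sent Access-Challenge Id 1 from 0.0.0.0:1812 to 192.0.2.10:40001 length 0
(1)   EAP-Message = 0x010100061920
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0x0102030405060708
"""

HEADER = re.compile(r"^\((\d+)\)\s+(Received|Sent) ([A-Za-z-]+) Id \d+ ")
ATTR = re.compile(r"^\((\d+)\)\s{2,}([A-Za-z][A-Za-z0-9-]*) = ")
# RFC 3579: a packet carrying EAP-Message must also carry Message-Authenticator.
REQUIRED = ("EAP-Message", "Message-Authenticator")

def parse_packets(log_text):
    """Return (request_no, direction, packet_type, attr_names) per logged packet."""
    packets, current = [], None
    for line in log_text.splitlines():
        head, attr = HEADER.match(line.strip()), ATTR.match(line.strip())
        if head:
            current = (int(head.group(1)), head.group(2), head.group(3), set())
            packets.append(current)
        elif current and attr and int(attr.group(1)) == current[0]:
            current[3].add(attr.group(2))
        else:
            current = None  # attribute list ended; ignore module debug lines
    return packets

def find_stripped_challenges(log_text):
    """Flag Access-Challenges that answer an EAP request without EAP attributes."""
    eap_requests, findings = set(), []
    for req_no, direction, ptype, attrs in parse_packets(log_text):
        if direction == "Received" and ptype == "Access-Request" and "EAP-Message" in attrs:
            eap_requests.add(req_no)
        elif direction == "Sent" and ptype == "Access-Challenge" and req_no in eap_requests:
            missing = [name for name in REQUIRED if name not in attrs]
            if missing:
                findings.append((req_no, missing))
    return findings
```

Calling `find_stripped_challenges()` on a saved debug log returns one entry per affected request with the attributes that were dropped from the reply.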