Send CoA/DM Requests over existing TLS connection

√únal Kayaduman kayadumanunal at gmail.com
Sun Aug 22 16:08:24 CEST 2021


Hello,

I want to send CoA over existing TLS connection that is established with
client before. But, I am getting error as below.
Is there anyone who can help me ?
I also added my configurations below.

*clients.conf*
    client 10.10.10.10 {
        ipaddr = 10.10.10.10
        proto = tcp
        secret = testing123
    }

*tls.conf*
listen {

ipaddr = *
port = 2083
type = auth+acct
proto = tcp
virtual_server = default
limit {
     max_connections = 16
     lifetime = 0
     idle_timeout = 30
}

tls {

private_key_password = whatever

private_key_file = ${certdir}/server.pem

certificate_file = ${certdir}/server.pem

ca_file = ${cadir}/ca.pem

dh_file = ${certdir}/dh

fragment_size = 8192

ca_path = ${cadir}

ca_path_reload_interval = 3600

cipher_list = "DEFAULT"

cipher_server_preference = no

tls_min_version = "1.2"

tls_max_version = "1.3"

cache {

     enable = no

     lifetime = 24 # hours

}

require_client_cert = no

verify {

}

}

}

*default.conf*

server default {
    authorize {

if (&User-Name == "bob") {
    update coa {
        &User-Name = "%{User-Name}"
        &Calling-Station-Id = "%{Calling-Station-Id}"
        &NAS-IP-Address = "10.10.10.10"
    }
}


        filter_username
        preprocess
        chap
        mschap
        digest
        suffix
        eap {
            ok = return
        }
        files
        -sql
        -ldap
        expiration
        logintime
        pap
        Autz-Type New-TLS-Connection {
            ok
        }

    }

    authenticate {
        Auth-Type PAP {
            pap
        }

        Auth-Type CHAP {
            chap
        }

        Auth-Type MS-CHAP {
            mschap
        }

        mschap
        digest
        eap
    }

    preacct {
        preprocess
        acct_unique
        suffix
        files
    }

    accounting {
        detail
        unix
        -sql
        exec
        attr_filter.accounting_response
    }

    session {
    }

    post-auth {
        if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) {
            update reply {
                &User-Name !* ANY
            }
        }
        update {
            &reply: += &session-state:
        }
        -sql
        exec
        remove_reply_message_if_eap
        Post-Auth-Type REJECT {
            -sql
            attr_filter.access_reject
            eap
            remove_reply_message_if_eap
        }
        Post-Auth-Type Challenge {
        }

        if (EAP-Key-Name && &reply:EAP-Session-Id) {
            update reply {
                &EAP-Key-Name := &reply:EAP-Session-Id
            }
        }
    }

    pre-proxy {
    }

    post-proxy {
        eap
    }
}

*ERROR*
Listening on auth+acct proto tcp address * port 2083 (TLS) bound to server
default
Ready to process requests
 ... new connection request on TCP socket
Listening on auth+acct from client (10.10.10.10, 42673) -> (*, 2083,
virtual-server=default)
Waking up in 0.3 seconds.
(0) (TLS) recv TLS 1.3 Handshake, Finished
(0) tls_recv: Access-Request packet from host 10.10.10.10 port 42673, id=0,
length=69
Threads: total/active/spare threads = 5/0/5
Thread 5 got semaphore
Thread 5 handling request 0, (1 handled so far)
(0) Received Access-Request Id 0 from 10.10.10.10:42673 to 0.0.0.0:2083 length
69
(0)   NAS-IP-Address = 1.1.1.1
(0)   Calling-Station-Id = "00010305AABB"
(0)   Framed-IP-Address = 192.168.1.1
(0)   User-Name = "bob"
(0)   User-Password = "hello"
(0) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0)     if (&User-Name == "bob") {
(0)     if (&User-Name == "bob")  -> TRUE
(0)     if (&User-Name == "bob")  {
(0)       update coa {
(0)         EXPAND %{User-Name}
(0)            --> bob
(0)         &User-Name = bob
(0)         EXPAND %{Calling-Station-Id}
(0)            --> 00010305AABB
(0)         &Calling-Station-Id = 00010305AABB
(0)         &NAS-IP-Address = 10.10.10.10
(0)       } # update coa = noop
(0)     } # if (&User-Name == "bob")  = noop
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = noop
(0)     } # policy filter_username = noop
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "bob", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) files: users: Matched entry bob at line 87
(0) files: EXPAND Hello, %{User-Name}
(0) files:    --> Hello, bob
(0)     [files] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0)     [pap] = updated
(0)   } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known good" Cleartext-Password
(0) pap: User authenticated successfully
(0)     [pap] = ok
(0)   } # Auth-Type PAP = ok
(0) # Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/default
(0)   post-auth {
(0)     if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) {
(0)     if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name))  -> FALSE
(0)     update {
(0)       No attributes updated for RHS &session-state:
(0)     } # update = noop
(0)     [exec] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)     if (EAP-Key-Name && &reply:EAP-Session-Id) {
(0)     if (EAP-Key-Name && &reply:EAP-Session-Id)  -> FALSE
(0)   } # post-auth = noop
(0) WARNING: Unknown destination 10.10.10.10:3799 for CoA request.
(0) Sent Access-Accept Id 0 from 0.0.0.0:2083 to 10.10.10.10:42673 length 0
(0)   Reply-Message = "Hello, bob"
(0) (TLS) send TLS 1.3 Handshake, Finished
(0) Finished request


More information about the Freeradius-Users mailing list