Hello, Thanks for the quick reply! On 24.07.19 13:11, Alan DeKok wrote:
(e.g. mschapv2 failed when only NT-Password and no LM-Password was supplied, Issue #2799).
That's been fixed.
Seen that. Thanks for fixing it so fast.
Two issues I'm currently dealing with: * Proxying RADIUS-Requests (freeradius 4 send out Access-Rejects when received a Access-Challenge from the home server)
That seems bad. The rlm_radius module was tested with proxying, but not with Access-Challenge packets.
In the short term, you can over-ride this with policies. When running the RADIUS module, do:
radius if (updated) { update reply { Packet-Type := Access-Challenge } }
I'll try to push a cleaner fix today.
I assume the fix was pushed in the commit "handle Access-Challenge responses" ? If so, it still has problems proxying Access-Challenge packets. See debug output and configuration below. Regarding the linelog module: If I use %{reply:Packet-Type} as message selector, this variable seems to be empty. (I haven't tested that with the current master, only the one from yesterday) Greetings, Jan-Frederik Rieckers (PS: Whenever I shoud stop using freeradius-devel for this and use freeradius-users or Github Issues, please tell me.) This is my configuration: sites-enabled/default
recv Access-Request { filter_username if (&User-Name =~ /@uni-bremen\.de$/ \ || &User-Name =~ /@guest.uni-bremen.de$/) { eap { ok = return } } else { update control { &Auth-Type := proxy-to-radsec } } } recv Status-Server { ok } authenticate eap { eap } authenticate proxy-to-radsec { redundant { radsec1 radsec2 } if (updated) { update reply { &Packet-Type := Access-Challenge } } } send Access-Challenge { attr_filter.access_challenge.post-auth handled } send Access-Accept { update { &reply: += &session-state: } outer_linelog eap -sql remove_reply_message_if_eap } send Access-Reject { -sql outer_linelog attr_filter.access_reject eap remove_reply_message_if_eap delay_reject }
and mods-enabled/radsecproxy
radius radsec1 { transport = udp type = Access-Request udp { ipaddr = X.X.X.X port = 2084 secret = *secret* } } radius radsec2 { transport = udp type = Access-Request udp { ipaddr = Y.Y.Y.Y port = 2084 secret = *secret* } }
mods-enabled/linelog:
linelog outer_linelog { destination = 'syslog' syslog { facility = local3 } reference = "messages.%{%{Response-Packet-Type}:-default}" messages { default = "Unknown packet type %{Packet-Type}" Access-Accept = "Login OK: [%{User-Name}] (cli %{request:Calling-Station-Id})" Access-Reject = "Login incorrect: [%{User-Name}] (%{%{reply:Reply-Message}:-%{request:Module-Failure-Message}}) (cli %{request:Calling-Station-Id})" } }
The output of radiusd -X:
Debug : proto_radius_udp - Received Access-Request ID 30 length 213 proto_radius_udp server * port 1812 Debug : (0) Received Access-Request ID 30 from 10.11.0.216:56845 to 10.11.0.232:1812 length 213 via socket proto_radius_udp server * port 1812 Debug : (0) User-Name = "eduroam-selfcompile@extern.janfred.de" Debug : (0) NAS-IP-Address = 127.0.0.1 Debug : (0) Calling-Station-Id = "02-00-00-00-00-01" Debug : (0) Framed-MTU = 1400 Debug : (0) NAS-Port-Type = Wireless-802.11 Debug : (0) Service-Type = Framed-User Debug : (0) Connect-Info = "CONNECT 11Mbps 802.11b" Debug : (0) EAP-Message = 0x0200002a01656475726f616d2d73656c66636f6d70696c654065787465726e2e6a616e667265642e6465 Debug : (0) Message-Authenticator = 0xecf8fd6c7d455e2f366350e1f17d8609 Debug : (0) Event-Timestamp = Jul 24 2019 15:05:32 UTC Debug : (0) Operator-Name = "1uni-bremen.de" Debug : (0) Proxy-State = 0x30 Debug : Resetting worker 30 cleanup timer to +0s Debug : (0) running request Debug : (0) Running 'recv Access-Request' from file /usr/local/etc/raddb/sites-enabled/default-nocomment Debug : (0) recv Access-Request { Debug : (0) filter_username { Debug : (0) if (&State) { Debug : (0) ... Debug : (0) } Debug : (0) elseif (&User-Name) { Debug : (0) if (&User-Name =~ / /) { Debug : (0) ... Debug : (0) } Debug : (0) if (&User-Name =~ /@[^@]*@/ ) { Debug : (0) ... Debug : (0) } Debug : (0) if (&User-Name =~ /\.\./ ) { Debug : (0) ... Debug : (0) } Debug : (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) { Debug : (0) ... Debug : (0) } Debug : (0) if (&User-Name =~ /\.$/) { Debug : (0) ... Debug : (0) } Debug : (0) if (&User-Name =~ /@\./) { Debug : (0) ... Debug : (0) } Debug : (0) update session-state { Debug : (0) &Session-State-User-Name := &User-Name -> "eduroam-selfcompile@extern.janfred.de" Debug : (0) } # update session-state (noop) Debug : (0) } # elseif (&User-Name) (noop) Debug : (0) } # filter_username (noop) Debug : (0) if (&User-Name =~ /@uni-bremen\.de$/ || &User-Name =~ /@guest.uni-bremen.de$/) { Debug : (0) ... Debug : (0) } Debug : (0) else { Debug : (0) update control { Debug : (0) &Auth-Type := proxy-to-radsec Debug : (0) } # update control (noop) Debug : (0) } # else (noop) Debug : (0) } # recv Access-Request (noop) Debug : (0) Running 'authenticate proxy-to-radsec' from file /usr/local/etc/raddb/sites-enabled/default-nocomment Debug : (0) authenticate proxy-to-radsec { Debug : (0) group { Debug : (0) Sending Access-Request ID 0 length 195 over connection proto udp local 0.0.0.0 port 56773 remote 10.11.0.216 port 20$ 4 Debug : (0) &User-Name = "eduroam-selfcompile@extern.janfred.de" Debug : (0) &NAS-IP-Address = 127.0.0.1 Debug : (0) &Calling-Station-Id = "02-00-00-00-00-01" Debug : (0) &Framed-MTU = 1400 Debug : (0) &NAS-Port-Type = Wireless-802.11 Debug : (0) &Service-Type = Framed-User Debug : (0) &Connect-Info = "CONNECT 11Mbps 802.11b" Debug : (0) &EAP-Message = 0x0200002a01656475726f616d2d73656c66636f6d70696c654065787465726e2e6a616e667265642e6465 Debug : (0) &Event-Timestamp = Jul 24 2019 15:05:32 UTC Debug : (0) &Operator-Name = "1uni-bremen.de" Debug : (0) &Proxy-State = 0x30 Debug : (0) &Proxy-State = 0x45ad4539 Debug : (0) &Message-Authenticator = 0x45d55902781dc4ea5b7d27ba63e6a80d Debug : (0) radsec1 - Proxying request. Expecting response within 2.000000s Debug : (0) radsec1 (yield) Debug : Waking up in 1.996337512 seconds. Debug : (0) Received Access-Challenge ID 11 length 73 reply packet on connection proto udp local 0.0.0.0 port 56773 remote 10.11. 0.216 port 2084 Debug : (0) &EAP-Message = 0x010100061520 Debug : (0) &Message-Authenticator = 0xaa2410363e4546fcad585a1bb568af94 Debug : (0) &State = 0x57487590574960fe50542e3cd559b240 Debug : (0) &Proxy-State = 0x30 Debug : (0) &Proxy-State = 0x45ad4539 Debug : radsec1 - Setting idle timeout to +300.000 for connection proto udp local 0.0.0.0 port 56773 remote 10.11.0.216 port 2084 Debug : (0) running request Debug : (0) radsec1 - Resuming execution Debug : (0) radsec1 (updated) Debug : (0) } # group (updated) Debug : (0) if (updated) { Debug : (0) update reply { Debug : (0) &Packet-Type := Access-Challenge Debug : (0) } # update reply (noop) Debug : (0) } # if (updated) (noop) Debug : (0) } # authenticate proxy-to-radsec (noop) Debug : (0) Failed to authenticate the user Debug : (0) Running 'send Access-Reject' from file /usr/local/etc/raddb/sites-enabled/default-nocomment Debug : (0) send Access-Reject { Debug : (0) outer_linelog - EXPAND messages.%{%{Response-Packet-Type}:-default} WARN : (0) outer_linelog - WARNING: %{Response-Packet-Type} is ONLY for responses! WARN : (0) outer_linelog - WARNING: Please replace %{Response-Packet-Type} with %{reply:Packet-Type} Debug : (0) outer_linelog - --> messages.Access-Reject Debug : (0) outer_linelog - EXPAND Login incorrect: [%{User-Name}] (%{%{reply:Reply-Message}:-%{request:Module-Failure-Message}}) ( cli %{request:Calling-Station-Id}) Debug : (0) outer_linelog - --> Login incorrect: [eduroam-selfcompile@extern.janfred.de] () (cli 02-00-00-00-00-01) Debug : (0) outer_linelog (ok) Debug : (0) attr_filter.access_reject - EXPAND %{User-Name} Debug : (0) attr_filter.access_reject - --> eduroam-selfcompile@extern.janfred.de Debug : (0) attr_filter.access_reject - Matched entry DEFAULT at line 11 Debug : (0) attr_filter.access_reject (updated) Debug : (0) eap (noop) Debug : (0) remove_reply_message_if_eap { Debug : (0) if (&reply:EAP-Message && &reply:Reply-Message) { Debug : (0) ... Debug : (0) } Debug : (0) else { Debug : (0) noop (noop) Debug : (0) } # else (noop) Debug : (0) } # remove_reply_message_if_eap (noop) Debug : (0) delay_reject - EXPAND %{%{reply:FreeRADIUS-Response-Delay}:-1} Debug : (0) delay_reject - --> 1 Debug : (0) delay_reject - Delaying request by ~0.955292996s Debug : (0) delay_reject (yield) Debug : Waking up in 0.954933986 seconds. Debug : (0) Delay done Debug : (0) running request Debug : (0) delay_reject - Resuming execution Debug : (0) delay_reject (ok) Debug : (0) } # send Access-Reject (updated) Debug : (0) done request Debug : (0) Sending Access-Reject ID 30 from 10.11.0.232:1812 to 10.11.0.216:56845 length 73 via socket proto_radius_udp server * por t 1812 Debug : (0) EAP-Message = 0x010100061520 Debug : (0) Message-Authenticator = 0xaa2410363e4546fcad585a1bb568af94 Debug : (0) State = 0x57487590574960fe50542e3cd559b240 Debug : (0) Proxy-State = 0x30 Debug : (0) Proxy-State = 0x45ad4539 Debug : (0) finished request. Debug : Waking up in 147.881892498 seconds. Debug : Waking up in 4.999991043 seconds.
The output of the home server (running freeradius 3.0.17):
(41) Received Access-Request Id 47 from [::1]:49932 to [::1]:1812 length 219 (41) User-Name = "eduroam-selfcompile@extern.janfred.de" (41) NAS-IP-Address = 127.0.0.1 (41) Calling-Station-Id = "02-00-00-00-00-01" (41) Framed-MTU = 1400 (41) NAS-Port-Type = Wireless-802.11 (41) Service-Type = Framed-User (41) Connect-Info = "CONNECT 11Mbps 802.11b" (41) EAP-Message = 0x0200002a01656475726f616d2d73656c66636f6d70696c654065787465726e2e6a616e667265642e6465 (41) Event-Timestamp = "Jul 24 2019 17:05:32 CEST" (41) Operator-Name = "1uni-bremen.de" (41) Proxy-State = 0x30 (41) Proxy-State = 0x45ad4539 (41) Message-Authenticator = 0xf9e969fc1d6bd5a13e9dddee89bf1e41 (41) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (41) authorize { (41) policy filter_username { (41) if (&User-Name) { (41) if (&User-Name) -> TRUE (41) if (&User-Name) { (41) if (&User-Name =~ / /) { (41) if (&User-Name =~ / /) -> FALSE (41) if (&User-Name =~ /@[^@]*@/ ) { (41) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (41) if (&User-Name =~ /\.\./ ) { (41) if (&User-Name =~ /\.\./ ) -> FALSE (41) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (41) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (41) if (&User-Name =~ /\.$/) { (41) if (&User-Name =~ /\.$/) -> FALSE (41) if (&User-Name =~ /@\./) { (41) if (&User-Name =~ /@\./) -> FALSE (41) } # if (&User-Name) = notfound (41) } # policy filter_username = notfound (41) [preprocess] = ok (41) policy operator-name.authorize { (41) if ("%{client:Operator-Name}") { (41) EXPAND %{client:Operator-Name} (41) --> (41) if ("%{client:Operator-Name}") -> FALSE (41) } # policy operator-name.authorize = ok (41) suffix: Checking for suffix after "@" (41) suffix: Looking up realm "extern.janfred.de" for User-Name = "eduroam-selfcompile@extern.janfred.de" (41) suffix: Found realm "extern.janfred.de" (41) suffix: Adding Stripped-User-Name = "eduroam-selfcompile" (41) suffix: Adding Realm = "extern.janfred.de" (41) suffix: Authentication realm is LOCAL (41) [suffix] = ok (41) policy downcase_calling_station_id { (41) if (&Calling-Station-Id && (&Calling-Station-Id != "%{tolower:%{Calling-Station-Id}}")){ (41) EXPAND %{tolower:%{Calling-Station-Id}} (41) --> 02-00-00-00-00-01 (41) if (&Calling-Station-Id && (&Calling-Station-Id != "%{tolower:%{Calling-Station-Id}}")) -> FALSE (41) } # policy downcase_calling_station_id = ok (41) policy rewrite_calling_station_id { (41) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?$ [0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (41) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?$ [0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (41) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?$ [0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (41) update request { (41) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (41) --> 02-00-00-00-00-01 (41) &Calling-Station-Id := 02-00-00-00-00-01 (41) } # update request = noop (41) [updated] = updated (41) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a- f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (41) ... skipping else: Preceding "if" was taken (41) } # policy rewrite_calling_station_id = updated (41) if ( User-Name == "ocspmuststaple@extern.janfred.de" ) { (41) if ( User-Name == "ocspmuststaple@extern.janfred.de" ) -> FALSE (41) else { (41) eap: Peer sent EAP Response (code 2) ID 0 length 42 (41) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (41) [eap] = ok (41) } # else = ok (41) [expiration] = noop (41) [logintime] = noop (41) } # authorize = updated (41) Found Auth-Type = eap (41) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (41) Auth-Type eap { (41) eap: Peer sent packet with method EAP Identity (1) (41) eap: Calling submodule eap_ttls to process data (41) eap_ttls: Initiating new EAP-TLS session (41) eap_ttls: [eaptls start] = request (41) eap: Sending EAP Request (code 1) ID 1 length 6 (41) eap: EAP session adding &reply:State = 0x57487590574960fe (41) [eap] = handled (41) } # Auth-Type eap = handled (41) Using Post-Auth-Type Challenge (41) Post-Auth-Type sub-section not found. Ignoring. (41) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (41) Sent Access-Challenge Id 47 from [::1]:1812 to [::1]:49932 length 0 (41) EAP-Message = 0x010100061520 (41) Message-Authenticator = 0x00000000000000000000000000000000 (41) State = 0x57487590574960fe50542e3cd559b240 (41) Proxy-State = 0x30 (41) Proxy-State = 0x45ad4539 (41) Finished request Waking up in 4.9 seconds. (41) Cleaning up request packet ID 47 with timestamp +1283 Ready to process requests