On 28.01.2013 10:07, A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
This comes from the fact that in the status virtual-server, the "Autz-Type status-server" stanza is defined. But in the current virtual server receiving the "ping" (eduroam) it's not defined,so it triggers an reject message.
well, enable it then.
Well in the end it doesn't change much as the remote server will still mark the server alive after receiving 3 access-reject in response to his status-server.
correct
But is this behaviour wanted ?
depends. on you. there is no point in having an access-accept (using username/password) as thats a credential that could be leaked or stolen etc.... its actually just as good (and standard) to have a reject response....the remote server/local server still know that each other are alive!
ideally, both servers handle status-server packets and a basic 'status ping' will work just as well. Nice, thanks for those precisions AlanB :)
On a side note, I have something fun going on in post-auth here. I want to bypass the post-auth section for Packet-Type == Status-Server. So I wrote : post-auth { if(Packet-Type != Status-Server){ reply_log if("%{realm}" !~ /.*hes-so.ch/){ sql } } Post-Auth-Type REJECT { sql } } But the logic is inverted when you look at the logs. Now on the log ... rad_recv: Status-Server packet from host 127.0.0.1 port 60277, id=12, length=38 Message-Authenticator = 0xc09707a123242d5bee7be80eb07b3128 (81) # Executing group from file /etc/freeradius/sites-enabled/eduroam (81) group Status-Server { (81) - entering group Status-Server {...} (81) [ok] = ok (81) # Executing section post-auth from file /etc/freeradius/sites-enabled/eduroam (81) group post-auth { (81) - entering group post-auth {...} (81) ? if (Packet-Type != Status-Server) (81) ? Evaluating (Packet-Type != Status-Server) -> TRUE (81) ? if (Packet-Type != Status-Server) -> TRUE (81) if (Packet-Type != Status-Server) { (81) - entering if (Packet-Type != Status-Server) {...} And what's even more funny .... On an Access-Accept packet it says that Packet-Type != Status-Server -> FALSE :D rad_recv: Access-Accept packet from host 130.59.138.29 port 1812, id=129, length=189 MS-MPPE-Recv-Key = 0x180d7429b72d1ef1757290ed8a0f47e8f22583e1bcb704c208c89a405779ba0d MS-MPPE-Send-Key = 0x0602884e6fba66616fc31d0047a1947bc996d10034886589d1a7b4a2ef37879e EAP-Message = 0x03080004 Message-Authenticator = 0xbb3d302a9d2b4a124f70e8f49e1588dd User-Name = "anonymous@test.hes-so.ch" Proxy-State = 0x38 (110) # Executing section post-proxy from file /etc/freeradius/sites-enabled/eduroam (110) group post-proxy { (110) - entering group post-proxy {...} [snip of post_proxy_log junk] (110) [post_proxy_log] = ok (110) attr_filter.post-proxy : expand: '%{Realm}' -> 'DEFAULT' (110) attr_filter.post-proxy : Matched entry DEFAULT at line 103 (110) [attr_filter.post-proxy] = updated (110) Found Auth-Type = Accept (110) Auth-Type = Accept, accepting the user (110) # Executing section post-auth from file /etc/freeradius/sites-enabled/eduroam (110) group post-auth { (110) - entering group post-auth {...} (110) ? if (Packet-Type != Status-Server) (110) ? Evaluating (Packet-Type != Status-Server) -> FALSE (110) ? if (Packet-Type != Status-Server) -> FALSE Sending Access-Accept of id 8 from 127.0.0.1 port 1812 to 127.0.0.1 port 56702 MS-MPPE-Recv-Key = 0x180d7429b72d1ef1757290ed8a0f47e8f22583e1bcb704c208c89a405779ba0d EAP-Message = 0x03080004 Message-Authenticator = 0xbb3d302a9d2b4a124f70e8f49e1588dd -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mobile: +41 (0)78 619 73 53 Mail: olivier@heliosnet.org