Current status of freeradius v4
Hello, I'm currently trying out the current master build at my university for eduroam authentication and have discovered some errors/difficulties (e.g. mschapv2 failed when only NT-Password and no LM-Password was supplied, Issue #2799). Currently, I don't know if it is helpful to create a github issue for each issue I'll find, so I just wanted to ask here: Whats the current status of Freeradius 4? Is it still under heavy development and bug reports will just increase the background noise or is the current master supposed to be somewhat stable and issues will help? Two issues I'm currently dealing with: * Proxying RADIUS-Requests (freeradius 4 send out Access-Rejects when received a Access-Challenge from the home server) * Linelog module (reply:Packet-Type seems to be empty, Debug output tells me not to use Response-Packet-Type) Kind regards, Jan-Frederik Rieckers
On Jul 24, 2019, at 5:02 AM, Jan-Frederik Rieckers <rieckers+freeradius-devel@uni-bremen.de> wrote:
I'm currently trying out the current master build at my university for eduroam authentication and have discovered some errors/difficulties (e.g. mschapv2 failed when only NT-Password and no LM-Password was supplied, Issue #2799).
That's been fixed.
Currently, I don't know if it is helpful to create a github issue for each issue I'll find, so I just wanted to ask here:
Whats the current status of Freeradius 4? Is it still under heavy development and bug reports will just increase the background noise or is the current master supposed to be somewhat stable and issues will help?
It's still under heavy development. That being said, some specific builds are in production use at large Telcos. But the daily builds may or may not work perfectly. For bug reports, it's fine to submit a detailed bug report saying "this should work, but it doesn't work". With debug output, steps to reproduce, etc. We've gotten a few bug reports from people who are surprised that v4 doesn't work the same as v3. Those reports are closed as "not a bug, RTFM".
Two issues I'm currently dealing with: * Proxying RADIUS-Requests (freeradius 4 send out Access-Rejects when received a Access-Challenge from the home server)
That seems bad. The rlm_radius module was tested with proxying, but not with Access-Challenge packets. In the short term, you can over-ride this with policies. When running the RADIUS module, do: radius if (updated) { update reply { Packet-Type := Access-Challenge } } I'll try to push a cleaner fix today.
* Linelog module (reply:Packet-Type seems to be empty, Debug output tells me not to use Response-Packet-Type)
Hmm... it should only complain there if you're actually using Response-Packet-Type. What does the full debug output say? We're using linelog all over the place, so it should work. Alan DeKok.
Hello, Thanks for the quick reply! On 24.07.19 13:11, Alan DeKok wrote:
(e.g. mschapv2 failed when only NT-Password and no LM-Password was supplied, Issue #2799).
That's been fixed.
Seen that. Thanks for fixing it so fast.
Two issues I'm currently dealing with: * Proxying RADIUS-Requests (freeradius 4 send out Access-Rejects when received a Access-Challenge from the home server)
That seems bad. The rlm_radius module was tested with proxying, but not with Access-Challenge packets.
In the short term, you can over-ride this with policies. When running the RADIUS module, do:
radius if (updated) { update reply { Packet-Type := Access-Challenge } }
I'll try to push a cleaner fix today.
I assume the fix was pushed in the commit "handle Access-Challenge responses" ? If so, it still has problems proxying Access-Challenge packets. See debug output and configuration below. Regarding the linelog module: If I use %{reply:Packet-Type} as message selector, this variable seems to be empty. (I haven't tested that with the current master, only the one from yesterday) Greetings, Jan-Frederik Rieckers (PS: Whenever I shoud stop using freeradius-devel for this and use freeradius-users or Github Issues, please tell me.) This is my configuration: sites-enabled/default
recv Access-Request { filter_username if (&User-Name =~ /@uni-bremen\.de$/ \ || &User-Name =~ /@guest.uni-bremen.de$/) { eap { ok = return } } else { update control { &Auth-Type := proxy-to-radsec } } } recv Status-Server { ok } authenticate eap { eap } authenticate proxy-to-radsec { redundant { radsec1 radsec2 } if (updated) { update reply { &Packet-Type := Access-Challenge } } } send Access-Challenge { attr_filter.access_challenge.post-auth handled } send Access-Accept { update { &reply: += &session-state: } outer_linelog eap -sql remove_reply_message_if_eap } send Access-Reject { -sql outer_linelog attr_filter.access_reject eap remove_reply_message_if_eap delay_reject }
and mods-enabled/radsecproxy
radius radsec1 { transport = udp type = Access-Request udp { ipaddr = X.X.X.X port = 2084 secret = *secret* } } radius radsec2 { transport = udp type = Access-Request udp { ipaddr = Y.Y.Y.Y port = 2084 secret = *secret* } }
mods-enabled/linelog:
linelog outer_linelog { destination = 'syslog' syslog { facility = local3 } reference = "messages.%{%{Response-Packet-Type}:-default}" messages { default = "Unknown packet type %{Packet-Type}" Access-Accept = "Login OK: [%{User-Name}] (cli %{request:Calling-Station-Id})" Access-Reject = "Login incorrect: [%{User-Name}] (%{%{reply:Reply-Message}:-%{request:Module-Failure-Message}}) (cli %{request:Calling-Station-Id})" } }
The output of radiusd -X:
Debug : proto_radius_udp - Received Access-Request ID 30 length 213 proto_radius_udp server * port 1812 Debug : (0) Received Access-Request ID 30 from 10.11.0.216:56845 to 10.11.0.232:1812 length 213 via socket proto_radius_udp server * port 1812 Debug : (0) User-Name = "eduroam-selfcompile@extern.janfred.de" Debug : (0) NAS-IP-Address = 127.0.0.1 Debug : (0) Calling-Station-Id = "02-00-00-00-00-01" Debug : (0) Framed-MTU = 1400 Debug : (0) NAS-Port-Type = Wireless-802.11 Debug : (0) Service-Type = Framed-User Debug : (0) Connect-Info = "CONNECT 11Mbps 802.11b" Debug : (0) EAP-Message = 0x0200002a01656475726f616d2d73656c66636f6d70696c654065787465726e2e6a616e667265642e6465 Debug : (0) Message-Authenticator = 0xecf8fd6c7d455e2f366350e1f17d8609 Debug : (0) Event-Timestamp = Jul 24 2019 15:05:32 UTC Debug : (0) Operator-Name = "1uni-bremen.de" Debug : (0) Proxy-State = 0x30 Debug : Resetting worker 30 cleanup timer to +0s Debug : (0) running request Debug : (0) Running 'recv Access-Request' from file /usr/local/etc/raddb/sites-enabled/default-nocomment Debug : (0) recv Access-Request { Debug : (0) filter_username { Debug : (0) if (&State) { Debug : (0) ... Debug : (0) } Debug : (0) elseif (&User-Name) { Debug : (0) if (&User-Name =~ / /) { Debug : (0) ... Debug : (0) } Debug : (0) if (&User-Name =~ /@[^@]*@/ ) { Debug : (0) ... Debug : (0) } Debug : (0) if (&User-Name =~ /\.\./ ) { Debug : (0) ... Debug : (0) } Debug : (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) { Debug : (0) ... Debug : (0) } Debug : (0) if (&User-Name =~ /\.$/) { Debug : (0) ... Debug : (0) } Debug : (0) if (&User-Name =~ /@\./) { Debug : (0) ... Debug : (0) } Debug : (0) update session-state { Debug : (0) &Session-State-User-Name := &User-Name -> "eduroam-selfcompile@extern.janfred.de" Debug : (0) } # update session-state (noop) Debug : (0) } # elseif (&User-Name) (noop) Debug : (0) } # filter_username (noop) Debug : (0) if (&User-Name =~ /@uni-bremen\.de$/ || &User-Name =~ /@guest.uni-bremen.de$/) { Debug : (0) ... Debug : (0) } Debug : (0) else { Debug : (0) update control { Debug : (0) &Auth-Type := proxy-to-radsec Debug : (0) } # update control (noop) Debug : (0) } # else (noop) Debug : (0) } # recv Access-Request (noop) Debug : (0) Running 'authenticate proxy-to-radsec' from file /usr/local/etc/raddb/sites-enabled/default-nocomment Debug : (0) authenticate proxy-to-radsec { Debug : (0) group { Debug : (0) Sending Access-Request ID 0 length 195 over connection proto udp local 0.0.0.0 port 56773 remote 10.11.0.216 port 20$ 4 Debug : (0) &User-Name = "eduroam-selfcompile@extern.janfred.de" Debug : (0) &NAS-IP-Address = 127.0.0.1 Debug : (0) &Calling-Station-Id = "02-00-00-00-00-01" Debug : (0) &Framed-MTU = 1400 Debug : (0) &NAS-Port-Type = Wireless-802.11 Debug : (0) &Service-Type = Framed-User Debug : (0) &Connect-Info = "CONNECT 11Mbps 802.11b" Debug : (0) &EAP-Message = 0x0200002a01656475726f616d2d73656c66636f6d70696c654065787465726e2e6a616e667265642e6465 Debug : (0) &Event-Timestamp = Jul 24 2019 15:05:32 UTC Debug : (0) &Operator-Name = "1uni-bremen.de" Debug : (0) &Proxy-State = 0x30 Debug : (0) &Proxy-State = 0x45ad4539 Debug : (0) &Message-Authenticator = 0x45d55902781dc4ea5b7d27ba63e6a80d Debug : (0) radsec1 - Proxying request. Expecting response within 2.000000s Debug : (0) radsec1 (yield) Debug : Waking up in 1.996337512 seconds. Debug : (0) Received Access-Challenge ID 11 length 73 reply packet on connection proto udp local 0.0.0.0 port 56773 remote 10.11. 0.216 port 2084 Debug : (0) &EAP-Message = 0x010100061520 Debug : (0) &Message-Authenticator = 0xaa2410363e4546fcad585a1bb568af94 Debug : (0) &State = 0x57487590574960fe50542e3cd559b240 Debug : (0) &Proxy-State = 0x30 Debug : (0) &Proxy-State = 0x45ad4539 Debug : radsec1 - Setting idle timeout to +300.000 for connection proto udp local 0.0.0.0 port 56773 remote 10.11.0.216 port 2084 Debug : (0) running request Debug : (0) radsec1 - Resuming execution Debug : (0) radsec1 (updated) Debug : (0) } # group (updated) Debug : (0) if (updated) { Debug : (0) update reply { Debug : (0) &Packet-Type := Access-Challenge Debug : (0) } # update reply (noop) Debug : (0) } # if (updated) (noop) Debug : (0) } # authenticate proxy-to-radsec (noop) Debug : (0) Failed to authenticate the user Debug : (0) Running 'send Access-Reject' from file /usr/local/etc/raddb/sites-enabled/default-nocomment Debug : (0) send Access-Reject { Debug : (0) outer_linelog - EXPAND messages.%{%{Response-Packet-Type}:-default} WARN : (0) outer_linelog - WARNING: %{Response-Packet-Type} is ONLY for responses! WARN : (0) outer_linelog - WARNING: Please replace %{Response-Packet-Type} with %{reply:Packet-Type} Debug : (0) outer_linelog - --> messages.Access-Reject Debug : (0) outer_linelog - EXPAND Login incorrect: [%{User-Name}] (%{%{reply:Reply-Message}:-%{request:Module-Failure-Message}}) ( cli %{request:Calling-Station-Id}) Debug : (0) outer_linelog - --> Login incorrect: [eduroam-selfcompile@extern.janfred.de] () (cli 02-00-00-00-00-01) Debug : (0) outer_linelog (ok) Debug : (0) attr_filter.access_reject - EXPAND %{User-Name} Debug : (0) attr_filter.access_reject - --> eduroam-selfcompile@extern.janfred.de Debug : (0) attr_filter.access_reject - Matched entry DEFAULT at line 11 Debug : (0) attr_filter.access_reject (updated) Debug : (0) eap (noop) Debug : (0) remove_reply_message_if_eap { Debug : (0) if (&reply:EAP-Message && &reply:Reply-Message) { Debug : (0) ... Debug : (0) } Debug : (0) else { Debug : (0) noop (noop) Debug : (0) } # else (noop) Debug : (0) } # remove_reply_message_if_eap (noop) Debug : (0) delay_reject - EXPAND %{%{reply:FreeRADIUS-Response-Delay}:-1} Debug : (0) delay_reject - --> 1 Debug : (0) delay_reject - Delaying request by ~0.955292996s Debug : (0) delay_reject (yield) Debug : Waking up in 0.954933986 seconds. Debug : (0) Delay done Debug : (0) running request Debug : (0) delay_reject - Resuming execution Debug : (0) delay_reject (ok) Debug : (0) } # send Access-Reject (updated) Debug : (0) done request Debug : (0) Sending Access-Reject ID 30 from 10.11.0.232:1812 to 10.11.0.216:56845 length 73 via socket proto_radius_udp server * por t 1812 Debug : (0) EAP-Message = 0x010100061520 Debug : (0) Message-Authenticator = 0xaa2410363e4546fcad585a1bb568af94 Debug : (0) State = 0x57487590574960fe50542e3cd559b240 Debug : (0) Proxy-State = 0x30 Debug : (0) Proxy-State = 0x45ad4539 Debug : (0) finished request. Debug : Waking up in 147.881892498 seconds. Debug : Waking up in 4.999991043 seconds.
The output of the home server (running freeradius 3.0.17):
(41) Received Access-Request Id 47 from [::1]:49932 to [::1]:1812 length 219 (41) User-Name = "eduroam-selfcompile@extern.janfred.de" (41) NAS-IP-Address = 127.0.0.1 (41) Calling-Station-Id = "02-00-00-00-00-01" (41) Framed-MTU = 1400 (41) NAS-Port-Type = Wireless-802.11 (41) Service-Type = Framed-User (41) Connect-Info = "CONNECT 11Mbps 802.11b" (41) EAP-Message = 0x0200002a01656475726f616d2d73656c66636f6d70696c654065787465726e2e6a616e667265642e6465 (41) Event-Timestamp = "Jul 24 2019 17:05:32 CEST" (41) Operator-Name = "1uni-bremen.de" (41) Proxy-State = 0x30 (41) Proxy-State = 0x45ad4539 (41) Message-Authenticator = 0xf9e969fc1d6bd5a13e9dddee89bf1e41 (41) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (41) authorize { (41) policy filter_username { (41) if (&User-Name) { (41) if (&User-Name) -> TRUE (41) if (&User-Name) { (41) if (&User-Name =~ / /) { (41) if (&User-Name =~ / /) -> FALSE (41) if (&User-Name =~ /@[^@]*@/ ) { (41) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (41) if (&User-Name =~ /\.\./ ) { (41) if (&User-Name =~ /\.\./ ) -> FALSE (41) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (41) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (41) if (&User-Name =~ /\.$/) { (41) if (&User-Name =~ /\.$/) -> FALSE (41) if (&User-Name =~ /@\./) { (41) if (&User-Name =~ /@\./) -> FALSE (41) } # if (&User-Name) = notfound (41) } # policy filter_username = notfound (41) [preprocess] = ok (41) policy operator-name.authorize { (41) if ("%{client:Operator-Name}") { (41) EXPAND %{client:Operator-Name} (41) --> (41) if ("%{client:Operator-Name}") -> FALSE (41) } # policy operator-name.authorize = ok (41) suffix: Checking for suffix after "@" (41) suffix: Looking up realm "extern.janfred.de" for User-Name = "eduroam-selfcompile@extern.janfred.de" (41) suffix: Found realm "extern.janfred.de" (41) suffix: Adding Stripped-User-Name = "eduroam-selfcompile" (41) suffix: Adding Realm = "extern.janfred.de" (41) suffix: Authentication realm is LOCAL (41) [suffix] = ok (41) policy downcase_calling_station_id { (41) if (&Calling-Station-Id && (&Calling-Station-Id != "%{tolower:%{Calling-Station-Id}}")){ (41) EXPAND %{tolower:%{Calling-Station-Id}} (41) --> 02-00-00-00-00-01 (41) if (&Calling-Station-Id && (&Calling-Station-Id != "%{tolower:%{Calling-Station-Id}}")) -> FALSE (41) } # policy downcase_calling_station_id = ok (41) policy rewrite_calling_station_id { (41) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?$ [0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (41) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?$ [0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (41) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?$ [0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (41) update request { (41) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (41) --> 02-00-00-00-00-01 (41) &Calling-Station-Id := 02-00-00-00-00-01 (41) } # update request = noop (41) [updated] = updated (41) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a- f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (41) ... skipping else: Preceding "if" was taken (41) } # policy rewrite_calling_station_id = updated (41) if ( User-Name == "ocspmuststaple@extern.janfred.de" ) { (41) if ( User-Name == "ocspmuststaple@extern.janfred.de" ) -> FALSE (41) else { (41) eap: Peer sent EAP Response (code 2) ID 0 length 42 (41) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (41) [eap] = ok (41) } # else = ok (41) [expiration] = noop (41) [logintime] = noop (41) } # authorize = updated (41) Found Auth-Type = eap (41) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (41) Auth-Type eap { (41) eap: Peer sent packet with method EAP Identity (1) (41) eap: Calling submodule eap_ttls to process data (41) eap_ttls: Initiating new EAP-TLS session (41) eap_ttls: [eaptls start] = request (41) eap: Sending EAP Request (code 1) ID 1 length 6 (41) eap: EAP session adding &reply:State = 0x57487590574960fe (41) [eap] = handled (41) } # Auth-Type eap = handled (41) Using Post-Auth-Type Challenge (41) Post-Auth-Type sub-section not found. Ignoring. (41) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (41) Sent Access-Challenge Id 47 from [::1]:1812 to [::1]:49932 length 0 (41) EAP-Message = 0x010100061520 (41) Message-Authenticator = 0x00000000000000000000000000000000 (41) State = 0x57487590574960fe50542e3cd559b240 (41) Proxy-State = 0x30 (41) Proxy-State = 0x45ad4539 (41) Finished request Waking up in 4.9 seconds. (41) Cleaning up request packet ID 47 with timestamp +1283 Ready to process requests
On Jul 24, 2019, at 11:13 AM, Jan-Frederik Rieckers <rieckers+freeradius-devel@uni-bremen.de> wrote:
Thanks for the quick reply!
Try getting that level of support from Cisco. :)
I assume the fix was pushed in the commit "handle Access-Challenge responses" ?
Yes.
If so, it still has problems proxying Access-Challenge packets. See debug output and configuration below.
If you're running that code, you don't need to manually set the reply packet type. It should just work.
Regarding the linelog module: If I use %{reply:Packet-Type} as message selector, this variable seems to be empty. (I haven't tested that with the current master, only the one from yesterday)
Hmm.. I'll have to try that. We're using the linelog module a lot, and it seems to work fine.
(PS: Whenever I shoud stop using freeradius-devel for this and use freeradius-users or Github Issues, please tell me.)
It's fine to talk here.
Debug : (0) Received Access-Challenge ID 11 length 73 reply packet on connection proto udp local 0.0.0.0 port 56773 remote 10.11. 0.216 port 2084 Debug : (0) &EAP-Message = 0x010100061520 Debug : (0) &Message-Authenticator = 0xaa2410363e4546fcad585a1bb568af94 Debug : (0) &State = 0x57487590574960fe50542e3cd559b240 Debug : (0) &Proxy-State = 0x30 Debug : (0) &Proxy-State = 0x45ad4539 Debug : radsec1 - Setting idle timeout to +300.000 for connection proto udp local 0.0.0.0 port 56773 remote 10.11.0.216 port 2084 Debug : (0) running request Debug : (0) radsec1 - Resuming execution Debug : (0) radsec1 (updated) Debug : (0) } # group (updated)
That's good
Debug : (0) if (updated) { Debug : (0) update reply { Debug : (0) &Packet-Type := Access-Challenge Debug : (0) } # update reply (noop) Debug : (0) } # if (updated) (noop) Debug : (0) } # authenticate proxy-to-radsec (noop)
That's bad. The "noop' return code shouldn't over-ride the "updated" one. In the short term, you can do: authenticate proxy-to-radsec { redundant { radsec1 radsec2 } if (updated) { update reply { &Packet-Type := Access-Challenge } ok } } And that should fix it. Alan DeKok.
On 24.07.19 19:26, Alan DeKok wrote:
If you're running that code, you don't need to manually set the reply packet type. It should just work.
I've tried these "fixes": * Leave everything as it is * Remove the update{} section * Add the "ok" after the update{} All of these fixes don't work. When I run eapol_test, it tells me for the reply Invalid Message-Authenticator! Incoming RADIUS packet did not have correct Message-Authenticator - dropped So it seems to be a problem with message authenticator also? If it would help, I could try to create a set of docker containers to replicate my test setup. Currently this (shoud be|is) the trace of the Radius-Packets: |------------------------------| | Test Machine with eapol_test | |------------------------------| | RADIUS V |------------------------------| | Selfcompiled Freeradius | |------------------------------| | RADIUS V |----------------------------------| | Radsecproxy on production server | |----------------------------------| | RADIUS over TLS V |--------------------------------| | Radsecproxy on my server | | | RADIUS | | V | | Freeradius 3.0.17 on my server | |--------------------------------| So there are a lot of places where it could break, I'll try out for myself which setups work and which don't. Jan-Frederik Rieckers
On Jul 24, 2019, at 2:11 PM, Jan-Frederik Rieckers <rieckers+freeradius-devel@uni-bremen.de> wrote:
I've tried these "fixes":
* Leave everything as it is * Remove the update{} section * Add the "ok" after the update{}
All of these fixes don't work.
Which means... what?
When I run eapol_test, it tells me for the reply Invalid Message-Authenticator! Incoming RADIUS packet did not have correct Message-Authenticator - dropped
So it seems to be a problem with message authenticator also?
Yes, it's not creating a Message-Authenticator attribute for proxied replies that have EAP-Message. I've pushed a fix. Alan DeKok.
I'll set up a set of docker containers to test some different use cases I can imagine when dealing with RADIUS proxying in eduroam. Probably this will take the next week, when I'm ready I'll post a link where you can try out all these things. With the current master I still have the problem that, if I omit the "if (updated)"-Section freeradius sends out Access-Reject when getting an Access-Challenge. When I put the "if(updated)" section there, it sends out the Access-Challenge, but with incorrect Message Authenticator and I haven't foud a way to tell my check script to ignore the Message Authenticator, so I haven't tested it further yet. I currently can't post the radius debug output, I'll probably do that in a few days, when I had the time to create a setup without any production secrets inside the configuration. Greetings Jan-Frederik Rieckers On 26.07.19 00:20, Alan DeKok wrote:
On Jul 24, 2019, at 2:11 PM, Jan-Frederik Rieckers <rieckers+freeradius-devel@uni-bremen.de> wrote:
I've tried these "fixes":
* Leave everything as it is * Remove the update{} section * Add the "ok" after the update{}
All of these fixes don't work.
Which means... what?
When I run eapol_test, it tells me for the reply Invalid Message-Authenticator! Incoming RADIUS packet did not have correct Message-Authenticator - dropped
So it seems to be a problem with message authenticator also?
Yes, it's not creating a Message-Authenticator attribute for proxied replies that have EAP-Message.
I've pushed a fix.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
On Jul 26, 2019, at 9:04 AM, Jan-Frederik Rieckers <rieckers+freeradius-devel@uni-bremen.de> wrote:
Probably this will take the next week, when I'm ready I'll post a link where you can try out all these things.
I have some tests to reproduce it here.
With the current master I still have the problem that, if I omit the "if (updated)"-Section freeradius sends out Access-Reject when getting an Access-Challenge. When I put the "if(updated)" section there, it sends out the Access-Challenge, but with incorrect Message Authenticator and I haven't foud a way to tell my check script to ignore the Message Authenticator, so I haven't tested it further yet.
I've starting poke it, and am looking into some other issues. I'll see if I can push some patches. Alan DeKok.
On Jul 26, 2019, at 9:04 AM, Jan-Frederik Rieckers <rieckers+freeradius-devel@uni-bremen.de> wrote:
With the current master I still have the problem that, if I omit the "if (updated)"-Section freeradius sends out Access-Reject when getting an Access-Challenge. When I put the "if(updated)" section there, it sends out the Access-Challenge, but with incorrect Message Authenticator and I haven't foud a way to tell my check script to ignore the Message Authenticator, so I haven't tested it further yet.
I've pushed some fixes. This should now work: server proxy { namespace = radius listen { type = Access-Request transport = udp udp { ipaddr = * port = 1812 } } recv Access-Request { update session-state { &Session-State-User-Name := &User-Name } update control { &Auth-Type := proxy } } authenticate proxy { radius } }
participants (2)
-
Alan DeKok -
Jan-Frederik Rieckers