RFC compliance in sanitizing Access-Reject responses
All, First, thank you for an excellent server. Within a few hours we went from google-ing for a radius server to having a proxy up which does (almost) everything we needed to make a third party device/server learn many cool new tricks. Unfortunately last night I had to spend 3 hours (maybe "only" 3 hours, attesting to high code quality) in trying to figure out why Access-Reject messages were loosing all but the Reply-Message attribute. Eventually I did find, first a hint on the mailing lists, then the RFC, and then finally after quite a bit of digging, the code in util.c : case PW_AUTHENTICATION_REJECT: pairmove2(&vps, &(packet->vps), PW_EAP_MESSAGE); pairmove2(&vps, &(packet->vps), PW_MESSAGE_AUTHENTICATOR); pairmove2(&vps, &(packet->vps), PW_REPLY_MESSAGE); break; I would like to suggest at least two small changes to make freeradius an even better tool than it already is. The first is really simple and would take practically no work at all: can we please have a log message here that notifies the user of this operation when running with -X? This would have saved me most of the time I've spent digging through mailing lists and the rlm_attr_filter code, and allowed me to quickly find the above culprit. This is actually quite necessary, since any "detail" logs that can be inserted on the proxy reply path happily show all attributes - the attributes magically disappear right before packet is sent. The second request is also trivial to implement: make the above code configurable/optional. Yes, there is a great deal of strength and respect in supporting the RFC to the dot - and without a doubt, that should be the default out-of-the-box configuration. But not all devices are created equal - and in my case, as I'm sure in some others, useful information is passed in the Access-Reject message in attributes other than Reply-Message. Obviously this is not compliant - but all the devices I have are quite happy accepting those "extra" arguments, and a third party server is certainly very happy to send them. Making this code "optional" with a config file switch saves me from hacking the sources. Code change can be achieved simply by moving up case PW_AUTHENTICATION_REJECT: above the default: case and wrapping the 4 line body (including break;) inside of an if statement, so this change is also quite triviail. The third "request" or "option" perhaps, is a bit more complex. I would propose that the above code is actually a hack to comply with RFC, and that the appropriate mechanism of accomplishing this effect is through an appropriate set of attribute filters (enabled by default). This would require extending the attr_filters module to consider the request/response type being filtered. The default configuration can point out the RFC in the comments and filter out everything with the three exceptions. This of course allows for maximal flexibility, while still respecting the standard in the default configuration. I think this one is quite a bit more work, so I do not put too many hopes into it, but I figured I would throw it out on the table. Again, thanks for a great server. The above "hickup" is hardly worth mentioning when compared to the overall experience we've had in setting up the proxy and getting it to do what we want.
Mike <needacoder@gmail.com> wrote:
First, thank you for an excellent server. Within a few hours we went from google-ing for a radius server to having a proxy up which does (almost) everything we needed to make a third party device/server learn many cool new tricks.
That's nice to hear.
I would like to suggest at least two small changes to make freeradius an even better tool than it already is. The first is really simple and would take practically no work at all: can we please have a log message here that notifies the user of this operation when running with -X?
That's not a bad idea. Even better, have module do for Access-Reject *and* Accounting-Response, and document what it does.
The second request is also trivial to implement: make the above code configurable/optional. Yes, there is a great deal of strength and respect in supporting the RFC to the dot - and without a doubt, that should be the default out-of-the-box configuration. But not all devices are created equal - and in my case, as I'm sure in some others, useful information is passed in the Access-Reject message in attributes other than Reply-Message.
I agree. The goal of the server is to have as much configurable as possible. The only things that are ot open for configuration are security issues that will destory your network if configured incorrectly.
The third "request" or "option" perhaps, is a bit more complex. I would propose that the above code is actually a hack to comply with RFC, and that the appropriate mechanism of accomplishing this effect is through an appropriate set of attribute filters (enabled by default).
That's probably the best response. When the server was originally written, there wasn't an "attr_filter" module, so that wasn't an option. We'll put this on the roadmap for 2.0.
Again, thanks for a great server. The above "hickup" is hardly worth mentioning when compared to the overall experience we've had in setting up the proxy and getting it to do what we want.
That's good to hear. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
On 8/23/06, Alan DeKok <aland@deployingradius.com> wrote:
I would like to suggest at least two small changes to make freeradius an even better tool than it already is. The first is really simple and would take practically no work at all: can we please have a log message here that notifies the user of this operation when running with -X?
That's not a bad idea. Even better, have module do for Access-Reject *and* Accounting-Response, and document what it does.
The second request is also trivial to implement: make the above code configurable/optional. Yes, there is a great deal of strength and respect in supporting the RFC to the dot - and without a doubt, that should be the default out-of-the-box configuration. But not all devices are created equal - and in my case, as I'm sure in some others, useful information is passed in the Access-Reject message in attributes other than Reply-Message.
I agree. The goal of the server is to have as much configurable as possible.
The only things that are ot open for configuration are security issues that will destory your network if configured incorrectly.
The third "request" or "option" perhaps, is a bit more complex. I would propose that the above code is actually a hack to comply with RFC, and that the appropriate mechanism of accomplishing this effect is through an appropriate set of attribute filters (enabled by default).
That's probably the best response. When the server was originally written, there wasn't an "attr_filter" module, so that wasn't an option.
We'll put this on the roadmap for 2.0.
Glad to hear it. Is there an estimate on 2.0 release date? I haven't been able to find this on the web site or in the faq.
Mike <needacoder@gmail.com> wrote:
Glad to hear it. Is there an estimate on 2.0 release date? I haven't been able to find this on the web site or in the faq.
Hopefully by November. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
I thought a little about filtering access-reject packets. Perhaps it's not very useful, but here is my personal opinion. 1. Allowing VSA in the reply packets is really a bug: if you have an existing username with a wrong password, the VSA useful to set up a connection were pulled from the database during autorize and are send in the reject packet. 2. Making the option user-defined may bring more confusion. Too many options make the server more difficult to configure. Moreover the administrator may not figure out easily that turning this option on will hit the bug in (1). 3. Moving the function to a module is a bit dangerous. The modules are optional, and I don't want the server to do something crazy when removing one of the modules. 4. I like software that figure out themselves what to do ;-) Apparently the users complaining about the problem are using FreeRADIUS as a proxy for RFC-ignorant third party servers. That's why I think we could relax the filter on proxy replies *only*. The rationale is when FreeRADIUS is acting as a home server, it's hard to configure it to intentionally reply VSA in access-reject, therefore the current behaviour should be fine. When FreeRADIUS is acting as proxy, we are not really responsible if the incoming packets are not RFC-compliant. Then perhaps it makes sense to allow the VSA in the latter case. -- Nicolas Baradakis
Nicolas Baradakis <nbk@sitadelle.com> wrote:
1. Allowing VSA in the reply packets is really a bug: if you have an existing username with a wrong password, the VSA useful to set up a connection were pulled from the database during autorize and are send in the reject packet.
That's more of a bug that the return attributes are set up before the user is fully authentication. They should be configured *after* authentication.
2. Making the option user-defined may bring more confusion. Too many options make the server more difficult to configure. Moreover the administrator may not figure out easily that turning this option on will hit the bug in (1).
I don't have a problem with using the attr_filter module.
3. Moving the function to a module is a bit dangerous. The modules are optional, and I don't want the server to do something crazy when removing one of the modules.
I agree But doing something dumb is different than doing something crazy. Sending attributes in an Access-Reject won't affect 99.9% of the clients, so there's no problem. Making the validation of Message-Authenticator optional is, however, not going to happen. Ever.
4. I like software that figure out themselves what to do ;-) Apparently the users complaining about the problem are using FreeRADIUS as a proxy for RFC-ignorant third party servers. That's why I think we could relax the filter on proxy replies *only*.
attr_filter should be able to do that.
The rationale is when FreeRADIUS is acting as a home server, it's hard to configure it to intentionally reply VSA in access-reject, therefore the current behaviour should be fine. When FreeRADIUS is acting as proxy, we are not really responsible if the incoming packets are not RFC-compliant. Then perhaps it makes sense to allow the VSA in the latter case.
Sure. But some NASes (rhymes with "bisco") need attributes in the Access-Reject, even locally. I'm not set on changing it, but I'm not set on the existing method, either. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan DeKok wrote:
Nicolas Baradakis <nbk@sitadelle.com> wrote:
1. Allowing VSA in the reply packets is really a bug: if you have an existing username with a wrong password, the VSA useful to set up a connection were pulled from the database during autorize and are send in the reject packet.
That's more of a bug that the return attributes are set up before the user is fully authentication. They should be configured *after* authentication.
Until now it's the only method to get reply items from a SQL database: you have to use the "authorize_reply_query" directive. I'm not using LDAP, but I think this module adds VP to the reply packet during authorize, too. Is it reasonable to modify the SQL queries in version 2.0? We could get only the check items in authorize, and the reply items will be pulled later in post-auth. (only if login is successful) As the failed login attempts represent a significant part of the total RADIUS traffic, this should notably reduce the load of the backend database. (we don't query reply items if not needed) -- Nicolas Baradakis
Nicolas Baradakis <nbk@sitadelle.com> wrote:
Until now it's the only method to get reply items from a SQL database: you have to use the "authorize_reply_query" directive. I'm not using LDAP, but I think this module adds VP to the reply packet during authorize, too.
Yes.
Is it reasonable to modify the SQL queries in version 2.0? We could get only the check items in authorize, and the reply items will be pulled later in post-auth. (only if login is successful)
Yes.
As the failed login attempts represent a significant part of the total RADIUS traffic, this should notably reduce the load of the backend database. (we don't query reply items if not needed)
Yes. We'll just have to document it. I'll start a page on migration from 1.x to 2.x, and document some of the changes I've made. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (3)
-
Alan DeKok -
Mike -
Nicolas Baradakis