Thanks for the patch, but unfortunately it still doesn't detect the newly added home server: (0) Received Access-Request Id 23 (0) User-Name = "anonymous@openroaming.goog" (0) NAS-IP-Address = 192.168.1.116 (0) NAS-Identifier = "E0-CB-BC-8A-1A-6E:vap2" (0) Called-Station-Id = "EA-CB-BC-8A-1A-6E:OpenRoaming" (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) NAS-Port = 1 (0) Calling-Station-Id = "EA-67-EB-42-53-54" (0) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 24 / Channel: 11" (0) Acct-Session-Id = "F31127A5FD1096A9" (0) Acct-Multi-Session-Id = "DF5D82378001D0A8" (0) WLAN-Pairwise-Cipher = 1027076 (0) WLAN-Group-Cipher = 1027076 (0) WLAN-AKM-Suite = 1027073 (0) Meraki-Ap-Name = "meraki-mr42-test-ap" (0) Meraki-Ap-Tags = " recently-added " (0) Meraki-Device-Name = "meraki-mr42-test-ap" (0) Framed-MTU = 1400 (0) EAP-Message = 0x02d7001f01616e6f6e796d6f7573406f70656e726f616d696e672e676f6f67 (0) HS20-AP-Version = 1 (0) HS20-Mobile-Device-Version = 0x010000 (0) HS20-Roaming-Consortium = 0x5a03ba0000 (0) Message-Authenticator = 0xa19f2c8cbd0ed22319bc5601aea1e902 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) [preprocess] = ok (0) policy openroaming_lookup { (0) if (User-Name =~ /@(.*)$/) { (0) if (User-Name =~ /@(.*)$/) -> TRUE (0) if (User-Name =~ /@(.*)$/) { (0) switch %{home_server_dynamic:%{1}} { (0) EXPAND %{home_server_dynamic:%{1}} (0) --> (0) case { (0) update control { (0) Executing: %{config:confdir}/mods-config/realm/freeradius-naptr-to-home-server.sh -d %{config:confdir} %{1} aaa+auth:radius.tls.tcp: (0) EXPAND confdir (0) --> confdir (0) EXPAND %{config:confdir}/mods-config/realm/freeradius-naptr-to-home-server.sh (0) --> /usr/local/etc/raddb/mods-config/realm/freeradius-naptr-to-home-server.sh (0) EXPAND confdir (0) --> confdir (0) EXPAND %{config:confdir} (0) --> /usr/local/etc/raddb (0) EXPAND %{1} (0) --> openroaming.goog Waking up in 0.3 seconds. ... new connection request on command socket Listening on command file /usr/local/var/run/radiusd/radiusd.sock Waking up in 0.1 seconds. radmin> add home_server file /usr/local/etc/raddb/home_servers/ openroaming.goog including configuration file /usr/local/etc/raddb/home_servers/ openroaming.goog including configuration file /usr/local/etc/raddb/home_servers/tls.conf home_server openroaming.goog { nonblock = no ipaddr = radsec.openroaming.goog IPv4 address [146.148.44.172] port = 2083 type = "auth+acct" proto = "tcp" secret = <<< secret >>> response_window = 30.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "none" ping_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 300 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } recv_coa { } } tls { verify_depth = 0 pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/new/wba/x.key" certificate_file = "/usr/local/etc/raddb/certs/new/wba/x.crt" ca_file = "/usr/local/etc/raddb/certs/new/wba/x.ca" private_key_password = <<< secret >>> fragment_size = 8192 include_length = yes check_crl = no cipher_list = "ALL" ca_path_reload_interval = 0 ecdh_curve = "prime256v1" tls_max_version = "1.3" tls_min_version = "1.2" } (0) Program returned code (0) and output 'openroaming.goog' (0) &Temp-Home-Server-String := openroaming.goog (0) } # update control = noop (0) if (&control:Temp-Home-Server-String == "" ) { (0) if (&control:Temp-Home-Server-String == "" ) -> FALSE (0) else { (0) update control { (0) EXPAND %{1} (0) --> openroaming.goog (0) &Home-Server-Name := openroaming.goog (0) } # update control = noop (0) } # else = noop (0) } # case = noop (0) } # switch %{home_server_dynamic:%{1}} = noop (0) } # if (User-Name =~ /@(.*)$/) = noop (0) } # policy openroaming_lookup = noop (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "openroaming.goog" for User-Name = " anonymous@openroaming.goog" (0) suffix: No such realm "openroaming.goog" (0) [suffix] = noop (0) [chap] = noop (0) eap: Peer sent EAP Response (code 2) ID 215 length 31 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Proxying due to Home-Server-Name (0) WARNING: No such home server openroaming.goog (0) There was no response configured: rejecting request (0) Using Post-Auth-Type Reject (0) Login incorrect: [anonymous@openroaming.goog/<via Auth-Type = eap>] (0) Sent Access-Reject Id 23 If I restart the server with the dynamic home_server existing (added in previous request), it finds it but still fails to proxy with the same error "No such home server openroaming.goog": Ready to process requests Thread 4 got semaphore Thread 4 handling request 1, (1 handled so far) (1) Received Access-Request Id 47 (1) User-Name = "anonymous@openroaming.goog" (1) NAS-IP-Address = 192.168.1.116 (1) NAS-Identifier = "E0-CB-BC-8A-1A-6E:vap2" (1) Called-Station-Id = "EA-CB-AC-8A-1A-6E:OpenRoaming" (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) NAS-Port = 1 (1) Calling-Station-Id = "EA-67-EB-42-53-54" (1) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 24 / Channel: 40" (1) Acct-Session-Id = "6B0E19729A2182BD" (1) Acct-Multi-Session-Id = "50ADAEDCDD91F194" (1) WLAN-Pairwise-Cipher = 1027076 (1) WLAN-Group-Cipher = 1027076 (1) WLAN-AKM-Suite = 1027073 (1) Meraki-Ap-Name = "meraki-mr42-test-ap" (1) Meraki-Ap-Tags = " recently-added " (1) Meraki-Device-Name = "meraki-mr42-test-ap" (1) Framed-MTU = 1400 (1) EAP-Message = 0x028a001f01616e6f6e796d6f7573406f70656e726f616d696e672e676f6f67 (1) HS20-AP-Version = 1 (1) HS20-Mobile-Device-Version = 0x010000 (1) HS20-Roaming-Consortium = 0x5a03ba0000 (1) Message-Authenticator = 0x47f64e212bc52c41b171fcfa5b5879dc (1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (1) authorize { (1) [preprocess] = ok (1) policy openroaming_lookup { (1) if (User-Name =~ /@(.*)$/) { (1) if (User-Name =~ /@(.*)$/) -> TRUE (1) if (User-Name =~ /@(.*)$/) { (1) switch %{home_server_dynamic:%{1}} { (1) EXPAND %{home_server_dynamic:%{1}} (1) --> 1 (1) case 1 { (1) update control { (1) EXPAND %{1} (1) --> openroaming.goog (1) &Home-Server-Name := openroaming.goog (1) } # update control = noop (1) } # case 1 = noop (1) } # switch %{home_server_dynamic:%{1}} = noop (1) } # if (User-Name =~ /@(.*)$/) = noop (1) } # policy openroaming_lookup = noop (1) policy username_lookup { (1) suffix: Checking for suffix after "@" (1) suffix: Looking up realm "openroaming.goog" for User-Name = " anonymous@openroaming.goog" (1) suffix: No such realm "openroaming.goog" (1) [suffix] = noop (1) [chap] = noop (1) eap: Peer sent EAP Response (code 2) ID 138 length 31 (1) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (1) [eap] = ok (1) } # authorize = ok (1) Proxying due to Home-Server-Name (1) WARNING: No such home server openroaming.goog (1) There was no response configured: rejecting request (1) Using Post-Auth-Type Reject (1) Login incorrect: [anonymous@openroaming.goog/<via Auth-Type = eap>] (1) Sent Access-Reject Id 47 On Mon, 15 Jul 2024 at 20:52, Alan DeKok <aland@deployingradius.com> wrote:
On Jul 15, 2024, at 3:14 PM, James Wood via Freeradius-Users < freeradius-users@lists.freeradius.org> wrote:
Unfortunately this breaks it... it now doesn't even find the dynamically added home server for authentication requests:
Please use "radiusd -X". Adding more "-x" doesn't help.
Please try the fix in https://github.com/FreeRADIUS/freeradius-server/commit/76e3504728eb6c986d8bc...
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html