On Wed, Feb 17, 2021 at 7:56 AM Alan DeKok <aland@deployingradius.com> wrote:
On Feb 16, 2021, at 10:44 PM, Nick Bogdanov <nickrbogdanov@gmail.com> wrote
They are getting set under "authenticate eap" and they are being correctly parsed under "recv Access-Request". But then when I hit the "send Access-Accept" step, they all vanish:
Looking into this some more:
* I've fixed the cert expiration timestamp issue
* there was a memory leak which is now fixed
* for various reasons the TLS certs are available in the sub request, and will need to be copied manually (sorry) to the parent
* which means you need to enable `virtual_server = check-eap-tls` in mods-enabled/eap, and then put policies in there
That should work.
Hmm, still no luck enabling check-eap-tls. If I set `virtual_server = check-eap-tls` in mods-enabled/eap and then symlink sites-available/check-eap-tls to sites-enabled/, it aborts on startup: Parsing security rules to bootstrap UID / GID / chroot / etc. main { prefix = /root/freeradius-server/pfx security { allow_core_dumps = no allow_vulnerable_openssl = no openssl_fips_mode = no } name = radiusd local_state_dir = "/root/freeradius-server/pfx/var" run_dir = /root/freeradius-server/pfx/var/run/radiusd } Parsing main configuration. main { ...freeradius-server/pfx/etc/raddb/sites-enabled/check-eap-tls[31]: virtual server check-eap-tls MUST contain a 'namespace' option If I add `namespace = check-eap-tls` at the top of the server {} section, radiusd gets to the end of the handshake and then rejects the request here: (8) Running request (8) Restored &session-state (8) &session-state.Session-State-User-Name = "a" (8) Running 'recv Access-Request' from file /root/freeradius-server/pfx/etc/raddb/sites-enabled/default (8) recv Access-Request { (8) policy filter_username { (8) if (&State) { (8) if (&User-Name) { (8) if (!&session-state.Session-State-User-Name) { (8) ... (8) } (8) if (&User-Name != &session-state.Session-State-User-Name) { (8) ... (8) } (8) } # if (&User-Name) (...) (8) } # if (&State) (...) (8) } # policy filter_username (...) (8) chap (noop) (8) mschap (noop) (8) digest (noop) (8) eap - Peer sent EAP Response (code 2) ID 249 length 6 (8) eap - Continuing on-going EAP conversation (8) eap - Setting &control.Auth-Type = eap (8) eap (updated) (8) files - EXPAND %{%{Stripped-User-Name}:-%{User-Name}} (8) files - --> a (8) files (noop) (8) expiration (noop) (8) logintime (noop) (8) pap (noop) (8) } # recv Access-Request (updated) (8) Running 'authenticate eap' from file /root/freeradius-server/pfx/etc/raddb/sites-enabled/default (8) authenticate eap { (8) eap - Continuing EAP session (8) eap - Peer sent packet with EAP method TLS (13) (8) eap - Calling submodule eap_tls (8) eap (noop) (8) subrequest { (8) Creating subrequest (8.0) (8) EAP-Type = TLS (8) EAP-Identity = "a" (8.0) eap.tls - Continuing EAP-TLS (8.0) eap.tls - Peer ACKed our handshake fragment. handshake is finished (8.0) eap.tls - [eap-tls verify] = established (8.0) eap.tls - [eap-tls process] = established (8.0) eap.tls - ERROR: Failed to find pre-compiled unlang for section server check-eap-tls { ... } (8.0) eap.tls (invalid) (8) } # subrequest (invalid) (8) eap - Sending EAP Failure (code 4) ID 249 length 4 (8) eap (invalid) (8) } # authenticate eap (invalid) (8) Failed to authenticate the user (8) Running 'send Access-Reject' from file /root/freeradius-server/pfx/etc/raddb/sites-enabled/default (8) send Access-Reject { I updated to git rev 1a0623b0cff8691551dcb701d22d2896c207e3a1 since I saw that you pushed a few commits related to namespaces and virtual servers, then ran `make clean && make && make install`, then started with a clean configuration.