Hi I agree, we should have updated our freeradius a long time ago, but we will do better going forward. Just to explain what we are training to achieve. Our fixed line customers authenticate with username and password. Our fixed line customers can have a mobile VAS linked to fixed line. Customer can have single SIM or multiple SIM linked to fixed line username on LDAP. In the case of mobile service, we receive the MSISDN in the radius access request. We then lookup the username which has the MSISDN linked on LDAP. If subscriber name has this MSISDN linked, the radius will respond with the username in the access-accept. If no match is found it will respond with access-reject. When the radius receives the accounting start for this session it will have the username of the fixed line service returned in the access-accept and not the MSISDN which was original in the access request. So basically, in the case of the mobile VAS, the authentication finds the username on LDAP which has the MSISDN linked as a VAS and if no username has the MSISDN (for example customer cancelled the VAS but is still trying to use the SIM) it will send an access reject. No password checks are done for mobile service. This mobile VAS was implemented before I joined so there might be better alternative to provide the same result. Kind regards Steven On Wed, 22 Feb 2023 at 14:00, <freeradius-users-request@lists.freeradius.org> wrote:
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit https://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Freeradius Upgrade from 3.0.1 to 3.2.2 (Steven Walters) 2. Re: Freeradius Upgrade from 3.0.1 to 3.2.2 (Alan DeKok) 3. Some new documentation for "how to make FreeRADIUS do what I want" (Alan DeKok)
----------------------------------------------------------------------
Message: 1 Date: Tue, 21 Feb 2023 23:47:05 +0200 From: Steven Walters <steven.walters1@gmail.com> To: freeradius-users@lists.freeradius.org Subject: Freeradius Upgrade from 3.0.1 to 3.2.2 Message-ID: <CALF=EMKe4Ky91x7A2GgAKaQkVv0D+qxjWqFkaTOgzq= BvBFA2w@mail.gmail.com> Content-Type: text/plain; charset="UTF-8"
Hi
I am in the process of upgrading our radius servers but have one issue outstanding.
Basically we receive in the radius request from mobile a MSISDN. We then go do a lookup to find the username on LDAP matching the MSISDN.
In the old version everything works fine but after upgrading the radius responds with access rejection even though MSISDN finds a username on LDAP.
Below are extracts from the mobile virtual server file and ldap file.
mobile virtual server:
# The ldap module reads passwords from the LDAP database. -ldap-mobile if (!ok) { reject
ldap:
user { # Where to start searching in the tree for users base_dn = "${..base_dn}"
# Filter for user objects, should be specific enough # to identify a single user object. #filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" #filter = "(mobileradiusCallingStationId=%{Calling-Station-Id})" filter = "(&(mobileradiusCallingStationId=%{Calling-Station-Id})(status=10100))"
Below is debug from version 3.0.1
rlm_ldap (ldap-mobile): Reserved connection (11) (9) ldap-mobile : expand: "(&(mobileradiusCallingStationId=%{Calling-Station-Id})(status=10100))" -> '(&(mobileradiusCallingStationId=27671946862)(status=10100))' (9) ldap-mobile : expand: "cn=radius,ou=isp" -> 'cn=radius,ou=isp' (9) ldap-mobile : Performing search in 'cn=radius,ou=isp' with filter '(&(mobileradiusCallingStationId=27671946862)(status=10100))' (9) ldap-mobile : Waiting for search result... (9) ldap-mobile : User object found at DN "uid=onyebilanma@telkomsa.net ,cn=radius,ou=isp" (9) ldap-mobile : Processing user attributes (9) ldap-mobile : reply:User-Name := ' onyebilanma@telkomsa.net ' (9) ldap-mobile : control:User-Name := ' onyebilanma@telkomsa.net' rlm_ldap (ldap-mobile): Released connection (11) rlm_ldap (ldap-mobile): Opening additional connection (12) rlm_ldap (ldap-mobile): Connecting to 10.146.46.133:389 TLSMC: MozNSS compatibility interception begins. tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present. tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only. TLSMC: MozNSS compatibility interception ends. rlm_ldap (ldap-mobile): Waiting for bind result... rlm_ldap (ldap-mobile): Bind successful (9) [-ldap-mobile] = ok (9) ? if (!ok) (9) ? if (!ok) -> FALSE (9) } # authorize = ok (9) Found Auth-Type = Accept (9) Auth-Type = Accept, accepting the user (9) Login OK: [27671946862] (from client 105.187.248.220 port 0 cli 27671946862) (9) # Executing section post-auth from file /etc/raddb/sites-enabled/mobile (9) post-auth { (9) [exec] = noop (9) remove_reply_message_if_eap remove_reply_message_if_eap { (9) ? if (reply:EAP-Message && reply:Reply-Message) (9) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE (9) else else { (9) [noop] = noop (9) } # else else = noop (9) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (9) update reply { (9) Acct-Interim-Interval = 14400 (9) } # update reply = noop (9) } # post-auth = noop Sending Access-Accept of id 134 from 10.146.44.71 port 1812 to 105.187.248.220 port 4017 User-Name = 'onyebilanma@telkomsa.net' Acct-Interim-Interval = 14400
Below is debug from version 3.2.2
rlm_ldap (ldap-mobile): Reserved connection (2) (5) ldap-mobile: EXPAND (&(mobileradiusCallingStationId=%{Calling-Station-Id})(status=10100)) (5) ldap-mobile: --> (&(mobileradiusCallingStationId=27659066168)(status=10100)) (5) ldap-mobile: Performing search in "cn=radius,ou=isp" with filter "(&(mobileradiusCallingStationId=27659066168)(status=10100))", scope "sub" (5) ldap-mobile: Waiting for search result... (5) ldap-mobile: User object found at DN "uid=ahmed.elhefnawy@telkomsa.net ,cn=radius,ou=isp" (5) ldap-mobile: Processing user attributes (5) ldap-mobile: reply:User-Name := 'ahmed.elhefnawy@telkomsa.net' (5) ldap-mobile: control:User-Name := 'ahmed.elhefnawy@telkomsa.net' rlm_ldap (ldap-mobile): Released connection (2) Need 4 more connections to reach min connections (8) Need more connections to reach 16 spares rlm_ldap (ldap-mobile): Opening additional connection (9), 1 of 28 pending slots used rlm_ldap (ldap-mobile): Connecting to ldap://10.146.46.133:389 rlm_ldap (ldap-mobile): Waiting for bind result... rlm_ldap (ldap-mobile): Bind successful (5) [ldap-mobile] = updated (5) if (!ok) { (5) if (!ok) -> TRUE (5) if (!ok) { (5) [reject] = reject (5) } # if (!ok) = reject (5) } # authorize = reject (5) Invalid user: [27659066168] (from client 105.187.248.220 port 0 cli 27659066168) (5) Using Post-Auth-Type Reject (5) # Executing group from file /etc/raddb/sites-enabled/mobile (5) Post-Auth-Type REJECT { (5) policy remove_reply_message_if_eap { (5) if (&reply:EAP-Message && &reply:Reply-Message) { (5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (5) else { (5) [noop] = noop (5) } # else = noop (5) } # policy remove_reply_message_if_eap = noop (5) } # Post-Auth-Type REJECT = noop (5) Login incorrect: [27659066168] (from client 105.187.248.220 port 0 cli 27659066168) (5) Delaying response for 2.000000 seconds
Any advice would be appreciated?
Regards Steven
------------------------------
Message: 2 Date: Tue, 21 Feb 2023 17:47:47 -0500 From: Alan DeKok <aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Freeradius Upgrade from 3.0.1 to 3.2.2 Message-ID: <407E5AF6-AD76-468D-97CD-1D5858D63AC1@deployingradius.com> Content-Type: text/plain; charset=us-ascii
On Feb 21, 2023, at 4:47 PM, Steven Walters <steven.walters1@gmail.com> wrote:
Below is debug from version 3.0.1
To be honest... 3.0.1 is about ten years old. We're not going to worry a lot about compatibility with every little piece of it.
Plus, there have been many bug fixes since then, including security fixes. If you don't like people attacking your RADIUS server, it should have been updated regularly.
... Below is debug from version 3.2.2 ... (5) [ldap-mobile] = updated (5) if (!ok) {
Change that to:
if (!ok || !updated) { ...
and it will work.
Any advice would be appreciated?
Upgrade regularly.
Plus, it helps to explain *why* you have this configuration. You generally don't have to explicitly reject users who don't have passwords. The server will do this automatically.
So you don't need a "if not found in LDAP, reject" configuration. Just check LDAP. If the user isn't found, they won't have a password read from LDAP. And the server won't be able to authenticate them.
Alan DeKok.
------------------------------
Message: 3 Date: Tue, 21 Feb 2023 17:58:56 -0500 From: Alan DeKok <aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Some new documentation for "how to make FreeRADIUS do what I want" Message-ID: <98543E7C-E533-4DBC-9D27-09E9E9261717@deployingradius.com> Content-Type: text/plain; charset=us-ascii
We've been busy working on v4, including making sure that every aspect of the server is extensively documented.
I've just written a document on "policies". But it's really "how do I get this software to do what I want, without going crazy".
https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/antora/modul...
It gives a detailed guide to the methods used to create FreeRADIUS configurations.
There's also a document on why FreeRADIUS is so complex to configure:
https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/antora/modul...
This should help to explain why we can't just have a shiny button which says "do what I want". The configuration is much, much, more complex than that.
v4 also has complete documentation for each unlang keyword: https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/antora/modul...
This documentation applies to v4, but it's _mostly_ compatible with v3. Where there are changes from v3, the documentation explains it.
Hopefully this helps. We're not just wishing that v4 comes out one day. We're actively working on it.
Alan DeKok.
------------------------------
Subject: Digest Footer
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------
End of Freeradius-Users Digest, Vol 214, Issue 21 *************************************************
-- Warm Regards Steven Walters 0814287179