Hi again, I'm now trying this out in a more near-life environment with a long list of statically defined realms from proxy.conf AND dynamic discovery. It appears that the case "0" - realm exists and is statically defined - doesn't really work, or I misunderstand what statically defined means in this context. In authorize, I call suffix and later the "case" conditional for dynamic home servers. - suffix finds the realm, sets Proxy-To-Realm - switch does NOT consider the realm statically defined and triggers dynamic discovery instead. This looks as follows: EXPAND %{home_server_dynamic:%{1}} --> even though suffix has loaded the realm list and has already set Proxy-To-Realm. Full debug below, plus the realm definition: I'm musing whether "statically defined" merely means that a realm was in the home_servers/ directory at startup already; and dynamic means it was added during runtime? That would make the whole statement much less useful... Stefan home_server server_158.64.1.8 { ipaddr = 158.64.1.8 port = 0 type = "auth+acct" secret = <<< secret >>> response_window = 30.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "none" ping_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 300 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } recv_coa { } } home_server server_158.64.1.43 { ipaddr = 158.64.1.43 port = 0 type = "auth+acct" secret = <<< secret >>> response_window = 30.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "none" ping_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 300 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } recv_coa { } } home_server_pool education.lu_pool { type = fail-over home_server = server_158.64.1.8 home_server = server_158.64.1.43 } realm education.lu { pool = education.lu_pool nostrip } Ready to process requests Thread 1 waiting to be assigned a request Threads: total/active/spare threads = 5/0/5 Waking up in 0.3 seconds. Thread 5 got semaphore Thread 5 handling request 0, (1 handled so far) (0) Received Access-Request Id 254 from 127.0.0.1:56410 to 127.0.0.1:11812 length 95 (0) User-Name = "stefan@education.lu" (0) User-Password = "test123" (0) NAS-IP-Address = 158.64.1.52 (0) NAS-Port = 123 (0) Message-Authenticator = 0x169c5902b42c13cc9e5b4a06aa5f419a (0) Framed-Protocol = PPP (0) # Executing section authorize from file /opt/freeradius/3.2.0/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "education.lu" for User-Name = "stefan@education.lu" (0) suffix: Found realm "education.lu" (0) suffix: Adding Realm = "education.lu" (0) suffix: Proxying request from user stefan@education.lu to realm education.lu (0) suffix: Preparing to proxy authentication request to realm "education.lu" (0) [suffix] = updated (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [expiration] = noop (0) [logintime] = noop (0) [pap] = noop (0) if (User-Name =~ /@(.*)$/) { (0) if (User-Name =~ /@(.*)$/) -> TRUE (0) if (User-Name =~ /@(.*)$/) { (0) switch %{home_server_dynamic:%{1}} { (0) EXPAND %{home_server_dynamic:%{1}} (0) --> (0) case { (0) update control { (0) Executing: %{config:prefix}/bin/naptr-eduroam-freeradius.sh %{1} %{config:prefix}: (0) EXPAND prefix (0) --> prefix (0) EXPAND %{config:prefix}/bin/naptr-eduroam-freeradius.sh (0) --> /opt/freeradius/3.2.0/bin/naptr-eduroam-freeradius.sh (0) EXPAND %{1} (0) --> education.lu (0) EXPAND prefix (0) --> prefix (0) EXPAND %{config:prefix} (0) --> /opt/freeradius/3.2.0 ... new connection request on command socket On 31.05.22 14:35, Alan DeKok wrote:
On May 31, 2022, at 4:32 AM, Stefan Winter<stefan.winter@restena.lu> wrote:
Ah! Could have figured that out myself, I guess. It took me a bit of staring at things (and checking the code) to figure it out. I'm a big fan of useful error messages, so that one had to be fixed/
With this, I now have a patchset to fully automate dynamic lookup, using the naptr-eduroam.sh script from radsecproxy as a discovery base (adapted to also work with RFC7585 NAPTR targets and with that, OpenRoaming). Nice!
This is WIP here:https://github.com/FreeRADIUS/freeradius-server/compare/v3.2.x...restena-sw:... I'll take a look at the PR, thanks.
Alan DeKok.
- List info/subscribe/unsubscribe? Seehttp://www.freeradius.org/list/users.html
-- This email may contain information for limited distribution only, please treat accordingly. Fondation Restena, Stefan WINTER Chief Technology Officer 2, avenue de l'Université L-4365 Esch-sur-Alzette