real authenication after upgrade from 30.0.15 to 3.0.16
Dear users, after upgrade to 3.0.16, I have issues with realm authentication. All requests proxied to nonlocal realms and authentication requests for users without a realm can still be served. Client sends initial Access-Request and receives Access-Challenge whith "No Message-Authenticator attribute found". See attached diffs of the detailed debug logs: --- log.ok 2018-01-30 14:21:05.093454000 +0100 +++ log.bad 2018-01-30 14:20:34.505666000 +0100 @@ -1,4 +1,4 @@ -FreeRADIUS Version 3.0.15 +FreeRADIUS Version 3.0.16 Copyright (C) 1999-2017 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE @@ -88,7 +88,7 @@ sbindir = "/usr/local/sbin" logdir = "/var/log" run_dir = "/var/run/radiusd" - libdir = "/usr/local/lib/freeradius-3.0.15" + libdir = "/usr/local/lib/freeradius-3.0.16" radacctdir = "/var/log/radacct" hostname_lookups = no max_request_time = 30 @@ -1143,6 +1143,8 @@ cipher_server_preference = no ecdh_curve = "prime256v1" disable_tlsv1_2 = yes + tls_max_version = "" + tls_min_version = "1.0" cache { enable = no lifetime = 24 @@ -1307,9 +1309,9 @@ Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel -Listening on proxy address * port 19369 +Listening on proxy address * port 17390 Ready to process requests -(0) Received Access-Request Id 0 from 10.0.6.253:38291 to 0.0.0.0:1812 length 158 +(0) Received Access-Request Id 0 from 10.0.6.253:56240 to 0.0.0.0:1812 length 158 (0) User-Name = "someuserm@some.realm" (0) NAS-IP-Address = 127.0.0.1 (0) Calling-Station-Id = "02-00-00-00-00-01" @@ -1318,7 +1320,7 @@ (0) Service-Type = Framed-User (0) Connect-Info = "CONNECT 11Mbps 802.11b" (0) EAP-Message = 0x0200001b017a617279636874616d4070777374652e6564752e706c -(0) Message-Authenticator = 0x73f14e50279eda60f9b8f887174f8e93 +(0) Message-Authenticator = 0x808acae379001500e79c7ab3a2c83636 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/radius.some.realm (0) authorize { (0) policy filter_username { @@ -1384,7 +1386,7 @@ (0) auth_log: --> /var/log/radacct/10.0.6.253/auth-detail-20180130 (0) auth_log: /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radacct/10.0.6.253/auth-detail-20180130 (0) auth_log: EXPAND %t -(0) auth_log: --> Tue Jan 30 14:21:04 2018 +(0) auth_log: --> Tue Jan 30 14:20:29 2018 (0) [auth_log] = ok (0) [chap] = noop (0) [mschap] = noop @@ -1487,7 +1489,7 @@ (0) pre_proxy_log: --> /var/log/radacct/10.0.6.253/pre-proxy-detail-20180130 (0) pre_proxy_log: /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d expands to /var/log/radacct/10.0.6.253/pre-proxy-detail-20180130 (0) pre_proxy_log: EXPAND %t -(0) pre_proxy_log: --> Tue Jan 30 14:21:04 2018 +(0) pre_proxy_log: --> Tue Jan 30 14:20:29 2018 (0) [pre_proxy_log] = ok (0) if ("%{Packet-Type}" != "Accounting-Request") { (0) EXPAND %{Packet-Type} @@ -1567,7 +1569,7 @@ (0) auth_log: --> /var/log/radacct/10.0.6.253/auth-detail-20180130 (0) auth_log: /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radacct/10.0.6.253/auth-detail-20180130 (0) auth_log: EXPAND %t -(0) auth_log: --> Tue Jan 30 14:21:04 2018 +(0) auth_log: --> Tue Jan 30 14:20:29 2018 (0) [auth_log] = ok (0) [chap] = noop (0) [mschap] = noop @@ -1585,7 +1587,7 @@ (0) eap_peap: Initiating new EAP-TLS session (0) eap_peap: [eaptls start] = request (0) eap: Sending EAP Request (code 1) ID 1 length 6 -(0) eap: EAP session adding &reply:State = 0xe72255ede7234ce0 +(0) eap: EAP session adding &reply:State = 0xcd2b6be2cd2a720f (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge @@ -1600,7 +1602,7 @@ (0) post_proxy_log: --> /var/log/radacct/10.0.6.253/post-proxy-detail-20180130 (0) post_proxy_log: /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d expands to /var/log/radacct/10.0.6.253/post-proxy-detail-20180130 (0) post_proxy_log: EXPAND %t -(0) post_proxy_log: --> Tue Jan 30 14:21:04 2018 +(0) post_proxy_log: --> Tue Jan 30 14:20:29 2018 (0) [post_proxy_log] = ok (0) attr_filter.post-proxy: EXPAND %{Realm} (0) attr_filter.post-proxy: --> some.realm @@ -1610,3413 +1612,18 @@ (0) [eap] = noop (0) } # post-proxy = updated (0) } +(0) Clearing existing &reply: attributes +(0) Found Post-Proxy-Type Fail-Authentication +(0) server radius.some.realm { +(0) Post-Proxy-Type sub-section not found. Ignoring. +(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/radius.some.realm +(0) } (0) Using Post-Auth-Type Challenge (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/radius.some.realm (0) Challenge { ... } # empty sub-section is ignored -(0) Sent Access-Challenge Id 0 from 0.0.0.0:1812 to 10.0.6.253:38291 length 0 -(0) EAP-Message = 0x010100061920 -(0) Message-Authenticator = 0x00000000000000000000000000000000 -(0) State = 0xe72255ede7234ce0450d40d020db3d2d +(0) Sent Access-Challenge Id 0 from 0.0.0.0:1812 to 10.0.6.253:56240 length 0 +(0) State = 0x2761a24a7c3ece99bd01e4f7ae40f330 (0) Finished request Waking up in 4.9 seconds. All configuration files are from the previous version. Should I try to reconfigure it with respect to original configuration files from 3.0.16 to work again or is this in some way connected with the bug I found to be fixed in upcoming 3.0.17 version: Bug fixes * Don't call post-proxy twice when proxying to a virtual server. Matthew Newton, #2161. Best regards, -- Marek Zarychta
On Tue, 2018-01-30 at 16:10 +0100, Marek Zarychta wrote:
All configuration files are from the previous version. Should I try to reconfigure it with respect to original configuration files from 3.0.16 to work again or is this in some way connected with the bug I found to be fixed in upcoming 3.0.17 version:
Bug fixes * Don't call post-proxy twice when proxying to a virtual server. Matthew Newton, #2161.
Yes, please try v3.0.x HEAD and see if that solves it. -- Matthew
On Tue, Jan 30, 2018 at 03:15:15PM +0000, Matthew Newton wrote:
Bug fixes * Don't call post-proxy twice when proxying to a virtual server. Matthew Newton, #2161.
Yes, please try v3.0.x HEAD and see if that solves it.
Yes, this solves the problem. Thank you. So I am going to perform upgrade of our eduroam servers from 3.0.15 directly to 3.0.17 when it is officially released. -- Marek Zarychta
participants (2)
-
Marek Zarychta -
Matthew Newton