Cannot get value of config item with \\
Hello I'm having trouble getting the value of auth_pool of a realm. Realms are defined as regular expressions matched by suffix module against the domain portion of users username. The problem is when the realm regex contains \\ (eg: "~^example\\.com$") the config variable is not found: ++? if ("%{config:realm[%{Realm}].auth_pool}" =~ /%{client-shortname}/i) expand: realm[%{Realm}].auth_pool -> realm[~^example\\.com$].auth_pool WARNING: No such configuration item realm[~^example\\.com$].auth_pool expand: %{config:realm[%{Realm}].auth_pool} -> expand: %{client-shortname} -> idp If I change the realm regex so it has no \\ (eg: "~^example.com$") it is found correctly: ++? if ("%{config:realm[%{Realm}].auth_pool}" =~ /%{client-shortname}/i) expand: realm[%{Realm}].auth_pool -> realm[~^example.com$].auth_pool expand: %{config:realm[%{Realm}].auth_pool} -> idp_pool expand: %{client-shortname} -> idp My config looks something like this: sites-enabled/default: authorize { preprocess suffix # Sets Realm variable files if ("%{config:realm[%{Realm}].auth_pool}" =~ /%{client-shortname}/i) { reject } } ... proxy.conf: home_server idp { type = auth ipaddr = 10.0.99.110 port = 1812 secret = secret response_window = 20 zombie_period = 40 revive_interval = 120 status_check = status-server check_interval = 30 num_answers_to_alive = 3 } home_server_pool idp_pool { type = client-balance home_server = idp } realm "~^example\\.com$" { nostrip auth_pool = idp_pool } clients.conf: client 10.0.99.110 { secret = secret shortname = idp nastype = other } Is this a bug or a safety feature (preventing some sort of injection attacks)? I tried all sorts of combination of single quites, double quotes, no quotes, but to no avail. Am I missing something obvious? Any ideas would be appreciated. -- Matej Vadnjal ANRES
Matej Vadnjal wrote:
I'm having trouble getting the value of auth_pool of a realm. Realms are defined as regular expressions matched by suffix module against the domain portion of users username.
Ok... *why* are you doing that?
if ("%{config:realm[%{Realm}].auth_pool}" =~ /%{client-shortname}/i) { reject }
That's odd. What do you think that configuration does, and why do you want it to do that?
Is this a bug or a safety feature (preventing some sort of injection attacks)? I tried all sorts of combination of single quites, double quotes, no quotes, but to no avail.
Escaping characters is a security feature. Alan DeKok.
On Monday 02.02.2009 10:37:59 Alan DeKok wrote:
Matej Vadnjal wrote:
I'm having trouble getting the value of auth_pool of a realm. Realms are defined as regular expressions matched by suffix module against the domain portion of users username.
Ok... *why* are you doing that?
if ("%{config:realm[%{Realm}].auth_pool}" =~ /%{client-shortname}/i) { reject }
That's odd. What do you think that configuration does, and why do you want it to do that?
I have a server that receives requests from radius servers and forwards them to other radius servers (we are a national top-level radius for eduroam project). I'd like to check if a request that I received from a radius server will be proxied back to that same server resulting in a proxy loop. The way I see things there is no other way to find out to which server the request will be proxied to. My idea is that if I keep the names of servers in clients.conf and server pools in proxy.conf similar enough, I could compare them with a regexp and if they match reject the request, preventing a loop.
Is this a bug or a safety feature (preventing some sort of injection attacks)? I tried all sorts of combination of single quites, double quotes, no quotes, but to no avail.
Escaping characters is a security feature.
As I suspected. However in my case the value of Realm variable is one of predefined values in proxy.conf and not supplied by users. Regards, Matej Vadnjal
I'd like to check if a request that I received from a radius server will be proxied back to that same server resulting in a proxy loop.
The way I see things there is no other way to find out to which server the request will be proxied to.
Create a table proxy with information form proxy.conf. Use unlang to see if proxy IP matces Client-IP-Address from the request and reject if it does. Ivan Kalik Kalik Informatika ISP
Matej Vadnjal wrote:
On Monday 02.02.2009 10:37:59 Alan DeKok wrote: I'd like to check if a request that I received from a radius server will be proxied back to that same server resulting in a proxy loop.
Hmm... if a server proxies requests to you that it *should* have handled itself, it is seriously broken.
The way I see things there is no other way to find out to which server the request will be proxied to.
Put this in pre-proxy: if (Realm && ("%{home_server:ipaddr}" == "%{client:ipaddr}")) { reject } That should work. And no, this isn't well documented.
My idea is that if I keep the names of servers in clients.conf and server pools in proxy.conf similar enough, I could compare them with a regexp and if they match reject the request, preventing a loop.
Just check IP's. Alan DeKok.
Hi..Can anyone help me. I can't get client connect to radius server.any suggestion on how to fix it..appreciated.Here the radius output:Going to the next request Waking up in 4.9 seconds. User-Name = "john" NAS-IP-Address = 0.0.0.0 Framed-MTU = 1488 Called-Station-Id = "00:30:1a:29:03:66" Calling-Station-Id = "00:1c:f0:10:56:b8" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "127.0.0.1" Connect-Info = "CONNECT 11Mbps 802.11b" State = 0x2e2e1d922d2b04150913ca69285527e1 EAP-Message = 0x020500061900 Message-Authenticator = 0xf3ce12fbfc579d77238be586aeef433a +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "john", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 5 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled EAP-Message = 0x0106004f190028cf8fd6b39dddc11a23092d5ac5dbe80d40773189ee2e9a705859d3fcb1ccb0bec3b2d64f501fbac0a2e4d68161a9e646b9dc3e921d54190eaf26d9658df7f216030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2e2e1d922a2804150913ca69285527e1 Finished request 46. Going to the next request Waking up in 4.8 seconds. User-Name = "john" NAS-IP-Address = 0.0.0.0 Framed-MTU = 1488 Called-Station-Id = "00:30:1a:29:03:66" Calling-Station-Id = "00:1c:f0:10:56:b8" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "127.0.0.1" Connect-Info = "CONNECT 11Mbps 802.11b" State = 0x2e2e1d922a2804150913ca69285527e1 EAP-Message = 0x02060140198000000136160301010610000102010017507e2bfc6cace25c10e8a2bc0fe8aa360f2b071b51363de465dacc8f210868470b8d57d54b0c41d3e2fd9b90697768c2e0d01f33df5eba91b2a8e5c7aa40e40af6e1a89b7d0951310271056840ead1d02cbbc8dcddc12dce27ccb5b7112ec5697c966d92b857f14013075bade26248666a8231f125698da53235ad80bb01880423bb7d6b6c0fb4f729959e5876893b795589d81fa384fb3bc426b1b424459af21de01ca8f1e61e4015703ebfc4b5fd9e0bc1fc62fbce7e9dca044805f35def1e7b560b93ba05b5483a2ea950adb72345843c062d1072ee234acc9649afd60c866ef885e1f3490a EAP-Message = 0x4ba37822b0bd1a7ea0cb3b34da4a4f5241eeb3cf84d9d2d414030100010116030100203959736f3c912439ed32a1d40f8039184eceff7a3e7916103b2987864910a40a Message-Authenticator = 0x7563893321cf7c546a720b6d7940d1bf +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "john", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 6 length 253 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS TLS Length 310 rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls:>>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls:>>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled EAP-Message = 0x01070031190014030100010116030100206f92b1c2416afc363cc61e8b8b6ca0629a5c9126eed17062e9579417bb5eb047 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2e2e1d922b2904150913ca69285527e1 Finished request 47. Going to the next request Waking up in 4.8 seconds. Cleaning up request 42 ID 86 with timestamp +565 Cleaning up request 43 ID 88 with timestamp +565 Cleaning up request 44 ID 90 with timestamp +565 Cleaning up request 45 ID 92 with timestamp +565 Cleaning up request 46 ID 94 with timestamp +565 Cleaning up request 47 ID 96 with timestamp +565 Ready to process requests. User-Name = "john" NAS-IP-Address = 0.0.0.0 Framed-MTU = 1488 Called-Station-Id = "00:30:1a:29:03:66" Calling-Station-Id = "00:1c:f0:10:56:b8" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "127.0.0.1" Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0101000501 Message-Authenticator = 0xb0d8611f26c07faf1b6e36b551d1441e +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "john", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type request id 1 length 5 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound users: Matched entry john at line 101 expand: Hello, %{User-Name} -> Hello, john ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Identity Unknown, authentication failed rlm_eap: Failed in handler ++[eap] returns invalid auth: Failed to validate the user. Login incorrect: [john/<via Auth-Type = EAP>] (from client sB3010 port 0 cli 00:1c:f0:10:56:b8) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> john attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 48 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 48 Reply-Message = "Hello, john" Waking up in 4.9 seconds. Cleaning up request 48 ID 98 with timestamp +626 Ready to process requests. _________________________________________________________________ Need a new place to rent, share or buy? Let ninemsn property help http://a.ninemsn.com.au/b.aspx?URL=http%3A%2F%2Fninemsn%2Edomain%2Ecom%2Eau%...
saman saman wrote:
Hi..Can anyone help me. I can't get client connect to radius server. any suggestion on how to fix it..appreciated. Here the radius output:
...
EAP-Message = 0x0101000501
Your supplicant is sending an empty identity. This isn't permitted. Alan DeKok.
Hi Alan,Appreciated if you could give me some tips how to solve the problem.I ready have not idea why this happen or where did i get wrong..newbie.Thank in advance.> Date: Mon, 2 Feb 2009 14:50:04 +0100> From: aland@deployingradius.com> To: freeradius-users@lists.freeradius.org> Subject: Re: mschav2 can't get connected> > saman saman wrote:>> >> Hi..Can anyone help me. I can't get client connect to radius server.>> any suggestion on how to fix it..appreciated.>> Here the radius output:> ...>> EAP-Message = 0x0101000501> > Your supplicant is sending an empty identity. This isn't permitted.> > Alan DeKok.> -> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html _________________________________________________________________ Get rid of those unwanted christmas presents! Get what you want at ebay. http://a.ninemsn.com.au/b.aspx?URL=http%3A%2F%2Frover%2Eebay%2Ecom%2Frover%2...
Hi Alan,Appreciated if you could give me some tips how to solve the problem.I ready have not idea why this happen or where did i get wrong..newbie.Thank in advance.>
What are you using to connect to the AP? Whatever you are using is broken. Fix it or get a new one. Ivan Kalik Kalik Informatika ISP
Hi Ivan,Thanks for your quick response.I'm using D Link DWA 510 PCI adaptor to connect to SmartBridge sB3210 AP (bridging). Is it the device problem or the Windows XP itself?what is the device in the market that you would recommend would solve such a problem?> To: freeradius-users@lists.freeradius.org> Subject: RE: mschav2 can't get connected> Date: Tue, 3 Feb 2009 15:55:39 +0100> From: tnt@kalik.net> >>Hi Alan,Appreciated if you could give me some tips how to solve the problem.I ready have not idea why this happen or where did i get wrong..newbie.Thank in advance.>> > What are you using to connect to the AP? Whatever you are using is> broken. Fix it or get a new one.> > Ivan Kalik> Kalik Informatika ISP> > -> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html _________________________________________________________________ Get rid of those unwanted christmas presents! Get what you want at ebay. http://a.ninemsn.com.au/b.aspx?URL=http%3A%2F%2Frover%2Eebay%2Ecom%2Frover%2...
Hi Ivan,I just not sure if the card broken because when I set it to use WPA then it's working perfectlybut why MSCHAPv2 & EAP-TLS didn't work?Will that be other reasons or missing some thing that cause the problem.should I send you the execution log?From: ssaman@hotmail.comTo: freeradius-users@lists.freeradius.orgSubject: RE: mschav2 can't get connectedDate: Tue, 3 Feb 2009 23:46:15 +0900 Hi Alan,Appreciated if you could give me some tips how to solve the problem.I ready have not idea why this happen or where did i get wrong..newbie.Thank in advance.> Date: Mon, 2 Feb 2009 14:50:04 +0100> From: aland@deployingradius.com> To: freeradius-users@lists.freeradius.org> Subject: Re: mschav2 can't get connected> > saman saman wrote:>> >> Hi..Can anyone help me. I can't get client connect to radius server.>> any suggestion on how to fix it..appreciated.>> Here the radius output:> ...>> EAP-Message = 0x0101000501> > Your supplicant is sending an empty identity. This isn't permitted.> > Alan DeKok.> -> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.htmlGet what you want at ebay. Get rid of those unwanted christmas presents! _________________________________________________________________ Get rid of those unwanted christmas presents! Get what you want at ebay. http://a.ninemsn.com.au/b.aspx?URL=http%3A%2F%2Frover%2Eebay%2Ecom%2Frover%2...
Hi Ivan,I just not sure if the card broken because when I set it to use WPA then it's working perfectlybut why MSCHAPv2 & EAP-TLS didn't work?
WPA what? WPA-PSK? That doesn't use EAP or any other user authentication method. EAP is broken. Card is just radio. Instead of music it repalys data. That is extremly unlikely to be a problem. If the card isn't working - you have no reception. Ivan Kalik Kalik Informatika ISP
On Monday 02.02.2009 12:37:09 Alan DeKok wrote:
Hmm... if a server proxies requests to you that it *should* have handled itself, it is seriously broken.
It also happens when users mistype their user names. Suppose you have a user: user@a.orgA.tld. orgA has a radius server that proxies requests for realm a.orgA.tld to another server, but all other requests go to upstream server (us). If our user mistypes their user name as user@b.orgA.tld radius at orgA forwards that request to our server but we see this as realm *.orgA.tld (orgA has a lot of sub-domains - we don't want to define all of them separately) so we send the request back to them.
Put this in pre-proxy:
if (Realm && ("%{home_server:ipaddr}" == "%{client:ipaddr}")) { reject }
That should work. And no, this isn't well documented.
Great. I did not know about %{home_server:ipaddr}. However there are still two issues: - %{client:ipaddr} does not expand to anything on my end but Client-IP-Address works. - If I reject in pre-proxy my server crashes. No error message or anything, it just exits (see attached debug). Is this a bug? I'm using version 2.1.0. Regards Matej Vadnjal ARNES rad_recv: Access-Request packet from host 10.0.99.110 port 1814, id=200, length=94 User-Name = "@primer.si" Message-Authenticator = 0xc683a697de2b17b81dbad41e7c5bb471 EAP-Message = 0x0202000f01407072696d65722e7369 NAS-IP-Address = 10.0.99.13 NAS-Identifier = "010.000.099.013" Proxy-State = 0x3134 +- entering group authorize {...} ++[preprocess] returns ok [suffix] Looking up realm "primer.si" for User-Name = "@primer.si" [suffix] Found realm "~^(idp\.primer\.si|.*\.idp\.primer\.si|primer\.si)$" [suffix] Adding Realm = "~^(idp\.primer\.si|.*\.idp\.primer\.si|primer\.si)$" [suffix] Proxying request from user to realm ~^(idp\.primer\.si|.*\.idp\.primer\.si|primer\.si)$ [suffix] Preparing to proxy authentication request to realm "~^(idp\.primer\.si|.*\.idp\.primer\.si|primer\.si)$" ++[suffix] returns updated expand: %{User-Name} -> @primer.si [files] users: Matched entry DEFAULT at line 10 ++[files] returns ok +- entering group pre-proxy {...} ++? if (Realm && ("%{home_server:ipaddr}" == "%{Client-IP-Address}")) ? Evaluating (Realm ) -> TRUE expand: %{home_server:ipaddr} -> 10.0.99.110 expand: %{Client-IP-Address} -> 10.0.99.110 ? Evaluating ("%{home_server:ipaddr}" == "%{Client-IP-Address}") -> TRUE ++? if (Realm && ("%{home_server:ipaddr}" == "%{Client-IP-Address}")) -> TRUE ++- entering if (Realm && ("%{home_server:ipaddr}" == "%{Client-IP-Address}")) {...} +++[reject] returns reject ++- if (Realm && ("%{home_server:ipaddr}" == "%{Client-IP-Address}")) returns reject There was no response configured: rejecting request 0 Using Post-Auth-Type Reject +- entering group REJECT {...} expand: %{User-Name} -> @primer.si attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds.
Matej Vadnjal wrote:
Great. I did not know about %{home_server:ipaddr}. However there are still two issues:
- %{client:ipaddr} does not expand to anything on my end but Client-IP-Address works.
If %{client:ipaddr} doesn't work, it's because there's no "ipaddr" entry in the relevant "client" section.
- If I reject in pre-proxy my server crashes. No error message or anything, it just exits (see attached debug). Is this a bug? I'm using version 2.1.0.
That would be a bug. My first suggestion would be to upgrade rather than trying to track down what's going wrong. Alan DeKok.
On Tuesday 03.02.2009 08:42:44 Alan DeKok wrote:
- If I reject in pre-proxy my server crashes. No error message or anything, it just exits (see attached debug). Is this a bug? I'm using version 2.1.0.
That would be a bug. My first suggestion would be to upgrade rather than trying to track down what's going wrong.
I just tested with version 2.1.3 and it works. Thank you for all your help. Regards Matej Vadnjal ARNES
participants (4)
-
Alan DeKok -
Matej Vadnjal -
saman saman -
tnt@kalik.net