Hi all, A segfault report sorry. Arran and Alan Dekok kindly helped me here with expanding variables from dynamic indexes, which works fine, as long as the variable is plugged into a string value. I'm trying to retrieve an integer value in the same way. Ideally, I'd like to expand in an if statement and compare, i.e. if ( "%{xlat:control:Tmp-Integer-1[%{control:Tmp-Integer-0}]}" > 1 ), rather than plug into a variable and then compare there, but maybe that's a step too far? It works fine plugging the variable into a string, xlat seems to cast fine, even if we do an if ("%{xlat:control:Tmp-String-1[%{control:Tmp-Integer-0}]}" > 1 ), so the workaround is obvious, just thought I'd best let you know about the seg anyway. Thanks Andy map sql_SP_rsh-radius-lant &control:Tmp-String-0 { control:Tmp-string-1 += tmp_acctuniqueid control:Tmp-string-2 += tmp_acctsessionid control:Tmp-string-3 += tmp_username control:Tmp-string-4 += tmp_devicetype control:Tmp-Integer-1+= tmp_macaddresslimit control:Tmp-string-5 += tmp_accounttable } update control { Tmp-Integer-0 := 0 Tmp-String-6 := "%{xlat:control:Tmp-Integer-1[%{control:Tmp-Integer-0}]}" } (0) Executing select query: call get_active_sessions_for_switchport ('192.168.105.86', '1', 864000) (0) control:Tmp-string-1 += 2863e8aa72426a2af96f7af0ef7ebdb9 (0) control:Tmp-string-2 += 000E000000E1 (0) control:Tmp-string-3 += 20b399f37010 (0) control:Tmp-string-4 += AP (0) control:Tmp-Integer-1 += 32 (0) control:Tmp-string-5 += radacct_lan0 (0) control:Tmp-string-1 += 4685a44565edf4d8aae476f8ed3b0ab9 (0) control:Tmp-string-2 += 000E0000009C (0) control:Tmp-string-3 += 20b399f37010 (0) control:Tmp-string-4 += AP (0) control:Tmp-Integer-1 += 32 (0) control:Tmp-string-5 += radacct_lan0 rlm_sql (sql_SP_rsh-radius-lant): Released connection (0) rlm_sql (sql_SP_rsh-radius-lant): Need 4 more connections to reach 3 spares rlm_sql (sql_SP_rsh-radius-lant): Opening additional connection (1), 1 of 9 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on rsh-radius-sql via TCP/IP, server version 5.5.31-0ubuntu0.13.04.1, protocol version 10 (0) } # map sql_SP_rsh-radius-lant &control:Tmp-String-0 (updated) (0) update control { (0) Tmp-Integer-0 := 0 Program received signal SIGSEGV, Segmentation fault. 0x00007ffff6839301 in ?? () from /lib/x86_64-linux-gnu/libc.so.6 (gdb) bt #0 0x00007ffff6839301 in ?? () from /lib/x86_64-linux-gnu/libc.so.6 #1 0x00007ffff70f78d9 in talloc_strdup () from /usr/lib/x86_64-linux-gnu/libtalloc.so.2 #2 0x00007ffff7951c3d in talloc_typed_strdup (t=0xd4d210, p=0x20 <Address 0x20 out of bounds>) at src/lib/missing.c:592 #3 0x00007ffff7bc087e in xlat_tokenize_request (request=0xd4d210, fmt=0x20 <Address 0x20 out of bounds>, head=0x7fffffffd100) at src/main/xlat.c:1812 #4 0x00007ffff7bc2522 in xlat_expand (out=0x7fffffffd148, outlen=2048, request=0xd4d210, fmt=0x20 <Address 0x20 out of bounds>, escape=0x0, escape_ctx=0x0) at src/main/xlat.c:2567 #5 0x00007ffff7bc2860 in radius_xlat (out=0xdc2c90 "", outlen=2048, request=0xd4d210, fmt=0x20 <Address 0x20 out of bounds>, escape=0x0, ctx=0x0) at src/main/xlat.c:2645 #6 0x00007ffff7bbd634 in xlat_xlat (out=0x7fffffffd200, outlen=2048, mod_inst=0x0, xlat_inst=0x0, request=0xd4d210, fmt=0xdc2c10 "control:Tmp-Integer-1[0]") at src/main/xlat.c:634 #7 0x00007ffff7bc1e3f in xlat_aprint (ctx=0xd4d210, request=0xd4d210, node=0xd20950, escape=0x0, escape_ctx=0x0, lvl=0) at src/main/xlat.c:2358 #8 0x00007ffff7bc2131 in xlat_process (out=0x7fffffffd380, request=0xd4d210, head=0xd20950, escape=0x0, escape_ctx=0x0) at src/main/xlat.c:2445 #9 0x00007ffff7bc243a in xlat_expand_struct (out=0x7fffffffd448, outlen=0, request=0xd4d210, node=0xd20950, escape=0x0, escape_ctx=0x0) at src/main/xlat.c:2517 #10 0x00007ffff7bc2932 in radius_axlat_struct (out=0x7fffffffd448, request=0xd4d210, xlat=0xd20950, escape=0x0, ctx=0x0) at src/main/xlat.c:2660 #11 0x00007ffff7babe3f in map_to_vp (ctx=0xd4d210, out=0x7fffffffd520, request=0xd4d210, map=0xce17d0, uctx=0x0) at src/main/map.c:813 #12 0x00007ffff7bace48 in map_to_request (request=0xd4d210, map=0xce17d0, func=0x7ffff7baba77 <map_to_vp>, ctx=0x0) at src/main/map.c:1137 #13 0x00000000004318c6 in modcall_update (request=0xd4d210, stack=0x7fffffffd810, presult=0x7fffffffd7b0, priority=0x7fffffffd7ac) at src/main/interpreter.c:587 #14 0x00000000004320e0 in modcall_recurse (request=0xd4d210, stack=0x7fffffffd810, presult=0x7fffffffd80c, ppriority=0x7fffffffd808) at src/main/interpreter.c:839 #15 0x00000000004324ee in modcall (component=MOD_AUTHORIZE, c=0xcbdde0, request=0xd4d210) at src/main/interpreter.c:1001 #16 0x0000000000427e2a in indexed_modcall (comp=MOD_AUTHORIZE, idx=0, request=0xd4d210) at src/main/modules.c:977 #17 0x000000000042a0c3 in process_authorize (autz_type=0, request=0xd4d210) at src/main/modules.c:2108 #18 0x000000000040fd07 in rad_authenticate (request=0xd4d210) at src/main/auth.c:435 #19 0x000000000043b6d5 in request_running (request=0xd4d210, action=1) at src/main/process.c:1482 #20 0x000000000043a3db in request_queue_or_run (request=0xd4d210, process=0x43b573 <request_running>) at src/main/process.c:953 #21 0x000000000043bff1 in request_receive (ctx=0xd4cf10, listener=0xb01310, packet=0xd4cf70, client=0xae51e0, fun=0x40fa64 <rad_authenticate>) at src/main/process.c:1739 #22 0x0000000000419d1a in auth_socket_recv (listener=0xb01310) at src/main/listen.c:1901 #23 0x00000000004431be in event_socket_handler (xel=0xd3ef70, fd=12, ctx=0xb01310) at src/main/process.c:4542 #24 0x00007ffff7970044 in fr_event_loop (el=0xd3ef70) at src/lib/event.c:637 #25 0x00000000004450b2 in radius_event_process () at src/main/process.c:5585 #26 0x0000000000433103 in main (argc=2, argv=0x7fffffffe6d8) at src/main/radiusd.c:586
On Dec 17, 2015, at 4:50 AM, Franks Andy (IT Technical Architecture Manager) <Andy.Franks@sath.nhs.uk> wrote:
It works fine plugging the variable into a string, xlat seems to cast fine, even if we do an if ("%{xlat:control:Tmp-String-1[%{control:Tmp-Integer-0}]}" > 1 ), so the workaround is obvious, just thought I'd best let you know about the seg anyway.
The fix is simple. I'll push a fix later today. Alan DeKok.
On Dec 17, 2015, at 4:50 AM, Franks Andy (IT Technical Architecture Manager) <Andy.Franks@sath.nhs.uk> wrote:
Ideally, I'd like to expand in an if statement and compare, i.e. if ( "%{xlat:control:Tmp-Integer-1[%{control:Tmp-Integer-0}]}" > 1 ),
Hmm... you shouldn't be able to dynamically expand non-string attributes. The idea behind %{xlat:} is that you could do something like: Tmp-String-0 := "sql: SELECT ..." and then do: Blah = "%{xlat:Tmp-String-0}" i.e. the contents of the %{xlat} expansion are another string to be expanded. You're not using it that way. You're trying to dynamically expand an array reference, and then use that to get an integer. And you're *not* dynamically expanding the integer. So the %{xlat} expansion is not what you want. You want something else. Something which isn't yet implemented. I'll see if I can think of something. Alan DeKok.
On 17 Dec 2015, at 09:47, Alan DeKok <aland@deployingradius.com> wrote:
On Dec 17, 2015, at 4:50 AM, Franks Andy (IT Technical Architecture Manager) <Andy.Franks@sath.nhs.uk> wrote:
Ideally, I'd like to expand in an if statement and compare, i.e. if ( "%{xlat:control:Tmp-Integer-1[%{control:Tmp-Integer-0}]}" > 1 ),
Hmm... you shouldn't be able to dynamically expand non-string attributes. The idea behind %{xlat:} is that you could do something like:
Tmp-String-0 := "sql: SELECT ..."
and then do:
Blah = "%{xlat:Tmp-String-0}"
i.e. the contents of the %{xlat} expansion are another string to be expanded.
You're not using it that way. You're trying to dynamically expand an array reference, and then use that to get an integer. And you're *not* dynamically expanding the integer.
So the %{xlat} expansion is not what you want. You want something else. Something which isn't yet implemented.
I'll see if I can think of something.
He wants: &Attribute[&index] Which is pretty easy to implement. Just the tmpl parser and the tmpl cursor code needs to change. I believe everything uses that now for resolving array offsets in attributes. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On 17 Dec 2015, at 09:50, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On 17 Dec 2015, at 09:47, Alan DeKok <aland@deployingradius.com> wrote:
On Dec 17, 2015, at 4:50 AM, Franks Andy (IT Technical Architecture Manager) <Andy.Franks@sath.nhs.uk> wrote:
Ideally, I'd like to expand in an if statement and compare, i.e. if ( "%{xlat:control:Tmp-Integer-1[%{control:Tmp-Integer-0}]}" > 1 ),
Hmm... you shouldn't be able to dynamically expand non-string attributes. The idea behind %{xlat:} is that you could do something like:
Tmp-String-0 := "sql: SELECT ..."
and then do:
Blah = "%{xlat:Tmp-String-0}"
i.e. the contents of the %{xlat} expansion are another string to be expanded.
You're not using it that way. You're trying to dynamically expand an array reference, and then use that to get an integer. And you're *not* dynamically expanding the integer.
So the %{xlat} expansion is not what you want. You want something else. Something which isn't yet implemented.
I'll see if I can think of something.
He wants:
&Attribute[&index]
Which is pretty easy to implement.
Just the tmpl parser and the tmpl cursor code needs to change. I believe everything uses that now for resolving array offsets in attributes.
Could also just print non string types to a string and write that to the buffer in the xlat xlat, which is a little nicer than just erroring out. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On Dec 17, 2015, at 9:53 AM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
Could also just print non string types to a string and write that to the buffer in the xlat xlat, which is a little nicer than just erroring out.
Sure. The first fix is to *not* crash. Alan DeKok.
Can anyone advise on the best method for performing an LDAP authorize if I'm using both EAP-TLS and EAP-PEAP? In my site config, I do: eap { ok = return } -ldap This works great for PEAP, as the eap module returns and ok, then the LDAP lookup is performed in the inner tunnel, once only. However when a certificate based client associates with EAP-PEAP, the eap module returns 'updated' and the ldap check is performed for each packet. I have updated the ldap line to be: ldap { notfound = reject } For a successful authentication, it performs the ldap search a number of times. Is there any way I can only do this once? Dave Hartburn
Hi,
In my site config, I do: eap { ok = return } -ldap
This works great for PEAP, as the eap module returns and ok, then the LDAP lookup is performed in the inner tunnel, once only.
However when a certificate based client associates with EAP-PEAP, the eap module returns 'updated' and the ldap check is performed for each packet. I have updated the ldap line to be:
how are you doing policies on EAP-TLS clients? some people use ldap for looking up memberships/groups etc - hence the fall-through is fine for default.... but not for your use case. if you dont want ldap to be processed...and the module returns 'updated' then maybe eap { ok = return updated = return } -ldap (dont forget, EAP-TLS wont go into inner-tunnel) alan
Hi, We are using LDAP to check for group membership, so we need the lookup to do that authorization. I need something like updated = return (all but once) That is not valid syntax ;) Dave On 17/12/15 18:28, A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
In my site config, I do: eap { ok = return } -ldap
This works great for PEAP, as the eap module returns and ok, then the LDAP lookup is performed in the inner tunnel, once only.
However when a certificate based client associates with EAP-PEAP, the eap module returns 'updated' and the ldap check is performed for each packet. I have updated the ldap line to be:
how are you doing policies on EAP-TLS clients? some people use ldap for looking up memberships/groups etc - hence the fall-through is fine for default.... but not for your use case.
if you dont want ldap to be processed...and the module returns 'updated' then maybe
eap { ok = return updated = return } -ldap
(dont forget, EAP-TLS wont go into inner-tunnel)
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Fri, Dec 18, 2015 at 11:12:52AM +0000, David Hartburn wrote:
We are using LDAP to check for group membership, so we need the lookup to do that authorization.
Are you using the check_eap_tls virtual server? It's designed to do just that for EAP-TLS. It gets called once at certificate verification time. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Sorry, this is the first chance I have had to come back to this. No, we are not using that as the virtual server. I think ours was based on the default and is doing EAP-TLS too. Currently if the request comes from our wireless LAN controllers it puts it into our local eduroam virtual server, to which I added EAP-TLS. I'm struggling to find any documentation or examples on using the check_eap_tls module. It is a case of putting something in our local eduroam virtual server to punt TLS attempts off to this server? Where would you put that without breaking the EAP-PEAP authentication? David On 18/12/15 11:41, Matthew Newton wrote:
On Fri, Dec 18, 2015 at 11:12:52AM +0000, David Hartburn wrote:
We are using LDAP to check for group membership, so we need the lookup to do that authorization.
Are you using the check_eap_tls virtual server? It's designed to do just that for EAP-TLS.
It gets called once at certificate verification time.
Matthew
On Mon, Jan 25, 2016 at 04:56:26PM +0000, David Hartburn wrote:
I'm struggling to find any documentation or examples on using the check_eap_tls module. It is a case of putting something in our local eduroam virtual server to punt TLS attempts off to this server? Where would you put that without breaking the EAP-PEAP authentication?
The virtual server is specified in mods-enabled/eap: https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-avail... then check_eap_tls should be fairly self-documenting: https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/sites-avai... Cheers, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Hi,
I'm struggling to find any documentation or examples on using the check_eap_tls module. It is a case of putting something in our local eduroam virtual server to punt TLS attempts off to this server? Where would you put that without breaking the EAP-PEAP authentication?
just call virtual_server = check-eap-tls in the TLS specific sub-section of eap the original commit for this feature is: https://github.com/mcnewton/freeradius-server/commit/fbee1e9b4ce93c15d0f074a... peap and ttls have their own subsections so can be treated differently alan
Thanks Alan and Matthew, that has got it going (after a long time looking at a stupid mistake I made!). On a reject I did get an error message detailed below. I changed the LDAP condition to check for a group called 'cheese', rather than my real LDAP group in order to force a rejection. This does reject but gives an EAP error. Is this just the normal way it drops out of the check-eap-tls virtual server? It certainly does what I want, but at the moment I'm treating red as something bad. Dave (44) if (Ldap-Group != "cheese") -> TRUE (44) if (Ldap-Group != "cheese") { (44) update config { (44) Auth-Type := Reject (44) } # update config = noop (44) } # if (Ldap-Group != "cheese") = noop (44) } # if ("%{User-Name}" =~ /^host\/(.*)\\.ad\\.kent\\.ac\\.uk$/i) = noop (44) auth_log : EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (44) auth_log : --> /var/log/radius/radacct/129.12.6.216/auth-detail-20160128 (44) auth_log : /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/129.12.6.216/auth-detail-20160128 (44) auth_log : EXPAND %t (44) auth_log : --> Thu Jan 28 16:29:23 2016 (44) [auth_log] = ok (44) } # authorize = ok (44) Found Auth-Type = Reject (44) Auth-Type = Reject, rejecting user (44) Failed to authenticate the user (44) Login incorrect: [host/LT7VISC18.ad.kent.ac.uk] (from client cwlc-cer port 2 cli 24:77:03:ac:c4:94 via TLS tunnel) (44) Using Post-Auth-Type Reject (44) Reply: (44) } # server check-eap-tls (44) eap_tls : Certificates were rejected by the virtual server SSL: Removing session 819d396e4ac42d139e27941979cef5340eeca0bba6ed20fb285ff3dd518d3d6f from the cache (44) ERROR: eap : Failed continuing EAP TLS (13) session. EAP sub-module failed (44) eap : Failed in EAP select (44) [eap] = invalid (44) } # authenticate = invalid (44) Failed to authenticate the user (44) Login incorrect (eap: Failed continuing EAP TLS (13) session. EAP sub-module failed) On 25/01/16 17:08, A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
I'm struggling to find any documentation or examples on using the check_eap_tls module. It is a case of putting something in our local eduroam virtual server to punt TLS attempts off to this server? Where would you put that without breaking the EAP-PEAP authentication?
just call virtual_server = check-eap-tls in the TLS specific sub-section of eap
the original commit for this feature is:
https://github.com/mcnewton/freeradius-server/commit/fbee1e9b4ce93c15d0f074a...
peap and ttls have their own subsections so can be treated differently
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Thu, Jan 28, 2016 at 04:41:58PM +0000, David Hartburn wrote:
On a reject I did get an error message detailed below. I changed the LDAP condition to check for a group called 'cheese', rather than my real LDAP group in order to force a rejection. This does reject but gives an EAP error. Is this just the normal way it drops out of the check-eap-tls virtual server?
Looks fine to me. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Brilliant, thank you again Dave On 28/01/16 16:46, Matthew Newton wrote:
On Thu, Jan 28, 2016 at 04:41:58PM +0000, David Hartburn wrote:
On a reject I did get an error message detailed below. I changed the LDAP condition to check for a group called 'cheese', rather than my real LDAP group in order to force a rejection. This does reject but gives an EAP error. Is this just the normal way it drops out of the check-eap-tls virtual server?
Looks fine to me.
Matthew
participants (6)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Arran Cudbard-Bell -
David Hartburn -
Franks Andy (IT Technical Architecture Manager) -
Matthew Newton