Upgrade form 3.0.17 to 3.0.19 and error "Unable to set parent list"
Dear list, it looks like after upgrade from 3.0.17 to 3.0.19 successfully authenticated users are rejected in post-auth section with the error "Unable to set parent list". This applies only to users from our realm (self-proxied requests). Should configuration files be updated with regard to this update ? Almost the same config worked fine for 3.0.14, 3.0.15 and 3.0.17 (3.0.16 had issues with self-proxied requests though, but it had been fixed in tree just after release date). Please see attached diffs: # diff -U 2 sesjaok sesjafail --- sesjaok 2019-04-14 22:13:01.784098000 +0200 +++ sesjafail 2019-04-14 22:10:32.664311000 +0200 (...) @@ -4772,14 +4823,14 @@ (9) sql: --> .query (9) sql: Using query template 'query' -rlm_sql (sql): Reserved connection (6) +rlm_sql (sql): Reserved connection (0) (9) sql: EXPAND %{User-Name} (9) sql: --> testuser@realm.tld (9) sql: SQL-User-Name set to 'testuser@realm.tld' (9) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, apid, authdate) VALUES ( '%{SQL-User-Name}', '%{Calling-Station-Id}', '%{reply:Packet-Type}', '%{Aruba-Location-Id}', '%S') -(9) sql: --> INSERT INTO radpostauth (username, pass, reply, apid, authdate) VALUES ( 'testuser@realm.tld', '02-00-00-00-00-01', 'Access-Accept', '', '2019-04-14 22:13:01') -(9) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, apid, authdate) VALUES ( 'testuser@realm.tld', '02-00-00-00-00-01', 'Access-Accept', '', '2019-04-14 22:13:01') +(9) sql: --> INSERT INTO radpostauth (username, pass, reply, apid, authdate) VALUES ( 'testuser@realm.tld', '02-00-00-00-00-01', 'Access-Accept', '', '2019-04-14 22:10:31') +(9) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, apid, authdate) VALUES ( 'testuser@realm.tld', '02-00-00-00-00-01', 'Access-Accept', '', '2019-04-14 22:10:31') (9) sql: SQL query returned: success (9) sql: 1 record(s) updated -rlm_sql (sql): Released connection (6) +rlm_sql (sql): Released connection (0) (9) [sql] = ok (9) if (1) { @@ -4797,21 +4848,48 @@ (9) } # update reply = noop (9) update { -(9) &outer.session-state::Chargeable-User-Identity += &reply:Chargeable-User-Identity[*] -> 0x63353435653635306130656261383366316437303930663232336264326334373266666533613930 -(9) } # update = noop -(9) } # if (1) = noop -(9) } # post-auth = ok -(9) Login OK: [testuser@realm.tld] (from client TEST-NET port 0 cli 02-00-00-00-00-01 via TLS tunnel) +(9) ERROR: Unable to set parent list +(9) } # update = fail +(9) } # if (1) = fail +(9) } # post-auth = fail +(9) Using Post-Auth-Type Reject +(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel +(9) Post-Auth-Type REJECT { +(9) sql: EXPAND .query +(9) sql: --> .query +(9) sql: Using query template 'query' +rlm_sql (sql): Reserved connection (1) +(9) sql: EXPAND %{User-Name} +(9) sql: --> testuser@realm.tld +(9) sql: SQL-User-Name set to 'testuser@realm.tld' +(9) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, apid, authdate) VALUES ( '%{SQL-User-Name}', '%{Calling-Station-Id}', '%{reply:Packet-Type}', '%{Aruba-Location-Id}', '%S') +(9) sql: --> INSERT INTO radpostauth (username, pass, reply, apid, authdate) VALUES ( 'testuser@realm.tld', '02-00-00-00-00-01', 'Access-Reject', '', '2019-04-14 22:10:31') +(9) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, apid, authdate) VALUES ( 'testuser@realm.tld', '02-00-00-00-00-01', 'Access-Reject', '', '2019-04-14 22:10:31') +(9) sql: SQL query returned: success +(9) sql: 1 record(s) updated +rlm_sql (sql): Released connection (1) +(9) [sql] = ok +(9) inner_auth_log: EXPAND inner_auth_log.%{%{reply:Packet-Type}:-format} +(9) inner_auth_log: --> inner_auth_log.Access-Reject +(9) inner_auth_log: EXPAND user-auth#VISINST=%{request:Operator-Name}#USER=%{User-Name}#CSI=%{%{Calling-Station-Id}:-Unknown Caller Id}#NAS=%{%{Called-Station-Id}:-Unknown Access Point}#CUI=%{%{%{reply:Chargeable-User-Identity}:-%{outer.reply:Chargeable-User-Identity}}:-Local User}#RESULT=FAIL# +(9) inner_auth_log: --> user-auth#VISINST=1realm.tld#USER=testuser@realm.tld#CSI=02-00-00-00-00-01#NAS=Unknown Access Point#CUI=0x63353435653635306130656261383366316437303930663232336264326334373266666533613930#RESULT=FAIL# +(9) [inner_auth_log] = ok +(9) attr_filter.access_reject: EXPAND %{User-Name} +(9) attr_filter.access_reject: --> testuser@realm.tld +(9) attr_filter.access_reject: Matched entry DEFAULT at line 11 +(9) [attr_filter.access_reject] = updated +(9) update outer.session-state { +(9) ERROR: Unable to set parent list +(9) } # update outer.session-state = fail +(9) } # Post-Auth-Type REJECT = fail +(9) Rejected in post-auth: [testuser@realm.tld] (from client TEST-NET port 0 cli 02-00-00-00-00-01 via TLS tunnel) +(9) Login incorrect (Unable to set parent list): [testuser@realm.tld] (from client TEST-NET port 0 cli 02-00-00-00-00-01 via TLS tunnel) (9) } # server inner-tunnel (9) Virtual server sending reply -(9) Chargeable-User-Identity := 0x63353435653635306130656261383366316437303930663232336264326334373266666533613930 -(9) eap_peap: Got tunneled reply code 2 -(9) eap_peap: Chargeable-User-Identity := 0x63353435653635306130656261383366316437303930663232336264326334373266666533613930 -(9) eap_peap: Got tunneled reply RADIUS code 2 -(9) eap_peap: Chargeable-User-Identity := 0x63353435653635306130656261383366316437303930663232336264326334373266666533613930 -(9) eap_peap: Tunneled authentication was successful -(9) eap_peap: SUCCESS -(9) eap_peap: Saving tunneled attributes for later +(9) eap_peap: Got tunneled reply code 3 +(9) eap_peap: Got tunneled reply RADIUS code 3 +(9) eap_peap: Tunneled authentication was rejected +(9) eap_peap: FAILURE (9) eap: Sending EAP Request (code 1) ID 10 length 43 -(9) eap: EAP session adding &reply:State = 0x21a3f50328a9ec83 +(9) eap: EAP session adding &reply:State = 0xabcbb745a2c1aea2 (9) [eap] = handled (9) } # authenticate = handled @@ -4819,6 +4897,4 @@ (9) # Executing group from file /usr/local/etc/raddb/sites-enabled/radius.realm.tld (9) Challenge { ... } # empty sub-section is ignored -(9) session-state: Saving cached attributes -(9) Chargeable-User-Identity += 0x63353435653635306130656261383366316437303930663232336264326334373266666533613930 (9) Finished internally proxied request. (9) Clearing existing &reply: attributes @@ -4830,5 +4906,5 @@ (9) post_proxy_log: /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d expands to /var/log/radacct/172.x.y.z/post-proxy-detail-20190414 (9) post_proxy_log: EXPAND %t -(9) post_proxy_log: --> Sun Apr 14 22:13:01 2019 +(9) post_proxy_log: --> Sun Apr 14 22:10:31 2019 (9) [post_proxy_log] = ok (9) attr_filter.post-proxy: EXPAND %{Realm} -- Marek Zarychta
On Apr 14, 2019, at 5:06 PM, Marek Zarychta <zarychtam@plan-b.pwste.edu.pl> wrote:
it looks like after upgrade from 3.0.17 to 3.0.19 successfully authenticated users are rejected in post-auth section with the error "Unable to set parent list". This applies only to users from our realm (self-proxied requests).
The debug log you posted doesn't show self-proxied requests. It shows PEAP, with the "inner-tunnel" virtual server. The "update outer.session-state" section works for me. Perhaps you can post a simplified description. Start from the default configuration, and then show what you changed, and what doesn't work. Alan DeKok.
W dniu 15.04.2019 o 00:23, Alan DeKok pisze:
On Apr 14, 2019, at 5:06 PM, Marek Zarychta <zarychtam@plan-b.pwste.edu.pl> wrote:
it looks like after upgrade from 3.0.17 to 3.0.19 successfully authenticated users are rejected in post-auth section with the error "Unable to set parent list". This applies only to users from our realm (self-proxied requests). The debug log you posted doesn't show self-proxied requests. It shows PEAP, with the "inner-tunnel" virtual server.
The "update outer.session-state" section works for me.
Perhaps you can post a simplified description. Start from the default configuration, and then show what you changed, and what doesn't work.
Alan DeKok.
Thank you for the clue. The issue seems to be resolved. I have replaced "virtual_server = radius.realm.tld" with "virtual_server = default" in the section "home_server localhost" of proxy.conf file and now "update outer.session-state" works again for all virtual servers. Proxy was likely misconfigured or overconfigured, but working fine for a long time. Best regards, -- Marek Zarychta
participants (2)
-
Alan DeKok -
Marek Zarychta