Send CoA/DM Requests over existing TLS connection
Hello, I want to send CoA over existing TLS connection that is established with client before. But, I am getting error as below. Is there anyone who can help me ? I also added my configurations below. *clients.conf* client 10.10.10.10 { ipaddr = 10.10.10.10 proto = tcp secret = testing123 } *tls.conf* listen { ipaddr = * port = 2083 type = auth+acct proto = tcp virtual_server = default limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } tls { private_key_password = whatever private_key_file = ${certdir}/server.pem certificate_file = ${certdir}/server.pem ca_file = ${cadir}/ca.pem dh_file = ${certdir}/dh fragment_size = 8192 ca_path = ${cadir} ca_path_reload_interval = 3600 cipher_list = "DEFAULT" cipher_server_preference = no tls_min_version = "1.2" tls_max_version = "1.3" cache { enable = no lifetime = 24 # hours } require_client_cert = no verify { } } } *default.conf* server default { authorize { if (&User-Name == "bob") { update coa { &User-Name = "%{User-Name}" &Calling-Station-Id = "%{Calling-Station-Id}" &NAS-IP-Address = "10.10.10.10" } } filter_username preprocess chap mschap digest suffix eap { ok = return } files -sql -ldap expiration logintime pap Autz-Type New-TLS-Connection { ok } } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } mschap digest eap } preacct { preprocess acct_unique suffix files } accounting { detail unix -sql exec attr_filter.accounting_response } session { } post-auth { if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { update reply { &User-Name !* ANY } } update { &reply: += &session-state: } -sql exec remove_reply_message_if_eap Post-Auth-Type REJECT { -sql attr_filter.access_reject eap remove_reply_message_if_eap } Post-Auth-Type Challenge { } if (EAP-Key-Name && &reply:EAP-Session-Id) { update reply { &EAP-Key-Name := &reply:EAP-Session-Id } } } pre-proxy { } post-proxy { eap } } *ERROR* Listening on auth+acct proto tcp address * port 2083 (TLS) bound to server default Ready to process requests ... new connection request on TCP socket Listening on auth+acct from client (10.10.10.10, 42673) -> (*, 2083, virtual-server=default) Waking up in 0.3 seconds. (0) (TLS) recv TLS 1.3 Handshake, Finished (0) tls_recv: Access-Request packet from host 10.10.10.10 port 42673, id=0, length=69 Threads: total/active/spare threads = 5/0/5 Thread 5 got semaphore Thread 5 handling request 0, (1 handled so far) (0) Received Access-Request Id 0 from 10.10.10.10:42673 to 0.0.0.0:2083 length 69 (0) NAS-IP-Address = 1.1.1.1 (0) Calling-Station-Id = "00010305AABB" (0) Framed-IP-Address = 192.168.1.1 (0) User-Name = "bob" (0) User-Password = "hello" (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) if (&User-Name == "bob") { (0) if (&User-Name == "bob") -> TRUE (0) if (&User-Name == "bob") { (0) update coa { (0) EXPAND %{User-Name} (0) --> bob (0) &User-Name = bob (0) EXPAND %{Calling-Station-Id} (0) --> 00010305AABB (0) &Calling-Station-Id = 00010305AABB (0) &NAS-IP-Address = 10.10.10.10 (0) } # update coa = noop (0) } # if (&User-Name == "bob") = noop (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = noop (0) } # policy filter_username = noop (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "bob", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry bob at line 87 (0) files: EXPAND Hello, %{User-Name} (0) files: --> Hello, bob (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop (0) [pap] = updated (0) } # authorize = updated (0) Found Auth-Type = PAP (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) Auth-Type PAP { (0) pap: Login attempt with password (0) pap: Comparing with "known good" Cleartext-Password (0) pap: User authenticated successfully (0) [pap] = ok (0) } # Auth-Type PAP = ok (0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (0) post-auth { (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (0) update { (0) No attributes updated for RHS &session-state: (0) } # update = noop (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) if (EAP-Key-Name && &reply:EAP-Session-Id) { (0) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE (0) } # post-auth = noop (0) WARNING: Unknown destination 10.10.10.10:3799 for CoA request. (0) Sent Access-Accept Id 0 from 0.0.0.0:2083 to 10.10.10.10:42673 length 0 (0) Reply-Message = "Hello, bob" (0) (TLS) send TLS 1.3 Handshake, Finished (0) Finished request
On Aug 22, 2021, at 10:08 AM, Ünal Kayaduman <kayadumanunal@gmail.com> wrote:
I want to send CoA over existing TLS connection that is established with client before.
There is no way to do that in RADIUS. No RADIUS client supports it. There is experimental code to do it, but again... no RADIUS client supports it. Even if you did manage to send a CoA packet down a TLS connection, the client would just ignore it. What you want to do is impossible, and won't work. The clients have to be updated to support this.
But, I am getting error as below. Is there anyone who can help me ? I also added my configurations below.
Read http://wiki.freeradius.org/list-help We don't need to see configuration files.
(0) WARNING: Unknown destination 10.10.10.10:3799 for CoA request.
You have to specify a "home server" of type "coa" in order to send CoA packets. This is documented in proxy.conf. Alan DeKok.
Thanks Alan for reply. Now we know what are we gonna do. Have a nice day. Ünal. On Sun, Aug 22, 2021, 5:20 PM Alan DeKok <aland@deployingradius.com> wrote:
On Aug 22, 2021, at 10:08 AM, Ünal Kayaduman <kayadumanunal@gmail.com> wrote:
I want to send CoA over existing TLS connection that is established with client before.
There is no way to do that in RADIUS. No RADIUS client supports it.
There is experimental code to do it, but again... no RADIUS client supports it.
Even if you did manage to send a CoA packet down a TLS connection, the client would just ignore it.
What you want to do is impossible, and won't work. The clients have to be updated to support this.
But, I am getting error as below. Is there anyone who can help me ? I also added my configurations below.
Read http://wiki.freeradius.org/list-help
We don't need to see configuration files.
(0) WARNING: Unknown destination 10.10.10.10:3799 for CoA request.
You have to specify a "home server" of type "coa" in order to send CoA packets. This is documented in proxy.conf.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Ünal Kayaduman