Can we do sql just once during eap-tls handshake
We are using eap-tls for authetication assisted with a database for filling in some attributes. FreeRADIUS Version 2.1.3 with minimal configuration will do a sql lookup for each round. (Four selects: radcheck, radusergroup, radgroupcheck and radgroupreply). There are 6-9 rounds depending on certificate chain sizes. Obviously performance would be better with only one database lookup. Part of the (attempted) configuration: authorize { preprocess eap if (I have tried some conditions here) { sql if (notfound) { fail } } } authenticate { eap } Is there som nice condition that will result in only one lookup in the database? A thing that complicates thing is that TLS (that declares Success I beleive) is run during authenticate which is later the the attempted database lookup. The TLS outcome is pretty well known in the second last round: There are logs saying [tls] (other): SSL negotiation finished successfully SSL Connection Established but there is still one Access-Challange. So if this fact could be tested in the last round that test would be a nice candidate for doing the sql update. As an aside: Is there a way to really inspect the client certificate (preferrably the entire chain) and let it affect some logic (in perl as an example)? -- View this message in context: http://www.nabble.com/Can-we-do-sql-just-once-during-eap-tls-handshake-tp223... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Johan F2 wrote:
We are using eap-tls for authetication assisted with a database for filling in some attributes.
FreeRADIUS Version 2.1.3 with minimal configuration will do a sql lookup for each round. (Four selects: radcheck, radusergroup, radgroupcheck and radgroupreply). There are 6-9 rounds depending on certificate chain sizes.
Obviously performance would be better with only one database lookup.
Part of the (attempted) configuration: authorize { preprocess
eap if (I have tried some conditions here) {
The default FR 2.0 config has: authorize { eap { ok = return } } ...which will do what you want. As always, mangling the default config without understanding why it does what it does is a bad idea.
Thanks Phil, I have tried that but regrettably it does not work. According to my logs eap returns "updated" every round when doing authorize. (During the authenticate stage eap returns "handled" except the last round where it returns "ok") The comment preceeding eap in the default config says: # As of 2.0, the EAP module returns "ok" in the authorize stage # for TTLS and PEAP. In 1.x, it never returned "ok" here, so so there is no promise about any improvement when doing EAP-TLS . Sorry about the ...mangling the default config without understanding... I am porting an existing config (by someone else) from 1.x so I missed that. I did examine the log checking the return values from eap though. /Johan Phil Mayers wrote:
Johan F2 wrote:
We are using eap-tls for authetication assisted with a database for filling in some attributes.
FreeRADIUS Version 2.1.3 with minimal configuration will do a sql lookup for each round. (Four selects: radcheck, radusergroup, radgroupcheck and radgroupreply). There are 6-9 rounds depending on certificate chain sizes.
Obviously performance would be better with only one database lookup.
Part of the (attempted) configuration: authorize { preprocess
eap if (I have tried some conditions here) {
The default FR 2.0 config has:
authorize { eap { ok = return } }
...which will do what you want. As always, mangling the default config without understanding why it does what it does is a bad idea.
-- View this message in context: http://www.nabble.com/Can-we-do-sql-just-once-during-eap-tls-handshake-tp223... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Thanks Phil, I have tried that but regrettably it does not work. According to my logs eap returns "updated" every round when doing authorize. (During the authenticate stage eap returns "handled" except the last round where it returns "ok")
The comment preceeding eap in the default config says: # As of 2.0, the EAP module returns "ok" in the authorize stage # for TTLS and PEAP. In 1.x, it never returned "ok" here, so so there is no promise about any improvement when doing EAP-TLS .
You can try adding updated = return to eap section in authorize. Not sure if that breaks anything. Ivan Kalik Kalik Informatika ISP
I have tested "updated = return" and it behaves as expected. That is authorize always returns without reading the database so the attributes are never set. Remeber that eap returns "updated" every round including the last one where the database should be consulted. I need a test that returns true when doing authorize in the same round as authenticate will return ok. /Johan You can try adding updated = return to eap section in authorize. Not sure if that breaks anything. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- View this message in context: http://www.nabble.com/Can-we-do-sql-just-once-during-eap-tls-handshake-tp223... Sent from the FreeRadius - User mailing list archive at Nabble.com.
I have tested "updated = return" and it behaves as expected. That is authorize always returns without reading the database so the attributes are never set.
Remeber that eap returns "updated" every round including the last one where the database should be consulted.
I need a test that returns true when doing authorize in the same round as authenticate will return ok.
Try running authorize:sql in post-auth. Or was it sql:authorize? Ivan Kalik Kalik Informatika ISP
Both authorize:sql and sql:authorize cause an error "Failed to find module". Plain sql or sql authorize { } lead to the documented post-auth behaviour of sql (that is writing to log). I have not found any documentation about forcing a module into running code for for another phase (authorize when doing post-auth). tnt-4 wrote:
Try running authorize:sql in post-auth. Or was it sql:authorize?
Ivan Kalik Kalik Informatika ISP
-- View this message in context: http://www.nabble.com/Can-we-do-sql-just-once-during-eap-tls-handshake-tp223... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Johan F2 wrote:
Both authorize:sql and sql:authorize cause an error "Failed to find module".
Use "sql.authorize"
I have not found any documentation about forcing a module into running code for for another phase (authorize when doing post-auth).
It's not documented. It was a "feature" that got added semi-accidentally, and then turned out to be too useful to remove. Alan DeKok.
It works! Now there is only one database access per authetication. The relevant part of the config is now: authorize { .... eap } authenticate { eap } post-auth { sql.authorize if (notfound) { fail } } Somewhat un-obvious but thanks alot for the help! (But I guess setting Auth-method to Reject in the database no longer works.) /Johan Alan DeKok-2 wrote:
Johan F2 wrote:
Both authorize:sql and sql:authorize cause an error "Failed to find module".
Use "sql.authorize"
I have not found any documentation about forcing a module into running code for for another phase (authorize when doing post-auth).
It's not documented. It was a "feature" that got added semi-accidentally, and then turned out to be too useful to remove.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Can-we-do-sql-just-once-during-eap-tls-handshake-tp223... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi I need some opinions. Condition: 1. I have a local realm (suffix), xyz.com. I'm using freeradius 2.1.3+mysql. 2. My own user's username in mysql radcheck table is store in username@xyz.com format 3. A person want me to proxy his prefix ABC/his-customer-username@myrealm to his radius server, i.e: ABC/his-customer-username@xyz.com 4. The proxy has strip both prefix and suffix, which means when ABC/his-customer-username@xyz.com auth request come in, i have to forward only his-customer-username to his radius. I know i can using hint to strip his prefix, but i'm stuck at proxy config. I can't proxy xyz.com to his radius, otherwise my own user's username will also proxy to his radius server. How can i proxy his-customer-username without mess up my own user's username? It's sound a bit stupid, but i still keen to find out is that possible to achieve the objective or not. Thanks a lot!! Piston
Condition:
1. I have a local realm (suffix), xyz.com. I'm using freeradius 2.1.3+mysql.
2. My own user's username in mysql radcheck table is store in username@xyz.com format
3. A person want me to proxy his prefix ABC/his-customer-username@myrealm to his radius server, i.e: ABC/his-customer-username@xyz.com
That is wrong. His customers should use ABC/his-customer-username only, not have @xyz.com as well.
4. The proxy has strip both prefix and suffix, which means when ABC/his-customer-username@xyz.com auth request come in, i have to forward only his-customer-username to his radius.
If you don't have to deal with @xyz.com at the end it works by default. Change instructions for his users. They shouldn't append your domain as well. Only his prefix. Ivan Kalik Kalik Informatika ISP
Hi,
1. I have a local realm (suffix), xyz.com. I'm using freeradius 2.1.3+mysql.
2. My own user's username in mysql radcheck table is store in username@xyz.com format
3. A person want me to proxy his prefix ABC/his-customer-username@myrealm to his radius server, i.e: ABC/his-customer-username@xyz.com
nasty. same realm but needs to be handled differently. okay. i'd say use unlang for this. before prefix, realm etc are called in the auth stage, have a check ie quick pseudo-code whilst i have a coffee if (user-name =~ "^ABC\/") { update realm == "another_realm" } then in proxy.conf another_realm { blah blah } ie 'fake' the realm within the FreeRADIUS engine so that its got its own special entry in proxy.conf alan
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
1. I have a local realm (suffix), xyz.com. I'm using freeradius 2.1.3+mysql.
2. My own user's username in mysql radcheck table is store in username@xyz.com format
3. A person want me to proxy his prefix ABC/his-customer-username@myrealm to his radius server, i.e: ABC/his-customer-username@xyz.com
nasty. same realm but needs to be handled differently. okay. i'd say use unlang for this. before prefix, realm etc are called in the auth stage, have a check ie
quick pseudo-code whilst i have a coffee
Or if you want to use the NT domain portion as the realm.. if (User-Name =~ /^([^\\/:*?<>|\"]+)\\\\//) { update control { Realm = "%{1}" } } Think that's the right number of backslashes... -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkmz/bEACgkQcaklux5oVKLa4ACeKwkASUqoRcsoaUFKlcHl0r7m WBQAn2FS0pg0FerxaFtw586rIrXq53CV =csnq -----END PGP SIGNATURE-----
Hi I'm putting the following code under /etc/freeradius/site-available/default, authorize section just after preproccess if (User-Name =~ "^ABC\/") { update control { Realm == "%another_realm"} } But i'm getting such error: Expected regular expression at: "^ABC\/") /etc/freeradius/sites-enabled/default[62]: Errors parsing authorize section. } Need some guidance, this is the first time using unlang. Thank you very much. Piston ----- Original Message ---- From: "A.L.M.Buxey@lboro.ac.uk" <A.L.M.Buxey@lboro.ac.uk> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Sent: Saturday, March 7, 2009 6:15:02 PM Subject: Re: radius proxy senario Hi,
1. I have a local realm (suffix), xyz.com. I'm using freeradius 2.1.3+mysql.
2. My own user's username in mysql radcheck table is store in username@xyz.com format
3. A person want me to proxy his prefix ABC/his-customer-username@myrealm to his radius server, i.e: ABC/his-customer-username@xyz.com
nasty. same realm but needs to be handled differently. okay. i'd say use unlang for this. before prefix, realm etc are called in the auth stage, have a check ie quick pseudo-code whilst i have a coffee if (user-name =~ "^ABC\/") { update realm == "another_realm" } then in proxy.conf another_realm { blah blah } ie 'fake' the realm within the FreeRADIUS engine so that its got its own special entry in proxy.conf alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
piston wrote:
I'm putting the following code under /etc/freeradius/site-available/default, authorize section just after preproccess
if (User-Name =~ "^ABC\/") {
That is not a valid regular expression. See "man unlang" for the form of regular expressions: if (User-Name =~ /^ABC\//) {
update control { Realm == "%another_realm"}
That is not a valid variable expansion. See "man unlang", VARIABLES section for examples of valid variable references. Alan DeKok.
Hi,
Hi
I'm putting the following code under /etc/freeradius/site-available/default, authorize section just after preproccess
if (User-Name =~ "^ABC\/") { update control { Realm == "%another_realm"} }
But i'm getting such error:
Expected regular expression at: "^ABC\/") /etc/freeradius/sites-enabled/default[62]: Errors parsing authorize section. }
Need some guidance, this is the first time using unlang.
read the main page for unlang and the online documents - snippets of logic code are not to be blindly used verbatim when supplied on this list - however, this is a quick fix so: if ("%{User-Name}" =~ /"^ABC\/"/ ) { update control { Realm := 'another_realm' } } however, I'd personally prefer (why? still not sure) if ("%{User-Name}" =~ /"^ABC\/"/ ) { update request { Realm := 'another_realm' } } alan
I have trying both if ("%{User-Name}" =~ /"^ABC\/"/ ) { update control { Realm := 'another_realm' } } if ("%{User-Name}" =~ /"^ABC\/"/ ) { update request { Realm := 'another_realm' } } Still not working. Just make sure if I'm not understand wrongly. In the ideal case when receiving access access ABC/userid@my_realm, i should able to transform this login id as userid@another_realm, and proxy the login id base on another_realm at proxy.conf. Debugged log as below: rad_recv: Access-Request packet from host 192.168.168.7 port 2469, id=42, length=65 User-Name = "ABC/userid@my_realm" User-Password = "test" NAS-Port = 100 +- entering group authorize {...} ++[preprocess] returns ok ++? if ("%{User-Name}" =~ /"^ABC\/"/) expand: %{User-Name} -> ABC/userid@my_realm ? Evaluating ("%{User-Name}" =~ /"^ABC\/"/) -> FALSE ++? if ("%{User-Name}" =~ /"^ABC\/"/) -> FALSE No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. Thank you Piston ----- Original Message ---- From: "A.L.M.Buxey@lboro.ac.uk" <A.L.M.Buxey@lboro.ac.uk> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Sent: Monday, March 9, 2009 5:16:35 PM Subject: Re: radius proxy senario Hi,
Hi
I'm putting the following code under /etc/freeradius/site-available/default, authorize section just after preproccess
if (User-Name =~ "^ABC\/") { update control { Realm == "%another_realm"} }
But i'm getting such error:
Expected regular expression at: "^ABC\/") /etc/freeradius/sites-enabled/default[62]: Errors parsing authorize section. }
Need some guidance, this is the first time using unlang.
read the main page for unlang and the online documents - snippets of logic code are not to be blindly used verbatim when supplied on this list - however, this is a quick fix so: if ("%{User-Name}" =~ /"^ABC\/"/ ) { update control { Realm := 'another_realm' } } however, I'd personally prefer (why? still not sure) if ("%{User-Name}" =~ /"^ABC\/"/ ) { update request { Realm := 'another_realm' } } alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I have trying both
if ("%{User-Name}" =~ /"^ABC\/"/ ) { update control { Realm := 'another_realm' } }
if ("%{User-Name}" =~ /"^ABC\/"/ ) { update request { Realm := 'another_realm' } }
Still not working.
Just make sure if I'm not understand wrongly. In the ideal case when receiving access access ABC/userid@my_realm, i should able to transform this login id as userid@another_realm, and proxy the login id base on another_realm at proxy.conf.
Debugged log as below:
rad_recv: Access-Request packet from host 192.168.168.7 port 2469, id=42, length=65 User-Name = "ABC/userid@my_realm" User-Password = "test" NAS-Port = 100 +- entering group authorize {...} ++[preprocess] returns ok ++? if ("%{User-Name}" =~ /"^ABC\/"/) expand: %{User-Name} -> ABC/userid@my_realm ? Evaluating ("%{User-Name}" =~ /"^ABC\/"/) -> FALSE ++? if ("%{User-Name}" =~ /"^ABC\/"/) -> FALSE No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
*Add* that to authorize. Don't delete everything else. Regex don't work well in 2.1.3. Use 2.1.1 or wait a few days for 2.1.4. Ivan Kalik Kalik Informatika ISP
Hi,
if ("%{User-Name}" =~ /"^ABC\/"/ ) {
if ("%{User-Name}" =~ /^ABC\// ) { read a few online regex resources.
++? if ("%{User-Name}" =~ /"^ABC\/"/) expand: %{User-Name} -> ABC/userid@my_realm ? Evaluating ("%{User-Name}" =~ /"^ABC\/"/) -> FALSE ++? if ("%{User-Name}" =~ /"^ABC\/"/) -> FALSE
this clearly states that the regex didnt match. you should scratch your head, ponder why, then check your regex. there are some current quirks and bugs in 2.1.3 with regex - but this sort of form works in 2.1.3 okay ( i have several running) your summary is right though - logically its all okay in your head - you look for stuff beginning with ABC and then rewrite that logically (not for real!) in the engine to be @another_realm which the realm module then handles. alan
Thanks Alan With this: if ("%{User-Name}" =~ /^ABC\//) { update request { Realm := 'another_realm' } } The regex is working by now, but the other problem exist, the rewrite not working properly. freeradius acct log shown that: Tue Mar 10 00:30:54 2009 Packet-Type = Access-Request User-Name = "ABC/userid@my_realm" NAS-Port = 101 NAS-IP-Address = 192.168.168.7 Stripped-User-Name = "userid@my_realm" Realm = "another_realm" Debug log: rad_recv: Access-Request packet from host 192.168.168.7 port 3185, id=126, length=65 User-Name = "ABC/userid@my_realm" User-Password = "test" NAS-Port = 101 +- entering group authorize {...} [preprocess] hints: Matched DEFAULT at 79 ++[preprocess] returns ok ++? if ("%{User-Name}" =~ /^ABC\//) expand: %{User-Name} -> ABC/userid@my_realm ? Evaluating ("%{User-Name}" =~ /^ABC\//) -> TRUE ++? if ("%{User-Name}" =~ /^ABC\//) -> TRUE ++- entering if ("%{User-Name}" =~ /^ABC\//) {...} +++[request] returns ok ++- if ("%{User-Name}" =~ /^ABC\//) returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.168.7/auth-detail-20090310 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.168.7/auth-detail-20090310 [auth_log] expand: %t -> Tue Mar 10 00:22:03 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [ABC] No '/' in User-Name = "userid@my_realm", looking up realm NULL [ABC] No such realm "NULL" ++[ABC] returns noop if i modify as if ("%{User-Name}" =~ /^ABC\//) { update request { User-Name := 'useris@another_realm' } } radcct log: Tue Mar 10 00:38:39 2009 Packet-Type = Access-Request User-Name = "userid@another_realm" NAS-Port = 101 NAS-IP-Address = 192.168.168.7 Debug log: rad_recv: Access-Request packet from host 192.168.168.7 port 3226, id=134, length=65 User-Name = "ABC/userid@my_realm" User-Password = "test" NAS-Port = 101 +- entering group authorize {...} ++[preprocess] returns ok ++? if ("%{User-Name}" =~ /^ABC\//) expand: %{User-Name} -> ABC/userid@my_realm ? Evaluating ("%{User-Name}" =~ /^ABC\//) -> TRUE ++? if ("%{User-Name}" =~ /^ABC\//) -> TRUE ++- entering if ("%{User-Name}" =~ /^ABC\//) {...} +++[request] returns ok ++- if ("%{User-Name}" =~ /^ABC\//) returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.168.7/auth-detail-20090310 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.168.7/auth-detail-20090310 [auth_log] expand: %t -> Tue Mar 10 00:38:39 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [ABC] No '/' in User-Name = "userid@another_realm", looking up realm NULL [ABC] No such realm "NULL" ++[ABC] returns noop [suffix] Looking up realm "another_realm" for User-Name = "userid@another_realm" [suffix] Found realm "another_realm" [suffix] Adding Stripped-User-Name = "userid" [suffix] Adding Realm = "another_realm" [suffix] Proxying request from user userid to realm another_realm [suffix] Preparing to proxy authentication request to realm "another_realm" Question is, how to update the user-name accordingly? Thanks Piston ----- Original Message ---- From: "A.L.M.Buxey@lboro.ac.uk" <A.L.M.Buxey@lboro.ac.uk> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Sent: Monday, March 9, 2009 8:38:25 PM Subject: Re: radius proxy senario Hi,
if ("%{User-Name}" =~ /"^ABC\/"/ ) {
if ("%{User-Name}" =~ /^ABC\// ) { read a few online regex resources.
++? if ("%{User-Name}" =~ /"^ABC\/"/) expand: %{User-Name} -> ABC/userid@my_realm ? Evaluating ("%{User-Name}" =~ /"^ABC\/"/) -> FALSE ++? if ("%{User-Name}" =~ /"^ABC\/"/) -> FALSE
this clearly states that the regex didnt match. you should scratch your head, ponder why, then check your regex. there are some current quirks and bugs in 2.1.3 with regex - but this sort of form works in 2.1.3 okay ( i have several running) your summary is right though - logically its all okay in your head - you look for stuff beginning with ABC and then rewrite that logically (not for real!) in the engine to be @another_realm which the realm module then handles. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
Thanks Alan
With this:
if ("%{User-Name}" =~ /^ABC\//) { update request { Realm := 'another_realm' } }
The regex is working by now, but the other problem exist, the rewrite not working properly.
dont play with User-Name! change the config to something instructive eg if ("%{User-Name}" =~ /^ABC\//) { update request { Realm := 'another_realm' } update control { Proxy-To-Realm := "another_realm" } } alan
participants (7)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Arran Cudbard-Bell -
Johan F2 -
Phil Mayers -
piston -
tnt@kalik.net