Issue with dynamic home servers in 3.2.3
I am trying to add OpenRoaming support via dynamic DNS lookups to FreeRADIUS 3.2.3 As per the doc at freeradius-server-3.2.3/doc/configuration/dynamic_home_servers.md it states you need to do the following: 1. Enable the control socket 2. Enable dynamic = true and set the directory = ${raddb}/home_servers/ in proxy.conf 3. Ensure the /mods-config/realm/freeradius-naptr-to-home-server.sh is present in order to perform real-time DNS lookups unknown realms. So far so good. The doc gives an example of what to use inside the authorize {} block. Here is my config (added the "aaa+auth:radius.tls.tcp" to the script's third parameter... if (User-Name =~ /@(.*)$/) { switch "%{home_server_dynamic:%{1}}" { case "1" { # Proxy to this one particular home server update control { &Home-Server-Name := "%{1}" } } case "0" { # Proxy with home server pool, failover, etc. update control { &Proxy-To-Realm := "%{1}" } } case { # no home server exists, ask DNS update control { # you can add a parameter for the NAPTR tag to look up, e.g. "aaa+auth:radius.tls.tcp" (RFC7585, OpenRoaming) # if the third parameter is omitted, it defaults to "x-eduroam:radius.tls" &Temp-Home-Server-String := `%{config:confdir}/mods-config/realm/freeradius-naptr-to-home-server.sh -d %{config:confdir} %{1} aaa+auth:radius.tls.tcp` } if ("%{control:Temp-Home-Server-String}" == "" ) { update control { &Home-Server-Name := "%{1}" } } else { reject } } } } When testing this, I can see that it is performing the DNS lookup and adding a dynamic home server to the home_servers folder, but it still fails and doesn't actually proxy the request to the dynamically discovered server: (0) if (User-Name =~ /@(.*)$/) { (0) if (User-Name =~ /@(.*)$/) -> TRUE (0) if (User-Name =~ /@(.*)$/) { (0) switch %{home_server_dynamic:%{1}} { (0) EXPAND %{home_server_dynamic:%{1}} (0) --> (0) case { (0) update control { (0) Executing: %{config:confdir}/mods-config/realm/freeradius-naptr-to-home-server.sh -d %{config:confdir} %{1} aaa+auth:radius.tls.tcp: (0) EXPAND confdir (0) --> confdir (0) EXPAND %{config:confdir}/mods-config/realm/freeradius-naptr-to-home-server.sh (0) --> /usr/local/etc/raddb/mods-config/realm/freeradius-naptr-to-home-server.sh (0) EXPAND confdir (0) --> confdir (0) EXPAND %{config:confdir} (0) --> /usr/local/etc/raddb (0) EXPAND %{1} (0) --> openroaming.goog Waking up in 0.3 seconds. ... new connection request on command socket Listening on command file /usr/local/var/run/radiusd/radiusd.sock Waking up in 0.2 seconds. radmin> add home_server file /usr/local/etc/raddb/home_servers/openroaming.goog including configuration file /usr/local/etc/raddb/home_servers/openroaming.goog including configuration file /usr/local/etc/raddb/home_servers/tls.conf home_server openroaming.goog { nonblock = no ipaddr = radsec.openroaming.goog IPv4 address [146.148.44.172] port = 2083 type = "auth" secret = <<< secret >>> response_window = 30.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "none" ping_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 300 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } recv_coa { } } Waking up in 0.1 seconds. ... shutting down socket command file /usr/local/var/run/radiusd/radiusd.sock ... cleaning up socket command file /usr/local/var/run/radiusd/radiusd.sock Waking up in 0.1 seconds. (0) Program returned code (0) and output '' (0) &Temp-Home-Server-String := (0) } # update control = noop (0) if ("%{control:Temp-Home-Server-String}" == "" ) { (0) if ("%{control:Temp-Home-Server-String}" == "" ) -> TRUE (0) if ("%{control:Temp-Home-Server-String}" == "" ) { (0) [reject] = reject (0) } # if ("%{control:Temp-Home-Server-String}" == "" ) = reject (0) } # case = reject (0) } # switch %{home_server_dynamic:%{1}} = reject (0) } # if (User-Name =~ /@(.*)$/) = reject It seems if ("%{control:Temp-Home-Server-String}" == "" ) { is the offending line. Even though the naptr script succeeds and returns a code 0, it's marking it as failed. So, i reversed the if statement so I could at least test further: if ("%{control:Temp-Home-Server-String}" == "" ) { update control { &Home-Server-Name := "%{1}" } } else { reject } I now get the following: (0) if ("%{control:Temp-Home-Server-String}" == "" ) { (0) if ("%{control:Temp-Home-Server-String}" == "" ) -> TRUE (0) if ("%{control:Temp-Home-Server-String}" == "" ) { (0) update control { (0) EXPAND %{1} (0) --> openroaming.goog (0) &Home-Server-Name := openroaming.goog (0) } # update control = noop (0) } # if ("%{control:Temp-Home-Server-String}" == "" ) = noop (0) ... skipping else: Preceding "if" was taken (0) } # case = noop (0) } # switch %{home_server_dynamic:%{1}} = noop (0) } # if (User-Name =~ /@(.*)$/) = noop (0) Proxying due to Home-Server-Name (0) There was no response configured: rejecting request Any thoughts on this? P.S. I think there is a bug in the freeradius-naptr-to-home-server.sh script, because it doesn't add the lines "secret" and "type" when it dynamically generates the home_server block. I had to modify it to add these lines in, else the radmin command failed to dynamically load it. Thanks
On Aug 10, 2023, at 7:38 AM, James Wood via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I am trying to add OpenRoaming support via dynamic DNS lookups to FreeRADIUS 3.2.3
As per the doc at freeradius-server-3.2.3/doc/configuration/dynamic_home_servers.md it states you need to do the following:
1. Enable the control socket 2. Enable dynamic = true and set the directory = ${raddb}/home_servers/ in proxy.conf 3. Ensure the /mods-config/realm/freeradius-naptr-to-home-server.sh is present in order to perform real-time DNS lookups unknown realms.
So far so good.
That's good.
The doc gives an example of what to use inside the authorize {} block. Here is my config (added the "aaa+auth:radius.tls.tcp" to the script's third parameter... ... When testing this, I can see that it is performing the DNS lookup and adding a dynamic home server to the home_servers folder, but it still fails and doesn't actually proxy the request to the dynamically discovered server:
Hmm... most things seem to be OK.
%{config:confdir}/mods-config/realm/freeradius-naptr-to-home-server.sh (0) --> /usr/local/etc/raddb/mods-config/realm/freeradius-naptr-to-home-server.sh (0) EXPAND confdir (0) --> confdir (0) EXPAND %{config:confdir} (0) --> /usr/local/etc/raddb (0) EXPAND %{1} (0) --> openroaming.goog Waking up in 0.3 seconds. ... new connection request on command socket
it's running the script, that's good.
Listening on command file /usr/local/var/run/radiusd/radiusd.sock Waking up in 0.2 seconds. radmin> add home_server file /usr/local/etc/raddb/home_servers/openroaming.goog including configuration file /usr/local/etc/raddb/home_servers/openroaming.goog including configuration file /usr/local/etc/raddb/home_servers/tls.conf home_server openroaming.goog {
it's adding the home server. That's good.
(0) Program returned code (0) and output ''
(0) &Temp-Home-Server-String := (0) } # update control = noop (0) if ("%{control:Temp-Home-Server-String}" == "" ) { (0) if ("%{control:Temp-Home-Server-String}" == "" ) -> TRUE (0) if ("%{control:Temp-Home-Server-String}" == "" ) { (0) [reject] = reject (0) } # if ("%{control:Temp-Home-Server-String}" == "" ) = reject
So the script isn't returning anything.
(0) } # case = reject (0) } # switch %{home_server_dynamic:%{1}} = reject (0) } # if (User-Name =~ /@(.*)$/) = reject
It seems if ("%{control:Temp-Home-Server-String}" == "" ) { is the offending line. Even though the naptr script succeeds and returns a code 0, it's marking it as failed.
No... it's marked as not returning anything. Edit the script to add a line at the end: echo $1 And it should work.
So, i reversed the if statement so I could at least test further: .. (0) Proxying due to Home-Server-Name (0) There was no response configured: rejecting request
It should be proxying to the home server. I'm not sure what's going wrong here. I'll have to dig into it in more detail.
Any thoughts on this?
P.S. I think there is a bug in the freeradius-naptr-to-home-server.sh script, because it doesn't add the lines "secret" and "type" when it dynamically generates the home_server block. I had to modify it to add these lines in, else the radmin command failed to dynamically load it.
Those lines are in the "tls.conf" file. You don't need to add them to the "home_server" block, as the "$INCLUDE tls.conf" will automatically add them. Alan DeKok.
Thanks. I've included the tls.conf now and as you say it now sets the secret and type dynamically. So I'm now left with the same end issue (it's not using the just added home server to proxy the request out to): ... new connection request on TCP socket Listening on auth+acct from client (209.206.59.19, 49510) -> (*, 2083, virtual-server=default) Waking up in 0.8 seconds. (0) (TLS) Initiating new session (0) (TLS) Handshake state - before SSL initialization (0) (TLS) Handshake state - Server before SSL initialization (0) (TLS) Handshake state - Server before SSL initialization (0) (TLS) recv TLS 1.3 Handshake, ClientHello (0) (TLS) Handshake state - Server SSLv3/TLS read client hello (0) (TLS) send TLS 1.2 Handshake, ServerHello (0) (TLS) Handshake state - Server SSLv3/TLS write server hello (0) (TLS) send TLS 1.2 Handshake, Certificate (0) (TLS) Handshake state - Server SSLv3/TLS write certificate (0) (TLS) send TLS 1.2 Handshake, ServerKeyExchange (0) (TLS) Handshake state - Server SSLv3/TLS write key exchange (0) (TLS) send TLS 1.2 Handshake, ServerHelloDone (0) (TLS) Handshake state - Server SSLv3/TLS write server done (0) (TLS) Server : Need to read more data: SSLv3/TLS write server done (0) (TLS) In Handshake Phase Waking up in 0.7 seconds. (0) (TLS) Handshake state - Server SSLv3/TLS write server done (0) (TLS) recv TLS 1.2 Handshake, ClientKeyExchange (0) (TLS) Handshake state - Server SSLv3/TLS read client key exchange (0) (TLS) Handshake state - Server SSLv3/TLS read change cipher spec (0) (TLS) recv TLS 1.2 Handshake, Finished (0) (TLS) Handshake state - Server SSLv3/TLS read finished (0) (TLS) send TLS 1.2 ChangeCipherSpec (0) (TLS) Handshake state - Server SSLv3/TLS write change cipher spec (0) (TLS) send TLS 1.2 Handshake, Finished (0) (TLS) Handshake state - Server SSLv3/TLS write finished (0) (TLS) Handshake state - SSL negotiation finished successfully (0) (TLS) Connection Established (0) TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES256-GCM-SHA384" (0) TLS-Session-Version = "TLS 1.2" Waking up in 0.7 seconds. (0) (TLS): Access-Request packet from host 209.206.59.19 port 49510, id=15, length=442 Threads: total/active/spare threads = 2/0/2 Thread 2 got semaphore Thread 2 handling request 0, (1 handled so far) (0) Received Access-Request Id 15 from 209.206.59.19:49510 to 0.0.0.0:2083 length 442 (0) User-Name = "anonymous@openroaming.goog" (0) NAS-IP-Address = 192.168.1.15 (0) NAS-Identifier = "xx" (0) Called-Station-Id = "xx" (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) NAS-Port = 1 (0) Calling-Station-Id = "xx" (0) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 13 / Channel: 64" (0) Acct-Session-Id = "37435BC5701BFFFF" (0) Acct-Multi-Session-Id = "01E86F90CB69EC74" (0) WLAN-Pairwise-Cipher = 1027076 (0) WLAN-Group-Cipher = 1027076 (0) WLAN-AKM-Suite = 1027073 (0) Framed-MTU = 1400 (0) EAP-Message = 0x0282001f01616e6f6e796d6f7573406f70656e726f616d696e672e676f6f67 (0) HS20-AP-Version = 1 (0) HS20-Mobile-Device-Version = 0x010000 (0) HS20-Roaming-Consortium = 0x5a03ba0000 (0) Message-Authenticator = 0x9db6eae3f189b5ef4add2b2fafc55f00 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) [chap] = noop (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "openroaming.goog" for User-Name = "anonymous@openroaming.goog" (0) suffix: Found realm "DEFAULT" (0) suffix: Adding Realm = "DEFAULT" (0) suffix: Proxying request from user anonymous@openroaming.goog to realm DEFAULT (0) suffix: Preparing to proxy authentication request to realm "DEFAULT" (0) [suffix] = updated (0) eap: Request is supposed to be proxied to Realm DEFAULT. Not doing EAP. (0) [eap] = noop (0) [pap] = noop (0) } # authorize = updated (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) [preprocess] = ok (0) if (User-Name =~ /@(.*)$/) { (0) if (User-Name =~ /@(.*)$/) -> TRUE (0) if (User-Name =~ /@(.*)$/) { (0) switch %{home_server_dynamic:%{1}} { (0) EXPAND %{home_server_dynamic:%{1}} (0) --> (0) case { (0) update control { (0) Executing: %{config:confdir}/mods-config/realm/freeradius-naptr-to-home-server.sh -d %{config:confdir} %{1} aaa+auth:radius.tls.tcp: (0) EXPAND confdir (0) --> confdir (0) EXPAND %{config:confdir}/mods-config/realm/freeradius-naptr-to-home-server.sh (0) --> /usr/local/etc/raddb/mods-config/realm/freeradius-naptr-to-home-server.sh (0) EXPAND confdir (0) --> confdir (0) EXPAND %{config:confdir} (0) --> /usr/local/etc/raddb (0) EXPAND %{1} (0) --> openroaming.goog Waking up in 0.3 seconds. ... new connection request on command socket Listening on command file /usr/local/var/run/radiusd/radiusd.sock Waking up in 0.1 seconds. radmin> add home_server file /usr/local/etc/raddb/home_servers/openroaming.goog including configuration file /usr/local/etc/raddb/home_servers/openroaming.goog including configuration file /usr/local/etc/raddb/home_servers/tls.conf home_server openroaming.goog { nonblock = no ipaddr = radsec.openroaming.goog IPv4 address [146.148.44.172] port = 2083 type = "auth" proto = "tcp" secret = <<< secret >>> response_window = 30.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "none" ping_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 300 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } recv_coa { } } tls { verify_depth = 0 pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/my.key" certificate_file = "/usr/local/etc/raddb/certs/my.crt" ca_file = "/usr/local/etc/raddb/certs/my.ca" private_key_password = <<< secret >>> fragment_size = 1024 include_length = yes check_crl = no ca_path_reload_interval = 0 ecdh_curve = "prime256v1" tls_min_version = "1.2" } (0) Program returned code (0) and output '' (0) &Temp-Home-Server-String := (0) } # update control = noop (0) if ("%{control:Temp-Home-Server-String}" == "" ) { (0) if ("%{control:Temp-Home-Server-String}" == "" ) -> TRUE (0) if ("%{control:Temp-Home-Server-String}" == "" ) { (0) update control { (0) EXPAND %{1} (0) --> openroaming.goog (0) &Home-Server-Name := openroaming.goog (0) } # update control = noop (0) } # if ("%{control:Temp-Home-Server-String}" == "" ) = noop (0) ... skipping else: Preceding "if" was taken (0) } # case = noop (0) } # switch %{home_server_dynamic:%{1}} = noop (0) } # if (User-Name =~ /@(.*)$/) = noop (0) [chap] = noop (0) suffix: Request already has destination realm set. Ignoring (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 130 length 31 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Proxying due to Home-Server-Name (0) There was no response configured: rejecting request (0) Using Post-Auth-Type Reject (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> anonymous@openroaming.goog (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) eap: Request was previously rejected, inserting EAP-Failure (0) eap: Sending EAP Failure (code 4) ID 130 length 4 (0) [eap] = updated (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Login incorrect: [anonymous@openroaming.goog/<via Auth-Type = eap>] (from client all port 1 cli xx via TLS tunnel) (0) Finished internally proxied request. (0) Login incorrect (Home Server says so): [anonymous@openroaming.goog/<no User-Password attribute>] (from client all port 1 cli xx) (0) Using Post-Auth-Type Reject (0) Post-Auth-Type sub-section not found. Ignoring. (0) Login incorrect: [anonymous@openroaming.goog/<no User-Password attribute>] (from client all port 1 cli xx) (0) Sent Access-Reject Id 15 from 0.0.0.0:2083 to 209.206.59.19:49510 length 44 (0) EAP-Message = 0x04820004 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) Finished request with: (0) Proxying due to Home-Server-Name (0) There was no response configured: rejecting request still the problem
On Aug 10, 2023, at 12:38 PM, James Wood via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Thanks. I've included the tls.conf now and as you say it now sets the secret and type dynamically.
You don't need to include the tls.conf manually. The script does it for you. The only way this goes wrong is if you modified the script. Please don't do that unless you understand what it does. Making random changes to production-critical scripts is a bad idea.
So I'm now left with the same end issue (it's not using the just added home server to proxy the request out to): ... (0) Proxying due to Home-Server-Name (0) There was no response configured: rejecting request
It looks like you're proxying the *inner* authentication for EAP. Try this *without* EAP first. i.e. just User-Name and User-Password. Alan DeKok.
participants (2)
-
Alan DeKok -
James Wood