Freeradius Upgrade from 3.0.1 to 3.2.2
Hi I am in the process of upgrading our radius servers but have one issue outstanding. Basically we receive in the radius request from mobile a MSISDN. We then go do a lookup to find the username on LDAP matching the MSISDN. In the old version everything works fine but after upgrading the radius responds with access rejection even though MSISDN finds a username on LDAP. Below are extracts from the mobile virtual server file and ldap file. mobile virtual server: # The ldap module reads passwords from the LDAP database. -ldap-mobile if (!ok) { reject ldap: user { # Where to start searching in the tree for users base_dn = "${..base_dn}" # Filter for user objects, should be specific enough # to identify a single user object. #filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" #filter = "(mobileradiusCallingStationId=%{Calling-Station-Id})" filter = "(&(mobileradiusCallingStationId=%{Calling-Station-Id})(status=10100))" Below is debug from version 3.0.1 rlm_ldap (ldap-mobile): Reserved connection (11) (9) ldap-mobile : expand: "(&(mobileradiusCallingStationId=%{Calling-Station-Id})(status=10100))" -> '(&(mobileradiusCallingStationId=27671946862)(status=10100))' (9) ldap-mobile : expand: "cn=radius,ou=isp" -> 'cn=radius,ou=isp' (9) ldap-mobile : Performing search in 'cn=radius,ou=isp' with filter '(&(mobileradiusCallingStationId=27671946862)(status=10100))' (9) ldap-mobile : Waiting for search result... (9) ldap-mobile : User object found at DN "uid=onyebilanma@telkomsa.net ,cn=radius,ou=isp" (9) ldap-mobile : Processing user attributes (9) ldap-mobile : reply:User-Name := 'onyebilanma@telkomsa.net ' (9) ldap-mobile : control:User-Name := ' onyebilanma@telkomsa.net' rlm_ldap (ldap-mobile): Released connection (11) rlm_ldap (ldap-mobile): Opening additional connection (12) rlm_ldap (ldap-mobile): Connecting to 10.146.46.133:389 TLSMC: MozNSS compatibility interception begins. tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present. tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only. TLSMC: MozNSS compatibility interception ends. rlm_ldap (ldap-mobile): Waiting for bind result... rlm_ldap (ldap-mobile): Bind successful (9) [-ldap-mobile] = ok (9) ? if (!ok) (9) ? if (!ok) -> FALSE (9) } # authorize = ok (9) Found Auth-Type = Accept (9) Auth-Type = Accept, accepting the user (9) Login OK: [27671946862] (from client 105.187.248.220 port 0 cli 27671946862) (9) # Executing section post-auth from file /etc/raddb/sites-enabled/mobile (9) post-auth { (9) [exec] = noop (9) remove_reply_message_if_eap remove_reply_message_if_eap { (9) ? if (reply:EAP-Message && reply:Reply-Message) (9) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE (9) else else { (9) [noop] = noop (9) } # else else = noop (9) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (9) update reply { (9) Acct-Interim-Interval = 14400 (9) } # update reply = noop (9) } # post-auth = noop Sending Access-Accept of id 134 from 10.146.44.71 port 1812 to 105.187.248.220 port 4017 User-Name = 'onyebilanma@telkomsa.net' Acct-Interim-Interval = 14400 Below is debug from version 3.2.2 rlm_ldap (ldap-mobile): Reserved connection (2) (5) ldap-mobile: EXPAND (&(mobileradiusCallingStationId=%{Calling-Station-Id})(status=10100)) (5) ldap-mobile: --> (&(mobileradiusCallingStationId=27659066168)(status=10100)) (5) ldap-mobile: Performing search in "cn=radius,ou=isp" with filter "(&(mobileradiusCallingStationId=27659066168)(status=10100))", scope "sub" (5) ldap-mobile: Waiting for search result... (5) ldap-mobile: User object found at DN "uid=ahmed.elhefnawy@telkomsa.net ,cn=radius,ou=isp" (5) ldap-mobile: Processing user attributes (5) ldap-mobile: reply:User-Name := 'ahmed.elhefnawy@telkomsa.net' (5) ldap-mobile: control:User-Name := 'ahmed.elhefnawy@telkomsa.net' rlm_ldap (ldap-mobile): Released connection (2) Need 4 more connections to reach min connections (8) Need more connections to reach 16 spares rlm_ldap (ldap-mobile): Opening additional connection (9), 1 of 28 pending slots used rlm_ldap (ldap-mobile): Connecting to ldap://10.146.46.133:389 rlm_ldap (ldap-mobile): Waiting for bind result... rlm_ldap (ldap-mobile): Bind successful (5) [ldap-mobile] = updated (5) if (!ok) { (5) if (!ok) -> TRUE (5) if (!ok) { (5) [reject] = reject (5) } # if (!ok) = reject (5) } # authorize = reject (5) Invalid user: [27659066168] (from client 105.187.248.220 port 0 cli 27659066168) (5) Using Post-Auth-Type Reject (5) # Executing group from file /etc/raddb/sites-enabled/mobile (5) Post-Auth-Type REJECT { (5) policy remove_reply_message_if_eap { (5) if (&reply:EAP-Message && &reply:Reply-Message) { (5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (5) else { (5) [noop] = noop (5) } # else = noop (5) } # policy remove_reply_message_if_eap = noop (5) } # Post-Auth-Type REJECT = noop (5) Login incorrect: [27659066168] (from client 105.187.248.220 port 0 cli 27659066168) (5) Delaying response for 2.000000 seconds Any advice would be appreciated? Regards Steven
On Feb 21, 2023, at 4:47 PM, Steven Walters <steven.walters1@gmail.com> wrote:
Below is debug from version 3.0.1
To be honest... 3.0.1 is about ten years old. We're not going to worry a lot about compatibility with every little piece of it. Plus, there have been many bug fixes since then, including security fixes. If you don't like people attacking your RADIUS server, it should have been updated regularly.
... Below is debug from version 3.2.2 ... (5) [ldap-mobile] = updated (5) if (!ok) {
Change that to: if (!ok || !updated) { ... and it will work.
Any advice would be appreciated?
Upgrade regularly. Plus, it helps to explain *why* you have this configuration. You generally don't have to explicitly reject users who don't have passwords. The server will do this automatically. So you don't need a "if not found in LDAP, reject" configuration. Just check LDAP. If the user isn't found, they won't have a password read from LDAP. And the server won't be able to authenticate them. Alan DeKok.
participants (2)
-
Alan DeKok -
Steven Walters