Proxies "status-server" pings are broken when virtual server "status" is enabled
Olivier Beytrison
olivier at heliosnet.org
Mon Jan 28 11:07:31 CET 2013
On 28.01.2013 10:07, A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>
>> This comes from the fact that in the status virtual-server, the
>> "Autz-Type status-server" stanza is defined. But in the current virtual
>> server receiving the "ping" (eduroam) it's not defined, so it triggers a
>> reject message.
>
> well, enable it then.
>
>> Well in the end it doesn't change much as the remote server will still
>> mark the server alive after receiving 3 access-reject in response to his
>> status-server.
>
> correct
>
>
>> But is this behaviour wanted ?
>
> depends. on you. there is no point in having an access-accept (using username/password)
> as that's a credential that could be leaked or stolen etc.... it's actually just as good (and standard)
> to have a reject response....the remote server/local server still know that each other are alive!
>
> ideally, both servers handle status-server packets and a basic 'status ping' will work just as well.
Nice, thanks for those precisions AlanB :)
On a side note, I have something fun going on in post-auth here. I want
to bypass the post-auth section for Packet-Type == Status-Server. So I
wrote:

post-auth {
    if (Packet-Type != Status-Server) {
        reply_log
        if ("%{realm}" !~ /.*hes-so.ch/) {
            sql
        }
    }
    Post-Auth-Type REJECT {
        sql
    }
}
But the logic is inverted when you look at the logs.
Now on the log ...
rad_recv: Status-Server packet from host 127.0.0.1 port 60277, id=12, length=38
        Message-Authenticator = 0xc09707a123242d5bee7be80eb07b3128
(81) # Executing group from file /etc/freeradius/sites-enabled/eduroam
(81) group Status-Server {
(81) - entering group Status-Server {...}
(81) [ok] = ok
(81) # Executing section post-auth from file /etc/freeradius/sites-enabled/eduroam
(81) group post-auth {
(81) - entering group post-auth {...}
(81) ? if (Packet-Type != Status-Server)
(81) ? Evaluating (Packet-Type != Status-Server) -> TRUE
(81) ? if (Packet-Type != Status-Server) -> TRUE
(81) if (Packet-Type != Status-Server) {
(81) - entering if (Packet-Type != Status-Server) {...}
And what's even more funny .... On an Access-Accept packet it says that
Packet-Type != Status-Server -> FALSE :D
rad_recv: Access-Accept packet from host 130.59.138.29 port 1812, id=129, length=189
        MS-MPPE-Recv-Key = 0x180d7429b72d1ef1757290ed8a0f47e8f22583e1bcb704c208c89a405779ba0d
        MS-MPPE-Send-Key = 0x0602884e6fba66616fc31d0047a1947bc996d10034886589d1a7b4a2ef37879e
        EAP-Message = 0x03080004
        Message-Authenticator = 0xbb3d302a9d2b4a124f70e8f49e1588dd
        User-Name = "anonymous at test.hes-so.ch"
        Proxy-State = 0x38
(110) # Executing section post-proxy from file /etc/freeradius/sites-enabled/eduroam
(110) group post-proxy {
(110) - entering group post-proxy {...}
[snip of post_proxy_log junk]
(110) [post_proxy_log] = ok
(110) attr_filter.post-proxy : expand: '%{Realm}' -> 'DEFAULT'
(110) attr_filter.post-proxy : Matched entry DEFAULT at line 103
(110) [attr_filter.post-proxy] = updated
(110) Found Auth-Type = Accept
(110) Auth-Type = Accept, accepting the user
(110) # Executing section post-auth from file /etc/freeradius/sites-enabled/eduroam
(110) group post-auth {
(110) - entering group post-auth {...}
(110) ? if (Packet-Type != Status-Server)
(110) ? Evaluating (Packet-Type != Status-Server) -> FALSE
(110) ? if (Packet-Type != Status-Server) -> FALSE
Sending Access-Accept of id 8 from 127.0.0.1 port 1812 to 127.0.0.1 port 56702
        MS-MPPE-Recv-Key = 0x180d7429b72d1ef1757290ed8a0f47e8f22583e1bcb704c208c89a405779ba0d
        EAP-Message = 0x03080004
        Message-Authenticator = 0xbb3d302a9d2b4a124f70e8f49e1588dd
--
Olivier Beytrison
Network & Security Engineer, HES-SO Fribourg
Mobile: +41 (0)78 619 73 53
Mail: olivier at heliosnet.org
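As an added example (not part of this thread and not FreeRADIUS code), the Status-Server exchange the thread discusses, carried out in memory with both sides: the client builds a Status-Server request (code 12) whose only attribute is Message-Authenticator, the server checks that HMAC-MD5 before answering, and the client verifies the Response Authenticator on the reply. The point Alan makes above is visible in the code: an Access-Reject with a valid Response Authenticator is just as good a liveness proof as an Access-Accept, because either one requires the shared secret. The secret `testing123`, the `status_ping` helper and all function names are constructed for this example; the 38-byte request with id 12 happens to match the rad_recv line in the log above because a header plus one Message-Authenticator attribute is exactly 20 + 18 bytes.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes involved in a Status-Server ping (RFC 2865 / RFC 5997)
STATUS_SERVER = 12
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3

MESSAGE_AUTHENTICATOR = 80  # attribute type; value is a 16-byte HMAC-MD5


def _pack(code, ident, authenticator, attrs):
    """Serialise header + attributes; the length field covers the whole packet."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_status_server(secret, ident, authenticator=None):
    """Client side: Status-Server request carrying only Message-Authenticator.
    The HMAC is computed over the packet with the attribute value zeroed."""
    if authenticator is None:
        authenticator = os.urandom(16)  # Request Authenticator is random for Status-Server
    attr_header = struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18)
    placeholder = attr_header + b"\x00" * 16
    mac = hmac.new(secret, _pack(STATUS_SERVER, ident, authenticator, placeholder), hashlib.md5).digest()
    return _pack(STATUS_SERVER, ident, authenticator, attr_header + mac)


def verify_request(secret, packet):
    """Server side: recompute Message-Authenticator; a mismatch means the sender
    does not hold the shared secret (or the packet was altered in transit)."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code != STATUS_SERVER:
        return False
    authenticator, attrs = packet[4:20], packet[20:]
    zeroed, received, pos = bytearray(attrs), None, 0
    while pos + 2 <= len(attrs):  # walk the TLV attribute list
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return False  # malformed attribute length
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            received = attrs[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = b"\x00" * 16
        pos += alen
    if received is None:
        return False  # RFC 5997 requires Message-Authenticator on Status-Server
    expected = hmac.new(secret, _pack(code, ident, authenticator, bytes(zeroed)), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def build_response(secret, request, code):
    """Server side: Accept or Reject whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = b""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(secret, request, response):
    """Client side: a reply with a valid Response Authenticator proves the peer is
    alive and knows the secret, whether it answered Accept or Reject."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def status_ping(secret, ident=12, server_answers=ACCESS_REJECT):
    """Whole exchange in memory. Returns (server accepted request,
    client verified reply, reply code). A bad request always gets a Reject."""
    req = build_status_server(secret, ident)
    ok = verify_request(secret, req)
    resp = build_response(secret, req, server_answers if ok else ACCESS_REJECT)
    return ok, verify_response(secret, req, resp), resp[0]


if __name__ == "__main__":
    print(status_ping(b"testing123"))  # constructed secret for the demo
```

A monitor built on this needs nothing more than a valid Response Authenticator to mark the peer alive, which is why a Reject from a server that lacks the Autz-Type status-server stanza is still a usable answer; the server side, for its part, should drop any Status-Server packet whose Message-Authenticator does not verify rather than answer it.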