Current status of freeradius v4
Jan-Frederik Rieckers
rieckers+freeradius-devel at uni-bremen.de
Wed Jul 24 17:13:00 CEST 2019
Hello,
Thanks for the quick reply!
On 24.07.19 13:11, Alan DeKok wrote:
>> (e.g. mschapv2 failed when only NT-Password and no LM-Password was
>> supplied, Issue #2799).
>
> That's been fixed.
Seen that. Thanks for fixing it so fast.
>> Two issues I'm currently dealing with:
>> * Proxying RADIUS-Requests (freeradius 4 sends out Access-Rejects when
>> it receives an Access-Challenge from the home server)
>
> That seems bad. The rlm_radius module was tested with proxying, but not with Access-Challenge packets.
>
> In the short term, you can over-ride this with policies. When running the RADIUS module, do:
>
> radius
> if (updated) {
>     update reply {
>         Packet-Type := Access-Challenge
>     }
> }
>
> I'll try to push a cleaner fix today.
I assume the fix was pushed in the commit "handle Access-Challenge
responses"?
If so, it still has problems proxying Access-Challenge packets. See
debug output and configuration below.
Regarding the linelog module: If I use %{reply:Packet-Type} as message
selector, this variable seems to be empty. (I haven't tested that with
the current master, only the one from yesterday)
Greetings,
Jan-Frederik Rieckers
(PS: Whenever I should stop using freeradius-devel for this and use
freeradius-users or GitHub Issues, please tell me.)
This is my configuration:
sites-enabled/default
> recv Access-Request {
>     filter_username
>     if (&User-Name =~ /@uni-bremen\.de$/ \
>         || &User-Name =~ /@guest.uni-bremen.de$/) {
>         eap {
>             ok = return
>         }
>     }
>     else {
>         update control {
>             &Auth-Type := proxy-to-radsec
>         }
>     }
> }
> recv Status-Server {
>     ok
> }
> authenticate eap {
>     eap
> }
> authenticate proxy-to-radsec {
>     redundant {
>         radsec1
>         radsec2
>     }
>     if (updated) {
>         update reply {
>             &Packet-Type := Access-Challenge
>         }
>     }
> }
> send Access-Challenge {
>     attr_filter.access_challenge.post-auth
>     handled
> }
> send Access-Accept {
>     update {
>         &reply: += &session-state:
>     }
>     outer_linelog
>     eap
>     -sql
>     remove_reply_message_if_eap
> }
> send Access-Reject {
>     -sql
>     outer_linelog
>     attr_filter.access_reject
>     eap
>     remove_reply_message_if_eap
>     delay_reject
> }
and mods-enabled/radsecproxy
> radius radsec1 {
>     transport = udp
>     type = Access-Request
>     udp {
>         ipaddr = X.X.X.X
>         port = 2084
>         secret = *secret*
>     }
> }
> radius radsec2 {
>     transport = udp
>     type = Access-Request
>     udp {
>         ipaddr = Y.Y.Y.Y
>         port = 2084
>         secret = *secret*
>     }
> }
mods-enabled/linelog:
> linelog outer_linelog {
>     destination = 'syslog'
>     syslog {
>         facility = local3
>     }
>     reference = "messages.%{%{Response-Packet-Type}:-default}"
>     messages {
>         default = "Unknown packet type %{Packet-Type}"
>         Access-Accept = "Login OK: [%{User-Name}] (cli %{request:Calling-Station-Id})"
>         Access-Reject = "Login incorrect: [%{User-Name}] (%{%{reply:Reply-Message}:-%{request:Module-Failure-Message}}) (cli %{request:Calling-Station-Id})"
>     }
> }
The output of radiusd -X:
> Debug : proto_radius_udp - Received Access-Request ID 30 length 213 proto_radius_udp server * port 1812
> Debug : (0) Received Access-Request ID 30 from 10.11.0.216:56845 to 10.11.0.232:1812 length 213 via socket proto_radius_udp server *
> port 1812
> Debug : (0) User-Name = "eduroam-selfcompile at extern.janfred.de"
> Debug : (0) NAS-IP-Address = 127.0.0.1
> Debug : (0) Calling-Station-Id = "02-00-00-00-00-01"
> Debug : (0) Framed-MTU = 1400
> Debug : (0) NAS-Port-Type = Wireless-802.11
> Debug : (0) Service-Type = Framed-User
> Debug : (0) Connect-Info = "CONNECT 11Mbps 802.11b"
> Debug : (0) EAP-Message = 0x0200002a01656475726f616d2d73656c66636f6d70696c654065787465726e2e6a616e667265642e6465
> Debug : (0) Message-Authenticator = 0xecf8fd6c7d455e2f366350e1f17d8609
> Debug : (0) Event-Timestamp = Jul 24 2019 15:05:32 UTC
> Debug : (0) Operator-Name = "1uni-bremen.de"
> Debug : (0) Proxy-State = 0x30
> Debug : Resetting worker 30 cleanup timer to +0s
> Debug : (0) running request
> Debug : (0) Running 'recv Access-Request' from file /usr/local/etc/raddb/sites-enabled/default-nocomment
> Debug : (0) recv Access-Request {
> Debug : (0) filter_username {
> Debug : (0) if (&State) {
> Debug : (0) ...
> Debug : (0) }
> Debug : (0) elseif (&User-Name) {
> Debug : (0) if (&User-Name =~ / /) {
> Debug : (0) ...
> Debug : (0) }
> Debug : (0) if (&User-Name =~ /@[^@]*@/ ) {
> Debug : (0) ...
> Debug : (0) }
> Debug : (0) if (&User-Name =~ /\.\./ ) {
> Debug : (0) ...
> Debug : (0) }
> Debug : (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) {
> Debug : (0) ...
> Debug : (0) }
> Debug : (0) if (&User-Name =~ /\.$/) {
> Debug : (0) ...
> Debug : (0) }
> Debug : (0) if (&User-Name =~ /@\./) {
> Debug : (0) ...
> Debug : (0) }
> Debug : (0) update session-state {
> Debug : (0) &Session-State-User-Name := &User-Name -> "eduroam-selfcompile at extern.janfred.de"
> Debug : (0) } # update session-state (noop)
> Debug : (0) } # elseif (&User-Name) (noop)
> Debug : (0) } # filter_username (noop)
> Debug : (0) if (&User-Name =~ /@uni-bremen\.de$/ || &User-Name =~ /@guest.uni-bremen.de$/) {
> Debug : (0) ...
> Debug : (0) }
> Debug : (0) else {
> Debug : (0) update control {
> Debug : (0) &Auth-Type := proxy-to-radsec
> Debug : (0) } # update control (noop)
> Debug : (0) } # else (noop)
> Debug : (0) } # recv Access-Request (noop)
> Debug : (0) Running 'authenticate proxy-to-radsec' from file /usr/local/etc/raddb/sites-enabled/default-nocomment
> Debug : (0) authenticate proxy-to-radsec {
> Debug : (0) group {
> Debug : (0) Sending Access-Request ID 0 length 195 over connection proto udp local 0.0.0.0 port 56773 remote 10.11.0.216 port 2084
> Debug : (0) &User-Name = "eduroam-selfcompile at extern.janfred.de"
> Debug : (0) &NAS-IP-Address = 127.0.0.1
> Debug : (0) &Calling-Station-Id = "02-00-00-00-00-01"
> Debug : (0) &Framed-MTU = 1400
> Debug : (0) &NAS-Port-Type = Wireless-802.11
> Debug : (0) &Service-Type = Framed-User
> Debug : (0) &Connect-Info = "CONNECT 11Mbps 802.11b"
> Debug : (0) &EAP-Message = 0x0200002a01656475726f616d2d73656c66636f6d70696c654065787465726e2e6a616e667265642e6465
> Debug : (0) &Event-Timestamp = Jul 24 2019 15:05:32 UTC
> Debug : (0) &Operator-Name = "1uni-bremen.de"
> Debug : (0) &Proxy-State = 0x30
> Debug : (0) &Proxy-State = 0x45ad4539
> Debug : (0) &Message-Authenticator = 0x45d55902781dc4ea5b7d27ba63e6a80d
> Debug : (0) radsec1 - Proxying request. Expecting response within 2.000000s
> Debug : (0) radsec1 (yield)
> Debug : Waking up in 1.996337512 seconds.
> Debug : (0) Received Access-Challenge ID 11 length 73 reply packet on connection proto udp local 0.0.0.0 port 56773 remote 10.11.0.216 port 2084
> Debug : (0) &EAP-Message = 0x010100061520
> Debug : (0) &Message-Authenticator = 0xaa2410363e4546fcad585a1bb568af94
> Debug : (0) &State = 0x57487590574960fe50542e3cd559b240
> Debug : (0) &Proxy-State = 0x30
> Debug : (0) &Proxy-State = 0x45ad4539
> Debug : radsec1 - Setting idle timeout to +300.000 for connection proto udp local 0.0.0.0 port 56773 remote 10.11.0.216 port 2084
> Debug : (0) running request
> Debug : (0) radsec1 - Resuming execution
> Debug : (0) radsec1 (updated)
> Debug : (0) } # group (updated)
> Debug : (0) if (updated) {
> Debug : (0) update reply {
> Debug : (0) &Packet-Type := Access-Challenge
> Debug : (0) } # update reply (noop)
> Debug : (0) } # if (updated) (noop)
> Debug : (0) } # authenticate proxy-to-radsec (noop)
> Debug : (0) Failed to authenticate the user
> Debug : (0) Running 'send Access-Reject' from file /usr/local/etc/raddb/sites-enabled/default-nocomment
> Debug : (0) send Access-Reject {
> Debug : (0) outer_linelog - EXPAND messages.%{%{Response-Packet-Type}:-default}
> WARN : (0) outer_linelog - WARNING: %{Response-Packet-Type} is ONLY for responses!
> WARN : (0) outer_linelog - WARNING: Please replace %{Response-Packet-Type} with %{reply:Packet-Type}
> Debug : (0) outer_linelog - --> messages.Access-Reject
> Debug : (0) outer_linelog - EXPAND Login incorrect: [%{User-Name}] (%{%{reply:Reply-Message}:-%{request:Module-Failure-Message}}) (cli %{request:Calling-Station-Id})
> Debug : (0) outer_linelog - --> Login incorrect: [eduroam-selfcompile at extern.janfred.de] () (cli 02-00-00-00-00-01)
> Debug : (0) outer_linelog (ok)
> Debug : (0) attr_filter.access_reject - EXPAND %{User-Name}
> Debug : (0) attr_filter.access_reject - --> eduroam-selfcompile at extern.janfred.de
> Debug : (0) attr_filter.access_reject - Matched entry DEFAULT at line 11
> Debug : (0) attr_filter.access_reject (updated)
> Debug : (0) eap (noop)
> Debug : (0) remove_reply_message_if_eap {
> Debug : (0) if (&reply:EAP-Message && &reply:Reply-Message) {
> Debug : (0) ...
> Debug : (0) }
> Debug : (0) else {
> Debug : (0) noop (noop)
> Debug : (0) } # else (noop)
> Debug : (0) } # remove_reply_message_if_eap (noop)
> Debug : (0) delay_reject - EXPAND %{%{reply:FreeRADIUS-Response-Delay}:-1}
> Debug : (0) delay_reject - --> 1
> Debug : (0) delay_reject - Delaying request by ~0.955292996s
> Debug : (0) delay_reject (yield)
> Debug : Waking up in 0.954933986 seconds.
> Debug : (0) Delay done
> Debug : (0) running request
> Debug : (0) delay_reject - Resuming execution
> Debug : (0) delay_reject (ok)
> Debug : (0) } # send Access-Reject (updated)
> Debug : (0) done request
> Debug : (0) Sending Access-Reject ID 30 from 10.11.0.232:1812 to 10.11.0.216:56845 length 73 via socket proto_radius_udp server * port 1812
> Debug : (0) EAP-Message = 0x010100061520
> Debug : (0) Message-Authenticator = 0xaa2410363e4546fcad585a1bb568af94
> Debug : (0) State = 0x57487590574960fe50542e3cd559b240
> Debug : (0) Proxy-State = 0x30
> Debug : (0) Proxy-State = 0x45ad4539
> Debug : (0) finished request.
> Debug : Waking up in 147.881892498 seconds.
> Debug : Waking up in 4.999991043 seconds.
The output of the home server (running freeradius 3.0.17):
> (41) Received Access-Request Id 47 from [::1]:49932 to [::1]:1812 length 219
> (41) User-Name = "eduroam-selfcompile at extern.janfred.de"
> (41) NAS-IP-Address = 127.0.0.1
> (41) Calling-Station-Id = "02-00-00-00-00-01"
> (41) Framed-MTU = 1400
> (41) NAS-Port-Type = Wireless-802.11
> (41) Service-Type = Framed-User
> (41) Connect-Info = "CONNECT 11Mbps 802.11b"
> (41) EAP-Message = 0x0200002a01656475726f616d2d73656c66636f6d70696c654065787465726e2e6a616e667265642e6465
> (41) Event-Timestamp = "Jul 24 2019 17:05:32 CEST"
> (41) Operator-Name = "1uni-bremen.de"
> (41) Proxy-State = 0x30
> (41) Proxy-State = 0x45ad4539
> (41) Message-Authenticator = 0xf9e969fc1d6bd5a13e9dddee89bf1e41
> (41) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
> (41) authorize {
> (41) policy filter_username {
> (41) if (&User-Name) {
> (41) if (&User-Name) -> TRUE
> (41) if (&User-Name) {
> (41) if (&User-Name =~ / /) {
> (41) if (&User-Name =~ / /) -> FALSE
> (41) if (&User-Name =~ /@[^@]*@/ ) {
> (41) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (41) if (&User-Name =~ /\.\./ ) {
> (41) if (&User-Name =~ /\.\./ ) -> FALSE
> (41) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (41) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
> (41) if (&User-Name =~ /\.$/) {
> (41) if (&User-Name =~ /\.$/) -> FALSE
> (41) if (&User-Name =~ /@\./) {
> (41) if (&User-Name =~ /@\./) -> FALSE
> (41) } # if (&User-Name) = notfound
> (41) } # policy filter_username = notfound
> (41) [preprocess] = ok
> (41) policy operator-name.authorize {
> (41) if ("%{client:Operator-Name}") {
> (41) EXPAND %{client:Operator-Name}
> (41) -->
> (41) if ("%{client:Operator-Name}") -> FALSE
> (41) } # policy operator-name.authorize = ok
> (41) suffix: Checking for suffix after "@"
> (41) suffix: Looking up realm "extern.janfred.de" for User-Name = "eduroam-selfcompile at extern.janfred.de"
> (41) suffix: Found realm "extern.janfred.de"
> (41) suffix: Adding Stripped-User-Name = "eduroam-selfcompile"
> (41) suffix: Adding Realm = "extern.janfred.de"
> (41) suffix: Authentication realm is LOCAL
> (41) [suffix] = ok
> (41) policy downcase_calling_station_id {
> (41) if (&Calling-Station-Id && (&Calling-Station-Id != "%{tolower:%{Calling-Station-Id}}")){
> (41) EXPAND %{tolower:%{Calling-Station-Id}}
> (41) --> 02-00-00-00-00-01
> (41) if (&Calling-Station-Id && (&Calling-Station-Id != "%{tolower:%{Calling-Station-Id}}")) -> FALSE
> (41) } # policy downcase_calling_station_id = ok
> (41) policy rewrite_calling_station_id {
> (41) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
> (41) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
> (41) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
> (41) update request {
> (41) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
> (41) --> 02-00-00-00-00-01
> (41) &Calling-Station-Id := 02-00-00-00-00-01
> (41) } # update request = noop
> (41) [updated] = updated
> (41) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
> (41) ... skipping else: Preceding "if" was taken
> (41) } # policy rewrite_calling_station_id = updated
> (41) if ( User-Name == "ocspmuststaple at extern.janfred.de" ) {
> (41) if ( User-Name == "ocspmuststaple at extern.janfred.de" ) -> FALSE
> (41) else {
> (41) eap: Peer sent EAP Response (code 2) ID 0 length 42
> (41) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
> (41) [eap] = ok
> (41) } # else = ok
> (41) [expiration] = noop
> (41) [logintime] = noop
> (41) } # authorize = updated
> (41) Found Auth-Type = eap
> (41) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (41) Auth-Type eap {
> (41) eap: Peer sent packet with method EAP Identity (1)
> (41) eap: Calling submodule eap_ttls to process data
> (41) eap_ttls: Initiating new EAP-TLS session
> (41) eap_ttls: [eaptls start] = request
> (41) eap: Sending EAP Request (code 1) ID 1 length 6
> (41) eap: EAP session adding &reply:State = 0x57487590574960fe
> (41) [eap] = handled
> (41) } # Auth-Type eap = handled
> (41) Using Post-Auth-Type Challenge
> (41) Post-Auth-Type sub-section not found. Ignoring.
> (41) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (41) Sent Access-Challenge Id 47 from [::1]:1812 to [::1]:49932 length 0
> (41) EAP-Message = 0x010100061520
> (41) Message-Authenticator = 0x00000000000000000000000000000000
> (41) State = 0x57487590574960fe50542e3cd559b240
> (41) Proxy-State = 0x30
> (41) Proxy-State = 0x45ad4539
> (41) Finished request
> Waking up in 4.9 seconds.
> (41) Cleaning up request packet ID 47 with timestamp +1283
> Ready to process requests
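As an added regression check (not part of the original mail or of the FreeRADIUS project), the Python script below scans radiusd -X output for proxied requests where the packet type the home server returned differs from the type the proxy finally sent to the NAS, which is exactly the Access-Challenge turned into Access-Reject shown in the trace above. The sample log lines are constructed, modelled on that trace, and the line patterns assume the v4 debug format seen there.

```python
import re

# Constructed sample of radiusd -X output, modelled on the proxy trace in the mail
# (not the original log verbatim). Request 0 gets an Access-Challenge from the
# home server but the proxy answers the NAS with an Access-Reject; request 1 is
# proxied correctly and serves as a negative control.
SAMPLE_LOG = """\
Debug : (0) Received Access-Request ID 30 from 10.11.0.216:56845 to 10.11.0.232:1812 length 213 via socket proto_radius_udp server * port 1812
Debug : (0) Sending Access-Request ID 0 length 195 over connection proto udp local 0.0.0.0 port 56773 remote 10.11.0.216 port 2084
Debug : (0) Received Access-Challenge ID 11 length 73 reply packet on connection proto udp local 0.0.0.0 port 56773 remote 10.11.0.216 port 2084
Debug : (0) Failed to authenticate the user
Debug : (0) Sending Access-Reject ID 30 from 10.11.0.232:1812 to 10.11.0.216:56845 length 73 via socket proto_radius_udp server * port 1812
Debug : (1) Received Access-Request ID 31 from 10.11.0.216:56845 to 10.11.0.232:1812 length 213 via socket proto_radius_udp server * port 1812
Debug : (1) Sending Access-Request ID 1 length 195 over connection proto udp local 0.0.0.0 port 56773 remote 10.11.0.216 port 2084
Debug : (1) Received Access-Accept ID 12 length 40 reply packet on connection proto udp local 0.0.0.0 port 56773 remote 10.11.0.216 port 2084
Debug : (1) Sending Access-Accept ID 31 from 10.11.0.232:1812 to 10.11.0.216:56845 length 40 via socket proto_radius_udp server * port 1812
"""

# Reply received from the home server over the outbound rlm_radius connection.
HOME_REPLY = re.compile(
    r"^Debug : \((\d+)\) Received (Access-\w+) ID \d+ length \d+ reply packet on connection")
# Final reply the proxy sends back to the NAS on its listening socket.
NAS_REPLY = re.compile(
    r"^Debug : \((\d+)\) Sending (Access-\w+) ID \d+ from \S+ to \S+ length \d+ via socket")


def find_proxy_mismatches(log_text):
    """Return (request_number, home_reply_type, sent_reply_type) for each request
    whose final reply type differs from what the home server returned."""
    home = {}           # request number -> packet type returned by the home server
    mismatches = []
    for line in log_text.splitlines():
        m = HOME_REPLY.match(line)
        if m:
            home[m.group(1)] = m.group(2)
            continue
        m = NAS_REPLY.match(line)
        if m and m.group(1) in home and home[m.group(1)] != m.group(2):
            mismatches.append((m.group(1), home[m.group(1)], m.group(2)))
    return mismatches


if __name__ == "__main__":
    for req, got, sent in find_proxy_mismatches(SAMPLE_LOG):
        print(f"request {req}: home server replied {got}, proxy sent {sent}")
```

Run it against a real radiusd -X capture by reading the file into `find_proxy_mismatches`; an empty result means every proxied response type was passed through unchanged.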