3.0.2 / possible bug when proxying with no response from home server

Chaigneau, Nicolas nicolas.chaigneau at capgemini.com
Mon Mar 31 14:48:53 CEST 2014


Hello,


I'm testing the case of an Access-Request proxied to a home server which does not respond.


I expect to see my request go through:

- authorize
- pre-proxy
(no response from proxy)
- Post-Proxy-Type Fail

And client gets no response (or possibly an Access-Reject).



This is what happened in 3.0.1, but it seems it has changed in 3.0.2. Now I have:

- authorize
- pre-proxy
(no response from proxy)

And then the weird part:
- authorize (again)
- post-auth
Then an Access-Accept is sent back to the client, which it can't use because there's nothing useful inside.


Is this a bug, or a configuration issue?


Here is my site configuration (stripped down to a minimal setup to reproduce the issue):


SRS_3gpp_fictive_realm = 3gpp.orange.fr

server server-owa-eap {

        listen {
                ipaddr = *
                type = auth
                port = 1812
        }

        listen {
                ipaddr = *
                port = 1813
                type = acct
        }

        authorize {

                # Handle EAP/SIM Authentication request
                if (EAP-Message) {
                        update control {
                                Proxy-To-Realm := ${SRS_3gpp_fictive_realm}
                        }
                }
        } # end of authorize section

        post-auth {
                # an Access-Reject goes through post-auth REJECT subsection.
                # In the current section we are handling Accept and Challenge responses

                Post-Auth-Type REJECT {
                        attr_filter.access_reject
                }
        } # end of post-auth section

        pre-proxy {
        }

        post-proxy {
                Post-Proxy-Type Fail {
                        update control {
                                Auth-Type := Reject
                        }
                }
        } # end of post-proxy section

} # end of server-owa-eap virtual server configuration.



And here is the debug output:



rad_recv: Access-Request packet from host 10.67.106.9 port 49191, id=219, length=65
        User-Name = 'test-cui at SIM.orange.fr'
        EAP-Message = 0x78
        Message-Authenticator = 0x487abb36d8a3ae1555680419160778c7
(0) # Executing section authorize from file /opt/application/mwpsrs/current/etc/raddb/sites-enabled/server-owa-eap
(0)   authorize {
(0)    if (EAP-Message)
(0)    if (EAP-Message)  -> TRUE
(0)   if (EAP-Message)  {
(0)    update control {
(0)     Proxy-To-Realm := '3gpp.orange.fr'
(0)    } # update control = noop
(0)   } # if (EAP-Message)  = noop
(0)  } #  authorize = noop
(0) Proxying request to home server 10.67.141.66 port 61822
Sending Access-Request of id 221 from 0.0.0.0 port 63870 to 10.67.141.66 port 61822
        User-Name = 'test-cui at SIM.orange.fr'
        EAP-Message = 0x78
        Message-Authenticator = 0x487abb36d8a3ae1555680419160778c7
        Proxy-State = 0x323139
Waking up in 0.3 seconds.
Waking up in 0.4 seconds.
(0) Expecting proxy response no later than 10 seconds from now
Waking up in 9.1 seconds.
(0) No proxy response, giving up on request and marking it done
Marking home server 10.67.141.66 port 61822 as zombie (it has not responded in 10 seconds).
(0) ERROR: Failing request - proxy ID 221, due to lack of any response from home server 10.67.141.66 port 61822
(0) # Executing section authorize from file /opt/application/mwpsrs/current/etc/raddb/sites-enabled/server-owa-eap
(0)   authorize {
(0)    if (EAP-Message)
(0)    if (EAP-Message)  -> TRUE
(0)   if (EAP-Message)  {
(0)    update control {
(0)     Proxy-To-Realm := '3gpp.orange.fr'
(0)    } # update control = noop
(0)   } # if (EAP-Message)  = noop
(0)  } #  authorize = noop
(0) Auth-Type = Accept, accepting the user
(0) # Executing section post-auth from file /opt/application/mwpsrs/current/etc/raddb/sites-enabled/server-owa-eap
Sending Access-Accept of id 219 from 10.67.106.9 port 1812 to 10.67.106.9 port 49191
(0) Finished request 0.
Waking up in 0.3 seconds.
Waking up in 3.6 seconds.
No response to status check 1 for home server 10.67.141.66 port 61822
Waking up in 0.9 seconds.
(0) Cleaning up request packet ID 219 with timestamp +5
Waking up in 15.8 seconds.
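
Added example, not part of the original post and not FreeRADIUS code: a small checker that scans debug output for the sequence shown above, a request whose proxy attempt failed and which is then accepted locally. It matches only line formats visible in the post; the function name find_fail_open and sample requests 1 and 2 are constructed for illustration.

```python
import re

# Line formats matched here are the ones visible in the debug output in the post.
REQ = re.compile(r"^\((\d+)\)\s+(.*)$")
PROXY_FAIL = re.compile(
    r"ERROR: Failing request - proxy ID (\d+), due to lack of any response "
    r"from home server (\S+) port (\d+)")
ACCEPT = "Auth-Type = Accept, accepting the user"

def find_fail_open(lines):
    """Return one finding per request accepted after its proxy attempt failed."""
    failed = {}      # request number -> (proxy id, home server, port)
    findings = []
    for lineno, raw in enumerate(lines, 1):
        m = REQ.match(raw.strip())
        if not m:
            continue  # lines without a "(N)" prefix carry no request number
        req, msg = int(m.group(1)), m.group(2)
        fail = PROXY_FAIL.search(msg)
        if fail:
            failed[req] = (int(fail.group(1)), fail.group(2), int(fail.group(3)))
        elif msg.startswith(ACCEPT) and req in failed:
            proxy_id, host, port = failed.pop(req)
            findings.append({"request": req, "line": lineno,
                             "proxy_id": proxy_id, "home_server": f"{host}:{port}"})
        elif msg.startswith(("Finished request", "Cleaning up request")):
            failed.pop(req, None)  # request is over; drop its state
    return findings

# Constructed sample: request 0 follows the post's output; requests 1 and 2
# are made-up controls (failure with no accept, accept with no failure).
SAMPLE = """\
(0) Proxying request to home server 10.67.141.66 port 61822
(0) No proxy response, giving up on request and marking it done
(0) ERROR: Failing request - proxy ID 221, due to lack of any response from home server 10.67.141.66 port 61822
(0)   authorize {
(0)  } #  authorize = noop
(0) Auth-Type = Accept, accepting the user
Sending Access-Accept of id 219 from 10.67.106.9 port 1812 to 10.67.106.9 port 49191
(0) Finished request 0.
(1) Proxying request to home server 10.67.141.66 port 61822
(1) ERROR: Failing request - proxy ID 222, due to lack of any response from home server 10.67.141.66 port 61822
(1) Finished request 1.
(2) Auth-Type = Accept, accepting the user
(2) Finished request 2.
""".splitlines()

if __name__ == "__main__":
    for finding in find_fail_open(SAMPLE):
        print("accept after proxy failure:", finding)
```
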




