3.2.0: dynamic_home_servers ?

Stefan Winter stefan.winter at restena.lu
Tue May 31 08:32:44 UTC 2022


Hello,


>    You don't have:
>
> 	type = auth
>
>    in the configuration section.  The default is "type = auth+acct", but that's not printed out in debug mode.  :(
>
>    I'll fix the error messages to be more clear.


Ah! Could have figured that out myself, I guess.


With this, I now have a patchset to fully automate dynamic lookup, using 
the naptr-eduroam.sh script from radsecproxy as a discovery base 
(adapted to also work with RFC7585 NAPTR targets and with that, 
OpenRoaming).


This is WIP here: 
https://github.com/FreeRADIUS/freeradius-server/compare/v3.2.x...restena-sw:restena-sw-patch-1


I'm almost ready to send a PR, but noticed a runtime oddity that may 
need actual code to smooth out.


The first time I run a request (with -fxx -l stdout to enable 
multithreading),

* realm discovery script is run

* radmin is called to update the config

* Home-Server-Name gets set *after radmin is finished*

... and then proxying fails with (0) WARNING: No such home server %{1}

The second and subsequent times I try to authenticate, the home server 
config *is* honoured and proxying to the dest server is attempted.


Looks like the config update is not immediately in effect for the 
request that triggered discovery. You may need to see the full debug 
output below of two such requests to see what I mean (the TLS failure at 
the very end is expected due to cert chain mismatch):


Ready to process requests
Threads: total/active/spare threads = 5/0/5
Waking up in 0.3 seconds.
Thread 5 got semaphore
Thread 5 handling request 0, (1 handled so far)
(0) Received Access-Request Id 130 from 127.0.0.1:34531 to 
127.0.0.1:1812 length 95
(0)   User-Name = "stefan at education.lu"
(0)   User-Password = "abc"
(0)   NAS-IP-Address = 127.0.1.1
(0)   NAS-Port = 123
(0)   Message-Authenticator = 0x1fd9821b1e8ba7503abf9fcec4d16548
(0)   Framed-Protocol = PPP
(0) # Executing section authorize from file 
/home/swinter/scratch/freeradius-patch-build/etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) 
   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "education.lu" for User-Name = 
"stefan at education.lu"
(0) suffix: No such realm "education.lu"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) files: users: Matched entry DEFAULT at line 167
(0)     [files] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user.  Not 
setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" 
password is available
(0)     [pap] = noop
(0)     if (User-Name =~ /@(.*)$/) {
(0)     if (User-Name =~ /@(.*)$/)  -> TRUE
(0)     if (User-Name =~ /@(.*)$/)  {
(0)       switch %{home_server_dynamic:%{1}} {
(0)       EXPAND %{home_server_dynamic:%{1}}
(0)          -->
(0)         case {
(0)           update control {
(0)             Executing: 
%{config:prefix}/bin/naptr-eduroam-freeradius.sh %{1} %{config:prefix}:
(0)             EXPAND prefix
(0)                --> prefix
(0)             EXPAND %{config:prefix}/bin/naptr-eduroam-freeradius.sh
(0)                --> 
/home/swinter/scratch/freeradius-patch-build/bin/naptr-eduroam-freeradius.sh
(0)             EXPAND %{1}
(0)                --> education.lu
(0)             EXPAND prefix
(0)                --> prefix
(0)             EXPAND %{config:prefix}
(0)                --> /home/swinter/scratch/freeradius-patch-build
... new connection request on command socket
Listening on command file 
/home/swinter/scratch/freeradius-patch-build/var/run/radiusd/radiusd.sock
Waking up in 0.2 seconds.
radmin> add home_server file 
/home/swinter/scratch/freeradius-patch-build/etc/raddb/home_servers/education.lu
including configuration file 
/home/swinter/scratch/freeradius-patch-build/etc/raddb/home_servers/education.lu
home_server education.lu {
        ipaddr = tld1.eduroam.lu IPv4 address [158.64.1.26]
        port = 2083
        type = "auth"
        proto = "tcp"
        secret = <<< secret >>>
        response_window = 30.000000
        response_timeouts = 1
        max_outstanding = 65536
        zombie_period = 40
        status_check = "none"
        ping_interval = 30
        check_timeout = 4
        num_answers_to_alive = 3
        revive_interval = 300
  limit {
        max_connections = 16
        max_requests = 0
        lifetime = 0
        idle_timeout = 0
  }
  coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
  }
  recv_coa {
  }
}
  tls {
        verify_depth = 0
        ca_path = 
"/home/swinter/scratch/freeradius-patch-build/etc/raddb/certs/"
        pem_file_type = yes
        private_key_file = 
"/home/swinter/scratch/freeradius-patch-build/etc/raddb/certs/server.key"
        certificate_file = 
"/home/swinter/scratch/freeradius-patch-build/etc/raddb/certs/server.pem"
        fragment_size = 1024
        include_length = yes
        check_crl = no
        ca_path_reload_interval = 0
        ecdh_curve = "prime256v1"
        tls_min_version = "1.2"
  }
Waking up in 0.2 seconds.
... shutting down socket command file 
/home/swinter/scratch/freeradius-patch-build/var/run/radiusd/radiusd.sock
Waking up in 0.2 seconds.
(0)             Program returned code (0) and output 'home_server 
education.lu {        ipaddr =  tld1.eduroam.lu       port = 2083     ipad
dr =  tld2.eduroam.lu   port = 2083     proto = tcp     type = auth 
     secret = radsec         tls {           certificate_file = /home/swi
nter/scratch/freeradius-patch-build/etc/raddb/certs/server.pem 
          private_key_file = 
/home/swinter/scratch/freeradius-patch-build/etc/
raddb/certs/server.key          ca_path = 
/home/swinter/scratch/freeradius-patch-build/etc/raddb/certs/         } }'
(0)             &Temp-Home-Server-String := home_server education.lu { 
  ipaddr =  tld1.eduroam.lu       port = 2083     ipaddr =  tld2.eduro
am.lu   port = 2083     proto = tcp     type = auth     secret = radsec 
         tls {           certificate_file = /home/swinter/scratch/fre
eradius-patch-build/etc/raddb/certs/server.pem          private_key_file 
= /home/swinter/scratch/freeradius-patch-build/etc/raddb/certs/serv
er.key          ca_path = 
/home/swinter/scratch/freeradius-patch-build/etc/raddb/certs/         } }
(0)           } # update control = noop
(0)           if ("%{control:Temp-Home-Server-String}" == "" ) {
(0)           if ("%{control:Temp-Home-Server-String}" == "" )  -> FALSE
(0)           else {
(0)             update control {
(0)               &Home-Server-Name := %{1}
(0)             } # update control = noop
(0)           } # else = noop
(0)         } # case = noop
(0)       } # switch %{home_server_dynamic:%{1}} = noop
(0)     } # if (User-Name =~ /@(.*)$/)  = noop
(0)   } # authorize = ok
(0) Proxying due to Home-Server-Name
(0) WARNING: No such home server %{1}
(0) There was no response configured: rejecting request
(0) Using Post-Auth-Type Reject
(0) # Executing group from file 
/home/swinter/scratch/freeradius-patch-build/etc/raddb/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> stefan at education.lu
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)     [eap] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Thread 5 waiting to be assigned a request
Waking up in 0.7 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 130 from 127.0.0.1:1812 to 127.0.0.1:34531 
length 20
Waking up in 1.9 seconds.
... cleaning up socket command file 
/home/swinter/scratch/freeradius-patch-build/var/run/radiusd/radiusd.sock
Waking up in 1.9 seconds.
(0) Cleaning up request packet ID 130 with timestamp +2 due to 
cleanup_delay was reached
Ready to process requests
Waking up in 0.3 seconds.
Thread 3 got semaphore
Thread 3 handling request 1, (1 handled so far)
(1) Received Access-Request Id 252 from 127.0.0.1:34174 to 
127.0.0.1:1812 length 95
(1)   User-Name = "stefan at education.lu"
(1)   User-Password = "abc"
(1)   NAS-IP-Address = 127.0.1.1
(1)   NAS-Port = 123
(1)   Message-Authenticator = 0xe68f95793b848723c77bdf38690952b2
(1)   Framed-Protocol = PPP
(1) # Executing section authorize from file 
/home/swinter/scratch/freeradius-patch-build/etc/raddb/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) 
   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: Looking up realm "education.lu" for User-Name = 
"stefan at education.lu"
(1) suffix: No such realm "education.lu"
(1)     [suffix] = noop
(1) eap: No EAP-Message, not doing EAP
(1)     [eap] = noop
(1) files: users: Matched entry DEFAULT at line 167
(1)     [files] = ok
(1)     [expiration] = noop
(1)     [logintime] = noop
(1) pap: WARNING: No "known good" password found for the user.  Not 
setting Auth-Type
(1) pap: WARNING: Authentication will fail unless a "known good" 
password is available
(1)     [pap] = noop
(1)     if (User-Name =~ /@(.*)$/) {
(1)     if (User-Name =~ /@(.*)$/)  -> TRUE
(1)     if (User-Name =~ /@(.*)$/)  {
(1)       switch %{home_server_dynamic:%{1}} {
(1)       EXPAND %{home_server_dynamic:%{1}}
(1)          --> 1
(1)         case 1 {
(1)           update control {
(1)             EXPAND %{1}
(1)                --> education.lu
(1)             &Home-Server-Name := education.lu
(1)           } # update control = noop
(1)         } # case 1 = noop
(1)       } # switch %{home_server_dynamic:%{1}} = noop
(1)     } # if (User-Name =~ /@(.*)$/)  = noop
(1)   } # authorize = ok
(1) Proxying due to Home-Server-Name
(1) Starting proxy to home server 158.64.1.26 port 2083
(1) server default {
(1) }
(TLS) Trying new outgoing proxy connection to proxy (0.0.0.0, 0) -> 
home_server (158.64.1.26, 2083)
Requiring Server certificate
(0) (TLS) Handshake state - before SSL initialization
(0) (TLS) Handshake state - Client before SSL initialization
(0) (TLS) send TLS 1.2 Handshake, ClientHello
(0) (TLS) Handshake state - Client SSLv3/TLS write client hello
(0) (TLS) Handshake state - Client SSLv3/TLS write client hello
(0) (TLS) recv TLS 1.2 Handshake, ServerHello
(0) (TLS) Handshake state - Client SSLv3/TLS read server hello
(0) (TLS) recv TLS 1.2 Handshake, Certificate
(0) (TLS) Creating attributes from server certificate
(0)   TLS-Cert-Serial := "01"
(0)   TLS-Cert-Expiration := "301103101536Z"
(0)   TLS-Cert-Valid-Since := "101108101536Z"
(0)   TLS-Cert-Subject := "/DC=org/DC=edupki/CN=eduPKI CA G 01"
(0)   TLS-Cert-Issuer := "/DC=org/DC=edupki/CN=eduPKI CA G 01"
(0)   TLS-Cert-Common-Name := "eduPKI CA G 01"
(0)   ERROR: (TLS) OpenSSL says error 19 : self signed certificate in 
certificate chain
(0) (TLS) send TLS 1.2 Alert, fatal unknown_ca
(0) ERROR: (TLS) Alert write:fatal:unknown CA
(0) ERROR: (TLS) Client : Error in error
tls: (TLS) Failed in connecting TLS session.: error:1416F086:SSL 
routines:tls_process_server_certificate:certificate verify failed
tls: (TLS) System call (I/O) error (-1)
(TLS) Failed opening connection on proxy socket 'proxy (0.0.0.0, 0) -> 
home_server (158.64.1.26, 2083)'
(1) Failed to insert request into the proxy list
(1) There was no response configured: rejecting request
(1) Using Post-Auth-Type Reject
(1) # Executing group from file 
/home/swinter/scratch/freeradius-patch-build/etc/raddb/sites-enabled/default
(1)   Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject:    --> stefan at education.lu
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1)     [attr_filter.access_reject] = updated
(1)     [eap] = noop
(1)     policy remove_reply_message_if_eap {
(1)       if (&reply:EAP-Message && &reply:Reply-Message) {
(1)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(1)       else {
(1)         [noop] = noop
(1)       } # else = noop
(1)     } # policy remove_reply_message_if_eap = noop
(1)   } # Post-Auth-Type REJECT = updated
(1) Sent Access-Reject Id 252 from 127.0.0.1:1812 to 127.0.0.1:34174 
length 20
(1) Finished request
Thread 3 waiting to be assigned a request
Waking up in 4.6 seconds.
(1) Cleaning up request packet ID 252 with timestamp +30 due to 
cleanup_delay was reached
Ready to process requests


> -- 
> This email may contain information for limited distribution only, please treat accordingly.
>
> Fondation Restena, Stefan WINTER
> Chief Technology Officer
> 2, avenue de l'Université
> L-4365 Esch-sur-Alzette
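As an added example (not the patchset's naptr-eduroam-freeradius.sh), this POSIX shell script walks the discovery step described above: filter RFC 7585 / eduroam NAPTR answers down to auth-capable RADIUS/TLS targets, resolve their SRV records, and emit the home_server stanza that `radmin add home_server` loads. The realm, hostnames and DNS answers are constructed inline (no dig calls) so it runs offline; the stanza sets `type = auth` explicitly because the default is auth+acct.

```shell
#!/bin/sh
# Constructed NAPTR answers in `dig +short NAPTR <realm>` layout:
#   order pref "flags" "service" "regexp" replacement
NAPTR_ANSWERS='100 10 "s" "x-eduroam:radius.tls" "" _radsec._tcp.example-realm.test.
100 20 "s" "aaa+auth:radius.tls.tcp" "" _radsec._tcp.example-realm.test.
100 10 "s" "aaa+acct:radius.tls.tcp" "" _radsec-acct._tcp.example-realm.test.
200 10 "s" "aaa+auth:radius.dtls.udp" "" _radsec._udp.example-realm.test.'

# Constructed SRV answers: name priority weight port target
SRV_ANSWERS='_radsec._tcp.example-realm.test. 0 100 2083 tld1.example-realm.test.
_radsec._tcp.example-realm.test. 0 100 2083 tld2.example-realm.test.
_radsec._udp.example-realm.test. 0 100 2083 dtls.example-realm.test.'

# Keep only "s"-flagged records whose service is the eduroam legacy tag or the
# RFC 7585 auth-over-RADIUS/TLS/TCP tag, best order/preference first, one line
# per distinct SRV replacement name. Accounting and DTLS records are dropped.
auth_tls_targets() {
    printf '%s\n' "$NAPTR_ANSWERS" \
    | awk '$3 == "\"s\"" && ($4 == "\"x-eduroam:radius.tls\"" \
                           || $4 == "\"aaa+auth:radius.tls.tcp\"") { print $1, $2, $6 }' \
    | sort -n -k1,1 -k2,2 | awk '!seen[$3]++ { print $3 }'
}

# Resolve one SRV name to "host port" lines, lowest priority value first,
# with the trailing dot stripped from the target so it is a plain hostname.
srv_endpoints() {
    printf '%s\n' "$SRV_ANSWERS" \
    | awk -v name="$1" '$1 == name { sub(/\.$/, "", $5); print $2, $5, $4 }' \
    | sort -n -k1,1 | cut -d' ' -f2,3
}

# Print the home_server block for a realm in the form FreeRADIUS 3.2 parses.
home_server_stanza() {
    realm="$1"
    printf 'home_server %s {\n' "$realm"
    for target in $(auth_tls_targets); do
        srv_endpoints "$target" | while read -r host port; do
            printf '\tipaddr = %s\n\tport = %s\n' "$host" "$port"
        done
    done
    printf '\tproto = tcp\n\ttype = auth\n\tsecret = radsec\n}\n'
}

home_server_stanza example-realm.test
```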

