3.2.0: dynamic_home_servers ?
Stefan Winter
stefan.winter at restena.lu
Tue May 31 08:32:44 UTC 2022
Hello,
> You don't have:
>
> type = auth
>
> in the configuration section. The default is "type = auth+acct", but that's not printed out in debug mode. :(
>
> I'll fix the error messages to be more clear.
Ah! Could have figured that out myself, I guess.
With this, I now have a patchset to fully automate dynamic lookup, using
the naptr-eduroam.sh script from radsecproxy as a discovery base
(adapted to also work with RFC7585 NAPTR targets and with that,
OpenRoaming).
This is WIP here:
https://github.com/FreeRADIUS/freeradius-server/compare/v3.2.x...restena-sw:restena-sw-patch-1
I'm almost ready to send a PR, but noticed a runtime oddity that may
need actual code to smoothen.
The first time I run a request (with -fxx -l stdout to enable
multithreading),
* realm discovery script is run
* radmin is called to update the config
* Home-Server-Name gets set *after radmin is finished*
... and then proxying fails with (0) WARNING: No such home server %{1}
The second and subsequent times I try to authenticate, the home server
config *is* honoured and proxying to the dest server is attempted.
Looks like the config update is not immediately in effect for the
request that triggered discovery. You may need to see the full debug
output below of two such requests to see what I mean (the TLS failure at
the very end is expected due to cert chain mismatch):
Ready to process requests
Threads: total/active/spare threads = 5/0/5
Waking up in 0.3 seconds.
Thread 5 got semaphore
Thread 5 handling request 0, (1 handled so far)
(0) Received Access-Request Id 130 from 127.0.0.1:34531 to
127.0.0.1:1812 length 95
(0) User-Name = "stefan at education.lu"
(0) User-Password = "abc"
(0) NAS-IP-Address = 127.0.1.1
(0) NAS-Port = 123
(0) Message-Authenticator = 0x1fd9821b1e8ba7503abf9fcec4d16548
(0) Framed-Protocol = PPP
(0) # Executing section authorize from file
/home/swinter/scratch/freeradius-patch-build/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "education.lu" for User-Name =
"stefan at education.lu"
(0) suffix: No such realm "education.lu"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: users: Matched entry DEFAULT at line 167
(0) [files] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user. Not
setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good"
password is available
(0) [pap] = noop
(0) if (User-Name =~ /@(.*)$/) {
(0) if (User-Name =~ /@(.*)$/) -> TRUE
(0) if (User-Name =~ /@(.*)$/) {
(0) switch %{home_server_dynamic:%{1}} {
(0) EXPAND %{home_server_dynamic:%{1}}
(0) -->
(0) case {
(0) update control {
(0) Executing:
%{config:prefix}/bin/naptr-eduroam-freeradius.sh %{1} %{config:prefix}:
(0) EXPAND prefix
(0) --> prefix
(0) EXPAND %{config:prefix}/bin/naptr-eduroam-freeradius.sh
(0) -->
/home/swinter/scratch/freeradius-patch-build/bin/naptr-eduroam-freeradius.sh
(0) EXPAND %{1}
(0) --> education.lu
(0) EXPAND prefix
(0) --> prefix
(0) EXPAND %{config:prefix}
(0) --> /home/swinter/scratch/freeradius-patch-build
... new connection request on command socket
Listening on command file
/home/swinter/scratch/freeradius-patch-build/var/run/radiusd/radiusd.sock
Waking up in 0.2 seconds.
radmin> add home_server file
/home/swinter/scratch/freeradius-patch-build/etc/raddb/home_servers/education.lu
including configuration file
/home/swinter/scratch/freeradius-patch-build/etc/raddb/home_servers/education.lu
home_server education.lu {
ipaddr = tld1.eduroam.lu IPv4 address [158.64.1.26]
port = 2083
type = "auth"
proto = "tcp"
secret = <<< secret >>>
response_window = 30.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 300
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
recv_coa {
}
}
tls {
verify_depth = 0
ca_path =
"/home/swinter/scratch/freeradius-patch-build/etc/raddb/certs/"
pem_file_type = yes
private_key_file =
"/home/swinter/scratch/freeradius-patch-build/etc/raddb/certs/server.key"
certificate_file =
"/home/swinter/scratch/freeradius-patch-build/etc/raddb/certs/server.pem"
fragment_size = 1024
include_length = yes
check_crl = no
ca_path_reload_interval = 0
ecdh_curve = "prime256v1"
tls_min_version = "1.2"
}
Waking up in 0.2 seconds.
... shutting down socket command file
/home/swinter/scratch/freeradius-patch-build/var/run/radiusd/radiusd.sock
Waking up in 0.2 seconds.
(0) Program returned code (0) and output 'home_server education.lu { ipaddr = tld1.eduroam.lu port = 2083 ipaddr = tld2.eduroam.lu port = 2083 proto = tcp type = auth secret = radsec tls { certificate_file = /home/swinter/scratch/freeradius-patch-build/etc/raddb/certs/server.pem private_key_file = /home/swinter/scratch/freeradius-patch-build/etc/raddb/certs/server.key ca_path = /home/swinter/scratch/freeradius-patch-build/etc/raddb/certs/ } }'
(0) &Temp-Home-Server-String := home_server education.lu { ipaddr = tld1.eduroam.lu port = 2083 ipaddr = tld2.eduroam.lu port = 2083 proto = tcp type = auth secret = radsec tls { certificate_file = /home/swinter/scratch/freeradius-patch-build/etc/raddb/certs/server.pem private_key_file = /home/swinter/scratch/freeradius-patch-build/etc/raddb/certs/server.key ca_path = /home/swinter/scratch/freeradius-patch-build/etc/raddb/certs/ } }
(0) } # update control = noop
(0) if ("%{control:Temp-Home-Server-String}" == "" ) {
(0) if ("%{control:Temp-Home-Server-String}" == "" ) -> FALSE
(0) else {
(0) update control {
(0) &Home-Server-Name := %{1}
(0) } # update control = noop
(0) } # else = noop
(0) } # case = noop
(0) } # switch %{home_server_dynamic:%{1}} = noop
(0) } # if (User-Name =~ /@(.*)$/) = noop
(0) } # authorize = ok
(0) Proxying due to Home-Server-Name
(0) WARNING: No such home server %{1}
(0) There was no response configured: rejecting request
(0) Using Post-Auth-Type Reject
(0) # Executing group from file
/home/swinter/scratch/freeradius-patch-build/etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> stefan at education.lu
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Thread 5 waiting to be assigned a request
Waking up in 0.7 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 130 from 127.0.0.1:1812 to 127.0.0.1:34531
length 20
Waking up in 1.9 seconds.
... cleaning up socket command file
/home/swinter/scratch/freeradius-patch-build/var/run/radiusd/radiusd.sock
Waking up in 1.9 seconds.
(0) Cleaning up request packet ID 130 with timestamp +2 due to
cleanup_delay was reached
Ready to process requests
Waking up in 0.3 seconds.
Thread 3 got semaphore
Thread 3 handling request 1, (1 handled so far)
(1) Received Access-Request Id 252 from 127.0.0.1:34174 to
127.0.0.1:1812 length 95
(1) User-Name = "stefan at education.lu"
(1) User-Password = "abc"
(1) NAS-IP-Address = 127.0.1.1
(1) NAS-Port = 123
(1) Message-Authenticator = 0xe68f95793b848723c77bdf38690952b2
(1) Framed-Protocol = PPP
(1) # Executing section authorize from file
/home/swinter/scratch/freeradius-patch-build/etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: Looking up realm "education.lu" for User-Name =
"stefan at education.lu"
(1) suffix: No such realm "education.lu"
(1) [suffix] = noop
(1) eap: No EAP-Message, not doing EAP
(1) [eap] = noop
(1) files: users: Matched entry DEFAULT at line 167
(1) [files] = ok
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: WARNING: No "known good" password found for the user. Not
setting Auth-Type
(1) pap: WARNING: Authentication will fail unless a "known good"
password is available
(1) [pap] = noop
(1) if (User-Name =~ /@(.*)$/) {
(1) if (User-Name =~ /@(.*)$/) -> TRUE
(1) if (User-Name =~ /@(.*)$/) {
(1) switch %{home_server_dynamic:%{1}} {
(1) EXPAND %{home_server_dynamic:%{1}}
(1) --> 1
(1) case 1 {
(1) update control {
(1) EXPAND %{1}
(1) --> education.lu
(1) &Home-Server-Name := education.lu
(1) } # update control = noop
(1) } # case 1 = noop
(1) } # switch %{home_server_dynamic:%{1}} = noop
(1) } # if (User-Name =~ /@(.*)$/) = noop
(1) } # authorize = ok
(1) Proxying due to Home-Server-Name
(1) Starting proxy to home server 158.64.1.26 port 2083
(1) server default {
(1) }
(TLS) Trying new outgoing proxy connection to proxy (0.0.0.0, 0) ->
home_server (158.64.1.26, 2083)
Requiring Server certificate
(0) (TLS) Handshake state - before SSL initialization
(0) (TLS) Handshake state - Client before SSL initialization
(0) (TLS) send TLS 1.2 Handshake, ClientHello
(0) (TLS) Handshake state - Client SSLv3/TLS write client hello
(0) (TLS) Handshake state - Client SSLv3/TLS write client hello
(0) (TLS) recv TLS 1.2 Handshake, ServerHello
(0) (TLS) Handshake state - Client SSLv3/TLS read server hello
(0) (TLS) recv TLS 1.2 Handshake, Certificate
(0) (TLS) Creating attributes from server certificate
(0) TLS-Cert-Serial := "01"
(0) TLS-Cert-Expiration := "301103101536Z"
(0) TLS-Cert-Valid-Since := "101108101536Z"
(0) TLS-Cert-Subject := "/DC=org/DC=edupki/CN=eduPKI CA G 01"
(0) TLS-Cert-Issuer := "/DC=org/DC=edupki/CN=eduPKI CA G 01"
(0) TLS-Cert-Common-Name := "eduPKI CA G 01"
(0) ERROR: (TLS) OpenSSL says error 19 : self signed certificate in
certificate chain
(0) (TLS) send TLS 1.2 Alert, fatal unknown_ca
(0) ERROR: (TLS) Alert write:fatal:unknown CA
(0) ERROR: (TLS) Client : Error in error
tls: (TLS) Failed in connecting TLS session.: error:1416F086:SSL
routines:tls_process_server_certificate:certificate verify failed
tls: (TLS) System call (I/O) error (-1)
(TLS) Failed opening connection on proxy socket 'proxy (0.0.0.0, 0) ->
home_server (158.64.1.26, 2083)'
(1) Failed to insert request into the proxy list
(1) There was no response configured: rejecting request
(1) Using Post-Auth-Type Reject
(1) # Executing group from file
/home/swinter/scratch/freeradius-patch-build/etc/raddb/sites-enabled/default
(1) Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject: --> stefan at education.lu
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1) [attr_filter.access_reject] = updated
(1) [eap] = noop
(1) policy remove_reply_message_if_eap {
(1) if (&reply:EAP-Message && &reply:Reply-Message) {
(1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(1) else {
(1) [noop] = noop
(1) } # else = noop
(1) } # policy remove_reply_message_if_eap = noop
(1) } # Post-Auth-Type REJECT = updated
(1) Sent Access-Reject Id 252 from 127.0.0.1:1812 to 127.0.0.1:34174
length 20
(1) Finished request
Thread 3 waiting to be assigned a request
Waking up in 4.6 seconds.
(1) Cleaning up request packet ID 252 with timestamp +30 due to
cleanup_delay was reached
Ready to process requests
> --
> This email may contain information for limited distribution only, please treat accordingly.
>
> Fondation Restena, Stefan WINTER
> Chief Technology Officer
> 2, avenue de l'Université
> L-4365 Esch-sur-Alzette
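Added example, not part of Stefan's patchset and not code from FreeRADIUS or radsecproxy: a small Python sketch of the discovery step described in the message (NAPTR records carrying the RFC 7585 service tag or the older eduroam tag, then SRV, then a home_server block in the shape that radmin loads in the debug output above). The realm, the hostnames, the NAPTR/SRV records and the /etc/raddb path are all constructed so the script runs offline; a real discovery script would do live DNS lookups instead. Two details are added from the defender's side: the realm comes straight from User-Name and becomes both a file name under home_servers/ and a config identifier, so it is checked against a strict hostname pattern before use (belt and braces on top of the filter_username policy), and the rendered block carries a single ipaddr, since the parsed block in the debug output shows only the first of the script's two ipaddr lines taking effect.

```python
"""Added example (not Stefan's patch, nor FreeRADIUS/radsecproxy code):
discover a RADIUS/TLS home server for a realm from NAPTR/SRV data and render
the home_server block that `radmin add home_server file` would load.
All DNS data below is constructed so the script runs offline."""
import re
from dataclasses import dataclass
from pathlib import PurePosixPath

# Service tags: RFC 7585 for RADIUS/TLS over TCP, plus the older eduroam tag.
RFC7585_AUTH_TLS = "aaa+auth:radius.tls.tcp"
EDUROAM_LEGACY = "x-eduroam:radius.tls"

# The realm is taken from User-Name and becomes a file name and a config
# identifier, so only a bare DNS name is accepted: two or more labels of
# letters, digits and hyphens, no slashes, quotes, braces or empty labels.
REALM_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


@dataclass(frozen=True)
class Naptr:
    order: int
    preference: int
    flags: str
    service: str
    replacement: str  # for 'S' records, the SRV owner name


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample zone data for a hypothetical realm (not a real domain).
NAPTR = {
    "example-realm.test": [
        Naptr(100, 10, "S", EDUROAM_LEGACY, "_radsec._tcp.example-realm.test."),
        Naptr(50, 10, "S", RFC7585_AUTH_TLS, "_radiustls._tcp.example-realm.test."),
        Naptr(50, 20, "S", "aaa+acct:radius.tls.tcp", "_radiustls-acct._tcp.example-realm.test."),
        Naptr(10, 10, "S", "sip+d2t", "_sip._tcp.example-realm.test."),
    ],
}
SRV = {
    "_radiustls._tcp.example-realm.test.": [
        Srv(20, 0, 2083, "tld2.example-realm.test."),
        Srv(10, 0, 2083, "tld1.example-realm.test."),
    ],
    "_radsec._tcp.example-realm.test.": [Srv(10, 0, 2083, "legacy.example-realm.test.")],
}


def validate_realm(realm: str) -> str:
    """Normalise the realm and refuse anything that is not a plain DNS name."""
    realm = realm.strip().lower().rstrip(".")
    if not REALM_RE.match(realm):
        raise ValueError(f"refusing realm {realm!r}: not a bare DNS name")
    return realm


def discover(realm, naptr=NAPTR, srv=SRV, services=(RFC7585_AUTH_TLS, EDUROAM_LEGACY)):
    """Return (host, port) auth targets for the realm, best first.

    Only 'S' NAPTR records with an accepted service tag are used, walked by
    ascending order then preference (RFC 3403); each SRV set is taken by
    ascending priority (weight is not used for load sharing here)."""
    realm = validate_realm(realm)
    wanted = {s.lower() for s in services}
    candidates = [r for r in naptr.get(realm, [])
                  if r.flags.upper() == "S" and r.service.lower() in wanted]
    targets = []
    for rec in sorted(candidates, key=lambda r: (r.order, r.preference)):
        for s in sorted(srv.get(rec.replacement, []), key=lambda s: (s.priority, -s.weight)):
            targets.append((s.target.rstrip("."), s.port))
    return targets


def home_server_path(raddb: str, realm: str) -> str:
    """File that `radmin add home_server file <path>` reads (layout as in the post)."""
    return str(PurePosixPath(raddb) / "home_servers" / validate_realm(realm))


def render_home_server(realm: str, targets, raddb: str) -> str:
    """Render one home_server block for the best target, with one ipaddr only;
    further targets belong in separate home_server entries, not repeated keys."""
    realm = validate_realm(realm)
    if not targets:
        raise LookupError(f"no RADIUS/TLS target discovered for {realm}")
    host, port = targets[0]
    certs = PurePosixPath(raddb) / "certs"
    return (
        f"home_server {realm} {{\n"
        f"\tipaddr = {host}\n"
        f"\tport = {port}\n"
        "\tproto = tcp\n"
        "\ttype = auth\n"   # explicit, as the quoted reply recommends
        "\tsecret = radsec\n"
        "\ttls {\n"
        f"\t\tcertificate_file = {certs / 'server.pem'}\n"
        f"\t\tprivate_key_file = {certs / 'server.key'}\n"
        f"\t\tca_path = {certs}/\n"
        "\t}\n"
        "}\n"
    )


if __name__ == "__main__":
    realm = "example-realm.test"
    print(home_server_path("/etc/raddb", realm))
    print(render_home_server(realm, discover(realm), "/etc/raddb"))
```

Run as-is it prints the file path and the block for the constructed realm; discover() returns the targets best-first, so the remaining entries are available for additional home_server blocks or a pool if failover is wanted.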