3.2.0: dynamic_home_servers ?
Stefan Winter
stefan.winter at restena.lu
Tue May 31 08:38:28 UTC 2022
Eek.
Or, I forgot double quotes in the discovery case.
So, all works. Ready to send a PR :-)
Stefan
On 31.05.22 10:32, Stefan Winter wrote:
> Hello,
>
>
>> You don't have:
>>
>> type = auth
>>
>> in the configuration section. The default is "type = auth+acct",
>> but that's not printed out in debug mode. :(
>>
>> I'll fix the error messages to be more clear.
>
>
> Ah! Could have figured that out myself, I guess.
>
>
> With this, I now have a patchset to fully automate dynamic lookup,
> using the naptr-eduroam.sh script from radsecproxy as a discovery base
> (adapted to also work with RFC7585 NAPTR targets and with that,
> OpenRoaming).
>
>
> This is WIP here:
> https://github.com/FreeRADIUS/freeradius-server/compare/v3.2.x...restena-sw:restena-sw-patch-1
>
>
> I'm almost ready to send a PR, but noticed a runtime oddity that may
> need actual code to smoothen.
>
>
> The first time I run a request (with -fxx -l stdout to enable
> multithreading),
>
> * realm discovery script is run
>
> * radmin is called to update the config
>
> * Home-Server-Name gets set *after radmin is finished*
>
> ... and then proxying fails with (0) WARNING: No such home server %{1}
>
> The second and subsequent times I try to authenticate, the home server
> config *is* honoured and proxying to the dest server is attempted.
>
>
> Looks like the config update is not immediately in effect for the
> request that triggered discovery. You may need to see the full debug
> output below of two such requests to see what I mean (the TLS failure
> at the very end is expected due to cert chain mismatch):
>
>
> Ready to process requests
> Threads: total/active/spare threads = 5/0/5
> Waking up in 0.3 seconds.
> Thread 5 got semaphore
> Thread 5 handling request 0, (1 handled so far)
> (0) Received Access-Request Id 130 from 127.0.0.1:34531 to
> 127.0.0.1:1812 length 95
> (0) User-Name = "stefan at education.lu"
> (0) User-Password = "abc"
> (0) NAS-IP-Address = 127.0.1.1
> (0) NAS-Port = 123
> (0) Message-Authenticator = 0x1fd9821b1e8ba7503abf9fcec4d16548
> (0) Framed-Protocol = PPP
> (0) # Executing section authorize from file
> /home/swinter/scratch/freeradius-patch-build/etc/raddb/sites-enabled/default
> (0) authorize {
> (0) policy filter_username {
> (0) if (&User-Name) {
> (0) if (&User-Name) -> TRUE
> (0) if (&User-Name) {
> (0) if (&User-Name =~ / /) {
> (0) if (&User-Name =~ / /) -> FALSE
> (0) if (&User-Name =~ /@[^@]*@/ ) {
> (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (0) if (&User-Name =~ /\.\./ ) {
> (0) if (&User-Name =~ /\.\./ ) -> FALSE
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
> -> FALSE
> (0) if (&User-Name =~ /\.$/) {
> (0) if (&User-Name =~ /\.$/) -> FALSE
> (0) if (&User-Name =~ /@\./) {
> (0) if (&User-Name =~ /@\./) -> FALSE
> (0) } # if (&User-Name) = notfound
> (0) } # policy filter_username = notfound
> (0) [preprocess] = ok
> (0) [chap] = noop
> (0) [mschap] = noop
> (0) [digest] = noop
> (0) suffix: Checking for suffix after "@"
> (0) suffix: Looking up realm "education.lu" for User-Name =
> "stefan at education.lu"
> (0) suffix: No such realm "education.lu"
> (0) [suffix] = noop
> (0) eap: No EAP-Message, not doing EAP
> (0) [eap] = noop
> (0) files: users: Matched entry DEFAULT at line 167
> (0) [files] = ok
> (0) [expiration] = noop
> (0) [logintime] = noop
> (0) pap: WARNING: No "known good" password found for the user. Not
> setting Auth-Type
> (0) pap: WARNING: Authentication will fail unless a "known good"
> password is available
> (0) [pap] = noop
> (0) if (User-Name =~ /@(.*)$/) {
> (0) if (User-Name =~ /@(.*)$/) -> TRUE
> (0) if (User-Name =~ /@(.*)$/) {
> (0) switch %{home_server_dynamic:%{1}} {
> (0) EXPAND %{home_server_dynamic:%{1}}
> (0) -->
> (0) case {
> (0) update control {
> (0) Executing:
> %{config:prefix}/bin/naptr-eduroam-freeradius.sh %{1} %{config:prefix}:
> (0) EXPAND prefix
> (0) --> prefix
> (0) EXPAND %{config:prefix}/bin/naptr-eduroam-freeradius.sh
> (0) -->
> /home/swinter/scratch/freeradius-patch-build/bin/naptr-eduroam-freeradius.sh
> (0) EXPAND %{1}
> (0) --> education.lu
> (0) EXPAND prefix
> (0) --> prefix
> (0) EXPAND %{config:prefix}
> (0) --> /home/swinter/scratch/freeradius-patch-build
> ... new connection request on command socket
> Listening on command file
> /home/swinter/scratch/freeradius-patch-build/var/run/radiusd/radiusd.sock
> Waking up in 0.2 seconds.
> radmin> add home_server file
> /home/swinter/scratch/freeradius-patch-build/etc/raddb/home_servers/education.lu
> including configuration file
> /home/swinter/scratch/freeradius-patch-build/etc/raddb/home_servers/education.lu
> home_server education.lu {
> ipaddr = tld1.eduroam.lu IPv4 address [158.64.1.26]
> port = 2083
> type = "auth"
> proto = "tcp"
> secret = <<< secret >>>
> response_window = 30.000000
> response_timeouts = 1
> max_outstanding = 65536
> zombie_period = 40
> status_check = "none"
> ping_interval = 30
> check_timeout = 4
> num_answers_to_alive = 3
> revive_interval = 300
> limit {
> max_connections = 16
> max_requests = 0
> lifetime = 0
> idle_timeout = 0
> }
> coa {
> irt = 2
> mrt = 16
> mrc = 5
> mrd = 30
> }
> recv_coa {
> }
> }
> tls {
> verify_depth = 0
> ca_path =
> "/home/swinter/scratch/freeradius-patch-build/etc/raddb/certs/"
> pem_file_type = yes
> private_key_file =
> "/home/swinter/scratch/freeradius-patch-build/etc/raddb/certs/server.key"
> certificate_file =
> "/home/swinter/scratch/freeradius-patch-build/etc/raddb/certs/server.pem"
> fragment_size = 1024
> include_length = yes
> check_crl = no
> ca_path_reload_interval = 0
> ecdh_curve = "prime256v1"
> tls_min_version = "1.2"
> }
> Waking up in 0.2 seconds.
> ... shutting down socket command file
> /home/swinter/scratch/freeradius-patch-build/var/run/radiusd/radiusd.sock
> Waking up in 0.2 seconds.
> (0) Program returned code (0) and output 'home_server
> education.lu { ipaddr = tld1.eduroam.lu port = 2083
> ipaddr = tld2.eduroam.lu port = 2083 proto = tcp type = auth
> secret = radsec tls { certificate_file =
> /home/swinter/scratch/freeradius-patch-build/etc/raddb/certs/server.pem
> private_key_file =
> /home/swinter/scratch/freeradius-patch-build/etc/raddb/certs/server.key
> ca_path = /home/swinter/scratch/freeradius-patch-build/etc/raddb/certs/
> } }'
> (0) &Temp-Home-Server-String := home_server education.lu {
> ipaddr = tld1.eduroam.lu port = 2083 ipaddr = tld2.eduroam.lu
> port = 2083 proto = tcp type = auth secret = radsec tls {
> certificate_file =
> /home/swinter/scratch/freeradius-patch-build/etc/raddb/certs/server.pem
> private_key_file =
> /home/swinter/scratch/freeradius-patch-build/etc/raddb/certs/server.key
> ca_path = /home/swinter/scratch/freeradius-patch-build/etc/raddb/certs/ } }
> (0) } # update control = noop
> (0) if ("%{control:Temp-Home-Server-String}" == "" ) {
> (0) if ("%{control:Temp-Home-Server-String}" == "" ) -> FALSE
> (0) else {
> (0) update control {
> (0) &Home-Server-Name := %{1}
> (0) } # update control = noop
> (0) } # else = noop
> (0) } # case = noop
> (0) } # switch %{home_server_dynamic:%{1}} = noop
> (0) } # if (User-Name =~ /@(.*)$/) = noop
> (0) } # authorize = ok
> (0) Proxying due to Home-Server-Name
> (0) WARNING: No such home server %{1}
> (0) There was no response configured: rejecting request
> (0) Using Post-Auth-Type Reject
> (0) # Executing group from file
> /home/swinter/scratch/freeradius-patch-build/etc/raddb/sites-enabled/default
> (0) Post-Auth-Type REJECT {
> (0) attr_filter.access_reject: EXPAND %{User-Name}
> (0) attr_filter.access_reject: --> stefan at education.lu
> (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (0) [attr_filter.access_reject] = updated
> (0) [eap] = noop
> (0) policy remove_reply_message_if_eap {
> (0) if (&reply:EAP-Message && &reply:Reply-Message) {
> (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (0) else {
> (0) [noop] = noop
> (0) } # else = noop
> (0) } # policy remove_reply_message_if_eap = noop
> (0) } # Post-Auth-Type REJECT = updated
> (0) Delaying response for 1.000000 seconds
> Thread 5 waiting to be assigned a request
> Waking up in 0.7 seconds.
> (0) Sending delayed response
> (0) Sent Access-Reject Id 130 from 127.0.0.1:1812 to 127.0.0.1:34531
> length 20
> Waking up in 1.9 seconds.
> ... cleaning up socket command file
> /home/swinter/scratch/freeradius-patch-build/var/run/radiusd/radiusd.sock
> Waking up in 1.9 seconds.
> (0) Cleaning up request packet ID 130 with timestamp +2 due to
> cleanup_delay was reached
> Ready to process requests
> Waking up in 0.3 seconds.
> Thread 3 got semaphore
> Thread 3 handling request 1, (1 handled so far)
> (1) Received Access-Request Id 252 from 127.0.0.1:34174 to
> 127.0.0.1:1812 length 95
> (1) User-Name = "stefan at education.lu"
> (1) User-Password = "abc"
> (1) NAS-IP-Address = 127.0.1.1
> (1) NAS-Port = 123
> (1) Message-Authenticator = 0xe68f95793b848723c77bdf38690952b2
> (1) Framed-Protocol = PPP
> (1) # Executing section authorize from file
> /home/swinter/scratch/freeradius-patch-build/etc/raddb/sites-enabled/default
> (1) authorize {
> (1) policy filter_username {
> (1) if (&User-Name) {
> (1) if (&User-Name) -> TRUE
> (1) if (&User-Name) {
> (1) if (&User-Name =~ / /) {
> (1) if (&User-Name =~ / /) -> FALSE
> (1) if (&User-Name =~ /@[^@]*@/ ) {
> (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (1) if (&User-Name =~ /\.\./ ) {
> (1) if (&User-Name =~ /\.\./ ) -> FALSE
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
> -> FALSE
> (1) if (&User-Name =~ /\.$/) {
> (1) if (&User-Name =~ /\.$/) -> FALSE
> (1) if (&User-Name =~ /@\./) {
> (1) if (&User-Name =~ /@\./) -> FALSE
> (1) } # if (&User-Name) = notfound
> (1) } # policy filter_username = notfound
> (1) [preprocess] = ok
> (1) [chap] = noop
> (1) [mschap] = noop
> (1) [digest] = noop
> (1) suffix: Checking for suffix after "@"
> (1) suffix: Looking up realm "education.lu" for User-Name =
> "stefan at education.lu"
> (1) suffix: No such realm "education.lu"
> (1) [suffix] = noop
> (1) eap: No EAP-Message, not doing EAP
> (1) [eap] = noop
> (1) files: users: Matched entry DEFAULT at line 167
> (1) [files] = ok
> (1) [expiration] = noop
> (1) [logintime] = noop
> (1) pap: WARNING: No "known good" password found for the user. Not
> setting Auth-Type
> (1) pap: WARNING: Authentication will fail unless a "known good"
> password is available
> (1) [pap] = noop
> (1) if (User-Name =~ /@(.*)$/) {
> (1) if (User-Name =~ /@(.*)$/) -> TRUE
> (1) if (User-Name =~ /@(.*)$/) {
> (1) switch %{home_server_dynamic:%{1}} {
> (1) EXPAND %{home_server_dynamic:%{1}}
> (1) --> 1
> (1) case 1 {
> (1) update control {
> (1) EXPAND %{1}
> (1) --> education.lu
> (1) &Home-Server-Name := education.lu
> (1) } # update control = noop
> (1) } # case 1 = noop
> (1) } # switch %{home_server_dynamic:%{1}} = noop
> (1) } # if (User-Name =~ /@(.*)$/) = noop
> (1) } # authorize = ok
> (1) Proxying due to Home-Server-Name
> (1) Starting proxy to home server 158.64.1.26 port 2083
> (1) server default {
> (1) }
> (TLS) Trying new outgoing proxy connection to proxy (0.0.0.0, 0) ->
> home_server (158.64.1.26, 2083)
> Requiring Server certificate
> (0) (TLS) Handshake state - before SSL initialization
> (0) (TLS) Handshake state - Client before SSL initialization
> (0) (TLS) send TLS 1.2 Handshake, ClientHello
> (0) (TLS) Handshake state - Client SSLv3/TLS write client hello
> (0) (TLS) Handshake state - Client SSLv3/TLS write client hello
> (0) (TLS) recv TLS 1.2 Handshake, ServerHello
> (0) (TLS) Handshake state - Client SSLv3/TLS read server hello
> (0) (TLS) recv TLS 1.2 Handshake, Certificate
> (0) (TLS) Creating attributes from server certificate
> (0) TLS-Cert-Serial := "01"
> (0) TLS-Cert-Expiration := "301103101536Z"
> (0) TLS-Cert-Valid-Since := "101108101536Z"
> (0) TLS-Cert-Subject := "/DC=org/DC=edupki/CN=eduPKI CA G 01"
> (0) TLS-Cert-Issuer := "/DC=org/DC=edupki/CN=eduPKI CA G 01"
> (0) TLS-Cert-Common-Name := "eduPKI CA G 01"
> (0) ERROR: (TLS) OpenSSL says error 19 : self signed certificate in
> certificate chain
> (0) (TLS) send TLS 1.2 Alert, fatal unknown_ca
> (0) ERROR: (TLS) Alert write:fatal:unknown CA
> (0) ERROR: (TLS) Client : Error in error
> tls: (TLS) Failed in connecting TLS session.: error:1416F086:SSL
> routines:tls_process_server_certificate:certificate verify failed
> tls: (TLS) System call (I/O) error (-1)
> (TLS) Failed opening connection on proxy socket 'proxy (0.0.0.0, 0) ->
> home_server (158.64.1.26, 2083)'
> (1) Failed to insert request into the proxy list
> (1) There was no response configured: rejecting request
> (1) Using Post-Auth-Type Reject
> (1) # Executing group from file
> /home/swinter/scratch/freeradius-patch-build/etc/raddb/sites-enabled/default
> (1) Post-Auth-Type REJECT {
> (1) attr_filter.access_reject: EXPAND %{User-Name}
> (1) attr_filter.access_reject: --> stefan at education.lu
> (1) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (1) [attr_filter.access_reject] = updated
> (1) [eap] = noop
> (1) policy remove_reply_message_if_eap {
> (1) if (&reply:EAP-Message && &reply:Reply-Message) {
> (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (1) else {
> (1) [noop] = noop
> (1) } # else = noop
> (1) } # policy remove_reply_message_if_eap = noop
> (1) } # Post-Auth-Type REJECT = updated
> (1) Sent Access-Reject Id 252 from 127.0.0.1:1812 to 127.0.0.1:34174
> length 20
> (1) Finished request
> Thread 3 waiting to be assigned a request
> Waking up in 4.6 seconds.
> (1) Cleaning up request packet ID 252 with timestamp +30 due to
> cleanup_delay was reached
> Ready to process requests
--
This email may contain information for limited distribution only, please treat accordingly.
Fondation Restena, Stefan WINTER
Chief Technology Officer
2, avenue de l'Université
L-4365 Esch-sur-Alzette
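Two things in the thread deserve a defensive check before such a discovery setup goes into production: the realm taken from User-Name (`%{1}`) is handed to an external script as an argument and then becomes a file name under raddb/home_servers/ that radmin loads, and the generated home_server block only parsed once string values carried double quotes. The following Python is an added example, not code from the thread, from FreeRADIUS or from the naptr-eduroam script; the install prefix `/srv/freeradius`, the function names and the sample values are assumptions. It mirrors the checks the `filter_username` policy performs in the debug output, adds a strict hostname check so a realm can only ever be a single path component, renders a radsec home_server block with quoted strings, and lints a block for unquoted string values.

```python
import re
from pathlib import PurePosixPath

# Assumed install prefix (the thread uses a scratch build under /home/swinter/...).
PREFIX = "/srv/freeradius"

# One DNS label: 1-63 chars of letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def realm_from_username(username):
    """Take the text after '@' (as the unlang regex /@(.*)$/ does), but only
    return it if it passes the filter_username checks visible in the debug log
    (no spaces, exactly one '@', no '..', no leading/trailing '.', at least one
    dot) plus a strict DNS-hostname check. A realm that passes is safe both as
    an argv element for the discovery script and as a file name."""
    if " " in username or username.count("@") != 1:
        return None
    realm = username.split("@", 1)[1].lower()   # DNS is case-insensitive
    if not realm or ".." in realm or realm[0] == "." or realm[-1] == ".":
        return None
    labels = realm.split(".")
    if len(labels) < 2 or len(realm) > 253:
        return None
    if not all(_LABEL.match(label) for label in labels):
        return None
    return realm


def home_server_file(realm):
    """Path radmin would be told to load; refuse anything that is not exactly
    one path component below raddb/home_servers/ (no '/', no '..')."""
    base = PurePosixPath(PREFIX) / "etc" / "raddb" / "home_servers"
    path = base / realm
    if path.parent != base or realm in (".", ".."):
        raise ValueError("unsafe realm for file name: %r" % realm)
    return str(path)


def _fmt(value):
    """Config value formatting: ints bare, bools as yes/no, strings double-quoted."""
    if isinstance(value, bool):
        return "yes" if value else "no"
    if isinstance(value, int):
        return str(value)
    if '"' in value or "\n" in value:
        raise ValueError("value would break out of the quoted string")
    return '"%s"' % value


def render_home_server(realm, ipaddr, port, secret, cert_file, key_file, ca_path):
    """Render a radsec home_server block shaped like the one radmin loaded in
    the thread, with every string value in double quotes."""
    body = [("ipaddr", ipaddr), ("port", port), ("proto", "tcp"),
            ("type", "auth"), ("secret", secret)]
    tls = [("certificate_file", cert_file), ("private_key_file", key_file),
           ("ca_path", ca_path)]
    out = ["home_server %s {" % realm]
    out += ["\t%s = %s" % (k, _fmt(v)) for k, v in body]
    out.append("\ttls {")
    out += ["\t\t%s = %s" % (k, _fmt(v)) for k, v in tls]
    out += ["\t}", "}"]
    return "\n".join(out) + "\n"


_ASSIGN = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$")


def unquoted_strings(config_text):
    """Lint: return the keys whose value is neither a quoted string, an integer
    nor yes/no, i.e. the missing-quotes mistake the reply refers to."""
    bad = []
    for line in config_text.splitlines():
        m = _ASSIGN.match(line)
        if not m:
            continue
        key, value = m.groups()
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            continue
        if value.isdigit() or value in ("yes", "no"):
            continue
        bad.append(key)
    return bad


if __name__ == "__main__":
    # Constructed sample: the user name from the thread's debug output.
    realm = realm_from_username("stefan@education.lu")
    print(home_server_file(realm))
    block = render_home_server(realm, "tld1.eduroam.lu", 2083, "radsec",
                               PREFIX + "/etc/raddb/certs/server.pem",
                               PREFIX + "/etc/raddb/certs/server.key",
                               PREFIX + "/etc/raddb/certs/")
    print(block, "unquoted:", unquoted_strings(block))
```

The realm check is deliberately stricter than `filter_username` alone: the policy rejects the obvious junk, but a value that will be used as a file name and a command-line argument should additionally be restricted to DNS hostname syntax before it leaves unlang, and `home_server_file` re-checks the resulting path so the two guards do not depend on each other.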