Issue with dynamic home servers in 3.2.3
James Wood
james.wood at purplewifi.com
Thu Aug 10 11:38:29 UTC 2023
I am trying to add OpenRoaming support via dynamic DNS lookups to
FreeRADIUS 3.2.3.
The doc at freeradius-server-3.2.3/doc/configuration/dynamic_home_servers.md
states that you need to do the following:
1. Enable the control socket
2. Enable dynamic = true and set the directory = ${raddb}/home_servers/ in
proxy.conf
3. Ensure the /mods-config/realm/freeradius-naptr-to-home-server.sh is
present in order to perform real-time DNS lookups for unknown realms.
So far so good.
The doc gives an example of what to use inside the authorize {} block. Here
is my config (I added "aaa+auth:radius.tls.tcp" as the script's third
parameter):
if (User-Name =~ /@(.*)$/) {
    switch "%{home_server_dynamic:%{1}}" {
        case "1" {
            # Proxy to this one particular home server
            update control {
                &Home-Server-Name := "%{1}"
            }
        }
        case "0" {
            # Proxy with home server pool, failover, etc.
            update control {
                &Proxy-To-Realm := "%{1}"
            }
        }
        case {
            # no home server exists, ask DNS
            update control {
                # you can add a parameter for the NAPTR tag to look up,
                # e.g. "aaa+auth:radius.tls.tcp" (RFC7585, OpenRoaming)
                # if the third parameter is omitted, it defaults to
                # "x-eduroam:radius.tls"
                &Temp-Home-Server-String := `%{config:confdir}/mods-config/realm/freeradius-naptr-to-home-server.sh -d %{config:confdir} %{1} aaa+auth:radius.tls.tcp`
            }
            if ("%{control:Temp-Home-Server-String}" == "" ) {
                update control {
                    &Home-Server-Name := "%{1}"
                }
            } else {
                reject
            }
        }
    }
}
When testing this, I can see that it is performing the DNS lookup and
adding a dynamic home server to the home_servers folder, but it still fails
and doesn't actually proxy the request to the dynamically discovered server:
(0) if (User-Name =~ /@(.*)$/) {
(0) if (User-Name =~ /@(.*)$/) -> TRUE
(0) if (User-Name =~ /@(.*)$/) {
(0) switch %{home_server_dynamic:%{1}} {
(0) EXPAND %{home_server_dynamic:%{1}}
(0) -->
(0) case {
(0) update control {
(0) Executing:
%{config:confdir}/mods-config/realm/freeradius-naptr-to-home-server.sh -d
%{config:confdir} %{1} aaa+auth:radius.tls.tcp:
(0) EXPAND confdir
(0) --> confdir
(0) EXPAND
%{config:confdir}/mods-config/realm/freeradius-naptr-to-home-server.sh
(0) -->
/usr/local/etc/raddb/mods-config/realm/freeradius-naptr-to-home-server.sh
(0) EXPAND confdir
(0) --> confdir
(0) EXPAND %{config:confdir}
(0) --> /usr/local/etc/raddb
(0) EXPAND %{1}
(0) --> openroaming.goog
Waking up in 0.3 seconds.
... new connection request on command socket
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Waking up in 0.2 seconds.
radmin> add home_server file
/usr/local/etc/raddb/home_servers/openroaming.goog
including configuration file
/usr/local/etc/raddb/home_servers/openroaming.goog
including configuration file /usr/local/etc/raddb/home_servers/tls.conf
home_server openroaming.goog {
nonblock = no
ipaddr = radsec.openroaming.goog IPv4 address [146.148.44.172]
port = 2083
type = "auth"
secret = <<< secret >>>
response_window = 30.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 300
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
recv_coa {
}
}
Waking up in 0.1 seconds.
... shutting down socket command file
/usr/local/var/run/radiusd/radiusd.sock
... cleaning up socket command file /usr/local/var/run/radiusd/radiusd.sock
Waking up in 0.1 seconds.
(0) Program returned code (0) and output ''
(0) &Temp-Home-Server-String :=
(0) } # update control = noop
(0) if ("%{control:Temp-Home-Server-String}" == "" ) {
(0) if ("%{control:Temp-Home-Server-String}" == "" ) -> TRUE
(0) if ("%{control:Temp-Home-Server-String}" == "" ) {
(0) [reject] = reject
(0) } # if ("%{control:Temp-Home-Server-String}" == "" ) =
reject
(0) } # case = reject
(0) } # switch %{home_server_dynamic:%{1}} = reject
(0) } # if (User-Name =~ /@(.*)$/) = reject
It seems that if ("%{control:Temp-Home-Server-String}" == "" ) { is the
offending line. Even though the naptr script succeeds and returns code 0,
it's marking it as failed.
So, I reversed the if statement so I could at least test further:
if ("%{control:Temp-Home-Server-String}" == "" ) {
    update control {
        &Home-Server-Name := "%{1}"
    }
} else {
    reject
}
I now get the following:
(0) if ("%{control:Temp-Home-Server-String}" == "" ) {
(0) if ("%{control:Temp-Home-Server-String}" == "" ) -> TRUE
(0) if ("%{control:Temp-Home-Server-String}" == "" ) {
(0) update control {
(0) EXPAND %{1}
(0) --> openroaming.goog
(0) &Home-Server-Name := openroaming.goog
(0) } # update control = noop
(0) } # if ("%{control:Temp-Home-Server-String}" == "" ) = noop
(0) ... skipping else: Preceding "if" was taken
(0) } # case = noop
(0) } # switch %{home_server_dynamic:%{1}} = noop
(0) } # if (User-Name =~ /@(.*)$/) = noop
(0) Proxying due to Home-Server-Name
(0) There was no response configured: rejecting request
Any thoughts on this?
P.S. I think there is a bug in the freeradius-naptr-to-home-server.sh
script, because it doesn't add the lines "secret" and "type" when it
dynamically generates the home_server block. I had to modify it to add
these lines in, else the radmin command failed to dynamically load it.
Thanks
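As an added example, and not code from this post or from the FreeRADIUS project (it is not the project's freeradius-naptr-to-home-server.sh), here is a small POSIX shell equivalent of what such a script has to do for the P.S. above: pick the RFC 7585 NAPTR record for the requested service tag, pick the SRV target, and emit a home_server block that already contains the "type" and "secret" lines. It assumes the generated file can $INCLUDE a tls.conf sitting in the same home_servers/ directory (as the debug output above suggests), uses the RFC 7585 defaults of secret "radsec" and port 2083, handles only "s"-flagged NAPTR records, and the DNS answers in the demo are constructed, not real lookups.

```shell
#!/bin/sh
# Added example, not the FreeRADIUS project's freeradius-naptr-to-home-server.sh:
# select the RFC 7585 NAPTR record for a realm, pick the SRV target, and
# render a home_server block that carries the "type" and "secret" lines the
# server needs before "radmin add home_server file" will accept it.

# pick_naptr TAG  (NAPTR answers on stdin, in `dig +short NAPTR` form:
#   order pref "flags" "service" "regexp" replacement.)
# Keeps "s"-flagged records whose service tag equals TAG, orders them by
# order then preference, and prints the winning replacement (the SRV owner
# name) without its trailing dot. "a"-flagged records (direct A/AAAA
# targets) are deliberately skipped in this example.
pick_naptr() {
    awk -v tag="$1" '
        { for (i = 1; i <= NF; i++) gsub(/"/, "", $i) }   # strip quotes per field
        NF >= 6 && tolower($3) == "s" && $4 == tag {
            sub(/\.$/, "", $6)
            print $1, $2, $6
        }' | sort -k1,1n -k2,2n | awk 'NR == 1 { print $3 }'
}

# pick_srv  (SRV answers on stdin: priority weight port target.)
# Lowest priority wins; among equal priorities the highest weight is taken,
# a deterministic stand-in for RFC 2782 weighted selection. Prints "host port".
pick_srv() {
    sort -k1,1n -k2,2nr | awk 'NR == 1 { sub(/\.$/, "", $4); print $4, $3 }'
}

# render_home_server REALM HOST [PORT]
# Assumption: the TLS settings live in home_servers/tls.conf next to the
# generated file; a relative $INCLUDE resolves against the including file.
# "radsec" and 2083 are the RFC 7585 defaults for RADIUS/TLS.
render_home_server() {
    cat <<EOF
home_server $1 {
    type = auth
    ipaddr = $2
    port = ${3:-2083}
    proto = tcp
    secret = radsec
    status_check = none
    \$INCLUDE tls.conf
}
EOF
}

# naptr_to_home_server REALM [TAG]: live lookups with dig (needs network;
# the offline demo below exercises the same selection logic on canned data).
naptr_to_home_server() {
    realm=$1
    tag=${2:-x-eduroam:radius.tls}
    srv=$(dig +short NAPTR "$realm" | pick_naptr "$tag")
    [ -n "$srv" ] || { echo "no NAPTR $tag record for $realm" >&2; return 1; }
    set -- $(dig +short SRV "$srv" | pick_srv)
    [ -n "$1" ] || { echo "no SRV record for $srv" >&2; return 1; }
    render_home_server "$realm" "$1" "$2"
}

# Constructed sample answers (not real DNS data): the lower-preference
# aaa+auth record and the lower-priority SRV target should win.
SAMPLE_NAPTR='50 10 "s" "x-eduroam:radius.tls" "" _radsec._tcp.example.net.
100 20 "s" "aaa+auth:radius.tls.tcp" "" _radiustls._tcp.backup.example.net.
100 10 "s" "aaa+auth:radius.tls.tcp" "" _radiustls._tcp.example.net.'
SAMPLE_SRV='10 10 2083 radsec-backup.example.net.
0 10 2083 radsec.example.net.'

# demo: offline end-to-end run over the canned answers.
demo() {
    srv=$(printf '%s\n' "$SAMPLE_NAPTR" | pick_naptr aaa+auth:radius.tls.tcp)
    set -- $(printf '%s\n' "$SAMPLE_SRV" | pick_srv)
    render_home_server example.net "$1" "$2"
}

# With arguments: live lookup (REALM [TAG]); without: print the offline demo.
if [ $# -gt 0 ]; then naptr_to_home_server "$@"; else demo; fi
```

To use it the way the unlang above expects, the output would be written to ${raddb}/home_servers/<realm> and then loaded with the same "radmin add home_server file" call shown in the debug output; the point of the example is that the block it writes already has type and secret, so that step does not fail.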