Issue with dynamic home servers in 3.2.3
Alan DeKok
aland at deployingradius.com
Thu Aug 10 14:21:58 UTC 2023
On Aug 10, 2023, at 7:38 AM, James Wood via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> I am trying to add OpenRoaming support via dynamic DNS lookups to
> FreeRADIUS 3.2.3
>
> As per the doc
> at freeradius-server-3.2.3/doc/configuration/dynamic_home_servers.md it
> states you need to do the following:
>
> 1. Enable the control socket
> 2. Enable dynamic = true and set the directory = ${raddb}/home_servers/ in
> proxy.conf
> 3. Ensure the /mods-config/realm/freeradius-naptr-to-home-server.sh is
> present in order to perform real-time DNS lookups for unknown realms.
>
> So far so good.
That's good.
> The doc gives an example of what to use inside the authorize {} block. Here
> is my config (added the "aaa+auth:radius.tls.tcp" to the script's third
> parameter...
...
> When testing this, I can see that it is performing the DNS lookup and
> adding a dynamic home server to the home_servers folder, but it still fails
> and doesn't actually proxy the request to the dynamically discovered server:
Hmm... most things seem to be OK.
> %{config:confdir}/mods-config/realm/freeradius-naptr-to-home-server.sh
> (0) -->
> /usr/local/etc/raddb/mods-config/realm/freeradius-naptr-to-home-server.sh
> (0) EXPAND confdir
> (0) --> confdir
> (0) EXPAND %{config:confdir}
> (0) --> /usr/local/etc/raddb
> (0) EXPAND %{1}
> (0) --> openroaming.goog
> Waking up in 0.3 seconds.
> ... new connection request on command socket
It's running the script, that's good.
> Listening on command file /usr/local/var/run/radiusd/radiusd.sock
> Waking up in 0.2 seconds.
> radmin> add home_server file
> /usr/local/etc/raddb/home_servers/openroaming.goog
> including configuration file
> /usr/local/etc/raddb/home_servers/openroaming.goog
> including configuration file /usr/local/etc/raddb/home_servers/tls.conf
> home_server openroaming.goog {
It's adding the home server. That's good.
>
> (0) Program returned code (0) and output ''
>
> (0) &Temp-Home-Server-String :=
> (0) } # update control = noop
> (0) if ("%{control:Temp-Home-Server-String}" == "" ) {
> (0) if ("%{control:Temp-Home-Server-String}" == "" ) -> TRUE
> (0) if ("%{control:Temp-Home-Server-String}" == "" ) {
> (0) [reject] = reject
> (0) } # if ("%{control:Temp-Home-Server-String}" == "" ) =
> reject
So the script isn't returning anything.
> (0) } # case = reject
> (0) } # switch %{home_server_dynamic:%{1}} = reject
> (0) } # if (User-Name =~ /@(.*)$/) = reject
>
> It seems if ("%{control:Temp-Home-Server-String}" == "" ) { is the
> offending line. Even though the naptr script succeeds and returns a code 0,
> it's marking it as failed.
No... it's marked as not returning anything.
Edit the script to add a line at the end:
echo $1
And it should work.
> So, I reversed the if statement so I could at least test further:
> ..
> (0) Proxying due to Home-Server-Name
> (0) There was no response configured: rejecting request
It should be proxying to the home server. I'm not sure what's going wrong here. I'll have to dig into it in more detail.
> Any thoughts on this?
>
> P.S. I think there is a bug in the freeradius-naptr-to-home-server.sh
> script, because it doesn't add the lines "secret" and "type" when it
> dynamically generates the home_server block. I had to modify it to add
> these lines in, else the radmin command failed to dynamically load it.
Those lines are in the "tls.conf" file. You don't need to add them to the "home_server" block, as the "$INCLUDE tls.conf" will automatically add them.
Alan DeKok.
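The point of the reply above is that the unlang check keys off the script's stdout: whatever the NAPTR script prints becomes Temp-Home-Server-String, and an empty string is treated as "no home server found" and rejected, no matter what exit code the script returned. The following POSIX shell script is an added illustration of that contract, written for this discussion; it is not the FreeRADIUS project's freeradius-naptr-to-home-server.sh. It assumes the caller already resolved the target host and port (a real script would get them from the NAPTR/SRV lookup, which is omitted here so the example runs offline), uses `ipaddr` and `port` as the home_server attributes, and follows the reply in leaving `secret` and `type` to the `$INCLUDE tls.conf` line rather than writing them into the generated block.

```shell
#!/bin/sh
# Added example, not the FreeRADIUS project's script.
# Writes a dynamic home_server file in the shape shown in the thread and
# prints the server name on stdout, which is what the unlang
#   if ("%{control:Temp-Home-Server-String}" == "") { reject }
# check needs to see. The exit code alone is not enough.

# write_home_server REALM OUTDIR HOST PORT
#   REALM  - the realm taken from User-Name (%{1} in the thread)
#   OUTDIR - the proxy.conf "directory", e.g. ${raddb}/home_servers
#   HOST, PORT - assumed to be already resolved by the caller (constructed
#                inputs here; a real script would derive them from NAPTR/SRV)
write_home_server() {
    realm="$1"; outdir="$2"; host="$3"; port="$4"

    # The realm becomes both a file name and a config section name, so only
    # accept plain DNS-style labels: no empty value, no path separators, no
    # leading dot, no "..". Anything else yields no output, i.e. a reject.
    case "$realm" in
        ''|*[!A-Za-z0-9.-]*|.*|*..*) return 1 ;;
    esac

    file="$outdir/$realm"
    # "\$INCLUDE" is escaped so the shell does not expand it; the home_server
    # block must carry the literal $INCLUDE for radiusd. Per the reply,
    # secret and type live in tls.conf, so they are not repeated here.
    cat > "$file" <<EOF
home_server $realm {
    ipaddr = $host
    port = $port
    \$INCLUDE tls.conf
}
EOF
    [ -s "$file" ] || return 1

    # The line the reply says to add at the end of the script ("echo $1"):
    # stdout is what the caller stores in Temp-Home-Server-String.
    echo "$realm"
}

# lookup_or_reject REALM OUTDIR HOST PORT
# Mirrors the decision the unlang in the thread makes: an empty result from
# the script means "reject", a non-empty one means the request can be proxied.
lookup_or_reject() {
    name=$(write_home_server "$@") || name=""
    if [ -z "$name" ]; then
        echo reject
    else
        echo ok
    fi
}

# Stand-alone usage (constructed values): writes ./home_servers/openroaming.goog
# and prints "openroaming.goog".
if [ "${0##*/}" = "naptr_example.sh" ]; then
    mkdir -p ./home_servers
    write_home_server openroaming.goog ./home_servers idp.example.net 2083
fi
```

With the `echo` in place the generated file still has to parse under `radmin> add home_server file ...`, which is why the block only carries what tls.conf does not already provide; if the `$INCLUDE` line is dropped or the realm check is relaxed, the radmin load is the first thing that fails.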