Issue with dynamic home servers in 3.2.3

James Wood james.wood at purplewifi.com
Thu Aug 10 16:38:14 UTC 2023


Thanks. I've included the tls.conf now and as you say it now sets the
secret and type dynamically.

So I'm now left with the same end issue (it's not using the just added home
server to proxy the request out to):

... new connection request on TCP socket
Listening on auth+acct from client (209.206.59.19, 49510) -> (*, 2083, virtual-server=default)
Waking up in 0.8 seconds.
(0) (TLS) Initiating new session
(0) (TLS) Handshake state - before SSL initialization
(0) (TLS) Handshake state - Server before SSL initialization
(0) (TLS) Handshake state - Server before SSL initialization
(0) (TLS) recv TLS 1.3 Handshake, ClientHello
(0) (TLS) Handshake state - Server SSLv3/TLS read client hello
(0) (TLS) send TLS 1.2 Handshake, ServerHello
(0) (TLS) Handshake state - Server SSLv3/TLS write server hello
(0) (TLS) send TLS 1.2 Handshake, Certificate
(0) (TLS) Handshake state - Server SSLv3/TLS write certificate
(0) (TLS) send TLS 1.2 Handshake, ServerKeyExchange
(0) (TLS) Handshake state - Server SSLv3/TLS write key exchange
(0) (TLS) send TLS 1.2 Handshake, ServerHelloDone
(0) (TLS) Handshake state - Server SSLv3/TLS write server done
(0) (TLS) Server : Need to read more data: SSLv3/TLS write server done
(0) (TLS) In Handshake Phase
Waking up in 0.7 seconds.
(0) (TLS) Handshake state - Server SSLv3/TLS write server done
(0) (TLS) recv TLS 1.2 Handshake, ClientKeyExchange
(0) (TLS) Handshake state - Server SSLv3/TLS read client key exchange
(0) (TLS) Handshake state - Server SSLv3/TLS read change cipher spec
(0) (TLS) recv TLS 1.2 Handshake, Finished
(0) (TLS) Handshake state - Server SSLv3/TLS read finished
(0) (TLS) send TLS 1.2 ChangeCipherSpec
(0) (TLS) Handshake state - Server SSLv3/TLS write change cipher spec
(0) (TLS) send TLS 1.2 Handshake, Finished
(0) (TLS) Handshake state - Server SSLv3/TLS write finished
(0) (TLS) Handshake state - SSL negotiation finished successfully
(0) (TLS) Connection Established
(0)   TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES256-GCM-SHA384"
(0)   TLS-Session-Version = "TLS 1.2"
Waking up in 0.7 seconds.
(0) (TLS): Access-Request packet from host 209.206.59.19 port 49510, id=15, length=442
Threads: total/active/spare threads = 2/0/2
Thread 2 got semaphore
Thread 2 handling request 0, (1 handled so far)
(0) Received Access-Request Id 15 from 209.206.59.19:49510 to 0.0.0.0:2083 length 442
(0)   User-Name = "anonymous at openroaming.goog"
(0)   NAS-IP-Address = 192.168.1.15
(0)   NAS-Identifier = "xx"
(0)   Called-Station-Id = "xx"
(0)   NAS-Port-Type = Wireless-802.11
(0)   Service-Type = Framed-User
(0)   NAS-Port = 1
(0)   Calling-Station-Id = "xx"
(0)   Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 13 / Channel: 64"
(0)   Acct-Session-Id = "37435BC5701BFFFF"
(0)   Acct-Multi-Session-Id = "01E86F90CB69EC74"
(0)   WLAN-Pairwise-Cipher = 1027076
(0)   WLAN-Group-Cipher = 1027076
(0)   WLAN-AKM-Suite = 1027073
(0)   Framed-MTU = 1400
(0)   EAP-Message = 0x0282001f01616e6f6e796d6f7573406f70656e726f616d696e672e676f6f67
(0)   HS20-AP-Version = 1
(0)   HS20-Mobile-Device-Version = 0x010000
(0)   HS20-Roaming-Consortium = 0x5a03ba0000
(0)   Message-Authenticator = 0x9db6eae3f189b5ef4add2b2fafc55f00
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0)     [chap] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "openroaming.goog" for User-Name = "anonymous at openroaming.goog"
(0) suffix: Found realm "DEFAULT"
(0) suffix: Adding Realm = "DEFAULT"
(0) suffix: Proxying request from user anonymous at openroaming.goog to realm DEFAULT
(0) suffix: Preparing to proxy authentication request to realm "DEFAULT"
(0)     [suffix] = updated
(0) eap: Request is supposed to be proxied to Realm DEFAULT. Not doing EAP.
(0)     [eap] = noop
(0)     [pap] = noop
(0)   } # authorize = updated

(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0)     [preprocess] = ok
(0)     if (User-Name =~ /@(.*)$/) {
(0)       if (User-Name =~ /@(.*)$/)  -> TRUE
(0)       if (User-Name =~ /@(.*)$/)  {
(0)         switch %{home_server_dynamic:%{1}} {
(0)         EXPAND %{home_server_dynamic:%{1}}
(0)            -->
(0)           case {
(0)             update control {
(0)               Executing: %{config:confdir}/mods-config/realm/freeradius-naptr-to-home-server.sh -d %{config:confdir} %{1} aaa+auth:radius.tls.tcp:
(0)               EXPAND confdir
(0)                  --> confdir
(0)               EXPAND %{config:confdir}/mods-config/realm/freeradius-naptr-to-home-server.sh
(0)                  --> /usr/local/etc/raddb/mods-config/realm/freeradius-naptr-to-home-server.sh
(0)               EXPAND confdir
(0)                  --> confdir
(0)               EXPAND %{config:confdir}
(0)                  --> /usr/local/etc/raddb
(0)               EXPAND %{1}
(0)                  --> openroaming.goog

Waking up in 0.3 seconds.
 ... new connection request on command socket
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Waking up in 0.1 seconds.
radmin> add home_server file /usr/local/etc/raddb/home_servers/openroaming.goog
including configuration file /usr/local/etc/raddb/home_servers/openroaming.goog
including configuration file /usr/local/etc/raddb/home_servers/tls.conf
 home_server openroaming.goog {
        nonblock = no
        ipaddr = radsec.openroaming.goog IPv4 address [146.148.44.172]
        port = 2083
        type = "auth"
        proto = "tcp"
        secret = <<< secret >>>
        response_window = 30.000000
        response_timeouts = 1
        max_outstanding = 65536
        zombie_period = 40
        status_check = "none"
        ping_interval = 30
        check_timeout = 4
        num_answers_to_alive = 3
        revive_interval = 300
  limit {
        max_connections = 16
        max_requests = 0
        lifetime = 0
        idle_timeout = 0
  }
  coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
  }
  recv_coa {
  }
 }
  tls {
        verify_depth = 0
        pem_file_type = yes
        private_key_file = "/usr/local/etc/raddb/certs/my.key"
        certificate_file = "/usr/local/etc/raddb/certs/my.crt"
        ca_file = "/usr/local/etc/raddb/certs/my.ca"
        private_key_password = <<< secret >>>
        fragment_size = 1024
        include_length = yes
        check_crl = no
        ca_path_reload_interval = 0
        ecdh_curve = "prime256v1"
        tls_min_version = "1.2"
  }

(0)               Program returned code (0) and output ''
(0)               &Temp-Home-Server-String :=
(0)             } # update control = noop
(0)             if ("%{control:Temp-Home-Server-String}" == "" ) {
(0)             if ("%{control:Temp-Home-Server-String}" == "" )  -> TRUE
(0)             if ("%{control:Temp-Home-Server-String}" == "" )  {
(0)               update control {
(0)                 EXPAND %{1}
(0)                    --> openroaming.goog
(0)                 &Home-Server-Name := openroaming.goog
(0)               } # update control = noop
(0)             } # if ("%{control:Temp-Home-Server-String}" == "" )  = noop
(0)             ... skipping else: Preceding "if" was taken
(0)           } # case = noop
(0)         } # switch %{home_server_dynamic:%{1}} = noop
(0)       } # if (User-Name =~ /@(.*)$/)  = noop
(0)     [chap] = noop
(0) suffix: Request already has destination realm set.  Ignoring
(0)     [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 130 length 31
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Proxying due to Home-Server-Name
(0) There was no response configured: rejecting request

(0) Using Post-Auth-Type Reject
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> anonymous at openroaming.goog
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0) eap: Request was previously rejected, inserting EAP-Failure
(0) eap: Sending EAP Failure (code 4) ID 130 length 4
(0)     [eap] = updated
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Login incorrect: [anonymous at openroaming.goog/<via Auth-Type = eap>] (from client all port 1 cli xx via TLS tunnel)
(0) Finished internally proxied request.
(0) Login incorrect (Home Server says so): [anonymous at openroaming.goog/<no User-Password attribute>] (from client all port 1 cli xx)
(0) Using Post-Auth-Type Reject
(0) Post-Auth-Type sub-section not found.  Ignoring.
(0) Login incorrect: [anonymous at openroaming.goog/<no User-Password attribute>] (from client all port 1 cli xx)
(0) Sent Access-Reject Id 15 from 0.0.0.0:2083 to 209.206.59.19:49510 length 44
(0)   EAP-Message = 0x04820004
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0) Finished request


with:

(0) Proxying due to Home-Server-Name
(0) There was no response configured: rejecting request

is still the problem.
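For reference, this is what the two files that `radmin> add home_server file` pulled in above look like when reconstructed from the values in the debug dump. It is an added example, not the poster's real files or anything shipped with FreeRADIUS: the split into a per-realm file plus a shared `tls.conf` is read off the two "including configuration file" lines, the file paths and `${certdir}` (which the default radiusd.conf defines as `${confdir}/certs`) are assumptions, and the shared secret, shown as `<<< secret >>>` in the dump, is assumed to be the fixed string "radsec" that RFC 6614 specifies for RadSec.

```conf
# /usr/local/etc/raddb/home_servers/openroaming.goog   (assumed path, taken from the dump)
# One file per dynamically discovered realm.  The hostname is resolved when the
# file is loaded, which is why the dump prints "ipaddr = radsec.openroaming.goog
# IPv4 address [146.148.44.172]".
home_server openroaming.goog {
        ipaddr = radsec.openroaming.goog
        port   = 2083
        proto  = tcp

        # Everything identical for every RadSec peer lives in tls.conf.  Including
        # it inside the block is what makes "type" and "secret" come out set in
        # the dump; without the include they stay at their defaults.
        $INCLUDE tls.conf
}

# /usr/local/etc/raddb/home_servers/tls.conf   (assumed path, taken from the dump)
type   = auth
secret = radsec            # assumption: RFC 6614 mandates this literal for RadSec

tls {
        # Paths are assumptions; the dump shows them under .../raddb/certs/.
        private_key_file     = ${certdir}/my.key
        private_key_password = whatever          # placeholder, shown as <<< secret >>>
        certificate_file     = ${certdir}/my.crt

        # Trust anchor for the OUTBOUND connection: the peer's server certificate
        # must chain to something in this file, so it should hold only the CA(s)
        # that issue certificates for the roaming federation, not a general bundle.
        ca_file              = ${certdir}/my.ca
        check_crl            = no

        # Matches the negotiated parameters in the dump (TLS 1.2, ECDHE on P-256).
        ecdh_curve           = "prime256v1"
        tls_min_version      = "1.2"
}
```

Two things worth checking against the dump when a file like this is loaded: the `home_server` line must appear with the `type` and `secret` you expect (they only show up once `tls.conf` is included inside the block, as the poster found), and the `tls { }` block must name the CA that actually issued the peer's certificate, because that `ca_file` is the only thing standing between this proxy and any host that answers on `radsec.openroaming.goog:2083`.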

