Freeradius Upgrade from 3.0.1 to 3.2.2

Steven Walters steven.walters1 at gmail.com
Wed Feb 22 18:47:42 UTC 2023


Hi

I agree, we should have updated our freeradius a long time ago, but we will
do better going forward.

Just to explain what we are trying to achieve.

Our fixed line customers authenticate with username and password. Our fixed
line customers can have a mobile VAS linked to the fixed line. A customer can
have a single SIM or multiple SIMs linked to the fixed line username on LDAP.

In the case of the mobile service, we receive the MSISDN in the RADIUS access
request. We then look up the username which has the MSISDN linked on LDAP.
If a subscriber name has this MSISDN linked, the RADIUS server will respond
with the username in the Access-Accept. If no match is found it will respond
with an Access-Reject.

When the RADIUS server receives the accounting start for this session it will
have the username of the fixed line service returned in the Access-Accept and
not the MSISDN which was originally in the access request.

So basically, in the case of the mobile VAS, the authentication finds the
username on LDAP which has the MSISDN linked as a VAS, and if no username
has the MSISDN (for example, the customer cancelled the VAS but is still
trying to use the SIM) it will send an Access-Reject. No password checks are
done for the mobile service.

This mobile VAS was implemented before I joined, so there might be a better
alternative to provide the same result.

Kind regards
Steven


On Wed, 22 Feb 2023 at 14:00, <freeradius-users-request at lists.freeradius.org>
wrote:

>
> Today's Topics:
>
>    1. Freeradius Upgrade from 3.0.1 to 3.2.2 (Steven Walters)
>    2. Re: Freeradius Upgrade from 3.0.1 to 3.2.2 (Alan DeKok)
>    3. Some new documentation for "how to make FreeRADIUS do what I
>       want" (Alan DeKok)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 21 Feb 2023 23:47:05 +0200
> From: Steven Walters <steven.walters1 at gmail.com>
> To: freeradius-users at lists.freeradius.org
> Subject: Freeradius Upgrade from 3.0.1 to 3.2.2
> Message-ID:
>         <CALF=EMKe4Ky91x7A2GgAKaQkVv0D+qxjWqFkaTOgzq=
> BvBFA2w at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Hi
>
> I am in the process of upgrading our RADIUS servers but have one issue
> outstanding.
>
> Basically, we receive an MSISDN in the RADIUS request from mobile. We then
> do a lookup to find the username on LDAP matching the MSISDN.
>
> In the old version everything works fine, but after upgrading the RADIUS
> server responds with an Access-Reject even though the MSISDN finds a
> username on LDAP.
>
> Below are extracts from the mobile virtual server file and ldap file.
>
> mobile virtual server:
>
>         #  The ldap module reads passwords from the LDAP database.
>         -ldap-mobile
>         if (!ok) {
>                 reject
>         }
>
> ldap:
>
>         user {
>                 #   Where to start searching in the tree for users
>                 base_dn = "${..base_dn}"
>
>                 #  Filter for user objects, should be specific enough
>                 #  to identify a single user object.
>                 #filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>                 #filter = "(mobileradiusCallingStationId=%{Calling-Station-Id})"
>                 filter = "(&(mobileradiusCallingStationId=%{Calling-Station-Id})(status=10100))"
>         }
>
> Below is debug from version 3.0.1
>
> rlm_ldap (ldap-mobile): Reserved connection (11)
> (9) ldap-mobile :       expand: "(&(mobileradiusCallingStationId=%{Calling-Station-Id})(status=10100))" -> '(&(mobileradiusCallingStationId=27671946862)(status=10100))'
> (9) ldap-mobile :       expand: "cn=radius,ou=isp" -> 'cn=radius,ou=isp'
> (9) ldap-mobile : Performing search in 'cn=radius,ou=isp' with filter '(&(mobileradiusCallingStationId=27671946862)(status=10100))'
> (9) ldap-mobile : Waiting for search result...
> (9) ldap-mobile : User object found at DN "uid=onyebilanma at telkomsa.net,cn=radius,ou=isp"
> (9) ldap-mobile : Processing user attributes
> (9) ldap-mobile :               reply:User-Name := 'onyebilanma at telkomsa.net'
> (9) ldap-mobile :               control:User-Name := 'onyebilanma at telkomsa.net'
> rlm_ldap (ldap-mobile): Released connection (11)
> rlm_ldap (ldap-mobile): Opening additional connection (12)
> rlm_ldap (ldap-mobile): Connecting to 10.146.46.133:389
> TLSMC: MozNSS compatibility interception begins.
> tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
> tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
> TLSMC: MozNSS compatibility interception ends.
> rlm_ldap (ldap-mobile): Waiting for bind result...
> rlm_ldap (ldap-mobile): Bind successful
> (9)   [-ldap-mobile] = ok
> (9)   ? if (!ok)
> (9)   ? if (!ok)  -> FALSE
> (9)  } #  authorize = ok
> (9) Found Auth-Type = Accept
> (9) Auth-Type = Accept, accepting the user
> (9) Login OK: [27671946862] (from client 105.187.248.220 port 0 cli 27671946862)
> (9) # Executing section post-auth from file /etc/raddb/sites-enabled/mobile
> (9)   post-auth {
> (9)   [exec] = noop
> (9)   remove_reply_message_if_eap remove_reply_message_if_eap {
> (9)    ? if (reply:EAP-Message && reply:Reply-Message)
> (9)    ? if (reply:EAP-Message && reply:Reply-Message)  -> FALSE
> (9)    else else {
> (9)     [noop] = noop
> (9)    } # else else = noop
> (9)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
> (9)   update reply {
> (9)             Acct-Interim-Interval = 14400
> (9)   } # update reply = noop
> (9)  } #  post-auth = noop
> Sending Access-Accept of id 134 from 10.146.44.71 port 1812 to 105.187.248.220 port 4017
>         User-Name = 'onyebilanma at telkomsa.net'
>         Acct-Interim-Interval = 14400
>
> Below is debug from version 3.2.2
>
> rlm_ldap (ldap-mobile): Reserved connection (2)
> (5) ldap-mobile: EXPAND (&(mobileradiusCallingStationId=%{Calling-Station-Id})(status=10100))
> (5) ldap-mobile:    --> (&(mobileradiusCallingStationId=27659066168)(status=10100))
> (5) ldap-mobile: Performing search in "cn=radius,ou=isp" with filter "(&(mobileradiusCallingStationId=27659066168)(status=10100))", scope "sub"
> (5) ldap-mobile: Waiting for search result...
> (5) ldap-mobile: User object found at DN "uid=ahmed.elhefnawy at telkomsa.net,cn=radius,ou=isp"
> (5) ldap-mobile: Processing user attributes
> (5) ldap-mobile: reply:User-Name := 'ahmed.elhefnawy at telkomsa.net'
> (5) ldap-mobile: control:User-Name := 'ahmed.elhefnawy at telkomsa.net'
> rlm_ldap (ldap-mobile): Released connection (2)
> Need 4 more connections to reach min connections (8)
> Need more connections to reach 16 spares
> rlm_ldap (ldap-mobile): Opening additional connection (9), 1 of 28 pending slots used
> rlm_ldap (ldap-mobile): Connecting to ldap://10.146.46.133:389
> rlm_ldap (ldap-mobile): Waiting for bind result...
> rlm_ldap (ldap-mobile): Bind successful
> (5)     [ldap-mobile] = updated
> (5)     if (!ok) {
> (5)     if (!ok)  -> TRUE
> (5)     if (!ok)  {
> (5)       [reject] = reject
> (5)     } # if (!ok)  = reject
> (5)   } # authorize = reject
> (5) Invalid user: [27659066168] (from client 105.187.248.220 port 0 cli 27659066168)
> (5) Using Post-Auth-Type Reject
> (5) # Executing group from file /etc/raddb/sites-enabled/mobile
> (5)   Post-Auth-Type REJECT {
> (5)     policy remove_reply_message_if_eap {
> (5)       if (&reply:EAP-Message && &reply:Reply-Message) {
> (5)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> (5)       else {
> (5)         [noop] = noop
> (5)       } # else = noop
> (5)     } # policy remove_reply_message_if_eap = noop
> (5)   } # Post-Auth-Type REJECT = noop
> (5) Login incorrect: [27659066168] (from client 105.187.248.220 port 0 cli 27659066168)
> (5) Delaying response for 2.000000 seconds
>
> Any advice would be appreciated?
>
> Regards
> Steven
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 21 Feb 2023 17:47:47 -0500
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Freeradius Upgrade from 3.0.1 to 3.2.2
> Message-ID: <407E5AF6-AD76-468D-97CD-1D5858D63AC1 at deployingradius.com>
> Content-Type: text/plain;       charset=us-ascii
>
> On Feb 21, 2023, at 4:47 PM, Steven Walters <steven.walters1 at gmail.com>
> wrote:
> > Below is debug from version 3.0.1
>
>   To be honest... 3.0.1 is about ten years old.  We're not going to worry
> a lot about compatibility with every little piece of it.
>
>   Plus, there have been many bug fixes since then, including security
> fixes.  If you don't like people attacking your RADIUS server, it should
> have been updated regularly.
> > ...
> > Below is debug from version 3.2.2
> > ...
> > (5)     [ldap-mobile] = updated
> > (5)     if (!ok) {
>
>   Change that to:
>
>         if (!ok || !updated) {
>                 ...
>
>   and it will work.
>
> > Any advice would be appreciated?
>
>   Upgrade regularly.
>
>   Plus, it helps to explain *why* you have this configuration.  You
> generally don't have to explicitly reject users who don't have passwords.
> The server will do this automatically.
>
>   So you don't need a "if not found in LDAP, reject" configuration.  Just
> check LDAP.  If the user isn't found, they won't have a password read from
> LDAP.  And the server won't be able to authenticate them.
>
>   Alan DeKok.
>
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 21 Feb 2023 17:58:56 -0500
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Some new documentation for "how to make FreeRADIUS do what I
>         want"
> Message-ID: <98543E7C-E533-4DBC-9D27-09E9E9261717 at deployingradius.com>
> Content-Type: text/plain;       charset=us-ascii
>
>   We've been busy working on v4, including making sure that every aspect
> of the server is extensively documented.
>
>
>   I've just written a document on "policies".  But it's really "how do I
> get this software to do what I want, without going crazy".
>
>
> https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/antora/modules/reference/pages/policy/index.adoc
>
>   It gives a detailed guide to the methods used to create FreeRADIUS
> configurations.
>
>   There's also a document on why FreeRADIUS is so complex to configure:
>
>
> https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/antora/modules/reference/pages/policy/different.adoc
>
>   This should help to explain why we can't just have a shiny button which
> says "do what I want".  The configuration is much, much, more complex than
> that.
>
>   v4 also has complete documentation for each unlang keyword:
> https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/antora/modules/reference/pages/unlang/index.adoc
>
>   This documentation applies to v4, but it's _mostly_ compatible with v3.
> Where there are changes from v3, the documentation explains it.
>
>   Hopefully this helps.  We're not just wishing that v4 comes out one
> day.  We're actively working on it.
>
>   Alan DeKok.
>
>
>
> ------------------------------
>
>
> ------------------------------
>
> End of Freeradius-Users Digest, Vol 214, Issue 21
> *************************************************
>


-- 
Warm Regards

Steven Walters
0814287179

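The configuration below is an added example for the thread above; it is not the poster's file and not code from the FreeRADIUS project. It shows the mobile virtual server's authorize section and the matching rlm_ldap user filter written to run on 3.2.x. The module name ldap-mobile, the LDAP attribute mobileradiusCallingStationId, the base DN cn=radius,ou=isp and the status=10100 term come from the thread; the MSISDN regex, the Reply-Message text and the reading of status=10100 as "active VAS entry" are assumptions. Two points a practitioner would want beyond what the thread states: the only thing authenticating a mobile session here is Calling-Station-Id, an attribute asserted by the NAS, so the request should be sanity-checked before it is used as a lookup key; and the condition must reject only when the lookup returned neither ok nor updated (the 3.2.2 trace shows rlm_ldap returning updated because it set User-Name from the entry), whereas a condition such as `!ok || !updated` is true for every rcode, since an rcode can't be both, and would keep rejecting.

```unlang
#  Added example: mobile virtual server authorize section plus the rlm_ldap
#  "user" filter, for FreeRADIUS 3.2.x.  Not the poster's original file.

#  --- /etc/raddb/sites-enabled/mobile ---------------------------------------
authorize {
        preprocess

        #  A mobile request is identified only by Calling-Station-Id, which
        #  the NAS asserts and which is never checked against a password.
        #  Require it to be present and to look like an MSISDN (regex is an
        #  assumption) before it is used as a lookup key.
        if (!&Calling-Station-Id || (&Calling-Station-Id !~ /^[0-9]{9,15}$/)) {
                update reply {
                        &Reply-Message := "Missing or malformed MSISDN"
                }
                reject
        }

        #  rlm_ldap returns "updated" when it found the user and set
        #  attributes (here User-Name from the LDAP entry), "ok" when it
        #  found the user but set nothing, and "notfound" or "fail"
        #  otherwise.  The original "if (!ok)" treated "updated" as a
        #  failure.  Reject only when the lookup produced neither.
        -ldap-mobile
        if (!ok && !updated) {
                reject
        }

        #  The MSISDN is linked to a fixed line username and there is no
        #  password for the mobile service, so accept explicitly.  reply:
        #  User-Name now holds the LDAP username, which (as the poster
        #  describes) the NAS sends in the Accounting-Request for this session.
        update control {
                &Auth-Type := Accept
        }
}

#  --- /etc/raddb/mods-enabled/ldap-mobile (user section only) ---------------
user {
        base_dn = "cn=radius,ou=isp"

        #  rlm_ldap escapes the expanded Calling-Station-Id before placing
        #  it in the filter, so LDAP filter metacharacters in the attribute
        #  can't alter the search.  status=10100 is assumed to mark active
        #  VAS entries, so a cancelled VAS yields "notfound" and a reject.
        filter = "(&(mobileradiusCallingStationId=%{Calling-Station-Id})(status=10100))"
}
```

With this in place, run `radiusd -X` and confirm that the 3.2.2 trace reads `[ldap-mobile] = updated` followed by `if (!ok && !updated) -> FALSE` and `Auth-Type = Accept`; a request whose MSISDN has no active entry should show `[ldap-mobile] = notfound` and be rejected before any Auth-Type is set.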