Freeradius Upgrade from 3.0.1 to 3.2.2

Steven Walters steven.walters1 at gmail.com
Thu Feb 23 16:17:52 UTC 2023


Thanks for the response. It resolved my issue. I was however getting an
authentication not found error which I fixed by making a slight adjustment
because we don't check password for mobile:

        -ldap-mobile
        if (notfound) {
                reject
        }
        else {
                accept
        }

On Thu, 23 Feb 2023 at 14:00, <freeradius-users-request at lists.freeradius.org>
wrote:

> Send Freeradius-Users mailing list submissions to
>         freeradius-users at lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
>         freeradius-users-request at lists.freeradius.org
>
> You can reach the person managing the list at
>         freeradius-users-owner at lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
>    1. Freeradius Upgrade from 3.0.1 to 3.2.2 (Steven Walters)
>    2. Re: Freeradius Upgrade from 3.0.1 to 3.2.2 (Alan DeKok)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 22 Feb 2023 20:47:42 +0200
> From: Steven Walters <steven.walters1 at gmail.com>
> To: freeradius-users at lists.freeradius.org
> Subject: Freeradius Upgrade from 3.0.1 to 3.2.2
> Message-ID:
>         <CALF=EMJUde0_Y=XEOENp5Ro3a3PJFnF5fYCx-=UOdSOb5aGKzA at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Hi
>
> I agree, we should have updated our freeradius a long time ago, but we will
> do better going forward.
>
> Just to explain what we are trying to achieve.
>
> Our fixed line customers authenticate with username and password. Our fixed
> line customers can have a mobile VAS linked to fixed line. Customer can
> have single SIM or multiple SIM linked to fixed line username on LDAP.
>
> In the case of mobile service, we receive the MSISDN in the radius access
> request. We then lookup the username which has the MSISDN linked on LDAP.
> If subscriber name has this MSISDN linked, the radius will respond with the
> username in the access-accept. If no match is found it will respond with
> access-reject.
>
> When the radius receives the accounting start for this session it will have
> the username of the fixed line service returned in the access-accept and
> not the MSISDN which was originally in the access request.
>
> So basically, in the case of the mobile VAS, the authentication finds the
> username on LDAP which has the MSISDN linked as a VAS and if no username
> has the MSISDN (for example customer cancelled the VAS but is still trying
> to use the SIM) it will send an access reject. No password checks are done
> for mobile service.
>
> This mobile VAS was implemented before I joined so there might be better
> alternative to provide the same result.
>
> Kind regards
> Steven
>
>
> On Wed, 22 Feb 2023 at 14:00, <freeradius-users-request at lists.freeradius.org>
> wrote:
>
> >
> > Today's Topics:
> >
> >    1. Freeradius Upgrade from 3.0.1 to 3.2.2 (Steven Walters)
> >    2. Re: Freeradius Upgrade from 3.0.1 to 3.2.2 (Alan DeKok)
> >    3. Some new documentation for "how to make FreeRADIUS do what I
> >       want" (Alan DeKok)
> >
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Tue, 21 Feb 2023 23:47:05 +0200
> > From: Steven Walters <steven.walters1 at gmail.com>
> > To: freeradius-users at lists.freeradius.org
> > Subject: Freeradius Upgrade from 3.0.1 to 3.2.2
> > Message-ID:
> >         <CALF=EMKe4Ky91x7A2GgAKaQkVv0D+qxjWqFkaTOgzq=BvBFA2w at mail.gmail.com>
> > Content-Type: text/plain; charset="UTF-8"
> >
> > Hi
> >
> > I am in the process of upgrading our radius servers but have one issue
> > outstanding.
> >
> > Basically we receive in the radius request from mobile a MSISDN. We then go
> > do a lookup to find the username on LDAP matching the MSISDN.
> >
> > In the old version everything works fine but after upgrading the radius
> > responds with access rejection even though MSISDN finds a username on LDAP.
> >
> > Below are extracts from the mobile virtual server file and ldap file.
> >
> > mobile virtual server:
> >
> >         #  The ldap module reads passwords from the LDAP database.
> >         -ldap-mobile
> >         if (!ok) {
> >                 reject
> >
> > ldap:
> >
> >         user {
> >                 #   Where to start searching in the tree for users
> >                 base_dn = "${..base_dn}"
> >
> >                 #  Filter for user objects, should be specific enough
> >                 #  to identify a single user object.
> >                 #filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
> >                 #filter = "(mobileradiusCallingStationId=%{Calling-Station-Id})"
> >                 filter = "(&(mobileradiusCallingStationId=%{Calling-Station-Id})(status=10100))"
> >
> > Below is debug from version 3.0.1
> >
> > rlm_ldap (ldap-mobile): Reserved connection (11)
> > (9) ldap-mobile :       expand: "(&(mobileradiusCallingStationId=%{Calling-Station-Id})(status=10100))" -> '(&(mobileradiusCallingStationId=27671946862)(status=10100))'
> > (9) ldap-mobile :       expand: "cn=radius,ou=isp" -> 'cn=radius,ou=isp'
> > (9) ldap-mobile : Performing search in 'cn=radius,ou=isp' with filter
> > '(&(mobileradiusCallingStationId=27671946862)(status=10100))'
> > (9) ldap-mobile : Waiting for search result...
> > (9) ldap-mobile : User object found at DN "uid=onyebilanma at telkomsa.net,cn=radius,ou=isp"
> > (9) ldap-mobile : Processing user attributes
> > (9) ldap-mobile :               reply:User-Name := 'onyebilanma at telkomsa.net'
> > (9) ldap-mobile :               control:User-Name := 'onyebilanma at telkomsa.net'
> > rlm_ldap (ldap-mobile): Released connection (11)
> > rlm_ldap (ldap-mobile): Opening additional connection (12)
> > rlm_ldap (ldap-mobile): Connecting to 10.146.46.133:389
> > TLSMC: MozNSS compatibility interception begins.
> > tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is
> > present.
> > tlsmc_intercept_initialization: INFO: successfully intercepted TLS
> > initialization. Continuing with OpenSSL only.
> > TLSMC: MozNSS compatibility interception ends.
> > rlm_ldap (ldap-mobile): Waiting for bind result...
> > rlm_ldap (ldap-mobile): Bind successful
> > (9)   [-ldap-mobile] = ok
> > (9)   ? if (!ok)
> > (9)   ? if (!ok)  -> FALSE
> > (9)  } #  authorize = ok
> > (9) Found Auth-Type = Accept
> > (9) Auth-Type = Accept, accepting the user
> > (9) Login OK: [27671946862] (from client 105.187.248.220 port 0 cli
> > 27671946862)
> > (9) # Executing section post-auth from file /etc/raddb/sites-enabled/mobile
> > (9)   post-auth {
> > (9)   [exec] = noop
> > (9)   remove_reply_message_if_eap remove_reply_message_if_eap {
> > (9)    ? if (reply:EAP-Message && reply:Reply-Message)
> > (9)    ? if (reply:EAP-Message && reply:Reply-Message)  -> FALSE
> > (9)    else else {
> > (9)     [noop] = noop
> > (9)    } # else else = noop
> > (9)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
> > (9)   update reply {
> > (9)             Acct-Interim-Interval = 14400
> > (9)   } # update reply = noop
> > (9)  } #  post-auth = noop
> > Sending Access-Accept of id 134 from 10.146.44.71 port 1812 to
> > 105.187.248.220 port 4017
> >         User-Name = 'onyebilanma at telkomsa.net'
> >         Acct-Interim-Interval = 14400
> >
> > Below is debug from version 3.2.2
> >
> > rlm_ldap (ldap-mobile): Reserved connection (2)
> > (5) ldap-mobile: EXPAND
> > (&(mobileradiusCallingStationId=%{Calling-Station-Id})(status=10100))
> > (5) ldap-mobile:    -->
> > (&(mobileradiusCallingStationId=27659066168)(status=10100))
> > (5) ldap-mobile: Performing search in "cn=radius,ou=isp" with filter
> > "(&(mobileradiusCallingStationId=27659066168)(status=10100))", scope "sub"
> > (5) ldap-mobile: Waiting for search result...
> > (5) ldap-mobile: User object found at DN "uid=ahmed.elhefnawy at telkomsa.net,cn=radius,ou=isp"
> > (5) ldap-mobile: Processing user attributes
> > (5) ldap-mobile: reply:User-Name := 'ahmed.elhefnawy at telkomsa.net'
> > (5) ldap-mobile: control:User-Name := 'ahmed.elhefnawy at telkomsa.net'
> > rlm_ldap (ldap-mobile): Released connection (2)
> > Need 4 more connections to reach min connections (8)
> > Need more connections to reach 16 spares
> > rlm_ldap (ldap-mobile): Opening additional connection (9), 1 of 28 pending slots used
> > rlm_ldap (ldap-mobile): Connecting to ldap://10.146.46.133:389
> > rlm_ldap (ldap-mobile): Waiting for bind result...
> > rlm_ldap (ldap-mobile): Bind successful
> > (5)     [ldap-mobile] = updated
> > (5)     if (!ok) {
> > (5)     if (!ok)  -> TRUE
> > (5)     if (!ok)  {
> > (5)       [reject] = reject
> > (5)     } # if (!ok)  = reject
> > (5)   } # authorize = reject
> > (5) Invalid user: [27659066168] (from client 105.187.248.220 port 0 cli
> > 27659066168)
> > (5) Using Post-Auth-Type Reject
> > (5) # Executing group from file /etc/raddb/sites-enabled/mobile
> > (5)   Post-Auth-Type REJECT {
> > (5)     policy remove_reply_message_if_eap {
> > (5)       if (&reply:EAP-Message && &reply:Reply-Message) {
> > (5)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> > (5)       else {
> > (5)         [noop] = noop
> > (5)       } # else = noop
> > (5)     } # policy remove_reply_message_if_eap = noop
> > (5)   } # Post-Auth-Type REJECT = noop
> > (5) Login incorrect: [27659066168] (from client 105.187.248.220 port 0 cli 27659066168)
> > (5) Delaying response for 2.000000 seconds
> >
> > Any advice would be appreciated.
> >
> > Regards
> > Steven
> >
> >
> > ------------------------------
> >
> > Message: 2
> > Date: Tue, 21 Feb 2023 17:47:47 -0500
> > From: Alan DeKok <aland at deployingradius.com>
> > To: FreeRadius users mailing list
> >         <freeradius-users at lists.freeradius.org>
> > Subject: Re: Freeradius Upgrade from 3.0.1 to 3.2.2
> > Message-ID: <407E5AF6-AD76-468D-97CD-1D5858D63AC1 at deployingradius.com>
> > Content-Type: text/plain;       charset=us-ascii
> >
> > On Feb 21, 2023, at 4:47 PM, Steven Walters <steven.walters1 at gmail.com>
> > wrote:
> > > Below is debug from version 3.0.1
> >
> >   To be honest... 3.0.1 is about ten years old.  We're not going to worry
> > a lot about compatibility with every little piece of it.
> >
> >   Plus, there have been many bug fixes since then, including security
> > fixes.  If you don't like people attacking your RADIUS server, it should
> > have been updated regularly.
> > > ...
> > > Below is debug from version 3.2.2
> > > ...
> > > (5)     [ldap-mobile] = updated
> > > (5)     if (!ok) {
> >
> >   Change that to:
> >
> >         if (!ok || !updated) {
> >                 ...
> >
> >   and it will work.
> >
> > > Any advice would be appreciated.
> >
> >   Upgrade regularly.
> >
> >   Plus, it helps to explain *why* you have this configuration.  You
> > generally don't have to explicitly reject users who don't have passwords.
> > The server will do this automatically.
> >
> >   So you don't need a "if not found in LDAP, reject" configuration.  Just
> > check LDAP.  If the user isn't found, they won't have a password read from
> > LDAP.  And the server won't be able to authenticate them.
> >
> >   Alan DeKok.
> >
> >
> >
> > ------------------------------
> >
> > Message: 3
> > Date: Tue, 21 Feb 2023 17:58:56 -0500
> > From: Alan DeKok <aland at deployingradius.com>
> > To: FreeRadius users mailing list
> >         <freeradius-users at lists.freeradius.org>
> > Subject: Some new documentation for "how to make FreeRADIUS do what I
> >         want"
> > Message-ID: <98543E7C-E533-4DBC-9D27-09E9E9261717 at deployingradius.com>
> > Content-Type: text/plain;       charset=us-ascii
> >
> >   We've been busy working on v4, including making sure that every aspect
> > of the server is extensively documented.
> >
> >
> >   I've just written a document on "policies".  But it's really "how do I
> > get this software to do what I want, without going crazy".
> >
> >
> > https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/antora/modules/reference/pages/policy/index.adoc
> >
> >   It gives a detailed guide to the methods used to create FreeRADIUS
> > configurations.
> >
> >   There's also a document on why FreeRADIUS is so complex to configure:
> >
> >
> > https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/antora/modules/reference/pages/policy/different.adoc
> >
> >   This should help to explain why we can't just have a shiny button which
> > says "do what I want".  The configuration is much, much, more complex than
> > that.
> >
> >   v4 also has complete documentation for each unlang keyword:
> >
> > https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/antora/modules/reference/pages/unlang/index.adoc
> >
> >   This documentation applies to v4, but it's _mostly_ compatible with v3.
> > Where there are changes from v3, the documentation explains it.
> >
> >   Hopefully this helps.  We're not just wishing that v4 comes out one
> > day.  We're actively working on it.
> >
> >   Alan DeKok.
> >
> >
> >
> > ------------------------------
> >
> > Subject: Digest Footer
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
> >
> > ------------------------------
> >
> > End of Freeradius-Users Digest, Vol 214, Issue 21
> > *************************************************
> >
>
>
> --
> Warm Regards
>
> Steven Walters
> 0814287179
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 22 Feb 2023 14:11:54 -0500
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Freeradius Upgrade from 3.0.1 to 3.2.2
> Message-ID: <AB4430D0-F05B-4484-B471-C38C4F07572B at deployingradius.com>
> Content-Type: text/plain;       charset=us-ascii
>
> On Feb 22, 2023, at 1:47 PM, Steven Walters <steven.walters1 at gmail.com>
> wrote:
> > Our fixed line customers authenticate with username and password. Our fixed
> > line customers can have a mobile VAS linked to fixed line. Customer can
> > have single SIM or multiple SIM linked to fixed line username on LDAP.
> >
> > In the case of mobile service, we receive the MSISDN in the radius access
> > request. We then lookup the username which has the MSISDN linked on LDAP.
> > If subscriber name has this MSISDN linked, the radius will respond with the
> > username in the access-accept. If no match is found it will respond with
> > access-reject.
>
>   OK.  So "if not found in LDAP, reject".  Luckily, the ldap module will
> return "notfound", which is a bit better indication than "!ok" or
> "!updated".
>
>         ldap
>         if (notfound) {
>                 reject
>         }
>
>
> > When the radius receives the accounting start for this session it will have
> > the username of the fixed line service returned in the access-accept and
> > not the MSISDN which was originally in the access request.
>
>   That makes sense.
>
> > So basically, in the case of the mobile VAS, the authentication finds the
> > username on LDAP which has the MSISDN linked as a VAS and if no username
> > has the MSISDN (for example customer cancelled the VAS but is still trying
> > to use the SIM) it will send an access reject. No password checks are done
> > for mobile service.
> >
> > This mobile VAS was implemented before I joined so there might be better
> > alternative to provide the same result.
>
>   The "notfound" return code is the best indication of "not found".
>
>   Alan DeKok.
>
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
> ------------------------------
>
> End of Freeradius-Users Digest, Vol 214, Issue 22
> *************************************************
>


-- 
Warm Regards

Steven Walters
0814287179
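
The lookup-then-reject pattern this thread settles on, written out as a full authorize section for the mobile virtual server. This is an added example, not Steven's or Alan's configuration; the ldap-mobile module instance, the Calling-Station-Id filter and the "no password check" rule come from the thread, while the file location, the bare (undashed) module call and the explicit Auth-Type Accept are assumptions.

```unlang
# Added example, assumed to sit in /etc/raddb/sites-enabled/mobile
# (the listen section is omitted and configured as usual).
server mobile {
    authorize {
        # Look the MSISDN (Calling-Station-Id) up via the ldap-mobile
        # module instance, whose user filter matches
        # mobileradiusCallingStationId. The call is deliberately not
        # prefixed with "-": with "-ldap-mobile" a missing or unloaded
        # module instance is skipped silently, and with no lookup the
        # "notfound" test below can never fire. A bare call makes the
        # missing instance a startup error instead.
        ldap-mobile

        # Test the module's own return code rather than "!ok". In 3.2.2
        # a successful lookup that sets reply/control attributes returns
        # "updated", which is why "if (!ok)" rejected valid subscribers
        # after the upgrade. "notfound" means exactly one thing: no user
        # object has this MSISDN linked (e.g. the VAS was cancelled but
        # the SIM is still being used).
        if (notfound) {
            reject
        }

        # A "fail" return (LDAP unreachable, bind failure) stops the
        # authorize section under the default actions and the request
        # is rejected, so an LDAP outage does not become an accept.

        # The lookup succeeded and no password is checked for the mobile
        # service, so accept explicitly. The fixed-line User-Name that
        # the module copied into the reply list is sent back in the
        # Access-Accept and is what shows up in accounting.
        update control {
            &Auth-Type := Accept
        }
    }
}
```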

