Multiple questions about the way FreeRADIUS works

florentvercourt at gmail.com
Thu Mar 30 16:42:15 UTC 2023


Hello everyone,

 

I want to thank you in advance for taking the time to help me, as well as
apologize if I ask bogus questions or questions that have already been
answered.

I’ve been trying to implement a FreeRADIUS service inside of a University
for the past 3 months, and I’ve read as much documentation as possible (books:
FreeRADIUS Beginner's Guide and Authentication réseau avec RADIUS, all
resources on freeradius <https://wiki.freeradius.org/Home> and
networkradius <https://networkradius.com/doc/3.0.10/index.html>) before
asking questions.

I’m implementing the 802.1X protocol on our wired network using EAP-TTLS/PAP
for communications between supplicants and our RADIUS server.

We’re using LDAP as our main user store, and a file with the “rlm_files”
module for devices which don’t support EAP.

My RADIUS infrastructure is composed as follows: I have 2 VMs running
FreeRADIUS version 3.2.1.

I have several questions:

 

I- Session-State:

1. What is the purpose of the “State” attribute defined in RFC2865 (I
read it but don’t fully understand the purpose of this attribute), and is
it linked in any way to the “Session-State” list? Also, is there any
documentation about the “Session-State” list?
2. Are attributes stored in the “Session-State” list automatically
retrieved when a new request comes in and added to the “Request” list?
3. Do attributes stored in the “Session-State” list persist between all
packets of a conversation (from the first Access-Request to the
Access-Accept/Reject), and does the same “Session-State” list still exist
for the accounting, or is it reinitialized once an Access-Accept/Reject has
been sent?

II- Attributes:

I would like to have some information about those attributes to know what
they are supposed to store and how they are supposed to be used:

1) “Session-Type”: What does it refer to?

2) “Allow-Session-Resumption”: Is this attribute set
to “Yes” by default, or does it have to be added somewhere, and what is the
difference from “EAP-Session-Resumed”?

3) “Cached-Session-Policy”: For applying a policy to the
cache, do I have to store the file path to the policy, or just the name of
the policy that I want to apply?

4) “SSHA2-256-Password”: my passwords are stored in my LDAP
with a salt and a ‘sha256’ hash; will they be stored in
“Password-With-Header” or also in “SSHA2-256-Password”?

5) EAP:

a. EAP-Session-Id: Is this value set automatically, and if the value of
this attribute is set, will the ID of the EAP session be the same?
b. What is the difference between EAP-Id and EAP-Session-Id?

6) TLS:

a. TLS-Cache-Method: Does the value of this attribute trigger
instantiation of the “rlm_cache” module defined inside the “tls-cache”
virtual server?
b. TLS-Session-Data: Can I retrieve data from this attribute, or does
it exist simply to store data that passes through my TLS tunnel?
c. TLS-Cache-Filename: What is the difference between this attribute
and “Cached-Session-Policy”?

 

 

III- TLS:

1. When we set ‘virtual_server = "inner-tunnel"’ inside the
“rlm_eap” module, is it just that the “rlm_eap” module knows when the TLS
tunnel is set up and then uses this server for the inner exchange, or is it
considered as a proxy to the inner-tunnel server from the default server?

IV- Cache:

Because we’re a university I want to implement fast resumption of
sessions: I want to cache live sessions for a duration of 6 hours, so if a
user doesn’t re-authenticate during this period it will have to perform a
complete re-authentication.

1. Does the cache section inside the “rlm_eap” module automatically
store (“session-Id”, “User-Name”, “Stripped-User-Name”,
“Cached-Session-Policy”), and how can the session be resumed from this entry?
2. What is the difference between the “rlm_cache” module and the
“session-state” list in the persistence of the information stored?

 

 

V- Log:

1. I use the “cui” attribute as follows to have a unique identifier for
a user inside of my TTLS tunnel (I know the attribute is originally designed
to serve as an alias identifier of the username identity according to
RFC 4372):

“%{sha1:${policy.cui_hash_key}%{request:Stripped-User-Name}%{request:Operator-Name}%{request:User-Password}}”,
with “policy.cui_hash_key” being a salt added to the hash.

2. In order to retrieve my cached session, I plan to use “CUI” as my
key; is there a better way to do so?
3. Once a device has been granted access to the network and once it
retrieves an IP address, will the IP address be included in the
accounting packets?

VI- Load of the server:

1. Is there a way to know the live load of a RADIUS server as a
‘String expansion’ to decide whether or not to proxy the request to another
RADIUS server (I don’t know if the parameter max_requests is designed for
this purpose)?
2. To do load-balancing between my VMs, is it possible natively with
FreeRADIUS or do I have to use an external load-balancer?

 

 

VII- Home server:

I have the following “proxy.conf” file:

 

proxy server {
        default_fallback = no
        dynamic = no
}

home_server localhost {
        type = auth
        ipaddr = 127.0.0.1
        port = 1812
        proto = udp
        secret = << secret >>
        response_window = 20
        zombie_period = 40
        status_check = status-server
        check_interval = 10
        check_timeout = 4
        num_answers_to_alive = 3
        max_outstanding = 65536
}

home_server ru-freeradius-as2 {
        type = auth
        ipaddr = 10.101.0.10
        port = 1812
        proto = udp
        secret = << secret >>
        response_window = 20
        zombie_period = 40
        status_check = status-server
        check_interval = 10
        check_timeout = 4
        num_answers_to_alive = 3
        max_outstanding = 32268
}

home_server_pool my_auth_failover {
        type = fail-over
        home_server = localhost
        home_server = ru-freeradius-as2
        virtual_server = pre_post_proxy_for_pool
}

realm my.realm {
        auth_pool = my_auth_failover
}

 

 

If I use the “suffix” instance of the “rlm_realm” module in the
configuration of the “default” server in the ‘authorize’ section, and the
given “User-Name” is ‘user at my.realm’:

1. Will my request be passed through the ‘my_auth_failover’ pool,
and so be proxied to the ‘home_server localhost’ server, and set
“Proxy-To-Realm = LOCAL”? Is the server to which the request is being proxied
the ‘default’ server?

 

 

Again, 

Thank you for reading this long message with many questions, and for your
help!

 

I really appreciate it.

 

Florent VERCOURT
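The CUI derivation in section V hashes the salt, Stripped-User-Name, Operator-Name and User-Password with the sha1 expansion, and section V.2 plans to use the result as the cache key. The following is an added example; it is not part of Florent's message and not FreeRADIUS code. It reproduces that expansion in Python over constructed sample requests so the derived key can be checked for the properties that matter once it is used as a cache key across the two VMs in the fail-over pool: the key only matches on both servers if policy.cui_hash_key is identical on both, a switch that omits Operator-Name yields a different key for the same user, and a password change invalidates every entry keyed on the old value. It assumes that %{request:Attr} for an attribute absent from the request expands to an empty string and that the sha1 xlat returns the digest as lowercase hex; the salt and request values are made up.

```python
import hashlib

# Constructed sample salt standing in for ${policy.cui_hash_key}; the real
# value lives in the server's policy configuration and is not in the message.
CUI_HASH_KEY = "constructed-example-salt"


def xlat_attr(request: dict, name: str) -> str:
    """Stand-in for %{request:Name}. Assumption: in FreeRADIUS v3 a reference
    to an attribute that is not in the list expands to the empty string rather
    than failing, so a missing attribute silently drops out of the hash input."""
    return request.get(name, "")


def derive_cui(request: dict, hash_key: str = CUI_HASH_KEY) -> str:
    """Equivalent of
    %{sha1:${policy.cui_hash_key}%{request:Stripped-User-Name}%{request:Operator-Name}%{request:User-Password}}
    Assumption: the sha1 xlat returns the digest as lowercase hex."""
    material = (
        hash_key
        + xlat_attr(request, "Stripped-User-Name")
        + xlat_attr(request, "Operator-Name")
        + xlat_attr(request, "User-Password")
    )
    return hashlib.sha1(material.encode("utf-8")).hexdigest()


# Constructed inner-tunnel requests (EAP-TTLS/PAP, so User-Password is in
# clear inside the tunnel). All values are made up for this example.
REQ_SWITCH_A = {
    "Stripped-User-Name": "jdoe",
    "Operator-Name": "1example.edu",
    "User-Password": "correct horse battery staple",
}
# Same user, but from a switch that does not send Operator-Name.
REQ_SWITCH_NO_OPERATOR = {
    "Stripped-User-Name": "jdoe",
    "User-Password": "correct horse battery staple",
}
# Same user after a password change.
REQ_AFTER_PASSWORD_CHANGE = {
    "Stripped-User-Name": "jdoe",
    "Operator-Name": "1example.edu",
    "User-Password": "a different password",
}


def cache_key_matches(req_a: dict, req_b: dict,
                      key_a: str = CUI_HASH_KEY,
                      key_b: str = CUI_HASH_KEY) -> bool:
    """True when both requests, possibly handled by two different servers
    with their own policy.cui_hash_key, derive the same cache key."""
    return derive_cui(req_a, key_a) == derive_cui(req_b, key_b)


def inputs_are_complete(request: dict) -> bool:
    """Check that every attribute the expansion reads is present and
    non-empty, so the identifier really covers user, operator and password."""
    needed = ("Stripped-User-Name", "Operator-Name", "User-Password")
    return all(request.get(name) for name in needed)


if __name__ == "__main__":
    print("CUI, switch A:                    ", derive_cui(REQ_SWITCH_A))
    print("CUI, switch without Operator-Name:", derive_cui(REQ_SWITCH_NO_OPERATOR))
    print("key matches across two VMs with different salts:",
          cache_key_matches(REQ_SWITCH_A, REQ_SWITCH_A, "salt-vm1", "salt-vm2"))
    print("key matches after password change:",
          cache_key_matches(REQ_SWITCH_A, REQ_AFTER_PASSWORD_CHANGE))
    print("switch A request complete:", inputs_are_complete(REQ_SWITCH_A))
    print("no-operator request complete:", inputs_are_complete(REQ_SWITCH_NO_OPERATOR))
```

Running the script shows the same user producing two different keys depending on whether the switch sent Operator-Name, and no key match at all when the two VMs hold different salts, which is the case to check before relying on the CUI for cache lookups in a fail-over pool.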


