Multiple questions about the way FreeRADIUS works

Alan DeKok aland at deployingradius.com
Thu Mar 30 22:29:30 UTC 2023 

On Mar 31, 2023, at 1:42 AM, florentvercourt at gmail.com wrote:
> I’ve been trying to implement a FreeRADIUS service inside of a University
> for the past 3 months, I’ve read as much documentation as possible (books :
> FreeRADIUS Beginner guide and Authentication réseau avec RADIUS, all
> resources on freeradius <https://wiki.freeradius.org/Home>  and
> networkradius <https://networkradius.com/doc/3.0.10/index.html> ) before
> asking questions.

  That's good.

> I have several questions:

  Before I answer these, I'll suggest that many of these questions are for subjects which you don't need to understand.  It's OK to understand them, but it's not required that you understand them in order to use RADIUS.

  i.e. The "State' attribute allows for various RADIUS magic.  It's handled automatically by FreeRADIUS and by the NAS.   It exists, and it does what it's supposed to do.  But as a RADIUS administrator, you never need to look at the State attribute.

  Some of the questions also ask about random dictionary attributes.  There are ~8000 attributes, and most of them can be ignored.  Most of the attributes are for specific vendors, and the only documentation that exists for them is on the vendors web sites.

  So there are a whole lot of things in protocols which are needed for the protocol to work.  People writing the software need to understand those subjects.  People using the software don't need to understand those subjects.

  Generally if there's something weird / unusual and undocumented in FreeRADIUS, it's because you don't need to know anything about it.  It's fine for you to understand how that thing works, but you will never use that information when configuring FreeRADIUS.

> 
> 
> I-                   Session-State :
> 
> 1.	What is the purpose of the “State” attribute defined in RFC2865 (I
> read it but doesn’t fully understand the purpose of this attribute), and is
> it linked in any way to the “Session-State” list? Also, Is there any
> documentation about the “Session-State” list?

  The State attribute is RADIUS magic.  That's really it.

  The session-state list is just another list like "request" or "reply".  Except that the session-state list is saved across multiple Access-Request / Access-Challenge sequences.

> 2.	Are attributes stored in “Session-State” list automatically
> retrieved when a new request is incoming and added to the “Request” list?

  No, the remain in the session-state list.

> 3.	Does attributes stored in “Session-State” list persist between all
> packets of a conversation (from the first Access-request to the
> Access-Accept/Reject),

  Yes.

> and does the same “Session-State” list still exist
> for the accounting,

  No.

> 1)                  “Session-Type”: What does it refer?

  You can ignore it.  It's not used in the default configuration.

> 2)                  “Allow-Session-Resumption”: Does this attribute is set
> to “Yes” by default,

  No.

> or does it have to be added somewhere,

  Yes.  It goes into the "control" list.

> and what is the
> difference with “EAP-Session-Resumed”?

  Allow-Session-Resumption controls whether or not 
  

> 3)                  “Cached-Session-Policy”: For applying a policy to the
> cache, do I have to store the file path to the policy, or just the name of
> the policy that I want to apply? 

  It's the name of a policy.

> 4)                  “SSHA2-256-Password”: my passwords are stored in my LDAP
> with a salt and a ‘sha256’ hash, does it will be stored in
> “Password-With-Header” or also in “SSHA2-256-Password” ?

  It depends on how you configured the LDAP module.  By default, passwords are put into Password-With-HEader.

> 
> 
> 5)                  EAP :
> 
> a.	EAP-Session-Id : Does this value is set automatically the value of
> this attribute the ID of the EAP-Session will be the same,

   I don't know what that means.

  The EAP-Session-ID is set automatically.  You don't need to worry about it.

> b.	What is the difference between EAP-Id and EAP-Session-Id?

  Protocol magic.  You will never need to do anything with either attribute.

> 6)                  TLS :
> 
> a.	TLS-Cache-Method : Does the value of this attribute trigger
> instantiation of the module “rlm_cache” defined inside of “tls-cache”
> virtual server?

  No.  The "cache" module is just a module.  Modules are run only when you configure a virtual server to run a module.

> b.	TLS-Session-Data :  Can I retrieve data from this attribute, or does
> it exist simply to store data that pass through my TLS tunnel?

  It's TLS magic.  You don't need to retrieve data from it, or do anything with it,

> c.	TLS-Cache-Filename : What is the difference between this attribute
> and “Cached-Session-Policy”?

  The names describe what the attributes do.

  One sets a filename where filename where the TLS session is cached.

  The other one allows you to remember a policy for a user session,

> III-              TLS :
> 
> 1.	When we’re setting ‘virtual_server = "inner-tunnel"’ inside of
> module “rlm_eap”, is it just that the module “rlm_eap” knows when the TLS
> tunnel is set up and then for the inner exchange it’ll use this one or is it
> considerate as a proxy to the inner-tunnel server from the default server?

  You don't need to care.

  When an EAP method has "inner" data, the inner data is run through the "inner-tunnel" virtual server.

  If you want to know the details, you can read the source code.  But you will never write a policy which depends on how the EAP module calls "inner-tunnel".

  So I can answer this question, but the answer will be useless to you.

> IV-             Cache :
> 
> Because we’re a university I want to implement the fast resumption of
> sessions, I want to cache living sessions for a duration of 6 hours, so if a
> user doesn’t re-authenticate during this period it will have to perform a
> complete re-authentication.

  Sure., that's a common configuration.

> 1.	Does the cache section inside of the module “rlm_eap”, automatically
> store (“session-Id”, “User-Name”, “Stripped-User-Name”,

  The EAP module configuration has a "store" subsection.  If you want attributes to be cached, list them there,

> “Cached-Session-Policy”), how can the session be resumed from this entry? 

  All attributes associated with a resumed session are added to the session-state list.  The EAP module documentation says this explicitly.

> 2.	What is the difference between module “rlm_cache“ and the
> “session-state” list in the persistence of information stored?

  They do different things.

  The "cache" module is well documented.  It caches things to disk, or memcache, or redis.

  The session-state list tracks RADIUS sessions.

> V-                 Log :
> 
> 1.	I use the “cui” attribute as follows to have a unique identifier for
> a user inside of my TTLS tunnel (I know the attribute is originally designed
> to serve as an alias identifier of the username identity according to
> rfc4372) : 
> 
> “%{sha1:${policy.cui_hash_key}%{request:Stripped-User-Name}%{
> request:Operator-Name}%{request:User-Password}}”, with “policy.cui_hash_key”
> which is a salt added to the hash
> 
> 2.	In order to retrieve my cache session, I plan to use “CUI” as my
> key, is there a better way to do so?

  Retrieve which cached session?

  For TLS session resumption, the server can cache (and retrieve) the TLS data automatically.

  Or, if you use sites-available/tls-cache, that file contains documentation on how it works.

  Hint: the documentation says EXPLICITLY which key you have to use to save / retrieve the cached TLS data.  You can't just make up a key and expect it to work.  The protocols don't work that way.

> 3.	Once a device has been granted access to the network and once it
> retrieves an IP address, does the IP address will be included in the
> accounting packets?

  That's up to the NAS.  Some NASes will do this, other NASes won't.

> VI-             Charge of the server :
> 
> 1.	Is there a way to know the live charge of a radius server as a
> ‘String expansion’ to decide whether or not to proxy the request to another
> radius server (I don’t know if the parameter max_requests is designed for
> this purpose)?

  The "max_requests" configuration item is well documented.  It does what the documentation says, and it's unrelated to home servers.

  You can query the status of a home server by using the string expansion %{home_server:state}

  That will automatically expand to the state (alive / dead / etc.) of the home server which is being used by the current request.

  If you want to query the status of some random home server, you can't do that.  Because you can't do anything with the information.

> 2.	To do load-balancing between my VM’s, is possible natively with
> FreeRADIUS or do I have to use an external load-balancer?

  It's up to you.  The FreeRADIUS documentation shows how to configure it as a proxy.  And the proxy.conf file contains explicit references to load balancing.

> If I use the “suffix” instance of the module ”rlm_realm” in the
> configuration of the “default” server in the ‘authorize’ section, and the
> given “User-Name” is ‘user at my.realm> 
> 1.	Does my request will be passed through the ‘my_auth_failover’ pool,
> and so being proxied to the ‘home_server localhost’ server and set
> “Proxy-To-Realm = LOCAL”. Is this server to which the request is being proxy
> the ‘default’ server? 

  I'm not sure I understand that question.  It's a little confused.

  The short answer is just try it and see.  It costs nothing to start the server and send test packets.

  Alan DeKok.

More information about the Freeradius-Users mailing list