Issue with %{home_server_dynamic:name} dynamic home server and accounting
James Wood
james.wood at purplewifi.com
Mon Jul 15 20:52:29 UTC 2024
Thanks for the patch, but unfortunately it still doesn't detect the newly
added home server:
(0) Received Access-Request Id 23
(0) User-Name = "anonymous@openroaming.goog"
(0) NAS-IP-Address = 192.168.1.116
(0) NAS-Identifier = "E0-CB-BC-8A-1A-6E:vap2"
(0) Called-Station-Id = "EA-CB-BC-8A-1A-6E:OpenRoaming"
(0) NAS-Port-Type = Wireless-802.11
(0) Service-Type = Framed-User
(0) NAS-Port = 1
(0) Calling-Station-Id = "EA-67-EB-42-53-54"
(0) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 24 / Channel: 11"
(0) Acct-Session-Id = "F31127A5FD1096A9"
(0) Acct-Multi-Session-Id = "DF5D82378001D0A8"
(0) WLAN-Pairwise-Cipher = 1027076
(0) WLAN-Group-Cipher = 1027076
(0) WLAN-AKM-Suite = 1027073
(0) Meraki-Ap-Name = "meraki-mr42-test-ap"
(0) Meraki-Ap-Tags = " recently-added "
(0) Meraki-Device-Name = "meraki-mr42-test-ap"
(0) Framed-MTU = 1400
(0) EAP-Message = 0x02d7001f01616e6f6e796d6f7573406f70656e726f616d696e672e676f6f67
(0) HS20-AP-Version = 1
(0) HS20-Mobile-Device-Version = 0x010000
(0) HS20-Roaming-Consortium = 0x5a03ba0000
(0) Message-Authenticator = 0xa19f2c8cbd0ed22319bc5601aea1e902
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) [preprocess] = ok
(0) policy openroaming_lookup {
(0) if (User-Name =~ /@(.*)$/) {
(0) if (User-Name =~ /@(.*)$/) -> TRUE
(0) if (User-Name =~ /@(.*)$/) {
(0) switch %{home_server_dynamic:%{1}} {
(0) EXPAND %{home_server_dynamic:%{1}}
(0) -->
(0) case {
(0) update control {
(0) Executing: %{config:confdir}/mods-config/realm/freeradius-naptr-to-home-server.sh -d %{config:confdir} %{1} aaa+auth:radius.tls.tcp:
(0) EXPAND confdir
(0) --> confdir
(0) EXPAND %{config:confdir}/mods-config/realm/freeradius-naptr-to-home-server.sh
(0) --> /usr/local/etc/raddb/mods-config/realm/freeradius-naptr-to-home-server.sh
(0) EXPAND confdir
(0) --> confdir
(0) EXPAND %{config:confdir}
(0) --> /usr/local/etc/raddb
(0) EXPAND %{1}
(0) --> openroaming.goog
Waking up in 0.3 seconds.
... new connection request on command socket
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Waking up in 0.1 seconds.
radmin> add home_server file /usr/local/etc/raddb/home_servers/openroaming.goog
including configuration file /usr/local/etc/raddb/home_servers/openroaming.goog
including configuration file /usr/local/etc/raddb/home_servers/tls.conf
home_server openroaming.goog {
nonblock = no
ipaddr = radsec.openroaming.goog IPv4 address [146.148.44.172]
port = 2083
type = "auth+acct"
proto = "tcp"
secret = <<< secret >>>
response_window = 30.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 300
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
recv_coa {
}
}
tls {
verify_depth = 0
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/new/wba/x.key"
certificate_file = "/usr/local/etc/raddb/certs/new/wba/x.crt"
ca_file = "/usr/local/etc/raddb/certs/new/wba/x.ca"
private_key_password = <<< secret >>>
fragment_size = 8192
include_length = yes
check_crl = no
cipher_list = "ALL"
ca_path_reload_interval = 0
ecdh_curve = "prime256v1"
tls_max_version = "1.3"
tls_min_version = "1.2"
}
(0) Program returned code (0) and output 'openroaming.goog'
(0) &Temp-Home-Server-String := openroaming.goog
(0) } # update control = noop
(0) if (&control:Temp-Home-Server-String == "" ) {
(0) if (&control:Temp-Home-Server-String == "" ) -> FALSE
(0) else {
(0) update control {
(0) EXPAND %{1}
(0) --> openroaming.goog
(0) &Home-Server-Name := openroaming.goog
(0) } # update control = noop
(0) } # else = noop
(0) } # case = noop
(0) } # switch %{home_server_dynamic:%{1}} = noop
(0) } # if (User-Name =~ /@(.*)$/) = noop
(0) } # policy openroaming_lookup = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "openroaming.goog" for User-Name = "anonymous@openroaming.goog"
(0) suffix: No such realm "openroaming.goog"
(0) [suffix] = noop
(0) [chap] = noop
(0) eap: Peer sent EAP Response (code 2) ID 215 length 31
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Proxying due to Home-Server-Name
(0) WARNING: No such home server openroaming.goog
(0) There was no response configured: rejecting request
(0) Using Post-Auth-Type Reject
(0) Login incorrect: [anonymous@openroaming.goog/<via Auth-Type = eap>]
(0) Sent Access-Reject Id 23
If I restart the server with the dynamic home_server existing (added in
previous request), it finds it but still fails to proxy with the same error
"No such home server openroaming.goog":
Ready to process requests
Thread 4 got semaphore
Thread 4 handling request 1, (1 handled so far)
(1) Received Access-Request Id 47
(1) User-Name = "anonymous@openroaming.goog"
(1) NAS-IP-Address = 192.168.1.116
(1) NAS-Identifier = "E0-CB-BC-8A-1A-6E:vap2"
(1) Called-Station-Id = "EA-CB-AC-8A-1A-6E:OpenRoaming"
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) NAS-Port = 1
(1) Calling-Station-Id = "EA-67-EB-42-53-54"
(1) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 24 / Channel: 40"
(1) Acct-Session-Id = "6B0E19729A2182BD"
(1) Acct-Multi-Session-Id = "50ADAEDCDD91F194"
(1) WLAN-Pairwise-Cipher = 1027076
(1) WLAN-Group-Cipher = 1027076
(1) WLAN-AKM-Suite = 1027073
(1) Meraki-Ap-Name = "meraki-mr42-test-ap"
(1) Meraki-Ap-Tags = " recently-added "
(1) Meraki-Device-Name = "meraki-mr42-test-ap"
(1) Framed-MTU = 1400
(1) EAP-Message = 0x028a001f01616e6f6e796d6f7573406f70656e726f616d696e672e676f6f67
(1) HS20-AP-Version = 1
(1) HS20-Mobile-Device-Version = 0x010000
(1) HS20-Roaming-Consortium = 0x5a03ba0000
(1) Message-Authenticator = 0x47f64e212bc52c41b171fcfa5b5879dc
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1) authorize {
(1) [preprocess] = ok
(1) policy openroaming_lookup {
(1) if (User-Name =~ /@(.*)$/) {
(1) if (User-Name =~ /@(.*)$/) -> TRUE
(1) if (User-Name =~ /@(.*)$/) {
(1) switch %{home_server_dynamic:%{1}} {
(1) EXPAND %{home_server_dynamic:%{1}}
(1) --> 1
(1) case 1 {
(1) update control {
(1) EXPAND %{1}
(1) --> openroaming.goog
(1) &Home-Server-Name := openroaming.goog
(1) } # update control = noop
(1) } # case 1 = noop
(1) } # switch %{home_server_dynamic:%{1}} = noop
(1) } # if (User-Name =~ /@(.*)$/) = noop
(1) } # policy openroaming_lookup = noop
(1) policy username_lookup {
(1) suffix: Checking for suffix after "@"
(1) suffix: Looking up realm "openroaming.goog" for User-Name = "anonymous@openroaming.goog"
(1) suffix: No such realm "openroaming.goog"
(1) [suffix] = noop
(1) [chap] = noop
(1) eap: Peer sent EAP Response (code 2) ID 138 length 31
(1) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(1) [eap] = ok
(1) } # authorize = ok
(1) Proxying due to Home-Server-Name
(1) WARNING: No such home server openroaming.goog
(1) There was no response configured: rejecting request
(1) Using Post-Auth-Type Reject
(1) Login incorrect: [anonymous@openroaming.goog/<via Auth-Type = eap>]
(1) Sent Access-Reject Id 47
On Mon, 15 Jul 2024 at 20:52, Alan DeKok <aland at deployingradius.com> wrote:
> On Jul 15, 2024, at 3:14 PM, James Wood via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> >
> > Unfortunately this breaks it... it now doesn't even find the dynamically
> > added home server for authentication requests:
>
> Please use "radiusd -X". Adding more "-x" doesn't help.
>
> Please try the fix in
> https://github.com/FreeRADIUS/freeradius-server/commit/76e3504728eb6c986d8bc0a35bcc9977c83603c1
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
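The debug output above shows the moving parts of dynamic home-server discovery in FreeRADIUS 3.x: the realm captured from User-Name by `/@(.*)$/` is handed to `freeradius-naptr-to-home-server.sh`, which writes a `home_server` file named after the realm under `home_servers/` and loads it through `radmin add home_server file`. The following is an added example, not the list's code and not the script FreeRADIUS ships, of the same generation step written in Python against constructed NAPTR/SRV answers (no real DNS lookup is made). It assumes the RadSec service tags `aaa+auth:radius.tls.tcp` / `aaa+acct:radius.tls.tcp`, the fixed RadSec secret from RFC 6614, and that the shared TLS settings are pulled in with `$INCLUDE` from the `tls.conf` path seen in the log; the function and sample names are the example's own. Because the realm originates in an unauthenticated request and ends up as a DNS name and a file name, the example validates it against a hostname grammar before anything else happens.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the answers a real NAPTR/SRV lookup would return.
# NAPTR tuples: (order, preference, flags, service, regexp, replacement)
# SRV tuples:   (priority, weight, port, target)
SAMPLE_NAPTR = {
    "openroaming.goog": [
        (10, 10, "S", "aaa+auth:radius.tls.tcp", "", "_radiustls._tcp.openroaming.goog."),
        (20, 10, "S", "aaa+acct:radius.tls.tcp", "", "_radiustls._tcp.openroaming.goog."),
        (30, 10, "S", "aaa+auth:radius.dtls.udp", "", "_radiusdtls._udp.openroaming.goog."),
    ],
}
SAMPLE_SRV = {
    "_radiustls._tcp.openroaming.goog.": [(0, 0, 2083, "radsec.openroaming.goog.")],
}

# Realm grammar: DNS hostname labels only. The realm comes from the unauthenticated
# User-Name, so anything that is not a hostname must not reach DNS, the shell or a
# file name under home_servers/.
REALM_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(?:\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


@dataclass(frozen=True)
class HomeServer:
    name: str      # realm; also the file name under home_servers/
    host: str      # SRV target the TLS connection is made to
    port: int
    hs_type: str   # "auth" or "auth+acct"


def validate_realm(realm: str) -> str:
    """Normalise a realm and reject anything that is not a plain DNS hostname."""
    realm = realm.strip().lower().rstrip(".")
    if len(realm) > 253 or not REALM_RE.match(realm):
        raise ValueError(f"realm is not a valid DNS hostname: {realm!r}")
    return realm


def discover(realm: str, naptr=SAMPLE_NAPTR, srv=SAMPLE_SRV):
    """Select the RadSec-over-TCP NAPTR records for a realm and resolve the auth SRV target.

    Returns a HomeServer, or None when the realm advertises no usable RadSec endpoint.
    """
    realm = validate_realm(realm)
    services = {}
    for order, pref, flags, service, _regexp, replacement in sorted(
        naptr.get(realm, []), key=lambda r: (r[0], r[1])
    ):
        # Only terminal ("S") records for RADIUS over TLS/TCP are considered.
        if flags != "S" or not service.endswith(":radius.tls.tcp"):
            continue
        tag = service.split(":", 1)[0]          # "aaa+auth" or "aaa+acct"
        services.setdefault(tag, replacement)   # best order/preference wins
    if "aaa+auth" not in services:
        return None
    targets = sorted(srv.get(services["aaa+auth"], []), key=lambda s: (s[0], -s[1]))
    if not targets:
        return None
    _prio, _weight, port, target = targets[0]
    # One home_server can carry accounting only if it resolves to the same SRV name;
    # otherwise accounting needs its own definition.
    hs_type = "auth+acct" if services.get("aaa+acct") == services["aaa+auth"] else "auth"
    return HomeServer(name=realm, host=target.rstrip("."), port=port, hs_type=hs_type)


def render_home_server(hs: HomeServer,
                       tls_include: str = "/usr/local/etc/raddb/home_servers/tls.conf") -> str:
    """Render a home_server block in the shape radmin echoed in the debug output."""
    lines = [
        f"home_server {hs.name} {{",
        f"\tipaddr = {hs.host}",
        f"\tport = {hs.port}",
        f"\ttype = {hs.hs_type}",
        "\tproto = tcp",
        "\tsecret = radsec",            # fixed RadSec shared secret (RFC 6614)
        "\tstatus_check = none",
        "\ttls {",
        f"\t\t$INCLUDE {tls_include}",  # assumed location of the shared TLS settings
        "\t}",
        "}",
        "",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    hs = discover("openroaming.goog")
    print(render_home_server(hs))
```

Run stand-alone, it prints the block for `openroaming.goog` with `ipaddr = radsec.openroaming.goog`, `port = 2083` and `type = auth+acct`, matching what radmin reported after the real script ran. A realm such as `../etc` is rejected by `validate_realm` before any file or DNS name is built from it.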