Issue with %{home_server_dynamic:name} dynamic home server and accounting
James Wood
james.wood at purplewifi.com
Tue Jul 16 13:00:19 UTC 2024
I re-patched and it now correctly finds the dynamic home server for both
auth and acct packets - great! (Your two recent commits have worked nicely,
thanks!)
Next issue... despite "Home-Server-Name" being set it is NOT proxying these
and just handles it locally. I don't see any "Proxying due to
Home-Server-Name" in the log for accounting, where I do for authentication:
(1) Received Accounting-Request Id 66
(1) Acct-Status-Type = Start
(1) Acct-Authentic = RADIUS
(1) User-Name = "anonymous at openroaming.goog"
(1) NAS-IP-Address = 192.168.1.116
(1) NAS-Identifier = "E0-CB-BC-8A-1A-6E:vap2"
(1) Called-Station-Id = "EA-CB-AC-8A-1A-6E:OpenRoaming"
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) NAS-Port = 1
(1) Calling-Station-Id = "EA-67-EB-42-53-54"
(1) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 57 / Channel:
40"
(1) Acct-Session-Id = "BDB585FC8CAC8F6C"
(1) WLAN-Pairwise-Cipher = 1027076
(1) WLAN-Group-Cipher = 1027076
(1) WLAN-AKM-Suite = 1027073
(1) Meraki-Device-Name = "meraki-mr42-test-ap"
(1) Framed-IP-Address = 10.94.136.91
(1) Event-Timestamp = "Jul 16 2024 12:41:35 UTC"
(1) Acct-Delay-Time = 0
(1) # Executing section preacct from file
/usr/local/etc/raddb/sites-enabled/default
(1) preacct {
(1) [preprocess] = ok
(1) policy openroaming_lookup {
(1) if (User-Name =~ /@(.*)$/) {
(1) if (User-Name =~ /@(.*)$/) -> TRUE
(1) if (User-Name =~ /@(.*)$/) {
(1) switch %{home_server_dynamic:%{1}} {
(1) EXPAND %{home_server_dynamic:%{1}}
(1) --> 1
(1) case 1 {
(1) update control {
(1) EXPAND %{1}
(1) --> openroaming.goog
(1) &Home-Server-Name := openroaming.goog
(1) } # update control = noop
(1) } # case 1 = noop
(1) } # switch %{home_server_dynamic:%{1}} = noop
(1) } # if (User-Name =~ /@(.*)$/) = noop
(1) } # policy openroaming_lookup = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: Looking up realm "openroaming.goog" for User-Name = "
anonymous at openroaming.goog"
(1) suffix: No such realm "openroaming.goog"
(1) [suffix] = noop
(1) } # preacct = updated
(1) # Executing section accounting from file
/usr/local/etc/raddb/sites-enabled/default
(1) accounting {
(1) attr_filter.accounting_response: EXPAND %{User-Name}
(1) attr_filter.accounting_response: --> anonymous at openroaming.goog
(1) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(1) [attr_filter.accounting_response] = updated
(1) if (noop) {
(1) if (noop) -> FALSE
(1) } # accounting = updated
(1) Sent Accounting-Response Id 66
(1) Finished request
Thread 4 waiting to be assigned a request
(1) Cleaning up request packet ID 66 with timestamp +19 due to timer
Ready to process requests
Is there something I need to set to also proxy accounting packets to
dynamically added home servers?
Thanks
On Mon, 15 Jul 2024 at 21:52, James Wood <james.wood at purplewifi.com> wrote:
> Thanks for the patch, but unfortunately it still doesn't detect the newly
> added home server:
>
> (0) Received Access-Request Id 23
> (0) User-Name = "anonymous at openroaming.goog"
> (0) NAS-IP-Address = 192.168.1.116
> (0) NAS-Identifier = "E0-CB-BC-8A-1A-6E:vap2"
> (0) Called-Station-Id = "EA-CB-BC-8A-1A-6E:OpenRoaming"
> (0) NAS-Port-Type = Wireless-802.11
> (0) Service-Type = Framed-User
> (0) NAS-Port = 1
> (0) Calling-Station-Id = "EA-67-EB-42-53-54"
> (0) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 24 / Channel:
> 11"
> (0) Acct-Session-Id = "F31127A5FD1096A9"
> (0) Acct-Multi-Session-Id = "DF5D82378001D0A8"
> (0) WLAN-Pairwise-Cipher = 1027076
> (0) WLAN-Group-Cipher = 1027076
> (0) WLAN-AKM-Suite = 1027073
> (0) Meraki-Ap-Name = "meraki-mr42-test-ap"
> (0) Meraki-Ap-Tags = " recently-added "
> (0) Meraki-Device-Name = "meraki-mr42-test-ap"
> (0) Framed-MTU = 1400
> (0) EAP-Message =
> 0x02d7001f01616e6f6e796d6f7573406f70656e726f616d696e672e676f6f67
> (0) HS20-AP-Version = 1
> (0) HS20-Mobile-Device-Version = 0x010000
> (0) HS20-Roaming-Consortium = 0x5a03ba0000
> (0) Message-Authenticator = 0xa19f2c8cbd0ed22319bc5601aea1e902
> (0) # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/default
> (0) authorize {
> (0) [preprocess] = ok
> (0) policy openroaming_lookup {
> (0) if (User-Name =~ /@(.*)$/) {
> (0) if (User-Name =~ /@(.*)$/) -> TRUE
> (0) if (User-Name =~ /@(.*)$/) {
> (0) switch %{home_server_dynamic:%{1}} {
> (0) EXPAND %{home_server_dynamic:%{1}}
> (0) -->
> (0) case {
> (0) update control {
> (0) Executing:
> %{config:confdir}/mods-config/realm/freeradius-naptr-to-home-server.sh -d
> %{config:confdir} %{1} aaa+auth:radius.tls.tcp:
> (0) EXPAND confdir
> (0) --> confdir
> (0) EXPAND
> %{config:confdir}/mods-config/realm/freeradius-naptr-to-home-server.sh
> (0) -->
> /usr/local/etc/raddb/mods-config/realm/freeradius-naptr-to-home-server.sh
> (0) EXPAND confdir
> (0) --> confdir
> (0) EXPAND %{config:confdir}
> (0) --> /usr/local/etc/raddb
> (0) EXPAND %{1}
> (0) --> openroaming.goog
> Waking up in 0.3 seconds.
> ... new connection request on command socket
> Listening on command file /usr/local/var/run/radiusd/radiusd.sock
> Waking up in 0.1 seconds.
> radmin> add home_server file /usr/local/etc/raddb/home_servers/
> openroaming.goog
> including configuration file /usr/local/etc/raddb/home_servers/
> openroaming.goog
> including configuration file /usr/local/etc/raddb/home_servers/tls.conf
> home_server openroaming.goog {
> nonblock = no
> ipaddr = radsec.openroaming.goog IPv4 address [146.148.44.172]
> port = 2083
> type = "auth+acct"
> proto = "tcp"
> secret = <<< secret >>>
> response_window = 30.000000
> response_timeouts = 1
> max_outstanding = 65536
> zombie_period = 40
> status_check = "none"
> ping_interval = 30
> check_timeout = 4
> num_answers_to_alive = 3
> revive_interval = 300
> limit {
> max_connections = 16
> max_requests = 0
> lifetime = 0
> idle_timeout = 0
> }
> coa {
> irt = 2
> mrt = 16
> mrc = 5
> mrd = 30
> }
> recv_coa {
> }
> }
> tls {
> verify_depth = 0
> pem_file_type = yes
> private_key_file = "/usr/local/etc/raddb/certs/new/wba/x.key"
> certificate_file = "/usr/local/etc/raddb/certs/new/wba/x.crt"
> ca_file = "/usr/local/etc/raddb/certs/new/wba/x.ca"
> private_key_password = <<< secret >>>
> fragment_size = 8192
> include_length = yes
> check_crl = no
> cipher_list = "ALL"
> ca_path_reload_interval = 0
> ecdh_curve = "prime256v1"
> tls_max_version = "1.3"
> tls_min_version = "1.2"
> }
> (0) Program returned code (0) and output 'openroaming.goog'
> (0) &Temp-Home-Server-String := openroaming.goog
> (0) } # update control = noop
> (0) if (&control:Temp-Home-Server-String == "" ) {
> (0) if (&control:Temp-Home-Server-String == "" ) -> FALSE
> (0) else {
> (0) update control {
> (0) EXPAND %{1}
> (0) --> openroaming.goog
> (0) &Home-Server-Name := openroaming.goog
> (0) } # update control = noop
> (0) } # else = noop
> (0) } # case = noop
> (0) } # switch %{home_server_dynamic:%{1}} = noop
> (0) } # if (User-Name =~ /@(.*)$/) = noop
> (0) } # policy openroaming_lookup = noop
> (0) suffix: Checking for suffix after "@"
> (0) suffix: Looking up realm "openroaming.goog" for User-Name = "
> anonymous at openroaming.goog"
> (0) suffix: No such realm "openroaming.goog"
> (0) [suffix] = noop
> (0) [chap] = noop
> (0) eap: Peer sent EAP Response (code 2) ID 215 length 31
> (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
> rest of authorize
> (0) [eap] = ok
> (0) } # authorize = ok
> (0) Proxying due to Home-Server-Name
> (0) WARNING: No such home server openroaming.goog
> (0) There was no response configured: rejecting request
> (0) Using Post-Auth-Type Reject
> (0) Login incorrect: [anonymous at openroaming.goog/<via Auth-Type = eap>]
> (0) Sent Access-Reject Id 23
>
>
> If I restart the server with the dynamic home_server existing (added in
> previous request), it finds it but still fails to proxy with the same error
> "No such home server openroaming.goog":
>
> Ready to process requests
> Thread 4 got semaphore
> Thread 4 handling request 1, (1 handled so far)
> (1) Received Access-Request Id 47
> (1) User-Name = "anonymous at openroaming.goog"
> (1) NAS-IP-Address = 192.168.1.116
> (1) NAS-Identifier = "E0-CB-BC-8A-1A-6E:vap2"
> (1) Called-Station-Id = "EA-CB-AC-8A-1A-6E:OpenRoaming"
> (1) NAS-Port-Type = Wireless-802.11
> (1) Service-Type = Framed-User
> (1) NAS-Port = 1
> (1) Calling-Station-Id = "EA-67-EB-42-53-54"
> (1) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 24 / Channel:
> 40"
> (1) Acct-Session-Id = "6B0E19729A2182BD"
> (1) Acct-Multi-Session-Id = "50ADAEDCDD91F194"
> (1) WLAN-Pairwise-Cipher = 1027076
> (1) WLAN-Group-Cipher = 1027076
> (1) WLAN-AKM-Suite = 1027073
> (1) Meraki-Ap-Name = "meraki-mr42-test-ap"
> (1) Meraki-Ap-Tags = " recently-added "
> (1) Meraki-Device-Name = "meraki-mr42-test-ap"
> (1) Framed-MTU = 1400
> (1) EAP-Message =
> 0x028a001f01616e6f6e796d6f7573406f70656e726f616d696e672e676f6f67
> (1) HS20-AP-Version = 1
> (1) HS20-Mobile-Device-Version = 0x010000
> (1) HS20-Roaming-Consortium = 0x5a03ba0000
> (1) Message-Authenticator = 0x47f64e212bc52c41b171fcfa5b5879dc
> (1) # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/default
> (1) authorize {
> (1) [preprocess] = ok
> (1) policy openroaming_lookup {
> (1) if (User-Name =~ /@(.*)$/) {
> (1) if (User-Name =~ /@(.*)$/) -> TRUE
> (1) if (User-Name =~ /@(.*)$/) {
> (1) switch %{home_server_dynamic:%{1}} {
> (1) EXPAND %{home_server_dynamic:%{1}}
> (1) --> 1
> (1) case 1 {
> (1) update control {
> (1) EXPAND %{1}
> (1) --> openroaming.goog
> (1) &Home-Server-Name := openroaming.goog
> (1) } # update control = noop
> (1) } # case 1 = noop
> (1) } # switch %{home_server_dynamic:%{1}} = noop
> (1) } # if (User-Name =~ /@(.*)$/) = noop
> (1) } # policy openroaming_lookup = noop
> (1) policy username_lookup {
> (1) suffix: Checking for suffix after "@"
> (1) suffix: Looking up realm "openroaming.goog" for User-Name = "
> anonymous at openroaming.goog"
> (1) suffix: No such realm "openroaming.goog"
> (1) [suffix] = noop
> (1) [chap] = noop
> (1) eap: Peer sent EAP Response (code 2) ID 138 length 31
> (1) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
> rest of authorize
> (1) [eap] = ok
> (1) } # authorize = ok
> (1) Proxying due to Home-Server-Name
> (1) WARNING: No such home server openroaming.goog
> (1) There was no response configured: rejecting request
> (1) Using Post-Auth-Type Reject
> (1) Login incorrect: [anonymous at openroaming.goog/<via Auth-Type = eap>]
> (1) Sent Access-Reject Id 47
>
>
> On Mon, 15 Jul 2024 at 20:52, Alan DeKok <aland at deployingradius.com>
> wrote:
>
>> On Jul 15, 2024, at 3:14 PM, James Wood via Freeradius-Users <
>> freeradius-users at lists.freeradius.org> wrote:
>> >
>> > Unfortunately this breaks it... it now doesn't even find the dynamically
>> > added home server for authentication requests:
>>
>> Please use "radiusd -X". Adding more "-x" doesn't help.
>>
>> Please try the fix in
>> https://github.com/FreeRADIUS/freeradius-server/commit/76e3504728eb6c986d8bc0a35bcc9977c83603c1
>>
>> Alan DeKok.
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
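An added check, not part of this thread or of FreeRADIUS itself: a small parser over constructed `radiusd -X` lines modelled on the traces quoted above. It groups the debug output by request number and flags the two failure modes seen here, a request where `&Home-Server-Name` was assigned but no "Proxying due to Home-Server-Name" decision followed (the accounting symptom), and one where proxying was attempted against a home server that was not loaded.

```python
import re
# Constructed sample modelled on the debug traces quoted in this thread (trimmed, not verbatim).
SAMPLE_LOG = """\
(0) Received Access-Request Id 23
(0) &Home-Server-Name := openroaming.goog
(0) Proxying due to Home-Server-Name
(0) WARNING: No such home server openroaming.goog
(0) Sent Access-Reject Id 23
(1) Received Accounting-Request Id 66
(1) &Home-Server-Name := openroaming.goog
(1) Sent Accounting-Response Id 66
Thread 4 waiting to be assigned a request
"""

LINE_RE = re.compile(r"^\((\d+)\)\s+(.*)$")          # "(N) ..." per-request debug line
RECV_RE = re.compile(r"^Received (\S+) Id \d+")
HSN_RE = re.compile(r"^&Home-Server-Name := (\S+)")
NOHS_RE = re.compile(r"^WARNING: No such home server (\S+)")
PROXY_LINE = "Proxying due to Home-Server-Name"

def parse_trace(text):
    """Group 'radiusd -X' lines by request number and record the proxy-related events."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                     # thread/scheduler chatter carries no (N) prefix
        num, body = int(m.group(1)), m.group(2)
        t = traces.setdefault(num, {"type": "?", "home_server": None,
                                    "proxied": False, "missing": None})
        if (r := RECV_RE.match(body)):
            t["type"] = r.group(1)
        elif (h := HSN_RE.match(body)):
            t["home_server"] = h.group(1)
        elif body == PROXY_LINE:
            t["proxied"] = True
        elif (w := NOHS_RE.match(body)):
            t["missing"] = w.group(1)
    return traces

def find_problems(traces):
    """Return (request, packet type, finding) for the two failure modes seen in the thread."""
    problems = []
    for num, t in sorted(traces.items()):
        if t["home_server"] and not t["proxied"]:
            problems.append((num, t["type"], "Home-Server-Name set but request handled locally"))
        elif t["proxied"] and t["missing"]:
            problems.append((num, t["type"], f"proxy attempted but home server {t['missing']} not loaded"))
    return problems
```

Run it over a full `radiusd -X` capture to see at a glance which request numbers reached the proxy decision and which were answered locally despite the policy having set a home server.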