EAP Fast Reauth fails

deepika parmar parmardeepika9 at gmail.com
Mon Jun 3 15:50:54 UTC 2024


The session-state setting code is added in the EAP-AKA virtual server only, as suggested in the documentation:

server auth-server {
        #
        #  This is a unified configuration example for EAP-SIM, EAP-AKA
        #  and EAP-AKA-Prime.  Many of the sections are identical between
        #  the three EAP methods.
        #
        #  The main differences are between EAP-SIM and EAP-AKA['] where
        #  additional identity processing sections are used.
        #

        namespace = eap-aka


        eap-aka {
            ...
        }

        recv Access-Request {
                filter_username
                ...
        }
        ....

        #  ### `store session { ... }`
        #
        #  If when sending a Reauthentication-Request a `&reply.Next-Reauth-Id`
        #  attribute is found, this section will be called.
        #
        #  You should restore the contents of the following attributes using
        #  `&request.Session-ID` as a key:
        #
        #  - `&session-state.Counter`::         How many times this session has
        #                                       been resumed.
        #  - `&session-state.Session-Data`::    The master session key.
        #  - `&session-state.Permanent-Identity`::(optionally) the permanent
        #                                       identity of the user.
        #
        #  If a failure rcode is returned, authentication continues but the
        #  Next-Reauth-Id will not be sent to the supplicant.
        #
        #  NOTE: The cache module is ideally suited for storing session data.
        #  provide a unified session store.
        store session {
                "%debug_attr(&session-state)"
                ...
        }
}


Thanks,

Deepika



On May 31, 2024, at 4:08 AM, deepika parmar <parmardeepika9 at gmail.com>
wrote:
> Thanks for the reply.
> EAP-AKA authentication is working on the latest master branch.
> I'm using updated syntax for debug statements, but I accidentally sent the
> old statement.
>
> As suggested, I tried adding Tmp-Group-0 attribute to store the Counter,
> however it's failing while starting FreeRADIUS.
> store session {
>                "%debug_attr(&session-state)"
>              &session-state.Tmp-Group-0 := {
>                   &Counter = &Counter
>              }
>                eap_aka_cache
>              ok
> }
  The references to EAP-AKA attributes normally work only inside of
the EAP-AKA virtual server.

  You should move the session-state setting code to the EAP-AKA virtual server.

  Alan DeKok.


On Fri, May 31, 2024 at 1:38 PM deepika parmar <parmardeepika9 at gmail.com>
wrote:

> Thanks for the reply.
> EAP-AKA authentication is working on the latest master branch.
> I'm using updated syntax for debug statements, but I accidentally sent the
> old statement.
>
> As suggested, I tried adding Tmp-Group-0 attribute to store the Counter,
> however it's failing while starting FreeRADIUS.
> store session {
>                 "%debug_attr(&session-state)"
>               &session-state.Tmp-Group-0 := {
>                    &Counter = &Counter
>               }
>                 eap_aka_cache
>               ok
> }
>
> Error is:
> Debug : Compiling policies in - send EAP-Success {...}
> Debug : Compiling policies in - store session {...}
> Error : /usr/local/etc/raddb/sites-enabled/h9-auth-server[1008]: Failed
> parsing attribute reference &Counter - Unresolved attributes are not
> allowed here
> Error : /usr/local/etc/raddb/sites-enabled/h9-auth-server[1008]: &Counter
> Error : /usr/local/etc/raddb/sites-enabled/h9-auth-server[1008]:   ^
> Error : /usr/local/etc/raddb/sites-enabled/h9-auth-server[1008]: Failed
> creating map from '&Counter = &Counter'
>
> Even printing session-state.Counter with
> "%debug_attr(&session-state.Counter)" fails...
>
> Debug : Compiling policies in - store session {...}
> Error : /usr/local/etc/raddb/mods-enabled/eap-cache[18]: Failed parsing
> attribute reference &session-state.Counter - Unresolved attributes are not
> allowed here
> Error : /usr/local/etc/raddb/mods-enabled/eap-cache[18]:
> &session-state.Counter
> Error : /usr/local/etc/raddb/mods-enabled/eap-cache[18]:                 ^
> Error : /usr/local/etc/raddb/mods-enabled/eap-cache[18]: Failed creating
> map from '&session-state.Counter = &session-state.Counter'
> Error : /usr/local/etc/raddb/mods-enabled/eap-cache[1]: Failed parsing
> configuration section update
> Error : /usr/local/etc/raddb/sites-enabled/h9-auth-server[1013]: Invalid
> keyword "eap_aka_cache".
>
> Thanks,
> Deepika
>
> On May 27, 2024, at 2:15 AM, deepika parmar <parmardeepika9 at gmail.com> wrote:
> >        I have configured EAP-AKA virtual-server in FreeRADIUS to
> > perform authentication. I have enabled eap cache so that fast reauth will
> > work and
> > session data will be stored in cache. However during store session I could
> > not restore Counter and hence reauth fails.
>   This is for v4, which is still not quite done.  If it works, great.  If not, please submit patches.
>
> > Logs are:
> > Debug : (0.0)      h9-auth-server - store session {
> > Debug : (0.0)        h9-auth-server - | debug_attr
>   What's wrong with "radiusd -X" as recommended by all
>
> > Store session setting in virtual server:
> >        store session {
> >                "%(debug_attr:&session-state)"
>   You should use a more recent version of v4.  The function syntax has changed to make more sense, and we've fixed a number of other issues,
>
>   Or at least update the configuration to use the new syntax.  At some point the old syntax will cause errors.
>
> > If I add accessing Counter, it fails as follows:
> > &session-state.Counter  := &session-state.Counter
> >
> > Debug : Compiling policies in - store session {...}
> > Error : /usr/local/etc/raddb/mods-enabled/eap-cache[22]: Failed parsing
> > attribute reference &session-state.Counter - Unresolved attributes are not
> > allowed here
>   When the module is bootstrapped, it doesn't know that it's supposed to be used in EAP-AKA.  So it can't find the "Counter" attribute.  This is an issue we're fixing.
>
>   An alternative is to edit the EAP-AKA virtual server to copy the necessary attributes to a group:
>
> 	&session-state.Tmp-Group-0 := {
> 		&Counter = &Counter
> 		...
> 	}
>
> 	eap_cache
> 	...
>
>   Then update the "eap_cache" module to save the Tmp-Group-0 attribute.
>
>   And also copy the Counter attributes (etc.) back to their correct place after the eap_cache module restores the cached Tmp-Group-0.
>
>   Alan DeKok.
>
>
> On Mon, May 27, 2024 at 11:45 AM deepika parmar <parmardeepika9 at gmail.com>
> wrote:
>
>> Hello,
>>
>>         I have configured EAP-AKA virtual-server in FreeRADIUS to
>> perform authentication. I have enabled eap cache so that fast reauth will
>> work and
>> session data will be stored in cache. However during store session I
>> could not restore Counter and hence reauth fails.
>>
>>
>> Logs are:
>> Debug : (0.0)      h9-auth-server - store session {
>> Debug : (0.0)        h9-auth-server - | debug_attr
>> INFO  : (0.0)          h9-auth-server - Attributes matching
>> "&session-state"
>> INFO  : (0.0)            h9-auth-server - &session-State.session-State = {
>> INFO  : (0.0)              h9-auth-server - Permanent-Identity =
>> 10026000000000 at wlan.mnc11343.mcc0.3gppnetwork.org
>> INFO  : (0.0)              h9-auth-server - SIM-Ki =
>> 0x465b5ce8b199b49faa5f0a2ee238a6bc
>> INFO  : (0.0)              h9-auth-server - SIM-OPc =
>> 0xcd63cb71954a9f4e48a5994e37a02baf
>> INFO  : (0.0)              h9-auth-server - SIM-SQN = 528
>> INFO  : (0.0)              h9-auth-server - Identity =
>> 27CL9C1yARfBU1l at wlan.mnc11343.mcc0.3gppnetwork.org
>> INFO  : (0.0)              h9-auth-server - Session-Data =
>> 0xd9407284e28f09c788dd047dbd2350adcf91a5ef
>> INFO  : (0.0)              h9-auth-server - Counter = 0
>>  >>>>>>>>>>>>>>>>> Counter is available here....>>>>>>
>> INFO  : (0.0)            h9-auth-server - }
>> Debug : (0.0)        h9-auth-server - | eap-aka-sim.Session-ID
>> Debug : (0.0)          h9-auth-server - | %{eap-aka-sim.Session-ID}
>> Debug : (0.0)          h9-auth-server - | -->
>> 0x34374631353345367a547775664157
>> Debug : (0.0)        eap_aka_cache - No cache entry found for
>> "47F153E6zTwufAW"
>> Debug : (0.0)        eap_aka_cache - Creating new cache entry
>> Debug : (0.0)          eap_aka_cache - &session-State.Session-Data :=
>> &session-State.Session-Data -> 0xd9407284e28f09c788dd047dbd2350adcf91a5ef
>> Debug : (0.0)        eap_aka_cache - EXPAND
>> %{session-state.Permanent-Identity}
>> Debug : (0.0)          eap_aka_cache - | session-state.Permanent-Identity
>> Debug : (0.0)            eap_aka_cache - |
>> %{session-state.Permanent-Identity}
>> Debug : (0.0)            eap_aka_cache - | -->
>> 10026000000000 at wlan.mnc11343.mcc0.3gppnetwork.org
>> Debug : (0.0)        eap_aka_cache - -->
>> 10026000000000 at wlan.mnc11343.mcc0.3gppnetwork.org
>> Debug : (0.0)          eap_aka_cache - &session-State.Permanent-Identity
>> := "10026000000000 at wlan.mnc11343.mcc0.3gppnetwork.org"
>> Debug : (0.0)        eap_aka_cache - EXPAND
>> %{session-state.Encr-Data.Counter}
>> Debug : (0.0)          eap_aka_cache - | session-state.Encr-Data.Counter
>> Debug : (0.0)            eap_aka_cache - |
>> %{session-state.Encr-Data.Counter}
>> Debug : (0.0)            eap_aka_cache - (null)
>> Debug : (0.0)        eap_aka_cache - -->
>> Debug : (0.0)        eap_aka_cache - Skipping
>> %{session-state.Encr-Data.Counter}
>> Debug : (0.0)        eap_aka_cache - Committed entry, TTL 150 seconds
>> Debug : (0.0)        h9-auth-server - eap_aka_cache (updated)
>>
>>
>> Session is stored in eap cache however it could not store Counter as its
>> value is nil in Encr-Data and direct access to Counter in session-state is
>> failing.
>>
>> During Reauth request, it could fetch the session from the cache but as
>> Counter is not there, fast reauth is failing...
>> Debug : (2.0)      h9-auth-server - New EAP-AKA session
>> Debug : (2.0)      h9-auth-server - Changed state INIT -> REAUTHENTICATION
>> Debug : (2.0)      h9-auth-server - load session {
>> Debug : (2.0)        h9-auth-server - | eap-aka-sim.Session-ID
>> Debug : (2.0)          h9-auth-server - | %{eap-aka-sim.Session-ID}
>> Debug : (2.0)          h9-auth-server - | -->
>> 0x34374631353345367a547775664157
>> Debug : (2.0)        eap_aka_cache - Found entry for "47F153E6zTwufAW"
>> Debug : (2.0)        eap_aka_cache - Merging cache entry into request
>> Debug : (2.0)          eap_aka_cache - &session-State.Session-Data :=
>> 0xd9407284e28f09c788dd047dbd2350adcf91a5ef
>> Debug : (2.0)          eap_aka_cache - &session-State.Permanent-Identity
>> := '10026000000000 at wlan.mnc11343.mcc0.3gppnetwork.org'
>> Debug : (2.0)        h9-auth-server - eap_aka_cache (updated)
>> Debug : (2.0)        h9-auth-server - ok (ok)
>> Debug : (2.0)        h9-auth-server - | debug_attr
>> INFO  : (2.0)          h9-auth-server - Attributes matching
>> "&session-state"
>> INFO  : (2.0)            h9-auth-server - &session-State.session-State = {
>> INFO  : (2.0)              h9-auth-server - Session-Data =
>> 0xd9407284e28f09c788dd047dbd2350adcf91a5ef
>> INFO  : (2.0)              h9-auth-server - Permanent-Identity =
>> 10026000000000 at wlan.mnc11343.mcc0.3gppnetwork.org
>> INFO  : (2.0)            h9-auth-server - }
>> Debug : (2.0)        h9-auth-server - | %debug_attr({&session-state})
>>
>> Debug : (2.0)      h9-auth-server - } # send Reauthentication-Request (ok)
>> Debug : (2.0)      h9-auth-server - Generating new session keys
>> Debug : (2.0)      h9-auth-server - No &session-state.Counter attribute
>> found, can't calculate re-auth keys
>> Debug : (2.0)      h9-auth-server - Composing
>> EAP-Request/Reauthentication failed.  Clearing reply attributes and
>> requesting additional Identity
>> Debug : (2.0)      h9-auth-server - Changed state REAUTHENTICATION ->
>> AKA-IDENTITY
>> Debug : (2.0)      h9-auth-server - send Identity-Request {
>>
>>
>> Store session setting in virtual server:
>>
>>         store session {
>>                 "%(debug_attr:&session-state)"
>>
>>                 eap_aka_cache
>>
>>                 "%(debug_attr:&session-state)"
>>                 ok
>>         }
>> Currently my eap_cache is
>> cache eap_aka_cache {
>>         #
>>         #  key:: Cache key.
>>         #
>>         key = "%{eap-aka-sim.Session-ID}"
>>
>>         #
>>         #  ttl:: TTL for cache entries.
>>         #
>>         ttl = 150
>>         #
>>         #  update <section> { ... }::
>>         #
>>         update session-state {
>>                 &session-state.Session-Data             :=
>> &session-state.Session-Data
>>
>>                 &Permanent-Identity :=
>> "%{session-state.Permanent-Identity}"
>>                 &Encr-Data.Counter      :=
>> "%{session-state.Encr-Data.Counter}"
>>         }
>> }
>>
>>
>> If I add accessing Counter, it fails as follows:
>>  &session-state.Counter  := &session-state.Counter
>>
>>
>> Debug : Compiling policies in - store session {...}
>> Error : /usr/local/etc/raddb/mods-enabled/eap-cache[22]: Failed parsing
>> attribute reference &session-state.Counter - Unresolved attributes are not
>> allowed here
>> Error : /usr/local/etc/raddb/mods-enabled/eap-cache[22]:
>> &session-state.Counter
>> Error : /usr/local/etc/raddb/mods-enabled/eap-cache[22]:                 ^
>> Error : /usr/local/etc/raddb/mods-enabled/eap-cache[22]: Failed creating
>> map from '&session-state.Counter = &session-state.Counter'
>> Error : /usr/local/etc/raddb/mods-enabled/eap-cache[1]: Failed parsing
>> configuration section update
>> Error : /usr/local/etc/raddb/sites-enabled/h9-auth-server[1006]: Invalid
>> keyword "eap_aka_cache".
>>
>> Am I missing any configuration? Can anyone help?
>>
>>
>> Summary of my setup:
>>
>>   *   FreeRADIUS version 4 -  Configured, compiled and installed from
>> master branch synced on 10th May 2024.
>>
>>   *   wpa_supplicant version 2.10
>>
>>   *   Ubuntu 20.04 LTS
>>
>> Thanks,
>>
>> Deepika

