EAP Fast Reauth fails
deepika parmar
parmardeepika9 at gmail.com
Fri May 31 08:08:50 UTC 2024
Thanks for the reply.
EAP-AKA authentication is working on the latest master branch.
I'm using updated syntax for debug statements, but I accidentally sent the
old statement.
As suggested, I tried adding Tmp-Group-0 attribute to store the Counter,
however its failing while starting the freeradius..
store session {
"%debug_attr(&session-state)"
&session-state.Tmp-Group-0 := {
&Counter = &Counter
}
eap_aka_cache
ok
}
Error is:
Debug : Compiling policies in - send EAP-Success {...}
Debug : Compiling policies in - store session {...}
Error : /usr/local/etc/raddb/sites-enabled/h9-auth-server[1008]: Failed
parsing attribute reference &Counter - Unresolved attributes are not
allowed here
Error : /usr/local/etc/raddb/sites-enabled/h9-auth-server[1008]: &Counter
Error : /usr/local/etc/raddb/sites-enabled/h9-auth-server[1008]: ^
Error : /usr/local/etc/raddb/sites-enabled/h9-auth-server[1008]: Failed
creating map from '&Counter = &Counter'
Even printing session-state.Counter with
"%debug_attr(&session-state.Counter)" fails...
Debug : Compiling policies in - store session {...}
Error : /usr/local/etc/raddb/mods-enabled/eap-cache[18]: Failed parsing
attribute reference &session-state.Counter - Unresolved attributes are not
allowed here
Error : /usr/local/etc/raddb/mods-enabled/eap-cache[18]:
&session-state.Counter
Error : /usr/local/etc/raddb/mods-enabled/eap-cache[18]: ^
Error : /usr/local/etc/raddb/mods-enabled/eap-cache[18]: Failed creating
map from '&session-state.Counter = &session-state.Counter'
Error : /usr/local/etc/raddb/mods-enabled/eap-cache[1]: Failed parsing
configuration section update
Error : /usr/local/etc/raddb/sites-enabled/h9-auth-server[1013]: Invalid
keyword "eap_aka_cache".
Thanks,
Deepika
On May 27, 2024, at 2:15 AM, deepika parmar <parmardeepika9 at
gmail.com <https://lists.freeradius.org/mailman/listinfo/freeradius-users>>
wrote:
>* I have configured *EAP-AKA virtual-server in FreeRADIUS to
*>* perform authentication. I have enabled eap cache so that fast reauth will
*>* work and
*>* session data will be stored in cache. However during store session i could
*>* not restore Counter and hence reauth fails.
*
This is for v4, which is still not quite done. If it works, great.
If not, please submit patches.
>* Logs are:
*>* Debug : (0.0) h9-auth-server - store session {
*>* Debug : (0.0) h9-auth-server - | debug_attr
*
What's wrong with "radiusd -X" as recommended by all
>* Store session setting in virtual server:
*> >* store session {
*>* "%(debug_attr:&session-state)"
*
You should use a more recent version of v4. The function syntax has
changed to make more sense, and we've fixed a number of other issues,
Or at least update the configuration to use the new syntax. At some
point the old syntax will cause errors.
>* If i add accessing Counter, it fails as follows:
*>* &session-state.Counter := &session-state.Counter
*> >* Debug : Compiling policies in - store session {...}
*>* Error : /usr/local/etc/raddb/mods-enabled/eap-cache[22]: Failed parsing
*>* attribute reference &session-state.Counter - Unresolved attributes are not
*>* allowed here
*
When the module is bootstrapped, it doesn't know that it's supposed
to be used in EAP-AKA. So it can't find the "Counter" attribute.
This is an issue we're fixing.
An alternative is to edit the EAP-AKA virtual server to copy the
necessary attributes to a group:
&session-state.Tmp-Group-0 := {
&Counter = &Counter
...
}
eap_cache
...
Then update the "eap_cache" module to save the Tmp-Group-0 attribute.
And also copy the Counter attributes (etc.) back to their correct
place after the eap_cache module restores the cached Tmp-Group-0
Alan DeKok.
On Mon, May 27, 2024 at 11:45 AM deepika parmar <parmardeepika9 at gmail.com>
wrote:
> Hello,
>
> I have configured *EAP-AKA virtual-server in FreeRADIUS to
> perform authentication. I have enabled eap cache so that fast reauth will
> work and
> session data will be stored in cache. However during store session i could
> not restore Counter and hence reauth fails.
>
>
> Logs are:
> Debug : (0.0) h9-auth-server - store session {
> Debug : (0.0) h9-auth-server - | debug_attr
> INFO : (0.0) h9-auth-server - Attributes matching
> "&session-state"
> INFO : (0.0) h9-auth-server - &session-State.session-State = {
> INFO : (0.0) h9-auth-server - Permanent-Identity =
> 10026000000000 at wlan.mnc11343.mcc0.3gppnetwork.org
> INFO : (0.0) h9-auth-server - SIM-Ki =
> 0x465b5ce8b199b49faa5f0a2ee238a6bc
> INFO : (0.0) h9-auth-server - SIM-OPc =
> 0xcd63cb71954a9f4e48a5994e37a02baf
> INFO : (0.0) h9-auth-server - SIM-SQN = 528
> INFO : (0.0) h9-auth-server - Identity =
> 27CL9C1yARfBU1l at wlan.mnc11343.mcc0.3gppnetwork.org
> INFO : (0.0) h9-auth-server - Session-Data =
> 0xd9407284e28f09c788dd047dbd2350adcf91a5ef
> INFO : (0.0) h9-auth-server - Counter = 0
> >>>>>>>>>>>>>>>>> Counter is available here....>>>>>>
> INFO : (0.0) h9-auth-server - }
> Debug : (0.0) h9-auth-server - | eap-aka-sim.Session-ID
> Debug : (0.0) h9-auth-server - | %{eap-aka-sim.Session-ID}
> Debug : (0.0) h9-auth-server - | -->
> 0x34374631353345367a547775664157
> Debug : (0.0) eap_aka_cache - No cache entry found for
> "47F153E6zTwufAW"
> Debug : (0.0) eap_aka_cache - Creating new cache entry
> Debug : (0.0) eap_aka_cache - &session-State.Session-Data :=
> &session-State.Session-Data -> 0xd9407284e28f09c788dd047dbd2350adcf91a5ef
> Debug : (0.0) eap_aka_cache - EXPAND
> %{session-state.Permanent-Identity}
> Debug : (0.0) eap_aka_cache - | session-state.Permanent-Identity
> Debug : (0.0) eap_aka_cache - |
> %{session-state.Permanent-Identity}
> Debug : (0.0) eap_aka_cache - | -->
> 10026000000000 at wlan.mnc11343.mcc0.3gppnetwork.org
> Debug : (0.0) eap_aka_cache - -->
> 10026000000000 at wlan.mnc11343.mcc0.3gppnetwork.org
> Debug : (0.0) eap_aka_cache - &session-State.Permanent-Identity
> := "10026000000000 at wlan.mnc11343.mcc0.3gppnetwork.org"
> Debug : (0.0) eap_aka_cache - EXPAND
> %{session-state.Encr-Data.Counter}
> Debug : (0.0) eap_aka_cache - | session-state.Encr-Data.Counter
> Debug : (0.0) eap_aka_cache - |
> %{session-state.Encr-Data.Counter}
> Debug : (0.0) eap_aka_cache - (null)
> Debug : (0.0) eap_aka_cache - -->
> Debug : (0.0) eap_aka_cache - Skipping
> %{session-state.Encr-Data.Counter}
> Debug : (0.0) eap_aka_cache - Committed entry, TTL 150 seconds
> Debug : (0.0) h9-auth-server - eap_aka_cache (updated)
>
>
> Session is stored in eap cache however it could not store Counter as its
> value is nil in Encr-Data and direct access to Counter in session-state is
> failing.
>
> During Reauth request , it could fetch the session from the cache but as
> Counter is not there, fast reauth is failing...
> Debug : (2.0) h9-auth-server - New EAP-AKA session
> Debug : (2.0) h9-auth-server - Changed state INIT -> REAUTHENTICATION
> Debug : (2.0) h9-auth-server - load session {
> Debug : (2.0) h9-auth-server - | eap-aka-sim.Session-ID
> Debug : (2.0) h9-auth-server - | %{eap-aka-sim.Session-ID}
> Debug : (2.0) h9-auth-server - | -->
> 0x34374631353345367a547775664157
> Debug : (2.0) eap_aka_cache - Found entry for "47F153E6zTwufAW"
> Debug : (2.0) eap_aka_cache - Merging cache entry into request
> Debug : (2.0) eap_aka_cache - &session-State.Session-Data :=
> 0xd9407284e28f09c788dd047dbd2350adcf91a5ef
> Debug : (2.0) eap_aka_cache - &session-State.Permanent-Identity
> := '10026000000000 at wlan.mnc11343.mcc0.3gppnetwork.org'
> Debug : (2.0) h9-auth-server - eap_aka_cache (updated)
> Debug : (2.0) h9-auth-server - ok (ok)
> Debug : (2.0) h9-auth-server - | debug_attr
> INFO : (2.0) h9-auth-server - Attributes matching
> "&session-state"
> INFO : (2.0) h9-auth-server - &session-State.session-State = {
> INFO : (2.0) h9-auth-server - Session-Data =
> 0xd9407284e28f09c788dd047dbd2350adcf91a5ef
> INFO : (2.0) h9-auth-server - Permanent-Identity =
> 10026000000000 at wlan.mnc11343.mcc0.3gppnetwork.org
> INFO : (2.0) h9-auth-server - }
> Debug : (2.0) h9-auth-server - | %debug_attr({&session-state})
>
> Debug : (2.0) h9-auth-server - } # send Reauthentication-Request (ok)
> Debug : (2.0) h9-auth-server - Generating new session keys
> Debug : (2.0) h9-auth-server - No &session-state.Counter attribute
> found, can't calculate re-auth keys
> Debug : (2.0) h9-auth-server - Composing EAP-Request/Reauthentication
> failed. Clearing reply attributes and requesting additional Identity
> Debug : (2.0) h9-auth-server - Changed state REAUTHENTICATION ->
> AKA-IDENTITY
> Debug : (2.0) h9-auth-server - send Identity-Request {
>
>
> Store session setting in virtual server:
>
> store session {
> "%(debug_attr:&session-state)"
>
> eap_aka_cache
>
> "%(debug_attr:&session-state)"
> ok
> }
> Currently my eap_cache is
> cache eap_aka_cache {
> #
> # key:: Cache key.
> #
> key = "%{eap-aka-sim.Session-ID}"
>
> #
> # ttl:: TTL for cache entries.
> #
> ttl = 150
> #
> # update <section> { ... }::
> #
> update session-state {
> &session-state.Session-Data :=
> &session-state.Session-Data
>
> &Permanent-Identity :=
> "%{session-state.Permanent-Identity}"
> &Encr-Data.Counter :=
> "%{session-state.Encr-Data.Counter}"
> }
> }
>
>
> If i add accessing Counter, it fails as follows:
> &session-state.Counter := &session-state.Counter
>
>
> Debug : Compiling policies in - store session {...}
> Error : /usr/local/etc/raddb/mods-enabled/eap-cache[22]: Failed parsing
> attribute reference &session-state.Counter - Unresolved attributes are not
> allowed here
> Error : /usr/local/etc/raddb/mods-enabled/eap-cache[22]:
> &session-state.Counter
> Error : /usr/local/etc/raddb/mods-enabled/eap-cache[22]: ^
> Error : /usr/local/etc/raddb/mods-enabled/eap-cache[22]: Failed creating
> map from '&session-state.Counter = &session-state.Counter'
> Error : /usr/local/etc/raddb/mods-enabled/eap-cache[1]: Failed parsing
> configuration section update
> Error : /usr/local/etc/raddb/sites-enabled/h9-auth-server[1006]: Invalid
> keyword "eap_aka_cache".
>
> Am i missing any configuration? Can anyone help?
>
>
> Summary of my setup:
>
> * FreeRadius version4 - Configured, compiled and installed from
> master Branch synced on 10th May 2024.
>
> * wpa_supplicant version 2.10
>
> * Ubuntu 20.04 LTS
>
> Thanks,
>
> Deepika
>
>
>
>
>
>
>
More information about the Freeradius-Users
mailing list