Re: Eduroam FreeRadius not working so well
On 11 Dec 2012, at 03:14, Mike Diggins mike.digg...@mcmaster.ca wrote:

> On Sun, 9 Dec 2012, Alan Buxey wrote:
>
>>> Hi, this looks like something I should be doing but I have no idea where to insert this section. Is it in proxy.conf or somewhere else?
>>
>> In the authorize section of your virtual server, straight after the preprocess/suffix/realm module calls (i.e. before any real authorization action).
>>
>>> With this configuration, I guess I don't need realm's LOCAL or NULL?
>>
>> Correct - you will deal with your LOCAL realm by handling your defined realm. With eduroam you don't want to EVER authenticate a user who hasn't provided a realm, because, for your own users, they may work fine when they are at your site; they then think/believe their configuration works... and then find it doesn't work when they go to another eduroam site... and then they'll blame that site, your site or eduroam. Best policy for eduroam is to ALWAYS ensure a realm is defined on the client.
>
> OK, both the default and inner-tunnel, I assume?
>
> I added the section to authorize, but the DEBUG output indicates the regular expression is rejecting a valid user. Is there someone that could confirm the RE?
>
>     if (User-Name =~ /^([^@]*)@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/) {
>     ...

Why not just use the filter_username policy in policy.conf?

In filter_username in policy.conf you probably want to comment out the "reject mixed case" test and make sure your version has the fixed "realm begins with a dot" check:

    #
    #  Realm begins with a dot
    #  e.g. u...@.site.com
    #
    if (User-Name =~ /@\\./) {

Broken ones have:

    #
    #  Realm begins with a dot
    #  e.g. u...@.site.com
    #
    if (User-Name !~ /@\\./) {

To call the filter_username policy, just add filter_username to your authorise section.

Regards
Scott Armitage

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Eduroam FreeRadius not working so well
On 11 December 2012 03:14, Mike Diggins mike.digg...@mcmaster.ca wrote:

> OK, both the default and inner-tunnel, I assume?

default only - you don't want to proxy the inner bit - if the inner realm doesn't match blank or yours, you need to reject.

> I added the section to authorize, but the DEBUG output indicates the regular expression is rejecting a valid user. Is there someone that could confirm the RE?
>
>     if (User-Name =~ /^([^@]*)@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/) {
>     ...

add the case-insensitive flag, i.e. end the line with

    $/i) {

instead of your current:

    $/) {

Kind regards,
James

--
James J J Hooper
Senior Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
--
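The realm checks discussed in this thread, worked through in Python as an added example (not code from the thread or from FreeRADIUS): it applies the posted regex with and without the case-insensitive flag James suggests, the "no realm" rule Alan describes, and the fixed `@\.` "realm begins with a dot" test from filter_username. The usernames are constructed samples.

```python
import re
from typing import Optional, Tuple

# Realm regex posted in the thread (unlang's "\\." is a single escaped dot here).
REALM_RE = r"^([^@]*)@([-A-Z0-9]+(\.[-A-Z0-9]+)+)$"
# The fixed filter_username test: realm begins with a dot, e.g. user@.site.com
DOTTED_REALM_RE = r"@\."


def check_username(user_name: str, case_insensitive: bool = True) -> Tuple[str, Optional[str]]:
    """Mimic the authorize-section checks discussed in the thread.

    Returns (verdict, realm); realm is None unless the name is accepted.
    case_insensitive=False reproduces the posted regex without the /i flag.
    """
    # eduroam policy: never authenticate a user who has not supplied a realm.
    if "@" not in user_name:
        return ("reject-no-realm", None)
    # The corrected filter_username check rejects user@.site.com style names.
    if re.search(DOTTED_REALM_RE, user_name):
        return ("reject-dotted-realm", None)
    flags = re.IGNORECASE if case_insensitive else 0
    m = re.match(REALM_RE, user_name, flags)
    if not m:
        # Without /i a lowercase realm fails here, which is the symptom Mike saw.
        return ("reject-regex", None)
    return ("accept", m.group(2).lower())


if __name__ == "__main__":
    # Constructed sample usernames, not taken from the thread.
    for name in ["mike@mcmaster.ca", "MIKE@MCMASTER.CA", "mike",
                 "mike@.mcmaster.ca", "mike@localhost"]:
        print(name, "->", check_username(name, case_insensitive=False),
              "| with /i:", check_username(name))
```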
Re: AW: AW: EAP-TLS Failed in handler question
On 12/10/2012 08:00 PM, PENZ Robert wrote:

> @PhilMayers: Did you get the mail with the full logfile? Do you need more?

I did, but honestly I prioritise personal help emails lower than ones to the list, sorry. I'll see if I have time to look today.
Re: AW: AW: EAP-TLS Failed in handler question
On 10/12/12 20:00, PENZ Robert wrote:

> @PhilMayers: Did you get the mail with the full logfile? Do you need more?

OK, your NAS is buggy, I'm afraid. In some small percentage of cases, it is not handling the wrapping of EAP id values from 255 to 0. The following sequence of (redacted) packets shows the problem (see line ~2389268 in your debug for this example, but there are lots of others in there):

    Access-Request packet from host NAS port 54217, id=183, length=151
        User-Name = host/blah
        EAP-Message = 0x02ff...
        NAS-IP-Address = NAS
        Service-Type = Login-User
        Calling-Station-Id = MAC
        NAS-Port-Id = x:y
        NAS-Port = x00y
        NAS-Port-Type = Ethernet
        Message-Authenticator = 0x26710066ee2e161ba4979519e82cde59
    ...
    [eap] EAP packet type response id 255 length 33
    ...
    +- entering group EAP {...}
    [eap] EAP Identity
    [eap] processing type tls
    [tls] Requiring client certificate
    [tls] Initiate
    [tls] Start returned 1
    ...
    Sending Access-Challenge of id 183 to 10.15.132.5 port 54217
        EAP-Message = 0x01060d20
        Message-Authenticator = 0x
        State = 0xe043a0c1e043ad9227375e26b2f8cb62

Note that the Access-Request contains an EAP response with id=255, and we return an EAP request with id=0, having wrapped around. The NAS follows up with:

    Access-Request packet from host 10.15.132.5 port 54217, id=184, length=241
        User-Name = host/blah
        EAP-Message = 0x02ff...
        NAS-IP-Address = NAS
        Service-Type = Login-User
        Calling-Station-Id = MAC
        NAS-Port-Id = x:y
        NAS-Port = x00y
        NAS-Port-Type = Ethernet
        State = 0xe043a0c1e043ad9227375e26b2f8cb62
        Message-Authenticator = 0x03a814fd68371689281f1e66a4728614
    ...
    [eap] EAP packet type response id 255 length 105
    ...
    rlm_eap: No EAP session matching the State variable.

That is - we send an Access-Challenge containing an EAP request id=0, and the client responds with an Access-Request containing an EAP response id=255. This is obviously wrong.

FreeRADIUS mixes certain data into the State value with an xor, including the EAP id - that's why you're getting that particular error message, but the underlying problem is that the NAS is not always handling EAP id value wrap correctly.

I'm curious as to why the EAP id values are so large - I don't think most NASes do this, they start from id=1 on every conversation, but I don't know if it's legal.

The ID wrapping seems to work in other cases; I'm not certain, but it *may* be that it only fails if the sequence is:

    C: access-request   EAP-response id=255 EAP-Identity
    S: access-challenge EAP-request  id=0   PEAP-start
    C: access-request   EAP-response id=255 PEAP-data

i.e. if the initial EAP-Identity is the one with id=255.

But anyway - I think your NAS is buggy. There's no way you can solve this in FreeRADIUS - you obviously can't rewrite the EAP id - so I think you'll need to open a bug report with the vendor.

There is one thing you *might* be able to do which *might* work, but it's dependent on what the NAS does - if I'm right and it's only Identity packets that don't wrap properly, you might be able to detect EAP Identity packets and modify the ID, and *maybe* the Extreme switch will reply in-sequence. Like so:

    authorize {
        # match Code=Response(02), Id=255(ff), the 2-byte length, Type=Identity(01)
        if (%{EAP-Message[0]} =~ /^0x02ff(....)01(.+)/) {
            # we have an EAP-Identity packet id=255, see if we can force a wrap
            # %{1} is the length, %{2} the identity; rewrite the id to 1
            update request {
                EAP-Message := 0x0201%{1}01%{2}
            }
        }
    }

However - I have no idea if this syntax will even work, and to be honest I'm extremely dubious that, if it does, the Extreme would respond properly.

Cheers,
Phil
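The id-wrap problem Phil describes, as an added example in Python (not the thread's or FreeRADIUS's own code): it parses EAP-Message values in the form radiusd prints them and checks that each NAS response carries the id of the request it answers, with 255 wrapping to 0 as RFC 3748 requires. The exchange below is constructed to have the shape of the one in the debug log, not copied from it.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class EapHeader:
    code: int                # 1 = Request (server), 2 = Response (NAS/supplicant)
    ident: int               # EAP Identifier, 0..255
    length: int              # length field from the EAP header
    eap_type: Optional[int]  # 1 = Identity, 13 = EAP-TLS, None if absent


def parse_eap(hex_msg: str) -> EapHeader:
    """Parse an EAP-Message value as radiusd prints it ('0x' followed by hex)."""
    raw = bytes.fromhex(hex_msg[2:] if hex_msg.startswith("0x") else hex_msg)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    eap_type = raw[4] if len(raw) > 4 and raw[0] in (1, 2) else None
    return EapHeader(raw[0], raw[1], int.from_bytes(raw[2:4], "big"), eap_type)


def check_exchange(exchange: List[Tuple[str, str]]) -> List[str]:
    """Walk (direction, EAP-Message) pairs: 'S' = Access-Challenge from the server,
    'C' = Access-Request from the NAS. A response must carry the id of the request
    it answers; the id wraps 255 -> 0, so a response id=255 to a request id=0 is
    exactly the NAS bug seen in the log."""
    problems = []
    expected: Optional[int] = None
    for direction, hex_msg in exchange:
        hdr = parse_eap(hex_msg)
        if direction == "S":
            expected = hdr.ident
        elif expected is not None and hdr.ident != expected:
            note = " (id wrap 255 -> 0 not handled by the NAS)" if (expected, hdr.ident) == (0, 255) else ""
            problems.append(f"response id {hdr.ident} answers request id {expected}{note}")
            expected = None
    return problems


# Constructed sample exchange: Identity response id=255, server's EAP-TLS start id=0,
# then the NAS answers with id=255 again instead of 0.
IDENTITY = "host/blah".encode().hex()
BUGGY_EXCHANGE = [
    ("C", "0x02ff000e01" + IDENTITY),     # Response, id 255, len 14, type 1 Identity
    ("S", "0x010000060d20"),              # Request, id 0, len 6, type 13 TLS, Start flag
    ("C", "0x02ff000a0d00deadbeef"),      # Response, id 255 again: wrong, should be 0
]
GOOD_EXCHANGE = [BUGGY_EXCHANGE[0], BUGGY_EXCHANGE[1], ("C", "0x0200000a0d00deadbeef")]

if __name__ == "__main__":
    print(check_exchange(BUGGY_EXCHANGE))  # one problem reported
    print(check_exchange(GOOD_EXCHANGE))   # []
```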
AW: AW: AW: EAP-TLS Failed in handler question
Hi!

Phil, really BIG THANKS for your help! I'll talk to Extreme Networks.

Robert
Released IP info
Hi,

I have a very simple query regarding the following radius.log entry. When a PPP session is disconnected, the following log entry is logged:

    Sun Dec 9 20:46:05 2012 : Info: Released IP xx.xx.xx.xx (did cli 010010010 user xxx@xxx)

I would like to know what part of the configuration will enable/disable "Released IP" logging to the radius.log file. I am using the default site file. It used to work for me before, but I had to make a change to disable the simultaneous login feature. I disabled the radutmp feature in the sites default file in the accounting section and the session section. I also disabled the sqlippool feature, which was left enabled for some reason, but we don't use any sqlippool feature.

Regards
Raz
Re: Released IP info
Raz Muhammad wrote:

> I have a very simple query regarding the following radius.log entry. When a PPP session is disconnected, the following log entry is logged:
>
>     “Sun Dec 9 20:46:05 2012 : Info: Released IP xx.xx.xx.xx (did cli 010010010 user xxx@xxx)”

That message doesn't appear anywhere in the source code. My guess is that you edited the local configuration to add it.

Alan DeKok.