Re: Eduroam FreeRadius not working so well

2012-12-11 Thread Scott Armitage

On 11 Dec 2012, at 03:14, Mike Diggins mike.digg...@mcmaster.ca wrote:

 
 On Sun, 9 Dec 2012, Alan Buxey wrote:
 
 Hi,
 
 This looks like something I should be doing but I have no idea where
 to insert this section. Is it in proxy.conf or somewhere else? And
 
 in the authorize section of your virtual server, straight after the 
 preprocess/suffix/realm
 module calls (ie before any real authorization action)
 
 With this configuration, I guess I don't need realm's LOCAL or NULL?
 
 correct - you will deal with your LOCAL realm by handling your defined realm.
 with eduroam you don't want to EVER authenticate a user who hasn't provided
 a realm - because, for your own users, they may work fine when they are at your
 site... they then think/believe their configuration works... and then find it
 doesn't work when they go to another eduroam site... and then they'll blame
 that site, your site or eduroam.   best policy for eduroam is ALWAYS ensure
 a realm is defined on the client
 
 
 ok, both the default and inner-tunnel, I assume?
 
 I added the section to authorize, but the DEBUG output indicates the 
 regular expression is rejecting a valid user. Is there someone that could 
 confirm the RE?
 
 if (User-Name =~ /^([^@]*)@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/) {
 ...


Why not just use the filter_username policy in policy.conf?

In filter_username in policy.conf you probably want to comment out the "reject
mixed case" test and make sure your version has the fixed "realm begins with a
dot" test:

#
#  Realm begins with a dot
#  e.g. u...@.site.com
#
if (User-Name =~ /@\\./)  {
	reject
}


Broken ones have:

#
#  Realm begins with a dot
#  e.g. u...@.site.com
#
#  BROKEN: the test is negated (!~), so every User-Name whose realm does
#  NOT begin with a dot is rejected, i.e. all valid users
if (User-Name !~ /@\\./)  {
	reject
}


To call the filter_username policy just add filter_username to your authorize
section.


Regards

Scott Armitage
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Eduroam FreeRadius not working so well

2012-12-11 Thread James JJ Hooper
On 11 December 2012 03:14, Mike Diggins mike.digg...@mcmaster.ca wrote:


 ok, both the default and inner-tunnel, I assume?

default only - you don't want to proxy the inner bit - if the inner
realm doesn't match blank or yours, you need to reject.

 I added the section to authorize, but the DEBUG output indicates the
 regular expression is rejecting a valid user. Is there someone that could
 confirm the RE?


 if (User-Name =~ /^([^@]*)@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/) {
 ...

add the case-insensitive flag i.e. end the line with
$/i) {

instead of your current:
$/) {

Kind regards,
  James

--
James J J Hooper
Senior Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
--
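The two points made in this thread, Scott's filter_username tests (the fixed `=~` versus the broken `!~` "realm begins with a dot" check) and James's case-insensitive flag on Mike's realm regex, ported to Python so they can be tried against sample names. This is an added example, not code from the thread or from FreeRADIUS; `authorize()` is a constructed helper that simply composes the two checks, and the sample names are constructed.

```python
import re

# Mike's realm regex as posted (case-sensitive) and with the /i flag James
# suggests. Unlang's "\\." is the same literal dot as Python's r"\.".
REALM_PATTERN = r"^([^@]*)@([-A-Z0-9]+(\.[-A-Z0-9]+)+)$"
REALM_RE_CASE_SENSITIVE = re.compile(REALM_PATTERN)
REALM_RE_CASE_INSENSITIVE = re.compile(REALM_PATTERN, re.IGNORECASE)


def has_well_formed_realm(user_name: str, case_insensitive: bool = True) -> bool:
    """True if User-Name is user@label.label[.label...]; a bare name or a realm
    without a dot fails, which is what eduroam wants before authenticating."""
    regex = REALM_RE_CASE_INSENSITIVE if case_insensitive else REALM_RE_CASE_SENSITIVE
    return regex.match(user_name) is not None


def filter_username(user_name: str, reject_mixed_case: bool = False):
    """Port of the two filter_username tests discussed above. Returns None when
    the name passes, else the name of the failing test (unlang would 'reject')."""
    # 'reject mixed case' -- Scott suggests commenting this one out
    if reject_mixed_case and user_name != user_name.lower():
        return "mixed case"
    # 'Realm begins with a dot', e.g. user@.site.com; the fixed test uses =~
    if re.search(r"@\.", user_name):
        return "realm begins with a dot"
    return None


def broken_filter_username(user_name: str):
    """The broken policy.conf variant: the same test negated (!~), so every
    realm that does NOT begin with a dot is rejected and only bad names pass."""
    if not re.search(r"@\.", user_name):
        return "realm begins with a dot (negated test)"
    return None


def authorize(user_name: str) -> str:
    """Constructed composition of the two checks (not an unlang policy):
    run filter_username, then insist on a well-formed realm."""
    if filter_username(user_name) is not None:
        return "reject"
    if not has_well_formed_realm(user_name):
        return "reject"
    return "ok"


if __name__ == "__main__":
    # constructed sample names
    for name in ("mike@mcmaster.ca", "Mike@McMaster.CA", "mike", "mike@.mcmaster.ca"):
        print(f"{name:20} sensitive={has_well_formed_realm(name, False)!s:5} "
              f"insensitive={has_well_formed_realm(name)!s:5} "
              f"filter={filter_username(name)} broken={broken_filter_username(name)} "
              f"authorize={authorize(name)}")
```

Run stand-alone, the table shows why Mike's valid lowercase user was rejected by the case-sensitive regex, and that the negated `!~` test rejects exactly the names the fixed test accepts.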


Re: AW: AW: EAP-TLS Failed in handler question

2012-12-11 Thread Phil Mayers

On 12/10/2012 08:00 PM, PENZ Robert wrote:

@PhilMayers: Did you get the mail with the full logfile? Do you need more?


I did, but honestly I prioritise personal help emails lower than ones 
to the list, sorry.


I'll see if I have time to look today.


Re: AW: AW: EAP-TLS Failed in handler question

2012-12-11 Thread Phil Mayers

On 10/12/12 20:00, PENZ Robert wrote:

@PhilMayers: Did you get the mail with the full logfile? Do you need more?


Ok, your NAS is buggy I'm afraid. In some small percentage of cases, it 
is not handling the wrapping of EAP id values from 255 to 0.


The following sequence of (redacted) packets shows the problem (see line 
~2389268 in your debug for this example, but there are lots of others in 
there):


Access-Request packet from host NAS port 54217, id=183, length=151
User-Name = host/blah
EAP-Message = 0x02ff...
NAS-IP-Address = NAS
Service-Type = Login-User
Calling-Station-Id = MAC
NAS-Port-Id = x:y
NAS-Port = x00y
NAS-Port-Type = Ethernet
Message-Authenticator = 0x26710066ee2e161ba4979519e82cde59
...
[eap] EAP packet type response id 255 length 33
...
+- entering group EAP {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
...
Sending Access-Challenge of id 183 to 10.15.132.5 port 54217
EAP-Message = 0x01060d20
Message-Authenticator = 0x
State = 0xe043a0c1e043ad9227375e26b2f8cb62

Note that the access-request contains an EAP response with id=255, and 
we return an EAP request with id=0, having wrapped around. The NAS 
follows up with:


Access-Request packet from host 10.15.132.5 port 54217, id=184, length=241
User-Name = host/blah
EAP-Message = 0x02ff...
NAS-IP-Address = NAS
Service-Type = Login-User
Calling-Station-Id = MAC
NAS-Port-Id = x:y
NAS-Port = x00y
NAS-Port-Type = Ethernet
State = 0xe043a0c1e043ad9227375e26b2f8cb62
Message-Authenticator = 0x03a814fd68371689281f1e66a4728614
...
[eap] EAP packet type response id 255 length 105
...
rlm_eap: No EAP session matching the State variable.

That is - we send an Access-Challenge containing an EAP request id=0, 
the client responds with an Access-Request containing EAP response 
id=255. This is obviously wrong.


FreeRADIUS mixes certain data into the State value with an xor, 
including the EAP id - that's why you're getting that particular error 
message, but the underlying problem is that the NAS is not always 
handling EAP id value wrap correctly.


I'm curious as to why the EAP id values are so large - I don't think 
most NASes do this, they start from id=1 on every conversation, but I 
don't know if it's legal.


The ID wrapping seems to work in other cases; I'm not certain, but it 
*may* be that it only fails if the sequence is:


C: access-request EAP-response id=255 EAP-Identity
S: access-challenge EAP-request id=0 PEAP-start
C: access-request EAP-response id=255 PEAP-data

i.e. if the initial EAP-identity is the one with id=255.

But anyway - I think your NAS is buggy. There's no way you can solve 
this in FreeRADIUS - you obviously can't rewrite the EAP id, so I think 
you'll need to open a bug report with the vendor.


There is one thing you *might* be able to do which *might* work, but 
it's dependent on what the NAS does - if I'm right and it's only 
Identity packets that don't wrap properly, you might be able to detect 
EAP identity packets and modify the ID and *maybe* the Extreme switch 
will reply in-sequence. Like so:


authorize {
  if (%{EAP-Message[0]} =~ /^0x02ff()01(.+)/) {
    # we have an EAP-identity packet id=255, see if we can force a wrap
    update request {
      EAP-Message := 0x0201%{1}01%{2}
    }
  }

}

However - I have no idea if this syntax will even work, and to be honest 
I'm extremely dubious that, if it does, the Extreme would respond properly.


Cheers,
Phil
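The identifier problem Phil diagnoses can be checked mechanically from the EAP-Message attributes: parse the EAP header (Code, Identifier, Length, Type) and flag any response whose Identifier is not that of the outstanding request, remembering that the sequence wraps from 255 to 0. The following is an added example, not code from the thread or from FreeRADIUS; the exchanges are constructed to mirror the sequence Phil describes (identity response id=255, TLS-start request id=0, then a response that should carry id=0), and `build_eap` / `check_eap_id_sequence` are helper names chosen here.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# EAP codes and types (RFC 3748, RFC 5216)
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_TLS = 1, 13


@dataclass
class EapHeader:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]  # None for Success/Failure, which carry no Type octet


def build_eap(code: int, identifier: int, eap_type: int, payload: bytes = b"") -> bytes:
    """Build an EAP packet (Code, Identifier, Length, Type, Type-Data) with a
    correct big-endian Length field."""
    body = bytes([eap_type]) + payload
    return bytes([code, identifier]) + (4 + len(body)).to_bytes(2, "big") + body


def parse_eap_message(raw: bytes) -> EapHeader:
    """Parse the fixed EAP header and check the Length field against the data."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than the 4-octet header")
    code, identifier = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP Length {length} does not match {len(raw)} octets received")
    has_type = code in (EAP_REQUEST, EAP_RESPONSE) and length >= 5
    return EapHeader(code, identifier, length, raw[4] if has_type else None)


def next_identifier(identifier: int) -> int:
    """The Identifier is one octet, so the request after id=255 carries id=0."""
    return (identifier + 1) & 0xFF


def check_eap_id_sequence(exchange: List[Tuple[str, bytes]]) -> List[str]:
    """Walk an EAP exchange ('C' = NAS/client side, 'S' = server side) and flag
    every response whose Identifier is not that of the outstanding request.
    This is the check a log-side detector would apply to the packets quoted above."""
    problems = []
    outstanding: Optional[int] = None
    for n, (side, raw) in enumerate(exchange):
        hdr = parse_eap_message(raw)
        if side == "S" and hdr.code == EAP_REQUEST:
            outstanding = hdr.identifier
        elif side == "C" and hdr.code == EAP_RESPONSE and outstanding is not None:
            if hdr.identifier != outstanding:
                note = f"packet {n}: response id={hdr.identifier} but request id={outstanding}"
                if outstanding == 0 and hdr.identifier == 255:
                    note += " (peer did not wrap 255 -> 0)"
                problems.append(note)
    return problems


# Constructed sample exchanges (not taken from the thread's debug output).
# Identity response id=255, TLS-start request id=0 after the wrap, then the
# TLS response: the good peer answers with id=0, the broken one repeats id=255.
_IDENTITY = build_eap(EAP_RESPONSE, 255, EAP_TYPE_IDENTITY, b"host/blah")
_TLS_START = build_eap(EAP_REQUEST, 0, EAP_TYPE_TLS, b"\x20")  # flags: S(tart)
_TLS_DATA = b"\x00" + bytes(20)  # flags 0, then dummy TLS record bytes

GOOD_EXCHANGE = [("C", _IDENTITY), ("S", _TLS_START),
                 ("C", build_eap(EAP_RESPONSE, 0, EAP_TYPE_TLS, _TLS_DATA))]
BROKEN_EXCHANGE = [("C", _IDENTITY), ("S", _TLS_START),
                   ("C", build_eap(EAP_RESPONSE, 255, EAP_TYPE_TLS, _TLS_DATA))]

if __name__ == "__main__":
    print("TLS start request:", _TLS_START.hex())
    print("good  :", check_eap_id_sequence(GOOD_EXCHANGE))
    print("broken:", check_eap_id_sequence(BROKEN_EXCHANGE))
```

The constructed TLS-start request parses as code 1, id 0, type 13 with the Start flag set, which is the shape of the Access-Challenge Phil quotes; the broken exchange produces exactly one finding, on the third packet.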


AW: AW: AW: EAP-TLS Failed in handler question

2012-12-11 Thread PENZ Robert
Hi!

Phil, Really BIG THANKS for your help! I'll talk to Extreme Networks.

Robert


Released IP info

2012-12-11 Thread Raz Muhammad
Hi,

I have a very simple query regarding the following radius.log entry. When a PPP
session is disconnected, the following log entry is logged:

Sun Dec  9 20:46:05 2012 : Info: Released IP xx.xx.xx.xx (did  cli
010010010 user xxx@xxx)

I would like to know what part of the configuration will enable/disable
Released IP logging to the radius.log file. I am using the default site
file. It used to work for me before, but I had to make a change to disable
the simultaneous login feature. I disabled the radutmp feature in the sites
default file in the accounting section and the session section.

I also disabled the sqlippool feature, which was left enabled for some
reason, but we don't use any sqlippool feature.

Regards

Raz




Re: Released IP info

2012-12-11 Thread Alan DeKok
Raz Muhammad wrote:
 I have a very simple query regarding the following radius.log entry. When a
 PPP session is disconnected, the following log entry is logged:

 “Sun Dec  9 20:46:05 2012 : Info: Released IP xx.xx.xx.xx (did  cli
 010010010 user xxx@xxx)”

  That message doesn't appear anywhere in the source code.  My guess is
that you edited the local configuration to add it.

  Alan DeKok.
