SoH patch (was Re: Microsoft SoH Support)
On 11/10/2010 22:14, James J J Hooper wrote:
> On 11/10/2010 12:37, Phil Mayers wrote:
>> On 09/10/10 15:01, Garber, Neal wrote:
>>>> Thanks to a lot of work by Phil Mayers, the server now has support for Microsoft SoH in PEAP, normal RADIUS (MS VPN gateway), and in DHCP.
>>> Wow! That *must* have been a lot of work! Thank you Phil.
>>> Does this mean FreeRADIUS can now act as a Health Policy Server?
>> Yes, though it's not 100%. Specifically the code can challenge clients for an SoH, and the client will submit it and FreeRadius decode it. There is not (yet) support for FreeRadius generating and emitting an SoHR, because I don't have a working example of such, and decoding the MS-SOH spec is REALLY REALLY hard without at least some working data to compare to the awful spec language!
> Hi Phil, Alan,
> http://msdn.microsoft.com/en-us/library/cc251376%28v=PROT.10%29.aspx - "Independent of the above states, the last bit of the third byte of the AU ClientStatusCode can take the value of 1 if the AU settings on the client are controlled by policy."

Hi Guys,

I've re-written the patch I originally forwarded to account for the third byte-first bit flag MS stuck in the middle of AU ClientStatusCode. As attached - still not pretty~~

-James

diff --git a/src/main/soh.c b/src/main/soh.c index 9ea5698..e57a714 100644 --- a/src/main/soh.c +++ b/src/main/soh.c
@@ -499,21 +499,23 @@ int soh_verify(REQUEST *request, VALUE_PAIR *sohvp, const uint8_t *data, unsigne case 3: /* auto updates */ s = auto-updates; - switch (hcstatus) { + /* The first bit of the second octet indicates if the case is by-policy (e.g. Group Policy) or not. + We ignore this bit in the switch, and then deal with it if necessary in each case */ + switch (hcstatus 0xfeff) { case 1: - snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s warn disabled, s); + snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s warn disabled by-policy=%i, s, hcstatus 0x0100 ? 1 : 0); break; case 2: - snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s ok action=check-only, s); + snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s ok action=check-only by-policy=%i, s, hcstatus 0x0100 ? 1 : 0); break; case 3: - snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s ok action=download, s); + snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s ok action=download by-policy=%i, s, hcstatus 0x0100 ? 1 : 0); break; case 4: - snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s ok action=install, s); + snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s ok action=install by-policy=%i, s, hcstatus 0x0100 ? 1 : 0); break; case 5: - snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s warn unconfigured, s); + snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s warn unconfigured by-policy=%i, s, hcstatus 0x0100 ? 1 : 0); break; case 0xc0ff0003: snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s warn service-down, s); - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
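Review bot: the mask in `switch (hcstatus 0xfeff)` (presumably `hcstatus & 0xfeff`) clears every bit above bit 15 as well as the 0x0100 flag, so the existing `case 0xc0ff0003:` (service-down) can no longer be reached: 0xc0ff0003 & 0xfeff is 3, which lands in `case 3:` and reports "ok action=download" for a client whose update service is down. Mask only the flag bit, e.g. `switch (hcstatus & ~0x0100)`, and compute the by-policy value once before the switch instead of repeating `hcstatus & 0x0100 ? 1 : 0` in every snprintf. The new comment also says "first bit of the second octet" while the MSDN text quoted earlier in the thread says "last bit of the third byte"; wording the comment to match the spec (0x0100 in the big-endian 32-bit code) would avoid confusing the next reader.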
Re: Microsoft SoH Support
On 10/11/2010 10:14 PM, James J J Hooper wrote:
> Hi Phil, Alan,
> http://msdn.microsoft.com/en-us/library/cc251376%28v=PROT.10%29.aspx - "Independent of the above states, the last bit of the third byte of the AU ClientStatusCode can take the value of 1 if the AU settings on the client are controlled by policy."

Aww man... They really did screw up that result code crap... It's an enumeration, ORed with a bitfield! We're geniuses
Re: Microsoft SoH Support
Phil Mayers wrote:
> Yeah - that's in 0004-*.patch (I noticed it when using the excellent raddebug to test that the SoH stuff appeared)

OK... the patch doesn't apply, and adding/deleting the \n is awkward. I'll make a few simple changes today, and push them to git.freeradius.org. Please double-check them for sanity.

Alan DeKok.
Re: Microsoft SoH Support
On 12/10/10 11:11, Alan DeKok wrote:
> Phil Mayers wrote:
>> Yeah - that's in 0004-*.patch (I noticed it when using the excellent raddebug to test that the SoH stuff appeared)
> OK... the patch doesn't apply, and adding/deleting the \n is

Rats. Sorry about that.

> awkward. I'll make a few simple changes today, and push them to git.freeradius.org. Please double-check them for sanity.

Will do.
Re: Microsoft SoH Support
OK... see git. I've moved src/lib/soh.c -> src/main/soh.c, and done minimal updates to get it to compile.

If you can redo the debug patches, I'll put them in. Or maybe I should just give you direct git access...

Alan DeKok.
Re: Microsoft SoH Support
On 12/10/10 15:29, Alan DeKok wrote:
> OK... see git. I've moved src/lib/soh.c -> src/main/soh.c, and done minimal updates to get it to compile.

Ok, aefe73e885198b5735fad6fbd59d63a9116912b7 looks good; patch against that attached - it's nothing complex, but seems to work for me.

(Is there an equivalent of debug_pair_list outputting via request->radlog?)

> If you can redo the debug patches, I'll put them in. Or maybe I should just give you direct git access...

Gulp!

From 43dd97600c5bb3f497e7948e404d7f0147e4f435 Mon Sep 17 00:00:00 2001 From: Phil Mayers p.may...@imperial.ac.uk Date: Tue, 12 Oct 2010 17:20:08 +0100 Subject: [PATCH] use RDEBUG --- src/main/soh.c | 36 ++-- 1 files changed, 18 insertions(+), 18 deletions(-) diff --git a/src/main/soh.c b/src/main/soh.c index 926faa3..9ea5698 100644 --- a/src/main/soh.c +++ b/src/main/soh.c @@ -117,7 +117,7 @@ static int eapsoh_mstlv(REQUEST *request, VALUE_PAIR *sohvp, const uint8_t *p, u * MS-SOH section 2.2.4.1 */ if (data_len 18) { - DEBUG(insufficient data for MS-Machine-Inventory-Packet); + RDEBUG(insufficient data for MS-Machine-Inventory-Packet); return 0; } data_len -= 18; @@ -172,7 +172,7 @@ static int eapsoh_mstlv(REQUEST *request, VALUE_PAIR *sohvp, const uint8_t *p, u /* MS-Packet-Info * MS-SOH 2.2.4.3 */ - DEBUG(SoH MS-Packet-Info %s vers=%i, *p 0x10 ? request : response, *p 0xf); + RDEBUG3(SoH MS-Packet-Info %s vers=%i, *p 0x10 ? request : response, *p 0xf); p++; data_len--; break; @@ -253,7 +253,7 @@ static int eapsoh_mstlv(REQUEST *request, VALUE_PAIR *sohvp, const uint8_t *p, u break; default: - DEBUG(SoH Unknown MS TV %i stopping, c); + RDEBUG(SoH Unknown MS TV %i stopping, c); return 0; } }
@@ -319,14 +319,14 @@ int soh_verify(REQUEST *request, VALUE_PAIR *sohvp, const uint8_t *data, unsigne hdr.tlv_vendor = soh_pull_be_32(data); data += 4; if (hdr.tlv_type != 7 || hdr.tlv_vendor != 0x137) { - DEBUG(SoH payload is %i %08x not a ms-vendor packet, hdr.tlv_type, hdr.tlv_vendor); + RDEBUG(SoH payload is %i %08x not a ms-vendor packet, hdr.tlv_type, hdr.tlv_vendor); return -1; } hdr.soh_type = soh_pull_be_16(data); data += 2; hdr.soh_len = soh_pull_be_16(data); data += 2; if (hdr.soh_type != 1) { - DEBUG(SoH tlv %04x is not a response, hdr.soh_type); + RDEBUG(SoH tlv %04x is not a response, hdr.soh_type); return -1; } @@ -339,13 +339,13 @@ int soh_verify(REQUEST *request, VALUE_PAIR *sohvp, const uint8_t *data, unsigne if (resp.outer_type!=7 || resp.vendor != 0x137) { - DEBUG(SoH response outer type %i/vendor %08x not recognised, resp.outer_type, resp.vendor); + RDEBUG(SoH response outer type %i/vendor %08x not recognised, resp.outer_type, resp.vendor); return -1; } switch (resp.inner_type) { case 1: /* no mode sub-header */ - DEBUG(SoH without mode subheader); + RDEBUG(SoH without mode subheader); break; case 2: mode.outer_type = soh_pull_be_16(data); data += 2; @@ -357,13 +357,13 @@ int soh_verify(REQUEST *request, VALUE_PAIR *sohvp, const uint8_t *data, unsigne data += 2; if (mode.outer_type != 7 || mode.vendor != 0x137 || mode.content_type != 0) { - DEBUG(SoH mode subheader outer type %i/vendor %08x/content type %i invalid, mode.outer_type, mode.vendor, mode.content_type); + RDEBUG3(SoH mode subheader outer type %i/vendor %08x/content type %i invalid, mode.outer_type, mode.vendor, mode.content_type); return -1; } - DEBUG(SoH with mode subheader); + RDEBUG3(SoH with mode subheader); break; default: - DEBUG(SoH invalid inner type %i, resp.inner_type); + RDEBUG(SoH invalid inner type %i, resp.inner_type);
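Review bot: in the `@@ -357,13 +357,13 @@` hunk, the "SoH mode subheader outer type %i/vendor %08x/content type %i invalid" message is moved to RDEBUG3 even though it is immediately followed by `return -1`, i.e. the whole SoH is rejected. The other fatal paths in this patch (`not a ms-vendor packet`, `is not a response`, `invalid inner type`) use plain RDEBUG; a failure that makes soh_verify return -1 should be logged at that same level, with RDEBUG3 kept for the informational `SoH with mode subheader` line.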
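Review bot: the `@@ -172,7 +172,7 @@` hunk switches the MS-Packet-Info line to RDEBUG3 while the `@@ -117` and `@@ -253` hunks in the same function use RDEBUG, and the commit message ("use RDEBUG") does not say which messages are meant to be level 3 per-TLV chatter versus level 1 decode problems; a sentence on that split in the commit message would make the level choices reviewable, and the stray `-- ` and `}` context at the end of the `@@ -253` hunk suggests the patch should be re-generated so it applies cleanly.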
Re: Microsoft SoH Support
Hi,

you know...some sicko side of me thinks it'd be great if stats on SoH could be output via access with radmin or the Server-Status packet...

alan
Re: Microsoft SoH Support
Alan Buxey wrote:
> Hi, you know...some sicko side of me thinks it'd be great if stats on SoH could be output via access with radmin or the Server-Status packet...

That's the kind of information which belongs in a DB, I think. It's not RADIUS related (packets sent / received), and it's about long-term network state.

Alan DeKok.
Re: Microsoft SoH Support
Phil Mayers wrote:
> Ok, aefe73e885198b5735fad6fbd59d63a9116912b7 looks good; patch against that attached - it's nothing complex, but seems to work for me.

Pushed, thanks.

> (Is there an equivalent of debug_pair_list outputting via request->radlog?)

No, sorry.

Alan DeKok.
Re: Microsoft SoH Support
On 09/10/10 15:01, Garber, Neal wrote:
>> Thanks to a lot of work by Phil Mayers, the server now has support for Microsoft SoH in PEAP, normal RADIUS (MS VPN gateway), and in DHCP.
> Wow! That *must* have been a lot of work! Thank you Phil.
> Does this mean FreeRADIUS can now act as a Health Policy Server?

Yes, though it's not 100%. Specifically the code can challenge clients for an SoH, and the client will submit it and FreeRadius decode it. There is not (yet) support for FreeRadius generating and emitting an SoHR, because I don't have a working example of such, and decoding the MS-SOH spec is REALLY REALLY hard without at least some working data to compare to the awful spec language!

It's fairly useful though - you can enable it, and SoH-enabled clients will submit info like:

[peap] Processing SoH request
        SoH-Supported = yes
        SoH-MS-Machine-OS-vendor = Microsoft
        SoH-MS-Machine-OS-version = 5
        SoH-MS-Machine-OS-release = 1
        SoH-MS-Machine-OS-build = 2600
        SoH-MS-Machine-SP-version = 3
        SoH-MS-Machine-SP-release = 0
        SoH-MS-Machine-Processor = x86
        SoH-MS-Machine-Name = machine.test.ic.ac.uk
        SoH-MS-Correlation-Id = 0x...
        SoH-MS-Machine-Role = client
        SoH-MS-Windows-Health-Status = firewall error down
        SoH-MS-Windows-Health-Status = antivirus error down
        SoH-MS-Windows-Health-Status = auto-updates warn service-down
        SoH-MS-Windows-Health-Status = security-updates ok all-installed
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = host/machine.test.ic.ac.uk

This can be punted to a virtual server, and you can assign a vlan or reject authentication etc.

I've tested it with WinXP SP3, Vista and Win7.

There is one compile fix needed which must have snuck through (attached)

diff --git a/src/modules/rlm_soh/rlm_soh.c b/src/modules/rlm_soh/rlm_soh.c index 027e0f6..c5aa1fe 100644 --- a/src/modules/rlm_soh/rlm_soh.c +++ b/src/modules/rlm_soh/rlm_soh.c
@@ -205,7 +205,7 @@ static int soh_authorize(UNUSED void * instance, REQUEST *request) RDEBUG(SoH radius VP found); /* decode it */ - rv = soh_verify(request-packet-vps, vp-vp_octets, vp-length); + rv = soh_verify(request, request-packet-vps, vp-vp_octets, vp-length); return RLM_MODULE_OK; } - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
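Review bot: `rv = soh_verify(request, request->packet->vps, vp->vp_octets, vp->length);` stores the result but the next statement is an unconditional `return RLM_MODULE_OK;`, so a decode failure (soh_verify returns -1 on a malformed or non-Microsoft payload in the hunks elsewhere in this thread) is silently dropped and the SoH-* attributes are simply absent for the policy in the virtual server. Either test `rv < 0`, log it with RDEBUG and decide whether that should map to noop or fail, or drop the unused assignment so the compiler does not warn about a set-but-unused variable.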
Re: Microsoft SoH Support
Phil Mayers wrote:
> I've tested it with WinXP SP3, Vista and Win7.
> There is one compile fix needed which must have snuck through (attached)

I deleted all references to the REQUEST structure from src/lib/soh.c. The library functions are for clients, not just the server.

The code in git should now be up to date, and should compile.

Alan DeKok.
Re: Microsoft SoH Support
On 11/10/10 13:24, Alan DeKok wrote:
> Phil Mayers wrote:
>> I've tested it with WinXP SP3, Vista and Win7.
>> There is one compile fix needed which must have snuck through (attached)
> I deleted all references to the REQUEST structure from src/lib/soh.c. The library functions are for clients, not just the server.

Indeed. Is there a good way besides the DEBUG macro to emit debugging output in lib/*.c code? I imagine there will be SoH type/value or type/len/value stuff that we'll want to log (but others that we won't - it's probably too noisy as-is)

Also I guess the right thing to do is use the RDEBUG macros where possible so that the per-request / radmin conditional debugging works?

Perhaps lib/soh.c should move to main/, given it's not much use for the clients?
Re: Microsoft SoH Support
Phil Mayers wrote:
> Indeed. Is there a good way besides the DEBUG macro to emit debugging output in lib/*.c code?

Nope.

> I imagine there will be SoH type/value or type/len/value stuff that we'll want to log (but others that we won't - it's probably too noisy as-is)

OK.

> Also I guess the right thing to do is use the RDEBUG macros where possible so that the per-request / radmin conditional debugging works?

Yes.

> Perhaps lib/soh.c should move to main/, given it's not much use for the clients?

Hmm... that would work, too. I can always git mv the file if that would be best, then re-add the RDEBUG macros.

Alan DeKok.
Re: Microsoft SoH Support
Hi,

> It's fairly useful though - you can enable it, and SoH-enabled clients will submit info like:

<snip>

> This can be punted to a virtual server, and you can assign a vlan or reject authentication etc.
> I've tested it with WinXP SP3, Vista and Win7.
> There is one compile fix needed which must have snuck through (attached)

just to report that we've been using this for a little while (via its old direct GIT) and I'm happy to see it starting to go into the main tree... we are not using it YET for direct policy decisions (ie putting people onto different VLANs) - we are just starting to record the status of our clients' health and security posture. it will hopefully give us interesting client metrics

alan
Re: Microsoft SoH Support
--On Monday, October 11, 2010 14:24:07 +0200 Alan DeKok al...@deployingradius.com wrote:
> Phil Mayers wrote:
>> I've tested it with WinXP SP3, Vista and Win7.
>> There is one compile fix needed which must have snuck through (attached)
> I deleted all references to the REQUEST structure from src/lib/soh.c. The library functions are for clients, not just the server.
> The code in git should now be up to date, and should compile.

[I know it's work in progress, just FYI...]

There are two unprotected fprintf in peap.c which appear to block the server if you run it daemonized [i.e. not -X]:

$ grep -A 5 -B 5 JJJ ./src/modules/rlm_eap/types/rlm_eap_peap/peap.c
        rad_assert(t->soh_virtual_server != NULL);
        fake->server = t->soh_virtual_server;
        RDEBUG("Processing SoH request");
        debug_pair_list(fake->packet->vps);
        //JJJ fprintf(fr_log_fp, "server %s {\n", fake->server);
        rad_authenticate(fake);
        //JJJ fprintf(fr_log_fp, "} # server %s\n", fake->server);
        RDEBUG("Got SoH reply");
        debug_pair_list(fake->reply->vps);
        if (fake->reply->code != PW_AUTHENTICATION_ACK) {
                RDEBUG2("SoH was rejected");

-James

--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk
http://www.jamesjj.net
--
Re: Microsoft SoH Support
Phil Mayers wrote:
> Ok, the attached should be more sane

Debug messages shouldn't have \n. The log function adds the \n itself.

Alan DeKok.
Re: Microsoft SoH Support
On 11/10/10 16:23, Alan DeKok wrote:
> Phil Mayers wrote:
>> Ok, the attached should be more sane
> Debug messages shouldn't have \n. The log function adds the \n itself.

Yeah - that's in 0004-*.patch (I noticed it when using the excellent raddebug to test that the SoH stuff appeared)
Re: Microsoft SoH Support
On 11/10/2010 12:37, Phil Mayers wrote:
> On 09/10/10 15:01, Garber, Neal wrote:
>>> Thanks to a lot of work by Phil Mayers, the server now has support for Microsoft SoH in PEAP, normal RADIUS (MS VPN gateway), and in DHCP.
>> Wow! That *must* have been a lot of work! Thank you Phil.
>> Does this mean FreeRADIUS can now act as a Health Policy Server?
> Yes, though it's not 100%. Specifically the code can challenge clients for an SoH, and the client will submit it and FreeRadius decode it. There is not (yet) support for FreeRadius generating and emitting an SoHR, because I don't have a working example of such, and decoding the MS-SOH spec is REALLY REALLY hard without at least some working data to compare to the awful spec language!

Hi Phil, Alan,

http://msdn.microsoft.com/en-us/library/cc251376%28v=PROT.10%29.aspx - "Independent of the above states, the last bit of the third byte of the AU ClientStatusCode can take the value of 1 if the AU settings on the client are controlled by policy."

[We do a little of http://technet.microsoft.com/en-us/library/cc708449%28WS.10%29.aspx on our clients via our wireless set-up wizard to help them keep up to date with patches]

... Therefore patch attached {confd-by= format only a suggestion}.

-James

--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk
http://www.jamesjj.net
--

--- soh.c-orig 2010-10-11 20:54:28.0 + +++ soh.c-new1 2010-10-11 21:02:49.0 +
@@ -500,19 +500,34 @@ int soh_verify(VALUE_PAIR *sohvp, const s = auto-updates; switch (hcstatus) { case 1: - snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s warn disabled, s); + snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s warn disabled confd-by=user, s); break; case 2: - snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s ok action=check-only, s); + snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s ok action=check-only confd-by=user, s); break; case 3: - snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s ok action=download, s); + snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s ok action=download confd-by=user, s); break; case 4: - snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s ok action=install, s); + snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s ok action=install confd-by=user, s); break; case 5: - snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s warn unconfigured, s); + snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s warn unconfigured confd-by=user, s); + break; + case 0x0101: + snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s warn disabled confd-by=policy, s); + break; + case 0x0102: + snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s ok action=check-only confd-by=policy, s); + break; + case 0x0103: + snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s ok action=download confd-by=policy, s); +
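Review bot: adding `case 0x0101:` through `case 0x0105:` repeats every format string of cases 1..5 with only the `confd-by=` suffix differing, and any future status value would need the flagged twin enumerated as well. Since the MSDN text quoted in the mail describes the 0x0100 bit as independent of the enumerated states, clearing that one bit before the `switch (hcstatus)` and emitting `confd-by=%s` from a value computed once would handle every combination in five cases rather than ten; the attached diff also stops mid-hunk after `case 0x0103:`, so the remaining added cases are not visible for review.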
Re: Microsoft SoH Support
On 11/10/2010 22:14, James J J Hooper wrote:
> On 11/10/2010 12:37, Phil Mayers wrote:
>> On 09/10/10 15:01, Garber, Neal wrote:
>>>> Thanks to a lot of work by Phil Mayers, the server now has support for Microsoft SoH in PEAP, normal RADIUS (MS VPN gateway), and in DHCP.
>>> Wow! That *must* have been a lot of work! Thank you Phil.
>>> Does this mean FreeRADIUS can now act as a Health Policy Server?
>> Yes, though it's not 100%. Specifically the code can challenge clients for an SoH, and the client will submit it and FreeRadius decode it. There is not (yet) support for FreeRadius generating and emitting an SoHR, because I don't have a working example of such, and decoding the MS-SOH spec is REALLY REALLY hard without at least some working data to compare to the awful spec language!
> Hi Phil, Alan,
> http://msdn.microsoft.com/en-us/library/cc251376%28v=PROT.10%29.aspx - "Independent of the above states, the last bit of the third byte of the AU ClientStatusCode can take the value of 1 if the AU settings on the client are controlled by policy."
> [We do a little of http://technet.microsoft.com/en-us/library/cc708449%28WS.10%29.aspx on our clients via our wireless set-up wizard to help them keep up to date with patches]
> ... Therefore patch attached {confd-by= format only a suggestion}.

...I wonder if MS ever end up with:

        case 0x0105:
                snprintf(vp->vp_strvalue, sizeof(vp->vp_strvalue), "%s warn unconfigured confd-by=policy", s);

Oh well, it's in the spec...

-James
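The AU ClientStatusCode decoding argued over in this message and in James's rewritten patch at the top of the thread, as an added example that is not FreeRADIUS code and was not posted by anyone on the list: the by-policy bit is separated from the enumeration before the switch, using a mask that keeps the upper bits so that 0xc0ff0003 (service down) still decodes. The function and macro names and the output wording are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not FreeRADIUS code. Decodes the MS-SOH Automatic Updates
 * ClientStatusCode as the thread describes it: an enumeration (1..5, plus
 * 0xc0ff0003 for "service down") ORed with one "configured by policy" flag in
 * the last bit of the third byte of the big-endian 32-bit code (0x00000100).
 * Function/macro names and the message wording are this example's own. */

#define AU_BY_POLICY_FLAG 0x00000100u

/* Maps the enumeration part of the code (flag already cleared) to text.
 * Returns NULL for a value this example does not know. */
static const char *au_enum_text(uint32_t code)
{
    switch (code) {
    case 1:          return "warn disabled";
    case 2:          return "ok action=check-only";
    case 3:          return "ok action=download";
    case 4:          return "ok action=install";
    case 5:          return "warn unconfigured";
    case 0xc0ff0003: return "warn service-down";
    default:         return NULL;
    }
}

/* Writes "auto-updates <status> by-policy=<0|1>" into buf.
 * Returns 0 for a recognised code, -1 (with an "error unknown" text) otherwise. */
int au_status_text(uint32_t hcstatus, char *buf, size_t buflen)
{
    int by_policy = (hcstatus & AU_BY_POLICY_FLAG) ? 1 : 0;
    /* Clear only the flag bit. A 16-bit mask such as 0xfeff would also strip
     * the upper half of 0xc0ff0003 and turn "service down" into case 3. */
    uint32_t code = hcstatus & ~AU_BY_POLICY_FLAG;
    const char *text = au_enum_text(code);

    if (text == NULL) {
        snprintf(buf, buflen, "auto-updates error unknown-status=0x%08x",
                 (unsigned) hcstatus);
        return -1;
    }
    snprintf(buf, buflen, "auto-updates %s by-policy=%d", text, by_policy);
    return 0;
}

/* Stand-alone demo over a few constructed status codes. */
int main(void)
{
    const uint32_t samples[] = { 0x00000002u, 0x00000103u, 0xc0ff0003u,
                                 0x00000105u, 0x00000107u };
    char buf[96];
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int rv = au_status_text(samples[i], buf, sizeof(buf));
        printf("0x%08x -> %s (rv=%d)\n", (unsigned) samples[i], buf, rv);
    }
    return 0;
}
```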
RE: Microsoft SoH Support
> Thanks to a lot of work by Phil Mayers, the server now has support for Microsoft SoH in PEAP, normal RADIUS (MS VPN gateway), and in DHCP.

Wow! That *must* have been a lot of work! Thank you Phil.

Does this mean FreeRADIUS can now act as a Health Policy Server?
Re: Microsoft SoH Support
Garber, Neal wrote:
>> Thanks to a lot of work by Phil Mayers, the server now has support for Microsoft SoH in PEAP, normal RADIUS (MS VPN gateway), and in DHCP.
> Wow! That *must* have been a lot of work! Thank you Phil.

~1400 lines, including documentation.

> Does this mean FreeRADIUS can now act as a Health Policy Server?

I presume so. See raddb/sites-available/soh

Alan DeKok.