Closed BSpendlove closed 2 months ago
My docker-compose file I am testing this with:
```yaml
services:
  freeradius:
    image: freeradius/freeradius-server:3.2.5-alpine
    command: -X
    ports:
      - "1812:1812/udp"
      - "1813:1813/udp"
      - "3799:3799/udp"
    volumes:
      - "${PWD}/test:/etc/raddb/sites-enabled/coa" # just the coa-relay within v3.2.x branch -> sites-available/coa_relay
      - "${PWD}/configs/radius/clients.conf:/etc/raddb/clients.conf" # just 2 clients configured with the secret below
      - "${PWD}/detail_coa:/etc/raddb/mods-enabled/detail_coa" # detail_coa example from the sites-available/coa_relay L64
      - "${PWD}/sql:/etc/raddb/mods-enabled/sql" # same sql file inside v3.2.x branch -> mods-available/sql
    environment:
      RADIUS_SECRET: "secret123"
      RADIUS_STATUS_SECRET: "adminsecret"
    restart: always
```
If I send an initial authentication packet like so:
```
time echo "User-Name=bad-username-example" | radclient localhost:1812 auth secret123 -x
Sent Access-Request Id 76 from 0.0.0.0:43455 to 127.0.0.1:1812 length 42
        User-Name = "bad-username-example"
```
then send a COA packet or disconnect packet, everything works fine and the packet doesn't end up getting duplicated by freeradius. Even if I send a packet with a bad secret!
Please try the v3.2.x branch. I've pushed a patch which should fix this.
Hi, I've just tried v3.2.x and with a correct secret I get this after sending a COA disconnect when the container starts:
```
freeradius-1 | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1 | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1 | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1 | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1 | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1 | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1 | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1 | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1 | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1 | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1 | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1 | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1 | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1 | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1 | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1 | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1 | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1 | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1 | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1 | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1 | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
freeradius-1 | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205
```
With a wrong secret I get:
```
freeradius-1 | (0) Ignoring duplicate packet from client 172.21.0.1 port 39535 - ID: 18 due to unfinished request in component <REQUEST_DONE> module
freeradius-1 | Waking up in 0.5 seconds.
freeradius-1 | (0) Ignoring duplicate packet from client 172.21.0.1 port 39535 - ID: 18 due to unfinished request in component <REQUEST_DONE> module
freeradius-1 | Waking up in 0.5 seconds.
freeradius-1 | (0) Ignoring duplicate packet from client 172.21.0.1 port 39535 - ID: 18 due to unfinished request in component <REQUEST_DONE> module
freeradius-1 | Waking up in 0.5 seconds.
freeradius-1 | (0) Ignoring duplicate packet from client 172.21.0.1 port 39535 - ID: 18 due to unfinished request in component <REQUEST_DONE> module
freeradius-1 | Waking up in 0.5 seconds.
freeradius-1 | (0) Ignoring duplicate packet from client 172.21.0.1 port 39535 - ID: 18 due to unfinished request in component <REQUEST_DONE> module
freeradius-1 | Waking up in 0.5 seconds.
freeradius-1 | (0) Ignoring duplicate packet from client 172.21.0.1 port 39535 - ID: 18 due to unfinished request in component <REQUEST_DONE> module
```
If there are any logs or commands you would like me to run then please do let me know! Thanks
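An added example, not part of the original comments or of FreeRADIUS itself: a small detector that scans `-X` debug output for the two duplicate-handling messages quoted above and flags any client/port/ID tuple that repeats often enough to look like this loop rather than an ordinary retransmit. The log lines are constructed in the format shown in this thread, and the threshold of 5 and the function name `find_duplicate_storms` are assumptions.

```python
import re
from collections import Counter

# Constructed sample, modelled on the debug lines quoted in this thread.
SAMPLE_LOG = "\n".join(
    ["freeradius-1 | (0) Sending duplicate reply to client 172.21.0.1 port 57982 - ID: 205"] * 6
    + ["freeradius-1 | (0) Ignoring duplicate packet from client 172.21.0.1 port 39535 - ID: 18 "
       "due to unfinished request in component <REQUEST_DONE> module",
       "freeradius-1 | Waking up in 0.5 seconds."] * 6
    # A single duplicate reply, as a normal client retransmit would produce.
    + ["freeradius-1 | (7) Sending duplicate reply to client 192.0.2.10 port 40000 - ID: 9"]
)

# Matches both messages and captures the tuple that identifies one request.
DUP_RE = re.compile(
    r"\(\d+\)\s+(?P<kind>Sending duplicate reply to|Ignoring duplicate packet from)"
    r"\s+client (?P<client>\S+) port (?P<port>\d+) - ID: (?P<id>\d+)"
)


def find_duplicate_storms(lines, threshold=5):
    """Return {(client, port, packet_id, kind): count} for tuples seen >= threshold times.

    kind is "reply" for 'Sending duplicate reply' and "ignored" for
    'Ignoring duplicate packet'. The threshold is an assumed tuning value.
    """
    counts = Counter()
    for line in lines:
        m = DUP_RE.search(line)
        if not m:
            continue  # unrelated debug output such as "Waking up in ..."
        kind = "reply" if m["kind"].startswith("Sending") else "ignored"
        counts[(m["client"], int(m["port"]), int(m["id"]), kind)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (client, port, pkt_id, kind), n in find_duplicate_storms(SAMPLE_LOG.splitlines()).items():
        print(f"duplicate storm: client={client} port={port} id={pkt_id} kind={kind} count={n}")
```
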
I've pushed a fix.
What type of defect/bug is this?
Unexpected behaviour (obvious or verified by project member)
How can the issue be reproduced?
Hi all, I'm a bit stuck with an issue that I don't know if it's FreeRADIUS, but it seems weird to behave this way and completely crash the application. The story is that I am running FreeRADIUS in K8s and doing some testing; if I restart my pods and send a COA to be processed by FreeRADIUS before any authentication requests come in first, then it gets the right hump. If I send an initial authentication request (even if it's rejected) then this seems to get around the issue.
So I have come back to basics and am just running the 3.2.5 alpine image in a docker-compose file with some default provided configurations in case it was a configuration error on my side. I will post separately the docker-compose and files I am mounting for my fresh configuration.
1) Build a fresh FreeRADIUS container with minimal COA configuration
2) Send a COA disconnect to the coa port (even if the secret is wrong)
3) Processes duplicate packets like mad and FreeRADIUS comes to a halt
Log output from the FreeRADIUS daemon
Relevant log output from client utilities
```
time echo 'Acct-Session-Id = "769df3 312343"' | radclient localhost:3799 disconnect devs3cr3t! -x -d configs/radius/
Sent Disconnect-Request Id 133 from 0.0.0.0:58912 to 127.0.0.1:3799 length 35
        Acct-Session-Id = "769df3 312343"
```
Backtrace from LLDB or GDB
No response