FreeRADIUS / freeradius-server

FreeRADIUS - A multi-protocol policy server.
http://freeradius.org
GNU General Public License v2.0

3.0.x - proxy to unresponsive home server: request is proxied 3 times, no reply sent to client #657

Closed nchaigne closed 10 years ago

nchaigne commented 10 years ago

(follows https://github.com/FreeRADIUS/freeradius-server/issues/656)

The client sends one request (no re-emissions) to FreeRADIUS, which proxies it to the home server. The home server does not respond.

The request is proxied 3 times to the home server. No reply is sent back to the client.

Here is the full debug output, with "DEBUG_STATE_MACHINE" enabled:

Received Access-Request Id 212 from 10.67.106.9:49312 to 10.67.141.74:1812 length 184
(0) ********    STATE request_setup C-? -> C-running    ********
(0) ********    STATE request_queue_or_run action timer live M-active C-running ********
(0) ********    STATE request_running action run live M-active C-running        ********
(0) ********    STATE request_pre_handler action run live M-active C-running    ********
        User-Name = '1208010000000002@wlan.mnc001.mcc208.3gppnetwork.org'
        Message-Authenticator = 0xf37a12ff1e2a68e29f5c5681cd7adb88
        NAS-IP-Address = 10.20.0.0
        NAS-Identifier = 'LiveBox1'
        Calling-Station-Id = '4E:F0:F5:A7:9B:A2'
        EAP-Message = 0x02b90038013132303830313030303030303030303240776c616e2e6d6e633030312e6d63633230382e336770706e6574776f726b2e6f7267
(0) # Executing section authorize from file /opt/application/sim3gppb/current/etc/raddb/sites-enabled/server-proxy
(0)   authorize {
(0)    if (EAP-Message)
(0)    if (EAP-Message)  -> TRUE
(0)   if (EAP-Message)  {
(0)    update control {
(0)     &Proxy-To-Realm := '3gpp.orange.fr'
(0)    } # update control = noop
(0)   } # if (EAP-Message)  = noop
(0)  } #  authorize = noop
(0) ********    Will Proxy      ********
(0) Proxying request to home server 10.67.141.74 port 31813
Sending Access-Request Id 242 from 0.0.0.0:63267 to 10.67.141.74:31813
        User-Name = '1208010000000002@wlan.mnc001.mcc208.3gppnetwork.org'
        Message-Authenticator = 0xf37a12ff1e2a68e29f5c5681cd7adb88
        NAS-IP-Address = 10.20.0.0
        NAS-Identifier = 'LiveBox1'
        Calling-Station-Id = '4E:F0:F5:A7:9B:A2'
        EAP-Message = 0x02b90038013132303830313030303030303030303240776c616e2e6d6e633030312e6d63633230382e336770706e6574776f726b2e6f7267
        Proxy-State = 0x323132
Waking up in 0.3 seconds.
(0) ********    STATE request_timer action timer live M-active C-proxied        ********
(0) ********    STATE request_running action timer live M-active C-proxied      ********
(0) ********    STATE request_process_timer action timer live M-active C-proxied        ********
Waking up in 0.4 seconds.
(0) ********    STATE request_timer action timer live M-active C-proxied        ********
(0) ********    STATE proxy_wait_for_reply action timer live M-active C-proxied ********
(0) Expecting proxy response no later than 10.000000 seconds from now
Waking up in 9.1 seconds.
(0) ********    STATE request_timer action timer live M-active C-proxied        ********
(0) ********    STATE proxy_wait_for_reply action timer live M-active C-proxied ********
(0) No proxy response, giving up on request and marking it done
Marking home server 10.67.141.74 port 31813 as zombie (it has not responded in 10.000000 seconds).
(0) ERROR: Failing request - proxy ID 242, due to lack of any response from home server 10.67.141.74 port 31813
(0) ********    STATE request_queue_or_run action timer live M-active C-proxied ********
(0) ********    STATE proxy_no_reply action run live M-active C-running ********
(0) ********    STATE request_running action proxy-reply live M-active C-running        ********
(0) ********    STATE proxy_running action run live M-active C-running  ********
(0) Found Post-Proxy-Type Fail
(0) # Executing group from file /opt/application/sim3gppb/current/etc/raddb/sites-enabled/server-proxy
(0)  Post-Proxy-Type Fail {
(0)   update  {
(0)     reply:Reply-Message := 'no response from home server'
(0)   } # update  = noop
(0)  } # Post-Proxy-Type Fail = noop
(0) ********    STATE request_running action run live M-active C-running        ********
(0) ********    STATE request_pre_handler action run live M-active C-running    ********
(0) ********    Will Proxy      ********
(0) Proxying request to home server 10.67.141.74 port 31813
Sending Access-Request Id 30 from 0.0.0.0:63267 to 10.67.141.74:31813
        User-Name = '1208010000000002@wlan.mnc001.mcc208.3gppnetwork.org'
        Message-Authenticator = 0xf37a12ff1e2a68e29f5c5681cd7adb88
        NAS-IP-Address = 10.20.0.0
        NAS-Identifier = 'LiveBox1'
        Calling-Station-Id = '4E:F0:F5:A7:9B:A2'
        EAP-Message = 0x02b90038013132303830313030303030303030303240776c616e2e6d6e633030312e6d63633230382e336770706e6574776f726b2e6f7267
        Proxy-State = 0x323132
        Proxy-State = 0x323132
Waking up in 0.3 seconds.
(0) ********    STATE request_timer action timer live M-active C-proxied        ********
(0) ********    STATE proxy_running action timer live M-active C-proxied        ********
(0) ********    STATE request_common action timer live M-active C-proxied       ********
(0) ********    STATE request_process_timer action timer live M-active C-proxied        ********
Waking up in 0.4 seconds.
(0) ********    STATE request_timer action timer live M-active C-proxied        ********
(0) ********    STATE proxy_wait_for_reply action timer live M-active C-proxied ********
(0) Expecting proxy response no later than 10.000000 seconds from now
Waking up in 9.1 seconds.
(0) ********    STATE request_timer action timer live M-active C-proxied        ********
(0) ********    STATE proxy_wait_for_reply action timer live M-active C-proxied ********
(0) No proxy response, giving up on request and marking it done
(0) ERROR: Failing request - proxy ID 30, due to lack of any response from home server 10.67.141.74 port 31813
(0) ********    STATE request_queue_or_run action timer live M-active C-proxied ********
(0) ********    STATE proxy_no_reply action run live M-active C-running ********
(0) ********    STATE request_running action proxy-reply live M-active C-running        ********
(0) ********    STATE proxy_running action run live M-active C-running  ********
(0) Found Post-Proxy-Type Fail
(0) # Executing group from file /opt/application/sim3gppb/current/etc/raddb/sites-enabled/server-proxy
(0)  Post-Proxy-Type Fail {
(0)   update  {
(0)     reply:Reply-Message := 'no response from home server'
(0)   } # update  = noop
(0)  } # Post-Proxy-Type Fail = noop
(0) ********    STATE request_running action run live M-active C-running        ********
(0) ********    STATE request_pre_handler action run live M-active C-running    ********
(0) ********    Will Proxy      ********
(0) Proxying request to home server 10.67.141.74 port 31813
Sending Access-Request Id 172 from 0.0.0.0:63267 to 10.67.141.74:31813
        User-Name = '1208010000000002@wlan.mnc001.mcc208.3gppnetwork.org'
        Message-Authenticator = 0xf37a12ff1e2a68e29f5c5681cd7adb88
        NAS-IP-Address = 10.20.0.0
        NAS-Identifier = 'LiveBox1'
        Calling-Station-Id = '4E:F0:F5:A7:9B:A2'
        EAP-Message = 0x02b90038013132303830313030303030303030303240776c616e2e6d6e633030312e6d63633230382e336770706e6574776f726b2e6f7267
        Proxy-State = 0x323132
        Proxy-State = 0x323132
        Proxy-State = 0x323132
Waking up in 0.3 seconds.
(0) ********    STATE request_timer action timer live M-active C-proxied        ********
(0) ********    STATE proxy_running action timer live M-active C-proxied        ********
(0) ********    STATE request_common action timer live M-active C-proxied       ********
(0) ********    STATE request_process_timer action timer live M-active C-proxied        ********
Waking up in 0.4 seconds.
(0) ********    STATE request_timer action timer live M-stop-processing C-proxied       ********
(0) ********    STATE proxy_wait_for_reply action timer live M-stop-processing C-proxied        ********
Ready to process requests
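
The symptom in the debug output above can be checked mechanically. This is an added example, not code from the thread or from FreeRADIUS: it reads one request's debug log, lists the proxy attempts and their Proxy-State counts, and reports whether the client got a reply. It assumes the log holds a single client request and that a reply to the client appears as a `Sending ... to <client address>` line; `analyze` and `SAMPLE` are hypothetical names.

```python
import re
# Constructed sample: condensed from the debug output quoted in the report above.
SAMPLE = """\
Received Access-Request Id 212 from 10.67.106.9:49312 to 10.67.141.74:1812 length 184
(0) Proxying request to home server 10.67.141.74 port 31813
Sending Access-Request Id 242 from 0.0.0.0:63267 to 10.67.141.74:31813
        Proxy-State = 0x323132
(0) ERROR: Failing request - proxy ID 242, due to lack of any response from home server 10.67.141.74 port 31813
Sending Access-Request Id 30 from 0.0.0.0:63267 to 10.67.141.74:31813
        Proxy-State = 0x323132
        Proxy-State = 0x323132
(0) ERROR: Failing request - proxy ID 30, due to lack of any response from home server 10.67.141.74 port 31813
Sending Access-Request Id 172 from 0.0.0.0:63267 to 10.67.141.74:31813
        Proxy-State = 0x323132
        Proxy-State = 0x323132
        Proxy-State = 0x323132
"""
RECEIVED = re.compile(r"^Received \S+ Id \d+ from (\S+) to \S+")
SENDING = re.compile(r"^Sending \S+ Id (\d+) from \S+ to (\S+)")
FAILED = re.compile(r"ERROR: Failing request - proxy ID (\d+)")

def analyze(log):
    """Summarise one client request: proxy attempts, Proxy-State growth, reply."""
    client, attempts, failed, replied, current = None, [], set(), False, None
    for line in log.splitlines():
        if m := RECEIVED.match(line):
            client = m.group(1)                 # client's source ip:port
        elif m := SENDING.match(line):
            if m.group(2) == client:            # packet addressed back to the client
                replied, current = True, None
            else:                               # packet addressed to a home server
                current = {"id": int(m.group(1)), "proxy_state": 0}
                attempts.append(current)
        elif line.strip().startswith("Proxy-State =") and current is not None:
            current["proxy_state"] += 1         # attribute of the last proxied packet
        elif m := FAILED.search(line):
            failed.add(int(m.group(1)))
    counts = [a["proxy_state"] for a in attempts]
    return {
        "proxy_ids": [a["id"] for a in attempts],
        "proxy_state_counts": counts,
        # True when a later attempt follows one that was already failed.
        "reproxied_after_failure": any(a["id"] in failed for a in attempts[:-1]),
        "proxy_state_growth": len(counts) > 1
        and all(x < y for x, y in zip(counts, counts[1:])),
        "client_replied": replied,
    }

if __name__ == "__main__": print(analyze(SAMPLE))
```

On the sample, the three proxy IDs carry one, two and three Proxy-State attributes, and no packet is addressed to the client.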

nchaigne commented 10 years ago

The simple virtual server configuration I used:

#
# this is a very simple virtual server to test proxy of EAP requests.
#

# configuration items
SRS_3gpp_fictive_realm = 3gpp.test

server server-proxy {

    listen {
        type = auth
        ipaddr = *
        port = 1812
    }

    authorize {
        # Handle EAP Authentication request
        if (EAP-Message) {
            update control {
                &Proxy-To-Realm := ${SRS_3gpp_fictive_realm}
            }
        }
    }

    pre-proxy {
    }

    post-proxy {
        Post-Proxy-Type Fail {
            update {
                reply:Reply-Message := "no response from home server"
            }
        }
    }

}

nchaigne commented 10 years ago

Thanks for the fix! I've got a question though, to be sure this is what you intended: previously, a request with no response from the home server went through "Post-Proxy-Type Fail", then "Post-Auth-Type REJECT", then a Reject reply was sent back to the client.

Now the request goes through "Post-Proxy-Type Fail", but not through "Post-Auth-Type REJECT", and no reply is sent back to the client.

Is that the expected behaviour?

arr2036 commented 10 years ago

No, that's not the correct behaviour. It should go through Post-Proxy-Type Fail, Post-Auth-Type Reject, then send a reject back.

nchaigne commented 10 years ago

Thanks, all seems OK this time :)