Setting up radsec proxy with Freeradius 3.0.15

Muhammad Farhan Sjaugi
Greetings,

Currently I am working on "migrating" our radius proxy server from
radsecproxy to freeradius 3.0.15 with radsec. At the client side, majority
of them are using radsecproxy+freeradius 2.2.9.

Connection from the radius proxy via radius port (1812)/non-radsec works
well. However, if we change the connection from the radius proxy via radsec
it doesn't work.

Below is the error message from the proxy server's log (full debug log
attached):

(1) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0xcacb836ecaca9624
(1) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
(1) eap: Failed to get handler, probably already removed, not inserting EAP-Failure

while at the client side (full debug log attached):

rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
[eap] Failed in handler
++[eap] = invalid
+} # group authenticate = invalid

I used eapol_test to test the authentication.

Is there anyone who has faced a similar problem before? If yes, would you mind
sharing the solution?

Regards

--

*Muhammad Farhan SJAUGI, S.Kom. M.Sc. *

Head | Information Technology Dept. | Senior Lecturer | Centre for
Computing - Centre for Bioinformatics | School of Data Sciences

Perdana University | Block D1, MAEPS Building, MARDI Complex, Jalan MAEPS
Perdana, Serdang 43400, Selangor D.E. Malaysia

Tel: (60) 3-89418646 (ext: 197) GMT+8h | Fax: (65) 3-89417661 | Email:
[hidden email]

Homepage:
http://perdanauniversity.edu.my/pusps/programmes/bioinformatics/our-team/muhammad-farhan-sjaugi/




--
DISCLAIMER: This e-mail and any files transmitted with it ("Message") is
intended only for the use of the recipient(s) named above and may contain
confidential information. You are hereby notified that the taking of any
action in reliance upon, or any review, retransmission, dissemination,
distribution, printing or copying of this Message or any part thereof by
anyone other than the intended recipient(s) is strictly prohibited. If you
have received this Message in error, you should delete this Message
immediately and advise the sender by return e-mail. Opinions, conclusions
and other information in this Message that do not relate to the official
business of Perdana University shall be understood as neither given nor
endorsed by any of the forementioned.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Attachments: radius client.txt (61K), radius proxy.txt (78K)
Re: Setting up radsec proxy with Freeradius 3.0.15

alexsuoy
Hi
I'm using both FR 3.0.15 + radsecproxy and FR 3.0.15 with internal radsec support. I'm on holiday at the moment; I can send you details when I get back to work on the 21st.
A

Sent from my iPhone 6 plus

> On 8 Aug 2017, at 18:51, Muhammad Farhan SJAUGI <[hidden email]> wrote:

Re: Setting up radsec proxy with Freeradius 3.0.15

Muhammad Farhan Sjaugi
Hi,

In a recent development, I finally found the problem.

So the "failure" was due to the fragment_size option inside the tls stanza being
"too small" (i.e. 1024).

In the debug log I found this statement:

"Received packet will be too large! Set "fragment_size = 1071""

Doubling the value to 2048 seems to have solved the problem.

Regards

On Wed, Aug 9, 2017 at 1:04 AM, Alex Sharaz <[hidden email]> wrote:


Re: Setting up radsec proxy with Freeradius 3.0.15

Adam Bishop-2
On 12 Aug 2017, at 15:35, Muhammad Farhan SJAUGI <[hidden email]> wrote:
> I doubled the value to 2048 seems solved the problem.

FreeRADIUS uses 8192 for RadSec connections, not 1024. This is defined in sites-available/tls - which your configuration is not loading.

Regards,

Adam Bishop

  gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.

Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.  
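To check for the misconfiguration discussed in this thread (a RadSec listener whose tls stanza carries an undersized fragment_size), here is an added Python example, not code from the thread or from the FreeRADIUS project: it parses a FreeRADIUS-style listen section, reads fragment_size under its tls subsection, and compares it with the size demanded by the "Received packet will be too large" debug line and with the 8192 default the reply cites. The simplified config parser and the sample listener are constructed for the example.

```python
import re
RADSEC_DEFAULT = 8192  # value shipped in sites-available/tls for RadSec, per the thread
_TOO_LARGE = re.compile(r'Received packet will be too large! Set "fragment_size = (\d+)"')

def parse_config(text):
    """Parse FreeRADIUS-style `name { ... }` blocks and `key = value` lines into nested dicts."""
    stack = [{}]  # stack[0] is the root block, stack[-1] the block being filled
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line.endswith("{"):
            name = line[:-1].strip()
            if name in stack[-1]:  # repeated blocks (several listen {}) are kept apart
                name = f"{name}#{len(stack[-1])}"
            stack[-1][name] = child = {}
            stack.append(child)
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            stack[-1][key] = val.strip('"')
    return stack[0]

def radsec_fragment_size(cfg):
    """fragment_size of the first TCP listen block with a tls subsection (RadSec), else None."""
    for name, block in cfg.items():
        if name.startswith("listen") and isinstance(block, dict) \
                and block.get("proto") == "tcp" and "tls" in block:
            return int(block["tls"].get("fragment_size", RADSEC_DEFAULT))
    return None

def check(config_text, log_lines):
    """Explain whether the configured RadSec fragment_size accounts for the thread's failure."""
    size = radsec_fragment_size(parse_config(config_text))
    # largest fragment_size the debug log asks for, 0 if the line never appears
    need = max([int(m.group(1)) for m in map(_TOO_LARGE.search, log_lines) if m], default=0)
    if size is None:
        return "no RadSec listener found"
    if size < need:
        return f"fragment_size {size} too small; log asks for >= {need}"
    return "ok" if size >= RADSEC_DEFAULT else f"fragment_size {size} below shipped default {RADSEC_DEFAULT}"

# Constructed sample input: a cut-down RadSec listener like the poster's, and two log lines from the thread.
SAMPLE_CONFIG = """listen {
    port = 2083
    proto = tcp
    tls {
        fragment_size = 1024   # the poster's value
    }
}"""
SAMPLE_LOG = ["(1) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0xcacb836ecaca9624",
              'Received packet will be too large! Set "fragment_size = 1071"']
```

Run `check(SAMPLE_CONFIG, SAMPLE_LOG)` against your own listener text and debug output; anything other than "ok" points at the tls stanza the reply above says should be coming from sites-available/tls.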



Re: Setting up radsec proxy with Freeradius 3.0.15

Muhammad Farhan Sjaugi
Hi Adam,

Thanks for the info. How about FR3 to FR3 radsec, should I use the same
figure?

Regards

On Sun, 13 Aug 2017 at 05:59, Adam Bishop <[hidden email]> wrote:

