dynamic-authorization with TLS


dynamic-authorization with TLS

murugesh pitchaiah
Hi

Need help on doing coa with tls:

I am working on setting up Radius TLS. Authentication and Accounting
work fine. But with dynamic-authorization I see the following
issue.

TLS connection between Radius server and NAS is established. But when
testing the coa, it looks like the radclient to Radius server
communication is failing.

(snip)

  ... new connection request on TCP socket
Listening on coa from client (127.0.0.1, 41336) -> (*, 3799, virtual-server=coa)
Waking up in 0.2 seconds.
(0) Initiating new EAP-TLS session
(0) Non-TLS data sent to TLS socket: closing
Closing TLS socket from client port 41336

(snip)

Here is the radclient  output:

(snip)

cat dis.txt | radclient -P tcp  -x localhost:3799 disconnect radsec
Sent Disconnect-Request Id 209 from 127.0.0.1:41690 to 127.0.0.1:3799 length 36
        Acct-Session-Id = "1E000001"
        Event-Timestamp = "Dec 20 2020 16:46:05 IST"
radclient: Received bad packet

(snip)


To send a coa disconnect/coa request to the TLS port, is there any other
way? Am I missing any configuration? Any help please.

Thanks
murugesh
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: dynamic-authorization with TLS

Alan DeKok-2
On Dec 20, 2020, at 8:37 AM, murugesh pitchaiah <[hidden email]> wrote:
> TLS Connection between Radius server and NAS is established. But when
> testing the coa - looks like the radclient to Radis server
> communication is failing.

  radclient cannot do TLS.  It can do TCP, but not TLS.  They're really not the same thing.

  If you need to send packets to localhost, there's no benefit to using TLS.

> To send a coa disconnect/coa request to TLS port is there any other
> way ? Am i missing any configuration ? Any help please.

  Use TLS when connecting to a TLS port.  Don't use bare TCP.

  Alan DeKok.


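Alan's point above in working code, as an added example that is not part of the thread and not FreeRADIUS or radclient code: a Disconnect-Request is built exactly as radclient builds it (RFC 5176, Request Authenticator over the packet plus the shared secret), but the TCP stream is wrapped in TLS before the RADIUS bytes are written, which is the step `radclient -P tcp` cannot do. The fixed secret `radsec`, port 2083 and certificate verification follow RFC 6614; the host, `cafile`, session id and timestamp are constructed values.

```python
import hashlib
import hmac
import socket
import ssl
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ACCT_SESSION_ID, EVENT_TIMESTAMP = 44, 55
RADSEC_SECRET = b"radsec"  # RFC 6614 fixes the shared secret on a RadSec connection

def encode_attrs(session_id: str, timestamp: int) -> bytes:
    """TLV-encode Acct-Session-Id (string) and Event-Timestamp (32-bit integer)."""
    sid = session_id.encode()
    return (struct.pack("!BB", ACCT_SESSION_ID, 2 + len(sid)) + sid
            + struct.pack("!BBI", EVENT_TIMESTAMP, 6, timestamp))

def build_disconnect_request(pkt_id: int, attrs: bytes, secret: bytes = RADSEC_SECRET) -> bytes:
    """Request Authenticator = MD5(Code+ID+Length+16 zero bytes+Attributes+Secret)."""
    header = struct.pack("!BBH", DISCONNECT_REQUEST, pkt_id, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def build_disconnect_response(code: int, request: bytes, attrs: bytes = b"",
                              secret: bytes = RADSEC_SECRET) -> bytes:
    """NAS side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs

def response_is_valid(request: bytes, response: bytes, secret: bytes = RADSEC_SECRET) -> bool:
    """Client side: accept only an ACK/NAK whose Id, length and authenticator match our request."""
    if len(response) < 20 or response[0] not in (DISCONNECT_ACK, DISCONNECT_NAK):
        return False
    if response[1] != request[1] or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def send_over_radsec(host: str, request: bytes, port: int = 2083, cafile=None) -> bytes:
    """The step radclient -P tcp skips: wrap the TCP stream in TLS, then write RADIUS into it."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies the RadSec server certificate
    with socket.create_connection((host, port)) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(request)
        data = tls.recv(4)  # RADIUS over TCP: read the 4-byte header, then the rest
        length = struct.unpack("!H", data[2:4])[0]
        while len(data) < length:
            data += tls.recv(length - len(data))
        return data
```

With the two attributes from the radclient output the packet is 36 bytes, the same length radclient reported; `response_is_valid` is what rejects a reply with a wrong secret or a mismatched Id instead of silently accepting it.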

Re: dynamic-authorization with TLS

murugesh pitchaiah
Thanks Alan.

My understanding is freeradius should receive the coa packets and then
just forward them to the NAS. Am I right?

In that case there should be some originator of the coa packets which has a TLS
connection with the freeradius server. Please advise if any well-known
application exists.

I see the originate-coa site in freeradius can do the same. But I am not sure if
that supports TLS.

Thanks in advance.

Regards
Murugesh. P

On Sun, Dec 20, 2020, 10:56 PM Alan DeKok <[hidden email]> wrote:

> On Dec 20, 2020, at 8:37 AM, murugesh pitchaiah <
> [hidden email]> wrote:
> > TLS Connection between Radius server and NAS is established. But when
> > testing the coa - looks like the radclient to Radis server
> > communication is failing.
>
>   radclient cannot do TLS.  It can do TCP, but not TLS.  They're really
> not the same thing.
>
>   If you need to send packets to localhost, there's no benefit to using
> TLS.
>
> > To send a coa disconnect/coa request to TLS port is there any other
> > way ? Am i missing any configuration ? Any help please.
>
>   Use TLS when connecting to a TLS port.  Don't use bare TCP.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

Re: dynamic-authorization with TLS

Alan DeKok-2
On Dec 20, 2020, at 1:17 PM, murugesh pitchaiah <[hidden email]> wrote:
>
> My understanding is freeradius should receive the coa packets. And then it
> just forwards same to the NAS. Am I right?

  It can do that if you configure it.  See sites-available/coa-relay in recent releases.  You might need to use the v3.0.x branch from GitHub, though.  It has some fixes for CoA and TLS.

> In that case there should be some originator of the coa packets who has TLS
> connection with freeradius server. Please advise if any well known
> application exist.

  No, that's not necessary.  FreeRADIUS can receive packets over plain UDP, and proxy them to the NAS over TLS.

> I see the originate-coa site in freeradius can do same. But not sure if
> that supports TLS.

  See the v3.0.x branch on GitHub.  It has fixes for this.

  Alan DeKok.



Re: dynamic-authorization with TLS

murugesh pitchaiah
Thanks Alan. Upgraded to 3.0.21 from 3.0.16. Done by adding the repository
"deb https://packages.networkradius.com/releases/ubuntu-bionic bionic main".

But I am unable to see coa-relay. Should I get the source and build it myself?

freeradius -v
radiusd: FreeRADIUS Version 3.0.21 (git #af428abda), for host
x86_64-pc-linux-gnu
FreeRADIUS Version 3.0.21
Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT

/etc/freeradius/3.0/sites-available$ ls
abfab-tls     channel_bindings  copy-acct-to-home-server  dhcp.relay       originate-coa            soh                  vmps
abfab-tr-idp  check-eap-tls     decoupled-accounting      dynamic-clients  proxy-inner-tunnel       status
buffered-sql  coa               default                   example          README                   tls
challenge     control-socket    dhcp                      inner-tunnel     robust-proxy-accounting  virtual.example.com

Thanks.

On 12/21/20, Alan DeKok <[hidden email]> wrote:

> On Dec 20, 2020, at 1:17 PM, murugesh pitchaiah
> <[hidden email]> wrote:
>>
>> My understanding is freeradius should receive the coa packets. And then it
>> just forwards same to the NAS. Am I right?
>
>   It can do that if you configure it.  See sites-available/coa-relay in
> recent releases.  You might need to use the v3.0.x branch from GitHub,
> though.  It has some fixes for CoA and TLS.
>
>> In that case there should be some originator of the coa packets who has
>> TLS
>> connection with freeradius server. Please advise if any well known
>> application exist.
>
>   No, that's not necessary.  FreeRADIUS can receive packets over plain UDP,
> and proxy them to the NAS over TLS.
>
>> I see the originate-coa site in freeradius can do same. But not sure if
>> that supports TLS.
>
>   See the v3.0.x branch on GitHub.  It has fixes for this.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

Re: dynamic-authorization with TLS

Matthew Newton-3
On 21/12/2020 08:56, murugesh pitchaiah wrote:
> Thanks Alan. Upgraded to 3.0.21 from 3.0.16. Done by adding the - deb
> https://packages.networkradius.com/releases/ubuntu-bionic bionic main.
>
> But unable to see coa-relay. Should i get source and build myself ?

You will need to for the v3.0.x branch; the packages are only the latest
released version.

--
Matthew

Re: dynamic-authorization with TLS

Alan DeKok-2
> On Dec 21, 2020, at 3:56 AM, murugesh pitchaiah <[hidden email]> wrote:
>
> Thanks Alan. Upgraded to 3.0.21

  You will note that I said "use v3.0.x from GitHub".  I did NOT say "use 3.0.21".

  You will have to build your own packages.  Full instructions are on the wiki:

https://wiki.freeradius.org/building/Building-Ubuntu-packages-from-source

  Alan DeKok.

