I finally got around to trying some RC code (the release_branch_3.0.0 on GitHub) on our production configurations. After a bit of massaging, most of them looked like they were working, but not the one that re-proxies the inner tunnel contents to an internal server after unwrapping EAP-PEAP:
peap {
	default_eap_type = mschapv2
	proxy_tunneled_request_as_eap = yes
	copy_request_to_tunnel = no
	use_tunneled_reply = yes
	tls = eduroam-eap-tls
}

Any request that tries to go to the proxy causes this to happen:

Wed Aug 7 11:57:35 2013 : Debug: (5) - entering if ("%{FreeRADIUS-Proxied-To}" == 127.0.0.1) {...}
Wed Aug 7 11:57:35 2013 : Debug: (5) update control {
Wed Aug 7 11:57:35 2013 : Debug: (5) Proxy-To-Realm := "idpi"
...
Wed Aug 7 11:57:35 2013 : Debug: (5) } # update control = ok
Wed Aug 7 11:57:35 2013 : Debug: (5) - if ("%{FreeRADIUS-Proxied-To}" == 127.0.0.1) returns ok
Wed Aug 7 11:57:35 2013 : Debug: (5) ... skipping else for request 5: Preceding "if" was taken
} # server eduroam_idp
Wed Aug 7 11:57:35 2013 : Debug: (5) eap_peap : Got tunneled reply code 0
Wed Aug 7 11:57:35 2013 : Debug: PEAP: Tunneled authentication will be proxied to idpi
Wed Aug 7 11:57:35 2013 : Info: talloc: access after free error - first free may be at src/main/util.c:230
Wed Aug 7 11:57:35 2013 : Info: Bad talloc magic value - access after free
...

I don't know if this is of any use, being so far removed from the free():

Program received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff5eb4700 (LWP 27579)]
0x0000003fe54328a5 in raise () from /lib64/libc.so.6
...
(gdb) bt
#0 0x0000003fe54328a5 in raise () from /lib64/libc.so.6
#1 0x0000003fe5434085 in abort () from /lib64/libc.so.6
#2 0x00007ffff7782c3c in ??
() from /usr/lib64/libtalloc.so.2
#3 0x00007ffff7782dd8 in talloc_get_name () from /usr/lib64/libtalloc.so.2
#4 0x00007ffff77857eb in _talloc_get_type_abort () from /usr/lib64/libtalloc.so.2
#5 0x00007ffff7bb4d95 in pairnext (cursor=0x7ffff5eb2950) at src/lib/valuepair.c:290
#6 0x00007ffff7bb4b42 in pairfind (vp=0x7fffe8007d80, attr=80, vendor=0, tag=-128 '\200') at src/lib/valuepair.c:209
#7 0x00007ffff6f58d45 in mod_authenticate (instance=0x7f8b30, request=0x844e40) at src/modules/rlm_eap/rlm_eap.c:360
#8 0x0000000000421812 in call_modsingle (component=0, sp=0x81ce30, request=0x844e40) at src/main/modcall.c:311
#9 0x0000000000422f93 in modcall (component=0, c=0x81cf30, request=0x844e40) at src/main/modcall.c:782
#10 0x000000000041f4c6 in indexed_modcall (comp=0, idx=6, request=0x844e40) at src/main/modules.c:758
#11 0x0000000000421127 in process_authenticate (auth_type=6, request=0x844e40) at src/main/modules.c:1648
#12 0x000000000040c910 in rad_check_password (request=0x844e40) at src/main/auth.c:252
#13 0x000000000040cee4 in rad_authenticate (request=0x844e40)
---Type <return> to continue, or q <return> to quit---
    at src/main/auth.c:490
#14 0x0000000000430b79 in request_running (request=0x844e40, action=1) at src/main/process.c:1185
#15 0x000000000042d02e in request_handler_thread (arg=0x8397c0) at src/main/threads.c:685
#16 0x0000003fe5c07851 in start_thread () from /lib64/libpthread.so.0
#17 0x0000003fe54e811d in clone () from /lib64/libc.so.6
(gdb)
(gdb) up
#1 0x0000003fe5434085 in abort () from /lib64/libc.so.6
(gdb) up
#2 0x00007ffff7782c3c in ??
() from /usr/lib64/libtalloc.so.2
(gdb) up
#3 0x00007ffff7782dd8 in talloc_get_name () from /usr/lib64/libtalloc.so.2
(gdb) up
#4 0x00007ffff77857eb in _talloc_get_type_abort () from /usr/lib64/libtalloc.so.2
(gdb) up
#5 0x00007ffff7bb4d95 in pairnext (cursor=0x7ffff5eb2950) at src/lib/valuepair.c:290
290 VERIFY_VP(cursor->current);
(gdb) list
285 */
286 VALUE_PAIR *pairnext(vp_cursor_t *cursor)
287 {
288 cursor->current = cursor->next;
289 if (cursor->current) {
290 VERIFY_VP(cursor->current);
291
292 /*
293 * Set this now in case 'current' gets freed before
294 * pairnext is called again.
(gdb) print cursor->current
$1 = (VALUE_PAIR *) 0x7fffe8007820
(gdb) print cursor->current->da
$2 = (const DICT_ATTR *) 0x6c6c617420646142
(gdb) print *cursor->current->da
Cannot access memory at address 0x6c6c617420646142
(gdb) up
#6 0x00007ffff7bb4b42 in pairfind (vp=0x7fffe8007d80, attr=80, vendor=0, tag=-128 '\200') at src/lib/valuepair.c:209
209 i = pairnext(&cursor)) {
(gdb) list
204 vp_cursor_t cursor;
205 VALUE_PAIR *i;
206
207 for (i = paircursor(&cursor, &vp);
208 i;
209 i = pairnext(&cursor)) {
210 VERIFY_VP(i);
211 if ((i->da->attr == attr) && (i->da->vendor == vendor)
212 && ((tag == TAG_ANY) || (i->da->flags.has_tag &&
213 (i->tag == tag)))) {
(gdb) print attr
$3 = 80
(gdb) print vendor
$4 = 0
(gdb) print tag
$5 = -128 '\200'
(gdb) print i->da->name
$6 = "U"
(gdb) print *(char *)i->da->name
$7 = 85 'U'
(gdb) print *(char *)i->da->name + 1
$8 = 86
(gdb) print *(char *)(i->da->name + 1)
$9 = 115 's'
(gdb) print *(char *)(i->da->name + 2)
$10 = 101 'e'
(gdb) print *(char *)(i->da->name + 3)
$11 = 114 'r'
(gdb) print *(char *)(i->da->name + 4)
$12 = 45 '-'
(gdb) print *(char *)(i->da->name + 5)
$13 = 78 'N'
(gdb) up
#7 0x00007ffff6f58d45 in mod_authenticate (instance=0x7f8b30, request=0x844e40) at src/modules/rlm_eap/rlm_eap.c:360
360 vp = pairfind(request->proxy->vps, PW_MESSAGE_AUTHENTICATOR, 0, TAG_ANY);
(gdb) print request
$14 = (REQUEST *) 0x844e40
(gdb) print
request->proxy
$15 = (RADIUS_PACKET *) 0x7fffe8007bc0
(gdb) print request->proxy->vps
$16 = (VALUE_PAIR *) 0x7fffe8007d80
(gdb) print request->proxy->vps->da
$17 = (const DICT_ATTR *) 0x66dbf0
(gdb) print request->proxy->vps->da->name
$18 = "E"
(gdb) print (char *)request->proxy->vps->da->name
$19 = 0x66dc00 "EAP-Message"
(gdb) print (char *)request->proxy->vps->da->type
$20 = 0x6 <Address 0x6 out of bounds>
(gdb) print request->proxy->vps->da->type
$21 = PW_TYPE_OCTETS
(gdb) print (char *)request->proxy->vps->next->da->name
$22 = 0x6d8b08 "FreeRADIUS-Proxied-To"
(gdb) print (char *)request->proxy->vps->next->next->da->name
$23 = 0x66c280 "User-Name"
(gdb) print (char *)request->proxy->vps->next->next->next->da->name
$24 = 0x6c6c617420646152 <Address 0x6c6c617420646152 out of bounds>
(gdb) up
#8 0x0000000000421812 in call_modsingle (component=0, sp=0x81ce30, request=0x844e40) at src/main/modcall.c:311
311 myresult = sp->modinst->entry->module->methods[component](
(gdb) list
306 /*
307 * For logging unresponsive children.
308 */
309 request->module = sp->modinst->name;
310
311 myresult = sp->modinst->entry->module->methods[component](
312 sp->modinst->insthandle, request);
313
314 request->module = "";
315 safe_unlock(sp->modinst);
(gdb)

The good news is the outbound instance for RadSec proxy seems to be holding up so far. I've got another few weeks to test that before EDUROAM-US retracts RadSec service pending getting their PKI in order, so I'll try to stress- and endurance-test it a bit before it goes away.