Re: fragmented ipv4[udp] ignored by server.

2023-03-19 Thread Mikhael Lialin

Hello And good day.

One small update.

I set up the same freeradius configuration with the official freeradius 
docker image and my radius eap configuration.


Used vmd as hypervisor and alpine linux to run docker, and pf to 
redirect/nat traffic to freeradius.


And it worked!

Also, previously the same configuration of pf and freeradius worked with 
FreeBSD to get eap tls authentication working.


Maybe it's some default openbsd configuration or pf rules.

Thank you.

On 3/6/23 14:20, Mikhael Lialin wrote:


Hello Tom.

It's a local setup, so the radius server and eapol_client are located on 
neighbouring ports of a cisco sg350 switch, and there are no rules 
present on this switch regarding fragmented packets. Anyway, it's capable 
of rspan, and it's possible to mirror traffic from one port to another 
for analysis, to be sure where those packets are lost. However, this 
requires one more pc in this scheme.


The freeradius documentation 
(in /usr/local/share/examples/freeradius/mods-available/eap) mentions 
that server and client certificates should have X.509 extensions for 
server and client authentication. And they have.


Thank you.

On 3/6/23 02:27, Tom Smyth wrote:

Hi Mikhael,
Moving this on to the misc list as it is more appropriate for support-type 
requests.


It may not be OpenBSD that is ignoring the fragments; depending on 
your setup, an intermediate device (NAT router etc.) could be processing 
the IP fragments incorrectly and/or dropping them...
IP fragments are a pain as they don't really match the protocol of the 
original packet and have all sorts of issues when traversing 
(hashed) multipath routes between the source and destination..

Cloudflare have a really good article on this:
https://blog.cloudflare.com/ip-fragmentation-is-broken/

Hope this is of help...


On Sun, 5 Mar 2023 at 22:04, Mikhael Lialin  wrote:

Hi.

I've successfully configured eap tls with freeradius.

However, with the default value for fragment_size in wpa_supplicant.conf,
which equals 1398, packets get fragmented and seem ignored by
the server.

Both systems are openbsd 7.2.

Here is output from tshark:

--target radius--
9 124.886123   10.10.2.10 ? 10.10.2.1    RADIUS 188 Access-Request id=0
10 124.894967    10.10.2.1 ? 10.10.2.10   RADIUS 106 Access-Challenge id=0
11 124.914163   10.10.2.10 ? 10.10.2.1    RADIUS 373 Access-Request id=1
12 125.010446    10.10.2.1 ? 10.10.2.10   RADIUS 1320 Access-Challenge id=1
13 125.014979   10.10.2.10 ? 10.10.2.1    RADIUS 191 Access-Request id=2
14 125.032537    10.10.2.1 ? 10.10.2.10   RADIUS 1320 Access-Challenge id=2
15 125.034214   10.10.2.10 ? 10.10.2.1    RADIUS 191 Access-Request id=3
16 125.045650    10.10.2.1 ? 10.10.2.10   RADIUS 300 Access-Challenge id=3


--source eapol_test with wpa_supplicant.conf--

1   0.00   10.10.2.10 ? 10.10.2.1    RADIUS 188 Access-Request id=0
2   0.011025    10.10.2.1 ? 10.10.2.10   RADIUS 106 Access-Challenge id=0
3   0.027023   10.10.2.10 ? 10.10.2.1    RADIUS 373 Access-Request id=1
4   0.126651    10.10.2.1 ? 10.10.2.10   RADIUS 1320 Access-Challenge id=1
5   0.127440   10.10.2.10 ? 10.10.2.1    RADIUS 191 Access-Request id=2
6   0.148742    10.10.2.1 ? 10.10.2.10   RADIUS 1320 Access-Challenge id=2
7   0.149411   10.10.2.10 ? 10.10.2.1    RADIUS 191 Access-Request id=3
8   0.161846    10.10.2.1 ? 10.10.2.10   RADIUS 300 Access-Challenge id=3
9   0.179447   10.10.2.10 ? 10.10.2.1    IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=b444)
10   3.193244   10.10.2.10 ? 10.10.2.1    IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=b576)
11   9.213196   10.10.2.10 ? 10.10.2.1    IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=ef21)
12  21.233280   10.10.2.10 ? 10.10.2.1    IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=00d0)

eapol_test fails.

Setting fragment_size = 1212 in wpa_supplicant.conf gives
success.

Output from tshark:

--target radius--
1   0.00   10.10.2.10 ? 10.10.2.1    RADIUS 188 Access-Request id=0
2   0.006613    10.10.2.1 ? 10.10.2.10   RADIUS 106 Access-Challenge id=0
3   0.024538   10.10.2.10 ? 10.10.2.1    RADIUS 373 Access-Request id=1
4   0.104617    10.10.2.1 ? 10.10.2.10   RADIUS 1320 Access-Challenge id=1
5   0.106355   10.10.2.10 ? 10.10.2.1    RADIUS 191 Access-Request id=2
6   0.114877    10.10.2.1 ? 10.10.2.10   RADIUS 1320 Access-Challenge id=2
7   0.118679   10.10.2.10 ? 10.10.2.1    RADIUS 191 Access-Request id=3
8   0.128309    10.10.2.1 ? 10.10.2.10   RADIUS 300 Access-Challenge id=3
9   0.145442   10.10.2.10 ? 10.10.2.1    RADIUS 1415 Access-Request id=4
10   0.160230    10.10.2.1 ? 10.10.2.10   RADIUS 106 Access-Challenge id=4
11   0.161621   10.10.2.10 ? 10.10.2.1

Re: fragmented ipv4[udp] ignored by server.

2023-03-06 Thread Mikhael Lialin

Hello Tom.

It's a local setup, so the radius server and eapol_client are located on 
neighbouring ports of a cisco sg350 switch, and there are no rules present 
on this switch regarding fragmented packets. Anyway, it's capable of rspan, 
and it's possible to mirror traffic from one port to another for analysis, 
to be sure where those packets are lost. However, this requires one more pc 
in this scheme.


The freeradius documentation 
(in /usr/local/share/examples/freeradius/mods-available/eap) mentions 
that server and client certificates should have X.509 extensions for 
server and client authentication. And they have.


Thank you.

On 3/6/23 02:27, Tom Smyth wrote:

Hi Mikhael,
Moving this on to the misc list as it is more appropriate for support-type 
requests.


It may not be OpenBSD that is ignoring the fragments; depending on 
your setup, an intermediate device (NAT router etc.) could be processing 
the IP fragments incorrectly and/or dropping them...
IP fragments are a pain as they don't really match the protocol of the 
original packet and have all sorts of issues when traversing 
(hashed) multipath routes between the source and destination..

Cloudflare have a really good article on this:
https://blog.cloudflare.com/ip-fragmentation-is-broken/

Hope this is of help...


On Sun, 5 Mar 2023 at 22:04, Mikhael Lialin  wrote:

Hi.

I've successfully configured eap tls with freeradius.

However, with the default value for fragment_size in wpa_supplicant.conf,
which equals 1398, packets get fragmented and seem ignored by
the server.

Both systems are openbsd 7.2.

Here is output from tshark:

--target radius--
9 124.886123   10.10.2.10 ? 10.10.2.1    RADIUS 188 Access-Request id=0
10 124.894967    10.10.2.1 ? 10.10.2.10   RADIUS 106 Access-Challenge id=0
11 124.914163   10.10.2.10 ? 10.10.2.1    RADIUS 373 Access-Request id=1
12 125.010446    10.10.2.1 ? 10.10.2.10   RADIUS 1320 Access-Challenge id=1
13 125.014979   10.10.2.10 ? 10.10.2.1    RADIUS 191 Access-Request id=2
14 125.032537    10.10.2.1 ? 10.10.2.10   RADIUS 1320 Access-Challenge id=2
15 125.034214   10.10.2.10 ? 10.10.2.1    RADIUS 191 Access-Request id=3
16 125.045650    10.10.2.1 ? 10.10.2.10   RADIUS 300 Access-Challenge id=3


--source eapol_test with wpa_supplicant.conf--

1   0.00   10.10.2.10 ? 10.10.2.1    RADIUS 188 Access-Request id=0
2   0.011025    10.10.2.1 ? 10.10.2.10   RADIUS 106 Access-Challenge id=0
3   0.027023   10.10.2.10 ? 10.10.2.1    RADIUS 373 Access-Request id=1
4   0.126651    10.10.2.1 ? 10.10.2.10   RADIUS 1320 Access-Challenge id=1
5   0.127440   10.10.2.10 ? 10.10.2.1    RADIUS 191 Access-Request id=2
6   0.148742    10.10.2.1 ? 10.10.2.10   RADIUS 1320 Access-Challenge id=2
7   0.149411   10.10.2.10 ? 10.10.2.1    RADIUS 191 Access-Request id=3
8   0.161846    10.10.2.1 ? 10.10.2.10   RADIUS 300 Access-Challenge id=3
9   0.179447   10.10.2.10 ? 10.10.2.1    IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=b444)
10   3.193244   10.10.2.10 ? 10.10.2.1    IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=b576)
11   9.213196   10.10.2.10 ? 10.10.2.1    IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=ef21)
12  21.233280   10.10.2.10 ? 10.10.2.1    IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=00d0)

eapol_test fails.

Setting fragment_size = 1212 in wpa_supplicant.conf gives
success.

Output from tshark:

--target radius--
1   0.00   10.10.2.10 ? 10.10.2.1    RADIUS 188 Access-Request id=0
2   0.006613    10.10.2.1 ? 10.10.2.10   RADIUS 106 Access-Challenge id=0
3   0.024538   10.10.2.10 ? 10.10.2.1    RADIUS 373 Access-Request id=1
4   0.104617    10.10.2.1 ? 10.10.2.10   RADIUS 1320 Access-Challenge id=1
5   0.106355   10.10.2.10 ? 10.10.2.1    RADIUS 191 Access-Request id=2
6   0.114877    10.10.2.1 ? 10.10.2.10   RADIUS 1320 Access-Challenge id=2
7   0.118679   10.10.2.10 ? 10.10.2.1    RADIUS 191 Access-Request id=3
8   0.128309    10.10.2.1 ? 10.10.2.10   RADIUS 300 Access-Challenge id=3
9   0.145442   10.10.2.10 ? 10.10.2.1    RADIUS 1415 Access-Request id=4
10   0.160230    10.10.2.1 ? 10.10.2.10   RADIUS 106 Access-Challenge id=4
11   0.161621   10.10.2.10 ? 10.10.2.1    RADIUS 1372 Access-Request id=5
12   0.262102    10.10.2.1 ? 10.10.2.10   RADIUS 161 Access-Challenge id=5
13   0.263753   10.10.2.10 ? 10.10.2.1    RADIUS 191 Access-Request id=6
14   0.281330    10.10.2.1 ? 10.10.2.10   RADIUS 226 Access-Accept id=6

--source eapol_test with wpa_supplicant.conf--

 1   0.00   10.10.2.10 ? 10.10.2.1    RADIUS 188 Access-Request id=0
 2   0.010060    10.10.2.1 ? 10.10.2.10   RADIUS 106 Access-Challenge id=0
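To put numbers on the fragment_size threshold that the thread reaches by trial, here is an added Python example (not part of the original posts). It assumes the 203-byte framing overhead read off the successful capture (a 1415-byte Access-Request frame for fragment_size 1212) is constant for every fragment size, and includes a small parser for tshark summary lines in the shape quoted above that flags frames tshark marks as IP fragments; the sample lines are constructed from that shape.

```python
import re

# Figures read off the captures in this thread: with fragment_size = 1212 the
# Access-Request frame was 1415 bytes, so Ethernet/IP/UDP/RADIUS/EAP framing
# around one TLS fragment is 203 bytes. Assumption: that overhead is constant.
ETH_MTU = 1500            # interface MTU quoted in the thread
ETH_HEADER = 14           # tshark frame length includes the Ethernet header
OBSERVED_FRAGMENT_SIZE = 1212
OBSERVED_FRAME_LEN = 1415
FRAMING_OVERHEAD = OBSERVED_FRAME_LEN - OBSERVED_FRAGMENT_SIZE  # 203

def expected_frame_len(fragment_size: int) -> int:
    """Wire-level frame length carrying one full-size EAP-TLS fragment."""
    return fragment_size + FRAMING_OVERHEAD

def will_fragment(fragment_size: int, mtu: int = ETH_MTU) -> bool:
    """True when the datagram no longer fits one IP packet at this MTU."""
    return expected_frame_len(fragment_size) > mtu + ETH_HEADER

def max_fragment_size(mtu: int = ETH_MTU) -> int:
    """Largest fragment_size that avoids IP fragmentation at this MTU."""
    return mtu + ETH_HEADER - FRAMING_OVERHEAD

# One tshark summary line: no, time, src, arrow, dst, proto, length, info.
TSHARK_LINE = re.compile(
    r"^\s*(\d+)\s+[\d.]+\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")

def find_fragmented(capture: str, mtu: int = ETH_MTU) -> list:
    """(frame_no, length, info) for frames tshark marks as IP fragments or
    that are longer than the MTU plus Ethernet header."""
    hits = []
    for line in capture.splitlines():
        m = TSHARK_LINE.match(line)
        if not m:
            continue
        frame_no, _src, _dst, _proto, length, info = m.groups()
        if "Fragmented IP" in info or int(length) > mtu + ETH_HEADER:
            hits.append((int(frame_no), int(length), info.strip()))
    return hits

# Constructed sample in the shape of the failing capture (arrow shown as "?").
SAMPLE_CAPTURE = """\
8   0.161846    10.10.2.1 ? 10.10.2.10   RADIUS 300 Access-Challenge id=3
9   0.179447   10.10.2.10 ? 10.10.2.1    IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=b444)
10   3.193244   10.10.2.10 ? 10.10.2.1    IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=b576)
"""
```

With these assumptions the default fragment_size of 1398 yields a 1601-byte frame, which cannot fit a 1500-byte MTU, while anything up to 1311 would; find_fragmented(SAMPLE_CAPTURE) returns frames 9 and 10.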

Re: freeradius denies to authenticate with eap-tls

2023-03-02 Thread Mikhael Lialin

Hello and good day.

Finally found the actual reason.

The outer client fails eap tls because of packet fragmentation. On the 
interface, mtu is set to 1500, and the packet is 1514.


From tshark:

RADIUS 1514 Access-Request id=4[BoundErrorUnreassembled Packet]
RADIUS 1514 Access-Request id=4, Duplicate Request[BoundErrorUnreassembled Packet]
RADIUS 1514 Access-Request id=4, Duplicate Request[BoundErrorUnreassembled Packet]
RADIUS 1514 Access-Request id=4, Duplicate Request[BoundErrorUnreassembled Packet]


Any idea why this happens?

Thank you.

On 3/2/23 00:55, Mikhael Lialin wrote:


Hello.

Answered to the thread that was moved to ports, and realised that it was 
not posted in the thread.


So copying messages here as attachments.

Finally found the cause - fragmented packet reassembly error.

Thank you.
On 2/26/23 15:37, Robert Klein wrote:

Hi,

I'm answering this to the misc list.

The ktrace is a bit heavy to read.  Could you run freeradius from the
command line as follows

/usr/local/sbin/radiusd -X >radius.log

and send this file?


But first, if you didn't change the configuration, I don't believe
you can use freeradius at all.   Didn't you at least set up some files
in /etc/raddb, e.g. client.conf, users.conf, proxy.conf?  No changes in
sites and/or modules?

Best regards
Robert


On Sat, 25 Feb 2023 02:18:20 +0400
Mikhael Lialin  wrote:


Hi.

Trying to set up wifi with radius eap-tls authentication.

And getting a timeout while authenticating.

Tried with a custom setup, and the default setup with certificates
generated within the installation.

In ktrace of radiusd, something is waiting:

28664 radiusd  RET   wait4 -1 errno 10 No child processes

All configuration of freeradius is default after installation,
nothing was modified.

Please help.

Debug and ktrace session attached.


Mikhael.