(RADIATOR) bug between 1.620 and 1.675 patchset for inner TTLS auth?

Paul Dekkers Paul.Dekkers at surfnet.nl
Thu Apr 20 09:16:53 CDT 2006


Hi there,

I just noticed "ERR: Could not handle an EAP request: Can't call method
"delete_attr" on an undefined value at
/usr/local/lib/perl5/site_perl/5.8.7/Radius/Configurable.pm line 517."
when patch 1.675 (off the top of my head) is applied:

Thu Apr 20 16:07:31 2006: DEBUG: Handling request with Handler
'Realm=/guest.showcase.surfnet.nl/i'
Thu Apr 20 16:07:31 2006: DEBUG:  Deleting session for
Paul.Dekkers at guest.showcase.surfnet.nl, 10.0.1.1, 255
Thu Apr 20 16:07:31 2006: DEBUG: Handling with Radius::AuthFILE: SC-GUEST-ID
Thu Apr 20 16:07:31 2006: DEBUG: Handling with EAP: code 2, 10, 148
Thu Apr 20 16:07:31 2006: DEBUG: Response type 21
Thu Apr 20 16:07:31 2006: DEBUG: EAP TTLS data, 3, 10, 9
Thu Apr 20 16:07:31 2006: DEBUG: EAP TTLS inner authentication request
for Paul.Dekkers at guest.showcase.surfnet.nl
Thu Apr 20 16:07:31 2006: DEBUG: TTLS Tunnelled Diameter Packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  <232>B<165><249>lW<233><12><129>]<4>"<245>D<252><244>
Attributes:
        User-Name = "Paul.Dekkers at guest.showcase.surfnet.nl"
        User-Password = ...

Thu Apr 20 16:07:31 2006: DEBUG: Handling request with Handler
'TunnelledByTTLS=1, Realm=/guest.showcase.surfnet.nl/i'
Thu Apr 20 16:07:31 2006: DEBUG:  Deleting session for
Paul.Dekkers at guest.showcase.surfnet.nl, 10.0.1.1,
Thu Apr 20 16:07:31 2006: DEBUG: Handling with Radius::AuthFILE: SC-GUEST-ID
Thu Apr 20 16:07:31 2006: DEBUG: Reading users file
/etc/radiator/db/showcase-guest-users
Thu Apr 20 16:07:31 2006: DEBUG: Radius::AuthFILE looks for match with
Paul.Dekkers at guest.showcase.surfnet.nl
[Paul.Dekkers at guest.showcase.surfnet.nl]
Thu Apr 20 16:07:31 2006: DEBUG: Radius::AuthFILE ACCEPT: :
Paul.Dekkers at guest.showcase.surfnet.nl
[Paul.Dekkers at guest.showcase.surfnet.nl]
Thu Apr 20 16:07:31 2006: DEBUG: AuthBy FILE result: ACCEPT,
Thu Apr 20 16:07:31 2006: DEBUG: Access accepted for
Paul.Dekkers at guest.showcase.surfnet.nl
Thu Apr 20 16:07:31 2006: ERR: Could not handle an EAP request: Can't
call method "delete_attr" on an undefined value at
/usr/local/lib/perl5/site_perl/5.8.7/Radius/Configurable.pm line 517.

Thu Apr 20 16:07:31 2006: DEBUG: AuthBy FILE result: REJECT, Could not
handle an EAP request
Thu Apr 20 16:07:31 2006: INFO: Access rejected for
Paul.Dekkers at guest.showcase.surfnet.nl: Could not handle an EAP request
Thu Apr 20 16:07:31 2006: DEBUG: Packet dump:
*** Sending to 145.99.219.146 port 1025 ....
Code:       Access-Reject
Identifier: 162
Authentic:  cz<24><142><225>.<196>E<198>w<252><162>@<18><24><27>
Attributes:
        Reply-Message = "Request Denied"

As you can see this machine runs perl v5.8.7 on FreeBSD, and the
following perl modules are installed:

radius# ls /var/db/pkg | grep p5
p5-Authen-SASL-2.09
p5-Convert-ASN1-0.19
p5-DBD-mysql-3.0002
p5-DBI-1.50
p5-Digest-1.14
p5-Digest-HMAC-1.01
p5-Digest-MD4-1.5
p5-Digest-MD5-2.36
p5-Digest-SHA1-2.11
p5-IO-Socket-SSL-0.97
p5-MIME-Base64-3.07
p5-Mail-Sendmail-0.79
p5-Net-SSLeay-1.30_1
p5-Socket6-0.19
p5-Storable-2.15
p5-URI-1.35
p5-XML-NamespaceSupport-1.09_1
p5-XML-SAX-0.13
p5-perl-ldap-0.33

This does not happen if I install Radiator without patches, and if I
remember correctly it was running fine with 1.620 as well...

This is the related config, I think:

<AuthBy FILE>
        Identifier SC-GUEST-ID
        Filename %D/db/showcase-guest-users
        Nocache
        EAPType TTLS, TLS
                EAPTLS_CAFile /etc/radiator/cert/surfnet-ca-chain-2017.pem
                EAPTLS_CertificateFile /etc/radiator/cert/sn-radius-server-cert.pem
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile /etc/radiator/cert/sn-radius-server-key.pem
                EAPTLS_PrivateKeyPassword ...
        EAPTLS_MaxFragmentSize 512
        EAPTLS_SessionResumption 0
#       EAPAnonymous anonymous at guest.showcase.surfnet.nl
        AutoMPPEKeys
        StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,User-Name
        AddToReply Tunnel-Type=1:VLAN,Tunnel-Medium-Type=1:Ether_802,Tunnel-Private-Group-ID=1:163,User-Name=%u
</AuthBy>

<Handler TunnelledByTTLS=1, Realm=/guest.showcase.surfnet.nl/i>
#       RewriteUsername s/^([^@]+).*/$1/
        AuthBy SC-GUEST-ID
#       StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID
#       AddToReply Tunnel-Type=1:VLAN,Tunnel-Medium-Type=1:Ether_802,Tunnel-Private-Group-ID=1:163,User-Name=%u
</Handler>

<Handler Realm=/guest.showcase.surfnet.nl/i>
        #RewriteUsername s/^([^@]+).*/$1/
        AuthBy SC-GUEST-ID
</Handler>

... it doesn't seem to like the stripfromreply or something in the inner
handler?

Regards,
Paul
