Hi,
I was under the impression that the APC is a standard Moonshot IdP with the only difference being that it holds the credentials for all other Relying Parties in the system. All other bits remain the same (including running a trust router etc).
I followed the instructions as per the Wiki, but for some reason the APC throws an error in the FreeRADIUS debug log (I've pasted the specific request below):
-- start of request --
Thread 2 handling request 8, (2 handled so far)
(8) Retrieved psk identity: key-cc2bba
User-Name = [log in to unmask]
GSS-Acceptor-Service-Name = 'trustidentity'
GSS-Acceptor-Host-Name = 'main-idp65x64.localdomain'
EAP-Message = 0x0200001c0140747261706336357836342e6c6f63616c646f6d61696e
Message-Authenticator = 0x46ef757cfa1ee44fc3e1aa7786063a6a
Event-Timestamp = 'Nov 27 2014 16:59:28 GMT'
NAS-IP-Address = 127.0.0.1
Proxy-State = 0x30
(8) Received Access-Request packet from host 192.168.213.24 port 41310, id=241, length=150
(8) TLS-PSK-Identity := 'key-cc2bba'
(8) User-Name = [log in to unmask]
(8) GSS-Acceptor-Service-Name = 'trustidentity'
(8) GSS-Acceptor-Host-Name = 'main-idp65x64.localdomain'
(8) EAP-Message = 0x0200001c0140747261706336357836342e6c6f63616c646f6d61696e
(8) Message-Authenticator = 0x46ef757cfa1ee44fc3e1aa7786063a6a
(8) Event-Timestamp = 'Nov 27 2014 16:59:28 GMT'
(8) NAS-IP-Address = 127.0.0.1
(8) Proxy-State = 0x30
(8) # Executing section authorize from file /etc/raddb/sites-enabled/abfab-tr-idp
(8) authorize {
(8) psk_authorize psk_authorize {
(8) if (TLS-PSK-Identity)
(8) if (TLS-PSK-Identity) -> TRUE
(8) if (TLS-PSK-Identity) {
(8) if ("%{psksql:select distinct keyid from authorizations_keys where keyid = '%{tls-psk-identity}' and '%{trust-router-coi}' like coi and '%{gss-acceptor-realm-name}' like acceptor_realm and '%{gss-acceptor-host-name}' like hostname;}")
rlm_sql (psksql): Reserved connection (4)
rlm_sql (psksql): Executing query: 'select distinct keyid from authorizations_keys where keyid = 'key-cc2bba' and '' like coi and '' like acceptor_realm and 'main-idp65x64.localdomain' like hostname;'
(8) ERROR: SQL query failed
rlm_sql (psksql): Released connection (4)
(8) EXPAND %{psksql:select distinct keyid from authorizations_keys where keyid = '%{tls-psk-identity}' and '%{trust-router-coi}' like coi and '%{gss-acceptor-realm-name}' like acceptor_realm and '%{gss-acceptor-host-name}' like hostname;}
(8) -->
(8) if ("%{psksql:select distinct keyid from authorizations_keys where keyid = '%{tls-psk-identity}' and '%{trust-router-coi}' like coi and '%{gss-acceptor-realm-name}' like acceptor_realm and '%{gss-acceptor-host-name}' like hostname;}") -> FALSE
(8) else else {
(8) [reject] = reject
(8) } # else else = reject
(8) } # if (TLS-PSK-Identity) = reject
(8) } # psk_authorize psk_authorize = reject
(8) } # authorize = reject
(8) Using Post-Auth-Type Reject
(8) # Executing group from file /etc/raddb/sites-enabled/abfab-tr-idp
(8) Post-Auth-Type REJECT {
(8) attr_filter.access_reject : EXPAND %{User-Name}
(8) attr_filter.access_reject : --> @trapc65x64.localdomain
(8) attr_filter.access_reject : Matched entry DEFAULT at line 11
(8) [attr_filter.access_reject] = updated
(8) eap : Request was previously rejected, inserting EAP-Failure
(8) [eap] = updated
(8) remove_reply_message_if_eap remove_reply_message_if_eap {
(8) if (&reply:EAP-Message && &reply:Reply-Message)
(8) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(8) else else {
(8) [noop] = noop
(8) } # else else = noop
(8) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(8) } # Post-Auth-Type REJECT = updated
(8) Delaying response for 1 seconds
Thread 2 waiting to be assigned a request
Waking up in 0.1 seconds.
Waking up in 0.6 seconds.
(8) Sending delayed response
(8) Sending Access-Reject packet to host 192.168.213.24 port 41310, id=241, length=0
(8) Proxy-State = 0x30
(8) EAP-Message = 0x04000004
(8) Message-Authenticator = 0x00000000000000000000000000000000
Sending Access-Reject Id 241 from 0.0.0.0:2083 to 192.168.213.24:41310
Proxy-State = 0x30
EAP-Message = 0x04000004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.0 seconds.
-- end of request --
As you can see, the SQL query fails. When I disable the psk_authorize query in the abfab-tr-idp section for the APC, it all functions OK.
So, the question is: should I be using that? If not, what needs to be changed, so that I can update the documentation accordingly?
I've included the APC Radius log in its entirety, the tidc request that triggered it, and the trust_router log output for it (if it helps).
Any suggestions? Sam? Mark? Margaret?
With regards,
Stefan Paetow
Moonshot Industry & Research Liaison Coordinator
t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: [log in to unmask]
skype: stefan.paetow.janet
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
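To make the psk_authorize check in the log above concrete, here is an added example (not part of the original message, the Moonshot wiki or the FreeRADIUS configuration it refers to) that replays the same query against an in-memory SQLite table. The query text and the expanded attribute values (keyid 'key-cc2bba', empty Trust-Router-COI and GSS-Acceptor-Realm-Name, host 'main-idp65x64.localdomain') are taken from request (8) in the post; the column types and the sample rows are constructed, and the `%` wildcard rows are an assumption about how authorizations_keys is normally populated. It does not diagnose why the real query failed outright; it shows what the `if` sees when the query runs, and that an SQL error and an empty result both expand to "" and reject the request.

```python
import sqlite3

# Query as printed by rlm_sql in the debug log, with the %{...} xlat
# placeholders replaced by bound parameters.  Parameter order:
# TLS-PSK-Identity, Trust-Router-COI, GSS-Acceptor-Realm-Name,
# GSS-Acceptor-Host-Name.  Note the direction of LIKE: the request
# value is the left operand, the column holds the pattern.
PSK_AUTHZ_QUERY = (
    "select distinct keyid from authorizations_keys "
    "where keyid = ? and ? like coi and ? like acceptor_realm and ? like hostname"
)

# Attribute values exactly as rlm_sql expanded them for request (8) in the
# post: no COI and no acceptor realm were present, so both expand to "".
REQUEST_8 = ("key-cc2bba", "", "", "main-idp65x64.localdomain")

# Constructed sample rows (keyid, coi, acceptor_realm, hostname).  Only the
# table and column names come from the post; '%' patterns are an assumption.
SAMPLE_ROWS = [
    ("key-cc2bba", "%", "%", "%"),                          # allow any COI/realm/host
    ("key-cc2bba", "%", "%", "main-idp65x64.localdomain"),  # pinned to one host
    ("key-cc2bba", "apc.example.org", "%", "%"),            # requires a COI value
    ("key-ffffff", "%", "%", "%"),                          # a different PSK identity
]


def build_db(rows):
    """In-memory stand-in for the psksql database (schema is an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table authorizations_keys "
        "(keyid text, coi text, acceptor_realm text, hostname text)"
    )
    conn.executemany("insert into authorizations_keys values (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def missing_table_db():
    """A database without authorizations_keys, to provoke an outright query error."""
    return sqlite3.connect(":memory:")


def psk_authorize(conn, tls_psk_identity, trust_router_coi, acceptor_realm, acceptor_host):
    """Run the check and report how it finished.

    Returns ("ok", [keyids]) when the query executed, or ("error", message)
    when the database rejected it (the "SQL query failed" path in the log).
    """
    try:
        cur = conn.execute(
            PSK_AUTHZ_QUERY,
            (tls_psk_identity, trust_router_coi, acceptor_realm, acceptor_host),
        )
        return ("ok", [row[0] for row in cur.fetchall()])
    except sqlite3.Error as exc:
        return ("error", str(exc))


def unlang_if_is_true(result):
    """What `if ("%{psksql:...}")` evaluates: a non-empty expansion is TRUE.

    An SQL error and a zero-row result both expand to "", so both end in
    the else branch and an Access-Reject.
    """
    status, payload = result
    return status == "ok" and len(payload) > 0


if __name__ == "__main__":
    for label, conn in (("populated", build_db(SAMPLE_ROWS)),
                        ("coi-only row", build_db(SAMPLE_ROWS[2:3])),
                        ("no table", missing_table_db())):
        result = psk_authorize(conn, *REQUEST_8)
        print(f"{label:>12}: {result} -> {'accept' if unlang_if_is_true(result) else 'reject'}")
```

Two things to keep in mind when reading the results: LIKE is case-insensitive for ASCII in SQLite, whereas in PostgreSQL it is case-sensitive and in MySQL it depends on the column collation, so hostname and realm patterns may behave differently on the real psksql backend; and because the request values are the left operand, a row whose coi or acceptor_realm column holds anything other than a pattern that matches the empty string (such as '%') can never authorize a request in which those attributes are absent, as in request (8).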