[OPENAM-13513] Call Authentication Tree in a Radius Client Created: 04/Sep/18  Updated: 19/Jun/20

Status: Open
Project: OpenAM
Component/s: RADIUS, trees
Affects Version/s: 6.0.0, 6.0.0.7, 6.5.1, 6.5.2, 7.0.0
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Jordan Kasper [X] (Inactive) Assignee: Unassigned
Resolution: Unresolved Votes: 7
Labels: AME, Must-Fix
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File Screen Shot 2018-09-04 at 10.41.29 AM.png    
Issue Links:
Relates
relates to OPENAM-12955 Resource Owner Password Credentials G... Resolved
Target Version/s:
Epic Link: A Modern RADIUS Server
Support Ticket IDs:

Description

Currently you are unable to call an authn tree from the RADIUS client configuration.

Reproduction Steps:

  1. Install a RADIUS client to test
    1. On macOS: "brew install freeradius-server"
    2. radclient and radtest are suitable clients and part of this package
  2. Test with a chain ("chain=ldapService")
    1. $ radtest demo changeit 127.0.0.1 10 secret
      Sent Access-Request Id 165 from 0.0.0.0:55039 to 127.0.0.1:1812 length 74
      	User-Name = "demo"
      	User-Password = "changeit"
      	NAS-IP-Address = 192.168.86.254
      	NAS-Port = 10
      	Message-Authenticator = 0x00
      	Cleartext-Password = "changeit"
      Received Access-Accept Id 165 from 127.0.0.1:1812 to 127.0.0.1:55039 length 20

  3. Now change the config to test with a tree ("chain=Example")
    1. $ radtest demo changeit 127.0.0.1 10 secret
      Sent Access-Request Id 201 from 0.0.0.0:63175 to 127.0.0.1:1812 length 74
      	User-Name = "demo"
      	User-Password = "changeit"
      	NAS-IP-Address = 192.168.86.254
      	NAS-Port = 10
      	Message-Authenticator = 0x00
      	Cleartext-Password = "changeit"
      Received Access-Reject Id 201 from 127.0.0.1:1812 to 127.0.0.1:63175 length 20
      (0) -: Expected Access-Accept got Access-Reject
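The exchange in the reproduction steps, as an added example that is not part of the original report or of OpenAM's RADIUS code: it encodes the Access-Request radtest sends (the five attributes shown, with RFC 2865 User-Password hiding and an RFC 2869 Message-Authenticator), which comes to the 74 bytes in the log, and checks a 20-byte Access-Accept/Access-Reject against the Response Authenticator before trusting its code. The shared secret, NAS address and the Request Authenticator passed in are constructed values taken from the report.

```python
import hashlib
import hmac
import struct

# Constructed values mirroring the radtest run in the reproduction steps (not OpenAM code)
SECRET = b"secret"
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def attr(type_: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", type_, len(value) + 2) + value

def build_access_request(ident, username, password, nas_ip, nas_port, secret, authenticator):
    """Encode the same five attributes radtest sends; 74 bytes for the values in the report."""
    attrs = (attr(1, username.encode())                                   # User-Name
             + attr(2, pap_encrypt(password.encode(), secret, authenticator))  # User-Password
             + attr(4, bytes(int(o) for o in nas_ip.split(".")))          # NAS-IP-Address
             + attr(5, struct.pack("!I", nas_port))                       # NAS-Port
             + attr(80, b"\x00" * 16))                                    # Message-Authenticator (zeroed)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    # RFC 2869 5.14: HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def build_response(code: int, request: bytes, secret: bytes) -> bytes:
    """Attribute-less Access-Accept/Reject (20 bytes) as the server would return it."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def classify_response(packet: bytes, request: bytes, secret: bytes) -> str:
    """Validate length, identifier and Response Authenticator before trusting the code."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or ident != request[1]:
        return "invalid"
    expected = hashlib.md5(packet[:4] + request[4:20] + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return "bad-authenticator"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(code, f"code-{code}")
```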

Comments
Comment by Andrew Vinall [ 10/Sep/18 ]

Bug Triage: Jordan Kasper [X] Is there a customer ticket associated with this improvement?

Comment by Phill Cunnington [ 10/Sep/18 ]

Jordan Kasper [X] Can you try specifying a tree name in place of "ldapService"?

Comment by Andrew Vinall [ 14/Sep/18 ]

Bug Triage: James Phillpotts Can you verify if a service parameter can be used instead of a chain parameter?

Comment by James Phillpotts [ 14/Sep/18 ]

It wouldn't make any difference, as the Radius server's OpenAMAuthHandler calls directly into the chain auth framework.

Comment by Jordan Kasper [X] (Inactive) [ 02/Oct/18 ]

Phill Cunnington, if I change it to the tree name, will it matter that it is set as a chain?

Comment by Phill Cunnington [ 02/Oct/18 ]

Jordan Kasper [X] Trees are treated very similarly to chains, i.e. when logging in you can specify a "service" whose value can be a tree name or a chain. But as James points out, the Radius code explicitly looks for a chain with the given name rather than asking the authentication framework more generically for a service with a given name.

Comment by James Phillpotts [ 07/Dec/18 ]

The fix for this should be very similar to OPENAM-12955, so should probably be fixed at the same time.

Comment by James Phillpotts [ 14/Apr/20 ]

Putting back to triage as I never got a chance to work on this.

Comment by Andy Hall [ 29/Apr/20 ]

Moved the target version as the proposed solution is bigger than envisaged and will not get done for 7.0.

Generated at Fri Nov 27 17:50:06 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.