=======================
Tests for radsec flows.
=======================

                                   RADIUS CoA
         ┌─────────────────────────────────────────────────────────────┐
         │                                                             │
  ┌──────▼───────┐             ┌────────────────┐              ┌───────┴────────┐
  │              │             │                │  RADSEC CoA  │                │
  │   radiusd    │  RADIUS CoA │    radiusd     ◄──────────────┤    radiusd     │
  │              ◄─────────────┤                │  RADSEC Auth │                │
  │  CoA Server  │             │  Proxy Server  ├──────────────►  Home Server   │
  │              │             │                │              │                │
  └──────────────┘             └───────▲────────┘              └───────▲────────┘
                                       │                               │
                                       │ RADIUS                        │ RADIUS
                                       │ Auth                          │ CoA
                               ┌───────┴────────┐              ┌───────┴────────┐
                               │   radclient    │              │   radclient    │
                               └────────────────┘              └────────────────┘

The common FreeRADIUS configuration is located in the
src/tests/radsec/radddb directory. Configurations specific to the separate
radiusd instances are located under their respective directories: config-coa,
config-proxy, config-home.

Each test is a pair of files ending with \*.request and \*.reply.

To run these tests separately, make sure you run 'make test' from the root
directory beforehand.

Request files.
==============
A \*.request file specifies the attributes to be sent.

The name of the file (the part after the dash) specifies the type of the request
to be sent.

For example, 1.basic-auth.request sends an auth request and 2.basic-coa.request
sends a CoA request.
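
The naming convention above can be checked mechanically before a run. The following is an added example, not the project's runtest.sh: the function names `request_type` and `list_tests` are hypothetical, and it assumes the request type is the text after the last dash and that only `auth` and `coa` are valid types.

```shell
#!/bin/sh
# Added example, not part of the FreeRADIUS test suite.
# Assumption: the type is the text after the LAST dash of the file name.

# request_type FILE -> prints "auth" or "coa"; returns 1 for anything else.
request_type() {
    base=$(basename "$1" .request)   # 2.basic-coa.request -> 2.basic-coa
    case "$base" in
        *-*) type=${base##*-} ;;     # keep the text after the last dash
        *)   return 1 ;;             # no dash: type cannot be derived
    esac
    case "$type" in
        auth|coa) printf '%s\n' "$type" ;;
        *)        return 1 ;;        # unknown request type
    esac
}

# list_tests DIR -> one line per *.request file:
#   "<test name> <type> ok"        request has a matching *.reply
#   "<test name> <type> no-reply"  the *.reply half of the pair is missing
#   "<test name> - bad-name"       type cannot be derived from the name
list_tests() {
    for req in "$1"/*.request; do
        [ -e "$req" ] || continue    # directory holds no request files
        name=$(basename "$req" .request)
        if ! t=$(request_type "$req"); then
            printf '%s - bad-name\n' "$name"
        elif [ -f "$1/$name.reply" ]; then
            printf '%s %s ok\n' "$name" "$t"
        else
            printf '%s %s no-reply\n' "$name" "$t"
        fi
    done
}
```

Call `list_tests` with the directory that holds the \*.request and \*.reply files; any line not ending in `ok` names a test that cannot be run as a pair.
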
* Authentication requests.
--------------------------
Radclient sends a plain RADIUS Access-Request to the Proxy Server. The Proxy
Server then proxies this authentication request over RADSEC to the Home Server.
The opened TLS tunnel is used later to accept CoA requests from the Home Server.

* CoA requests.
---------------
Radclient sends a plain RADIUS CoA request to the Home Server. Depending on the
attributes, the Home Server does one of the following:

- Originates a CoA request to the Proxy Server with RADSEC - original flow.
  This is the regular flow where the Proxy Server acts as a TCP server and the
  Home Server (as a TCP client) first needs to establish a connection to it.

- Originates a CoA request to the Proxy Server with RADSEC - 'single tunnel
  flow'. This is the new flow where the Proxy Server can accept CoA requests
  from the Home Server within the same tunnel that it has opened for the
  Access-Request. In this case, the Proxy Server is still a TCP client, yet in
  terms of the RADIUS protocol it acts as a CoA Server.

In both of these cases, the Proxy Server forwards the CoA request to the CoA
Server to complete the flow. As an example, the CoA Server responds with
CoA-ACK, then in turn the Proxy Server responds with CoA-ACK to the Home Server
and the flow completes.

- Originates a CoA request directly to the CoA Server. Although this is not a
  RADSEC flow, it is also good to check.

Reply files.
============
A \*.reply file specifies the result expected for the corresponding \*.request
file.

For each such pair of \*.request and \*.reply files, runtest.sh is run.
This shell script sends a request with radclient.
Several FreeRADIUS instances process the requests and add attributes to be
checked. At the end of the flow all cumulative attributes are written to the
detail_test file for later checking.
runtest.sh then checks the result against the \*.reply file.

After a test is performed, a new directory named "$TEST_NAME.result" is created,
where all intermediate files related to the test are located. An example of the
directory structure is as follows:

  ok                            - status file: either ok or fail
  detail_test                   - helper file to save attributes by FreeRADIUS
  2.ipaddrtls-coa.reply.tmp     - reply file w/o internal commands (e.g. delay)
  fr-home-2.ipaddrtls-coa.log   - a part of FreeRADIUS logs related to the test
  fr-coa-2.ipaddrtls-coa.log    - the same just for radiusd CoA Server
  fr-proxy-2.ipaddrtls-coa.log  - the same just for radiusd Proxy Server
  radclient.log                 - logs for radclient
  result-2.ipaddrtls-coa.log    - combined and aggregated radclient.log and
                                  detail_test to be checked against \*.reply file