local user file authentication does not work

Seiichirou Hiraoka seiichirou.hiraoka at gmail.com
Wed Jan 25 05:24:59 CET 2017


Hello Alan, Adam,

Thank you for your reply.

This is my full radiusd -X debug log.

-----
Received Access-Request Id 97 from 127.0.0.1:44294 to 127.0.0.1:1812 length 101
        User-Name = 'radtest at eduroam.test.edu'
        User-Password = 'test'
        NAS-IP-Address = X.X.X.X
        NAS-Port = 0
        Message-Authenticator = 0xb8fc8bbf410ad0804e01366105fe8b25
(0) Received Access-Request packet from host 127.0.0.1 port 44294, id=97, length=101
(0)     User-Name = 'radtest at eduroam.test.edu'
(0)     User-Password = 'test'
(0)     NAS-IP-Address = X.X.X.X
(0)     NAS-Port = 0
(0)     Message-Authenticator = 0xb8fc8bbf410ad0804e01366105fe8b25
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   authorize {
(0)    if ( &User-Name !~ /@/ )
(0)    if ( &User-Name !~ /@/ )  -> FALSE
(0)    elsif ( &User-Name =~ /@eduroam\.test\.edu/ )
(0)    elsif ( &User-Name =~ /@eduroam\.test\.edu/ )  -> TRUE
(0)   elsif ( &User-Name =~ /@eduroam\.test\.edu/ )  {
(0)    [ok] = ok
(0)   } # elsif ( &User-Name =~ /@eduroam\.test\.edu/ )  = ok
(0)    ... skipping elsif for request 0: Preceding "if" was taken
(0)   filter_username filter_username {
(0)     if (!&User-Name)
(0)     if (!&User-Name)  -> FALSE
(0)     if (&User-Name =~ / /)
(0)     if (&User-Name =~ / /)  -> FALSE
(0)     if (&User-Name =~ /@.*@/ )
(0)     if (&User-Name =~ /@.*@/ )  -> FALSE
(0)     if (&User-Name =~ /\\.\\./ )
(0)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(0)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(0)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(0)     if (&User-Name =~ /\\.$/)
(0)     if (&User-Name =~ /\\.$/)   -> FALSE
(0)     if (&User-Name =~ /@\\./)
(0)     if (&User-Name =~ /@\\./)   -> FALSE
(0)   } # filter_username filter_username = ok
(0)   [preprocess] = ok
(0)  auth_log : EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0)  auth_log :    --> /var/log/radius/radacct/127.0.0.1/auth-detail-20170125
(0)  auth_log : /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20170125
(0)  auth_log : EXPAND %t
(0)  auth_log :    --> Wed Jan 25 13:11:26 2017
(0)   [auth_log] = ok
(0)   [chap] = noop
(0)   [mschap] = noop
(0)   [digest] = noop
(0)  suffix : Checking for suffix after "@"
(0)  suffix : Looking up realm "eduroam.test.edu" for User-Name = "radtest at eduroam.test.edu"
(0)  suffix : Found realm "~^eduroam.test.edu$"
(0)  suffix : Adding Stripped-User-Name = "radtest"
(0)  suffix : Adding Realm = "eduroam.test.edu"
(0)  suffix : Authentication realm is LOCAL
(0)   [suffix] = ok
(0)  eap : No EAP-Message, not doing EAP
(0)   [eap] = noop
(0)   [files] = noop
(0)   [expiration] = noop
(0)   [logintime] = noop
(0)  WARNING: pap : No "known good" password found for the user.  Not setting Auth-Type
(0)  WARNING: pap : Authentication will fail unless a "known good" password is available
(0)   [pap] = noop
(0)  } #  authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [radtest at eduroam.test.edu/test] (from client localhost port 0)
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)  Post-Auth-Type REJECT {
(0)  attr_filter.access_reject : EXPAND %{User-Name}
(0)  attr_filter.access_reject :    --> radtest at eduroam.test.edu
(0)  attr_filter.access_reject : Matched entry DEFAULT at line 11
(0)   [attr_filter.access_reject] = updated
(0)  eap : Request didn't contain an EAP-Message, not inserting EAP-Failure
(0)   [eap] = noop
(0)   remove_reply_message_if_eap remove_reply_message_if_eap {
(0)     if (&reply:EAP-Message && &reply:Reply-Message)
(0)     if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)    else else {
(0)     [noop] = noop
(0)    } # else else = noop
(0)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(0)  } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sending Access-Reject packet to host 127.0.0.1 port 44294, id=97, length=0
Sending Access-Reject Id 97 from 127.0.0.1:1812 to 127.0.0.1:44294
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 97 with timestamp +11
Ready to process requests
-----

and this is my configuration.

- /etc/raddb/sites-enabled/default

# cat default | grep -v ^# | grep -v ^$ | grep -v "       *#"
server default {
listen {
        type = auth
        ipaddr = *
        port = 0
        limit {
              max_connections = 16
              lifetime = 0
              idle_timeout = 30
        }
}
listen {
        ipaddr = *
        port = 0
        type = acct
        limit {
        }
}
listen {
        type = auth
        port = 0
        limit {
              max_connections = 16
              lifetime = 0
              idle_timeout = 30
        }
}
listen {
        ipv6addr = ::
        port = 0
        type = acct
        limit {
        }
}
authorize {
        if ( &User-Name !~ /@/ ) {
                reject
        }
        elsif ( &User-Name =~ /@eduroam\.test\.edu/ ) {
                ok
        }
        elsif ( &User-Name =~ /@*\.test\.edu/ ) {
                reject
        }
        filter_username
        preprocess
        auth_log
        chap
        mschap
        digest
        suffix
        eap {
                ok = return
        }
        files
        -sql
        -ldap
        expiration
        logintime
        pap
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        digest
        eap
}
preacct {
        preprocess
        acct_unique
        suffix
        files
}
accounting {
        detail
        unix
        -sql
        exec
        attr_filter.accounting_response
}
session {
}
post-auth {
        -sql
        exec
        remove_reply_message_if_eap
        Post-Auth-Type REJECT {
                -sql
                attr_filter.access_reject
                eap
                remove_reply_message_if_eap
        }
}
pre-proxy {
}
post-proxy {
        eap
}
}


- /etc/raddb/sites-enabled/inner-tunnel

# cat inner-tunnel | grep -v ^# | grep -v ^$ | grep -v "  *#"
server inner-tunnel {
listen {
       ipaddr = 127.0.0.1
       port = 18120
       type = auth
}
authorize {
        chap
        mschap
        suffix
        eap {
                ok = return
        }
        files
        -sql
        -ldap
        expiration
        logintime
        pap
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        ntlm_auth
        eap
}
session {
        radutmp
}
post-auth {
        -sql
        Post-Auth-Type REJECT {
                -sql
                attr_filter.access_reject
        }
}
pre-proxy {
}
post-proxy {
        eap
}

Please tell me if you need other files.

Best regards


2017-01-24 23:57 GMT+09:00 Alan DeKok <aland at deployingradius.com>:
> On Jan 23, 2017, at 11:16 PM, Seiichirou Hiraoka <seiichirou.hiraoka at gmail.com> wrote:
>>
>> In the environment of CentOS 7.3, FreeRADIUS 3.0.4, local users file
>> (/etc/raddb/mods-config/files/authorize) can not authenticate.
>
>   Yes, they can.
>
>> It is set to authenticate with mschap using inner-tunnel,
>> and the following I confirmed that authentication succeeds
>> with the command.
>> (username at eduroam.test.edu is the user on the AD server)
>>
>> # radtest -t mschap username at eduroam.test.edu test 127.0.0.1:1812 0 testing123
>> Received Access-Accept Id 32 from 127.0.0.1:1812 to 127.0.0.1:42901 length 84
>>
>> Next, to monitor the service, add the following entry to local users file.
>>
>> radtest at eduroam.test.edu Cleartext-Password := "test"
>
>   Odds are that you have a realm defined, which is "eduroam.test.edu".
>
>> Running radtest in this state will fail.
>>
>> # radtest radtest at eduroam.test.edu test 127.0.0.1:1812 0 testing123
>> Received Access-Reject Id 79 from 127.0.0.1:1812 to 127.0.0.1:55380 length 20
>>
>> Looking at the log (/var/log/radius/radius.log),
>> files seems to be noop and is not recognized.
>>
>> (0) [suffix] = ok
>> (0) eap: No EAP-Message, not doing EAP
>> (0) [eap] = noop
>> (0) [files] = noop      <- This is wrong????
>
>   If only you could read the REST OF THE DEBUG OUTPUT to see what the server is doing.
>
>> Please tell me how to do RADIUS authentication with local user file
>> for service monitoring.
>
>   You use it as documented.  And, you read the debug output.
>
>   ALL OF IT.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
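The failure chain visible in the trace above (suffix matches a realm and adds Stripped-User-Name, files returns noop, pap finds no "known good" password, the request is rejected with "No Auth-Type found") is worth being able to spot mechanically when reading long radiusd -X output. The following Python script is an added example for this page, not code from the thread or from the FreeRADIUS project: it parses a condensed copy of the posted debug output (constructed sample, not a live capture) and reports that chain. The regexes are mine; the one FreeRADIUS fact it relies on is the default lookup key of the files module in 3.0, `%{%{Stripped-User-Name}:-%{User-Name}}` from mods-available/files, which means that after a realm strips the suffix the users file is searched for the bare user part, not the full User-Name.

```python
"""Triage a FreeRADIUS 'radiusd -X' authorize trace for the
'No Auth-Type found' reject pattern.

Added example; the regexes below are written against the line formats
seen in the posted debug output and are assumptions, not a FreeRADIUS API.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a condensed copy of the authorize section from the
# radiusd -X output quoted in the post above (not a live capture).
SAMPLE_TRACE = """\
(0) Received Access-Request packet from host 127.0.0.1 port 44294, id=97, length=101
(0)     User-Name = 'radtest@eduroam.test.edu'
(0)     User-Password = 'test'
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   authorize {
(0)   [preprocess] = ok
(0)   [auth_log] = ok
(0)   [chap] = noop
(0)   [mschap] = noop
(0)   [digest] = noop
(0)  suffix : Looking up realm "eduroam.test.edu" for User-Name = "radtest@eduroam.test.edu"
(0)  suffix : Found realm "~^eduroam.test.edu$"
(0)  suffix : Adding Stripped-User-Name = "radtest"
(0)  suffix : Adding Realm = "eduroam.test.edu"
(0)  suffix : Authentication realm is LOCAL
(0)   [suffix] = ok
(0)  eap : No EAP-Message, not doing EAP
(0)   [eap] = noop
(0)   [files] = noop
(0)   [expiration] = noop
(0)   [logintime] = noop
(0)  WARNING: pap : No "known good" password found for the user.  Not setting Auth-Type
(0)   [pap] = noop
(0)  } #  authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
"""

# Line shapes taken from the posted trace (assumed stable enough for triage).
RE_USER_NAME = re.compile(r"^\(\d+\)\s+User-Name = '([^']*)'")
RE_STRIPPED = re.compile(r'suffix : Adding Stripped-User-Name = "([^"]*)"')
RE_REALM = re.compile(r'suffix : Adding Realm = "([^"]*)"')
RE_LOCAL = re.compile(r"suffix : Authentication realm is LOCAL")
RE_MODULE = re.compile(r"^\(\d+\)\s+\[([^\]]+)\] = (\w+)\s*$")
RE_NO_KNOWN = re.compile(r'pap : No "known good" password')
RE_NO_AUTH = re.compile(r"No Auth-Type found")


@dataclass
class Triage:
    user_name: Optional[str] = None
    stripped: Optional[str] = None
    realm: Optional[str] = None
    realm_local: bool = False
    modules: Dict[str, str] = field(default_factory=dict)  # module -> rcode
    pap_no_known_good: bool = False
    rejected_no_auth_type: bool = False


def parse_trace(text: str) -> Triage:
    """Walk the trace once and record realm handling and module rcodes."""
    t = Triage()
    for line in text.splitlines():
        m = RE_USER_NAME.match(line)
        if m and t.user_name is None:
            t.user_name = m.group(1)
            continue
        m = RE_STRIPPED.search(line)
        if m:
            t.stripped = m.group(1)
            continue
        m = RE_REALM.search(line)
        if m:
            t.realm = m.group(1)
            continue
        if RE_LOCAL.search(line):
            t.realm_local = True
            continue
        m = RE_MODULE.match(line)
        if m:
            t.modules[m.group(1)] = m.group(2)
            continue
        if RE_NO_KNOWN.search(line):
            t.pap_no_known_good = True
            continue
        if RE_NO_AUTH.search(line):
            t.rejected_no_auth_type = True
    return t


def files_lookup_key(t: Triage) -> Optional[str]:
    """Mirror the files module's default key in FreeRADIUS 3.0,
    "%{%{Stripped-User-Name}:-%{User-Name}}": once a realm has stripped
    the suffix, the users file is searched for the bare user part."""
    return t.stripped if t.stripped else t.user_name


def explain(t: Triage) -> List[str]:
    """Turn the parsed trace into the findings a reviewer would write up."""
    findings: List[str] = []
    if t.stripped and t.realm:
        findings.append(
            f'realm "{t.realm}" matched ({"LOCAL" if t.realm_local else "proxied"}); '
            f'suffix stripped User-Name "{t.user_name}" to "{t.stripped}"'
        )
    key = files_lookup_key(t)
    if t.modules.get("files") == "noop" and key:
        findings.append(
            f'files = noop: no users-file entry matched lookup key "{key}" '
            f"(default key tries Stripped-User-Name before User-Name)"
        )
    if t.pap_no_known_good:
        findings.append("pap: no known-good password was set during authorize")
    if t.rejected_no_auth_type:
        findings.append("No Auth-Type found: rejected before authenticate ever ran")
    return findings


if __name__ == "__main__":
    for finding in explain(parse_trace(SAMPLE_TRACE)):
        print("-", finding)
```

Run it against a saved radiusd -X capture by reading the file into parse_trace instead of SAMPLE_TRACE. The useful output is the lookup key: if it differs from the name on the left of the users-file entry, the files module cannot match, and pap then has nothing to compare against.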

