rlm_rest module - authenticate

philippe2.legoff at orange.com
Tue Nov 7 13:29:09 CET 2017


Hello,

I'm using a FreeRADIUS 4.0.x release with the rlm_rest module to store the accounting data in a key/value database.
Storing accounting items works well, and so does authorization, but I'm not able to perform authentication using the stored data (as with MySQL).

Does anyone have an idea?

rlm_rest/accounting section

        accounting {
                uri = "${..connect_uri}/v2/keys/%{Framed-IP-Address}"
                method = 'put'
                body = 'post'
                data = "value=\"Cleartext-Password\": \"%{Framed-IP-Address}\",\"Calling-Station-Id\": \"%{Calling-Station-ID}\",\"3GPP-Location-Info\": \"%{3GPP-User-Location-Info}\",\"3GPP-SGSN-Address\": \"%{3GPP-SGSN-Address}\",\"3GPP-RAT-Type\": \"%{3GPP-RAT-Type}\""
        }

The CLI command is:

echo "Calling-Station-Id=237100000002,Framed-IP-Address=201.16.124.239,Service-Type=2,Framed-Protocol=ppp,Acct-Status-Type=Start,3GPP-SGSN-Address=70.70.70.70,3GPP-Location-Info=0x5c2730783030315c27,NAS-IP-Address=10.171.23.53,NAS-Port=1,3GPP-Rat-Type=0x01" | /opt/freeradius/current/bin/radclient -x 10.104.145.4:1813 acct testing123
Sent Accounting-Request Id 49 from 0.0.0.0:47843 to 10.104.145.4:1813 length 108
        Calling-Station-Id = "237100000002"
        Framed-IP-Address = 201.16.124.239
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Acct-Status-Type = Start
        3GPP-SGSN-Address = 70.70.70.70
        3GPP-Location-Info = 0x5c2730783030315c27
        NAS-IP-Address = 10.171.23.53
        NAS-Port = 1
        3GPP-RAT-Type = UTRAN
Received Accounting-Response Id 49 from 10.104.145.4:1813 to 0.0.0.0:47843 via lo length 20

And the data are correctly stored.


raddebug seems fine for accounting:

Network received packet size 108
Ready to process requests
Resetting worker cleanup timer to +30s
(0)  running request
(0)  Received Accounting-Request ID 49
(0)    Calling-Station-Id = "237100000002"
(0)    Framed-IP-Address = 201.16.124.239
(0)    Service-Type = Framed-User
(0)    Framed-Protocol = PPP
(0)    Acct-Status-Type = Start
(0)    3GPP-SGSN-Address = 70.70.70.70
(0)    3GPP-Location-Info = 0x5c2730783030315c27
(0)    NAS-IP-Address = 10.171.23.53
(0)    NAS-Port = 1
(0)    3GPP-RAT-Type = UTRAN
(0)  Running 'recv Accounting-Request' from file /opt/freeradius/v.4.0.x/etc/raddb/sites-enabled/default
(0)  recv Accounting-Request {
(0)    acct_unique {
(0)      if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) {
(0)        EXPAND %{string:Class}
(0)           -->
(0)        ...
(0)      }
(0)      else {
(0)        update request {
(0)          EXPAND %{md5:%{User-Name},%{Acct-Multi-Session-ID},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(0)          --> 6f0ca34d8adc2578048d2d1f4bb0f025
(0)          &Acct-Unique-Session-Id := 6f0ca34d8adc2578048d2d1f4bb0f025
(0)        } # update request (noop)
(0)      } # else (noop)
(0)    } # acct_unique (noop)
(0)    check_accounting_attributes {
(0)      if (Acct-Status-Type == Start) {
(0)        if ((!NAS-IP-Address) || (!Service-Type) || (!Framed-Protocol) || (!Framed-IP-Address) || (!3GPP-SGSN-Address) || (!3GPP-RAT-Type) || (!Calling-Station-Id)) {
(0)          ...
(0)        }
(0)        else {
(0)          ok (ok)
(0)        } # else (ok)
(0)      } # if (Acct-Status-Type == Start) (ok)
(0)    } # check_accounting_attributes (ok)
(0)  } # recv Accounting-Request (ok)
(0)  Running 'send Accounting-Response' from file /opt/freeradius/v.4.0.x/etc/raddb/sites-enabled/default
(0)  send Accounting-Response {
(0)    detail - EXPAND /opt/freeradius/logs/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(0)    detail - --> /opt/freeradius/logs/10.104.145.4/detail-20171107
(0)    detail - /opt/freeradius/logs/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /opt/freeradius/logs/10.104.145.4/detail-20171107
(0)    detail - EXPAND %t
(0)    detail - --> Tue Nov  7 10:23:22 2017
(0)    detail (ok)
(0)    unix (noop)
(0)    rest - Reserved connection (4)
(0)    rest - Expanding URI components
(0)    rest - EXPAND http://10.104.145.4:2379
(0)    rest - --> http://10.104.145.4:2379
(0)    rest - EXPAND /v2/keys/%{Framed-IP-Address}
(0)    rest - --> /v2/keys/201.16.124.239
(0)    rest - Sending HTTP PUT to "http://10.104.145.4:2379/v2/keys/201.16.124.239"
(0)    rest - EXPAND value="Cleartext-Password": "%{Framed-IP-Address}","Calling-Station-Id": "%{Calling-Station-ID}","3GPP-Location-Info": "%{3GPP-Location-Info}","3GPP-SGSN-Address": "%{3GPP-SGSN-Address}","3GPP-RAT-Type": "%{3GPP-RAT-Type}"
(0)    rest - --> value="Cleartext-Password": "201.16.124.239","Calling-Station-Id": "237100000002","3GPP-Location-Info": "0x5c2730783030315c27","3GPP-SGSN-Address": "70.70.70.70","3GPP-RAT-Type": "UTRAN"
(0)    rest - Content-Length will be 186 bytes
(0)    rest (yield)
Waking up in 2.9 seconds.
(0)    Processing response header
(0)      Status : 200 (OK)
(0)      Type   : json (application/json)
(0)  running request
(0)    rest -   &REST-HTTP-Status-Code := 200
(0)    rest - Parsing attribute "action"
(0)    rest - EXPAND set
(0)    rest - --> set
(0)    rest - &action := "set"
(0)    rest - Parsing attribute "node"
(0)    rest - Parsing attribute "key"
(0)    rest - EXPAND /201.16.124.239
(0)    rest - --> /201.16.124.239
(0)    rest - &key := "/201.16.124.239"
(0)    rest - Parsing attribute "value"
(0)    rest - EXPAND "Cleartext-Password": "201.16.124.239","Calling-Station-Id": "237100000002","3GPP-Location-Info": "0x5c2730783030315c27","3GPP-SGSN-Address": "70.70.70.70","3GPP-RAT-Type": "UTRAN"
(0)    rest - --> "Cleartext-Password": "201.16.124.239","Calling-Station-Id": "237100000002","3GPP-Location-Info": "0x5c2730783030315c27","3GPP-SGSN-Address": "70.70.70.70","3GPP-RAT-Type": "UTRAN"
(0)    rest - &value := "\"Cleartext-Password\": \"201.16.124.239\",\"Calling-Station-Id\": \"237100000002\",\"3GPP-Location-Info\": \"0x5c2730783030315c27\",\"3GPP-SGSN-Address\": \"70.70.70.70\",\"3GPP-RAT-Type\": \"UTRAN\""
(0)    rest - Parsing attribute "modifiedIndex"
(0)    rest - WARNING: Ignoring do_xlat on 'int', attribute "modifiedIndex"
(0)    rest - &modifiedIndex := 200088
(0)    rest - Parsing attribute "createdIndex"
(0)    rest - WARNING: Ignoring do_xlat on 'int', attribute "createdIndex"
(0)    rest - &createdIndex := 200088
(0)    rest - Parsing attribute "prevNode"
(0)    rest - Parsing attribute "key"
(0)    rest - EXPAND /201.16.124.239
(0)    rest - --> /201.16.124.239
(0)    rest - &key := "/201.16.124.239"
(0)    rest - Parsing attribute "value"
(0)    rest - EXPAND "Cleartext-Password": "201.16.124.239","Calling-Station-Id": "237100000002","3GPP-Location-Info": "0x5c2730783030315c27","3GPP-SGSN-Address": "70.70.70.70","3GPP-RAT-Type": "UTRAN"
(0)    rest - --> "Cleartext-Password": "201.16.124.239","Calling-Station-Id": "237100000002","3GPP-Location-Info": "0x5c2730783030315c27","3GPP-SGSN-Address": "70.70.70.70","3GPP-RAT-Type": "UTRAN"
(0)    rest - &value := "\"Cleartext-Password\": \"201.16.124.239\",\"Calling-Station-Id\": \"237100000002\",\"3GPP-Location-Info\": \"0x5c2730783030315c27\",\"3GPP-SGSN-Address\": \"70.70.70.70\",\"3GPP-RAT-Type\": \"UTRAN\""
(0)    rest - Parsing attribute "modifiedIndex"
(0)    rest - WARNING: Ignoring do_xlat on 'int', attribute "modifiedIndex"
(0)    rest - &modifiedIndex := 200087
(0)    rest - Parsing attribute "createdIndex"
(0)    rest - WARNING: Ignoring do_xlat on 'int', attribute "createdIndex"
(0)    rest - &createdIndex := 200087
(0)    rest - Released connection (4)
(0)    rest - Closing expired connection (3): Needs reconnecting
(0)    rest - You probably need to lower "min"
(0)    rest - Closing expired connection (2): Needs reconnecting
(0)    rest - You probably need to lower "min"
(0)    rest - Closing expired connection (1): Needs reconnecting
(0)    rest - You probably need to lower "min"
(0)    rest - Closing expired connection (0): Needs reconnecting
(0)    rest - You probably need to lower "min"
(0)    rest (updated)
(0)    if (noop) {
(0)      ...
(0)    }
(0)    attr_filter.accounting_response - EXPAND %{User-Name}
(0)    attr_filter.accounting_response - -->
(0)    attr_filter.accounting_response - Matched entry DEFAULT at line 12
(0)    attr_filter.accounting_response (updated)
(0)  } # send Accounting-Response (updated)
(0)  Sent Accounting-Response Id 49 from 10.104.145.4:1813 to 10.104.145.4:47843 via lo length 0
(0)  done request
(0)  finished request.
Ready to process requests
Ready to process requests
Ready to process requests



For the authorize and authenticate sections, I'm trying a GET using the URI on the User-Name:
        authorize {
                uri = "${..connect_uri}/v2/keys/%{User-Name}"
                method = 'get'
                body = '''
                data = """
#               tls = ${..tls}
        }

(The action, node, key and value words are declared in the dictionary.)

echo "User-Name=201.16.124.239,NAS-Port=1812,Service-Type=8,NAS-Ip-Address=70.70.70.70,NAS-Identifier=1,Chap-Password=201.16.124.239,Chap-Challenge=1,Cleartext-Password=201.16.124.239"  | /opt/freeradius/current/bin/radclient -x  10.104.145.4:1812 auth testing123
Sent Access-Request Id 128 from 0.0.0.0:50628 to 10.104.145.4:1812 length 79
        User-Name = "201.16.124.239"
        NAS-Port = 1812
        Service-Type = Authenticate-Only
        NAS-IP-Address = 70.70.70.70
        NAS-Identifier = "1"
        CHAP-Password = 0x49c87256c50220fee804602c892c713d48
        CHAP-Challenge = 0x31
        Cleartext-Password = "201.16.124.239"
        Cleartext-Password = "201.16.124.239"
Received Access-Reject Id 128 from 10.104.145.4:1812 to 0.0.0.0:50628 via lo length 20
(0)     -: Expected Access-Accept got Access-Reject: Invalid character '' in attribute name

I don't see why the &value attribute isn't parsed after being expanded:

With raddebug:

(1)  running request
(1)  Received Access-Request ID 128
(1)    User-Name = "201.16.124.239"
(1)    NAS-Port = 1812
(1)    Service-Type = Authenticate-Only
(1)    NAS-IP-Address = 70.70.70.70
(1)    NAS-Identifier = "1"
(1)    CHAP-Password = 0x49c87256c50220fee804602c892c713d48
(1)    CHAP-Challenge = 0x31
(1)  Running 'recv Access-Request' from file /opt/freeradius/v.4.0.x/etc/raddb/sites-enabled/default
(1)  recv Access-Request {
(1)    filter_user_password {
(1)      if (&User-Password) {
(1)        ...
(1)      }
(1)    } # filter_user_password (...)
(1)    rest - Closing connection (4): Hit idle_timeout, was idle for 1259 seconds
(1)    rest - You probably need to lower "min"
(1)    rest - 0 of 0 connections in use.  You  may need to increase "spare"
(1)    rest - Opening additional connection (5), 1 of 10 pending slots used
(1)    rest - Reserved connection (5)
(1)    rest - Expanding URI components
(1)    rest - EXPAND http://10.104.145.4:2379
(1)    rest - --> http://10.104.145.4:2379
(1)    rest - EXPAND /v2/keys/%{User-Name}
(1)    rest - --> /v2/keys/201.16.124.239
(1)    rest - Sending HTTP GET to "http://10.104.145.4:2379/v2/keys/201.16.124.239"
(1)    rest (yield)
Waking up in 2.9 seconds.
(1)    Processing response header
(1)      Status : 200 (OK)
(1)      Type   : json (application/json)
(1)  running request
(1)    rest -   &REST-HTTP-Status-Code := 200
(1)    rest - Parsing attribute "action"
(1)    rest - EXPAND get
(1)    rest - --> get
(1)    rest - &action := "get"
(1)    rest - Parsing attribute "node"
(1)    rest - Parsing attribute "key"
(1)    rest - EXPAND /201.16.124.239
(1)    rest - --> /201.16.124.239
(1)    rest - &key := "/201.16.124.239"
(1)    rest - Parsing attribute "value"
(1)    rest - EXPAND "Cleartext-Password": "201.16.124.239","Calling-Station-Id": "237100000002","3GPP-Location-Info": "0x5c2730783030315c27","3GPP-SGSN-Address": "70.70.70.70","3GPP-RAT-Type": "UTRAN"
(1)    rest - --> "Cleartext-Password": "201.16.124.239","Calling-Station-Id": "237100000002","3GPP-Location-Info": "0x5c2730783030315c27","3GPP-SGSN-Address": "70.70.70.70","3GPP-RAT-Type": "UTRAN"
(1)    rest - &value := "\"Cleartext-Password\": \"201.16.124.239\",\"Calling-Station-Id\": \"237100000002\",\"3GPP-Location-Info\": \"0x5c2730783030315c27\",\"3GPP-SGSN-Address\": \"70.70.70.70\",\"3GPP-RAT-Type\": \"UTRAN\""
(1)    rest - Parsing attribute "modifiedIndex"
(1)    rest - WARNING: Ignoring do_xlat on 'int', attribute "modifiedIndex"
(1)    rest - &modifiedIndex := 200088
(1)    rest - Parsing attribute "createdIndex"
(1)    rest - WARNING: Ignoring do_xlat on 'int', attribute "createdIndex"
(1)    rest - &createdIndex := 200088
(1)    rest - Released connection (5)
(1)    rest - Need 4 more connections to reach min connections (5)
(1)    rest - Opening additional connection (6), 1 of 9 pending slots used
(1)    rest - Closing expired connection (5): Needs reconnecting
(1)    rest - You probably need to lower "min"
(1)    rest (updated)
(1)    check_authenticate_attributes {
(1)      if (!User-Password) {
(1)        update request {
(1)          &User-Password = &User-Name -> "201.16.124.239"
(1)        } # update request (noop)
(1)        update control {
(1)          &control:Auth-Type = rest
(1)        } # update control (noop)
(1)      } # if (!User-Password) (noop)
(1)      if ((!User-Name) || (!NAS-IP-Address) || (!Service-Type) || (!NAS-Identifier)) {
(1)        ...
(1)      }
(1)      else {
(1)        ok (ok)
(1)      } # else (ok)
(1)    } # check_authenticate_attributes (ok)
(1)  } # recv Access-Request (updated)
(1)  Running 'authenticate rest' from file /opt/freeradius/v.4.0.x/etc/raddb/sites-enabled/default
(1)  authenticate rest {
(1)    rest - Reserved connection (6)
(1)    rest - Expanding URI components
(1)    rest - EXPAND http://10.104.145.4:2379
(1)    rest - --> http://10.104.145.4:2379
(1)    rest - EXPAND /v2/keys/%{User-Name}
(1)    rest - --> /v2/keys/201.16.124.239
(1)    rest - Sending HTTP GET to "http://10.104.145.4:2379/v2/keys/201.16.124.239"
(1)    rest (yield)
Waking up in 2.9 seconds.
(1)    Processing response header
(1)      Status : 200 (OK)
(1)      Type   : json (application/json)
(1)  running request
(1)    rest -   &REST-HTTP-Status-Code := 200
(1)    rest - Parsing attribute "action"
(1)    rest - EXPAND get
(1)    rest - --> get
(1)    rest - &action := "get"
(1)    rest - Parsing attribute "node"
(1)    rest - Parsing attribute "key"
(1)    rest - EXPAND /201.16.124.239
(1)    rest - --> /201.16.124.239
(1)    rest - &key := "/201.16.124.239"
(1)    rest - Parsing attribute "value"
(1)    rest - EXPAND "Cleartext-Password": "201.16.124.239","Calling-Station-Id": "237100000002","3GPP-Location-Info": "0x5c2730783030315c27","3GPP-SGSN-Address": "70.70.70.70","3GPP-RAT-Type": "UTRAN"
(1)    rest - --> "Cleartext-Password": "201.16.124.239","Calling-Station-Id": "237100000002","3GPP-Location-Info": "0x5c2730783030315c27","3GPP-SGSN-Address": "70.70.70.70","3GPP-RAT-Type": "UTRAN"
(1)    rest - &value := "\"Cleartext-Password\": \"201.16.124.239\",\"Calling-Station-Id\": \"237100000002\",\"3GPP-Location-Info\": \"0x5c2730783030315c27\",\"3GPP-SGSN-Address\": \"70.70.70.70\",\"3GPP-RAT-Type\": \"UTRAN\""
(1)    rest - Parsing attribute "modifiedIndex"
(1)    rest - WARNING: Ignoring do_xlat on 'int', attribute "modifiedIndex"
(1)    rest - &modifiedIndex := 200088
(1)    rest - Parsing attribute "createdIndex"
(1)    rest - WARNING: Ignoring do_xlat on 'int', attribute "createdIndex"
(1)    rest - &createdIndex := 200088
(1)    rest - Released connection (6)
(1)    rest (updated)
(1)  } # authenticate rest (updated)
(1)  Failed to authenticate the user
(1)  Login incorrect: [201.16.124.239] (from client freeradius-cb-02 port 1812)
(1)  Running 'send Access-Reject' from file /opt/freeradius/v.4.0.x/etc/raddb/sites-enabled/default
(1)  send Access-Reject {
(1)    attr_filter.access_reject - EXPAND %{User-Name}
(1)    attr_filter.access_reject - --> 201.16.124.239
(1)    attr_filter.access_reject - Matched entry DEFAULT at line 11
(1)    attr_filter.access_reject (updated)
(1)  } # send Access-Reject (updated)
(1)  Sent Access-Reject Id 128 from 10.104.145.4:1812 to 10.104.145.4:50628 via lo length 0
(1)  done request
(1)  finished request.
Ready to process requests
Waking up in 29.9 seconds.

Where is my error?


Best regards,
Philippe
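Editor's note, added after the post above (example code, not FreeRADIUS, rlm_rest or the poster's own configuration). Both debug traces show the same thing: rlm_rest assigns the whole stored fragment to a single string attribute, `&value := "\"Cleartext-Password\": ...`, and the `"name": "value"` pairs inside it are never turned into separate attributes such as `Cleartext-Password`. The script below models that situation so the two halves can be checked offline: it takes a reply shaped like the one the debug output walks through (`action`, `node.key`, `node.value`, `modifiedIndex`, `createdIndex`; the JSON layout is an assumption reconstructed from those names, not captured from the poster's etcd), extracts `node.value` as the one string rlm_rest sees, splits the stored pairs back into attributes (accepting a proper JSON object too, in case braces are stored), and then verifies a CHAP response against the recovered `Cleartext-Password` the way the request on the page (CHAP-Password plus CHAP-Challenge) would need. The sample reply, the identifier byte and the challenge are constructed; the helper `chap_response` only exists to build test input.

```python
import hashlib
import hmac
import json
import re
from typing import Dict, Optional

# Constructed sample reply. The field names come from the raddebug "Parsing
# attribute" lines; the nesting is an assumption about the etcd v2 key API.
# "value" is exactly the fragment the accounting section stored: a bare list of
# "name": "value" pairs with no enclosing braces, so it is not a JSON object.
SAMPLE_ETCD_REPLY = json.dumps({
    "action": "get",
    "node": {
        "key": "/201.16.124.239",
        "value": '"Cleartext-Password": "201.16.124.239",'
                 '"Calling-Station-Id": "237100000002",'
                 '"3GPP-Location-Info": "0x5c2730783030315c27",'
                 '"3GPP-SGSN-Address": "70.70.70.70",'
                 '"3GPP-RAT-Type": "UTRAN"',
        "modifiedIndex": 200088,
        "createdIndex": 200088,
    },
})

PAIR_RE = re.compile(r'"([^"]+)"\s*:\s*"([^"]*)"')


def stored_node(reply_json: str) -> Dict[str, object]:
    """Return the node object; node['value'] is the single string rlm_rest
    assigned to &value in the debug trace."""
    return json.loads(reply_json)["node"]


def parse_stored_pairs(value: str) -> Dict[str, str]:
    """Split the stored fragment into attribute -> value.

    A real JSON object (braces present) is decoded directly; the brace-less
    fragment the accounting section wrote is recovered pair by pair."""
    try:
        obj = json.loads(value)
        if isinstance(obj, dict):
            return {k: str(v) for k, v in obj.items()}
    except json.JSONDecodeError:
        pass
    return dict(PAIR_RE.findall(value))


def chap_verify(cleartext_password: str, challenge: bytes, chap_password: bytes) -> bool:
    """RFC 1994 CHAP check: octet 0 of CHAP-Password is the identifier, the
    remaining 16 octets are MD5(identifier || password || challenge)."""
    if len(chap_password) != 17:
        return False
    ident, response = chap_password[:1], chap_password[1:]
    expected = hashlib.md5(ident + cleartext_password.encode() + challenge).digest()
    return hmac.compare_digest(expected, response)  # constant-time compare


def chap_response(ident: int, cleartext_password: str, challenge: bytes) -> bytes:
    """Build a CHAP-Password as a client would (used here only to make test input)."""
    head = bytes([ident])
    return head + hashlib.md5(head + cleartext_password.encode() + challenge).digest()


def authenticate(reply_json: str, user_name: str, challenge: bytes, chap_password: bytes) -> bool:
    """Accept only if the record belongs to User-Name and the CHAP response
    matches the Cleartext-Password recovered from the stored fragment."""
    node = stored_node(reply_json)
    if node.get("key") != "/" + user_name:
        return False
    attrs = parse_stored_pairs(str(node.get("value", "")))
    password: Optional[str] = attrs.get("Cleartext-Password")
    if password is None:
        return False
    return chap_verify(password, challenge, chap_password)


if __name__ == "__main__":
    # Constructed request: identifier 0x49 and challenge "1" (octet 0x31), as on the page.
    good = chap_response(0x49, "201.16.124.239", b"1")
    print("value seen by rlm_rest:", stored_node(SAMPLE_ETCD_REPLY)["value"][:40], "...")
    print("recovered attributes:", parse_stored_pairs(stored_node(SAMPLE_ETCD_REPLY)["value"]))
    print("accept:", authenticate(SAMPLE_ETCD_REPLY, "201.16.124.239", b"1", good))
```

Two points worth keeping in mind when wiring this into a real deployment: CHAP can only be verified when the server has the cleartext password, so whatever store holds that record (here an etcd key whose value also carries the subscriber's location and SGSN address) must be protected and audited like a password database; and the stored `value` should be written as a complete JSON object rather than a bare list of pairs, so that it decodes as a dictionary and the per-attribute fallback parser is never needed.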





