Alan Buxey alan.buxey at gmail.com
Thu Apr 19 00:45:49 CEST 2018


when you say 'log into firewall' - on the console, on the web
interface?  you'll need to check the NAS docs for what other things
need to be sent back from the RADIUS server along with the accept
message - usually a load of VSAs to let the device know what
profile/access level etc etc

does the server have multiple interfaces too? might be that the reply
packet is being sent out a different way and not even getting back to
the firewall.  normally Cisco has some low level diagnostic commands
you can use to check AAA behaviour and results.

alan
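As an added illustration of Alan's point (this is not code from the thread or from the FreeRADIUS project): a small Python checker for `radiusd -X` output that pairs each Access-Accept with the reply attributes printed under it, so replies that send nothing back to the NAS stand out. The sample log is constructed from the shape of the debug output quoted below; request (10) and its `shell:priv-lvl=15` Cisco-AVPair are invented for contrast and assume the firewall expects that common Cisco AV pair, which the NAS docs would confirm.

```python
"""Scan FreeRADIUS `radiusd -X` output for Access-Accepts with no reply attributes."""
import re

# Constructed sample modelled on the debug output quoted in the thread.
# Request (9) has the real shape (Access-Accept with no attributes under it);
# request (10) is invented to show a reply that carries a Cisco VSA.
SAMPLE_LOG = """\
(9) Received Access-Request Id 75 from 10.0.5.5:22029 to 10.0.0.94:1812 length 84
(9)   User-Name = "admin"
(9)   NAS-IP-Address = 10.0.5.5
(9) Sent Access-Accept Id 75 from 10.0.0.94:1812 to 10.0.5.5:22029 length 0
(9) Finished request
(10) Received Access-Request Id 76 from 10.0.5.5:22030 to 10.0.0.94:1812 length 84
(10)   User-Name = "mohiddin"
(10)   NAS-IP-Address = 10.0.5.5
(10) Sent Access-Accept Id 76 from 10.0.0.94:1812 to 10.0.5.5:22030 length 0
(10)   Cisco-AVPair = "shell:priv-lvl=15"
(10) Finished request
"""

REQ_RE = re.compile(r'^\((\d+)\)\s+(.*)$')                      # "(9) <body>"
SENT_RE = re.compile(r'^Sent (Access-\w+) Id (\d+) from \S+ to (\S+) length (\d+)$')
ATTR_RE = re.compile(r'^(\S+)\s*=\s*(.*)$')                      # "Name = value"


def parse_debug(text):
    """Return {request_id: {user, nas, code, reply}}; reply holds the attributes
    printed between the "Sent ..." line and "Finished request"."""
    reqs = {}
    in_reply = None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue                      # module chatter without a request id
        rid, body = int(m.group(1)), m.group(2)
        r = reqs.setdefault(rid, {"user": None, "nas": None, "code": None, "reply": {}})
        sent = SENT_RE.match(body)
        if sent:
            r["code"] = sent.group(1)
            in_reply = rid                # following attribute lines belong to the reply
            continue
        if body == "Finished request":
            in_reply = None
            continue
        attr = ATTR_RE.match(body)
        if not attr:
            continue
        name, value = attr.group(1), attr.group(2).strip('"')
        if in_reply == rid:
            r["reply"][name] = value
        elif name == "User-Name":
            r["user"] = value
        elif name == "NAS-IP-Address":
            r["nas"] = value
    return reqs


def empty_accepts(reqs):
    """Request ids that were accepted but got no attributes back to the NAS."""
    return [rid for rid, r in sorted(reqs.items())
            if r["code"] == "Access-Accept" and not r["reply"]]
```

Run it over a saved debug session and compare the flagged requests against what the NAS documentation says the device needs in an Access-Accept.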

On 18 April 2018 at 18:50, Mohiddin Shaik <kms31786 at gmail.com> wrote:
> Hey Hi,
>
> I have installed a FreeRADIUS server and integrated it with a FreeIPA server. When I
> run radtest it authenticates perfectly. I configured client.conf to auth my
> Cisco firewall; whenever I try to log in using a FreeIPA user on my Cisco
> firewall, radiusd -X debug mode says auth success but I am unable to log in
> to the terminal ((9) Sent Access-Accept Id 75 from x.x.x.x:1812 to
> x.x.x.x:22029 length 0 (9) Finished request).
>
> When I use the FreeIPA admin user id I am able to log in to the Cisco firewall via the
> same FreeRADIUS server / same configuration.
>
> Debug Output:
> Ready to process requests
> (8) Received Access-Request Id 74 from 10.0.5.5:22029 to 10.0.0.94:1812
> length 128
> (8)   User-Name = "mohiddin"
> (8)   User-Password = "pass at 123"
> (8)   NAS-IP-Address = 10.0.5.5
> (8)   NAS-Port = 74
> (8)   NAS-Port-Type = Virtual
> (8)   Cisco-AVPair = "ip:source-ip=10.0.2.49"
> (8)   Calling-Station-Id = "10.0.2.49"
> (8)   Cisco-AVPair = "coa-push=true"
> (8) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (8)   authorize {
> (8)     policy filter_username {
> (8)       if (&User-Name) {
> (8)       if (&User-Name)  -> TRUE
> (8)       if (&User-Name)  {
> (8)         if (&User-Name =~ / /) {
> (8)         if (&User-Name =~ / /)  -> FALSE
> (8)         if (&User-Name =~ /@[^@]*@/ ) {
> (8)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (8)         if (&User-Name =~ /\.\./ ) {
> (8)         if (&User-Name =~ /\.\./ )  -> FALSE
> (8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
> FALSE
> (8)         if (&User-Name =~ /\.$/)  {
> (8)         if (&User-Name =~ /\.$/)   -> FALSE
> (8)         if (&User-Name =~ /@\./)  {
> (8)         if (&User-Name =~ /@\./)   -> FALSE
> (8)       } # if (&User-Name)  = notfound
> (8)     } # policy filter_username = notfound
> (8)     [preprocess] = ok
> (8)     [chap] = noop
> (8)     [mschap] = noop
> (8)     [digest] = noop
> (8) suffix: Checking for suffix after "@"
> (8) suffix: No '@' in User-Name = "mohiddin", looking up realm NULL
> (8) suffix: No such realm "NULL"
> (8)     [suffix] = noop
> (8) eap: No EAP-Message, not doing EAP
> (8)     [eap] = noop
> (8)     [files] = noop
> rlm_ldap (ldap): Closing connection (9): Hit idle_timeout, was idle for 133
> seconds
> rlm_ldap (ldap): Closing connection (11): Hit idle_timeout, was idle for
> 133 seconds
> rlm_ldap (ldap): Closing connection (8): Hit idle_timeout, was idle for 120
> seconds
> rlm_ldap (ldap): Closing connection (12): Hit idle_timeout, was idle for
> 120 seconds
> rlm_ldap (ldap): You probably need to lower "min"
> rlm_ldap (ldap): Closing connection (10): Hit idle_timeout, was idle for
> 113 seconds
> rlm_ldap (ldap): You probably need to lower "min"
> rlm_ldap (ldap): Closing connection (13): Hit idle_timeout, was idle for
> 113 seconds
> rlm_ldap (ldap): You probably need to lower "min"
> rlm_ldap (ldap): 0 of 0 connections in use.  You  may need to increase
> "spare"
> rlm_ldap (ldap): Opening additional connection (14), 1 of 32 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://ipa01.test.org:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Reserved connection (14)
> (8) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> (8) ldap:    --> (uid=mohiddin)
> (8) ldap: Performing search in "cn=users,cn=accounts,dc=test,dc=org" with
> filter "(uid=mohiddin)", scope "sub"
> (8) ldap: Waiting for search result...
> (8) ldap: User object found at DN
> "uid=mohiddin,cn=users,cn=accounts,dc=test,dc=org"
> (8) ldap: Processing user attributes
> (8) ldap: control:Password-With-Header +=
> '{SSHA512}FBhJiiB8Uene3Nl6MkFBufEQNVBJsU9GrXy3wXtaaY0mUkjQ5CVAiWdWHHfEf5bZpYWYECf/mvwOojrM/L4dVJLuUJyt+N6Q'
> rlm_ldap (ldap): Released connection (14)
> Need 2 more connections to reach min connections (3)
> rlm_ldap (ldap): Opening additional connection (15), 1 of 31 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://ipa01.test.org:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> (8)     [ldap] = updated
> (8)     [expiration] = noop
> (8)     [logintime] = noop
> (8) pap: Converted: &control:Password-With-Header ->
> &control:SSHA2-512-Password
> (8) pap: Removing &control:Password-With-Header
> (8) pap: Normalizing SSHA2-512-Password from base64 encoding, 96 bytes ->
> 72 bytes
> (8)     [pap] = updated
> (8)   } # authorize = updated
> (8) Found Auth-Type = PAP
> (8) # Executing group from file /etc/raddb/sites-enabled/default
> (8)   Auth-Type PAP {
> (8) pap: Login attempt with password
> (8) pap: Comparing with "known-good" SSHA2-512-Password
> (8) pap: User authenticated successfully
> (8)     [pap] = ok
> (8)   } # Auth-Type PAP = ok
> (8) # Executing section post-auth from file /etc/raddb/sites-enabled/default
> (8)   post-auth {
> (8)     update {
> (8)       No attributes updated
> (8)     } # update = noop
> (8)     [exec] = noop
> (8)     policy remove_reply_message_if_eap {
> (8)       if (&reply:EAP-Message && &reply:Reply-Message) {
> (8)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> (8)       else {
> (8)         [noop] = noop
> (8)       } # else = noop
> (8)     } # policy remove_reply_message_if_eap = noop
> (8)   } # post-auth = noop
> (8) Sent Access-Accept Id 74 from 10.0.0.94:1812 to 10.0.5.5:22029 length 0
> (8) Finished request
> Waking up in 4.9 seconds.
> (8) Cleaning up request packet ID 74 with timestamp +504
> Ready to process requests
> (9) Received Access-Request Id 75 from 10.0.5.5:22029 to 10.0.0.94:1812
> length 84
> (9)   User-Name = "admin"
> (9)   User-Password = "reflexis1"
> (9)   NAS-IP-Address = 10.0.5.5
> (9)   NAS-Port = 75
> (9)   NAS-Port-Type = Virtual
> (9)   Cisco-AVPair = "coa-push=true"
> (9) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (9)   authorize {
> (9)     policy filter_username {
> (9)       if (&User-Name) {
> (9)       if (&User-Name)  -> TRUE
> (9)       if (&User-Name)  {
> (9)         if (&User-Name =~ / /) {
> (9)         if (&User-Name =~ / /)  -> FALSE
> (9)         if (&User-Name =~ /@[^@]*@/ ) {
> (9)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (9)         if (&User-Name =~ /\.\./ ) {
> (9)         if (&User-Name =~ /\.\./ )  -> FALSE
> (9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
> FALSE
> (9)         if (&User-Name =~ /\.$/)  {
> (9)         if (&User-Name =~ /\.$/)   -> FALSE
> (9)         if (&User-Name =~ /@\./)  {
> (9)         if (&User-Name =~ /@\./)   -> FALSE
> (9)       } # if (&User-Name)  = notfound
> (9)     } # policy filter_username = notfound
> (9)     [preprocess] = ok
> (9)     [chap] = noop
> (9)     [mschap] = noop
> (9)     [digest] = noop
> (9) suffix: Checking for suffix after "@"
> (9) suffix: No '@' in User-Name = "admin", looking up realm NULL
> (9) suffix: No such realm "NULL"
> (9)     [suffix] = noop
> (9) eap: No EAP-Message, not doing EAP
> (9)     [eap] = noop
> (9)     [files] = noop
> rlm_ldap (ldap): Closing connection (14): Hit idle_timeout, was idle for
> 160 seconds
> rlm_ldap (ldap): You probably need to lower "min"
> rlm_ldap (ldap): Closing connection (15): Hit idle_timeout, was idle for
> 160 seconds
> rlm_ldap (ldap): You probably need to lower "min"
> rlm_ldap (ldap): 0 of 0 connections in use.  You  may need to increase
> "spare"
> rlm_ldap (ldap): Opening additional connection (16), 1 of 32 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://ipa01.test.org:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Reserved connection (16)
> (9) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> (9) ldap:    --> (uid=admin)
> (9) ldap: Performing search in "cn=users,cn=accounts,dc=test,dc=org" with
> filter "(uid=admin)", scope "sub"
> (9) ldap: Waiting for search result...
> (9) ldap: User object found at DN
> "uid=admin,cn=users,cn=accounts,dc=test,dc=org"
> (9) ldap: Processing user attributes
> (9) ldap: control:Password-With-Header +=
> '{SSHA512}rtaic2+6VABUusn0KrluEZLtSkvcTxH7SVTmJYwYtlgWqp2f2oMYIQ0AuUTrfNEutEVbn794QFmkwinsfMFihn68yrWO+Po3'
> rlm_ldap (ldap): Released connection (16)
> Need 2 more connections to reach min connections (3)
> rlm_ldap (ldap): Opening additional connection (17), 1 of 31 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://ipa01.test.org:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> (9)     [ldap] = updated
> (9)     [expiration] = noop
> (9)     [logintime] = noop
> (9) pap: Converted: &control:Password-With-Header ->
> &control:SSHA2-512-Password
> (9) pap: Removing &control:Password-With-Header
> (9) pap: Normalizing SSHA2-512-Password from base64 encoding, 96 bytes ->
> 72 bytes
> (9)     [pap] = updated
> (9)   } # authorize = updated
> (9) Found Auth-Type = PAP
> (9) # Executing group from file /etc/raddb/sites-enabled/default
> (9)   Auth-Type PAP {
> (9) pap: Login attempt with password
> (9) pap: Comparing with "known-good" SSHA2-512-Password
> (9) pap: User authenticated successfully
> (9)     [pap] = ok
> (9)   } # Auth-Type PAP = ok
> (9) # Executing section post-auth from file /etc/raddb/sites-enabled/default
> (9)   post-auth {
> (9)     update {
> (9)       No attributes updated
> (9)     } # update = noop
> (9)     [exec] = noop
> (9)     policy remove_reply_message_if_eap {
> (9)       if (&reply:EAP-Message && &reply:Reply-Message) {
> (9)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> (9)       else {
> (9)         [noop] = noop
> (9)       } # else = noop
> (9)     } # policy remove_reply_message_if_eap = noop
> (9)   } # post-auth = noop
> (9) Sent Access-Accept Id 75 from 10.0.0.94:1812 to 10.0.5.5:22029 length 0
> (9) Finished request
> Waking up in 4.9 seconds.
> (9) Cleaning up request packet ID 75 with timestamp +664
> Ready to process requests
>
>
> Thanks,
> Mohiddin.