Authorize section not getting called
Nathan Ward
lists+freeradius at daork.net
Fri Feb 2 03:56:43 CET 2018
Hi,
The usual expectation is that you show a radius debug with the packets being processed.
The one you have pasted only shows the process starting up and config being parsed and such. You’ve sort of included some of that debug under the (A) and (B) sections, so you’ve definitely got it, but for some reason you haven’t posted it. If you could post the whole thing, people can likely help you more.
Any reason you’re using 2.2.10 for what I presume is a new build? You should use 3.0.16 if you can.
> On 2/02/2018, at 3:38 PM, Michael Sartain <mikesart at fastmail.com> wrote:
>
> Apologies if this is a FAQ type question, but I've spent quite a bit of time
> googling / debugging and haven't been able to track down how a user is getting
> rejected before the "group authorize" section executes.
>
> I'm running FreeRADIUS v2.2.10 on a Synology DS1515 and have two users on the
> system:
>
> $ users
> admin mikesart
>
> My final goal is to add Google two factor authentication, most likely with the
> perl module.
>
> When I run radclient with a username not on the Synology (case A), I immediately get
> a "login incorrect" error message before my authorize section executes. When
> authorizing "mikesart" (case B), it starts executing the "group authorize"
> section immediately.
>
> If anyone has any tips / suggestions on where this could be configured, I'd
> really appreciate the help. Thanks much.
> -Mike
>
> ----------------------------- (A) -----------------------------
> PC:
> echo "User-Name=alice,User-Password=passme" | ./radclient -s 10.10.10.61 auth supersecret
> -----------------------------
> Synology:
> rad_recv: Access-Request packet from host 10.10.10.10 port 34683, id=29, length=45
> User-Name = "alice"
> User-Password = "passme"
>
> Login incorrect: Incorrect user name (input name [alice], full name [alice])
> There was no response configured: rejecting request 2
> Using Post-Auth-Type Reject
>
> # Executing group from file /usr/local/synoradius/rad_site_def_local
>
> +group REJECT {
> ...
>
> ----------------------------- (B) -----------------------------
> PC:
> echo "User-Name=mikesart,User-Password=password" | ./radclient -s 10.10.10.61 auth supersecret
> -----------------------------
> Synology:
> rad_recv: Access-Request packet from host 10.10.10.10 port 33230, id=16, length=48
> User-Name = "mikesart"
> User-Password = "password"
>
> # Executing section authorize from file /usr/local/synoradius/rad_site_def_local
>
> +group authorize {
> ++[preprocess] = ok
> ...
>
> ----------------------------- radiusd -X -----------------------------
>
> radiusd: FreeRADIUS Version 2.2.10 (git #e5f6b50), for host arm-unknown-linux-gnueabi, built on Jul 19 2017 at 15:44:01
> Copyright (C) 1999-2015 The FreeRADIUS server project and contributors.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE.
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License.
> For more information about these matters, see the file named COPYRIGHT.
>
> Starting - reading configuration files ...
>
> including configuration file /var/packages/RadiusServer/target/etc/raddb/radiusd.conf
>
> including configuration file /usr/local/synoradius/rad_listen
>
> including configuration file /usr/local/synoradius/rad_port_auth
> including configuration file /usr/local/synoradius/rad_port_auth
> including configuration file /usr/local/synoradius/rad_port_auth
> including configuration file /usr/local/synoradius/rad_port_auth
> including configuration file /usr/local/synoradius/rad_port_auth
>
> including configuration file /var/packages/RadiusServer/target/etc/raddb/clients.conf
> including configuration file /usr/local/synoradius/rad_clients
>
> including files in directory /var/packages/RadiusServer/target/etc/raddb/modules/
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/soh
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/cache
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/sqlcounter_expire_on_login
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/preprocess
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/policy
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/ippool
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/attr_rewrite
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/realm
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/always
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/sql_log
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/pam
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/checkval
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/expiration
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/cui
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/smbpasswd
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/radrelay
>
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/ldap
> including configuration file /usr/local/synoradius/rad_ldap
> including configuration file /usr/local/synoradius/rad_ldap_starttls
>
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/chap
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/replicate
>
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/passwd
>
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/ntlm_auth
> including configuration file /usr/local/synoradius/rad_ntlm_auth
>
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/krb5
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/exec
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/detail.log
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/unix
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/detail
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/attr_filter
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/detail.example.com
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/perl
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/digest
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/radutmp
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/synorad
>
> including configuration file /usr/local/synoradius/synoconf ;;; back_end_type="local"
>
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/pap
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/echo
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/dynamic_clients
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/acct_unique
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/redis
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/logintime
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/mschap_ad
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/counter
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/mschap
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/smsotp
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/files
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/inner-eap
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/sradutmp
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/mac2ip
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/expr
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/etc_group
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/dhcp_sqlippool
> including configuration file /var/packages/RadiusServer/target/etc/raddb/sql/mysql/ippool-dhcp.conf
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/opendirectory
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/rediswho
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/otp
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/linelog
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/mac2vlan
> including configuration file /var/packages/RadiusServer/target/etc/raddb/modules/wimax
> including configuration file /var/packages/RadiusServer/target/etc/raddb/eap.conf
>
> including configuration file /usr/local/synoradius/rad_ca_cert
>
> including configuration file /var/packages/RadiusServer/target/etc/raddb/policy.conf
>
> including files in directory /var/packages/RadiusServer/target/etc/raddb/sites-enabled/
> including configuration file /var/packages/RadiusServer/target/etc/raddb/sites-enabled/default
>
> including configuration file /usr/local/synoradius/rad_site_def
> including configuration file /usr/local/synoradius/rad_site_def_local
>
> including configuration file /var/packages/RadiusServer/target/etc/raddb/sites-enabled/inner-tunnel
>
> including configuration file /usr/local/synoradius/rad_site_inn
> including configuration file /usr/local/synoradius/rad_site_inn_local
>
> including configuration file /usr/local/synoradius/rad_port_inner
>
> including configuration file /var/packages/RadiusServer/target/etc/raddb/sites-enabled/control-socket
> main {
> allow_core_dumps = no
> }
> including dictionary file /var/packages/RadiusServer/target/etc/raddb/dictionary
> main {
> name = "radiusd"
> prefix = "/var/packages/RadiusServer/target/"
> localstatedir = "/var/packages/RadiusServer/target//var"
> sbindir = "/var/packages/RadiusServer/target//sbin"
> logdir = "/var/packages/RadiusServer/target//var/log/radius"
> run_dir = "/var/packages/RadiusServer/target//var/run/radiusd"
> libdir = "/var/packages/RadiusServer/target//lib"
> radacctdir = "/var/packages/RadiusServer/target//var/log/radius/radacct"
> hostname_lookups = no
> max_request_time = 30
> cleanup_delay = 5
> max_requests = 1024
> pidfile = "/var/packages/RadiusServer/target//var/run/radiusd/radiusd.pid"
> checkrad = "/var/packages/RadiusServer/target//sbin/checkrad"
> debug_level = 0
> proxy_requests = no
> log {
> stripped_names = no
> auth = yes
> auth_badpass = no
> auth_goodpass = no
> }
> security {
> max_attributes = 200
> reject_delay = 1
> status_server = yes
> allow_vulnerable_openssl = no
> }
> }
>
> radiusd: #### Loading Realms and Home Servers ####
> radiusd: #### Loading Clients ####
> client 10.10.10.0/24 {
> require_message_authenticator = no
> secret = "supersecret"
> shortname = "radiusclient"
> }
>
> radiusd: #### Instantiating modules ####
> instantiate {
> Module: Linked to module rlm_exec
> Module: Instantiating module "exec" from file /var/packages/RadiusServer/target/etc/raddb/modules/exec
> exec {
> wait = no
> input_pairs = "request"
> shell_escape = yes
> timeout = 10
> }
>
> Module: Linked to module rlm_expr
> Module: Instantiating module "expr" from file /var/packages/RadiusServer/target/etc/raddb/modules/expr
> Module: Linked to module rlm_expiration
> Module: Instantiating module "expiration" from file /var/packages/RadiusServer/target/etc/raddb/modules/expiration
> expiration {
> reply-message = "Password Has Expired "
> }
> Module: Linked to module rlm_logintime
> Module: Instantiating module "logintime" from file /var/packages/RadiusServer/target/etc/raddb/modules/logintime
> logintime {
> reply-message = "You are calling outside your allowed timespan "
> minimum-timeout = 60
> }
> }
>
> radiusd: #### Loading Virtual Servers ####
> server { # from file /var/packages/RadiusServer/target/etc/raddb/radiusd.conf
> modules {
> Module: Creating Auth-Type = digest
>
> Module: Checking authenticate {...} for more modules to load
>
> Module: Linked to module rlm_pap
>
> Module: Instantiating module "pap" from file /var/packages/RadiusServer/target/etc/raddb/modules/pap
> pap {
> encryption_scheme = "auto"
> auto_header = no
> }
>
> Module: Linked to module rlm_chap
> Module: Instantiating module "chap" from file /var/packages/RadiusServer/target/etc/raddb/modules/chap
> Module: Linked to module rlm_mschap
> Module: Instantiating module "mschap" from file /var/packages/RadiusServer/target/etc/raddb/modules/mschap
> mschap {
> use_mppe = yes
> require_encryption = no
> require_strong = no
> with_ntdomain_hack = yes
> allow_retry = yes
> }
> Module: Linked to module rlm_digest
> Module: Instantiating module "digest" from file /var/packages/RadiusServer/target/etc/raddb/modules/digest
>
> Module: Linked to module rlm_unix
> Module: Instantiating module "unix" from file /var/packages/RadiusServer/target/etc/raddb/modules/unix
> unix {
> radwtmp = "/var/packages/RadiusServer/target//var/log/radius/radwtmp"
> }
>
> Module: Linked to module rlm_eap
> Module: Instantiating module "eap" from file /var/packages/RadiusServer/target/etc/raddb/eap.conf
> eap {
> default_eap_type = "mschapv2"
> timer_expire = 60
> ignore_unknown_eap_types = no
> cisco_accounting_username_bug = no
> max_sessions = 4096
> }
> Module: Linked to sub-module rlm_eap_md5
> Module: Instantiating eap-md5
> Module: Linked to sub-module rlm_eap_leap
> Module: Instantiating eap-leap
> Module: Linked to sub-module rlm_eap_gtc
> Module: Instantiating eap-gtc
> gtc {
> challenge = "Password: "
> auth_type = "PAP"
> }
> Module: Linked to sub-module rlm_eap_tls
> Module: Instantiating eap-tls
> tls {
> rsa_key_exchange = no
> dh_key_exchange = yes
> rsa_key_length = 512
> dh_key_length = 512
> verify_depth = 0
> pem_file_type = yes
> private_key_file = "/usr/local/etc/certificate/RadiusServer/radiusd/privkey.pem"
> certificate_file = "/usr/local/etc/certificate/RadiusServer/radiusd/fullchain.pem"
> CA_file = "/usr/local/etc/certificate/RadiusServer/radiusd/syno-ca-cert.pem"
> private_key_password = "12345"
> dh_file = "/var/packages/RadiusServer/target/etc/raddb/certs/dh"
> random_file = "/var/packages/RadiusServer/target/etc/raddb/certs/random"
> fragment_size = 1024
> include_length = yes
> check_crl = no
> check_all_crl = no
> cipher_list = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
> ecdh_curve = "prime256v1"
> verify {
> }
> }
> Module: Linked to sub-module rlm_eap_ttls
> Module: Instantiating eap-ttls
> ttls {
> default_eap_type = "mschapv2"
> copy_request_to_tunnel = no
> use_tunneled_reply = no
> virtual_server = "inner-tunnel"
> include_length = yes
> }
> Module: Linked to sub-module rlm_eap_peap
> Module: Instantiating eap-peap
> peap {
> default_eap_type = "mschapv2"
> copy_request_to_tunnel = no
> use_tunneled_reply = no
> proxy_tunneled_request_as_eap = yes
> virtual_server = "inner-tunnel"
> soh = no
> }
> Module: Linked to sub-module rlm_eap_mschapv2
> Module: Instantiating eap-mschapv2
> mschapv2 {
> with_ntdomain_hack = no
> send_error = no
> }
> Module: Checking authorize {...} for more modules to load
> Module: Linked to module rlm_preprocess
> Module: Instantiating module "preprocess" from file /var/packages/RadiusServer/target/etc/raddb/modules/preprocess
> preprocess {
> huntgroups = "/var/packages/RadiusServer/target/etc/raddb/huntgroups"
> hints = "/var/packages/RadiusServer/target/etc/raddb/hints"
> with_ascend_hack = no
> ascend_channels_per_line = 23
> with_ntdomain_hack = no
> with_specialix_jetstream_hack = no
> with_cisco_vsa_hack = no
> with_alvarion_vsa_hack = no
> }
> reading pairlist file /var/packages/RadiusServer/target/etc/raddb/huntgroups
> reading pairlist file /var/packages/RadiusServer/target/etc/raddb/hints
> Module: Linked to module rlm_realm
> Module: Instantiating module "suffix" from file /var/packages/RadiusServer/target/etc/raddb/modules/realm
> realm suffix {
> format = "suffix"
> delimiter = "@"
> ignore_default = no
> ignore_null = no
> }
>
> Module: Linked to module rlm_files
> Module: Instantiating module "files" from file /var/packages/RadiusServer/target/etc/raddb/modules/files
> files {
> usersfile = "/var/packages/RadiusServer/target/etc/raddb/users"
> acctusersfile = "/var/packages/RadiusServer/target/etc/raddb/acct_users"
> preproxy_usersfile = "/var/packages/RadiusServer/target/etc/raddb/preproxy_users"
> compat = "no"
> }
>
> reading pairlist file /var/packages/RadiusServer/target/etc/raddb/users
>
> reading pairlist file /usr/local/synoradius/rad_users
>
> reading pairlist file /var/packages/RadiusServer/target/etc/raddb/acct_users
> reading pairlist file /var/packages/RadiusServer/target/etc/raddb/preproxy_users
>
> Module: Linked to module rlm_passwd
>
> Module: Instantiating module "smbpasswd" from file /var/packages/RadiusServer/target/etc/raddb/modules/smbpasswd
> passwd smbpasswd {
> filename = "/etc/samba/private/smbpasswd"
> format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
> delimiter = ":"
> ignorenislike = no
> ignoreempty = yes
> allowmultiplekeys = no
> hashsize = 100
> }
>
> rlm_passwd: nfields: 7 keyfield 0(User-Name) listable: no
> Module: Checking preacct {...} for more modules to load
> Module: Linked to module rlm_acct_unique
>
> Module: Instantiating module "acct_unique" from file /var/packages/RadiusServer/target/etc/raddb/modules/acct_unique
> acct_unique {
> key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
> }
> Module: Checking accounting {...} for more modules to load
>
> Module: Linked to module rlm_detail
> Module: Instantiating module "detail" from file /var/packages/RadiusServer/target/etc/raddb/modules/detail
> detail {
> detailfile = "/var/packages/RadiusServer/target//var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
> header = "%t"
> detailperm = 384
> dirperm = 493
> locking = no
> log_packet_header = no
> escape_filenames = no
> }
>
> Module: Linked to module rlm_radutmp
> Module: Instantiating module "radutmp" from file /var/packages/RadiusServer/target/etc/raddb/modules/radutmp
> radutmp {
> filename = "/var/packages/RadiusServer/target//var/log/radius/radutmp"
> username = "%{User-Name}"
> case_sensitive = yes
> check_with_nas = yes
> perm = 384
> callerid = yes
> }
>
> Module: Linked to module rlm_attr_filter
> Module: Instantiating module "attr_filter.accounting_response" from file /var/packages/RadiusServer/target/etc/raddb/modules/attr_filter
> attr_filter attr_filter.accounting_response {
> attrsfile = "/var/packages/RadiusServer/target/etc/raddb/attrs.accounting_response"
> key = "%{User-Name}"
> relaxed = no
> }
>
> reading pairlist file /var/packages/RadiusServer/target/etc/raddb/attrs.accounting_response
> Module: Checking session {...} for more modules to load
> Module: Checking post-proxy {...} for more modules to load
> Module: Checking post-auth {...} for more modules to load
> Module: Instantiating module "attr_filter.access_reject" from file /var/packages/RadiusServer/target/etc/raddb/modules/attr_filter
> attr_filter attr_filter.access_reject {
> attrsfile = "/var/packages/RadiusServer/target/etc/raddb/attrs.access_reject"
> key = "%{User-Name}"
> relaxed = no
> }
>
> reading pairlist file /var/packages/RadiusServer/target/etc/raddb/attrs.access_reject
> } # modules
> } # server
>
>
> server inner-tunnel { # from file /usr/local/synoradius/rad_site_inn_local
> modules {
> Module: Checking authenticate {...} for more modules to load
> Module: Checking authorize {...} for more modules to load
> Module: Checking session {...} for more modules to load
> Module: Checking post-proxy {...} for more modules to load
> Module: Checking post-auth {...} for more modules to load
> } # modules
> } # server
> radiusd: #### Opening IP addresses and Ports ####
> listen {
> type = "auth"
> ipaddr = 10.10.10.61
> port = 1812
> }
> listen {
> type = "auth"
> ipaddr = 127.0.0.1
> port = 1812
> }
> listen {
> type = "auth"
> ipaddr = 169.254.143.57
> port = 1812
> }
> listen {
> type = "auth"
> ipaddr = 169.254.159.191
> port = 1812
> }
> listen {
> type = "auth"
> ipaddr = 169.254.82.235
> port = 1812
> }
> listen {
> type = "control"
> listen {
> socket = "/var/packages/RadiusServer/target//var/run/radiusd/radiusd.sock"
> }
> }
> listen {
> type = "auth"
> ipaddr = 127.0.0.1
> port = 18120
> }
> Listening on authentication address 10.10.10.61 port 1812
> Listening on authentication address 127.0.0.1 port 1812
> Listening on authentication address 169.254.143.57 port 1812
> Listening on authentication address 169.254.159.191 port 1812
> Listening on authentication address 169.254.82.235 port 1812
> Listening on command file /var/packages/RadiusServer/target//var/run/radiusd/radiusd.sock
> Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
> Ready to process requests.
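Nathan's point is that the useful part of a `radiusd -X` capture is the per-request section that begins at each `rad_recv:` line, not the start-up dump. The capture already in this thread also shows why a full paste needs a sanitising pass first: the 2.x debug output prints the client `secret`, the TLS `private_key_password` and the PAP `User-Password` in the clear, and all three appear verbatim above. The script below is an added example, not part of the original thread and not FreeRADIUS code. It redacts those values and, for each received packet, reports whether `# Executing section authorize` was reached or whether the request was rejected before it. The sample debug text is constructed from the (A) and (B) excerpts and trimmed; the function names and the output layout are my own.

```python
"""Sanitise and triage a FreeRADIUS 2.x `radiusd -X` capture before posting it."""
import re

# Constructed sample modelled on the (A) and (B) excerpts in the post (trimmed,
# not a verbatim capture). The start-up dump leaks three kinds of secret.
SAMPLE_DEBUG = """\
client 10.10.10.0/24 {
        require_message_authenticator = no
        secret = "supersecret"
        shortname = "radiusclient"
}
  tls {
        private_key_password = "12345"
  }
Ready to process requests.
rad_recv: Access-Request packet from host 10.10.10.10 port 34683, id=29, length=45
        User-Name = "alice"
        User-Password = "passme"
Login incorrect: Incorrect user name (input name [alice], full name [alice])
There was no response configured: rejecting request 2
Using Post-Auth-Type Reject
# Executing group from file /usr/local/synoradius/rad_site_def_local
+group REJECT {
rad_recv: Access-Request packet from host 10.10.10.10 port 33230, id=16, length=48
        User-Name = "mikesart"
        User-Password = "password"
# Executing section authorize from file /usr/local/synoradius/rad_site_def_local
+group authorize {
++[preprocess] = ok
"""

# Attribute names whose quoted value must never leave the box in a pasted log.
# (Assumed list; extend it for anything else your site dumps in the clear.)
SENSITIVE_KEYS = ("secret", "private_key_password", "User-Password", "CHAP-Password")
_SENSITIVE_RE = re.compile(
    r'^(?P<lhs>\s*(?:%s)\s*=\s*)"[^"]*"' % "|".join(map(re.escape, SENSITIVE_KEYS)),
    re.MULTILINE,
)


def redact(debug_text):
    """Return the capture with every sensitive quoted value replaced."""
    return _SENSITIVE_RE.sub(r'\g<lhs>"<redacted>"', debug_text)


def split_requests(debug_text):
    """Drop the start-up dump and return one chunk per received packet."""
    chunks = re.split(r"(?m)^(?=rad_recv: )", debug_text)
    return [c for c in chunks if c.startswith("rad_recv: ")]


def triage_request(chunk):
    """Summarise one request: who it was for and how far processing got."""
    header = chunk.splitlines()[0]
    user = re.search(r'^\s*User-Name\s*=\s*"([^"]*)"', chunk, re.M)
    req_id = re.search(r"\bid=(\d+)", header)
    # Only "section authorize" counts; the reject path runs "group REJECT".
    reached_authorize = re.search(r"^# Executing section authorize\b", chunk, re.M) is not None
    reject = re.search(r"^(Login incorrect.*|.*rejecting request.*)$", chunk, re.M)
    return {
        "id": int(req_id.group(1)) if req_id else None,
        "user": user.group(1) if user else None,
        "reached_authorize": reached_authorize,
        "rejected": reject is not None or "Post-Auth-Type Reject" in chunk,
        "reject_reason": reject.group(1) if reject else None,
    }


def triage_debug(debug_text):
    """Triage every request in a capture, in the order they were received."""
    return [triage_request(c) for c in split_requests(debug_text)]


if __name__ == "__main__":
    for r in triage_debug(SAMPLE_DEBUG):
        stage = "reached authorize" if r["reached_authorize"] else "rejected BEFORE authorize"
        print("id=%s user=%s: %s (%s)" % (r["id"], r["user"], stage, r["reject_reason"]))
    print(redact(SAMPLE_DEBUG))
```

Run it on a real capture with `python3 triage.py < debug.txt` after swapping the constructed sample for `sys.stdin.read()`, and paste only the redacted text to the list. Note that redaction is by attribute name, so a shared secret that also appears elsewhere in the log (for example inside a file path or a Reply-Message) still has to be searched for by value before posting.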