freeradius authentication problem
Mallikarjuna Peddappanavara Karibasappa
mallikarjuna.peddappanavara at igrid-td.com
Fri Jul 13 07:28:36 CEST 2018
Dears,
I'm using the following module for radius authentication.
https://github.com/qudreams/nginx-http-radius-module
Is this module too old to use?
Thank you,
Best Regards,
*Mallikarjuna PK*
Email: mallikarjuna.peddappanavara at igrid-td.com
Mobile: +91-9535744695
On 12 July 2018 at 18:51, Alan Buxey <alan.buxey at gmail.com> wrote:
> hi,
>
> works fine for me:
>
> (0) Received Access-Request Id 2 from 127.0.0.1:49092 to 127.0.0.1:1812
> length 67
> (0) User-Name = "bob"
> (0) User-Password = "hello"
> (0) Service-Type = Authorize-Only
> (0) Message-Authenticator = 0x505a938561632db53b6806c179d7053b
> (0) # Executing section authorize from file /etc/raddb/sites-enabled/
> default
> (0) authorize {
> (0) policy filter_username {
> (0) if (&User-Name) {
> (0) if (&User-Name) -> TRUE
> (0) if (&User-Name) {
> (0) if (&User-Name =~ / /) {
> (0) if (&User-Name =~ / /) -> FALSE
> (0) if (&User-Name =~ /@[^@]*@/ ) {
> (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (0) if (&User-Name =~ /\.\./ ) {
> (0) if (&User-Name =~ /\.\./ ) -> FALSE
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
> FALSE
> (0) if (&User-Name =~ /\.$/) {
> (0) if (&User-Name =~ /\.$/) -> FALSE
> (0) if (&User-Name =~ /@\./) {
> (0) if (&User-Name =~ /@\./) -> FALSE
> (0) } # if (&User-Name) = notfound
> (0) } # policy filter_username = notfound
> (0) [preprocess] = ok
> (0) [chap] = noop
> (0) [mschap] = noop
> (0) [digest] = noop
> (0) suffix: Checking for suffix after "@"
> (0) suffix: No '@' in User-Name = "bob", looking up realm NULL
> (0) suffix: No such realm "NULL"
> (0) [suffix] = noop
> (0) eap: No EAP-Message, not doing EAP
> (0) [eap] = noop
> (0) files: users: Matched entry bob at line 87
> (0) [files] = ok
> (0) [expiration] = noop
> (0) [logintime] = noop
> (0) [pap] = updated
> (0) } # authorize = updated
> (0) Found Auth-Type = PAP
> (0) # Executing group from file /etc/raddb/sites-enabled/default
> (0) Auth-Type PAP {
> (0) pap: Login attempt with password
> (0) pap: Comparing with "known good" Cleartext-Password
> (0) pap: User authenticated successfully
> (0) [pap] = ok
> (0) } # Auth-Type PAP = ok
> (0) # Executing section post-auth from file /etc/raddb/sites-enabled/
> default
> (0) post-auth {
> (0) update {
> (0) No attributes updated
> (0) } # update = noop
> (0) [exec] = noop
> (0) policy remove_reply_message_if_eap {
> (0) if (&reply:EAP-Message && &reply:Reply-Message) {
> (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (0) else {
> (0) [noop] = noop
> (0) } # else = noop
> (0) } # policy remove_reply_message_if_eap = noop
> (0) } # post-auth = noop
> (0) Sent Access-Accept Id 2 from 127.0.0.1:1812 to 127.0.0.1:49092 length
> 0
> (0) Finished request
> Waking up in 4.9 seconds.
> (1) Received Access-Request Id 90 from 127.0.0.1:49092 to 127.0.0.1:1812
> length 67
> (1) User-Name = "bob"
> (1) User-Password = "hello"
> (1) Service-Type = Authorize-Only
> (1) Message-Authenticator = 0x44f58b7d76d7f00a1ed55ee8a7a2165d
> (1) # Executing section authorize from file /etc/raddb/sites-enabled/
> default
> (1) authorize {
> (1) policy filter_username {
> (1) if (&User-Name) {
> (1) if (&User-Name) -> TRUE
> (1) if (&User-Name) {
> (1) if (&User-Name =~ / /) {
> (1) if (&User-Name =~ / /) -> FALSE
> (1) if (&User-Name =~ /@[^@]*@/ ) {
> (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (1) if (&User-Name =~ /\.\./ ) {
> (1) if (&User-Name =~ /\.\./ ) -> FALSE
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
> FALSE
> (1) if (&User-Name =~ /\.$/) {
> (1) if (&User-Name =~ /\.$/) -> FALSE
> (1) if (&User-Name =~ /@\./) {
> (1) if (&User-Name =~ /@\./) -> FALSE
> (1) } # if (&User-Name) = notfound
> (1) } # policy filter_username = notfound
> (1) [preprocess] = ok
> (1) [chap] = noop
> (1) [mschap] = noop
> (1) [digest] = noop
> (1) suffix: Checking for suffix after "@"
> (1) suffix: No '@' in User-Name = "bob", looking up realm NULL
> (1) suffix: No such realm "NULL"
> (1) [suffix] = noop
> (1) eap: No EAP-Message, not doing EAP
> (1) [eap] = noop
> (1) files: users: Matched entry bob at line 87
> (1) [files] = ok
> (1) [expiration] = noop
> (1) [logintime] = noop
> (1) [pap] = updated
> (1) } # authorize = updated
> (1) Found Auth-Type = PAP
> (1) # Executing group from file /etc/raddb/sites-enabled/default
> (1) Auth-Type PAP {
> (1) pap: Login attempt with password
> (1) pap: Comparing with "known good" Cleartext-Password
> (1) pap: User authenticated successfully
> (1) [pap] = ok
> (1) } # Auth-Type PAP = ok
> (1) # Executing section post-auth from file /etc/raddb/sites-enabled/
> default
> (1) post-auth {
> (1) update {
> (1) No attributes updated
> (1) } # update = noop
> (1) [exec] = noop
> (1) policy remove_reply_message_if_eap {
> (1) if (&reply:EAP-Message && &reply:Reply-Message) {
> (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (1) else {
> (1) [noop] = noop
> (1) } # else = noop
> (1) } # policy remove_reply_message_if_eap = noop
> (1) } # post-auth = noop
> (1) Sent Access-Accept Id 90 from 127.0.0.1:1812 to 127.0.0.1:49092
> length 0
> (1) Finished request
> Waking up in 4.9 seconds.
> (0) Cleaning up request packet ID 2 with timestamp +17
> (1) Cleaning up request packet ID 90 with timestamp +17
> Ready to process requests
>
>
> this is with
>
> 1) users file updated to have
> bob Cleartext-Password := "hello"
>
> 2) nginx.conf looks like
>
> #user nobody;
> worker_processes 1;
>
> #error_log logs/error.log;
> #error_log logs/error.log notice;
> #error_log logs/error.log info;
>
> #pid logs/nginx.pid;
>
>
> events {
> worker_connections 1024;
> }
>
>
> http {
> include mime.types;
> default_type application/octet-stream;
>
> #set the directory of radius dictionary.
> radius_dict_directory "/usr/local/nginx/raddb/";
>
> #radius server configuration including
>
> radius_server "radius_server1" {
> #authentication timed-out
> auth_timeout 5;
>
> #limit to resend the request
> resend_limit 3;
>
> #radius authentication server url.
> url "127.0.0.1:1812";
>
> #share secret
> share_secret "testing123";
> }
>
> #log_format main '$remote_addr - $remote_user [$time_local]
> "$request" '
> # '$status $body_bytes_sent "$http_referer" '
> # '"$http_user_agent" "$http_x_forwarded_for"';
>
> #access_log logs/access.log main;
>
> sendfile on;
> #tcp_nopush on;
>
> #keepalive_timeout 0;
> keepalive_timeout 65;
>
> #gzip on;
>
> server {
> listen 80;
> server_name localhost;
>
> #charset koi8-r;
>
> #access_log logs/host.access.log main;
>
> location / {
> root html;
> index index.html index.htm;
> #radius server configuration
>
> #the third parameter is the authentication method; you can set one of
> the following values:
> # PAP CHAP MSCHAP MSCHAPV2 EAPMD5
>
> auth_radius_server "radius_server1" "PAP";
>
> #authentication realm; you can set one of the following values:
> # Restricted "Close Content" off
>
> auth_radius "Restricted";
> }
>
> #error_page 404 /404.html;
>
> # redirect server error pages to the static page /50x.html
> #
> error_page 500 502 503 504 /50x.html;
> location = /50x.html {
> root html;
> }
>
> # proxy the PHP scripts to Apache listening on 127.0.0.1:80
> #
> #location ~ \.php$ {
> # proxy_pass http://127.0.0.1;
> #}
>
> # pass the PHP scripts to FastCGI server listening on
> 127.0.0.1:9000
> #
> #location ~ \.php$ {
> # root html;
> # fastcgi_pass 127.0.0.1:9000;
> # fastcgi_index index.php;
> # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
> # include fastcgi_params;
> #}
>
> # deny access to .htaccess files, if Apache's document root
> # concurs with nginx's one
> #
> #location ~ /\.ht {
> # deny all;
> #}
> }
>
>
> # another virtual host using mix of IP-, name-, and port-based
> configuration
> #
> #server {
> # listen 8000;
> # listen somename:8080;
> # server_name somename alias another.alias;
>
> # location / {
> # root html;
> # index index.html index.htm;
> # }
> #}
>
>
> # HTTPS server
> #
> #server {
> # listen 443 ssl;
> # server_name localhost;
>
> # ssl_certificate cert.pem;
> # ssl_certificate_key cert.key;
>
> # ssl_session_cache shared:SSL:1m;
> # ssl_session_timeout 5m;
>
> # ssl_ciphers HIGH:!aNULL:!MD5;
> # ssl_prefer_server_ciphers on;
>
> # location / {
> # root html;
> # index index.html index.htm;
> # }
> #}
>
> }
>
> those were the only 2 system files edited(*)
>
>
> however, that nginx plugin is using some really old FreeRADIUS client
> library code.
>
> (*) I had to edit the dictionary files a great deal because it doesn't support e.g.
> vsa, octets[], integer64, ipv4prefix, decimal VSA values, etc.
>
>
> it's very likely, if you haven't edited the plugin source code (no need
> to - but nginx needs to be compiled without -Werror because of the plugin
> code), that you have broken your dictionary files in some horrendous
> way and that is what is failing here....
>
> alan
> -
>