wifi 802.11 to pap and perl handoff

Linux Threads linuxthreads at gmail.com
Fri Aug 23 16:55:28 CEST 2019


Hi,

Getting PERL working is easy "following this guide
https://wiki.freeradius.org/modules/Rlm_perl"; however, like you said,
the username/password needs to be handed to PERL from PAP.

How do we achieve this?

Fri Aug 23 16:47:44 2019 : Debug: (0)     modsingle[authorize]:
returned from pap (rlm_pap)
Fri Aug 23 16:47:44 2019 : Debug: (0)     [pap] = noop
Fri Aug 23 16:47:44 2019 : Debug: (0)   } # authorize = ok
Fri Aug 23 16:47:44 2019 : Debug: (0) Found Auth-Type = Perl
Fri Aug 23 16:47:44 2019 : Debug: (0) # Executing group from file
/etc/freeradius/3.0/sites-enabled/default
Fri Aug 23 16:47:44 2019 : Debug: (0)   Auth-Type Perl {
Fri Aug 23 16:47:44 2019 : Debug: (0)     modsingle[authenticate]:
calling perl (rlm_perl)
Fri Aug 23 16:47:44 2019 : Debug: (0) perl:
$RAD_REQUEST{'User-Name'} = &request:User-Name -> 'user at domain.com'
Fri Aug 23 16:47:44 2019 : Debug: (0) perl:
$RAD_REQUEST{'User-Password'} = &request:User-Password ->
'my-secret-password534701'
Fri Aug 23 16:47:44 2019 : Debug: (0) perl:
$RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address ->
'127.0.0.1'
Fri Aug 23 16:47:44 2019 : Debug: (0) perl:   $RAD_REQUEST{'NAS-Port'}
= &request:NAS-Port -> '0'
Fri Aug 23 16:47:44 2019 : Debug: (0) perl:
$RAD_REQUEST{'Reply-Message'}[0] = &request:Reply-Message -> 'V`??'
Fri Aug 23 16:47:44 2019 : Debug: (0) perl:
$RAD_REQUEST{'Reply-Message'}[1] = &request:Reply-Message -> 'V`??'
Fri Aug 23 16:47:44 2019 : Debug: (0) perl:
$RAD_REQUEST{'Calling-Station-Id'} = &request:Calling-Station-Id ->
'1115551212'
Fri Aug 23 16:47:44 2019 : Debug: (0) perl:
$RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier ->
'Localhost'
Fri Aug 23 16:47:44 2019 : Debug: (0) perl:
$RAD_REQUEST{'Acct-Session-Id'} = &request:Acct-Session-Id ->
'1566571664M26tfc'
Fri Aug 23 16:47:44 2019 : Debug: (0) perl:
$RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Aug 23
2019 16:47:44 SAST'
Fri Aug 23 16:47:44 2019 : Debug: (0) perl:
$RAD_REQUEST{'Message-Authenticator'} = &request:Message-Authenticator
-> '0x84dfd83902629edfb805d1e1ff85a14e'
Fri Aug 23 16:47:44 2019 : Debug: (0) perl:   $RAD_CHECK{'Auth-Type'}
= &control:Auth-Type -> 'Perl'
Fri Aug 23 16:47:44 2019 : Debug: (0) perl:   $RAD_CONFIG{'Auth-Type'}
= &control:Auth-Type -> 'Perl'
Fri Aug 23 16:47:44 2019 : Info: rlm_perl: Config File
/etc/freeradius/3.0/mods-config/perl/radius_linotp.ini found!
Fri Aug 23 16:47:44 2019 : Info: rlm_perl: Default URL
https://otp.domain.com/validate/simplecheck
Fri Aug 23 16:47:44 2019 : Info: rlm_perl: Auth-Type: Perl
Fri Aug 23 16:47:44 2019 : Info: rlm_perl: Url:
https://otp.domain.com/validate/simplecheck
Fri Aug 23 16:47:44 2019 : Info: rlm_perl: User: user at domain.com
Fri Aug 23 16:47:44 2019 : Info: rlm_perl: urlparam pass
Fri Aug 23 16:47:44 2019 : Info: rlm_perl: urlparam client
Fri Aug 23 16:47:44 2019 : Info: rlm_perl: urlparam user
DEBUG: .../IO/Socket/SSL.pm:2853: new ctx 94282380870912
DEBUG: .../IO/Socket/SSL.pm:692: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:694: socket connected
DEBUG: .../IO/Socket/SSL.pm:717: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:750: using SNI with hostname otp.domain.com
DEBUG: .../IO/Socket/SSL.pm:807: set socket to non-blocking to enforce
timeout=180
DEBUG: .../IO/Socket/SSL.pm:819: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:822: done Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:832: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:842: waiting for fd to become ready: SSL
wants a read first
DEBUG: .../IO/Socket/SSL.pm:862: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:819: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:822: done Net::SSLeay::connect -> 1
DEBUG: .../IO/Socket/SSL.pm:877: ssl handshake done
DEBUG: .../IO/Socket/SSL.pm:2875: free ctx 94282380870912 open=94282380870912
DEBUG: .../IO/Socket/SSL.pm:2886: OK free ctx 94282380870912
Fri Aug 23 16:47:45 2019 : Info: rlm_perl: OTP access granted
Fri Aug 23 16:47:45 2019 : Info: rlm_perl: return RLM_MODULE_OK
Fri Aug 23 16:47:45 2019 : Debug: (0) perl: &request:Acct-Session-Id =
$RAD_REQUEST{'Acct-Session-Id'} -> '1566571664M26tfc'
Fri Aug 23 16:47:45 2019 : Debug: (0) perl: &request:Reply-Message +=
$RAD_REQUEST{'Reply-Message'} -> 'V`??'
Fri Aug 23 16:47:45 2019 : Debug: (0) perl: &request:Reply-Message +=
$RAD_REQUEST{'Reply-Message'} -> 'V`??'
Fri Aug 23 16:47:45 2019 : Debug: (0) perl: &request:NAS-Identifier =
$RAD_REQUEST{'NAS-Identifier'} -> 'Localhost'
Fri Aug 23 16:47:45 2019 : Debug: (0) perl: &request:User-Name =
$RAD_REQUEST{'User-Name'} -> 'user at domain.com'
Fri Aug 23 16:47:45 2019 : Debug: (0) perl: &request:Event-Timestamp =
$RAD_REQUEST{'Event-Timestamp'} -> 'Aug 23 2019 16:47:44 SAST'
Fri Aug 23 16:47:45 2019 : Debug: (0) perl:
&request:Calling-Station-Id = $RAD_REQUEST{'Calling-Station-Id'} ->
'1115551212'
Fri Aug 23 16:47:45 2019 : Debug: (0) perl: &request:NAS-IP-Address =
$RAD_REQUEST{'NAS-IP-Address'} -> '127.0.0.1'
Fri Aug 23 16:47:45 2019 : Debug: (0) perl: &request:User-Password =
$RAD_REQUEST{'User-Password'} -> 'my-secret-password534701'
Fri Aug 23 16:47:45 2019 : Debug: (0) perl: &request:NAS-Port =
$RAD_REQUEST{'NAS-Port'} -> '0'
Fri Aug 23 16:47:45 2019 : Debug: (0) perl:
&request:Message-Authenticator = $RAD_REQUEST{'Message-Authenticator'}
-> '0x84dfd83902629edfb805d1e1ff85a14e'
Fri Aug 23 16:47:45 2019 : Debug: (0) perl: &reply:Reply-Message =
$RAD_REPLY{'Reply-Message'} -> 'OTP access granted'
Fri Aug 23 16:47:45 2019 : Debug: (0) perl: &control:Auth-Type =
$RAD_CHECK{'Auth-Type'} -> 'Perl'
Fri Aug 23 16:47:45 2019 : Debug: (0)     modsingle[authenticate]:
returned from perl (rlm_perl)
Fri Aug 23 16:47:45 2019 : Debug: (0)     [perl] = ok
Fri Aug 23 16:47:45 2019 : Debug: (0)   } # Auth-Type Perl = ok

Regards

Juan

On Fri, 23 Aug 2019 at 15:47, Alan DeKok <aland at deployingradius.com> wrote:
>
> On Aug 23, 2019, at 9:37 AM, Linux Threads <linuxthreads at gmail.com> wrote:
> >
> > please can you guide me how to handoff my wifi auth username and password
> > to FR outer-el via PAP and then pass the username and password to linotp
> > perl script via the inner-tunnel
>
>   Follow my guide to get 802.1X / EAP working:
>
>   http://deployingradius.com
>
>   Then, use "radclient" to test PAP passwords with the "inner-tunnel" virtual server.  See the comments at the top of the "inner-tunnel" virtual server for more information.
>
>   Do NOT try to test OTP + WiFi together.  Make sure that WiFi works.  Then independently, make sure that OTP works.  Only when both work independently should you try WiFi + OTP.
>
>   And be aware that WiFi is likely to not work well with OTP.  WiFi clients want to cache the passwords for days.  This is because the systems can connect and disconnect multiple times in an hour.
>
>   Entering an OTP code *every time* you connect to Wifi is difficult and annoying.
>
> > tried to follow this
> > http://lists.freeradius.org/pipermail/freeradius-users/2016-November/085830.html
> > however
> > not getting it to work
> >
> > Fri Aug 23 12:28:17 2019 : Debug: (3)   Auth-Type Perl {
> > Fri Aug 23 12:28:17 2019 : Debug: (3)     modsingle[authenticate]: calling
> > perl (rlm_perl)
>
>   Follow the documentation for what to post to the list.  This isn't difficult.  And what you posted isn't what we need to see.
> >
> > Fri Aug 23 12:28:17 2019 : Debug: (3) perl: &reply:Reply-Message =
> > $RAD_REPLY{'Reply-Message'} -> 'LinOTP server denied access!'
>
>   That's pretty clear.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
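
An added example (not part of the original post or of FreeRADIUS): a small Python check over FreeRADIUS debug output shaped like the log above. It rejoins the mail-wrapped lines, reports whether `User-Password` reached `%RAD_REQUEST` in rlm_perl and what the module returned, and masks the password value before the log is shared. The function names and the sample log values are constructed for illustration.

```python
import re

# Start of a real log entry; any other line is a mail-wrapped continuation.
ENTRY = re.compile(r"^(?:\w{3} \w{3} [ \d]\d [\d:]{8} \d{4} : |DEBUG: )")
# Attribute copied into rlm_perl: $RAD_REQUEST{'Attr'} = &request:Attr -> 'value'
HANDED = re.compile(r"\$RAD_REQUEST\{'([^']+)'\}(?:\[\d+\])? = &request:\S+ -> '(.*)'$")
# User-Password copy in either direction; the quoted value is group 2.
SECRET = re.compile(r"(User-Password\S* -> ')(.*)(')$")
RESULT = re.compile(r"\[perl\] = (\w+)")

# Constructed sample in the same wrapped layout as the log in the post.
SAMPLE = """\
Fri Aug 23 16:47:44 2019 : Debug: (0)     [pap] = noop
Fri Aug 23 16:47:44 2019 : Debug: (0) Found Auth-Type = Perl
Fri Aug 23 16:47:44 2019 : Debug: (0) perl:
$RAD_REQUEST{'User-Name'} = &request:User-Name -> 'alice@example.org'
Fri Aug 23 16:47:44 2019 : Debug: (0) perl:
$RAD_REQUEST{'User-Password'} = &request:User-Password ->
'constructed-pass123456'
Fri Aug 23 16:47:45 2019 : Debug: (0) perl: &request:User-Password =
$RAD_REQUEST{'User-Password'} -> 'constructed-pass123456'
Fri Aug 23 16:47:45 2019 : Debug: (0)     [perl] = ok
"""

def unwrap(text):
    """Rejoin continuation lines so each list item is one full log entry."""
    entries = []
    for line in text.splitlines():
        if ENTRY.match(line) or not entries:
            entries.append(line.rstrip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def summarize(text):
    """Report what rlm_perl received and return a copy safe to post."""
    entries = unwrap(text)
    handed = {m.group(1) for e in entries if (m := HANDED.search(e))}
    result = next((m.group(1) for e in entries if (m := RESULT.search(e))), None)
    safe = [SECRET.sub(r"\1<redacted>\3", e) for e in entries]
    return {"attributes": sorted(handed), "password_handed": "User-Password" in handed,
            "perl_result": result, "safe_log": "\n".join(safe)}

if __name__ == "__main__":
    print(summarize(SAMPLE)["safe_log"])
```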

