hello Adam, Thank you for your reply 2017-01-24 18:29 GMT+09:00 Adam Bishop <Adam.Bishop@jisc.ac.uk>:
On 24 Jan 2017, at 04:16, Seiichirou Hiraoka <seiichirou.hiraoka@gmail.com> wrote:
radtest@eduroam.test.edu Cleartext - Password: = "test"
The whitespace here is wrong - is it in the file like this, or is it just your MUA butchering it? The line should look like:
radtest@eduroam.test.edu Cleartext-Password := "test" -------------------------------------^ tab here
Looking at the log (/var/log/radius/radius.log), files seems to be noop and is not recognized.
You've not posted enough information to fully diagnose the problem - FreeRADIUS makes multiple passes through the virtual server (pre-proxy/authZ/authN/postN/post-proxy) with each request, so we need to see the entire log.
This is my MUA butchering. I use tab separator.
- update control { - Proxy - To - Realm: = LOCAL -}
Are you sure you want to do this?
+ Ntlm_auth
If you're using AD as your backend, and you want to use the static users file in addition there's a little more config you'll need to get it production ready:
https://wiki.freeradius.org/guide/Combining-authentication-of-AD-accounts-nt... https://wiki.freeradius.org/guide/NTLM-Auth-with-PAP-HOWTO
I see this URL (FreeRADIUS 3.X) and try , but fail... # radtest radtest@eduroam.test.edu test 127.0.0.1 0 testing123 Sending Access-Request Id 11 from 0.0.0.0:39536 to 127.0.0.1:1812 User-Name = 'radtest@eduroam.test.edu' User-Password = 'test' NAS-IP-Address = X.X.X.X NAS-Port = 0 Message-Authenticator = 0x00 Received Access-Reject Id 11 from 127.0.0.1:1812 to 127.0.0.1:39536 length 20 (0) -: Expected Access-Accept got Access-Reject User "radtest@eduroam.test.edu" is not exist in my AD Server. But exist in /etc/raddb/users (/etc/raddb/mods-config/files/authorize) (Tab separated) ----- radtest@eduroam.test.edu Cleartext-Password := "test" ----- This is my debug log (radiusd -X) ----- Received Access-Request Id 11 from 127.0.0.1:39536 to 127.0.0.1:1812 length 101 User-Name = 'radtest@eduroam.test.edu' User-Password = 'test' NAS-IP-Address = X.X.X.X NAS-Port = 0 Message-Authenticator = 0xf98e5871147209fe3a2b8ec9510b970d (0) Received Access-Request packet from host 127.0.0.1 port 39536, id=11, length=101 (0) User-Name = 'radtest@eduroam.test.edu' (0) User-Password = 'test' (0) NAS-IP-Address = X.X.X.X (0) NAS-Port = 0 (0) Message-Authenticator = 0xf98e5871147209fe3a2b8ec9510b970d (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) if ( &User-Name !~ /@/ ) (0) if ( &User-Name !~ /@/ ) -> FALSE (0) elsif ( &User-Name =~ /@eduroam\.test\.edu/ ) (0) elsif ( &User-Name =~ /@eduroam\.test\.edu/ ) -> TRUE (0) elsif ( &User-Name =~ /@eduroam\.test\.edu/ ) { (0) [ok] = ok (0) } # elsif ( &User-Name =~ /@eduroam\.test\.edu/ ) = ok (0) ... skipping elsif for request 0: Preceding "if" was taken (0) ntlm_auth.authorize ntlm_auth.authorize { (0) if (!control:Auth-Type && User-Password) (0) if (!control:Auth-Type && User-Password) -> TRUE (0) if (!control:Auth-Type && User-Password) { (0) update control { (0) Auth-Type := ntlm_auth (0) } # update control = noop (0) } # if (!control:Auth-Type && User-Password) = noop (0) } # ntlm_auth.authorize ntlm_auth.authorize = noop (0) filter_username filter_username { (0) if (!&User-Name) (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\\.\\./ ) (0) if (&User-Name =~ /\\.\\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\\.$/) (0) if (&User-Name =~ /\\.$/) -> FALSE (0) if (&User-Name =~ /@\\./) (0) if (&User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = ok (0) [preprocess] = ok (0) auth_log : EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (0) auth_log : --> /var/log/radius/radacct/127.0.0.1/auth-detail-20170125 (0) auth_log : /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20170125 (0) auth_log : EXPAND %t (0) auth_log : --> Wed Jan 25 16:50:01 2017 (0) [auth_log] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : Checking for suffix after "@" (0) suffix : Looking up realm "eduroam.test.edu" for User-Name = "radtest@eduroam.test.edu" (0) suffix : Found realm "~^eduroam.test.edu$" (0) suffix : Adding Stripped-User-Name = "radtest" (0) suffix : Adding Realm = "eduroam.test.edu" (0) suffix : Authentication realm is LOCAL (0) [suffix] = ok (0) eap : No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop (0) [expiration] = noop (0) [logintime] = noop (0) } # authorize = ok (0) Found Auth-Type = ntlm_auth (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Auth-Type ntlm_auth { Executing: /usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}: (0) ntlm_auth : EXPAND --username=%{mschap:User-Name} (0) ntlm_auth : --> --username=radtest@eduroam.test.edu (0) ntlm_auth : EXPAND --password=%{User-Password} (0) ntlm_auth : --> --password=test Program returned code (1) and output 'NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)' (0) [ntlm_auth] = reject (0) } # Auth-Type ntlm_auth = reject (0) Failed to authenticate the user (0) Login incorrect: [radtest@eduroam.test.edu/test] (from client localhost port 0) (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject : EXPAND %{User-Name} (0) attr_filter.access_reject : --> radtest@eduroam.test.edu (0) attr_filter.access_reject : Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure (0) [eap] = noop (0) remove_reply_message_if_eap remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else else { (0) [noop] = noop (0) } # else else = noop (0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sending Access-Reject packet to host 127.0.0.1 port 39536, id=11, length=0 Sending Access-Reject Id 11 from 127.0.0.1:1812 to 127.0.0.1:39536 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 11 with timestamp +17 Ready to process requests ----- Best regards!
http://deployingradius.com/ is always a good resource to use as well.
Regards,
Adam Bishop
gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html