lists.freeradius.org
Sign In Sign Up
Manage this list Sign In Sign Up

Keyboard Shortcuts

Thread View

  • j: Next unread message
  • k: Previous unread message
  • j a: Jump to all threads
  • j l: Jump to MailingList overview
thread

Re:

Mohiddin Shaik

19 Apr 2018 19 Apr '18
4:08 a.m.

Hey Hi Alan, Thanks for your quick response. We are trying to logon through console (ssh) on Cisco ASA (Firewall) On server only one interface is configured, and on firewall we are using INSIDE interface only. Where as we are able to login with "admin" user account, but not any other user account (cisco/user) even this accounts has same privileges of admin user. We checked on cisco ASA level everything seems fine, even we involved Cisco TAC team as well they are also there is nothing from ASA end to check. Is there any way i can dig why its allowing admin user not other users ? Thanks, Mohiddin On Thu, Apr 19, 2018 at 4:15 AM, Alan Buxey <alan.buxey@gmail.com> wrote:

...

when you say 'log into firewall' - on the console, on the web interface? you'll need to check the NAS docs for what other things need to be sent back form the RADIUS server along with the accept message - usually a load of VSAs to let the device know what profile/access level etc etc

does the server have multiple interfaces too? might be that the reply packet is being sent out a different way and not even getting back to the firewall. normally cisco has some low level diagnostic commands you can use to check AAA behaviour and results.

alan

...

Hey Hi,

I have installed freeradius server and integrated freeipa server, when i run radtest its authenticate perfectly, i configured client.conf to auth my cisco firewall whenever i tried to login using freeipa user on my cisco firewall, radiusd -X debug mode say auth success but i am un able to login into terminal ((9) Sent Access-Accept Id 75 from x.x.x.x:1812 to x.x.x.x:22029 length 0 (9) Finished request).

When i use freeipa admin user id i am able to login into cisco firewall to same freeradius server / same configuration.

Debug Output: Ready to process requests (8) Received Access-Request Id 74 from 10.0.5.5:22029 to 10.0.0.94:1812 length 128 (8) User-Name = "mohiddin" (8) User-Password = "pass@123" (8) NAS-IP-Address = 10.0.5.5 (8) NAS-Port = 74 (8) NAS-Port-Type = Virtual (8) Cisco-AVPair = "ip:source-ip=10.0.2.49" (8) Calling-Station-Id = "10.0.2.49" (8) Cisco-AVPair = "coa-push=true" (8) # Executing section authorize from file /etc/raddb/sites-enabled/ default (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "mohiddin", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) eap: No EAP-Message, not doing EAP (8) [eap] = noop (8) [files] = noop rlm_ldap (ldap): Closing connection (9): Hit idle_timeout, was idle for 133 seconds rlm_ldap (ldap): Closing connection (11): Hit idle_timeout, was idle for 133 seconds rlm_ldap (ldap): Closing connection (8): Hit idle_timeout, was idle for 120 seconds rlm_ldap (ldap): Closing connection (12): Hit idle_timeout, was idle for 120 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (10): Hit idle_timeout, was idle for 113 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (13): Hit idle_timeout, was idle for 113 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare" rlm_ldap (ldap): Opening additional connection (14), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldap://ipa01.test.org:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Reserved connection (14) (8) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (8) ldap: --> (uid=mohiddin) (8) ldap: Performing search in "cn=users,cn=accounts,dc=test,dc=org" with filter "(uid=mohiddin)", scope "sub" (8) ldap: Waiting for search result... (8) ldap: User object found at DN "uid=mohiddin,cn=users,cn=accounts,dc=test,dc=org" (8) ldap: Processing user attributes (8) ldap: control:Password-With-Header += '{SSHA512}FBhJiiB8Uene3Nl6MkFBufEQNVBJsU9GrXy3wXtaaY0mUkjQ5CVAiWdWHHfE f5bZpYWYECf/mvwOojrM/L4dVJLuUJyt+N6Q' rlm_ldap (ldap): Released connection (14) Need 2 more connections to reach min connections (3) rlm_ldap (ldap): Opening additional connection (15), 1 of 31 pending slots used rlm_ldap (ldap): Connecting to ldap://ipa01.test.org:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (8) [ldap] = updated (8) [expiration] = noop (8) [logintime] = noop (8) pap: Converted: &control:Password-With-Header -> &control:SSHA2-512-Password (8) pap: Removing &control:Password-With-Header (8) pap: Normalizing SSHA2-512-Password from base64 encoding, 96 bytes -> 72 bytes (8) [pap] = updated (8) } # authorize = updated (8) Found Auth-Type = PAP (8) # Executing group from file /etc/raddb/sites-enabled/default (8) Auth-Type PAP { (8) pap: Login attempt with password (8) pap: Comparing with "known-good" SSHA2-512-Password (8) pap: User authenticated successfully (8) [pap] = ok (8) } # Auth-Type PAP = ok (8) # Executing section post-auth from file /etc/raddb/sites-enabled/ default (8) post-auth { (8) update { (8) No attributes updated (8) } # update = noop (8) [exec] = noop (8) policy remove_reply_message_if_eap { (8) if (&reply:EAP-Message && &reply:Reply-Message) { (8) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (8) else { (8) [noop] = noop (8) } # else = noop (8) } # policy remove_reply_message_if_eap = noop (8) } # post-auth = noop (8) Sent Access-Accept Id 74 from 10.0.0.94:1812 to 10.0.5.5:22029 length 0 (8) Finished request Waking up in 4.9 seconds. (8) Cleaning up request packet ID 74 with timestamp +504 Ready to process requests (9) Received Access-Request Id 75 from 10.0.5.5:22029 to 10.0.0.94:1812 length 84 (9) User-Name = "admin" (9) User-Password = "reflexis1" (9) NAS-IP-Address = 10.0.5.5 (9) NAS-Port = 75 (9) NAS-Port-Type = Virtual (9) Cisco-AVPair = "coa-push=true" (9) # Executing section authorize from file /etc/raddb/sites-enabled/ default (9) authorize { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = notfound (9) } # policy filter_username = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "admin", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) eap: No EAP-Message, not doing EAP (9) [eap] = noop (9) [files] = noop rlm_ldap (ldap): Closing connection (14): Hit idle_timeout, was idle for 160 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (15): Hit idle_timeout, was idle for 160 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare" rlm_ldap (ldap): Opening additional connection (16), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldap://ipa01.test.org:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Reserved connection (16) (9) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (9) ldap: --> (uid=admin) (9) ldap: Performing search in "cn=users,cn=accounts,dc=test,dc=org" with filter "(uid=admin)", scope "sub" (9) ldap: Waiting for search result... (9) ldap: User object found at DN "uid=admin,cn=users,cn=accounts,dc=test,dc=org" (9) ldap: Processing user attributes (9) ldap: control:Password-With-Header += '{SSHA512}rtaic2+6VABUusn0KrluEZLtSkvcTxH7SVTmJ YwYtlgWqp2f2oMYIQ0AuUTrfNEutEVbn794QFmkwinsfMFihn68yrWO+Po3' rlm_ldap (ldap): Released connection (16) Need 2 more connections to reach min connections (3) rlm_ldap (ldap): Opening additional connection (17), 1 of 31 pending slots used rlm_ldap (ldap): Connecting to ldap://ipa01.test.org:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (9) [ldap] = updated (9) [expiration] = noop (9) [logintime] = noop (9) pap: Converted: &control:Password-With-Header -> &control:SSHA2-512-Password (9) pap: Removing &control:Password-With-Header (9) pap: Normalizing SSHA2-512-Password from base64 encoding, 96 bytes -> 72 bytes (9) [pap] = updated (9) } # authorize = updated (9) Found Auth-Type = PAP (9) # Executing group from file /etc/raddb/sites-enabled/default (9) Auth-Type PAP { (9) pap: Login attempt with password (9) pap: Comparing with "known-good" SSHA2-512-Password (9) pap: User authenticated successfully (9) [pap] = ok (9) } # Auth-Type PAP = ok (9) # Executing section post-auth from file /etc/raddb/sites-enabled/ default (9) post-auth { (9) update { (9) No attributes updated (9) } # update = noop (9) [exec] = noop (9) policy remove_reply_message_if_eap { (9) if (&reply:EAP-Message && &reply:Reply-Message) { (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (9) else { (9) [noop] = noop (9) } # else = noop (9) } # policy remove_reply_message_if_eap = noop (9) } # post-auth = noop (9) Sent Access-Accept Id 75 from 10.0.0.94:1812 to 10.0.5.5:22029 length 0 (9) Finished request Waking up in 4.9 seconds. (9) Cleaning up request packet ID 75 with timestamp +664 Ready to process requests

Thanks, Mohiddin. - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html

On 18 April 2018 at 18:50, Mohiddin Shaik <kms31786@gmail.com> wrote: - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html

0 0
Reply
Sign in to reply online Use email software

Back to the thread

Back to the list

HyperKitty Powered by HyperKitty version 1.3.12.