Hello Alan, Adam, Thank you for your reply. This is my radiusd -X all debug logs. ----- Received Access-Request Id 97 from 127.0.0.1:44294 to 127.0.0.1:1812 length 101 User-Name = 'radtest@eduroam.test.edu' User-Password = 'test' NAS-IP-Address = X.X.X.X NAS-Port = 0 Message-Authenticator = 0xb8fc8bbf410ad0804e01366105fe8b25 (0) Received Access-Request packet from host 127.0.0.1 port 44294, id=97, length=101 (0) User-Name = 'radtest@eduroam.test.edu' (0) User-Password = 'test' (0) NAS-IP-Address = X.X.X.X (0) NAS-Port = 0 (0) Message-Authenticator = 0xb8fc8bbf410ad0804e01366105fe8b25 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) if ( &User-Name !~ /@/ ) (0) if ( &User-Name !~ /@/ ) -> FALSE (0) elsif ( &User-Name =~ /@eduroam\.test\.edu/ ) (0) elsif ( &User-Name =~ /@eduroam\.test\.edu/ ) -> TRUE (0) elsif ( &User-Name =~ /@eduroam\.test\.edu/ ) { (0) [ok] = ok (0) } # elsif ( &User-Name =~ /@eduroam\.test\.edu/ ) = ok (0) ... skipping elsif for request 0: Preceding "if" was taken (0) filter_username filter_username { (0) if (!&User-Name) (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\\.\\./ ) (0) if (&User-Name =~ /\\.\\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\\.$/) (0) if (&User-Name =~ /\\.$/) -> FALSE (0) if (&User-Name =~ /@\\./) (0) if (&User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = ok (0) [preprocess] = ok (0) auth_log : EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (0) auth_log : --> /var/log/radius/radacct/127.0.0.1/auth-detail-20170125 (0) auth_log : /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20170125 (0) auth_log : EXPAND %t (0) auth_log : --> Wed Jan 25 13:11:26 2017 (0) [auth_log] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : Checking for suffix after "@" (0) suffix : Looking up realm "eduroam.test.edu" for User-Name = "radtest@eduroam.test.edu" (0) suffix : Found realm "~^eduroam.test.edu$" (0) suffix : Adding Stripped-User-Name = "radtest" (0) suffix : Adding Realm = "eduroam.test.edu" (0) suffix : Authentication realm is LOCAL (0) [suffix] = ok (0) eap : No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop (0) [expiration] = noop (0) [logintime] = noop (0) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type (0) WARNING: pap : Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user (0) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [radtest@eduroam.test.edu/test] (from client localhost port 0) (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject : EXPAND %{User-Name} (0) attr_filter.access_reject : --> radtest@eduroam.test.edu (0) attr_filter.access_reject : Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure (0) [eap] = noop (0) remove_reply_message_if_eap remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else else { (0) [noop] = noop (0) } # else else = noop (0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sending Access-Reject packet to host 127.0.0.1 port 44294, id=97, length=0 Sending Access-Reject Id 97 from 127.0.0.1:1812 to 127.0.0.1:44294 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 97 with timestamp +11 Ready to process requests ----- and this is my configuration. - /etc/raddb/sites-enables/default # cat default | grep -v ^# | grep -v ^$ | grep -v " *# " server default { listen { type = auth ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { ipaddr = * port = 0 type = acct limit { } } listen { type = auth port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { ipv6addr = :: port = 0 type = acct limit { } } authorize { if ( &User-Name !~ /@/ ) { reject } elsif ( &User-Name =~ /@eduroam\.test\.edu/ ) { ok } elsif ( &User-Name =~ /@*\.test\.edu/ ) { reject } filter_username preprocess auth_log chap mschap digest suffix eap { ok = return } files -sql -ldap expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } digest eap } preacct { preprocess acct_unique suffix files } accounting { detail unix -sql exec attr_filter.accounting_response } session { } post-auth { -sql exec remove_reply_message_if_eap Post-Auth-Type REJECT { -sql attr_filter.access_reject eap remove_reply_message_if_eap } } pre-proxy { } post-proxy { eap } } - /etc/raddb/sites-enables/inner-tunnel # cat inner-tunnel | grep -v ^# | grep -v ^$ | grep -v " *# " server inner-tunnel { listen { ipaddr = 127.0.0.1 port = 18120 type = auth } authorize { chap mschap suffix eap { ok = return } files -sql -ldap expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } ntlm_auth eap } session { radutmp } post-auth { -sql Post-Auth-Type REJECT { -sql attr_filter.access_reject } } pre-proxy { } post-proxy { eap } Please tell me if you need other files. Best regards 2017-01-24 23:57 GMT+09:00 Alan DeKok <aland@deployingradius.com>:
On Jan 23, 2017, at 11:16 PM, Seiichirou Hiraoka <seiichirou.hiraoka@gmail.com> wrote:
In the environment of CentOS 7.3, FreeRADIUS 3.0.4, local users file (/etc/raddb/mods-config/files/authorize) can not authenticate.
Yes, they can.
It is set to authenticate with mschap using inner-tunnel, and the following I confirmed that authentication succeeds with the command. (username@eduroam.test.edu is the user on the AD server)
# radtest - t mschap username@eduroam.test.edu test 127.0.0.1: 1812 0 testing 123 Received Access-Accept Id 32 from 127.0.0.1: 1812 to 127.0.0.1: 42901 length 84
Next, to monitor the service, add the following entry to local users file.
radtest@eduroam.test.edu Cleartext - Password: = "test"
Odds are that you have a realm defined, which is "eduroam.test.edu".
Running radtest in this state will fail.
# radtest radtest@eduroam.test.edu test 127.0.0.1: 1812 0 testing 123 Received Access-Reject Id 79 from 127.0.0.1: 1812 to 127.0.0.1: 55380 length 20
Looking at the log (/var/log/radius/radius.log), files seems to be noop and is not recognized.
(0) [suffix] = ok (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop <- This is wrong????
If only you could read the REST OF THE DEBUG OUTPUT to see what the server is doing.
Please tell me how to do RADIUS authentication with local user file for service monitoring.
You use it as documented. And, you read the debug output.
ALL OF IT.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html