Hi, that is easy getting PERL working "following this guide https://wiki.freeradius.org/modules/Rlm_perl" however like you said the username/password needs to be handed to PERL from PAP, how do we achieve this Fri Aug 23 16:47:44 2019 : Debug: (0) modsingle[authorize]: returned from pap (rlm_pap) Fri Aug 23 16:47:44 2019 : Debug: (0) [pap] = noop Fri Aug 23 16:47:44 2019 : Debug: (0) } # authorize = ok Fri Aug 23 16:47:44 2019 : Debug: (0) Found Auth-Type = Perl Fri Aug 23 16:47:44 2019 : Debug: (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default Fri Aug 23 16:47:44 2019 : Debug: (0) Auth-Type Perl { Fri Aug 23 16:47:44 2019 : Debug: (0) modsingle[authenticate]: calling perl (rlm_perl) Fri Aug 23 16:47:44 2019 : Debug: (0) perl: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'user@domain.com' Fri Aug 23 16:47:44 2019 : Debug: (0) perl: $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'my-secret-password534701' Fri Aug 23 16:47:44 2019 : Debug: (0) perl: $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '127.0.0.1' Fri Aug 23 16:47:44 2019 : Debug: (0) perl: $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '0' Fri Aug 23 16:47:44 2019 : Debug: (0) perl: $RAD_REQUEST{'Reply-Message'}[0] = &request:Reply-Message -> 'V`??' Fri Aug 23 16:47:44 2019 : Debug: (0) perl: $RAD_REQUEST{'Reply-Message'}[1] = &request:Reply-Message -> 'V`??' Fri Aug 23 16:47:44 2019 : Debug: (0) perl: $RAD_REQUEST{'Calling-Station-Id'} = &request:Calling-Station-Id -> '1115551212' Fri Aug 23 16:47:44 2019 : Debug: (0) perl: $RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier -> 'Localhost' Fri Aug 23 16:47:44 2019 : Debug: (0) perl: $RAD_REQUEST{'Acct-Session-Id'} = &request:Acct-Session-Id -> '1566571664M26tfc' Fri Aug 23 16:47:44 2019 : Debug: (0) perl: $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Aug 23 2019 16:47:44 SAST' Fri Aug 23 16:47:44 2019 : Debug: (0) perl: $RAD_REQUEST{'Message-Authenticator'} = &request:Message-Authenticator -> '0x84dfd83902629edfb805d1e1ff85a14e' Fri Aug 23 16:47:44 2019 : Debug: (0) perl: $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'Perl' Fri Aug 23 16:47:44 2019 : Debug: (0) perl: $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'Perl' Fri Aug 23 16:47:44 2019 : Info: rlm_perl: Config File /etc/freeradius/3.0/mods-config/perl/radius_linotp.ini found! Fri Aug 23 16:47:44 2019 : Info: rlm_perl: Default URL https://otp.domain.com/validate/simplecheck Fri Aug 23 16:47:44 2019 : Info: rlm_perl: Auth-Type: Perl Fri Aug 23 16:47:44 2019 : Info: rlm_perl: Url: https://otp.domain.com/validate/simplecheck Fri Aug 23 16:47:44 2019 : Info: rlm_perl: User: user@domain.com Fri Aug 23 16:47:44 2019 : Info: rlm_perl: urlparam pass Fri Aug 23 16:47:44 2019 : Info: rlm_perl: urlparam client Fri Aug 23 16:47:44 2019 : Info: rlm_perl: urlparam user DEBUG: .../IO/Socket/SSL.pm:2853: new ctx 94282380870912 DEBUG: .../IO/Socket/SSL.pm:692: socket not yet connected DEBUG: .../IO/Socket/SSL.pm:694: socket connected DEBUG: .../IO/Socket/SSL.pm:717: ssl handshake not started DEBUG: .../IO/Socket/SSL.pm:750: using SNI with hostname otp.domain.com DEBUG: .../IO/Socket/SSL.pm:807: set socket to non-blocking to enforce timeout=180 DEBUG: .../IO/Socket/SSL.pm:819: call Net::SSLeay::connect DEBUG: .../IO/Socket/SSL.pm:822: done Net::SSLeay::connect -> -1 DEBUG: .../IO/Socket/SSL.pm:832: ssl handshake in progress DEBUG: .../IO/Socket/SSL.pm:842: waiting for fd to become ready: SSL wants a read first DEBUG: .../IO/Socket/SSL.pm:862: socket ready, retrying connect DEBUG: .../IO/Socket/SSL.pm:819: call Net::SSLeay::connect DEBUG: .../IO/Socket/SSL.pm:822: done Net::SSLeay::connect -> 1 DEBUG: .../IO/Socket/SSL.pm:877: ssl handshake done DEBUG: .../IO/Socket/SSL.pm:2875: free ctx 94282380870912 open=94282380870912 DEBUG: .../IO/Socket/SSL.pm:2886: OK free ctx 94282380870912 Fri Aug 23 16:47:45 2019 : Info: rlm_perl: OTP access granted Fri Aug 23 16:47:45 2019 : Info: rlm_perl: return RLM_MODULE_OK Fri Aug 23 16:47:45 2019 : Debug: (0) perl: &request:Acct-Session-Id = $RAD_REQUEST{'Acct-Session-Id'} -> '1566571664M26tfc' Fri Aug 23 16:47:45 2019 : Debug: (0) perl: &request:Reply-Message += $RAD_REQUEST{'Reply-Message'} -> 'V`??' Fri Aug 23 16:47:45 2019 : Debug: (0) perl: &request:Reply-Message += $RAD_REQUEST{'Reply-Message'} -> 'V`??' Fri Aug 23 16:47:45 2019 : Debug: (0) perl: &request:NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} -> 'Localhost' Fri Aug 23 16:47:45 2019 : Debug: (0) perl: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'user@domain.com' Fri Aug 23 16:47:45 2019 : Debug: (0) perl: &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Aug 23 2019 16:47:44 SAST' Fri Aug 23 16:47:45 2019 : Debug: (0) perl: &request:Calling-Station-Id = $RAD_REQUEST{'Calling-Station-Id'} -> '1115551212' Fri Aug 23 16:47:45 2019 : Debug: (0) perl: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '127.0.0.1' Fri Aug 23 16:47:45 2019 : Debug: (0) perl: &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'my-secret-password534701' Fri Aug 23 16:47:45 2019 : Debug: (0) perl: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '0' Fri Aug 23 16:47:45 2019 : Debug: (0) perl: &request:Message-Authenticator = $RAD_REQUEST{'Message-Authenticator'} -> '0x84dfd83902629edfb805d1e1ff85a14e' Fri Aug 23 16:47:45 2019 : Debug: (0) perl: &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'OTP access granted' Fri Aug 23 16:47:45 2019 : Debug: (0) perl: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl' Fri Aug 23 16:47:45 2019 : Debug: (0) modsingle[authenticate]: returned from perl (rlm_perl) Fri Aug 23 16:47:45 2019 : Debug: (0) [perl] = ok Fri Aug 23 16:47:45 2019 : Debug: (0) } # Auth-Type Perl = ok Regards Juan On Fri, 23 Aug 2019 at 15:47, Alan DeKok <aland@deployingradius.com> wrote:
On Aug 23, 2019, at 9:37 AM, Linux Threads <linuxthreads@gmail.com> wrote:
please can you guide me how to handoff my wifi auth username and password to FR outer-el via PAP and then pass the username and password to linotp perl script via the inner-tunnel
Follow my guide to get 802.1X / EAP working:
Then, use "radclient" to test PAP passwords with the "inner-tunnel" virtual server. See the comments at the top of the "inner-tunnel" virtual server for more information.
Do NOT try to test OTP + WiFi together. Make sure that WiFi works. Then independently, make sure that OTP works. Only when both work independently should you try WiFi + OTP.
And be aware that WiFi is likely to not work well with OTP. WiFi clients want to cache the passwords for days. This is because the systems can connect and disconnect multiple times in an hour.
Entering an OTP code *every time* you connect to Wifi is difficult and annoying.
tried to follow this http://lists.freeradius.org/pipermail/freeradius-users/2016-November/085830.... however not getting it to work
Fri Aug 23 12:28:17 2019 : Debug: (3) Auth-Type Perl { Fri Aug 23 12:28:17 2019 : Debug: (3) modsingle[authenticate]: calling perl (rlm_perl)
Follow the documentation for what to post to the list. This isn't difficult. And what you posted isn't what we need to see.
Fri Aug 23 12:28:17 2019 : Debug: (3) perl: &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'LinOTP server denied access!'
That's pretty clear.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html