Hi Team, I have figured it out and found to be working with my basic testing. I have modified the following file configurations after which I have posted in my previous mail. --------------------------------------------- CONFIGURATIONS IN raddb/sites-enabled/default --------------------------------------------- authorize { rest } Just added simple "rest" in authorize { } section and removed "rest" and kept the default ones in authenticate { } section and it works with the basic testing ( radtest command ). Thanks, Karun. On Wed, May 18, 2016 at 6:06 PM, Karuna Kumar <karuna.kumar@prontonetworks.com> wrote:
Hi,
I am using FreeRADIUS 3.0.11. Unable to authenticate the user through rest module. I am able to send request to REST API server and also able to fetch response in FreeRADIUS. But, the log says "(1) Failed to authenticate the user". Please let me know whether I did something wrong or I have to configure anything anywhere else. Configuration and logs are pasted below for your reference. Thanks in advance.
--------------------------------------------- CONFIGURATIONS IN raddb/sites-enabled/default ---------------------------------------------
authorize { if (User-Password) { update control { Cleartext-Password := &User-Password Auth-Type := rest } } }
authenticate { rest }
--------------------------------------------- CONFIGURATIONS IN raddb/mods-available/rest ---------------------------------------------
connect_uri = "http://192.168.1.25:8900/"
authorize { uri = "${..connect_uri}/hns/FreeRadiusTest.jsp?test=value&action=authorize&calledStationId=%{Called-Station-ID}&userName=%{User-Name}" method = 'get' tls = ${..tls} }
authenticate { uri = "${..connect_uri}/hns/FreeRadiusTest.jsp?test=value&action=authenticate&calledStationId=%{Called-Station-ID}&userName=%{User-Name}" method = 'get' tls = ${..tls} }
accounting { uri = "${..connect_uri}/hns/FreeRadiusTest.jsp?test=value&action=accounting&calledStationId=%{Called-Station-ID}&userName=%{User-Name}&acctSessionId=%{Acct-Unique-Session-ID}" method = 'post' tls = ${..tls} }
post-auth { uri = "${..connect_uri}/hns/FreeRadiusTest.jsp?test=value&action=postauth&calledStationId=%{Called-Station-ID}&userName=%{User-Name}" method = 'post' tls = ${..tls} }
--------------------------------------------- radtest command output ---------------------------------------------
# radtest test test localhost 0 testing123 Sent Access-Request Id 243 from 0.0.0.0:55212 to 127.0.0.1:1812 length 74 User-Name = "test" User-Password = "test" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "test" Received Access-Reject Id 243 from 127.0.0.1:1812 to 0.0.0.0:0 length 35 Reply-Message = "Hello from KK" (0) -: Expected Access-Accept got Access-Reject
--------------------------------------------- radiusd console debug logs ---------------------------------------------
Ready to process requests (2) Received Access-Request Id 243 from 127.0.0.1:55212 to 127.0.0.1:1812 length 74 (2) User-Name = "test" (2) User-Password = "test" (2) NAS-IP-Address = 127.0.0.1 (2) NAS-Port = 0 (2) Message-Authenticator = 0xa554ee1ed0ff34cbd52a28d7ff14f641 (2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) if (User-Password) { (2) if (User-Password) -> TRUE (2) if (User-Password) { (2) update control { (2) Cleartext-Password := &User-Password -> 'test' (2) Auth-Type := rest (2) } # update control = noop (2) } # if (User-Password) = noop (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "test", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: No EAP-Message, not doing EAP (2) [eap] = noop (2) files: users: Matched entry test at line 1 (2) [files] = ok (2) [expiration] = noop (2) [logintime] = noop (2) pap: WARNING: Auth-Type already set. Not setting to PAP (2) [pap] = noop (2) } # authorize = ok (2) Found Auth-Type = rest (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (2) authenticate { rlm_rest (rest): Closing connection (2): Hit idle_timeout, was idle for 1049 seconds rlm_rest (rest): Closing connection (3): Hit idle_timeout, was idle for 1049 seconds rlm_rest (rest): Closing connection (4): Hit idle_timeout, was idle for 1049 seconds rlm_rest (rest): Closing connection (0): Hit idle_timeout, was idle for 1047 seconds rlm_rest (rest): Closing connection (5): Hit idle_timeout, was idle for 1047 seconds rlm_rest (rest): You probably need to lower "min" rlm_rest (rest): Closing connection (1): Hit idle_timeout, was idle for 1041 seconds rlm_rest (rest): You probably need to lower "min" rlm_rest (rest): Closing connection (6): Hit idle_timeout, was idle for 1041 seconds rlm_rest (rest): You probably need to lower "min" rlm_rest (rest): 0 of 0 connections in use. You may need to increase "spare" rlm_rest (rest): Opening additional connection (7), 1 of 32 pending slots used rlm_rest (rest): Connecting to "http://192.168.1.25:8900/" rlm_rest (rest): Reserved connection (7) (2) rest: Expanding URI components (2) rest: EXPAND http://192.168.1.25:8900 (2) rest: --> http://192.168.1.25:8900 (2) rest: EXPAND //hns/FreeRadiusTest.jsp?test=value&action=authenticate&calledStationId=%{Called-Station-ID}&userName=%{User-Name} (2) rest: --> //hns/FreeRadiusTest.jsp?test=value&action=authenticate&calledStationId=&userName=test (2) rest: Sending HTTP GET to "http://192.168.1.25:8900//hns/FreeRadiusTest.jsp?test=value&action=authentic..." (2) rest: Processing response header (2) rest: Status : 200 (OK) (2) rest: Type : json (application/json) (2) rest: Parsing attribute "reply:User-Name" (2) rest: EXPAND test (2) rest: --> test (2) rest: User-Name := "test" (2) rest: Parsing attribute "reply:User-Password" (2) rest: EXPAND test (2) rest: --> test (2) rest: User-Password := "test" (2) rest: Parsing attribute "control:ClearText-Password" (2) rest: EXPAND test (2) rest: --> test (2) rest: Cleartext-Password := "test" (2) rest: Parsing attribute "reply:Reply-Message" (2) rest: EXPAND Hello from KK (2) rest: --> Hello from KK (2) rest: Reply-Message := "Hello from KK" rlm_rest (rest): Released connection (7) rlm_rest (rest): Need 2 more connections to reach 10 spares rlm_rest (rest): Opening additional connection (8), 1 of 31 pending slots used rlm_rest (rest): Connecting to "http://192.168.1.25:8900/" (2) [rest] = updated (2) } # authenticate = updated (2) Failed to authenticate the user (2) Using Post-Auth-Type Reject (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (2) Post-Auth-Type REJECT { (2) attr_filter.access_reject: EXPAND %{User-Name} (2) attr_filter.access_reject: --> test (2) attr_filter.access_reject: Matched entry DEFAULT at line 11 (2) [attr_filter.access_reject] = updated (2) [eap] = noop (2) policy remove_reply_message_if_eap { (2) if (&reply:EAP-Message && &reply:Reply-Message) { (2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (2) else { (2) [noop] = noop (2) } # else = noop (2) } # policy remove_reply_message_if_eap = noop (2) } # Post-Auth-Type REJECT = updated (2) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (2) Sending delayed response (2) Sent Access-Reject Id 243 from 127.0.0.1:1812 to 127.0.0.1:55212 length 35 (2) Reply-Message = "Hello from KK" Waking up in 3.9 seconds. (2) Cleaning up request packet ID 243 with timestamp +1049 Ready to process requests
Thanks, Karun.