APC NetBotz User attribute issue.
Hello All, * Our Setup -> Centos, Free Radius, MySQL and Daloradius as Front End management GUI Tool. * Devices use for Authentication -> APC NetBotz 200 Rack monitoring device as NAS. * Attribute Details of user -> 1- APC-Service-Type = Admin and 2- Auth-Type =System * Goal -> NetBotz Device users should get authenticated & login with Administrative rights. * Problem -> We need to get APC Netbotz authentication from Radius server configured and APC has 3 level of users : 1-Administrator, 2-Device, 3-Read only. Along with radius authentication radius need to supply user attributes to Netbotz for user level & its access credentials. We have configured Administrative attribute with users in radius but it does not supply with authentication, there for user get only very lower level access "read only". Our goal is to get Administrative access with radius authentication. * Radisud debug mode output as follows : # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "rishabh", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> rishabh [sql] sql_set_user escaped user --> 'rishabh' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'rishabh' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'rishabh' ORDER BY priority rlm_sql (sql): Released sql socket id: 4 [sql] User rishabh not found ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> rishabh attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 38 to 192.168.12.240 port 64015 Waking up in 4.9 seconds. Cleaning up request 0 ID 38 with timestamp +9 Ready to process requests. Please help us to resolve above issue. Thanks, Rishabh
On 3 Mar 2014, at 10:45, Rishabh.Shukla <rishabh.shukla@i-link.co.in> wrote:
Hello All, • Our Setup -> Centos, Free Radius, MySQL and Daloradius as Front End management GUI Tool. • Devices use for Authentication -> APC NetBotz 200 Rack monitoring device as NAS. • Attribute Details of user -> 1- APC-Service-Type = Admin and 2- Auth-Type =System • Goal -> NetBotz Device users should get authenticated & login with Administrative rights. • Problem -> We need to get APC Netbotz authentication from Radius server configured and APC has 3 level of users : 1-Administrator, 2-Device, 3-Read only. Along with radius authentication radius need to supply user attributes to Netbotz for user level & its access credentials. We have configured Administrative attribute with users in radius but it does not supply with authentication, there for user get only very lower level access "read only". Our goal is to get Administrative access with radius authentication. • Radisud debug mode output as follows :
The user hasn't been found in your SQL database, and you've trimmed off the useful debug which showed the packet coming from the NAS, so we can't be sure what auth protocol you're using. Add the user to SQL with a Cleartext-Password attribute in the radcheck table, and post full debug (with passwords redacted). Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Please find the attachments , Please do help me out for the same Thanks Rishabh ----- Original Message ----- From: "Arran Cudbard-Bell" <a.cudbardb@freeradius.org> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Cc: "Ronak Shah" <ronak.shah@i-link.co.in>, "Hiren Patel" <hiren.patel@i-link.co.in> Sent: Monday, March 3, 2014 4:26:07 PM Subject: Re: APC NetBotz User attribute issue. On 3 Mar 2014, at 10:45, Rishabh.Shukla <rishabh.shukla@i-link.co.in> wrote:
Hello All, • Our Setup -> Centos, Free Radius, MySQL and Daloradius as Front End management GUI Tool. • Devices use for Authentication -> APC NetBotz 200 Rack monitoring device as NAS. • Attribute Details of user -> 1- APC-Service-Type = Admin and 2- Auth-Type =System • Goal -> NetBotz Device users should get authenticated & login with Administrative rights. • Problem -> We need to get APC Netbotz authentication from Radius server configured and APC has 3 level of users : 1-Administrator, 2-Device, 3-Read only. Along with radius authentication radius need to supply user attributes to Netbotz for user level & its access credentials. We have configured Administrative attribute with users in radius but it does not supply with authentication, there for user get only very lower level access "read only". Our goal is to get Administrative access with radius authentication. • Radisud debug mode output as follows :
The user hasn't been found in your SQL database, and you've trimmed off the useful debug which showed the packet coming from the NAS, so we can't be sure what auth protocol you're using. Add the user to SQL with a Cleartext-Password attribute in the radcheck table, and post full debug (with passwords redacted). Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 03/03/14 10:45, Rishabh.Shukla wrote:
# Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...}
This is useless, you've removed all the important info, like the original packet.
[sql] User rishabh not found
This seems clear.
participants (4)
-
Alan DeKok -
Arran Cudbard-Bell -
Phil Mayers -
Rishabh.Shukla