dynamic-clients with rest (v.3.2)
Dear All I followed the step from https://networkradius.com/packages/#fr32-debian-bullseye ``` root@freeradius32apt ~# freeradius -v radiusd: FreeRADIUS Version 3.2.3 (git #db3d1924d), for host x86_64-pc-linux-gnu FreeRADIUS Version 3.2.3 Copyright (C) 1999-2022 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT ``` I'm trying to do dynamic-clients with rest so I did (as root) ``` apt install freeradius-rest ``` and here is freeradius/mods-enabled/rest ``` rest { # # This subsection configures the tls related items # that control how FreeRADIUS connects to a HTTPS # server. # tls { } # rlm_rest will open a connection to the server specified in connect_uri # to populate the connection cache, ready for the first request. # The server will not start if the server specified is unreachable. # # If you wish to disable this pre-caching and reachability check, # comment out the configuration item below. # connect_uri = "http://127.0.0.1/" # # How long before new connection attempts timeout, defaults to 4.0 seconds. # connect_timeout = 10.0 # # Specify HTTP protocol version to use. one of '1.0', '1.1', '2.0', '2.0+auto', # '2.0+tls' or 'default'. (libcurl option CURLOPT_HTTP_VERSION) # # http_negotiation = 1.1 authorize { uri = "http://192.168.56.1:5000/radius/authorize" method = 'post' body = 'JSON' } authenticate { uri = "http://192.168.56.1:5000/radius/authenticate" method = 'post' body = JSON } preacct { } accounting { uri = "http://192.168.56.1:5000/radius/accounting" method = 'post' body = JSON } post-auth { } pre-proxy { } post-proxy { } # Options for calling rest xlats # uri and method will be derived from the string provided to the xlat xlat { body_uri_encode = yes } # # The connection pool is used to pool outgoing connections. # pool { # Connections to create during module instantiation. # If the server cannot create specified number of # connections during instantiation it will exit. # Set to 0 to allow the server to start without the # web service being available. start = ${thread[pool].start_servers} # Minimum number of connections to keep open min = ${thread[pool].min_spare_servers} # Maximum number of connections # # If these connections are all in use and a new one # is requested, the request will NOT get a connection. # # Setting 'max' to LESS than the number of threads means # that some threads may starve, and you will see errors # like 'No connections available and at max connection limit' # # Setting 'max' to MORE than the number of threads means # that there are more connections than necessary. max = ${thread[pool].max_servers} # Spare connections to be left idle # # NOTE: Idle connections WILL be closed if "idle_timeout" # is set. This should be less than or equal to "max" above. spare = ${thread[pool].max_spare_servers} # Number of uses before the connection is closed # # 0 means "infinite" uses = 0 # The number of seconds to wait after the server tries # to open a connection, and fails. During this time, # no new connections will be opened. retry_delay = 30 # The lifetime (in seconds) of the connection lifetime = 0 # idle timeout (in seconds). A connection which is # unused for this length of time will be closed. idle_timeout = 60 # NOTE: All configuration settings are enforced. If a # connection is closed because of "idle_timeout", # "uses", or "lifetime", then the total number of # connections MAY fall below "min". When that # happens, it will open a new connection. It will # also log a WARNING message. # # The solution is to either lower the "min" connections, # or increase lifetime/idle_timeout. } } ``` my sites-enabled/default ``` server default { listen { type = auth ipaddr = 192.168.56.110 port = 0 limit { # # Limit the number of simultaneous TCP connections to the socket # # The default is 16. # Setting this to 0 means "no limit" max_connections = 16 # The per-socket "max_requests" option does not exist. # # The lifetime, in seconds, of a TCP connection. After # this lifetime, the connection will be closed. # # Setting this to 0 means "forever". lifetime = 0 # # The idle timeout, in seconds, of a TCP connection. # If no packets have been received over the connection for # this time, the connection will be closed. # # Setting this to 0 means "no timeout". # # We STRONGLY RECOMMEND that you set an idle timeout. # idle_timeout = 30 } } # # This second "listen" section is for listening on the accounting # port, too. # listen { ipaddr = 192.168.56.110 port = 0 type = acct limit { # The number of packets received can be rate limited via the # "max_pps" configuration item. When it is set, the server # tracks the total number of packets received in the previous # second. If the count is greater than "max_pps", then the # new packet is silently discarded. This helps the server # deal with overload situations. # # The packets/s counter is tracked in a sliding window. This # means that the pps calculation is done for the second # before the current packet was received. NOT for the current # wall-clock second, and NOT for the previous wall-clock second. # # Useful values are 0 (no limit), or 100 to 10000. # Values lower than 100 will likely cause the server to ignore # normal traffic. Few systems are capable of handling more than # 10K packets/s. # # It is most useful for accounting systems. Set it to 50% # more than the normal accounting load, and you can be sure that # the server will never get overloaded # # max_pps = 0 # Only for "proto = tcp". These are ignored for "udp" sockets. # # idle_timeout = 0 # lifetime = 0 # max_connections = 0 } } # IPv6 versions of the above - read their full config to understand options authorize { filter_username preprocess rest chap mschap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } mschap } # # Pre-accounting. Decide which accounting type to use. # preacct { preprocess acct_unique } # # Accounting. Log the accounting data. # accounting { rest } # Session database, used for checking Simultaneous-Use. Either the radutmp # or rlm_sql module can handle this. # The rlm_sql module is *much* faster session { } # Post-Authentication # Once we KNOW that the user has been authenticated, there are # additional steps we can take. post-auth { Post-Auth-Type REJECT { } # # Filter access challenges. # Post-Auth-Type Challenge { } Post-Auth-Type Client-Lost { } # # If the client sends EAP-Key-Name in the request, # then echo the real value back in the reply. # } # # When the server decides to proxy a request to a home server, # the proxied request is first passed through the pre-proxy # stage. This stage can re-write the request, or decide to # cancel the proxy. # # Only a few modules currently have this method. # pre-proxy { } # # When the server receives a reply to a request it proxied # to a home server, the request may be massaged here, in the # post-proxy stage. # post-proxy { } } ``` below is my freeradius/sites-enabled/dynamic-clients ``` # -*- text -*- # # Define a network where clients may be dynamically defined. client dynamic { # # You MUST specify a netmask! # IPv4 /32 or IPv6 /128 are NOT allowed! ipaddr = 192.168.56.0/24 dynamic_clients = dynamic_clients lifetime = 3600 } # # This is the virtual server referenced above by "dynamic_clients". server dynamic_clients { # # The only contents of the virtual server is the "authorize" section. authorize { rest # # Tell the caller that the client was defined properly. # # If the authorize section does NOT return "ok", then # the new client is ignored. ok } } ``` When I try to connect my pppoe client to my pppoe-server, freeradius said that the client (pppoe-server) is unknown some Output from --> freeradius -XXX ``` Wed Dec 6 23:08:21 2023 : Debug: (0) server dynamic_clients { Wed Dec 6 23:08:21 2023 : Debug: (0) # Executing section authorize from file /etc/freeradius/sites-enabled/dynamic-clients Wed Dec 6 23:08:21 2023 : Debug: (0) authorize { Wed Dec 6 23:08:21 2023 : Debug: (0) modsingle[authorize]: calling rest (rlm_rest) Wed Dec 6 23:08:21 2023 : Debug: rlm_rest (rest): Reserved connection (0) Wed Dec 6 23:08:21 2023 : Debug: (0) rest: Expanding URI components Wed Dec 6 23:08:21 2023 : Debug: http://192.168.56.1:5000 Wed Dec 6 23:08:21 2023 : Debug: Parsed xlat tree: Wed Dec 6 23:08:21 2023 : Debug: literal --> http://192.168.56.1:5000 Wed Dec 6 23:08:21 2023 : Debug: (0) rest: EXPAND http://192.168.56.1:5000 Wed Dec 6 23:08:21 2023 : Debug: (0) rest: --> http://192.168.56.1:5000 Wed Dec 6 23:08:21 2023 : Debug: /radius/authorize Wed Dec 6 23:08:21 2023 : Debug: Parsed xlat tree: Wed Dec 6 23:08:21 2023 : Debug: literal --> /radius/authorize Wed Dec 6 23:08:21 2023 : Debug: (0) rest: EXPAND /radius/authorize Wed Dec 6 23:08:21 2023 : Debug: (0) rest: --> /radius/authorize Wed Dec 6 23:08:21 2023 : Debug: (0) rest: Sending HTTP POST to " http://192.168.56.1:5000/radius/authorize" Wed Dec 6 23:08:21 2023 : Debug: (0) rest: Adding custom headers: Wed Dec 6 23:08:21 2023 : Debug: (0) rest: X-FreeRADIUS-Section: authorize Wed Dec 6 23:08:21 2023 : Debug: (0) rest: X-FreeRADIUS-Server: dynamic_clients Wed Dec 6 23:08:21 2023 : Debug: (0) rest: Request body content-type will be "application/json" Wed Dec 6 23:08:21 2023 : Debug: (0) rest: JSON Data: {} Wed Dec 6 23:08:21 2023 : Debug: (0) rest: Returning 2 bytes of JSON data Wed Dec 6 23:08:21 2023 : Debug: (0) rest: Processing response header Wed Dec 6 23:08:21 2023 : Debug: (0) rest: Status : 500 (INTERNAL SERVER ERROR) Wed Dec 6 23:08:21 2023 : Debug: (0) rest: Type : json (application/json) Wed Dec 6 23:08:21 2023 : Debug: (0) rest: Adding reply:REST-HTTP-Status-Code = "500" Wed Dec 6 23:08:21 2023 : ERROR: (0) rest: Server returned: Wed Dec 6 23:08:21 2023 : ERROR: (0) rest: {} Wed Dec 6 23:08:21 2023 : Debug: rlm_rest (rest): Released connection (0) ``` Kindly please look at line 22 of debug lines ``` Wed Dec 6 23:08:21 2023 : Debug: (0) rest: JSON Data: {} ``` I think freeradius did not wrap any data to json body Is that a bug? if not, kindly please tell me how to fix Sincerely -bino-
On Dec 6, 2023, at 6:58 PM, Bino Oetomo <wowon01@gmail.com> wrote:
I'm trying to do dynamic-clients with rest
so I did (as root)
Please read the documentation: http://wiki.freeradius.org/list-help We don't need to see how your installed the server. We don't need to see the configuration files. We don't need to see "radiusd -XXX". This is all clearly documented in many places.
some Output from --> freeradius -XXX ``` Wed Dec 6 23:08:21 2023 : Debug: (0) server dynamic_clients {
The documentation says to post ALL OF the debug output. What's happening here is not only that you're not reading the documentation, you're not reading the debug output. If you had read the debug output, the issue would be clear. The dynamic client code does not decode the packet. So when it prints out "Received Access-Request", there are no attributes listed after that. And since no attributes have been decoded, there are no attributes to put into JSON. And therefore the REST call gets an empty json blob. I really can't emphasis enough that it's necessary to read the documentation, and the debug output. I really don't know where else to say that. The issue is that mo matter where it's put in the documentation, FAQ, mailing list, Wiki, etc., people just don't read it. The only way to address these issues is to read the debug output. When you put enormous effort into doing everything *other* that following the documentation and reading the debug output, you're just spending a lot of time doing wasted work. Alan DeKok.
Ok here is the full debug ``` root@freeradius32apt ~# freeradius -X FreeRADIUS Version 3.2.3 Copyright (C) 1999-2022 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/freeradius/dictionary including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/mods-enabled/ including configuration file /etc/freeradius/mods-enabled/replicate including configuration file /etc/freeradius/mods-enabled/chap including configuration file /etc/freeradius/mods-enabled/unpack including configuration file /etc/freeradius/mods-enabled/always including configuration file /etc/freeradius/mods-enabled/ntlm_auth including configuration file /etc/freeradius/mods-enabled/unix including configuration file /etc/freeradius/mods-enabled/utf8 including configuration file /etc/freeradius/mods-enabled/eap including configuration file /etc/freeradius/mods-enabled/detail.log including configuration file /etc/freeradius/mods-enabled/echo including configuration file /etc/freeradius/mods-enabled/radutmp including configuration file /etc/freeradius/mods-enabled/mschap including configuration file /etc/freeradius/mods-enabled/soh including configuration file /etc/freeradius/mods-enabled/expiration including configuration file /etc/freeradius/mods-enabled/digest including configuration file /etc/freeradius/mods-enabled/files including configuration file /etc/freeradius/mods-enabled/detail including configuration file /etc/freeradius/mods-enabled/dynamic_clients including configuration file /etc/freeradius/mods-enabled/logintime including configuration file /etc/freeradius/mods-enabled/preprocess including configuration file /etc/freeradius/mods-enabled/exec including configuration file /etc/freeradius/mods-enabled/date including configuration file /etc/freeradius/mods-enabled/rest including configuration file /etc/freeradius/mods-enabled/attr_filter including configuration file /etc/freeradius/mods-enabled/linelog including configuration file /etc/freeradius/mods-enabled/realm including configuration file /etc/freeradius/mods-enabled/totp including configuration file /etc/freeradius/mods-enabled/expr including configuration file /etc/freeradius/mods-enabled/pap including configuration file /etc/freeradius/mods-enabled/passwd including configuration file /etc/freeradius/mods-enabled/sradutmp including files in directory /etc/freeradius/policy.d/ including configuration file /etc/freeradius/policy.d/filter including configuration file /etc/freeradius/policy.d/dhcp including configuration file /etc/freeradius/policy.d/eap including configuration file /etc/freeradius/policy.d/operator-name including configuration file /etc/freeradius/policy.d/moonshot-targeted-ids including configuration file /etc/freeradius/policy.d/accounting including configuration file /etc/freeradius/policy.d/control including configuration file /etc/freeradius/policy.d/debug including configuration file /etc/freeradius/policy.d/canonicalization including configuration file /etc/freeradius/policy.d/abfab-tr including configuration file /etc/freeradius/policy.d/rfc7542 including configuration file /etc/freeradius/policy.d/cui including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/dynamic-clients main { security { user = "freerad" group = "freerad" allow_core_dumps = no } name = "freeradius" prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" } main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 postauth_client_lost = no pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { nonblock = no ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } recv_coa { } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client dynamic { ipaddr = 192.168.56.0/24 require_message_authenticator = no limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } dynamic_clients = "dynamic_clients" lifetime = 3600 } Debugger not attached systemd watchdog is disabled # Creating Auth-Type = mschap # Creating Auth-Type = eap # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP radiusd: #### Instantiating modules #### modules { # Loaded module rlm_replicate # Loading module "replicate" from file /etc/freeradius/mods-enabled/replicate # Loaded module rlm_chap # Loading module "chap" from file /etc/freeradius/mods-enabled/chap # Loaded module rlm_unpack # Loading module "unpack" from file /etc/freeradius/mods-enabled/unpack # Loaded module rlm_always # Loading module "reject" from file /etc/freeradius/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /etc/freeradius/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /etc/freeradius/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /etc/freeradius/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /etc/freeradius/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /etc/freeradius/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /etc/freeradius/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /etc/freeradius/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /etc/freeradius/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_exec # Loading module "ntlm_auth" from file /etc/freeradius/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_unix # Loading module "unix" from file /etc/freeradius/mods-enabled/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Creating attribute Unix-Group # Loaded module rlm_utf8 # Loading module "utf8" from file /etc/freeradius/mods-enabled/utf8 # Loaded module rlm_eap # Loading module "eap" from file /etc/freeradius/mods-enabled/eap eap { default_eap_type = "md5" timer_expire = 60 max_eap_type = 52 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 } # Loaded module rlm_detail # Loading module "auth_log" from file /etc/freeradius/mods-enabled/detail.log detail auth_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /etc/freeradius/mods-enabled/detail.log detail reply_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "echo" from file /etc/freeradius/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loaded module rlm_radutmp # Loading module "radutmp" from file /etc/freeradius/mods-enabled/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_mschap # Loading module "mschap" from file /etc/freeradius/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no } # Loaded module rlm_soh # Loading module "soh" from file /etc/freeradius/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_expiration # Loading module "expiration" from file /etc/freeradius/mods-enabled/expiration # Loaded module rlm_digest # Loading module "digest" from file /etc/freeradius/mods-enabled/digest # Loaded module rlm_files # Loading module "files" from file /etc/freeradius/mods-enabled/files files { filename = "/etc/freeradius/mods-config/files/authorize" acctusersfile = "/etc/freeradius/mods-config/files/accounting" preproxy_usersfile = "/etc/freeradius/mods-config/files/pre-proxy" } # Loading module "detail" from file /etc/freeradius/mods-enabled/detail detail { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /etc/freeradius/mods-enabled/dynamic_clients # Loaded module rlm_logintime # Loading module "logintime" from file /etc/freeradius/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_preprocess # Loading module "preprocess" from file /etc/freeradius/mods-enabled/preprocess preprocess { huntgroups = "/etc/freeradius/mods-config/preprocess/huntgroups" hints = "/etc/freeradius/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loading module "exec" from file /etc/freeradius/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_date # Loading module "date" from file /etc/freeradius/mods-enabled/date date { format = "%b %e %Y %H:%M:%S %Z" utc = no } # Loading module "wispr2date" from file /etc/freeradius/mods-enabled/date date wispr2date { format = "%Y-%m-%dT%H:%M:%S" utc = no } # Loaded module rlm_rest # Loading module "rest" from file /etc/freeradius/mods-enabled/rest rest { connect_timeout = 10.000000 http_negotiation = "default" } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/freeradius/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/freeradius/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/freeradius/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/freeradius/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/freeradius/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.coa" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.coa { filename = "/etc/freeradius/mods-config/attr_filter/coa" key = "%{User-Name}" relaxed = no } # Loaded module rlm_linelog # Loading module "linelog" from file /etc/freeradius/mods-enabled/linelog linelog { filename = "/var/log/freeradius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /etc/freeradius/mods-enabled/linelog linelog log_accounting { filename = "/var/log/freeradius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_realm # Loading module "IPASS" from file /etc/freeradius/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /etc/freeradius/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "bangpath" from file /etc/freeradius/mods-enabled/realm realm bangpath { format = "prefix" delimiter = "!" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /etc/freeradius/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /etc/freeradius/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_totp # Loading module "totp" from file /etc/freeradius/mods-enabled/totp # Loaded module rlm_expr # Loading module "expr" from file /etc/freeradius/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module rlm_pap # Loading module "pap" from file /etc/freeradius/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_passwd # Loading module "etc_passwd" from file /etc/freeradius/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loading module "sradutmp" from file /etc/freeradius/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/freeradius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } instantiate { } # Instantiating module "reject" from file /etc/freeradius/mods-enabled/always # Instantiating module "fail" from file /etc/freeradius/mods-enabled/always # Instantiating module "ok" from file /etc/freeradius/mods-enabled/always # Instantiating module "handled" from file /etc/freeradius/mods-enabled/always # Instantiating module "invalid" from file /etc/freeradius/mods-enabled/always # Instantiating module "userlock" from file /etc/freeradius/mods-enabled/always # Instantiating module "notfound" from file /etc/freeradius/mods-enabled/always # Instantiating module "noop" from file /etc/freeradius/mods-enabled/always # Instantiating module "updated" from file /etc/freeradius/mods-enabled/always # Instantiating module "eap" from file /etc/freeradius/mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.pem" certificate_file = "/etc/freeradius/certs/server.pem" ca_file = "/etc/freeradius/certs/ca.pem" private_key_password = <<< secret >>> fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no ca_path_reload_interval = 0 cipher_list = "DEFAULT" cipher_server_preference = no reject_unknown_intermediate_ca = no ecdh_curve = "" tls_max_version = "1.2" tls_min_version = "1.2" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "auth_log" from file /etc/freeradius/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/freeradius/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log # Instantiating module "mschap" from file /etc/freeradius/mods-enabled/mschap rlm_mschap (mschap): using internal authentication # Instantiating module "expiration" from file /etc/freeradius/mods-enabled/expiration # Instantiating module "files" from file /etc/freeradius/mods-enabled/files reading pairlist file /etc/freeradius/mods-config/files/authorize reading pairlist file /etc/freeradius/mods-config/files/accounting reading pairlist file /etc/freeradius/mods-config/files/pre-proxy # Instantiating module "detail" from file /etc/freeradius/mods-enabled/detail # Instantiating module "logintime" from file /etc/freeradius/mods-enabled/logintime # Instantiating module "preprocess" from file /etc/freeradius/mods-enabled/preprocess reading pairlist file /etc/freeradius/mods-config/preprocess/huntgroups reading pairlist file /etc/freeradius/mods-config/preprocess/hints # Instantiating module "rest" from file /etc/freeradius/mods-enabled/rest authorize { uri = "http://192.168.56.1:5000/radius/authorize" method = "post" body = "JSON" attr_num = no raw_value = no auth = "none" require_auth = no timeout = 10.000000 chunk = 0 tls { check_cert = no check_cert_cn = no } body_uri_encode = yes } authenticate { uri = "http://192.168.56.1:5000/radius/authenticate" method = "post" body = "JSON" attr_num = no raw_value = no auth = "none" require_auth = no timeout = 10.000000 chunk = 0 tls { check_cert = no check_cert_cn = no } body_uri_encode = yes } preacct { uri = "" method = "GET" body = "none" attr_num = no raw_value = no auth = "none" require_auth = no timeout = 4.000000 chunk = 0 tls { check_cert = yes check_cert_cn = yes } body_uri_encode = yes } accounting { uri = "http://192.168.56.1:5000/radius/accounting" method = "post" body = "JSON" attr_num = no raw_value = no auth = "none" require_auth = no timeout = 10.000000 chunk = 0 tls { check_cert = no check_cert_cn = no } body_uri_encode = yes } pre-proxy { uri = "" method = "GET" body = "none" attr_num = no raw_value = no auth = "none" require_auth = no timeout = 4.000000 chunk = 0 tls { check_cert = yes check_cert_cn = yes } body_uri_encode = yes } post-proxy { uri = "" method = "GET" body = "none" attr_num = no raw_value = no auth = "none" require_auth = no timeout = 4.000000 chunk = 0 tls { check_cert = yes check_cert_cn = yes } body_uri_encode = yes } xlat { uri = "" method = "GET" body = "none" attr_num = no raw_value = no auth = "none" require_auth = no timeout = 4.000000 chunk = 0 tls { check_cert = yes check_cert_cn = yes } body_uri_encode = yes } post-auth { uri = "" method = "GET" body = "none" attr_num = no raw_value = no auth = "none" require_auth = no timeout = 4.000000 chunk = 0 tls { check_cert = yes check_cert_cn = yes } body_uri_encode = yes } rlm_rest: libcurl version: libcurl/7.74.0 OpenSSL/1.1.1w zlib/1.2.11 brotli/1.0.9 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.3.0) libssh2/1.9.0 nghttp2/1.43.0 librtmp/2.3 rlm_rest (rest): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 30 max_retries = 5 spread = no } rlm_rest (rest): Opening additional connection (0), 1 of 32 pending slots used rlm_rest (rest): Skipping pre-connect, connect_uri not specified rlm_rest (rest): Opening additional connection (1), 1 of 31 pending slots used rlm_rest (rest): Skipping pre-connect, connect_uri not specified rlm_rest (rest): Opening additional connection (2), 1 of 30 pending slots used rlm_rest (rest): Skipping pre-connect, connect_uri not specified rlm_rest (rest): Opening additional connection (3), 1 of 29 pending slots used rlm_rest (rest): Skipping pre-connect, connect_uri not specified rlm_rest (rest): Opening additional connection (4), 1 of 28 pending slots used rlm_rest (rest): Skipping pre-connect, connect_uri not specified # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter reading pairlist file /etc/freeradius/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter reading pairlist file /etc/freeradius/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter reading pairlist file /etc/freeradius/mods-config/attr_filter/access_reject # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter reading pairlist file /etc/freeradius/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter reading pairlist file /etc/freeradius/mods-config/attr_filter/accounting_response # Instantiating module "attr_filter.coa" from file /etc/freeradius/mods-enabled/attr_filter reading pairlist file /etc/freeradius/mods-config/attr_filter/coa # Instantiating module "linelog" from file /etc/freeradius/mods-enabled/linelog # Instantiating module "log_accounting" from file /etc/freeradius/mods-enabled/linelog # Instantiating module "IPASS" from file /etc/freeradius/mods-enabled/realm # Instantiating module "suffix" from file /etc/freeradius/mods-enabled/realm # Instantiating module "bangpath" from file /etc/freeradius/mods-enabled/realm # Instantiating module "realmpercent" from file /etc/freeradius/mods-enabled/realm # Instantiating module "ntdomain" from file /etc/freeradius/mods-enabled/realm # Instantiating module "pap" from file /etc/freeradius/mods-enabled/pap # Instantiating module "etc_passwd" from file /etc/freeradius/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/radiusd.conf } # server server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel # Loading authenticate {...} Compiling Auth-Type PAP for attr Auth-Type Compiling Auth-Type CHAP for attr Auth-Type Compiling Auth-Type MS-CHAP for attr Auth-Type # Loading authorize {...} Ignoring "sql" (see raddb/mods-available/README.rst) Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/sites-enabled/inner-tunnel:366 Compiling Post-Auth-Type REJECT for attr Post-Auth-Type } # server inner-tunnel server default { # from file /etc/freeradius/sites-enabled/default # Loading authenticate {...} Compiling Auth-Type PAP for attr Auth-Type Compiling Auth-Type CHAP for attr Auth-Type Compiling Auth-Type MS-CHAP for attr Auth-Type # Loading authorize {...} # Loading preacct {...} # Loading accounting {...} # Loading post-auth {...} Compiling Post-Auth-Type REJECT for attr Post-Auth-Type Compiling Post-Auth-Type Challenge for attr Post-Auth-Type Compiling Post-Auth-Type Client-Lost for attr Post-Auth-Type } # server default server dynamic_clients { # from file /etc/freeradius/sites-enabled/dynamic-clients # Loading authorize {...} } # server dynamic_clients radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } listen { type = "auth" ipaddr = 192.168.56.110 port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = 192.168.56.110 port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on auth address 192.168.56.110 port 1812 bound to server default Listening on acct address 192.168.56.110 port 1813 bound to server default Listening on proxy address * port 37557 Ready to process requests (0) server dynamic_clients { (0) # Executing section authorize from file /etc/freeradius/sites-enabled/dynamic-clients (0) authorize { rlm_rest (rest): Reserved connection (0) (0) rest: Expanding URI components (0) rest: EXPAND http://192.168.56.1:5000 (0) rest: --> http://192.168.56.1:5000 (0) rest: EXPAND /radius/authorize (0) rest: --> /radius/authorize (0) rest: Sending HTTP POST to "http://192.168.56.1:5000/radius/authorize" (0) rest: Processing response header (0) rest: Status : 500 (INTERNAL SERVER ERROR) (0) rest: Type : json (application/json) (0) rest: Adding reply:REST-HTTP-Status-Code = "500" (0) rest: ERROR: Server returned: (0) rest: ERROR: {} rlm_rest (rest): Released connection (0) Need more connections to reach 10 spares rlm_rest (rest): Opening additional connection (5), 1 of 27 pending slots used rlm_rest (rest): Skipping pre-connect, connect_uri not specified rlm_rest (rest): Closing expired connection (4) - Hit idle_timeout limit rlm_rest (rest): Closing expired connection (3) - Hit idle_timeout limit rlm_rest (rest): Closing expired connection (2) - Hit idle_timeout limit rlm_rest (rest): You probably need to lower "min" rlm_rest (rest): Closing expired connection (1) - Hit idle_timeout limit (0) [rest] = fail (0) } # authorize = fail (0) } # server dynamic_clients Virtual-Server dynamic_clients returned fail, creating dynamic client failed Ignoring request to acct address 192.168.56.110 port 1813 bound to server default from unknown client 192.168.56.3 port 52781 proto udp ``` Yes it shows that my rest backend sends server error. It's because freeradius also post an empty JSON body as shown in my first post. So why did rlm_rest send an empty JSON? The case only happens in dynamic-client. While the user access authorization and accounting is working smoothly. Sincerely On Thu, Dec 7, 2023 at 9:04 AM Alan DeKok <aland@deployingradius.com> wrote:
On Dec 6, 2023, at 6:58 PM, Bino Oetomo <wowon01@gmail.com> wrote:
I'm trying to do dynamic-clients with rest
so I did (as root)
Please read the documentation: http://wiki.freeradius.org/list-help
We don't need to see how your installed the server. We don't need to see the configuration files. We don't need to see "radiusd -XXX". This is all clearly documented in many places.
some Output from --> freeradius -XXX ``` Wed Dec 6 23:08:21 2023 : Debug: (0) server dynamic_clients {
The documentation says to post ALL OF the debug output.
What's happening here is not only that you're not reading the documentation, you're not reading the debug output. If you had read the debug output, the issue would be clear.
The dynamic client code does not decode the packet. So when it prints out "Received Access-Request", there are no attributes listed after that. And since no attributes have been decoded, there are no attributes to put into JSON. And therefore the REST call gets an empty json blob.
I really can't emphasis enough that it's necessary to read the documentation, and the debug output. I really don't know where else to say that. The issue is that mo matter where it's put in the documentation, FAQ, mailing list, Wiki, etc., people just don't read it.
The only way to address these issues is to read the debug output. When you put enormous effort into doing everything *other* that following the documentation and reading the debug output, you're just spending a lot of time doing wasted work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Dec 7, 2023, at 5:53 PM, Bino Oetomo <wowon01@gmail.com> wrote:
Yes it shows that my rest backend sends server error. It's because freeradius also post an empty JSON body as shown in my first post.
Yes...
So why did rlm_rest send an empty JSON?
I had already answered this:
The dynamic client code does not decode the packet. So when it prints out "Received Access-Request", there are no attributes listed after that. And since no attributes have been decoded, there are no attributes to put into JSON. And therefore the REST call gets an empty json blob.
If you read raddb/sites-enabled/dynamic-client, it documents how this works. I won't cut & paste the documentation here... But if you read that file, it explains why the contents of the packet are empty. If you don't read the documentation, it will be very difficult to configure the server, or to understand how it works. Alan DeKok.
Ok. Fixed. Thankyou for your clue. ---------------- Note for those who come here later caused by the same 'problem': the dynamic-clients authorize section need to be kind of: ``` authorize { update request { &Packet-Src-IP-Address = "%{Packet-Src-IP-Address}" } rest ok } ``` On Fri, Dec 8, 2023 at 6:00 AM Alan DeKok <aland@deployingradius.com> wrote:
On Dec 7, 2023, at 5:53 PM, Bino Oetomo <wowon01@gmail.com> wrote:
Yes it shows that my rest backend sends server error. It's because freeradius also post an empty JSON body as shown in my first post.
Yes...
So why did rlm_rest send an empty JSON?
I had already answered this:
The dynamic client code does not decode the packet. So when it prints out "Received Access-Request", there are no attributes listed after that. And since no attributes have been decoded, there are no attributes to put into JSON. And therefore the REST call gets an empty json blob.
If you read raddb/sites-enabled/dynamic-client, it documents how this works. I won't cut & paste the documentation here...
But if you read that file, it explains why the contents of the packet are empty.
If you don't read the documentation, it will be very difficult to configure the server, or to understand how it works.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Bino Oetomo