Configuration issue at radiusd.conf?
Hello all, I am very new to FreeRadius and I am not sure why I can't access the network device.It seems something to do with radiusd.conf but I can't identify it.. Please help. This is the debugging message when I ran the test. (0) Received Access-Request Id 116 from 10.0.254.3:43509 to 10.192.2.141:1812 length 92 (0) User-Name = "hong" (0) User-Password = "test123!" (0) NAS-Port-Id = "ssh" (0) Calling-Station-Id = "ops001.mydomain.com" (0) Service-Type = NAS-Prompt-User (0) NAS-Port = 0 (0) NAS-IP-Address = 10.0.254.3 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "hong", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry hong at line 94 (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: Normalizing SHA-Password from hex encoding, 40 bytes -> 20 bytes (0) [pap] = updated (0) } # authorize = updated (0) Found Auth-Type = PAP (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Auth-Type PAP { (0) pap: Login attempt with password (0) pap: Comparing with "known-good" SHA-Password (0) pap: User authenticated successfully (0) [pap] = ok (0) } # Auth-Type PAP = ok (0) # Executing section post-auth from file /etc/raddb/sites-enabled/default (0) post-auth { (0) update reply { (0) Juniper-Local-User-Name = "admin" (0) Arista-AVPair = "shell:priv-lvl=15" (0) Arista-AVPair = "shell:roles=network-admin" (0) PaloAlto-Admin-Role = "superuser" (0) PaloAlto-Panorama-Admin-Role = "superuser" (0) PaloAlto-User-Group = "all" (0) } # update reply = noop (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = noop (0) Sent Access-Accept Id 116 from 10.192.2.141:1812 to 10.0.254.3:43509 length 0 (0) Juniper-Local-User-Name = "admin" (0) Arista-AVPair = "shell:priv-lvl=15" (0) Arista-AVPair = "shell:roles=network-admin" (0) PaloAlto-Admin-Role = "superuser" (0) PaloAlto-Panorama-Admin-Role = "superuser" (0) PaloAlto-User-Group = "all" (0) Finished request Waking up in 4.9 seconds. Waking up in 6.9 seconds. (0) Cleaning up request packet ID 116 with timestamp +9 Thanks,Paul
Radius sends access-accept so it's ok. Unless.... you care to explain what exactly you are doing, what the expected and actual outcomes are, what the error you are receiving is etc. My crystal ball is low on battery. On May 14, 2021 6:17:03 PM GMT+02:00, Honglak Kim via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Hello all, I am very new to FreeRadius and I am not sure why I can't access the network device.It seems something to do with radiusd.conf but I can't identify it.. Please help. This is the debugging message when I ran the test.
(0) Received Access-Request Id 116 from 10.0.254.3:43509 to 10.192.2.141:1812 length 92 (0) User-Name = "hong" (0) User-Password = "test123!" (0) NAS-Port-Id = "ssh" (0) Calling-Station-Id = "ops001.mydomain.com" (0) Service-Type = NAS-Prompt-User (0) NAS-Port = 0 (0) NAS-IP-Address = 10.0.254.3 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "hong", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry hong at line 94 (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: Normalizing SHA-Password from hex encoding, 40 bytes -> 20 bytes (0) [pap] = updated (0) } # authorize = updated (0) Found Auth-Type = PAP (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Auth-Type PAP { (0) pap: Login attempt with password (0) pap: Comparing with "known-good" SHA-Password (0) pap: User authenticated successfully (0) [pap] = ok (0) } # Auth-Type PAP = ok (0) # Executing section post-auth from file /etc/raddb/sites-enabled/default (0) post-auth { (0) update reply { (0) Juniper-Local-User-Name = "admin" (0) Arista-AVPair = "shell:priv-lvl=15" (0) Arista-AVPair = "shell:roles=network-admin" (0) PaloAlto-Admin-Role = "superuser" (0) PaloAlto-Panorama-Admin-Role = "superuser" (0) PaloAlto-User-Group = "all" (0) } # update reply = noop (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = noop (0) Sent Access-Accept Id 116 from 10.192.2.141:1812 to 10.0.254.3:43509 length 0 (0) Juniper-Local-User-Name = "admin" (0) Arista-AVPair = "shell:priv-lvl=15" (0) Arista-AVPair = "shell:roles=network-admin" (0) PaloAlto-Admin-Role = "superuser" (0) PaloAlto-Panorama-Admin-Role = "superuser" (0) PaloAlto-User-Group = "all" (0) Finished request Waking up in 4.9 seconds. Waking up in 6.9 seconds. (0) Cleaning up request packet ID 116 with timestamp +9 Thanks,Paul
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello Maki/Matthew, I am trying to access Arista switches with the local database at the radius server.The outcome is simply I couldn't login the target Arista switch. However I tested another Arista switch and it worked well.The two Arista switches have different image, 4.20.15M is not working while 4.19.6.3M is working well. ( I used the same username/password at "users" file and clients.conf has the correct network to cover the both switches ) I will check the switch side logs to see why the outcomes were different. Thanks a lot, Paul On Friday, May 14, 2021, 11:12:46 AM PDT, marki <jm+freeradiususer@roth.lu> wrote: Radius sends access-accept so it's ok. Unless.... you care to explain what exactly you are doing, what the expected and actual outcomes are, what the error you are receiving is etc. My crystal ball is low on battery. On May 14, 2021 6:17:03 PM GMT+02:00, Honglak Kim via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote: Hello all, I am very new to FreeRadius and I am not sure why I can't access the network device.It seems something to do with radiusd.conf but I can't identify it.. Please help. This is the debugging message when I ran the test. (0) Received Access-Request Id 116 from 10.0.254.3:43509 to 10.192.2.141:1812 length 92 (0) User-Name = "hong" (0) User-Password = "test123!" (0) NAS-Port-Id = "ssh" (0) Calling-Station-Id = "ops001.mydomain.com" (0) Service-Type = NAS-Prompt-User (0) NAS-Port = 0 (0) NAS-IP-Address = 10.0.254.3 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "hong", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry hong at line 94 (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: Normalizing SHA-Password from hex encoding, 40 bytes -> 20 bytes (0) [pap] = updated (0) } # authorize = updated (0) Found Auth-Type = PAP (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Auth-Type PAP { (0) pap: Login attempt with password (0) pap: Comparing with "known-good" SHA-Password (0) pap: User authenticated successfully (0) [pap] = ok (0) } # Auth-Type PAP = ok (0) # Executing section post-auth from file /etc/raddb/sites-enabled/default (0) post-auth { (0) update reply { (0) Juniper-Local-User-Name = "admin" (0) Arista-AVPair = "shell:priv-lvl=15" (0) Arista-AVPair = "shell:roles=network-admin" (0) PaloAlto-Admin-Role = "superuser" (0) PaloAlto-Panorama-Admin-Role = "superuser" (0) PaloAlto-User-Group = "all" (0) } # update reply = noop (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = noop (0) Sent Access-Accept Id 116 from 10.192.2.141:1812 to 10.0.254.3:43509 length 0 (0) Juniper-Local-User-Name = "admin" (0) Arista-AVPair = "shell:priv-lvl=15" (0) Arista-AVPair = "shell:roles=network-admin" (0) PaloAlto-Admin-Role = "superuser" (0) PaloAlto-Panorama-Admin-Role = "superuser" (0) PaloAlto-User-Group = "all" (0) Finished request Waking up in 4.9 seconds. Waking up in 6.9 seconds. (0) Cleaning up request packet ID 116 with timestamp +9 Thanks,Paul - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Per my tcpdump outputs at the both switches, I saw the exact same responses from the radius to the switches.They said "Access-Accepted" and the AVP in the radius protocol were exactly the same. I am trying to create a case at Arista to get more info. Thanks,Paul On Friday, May 14, 2021, 2:05:02 PM PDT, Honglak Kim via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote: Hello Maki/Matthew, I am trying to access Arista switches with the local database at the radius server.The outcome is simply I couldn't login the target Arista switch. However I tested another Arista switch and it worked well.The two Arista switches have different image, 4.20.15M is not working while 4.19.6.3M is working well. ( I used the same username/password at "users" file and clients.conf has the correct network to cover the both switches ) I will check the switch side logs to see why the outcomes were different. Thanks a lot, Paul On Friday, May 14, 2021, 11:12:46 AM PDT, marki <jm+freeradiususer@roth.lu> wrote: Radius sends access-accept so it's ok. Unless.... you care to explain what exactly you are doing, what the expected and actual outcomes are, what the error you are receiving is etc. My crystal ball is low on battery. On May 14, 2021 6:17:03 PM GMT+02:00, Honglak Kim via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote: Hello all, I am very new to FreeRadius and I am not sure why I can't access the network device.It seems something to do with radiusd.conf but I can't identify it.. Please help. This is the debugging message when I ran the test. (0) Received Access-Request Id 116 from 10.0.254.3:43509 to 10.192.2.141:1812 length 92 (0) User-Name = "hong" (0) User-Password = "test123!" (0) NAS-Port-Id = "ssh" (0) Calling-Station-Id = "ops001.mydomain.com" (0) Service-Type = NAS-Prompt-User (0) NAS-Port = 0 (0) NAS-IP-Address = 10.0.254.3 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "hong", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry hong at line 94 (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: Normalizing SHA-Password from hex encoding, 40 bytes -> 20 bytes (0) [pap] = updated (0) } # authorize = updated (0) Found Auth-Type = PAP (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Auth-Type PAP { (0) pap: Login attempt with password (0) pap: Comparing with "known-good" SHA-Password (0) pap: User authenticated successfully (0) [pap] = ok (0) } # Auth-Type PAP = ok (0) # Executing section post-auth from file /etc/raddb/sites-enabled/default (0) post-auth { (0) update reply { (0) Juniper-Local-User-Name = "admin" (0) Arista-AVPair = "shell:priv-lvl=15" (0) Arista-AVPair = "shell:roles=network-admin" (0) PaloAlto-Admin-Role = "superuser" (0) PaloAlto-Panorama-Admin-Role = "superuser" (0) PaloAlto-User-Group = "all" (0) } # update reply = noop (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = noop (0) Sent Access-Accept Id 116 from 10.192.2.141:1812 to 10.0.254.3:43509 length 0 (0) Juniper-Local-User-Name = "admin" (0) Arista-AVPair = "shell:priv-lvl=15" (0) Arista-AVPair = "shell:roles=network-admin" (0) PaloAlto-Admin-Role = "superuser" (0) PaloAlto-Panorama-Admin-Role = "superuser" (0) PaloAlto-User-Group = "all" (0) Finished request Waking up in 4.9 seconds. Waking up in 6.9 seconds. (0) Cleaning up request packet ID 116 with timestamp +9 Thanks,Paul - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Actually it turned out the issue was related to the Control plane ACL at Arista switches. Once the ACL allowed the radius access, the login started working.So simple thing but I missed for a while. Thanks!! On Friday, May 14, 2021, 4:23:25 PM PDT, Honglak Kim via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote: Per my tcpdump outputs at the both switches, I saw the exact same responses from the radius to the switches.They said "Access-Accepted" and the AVP in the radius protocol were exactly the same. I am trying to create a case at Arista to get more info. Thanks,Paul On Friday, May 14, 2021, 2:05:02 PM PDT, Honglak Kim via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote: Hello Maki/Matthew, I am trying to access Arista switches with the local database at the radius server.The outcome is simply I couldn't login the target Arista switch. However I tested another Arista switch and it worked well.The two Arista switches have different image, 4.20.15M is not working while 4.19.6.3M is working well. ( I used the same username/password at "users" file and clients.conf has the correct network to cover the both switches ) I will check the switch side logs to see why the outcomes were different. Thanks a lot, Paul On Friday, May 14, 2021, 11:12:46 AM PDT, marki <jm+freeradiususer@roth.lu> wrote: Radius sends access-accept so it's ok. Unless.... you care to explain what exactly you are doing, what the expected and actual outcomes are, what the error you are receiving is etc. My crystal ball is low on battery. On May 14, 2021 6:17:03 PM GMT+02:00, Honglak Kim via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote: Hello all, I am very new to FreeRadius and I am not sure why I can't access the network device.It seems something to do with radiusd.conf but I can't identify it.. Please help. This is the debugging message when I ran the test. (0) Received Access-Request Id 116 from 10.0.254.3:43509 to 10.192.2.141:1812 length 92 (0) User-Name = "hong" (0) User-Password = "test123!" (0) NAS-Port-Id = "ssh" (0) Calling-Station-Id = "ops001.mydomain.com" (0) Service-Type = NAS-Prompt-User (0) NAS-Port = 0 (0) NAS-IP-Address = 10.0.254.3 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "hong", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry hong at line 94 (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: Normalizing SHA-Password from hex encoding, 40 bytes -> 20 bytes (0) [pap] = updated (0) } # authorize = updated (0) Found Auth-Type = PAP (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Auth-Type PAP { (0) pap: Login attempt with password (0) pap: Comparing with "known-good" SHA-Password (0) pap: User authenticated successfully (0) [pap] = ok (0) } # Auth-Type PAP = ok (0) # Executing section post-auth from file /etc/raddb/sites-enabled/default (0) post-auth { (0) update reply { (0) Juniper-Local-User-Name = "admin" (0) Arista-AVPair = "shell:priv-lvl=15" (0) Arista-AVPair = "shell:roles=network-admin" (0) PaloAlto-Admin-Role = "superuser" (0) PaloAlto-Panorama-Admin-Role = "superuser" (0) PaloAlto-User-Group = "all" (0) } # update reply = noop (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = noop (0) Sent Access-Accept Id 116 from 10.192.2.141:1812 to 10.0.254.3:43509 length 0 (0) Juniper-Local-User-Name = "admin" (0) Arista-AVPair = "shell:priv-lvl=15" (0) Arista-AVPair = "shell:roles=network-admin" (0) PaloAlto-Admin-Role = "superuser" (0) PaloAlto-Panorama-Admin-Role = "superuser" (0) PaloAlto-User-Group = "all" (0) Finished request Waking up in 4.9 seconds. Waking up in 6.9 seconds. (0) Cleaning up request packet ID 116 with timestamp +9 Thanks,Paul - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 14 May 2021, at 13:17, Honglak Kim via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Hello all, I am very new to FreeRadius and I am not sure why I can't access the network device.It seems something to do with radiusd.conf but I can't identify it.. Please help. This is the debugging message when I ran the test.
Are you sure that you’ve shared the correct output? Even that looks correct…. Pretty hard to help you without any clue about what you're expecting….
(0) Received Access-Request Id 116 from 10.0.254.3:43509 to 10.192.2.141:1812 length 92 (0) User-Name = "hong" (0) User-Password = "test123!" (0) NAS-Port-Id = "ssh" (0) Calling-Station-Id = "ops001.mydomain.com" (0) Service-Type = NAS-Prompt-User (0) NAS-Port = 0 (0) NAS-IP-Address = 10.0.254.3 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "hong", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry hong at line 94 (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: Normalizing SHA-Password from hex encoding, 40 bytes -> 20 bytes (0) [pap] = updated (0) } # authorize = updated (0) Found Auth-Type = PAP (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Auth-Type PAP { (0) pap: Login attempt with password (0) pap: Comparing with "known-good" SHA-Password (0) pap: User authenticated successfully (0) [pap] = ok (0) } # Auth-Type PAP = ok (0) # Executing section post-auth from file /etc/raddb/sites-enabled/default (0) post-auth { (0) update reply { (0) Juniper-Local-User-Name = "admin" (0) Arista-AVPair = "shell:priv-lvl=15" (0) Arista-AVPair = "shell:roles=network-admin" (0) PaloAlto-Admin-Role = "superuser" (0) PaloAlto-Panorama-Admin-Role = "superuser" (0) PaloAlto-User-Group = "all" (0) } # update reply = noop (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = noop (0) Sent Access-Accept Id 116 from 10.192.2.141:1812 to 10.0.254.3:43509 length 0 (0) Juniper-Local-User-Name = "admin" (0) Arista-AVPair = "shell:priv-lvl=15" (0) Arista-AVPair = "shell:roles=network-admin" (0) PaloAlto-Admin-Role = "superuser" (0) PaloAlto-Panorama-Admin-Role = "superuser" (0) PaloAlto-User-Group = "all" (0) Finished request Waking up in 4.9 seconds. Waking up in 6.9 seconds. (0) Cleaning up request packet ID 116 with timestamp +9 Thanks,Paul
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 14/05/2021 17:17, Honglak Kim via Freeradius-Users wrote:
(0) Sent Access-Accept Id 116 from 10.192.2.141:1812 to 10.0.254.3:43509 length 0 (0) Juniper-Local-User-Name = "admin" (0) Arista-AVPair = "shell:priv-lvl=15" (0) Arista-AVPair = "shell:roles=network-admin" (0) PaloAlto-Admin-Role = "superuser" (0) PaloAlto-Panorama-Admin-Role = "superuser" (0) PaloAlto-User-Group = "all" (0) Finished request
That looks like you're trying to give console access to a switch/router. The debug output seems correct, in that you're sending back an Access-Accept. However you need to carefully read the switch documentation. They are usually very picky about what attributes are expected. If you send back the wrong ones, or slightly the wrong format, it won't work and access will be denied. Try checking the debug logs on your device, assuming it gives you some, to see if it says anything. Make sure you're not firewalling/filtering responses (e.g. ACLs on the switch). FreeRADIUS seems to be working correctly from what you have sent. -- Matthew
participants (4)
-
Honglak Kim -
Jorge Pereira -
marki -
Matthew Newton