local user file authentication does not work
Hello. In the environment of CentOS 7.3, FreeRADIUS 3.0.4, local users file (/etc/raddb/mods-config/files/authorize) can not authenticate. It is set to authenticate with mschap using inner-tunnel, and the following I confirmed that authentication succeeds with the command. (username@eduroam.test.edu is the user on the AD server) # radtest - t mschap username@eduroam.test.edu test 127.0.0.1: 1812 0 testing 123 Received Access-Accept Id 32 from 127.0.0.1: 1812 to 127.0.0.1: 42901 length 84 Next, to monitor the service, add the following entry to local users file. radtest@eduroam.test.edu Cleartext - Password: = "test" Running radtest in this state will fail. # radtest radtest@eduroam.test.edu test 127.0.0.1: 1812 0 testing 123 Received Access-Reject Id 79 from 127.0.0.1: 1812 to 127.0.0.1: 55380 length 20 Looking at the log (/var/log/radius/radius.log), files seems to be noop and is not recognized. (0) [suffix] = ok (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop <- This is wrong???? (0) [expiration] = noop (0) [logintime] = noop (0) WARNING: pap: No "known good" password found for the user. Not setting Auth-Type (0) WARNING: pap: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0)} # authorize = ok (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user (0) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [radtest@eduroam.test.edu/test] (from client localhost port 0) Please tell me how to do RADIUS authentication with local user file for service monitoring. The difference of the setting file is as follows. - / etc / raddb / site-available / inner-tunnel # Diff -ruN inner-tunnel.ORG inner-tunnel --- inner-tunnel.ORG 2015-03-06 08: 41: 49.000000000 + 0900 +++ inner-tunnel 2016 - 11 - 04 13: 45: 27.316287839 +0900 @@ -100, 9 + 100, 9 @ @ # If you want the inner tunnel request to be proxied, delete # The next few lines. # - update control { - Proxy - To - Realm: = LOCAL -} + # Update control { + # Proxy-To-Realm: = LOCAL + #} # # This module takes care of EAP-MSCHAPv2 authentication. @@ -210,6 + 210, @ @ @ # Pluggable Authentication Modules. # Pam + Ntlm_auth + # Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against - /etc/raddb/proxy.conf Realm "~^eduroam\.test\.edu$" { Authhost = LOCAL Accthost = LOCAL } Home_server server1 { .... } Home_ server server 2 { .... } Home_server_pool server { Type = fail-over Home_server = server1 Home_server = server2 } Realm DEFAULT { Pool = server Nostrip } Best regards!
On 24 Jan 2017, at 04:16, Seiichirou Hiraoka <seiichirou.hiraoka@gmail.com> wrote:
radtest@eduroam.test.edu Cleartext - Password: = "test"
The whitespace here is wrong - is it in the file like this, or is it just your MUA butchering it? The line should look like: radtest@eduroam.test.edu Cleartext-Password := "test" -------------------------------------^ tab here
Looking at the log (/var/log/radius/radius.log), files seems to be noop and is not recognized.
You've not posted enough information to fully diagnose the problem - FreeRADIUS makes multiple passes through the virtual server (pre-proxy/authZ/authN/postN/post-proxy) with each request, so we need to see the entire log.
- update control { - Proxy - To - Realm: = LOCAL -}
Are you sure you want to do this?
+ Ntlm_auth
If you're using AD as your backend, and you want to use the static users file in addition there's a little more config you'll need to get it production ready: https://wiki.freeradius.org/guide/Combining-authentication-of-AD-accounts-nt... https://wiki.freeradius.org/guide/NTLM-Auth-with-PAP-HOWTO http://deployingradius.com/ is always a good resource to use as well. Regards, Adam Bishop gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460 jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
hello Adam, Thank you for your reply 2017-01-24 18:29 GMT+09:00 Adam Bishop <Adam.Bishop@jisc.ac.uk>:
On 24 Jan 2017, at 04:16, Seiichirou Hiraoka <seiichirou.hiraoka@gmail.com> wrote:
radtest@eduroam.test.edu Cleartext - Password: = "test"
The whitespace here is wrong - is it in the file like this, or is it just your MUA butchering it? The line should look like:
radtest@eduroam.test.edu Cleartext-Password := "test" -------------------------------------^ tab here
Looking at the log (/var/log/radius/radius.log), files seems to be noop and is not recognized.
You've not posted enough information to fully diagnose the problem - FreeRADIUS makes multiple passes through the virtual server (pre-proxy/authZ/authN/postN/post-proxy) with each request, so we need to see the entire log.
This is my MUA butchering. I use tab separator.
- update control { - Proxy - To - Realm: = LOCAL -}
Are you sure you want to do this?
+ Ntlm_auth
If you're using AD as your backend, and you want to use the static users file in addition there's a little more config you'll need to get it production ready:
https://wiki.freeradius.org/guide/Combining-authentication-of-AD-accounts-nt... https://wiki.freeradius.org/guide/NTLM-Auth-with-PAP-HOWTO
I see this URL (FreeRADIUS 3.X) and try , but fail... # radtest radtest@eduroam.test.edu test 127.0.0.1 0 testing123 Sending Access-Request Id 11 from 0.0.0.0:39536 to 127.0.0.1:1812 User-Name = 'radtest@eduroam.test.edu' User-Password = 'test' NAS-IP-Address = X.X.X.X NAS-Port = 0 Message-Authenticator = 0x00 Received Access-Reject Id 11 from 127.0.0.1:1812 to 127.0.0.1:39536 length 20 (0) -: Expected Access-Accept got Access-Reject User "radtest@eduroam.test.edu" is not exist in my AD Server. But exist in /etc/raddb/users (/etc/raddb/mods-config/files/authorize) (Tab separated) ----- radtest@eduroam.test.edu Cleartext-Password := "test" ----- This is my debug log (radiusd -X) ----- Received Access-Request Id 11 from 127.0.0.1:39536 to 127.0.0.1:1812 length 101 User-Name = 'radtest@eduroam.test.edu' User-Password = 'test' NAS-IP-Address = X.X.X.X NAS-Port = 0 Message-Authenticator = 0xf98e5871147209fe3a2b8ec9510b970d (0) Received Access-Request packet from host 127.0.0.1 port 39536, id=11, length=101 (0) User-Name = 'radtest@eduroam.test.edu' (0) User-Password = 'test' (0) NAS-IP-Address = X.X.X.X (0) NAS-Port = 0 (0) Message-Authenticator = 0xf98e5871147209fe3a2b8ec9510b970d (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) if ( &User-Name !~ /@/ ) (0) if ( &User-Name !~ /@/ ) -> FALSE (0) elsif ( &User-Name =~ /@eduroam\.test\.edu/ ) (0) elsif ( &User-Name =~ /@eduroam\.test\.edu/ ) -> TRUE (0) elsif ( &User-Name =~ /@eduroam\.test\.edu/ ) { (0) [ok] = ok (0) } # elsif ( &User-Name =~ /@eduroam\.test\.edu/ ) = ok (0) ... skipping elsif for request 0: Preceding "if" was taken (0) ntlm_auth.authorize ntlm_auth.authorize { (0) if (!control:Auth-Type && User-Password) (0) if (!control:Auth-Type && User-Password) -> TRUE (0) if (!control:Auth-Type && User-Password) { (0) update control { (0) Auth-Type := ntlm_auth (0) } # update control = noop (0) } # if (!control:Auth-Type && User-Password) = noop (0) } # ntlm_auth.authorize ntlm_auth.authorize = noop (0) filter_username filter_username { (0) if (!&User-Name) (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\\.\\./ ) (0) if (&User-Name =~ /\\.\\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\\.$/) (0) if (&User-Name =~ /\\.$/) -> FALSE (0) if (&User-Name =~ /@\\./) (0) if (&User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = ok (0) [preprocess] = ok (0) auth_log : EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (0) auth_log : --> /var/log/radius/radacct/127.0.0.1/auth-detail-20170125 (0) auth_log : /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20170125 (0) auth_log : EXPAND %t (0) auth_log : --> Wed Jan 25 16:50:01 2017 (0) [auth_log] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : Checking for suffix after "@" (0) suffix : Looking up realm "eduroam.test.edu" for User-Name = "radtest@eduroam.test.edu" (0) suffix : Found realm "~^eduroam.test.edu$" (0) suffix : Adding Stripped-User-Name = "radtest" (0) suffix : Adding Realm = "eduroam.test.edu" (0) suffix : Authentication realm is LOCAL (0) [suffix] = ok (0) eap : No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop (0) [expiration] = noop (0) [logintime] = noop (0) } # authorize = ok (0) Found Auth-Type = ntlm_auth (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Auth-Type ntlm_auth { Executing: /usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}: (0) ntlm_auth : EXPAND --username=%{mschap:User-Name} (0) ntlm_auth : --> --username=radtest@eduroam.test.edu (0) ntlm_auth : EXPAND --password=%{User-Password} (0) ntlm_auth : --> --password=test Program returned code (1) and output 'NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)' (0) [ntlm_auth] = reject (0) } # Auth-Type ntlm_auth = reject (0) Failed to authenticate the user (0) Login incorrect: [radtest@eduroam.test.edu/test] (from client localhost port 0) (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject : EXPAND %{User-Name} (0) attr_filter.access_reject : --> radtest@eduroam.test.edu (0) attr_filter.access_reject : Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure (0) [eap] = noop (0) remove_reply_message_if_eap remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else else { (0) [noop] = noop (0) } # else else = noop (0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sending Access-Reject packet to host 127.0.0.1 port 39536, id=11, length=0 Sending Access-Reject Id 11 from 127.0.0.1:1812 to 127.0.0.1:39536 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 11 with timestamp +17 Ready to process requests ----- Best regards!
http://deployingradius.com/ is always a good resource to use as well.
Regards,
Adam Bishop
gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
radtest@eduroam.test.edu Cleartext - Password: = "test"
The whitespace here is wrong - is it in the file like this, or is it just your MUA butchering it? The line should look like:
radtest@eduroam.test.edu Cleartext-Password := "test" -------------------------------------^ tab here
Looking at the log (/var/log/radius/radius.log), files seems to be noop and is not recognized.
You've not posted enough information to fully diagnose the problem - FreeRADIUS makes multiple passes through the virtual server (pre-proxy/authZ/authN/postN/post-proxy) with each request, so we need to see the entire log.
This is my MUA butchering. I use tab separator.
yes, but do you have Cleartext - Password: = "test" or do you have Cleartext-Password := "test" ?
(0) # Executing group from file /etc/raddb/sites-enabled/default (0) Auth-Type ntlm_auth { Executing: /usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}: (0) ntlm_auth : EXPAND --username=%{mschap:User-Name} (0) ntlm_auth : --> --username=radtest@eduroam.test.edu (0) ntlm_auth : EXPAND --password=%{User-Password} (0) ntlm_auth : --> --password=test Program returned code (1) and output 'NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)' (0) [ntlm_auth] = reject
thats quite easy - ntlm_auth failed - no such user (is your doamin MYDOMAIN ?) alan
On Jan 23, 2017, at 11:16 PM, Seiichirou Hiraoka <seiichirou.hiraoka@gmail.com> wrote:
In the environment of CentOS 7.3, FreeRADIUS 3.0.4, local users file (/etc/raddb/mods-config/files/authorize) can not authenticate.
Yes, they can.
It is set to authenticate with mschap using inner-tunnel, and the following I confirmed that authentication succeeds with the command. (username@eduroam.test.edu is the user on the AD server)
# radtest - t mschap username@eduroam.test.edu test 127.0.0.1: 1812 0 testing 123 Received Access-Accept Id 32 from 127.0.0.1: 1812 to 127.0.0.1: 42901 length 84
Next, to monitor the service, add the following entry to local users file.
radtest@eduroam.test.edu Cleartext - Password: = "test"
Odds are that you have a realm defined, which is "eduroam.test.edu".
Running radtest in this state will fail.
# radtest radtest@eduroam.test.edu test 127.0.0.1: 1812 0 testing 123 Received Access-Reject Id 79 from 127.0.0.1: 1812 to 127.0.0.1: 55380 length 20
Looking at the log (/var/log/radius/radius.log), files seems to be noop and is not recognized.
(0) [suffix] = ok (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop <- This is wrong????
If only you could read the REST OF THE DEBUG OUTPUT to see what the server is doing.
Please tell me how to do RADIUS authentication with local user file for service monitoring.
You use it as documented. And, you read the debug output. ALL OF IT. Alan DeKok.
Hello Alan, Adam, Thank you for your reply. This is my radiusd -X all debug logs. ----- Received Access-Request Id 97 from 127.0.0.1:44294 to 127.0.0.1:1812 length 101 User-Name = 'radtest@eduroam.test.edu' User-Password = 'test' NAS-IP-Address = X.X.X.X NAS-Port = 0 Message-Authenticator = 0xb8fc8bbf410ad0804e01366105fe8b25 (0) Received Access-Request packet from host 127.0.0.1 port 44294, id=97, length=101 (0) User-Name = 'radtest@eduroam.test.edu' (0) User-Password = 'test' (0) NAS-IP-Address = X.X.X.X (0) NAS-Port = 0 (0) Message-Authenticator = 0xb8fc8bbf410ad0804e01366105fe8b25 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) if ( &User-Name !~ /@/ ) (0) if ( &User-Name !~ /@/ ) -> FALSE (0) elsif ( &User-Name =~ /@eduroam\.test\.edu/ ) (0) elsif ( &User-Name =~ /@eduroam\.test\.edu/ ) -> TRUE (0) elsif ( &User-Name =~ /@eduroam\.test\.edu/ ) { (0) [ok] = ok (0) } # elsif ( &User-Name =~ /@eduroam\.test\.edu/ ) = ok (0) ... skipping elsif for request 0: Preceding "if" was taken (0) filter_username filter_username { (0) if (!&User-Name) (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\\.\\./ ) (0) if (&User-Name =~ /\\.\\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\\.$/) (0) if (&User-Name =~ /\\.$/) -> FALSE (0) if (&User-Name =~ /@\\./) (0) if (&User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = ok (0) [preprocess] = ok (0) auth_log : EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (0) auth_log : --> /var/log/radius/radacct/127.0.0.1/auth-detail-20170125 (0) auth_log : /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20170125 (0) auth_log : EXPAND %t (0) auth_log : --> Wed Jan 25 13:11:26 2017 (0) [auth_log] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : Checking for suffix after "@" (0) suffix : Looking up realm "eduroam.test.edu" for User-Name = "radtest@eduroam.test.edu" (0) suffix : Found realm "~^eduroam.test.edu$" (0) suffix : Adding Stripped-User-Name = "radtest" (0) suffix : Adding Realm = "eduroam.test.edu" (0) suffix : Authentication realm is LOCAL (0) [suffix] = ok (0) eap : No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop (0) [expiration] = noop (0) [logintime] = noop (0) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type (0) WARNING: pap : Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user (0) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [radtest@eduroam.test.edu/test] (from client localhost port 0) (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject : EXPAND %{User-Name} (0) attr_filter.access_reject : --> radtest@eduroam.test.edu (0) attr_filter.access_reject : Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure (0) [eap] = noop (0) remove_reply_message_if_eap remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else else { (0) [noop] = noop (0) } # else else = noop (0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sending Access-Reject packet to host 127.0.0.1 port 44294, id=97, length=0 Sending Access-Reject Id 97 from 127.0.0.1:1812 to 127.0.0.1:44294 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 97 with timestamp +11 Ready to process requests ----- and this is my configuration. - /etc/raddb/sites-enables/default # cat default | grep -v ^# | grep -v ^$ | grep -v " *# " server default { listen { type = auth ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { ipaddr = * port = 0 type = acct limit { } } listen { type = auth port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { ipv6addr = :: port = 0 type = acct limit { } } authorize { if ( &User-Name !~ /@/ ) { reject } elsif ( &User-Name =~ /@eduroam\.test\.edu/ ) { ok } elsif ( &User-Name =~ /@*\.test\.edu/ ) { reject } filter_username preprocess auth_log chap mschap digest suffix eap { ok = return } files -sql -ldap expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } digest eap } preacct { preprocess acct_unique suffix files } accounting { detail unix -sql exec attr_filter.accounting_response } session { } post-auth { -sql exec remove_reply_message_if_eap Post-Auth-Type REJECT { -sql attr_filter.access_reject eap remove_reply_message_if_eap } } pre-proxy { } post-proxy { eap } } - /etc/raddb/sites-enables/inner-tunnel # cat inner-tunnel | grep -v ^# | grep -v ^$ | grep -v " *# " server inner-tunnel { listen { ipaddr = 127.0.0.1 port = 18120 type = auth } authorize { chap mschap suffix eap { ok = return } files -sql -ldap expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } ntlm_auth eap } session { radutmp } post-auth { -sql Post-Auth-Type REJECT { -sql attr_filter.access_reject } } pre-proxy { } post-proxy { eap } Please tell me if you need other files. Best regards 2017-01-24 23:57 GMT+09:00 Alan DeKok <aland@deployingradius.com>:
On Jan 23, 2017, at 11:16 PM, Seiichirou Hiraoka <seiichirou.hiraoka@gmail.com> wrote:
In the environment of CentOS 7.3, FreeRADIUS 3.0.4, local users file (/etc/raddb/mods-config/files/authorize) can not authenticate.
Yes, they can.
It is set to authenticate with mschap using inner-tunnel, and the following I confirmed that authentication succeeds with the command. (username@eduroam.test.edu is the user on the AD server)
# radtest - t mschap username@eduroam.test.edu test 127.0.0.1: 1812 0 testing 123 Received Access-Accept Id 32 from 127.0.0.1: 1812 to 127.0.0.1: 42901 length 84
Next, to monitor the service, add the following entry to local users file.
radtest@eduroam.test.edu Cleartext - Password: = "test"
Odds are that you have a realm defined, which is "eduroam.test.edu".
Running radtest in this state will fail.
# radtest radtest@eduroam.test.edu test 127.0.0.1: 1812 0 testing 123 Received Access-Reject Id 79 from 127.0.0.1: 1812 to 127.0.0.1: 55380 length 20
Looking at the log (/var/log/radius/radius.log), files seems to be noop and is not recognized.
(0) [suffix] = ok (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop <- This is wrong????
If only you could read the REST OF THE DEBUG OUTPUT to see what the server is doing.
Please tell me how to do RADIUS authentication with local user file for service monitoring.
You use it as documented. And, you read the debug output.
ALL OF IT.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jan 24, 2017, at 11:24 PM, Seiichirou Hiraoka <seiichirou.hiraoka@gmail.com> wrote:
This is my radiusd -X all debug logs.
As I guessed, you have a realm "eduroam.test.edu" You need to edit the "users" file entry to have name "radtest", and not "radtest@eduroam.test.edu"
"radtest@eduroam.test.edu" (0) suffix : Found realm "~^eduroam.test.edu$" (0) suffix : Adding Stripped-User-Name = "radtest"
This is the name used for comparisons in the "users" file, sql, etc. Alan DeKok.
Hello Alan, everyone, It finally succeeded. Two were wrong. One point is pointed out from Alan, in that the users file only describes the user name (without realm), The other one was not restarted after changing the users file, and the change was not reflected. As a result, authentication in the users file now works by writing in the users file as follows. # cat users radtest Cleartext-Password := "test" - users file # radtest radtest@eduroam.test.edu test localhost 0 testing 123 -> Received Access-Accept - ntlm_auth (AD backend) # radtest -t mschap aduser@eduroam.test.edu test localhost 0 testing 123 -> Received Access-Accept Thank you very much for your advice. 2017-01-26 0:33 GMT+09:00 Alan DeKok <aland@deployingradius.com>:
On Jan 24, 2017, at 11:24 PM, Seiichirou Hiraoka <seiichirou.hiraoka@gmail.com> wrote:
This is my radiusd -X all debug logs.
As I guessed, you have a realm "eduroam.test.edu"
You need to edit the "users" file entry to have name "radtest", and not "radtest@eduroam.test.edu"
"radtest@eduroam.test.edu" (0) suffix : Found realm "~^eduroam.test.edu$" (0) suffix : Adding Stripped-User-Name = "radtest"
This is the name used for comparisons in the "users" file, sql, etc.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Adam Bishop -
Alan DeKok -
Seiichirou Hiraoka