rlm_rest authentication failures in rest module

Karuna Kumar karuna.kumar at prontonetworks.com
Wed May 18 14:36:36 CEST 2016


Hi,

I am using FreeRADIUS 3.0.11 and am unable to authenticate a user through
the rest module. FreeRADIUS sends the request to the REST API server and
receives the response, but the log says "(1) Failed to authenticate the
user". Please let me know whether I did something wrong or whether I need
to configure anything else. The configuration and logs are pasted below
for reference. Thanks in advance.

---------------------------------------------
CONFIGURATIONS IN raddb/sites-enabled/default
---------------------------------------------

# authorize (virtual server): when the request carries a User-Password,
# set control:Auth-Type to "rest" so the authenticate section hands the
# request to the rest module.
#
# NOTE(review): the update also copies the password the client submitted
# into control:Cleartext-Password, i.e. into the "known good" slot. Any
# module that later compares User-Password against Cleartext-Password would
# then be comparing the value with itself, so this line adds no check and
# is presumably not needed for REST-backed authentication - confirm.
authorize {
        if (User-Password) {
                update control {
                        Cleartext-Password := &User-Password
                        Auth-Type := rest
                }
        }
}

# authenticate (virtual server): runs the rest module for requests whose
# Auth-Type was set to "rest" in authorize.
#
# The debug log on this page shows "[rest] = updated" immediately followed
# by "Failed to authenticate the user", after the JSON reply was parsed
# into attributes.
# NOTE(review): this suggests that only an "ok" result counts as success in
# this section, and that a reply body which sets attributes turns the
# result into "updated" - confirm against the return-code table in the
# comments of mods-available/rest for this version.
authenticate {
        rest
}

---------------------------------------------
CONFIGURATIONS IN raddb/mods-available/rest
---------------------------------------------

# Base URL that each section's uri below is built from.
# It is plain http://, so the requests and the JSON replies (which the debug
# log shows carrying User-Password and Cleartext-Password values) cross the
# network unencrypted. An https:// endpoint would protect them in transit.
# The trailing "/" here plus the leading "/" in each uri produces the
# "//hns/..." path visible in the debug log.
connect_uri = "http://192.168.1.25:8900/"

# authorize (rest module): HTTP GET to FreeRadiusTest.jsp with
# action=authorize, expanding Called-Station-ID and User-Name into the
# query string.
# tls = ${..tls} reuses the tls settings of the enclosing module section,
# which are not shown in this excerpt.
authorize {
        uri = "${..connect_uri}/hns/FreeRadiusTest.jsp?test=value&action=authorize&calledStationId=%{Called-Station-ID}&userName=%{User-Name}"
        method = 'get'
        tls = ${..tls}
}

# authenticate (rest module): HTTP GET to FreeRadiusTest.jsp with
# action=authenticate. The query string carries only calledStationId and
# userName; the debug log shows the expanded request with no password in it.
#
# NOTE(review): unless credentials are passed through HTTP auth options that
# are not shown in this excerpt, the backend receives nothing to verify the
# password against, and would be accepting or rejecting on user name alone -
# confirm how the JSP checks the credential.
# If a password does need to reach the backend, keep it out of a GET query
# string (URLs end up in server and proxy logs) and use https://.
authenticate {
        uri = "${..connect_uri}/hns/FreeRadiusTest.jsp?test=value&action=authenticate&calledStationId=%{Called-Station-ID}&userName=%{User-Name}"
        method = 'get'
        tls = ${..tls}
}

# accounting (rest module): HTTP POST to FreeRadiusTest.jsp with
# action=accounting; the query string adds Acct-Unique-Session-ID to the
# calledStationId and userName parameters used by the other sections.
# tls = ${..tls} reuses the enclosing module's tls settings (not shown here).
accounting {
        uri = "${..connect_uri}/hns/FreeRadiusTest.jsp?test=value&action=accounting&calledStationId=%{Called-Station-ID}&userName=%{User-Name}&acctSessionId=%{Acct-Unique-Session-ID}"
        method = 'post'
        tls = ${..tls}
}

# post-auth (rest module): HTTP POST to FreeRadiusTest.jsp with
# action=postauth, expanding Called-Station-ID and User-Name into the
# query string.
# tls = ${..tls} reuses the enclosing module's tls settings (not shown here).
post-auth {
        uri = "${..connect_uri}/hns/FreeRadiusTest.jsp?test=value&action=postauth&calledStationId=%{Called-Station-ID}&userName=%{User-Name}"
        method = 'post'
        tls = ${..tls}
}


---------------------------------------------
radtest command output
---------------------------------------------

# radtest test test localhost 0 testing123
Sent Access-Request Id 243 from 0.0.0.0:55212 to 127.0.0.1:1812 length 74
        User-Name = "test"
        User-Password = "test"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "test"
Received Access-Reject Id 243 from 127.0.0.1:1812 to 0.0.0.0:0 length 35
        Reply-Message = "Hello from KK"
(0) -: Expected Access-Accept got Access-Reject


---------------------------------------------
radiusd console debug logs
---------------------------------------------

Ready to process requests
(2) Received Access-Request Id 243 from 127.0.0.1:55212 to
127.0.0.1:1812 length 74
(2)   User-Name = "test"
(2)   User-Password = "test"
(2)   NAS-IP-Address = 127.0.0.1
(2)   NAS-Port = 0
(2)   Message-Authenticator = 0xa554ee1ed0ff34cbd52a28d7ff14f641
(2) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(2)   authorize {
(2)     policy filter_username {
(2)       if (&User-Name) {
(2)       if (&User-Name)  -> TRUE
(2)       if (&User-Name)  {
(2)         if (&User-Name =~ / /) {
(2)         if (&User-Name =~ / /)  -> FALSE
(2)         if (&User-Name =~ /@[^@]*@/ ) {
(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(2)         if (&User-Name =~ /\.\./ ) {
(2)         if (&User-Name =~ /\.\./ )  -> FALSE
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
  -> FALSE
(2)         if (&User-Name =~ /\.$/)  {
(2)         if (&User-Name =~ /\.$/)   -> FALSE
(2)         if (&User-Name =~ /@\./)  {
(2)         if (&User-Name =~ /@\./)   -> FALSE
(2)       } # if (&User-Name)  = notfound
(2)     } # policy filter_username = notfound
(2)     [preprocess] = ok
(2)     if (User-Password) {
(2)     if (User-Password)  -> TRUE
(2)     if (User-Password)  {
(2)       update control {
(2)         Cleartext-Password := &User-Password -> 'test'
(2)         Auth-Type := rest
(2)       } # update control = noop
(2)     } # if (User-Password)  = noop
(2)     [chap] = noop
(2)     [mschap] = noop
(2)     [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "test", looking up realm NULL
(2) suffix: No such realm "NULL"
(2)     [suffix] = noop
(2) eap: No EAP-Message, not doing EAP
(2)     [eap] = noop
(2) files: users: Matched entry test at line 1
(2)     [files] = ok
(2)     [expiration] = noop
(2)     [logintime] = noop
(2) pap: WARNING: Auth-Type already set.  Not setting to PAP
(2)     [pap] = noop
(2)   } # authorize = ok
(2) Found Auth-Type = rest
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2)   authenticate {
rlm_rest (rest): Closing connection (2): Hit idle_timeout, was idle
for 1049 seconds
rlm_rest (rest): Closing connection (3): Hit idle_timeout, was idle
for 1049 seconds
rlm_rest (rest): Closing connection (4): Hit idle_timeout, was idle
for 1049 seconds
rlm_rest (rest): Closing connection (0): Hit idle_timeout, was idle
for 1047 seconds
rlm_rest (rest): Closing connection (5): Hit idle_timeout, was idle
for 1047 seconds
rlm_rest (rest): You probably need to lower "min"
rlm_rest (rest): Closing connection (1): Hit idle_timeout, was idle
for 1041 seconds
rlm_rest (rest): You probably need to lower "min"
rlm_rest (rest): Closing connection (6): Hit idle_timeout, was idle
for 1041 seconds
rlm_rest (rest): You probably need to lower "min"
rlm_rest (rest): 0 of 0 connections in use.  You  may need to increase "spare"
rlm_rest (rest): Opening additional connection (7), 1 of 32 pending slots used
rlm_rest (rest): Connecting to "http://192.168.1.25:8900/"
rlm_rest (rest): Reserved connection (7)
(2) rest: Expanding URI components
(2) rest: EXPAND http://192.168.1.25:8900
(2) rest:    --> http://192.168.1.25:8900
(2) rest: EXPAND
//hns/FreeRadiusTest.jsp?test=value&action=authenticate&calledStationId=%{Called-Station-ID}&userName=%{User-Name}
(2) rest:    -->
//hns/FreeRadiusTest.jsp?test=value&action=authenticate&calledStationId=&userName=test
(2) rest: Sending HTTP GET to
"http://192.168.1.25:8900//hns/FreeRadiusTest.jsp?test=value&action=authenticate&calledStationId=&userName=test"
(2) rest: Processing response header
(2) rest:   Status : 200 (OK)
(2) rest:   Type   : json (application/json)
(2) rest: Parsing attribute "reply:User-Name"
(2) rest: EXPAND test
(2) rest:    --> test
(2) rest: User-Name := "test"
(2) rest: Parsing attribute "reply:User-Password"
(2) rest: EXPAND test
(2) rest:    --> test
(2) rest: User-Password := "test"
(2) rest: Parsing attribute "control:ClearText-Password"
(2) rest: EXPAND test
(2) rest:    --> test
(2) rest: Cleartext-Password := "test"
(2) rest: Parsing attribute "reply:Reply-Message"
(2) rest: EXPAND Hello from KK
(2) rest:    --> Hello from KK
(2) rest: Reply-Message := "Hello from KK"
rlm_rest (rest): Released connection (7)
rlm_rest (rest): Need 2 more connections to reach 10 spares
rlm_rest (rest): Opening additional connection (8), 1 of 31 pending slots used
rlm_rest (rest): Connecting to "http://192.168.1.25:8900/"
(2)     [rest] = updated
(2)   } # authenticate = updated
(2) Failed to authenticate the user
(2) Using Post-Auth-Type Reject
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2)   Post-Auth-Type REJECT {
(2) attr_filter.access_reject: EXPAND %{User-Name}
(2) attr_filter.access_reject:    --> test
(2) attr_filter.access_reject: Matched entry DEFAULT at line 11
(2)     [attr_filter.access_reject] = updated
(2)     [eap] = noop
(2)     policy remove_reply_message_if_eap {
(2)       if (&reply:EAP-Message && &reply:Reply-Message) {
(2)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(2)       else {
(2)         [noop] = noop
(2)       } # else = noop
(2)     } # policy remove_reply_message_if_eap = noop
(2)   } # Post-Auth-Type REJECT = updated
(2) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(2) Sending delayed response
(2) Sent Access-Reject Id 243 from 127.0.0.1:1812 to 127.0.0.1:55212 length 35
(2)   Reply-Message = "Hello from KK"
Waking up in 3.9 seconds.
(2) Cleaning up request packet ID 243 with timestamp +1049
Ready to process requests


Thanks,
Karun.

