rlm_rest authentication failures in rest module
Karuna Kumar
karuna.kumar at prontonetworks.com
Fri May 20 09:32:11 CEST 2016
Hi Team,
I have figured it out and found it to be working with my basic testing.
I have modified the following file configuration, which I had
posted in my previous mail.
---------------------------------------------
CONFIGURATIONS IN raddb/sites-enabled/default
---------------------------------------------
authorize {
    rest
}
I just added a plain "rest" in the authorize { } section, removed "rest"
from the authenticate { } section and kept the default ones there, and it works
with the basic testing (radtest command).
Thanks,
Karun.
On Wed, May 18, 2016 at 6:06 PM, Karuna Kumar
<karuna.kumar at prontonetworks.com> wrote:
> Hi,
>
> I am using FreeRADIUS 3.0.11 and am unable to authenticate the user through
> the rest module. I am able to send the request to the REST API server and
> also able to fetch the response in FreeRADIUS, but the log says "(1) Failed to
> authenticate the user". Please let me know whether I did something
> wrong or whether I have to configure anything anywhere else. Configuration and
> logs are pasted below for your reference. Thanks in advance.
>
> ---------------------------------------------
> CONFIGURATIONS IN raddb/sites-enabled/default
> ---------------------------------------------
>
> authorize {
>     if (User-Password) {
>         update control {
>             Cleartext-Password := &User-Password
>             Auth-Type := rest
>         }
>     }
> }
>
> authenticate {
>     rest
> }
>
> ---------------------------------------------
> CONFIGURATIONS IN raddb/mods-available/rest
> ---------------------------------------------
>
> connect_uri = "http://192.168.1.25:8900/"
>
> authorize {
>     uri = "${..connect_uri}/hns/FreeRadiusTest.jsp?test=value&action=authorize&calledStationId=%{Called-Station-ID}&userName=%{User-Name}"
>     method = 'get'
>     tls = ${..tls}
> }
>
> authenticate {
>     uri = "${..connect_uri}/hns/FreeRadiusTest.jsp?test=value&action=authenticate&calledStationId=%{Called-Station-ID}&userName=%{User-Name}"
>     method = 'get'
>     tls = ${..tls}
> }
>
> accounting {
>     uri = "${..connect_uri}/hns/FreeRadiusTest.jsp?test=value&action=accounting&calledStationId=%{Called-Station-ID}&userName=%{User-Name}&acctSessionId=%{Acct-Unique-Session-ID}"
>     method = 'post'
>     tls = ${..tls}
> }
>
> post-auth {
>     uri = "${..connect_uri}/hns/FreeRadiusTest.jsp?test=value&action=postauth&calledStationId=%{Called-Station-ID}&userName=%{User-Name}"
>     method = 'post'
>     tls = ${..tls}
> }
>
>
> ---------------------------------------------
> radtest command output
> ---------------------------------------------
>
> # radtest test test localhost 0 testing123
> Sent Access-Request Id 243 from 0.0.0.0:55212 to 127.0.0.1:1812 length 74
> User-Name = "test"
> User-Password = "test"
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 0
> Message-Authenticator = 0x00
> Cleartext-Password = "test"
> Received Access-Reject Id 243 from 127.0.0.1:1812 to 0.0.0.0:0 length 35
> Reply-Message = "Hello from KK"
> (0) -: Expected Access-Accept got Access-Reject
>
>
> ---------------------------------------------
> radiusd console debug logs
> ---------------------------------------------
>
> Ready to process requests
> (2) Received Access-Request Id 243 from 127.0.0.1:55212 to 127.0.0.1:1812 length 74
> (2) User-Name = "test"
> (2) User-Password = "test"
> (2) NAS-IP-Address = 127.0.0.1
> (2) NAS-Port = 0
> (2) Message-Authenticator = 0xa554ee1ed0ff34cbd52a28d7ff14f641
> (2) # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/default
> (2) authorize {
> (2) policy filter_username {
> (2) if (&User-Name) {
> (2) if (&User-Name) -> TRUE
> (2) if (&User-Name) {
> (2) if (&User-Name =~ / /) {
> (2) if (&User-Name =~ / /) -> FALSE
> (2) if (&User-Name =~ /@[^@]*@/ ) {
> (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (2) if (&User-Name =~ /\.\./ ) {
> (2) if (&User-Name =~ /\.\./ ) -> FALSE
> (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
> (2) if (&User-Name =~ /\.$/) {
> (2) if (&User-Name =~ /\.$/) -> FALSE
> (2) if (&User-Name =~ /@\./) {
> (2) if (&User-Name =~ /@\./) -> FALSE
> (2) } # if (&User-Name) = notfound
> (2) } # policy filter_username = notfound
> (2) [preprocess] = ok
> (2) if (User-Password) {
> (2) if (User-Password) -> TRUE
> (2) if (User-Password) {
> (2) update control {
> (2) Cleartext-Password := &User-Password -> 'test'
> (2) Auth-Type := rest
> (2) } # update control = noop
> (2) } # if (User-Password) = noop
> (2) [chap] = noop
> (2) [mschap] = noop
> (2) [digest] = noop
> (2) suffix: Checking for suffix after "@"
> (2) suffix: No '@' in User-Name = "test", looking up realm NULL
> (2) suffix: No such realm "NULL"
> (2) [suffix] = noop
> (2) eap: No EAP-Message, not doing EAP
> (2) [eap] = noop
> (2) files: users: Matched entry test at line 1
> (2) [files] = ok
> (2) [expiration] = noop
> (2) [logintime] = noop
> (2) pap: WARNING: Auth-Type already set. Not setting to PAP
> (2) [pap] = noop
> (2) } # authorize = ok
> (2) Found Auth-Type = rest
> (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> (2) authenticate {
> rlm_rest (rest): Closing connection (2): Hit idle_timeout, was idle for 1049 seconds
> rlm_rest (rest): Closing connection (3): Hit idle_timeout, was idle for 1049 seconds
> rlm_rest (rest): Closing connection (4): Hit idle_timeout, was idle for 1049 seconds
> rlm_rest (rest): Closing connection (0): Hit idle_timeout, was idle for 1047 seconds
> rlm_rest (rest): Closing connection (5): Hit idle_timeout, was idle for 1047 seconds
> rlm_rest (rest): You probably need to lower "min"
> rlm_rest (rest): Closing connection (1): Hit idle_timeout, was idle for 1041 seconds
> rlm_rest (rest): You probably need to lower "min"
> rlm_rest (rest): Closing connection (6): Hit idle_timeout, was idle for 1041 seconds
> rlm_rest (rest): You probably need to lower "min"
> rlm_rest (rest): 0 of 0 connections in use. You may need to increase "spare"
> rlm_rest (rest): Opening additional connection (7), 1 of 32 pending slots used
> rlm_rest (rest): Connecting to "http://192.168.1.25:8900/"
> rlm_rest (rest): Reserved connection (7)
> (2) rest: Expanding URI components
> (2) rest: EXPAND http://192.168.1.25:8900
> (2) rest: --> http://192.168.1.25:8900
> (2) rest: EXPAND //hns/FreeRadiusTest.jsp?test=value&action=authenticate&calledStationId=%{Called-Station-ID}&userName=%{User-Name}
> (2) rest: --> //hns/FreeRadiusTest.jsp?test=value&action=authenticate&calledStationId=&userName=test
> (2) rest: Sending HTTP GET to "http://192.168.1.25:8900//hns/FreeRadiusTest.jsp?test=value&action=authenticate&calledStationId=&userName=test"
> (2) rest: Processing response header
> (2) rest: Status : 200 (OK)
> (2) rest: Type : json (application/json)
> (2) rest: Parsing attribute "reply:User-Name"
> (2) rest: EXPAND test
> (2) rest: --> test
> (2) rest: User-Name := "test"
> (2) rest: Parsing attribute "reply:User-Password"
> (2) rest: EXPAND test
> (2) rest: --> test
> (2) rest: User-Password := "test"
> (2) rest: Parsing attribute "control:ClearText-Password"
> (2) rest: EXPAND test
> (2) rest: --> test
> (2) rest: Cleartext-Password := "test"
> (2) rest: Parsing attribute "reply:Reply-Message"
> (2) rest: EXPAND Hello from KK
> (2) rest: --> Hello from KK
> (2) rest: Reply-Message := "Hello from KK"
> rlm_rest (rest): Released connection (7)
> rlm_rest (rest): Need 2 more connections to reach 10 spares
> rlm_rest (rest): Opening additional connection (8), 1 of 31 pending slots used
> rlm_rest (rest): Connecting to "http://192.168.1.25:8900/"
> (2) [rest] = updated
> (2) } # authenticate = updated
> (2) Failed to authenticate the user
> (2) Using Post-Auth-Type Reject
> (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> (2) Post-Auth-Type REJECT {
> (2) attr_filter.access_reject: EXPAND %{User-Name}
> (2) attr_filter.access_reject: --> test
> (2) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (2) [attr_filter.access_reject] = updated
> (2) [eap] = noop
> (2) policy remove_reply_message_if_eap {
> (2) if (&reply:EAP-Message && &reply:Reply-Message) {
> (2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (2) else {
> (2) [noop] = noop
> (2) } # else = noop
> (2) } # policy remove_reply_message_if_eap = noop
> (2) } # Post-Auth-Type REJECT = updated
> (2) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (2) Sending delayed response
> (2) Sent Access-Reject Id 243 from 127.0.0.1:1812 to 127.0.0.1:55212 length 35
> (2) Reply-Message = "Hello from KK"
> Waking up in 3.9 seconds.
> (2) Cleaning up request packet ID 243 with timestamp +1049
> Ready to process requests
>
>
> Thanks,
> Karun.
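A stand-in for the backend behind the quoted connect_uri, added here as an example and not the poster's JSP: it answers rlm_rest's GET with the JSON attribute format seen in the debug log, hands the reference password back only as control:Cleartext-Password (the log above shows the real backend also echoing it as reply:User-Password, which is then carried in the RADIUS reply), and for action=authenticate follows the 3.0 rlm_rest status-code mapping (204 -> ok, 401 -> reject, a 200 whose body decodes to attributes -> updated, which is why "[rest] = updated" is followed by "Failed to authenticate the user" above). The userPassword parameter, the USERS table and the "Hello from the backend" text are assumptions not present in the original config.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

USERS = {"test": "test"}  # constructed sample store; a real backend would query a DB

def handle_request(path):
    """Map the path rlm_rest requests to (HTTP status, JSON body dict) in rlm_rest's
    response format: "<list>:<Attribute>" keys with {"op": ..., "value": ...}."""
    qs = parse_qs(urlparse(path).query)
    action = qs.get("action", [""])[0]
    user = qs.get("userName", [""])[0]
    if action == "authorize":
        if user not in USERS:
            return 404, {}  # rlm_rest reports a 404 as "notfound"
        # The reference password goes to the control list so rlm_pap compares it;
        # nothing secret is placed in the reply list, which ends up on the wire.
        return 200, {
            "control:Cleartext-Password": {"op": ":=", "value": USERS[user]},
            "reply:Reply-Message": {"op": ":=", "value": "Hello from the backend"},
        }
    if action == "authenticate":
        # Assumed extra parameter "userPassword" (the quoted URI sends none, so a
        # backend cannot check a password from it). 204 with no body maps to "ok";
        # a 200 whose body decodes to attributes maps to "updated", which the
        # authenticate stage treats as a failure; 401 maps to "reject".
        given = qs.get("userPassword", [""])[0].encode()
        ok = user in USERS and hmac.compare_digest(given, USERS[user].encode())
        return (204, {}) if ok else (401, {})
    if action in ("accounting", "postauth"):
        return 200, {}
    return 400, {}

class Handler(BaseHTTPRequestHandler):
    def _serve(self):
        status, body = handle_request(self.path)
        payload = b"" if status == 204 else json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    do_GET = do_POST = _serve

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8900), Handler).serve_forever()  # port from connect_uri
```

Because the authorize response carries a cleartext password, the connect_uri in a real deployment should be https with the module's tls settings rather than the plain http shown in the thread.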