local user file authentication does not work

Seiichirou Hiraoka seiichirou.hiraoka at gmail.com
Wed Jan 25 09:08:50 CET 2017


Hello Adam,

Thank you for your reply.

2017-01-24 18:29 GMT+09:00 Adam Bishop <Adam.Bishop at jisc.ac.uk>:
> On 24 Jan 2017, at 04:16, Seiichirou Hiraoka <seiichirou.hiraoka at gmail.com> wrote:
>> radtest at eduroam.test.edu Cleartext - Password: = "test"
>
> The whitespace here is wrong - is it in the file like this, or is it just your MUA butchering it? The line should look like:
>
> radtest at eduroam.test.edu        Cleartext-Password := "test"
> -------------------------------------^ tab here
>
>> Looking at the log (/var/log/radius/radius.log),
>> files seems to be noop and is not recognized.
>
> You've not posted enough information to fully diagnose the problem - FreeRADIUS makes multiple passes through the virtual server (pre-proxy/authZ/authN/postN/post-proxy) with each request, so we need to see the entire log.

This is my MUA butchering it.
I use a tab separator.

>
>> - update control {
>> - Proxy - To - Realm: = LOCAL
>> -}
>
> Are you sure you want to do this?
>
>> + Ntlm_auth
>
> If you're using AD as your backend, and you want to use the static users file in addition there's a little more config you'll need to get it production ready:
>
>   https://wiki.freeradius.org/guide/Combining-authentication-of-AD-accounts-ntlm-auth-with-accounts-stored-elsewhere
>   https://wiki.freeradius.org/guide/NTLM-Auth-with-PAP-HOWTO

I looked at this URL (FreeRADIUS 3.X) and tried it, but it fails...

# radtest radtest@eduroam.test.edu test 127.0.0.1 0 testing123
Sending Access-Request Id 11 from 0.0.0.0:39536 to 127.0.0.1:1812
        User-Name = 'radtest@eduroam.test.edu'
        User-Password = 'test'
        NAS-IP-Address = X.X.X.X
        NAS-Port = 0
        Message-Authenticator = 0x00
Received Access-Reject Id 11 from 127.0.0.1:1812 to 127.0.0.1:39536 length 20
(0) -: Expected Access-Accept got Access-Reject

The user "radtest@eduroam.test.edu" does not exist in my AD server,
but it does exist in /etc/raddb/users (/etc/raddb/mods-config/files/authorize)
(tab separated):

-----
radtest@eduroam.test.edu	Cleartext-Password := "test"
-----

This is my debug log (radiusd -X):

-----
Received Access-Request Id 11 from 127.0.0.1:39536 to 127.0.0.1:1812 length 101
        User-Name = 'radtest@eduroam.test.edu'
        User-Password = 'test'
        NAS-IP-Address = X.X.X.X
        NAS-Port = 0
        Message-Authenticator = 0xf98e5871147209fe3a2b8ec9510b970d
(0) Received Access-Request packet from host 127.0.0.1 port 39536, id=11, length=101
(0)     User-Name = 'radtest@eduroam.test.edu'
(0)     User-Password = 'test'
(0)     NAS-IP-Address = X.X.X.X
(0)     NAS-Port = 0
(0)     Message-Authenticator = 0xf98e5871147209fe3a2b8ec9510b970d
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   authorize {
(0)    if ( &User-Name !~ /@/ )
(0)    if ( &User-Name !~ /@/ )  -> FALSE
(0)    elsif ( &User-Name =~ /@eduroam\.test\.edu/ )
(0)    elsif ( &User-Name =~ /@eduroam\.test\.edu/ )  -> TRUE
(0)   elsif ( &User-Name =~ /@eduroam\.test\.edu/ )  {
(0)    [ok] = ok
(0)   } # elsif ( &User-Name =~ /@eduroam\.test\.edu/ )  = ok
(0)    ... skipping elsif for request 0: Preceding "if" was taken
(0)   ntlm_auth.authorize ntlm_auth.authorize {
(0)     if (!control:Auth-Type && User-Password)
(0)     if (!control:Auth-Type && User-Password)  -> TRUE
(0)    if (!control:Auth-Type && User-Password)  {
(0)     update control {
(0)     Auth-Type := ntlm_auth
(0)     } # update control = noop
(0)    } # if (!control:Auth-Type && User-Password)  = noop
(0)   } # ntlm_auth.authorize ntlm_auth.authorize = noop
(0)   filter_username filter_username {
(0)     if (!&User-Name)
(0)     if (!&User-Name)  -> FALSE
(0)     if (&User-Name =~ / /)
(0)     if (&User-Name =~ / /)  -> FALSE
(0)     if (&User-Name =~ /@.*@/ )
(0)     if (&User-Name =~ /@.*@/ )  -> FALSE
(0)     if (&User-Name =~ /\\.\\./ )
(0)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(0)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(0)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(0)     if (&User-Name =~ /\\.$/)
(0)     if (&User-Name =~ /\\.$/)   -> FALSE
(0)     if (&User-Name =~ /@\\./)
(0)     if (&User-Name =~ /@\\./)   -> FALSE
(0)   } # filter_username filter_username = ok
(0)   [preprocess] = ok
(0)  auth_log : EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0)  auth_log :    --> /var/log/radius/radacct/127.0.0.1/auth-detail-20170125
(0)  auth_log : /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20170125
(0)  auth_log : EXPAND %t
(0)  auth_log :    --> Wed Jan 25 16:50:01 2017
(0)   [auth_log] = ok
(0)   [chap] = noop
(0)   [mschap] = noop
(0)   [digest] = noop
(0)  suffix : Checking for suffix after "@"
(0)  suffix : Looking up realm "eduroam.test.edu" for User-Name = "radtest@eduroam.test.edu"
(0)  suffix : Found realm "~^eduroam.test.edu$"
(0)  suffix : Adding Stripped-User-Name = "radtest"
(0)  suffix : Adding Realm = "eduroam.test.edu"
(0)  suffix : Authentication realm is LOCAL
(0)   [suffix] = ok
(0)  eap : No EAP-Message, not doing EAP
(0)   [eap] = noop
(0)   [files] = noop
(0)   [expiration] = noop
(0)   [logintime] = noop
(0)  } #  authorize = ok
(0) Found Auth-Type = ntlm_auth
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)  Auth-Type ntlm_auth {
Executing: /usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}:
(0)  ntlm_auth : EXPAND --username=%{mschap:User-Name}
(0)  ntlm_auth :    --> --username=radtest@eduroam.test.edu
(0)  ntlm_auth : EXPAND --password=%{User-Password}
(0)  ntlm_auth :    --> --password=test
Program returned code (1) and output 'NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)'
(0)   [ntlm_auth] = reject
(0)  } # Auth-Type ntlm_auth = reject
(0) Failed to authenticate the user
(0) Login incorrect: [radtest@eduroam.test.edu/test] (from client localhost port 0)
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)  Post-Auth-Type REJECT {
(0)  attr_filter.access_reject : EXPAND %{User-Name}
(0)  attr_filter.access_reject :    --> radtest@eduroam.test.edu
(0)  attr_filter.access_reject : Matched entry DEFAULT at line 11
(0)   [attr_filter.access_reject] = updated
(0)  eap : Request didn't contain an EAP-Message, not inserting EAP-Failure
(0)   [eap] = noop
(0)   remove_reply_message_if_eap remove_reply_message_if_eap {
(0)     if (&reply:EAP-Message && &reply:Reply-Message)
(0)     if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)    else else {
(0)     [noop] = noop
(0)    } # else else = noop
(0)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(0)  } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sending Access-Reject packet to host 127.0.0.1 port 39536, id=11, length=0
Sending Access-Reject Id 11 from 127.0.0.1:1812 to 127.0.0.1:39536
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 11 with timestamp +17
Ready to process requests
-----

Best regards!

>
> http://deployingradius.com/ is always a good resource to use as well.
>
> Regards,
>
> Adam Bishop
>
>   gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460
>
> jisc.ac.uk
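As an added illustration (not code from this thread or from FreeRADIUS), the following Python models two things visible in the post: the check-item syntax that the MUA mangled, and how the files module chooses the name it looks up. It assumes the module's default key expansion, %{%{Stripped-User-Name}:-%{User-Name}}, so once the suffix module has added Stripped-User-Name = "radtest", an entry keyed "radtest@eduroam.test.edu" is never consulted and the module returns noop, as in the debug log above.

```python
import re

# Constructed users-file content in the layout the thread recommends:
# entry name, a TAB, then the check items.  No DEFAULT entry, as on the page.
USERS_FILE = 'radtest@eduroam.test.edu\tCleartext-Password := "test"\n'

# Constructed copy of the same line as the MUA mangled it, for the syntax check.
MANGLED_LINE = 'radtest@eduroam.test.edu Cleartext - Password: = "test"'

ENTRY_RE = re.compile(r'^(\S+)[ \t]+(.*)$')
# One check item: Attribute-Name, operator, quoted string or bare word, optional comma.
ITEM_RE = re.compile(r'([A-Za-z][\w-]*)\s*(:=|==|=|!=)\s*("[^"]*"|\S+)\s*,?')


def parse_users(text):
    """Return [(name, {attr: (op, value)})] for each entry line of a users file."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line[0] in '#\t ':
            continue  # comments and indented reply-item lines are not modelled here
        m = ENTRY_RE.match(line)
        if m:
            name, rest = m.groups()
            items = {a: (op, v.strip('"')) for a, op, v in ITEM_RE.findall(rest)}
            entries.append((name, items))
    return entries


def check_items_well_formed(line):
    """False when the item text does not parse cleanly, e.g. 'Cleartext - Password: ='."""
    rest = ENTRY_RE.match(line).group(2)
    consumed = ''.join(m.group(0) for m in ITEM_RE.finditer(rest))
    return consumed.strip() == rest.strip()


def files_key(request):
    # Assumed default lookup key of the files module:
    # %{%{Stripped-User-Name}:-%{User-Name}}  (configurable in mods-available/files)
    return request.get('Stripped-User-Name') or request['User-Name']


def files_authorize(entries, request):
    """Return the check items of the first matching entry, or None (module result: noop)."""
    key = files_key(request)
    for name, items in entries:
        if name == key or name == 'DEFAULT':
            return items
    return None
```

With Stripped-User-Name present the lookup name is "radtest" and nothing matches; without the suffix module stripping the realm, the same entry is found and supplies Cleartext-Password.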