No subject
Mohiddin Shaik
kms31786 at gmail.com
Wed Apr 18 19:50:57 CEST 2018
Hey, hi,
I have installed a FreeRADIUS server and integrated it with a FreeIPA server. When I
run radtest it authenticates perfectly. I configured client.conf to authenticate my
Cisco firewall, but whenever I try to log in to my Cisco firewall using a FreeIPA user,
radiusd -X debug mode says the auth succeeded, yet I am unable to log in
to the terminal ((9) Sent Access-Accept Id 75 from x.x.x.x:1812 to
x.x.x.x:22029 length 0 (9) Finished request).
When I use the FreeIPA admin user id I am able to log in to the Cisco firewall via the
same FreeRADIUS server / same configuration.
Debug Output:
Ready to process requests
(8) Received Access-Request Id 74 from 10.0.5.5:22029 to 10.0.0.94:1812
length 128
(8) User-Name = "mohiddin"
(8) User-Password = "pass at 123"
(8) NAS-IP-Address = 10.0.5.5
(8) NAS-Port = 74
(8) NAS-Port-Type = Virtual
(8) Cisco-AVPair = "ip:source-ip=10.0.2.49"
(8) Calling-Station-Id = "10.0.2.49"
(8) Cisco-AVPair = "coa-push=true"
(8) # Executing section authorize from file /etc/raddb/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "mohiddin", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: No EAP-Message, not doing EAP
(8) [eap] = noop
(8) [files] = noop
rlm_ldap (ldap): Closing connection (9): Hit idle_timeout, was idle for 133
seconds
rlm_ldap (ldap): Closing connection (11): Hit idle_timeout, was idle for
133 seconds
rlm_ldap (ldap): Closing connection (8): Hit idle_timeout, was idle for 120
seconds
rlm_ldap (ldap): Closing connection (12): Hit idle_timeout, was idle for
120 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (10): Hit idle_timeout, was idle for
113 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (13): Hit idle_timeout, was idle for
113 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase
"spare"
rlm_ldap (ldap): Opening additional connection (14), 1 of 32 pending slots
used
rlm_ldap (ldap): Connecting to ldap://ipa01.test.org:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Reserved connection (14)
(8) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(8) ldap: --> (uid=mohiddin)
(8) ldap: Performing search in "cn=users,cn=accounts,dc=test,dc=org" with
filter "(uid=mohiddin)", scope "sub"
(8) ldap: Waiting for search result...
(8) ldap: User object found at DN
"uid=mohiddin,cn=users,cn=accounts,dc=test,dc=org"
(8) ldap: Processing user attributes
(8) ldap: control:Password-With-Header +=
'{SSHA512}FBhJiiB8Uene3Nl6MkFBufEQNVBJsU9GrXy3wXtaaY0mUkjQ5CVAiWdWHHfEf5bZpYWYECf/mvwOojrM/L4dVJLuUJyt+N6Q'
rlm_ldap (ldap): Released connection (14)
Need 2 more connections to reach min connections (3)
rlm_ldap (ldap): Opening additional connection (15), 1 of 31 pending slots
used
rlm_ldap (ldap): Connecting to ldap://ipa01.test.org:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(8) [ldap] = updated
(8) [expiration] = noop
(8) [logintime] = noop
(8) pap: Converted: &control:Password-With-Header ->
&control:SSHA2-512-Password
(8) pap: Removing &control:Password-With-Header
(8) pap: Normalizing SSHA2-512-Password from base64 encoding, 96 bytes ->
72 bytes
(8) [pap] = updated
(8) } # authorize = updated
(8) Found Auth-Type = PAP
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) Auth-Type PAP {
(8) pap: Login attempt with password
(8) pap: Comparing with "known-good" SSHA2-512-Password
(8) pap: User authenticated successfully
(8) [pap] = ok
(8) } # Auth-Type PAP = ok
(8) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(8) post-auth {
(8) update {
(8) No attributes updated
(8) } # update = noop
(8) [exec] = noop
(8) policy remove_reply_message_if_eap {
(8) if (&reply:EAP-Message && &reply:Reply-Message) {
(8) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(8) else {
(8) [noop] = noop
(8) } # else = noop
(8) } # policy remove_reply_message_if_eap = noop
(8) } # post-auth = noop
(8) Sent Access-Accept Id 74 from 10.0.0.94:1812 to 10.0.5.5:22029 length 0
(8) Finished request
Waking up in 4.9 seconds.
(8) Cleaning up request packet ID 74 with timestamp +504
Ready to process requests
(9) Received Access-Request Id 75 from 10.0.5.5:22029 to 10.0.0.94:1812
length 84
(9) User-Name = "admin"
(9) User-Password = "reflexis1"
(9) NAS-IP-Address = 10.0.5.5
(9) NAS-Port = 75
(9) NAS-Port-Type = Virtual
(9) Cisco-AVPair = "coa-push=true"
(9) # Executing section authorize from file /etc/raddb/sites-enabled/default
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /@\./) {
(9) if (&User-Name =~ /@\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "admin", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) eap: No EAP-Message, not doing EAP
(9) [eap] = noop
(9) [files] = noop
rlm_ldap (ldap): Closing connection (14): Hit idle_timeout, was idle for
160 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (15): Hit idle_timeout, was idle for
160 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase
"spare"
rlm_ldap (ldap): Opening additional connection (16), 1 of 32 pending slots
used
rlm_ldap (ldap): Connecting to ldap://ipa01.test.org:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Reserved connection (16)
(9) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(9) ldap: --> (uid=admin)
(9) ldap: Performing search in "cn=users,cn=accounts,dc=test,dc=org" with
filter "(uid=admin)", scope "sub"
(9) ldap: Waiting for search result...
(9) ldap: User object found at DN
"uid=admin,cn=users,cn=accounts,dc=test,dc=org"
(9) ldap: Processing user attributes
(9) ldap: control:Password-With-Header +=
'{SSHA512}rtaic2+6VABUusn0KrluEZLtSkvcTxH7SVTmJYwYtlgWqp2f2oMYIQ0AuUTrfNEutEVbn794QFmkwinsfMFihn68yrWO+Po3'
rlm_ldap (ldap): Released connection (16)
Need 2 more connections to reach min connections (3)
rlm_ldap (ldap): Opening additional connection (17), 1 of 31 pending slots
used
rlm_ldap (ldap): Connecting to ldap://ipa01.test.org:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(9) [ldap] = updated
(9) [expiration] = noop
(9) [logintime] = noop
(9) pap: Converted: &control:Password-With-Header ->
&control:SSHA2-512-Password
(9) pap: Removing &control:Password-With-Header
(9) pap: Normalizing SSHA2-512-Password from base64 encoding, 96 bytes ->
72 bytes
(9) [pap] = updated
(9) } # authorize = updated
(9) Found Auth-Type = PAP
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) Auth-Type PAP {
(9) pap: Login attempt with password
(9) pap: Comparing with "known-good" SSHA2-512-Password
(9) pap: User authenticated successfully
(9) [pap] = ok
(9) } # Auth-Type PAP = ok
(9) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(9) post-auth {
(9) update {
(9) No attributes updated
(9) } # update = noop
(9) [exec] = noop
(9) policy remove_reply_message_if_eap {
(9) if (&reply:EAP-Message && &reply:Reply-Message) {
(9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(9) else {
(9) [noop] = noop
(9) } # else = noop
(9) } # policy remove_reply_message_if_eap = noop
(9) } # post-auth = noop
(9) Sent Access-Accept Id 75 from 10.0.0.94:1812 to 10.0.5.5:22029 length 0
(9) Finished request
Waking up in 4.9 seconds.
(9) Cleaning up request packet ID 75 with timestamp +664
Ready to process requests
Thanks,
Mohiddin.
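In a radiusd -X trace the reply attributes a NAS acts on are printed between the "Sent Access-Accept" line and "Finished request", and for both users above nothing is printed there, so the firewall receives an accept with no authorization data from RADIUS. The helper below is an added example, not code from the post or from FreeRADIUS: it groups a trace by request number, lists the reply attributes of each accept, and redacts the cleartext User-Password and LDAP password-hash lines that a debug trace exposes before it is shared; the constructed sample adds a request (10) for a made-up "netops" user whose accept does carry a Cisco-AVPair, for contrast.

```python
import re

# Constructed excerpt in the shape of the radiusd -X trace in the post; the
# password and hash values are placeholders, not the ones from the post.
SAMPLE_TRACE = """\
(8) User-Name = "mohiddin"
(8) User-Password = "placeholder-secret"
(8) ldap: control:Password-With-Header += '{SSHA512}PLACEHOLDERHASH'
(8) Sent Access-Accept Id 74 from 10.0.0.94:1812 to 10.0.5.5:22029 length 0
(8) Finished request
(10) User-Name = "netops"
(10) Sent Access-Accept Id 76 from 10.0.0.94:1812 to 10.0.5.5:22029 length 0
(10)   Cisco-AVPair = "shell:priv-lvl=15"
(10) Finished request
"""

LINE_RE = re.compile(r'^\((\d+)\)\s*(.*)$')                 # "(8) ..." request-numbered lines
ATTR_RE = re.compile(r'^([A-Za-z0-9-]+)\s*=\s*"?(.*?)"?$')  # Attribute = "value"

def parse_requests(trace):
    """Group a trace by request number; rlm_ldap pool chatter has no number and is skipped."""
    reqs = {}
    for raw in trace.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        num, body = int(m.group(1)), m.group(2)
        r = reqs.setdefault(num, {'user': None, 'result': None, 'reply_attrs': [], 'in_reply': False})
        if body.startswith('User-Name = '):
            r['user'] = body.split('=', 1)[1].strip().strip('"')
        elif body.startswith('Sent '):               # e.g. "Sent Access-Accept Id 74 ..."
            r['result'], r['in_reply'] = body.split()[1], True
        elif body.startswith('Finished request'):
            r['in_reply'] = False
        elif r['in_reply']:                          # reply attributes are printed after "Sent"
            am = ATTR_RE.match(body)
            if am:
                r['reply_attrs'].append((am.group(1), am.group(2)))
    return reqs

def accepts_without_authorization(reqs):
    """Accepted requests that carried no reply attributes, so the NAS got no authorization data."""
    return sorted(n for n, r in reqs.items() if r['result'] == 'Access-Accept' and not r['reply_attrs'])

def redact(trace):
    """Mask cleartext passwords and LDAP password hashes before a trace is shared."""
    return '\n'.join(
        re.sub(r'''(\+?=\s*)['"].*['"]\s*$''', r'\1"<redacted>"', line)
        if ('User-Password' in line or 'Password-With-Header' in line) else line
        for line in trace.splitlines())
```

Run redact() over a real trace before posting it; the post above still shows a User-Password and a {SSHA512} hash in the clear.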