Newbie questions for freeradius

Root, Paul T Paul.Root at CenturyLink.com
Tue Jul 2 23:24:03 CEST 2019


I am looking into using FreeRADIUS here for multiple client setups and I'm learning as I go.

My configuration is CentOS 7 and FreeRADIUS 3.0.13, straight from the CentOS repos.

I have 2 different setups, one using the normal flat files, and one using mysql.

So my first problem: the flat-file machine. It rejects every request, and I have just the most basic example from the FreeRADIUS Beginner's Guide. That is actually written for FreeRADIUS 2.0, so it could be a problem.

All configs are stock, I just created clients.conf

client localhost {
        ipaddr = 127.0.0.1
        secret = testing123
        require_message_authenticator = no
        nastype = other
}

And users

# users file syntax: check items on the first line; reply items on indented
# continuation lines, separated by commas, with no comma after the last one.
# In the stock 3.0 config the files module reads ${modconfdir}/files/authorize
# (upstream ships /etc/raddb/users as a symlink to that file).
"alice" Cleartext-Password := "passme"
        Framed-IP-Address = 192.168.0.65,
        Reply-Message = "Hello, %{User-Name}"


It looks like it isn't finding alice:


Ready to process requests
(0) Received Access-Request Id 109 from 127.0.0.1:50213 to 127.0.0.1:1812 length 75
(0)   User-Name = "alice"
(0)   User-Password = "passme"
(0)   NAS-IP-Address = 127.0.0.1
(0)   NAS-Port = 100
(0)   Message-Authenticator = 0x6a97c763afbc595a33152977c6df6fb7
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "alice", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0)     [files] = noop
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0)     [pap] = noop
(0)   } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> alice
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)     [eap] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 109 from 127.0.0.1:1812 to 127.0.0.1:50213 length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 109 with timestamp +4
Ready to process requests


So does that mean the server isn't seeing the users file? Or do I have to put alice in a group?


The second question.

The MySQL instance is working better. Following the directions from daloRADIUS, I've got it working for users that aren't in User-Groups, with various clients:
radtest locally
radtest on a second system
NTRadPing from a windows 10 box
From a Cisco switch with AAA authentication.

What I need, though, is to authenticate from Cisco (and probably other vendors') machines to a group. There will be groups of NASes that need to authenticate to specific groups inside RADIUS, and maybe multiple groups (one group plus users that aren't in a group would probably be acceptable).

Does that make sense? I don't understand the difference in daloRADIUS between "User-Groups", "Profiles", "HuntGroups", and "Realms".

Thanks,
Paul.


Paul Root
Lead Operations Engineer    - IT Managed Services
390 Commerce Dr
Woodbury, Mn 55125
651-312-5207  paul.root at centurylink.com

This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.


More information about the Freeradius-Users mailing list
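The second question (tying a set of NASes to a user group in the MySQL setup) is usually solved with huntgroups: the preprocess module, which the debug output above shows running before the rest of authorize, sets the request attribute Huntgroup-Name based on which NAS sent the request, and the sql module then matches that attribute as a group check item. The rows below are an added example, not from the original post, from daloRADIUS, or from the FreeRADIUS project. They assume the standard FreeRADIUS 3.0 MySQL tables (radcheck, radusergroup, radgroupcheck, radgroupreply) plus a radhuntgroup table with groupname/nasipaddress/nasportid columns as daloRADIUS and the rlm_sql documentation describe it; the group names, user name, and 192.0.2.x addresses are made up. Huntgroup-Name has to be in the request before sql runs, either from the preprocess module's huntgroups file (mods-config/preprocess/huntgroups in 3.0, one line per NAS such as "access-switches NAS-IP-Address == 192.0.2.10") or by an "update request" in the authorize section, placed before sql, that looks the NAS up in radhuntgroup with a %{sql:...} xlat; which of the two is used is a deployment choice, not something the rows decide.

```sql
-- Added example: restrict a RADIUS user group to a group of NASes.
-- Assumes the stock FreeRADIUS 3.0 MySQL schema plus a daloRADIUS-style
-- radhuntgroup table. All names and addresses are constructed for illustration.

-- 1. Which NASes form the huntgroup "access-switches".
--    Only used if Huntgroup-Name is filled from SQL; with the flat
--    huntgroups file these rows are replaced by one line per NAS there.
INSERT INTO radhuntgroup (groupname, nasipaddress, nasportid) VALUES
  ('access-switches', '192.0.2.10', NULL),
  ('access-switches', '192.0.2.11', NULL);

-- 2. The user group "netadmins" only matches when the request arrived from
--    a NAS in that huntgroup. A group whose check items fail is skipped,
--    and sql moves on to the user's next group by priority.
INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES
  ('netadmins', 'Huntgroup-Name', '==', 'access-switches');

-- 3. Reply attributes for a matching netadmins login on a Cisco device:
--    exec access at privilege level 15.
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES
  ('netadmins', 'Service-Type', ':=', 'NAS-Prompt-User'),
  ('netadmins', 'Cisco-AVPair', ':=', 'shell:priv-lvl=15');

-- 4. Optional catch-all: a lower-priority group with no NAS restriction that
--    rejects the user. It is only reached when every higher-priority group
--    was skipped, so a netadmins user is refused on NASes outside the huntgroup
--    instead of being accepted with just their radcheck/radreply attributes.
INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES
  ('deny-elsewhere', 'Auth-Type', ':=', 'Reject');

-- 5. Per-user password and group membership. Groups are evaluated in
--    ascending priority; after the first matching group, sql stops unless
--    that group's reply contains Fall-Through = Yes.
INSERT INTO radcheck (username, attribute, op, value) VALUES
  ('alice', 'Cleartext-Password', ':=', 'passme');
INSERT INTO radusergroup (username, groupname, priority) VALUES
  ('alice', 'netadmins', 1),
  ('alice', 'deny-elsewhere', 2);
```

With these rows, alice logging in from 192.0.2.10 matches netadmins and gets the Cisco reply attributes; from any other NAS, netadmins is skipped and deny-elsewhere sets Auth-Type := Reject. Users with no radusergroup rows are unaffected and still authenticate against radcheck/radreply alone, which matches the "users that aren't in a group" case mentioned above. Check the behaviour with radiusd -X and look for the Huntgroup-Name value and the sql group evaluation in the authorize output before trusting the rows from a real switch.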