Credentials differ when proxying
Julien Cochennec
julien.cochennec at ac-orleans-tours.fr
Tue Oct 20 08:26:00 CEST 2020
Ok, thanks a lot Alan, let's do it right then, sorry for missing the
docs, I thought I read it all though.
A is radiusA.domain, IP 172.29.179.49
B is radiusB.domain, IP 172.29.49.89
C is IP 172.29.188.249
1) When I try to connect from A to B:
echo "User-Name=***,User-Password=***" | radclient radiusB.domain:1812 auth ***
Sent Access-Request Id 133 from 0.0.0.0:50763 to 172.29.49.89:1812 length 67
Received Access-Accept Id 133 from 172.29.49.89:1812 to 172.29.179.49:50763 length 20
2) When I try to connect from C to A:
echo "User-Name=***,User-Password=***" | radclient radiusA.domain:1812 auth ***
Sent Access-Request Id 253 from 0.0.0.0:44465 to 172.29.179.49:1812 length 67
Received Access-Reject Id 253 from 172.29.179.49:1812 to 172.29.188.249:44465 length 20
(0) -: Expected Access-Accept got Access-Reject
3) On A in debug mode:
(0) Received Access-Request Id 49 from 172.29.188.249:59565 to 172.29.179.49:1812 length 67
(0) User-Name = "***"
(0) User-Password = "***"
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "***", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [files] = noop
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0) [pap] = noop
(0) } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: -->***
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 49 from 172.29.179.49:1812 to 172.29.188.249:59565 length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 49 with timestamp +3
Ready to process requests
On 19/10/2020 at 17:45, Alan DeKok wrote:
>> On Oct 19, 2020, at 11:39 AM, Julien COCHENNEC <julien.cochennec at ac-orleans-tours.fr> wrote:
>> I have a server A proxying requests to server B (having LDAP enabled), and a client C requesting A.
>>
>> When I try to connect from A to B with radclient it works. Logs say :
>>
>> Login OK: [blabla2] (from client rad1-eee port 0)
> That's good.
>
>> When I try to connect from C to A :
>>
>> Login incorrect (ldap: Bind credentials incorrect: Invalid credentials): [blabla2/?Q?#%?????)[~???dW???ŝ7?g-m?[˵] (from client rad1-eee port 0)
> And that's the same problem people have seen for 20 years.
>
> The shared secret is wrong.
>
>> I don't get why the credentials differ while proxying, which conf file should I check to understand this?
>> Is this part coming from an ldap conf problem or from radiusd.conf problem?
> The password is coming from the client.
>
>> Here's the site-available/default file content :
> Why? *all* of the documentation says to post the output of "radiusd -X". And all of the documentation says "don't post configuration files".
>
> If you run the server in debugging mode as ALL of the documentation says, it will TELL YOU what's wrong.
>
> Alan DeKok.
--
Julien Cochennec
Competence centre - identity management
Email julien.cochennec at ac-orleans-tours.fr
Tel 02 38 83 48 88
DSI - Rectorat d'Orléans-Tours
10 Rue Molière
45000 Orléans
www.ac-orleans-tours.fr
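The symptom Alan points to in the quoted reply (a password that reaches the home server as garbage) follows from how RFC 2865 hides User-Password: the padded password is XORed with an MD5 keystream derived from the shared secret and the Request-Authenticator, with no integrity check. A proxy that holds the wrong secret for its client therefore decrypts garbage and faithfully re-hides that garbage toward the home server, which then fails the LDAP bind. The Python below is an added illustration, not code from the thread or from FreeRADIUS; the secrets, authenticators and the password are constructed sample values, and the function names (`hide_password`, `proxy_forward`, `password_seen_by_home`, `access_request`, `verify_message_authenticator`) are chosen here. It also shows the RFC 3579 Message-Authenticator, which does give the receiver a way to detect a secret mismatch up front.

```python
"""RFC 2865 User-Password hiding as seen by a proxy, plus RFC 3579 Message-Authenticator.

Added illustration for the FreeRADIUS thread; not FreeRADIUS code.
Secrets, authenticators and the password used below are constructed sample values.
"""
import hashlib
import hmac
import struct

BLOCK = 16                  # MD5 digest size; User-Password is hidden in 16-byte blocks
MESSAGE_AUTHENTICATOR = 80  # RFC 3579 attribute type


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: c1 = p1 XOR MD5(S + RA), c_n = p_n XOR MD5(S + c_(n-1))."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request-Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)   # NUL-pad to a block multiple
    out, prev = b"", authenticator
    for i in range(0, len(padded), BLOCK):
        c = _xor(padded[i:i + BLOCK], hashlib.md5(secret + prev).digest())
        out, prev = out + c, c
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password. With the wrong secret this returns garbage, not an error:
    the hiding scheme carries no integrity check, which is exactly the symptom in the thread."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), BLOCK):
        c = hidden[i:i + BLOCK]
        out, prev = out + _xor(c, hashlib.md5(secret + prev).digest()), c
    return out.rstrip(b"\x00")   # drop the padding; RFC passwords cannot end in NUL


def proxy_forward(hidden_from_nas: bytes, nas_authenticator: bytes, secret_for_nas_on_proxy: bytes,
                  secret_for_home: bytes, proxy_authenticator: bytes) -> bytes:
    """What proxy A does with client C's Access-Request: unhide with the secret A has configured
    for C, then re-hide with the secret A shares with home server B. Whatever A recovered is
    forwarded, right or wrong."""
    cleartext = unhide_password(hidden_from_nas, secret_for_nas_on_proxy, nas_authenticator)
    return hide_password(cleartext, secret_for_home, proxy_authenticator)


def password_seen_by_home(password: bytes, secret_nas_uses: bytes, secret_proxy_has_for_nas: bytes,
                          secret_proxy_home: bytes = b"proxy-to-home-secret") -> bytes:
    """End-to-end: C hides the password, A forwards it, B unhides it. Returns what B sees."""
    nas_ra = bytes(range(16))          # constructed; real Request-Authenticators are random
    proxy_ra = bytes(range(16, 32))
    hidden = hide_password(password, secret_nas_uses, nas_ra)
    forwarded = proxy_forward(hidden, nas_ra, secret_proxy_has_for_nas, secret_proxy_home, proxy_ra)
    return unhide_password(forwarded, secret_proxy_home, proxy_ra)


def access_request(ident: int, authenticator: bytes, attrs: list, secret: bytes) -> bytes:
    """Minimal Access-Request (code 1) carrying a Message-Authenticator: HMAC-MD5 with the shared
    secret over the whole packet, computed with the attribute value zeroed (RFC 3579 section 3.2)."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    body += struct.pack("BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    pkt = struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """Walk the attribute list, recompute the HMAC with the MA value zeroed, compare in constant time.
    Returns False when the attribute is absent or malformed, so the check fails closed."""
    pos = 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            return False
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += alen
    return False


if __name__ == "__main__":
    pw = b"blabla2"
    print("secrets match  :", password_seen_by_home(pw, b"secret-on-C", b"secret-on-C"))
    print("secrets differ :", password_seen_by_home(pw, b"secret-on-C", b"different-on-A"))
    req = access_request(49, bytes(range(16)), [(1, pw)], b"secret-on-C")
    print("MA ok with right secret :", verify_message_authenticator(req, b"secret-on-C"))
    print("MA ok with wrong secret :", verify_message_authenticator(req, b"different-on-A"))
```

Running the block prints the cleartext B recovers when A's secret for C matches, and unprintable bytes when it does not; that second line is the `[blabla2/?Q?#%...]` seen in the quoted log. Because User-Password hiding has no integrity check, a mismatch only surfaces downstream as a failed LDAP bind, which is why the thread's debug output never says "wrong secret". With a Message-Authenticator on the request, the receiving server can reject the packet outright; FreeRADIUS exposes this per client as require_message_authenticator in clients.conf.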