Configuration issue at radiusd.conf?

marki jm+freeradiususer at roth.lu
Fri May 14 20:12:45 CEST 2021


Radius sends access-accept so it's ok.

Unless... you care to explain what exactly you are doing, what the expected and actual outcomes are, what the error you are receiving is, etc.

My crystal ball is low on battery.

On May 14, 2021 6:17:03 PM GMT+02:00, Honglak Kim via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>Hello all,
>I am very new to FreeRadius and I am not sure why I can't access the
>network device. It seems something to do with radiusd.conf but I can't
>identify it. Please help.
>This is the debugging message when I ran the test.
>
>(0) Received Access-Request Id 116 from 10.0.254.3:43509 to
>10.192.2.141:1812 length 92
>(0)   User-Name = "hong"
>(0)   User-Password = "test123!"
>(0)   NAS-Port-Id = "ssh"
>(0)   Calling-Station-Id = "ops001.mydomain.com"
>(0)   Service-Type = NAS-Prompt-User
>(0)   NAS-Port = 0
>(0)   NAS-IP-Address = 10.0.254.3
>(0) # Executing section authorize from file
>/etc/raddb/sites-enabled/default
>(0)   authorize {
>(0)     policy filter_username {
>(0)       if (&User-Name) {
>(0)       if (&User-Name)  -> TRUE
>(0)       if (&User-Name)  {
>(0)         if (&User-Name =~ / /) {
>(0)         if (&User-Name =~ / /)  -> FALSE
>(0)         if (&User-Name =~ /@[^@]*@/ ) {
>(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
>(0)         if (&User-Name =~ /\.\./ ) {
>(0)         if (&User-Name =~ /\.\./ )  -> FALSE
>(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) 
>{
>(0)         if ((&User-Name =~ /@/) && (&User-Name !~
>/@(.+)\.(.+)$/))   -> FALSE
>(0)         if (&User-Name =~ /\.$/)  {
>(0)         if (&User-Name =~ /\.$/)   -> FALSE
>(0)         if (&User-Name =~ /@\./)  {
>(0)         if (&User-Name =~ /@\./)   -> FALSE
>(0)       } # if (&User-Name)  = notfound
>(0)     } # policy filter_username = notfound
>(0)     [preprocess] = ok
>(0)     [chap] = noop
>(0)     [mschap] = noop
>(0)     [digest] = noop
>(0) suffix: Checking for suffix after "@"
>(0) suffix: No '@' in User-Name = "hong", looking up realm NULL
>(0) suffix: No such realm "NULL"
>(0)     [suffix] = noop
>(0) eap: No EAP-Message, not doing EAP
>(0)     [eap] = noop
>(0) files: users: Matched entry hong at line 94
>(0)     [files] = ok
>(0)     [expiration] = noop
>(0)     [logintime] = noop
>(0) pap: Normalizing SHA-Password from hex encoding, 40 bytes -> 20
>bytes
>(0)     [pap] = updated
>(0)   } # authorize = updated
>(0) Found Auth-Type = PAP
>(0) # Executing group from file /etc/raddb/sites-enabled/default
>(0)   Auth-Type PAP {
>(0) pap: Login attempt with password
>(0) pap: Comparing with "known-good" SHA-Password
>(0) pap: User authenticated successfully
>(0)     [pap] = ok
>(0)   } # Auth-Type PAP = ok
>(0) # Executing section post-auth from file
>/etc/raddb/sites-enabled/default
>(0)   post-auth {
>(0)     update reply {
>(0)       Juniper-Local-User-Name = "admin"
>(0)       Arista-AVPair = "shell:priv-lvl=15"
>(0)       Arista-AVPair = "shell:roles=network-admin"
>(0)       PaloAlto-Admin-Role = "superuser"
>(0)       PaloAlto-Panorama-Admin-Role = "superuser"
>(0)       PaloAlto-User-Group = "all"
>(0)     } # update reply = noop
>(0)     [exec] = noop
>(0)     policy remove_reply_message_if_eap {
>(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
>(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
>(0)       else {
>(0)         [noop] = noop
>(0)       } # else = noop
>(0)     } # policy remove_reply_message_if_eap = noop
>(0)   } # post-auth = noop
>(0) Sent Access-Accept Id 116 from 10.192.2.141:1812 to
>10.0.254.3:43509 length 0
>(0)   Juniper-Local-User-Name = "admin"
>(0)   Arista-AVPair = "shell:priv-lvl=15"
>(0)   Arista-AVPair = "shell:roles=network-admin"
>(0)   PaloAlto-Admin-Role = "superuser"
>(0)   PaloAlto-Panorama-Admin-Role = "superuser"
>(0)   PaloAlto-User-Group = "all"
>(0) Finished request
>Waking up in 4.9 seconds.
>Waking up in 6.9 seconds.
>(0) Cleaning up request packet ID 116 with timestamp +9
>Thanks, Paul

