AW: Re: 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR' - FreeRadius

Hi Tony,
Are you running a pip installation or debian wheezy?
Which version of privacyidea are you running?
In certain cases there were problems with the ldap resolver, if the DN contains special characters and is base54 encoded.
Is it openldap or AD?
The Uid type: is it DN or entryUUID?
Kind regards Cornelius

Cornelius Kölbel
Cornelius.koelbel@netknights.it
+49 151 2960 1417
NetKnights GmbH
http://netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Managing Director: Cornelius Kölbel

-------- Original message --------
From: Tony Hawker lil.tud@gmail.com
Date: 21.10.2015 08:59 (GMT+01:00)
To: privacyidea privacyidea@googlegroups.com
Subject: Re: ‘privacyIDEA request failed: 500 INTERNAL SERVER ERROR’ - FreeRadius

Hi

thanks for your quick response to my issue.

I have been watching the privacyidea.log but no entries are made when a connection attempt is made via the radius, which leads me to think that the radius is not able to see the privacyidea API?

I can access the URI in my browser, so I can see that is up.

I see this in the privacyidea.log when I reboot:
[2015-10-21 15:41:28,041][1924][139636199069440][ERROR][privacyidea.lib.resolvers.LDAPIdResolver:333] ‘Traceback (most recent call last):\n File “/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/ LDAPIdResolver.py”, line 328, in getUserList\n user = self._ldap_attributes_to_user_object(attributes)\n File “/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py”, line 246, in _ldap_attributes_to_user_object\n for ldap_k, ldap_v in attributes.items():\nAttributeError: 'NoneType' object has no attribute 'items'\n’
Cheers

On Wednesday, 21 October 2015 17:14:34 UTC+11, Cornelinux K wrote:

Hi Tony,

please do the following:

  1. Take a look into the audit log.
     Within the webui, take a look at what you can see in the request in the Audit tab, the rightmost tab.
     I assume the user does not exist.
     The audit gives you a top-level view of what is happening in privacyidea.

  2. Take a look into the log file privacyidea.log.
     This gives you a detailed view of what is happening.

Kind regards

Cornelius

On Tuesday, 20.10.2015, 17:56 -0700, Tony Hawker wrote:

Hi

I have followed the guide on setting up Privacyidea on CentOS 7 here:

Two-Factor-Authentication with OTP on CentOS 7 – privacyID3A

I can access the webui, register tokens, linked to active directory etc, all tested ok

I am having issues with the radius plugin, when I attempt to make any connection to the radius, either using the test functions described in the link above, or from an external connection, I am seeing the errors below:

]# echo "User-Name=user, User-Password=password" | radclient -sx localhost auth testing123
Sending Access-Request Id 91 from 0.0.0.0:34321 to 127.0.0.1:1812
    User-Name = 'user'
    User-Password = 'password'
Received Access-Reject Id 91 from 127.0.0.1:1812 to 127.0.0.1:34321 length 75
    Reply-Message = 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
(0) -: Expected Access-Accept got Access-Reject
Packet summary:
    Accepted      : 0
    Rejected      : 1
    Lost          : 0
    Passed filter : 0
    Failed filter : 1

and on the radius server I see this:

Received Access-Request Id 111 from 127.0.0.1:35488 to 127.0.0.1:1812 length 44
    User-Name = 'user'
    User-Password = 'password'
(0) Received Access-Request packet from host 127.0.0.1 port 35488, id=111, length=44
(0) User-Name = 'user'
(0) User-Password = 'password'
(0) # Executing section authorize from file /etc/raddb/sites-enabled/privacyidea
(0) authorize {
(0) [preprocess] = ok
(0) [digest] = noop
(0) suffix : Checking for suffix after "@"
(0) suffix : No '@' in User-Name = "user", looking up realm NULL
(0) suffix : No such realm "NULL"
(0) [suffix] = noop
(0) ntdomain : Checking for prefix before ""
(0) ntdomain : No '' in User-Name = "user", looking up realm NULL
(0) ntdomain : No such realm "NULL"
(0) [ntdomain] = noop
(0) [files] = noop
(0) [expiration] = noop
(0) [logintime] = noop
(0) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
(0) WARNING: pap : Authentication will fail unless a "known good" password is available
(0) [pap] = noop
(0) update control {
(0) Auth-Type := Perl
(0) } # update control = noop
(0) } # authorize = ok
(0) Found Auth-Type = Perl
(0) # Executing group from file /etc/raddb/sites-enabled/privacyidea
(0) Auth-Type Perl {
(0) perl : $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'user'
(0) perl : $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'password'
(0) perl : $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '127.0.0.1'
(0) perl : $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Oct 21 2015 11:50:57 AEDT'
(0) perl : $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'Perl'
(0) perl : $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'Perl'
rlm_perl: Config File /etc/freeradius/rlm_perl.ini found!
rlm_perl: Default URL https://127.0.0.1/validate/check
rlm_perl: Looking for config for auth-type Perl
rlm_perl: Auth-Type: Perl
rlm_perl: url: https://127.0.0.1/validate/check
rlm_perl: user sent to privacyidea: user
rlm_perl: realm sent to privacyidea:
rlm_perl: resolver sent to privacyidea:
rlm_perl: client sent to privacyidea: 127.0.0.1
rlm_perl: state sent to privacyidea:
rlm_perl: urlparam client
rlm_perl: urlparam pass
rlm_perl: urlparam user
rlm_perl: Not verifying SSL certificate!
rlm_perl: privacyIDEA request failed: 500 INTERNAL SERVER ERROR
rlm_perl: return RLM_MODULE_FAIL
(0) perl : &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'user'
(0) perl : &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Oct 21 2015 11:50:57 AEDT'
(0) perl : &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'password'
(0) perl : &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '127.0.0.1'
(0) perl : &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
(0) perl : &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl'
(0) [perl] = fail
(0) } # Auth-Type Perl = fail
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) Delaying response for 1 seconds
Waking up in 0.9 seconds.
(0) Sending delayed response
(0) Sending Access-Reject packet to host 127.0.0.1 port 35488, id=111, length=0
(0) Reply-Message = 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
Sending Access-Reject Id 111 from 127.0.0.1:1812 to 127.0.0.1:35488
    Reply-Message = 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 111 with timestamp +7

I don’t think this is just an issue with the user / password, but if anyone can point me in the right direction in what I may have done wrong with either the radius or privacy idea install?

Cheers


Please use the API /validate/check to test authentication.
https://yourserver/validate/check?user=&pass=
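
An added example, not code from this thread or from the privacyIDEA or FreeRADIUS projects: a Python triage of the two log excerpts quoted in the thread, unfolding the escaped traceback in the privacyidea.log record and pulling the failure- and security-relevant facts out of the radiusd debug output. The helper names `parse_pi_record` and `triage_radius_debug` are hypothetical, and the log layouts are assumed to match the lines quoted here.

```python
import re

# Lines copied from the thread (curly quotes and stray spaces normalised).
PI_RECORD = (
    r"[2015-10-21 15:41:28,041][1924][139636199069440][ERROR]"
    r"[privacyidea.lib.resolvers.LDAPIdResolver:333] 'Traceback (most recent call last):\n"
    r' File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py",'
    r" line 328, in getUserList\n user = self._ldap_attributes_to_user_object(attributes)\n"
    r' File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py",'
    r" line 246, in _ldap_attributes_to_user_object\n for ldap_k, ldap_v in attributes.items():\n"
    r"AttributeError: 'NoneType' object has no attribute 'items'\n'"
)
RADIUS_DEBUG = """\
(0) User-Password = 'password'
rlm_perl: url: https://127.0.0.1/validate/check
rlm_perl: Not verifying SSL certificate!
rlm_perl: privacyIDEA request failed: 500 INTERNAL SERVER ERROR
rlm_perl: return RLM_MODULE_FAIL
"""
RECORD = re.compile(r"\[([^\]]+)\]\[\d+\]\[\d+\]\[(\w+)\]\[([\w.]+):\d+\]\s*(.*)", re.S)
FRAME = re.compile(r'File "([^"]+)", line (\d+), in (\w+)')

def parse_pi_record(record):
    """Split one privacyidea.log record and unfold its escaped traceback."""
    m = RECORD.match(record)
    if m is None:
        return None
    timestamp, level, logger, message = m.groups()
    lines = [ln.strip() for ln in message.strip("'").replace("\\n", "\n").splitlines() if ln.strip()]
    frames = [(f.rsplit("/", 1)[-1], int(n), fn) for f, n, fn in FRAME.findall(message)]
    return {"time": timestamp, "level": level, "logger": logger,
            "exception": lines[-1] if lines else "", "frames": frames}

def triage_radius_debug(text):
    """Pull the security- and failure-relevant facts out of radiusd debug output."""
    found = {"tls_verified": True, "password_logged": False, "url": None, "http_status": None}
    for line in text.splitlines():
        if m := re.search(r"rlm_perl: url: (\S+)", line):
            found["url"] = m[1]
        elif "Not verifying SSL certificate" in line:
            found["tls_verified"] = False
        elif m := re.search(r"request failed: (\d{3}) ", line):
            found["http_status"] = int(m[1])  # a status code means an HTTP server answered
        elif re.search(r"User-Password\s*=", line):
            found["password_logged"] = True  # debug output holds cleartext credentials
    return found

if __name__ == "__main__":
    print(parse_pi_record(PI_RECORD), triage_radius_debug(RADIUS_DEBUG), sep="\n")
```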
