Hi Tony,
Glad to hear this. It is great if you can write down some notes which might help others.
Please either send a link or we can publish the information with privacyidea.
Thanks a lot and kind regards
Cornelius
Cornelius Kölbel
Cornelius.koelbel@netknights.it
+49 151 2960 1417
NetKnights GmbH
http://netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Managing Director: Cornelius Kölbel
-------- Original message --------
From: Tony Hawker lil.tud@gmail.com
Date: 23.10.2015 05:26 (GMT+01:00)
To: privacyidea privacyidea@googlegroups.com
Subject: Re: Re: Re: 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR' - FreeRadius
Hi Cornelius
We have now resolved this issue. It turned out to be an issue with the VPN community on the firewall; once resolved, everything started working. It's odd that the other auth server was working at all once seeing the issue.
Thanks for your support on this. I may put up some basic how-tos on the Check Point implementation that can complement the guides that are already available in the next few days.
Cheers
On Thursday, 22 October 2015 22:56:13 UTC+11, Tony Hawker wrote:
Thanks Cornelius
Yes, that file exists. It seems to be a default file, with a lot of ##-commented-out bits but no entries.
I entered the settings as specified but still get errors when starting:
/etc/raddb/mods-config/files/authorize[221]: Parse error (check) for entry authorize: Invalid attribute name
Failed reading /etc/raddb/mods-config/files/authorize
/etc/raddb/mods-enabled/files[9]: Instantiation failed for module "files"
On Thursday, 22 October 2015 22:50:13 UTC+11, Cornelinux K wrote:
Hi Tony,
I forgot that you are running on CentOS 7 with FR3.
Did you have a file /etc/raddb/users at all?
In the config you have a
    authorize {
        …
        update control {
            Auth-Type := Perl
        }
    }
which sets the Auth-Type → Perl for all users.
So in this case you might need to add it like this:
    authorize {
        update control {
            Auth-Type := Perl
            Class := AVP
        }
    }
I do not have FreeRADIUS 3 at hand to test this…
Kind regards
Cornelius
On Thursday, 22.10.2015, 09:41 +0200, Cornelius Kölbel wrote:
Hi Tony,
you can edit your file /etc/freeradius/users like this:
    DEFAULT Auth-Type := Perl
        Class = YOUR_GROUP_EXPECTED_BY_CHECKPOINT
This way each user will be authenticated against the perl module a.k.a. privacyIDEA and put into the corresponding group.
Or: You can add the Class AVP that is expected by your checkpoint.
Please note: In the radius request the Class is hex encoded. In the users config file you need to enter a normal ASCII string.
Kind regards
Cornelius
On Thursday, 22.10.2015, 09:23 +0200, Cornelius Kölbel wrote:
Hi Tony,
the Attribute Value Pair Class 25 usually seems to expect some attribute, which the firewall uses to authorize the access or put the user of this request in some control group.
So the question is: Do you have another RADIUS server running at the moment, and what do the requests look like there?
I assume we have to add an attribute of class 25 with the correct value that is expected by your checkpoint configuration.
RFC 2865 - Remote Authentication Dial In User Service (RADIUS)
And additionally I assume that the existing attributes did not make the response fail, but the missing class-25 attribute.
This attribute is usually used for group information.
(http://freeradius.1045715.n5.nabble.com/Reply-with-group-attribute-td2781054.html)
So I guess we need to look at the freeradius side (independent of the privacyIDEA plugin).
We need to investigate
- the successful RADIUS REQUEST with your existing RADIUS server
- the successful RADIUS RESPONSE with your existing RADIUS server
and then configure FreeRADIUS accordingly.
I will try to help you with that.
But maybe at a certain point we might also need to take this to the freeradius list.
Kind regards
Cornelius
On Wednesday, 21.10.2015, 23:52 -0700, Tony Hawker wrote:
Thanks Cornelius
This script still doesn't seem to solve the problem; checkpoint still doesn't like the Access-Accept packets for some reason.
I've had the checkpoint talking to freeradius in the past, so it can work, but it just doesn't see these accept packets for some reason.
On Thursday, 22 October 2015 17:44:43 UTC+11, Cornelinux K wrote:
Hi Tony,
here is a slightly modified script that does not add any additional AVPs into the reply.
It only returns ACCESS_ACCEPT or ACCESS_REJECT.
This script replaces the existing one.
Please restart freeradius and check if checkpoint likes it.
Kind regards
Cornelius
On Wednesday, 21.10.2015, 23:35 -0700, Tony Hawker wrote:
> Hi Cornelius
> Thanks for this info
> Where do I remove that line from? I'm not familiar with this process.
> Do I need to change a config file? Or change some source code and recompile?
> I believe if I could change the message on that line that could also possibly help.
>
> Cheers
>
> On Thursday, 22 October 2015 17:27:55 UTC+11, Cornelinux K wrote:
> Hello Tony,
>
> at the moment there is no way to configure the reply message.
>
> You can remove the RAD_REPLY in the privacyidea perl module.
> https://github.com/privacyidea/privacyidea/blob/master/authmodules/FreeRADIUS/privacyidea_radius.pm#L335
>
> Thus this information will not be added to the reply.
> If this succeeds, please drop me a note or open an issue at github.
> We can then make the reply configurable.
>
> Kind regards
> Cornelius
>
> On Wednesday, 21.10.2015, 17:54 -0700, Tony Hawker wrote:
> > Hi Cornelius
> > Thanks for your help, I almost have this working now. I played around a lot, but I think that ticking the "use @ to separate user and realm" has allowed the radius to pass through the details correctly.
> >
> > I have managed to have my radius client authenticate, and it seems to be sending back the reply message "privacy IDEA access granted" to my firewalls (I am trying to authenticate VPN users).
> >
> > I believe the firewall does not like the response message. I am possibly getting a similar issue to the one described here:
> > https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk107638
> >
> > I have also attached a screen shot of how the packet looks from privacy idea. Do you think that because the reply packet is slightly different it could be causing this problem?
> > Is it possible to change the privacy idea radius accept packet to something generic?
> >
> > Cheers
> >
> > On Wednesday, 21 October 2015 23:59:18 UTC+11, Cornelinux K wrote:
> > Hi,
> >
> > The user can not be found in the resolver.
> >
> > What does the request look like?
> > Is the realm the default realm?
> > What does the DN of the user look like?
> >
> > You might have specified the wrong realm (see default realm).
> >
> > Kind regards
> > Cornelius
> >
> > -------- Original message --------
> > From: Tony Hawker <lil...@gmail.com>
> > Date: 21.10.2015 13:14 (GMT+01:00)
> > To: privacyidea <priva...@googlegroups.com>
> > Subject: Re: Re: 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR' - FreeRadius
> >
> > Hi Cornelius
> > Thanks for your response
> > I am running a PIP installation on CentOS 7.
> > I am running the latest version of privacyIDEA (2.7), updated as per instructions on howtoforge.
> > The user is coming from Active Directory.
> > UID is DN.
> > There are no special characters anywhere in the AD config.
> >
> > Testing using the URL you provided I get the message below when attempting to use an AD user:
> > "version": "privacyIDEA 2.7", "result": {"status": false, "error": {"message": "ERR905: The user can not be found in any resolver in this realm!", "code": -500}}, "time": 1445425459.788956, "id": 1}
> >
> > But if I use the root user (from the privacyidea server) this returns:
> > {"message": "wrong otp pin"}, "versionnumber": "2.7", "version": "privacyIDEA 2.7", "result": {"status": true, "value": false}, "time": 1445425581.107504, "id": 1}
> > I assume the OTP token is out of sync, but this looks much more promising.
> >
> > Any idea on why the AD would not work via this method? As I can see all the users in the webui etc.
> >
> > Cheers
> >
> > On Wednesday, 21 October 2015 21:01:47 UTC+11, Cornelinux K wrote:
> > Hi Tony,
> >
> > Are you running a pip installation or debian wheezy?
> >
> > Which version of privacyidea are you running?
> >
> > In certain cases there were problems with the ldap resolver, if the DN contains special characters and is base64 encoded.
> >
> > Is it openldap or AD?
> >
> > The Uid type: is it DN or entryUUID?
> >
> > Kind regards
> > Cornelius
> >
> > -------- Original message --------
> > From: Tony Hawker <lil...@gmail.com>
> > Date: 21.10.2015 08:59 (GMT+01:00)
> > To: privacyidea <priva...@googlegroups.com>
> > Subject: Re: 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR' - FreeRadius
> >
> > Hi
> > Thanks for your quick response to my issue.
> > I have been watching the privacyidea.log but no entries are made when a connection attempt is made via the radius, which leads me to think that the radius is not able to see the privacyidea API?
> > I can access the URI in my browser, so I can see that it is up.
> >
> > I see this in the privacyidea.log when I reboot:
> >
> > [2015-10-21 15:41:28,041][1924][139636199069440][ERROR][privacyidea.lib.resolvers.LDAPIdResolver:333] 'Traceback (most recent call last):\n File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 328, in getUserList\n user = self._ldap_attributes_to_user_object(attributes)\n File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 246, in _ldap_attributes_to_user_object\n for ldap_k, ldap_v in attributes.items():\nAttributeError: \'NoneType\' object has no attribute \'items\'\n'
> >
> > Cheers
> >
> > On Wednesday, 21 October 2015 17:14:34 UTC+11, Cornelinux K wrote:
> > Hi Tony,
> >
> > please do the following:
> >
> > 1. Take a look into the audit log
> >
> > Within the webui take a look at what you can see in the request in the Audit tab, the right-most tab.
> >
> > I assume the user does not exist.
> >
> > The audit gives you a top-level view of what is happening in privacyidea.
> >
> > 2. Take a look into the log file privacyidea.log.
> > This gives you a detailed view of what is happening.
> >
> > Kind regards
> > Cornelius
> >
> > On Tuesday, 20.10.2015, 17:56 -0700, Tony Hawker wrote:
> > > Hi
> > > I have followed the guide on setting up privacyIDEA on CentOS 7 here:
> > > https://www.privacyidea.org/two-factor-authentication-with-otp-on-centos-7/
> > >
> > > I can access the webui, register tokens, linked to active directory etc, all tested ok.
> > >
> > > I am having issues with the radius plugin. When I attempt to make any connection to the radius, either using the test functions described in the link above, or from an external connection, I am seeing the errors below:
> > >
> > > ]# echo "User-Name=user, User-Password=password" | radclient -sx localhost auth testing123
> > >
> > > Sending Access-Request Id 91 from 0.0.0.0:34321 to 127.0.0.1:1812
> > >     User-Name = 'user'
> > >     User-Password = 'password'
> > > Received Access-Reject Id 91 from 127.0.0.1:1812 to 127.0.0.1:34321 length 75
> > >     Reply-Message = 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
> > > (0) -: Expected Access-Accept got Access-Reject
> > > Packet summary:
> > >     Accepted      : 0
> > >     Rejected      : 1
> > >     Lost          : 0
> > >     Passed filter : 0
> > >     Failed filter : 1
> > >
> > > and on the radius server I see this:
> > >
> > > Received Access-Request Id 111 from 127.0.0.1:35488 to 127.0.0.1:1812 length 44
> > >     User-Name = 'user'
> > >     User-Password = 'password'
> > > (0) Received Access-Request packet from host 127.0.0.1 port 35488, id=111, length=44
> > > (0)   User-Name = 'user'
> > > (0)   User-Password = 'password'
> > > (0) # Executing section authorize from file /etc/raddb/sites-enabled/privacyidea
> > > (0)   authorize {
> > > (0)     [preprocess] = ok
> > > (0)     [digest] = noop
> > > (0)     suffix : Checking for suffix after "@"
> > > (0)     suffix : No '@' in User-Name = "user", looking up realm NULL
> > > (0)     suffix : No such realm "NULL"
> > > (0)     [suffix] = noop
> > > (0)     ntdomain : Checking for prefix before "\"
> > > (0)     ntdomain : No '\' in User-Name = "user", looking up realm NULL
> > > (0)     ntdomain : No such realm "NULL"
> > > (0)     [ntdomain] = noop
> > > (0)     [files] = noop
> > > (0)     [expiration] = noop
> > > (0)     [logintime] = noop
> > > (0)     WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
> > > (0)     WARNING: pap : Authentication will fail unless a "known good" password is available
> > > (0)     [pap] = noop
> > > (0)     update control {
> > > (0)       Auth-Type := Perl
> > > (0)     } # update control = noop
> > > (0)   } # authorize = ok
> > > (0) Found Auth-Type = Perl
> > > (0) # Executing group from file /etc/raddb/sites-enabled/privacyidea
> > > (0)   Auth-Type Perl {
> > > (0)     perl : $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'user'
> > > (0)     perl : $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'password'
> > > (0)     perl : $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '127.0.0.1'
> > > (0)     perl : $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Oct 21 2015 11:50:57 AEDT'
> > > (0)     perl : $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'Perl'
> > > (0)     perl : $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'Perl'
> > > rlm_perl: Config File /etc/freeradius/rlm_perl.ini found!
> > > rlm_perl: Default URL https://127.0.0.1/validate/check
> > > rlm_perl: Looking for config for auth-type Perl
> > > rlm_perl: Auth-Type: Perl
> > > rlm_perl: url: https://127.0.0.1/validate/check
> > > rlm_perl: user sent to privacyidea: user
> > > rlm_perl: realm sent to privacyidea:
> > > rlm_perl: resolver sent to privacyidea:
> > > rlm_perl: client sent to privacyidea: 127.0.0.1
> > > rlm_perl: state sent to privacyidea:
> > > rlm_perl: urlparam client
> > > rlm_perl: urlparam pass
> > > rlm_perl: urlparam user
> > > rlm_perl: Not verifying SSL certificate!
> > > rlm_perl: privacyIDEA request failed: 500 INTERNAL SERVER ERROR
> > > rlm_perl: return RLM_MODULE_FAIL
> > > (0)     perl : &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'user'
> > > (0)     perl : &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Oct 21 2015 11:50:57 AEDT'
> > > (0)     perl : &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'password'
> > > (0)     perl : &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '127.0.0.1'
> > > (0)     perl : &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
> > > (0)     perl : &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl'
> > > (0)     [perl] = fail
> > > (0)   } # Auth-Type Perl = fail
> > > (0) Failed to authenticate the user
> > > (0) Using Post-Auth-Type Reject
> > > (0) Delaying response for 1 seconds
> > > Waking up in 0.9 seconds.
> > > (0) Sending delayed response
> > > (0) Sending Access-Reject packet to host 127.0.0.1 port 35488, id=111, length=0
> > > (0)   Reply-Message = 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
> > > Sending Access-Reject Id 111 from 127.0.0.1:1812 to 127.0.0.1:35488
> > >     Reply-Message = 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
> > > Waking up in 3.9 seconds.
> > > (0) Cleaning up request packet ID 111 with timestamp +7
> > >
> > > I don't think this is just an issue with the user / password, but if anyone can point me in the right direction in what I may have done wrong with either the radius or privacy idea install?
> > >
> > > Cheers
> > >
> > > --
> > > You received this message because you are subscribed to the Google Groups "privacyidea" group.
> > > To unsubscribe from this group and stop receiving emails from it, send an email to privacyidea...@googlegroups.com.
> > > To post to this group, send email to priva...@googlegroups.com.
> > > To view this discussion on the web visit https://groups.google.com/d/msgid/privacyidea/96a156c2-b64d-417d-811a-e152d27c8fd2%40googlegroups.com.
> > > For more options, visit https://groups.google.com/d/optout.
> >
> ...
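The Class attribute (type 25) that the thread settles on, as an added example that is not from this thread or the privacyIDEA project: a small Python encoder and parser for RFC 2865 attribute-value pairs that builds an Access-Accept carrying Class and Reply-Message, computes and verifies the Response Authenticator, and shows why the plain ASCII string written in the users file turns up hex-encoded in a packet dump. The identifier 91 and the shared secret testing123 are taken from the radclient run in the thread; the request authenticator and the group name vpn_users are constructed.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2        # RFC 2865 packet code
ATTR_REPLY_MESSAGE = 18  # the "privacyIDEA access granted" text the firewall was shown
ATTR_CLASS = 25          # the group attribute the firewall expects in the reply

def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """One AVP: Type (1 byte), Length (1 byte, header included), Value (1..253 bytes)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_accept(identifier, request_authenticator, secret, attributes):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(encode_attribute(t, v) for t, v in attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    response_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + response_auth + body

def parse_attributes(packet: bytes) -> list:
    """Walk the AVP list after the 20-byte header, refusing malformed lengths."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("packet length field does not match packet")
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("bad attribute length")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return attrs

def verify_response(packet, request_authenticator, secret) -> bool:
    """Client-side check of the Response Authenticator (constant-time compare)."""
    header, received, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    return hmac.compare_digest(received, expected)

def class_value_hex(packet: bytes) -> str:
    """Class as it appears in a packet dump: hex bytes, not the ASCII from the users file."""
    return "".join(v.hex() for t, v in parse_attributes(packet) if t == ATTR_CLASS)

# Constructed sample: id 91 and secret testing123 come from the radclient run in the
# thread; the request authenticator and the group name vpn_users are made up here.
REQUEST_AUTH = bytes(range(16))
SECRET = b"testing123"
SAMPLE = build_access_accept(91, REQUEST_AUTH, SECRET, [
    (ATTR_CLASS, b"vpn_users"),  # what "Class = vpn_users" in the users file becomes
    (ATTR_REPLY_MESSAGE, b"privacyIDEA access granted"),
])

if __name__ == "__main__":
    print("Class on the wire:", class_value_hex(SAMPLE))  # 76706e5f7573657273
    print("authenticator ok:", verify_response(SAMPLE, REQUEST_AUTH, SECRET))
```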