Central definition of RADIUS servers - Test button

I have been playing around with adding a RADIUS server to use for a pass
through policy and was having quite a bit of trouble. I worked through some
problems with the dictionary files by copying the Freeradius dictionary and
commenting out any includes that were causing errors. After that, I could
not get the “Send test RADIUS request” to work. It would just pop up a
blank red box (no text included) and authentication on my radius server
logs show it was rejected. I knew my radius server was fine as radclient
from the privacyidea server worked perfectly. Finally I was just about to
give up and post here when I wondered if maybe the problem was only with
the test button. Sure enough, a passthrough policy works fine. It is just
the test button that doesn’t seem to work for me. It was helpful in showing
errors for the dictionary problem, but did not actually work for
authentication.

Also, it seems to be a bit picky about the length of the shared secret. I
had a really long one and that wouldn’t work. Shorter ones worked fine.

Just wanted to share in case others were having any trouble.

-Aaron

On Microsoft NPS/IAS there is a “generate shared secret” option that makes
keys that look like this:

Q2RuFq03x2@U&5Wazxkm1@pfedNOz9@$Uysj^tAeK%RvvFnmM#xyO$!EyGgHDYCD

I used one that is 24 characters in length and it worked. I am fine using a
shorter one, but an error that tells you to shorten it would make
troubleshooting easier.

I used nginx, so that must be my problem with the dictionary.

I installed on Ubuntu from the repository as follows:
add-apt-repository ppa:privacyidea/privacyidea
apt-get update
apt-get install python-privacyidea privacyideaadm
apt-get install privacyidea-nginx
apt-get install privacyidea-radius

For the dictionary, I tried leaving the field blank and got the error:

[Errno 2] No such file or directory: ‘/etc/privacyidea/dictinoary’

Note the misspelling “dictinoary” in the error message. I thought I just
needed to type it without the misspelling, but there is not a dictionary
there. So I copied /usr/share/freeradius/dictionary
to /usr/share/freeradius/dictionary.privacyidea and commented out any
vendor lines that caused errors. That has it working now.

-Aaron

On Friday, May 20, 2016 at 10:36:35 AM UTC-7, Cornelius Kölbel wrote:

Hi Aaron,

thanks a lot for the feedback.
Let’s see if we can fix this.

How long should the shared secret be?
The field of the secret is limited to 255 bytes. As the secret is stored
encrypted, it is even shorter.

https://github.com/privacyidea/privacyidea/blob/master/privacyidea/models.py#L1791

You could however change the database schema in your database and change
the length of the column “secret”.

I would like to fix the issue with the dictionary file.
Did you install from the Ubuntu repository?
I am just adding the dictionary file to the privacyidea-apache2 package.

Hm, the test button… :wink:

Kind regards
Cornelius

Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suits your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com.
To post to this group, send email to priva...@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/cf56c2bf-ae22-46c4-91d5-aab1d0034fb4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

Hi Aaron,

I fixed the typo,
added the dictionary file to nginx
and added a check to raise an exception if the RADIUS secret is too
long.

Thanks a lot and
kind regards
Cornelius
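
The length limit discussed in this thread, worked through as an added example (not privacyIDEA's code): why a secret stored encrypted in a 255-character field must be shorter than 255, and a check that fails with a message saying how far to shorten it. The at-rest layout (hex IV, a colon, hex AES-CBC ciphertext with PKCS#7 padding) is an assumption, and `Layout`, `check_secret`, `SecretTooLongError` and `hex_before_encrypt` are hypothetical names.

```python
from dataclasses import dataclass

COLUMN_LIMIT = 255  # size of the "secret" field, as stated in the thread


class SecretTooLongError(ValueError):
    """The encrypted, encoded secret would not fit into the column."""


@dataclass(frozen=True)
class Layout:
    """Assumed at-rest format: hex(IV) + ":" + hex(AES-CBC ciphertext)."""
    iv_bytes: int = 16
    block_bytes: int = 16
    hex_before_encrypt: bool = False  # hypothetical: plaintext hex-encoded first

    def stored_length(self, plain_bytes: int) -> int:
        n = plain_bytes * 2 if self.hex_before_encrypt else plain_bytes
        # PKCS#7 always pads, adding a full block when n is already aligned.
        padded = (n // self.block_bytes + 1) * self.block_bytes
        return 2 * self.iv_bytes + 1 + 2 * padded

    def max_plain_bytes(self, limit: int = COLUMN_LIMIT) -> int:
        """Largest plaintext size whose stored form still fits, or -1."""
        n = -1
        while self.stored_length(n + 1) <= limit:
            n += 1
        return n


def check_secret(secret: str, layout: Layout = Layout(),
                 limit: int = COLUMN_LIMIT) -> int:
    """Return the stored length, or raise with an actionable message."""
    size = len(secret.encode("utf-8"))  # the column holds bytes, not characters
    stored = layout.stored_length(size)
    if stored > limit:
        raise SecretTooLongError(
            f"RADIUS secret is {size} bytes and needs {stored} characters "
            f"once encrypted and hex-encoded; the column holds {limit}. "
            f"Use at most {layout.max_plain_bytes(limit)} bytes.")
    return stored


if __name__ == "__main__":
    for layout in (Layout(), Layout(hex_before_encrypt=True)):
        print(layout, "-> max", layout.max_plain_bytes(), "bytes")
```

Running the check when the server definition is saved surfaces the limit as a readable error at configuration time, before any authentication attempt depends on the stored secret.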