LDAP + freeradius is not working properly

ayurlov · September 1, 2017, 2:48pm

Hi all,

I try to implement freeradius + PrivacyIDEA - LDAP chain. There is very interesting situation… I configure otppin:userstore in policy, when I check AD pass+OTP in UI, all is good, authentification succesfull.
If I try this with the same way via freeradius: echo “User-Name=user”, “User-Password=12345123456” | radclient -sx localhost auth password
it not works. Logs are below:

Fri Sep 1 17:14:07 2017 : Info: rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
Fri Sep 1 17:14:07 2017 : Info: rlm_perl: Debugging config: true
Fri Sep 1 17:14:07 2017 : Info: rlm_perl: Default URL https://127.0.0.1/validate/check
Fri Sep 1 17:14:07 2017 : Info: rlm_perl: Looking for config for auth-type Perl
Fri Sep 1 17:14:07 2017 : rlm_perl: RAD_REQUEST: User-Name = user
Fri Sep 1 17:14:07 2017 : rlm_perl: RAD_REQUEST: User-Password = 12345123456
Fri Sep 1 17:14:07 2017 : rlm_perl: RAD_REQUEST: Event-Timestamp = Sep 1 2017 17:14:07 +03
Fri Sep 1 17:14:07 2017 : rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1
Fri Sep 1 17:14:07 2017 : Info: rlm_perl: Auth-Type: Perl
Fri Sep 1 17:14:07 2017 : Info: rlm_perl: url: https://127.0.0.1/validate/check
Fri Sep 1 17:14:07 2017 : Info: rlm_perl: user sent to privacyidea: user
Fri Sep 1 17:14:07 2017 : Info: rlm_perl: realm sent to privacyidea:
Fri Sep 1 17:14:07 2017 : Info: rlm_perl: resolver sent to privacyidea:
Fri Sep 1 17:14:07 2017 : Info: rlm_perl: client sent to privacyidea: 127.0.0.1
Fri Sep 1 17:14:07 2017 : Info: rlm_perl: state sent to privacyidea:
Fri Sep 1 17:14:07 2017 : rlm_perl: urlparam client = 127.0.0.1
Fri Sep 1 17:14:07 2017 : rlm_perl: urlparam pass = 12345123456
Fri Sep 1 17:14:07 2017 : rlm_perl: urlparam user = user
Fri Sep 1 17:14:07 2017 : Info: rlm_perl: Not verifying SSL certificate!
Fri Sep 1 17:14:08 2017 : rlm_perl: Content {“jsonrpc”: “2.0”, “signature”: "…
Fri Sep 1 17:14:08 2017 : Info: rlm_perl: privacyIDEA Result status is true!
Fri Sep 1 17:14:08 2017 : Info: rlm_perl: privacyIDEA access denied
Fri Sep 1 17:14:08 2017 : Info: rlm_perl: return RLM_MODULE_REJECT

BUT!
If I set pin in UI (for example, 54321) and try new pin value to test in UI, “wrong otp pin” is happened, because only AD pin must be in field. Freeradius is working with non AD pin only)):

echo “User-Name=user”, “User-Password=54321123456” | radclient -sx localhost auth password

Fri Sep 1 11:38:09 2017 : Info: rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
Fri Sep 1 11:38:09 2017 : Info: rlm_perl: Debugging config: true
Fri Sep 1 11:38:09 2017 : Info: rlm_perl: Default URL https://127.0.0.1/validate/check
Fri Sep 1 11:38:09 2017 : Info: rlm_perl: Looking for config for auth-type Perl
Fri Sep 1 11:38:09 2017 : rlm_perl: RAD_REQUEST: User-Name = user
Fri Sep 1 11:38:09 2017 : rlm_perl: RAD_REQUEST: User-Password = 54321123456
Fri Sep 1 11:38:09 2017 : rlm_perl: RAD_REQUEST: Event-Timestamp = Sep 1 2017 11:38:09 +03
Fri Sep 1 11:38:09 2017 : rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1
Fri Sep 1 11:38:09 2017 : Info: rlm_perl: Auth-Type: Perl
Fri Sep 1 11:38:09 2017 : Info: rlm_perl: url: https://127.0.0.1/validate/check
Fri Sep 1 11:38:09 2017 : Info: rlm_perl: user sent to privacyidea: user
Fri Sep 1 11:38:09 2017 : Info: rlm_perl: realm sent to privacyidea:
Fri Sep 1 11:38:09 2017 : Info: rlm_perl: resolver sent to privacyidea:
Fri Sep 1 11:38:09 2017 : Info: rlm_perl: client sent to privacyidea: 127.0.0.1
Fri Sep 1 11:38:09 2017 : Info: rlm_perl: state sent to privacyidea:
Fri Sep 1 11:38:09 2017 : rlm_perl: urlparam client = 127.0.0.1
Fri Sep 1 11:38:09 2017 : rlm_perl: urlparam pass = 54321123456
Fri Sep 1 11:38:09 2017 : rlm_perl: urlparam user = user
Fri Sep 1 11:38:09 2017 : Info: rlm_perl: Not verifying SSL certificate!
Fri Sep 1 11:38:09 2017 : rlm_perl: Content {“jsonrpc”: “2.0”, “signature”: "…
Fri Sep 1 11:38:09 2017 : Info: rlm_perl: privacyIDEA access granted
Fri Sep 1 11:38:09 2017 : Info: rlm_perl: Map: user : group -> Class
Fri Sep 1 11:38:09 2017 : Info: rlm_perl: Map: serial -> privacyIDEA-Serial
Fri Sep 1 11:38:09 2017 : Info: rlm_perl: return RLM_MODULE_OK

Do you have any ideas to fix that?

Regards,
Alexander

cornelinux · September 2, 2017, 4:01pm

Hello Alexander,

In the first scenario privacyIDEA directly says, that authentication failed.
You should take a look in to the privacyIDEA audit log or debug log, to drill down the problem.

Kind regards
Cornelius

ayurlov · September 5, 2017, 9:22am

Thanks for your answer!
This is debug log after
echo “User-Name=Tester.Priv”, “User-Password=12345678636667” | radclient -sx localhost auth password

Summary

[2017-09-04 14:47:27,269][101608][140503526901504][DEBUG][privacyidea.lib.policy:503] Policies after matching user: [{‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_pass’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’reset_all_user_tokens’: True, u’otppin’: u’userstore’}, ‘scope’: u’authentication’}]
[2017-09-04 14:47:27,269][101608][140503526901504][DEBUG][privacyidea.lib.policy:503] Policies after matching realm: [{‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_pass’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’reset_all_user_tokens’: True, u’otppin’: u’userstore’}, ‘scope’: u’authentication’}]
[2017-09-04 14:47:27,269][101608][140503526901504][DEBUG][privacyidea.lib.policy:575] Policies after matching client
[2017-09-04 14:47:27,269][101608][140503526901504][DEBUG][privacyidea.lib.policy:197] Exiting get_policies with result []
[2017-09-04 14:47:27,270][101608][140503526901504][DEBUG][privacyidea.lib.policy:197] Exiting get_action_values with result []
[2017-09-04 14:47:27,270][101608][140503526901504][DEBUG][privacyidea.models:378] we got a hashed PIN!
[2017-09-04 14:47:27,270][101608][140503526901504][DEBUG][privacyidea.lib.crypto:188] Entering hash with arguments HIDDEN and keywords HIDDEN
[2017-09-04 14:47:27,270][101608][140503526901504][DEBUG][privacyidea.lib.crypto:251] hash()
[2017-09-04 14:47:27,270][101608][140503526901504][DEBUG][privacyidea.lib.crypto:199] Exiting hash with result HIDDEN
[2017-09-04 14:47:27,271][101608][140503526901504][DEBUG][privacyidea.models:338] hPin: e66d22a285544441e1306bf46422ab62379a6c883065260b3c354eb3b868de6c, pin: 12345678, seed: 147a41fb8e2ef29d12d6d3198a18a7d7
[2017-09-04 14:47:27,271][101608][140503526901504][DEBUG][privacyidea.lib.config:185] Entering get_from_config with arguments () and keywords {‘default’: False, ‘return_bool’: True, ‘key’: ‘IncFailCountOnFalsePin’}
[2017-09-04 14:47:27,271][101608][140503526901504][DEBUG][privacyidea.lib.config:72] The singleton <class ‘privacyidea.lib.config.ConfigClass’> already exists.
[2017-09-04 14:47:27,274][101608][140503526901504][DEBUG][privacyidea.lib.config:197] Exiting get_from_config with result True
[2017-09-04 14:47:27,311][101608][140503526901504][DEBUG][privacyidea.lib.token:197] Exiting check_token_list with result (False, {‘message’: ‘wrong otp pin’})
[2017-09-04 14:47:27,311][101608][140503526901504][DEBUG][privacyidea.lib.token:197] Exiting check_user_pass with result (False, {‘message’: ‘wrong otp pin’})
[2017-09-04 14:47:27,311][101608][140503526901504][DEBUG][privacyidea.lib.policy:185] Entering get_action_values with arguments (<privacyidea.lib.policy.PolicyClass object at 0x7fc97ec4f150>,) and keywords {‘action’: ‘auth_max_success’, ‘scope’: ‘authorization’, ‘client’: ‘127.0.0.1’, ‘realm’: u’ad’, ‘user’: u’Tester.Priv’}
[2017-09-04 14:47:27,312][101608][140503526901504][DEBUG][privacyidea.lib.policy:185] Entering get_policies with arguments (<privacyidea.lib.policy.PolicyClass object at 0x7fc97ec4f150>,) and keywords {‘realm’: u’ad’, ‘active’: True, ‘client’: ‘127.0.0.1’, ‘user’: u’Tester.Priv’, ‘resolver’: None, ‘action’: ‘auth_max_success’, ‘scope’: ‘authorization’, ‘adminrealm’: None}
[2017-09-04 14:47:27,312][101608][140503526901504][DEBUG][privacyidea.lib.policy:469] Policies after matching time: [{‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_user’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’enable’: True, u’enrollEMAIL’: True, u’enrollSMS’: True, u’enrollHOTP’: True, u’disable’: True, u’resync’: True, u’enrollTOTP’: True, u’delete’: True}, ‘scope’: u’user’}, {‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_enroll’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’tokenissuer’: u’Company’, u’tokenlabel’: u’{user}-{serial}’}, ‘scope’: u’enrollment’}, {‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_pass’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’reset_all_user_tokens’: True, u’otppin’: u’userstore’}, ‘scope’: u’authentication’}, {‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_auth’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’setrealm’: u’ad’}, ‘scope’: u’authorization’}]
[2017-09-04 14:47:27,312][101608][140503526901504][DEBUG][privacyidea.lib.policy:479] Policies after matching active: [{‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_user’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’enable’: True, u’enrollEMAIL’: True, u’enrollSMS’: True, u’enrollHOTP’: True, u’disable’: True, u’resync’: True, u’enrollTOTP’: True, u’delete’: True}, ‘scope’: u’user’}, {‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_enroll’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’tokenissuer’: u’Company’, u’tokenlabel’: u’{user}-{serial}’}, ‘scope’: u’enrollment’}, {‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_pass’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’reset_all_user_tokens’: True, u’otppin’: u’userstore’}, ‘scope’: u’authentication’}, {‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_auth’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’setrealm’: u’ad’}, ‘scope’: u’authorization’}]
[2017-09-04 14:47:27,313][101608][140503526901504][DEBUG][privacyidea.lib.policy:479] Policies after matching scope: [{‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_auth’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’setrealm’: u’ad’}, ‘scope’: u’authorization’}]
[2017-09-04 14:47:27,313][101608][140503526901504][DEBUG][privacyidea.lib.policy:503] Policies after matching action: []
[2017-09-04 14:47:27,313][101608][140503526901504][DEBUG][privacyidea.lib.policy:503] Policies after matching user: []
[2017-09-04 14:47:27,313][101608][140503526901504][DEBUG][privacyidea.lib.policy:503] Policies after matching realm: []
[2017-09-04 14:47:27,313][101608][140503526901504][DEBUG][privacyidea.lib.policy:575] Policies after matching client
[2017-09-04 14:47:27,314][101608][140503526901504][DEBUG][privacyidea.lib.policy:197] Exiting get_policies with result []
[2017-09-04 14:47:27,314][101608][140503526901504][DEBUG][privacyidea.lib.policy:197] Exiting get_action_values with result []
[2017-09-04 14:47:27,314][101608][140503526901504][DEBUG][privacyidea.lib.policy:185] Entering get_action_values with arguments (<privacyidea.lib.policy.PolicyClass object at 0x7fc97ec4f150>,) and keywords {‘action’: ‘auth_max_fail’, ‘scope’: ‘authorization’, ‘client’: ‘127.0.0.1’, ‘realm’: u’ad’, ‘user’: u’Tester.Priv’}
[2017-09-04 14:47:27,314][101608][140503526901504][DEBUG][privacyidea.lib.policy:185] Entering get_policies with arguments (<privacyidea.lib.policy.PolicyClass object at 0x7fc97ec4f150>,) and keywords {‘realm’: u’ad’, ‘active’: True, ‘client’: ‘127.0.0.1’, ‘user’: u’Tester.Priv’, ‘resolver’: None, ‘action’: ‘auth_max_fail’, ‘scope’: ‘authorization’, ‘adminrealm’: None}
[2017-09-04 14:47:27,315][101608][140503526901504][DEBUG][privacyidea.lib.policy:469] Policies after matching time: [{‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_user’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’enable’: True, u’enrollEMAIL’: True, u’enrollSMS’: True, u’enrollHOTP’: True, u’disable’: True, u’resync’: True, u’enrollTOTP’: True, u’delete’: True}, ‘scope’: u’user’}, {‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_enroll’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’tokenissuer’: u’Company’, u’tokenlabel’: u’{user}-{serial}’}, ‘scope’: u’enrollment’}, {‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_pass’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’reset_all_user_tokens’: True, u’otppin’: u’userstore’}, ‘scope’: u’authentication’}, {‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_auth’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’setrealm’: u’ad’}, ‘scope’: u’authorization’}]
[2017-09-04 14:47:27,315][101608][140503526901504][DEBUG][privacyidea.lib.policy:479] Policies after matching active: [{‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_user’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’enable’: True, u’enrollEMAIL’: True, u’enrollSMS’: True, u’enrollHOTP’: True, u’disable’: True, u’resync’: True, u’enrollTOTP’: True, u’delete’: True}, ‘scope’: u’user’}, {‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_enroll’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’tokenissuer’: u’Company’, u’tokenlabel’: u’{user}-{serial}’}, ‘scope’: u’enrollment’}, {‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_pass’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’reset_all_user_tokens’: True, u’otppin’: u’userstore’}, ‘scope’: u’authentication’}, {‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_auth’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’setrealm’: u’ad’}, ‘scope’: u’authorization’}]
[2017-09-04 14:47:27,315][101608][140503526901504][DEBUG][privacyidea.lib.policy:479] Policies after matching scope: [{‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_auth’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’setrealm’: u’ad’}, ‘scope’: u’authorization’}]
[2017-09-04 14:47:27,315][101608][140503526901504][DEBUG][privacyidea.lib.policy:503] Policies after matching action: []
[2017-09-04 14:47:27,316][101608][140503526901504][DEBUG][privacyidea.lib.policy:503] Policies after matching user: []
[2017-09-04 14:47:27,316][101608][140503526901504][DEBUG][privacyidea.lib.policy:503] Policies after matching realm: []
[2017-09-04 14:47:27,316][101608][140503526901504][DEBUG][privacyidea.lib.policy:575] Policies after matching client
[2017-09-04 14:47:27,316][101608][140503526901504][DEBUG][privacyidea.lib.policy:197] Exiting get_policies with result []
[2017-09-04 14:47:27,316][101608][140503526901504][DEBUG][privacyidea.lib.policy:197] Exiting get_action_values with result []
[2017-09-04 14:47:27,318][101608][140503526901504][DEBUG][privacyidea.lib.policy:185] Entering get_action_values with arguments (<privacyidea.lib.policy.PolicyClass object at 0x7fc97ec4f150>,) and keywords {‘realm’: u’ad’, ‘client’: ‘127.0.0.1’, ‘user’: u’Tester.Priv’, ‘resolver’: u’AD_resolv’, ‘action’: ‘autoassignment’, ‘scope’: ‘enrollment’}
[2017-09-04 14:47:27,318][101608][140503526901504][DEBUG][privacyidea.lib.policy:185] Entering get_policies with arguments (<privacyidea.lib.policy.PolicyClass object at 0x7fc97ec4f150>,) and keywords {‘realm’: u’ad’, ‘active’: True, ‘client’: ‘127.0.0.1’, ‘user’: u’Tester.Priv’, ‘resolver’: u’AD_resolv’, ‘action’: ‘autoassignment’, ‘scope’: ‘enrollment’, ‘adminrealm’: None}
[2017-09-04 14:47:27,318][101608][140503526901504][DEBUG][privacyidea.lib.policy:479] Policies after matching active: [{‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_user’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’enable’: True, u’enrollEMAIL’: True, u’enrollSMS’: True, u’enrollHOTP’: True, u’disable’: True, u’resync’: True, u’enrollTOTP’: True, u’delete’: True}, ‘scope’: u’user’}, {‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_enroll’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’tokenissuer’: u’Company’, u’tokenlabel’: u’{user}-{serial}’}, ‘scope’: u’enrollment’}, {‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_pass’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’reset_all_user_tokens’: True, u’otppin’: u’userstore’}, ‘scope’: u’authentication’}, {‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_auth’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’setrealm’: u’ad’}, ‘scope’: u’authorization’}]
[2017-09-04 14:47:27,319][101608][140503526901504][DEBUG][privacyidea.lib.policy:479] Policies after matching scope: [{‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_enroll’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’tokenissuer’: u’Company’, u’tokenlabel’: u’{user}-{serial}’}, ‘scope’: u’enrollment’}]
[2017-09-04 14:47:27,319][101608][140503526901504][DEBUG][privacyidea.lib.policy:503] Policies after matching action: []
[2017-09-04 14:47:27,319][101608][140503526901504][DEBUG][privacyidea.lib.policy:503] Policies after matching user: []
[2017-09-04 14:47:27,320][101608][140503526901504][DEBUG][privacyidea.lib.policy:503] Policies after matching realm: []
[2017-09-04 14:47:27,320][101608][140503526901504][DEBUG][privacyidea.lib.policy:538] Policies after matching resolver: []
[2017-09-04 14:47:27,320][101608][140503526901504][DEBUG][privacyidea.lib.policy:575] Policies after matching client
[2017-09-04 14:47:27,320][101608][140503526901504][DEBUG][privacyidea.lib.policy:197] Exiting get_policies with result []
[2017-09-04 14:47:27,321][101608][140503526901504][DEBUG][privacyidea.lib.policy:197] Exiting get_action_values with result []
[2017-09-04 14:47:27,322][101608][140503526901504][DEBUG][privacyidea.lib.policy:479] Policies after matching active: [{‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_user’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’enable’: True, u’enrollEMAIL’: True, u’enrollSMS’: True, u’enrollHOTP’: True, u’disable’: True, u’resync’: True, u’enrollTOTP’: True, u’delete’: True}, ‘scope’: u’user’}, {‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_enroll’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’tokenissuer’: u’Company’, u’tokenlabel’: u’{user}-{serial}’}, ‘scope’: u’enrollment’}, {‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_pass’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’reset_all_user_tokens’: True, u’otppin’: u’userstore’}, ‘scope’: u’authentication’}, {‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_auth’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’setrealm’: u’ad’}, ‘scope’: u’authorization’}]
[2017-09-04 14:47:27,322][101608][140503526901504][DEBUG][privacyidea.lib.policy:479] Policies after matching scope: [{‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_auth’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’setrealm’: u’ad’}, ‘scope’: u’authorization’}]
[2017-09-04 14:47:27,322][101608][140503526901504][DEBUG][privacyidea.lib.policy:503] Policies after matching action: []
[2017-09-04 14:47:27,323][101608][140503526901504][DEBUG][privacyidea.lib.policy:575] Policies after matching client
[2017-09-04 14:47:27,323][101608][140503526901504][DEBUG][privacyidea.lib.policy:197] Exiting get_policies with result []
[2017-09-04 14:47:27,323][101608][140503526901504][DEBUG][privacyidea.lib.policy:197] Exiting get_action_values with result []
[2017-09-04 14:47:27,323][101608][140503526901504][DEBUG][privacyidea.lib.policy:185] Entering get_action_values with arguments (<privacyidea.lib.policy.PolicyClass object at 0x7fc97ec4f150>, ‘tokentype’) and keywords {‘scope’: ‘authorization’, ‘client’: ‘127.0.0.1’, ‘realm’: u’ad’, ‘user’: u’Tester.Priv’, ‘resolver’: u’AD_resolv’}
[2017-09-04 14:47:27,324][101608][140503526901504][DEBUG][privacyidea.lib.policy:185] Entering get_policies with arguments (<privacyidea.lib.policy.PolicyClass object at 0x7fc97ec4f150>,) and keywords {‘realm’: u’ad’, ‘active’: True, ‘client’: ‘127.0.0.1’, ‘user’: u’Tester.Priv’, ‘resolver’: u’AD_resolv’, ‘action’: ‘tokentype’, ‘scope’: ‘authorization’, ‘adminrealm’: None}
[2017-09-04 14:47:27,324][101608][140503526901504][DEBUG][privacyidea.lib.policy:469] Policies after matching time: [{‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_user’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’enable’: True, u’enrollEMAIL’: True, u’enrollSMS’: True, u’enrollHOTP’: True, u’disable’: True, u’resync’: True, u’enrollTOTP’: True, u’delete’: True}, ‘scope’: u’user’}, {‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_enroll’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’tokenissuer’: u’Company’, u’tokenlabel’: u’{user}-{serial}’}, ‘scope’: u’enrollment’}, {‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_pass’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’reset_all_user_tokens’: True, u’otppin’: u’userstore’}, ‘scope’: u’authentication’}, {‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_auth’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’setrealm’: u’ad’}, ‘scope’: u’authorization’}]
[2017-09-04 14:47:27,324][101608][140503526901504][DEBUG][privacyidea.lib.policy:479] Policies after matching active: [{‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_user’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’enable’: True, u’enrollEMAIL’: True, u’enrollSMS’: True, u’enrollHOTP’: True, u’disable’: True, u’resync’: True, u’enrollTOTP’: True, u’delete’: True}, ‘scope’: u’user’}, {‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_enroll’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’tokenissuer’: u’Company’, u’tokenlabel’: u’{user}-{serial}’}, ‘scope’: u’enrollment’}, {‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_pass’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’reset_all_user_tokens’: True, u’otppin’: u’userstore’}, ‘scope’: u’authentication’}, {‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_auth’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’setrealm’: u’ad’}, ‘scope’: u’authorization’}]
[2017-09-04 14:47:27,325][101608][140503526901504][DEBUG][privacyidea.lib.policy:479] Policies after matching scope: [{‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_auth’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’setrealm’: u’ad’}, ‘scope’: u’authorization’}]
[2017-09-04 14:47:27,325][101608][140503526901504][DEBUG][privacyidea.lib.policy:503] Policies after matching action: []
[2017-09-04 14:47:27,325][101608][140503526901504][DEBUG][privacyidea.lib.policy:503] Policies after matching user: []
[2017-09-04 14:47:27,325][101608][140503526901504][DEBUG][privacyidea.lib.policy:503] Policies after matching realm: []
[2017-09-04 14:47:27,325][101608][140503526901504][DEBUG][privacyidea.lib.policy:538] Policies after matching resolver: []
[2017-09-04 14:47:27,326][101608][140503526901504][DEBUG][privacyidea.lib.policy:575] Policies after matching client
[2017-09-04 14:47:27,326][101608][140503526901504][DEBUG][privacyidea.lib.policy:197] Exiting get_policies with result []
[2017-09-04 14:47:27,326][101608][140503526901504][DEBUG][privacyidea.lib.policy:197] Exiting get_action_values with result []
[2017-09-04 14:47:27,326][101608][140503526901504][DEBUG][privacyidea.lib.policy:185] Entering get_policies with arguments (<privacyidea.lib.policy.PolicyClass object at 0x7fc97ec4f150>,) and keywords {‘action’: ‘add_user_in_response’, ‘scope’: ‘authorization’, ‘client’: ‘127.0.0.1’, ‘active’: True}
[2017-09-04 14:47:27,327][101608][140503526901504][DEBUG][privacyidea.lib.policy:469] Policies after matching time: [{‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_user’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’enable’: True, u’enrollEMAIL’: True, u’enrollSMS’: True, u’enrollHOTP’: True, u’disable’: True, u’resync’: True, u’enrollTOTP’: True, u’delete’: True}, ‘scope’: u’user’}, {‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_enroll’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’tokenissuer’: u’Company’, u’tokenlabel’: u’{user}-{serial}’}, ‘scope’: u’enrollment’}, {‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_pass’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’reset_all_user_tokens’: True, u’otppin’: u’userstore’}, ‘scope’: u’authentication’}, {‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_auth’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’setrealm’: u’ad’}, ‘scope’: u’authorization’}]
[2017-09-04 14:47:27,327][101608][140503526901504][DEBUG][privacyidea.lib.policy:479] Policies after matching active: [{‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_user’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’enable’: True, u’enrollEMAIL’: True, u’enrollSMS’: True, u’enrollHOTP’: True, u’disable’: True, u’resync’: True, u’enrollTOTP’: True, u’delete’: True}, ‘scope’: u’user’}, {‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_enroll’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’tokenissuer’: u’Company’, u’tokenlabel’: u’{user}-{serial}’}, ‘scope’: u’enrollment’}, {‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_pass’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’reset_all_user_tokens’: True, u’otppin’: u’userstore’}, ‘scope’: u’authentication’}, {‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_auth’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’setrealm’: u’ad’}, ‘scope’: u’authorization’}]
[2017-09-04 14:47:27,327][101608][140503526901504][DEBUG][privacyidea.lib.policy:479] Policies after matching scope: [{‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_auth’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’setrealm’: u’ad’}, ‘scope’: u’authorization’}]
[2017-09-04 14:47:27,328][101608][140503526901504][DEBUG][privacyidea.lib.policy:503] Policies after matching action: []
[2017-09-04 14:47:27,328][101608][140503526901504][DEBUG][privacyidea.lib.policy:575] Policies after matching client
[2017-09-04 14:47:27,328][101608][140503526901504][DEBUG][privacyidea.lib.policy:197] Exiting get_policies with result []
[2017-09-04 14:47:27,328][101608][140503526901504][DEBUG][privacyidea.lib.policy:185] Entering get_policies with arguments (<privacyidea.lib.policy.PolicyClass object at 0x7fc97ec4f150>,) and keywords {‘action’: ‘no_detail_on_success’, ‘scope’: ‘authorization’, ‘client’: ‘127.0.0.1’, ‘active’: True}
[2017-09-04 14:47:27,329][101608][140503526901504][DEBUG][privacyidea.lib.policy:469] Policies after matching time: [{‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_user’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’enable’: True, u’enrollEMAIL’: True, u’enrollSMS’: True, u’enrollHOTP’: True, u’disable’: True, u’resync’: True, u’enrollTOTP’: True, u’delete’: True}, ‘scope’: u’user’}, {‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_enroll’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’tokenissuer’: u’Company’, u’tokenlabel’: u’{user}-{serial}’}, ‘scope’: u’enrollment’}, {‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_pass’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’reset_all_user_tokens’: True, u’otppin’: u’userstore’}, ‘scope’: u’authentication’}, {‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_auth’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’setrealm’: u’ad’}, ‘scope’: u’authorization’}]
[2017-09-04 14:47:27,329][101608][140503526901504][DEBUG][privacyidea.lib.policy:479] Policies after matching scope: [{‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_auth’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’setrealm’: u’ad’}, ‘scope’: u’authorization’}]
[2017-09-04 14:47:27,329][101608][140503526901504][DEBUG][privacyidea.lib.policy:503] Policies after matching action: []
[2017-09-04 14:47:27,330][101608][140503526901504][DEBUG][privacyidea.lib.policy:575] Policies after matching client
[2017-09-04 14:47:27,330][101608][140503526901504][DEBUG][privacyidea.lib.policy:197] Exiting get_policies with result []
[2017-09-04 14:47:27,330][101608][140503526901504][DEBUG][privacyidea.lib.policy:185] Entering get_policies with arguments (<privacyidea.lib.policy.PolicyClass object at 0x7fc97ec4f150>,) and keywords {‘action’: ‘no_detail_on_fail’, ‘scope’: ‘authorization’, ‘client’: ‘127.0.0.1’, ‘active’: True}
[2017-09-04 14:47:27,331][101608][140503526901504][DEBUG][privacyidea.lib.policy:469] Policies after matching time: [{‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_user’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’enable’: True, u’enrollEMAIL’: True, u’enrollSMS’: True, u’enrollHOTP’: True, u’disable’: True, u’resync’: True, u’enrollTOTP’: True, u’delete’: True}, ‘scope’: u’user’}, {‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_enroll’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’tokenissuer’: u’Company’, u’tokenlabel’: u’{user}-{serial}’}, ‘scope’: u’enrollment’}, {‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_pass’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’reset_all_user_tokens’: True, u’otppin’: u’userstore’}, ‘scope’: u’authentication’}, {‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_auth’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’setrealm’: u’ad’}, ‘scope’: u’authorization’}]
[2017-09-04 14:47:27,331][101608][140503526901504][DEBUG][privacyidea.lib.policy:479] Policies after matching scope: [{‘time’: u’’, ‘user’: [], ‘resolver’: [u’AD_resolv’], ‘active’: True, ‘adminrealm’: [], ‘condition’: 0L, ‘realm’: [u’ad’], ‘name’: u’AD_auth’, ‘client’: [u’10.0.0.0/8’], ‘check_all_resolvers’: False, ‘action’: {u’setrealm’: u’ad’}, ‘scope’: u’authorization’}]
[2017-09-04 14:47:27,331][101608][140503526901504][DEBUG][privacyidea.lib.policy:503] Policies after matching action: []
[2017-09-04 14:47:27,332][101608][140503526901504][DEBUG][privacyidea.lib.policy:575] Policies after matching client
[2017-09-04 14:47:27,332][101608][140503526901504][DEBUG][privacyidea.lib.policy:197] Exiting get_policies with result []
[2017-09-04 14:47:27,393][101608][140503526901504][DEBUG][privacyidea.api.lib.utils:239] Can not get param: No JSON object could be decoded

ayurlov · September 5, 2017, 9:32am

What is message “we got a hashed PIN!” mean? I think server not bind AD to compare password hashs. But ldapresolver can find users, I can assign token to Tester.Priv user from AD, user Tester.Priv can login to UI. I don’t understand why rlm_perl+privacyIDEA work properly with hash pins only and not bind AD hash.

Regards,
Alexander

ayurlov · September 5, 2017, 12:19pm

I solve this problem. Thanks for your help!

Regards,
Alexander

cornelinux · September 6, 2017, 6:34pm

Cool.
Would you care to share?
Or only take?

ayurlov · September 7, 2017, 6:40am

Of course, I want to share user experience and probles. This is a realy great software, as I see after tests.

My problem was connected with ip restriction in authentication policy scope. Parameter “Client” was set to 10.0.0.0/8, but freeradius run like a client with 127.0.0.1. I don’t now how to preserve original NAS-IP-Address from radius forwarder instead it. But I can’t see filter problem in log, the solution was founded by chance.

I’ve noticed some other bugs during tests, but I think to share it in other topic.
My hobby is programming (VC++, now I start python) so I understand all efforts and hard work you do. Maybe, I will be useful at participation.

Regards,
Alexander