Dear community,
please accept my apologies for the following ingenuous question.
I have installed privacyIDEA 3.4.1 incl. FreeRADIUS and the respective privacyidea_radius.pm module.
Using radclient I can authenticate my users successfully.
My scenario is as follows:
I added a VPN IKEv2 connection to my router with RSA signature for local authentication (using a certificate) and with EAP for remote authentication via Radius.
The VPN client of the road warrior is configured with IKEv2 authentication EAP, the local identity is a Fully Qualified Username with UserName & Password as EAP authentication. In addition to that the client holds a local copy of the Root CA certificate of the aforementioned VPN connection certificate.
Here is the radius output if I try to connect the client:
(1) Received Access-Request Id 40 from 172.17.0.1:65527 to 172.17.0.2:1812 length 123
(1) User-Name = "flhe@domain.internal"
(1) Calling-Station-Id = "80.1.1.2"
(1) NAS-IP-Address = 217.9.6.2
(1) EAP-Message = 0x02a1001d01666c6865406d65696572736572766963652e6f6666696365
(1) Message-Authenticator = 0x916c9e5c3756daa1a354927ecec083df
(1) Service-Type = Login-User
(1) # Executing section authorize from file /etc/raddb/sites-enabled/privacyidea
(1) authorize {
(1) [files] = noop
(1) perl: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'flhe@domain.internal'
(1) perl: $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '217.9.6.2'
(1) perl: $RAD_REQUEST{'Service-Type'} = &request:Service-Type -> 'Login-User'
(1) perl: $RAD_REQUEST{'Calling-Station-Id'} = &request:Calling-Station-Id -> '80.1.1.2'
(1) perl: $RAD_REQUEST{'EAP-Message'} = &request:EAP-Message -> '0x02a1001d01666c6865406d65696572736572766963652e6f6666696365'
(1) perl: $RAD_REQUEST{'Message-Authenticator'} = &request:Message-Authenticator -> '0x916c9e5c3756daa1a354927ecec083df'
(1) perl: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'flhe@domain.internal'
(1) perl: &request:Service-Type = $RAD_REQUEST{'Service-Type'} -> 'Login-User'
(1) perl: &request:Message-Authenticator = $RAD_REQUEST{'Message-Authenticator'} -> '0x916c9e5c3756daa1a354927ecec083df'
(1) perl: &request:EAP-Message = $RAD_REQUEST{'EAP-Message'} -> '0x02a1001d01666c6865406d65696572736572766963652e6f6666696365'
(1) perl: &request:Calling-Station-Id = $RAD_REQUEST{'Calling-Station-Id'} -> '80.1.1.2'
(1) perl: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '217.9.6.2'
(1) [perl] = ok
(1) if (ok || updated) {
(1) if (ok || updated) -> TRUE
(1) if (ok || updated) {
(1) update control {
(1) Auth-Type := Perl
(1) } # update control = noop
(1) } # if (ok || updated) = noop
(1) } # authorize = ok
(1) Found Auth-Type = Perl
(1) # Executing group from file /etc/raddb/sites-enabled/privacyidea
(1) Auth-Type Perl {
(1) perl: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'flhe@domain.internal'
(1) perl: $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '217.9.6.2'
(1) perl: $RAD_REQUEST{'Service-Type'} = &request:Service-Type -> 'Login-User'
(1) perl: $RAD_REQUEST{'Calling-Station-Id'} = &request:Calling-Station-Id -> '80.1.1.2'
(1) perl: $RAD_REQUEST{'EAP-Message'} = &request:EAP-Message -> '0x02a1001d01666c6865406d65696572736572766963652e6f6666696365'
(1) perl: $RAD_REQUEST{'Message-Authenticator'} = &request:Message-Authenticator -> '0x916c9e5c3756daa1a354927ecec083df'
(1) perl: $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'Perl'
(1) perl: $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'Perl'
rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
rlm_perl: Debugging config: true
rlm_perl: Default URL http://10.0.2.100:5000/validate/check
rlm_perl: Looking for config for auth-type Perl
rlm_perl: RAD_REQUEST: User-Name = flhe@domain.internal
rlm_perl: RAD_REQUEST: Service-Type = Login-User
rlm_perl: RAD_REQUEST: Message-Authenticator = 0x916c9e5c3756daa1a354927ecec083df
rlm_perl: RAD_REQUEST: EAP-Message = 0x02a1001d01666c6865406d65696572736572766963652e6f6666696365
rlm_perl: RAD_REQUEST: Calling-Station-Id = 80.1.1.2
rlm_perl: RAD_REQUEST: NAS-IP-Address = 217.9.6.2
rlm_perl: Setting client IP to 217.9.6.2.
rlm_perl: Auth-Type: Perl
rlm_perl: url: http://10.0.2.100:5000/validate/check
rlm_perl: user sent to privacyidea: flhe@domain.internal
rlm_perl: realm sent to privacyidea: domain.internal
rlm_perl: resolver sent to privacyidea:
rlm_perl: client sent to privacyidea: 217.9.6.2
rlm_perl: state sent to privacyidea:
rlm_perl: urlparam user = flhe@domain.internal
rlm_perl: urlparam client = 217.9.6.2
rlm_perl: urlparam realm = domain.internal
rlm_perl: urlparam pass =
rlm_perl: Request timeout: 10
rlm_perl: Not verifying SSL certificate!
rlm_perl: elapsed time for privacyidea call: 1.661939
rlm_perl: Content {"detail": {"message": "wrong otp pin", "threadid": 140248420035360}, "id": 1, "jsonrpc": "2.0", "result": {"status": true, "value": false}, "time": 1614695626.3164053, "version": "privacyIDEA 3.4.1", "versionnumber": "3.4.1", "signature": "rsa_sha256_pss:..."}
rlm_perl: privacyIDEA Result status is true!
rlm_perl: privacyIDEA access denied
rlm_perl: return RLM_MODULE_REJECT
(1) perl: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'flhe@domain.internal'
(1) perl: &request:Service-Type = $RAD_REQUEST{'Service-Type'} -> 'Login-User'
(1) perl: &request:Message-Authenticator = $RAD_REQUEST{'Message-Authenticator'} -> '0x916c9e5c3756daa1a354927ecec083df'
(1) perl: &request:EAP-Message = $RAD_REQUEST{'EAP-Message'} -> '0x02a1001d01666c6865406d65696572736572766963652e6f6666696365'
(1) perl: &request:Calling-Station-Id = $RAD_REQUEST{'Calling-Station-Id'} -> '80.1.1.2'
(1) perl: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '217.9.6.2'
(1) perl: &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'wrong otp pin'
(1) perl: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl'
(1) [perl] = reject
(1) } # Auth-Type Perl = reject
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) Delaying response for 1.000000 seconds
Waking up in 0.9 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 40 from 172.17.0.2:1812 to 172.17.0.1:65527 length 35
(1) Reply-Message = "wrong otp pin"
Waking up in 3.9 seconds.
(1) Cleaning up request packet ID 40 with timestamp +282
Ready to process requests
Given that I see a plain password when using radclient, which is absent in this case, I guess I’m missing the step of somehow extracting the password from the EAP message for the subsequent request to privacyIDEA.
Could you please tell me whether my scenario can be realised or, even better, give me a hint as to which part I’m missing.
Thank you very much in advance.
Best regards,
Florian
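The EAP-Message attribute in a first Access-Request of an EAP conversation is, per RFC 3748, an EAP Response/Identity packet (Code 2, Type 1): its Type-Data is only the identity string the client announced, and no password is present anywhere in that packet. The credential is exchanged in later EAP rounds by an inner method (for example MS-CHAPv2 or GTC, usually inside a TLS tunnel such as TTLS or PEAP), which in FreeRADIUS is driven by the eap module rather than by a single rlm_perl call, so `urlparam pass =` being empty in the debug output above is the expected result of looking for a password in an identity response. The following decoder is an added example for reading such attributes from FreeRADIUS debug output; it is not code from the original post or from the privacyIDEA project, and the sample packet it parses is constructed here for the identity flhe@domain.internal rather than taken from a capture.

```python
"""Decode a RADIUS EAP-Message attribute as FreeRADIUS prints it ("0x....").

Layout per RFC 3748 section 4:
  Code (1 byte) | Identifier (1 byte) | Length (2 bytes, network order) | Type (1 byte) | Type-Data
Success (3) and Failure (4) packets have no Type and no Type-Data.
"""
import struct
from dataclasses import dataclass
from typing import Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             6: "GTC", 13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]   # None for Success/Failure
    type_data: bytes

    @property
    def code_name(self) -> str:
        return EAP_CODES.get(self.code, f"Unknown({self.code})")

    @property
    def type_name(self) -> str:
        if self.eap_type is None:
            return "-"
        return EAP_TYPES.get(self.eap_type, f"Unknown({self.eap_type})")


def parse_eap_message(hex_attr: str) -> EapPacket:
    """Parse one EAP-Message value such as '0x02a1001901...'.

    The Length field is checked against the actual attribute size so that a
    truncated or padded attribute is rejected instead of silently misread.
    """
    value = hex_attr.strip()
    if value.lower().startswith("0x"):
        value = value[2:]
    raw = bytes.fromhex(value)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, identifier, length = struct.unpack("!BBH", raw[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP Code {code}")
    if length != len(raw):
        raise ValueError(f"EAP Length field {length} does not match attribute size {len(raw)}")
    if code in (1, 2):
        if length < 5:
            raise ValueError("EAP Request/Response needs a Type byte")
        return EapPacket(code, identifier, length, raw[4], raw[5:])
    return EapPacket(code, identifier, length, None, b"")


def identity_from_response(pkt: EapPacket) -> Optional[str]:
    """Return the announced identity for a Response/Identity packet, else None.

    This is all a first-round EAP-Message carries: the identity, never a password.
    """
    if pkt.code == 2 and pkt.eap_type == 1:
        return pkt.type_data.decode("utf-8", errors="replace")
    return None


def build_identity_response(identifier: int, identity: str) -> str:
    """Encode an EAP Response/Identity in the '0x...' form FreeRADIUS logs use."""
    data = identity.encode("utf-8")
    header = struct.pack("!BBHB", 2, identifier, 5 + len(data), 1)
    return "0x" + (header + data).hex()


# Constructed sample (not from a real capture): the attribute a NAS would send in
# the very first Access-Request for the user flhe@domain.internal, identifier 0xa1.
SAMPLE_EAP_MESSAGE = "0x02a1001901666c686540646f6d61696e2e696e7465726e616c"

if __name__ == "__main__":
    pkt = parse_eap_message(SAMPLE_EAP_MESSAGE)
    print(f"{pkt.code_name}/{pkt.type_name} id={pkt.identifier} len={pkt.length}")
    print("identity:", identity_from_response(pkt))
```

Running the script against the constructed sample prints `Response/Identity id=161 len=25` followed by the identity; feeding it the EAP-Message values from a FreeRADIUS debug log shows at which EAP round a request is, and therefore whether a password can already exist in it.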