PI + FreeRadius

I have the latest Privacy Idea installed with Free Radius.
Configurations look good and all systems start with no issue; however, Free Radius cannot authenticate a test user within itself using the GUI, and the test
echo 'User-Name=realm3\cornelius, User-Password=test' | radclient -s 127.0.0.1 auth test
does not work when using new credentials.
I have two scenarios I need to work out.
1/ I need to authenticate users to a website (WordPress) using Privacy Idea and want the users to be WordPress users or Free Radius users, so the auth could be SAML or RADIUS I suppose.
I need a token to be visible on WordPress and SMS to be sent for auth; SMS will be the default.
2/ General RADIUS user auth for VPN and firewall etc…
I need a token (QR OTP) to be available for users to have a token on their phone.

I have followed all the docs and spent a day setting up.
On Free Radius a clear text password seems to be stored as a hash, but I guess that's normal.

I see Privacy Idea has a GUI config for Radius servers and wonder how this fits in with the standard configuration, which I guess makes Free Radius use Privacy Idea for its users. I realise this is not much to go on, but as it is I am unsure how to proceed, and having looked through all the docs I am none the wiser about where to investigate.

When I do a test of a user in FreeRadius I get the following (this is a user I input into Free Radius):
Received Access-Reject Id 219 from 127.0.0.1:1812 to 0.0.0.0:0 length 86
Reply-Message = "ERR904: The user can not be found in any resolver in this realm!"

I am probably not in your user database!?

And you might not have configured a realm called realm3.
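To tell a RADIUS-side problem apart from a realm/resolver problem, the same credentials can be sent straight to privacyIDEA's /validate/check endpoint and the JSON answer inspected. This is an added example, not part of the original posts: the helper names are hypothetical, the sample bodies are constructed and trimmed, and reading `realm3\cornelius` as realm\user is an assumption about the test command.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample bodies, trimmed to the fields classify() reads.
SAMPLE_ERR904 = ('{"result": {"status": false, "error": {"code": 904, "message": '
                 '"ERR904: The user can not be found in any resolver in this realm!"}}}')
SAMPLE_OK = '{"result": {"status": true, "value": true}}'
SAMPLE_WRONG = '{"result": {"status": true, "value": false}}'


def split_login(login):
    """Assumption: 'realm3\\cornelius' means realm 'realm3', user 'cornelius'."""
    realm, sep, user = login.partition("\\")
    return (user, realm) if sep else (login, "")


def build_request(base_url, login, password):
    """Build the POST for /validate/check; an empty realm is left to the server default."""
    user, realm = split_login(login)
    form = {"user": user, "pass": password}
    if realm:
        form["realm"] = realm
    data = urllib.parse.urlencode(form).encode()
    return urllib.request.Request(base_url.rstrip("/") + "/validate/check", data=data)


def classify(body):
    """Turn a /validate/check JSON body into a short diagnosis."""
    result = json.loads(body).get("result", {})
    if not result.get("status"):
        code = result.get("error", {}).get("code")
        # 904 is a realm/resolver lookup failure inside privacyIDEA, not a RADIUS fault.
        return "user-not-in-realm" if code == 904 else "error-%s" % code
    return "accepted" if result.get("value") else "rejected"


def check(base_url, login, password):
    """Live call. TLS verification stays at urllib's default (enabled)."""
    req = build_request(base_url, login, password)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify(resp.read())
    except urllib.error.HTTPError as err:
        return classify(err.read())  # error statuses can carry the same JSON body
```

If `check()` also reports `user-not-in-realm`, the place to look is the realm and resolver setup in privacyIDEA rather than the FreeRADIUS configuration.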

I have the following setup. The Plesk nginx config looks odd; I have taken your settings and put them in the Nginx directives.
In Plesk I have this config in the site in question. Is this correct?
proxy_pass http://192.168.100.205:3000;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;


I now have this config on the Plesk server

location / {
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $server_name;
    proxy_pass http://192.168.100.205:3000;
}

which is causing no errors and this in the reverse proxy…

location / {
    # redis host:port
    set $privacyidea_redis_host "127.0.0.1";
    set $privacyidea_redis_post 6379;

    # how long are accepted authentication allowed to be cached
    # if expired, the user has to reauthenticate
    set $privacyidea_ttl 900;

    # privacyIDEA realm. leave empty == default
    set $privacyidea_realm ''; # (optional)

    # pointer to the internal validation proxy pass
    set $privacyidea_uri "/privacyidea-validate-check";

    # the salt will be used as key/salt for hashing the password
    set $privacyidea_salt  ^`^|jsjsj ^`^}yysbsbyy66;

    # the http realm presented to the user
    set $privacyidea_http_realm "Secure zone (use PIN + OTP)";

    access_by_lua_file 'privacyidea.lua';
}

# internal pointer to the validation server
# nginx lua support remote calls only via proxy_pass or
# by using direct socket connections
location /privacyidea-validate-check {
    internal;
    # proxy_ssl_verify off;
    proxy_pass https://192.168.100.177/validate/check;
}

which is causing errors…
root@debian:/etc/nginx/sites-available# systemctl restart nginx
Job for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xe" for details.
root@debian:/etc/nginx/sites-available# nginx -t
nginx: the configuration file /opt/bitnami/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /opt/bitnami/nginx/conf/nginx.conf test is successful
root@debian:/etc/nginx/sites-available# syytemctl status nginx
bash: syytemctl: command not found
root@debian:/etc/nginx/sites-available# systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Mon 2022-01-24 14:10:09 UTC; 31s ago
Docs: man:nginx(8)
Process: 4397 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=1/FAILURE)

Jan 24 14:10:09 debian systemd[1]: Starting A high performance web server and a reverse proxy server...
Jan 24 14:10:09 debian nginx[4397]: nginx: [emerg] "location" directive is not allowed here in /etc/nginx/sites-enabled/pi:1
Jan 24 14:10:09 debian nginx[4397]: nginx: configuration file /etc/nginx/nginx.conf test failed
Jan 24 14:10:09 debian systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Jan 24 14:10:09 debian systemd[1]: nginx.service: Failed with result 'exit-code'.
Jan 24 14:10:09 debian systemd[1]: Failed to start A high performance web server and a reverse proxy server.
root@debian:/etc/nginx/sites-available# ls

Am I missing something?

I certainly was missing something and have moved on. Ideally I'd use an nginx reverse proxy, but it seems easier to use WordPress itself -