Trying to implement the FreeRADIUS plugin but hitting an issue where the Perl module, I think, isn't splitting the domain and username properly. The configuration below has been done, with the debug output of the connection included.
/etc/freeradius/3.0/mods-enabled/perl
perl {
    filename = /usr/share/privacyidea/freeradius/privacyidea_radius.pm
}
/etc/freeradius/3.0/sites-enabled/privacyidea
server {
    authorize {
        #files
        # Note: no realm instance (e.g. ntdomain) is listed here, so User-Name
        # reaches perl unsplit, which matches the debug output below.
        perl
        if (ok || updated) {
            update control {
                Auth-Type := Perl
            }
        }
    }
    listen {
        type = auth
        ipaddr = *
        port = 0
    }
    authenticate {
        Auth-Type Perl {
            perl
        }
    }
}
/etc/freeradius/3.0/users
DEFAULT Auth-Type := Perl

DEFAULT Framed-Protocol == PPP
    Framed-Protocol = PPP,
    Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
    Framed-Protocol = SLIP,
    Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
    Framed-Protocol = SLIP
/etc/privacyidea/rlm_perl.ini
[Default]
URL = https://mfa1/validate/check
REALM = example
SSL_CHECK = false
DEBUG = true
[Mapping]
serial = privacyIDEA-Serial
[Mapping user]
group = Class
[Attribute Filter-Id]
dir = user
userAttribute = acl
regex = internal
prefix =
suffix =
[Attribute otherAttribute]
radiusAttribute = Filter-Id
userAttribute = user-resolver
regex = internal
prefix = FIXEDValue
[Attribute Class]
userAttribute = user-resolver
regex = internal
prefix = SomeOtherValue
/etc/freeradius/3.0/mods-enabled/realm
realm IPASS {
    format = prefix
    delimiter = "/"
}
realm suffix {
    format = suffix
    delimiter = "@"
}
realm realmpercent {
    format = suffix
    delimiter = "%"
}
realm ntdomain {
    format = prefix
    delimiter = "\\"
}
# Same settings as ntdomain; the key was misspelled "delimited" in the
# original, corrected here to "delimiter".
realm example {
    format = prefix
    delimiter = "\\"
}
Client-side error
root@mfa1:/home/administrator# echo 'User-Name=example\\test, User-Password=uijfjkvbciitegjbe' | radclient -x mfa1 auth testing123
Sent Access-Request Id 105 from 0.0.0.0:44372 to 127.0.0.1:1812 length 68
User-Name = "example\\test"
User-Password = "uijfjkvbciitegjbe"
Cleartext-Password = "uijfjkvbciitegjbe"
Received Access-Reject Id 105 from 127.0.0.1:1812 to 0.0.0.0:0 length 86
Reply-Message = "ERR904: The user can not be found in any resolver in this realm!"
(0) -: Expected Access-Accept got Access-Reject
Server Debug Output
(0) Received Access-Request Id 105 from 127.0.0.1:44372 to 127.0.0.1:1812 length 68
(0) User-Name = "example\\test"
(0) User-Password = "uijfjkvbciitegjbe"
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/privacyidea
(0) authorize {
(0) perl: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'example\test'
(0) perl: $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'uijfjkvbciitegjbe'
(0) perl: &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'uijfjkvbciitegjbe'
(0) perl: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'example\test'
(0) [perl] = ok
(0) if (ok || updated) {
(0) if (ok || updated) -> TRUE
(0) if (ok || updated) {
(0) update control {
(0) Auth-Type := Perl
(0) } # update control = noop
(0) } # if (ok || updated) = noop
(0) } # authorize = ok
(0) Found Auth-Type = Perl
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/privacyidea
(0) Auth-Type Perl {
(0) perl: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'example\test'
(0) perl: $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'uijfjkvbciitegjbe'
(0) perl: $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'Perl'
(0) perl: $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'Perl'
rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
rlm_perl: Debugging config: true
rlm_perl: Default URL https://mfa1/validate/check
rlm_perl: Looking for config for auth-type Perl
rlm_perl: RAD_REQUEST: User-Password = uijfjkvbciitegjbe
rlm_perl: RAD_REQUEST: User-Name = example\test
rlm_perl: Auth-Type: Perl
rlm_perl: url: https://mfa1/validate/check
rlm_perl: user sent to privacyidea: example\test
rlm_perl: realm sent to privacyidea: example
rlm_perl: resolver sent to privacyidea:
rlm_perl: client sent to privacyidea:
rlm_perl: state sent to privacyidea:
rlm_perl: urlparam realm = example
rlm_perl: urlparam user = example\test
rlm_perl: urlparam pass = uijfjkvbciitegjbe
rlm_perl: Request timeout: 10
rlm_perl: Not verifying SSL certificate!
rlm_perl: elapsed time for privacyidea call: 0.103277
rlm_perl: Content {"jsonrpc": "2.0", "signature": "rsa_sha256_pss:...", "detail": null, "version": "privacyIDEA 3.1.2", "result": {"status": false, "error": {"message": "ERR904: The user can not be found in any resolver in this realm!", "code": 904}}, "time": 1574378561.126907, "id": 1}
rlm_perl: privacyIDEA request failed: 400 BAD REQUEST
rlm_perl: privacyIDEA Result status is false!
rlm_perl: ERR904: The user can not be found in any resolver in this realm!
rlm_perl: privacyIDEA failed to handle the request
rlm_perl: return RLM_MODULE_NOTFOUND
(0) perl: &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'uijfjkvbciitegjbe'
(0) perl: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'example\test'
(0) perl: &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'ERR904: The user can not be found in any resolver in this realm!'
(0) perl: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl'
(0) [perl] = notfound
(0) } # Auth-Type Perl = notfound
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) Delaying response for 1.000000 seconds
Waking up in 0.2 seconds.
Waking up in 0.7 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 105 from 127.0.0.1:1812 to 127.0.0.1:44372 length 86
(0) Reply-Message = "ERR904: The user can not be found in any resolver in this realm!"
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 105 with timestamp +9
Ready to process requests
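A worked example of the realm splitting the post is about, added here as an illustration; it is not code from the forum post, FreeRADIUS or the privacyIDEA project. It models the observable behaviour of rlm_realm for the `prefix` and `suffix` formats (prefix formats split at the first delimiter, suffix formats at the last, and a missing delimiter or an unknown realm leaves User-Name untouched with rcode noop), shows why `echo '...example\\test...'` reaches the server as `example\test`, and compares what goes to `/validate/check` with and without realm instances in `authorize`. The set of known realms, the `decode_radclient_escapes` subset, and the assumption that the Perl module prefers `Stripped-User-Name` and `Realm` over the raw User-Name and the `[Default] REALM` are all assumptions of this example, not verified behaviour of the real modules.

```python
# Added worked example (not from the forum post, FreeRADIUS or privacyIDEA):
# an approximation of how rlm_realm splits User-Name for the "prefix" and
# "suffix" formats, plus the shell/radclient quoting that produced 'example\test'.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class RealmInstance:
    """One instance from mods-enabled/realm, e.g. realm ntdomain { ... }."""
    name: str
    fmt: str        # "prefix" or "suffix"
    delimiter: str


# Instances in the same order as the post's mods-enabled/realm file.
INSTANCES = [
    RealmInstance("IPASS", "prefix", "/"),
    RealmInstance("suffix", "suffix", "@"),
    RealmInstance("realmpercent", "suffix", "%"),
    RealmInstance("ntdomain", "prefix", "\\"),
]

# Realms the server knows (in real FreeRADIUS these come from proxy.conf);
# constructed sample set for this example.
KNOWN_REALMS = {"example"}


def decode_radclient_escapes(value: str) -> str:
    """Undo the escapes radclient applies to a quoted attribute value.
    Only backslash-backslash and backslash-quote are handled (a subset,
    assumed sufficient here). Inside single quotes the shell passes the two
    backslashes through untouched, so radclient sees two and sends one."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] in "\\\"":
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def split_realm(user_name: str, inst: RealmInstance,
                known_realms=KNOWN_REALMS) -> Tuple[str, Optional[str], str]:
    """Return (stripped_user, realm, rcode). Assumed rlm_realm semantics:
    prefix formats split at the first delimiter, suffix formats at the last;
    no delimiter or an unknown realm yields noop and leaves User-Name alone."""
    if inst.fmt == "prefix":
        idx = user_name.find(inst.delimiter)
        if idx < 0:
            return user_name, None, "noop"
        realm, user = user_name[:idx], user_name[idx + len(inst.delimiter):]
    elif inst.fmt == "suffix":
        idx = user_name.rfind(inst.delimiter)
        if idx < 0:
            return user_name, None, "noop"
        user, realm = user_name[:idx], user_name[idx + len(inst.delimiter):]
    else:
        raise ValueError(f"unknown format {inst.fmt!r}")
    if realm not in known_realms:
        return user_name, None, "noop"   # rlm_realm: "No such realm"
    return user, realm, "ok"


def authorize(request: dict, instances=INSTANCES) -> dict:
    """Run the realm instances the way listing them in authorize { } before
    perl would: the first instance that matches sets Stripped-User-Name and
    Realm on the request (a copy; the input dict is not modified)."""
    req = dict(request)
    for inst in instances:
        user, realm, rcode = split_realm(req["User-Name"], inst)
        if rcode == "ok":
            req["Stripped-User-Name"] = user
            req["Realm"] = realm
            break
    return req


def privacyidea_params(request: dict, default_realm: str) -> dict:
    """Pick what goes into /validate/check. Assumption for this example: the
    stripped name and realm are preferred when present, otherwise the raw
    User-Name and the [Default] REALM from rlm_perl.ini, which is exactly the
    unsplit 'example\\test' + realm 'example' seen in the post's debug log."""
    return {
        "user": request.get("Stripped-User-Name", request["User-Name"]),
        "realm": request.get("Realm", default_realm),
    }


if __name__ == "__main__":
    on_wire = decode_radclient_escapes(r"example\\test")  # what echo '...' handed to radclient
    print(repr(on_wire))
    req = {"User-Name": on_wire, "User-Password": "constructed-otp"}
    print(privacyidea_params(req, "example"))              # unsplit, as in the post
    print(privacyidea_params(authorize(req), "example"))   # with realm instances in authorize
```

Running it shows the two outcomes side by side: without a realm instance in `authorize` the request carries `user=example\test`, which is the string privacyIDEA rejects with ERR904 in the log above; once `ntdomain` has run, the request carries `user=test` and `realm=example`.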