PrivacyIDEA 3.1.2 and Freeradius Module Not Splitting Username

Trying to implement the Freeradius plugin but hitting an issue where the perl module, I think, isn't splitting the domain and username properly. The configuration below is in place, with the debug output of the connection included.

/etc/freeradius/3.0/mods-enabled/perl

perl {
    filename = /usr/share/privacyidea/freeradius/privacyidea_radius.pm
}

/etc/freeradius/3.0/sites-enabled/privacyidea

server {
        authorize {
                #files
                perl
                if (ok || updated) {
                        update control {
                                Auth-Type := Perl
                        }
                }
        }
        listen {
                type = auth
                ipaddr = *
                port = 0
        }
        authenticate {
                Auth-Type Perl {
                        perl
                }
        }
}

/etc/freeradius/3.0/users

DEFAULT Auth-Type := Perl
DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP

/etc/privacyidea/rlm_perl.ini

[Default]
URL = https://mfa1/validate/check
REALM = example
SSL_CHECK = false
DEBUG = true
[Mapping]
serial = privacyIDEA-Serial

[Mapping user]
group = Class

[Attribute Filter-Id]
dir = user
userAttribute = acl
regex = internal
prefix =
suffix =

[Attribute otherAttribute]
radiusAttribute = Filter-Id
userAttribute = user-resolver
regex = internal
prefix = FIXEDValue

[Attribute Class]
userAttribute = user-resolver
regex = internal
prefix = SomeOtherValue

/etc/freeradius/3.0/mods-enabled/realm

realm IPASS {
        format = prefix
        delimiter = "/"
}
realm suffix {
        format = suffix
        delimiter = "@"
}
realm realmpercent {
        format = suffix
        delimiter = "%"
}
realm ntdomain {
        format = prefix
        delimiter = "\\"
}
realm example {
        format = prefix
        delimited = "\\"
}


client side error

root@mfa1:/home/administrator# echo 'User-Name=example\\test, User-Password=uijfjkvbciitegjbe' | radclient -x mfa1 auth testing123
Sent Access-Request Id 105 from 0.0.0.0:44372 to 127.0.0.1:1812 length 68
        User-Name = "example\\test"
        User-Password = "uijfjkvbciitegjbe"
        Cleartext-Password = "uijfjkvbciitegjbe"
Received Access-Reject Id 105 from 127.0.0.1:1812 to 0.0.0.0:0 length 86
        Reply-Message = "ERR904: The user can not be found in any resolver in this realm!"
(0) -: Expected Access-Accept got Access-Reject

Server Debug Output

(0) Received Access-Request Id 105 from 127.0.0.1:44372 to 127.0.0.1:1812 length 68
(0)   User-Name = "example\\test"
(0)   User-Password = "uijfjkvbciitegjbe"
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/privacyidea
(0)   authorize {
(0) perl:   $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'example\test'
(0) perl:   $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'uijfjkvbciitegjbe'
(0) perl: &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'uijfjkvbciitegjbe'
(0) perl: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'example\test'
(0)     [perl] = ok
(0)     if (ok || updated) {
(0)     if (ok || updated)  -> TRUE
(0)     if (ok || updated)  {
(0)       update control {
(0)         Auth-Type := Perl
(0)       } # update control = noop
(0)     } # if (ok || updated)  = noop
(0)   } # authorize = ok
(0) Found Auth-Type = Perl
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/privacyidea
(0)   Auth-Type Perl {
(0) perl:   $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'example\test'
(0) perl:   $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'uijfjkvbciitegjbe'
(0) perl:   $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'Perl'
(0) perl:   $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'Perl'
rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
rlm_perl: Debugging config: true
rlm_perl: Default URL https://mfa1/validate/check
rlm_perl: Looking for config for auth-type Perl
rlm_perl: RAD_REQUEST: User-Password = uijfjkvbciitegjbe
rlm_perl: RAD_REQUEST: User-Name = example\test
rlm_perl: Auth-Type: Perl
rlm_perl: url: https://mfa1/validate/check
rlm_perl: user sent to privacyidea: example\test
rlm_perl: realm sent to privacyidea: example
rlm_perl: resolver sent to privacyidea:
rlm_perl: client sent to privacyidea:
rlm_perl: state sent to privacyidea:
rlm_perl: urlparam realm = example
rlm_perl: urlparam user = example\test
rlm_perl: urlparam pass = uijfjkvbciitegjbe
rlm_perl: Request timeout: 10
rlm_perl: Not verifying SSL certificate!
rlm_perl: elapsed time for privacyidea call: 0.103277
rlm_perl: Content {"jsonrpc": "2.0", "signature": "rsa_sha256_pss:...", "detail": null, "version": "privacyIDEA 3.1.2", "result": {"status": false, "error": {"message": "ERR904: The user can not be found in any resolver in this realm!", "code": 904}}, "time": 1574378561.126907, "id": 1}
rlm_perl: privacyIDEA request failed: 400 BAD REQUEST
rlm_perl: privacyIDEA Result status is false!
rlm_perl: ERR904: The user can not be found in any resolver in this realm!
rlm_perl: privacyIDEA failed to handle the request
rlm_perl: return RLM_MODULE_NOTFOUND
(0) perl: &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'uijfjkvbciitegjbe'
(0) perl: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'example\test'
(0) perl: &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'ERR904: The user can not be found in any resolver in this realm!'
(0) perl: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl'
(0)     [perl] = notfound
(0)   } # Auth-Type Perl = notfound
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) Post-Auth-Type sub-section not found.  Ignoring.
(0) Delaying response for 1.000000 seconds
Waking up in 0.2 seconds.
Waking up in 0.7 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 105 from 127.0.0.1:1812 to 127.0.0.1:44372 length 86
(0)   Reply-Message = "ERR904: The user can not be found in any resolver in this realm!"
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 105 with timestamp +9
Ready to process requests

It is not the duty of the perl module to split the (radius) realm from the username. The perl module simply uses the username from the request.
In contrast, splitting the username is quite a normal task for the proxy module of freeradius.
See https://wiki.freeradius.org/config/Proxy

The default file /etc/freeradius/3.0/sites-enabled/privacyidea does not reference the proxy config.
This would be the place to add it.

I recommend this read; although it refers to FreeRADIUS 2, it helps to understand the basic concepts of FreeRADIUS. https://www.amazon.com/FreeRADIUS-Beginners-Guide-Dirk-Walt-ebook/dp/B005M0F0WQ/

However, you could also use the mangle policy to remove the radius realm within privacyidea.
https://privacyidea.readthedocs.io/en/latest/policies/authentication.html#mangle

Thanks for pointing me in the right direction @cornelinux. I came across something else, not sure if it’s a problem or not. Details on that are at the bottom.

Armed with a slightly better understanding of what’s going on I modified a few files. First, I added a note for future me to recall how the configuration in the realm file works.

# Defines the username formats that will be accepted. Add the realm
# name(s) below into the authorize section of the freeradius
# enabled site.  For example, to use user@domain for a username
# add suffix to the authorize section in your
# freeradius/sites-enabled/<sitename>
#
#
#  'username@realm'
#
realm suffix {
        format = suffix
        delimiter = "@"
}
#
#  'domain\user'
#
realm ntdomain {
        format = prefix
        delimiter = "\\"
}

After that, I moved over to /freeradius/sites-enabled/privacyidea and configured it as shown below.

server {
        authorize {
                preprocess
                perl
                if (ok || updated) {
                        update control {
                                Auth-Type := Perl
                        }
                }
                ntdomain
                upn
                logintime
                expiration
        }
        authenticate {
                Auth-Type Perl {
                        perl
                }
        }
        listen {
                type = auth
                ipaddr = *
                port = 1812
        }
        listen {
                type = acct
                ipaddr = *
                port = 1813
        }
}

Then of course, I verified that my domain was still listed in /freeradius/proxy.conf. A test confirms that the username and domain are properly being split and I can successfully authenticate.

However, while running freeradius in debug, I get the error below. Is this a problem, and what does it mean?

rlm_perl: return RLM_MODULE_OK
(0) perl: &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Nov 22 2019 13:20:25 CST'
(0) perl: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '127.0.0.1'
(0) perl: &request:Realm = $RAD_REQUEST{'Realm'} -> 'example'
(0) perl: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'example\testuser'
(0) perl: &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'ngtivfrg'
(0) perl: &request:Stripped-User-Name = $RAD_REQUEST{'Stripped-User-Name'} -> 'testuser'
------
(0) perl: ERROR: Internal failure creating pair &reply:Class = $RAD_REPLY{'Class'} -> 'undef'
(0) perl: &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'privacyIDEA access granted'
(0) perl: ERROR: Failed to create pair - Unknown name "privacyIDEA-Serial"
(0) perl: ERROR:     &reply:privacyIDEA-Serial = $RAD_REPLY{'privacyIDEA-Serial'} -> 'UBAM11085896_1'
------
(0) perl: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl'
(0)     [perl] = ok
(0)   } # Auth-Type Perl = ok
(0) Sent Access-Accept Id 140 from 127.0.0.1:1812 to 127.0.0.1:56735 length 0
(0)   Reply-Message = "privacyIDEA access granted"
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 140 with timestamp +11
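As an added illustration (not code from this thread, from FreeRADIUS or from privacyIDEA), here is a Python model of what the realm module does to User-Name for the two realm instances kept in the reply above and for the original situation where no realm instance ran at all: it parses a file excerpt constructed from the post, applies the instances in the order they appear in authorize, and accepts only realms that proxy.conf knows. The split rule (first delimiter for prefix, last for suffix), stopping after the first instance that strips the name, and treating an unknown realm as a noop are simplifying assumptions about rlm_realm, not a statement of its exact code.

```python
import re

# Constructed sample in the shape of /etc/freeradius/3.0/mods-enabled/realm,
# limited to the two instances the reply above keeps.
REALM_CONF = r'''realm suffix {
        format = suffix
        delimiter = "@"
}
realm ntdomain {
        format = prefix
        delimiter = "\\"
}
'''

BLOCK_RE = re.compile(r'realm\s+(\S+)\s*\{(.*?)\}', re.S)
ITEM_RE = re.compile(r'(\w+)\s*=\s*"?([^"\n]*?)"?\s*$', re.M)


def parse_realm_conf(text):
    """Map instance name -> (format, delimiter)."""
    realms = {}
    for name, body in BLOCK_RE.findall(text):
        items = dict(ITEM_RE.findall(body))
        # "\\" in the config file denotes a single backslash
        realms[name] = (items['format'], items['delimiter'].replace('\\\\', '\\'))
    return realms


def apply_realm(username, fmt, delim, known_realms):
    """Simplified rlm_realm (assumption): prefix splits at the first delimiter,
    suffix at the last; a realm proxy.conf does not know is left alone (noop)."""
    if fmt == 'prefix':
        realm, sep, user = username.partition(delim)
    else:
        user, sep, realm = username.rpartition(delim)
    if not sep or realm not in known_realms:
        return None
    return {'Stripped-User-Name': user, 'Realm': realm}


def authorize(username, order, realms, known_realms):
    """Run the realm instances listed in authorize in order, stopping at the
    first that strips the name (assumption); {} means nothing was stripped."""
    for name in order:
        fmt, delim = realms[name]
        attrs = apply_realm(username, fmt, delim, known_realms)
        if attrs:
            return attrs
    return {}


def user_sent_to_privacyidea(username, attrs):
    """The perl module prefers Stripped-User-Name, as the second debug log shows."""
    return attrs.get('Stripped-User-Name', username)
```

With an empty authorize order the raw `example\test` reaches privacyIDEA, which is exactly the ERR904 case in the first debug log.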