PrivacyIDEA 3.2.2 Freeradius Returns 500 Error

Not sure what’s going on here. I’m getting a 500 error response from PrivacyIDEA on a RADIUS request stating “Non-hexadecimal digit found”. Where did I go wrong, and how can I track down the source of the issue? This is on Ubuntu Server 18.04 running PrivacyIDEA 3.2.2 with FreeRADIUS 3.0. Here’s a pastebin copy of my FreeRADIUS debug along with a processed request: https://pastebin.com/raw/F1amkuS4

Side note: The documentation for this version/plugin could use some updating. FreeRADIUS 3 made some slight syntax and folder-structure changes.

  1. What are the clients?
  2. What is the user database?
  3. Did this ever work before?
  4. Did you ever have PI with RADIUS working?

This is a FreeRADIUS error, not PI’s.

  1. Client, in this case, is the local machine.
  2. I guess this is AD. PrivacyIDEA is configured with an LDAP resolver.
  3. This worked on a different server under PI 3 or 3.1… I can’t recall the exact version.
  4. Yes.

Reading the issue you linked, it appears that it doesn’t apply to my scenario, as the problem there relates to a mis-formatted presentation of an AP’s MAC address. In the debug output I provided, it appears the realm and username are being properly parsed.

Look, I’m just a user like you are, and have nothing to do with PI the company…

My first response was more about the ZERO information on what your goal is and how you are trying to do it.
Your second answer adds absolutely nothing in this regard…

What does “the local machine is the client” mean?
Are you trying LDAP (AD) logon using PI? How?

And this is not the first time you are asking questions…

Seems like you took my answers the wrong way; I was just answering them. My goal, which I had working before, is to have a Cisco VPN perform RADIUS authentication against the PI server. I’m not sure why that really matters, because I’m trying to get the privacyidea-freeradius package to function. I also wouldn’t say I gave zero information: I gave a full debug output of FreeRADIUS, which includes the parsing of my config files as far as I can see in it, and what an authentication attempt looks like from the server side. “Local machine” is relative and not very helpful, I’ll give you that. The client in the associated debug is the server trying to perform authentication on itself… as in an SSH session on the PI server running radclient and attempting authentication.

The PI server has an LDAP resolver configured to pull users from an AD instance. The privacyidea-freeradius package that was installed is the interface between FreeRADIUS and PI. Outside of a few configuration settings made on FreeRADIUS, there’s not a whole lot to do to make it work. As far as I can tell in the debug, FreeRADIUS is configured properly and is parsing the username/password out correctly. The problem seems to come into play with the privacyidea-perl module… though I’m not a programmer, so I really have zero clue.

This is an interesting turn of events. I switched gears and started working on ADFS integration using the ADFS-PrivacyIDEA provider. When I tried to log into ADFS, it requested my OTP and then said failed login. The Windows event logs on the ADFS server say that it got an Internal Server Error 500 from the PI server. Looks like something is amiss with PI on my server.

I turned on debug logging in pi.cfg, ran another ADFS authentication request, and found this line to be interesting, though I’m not sure if I am reading it correctly:

[privacyidea.lib.utils:1258] PIN prepended. PIN length is 4, OTP length is 4.

I’m using Google Authenticator and have an OTP length of 6… not 4. This would seemingly explain the error I’m getting. Looking at my user self-service policy, PI shouldn’t be setting itself to an OTP length of 4.


Looks like the root cause was a MySQL DB dump that was restored to PI… probably a version issue from bringing a database from a previous version of PI into 3.2.2. I created a new token and everything is processing correctly, both ADFS integration and RADIUS.
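The debug line quoted above (“PIN prepended. PIN length is 4, OTP length is 4.”) is the clue that made this solvable: with a wrong stored OTP length, the PIN/OTP split lands at the wrong boundary and every correct code is rejected. The following is an added example, not privacyIDEA’s code, that mirrors that split and scans debug log lines for splits whose OTP length disagrees with what the token type should produce; the “appended” message variant and the sample log lines are constructed assumptions.

```python
import re
from typing import List, Tuple

# Matches the privacyIDEA debug message quoted in the thread. The "appended"
# variant is assumed here for tokens configured with the PIN after the OTP.
_SPLIT_RE = re.compile(
    r"PIN (prepended|appended)\. PIN length is (\d+), OTP length is (\d+)\."
)

# Constructed sample log lines (not the pastebin from the original post).
SAMPLE_LOG = """\
[privacyidea.lib.utils:1258] PIN prepended. PIN length is 4, OTP length is 4.
[privacyidea.lib.utils:1258] PIN prepended. PIN length is 4, OTP length is 6.
[privacyidea.lib.token:100] unrelated line, should be ignored
"""


def split_pin_otp(passw: str, otplen: int, prepend_pin: bool) -> Tuple[str, str]:
    """Split a combined PIN+OTP string as the log message describes.

    With the PIN prepended, the last `otplen` characters are the OTP; with it
    appended, the first `otplen` are. If `otplen` is wrong for the token
    (4 instead of 6 in the thread), the boundary lands in the wrong place and
    a correctly typed "1234" + "567890" is checked as PIN "123456", OTP "7890".
    Returns (pin, otp).
    """
    if otplen <= 0 or otplen > len(passw):
        raise ValueError("OTP length must be between 1 and len(passw)")
    if prepend_pin:
        return passw[:-otplen], passw[-otplen:]
    return passw[otplen:], passw[:otplen]


def find_otp_length_mismatches(
    log_text: str, expected_otplen: int
) -> List[Tuple[int, str, int, int]]:
    """Return (line_no, mode, pin_len, otp_len) for every logged split whose
    OTP length differs from the deployed token type (6 for Google Authenticator
    in the thread). A hit points at a token record worth re-enrolling."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = _SPLIT_RE.search(line)
        if m and int(m.group(3)) != expected_otplen:
            findings.append((line_no, m.group(1), int(m.group(2)), int(m.group(3))))
    return findings


if __name__ == "__main__":
    for hit in find_otp_length_mismatches(SAMPLE_LOG, expected_otplen=6):
        print("suspect token configuration:", hit)
```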