PrivacyIDEA 3.2.2 Freeradius Returns 500 Error

Not sure what’s going on here, getting a 500 error response from PrivacyIDEA on a radius request stating “Non-hexadecimal digit found”. Where’d I go wrong, how can I track down the source of the issue? This is on ubuntu server 18.04 running PrivacyIDEA 3.2.2 with Freeradius 3.0. Here’s a pastebin copy of my freeradius debug along with a processed request: https://pastebin.com/raw/F1amkuS4

Side Note: The documentation for this version/plugin could use some updating. Freeradius 3 did some slight syntax and folder structure changes.

  1. What are the clients?
  2. What is the user database?
  3. Did this ever work before?
  4. Did you ever have PI with RADIUS working?

This is a freeRADIUS error, not PI’s

  1. Client, in this case, is the local machine.
  2. I guess this is AD. PrivacyIDEA is configured with an LDAP resolver.
  3. This worked on a different server under PI 3 or 3.1…can’t recall exact version.
  4. Yes.

Reading the issue you linked, it appears that doesn’t apply to my scenario as the problem there relates to mis-formatted presentation of an AP’s MAC address. In the debug output I provided, it appears the realm and username are being properly parsed.

Look, I’m just a user like you are, have nothing to do with PI the company…

My first response was more about ZERO information what your goal is and how you are trying to do it.
Your second answer adds absolutely nothing in this regard…

What does the “local machine is the client” mean?
You trying LDAP (AD) logon using PI? How?

And you are not the first time asking questions…

Seems like you took my answers in the wrong way, I was just answering them. My goal, which I had working before, is to have a Cisco VPN perform radius authentication against the PI server. I’m not sure why that really matters because I’m trying to get the privacyidea-freeradius package to function. I also wouldn’t say I gave zero information, I gave a full debug output of freeradius which includes the parsing of my config files as far as I can see in it and what an authentication attempt looks like from the server side. local machine is relative and not very helpful, I’ll give you that. The client in the associated debug is the server trying to perform authentication on itself…as in an SSH session on the PI server running radclient and attempting authentication.

PI server has an LDAP resolver configured to pull users from an AD instance. The Privacyidea-freeradius package that was installed is the interface between freeradius and PI. Outside of a few configuration settings made on freeradius, there’s not a whole lot to do to make it work. As far as I can tell in the debug, freeradius is configured properly and parsing the username/password out correctly. The problem seems to come into play with the privacyidea-perl module…though I’m not a programmer so I really have zero clue.

This is an interesting turn of events. I switched gears and started working on ADFS integration using the ADFS-PrivacyIDEA provider. When I tried to log into ADFS, it requests my OTP and then says failed login. Windows Event Logs on the ADFS server says that it got an Internal Server Error 500 from the PI server. Looks like something is amiss with PI on my server.

Turned on debug logging in pi.cfg and ran another ADFS authentication request and found this line to be interesting, though I’m not sure if I am reading it correctly.

[privacyidea.lib.utils:1258] PIN prepended. PIN length is 4, OTP length is 4.

I’m using Google Authenticator and have an OTP length of 6…not 4. This would seemingly explain the error I’m getting. Looking at my user self-service policy, PI shouldn’t be setting itself to an OTP of 4:

image
image

Looks like the root cause was a mysql db dump that was restored to PI…probably a version issue bringing a database from a previous version of PI into 3.2.2. I created a new token and everything is processing correctly. Both ADFS integration and RADIUS.

Hi,

I am using latest privacyidea, installed freeradius3.0 and added the client and user in client.conf and users files. But when I am connecting this user and client using privacyidea UI i am getting error like “500 Internal Server Error: The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.”. Please help me on this.
This is my client.conf file:
client 192.168.158.104 {
secret = radiuspass2019
shortname = RADIUS-CONFIG
}
client localhost_ipv6 {
ipv6addr = ::1
secret = testing123
}
This is my users:
ravali Cleartext-Password := “password”
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == “CSLIP”
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == “SLIP”
Framed-Protocol = SLIP

In my privacyidea UI while configuring radius:
Radius

Thanks in advance.

Regards,
Lakshmi Ravali R.

Hello @lakshmiravali_rimmal

welcome to privacyIDEA. I am not sure, what you want to achieve and what you are doing.
But it could be that there is a misunderstanding.

You do not need to configure users in RADIUS to log in to the web UI.

Users are configured in resolvers and realms.

Also. The FreeRADIUS server acts as a client to privacyIDEA. It will forward the authentication request to the privacyIDEA REST API. There is no need to configure RADIUS within the privacyIDEA WebUI. (i.e. your screenshot).
Read more about application plugins and especially FreeRADIUS.

Finally, if you get an internal server error, you should take a look at the webserver logs!
Maybe this information is helpful to track down your issue.