Hi,
I'm currently testing whether privacyIDEA can replace our RSA SecurID OTP system in the medium term.
But first, we need a smooth migration, as we have tokens in use, or rather, there are a lot of tokens valid until the middle of 2019.
The LDAP resolver (Windows AD) is configured and successfully tested (radtest / radclient), the client (privacyIDEA server) on the RSA system is configured and successfully tested, and FreeRADIUS is installed.
The auth passthru policy is generated.
When I try to test this policy, I get the following output from FreeRADIUS:
root@pricacyidea1:~# echo "User-Name=user@zteservices.eu, Password=xxxxxxxxxx" | radclient -sx localhost auth XXXXXXX
Sending Access-Request of id 51 to 127.0.0.1 port 1812
User-Name = "user@zteservices.eu"
Password = "xxxxxxxxxxxx"
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=51, length=53
Reply-Message = "The user has no tokens assigned"
Total approved auths: 0
Total denied auths: 1
Total lost auths: 0
Testing the RSA RADIUS directly, however, works correctly:
root@pricacyidea1:~# echo "User-Name=user, Password=xxxxxxxxxxxx" | radclient -sx 10.8.224.10 auth XXXXXXXXXX
Sending Access-Request of id 9 to 10.8.224.10 port 1812
User-Name = "user"
Password = "XXXXXXXXXX"
rad_recv: Access-Accept packet from host 10.8.224.10 port 1812, id=9, length=80
Class = 0x53425232434c8c88c9a2aa923542656565645646ddcdf79bcdcaebb0c012800e818c88c9a2aa9191c7dc80808dc1d4
Total approved auths: 1
Total denied auths: 0
Total lost auths: 0
What can I do, or where can I look, to find out where the problem is located?
################################
EDIT:
If I test the RADIUS server configuration with the web frontend, neither localhost nor the RSA RADIUS is successful:
rad_recv: Access-Request packet from host 127.0.0.1 port 42929, id=15, length=61
NAS-Identifier = "privacyIDEA"
User-Name = "user"
User-Password = "OU:\334É\nA7\022\320yF\221\342o"
Executing section authorize from file /etc/freeradius/sites-enabled/privacyidea.save
+group authorize {
++[preprocess] = ok
++[digest] = noop
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[ntdomain] No '\' in User-Name = "user", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] = noop
[files] users: Matched entry DEFAULT at line 1
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = Perl
Executing group from file /etc/freeradius/sites-enabled/privacyidea.save
+group Perl {
rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
rlm_perl: Debugging config:
rlm_perl: Default URL https://localhost/validate/check
rlm_perl: Looking for config for auth-type Perl
rlm_perl: Auth-Type: Perl
rlm_perl: url: https://localhost/validate/check
rlm_perl: user sent to privacyidea: user
rlm_perl: realm sent to privacyidea:
rlm_perl: resolver sent to privacyidea:
rlm_perl: client sent to privacyidea: 127.0.0.1
rlm_perl: state sent to privacyidea:
rlm_perl: urlparam pass
rlm_perl: urlparam client
rlm_perl: urlparam user
rlm_perl: Request timeout: 10
rlm_perl: Not verifying SSL certificate!
rlm_perl: privacyIDEA Result status is true!
rlm_perl: privacyIDEA access denied
rlm_perl: return RLM_MODULE_REJECT
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair User-Password = OU:\304▒?\nH7\0342\240yF\342\011o
rlm_perl: Added pair NAS-Identifier = privacyIDEA
rlm_perl: Added pair User-Name = user
rlm_perl: Added pair Reply-Message = The user has no tokens assigned
rlm_perl: Added pair Auth-Type = Perl
++[perl] = reject
+} # group Perl = reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action.
Delaying reject of request 6 for 1 seconds
Going to the next request
If I test the RSA RADIUS, I get the following in the dashboard authentication activity for that user:
Authentication method failed, passcode format error.
############################################
BR
André