privacyIDEA - FreeRADIUS auth not working

Hi, I have a problem with privacyIDEA 3.2.2 (latest from pip) and FreeRADIUS 3 integration on Debian 10.

I installed privacyIDEA using these commands:

apt-get install libjpeg-dev libz-dev python-dev libffi-dev libssl-dev libxslt1-dev libpq-dev python-virtualenv python-setuptools python3-setuptools python-pip python3-pip
virtualenv /opt/privacyidea
cd /opt/privacyidea
source bin/activate
pip install privacyidea
pip install -r lib/privacyidea/requirements.txt
pi-manage create_enckey
pi-manage create_audit_keys
pi-manage createdb
pi-manage admin add admin -e admin@localhost
pi-manage resolver create_internal internal_test
pi-manage runserver

My FreeRADIUS configuration:

apt-get install libconfig-inifiles-perl libdata-dump-perl libtry-tiny-perl libjson-perl libwww-perl libdbi-perl libdbd-mysql-perl libgd-gd2-perl freeradius freeradius-utils
curl -o /opt/privacyidea/privacyidea_radius.pm https://raw.githubusercontent.com/privacyidea/FreeRADIUS/master/privacyidea_radius.pm
echo "DEFAULT Auth-Type := Perl" >> /etc/freeradius/3.0/users

# /etc/freeradius/3.0/mods-enabled/mods-perl-privacyidea
perl perl-privacyidea {
    filename = /opt/privacyidea/privacyidea_radius.pm
}

# /etc/freeradius/3.0/sites-enabled/privacyidea
server {
    authorize {
        #files
        perl-privacyidea
        if (ok || updated) {
            update control {
                Auth-Type := Perl
            }
        }
    }
    authenticate {
        Auth-Type Perl {
            perl-privacyidea
        }
    }
}

# /etc/privacyidea/rlm_perl.ini 
[Default]
URL = https://localhost/validate/check
REALM = defrealm

mkdir -p /etc/privacyidea
ln -s /opt/privacyidea/etc/privacyidea/rlm_perl.ini /etc/privacyidea/

I have a system user “test” with password “pokus” and default realm “defrealm”.
I cannot get Access-Accept from freeradius:

root@ovpn-mfa:/# echo "User-Name=defrealm\\test, User-Password=pokus" | radclient 127.0.0.1 auth testing123 -x
Sent Access-Request Id 16 from 0.0.0.0:36874 to 127.0.0.1:1812 length 52
	User-Name = "defrealm\test"
	User-Password = "pokus"
	Cleartext-Password = "pokus"
Received Access-Reject Id 16 from 127.0.0.1:1812 to 127.0.0.1:36874 length 20
(0) -: Expected Access-Accept got Access-Reject
root@ovpn-mfa:/# 

FreeRADIUS output:

root@ovpn-mfa:/# freeradius -X
...
(0) Received Access-Request Id 31 from 127.0.0.1:49879 to 127.0.0.1:1812 length 52
(0)   User-Name = "defrealm\test"
(0)   User-Password = "pokus"
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "defrealm	est", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) files: users: Matched entry DEFAULT at line 9
(0)     [files] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = Perl
(0) Auth-Type sub-section not found.  Ignoring.
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> defrealm\test
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)     [eap] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 31 from 127.0.0.1:1812 to 127.0.0.1:49879 length 20
Waking up in 3.9 seconds.

What am I doing wrong?

Thanks for help!

Hi,

If you use FreeRADIUS just for authentication against privacyIDEA, it is useful to disable all other sites (that’s what we do for the Ubuntu installation).
From the log file it looks like it is running the default site and fails.

Regards
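The remedy above, as an added example that is not part of the original thread or of privacyIDEA's own scripts: keep only the privacyidea site enabled so the request is no longer handled by sites-enabled/default (the -X output shows that file executing authorize and then "Auth-Type sub-section not found"). It assumes sites are enabled as symlinks from sites-enabled into sites-available and runs against a constructed temporary tree, not /etc/freeradius.

```shell
#!/bin/sh
# Added example, not from the thread. Disables every FreeRADIUS virtual
# server in a sites-enabled directory except the one named in $2.
# Disabled links are moved, not deleted, into a sibling sites-disabled.bak
# directory so the change can be reversed.
disable_other_sites() {
    enabled="$1"; keep="$2"
    backup="$(dirname "$enabled")/sites-disabled.bak"
    mkdir -p "$backup"
    for site in "$enabled"/*; do
        # skip the literal glob when the directory is empty
        [ -e "$site" ] || [ -L "$site" ] || continue
        name="$(basename "$site")"
        if [ "$name" != "$keep" ]; then
            mv "$site" "$backup/$name"
            echo "disabled: $name"
        fi
    done
}

# Names of the sites still enabled, one per line (used to verify the result).
enabled_sites() {
    for site in "$1"/*; do
        [ -e "$site" ] || [ -L "$site" ] || continue
        basename "$site"
    done
}

# Constructed demo tree mimicking /etc/freeradius/3.0 from the thread:
# default and inner-tunnel are enabled by the Debian package, privacyidea
# is the site added for rlm_perl.
demo="$(mktemp -d)"
mkdir -p "$demo/sites-available" "$demo/sites-enabled"
for s in default inner-tunnel privacyidea; do
    : > "$demo/sites-available/$s"
    ln -s "../sites-available/$s" "$demo/sites-enabled/$s"
done

disable_other_sites "$demo/sites-enabled" privacyidea
echo "still enabled: $(enabled_sites "$demo/sites-enabled")"
```

On a real host, point the function at /etc/freeradius/3.0/sites-enabled and then run `freeradius -XC` to check the configuration before restarting the service.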

@plettich Thank you. It works.