Hi, I have a problem with privacyIDEA 3.2.2 (latest from pip) and FreeRADIUS 3 integration on Debian 10.
I installed privacyIDEA using these commands:
apt-get install libjpeg-dev libz-dev python-dev libffi-dev libssl-dev libxslt1-dev libpq-dev python-virtualenv python-setuptools python3-setuptools python-pip python3-pip
virtualenv /opt/privacyidea
cd /opt/privacyidea
source bin/activate
pip install privacyidea
pip install -r lib/privacyidea/requirements.txt
pi-manage create_enckey
pi-manage create_audit_keys
pi-manage createdb
pi-manage admin add admin -e admin@localhost
pi-manage resolver create_internal internal_test
pi-manage runserver
My FreeRADIUS configuration:
apt-get install libconfig-inifiles-perl libdata-dump-perl libtry-tiny-perl libjson-perl libwww-perl libdbi-perl libdbd-mysql-perl libgd-gd2-perl freeradius freeradius-utils
curl -o /opt/privacyidea/privacyidea_radius.pm https://raw.githubusercontent.com/privacyidea/FreeRADIUS/master/privacyidea_radius.pm
echo "DEFAULT Auth-Type := Perl" >> /etc/freeradius/3.0/users
# /etc/freeradius/3.0/mods-enabled/mods-perl-privacyidea
perl perl-privacyidea {
    filename = /opt/privacyidea/privacyidea_radius.pm
}
# /etc/freeradius/3.0/sites-enabled/privacyidea
server {
    authorize {
        #files
        perl-privacyidea
        if (ok || updated) {
            update control {
                Auth-Type := Perl
            }
        }
    }
    authenticate {
        Auth-Type Perl {
            perl-privacyidea
        }
    }
}
# /etc/privacyidea/rlm_perl.ini
[Default]
URL = https://localhost/validate/check
REALM = defrealm
mkdir -p /etc/privacyidea
ln -s /opt/privacyidea/etc/privacyidea/rlm_perl.ini /etc/privacyidea/
I have system user “test” with password “pokus” and default realm “defrealm”.
I cannot get Access-Accept from freeradius:
root@ovpn-mfa:/# echo "User-Name=defrealm\\test, User-Password=pokus" | radclient 127.0.0.1 auth testing123 -x
Sent Access-Request Id 16 from 0.0.0.0:36874 to 127.0.0.1:1812 length 52
User-Name = "defrealm\test"
User-Password = "pokus"
Cleartext-Password = "pokus"
Received Access-Reject Id 16 from 127.0.0.1:1812 to 127.0.0.1:36874 length 20
(0) -: Expected Access-Accept got Access-Reject
root@ovpn-mfa:/#
FreeRADIUS output:
root@ovpn-mfa:/# freeradius -X
...
(0) Received Access-Request Id 31 from 127.0.0.1:49879 to 127.0.0.1:1812 length 52
(0) User-Name = "defrealm\test"
(0) User-Password = "pokus"
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "defrealm est", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: users: Matched entry DEFAULT at line 9
(0) [files] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = Perl
(0) Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> defrealm\test
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 31 from 127.0.0.1:1812 to 127.0.0.1:49879 length 20
Waking up in 3.9 seconds.
What am I doing wrong?
Thanks for help!
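The `freeradius -X` trace above already contains the two lines that explain the reject: `authorize` was executed from `sites-enabled/default`, not from the `privacyidea` site, and after `Found Auth-Type = Perl` FreeRADIUS reports `Auth-Type sub-section not found`, because the site that actually handled the packet has no `Auth-Type Perl` block in its `authenticate` section and never called `perl-privacyidea` in `authorize`. The following checker is an added example, not code from the post, from privacyIDEA or from the FreeRADIUS project: it parses a debug trace per request id, records which site file ran each section, which module instances ran and with what return code, the selected Auth-Type, whether its sub-section was found, and the packet type sent back, then reports the mismatches. `SAMPLE_TRACE` is trimmed from the post's output; `GOOD_TRACE`, the expected module name `perl-privacyidea` and the expected site path are constructed assumptions based on the configuration in the post, not something FreeRADIUS ships with.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the relevant lines of the `freeradius -X` trace from the post.
SAMPLE_TRACE = r"""
(0) Received Access-Request Id 31 from 127.0.0.1:49879 to 127.0.0.1:1812 length 52
(0)   User-Name = "defrealm\test"
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     [preprocess] = ok
(0)     [suffix] = noop
(0)     files: users: Matched entry DEFAULT at line 9
(0)     [files] = ok
(0)     pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = Perl
(0) Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Failed to authenticate the user
(0) Sent Access-Reject Id 31 from 127.0.0.1:1812 to 127.0.0.1:49879 length 20
"""

# Constructed (assumed) trace of a request that goes through the privacyidea site,
# shaped after the real output above; used only to show the zero-findings path.
GOOD_TRACE = r"""
(1) Received Access-Request Id 32 from 127.0.0.1:49880 to 127.0.0.1:1812 length 52
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/privacyidea
(1)   [perl-privacyidea] = ok
(1) Found Auth-Type = Perl
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/privacyidea
(1)   [perl-privacyidea] = ok
(1) Sent Access-Accept Id 32 from 127.0.0.1:1812 to 127.0.0.1:49880 length 20
"""

RE_LINE = re.compile(r"^\((\d+)\)\s*(.*)$")          # "(id) body"
RE_SECTION = re.compile(r"# Executing (?:section (\S+)|group) from file (\S+)")
RE_MODULE = re.compile(r"^\[([\w.-]+)\] = (\w+)$")   # "[instance] = rcode"
RE_AUTH_TYPE = re.compile(r"^Found Auth-Type = (\S+)$")
RE_NO_SUBSECTION = re.compile(r"^Auth-Type sub-section not found")
RE_SENT = re.compile(r"^Sent (Access-\w+) Id \d+")


@dataclass
class RequestTrace:
    req_id: str
    site_files: Set[str] = field(default_factory=set)        # sites-enabled files that ran sections
    modules: List[Tuple[str, str]] = field(default_factory=list)  # (instance, rcode) in order
    auth_type: Optional[str] = None
    auth_type_subsection_missing: bool = False
    result: Optional[str] = None                              # e.g. "Access-Reject"


def parse_trace(text: str) -> Dict[str, RequestTrace]:
    """Group debug lines by request id and extract the fields diagnose() needs."""
    requests: Dict[str, RequestTrace] = {}
    for raw in text.splitlines():
        m = RE_LINE.match(raw.strip())
        if not m:
            continue  # "Waking up ..." and other lines without a request id
        req_id, body = m.group(1), m.group(2).strip()
        tr = requests.setdefault(req_id, RequestTrace(req_id))
        sec = RE_SECTION.search(body)
        mod = RE_MODULE.match(body)
        auth = RE_AUTH_TYPE.match(body)
        sent = RE_SENT.match(body)
        if sec:
            tr.site_files.add(sec.group(2))
        elif mod:
            tr.modules.append((mod.group(1), mod.group(2)))
        elif auth:
            tr.auth_type = auth.group(1)
        elif RE_NO_SUBSECTION.match(body):
            tr.auth_type_subsection_missing = True
        elif sent:
            tr.result = sent.group(1)
    return requests


def diagnose(tr: RequestTrace, expected_module: str, expected_site: str) -> List[str]:
    """Return findings for one request; an empty list means it went through the
    expected site and module and ended in Access-Accept."""
    findings: List[str] = []
    if expected_site not in tr.site_files:
        findings.append(f"request {tr.req_id} was handled by {sorted(tr.site_files)}, "
                        f"not by {expected_site}: that virtual server never saw the packet")
    ran = [name for name, _ in tr.modules]
    if expected_module not in ran:
        findings.append(f"module {expected_module} never ran; modules that did: {ran}")
    if tr.auth_type and tr.auth_type_subsection_missing:
        findings.append(f"Auth-Type {tr.auth_type} was selected but the executing site has no "
                        f"'Auth-Type {tr.auth_type}' block in its authenticate section")
    if tr.result != "Access-Accept":
        findings.append(f"final result was {tr.result}")
    return findings


if __name__ == "__main__":
    site = "/etc/freeradius/3.0/sites-enabled/privacyidea"  # assumed, from the post's config
    for trace in (SAMPLE_TRACE, GOOD_TRACE):
        for tr in parse_trace(trace).values():
            print(tr.req_id, diagnose(tr, "perl-privacyidea", site) or "OK")
```

Run it as-is to see the four findings for the post's trace and `OK` for the constructed good one, or pipe a saved `freeradius -X` log into `parse_trace()` to check a live setup.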