Hi

I have followed the guide on setting up privacyIDEA on CentOS 7 here:

https://www.privacyidea.org/two-factor-authentication-with-otp-on-centos-7/

I can access the webui, register tokens, linked to Active Directory etc., all tested ok.

I am having issues with the RADIUS plugin. When I attempt to make any connection to the RADIUS server, either using the test functions described in the link above or from an external connection, I am seeing the errors below:

]# echo "User-Name=user, User-Password=password" | radclient -sx localhost auth testing123

Sending Access-Request Id 91 from 0.0.0.0:34321 to 127.0.0.1:1812
    User-Name = 'user'
    User-Password = 'password'
Received Access-Reject Id 91 from 127.0.0.1:1812 to 127.0.0.1:34321 length 75
    Reply-Message = 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
(0) -: Expected Access-Accept got Access-Reject
Packet summary:
    Accepted      : 0
    Rejected      : 1
    Lost          : 0
    Passed filter : 0
    Failed filter : 1

and on the RADIUS server I see this:

Received Access-Request Id 111 from 127.0.0.1:35488 to 127.0.0.1:1812 length 44
    User-Name = 'user'
    User-Password = 'password'
(0) Received Access-Request packet from host 127.0.0.1 port 35488, id=111, length=44
(0)   User-Name = 'user'
(0)   User-Password = 'password'
(0) # Executing section authorize from file /etc/raddb/sites-enabled/privacyidea
(0)   authorize {
(0)     [preprocess] = ok
(0)     [digest] = noop
(0)     suffix : Checking for suffix after "@"
(0)     suffix : No '@' in User-Name = "user", looking up realm NULL
(0)     suffix : No such realm "NULL"
(0)     [suffix] = noop
(0)     ntdomain : Checking for prefix before "\"
(0)     ntdomain : No '\' in User-Name = "user", looking up realm NULL
(0)     ntdomain : No such realm "NULL"
(0)     [ntdomain] = noop
(0)     [files] = noop
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
(0) WARNING: pap : Authentication will fail unless a "known good" password is available
(0)     [pap] = noop
(0)     update control {
(0)       Auth-Type := Perl
(0)     } # update control = noop
(0)   } # authorize = ok
(0) Found Auth-Type = Perl
(0) # Executing group from file /etc/raddb/sites-enabled/privacyidea
(0)   Auth-Type Perl {
(0)     perl : $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'user'
(0)     perl : $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'password'
(0)     perl : $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '127.0.0.1'
(0)     perl : $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Oct 21 2015 11:50:57 AEDT'
(0)     perl : $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'Perl'
(0)     perl : $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'Perl'
rlm_perl: Config File /etc/freeradius/rlm_perl.ini found!
rlm_perl: Default URL https://127.0.0.1/validate/check
rlm_perl: Looking for config for auth-type Perl
rlm_perl: Auth-Type: Perl
rlm_perl: url: https://127.0.0.1/validate/check
rlm_perl: user sent to privacyidea: user
rlm_perl: realm sent to privacyidea:
rlm_perl: resolver sent to privacyidea:
rlm_perl: client sent to privacyidea: 127.0.0.1
rlm_perl: state sent to privacyidea:
rlm_perl: urlparam client
rlm_perl: urlparam pass
rlm_perl: urlparam user
rlm_perl: Not verifying SSL certificate!
rlm_perl: privacyIDEA request failed: 500 INTERNAL SERVER ERROR
rlm_perl: return RLM_MODULE_FAIL
(0)     perl : &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'user'
(0)     perl : &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Oct 21 2015 11:50:57 AEDT'
(0)     perl : &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'password'
(0)     perl : &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '127.0.0.1'
(0)     perl : &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
(0)     perl : &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl'
(0)     [perl] = fail
(0)   } # Auth-Type Perl = fail
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) Delaying response for 1 seconds
Waking up in 0.9 seconds.
(0) Sending delayed response
(0) Sending Access-Reject packet to host 127.0.0.1 port 35488, id=111, length=0
(0)   Reply-Message = 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
Sending Access-Reject Id 111 from 127.0.0.1:1812 to 127.0.0.1:35488
    Reply-Message = 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 111 with timestamp +7

I don't think this is just an issue with the user / password, but if anyone can point me in the right direction in what I may have done wrong with either the RADIUS or privacyIDEA install?

Cheers
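The Access-Reject in the log above is not a credential failure: rlm_perl logs "privacyIDEA request failed: 500 INTERNAL SERVER ERROR" and returns RLM_MODULE_FAIL, and the reject is FreeRADIUS's default handling of a failed module. The Python below is an added example, not code from privacyIDEA's FreeRADIUS module or from anyone in this thread. It shows how a client of /validate/check should keep apart the three kinds of answer that occur in this thread: an HTTP error (the 500 above, which points at the server and its privacyidea.log), a JSON body with result.status false (the ERR905 "user can not be found in any resolver" body posted further down, which points at realm and resolver configuration), and result.status true with result.value false ("wrong otp pin", which points at the credential). The names Verdict, classify_response, validate_check and the SAMPLE_* bodies are invented for the example; the sample JSON is modelled on the fragments quoted in the thread with the outer braces and the "detail" key restored so that they parse. The validate_check helper is included to show where the module's "Not verifying SSL certificate!" decision would be made; it performs a network call and is not exercised offline.

```python
"""Map a privacyIDEA /validate/check answer onto a FreeRADIUS module
return code.  Added example; not the privacyidea_radius.pm module.

Assumed names (not from the thread): Verdict, classify_response,
validate_check and the SAMPLE_* bodies below.
"""
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request
from enum import Enum


class Verdict(Enum):
    OK = "RLM_MODULE_OK"          # -> Access-Accept
    REJECT = "RLM_MODULE_REJECT"  # -> Access-Reject: the user was checked and failed
    FAIL = "RLM_MODULE_FAIL"      # -> Access-Reject by default: the check never happened


def classify_response(http_status, body):
    """Return (Verdict, reply_message) for one /validate/check answer.

    `body` is the raw response text; on a 500 it is usually HTML.
    """
    if http_status != 200:
        # This is the branch behind the log line in the thread:
        # 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'.
        # The backend never evaluated the credential, so this is a
        # server problem (read privacyidea.log), not a user problem.
        return Verdict.FAIL, "privacyIDEA request failed: %d" % http_status
    try:
        data = json.loads(body)
    except ValueError:
        return Verdict.FAIL, "privacyIDEA returned a non-JSON body"
    result = data.get("result", {})
    detail = data.get("detail", {})
    if not result.get("status"):
        # status=false: the request could not be evaluated at all,
        # e.g. ERR905 when the user is in no resolver of the realm.
        err = result.get("error", {})
        return Verdict.REJECT, "%s (code %s)" % (
            err.get("message", "unknown error"), err.get("code"))
    if result.get("value") is True:
        return Verdict.OK, detail.get("message", "privacyIDEA access granted")
    # status=true, value=false: user found, credential wrong
    # (e.g. 'wrong otp pin').
    return Verdict.REJECT, detail.get("message", "privacyIDEA access denied")


def validate_check(url, user, password, realm=None, client=None,
                   verify_tls=True, timeout=5):
    """POST user/pass(/realm/client) to /validate/check and classify the answer.

    verify_tls=False reproduces the module's 'Not verifying SSL
    certificate!' behaviour: anyone who can interpose on the path to
    `url` could then answer {"result": {"status": true, "value": true}}
    and mint an Access-Accept.  Keep it True for anything but loopback.
    """
    params = {"user": user, "pass": password}
    if realm:
        params["realm"] = realm
    if client:
        params["client"] = client
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=urllib.parse.urlencode(params).encode(),
                                 method="POST")
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return classify_response(e.code, e.read().decode("utf-8", "replace"))


# Constructed sample bodies, modelled on the fragments quoted in this thread.
SAMPLE_ERR905 = ('{"version": "privacyIDEA 2.7", "result": {"status": false, '
                 '"error": {"message": "ERR905: The user can not be found in any '
                 'resolver in this realm!", "code": -500}}, '
                 '"time": 1445425459.788956, "id": 1}')
SAMPLE_WRONG_PIN = ('{"detail": {"message": "wrong otp pin"}, "versionnumber": "2.7", '
                    '"version": "privacyIDEA 2.7", "result": {"status": true, '
                    '"value": false}, "time": 1445425581.107504, "id": 1}')
SAMPLE_OK = ('{"detail": {"message": "matching 1 tokens"}, '
             '"result": {"status": true, "value": true}}')
SAMPLE_500 = "<html><title>500 Internal Server Error</title></html>"


if __name__ == "__main__":
    for status, body in [(500, SAMPLE_500), (200, SAMPLE_ERR905),
                         (200, SAMPLE_WRONG_PIN), (200, SAMPLE_OK)]:
        print(status, classify_response(status, body))
```

The practical value of the split is in the operator's response: FAIL means the RADIUS host could not get an answer (check the privacyIDEA service, its log and the audit tab), REJECT with a status=false error means privacyIDEA answered but could not map the user (realm, resolver, the "@" realm separator), and REJECT with value=false means the user resolved and only the PIN/OTP was wrong.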
Hi

Thanks for your quick response to my issue.

I have been watching the privacyidea.log but no entries are made when a connection attempt is made via the RADIUS, which leads me to think that the RADIUS is not able to see the privacyIDEA API?

I can access the URI in my browser, so I can see that it is up.

I see this in the privacyidea.log when I reboot:

[2015-10-21 15:41:28,041][1924][139636199069440][ERROR][privacyidea.lib.resolvers.LDAPIdResolver:333] Traceback (most recent call last):
  File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 328, in getUserList
    user = self._ldap_attributes_to_user_object(attributes)
  File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 246, in _ldap_attributes_to_user_object
    for ldap_k, ldap_v in attributes.items():
AttributeError: 'NoneType' object has no attribute 'items'

Cheers
On Wednesday, 21 October 2015 17:14:34 UTC+11, Cornelinux K wrote:

Hi Tony,

please do the following:

1. Take a look into the audit log.
   Within the webui take a look at what you can see in the request in the Audit tab, the rightmost tab.
   I assume the user does not exist.
   The audit gives you a top level view of what is happening in privacyIDEA.

2. Take a look into the log file privacyidea.log.
   This gives you a detailed view of what is happening.

Kind regards
Cornelius
--
You received this message because you are subscribed to the Google Groups "privacyidea" group.
To unsubscribe from this group and stop receiving emails from it, send an email to privacyidea...@googlegroups.com.
To post to this group, send email to priva...@googlegroups.com.
To view this discussion on the web visit
So in this case you might need to add it like this:

authorize {
    update control {
        Auth-Type := Perl
        Class := AVP
    }
}

I don't have FreeRADIUS 3 at hand to test this...

Kind regards
Cornelius

On Thursday, 22 Oct 2015, 09:41 +0200, Cornelius Kölbel wrote:
Hi Tony,

you can edit your file /etc/freeradius/users like this:

DEFAULT Auth-Type := Perl
        Class = YOUR_GROUP_EXPECTED_BY_CHECKPOINT

This way each user will be authenticated against the perl module, a.k.a. privacyIDEA, and put into the corresponding group.

Or: You can add the Class AVP that is expected by your Checkpoint.

Please note: In the RADIUS request the Class is hex encoded. In the users config file you need to enter a normal ASCII string.

Kind regards
Cornelius
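Both messages above are about getting a Class attribute in front of the Checkpoint gateway: the users-file entry "DEFAULT Auth-Type := Perl / Class = ..." and the unlang update block. Whatever FreeRADIUS puts into the reply, the NAS receives Class (attribute 25) as an opaque octet string, which is why radclient and radiusd -X print it as hex while the config file takes a plain string. The Python below is an added example, not FreeRADIUS, radclient or privacyIDEA code: it builds the Access-Accept a NAS would receive, verifies the Response Authenticator the way the NAS must before trusting the packet, and decodes the attributes so the hex/ASCII relation is visible. The identifier, the request authenticator, the group name "vpn-users" and the attribute names are made up for the example; "testing123" is the shared secret from the radclient test in the original post, and "privacyIDEA access granted" is the Reply-Message Tony saw reaching his firewalls.

```python
"""Build and decode a RADIUS Access-Accept carrying Class (25) and
Reply-Message (18), the two attributes discussed in this thread.
Added example; not FreeRADIUS, radclient or privacyIDEA code.

Assumptions: identifier, request authenticator and the group string
"vpn-users" are invented; "testing123" is the secret from the
radclient test in the original post.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_REPLY_MESSAGE = 18
ATTR_CLASS = 25
ATTR_NAMES = {ATTR_REPLY_MESSAGE: "Reply-Message", ATTR_CLASS: "Class"}


def encode_avp(attr_type, value):
    """Type(1) Length(1) Value(n); Length counts the two header bytes."""
    if isinstance(value, str):
        value = value.encode("utf-8")
    if not 1 <= len(value) <= 253:
        raise ValueError("AVP value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_response(code, identifier, request_authenticator, secret, avps):
    """RFC 2865 reply: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    if len(request_authenticator) != 16:
        raise ValueError("request authenticator must be 16 bytes")
    attrs = b"".join(encode_avp(t, v) for t, v in avps)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_authenticator, secret):
    """What the NAS does before acting on an Access-Accept.  Integrity of
    the whole exchange rests on MD5 over the shared secret, which is why
    RADIUS belongs on a trusted segment or inside a tunnel."""
    if len(packet) < 20:
        return False
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_avps(packet):
    """Return [(type, raw_bytes), ...]; raises on a malformed length."""
    attrs = packet[20:]
    out, pos = [], 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated AVP header")
        t, length = struct.unpack("!BB", attrs[pos:pos + 2])
        if length < 2 or pos + length > len(attrs):
            raise ValueError("bad AVP length %d at offset %d" % (length, pos))
        out.append((t, attrs[pos + 2:pos + length]))
        pos += length
    return out


def describe(packet):
    """Render attributes the way radclient/radiusd -X show them: Class is
    an opaque octet string and prints as 0x<hex>, Reply-Message as text."""
    lines = []
    for t, raw in parse_avps(packet):
        name = ATTR_NAMES.get(t, "Attr-%d" % t)
        if t == ATTR_CLASS:
            lines.append("%s = 0x%s" % (name, raw.hex()))
        else:
            lines.append('%s = "%s"' % (name, raw.decode("utf-8", "replace")))
    return lines


if __name__ == "__main__":
    req_auth = bytes(range(16))  # in real traffic: copied from the Access-Request
    pkt = build_response(ACCESS_ACCEPT, 0x6f, req_auth, b"testing123",
                         [(ATTR_CLASS, "vpn-users"),
                          (ATTR_REPLY_MESSAGE, "privacyIDEA access granted")])
    print("authenticator valid:", verify_response(pkt, req_auth, b"testing123"))
    print("\n".join(describe(pkt)))
    # Class = 0x76706e2d7573657273 is just "vpn-users" in hex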
On Thursday, 22 Oct 2015, 09:23 +0200, Cornelius Kölbel wrote:

Hi Tony,

the Attribute Value Pair Class (25) usually seems to expect some attribute, which the firewall uses to authorize the access or put the user of this request in some control group.

So the question is: Do you have another RADIUS server running at the moment, and how do the requests look there?

So I guess we need to look at the FreeRADIUS side (independent of the privacyIDEA plugin).

We need to investigate
- the successful RADIUS REQUEST with your existing RADIUS server
- the successful RADIUS RESPONSE with your existing RADIUS server
and then configure FreeRADIUS accordingly.

I will try to help you with that. But maybe at a certain point we might also need to take this to the freeradius list.

Kind regards
Cornelius
On Wednesday, 21 Oct 2015, 23:52 -0700, Tony Hawker wrote:

Thanks Cornelius

this script still doesn't seem to solve the problem, Checkpoint still doesn't like the Access-Accept packets for some reason.

I've had the Checkpoint talking to FreeRADIUS in the past, so it can work, but it just doesn't see these accept packets for some reason.

On Thursday, 22 October 2015 17:44:43 UTC+11, Cornelinux K wrote:

Hi Tony,

here is a slightly modified script that does not add any additional AVPs into the reply. It only returns ACCESS_ACCEPT or ACCESS_REJECT.

This script replaces the existing one. Please restart freeradius and check if Checkpoint likes it.

Kind regards
Cornelius
On Wednesday, 21 Oct 2015, 23:35 -0700, Tony Hawker wrote:
> Hi Cornelius
> Thanks for this info
> where do I remove that line from? I'm not familiar with this process?
> do I need to change a config file? or change some source code and recompile?
> I believe if I could change the message on that line that could also possibly help
>
> Cheers
>
> On Thursday, 22 October 2015 17:27:55 UTC+11, Cornelinux K wrote:
> Hello Tony,
>
> at the moment there is no way to configure the reply message.
>
> You can remove the RAD_REPLY in the privacyidea perl module:
> https://github.com/privacyidea/privacyidea/blob/master/authmodules/FreeRADIUS/privacyidea_radius.pm#L335
>
> Thus this information will not be added to the reply.
> If this succeeds, please drop me a note or open an issue at github.
> We can then make the reply configurable.
>
> Kind regards
> Cornelius
>
> On Wednesday, 21 Oct 2015, 17:54 -0700, Tony Hawker wrote:
> > Hi Cornelius
> > Thanks for your help, I almost have this working now. I played around a lot, but I think that ticking the "use @ to separate user and realm" has allowed the RADIUS to pass through the details correctly.
> >
> > I have managed to have my RADIUS client authenticate, and it seems to be sending back the reply message "privacyIDEA access granted" to my firewalls (I am trying to authenticate VPN users).
> >
> > I believe the firewall does not like the response message, I am possibly getting a similar issue described here:
> > https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk107638
> >
> > I have also attached a screen shot of how the packet looks from privacyIDEA, do you think that because the reply packet is slightly different it could be causing this problem?
> > Is it possible to change the privacyIDEA RADIUS accept packet to something generic?
> >
> > Cheers
> >
> > On Wednesday, 21 October 2015 23:59:18 UTC+11, Cornelinux K wrote:
> >
> > Hi,
> >
> > The user can not be found in the resolver.
> >
> > What does the request look like?
> > Is the realm the default realm?
> > What does the DN of the user look like?
> >
> > You might have specified the wrong realm (see default realm).
> >
> > Kind regards
> > Cornelius
> >
> > Cornelius Kölbel
> > Corneliu...@netknights.it
> > +49 151 2960 1417
> >
> > NetKnights GmbH
> > http://netknights.it
> > Landgraf-Karl-Str. 19, 34131 Kassel, Germany
> > Tel: +49 561 3166797, Fax: +49 561 3166798
> >
> > Amtsgericht Kassel, HRB 16405
> > Managing director: Cornelius Kölbel
> >
> > -------- Original message --------
> > From: Tony Hawker <lil...@gmail.com>
> > Date: 21.10.2015 13:14 (GMT+01:00)
> > To: privacyidea <priva...@googlegroups.com>
> > Subject: Re: Re: 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR' - FreeRadius
> >
> > Hi Cornelius
> > Thanks for your response
> > I am running a PIP installation on CentOS 7
> > I am running the latest version of privacyIDEA (2.7), updated as per instructions on howtoforge
> > the user is coming from Active Directory
> > UID is DN
> > there are no special characters anywhere in the AD config
> >
> > testing using the URL you provided I get the message below when attempting to use an AD user:
> > "version": "privacyIDEA 2.7", "result": {"status": false, "error": {"message": "ERR905: The user can not be found in any resolver in this realm!", "code": -500}}, "time": 1445425459.788956, "id": 1}
> >
> > but if I use the root user (from the privacyIDEA server) this returns:
> > {"message": "wrong otp pin"}, "versionnumber": "2.7", "version": "privacyIDEA 2.7", "result": {"status": true, "value": false}, "time": 1445425581.107504, "id": 1}
> > I assume the OTP token is out of sync, but this looks much more promising
> >
> > any idea on why the AD would not work via this method? as I can see all the users in the webui etc
> >
> > Cheers
> >
> > On Wednesday, 21 October 2015 21:01:47 UTC+11, Cornelinux K wrote:
> > Hi Tony,
> >
> > Are you running a pip installation or debian wheezy?
> >
> > Which version of privacyidea are you running?
> >
> > In certain cases there were problems with the ldap resolver, if the DN contains special characters and is base64 encoded.
> >
> > Is it openldap or AD?
> >
> > The Uid type: is it DN or entryUUID?
> >
> > Kind regards
> > Cornelius
> >
> $RAD_CHECK{'Auth-Type'} =
> > &control:Auth-Type ->
'Perl'
> > > (0) perl :
> $RAD_CONFIG{'Auth-Type'} =
> > &control:Auth-Type ->
'Perl'
> > > rlm_perl: Config
> >
File /etc/freeradius/rlm_perl.ini
> found!
> > > rlm_perl: Default URL
> >
https://127.0.0.1/validate/check
> > > rlm_perl: Looking for
config for
> auth-type
> > Perl
> > > rlm_perl: Auth-Type:
Perl
> > > rlm_perl: url:
> >
https://127.0.0.1/validate/check
> > > rlm_perl: user sent to
> privacyidea: user
> > > rlm_perl: realm sent to
> privacyidea:
> > > rlm_perl: resolver sent
to
> privacyidea:
> > > rlm_perl: client sent
to
> privacyidea:
> > 127.0.0.1
> > > rlm_perl: state sent to
> privacyidea:
> > > rlm_perl: urlparam
client
> > > rlm_perl: urlparam pass
> > > rlm_perl: urlparam user
> > > rlm_perl: Not verifying
SSL
> certificate!
> > > rlm_perl: privacyIDEA
request
> failed: 500
> > INTERNAL SERVER ERROR
> > > rlm_perl: return
RLM_MODULE_FAIL
> > > (0) perl :
&request:User-Name =
> > $RAD_REQUEST{'User-Name'}
-> 'user'
> > > (0) perl :
> &request:Event-Timestamp =
> >
$RAD_REQUEST{'Event-Timestamp'}
> > > -> 'Oct 21 2015 11:50:57
AEDT'
> > > (0) perl :
&request:User-Password
> =
> >
$RAD_REQUEST{'User-Password'} ->
> > > 'password'
> > > (0) perl :
> &request:NAS-IP-Address =
> >
$RAD_REQUEST{'NAS-IP-Address'}
> > > -> '127.0.0.1'
> > > (0) perl :
&reply:Reply-Message
> =
> >
$RAD_REPLY{'Reply-Message'} ->
> > > 'privacyIDEA request
failed: 500
> INTERNAL
> > SERVER ERROR'
> > > (0) perl :
&control:Auth-Type =
> > $RAD_CHECK{'Auth-Type'} ->
'Perl'
> > > (0) [perl] = fail
> > > (0) } # Auth-Type Perl
= fail
> > > (0) Failed to
authenticate the
> user
> > > (0) Using Post-Auth-Type
Reject
> > > (0) Delaying response
for 1
> seconds
> > > Waking up in 0.9
seconds.
> > > (0) Sending delayed
response
> > > (0) Sending
Access-Reject packet
> to host
> > 127.0.0.1 port 35488,
id=111,
> > > length=0
> > > (0) Reply-Message =
> 'privacyIDEA request
> > failed: 500 INTERNAL
> > > SERVER ERROR'
> > > Sending Access-Reject Id
111 from
> > 127.0.0.1:1812 to
127.0.0.1:35488
> > > Reply-Message =
> 'privacyIDEA request
> > failed: 500 INTERNAL
> > > SERVER ERROR'
> > > Waking up in 3.9
seconds.
> > > (0) Cleaning up request
packet ID
> 111 with
> > timestamp +7
> > >
> > >
> > >
> > >
> > > I don't think this is
just an
> issue with the
> > user / password, but if
> > > anyone can point me in
the right
> direction
> > in what I may have done
> > > wrong with either the
radius or
> privacy idea
> > install?
> > >
> > >
> > > Cheers
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > --
> > > You received this message because you are subscribed to the Google Groups "privacyidea" group.
> > > To unsubscribe from this group and stop receiving emails from it, send an email to privacyidea...@googlegroups.com.
> > > To post to this group, send email to priva...@googlegroups.com.
> > > To view this discussion on the web visit https://groups.google.com/d/msgid/privacyidea/96a156c2-b64d-417d-811a-e152d27c8fd2%40googlegroups.com.
> > > For more options, visit https://groups.google.com/d/optout.
> >
> > --
> > Cornelius Kölbel
> > corneliu...@netknights.it
> > +49 151 2960 1417
> >
> > NetKnights GmbH
> > http://www.netknights.it
> > Landgraf-Karl-Str. 19, 34131 Kassel, Germany
> > Tel: +49 561 3166797, Fax: +49 561 3166798
> >
> > Amtsgericht Kassel, HRB 16405
> > Managing Director: Cornelius Kölbel
> >
Thanks Cornelius
this script still doesn’t seem to solve the problem, checkpoint still
doesn’t like the Access-Accept packets for some reason
I’ve had the checkpoint talking to freeradius in the past, so it can work,
but just doesn’t see these accept packets for some reason

On Thursday, 22 October 2015 17:44:43 UTC+11, Cornelinux K wrote:
Hi Tony,
here is a slightly modified script that does not add any additional
AVPs into the reply.
It only returns ACCESS_ACCEPT or ACCESS_REJECT.
This script replaces the existing one.
Please restart freeradius and check if checkpoint likes it.
Kind regards
Cornelius
On Wednesday, 21.10.2015, 23:35 -0700, Tony Hawker wrote:
Hi Cornelius
Thanks for this info
where do I remove that line from? I’m not familiar with this process.
Do I need to change a config file? or change some source code and
recompile?
I believe if I could change the message on that line that could also
possibly help
Cheers
On Thursday, 22 October 2015 17:27:55 UTC+11, Cornelinux K wrote:
Hello Tony,
at the moment there is no way to configure the reply message.
You can remove the RAD_REPLY in the privacyidea perl module.
Thus this information will not be added to the reply.
If this succeeds, please drop me a note or open an issue at
github.
We can then make the reply configurable.
Kind regards
Cornelius
On Wednesday, 21.10.2015, 17:54 -0700, Tony Hawker wrote:
> Hi Cornelius
> Thanks for your help, I almost have this working now, I played around
> a lot, but I think that ticking the "use @ to separate user and realm"
> has allowed the radius to pass through the details correctly
>
> I have managed to have my radius client authenticate, and it seems to
> be sending back the reply message "privacy IDEA access granted" to my
> firewalls (I am trying to authenticate VPN users)
>
> I believe the firewall does not like the response message, I am
> possibly getting a similar issue described here:
>
> I have also attached a screen shot of how the packet looks from
> privacy idea, do you think that because the reply packet is slightly
> different it could be causing this problem?
> is it possible to change the privacy idea radius accept packet to
> something generic?
>
> Cheers
>
> On Wednesday, 21 October 2015 23:59:18 UTC+11, Cornelinux K wrote:
>
> Hi,
>
> The user can not be found in the resolver.
>
> What does the request look like?
> Is the realm the default realm?
> What does the DN of the user look like?
>
> You might have specified the wrong realm (see default realm)
>
> Kind regards
> Cornelius
>
>
>
>
>
>
> -------- Original message --------
> From: Tony Hawker <lil...@gmail.com>
> Date: 21.10.2015 13:14 (GMT+01:00)
> To: privacyidea <priva...@googlegroups.com>
> Subject: Re: Re: 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR' - FreeRadius
>
> Hi Cornelius
> Thanks for your response
> I am running PIP installation on Centos 7
> I am running latest version of Privacy idea (2.7), updated as per instructions on howtoforge
> the user is coming from Active Directory
> UID is DN
> there are no special characters anywhere in the AD config
>
> testing using the URL you provided I get the message below when attempting to use an AD user
> "version": "privacyIDEA 2.7", "result": {"status": false, "error": {"message": "ERR905: The user can not be found in any resolver in this realm!", "code": -500}}, "time": 1445425459.788956, "id": 1}
>
> but if I use the root user (from the privacyidea server) this returns:
> {"message": "wrong otp pin"}, "versionnumber": "2.7", "version": "privacyIDEA 2.7", "result": {"status": true, "value": false}, "time": 1445425581.107504, "id": 1}
> I assume the OTP token is out of sync, but looks much more promising
>
> any idea on why the AD would not work via this method? as I can see all the users in the webui etc
>
> Cheers
>
> On Wednesday, 21 October 2015 21:01:47 UTC+11, Cornelinux K wrote:
> Hi Tony,
>
> Are you running a pip installation or debian wheezy?
>
> Which version of privacyidea are you running?
>
> In certain cases there were problems with the ldap resolver, if the DN contains special characters and is base64 encoded.
>
> Is it openldap or AD?
>
> The Uid type: is it DN or entryUUID?
>
> Kind regards
> Cornelius
>
>
>
>
>
>
>
>
> -------- Original message --------
> From: Tony Hawker <lil...@gmail.com>
> Date: 21.10.2015 08:59 (GMT+01:00)
> To: privacyidea <priva...@googlegroups.com>
> Subject: Re: 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR' - FreeRadius
>
> Hi
> thanks for your quick response to my issue
> I have been watching the privacyidea.log but no entries are made when a connection attempt is made via the radius, which leads me to think that the radius is not able to see the privacyidea API?
> I can access the URI in my browser, so I can see that is up
>
> I see this in the privacyidea.log when I reboot
>
> [2015-10-21 15:41:28,041][1924][139636199069440][ERROR][privacyidea.lib.resolvers.LDAPIdResolver:333] 'Traceback (most recent call last):\n File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 328, in getUserList\n user = self._ldap_attributes_to_user_object(attributes)\n File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 246, in _ldap_attributes_to_user_object\n for ldap_k, ldap_v in attributes.items():\nAttributeError: \'NoneType\' object has no attribute \'items\'\n'
>
> Cheers
>
>
>
>
>
>
>
>
> On Wednesday, 21 October 2015 17:14:34 UTC+11, Cornelinux K wrote:
> Hi Tony,
>
> please do the following:
>
> 1. Take a look into the audit log
>
> Within the webui take a look at what you can see in the request in the Audit tab, the rightmost tab.
>
> I assume the user does not exist.
>
> The audit gives you a top level view of what is happening in privacyidea.
>
> 2. Take a look into the log file privacyidea.log.
> This gives you a detailed view of what is happening.
>
> Kind regards
> Cornelius
>
--
You received this message because you are subscribed to the Google
Groups "privacyidea" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com.
To post to this group, send email to priva...@googlegroups.com.
To view this discussion on the web visit
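Added example (not code from this thread, from privacyIDEA, or from the FreeRADIUS rlm_perl plugin): it follows the two kinds of /validate/check answer quoted above through the decision the RADIUS plugin makes, and then builds and verifies the Access-Accept/Access-Reject packet the firewall receives, with and without the Reply-Message AVP. That second variant is the "generic" reply the modified script in this thread produces. The JSON bodies are constructed to match the fragments quoted in the thread; the shared secret, packet identifier and request authenticator are made up. Packet layout and the Response Authenticator check follow RFC 2865.

```python
# Added example, not privacyIDEA's or the rlm_perl plugin's own code: follow a
# /validate/check answer through to the RADIUS reply the NAS receives.
# Constructed: the JSON bodies (shaped like the fragments in this thread), the
# shared secret, packet identifier and request authenticator.  Packet layout
# and the Response Authenticator follow RFC 2865.
import hashlib
import json
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
REPLY_MESSAGE = 18  # RFC 2865 attribute type of Reply-Message

USER_NOT_FOUND = json.dumps({
    "jsonrpc": "2.0", "id": 1, "versionnumber": "2.7", "version": "privacyIDEA 2.7",
    "result": {"status": False, "error": {"code": -500,
               "message": "ERR905: The user can not be found in any resolver in this realm!"}},
    "time": 1445425459.788956})
WRONG_PIN = json.dumps({
    "jsonrpc": "2.0", "id": 1, "versionnumber": "2.7", "version": "privacyIDEA 2.7",
    "detail": {"message": "wrong otp pin"},
    "result": {"status": True, "value": False}, "time": 1445425581.107504})
GRANTED = json.dumps({
    "jsonrpc": "2.0", "id": 1, "versionnumber": "2.7", "version": "privacyIDEA 2.7",
    "detail": {"message": "matching 1 tokens"},
    "result": {"status": True, "value": True}, "time": 1445425600.0})


def classify(body):
    """Map a /validate/check body to (verdict, message).
    result.status false: privacyIDEA could not process the request (unknown
    user, server error); the plugin returns RLM_MODULE_FAIL -> 'fail'.
    result.value false: processed but PIN/OTP wrong -> 'reject'; true -> 'accept'."""
    try:
        doc = json.loads(body)
        result = doc["result"]
    except (ValueError, KeyError, TypeError) as exc:
        return "fail", "malformed response: %s" % exc
    if not result.get("status"):
        err = result.get("error") or {}
        return "fail", "%s (code %s)" % (err.get("message", "unknown error"), err.get("code"))
    verdict = "accept" if result.get("value") else "reject"
    return verdict, (doc.get("detail") or {}).get("message", "")


def encode_attributes(attrs):
    """[(type, bytes)] -> RADIUS attribute TLVs (Type, Length, Value)."""
    out = b""
    for atype, value in attrs:
        if not 0 < len(value) <= 253:
            raise ValueError("attribute value length out of range")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attributes(blob):
    """Inverse of encode_attributes; rejects a truncated trailing attribute."""
    attrs, i = [], 0
    while i < len(blob):
        atype, alen = struct.unpack("!BB", blob[i:i + 2])
        if alen < 2 or i + alen > len(blob):
            raise ValueError("truncated attribute")
        attrs.append((atype, blob[i + 2:i + alen]))
        i += alen
    return attrs


def build_reply(code, ident, request_auth, secret, attrs):
    """Reply packet; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attributes(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body


def verify_reply(packet, request_auth, secret):
    """The check a NAS performs before trusting a reply: returns (code, id, attrs)
    or raises ValueError when the authenticator does not match the secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad packet length")
    body = packet[20:]
    if hashlib.md5(packet[:4] + request_auth + body + secret).digest() != packet[4:20]:
        raise ValueError("Response Authenticator mismatch (wrong secret or modified packet)")
    return code, ident, decode_attributes(body)


def reply_for(body, ident, request_auth, secret, include_reply_message=True):
    """RADIUS reply for a validate/check body.  'fail' becomes Access-Reject, as
    the FreeRADIUS debug output in this thread shows for RLM_MODULE_FAIL.
    include_reply_message=False gives the 'generic' reply the thread asks for:
    same code, no Reply-Message AVP."""
    verdict, msg = classify(body)
    code = ACCESS_ACCEPT if verdict == "accept" else ACCESS_REJECT
    attrs = [(REPLY_MESSAGE, msg.encode())] if include_reply_message and msg else []
    return code, build_reply(code, ident, request_auth, secret, attrs)
```

Calling `reply_for(GRANTED, 91, bytes(range(16)), b"testing123")` yields a 39-byte Access-Accept carrying one Reply-Message attribute; with `include_reply_message=False` the same decision becomes a bare 20-byte Access-Accept, which is the only difference a NAS that chokes on extra AVPs would see. `verify_reply` shows why the shared secret matters on the receiving side: a reply built with a different secret, or altered in transit, fails the authenticator check and must be discarded.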
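Added example, not privacyIDEA's resolver code: the LDAPIdResolver traceback quoted in this thread dies in `_ldap_attributes_to_user_object` because one search entry came back with `attributes` set to None, and the loop over `attributes.items()` was never guarded. A resolver that validates each entry before mapping it keeps the user list usable and logs which entry it skipped, so the defect shows up in privacyidea.log instead of as a 500 to the RADIUS plugin. The attribute map, the sample entries and the referral-style entry are constructed for this example; that AD referrals are one source of such attribute-less entries is an assumption, not something the thread establishes.

```python
# Added example, not privacyIDEA's own LDAPIdResolver: build the user list
# without failing on an entry whose 'attributes' is None.  Attribute map and
# search entries are constructed; the referral entry shape is an assumption.
import logging

log = logging.getLogger("ldap_example")

# Constructed: resolver user fields -> LDAP attribute names (AD-style names).
ATTRIBUTE_MAP = {"username": "sAMAccountName", "email": "mail", "surname": "sn"}

# Constructed search result: two ordinary entries and one entry without any
# attribute dict, the shape that made the page's resolver raise AttributeError.
SAMPLE_ENTRIES = [
    {"dn": "CN=Alice,OU=Users,DC=example,DC=test",
     "attributes": {"sAMAccountName": ["alice"], "mail": ["alice@example.test"],
                    "sn": ["Smith"]}},
    {"dn": "ldap://ForestDnsZones.example.test/DC=ForestDnsZones,DC=example,DC=test",
     "type": "searchResRef", "attributes": None},   # referral-style entry (assumed)
    {"dn": "CN=Bob,OU=Users,DC=example,DC=test",
     "attributes": {"sAMAccountName": ["bob"], "sn": ["Jones"]}},  # no mail attribute
]


def ldap_attributes_to_user_object(attributes, attribute_map=ATTRIBUTE_MAP):
    """Flatten one entry's attributes into a user dict via attribute_map.
    Returns None, instead of raising, when there is no attribute dict."""
    if not isinstance(attributes, dict):
        return None
    user = {}
    for field, ldap_name in attribute_map.items():
        value = attributes.get(ldap_name)
        if isinstance(value, list):        # LDAP attributes are multi-valued
            value = value[0] if value else None
        user[field] = value
    return user


def get_user_list(entries, attribute_map=ATTRIBUTE_MAP):
    """Return (users, skipped_dns).  Entries without attributes or without a
    username are skipped and logged rather than taking the resolver down."""
    users, skipped = [], []
    for entry in entries:
        user = ldap_attributes_to_user_object(entry.get("attributes"), attribute_map)
        if user is None or not user.get("username"):
            skipped.append(entry.get("dn"))
            log.warning("skipping LDAP entry without usable attributes: %s", entry.get("dn"))
            continue
        user["dn"] = entry.get("dn")
        users.append(user)
    return users, skipped
```

`get_user_list(SAMPLE_ENTRIES)` returns the two real users and reports the referral DN as skipped; a missing optional attribute such as `mail` simply maps to None rather than breaking the entry.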
On Tuesday, 20.10.2015, 17:56 -0700, Tony Hawker wrote:
> Hi
> I have followed the guide on setting up Privacyidea on Centos 7 here:
> https://www.privacyidea.org/two-factor-authentication-with-otp-on-centos-7/
>
> I can access the webui, register tokens, linked to active directory etc, all tested ok
>
> I am having issues with the radius plugin, when I attempt to make any connection to the radius, either using the test functions described in the link above, or from an external connection, I am seeing the errors below:
>
> ]# echo "User-Name=user, User-Password=password" | radclient -sx localhost auth testing123
>
> Sending Access-Request Id 91 from 0.0.0.0:34321 to 127.0.0.1:1812
> User-Name = 'user'
> User-Password = 'password'
> Received Access-Reject Id 91 from 127.0.0.1:1812 to 127.0.0.1:34321 length 75
> Reply-Message = 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
> (0) -: Expected Access-Accept got Access-Reject
> Packet summary:
> Accepted : 0
> Rejected : 1
> Lost : 0
> Passed filter : 0
> Failed filter : 1
>
> and on the radius server I see this:
>
> Received Access-Request Id 111 from 127.0.0.1:35488 to 127.0.0.1:1812 length 44
> User-Name = 'user'
> User-Password = 'password'
> (0) Received Access-Request packet from host 127.0.0.1 port 35488, id=111, length=44
> (0) User-Name = 'user'
> (0) User-Password = 'password'
> (0) # Executing section authorize from file /etc/raddb/sites-enabled/privacyidea
> (0) authorize {
> (0) [preprocess] = ok
> (0) [digest] = noop
> (0) suffix : Checking for suffix after "@"
> (0) suffix : No '@' in User-Name = "user", looking up realm NULL
> (0) suffix : No such realm "NULL"
> (0) [suffix] = noop
> (0) ntdomain : Checking for prefix before "\"
> (0) ntdomain : No '\' in User-Name = "user", looking up realm NULL
> (0) ntdomain : No such realm "NULL"
> (0) [ntdomain] = noop
> (0) [files] = noop
> (0) [expiration] = noop
> (0) [logintime] = noop
> (0) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
> (0) WARNING: pap : Authentication will fail unless a "known good" password is available
> (0) [pap] = noop
> (0) update control {
> (0) Auth-Type := Perl
> (0) } # update control = noop
> (0) } # authorize = ok
> (0) Found Auth-Type = Perl
> (0) # Executing group from file /etc/raddb/sites-enabled/privacyidea
> (0) Auth-Type Perl {
> (0) perl : $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'user'
> (0) perl : $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'password'
> (0) perl : $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '127.0.0.1'
> (0) perl : $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Oct 21 2015 11:50:57 AEDT'
> (0) perl : $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'Perl'
> (0) perl : $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'Perl'
> rlm_perl: Config File /etc/freeradius/rlm_perl.ini found!
> rlm_perl: Default URL https://127.0.0.1/validate/check
> rlm_perl: Looking for config for auth-type Perl
> rlm_perl: Auth-Type: Perl
> rlm_perl: url: https://127.0.0.1/validate/check
> rlm_perl: user sent to privacyidea: user
> rlm_perl: realm sent to privacyidea:
> rlm_perl: resolver sent to privacyidea:
> rlm_perl: client sent to privacyidea: 127.0.0.1
> rlm_perl: state sent to privacyidea:
> rlm_perl: urlparam client
> rlm_perl: urlparam pass
> rlm_perl: urlparam user
> rlm_perl: Not verifying SSL certificate!
> rlm_perl: privacyIDEA request failed: 500 INTERNAL SERVER ERROR
> rlm_perl: return RLM_MODULE_FAIL
> (0) perl : &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'user'
> (0) perl : &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Oct 21 2015 11:50:57 AEDT'
> (0) perl : &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'password'
> (0) perl : &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '127.0.0.1'
> (0) perl : &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
> (0) perl : &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl'
> (0) [perl] = fail
> (0) } # Auth-Type Perl = fail
> (0) Failed to authenticate the user
> (0) Using Post-Auth-Type Reject
> (0) Delaying response for 1 seconds
> Waking up in 0.9 seconds.
> (0) Sending delayed response
> (0) Sending Access-Reject packet to host 127.0.0.1 port 35488, id=111, length=0
> (0) Reply-Message = 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
> Sending Access-Reject Id 111 from 127.0.0.1:1812 to 127.0.0.1:35488
> Reply-Message = 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
> Waking up in 3.9 seconds.
> (0) Cleaning up request packet ID 111 with timestamp +7
>
> I don't think this is just an issue with the user / password, but if anyone can point me in the right direction in what I may have done wrong with either the radius or privacy idea install?
>
> Cheers
>
> --
> You received this message because you are
subscribed to the Google
> Groups "privacyidea" group.
> To unsubscribe from this group and stop
receiving emails from it, send
> an email to
privacyidea...@googlegroups.com.
> To post to this group, send email to
priva...@googlegroups.com.
> To view this discussion on the web visit
>
> For more options, visit
https://groups.google.com/d/optout.
--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
--
You received this message because you are subscribed
to the Google Groups "privacyidea" group.
To unsubscribe from this group and stop receiving
emails from it, send an email to
privacyidea...@googlegroups.com.
To post to this group, send email to
priva...@googlegroups.com.
To view this discussion on the web visit
Thus this information will not be added to the reply.
If this succeeds, please drop me a note or open an issue at github.
We can then make the reply configurable.
Kind regards
CorneliusAm Mittwoch, den 21.10.2015, 17:54 -0700 schrieb Tony Hawker:
Hi Cornelius
Thanks for your help, I almost have this working now, i played around
allot, but i think that ticking the “use @ to separate user and realm”
has allowed the radius to pass though the details correctly
I have managed to have my radius client authenticate, and it seems to
be sending back the reply message “privacy IDEA access granted” to my
firewalls (I am tying to authenticate VPN users)
I have also attached a screen shot of how the packet looks from
privacy idea, do you think that because the reply packet is slightly
different it could be causing this problem?
is t possible to change the privacy idea radius accept packet too
something generic?
Cheers
On Wednesday, 21 October 2015 23:59:18 UTC+11, Cornelinux K wrote:
Hi,
The user can not be found in the resolver.
How does the request look like?
Is the realm the default realm.
how does the DN of the user look like?
You might have specified the wrong realm (see default realm)
Kind regards
Cornelius
Cornelius Kölbel
Corneliu...@netknights.it
+49 151 2960 1417
NetKnights GmbH
http://netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
-------- Ursprüngliche Nachricht --------
Von: Tony Hawker <lil...@gmail.com>
Datum: 21.10.2015 13:14 (GMT+01:00)
An: privacyidea <priva...@googlegroups.com>
Betreff: Re: Re: 'privacyIDEA request failed: 500 INTERNAL
SERVER ERROR' - FreeRadius
Hi Cornelius
Thanks for your response
I am running PIP installation on Centos 7
I am running latest version of Privacy idea (2.7), updated as
per instructions on howtoforge
the user is coming from Active Directory
UID is DN
there are no special characters anywhere in the AD config
testing using the URL you provided I get the message below
when attempting to use an AD user
"version": "privacyIDEA 2.7", "result": {"status": false, "error": {"message": "ERR905: The user can not be found in any resolver in this realm!", "code": -500}}, "time": 1445425459.788956, "id": 1}
but if i use the root user (from the privacyidea server) this returns:
{"message": "wrong otp pin"}, "versionnumber": "2.7", "version": "privacyIDEA 2.7", "result": {"status": true, "value": false}, "time": 1445425581.107504, "id": 1}
I assume the OTP token is out of sync, but looks much more promising
any idea on why the AD would not work via this method? as i can see all the users in the webui etc
Cheers
On Wednesday, 21 October 2015 21:01:47 UTC+11, Cornelinux K wrote:
Hi Tony,
Are you running a pip installation or debian wheezy?
Which version of privacyidea are you running?
In certain cases there were problems with the ldap
resolver, if the DN contains special characters and is
base54 encoded.
Is it openldap or AD?
The Uid type: is it DN or entryUUID?
Kind regards
Cornelius
Cornelius Kölbel
Corneliu...@netknights.it
+49 151 2960 1417
NetKnights GmbH
http://netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
-------- Ursprüngliche Nachricht --------
Von: Tony Hawker <lil...@gmail.com>
Datum: 21.10.2015 08:59 (GMT+01:00)
An: privacyidea <priva...@googlegroups.com>
Betreff: Re: 'privacyIDEA request failed: 500 INTERNAL
SERVER ERROR' - FreeRadius
Hi
thanks for your quick response to my issue
I have been watching the privacyidea.log but no
entries are made when a connection attempt is made via
the radius, which leads me to think that the radius is
not able to see the privacyidea API?
I can access the URI in my browser, so i can see that
is up
I see this in the privacyidea.log when i reboot
[2015-10-21
15:41:28,041][1924][139636199069440][ERROR][privacyidea.lib.resolvers.LDAPIdResolver:333] 'Traceback (most recent call last):\n File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/ LDAPIdResolver.py", line 328, in getUserList\n user = self._ldap_attributes_to_user_object(attributes)\n File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 246, in _ldap_attributes_to_user_object\n for ldap_k, ldap_v in attributes.items():\nAttributeError: \'NoneType\' object has no attribute \'items\'\n'
Cheers
On Wednesday, 21 October 2015 17:14:34 UTC+11, Cornelinux K wrote:
Hi Tony,
please do the following:
1. Take a look into the audit log
Within the webui take a look, what you can see
in the request in the
AUdit Tab. The right most tab.
I assume, the user does not exist.
The audit gives you a top level view of what
is happening in
privacyidea.
2. Take a look into the log file
privacyidea.log.
This gives you a detailed view, of what is
happening.
Kind regards
Cornelius
On Tuesday, 20.10.2015, 17:56 -0700, Tony Hawker wrote:
> Hi
> I have followed the guide on setting up privacyIDEA on CentOS 7 here:
> https://www.privacyidea.org/two-factor-authentication-with-otp-on-centos-7/
>
> I can access the webui, register tokens, link to Active Directory etc., all tested OK.
>
> I am having issues with the radius plugin: when I attempt to make any connection to the radius, either using the test functions described in the link above or from an external connection, I am seeing the errors below:
>
> ]# echo "User-Name=user, User-Password=password" | radclient -sx localhost auth testing123
>
> Sending Access-Request Id 91 from 0.0.0.0:34321 to 127.0.0.1:1812
> User-Name = 'user'
> User-Password = 'password'
> Received Access-Reject Id 91 from 127.0.0.1:1812 to 127.0.0.1:34321 length 75
> Reply-Message = 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
> (0) -: Expected Access-Accept got Access-Reject
> Packet summary:
> Accepted : 0
> Rejected : 1
> Lost : 0
> Passed filter : 0
> Failed filter : 1
>
> and on the radius server I see this:
>
> Received Access-Request Id 111 from 127.0.0.1:35488 to 127.0.0.1:1812 length 44
> User-Name = 'user'
> User-Password = 'password'
> (0) Received Access-Request packet from host 127.0.0.1 port 35488, id=111, length=44
> (0) User-Name = 'user'
> (0) User-Password = 'password'
> (0) # Executing section authorize from file /etc/raddb/sites-enabled/privacyidea
> (0) authorize {
> (0) [preprocess] = ok
> (0) [digest] = noop
> (0) suffix : Checking for suffix after "@"
> (0) suffix : No '@' in User-Name = "user", looking up realm NULL
> (0) suffix : No such realm "NULL"
> (0) [suffix] = noop
> (0) ntdomain : Checking for prefix before "\"
> (0) ntdomain : No '\' in User-Name = "user", looking up realm NULL
> (0) ntdomain : No such realm "NULL"
> (0) [ntdomain] = noop
> (0) [files] = noop
> (0) [expiration] = noop
> (0) [logintime] = noop
> (0) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
> (0) WARNING: pap : Authentication will fail unless a "known good" password is available
> (0) [pap] = noop
> (0) update control {
> (0) Auth-Type := Perl
> (0) } # update control = noop
> (0) } # authorize = ok
> (0) Found Auth-Type = Perl
> (0) # Executing group from file /etc/raddb/sites-enabled/privacyidea
> (0) Auth-Type Perl {
> (0) perl : $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'user'
> (0) perl : $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'password'
> (0) perl : $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '127.0.0.1'
> (0) perl : $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Oct 21 2015 11:50:57 AEDT'
> (0) perl : $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'Perl'
> (0) perl : $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'Perl'
> rlm_perl: Config File /etc/freeradius/rlm_perl.ini found!
> rlm_perl: Default URL https://127.0.0.1/validate/check
> rlm_perl: Looking for config for auth-type Perl
> rlm_perl: Auth-Type: Perl
> rlm_perl: url: https://127.0.0.1/validate/check
> rlm_perl: user sent to privacyidea: user
> rlm_perl: realm sent to privacyidea:
> rlm_perl: resolver sent to privacyidea:
> rlm_perl: client sent to privacyidea: 127.0.0.1
> rlm_perl: state sent to privacyidea:
> rlm_perl: urlparam client
> rlm_perl: urlparam pass
> rlm_perl: urlparam user
> rlm_perl: Not verifying SSL certificate!
> rlm_perl: privacyIDEA request failed: 500 INTERNAL SERVER ERROR
> rlm_perl: return RLM_MODULE_FAIL
> (0) perl : &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'user'
> (0) perl : &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Oct 21 2015 11:50:57 AEDT'
> (0) perl : &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'password'
> (0) perl : &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '127.0.0.1'
> (0) perl : &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
> (0) perl : &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl'
> (0) [perl] = fail
> (0) } # Auth-Type Perl = fail
> (0) Failed to authenticate the user
> (0) Using Post-Auth-Type Reject
> (0) Delaying response for 1 seconds
> Waking up in 0.9 seconds.
> (0) Sending delayed response
> (0) Sending Access-Reject packet to host 127.0.0.1 port 35488, id=111, length=0
> (0) Reply-Message = 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
> Sending Access-Reject Id 111 from 127.0.0.1:1812 to 127.0.0.1:35488
> Reply-Message = 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
> Waking up in 3.9 seconds.
> (0) Cleaning up request packet ID 111 with timestamp +7
>
> I don't think this is just an issue with the user / password, but can anyone point me in the right direction as to what I may have done wrong with either the radius or privacyIDEA install?
>
> Cheers
>
> --
> You received this message because you are subscribed to the Google Groups "privacyidea" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to privacyidea...@googlegroups.com.
> To post to this group, send email to priva...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/privacyidea/96a156c2-b64d-417d-811a-e152d27c8fd2%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
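The radiusd -X output quoted above mixes per-module return codes, rlm_perl diagnostics and the final reply, and the reject the client sees hides whether the backend said no or could not be asked at all. As an added example (written for this thread, not code from FreeRADIUS or privacyIDEA), the following Python script parses such debug output request by request and separates a backend failure (rlm_perl got no usable answer from privacyIDEA, which is the 500 case above) from an ordinary authentication reject; it also flags the "Not verifying SSL certificate!" line. The sample lines are constructed from the log in the thread, with two further constructed requests added for the reject and accept cases; the verdict names are this example's own.

```python
"""Triage FreeRADIUS 'radiusd -X' debug output per request (added example)."""
import re

# Constructed sample: abbreviated from the radiusd -X output quoted in the thread,
# plus two constructed requests (1: backend reject, 2: accept) for comparison.
SAMPLE_LOG = """\
(0) Received Access-Request packet from host 127.0.0.1 port 35488, id=111, length=44
(0) User-Name = 'user'
(0) [preprocess] = ok
(0) [pap] = noop
(0) Found Auth-Type = Perl
rlm_perl: Not verifying SSL certificate!
rlm_perl: privacyIDEA request failed: 500 INTERNAL SERVER ERROR
rlm_perl: return RLM_MODULE_FAIL
(0) [perl] = fail
(0) } # Auth-Type Perl = fail
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) Sending Access-Reject packet to host 127.0.0.1 port 35488, id=111, length=0
(0) Reply-Message = 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
(1) Received Access-Request packet from host 127.0.0.1 port 35490, id=112, length=44
(1) [perl] = reject
(1) Sending Access-Reject packet to host 127.0.0.1 port 35490, id=112, length=0
(2) Received Access-Request packet from host 127.0.0.1 port 35491, id=113, length=44
(2) [perl] = ok
(2) Sending Access-Accept packet to host 127.0.0.1 port 35491, id=113, length=0
"""

# Lines prefixed "(N)" belong to request N; rlm_perl lines carry no prefix.
RE_REQUEST = re.compile(r"^\((\d+)\)\s+Received Access-Request packet from host (\S+) port (\d+), id=(\d+)")
RE_MODULE = re.compile(r"^\((\d+)\)\s+\[(\w+)\] = (\w+)")
RE_SEND = re.compile(r"^\((\d+)\)\s+Sending (Access-\w+) packet")
RE_REPLY_MSG = re.compile(r"^\((\d+)\)\s+Reply-Message = '(.*)'")
RE_BACKEND_ERR = re.compile(r"^rlm_perl: privacyIDEA request failed: (.+)$")
RE_TLS_OFF = re.compile(r"^rlm_perl: Not verifying SSL certificate!")


def classify(summary):
    """Separate 'the backend said no' from 'the backend could not be asked'."""
    if summary["backend_error"] or summary["modules"].get("perl") == "fail":
        # Look at privacyidea.log and the audit log, not at the user's credentials.
        return "backend-failure"
    if summary["reply"] == "Access-Accept":
        return "auth-accept"
    if summary["reply"] == "Access-Reject":
        # Backend reachable: wrong PIN/OTP, unknown user in the realm, policy.
        return "auth-reject"
    return "incomplete"


def triage(log_text):
    """Return {request_no: summary} for every request in the debug output."""
    requests = {}
    current = None  # request whose rlm_perl lines we are currently reading
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RE_REQUEST.match(line)
        if m:
            current = int(m.group(1))
            requests[current] = {
                "client": f"{m.group(2)}:{m.group(3)}",
                "id": int(m.group(4)),
                "modules": {},
                "backend_error": None,
                "tls_unverified": False,
                "reply": None,
                "reply_message": None,
            }
            continue
        m = RE_MODULE.match(line)
        if m:
            requests[int(m.group(1))]["modules"][m.group(2)] = m.group(3)
            continue
        m = RE_SEND.match(line)
        if m:
            requests[int(m.group(1))]["reply"] = m.group(2)
            continue
        m = RE_REPLY_MSG.match(line)
        if m:
            requests[int(m.group(1))]["reply_message"] = m.group(2)
            continue
        if current is not None:
            m = RE_BACKEND_ERR.match(line)
            if m:
                requests[current]["backend_error"] = m.group(1)
            elif RE_TLS_OFF.match(line):
                requests[current]["tls_unverified"] = True
    for summary in requests.values():
        summary["verdict"] = classify(summary)
    return requests


if __name__ == "__main__":
    for no, s in triage(SAMPLE_LOG).items():
        print(f"request {no} id={s['id']} from {s['client']}: {s['verdict']}"
              + (f" ({s['backend_error']})" if s["backend_error"] else "")
              + (" [TLS certificate not verified]" if s["tls_unverified"] else ""))
```

Run over the real file (`radiusd -X 2>&1 | tee radius-debug.log`, then `triage(open("radius-debug.log").read())`), a run of "backend-failure" verdicts with the same error text points at the privacyIDEA side (here the LDAP resolver traceback), whereas "auth-reject" verdicts are the backend working as designed.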
the Attribute Value Pair Class 25 usually seems to expect some attribute, which the firewall uses to authorize the access or put the user of this request in some control group.
So the question is: Do you have another RADIUS server running at the moment, and what do the requests look like there?
I assume we have to add an attribute of class 25 with the correct value that is expected by your checkpoint configuration.
So I guess we need to look at the freeradius side (independent of the privacyIDEA plugin).
We need to investigate
the successful RADIUS REQUEST with your existing RADIUS server
the successful RADIUS RESPONSE with your existing RADIUS server
and then configure FreeRADIUS accordingly.
I will try to help you with that.
But maybe at a certain point we might also need to take this to the freeradius list.
Kind regards
Cornelius
On Wednesday, 21.10.2015, 23:52 -0700, Tony Hawker wrote:
Thanks Cornelius,
this script still doesn't seem to solve the problem; checkpoint still doesn't like the Access-Accept packets for some reason.
I've had the checkpoint talking to freeradius in the past, so it can work, but it just doesn't see these accept packets for some reason.
On Thursday, 22 October 2015 17:44:43 UTC+11, Cornelinux K wrote:
Hi Tony,
here is a slightly modified script that does not add any additional AVPs into the reply.
It only returns ACCESS_ACCEPT or ACCESS_REJECT.
This script replaces the existing one.
Please restart freeradius and check if checkpoint likes it.
Kind regards
Cornelius
On Wednesday, 21.10.2015, 23:35 -0700, Tony Hawker wrote:
> Hi Cornelius
> Thanks for this info.
> Where do I remove that line from? I'm not familiar with this process. Do I need to change a config file, or change some source code and recompile?
> I believe if I could change the message on that line that could also possibly help.
>
> Cheers
>
> On Thursday, 22 October 2015 17:27:55 UTC+11, Cornelinux K wrote:
> Hello Tony,
>
> at the moment there is no way to configure the reply message.
>
> You can remove the RAD_REPLY in the privacyidea perl module.
> https://github.com/privacyidea/privacyidea/blob/master/authmodules/FreeRADIUS/privacyidea_radius.pm#L335
>
> Thus this information will not be added to the reply.
> If this succeeds, please drop me a note or open an issue at github.
> We can then make the reply configurable.
>
> Kind regards
> Cornelius
>
> On Wednesday, 21.10.2015, 17:54 -0700, Tony Hawker wrote:
> > Hi Cornelius
> > Thanks for your help, I almost have this working now. I played around a lot, but I think that ticking the "use @ to separate user and realm" has allowed the radius to pass through the details correctly.
> >
> > I have managed to have my radius client authenticate, and it seems to be sending back the reply message "privacy IDEA access granted" to my firewalls (I am trying to authenticate VPN users).
> >
> > I believe the firewall does not like the response message; I am possibly getting a similar issue to the one described here:
> > https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk107638
> >
> > I have also attached a screen shot of how the packet looks from privacyIDEA. Do you think that because the reply packet is slightly different it could be causing this problem? Is it possible to change the privacyIDEA radius accept packet to something generic?
> >
> > Cheers
> >
> > On Wednesday, 21 October 2015 23:59:18 UTC+11, Cornelinux K wrote:
> > Hi,
> >
> > The user can not be found in the resolver.
> >
> > What does the request look like?
> > Is the realm the default realm?
> > What does the DN of the user look like?
> >
> > You might have specified the wrong realm (see default realm).
> >
> > Kind regards
> > Cornelius
> >
> > -------- Original message --------
> > From: Tony Hawker <lil...@gmail.com>
> > Date: 21.10.2015 13:14 (GMT+01:00)
> > To: privacyidea <priva...@googlegroups.com>
> > Subject: Re: Re: 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR' - FreeRadius
> >
> > Hi Cornelius
> > Thanks for your response.
> > I am running a pip installation on CentOS 7.
> > I am running the latest version of privacyIDEA (2.7), updated as per the instructions on howtoforge.
> > The user is coming from Active Directory.
> > UID is DN.
> > There are no special characters anywhere in the AD config.
> >
> > Testing using the URL you provided, I get the message below when attempting to use an AD user:
> > "version": "privacyIDEA 2.7", "result": {"status": false, "error": {"message": "ERR905: The user can not be found in any resolver in this realm!", "code": -500}}, "time": 1445425459.788956, "id": 1}
> >
> > But if I use the root user (from the privacyidea server) this returns:
> > {"message": "wrong otp pin"}, "versionnumber": "2.7", "version": "privacyIDEA 2.7", "result": {"status": true, "value": false}, "time": 1445425581.107504, "id": 1}
> > I assume the OTP token is out of sync, but this looks much more promising.
> >
> > Any idea on why the AD would not work via this method? As I can see all the users in the webui etc.
> >
> > Cheers
> >
> > On Wednesday, 21 October 2015 21:01:47 UTC+11, Cornelinux K wrote:
> > Hi Tony,
> >
> > Are you running a pip installation or debian wheezy?
> >
> > Which version of privacyidea are you running?
> >
> > In certain cases there were problems with the ldap resolver, if the DN contains special characters and is base64 encoded.
> >
> > Is it openldap or AD?
> >
> > The Uid type: is it DN or entryUUID?
> >
> > Kind regards
> > Cornelius
> >
> > -------- Original message --------
> > From: Tony Hawker <lil...@gmail.com>
> > Date: 21.10.2015 08:59 (GMT+01:00)
> > To: privacyidea <priva...@googlegroups.com>
> > Subject: Re: 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR' - FreeRadius
> >
> > Hi
> > Thanks for your quick response to my issue.
> > I have been watching the privacyidea.log but no entries are made when a connection attempt is made via the radius, which leads me to think that the radius is not able to see the privacyidea API?
> > I can access the URI in my browser, so I can see that it is up.
> >
> > I see this in the privacyidea.log when I reboot:
> >
> > [2015-10-21 15:41:28,041][1924][139636199069440][ERROR][privacyidea.lib.resolvers.LDAPIdResolver:333] 'Traceback (most recent call last):\n File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 328, in getUserList\n user = self._ldap_attributes_to_user_object(attributes)\n File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 246, in _ldap_attributes_to_user_object\n for ldap_k, ldap_v in attributes.items():\nAttributeError: \'NoneType\' object has no attribute \'items\'\n'
> >
> > Cheers
> >
--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
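Cornelius's suggestion above is to capture a working Access-Accept from the existing RADIUS server and compare it attribute by attribute with the one FreeRADIUS sends on behalf of privacyIDEA, since the firewall appears to expect a Class (attribute type 25) value rather than a Reply-Message (type 18). As an added example (written for this thread, not code from FreeRADIUS, privacyIDEA or Check Point), the following Python implements the RFC 2865 wire format needed for that comparison: a 20-byte header (Code, Identifier, Length, Authenticator) followed by Type-Length-Value attributes, with the Response Authenticator computed as MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret). It builds a constructed "known good" accept carrying User-Name and Class next to one carrying only Reply-Message, verifies both authenticators, and reports which attribute types are missing or extra. The shared secret `testing123` is the one used in the radclient test above; the request authenticator, the Class value `vpn-users` and the reply text are constructed sample values.

```python
"""RFC 2865 Access-Accept encoding, verification and attribute diff (added example)."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_NAMES = {1: "User-Name", 18: "Reply-Message", 25: "Class"}  # types used here


def encode_attrs(attrs):
    """attrs: list of (type, value bytes). Each AVP is Type(1) Length(1) Value."""
    out = bytearray()
    for atype, value in attrs:
        if not 0 < len(value) <= 253:  # Length includes the 2 header bytes, max 255
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return bytes(out)


def response_authenticator(code, ident, attrs_wire, request_auth, secret):
    """MD5 over Code+ID+Length+RequestAuth+Attributes+Secret (RFC 2865 section 3)."""
    length = 20 + len(attrs_wire)
    return hashlib.md5(struct.pack("!BBH", code, ident, length)
                       + request_auth + attrs_wire + secret).digest()


def build_response(code, ident, attrs, request_auth, secret):
    wire = encode_attrs(attrs)
    auth = response_authenticator(code, ident, wire, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(wire)) + auth + wire


def parse(packet):
    """Decode header and attributes; reject truncated or inconsistent lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "authenticator": packet[4:20], "attrs": attrs}


def verify_response(packet, request_auth, secret):
    """True if the reply's authenticator matches the request authenticator and secret."""
    p = parse(packet)
    expected = response_authenticator(p["code"], p["id"], packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, p["authenticator"])


def diff_attrs(reference, candidate):
    """Attribute types present in the reference reply but not the candidate, and vice versa."""
    ref = {a for a, _ in reference["attrs"]}
    cand = {a for a, _ in candidate["attrs"]}
    return {"missing": sorted(ref - cand), "extra": sorted(cand - ref)}


def example_diff(secret=b"testing123", ident=111):
    """Compare a constructed 'known good' accept (with Class) against a Reply-Message-only one."""
    request_auth = bytes(range(16))  # constructed; real requests carry 16 random bytes
    reference = build_response(ACCESS_ACCEPT, ident,
                               [(1, b"user"), (25, b"vpn-users")], request_auth, secret)
    candidate = build_response(ACCESS_ACCEPT, ident,
                               [(18, b"privacyIDEA access granted")], request_auth, secret)
    if not (verify_response(reference, request_auth, secret)
            and verify_response(candidate, request_auth, secret)):
        raise RuntimeError("authenticator mismatch")
    return diff_attrs(parse(reference), parse(candidate))


if __name__ == "__main__":
    d = example_diff()
    print("missing:", [ATTR_NAMES.get(t, t) for t in d["missing"]])
    print("extra:  ", [ATTR_NAMES.get(t, t) for t in d["extra"]])
```

With a real capture, feed the raw UDP payloads of the two replies to `parse()` and the request's 16-byte authenticator to `verify_response()`; a missing type 25 in the diff is exactly the symptom described in the thread, and the Class value itself is opaque to the server (RFC 2865 says the NAS returns it unchanged in accounting), so its expected content has to come from the firewall's own configuration.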
> privacyidea...@googlegroups.com.
> > To post to this group, send email
to
> priva...@googlegroups.com.
> > To view this discussion on the web
visit
> >
>
https://groups.google.com/d/msgid/privacyidea/96a156c2-b64d-417d-811a-e152d27c8fd2%40googlegroups.com.
> > For more options, visit
> https://groups.google.com/d/optout.
--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
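The radius log quoted above shows how a backend HTTP 500 becomes an Access-Reject: rlm_perl logs "return RLM_MODULE_FAIL", "[perl] = fail" follows, and Post-Auth-Type Reject sends the reply. The example below is an added illustration of that decision, not the privacyidea_radius.pm code; it uses the /validate/check replies quoted in this thread as constructed fixtures, and the `detail` key in the wrong-pin reply is an assumption because the pasted JSON is cut off before it.

```python
"""
Turn a privacyIDEA /validate/check answer into the module result that
decides the RADIUS reply. The radius log shows the failing path:
HTTP 500 -> "return RLM_MODULE_FAIL" -> "[perl] = fail" -> Access-Reject.
Added illustration, not the privacyidea_radius.pm code.
"""
import json

# Module results in the sense of FreeRADIUS rlm_perl return codes.
RLM_MODULE_OK = "RLM_MODULE_OK"          # verdict: authenticated
RLM_MODULE_REJECT = "RLM_MODULE_REJECT"  # verdict: not authenticated
RLM_MODULE_FAIL = "RLM_MODULE_FAIL"      # no verdict: backend/transport problem


def classify_validate_check(http_status, body):
    """Return (module_result, reply_message) for one /validate/check answer.

    Three cases this thread shows:
      * non-200 HTTP status: no verdict at all           -> FAIL
      * result.status false: privacyIDEA reports an error
        (ERR905, user not found in any resolver)        -> REJECT
      * result.status true: result.value is the verdict  -> OK / REJECT
    """
    if http_status != 200:
        return RLM_MODULE_FAIL, "privacyIDEA request failed: %d" % http_status
    try:
        data = json.loads(body)
    except ValueError:
        return RLM_MODULE_FAIL, "privacyIDEA request failed: non-JSON body"
    result = data.get("result") or {}
    if not result.get("status"):
        err = result.get("error") or {}
        return RLM_MODULE_REJECT, "%s (code %s)" % (
            err.get("message", "unknown error"), err.get("code"))
    if result.get("value") is True:
        return RLM_MODULE_OK, "privacyIDEA access granted"
    detail = data.get("detail") or {}
    return RLM_MODULE_REJECT, detail.get("message", "privacyIDEA access denied")


def radius_packet_code(module_result):
    """FAIL and REJECT both end as an Access-Reject on the wire, as the log
    shows; only OK produces an Access-Accept. The difference matters for
    monitoring: a burst of FAIL means the backend is unreachable or broken,
    not that users are typing wrong credentials."""
    return "Access-Accept" if module_result == RLM_MODULE_OK else "Access-Reject"


# Constructed fixtures, built from the outputs quoted in this thread.
SAMPLES = {
    "http_500": (500, "INTERNAL SERVER ERROR"),
    "user_not_found": (200, json.dumps({
        "version": "privacyIDEA 2.7",
        "result": {"status": False, "error": {
            "message": "ERR905: The user can not be found in any resolver in this realm!",
            "code": -500}},
        "time": 1445425459.788956, "id": 1})),
    "wrong_pin": (200, json.dumps({
        # "detail" is assumed; the pasted reply is cut off before this key
        "detail": {"message": "wrong otp pin"},
        "versionnumber": "2.7", "version": "privacyIDEA 2.7",
        "result": {"status": True, "value": False},
        "time": 1445425581.107504, "id": 1})),
    "granted": (200, json.dumps({   # constructed: the success shape
        "version": "privacyIDEA 2.7",
        "result": {"status": True, "value": True}, "id": 1})),
}


def evaluate_samples(samples=SAMPLES):
    """Run every fixture; return {name: (module_result, packet_code, message)}."""
    out = {}
    for name, (status, body) in samples.items():
        result, message = classify_validate_check(status, body)
        out[name] = (result, radius_packet_code(result), message)
    return out


if __name__ == "__main__":
    for name, (result, code, message) in evaluate_samples().items():
        print("%-15s %-18s %-14s %s" % (name, result, code, message))
```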
Thanks Cornelius
Yes that file exists, seems to be a default file, with a lot of ## out bits but no entries
I entered the settings as specified but still get errors when starting
/etc/raddb/mods-config/files/authorize[221]: Parse error (check) for entry authorize: Invalid attribute name
Failed reading /etc/raddb/mods-config/files/authorize
/etc/raddb/mods-enabled/files[9]: Instantiation failed for module "files"
On Thursday, 22 October 2015 22:50:13 UTC+11, Cornelinux K wrote:
Hi Tony,
I forgot that you are running on CentOS 7 with FR3.
So in this case you might need to add it like this:
authorize {
    update control {
        Auth-Type := Perl
        Class := AVP
    }
}
I do not have FreeRADIUS 3 at hand to test this…
Kind regards
Cornelius
Hi Cornelius
there should be no group information passed through to the radius, only user details
I have added the following to /etc/raddb/users
DEFAULT Auth-Type := Perl
Class = AVP
but i get errors when starting the radius service
/etc/raddb/mods-config/files/authorize[59]: Parse error (check) for entry DEFAULT: Unknown value 'Perl' for attribute 'Auth-Type'
Failed reading /etc/raddb/mods-config/files/authorize
/etc/raddb/mods-enabled/files[9]: Instantiation failed for module "files"
I will get a successful login from the other freeradius and compare with what is coming from the privacyidea radius and see what the difference is, will upload these shortly
Cheers
On Thursday, 22 October 2015 18:41:18 UTC+11, Cornelinux K wrote:
Hi Tony,
you can edit your file /etc/freeradius/users like this:
DEFAULT Auth-Type := Perl
        Class = YOUR_GROUP_EXPECTED_BY_CHECKPOINT
This way each user will be authenticated against the perl module a.k.a. privacyIDEA and put into the corresponding group.
Or: You can add the Class AVP that is expected by your checkpoint.
Please note: In the radius request the Class is hex encoded. In the users config file you need to enter a normal ASCII string.
Kind regards
Cornelius
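The point above about the Class attribute being hex on the wire but plain ASCII in the users file comes down to the RADIUS attribute encoding: Class (type 25) is an opaque octet string inside a Type/Length/Value triple. The example below is added here and is not FreeRADIUS or privacyIDEA code; it encodes and decodes the Reply-Message and Class AVPs of an Access-Accept using the RFC 2865 attribute numbers, with the group name "VPN_USERS" as a constructed placeholder, and it also rejects the malformed length fields a defensive parser has to refuse.

```python
"""
RADIUS attribute-value pairs on the wire. Each AVP is Type (1 byte),
Length (1 byte, counting the 2-byte header) and Value. Class (type 25) is
an opaque octet string, so packet dumps print it as hex even though the
FreeRADIUS users file takes a plain ASCII string. Added example, not
FreeRADIUS or privacyIDEA code; attribute numbers are from RFC 2865 and the
group name used below is a constructed placeholder.
"""
import struct

REPLY_MESSAGE = 18   # RFC 2865 attribute numbers
CLASS = 25
MAX_VALUE_LEN = 253  # 255 (max Length) minus the 2-byte header


def encode_avp(attr_type, value):
    """Encode one AVP; a str value is the ASCII written in the users file."""
    if isinstance(value, str):
        value = value.encode("ascii")
    if not 0 < len(value) <= MAX_VALUE_LEN:
        raise ValueError("AVP value must be 1..%d bytes" % MAX_VALUE_LEN)
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_avps(blob):
    """Parse a run of AVPs into [(type, raw_value)], rejecting malformed input.

    A Length below 3 (no value at all) or a Length running past the buffer is
    an error; accepting either silently is how parsers end up reading bytes
    that belong to the next attribute or to nothing at all.
    """
    avps, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated AVP header at offset %d" % pos)
        attr_type, length = struct.unpack_from("!BB", blob, pos)
        if length < 3 or pos + length > len(blob):
            raise ValueError("bad AVP length %d at offset %d" % (length, pos))
        avps.append((attr_type, blob[pos + 2:pos + length]))
        pos += length
    return avps


def is_malformed(blob):
    """True when decode_avps refuses the buffer."""
    try:
        decode_avps(blob)
    except ValueError:
        return True
    return False


def build_accept_attributes(group, message):
    """Attribute section of an Access-Accept carrying Reply-Message and Class,
    the two AVPs discussed in this thread."""
    return encode_avp(REPLY_MESSAGE, message) + encode_avp(CLASS, group)


def class_as_hex(raw):
    """How a packet dump (radclient -x, tcpdump) shows the opaque Class value."""
    return "0x" + raw.hex()


def class_as_users_file_value(raw):
    """The same value as written in the users file (ASCII), or None when the
    octets are not printable ASCII and cannot be entered that way."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


if __name__ == "__main__":
    blob = build_accept_attributes("VPN_USERS", "privacyIDEA access granted")
    for attr_type, raw in decode_avps(blob):
        if attr_type == CLASS:
            print("Class on the wire:   ", class_as_hex(raw))
            print("Class in users file: ", class_as_users_file_value(raw))
        elif attr_type == REPLY_MESSAGE:
            print("Reply-Message:       ", raw.decode("ascii"))
```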
you can edit your file /etc/freeradius/users like this:
DEFAULT Auth-Type := Perl
        Class = YOUR_GROUP_EXPECTED_BY_CHECKPOINT
This way each user will be authenticated against the perl module a.k.a. privacyIDEA and put into the corresponding group.
Or: You can add the Class AVP that is expected by your checkpoint.
Please note: In the radius request the Class is hex encoded. In the users config file you need to enter a normal ASCII string.
Kind regards
Cornelius
On Thursday, 22.10.2015, 09:23 +0200, Cornelius Kölbel wrote:
Hi Tony,
the Attribute Value Pair Class 25 usually seems to expect some attribute, which the firewall uses to authorize the access or put the user of this request in some control group.
So the question is: Do you have another RADIUS server running at the moment and what do the requests look like there?
So I guess we need to look at the freeradius side (independent of the privacyIDEA plugin).
We need to investigate
the successful RADIUS REQUEST with your existing RADIUS server
the successful RADIUS RESPONSE with your existing RADIUS server
and then configure FreeRADIUS accordingly.
I will try to help you with that.
But maybe at a certain point we might also need to take this to the freeradius list.
Kind regards
Cornelius
On Wednesday, 21.10.2015, 23:52 -0700, Tony Hawker wrote:
Thanks Cornelius
this script still doesn't seem to solve the problem, checkpoint still doesn't like the Access-Accept packets for some reason
I've had the checkpoint talking to freeradius in the past, so it can work, but just doesn't see these accept packets for some reason
On Thursday, 22 October 2015 17:44:43 UTC+11, Cornelinux K wrote:
Hi Tony,
here is a slightly modified script, that does not add any additional AVPs into the reply.
It only returns ACCESS_ACCEPT or ACCESS_REJECT.
This script replaces the existing one.
Please restart freeradius and check if checkpoint likes it.
Kind regards
Cornelius
On Wednesday, 21.10.2015, 23:35 -0700, Tony Hawker wrote:
> Hi Cornelius
> Thanks for this info
> where do i remove that line from? I'm not familiar with this process?
> do i need to change a config file? or change some source code and recompile?
> I believe if i could change the message on that line that could also possibly help
>
> Cheers
>
> On Thursday, 22 October 2015 17:27:55 UTC+11, Cornelinux K wrote:
> Hello Tony,
>
> at the moment there is no way to configure the reply message.
>
> You can remove the RAD_REPLY in the privacyidea perl module.
> https://github.com/privacyidea/privacyidea/blob/master/authmodules/FreeRADIUS/privacyidea_radius.pm#L335
>
> Thus this information will not be added to the reply.
> If this succeeds, please drop me a note or open an issue at github.
> We can then make the reply configurable.
>
> Kind regards
> Cornelius
>
> On Wednesday, 21.10.2015, 17:54 -0700, Tony Hawker wrote:
> > Hi Cornelius
> > Thanks for your help, I almost have this working now, i played around a lot, but i think that ticking the "use @ to separate user and realm" has allowed the radius to pass through the details correctly
> >
> > I have managed to have my radius client authenticate, and it seems to be sending back the reply message "privacy IDEA access granted" to my firewalls (I am trying to authenticate VPN users)
> >
> > I believe the firewall does not like the response message, I am possibly getting a similar issue described here:
> > https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk107638
> >
> > I have also attached a screen shot of how the packet looks from privacy idea, do you think that because the reply packet is slightly different it could be causing this problem?
> > is it possible to change the privacy idea radius accept packet to something generic?
> >
> > Cheers
> >
> > On Wednesday, 21 October 2015 23:59:18 UTC+11, Cornelinux K wrote:
> >
> > Hi,
> >
> > The user can not be found in the resolver.
> >
> > What does the request look like?
> > Is the realm the default realm?
> > What does the DN of the user look like?
> >
> > You might have specified the wrong realm (see default realm)
> >
> > Kind regards
> > Cornelius
> >
> > -------- Original message --------
> > From: Tony Hawker <lil...@gmail.com>
> > Date: 21.10.2015 13:14 (GMT+01:00)
> > To: privacyidea <priva...@googlegroups.com>
> > Subject: Re: Re: 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR' - FreeRadius
> >
> > Hi Cornelius
> > Thanks for your response
> > I am running PIP installation on Centos 7
> > I am running latest version of Privacy idea (2.7), updated as per instructions on howtoforge
> > the user is coming from Active Directory
> > UID is DN
> > there are no special characters anywhere in the AD config
> >
> > testing using the URL you provided I get the message below when attempting to use an AD user
> > "version": "privacyIDEA 2.7", "result": {"status": false, "error": {"message": "ERR905: The user can not be found in any resolver in this realm!", "code": -500}}, "time": 1445425459.788956, "id": 1}
> >
> > but if i use the root user (from the privacyidea server) this returns:
> > {"message": "wrong otp pin"}, "versionnumber": "2.7", "version": "privacyIDEA 2.7", "result": {"status": true, "value": false}, "time": 1445425581.107504, "id": 1}
> > I assume the OTP token is out of sync, but looks much more promising
> >
> > any idea on why the AD would not work via this method? as i can see all the users in the webui etc
> >
> > Cheers
> >
> > On Wednesday, 21 October 2015 21:01:47 UTC +11, Cornelinux K wrote:
> > Hi Tony,
> >
> > Are you running a pip installation or debian wheezy?
> >
> > Which version of privacyidea are you running?
> >
> > In certain cases there were problems with the ldap resolver, if the DN contains special characters and is base64 encoded.
> >
> > Is it openldap or AD?
> >
> > The Uid type: is it DN or entryUUID?
> >
> > Kind regards
> > Cornelius
> >
> > -------- Ursprüngliche Nachricht
--------
> > Von: Tony Hawker
<lil...@gmail.com>
> > Datum: 21.10.2015 08:59 (GMT
+01:00)
> > An: privacyidea
<priva...@googlegroups.com>
> > Betreff: Re: 'privacyIDEA request
failed:
> 500 INTERNAL
> > SERVER ERROR' - FreeRadius
> >
> > Hi
> > thanks for your quick response to
my issue
> > I have been watching the
privacyidea.log but
> no
> > entries are made when a connection
attempt
> is made via
> > the radius, which leads me to
think that the
> radius is
> > not able to see the privacyidea
API?
> > I can access the URI in my
browser, so i can
> see that
> > is up
> >
> >
> > I see this in the privacyidea.log
when i
> reboot
> >
> >
> > [2015-10-21
> >
>
15:41:28,041][1924][139636199069440][ERROR][privacyidea.lib.resolvers.LDAPIdResolver:333] 'Traceback (most recent call last):\n File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/ LDAPIdResolver.py", line 328, in getUserList\n user = self._ldap_attributes_to_user_object(attributes)\n File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 246, in _ldap_attributes_to_user_object\n for ldap_k, ldap_v in attributes.items():\nAttributeError: \'NoneType\' object has no attribute \'items\'\n'
> >
> >
> > Cheers
> > > --
> > > You received this message because you are subscribed to the Google Groups "privacyidea" group.
> > > To unsubscribe from this group and stop receiving emails from it, send an email to privacyidea...@googlegroups.com.
> > > To post to this group, send email to priva...@googlegroups.com.
> > > To view this discussion on the web visit https://groups.google.com/d/msgid/privacyidea/96a156c2-b64d-417d-811a-e152d27c8fd2%40googlegroups.com.
> > > For more options, visit https://groups.google.com/d/optout.
--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Managing Director: Cornelius Kölbel
Hi Cornelius
Thanks for your help, I almost have this working now, I played around a lot, but I think that ticking the "use @ to separate user and realm" has allowed the radius to pass through the details correctly
I have managed to have my radius client authenticate, and it seems to be sending back the reply message "privacy IDEA access granted" to my firewalls (I am trying to authenticate VPN users)
I believe the firewall does not like the response message, I am possibly getting a similar issue described
I have also attached a screen shot of how the packet looks from privacy idea, do you think that because the reply packet is slightly different it could be causing this problem?
Is it possible to change the privacy idea radius accept packet to something generic?
Cheers

On Wednesday, 21 October 2015 23:59:18 UTC+11, Cornelinux K wrote:
Hi,
The user can not be found in the resolver.
What does the request look like?
Is the realm the default realm?
What does the DN of the user look like?
You might have specified the wrong realm (see default realm)
Kind regards
Cornelius
On Wednesday, 21 October 2015 17:14:34 UTC+11, Cornelinux K wrote:
Hi Tony,
please do the following:
1. Take a look into the audit log
Within the webui take a look at what you can see in the request in the Audit tab, the rightmost tab.
I assume the user does not exist.
The audit gives you a top level view of what is happening in privacyidea.
2. Take a look into the log file privacyidea.log.
This gives you a detailed view of what is happening.
Kind regards
Cornelius
On Tuesday, 20.10.2015, 17:56 -0700, Tony Hawker wrote:
Hi
I have followed the guide on setting up privacyIDEA on Centos 7 here:
https://www.privacyidea.org/two-factor-authentication-with-otp-on-centos-7/
I can access the webui, register tokens, linked to active directory etc, all tested ok
I am having issues with the radius plugin, when I attempt to make any connection to the radius, either using the test functions described in the link above, or from an external connection, I am seeing the errors below:

]# echo "User-Name=user, User-Password=password" | radclient -sx localhost auth testing123

Sending Access-Request Id 91 from 0.0.0.0:34321 to 127.0.0.1:1812
User-Name = 'user'
User-Password = 'password'
Received Access-Reject Id 91 from 127.0.0.1:1812 to 127.0.0.1:34321 length 75
Reply-Message = 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
(0) -: Expected Access-Accept got Access-Reject
Packet summary:
Accepted : 0
Rejected : 1
Lost : 0
Passed filter : 0
Failed filter : 1

and on the radius server I see this:

Received Access-Request Id 111 from 127.0.0.1:35488 to 127.0.0.1:1812 length 44
User-Name = 'user'
User-Password = 'password'
(0) Received Access-Request packet from host 127.0.0.1 port 35488, id=111, length=44
(0) User-Name = 'user'
(0) User-Password = 'password'
(0) # Executing section authorize from file /etc/raddb/sites-enabled/privacyidea
(0) authorize {
(0) [preprocess] = ok
(0) [digest] = noop
(0) suffix : Checking for suffix after "@"
(0) suffix : No '@' in User-Name = "user", looking up realm NULL
(0) suffix : No such realm "NULL"
(0) [suffix] = noop
(0) ntdomain : Checking for prefix before "\"
(0) ntdomain : No '\' in User-Name = "user", looking up realm NULL
(0) ntdomain : No such realm "NULL"
(0) [ntdomain] = noop
(0) [files] = noop
(0) [expiration] = noop
(0) [logintime] = noop
(0) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
(0) WARNING: pap : Authentication will fail unless a "known good" password is available
(0) [pap] = noop
(0) update control {
(0) Auth-Type := Perl
(0) } # update control = noop
(0) } # authorize = ok
(0) Found Auth-Type = Perl
(0) # Executing group from file /etc/raddb/sites-enabled/privacyidea
(0) Auth-Type Perl {
(0) perl : $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'user'
(0) perl : $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'password'
(0) perl : $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '127.0.0.1'
(0) perl : $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Oct 21 2015 11:50:57 AEDT'
(0) perl : $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'Perl'
(0) perl : $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'Perl'
rlm_perl: Config File /etc/freeradius/rlm_perl.ini found!
rlm_perl: Default URL https://127.0.0.1/validate/check
rlm_perl: Looking for config for auth-type Perl
rlm_perl: Auth-Type: Perl
rlm_perl: url: https://127.0.0.1/validate/check
rlm_perl: user sent to privacyidea: user
rlm_perl: realm sent to privacyidea:
rlm_perl: resolver sent to privacyidea:
rlm_perl: client sent to privacyidea: 127.0.0.1
rlm_perl: state sent to privacyidea:
rlm_perl: urlparam client
rlm_perl: urlparam pass
rlm_perl: urlparam user
rlm_perl: Not verifying SSL certificate!
rlm_perl: privacyIDEA request failed: 500 INTERNAL SERVER ERROR
rlm_perl: return RLM_MODULE_FAIL
(0) perl : &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'user'
(0) perl : &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Oct 21 2015 11:50:57 AEDT'
(0) perl : &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'password'
(0) perl : &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '127.0.0.1'
(0) perl : &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
(0) perl : &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl'
(0) [perl] = fail
(0) } # Auth-Type Perl = fail
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) Delaying response for 1 seconds
Waking up in 0.9 seconds.
(0) Sending delayed response
(0) Sending Access-Reject packet to host 127.0.0.1 port 35488, id=111, length=0
(0) Reply-Message = 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
Sending Access-Reject Id 111 from 127.0.0.1:1812 to 127.0.0.1:35488
Reply-Message = 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 111 with timestamp +7

I don't think this is just an issue with the user / password, but if anyone can point me in the right direction in what I may have done wrong with either the radius or privacy idea install?
Cheers
Hi Cornelius
we have now resolved this issue, it turned out to be an issue with the VPN community on the firewall, once resolved everything started working, it's odd that the other auth server was working at all once seeing the issue
Thanks for your support on this, I may put up some basic how-to's on the checkpoint implementation that can complement the guides that are already available in the next few days
Cheers

On Thursday, 22 October 2015 22:56:13 UTC+11, Tony Hawker wrote:
Thanks Cornelius
Yes that file exists, seems to be a default file, with a lot of ## out bits but no entries
I entered the settings as specified but still get errors when starting
/etc/raddb/mods-config/files/authorize[221]: Parse error (check) for entry authorize: Invalid attribute name
Failed reading /etc/raddb/mods-config/files/authorize
/etc/raddb/mods-enabled/files[9]: Instantiation failed for module "files"
On Thursday, 22 October 2015 22:50:13 UTC+11, Cornelinux K wrote:
Hi Tony,
I forgot that you are running on CentOS 7 with FR3.
So in this case you might need to add it like this:

authorize {
    update control {
        Auth-Type := Perl
        Class := AVP
    }
}

I do not have FreeRADIUS 3 at hand to test this...
Kind regards
Cornelius
On Thursday, 22.10.2015, 09:41 +0200, Cornelius Kölbel wrote:
Hi Tony,
you can edit your file /etc/freeradius/users like this:

DEFAULT Auth-Type := Perl
    Class = YOUR_GROUP_EXPECTED_BY_CHECKPOINT

This way each user will be authenticated against the perl module a.k.a. privacyIDEA and put into the corresponding group.
Or: You can add the Class AVP that is expected by your checkpoint.
Please note: In the radius request the Class is hex encoded. In the users config file you need to enter a normal ascii string.
Kind regards
Cornelius
On Thursday, 22.10.2015, 09:23 +0200, Cornelius Kölbel wrote:
Hi Tony,
the Attribute Value Pair Class 25 usually seems to expect some attribute, which the firewall uses to authorize the access or put the user of this request in some control group.
So the question is: Do you have another RADIUS server running at the moment and what do the requests look like there?
So I guess we need to look at the freeradius side (independent of the privacyIDEA plugin).
We need to investigate
1. the successful RADIUS REQUEST with your existing RADIUS server
2. the successful RADIUS RESPONSE with your existing RADIUS server
and then configure FreeRADIUS accordingly.
I will try to help you with that.
But maybe at a certain point we might also need to take this to the freeradius list.
Kind regards
Cornelius
On Wednesday, 21.10.2015, 23:52 -0700, Tony Hawker wrote:
Thanks Cornelius
this script still doesn't seem to solve the problem, checkpoint still doesn't like the Access-Accept packets for some reason
I've had the checkpoint talking to freeradius in the past, so it can work, but just doesn't see these accept packets for some reason
On Thursday, 22 October 2015 17:44:43 UTC+11, Cornelinux K wrote:
Hi Tony,
here is a slightly modified script, that does not add any additional AVPs into the reply.
It only returns ACCESS_ACCEPT or ACCESS_REJECT.
This script replaces the existing one.
Please restart freeradius and check if checkpoint likes it.
Kind regards
Cornelius
On Wednesday, 21.10.2015, 23:35 -0700, Tony Hawker wrote:
> Hi Cornelius
> Thanks for this info
> where do I remove that line from? I'm not familiar with this process?
> do I need to change a config file? or change some source code and recompile?
> I believe if I could change the message on that line that could also possibly help
>
> Cheers
>
> On Thursday, 22 October 2015 17:27:55 UTC+11, Cornelinux K wrote:
> Hello Tony,
>
> at the moment there is no way to configure the reply message.
>
> You can remove the RAD_REPLY in the privacyidea
>
> Thus this information will not be added to the reply.
> If this succeeds, please drop me a note or open an issue at github.
> We can then make the reply configurable.
>
> Kind regards
> Cornelius
>
> > From: Tony Hawker <lil...@gmail.com>
> > Date: 21.10.2015 13:14 (GMT+01:00)
> > To: privacyidea <priva...@googlegroups.com>
> > Subject: Re: Re: 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR' - FreeRadius
> >
> > Hi Cornelius
> > Thanks for your response
> > I am running PIP installation on Centos 7
> > I am running latest version of Privacy idea (2.7), updated as per instructions on howtoforge
> > the user is coming from Active Directory
> > UID is DN
> > there are no special characters anywhere in the AD config
> >
> > testing using the URL you provided I get the message below when attempting to use an AD user
> > "version": "privacyIDEA 2.7", "result": {"status": false, "error": {"message": "ERR905: The user can not be found in any resolver in this realm!", "code": -500}}, "time": 1445425459.788956, "id": 1}
> >
> > but if I use the root user (from the privacyidea server) this returns:
> > {"message": "wrong otp pin"}, "versionnumber": "2.7", "version": "privacyIDEA 2.7", "result": {"status": true, "value": false}, "time": 1445425581.107504, "id": 1}
> > I assume the OTP token is out of sync, but looks much more promising
> >
> > any idea on why the AD would not work via this method? as I can see all the users in the webui etc
> >
> > Cheers
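The /validate/check answers quoted in this thread (ERR905 "user not found", "wrong otp pin") and the HTTP 500 / closed-connection failures are the three outcomes a RADIUS front end has to keep apart: accept, reject, and fail. The following is an added Python example, not code from the thread or from the privacyIDEA rlm_perl module; the sample responses, their HTTP status codes, the "detail" wrapper and the success response are constructed assumptions about the API shape.

```python
import json

# Constructed sample responses for this example. The first two follow the shape of
# the /validate/check answers quoted in this thread (ERR905 "user not found" and
# "wrong otp pin"); the "detail" wrapper on the second and the success response are
# assumptions about the API shape, not copied from the thread.
SAMPLE_USER_NOT_FOUND = (
    '{"version": "privacyIDEA 2.7", "result": {"status": false, "error": '
    '{"message": "ERR905: The user can not be found in any resolver in this realm!", '
    '"code": -500}}, "time": 1445425459.788956, "id": 1}'
)
SAMPLE_WRONG_PIN = (
    '{"detail": {"message": "wrong otp pin"}, "versionnumber": "2.7", '
    '"version": "privacyIDEA 2.7", "result": {"status": true, "value": false}, '
    '"time": 1445425581.107504, "id": 1}'
)
SAMPLE_ACCEPTED = (
    '{"detail": {"message": "matching 1 tokens"}, "result": {"status": true, '
    '"value": true}, "version": "privacyIDEA 2.7", "id": 1}'
)

# FreeRADIUS module return codes as the rlm_perl log in this thread names them.
OK, REJECT, FAIL = "RLM_MODULE_OK", "RLM_MODULE_REJECT", "RLM_MODULE_FAIL"


def parse_validate_check(body):
    """Return the decoded /validate/check document, or None if the body is not
    a JSON object carrying a "result" object (an HTML 500 page, an empty body
    from a closed connection, or a truncated payload)."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return None
    if not isinstance(doc, dict) or not isinstance(doc.get("result"), dict):
        return None
    return doc


def decide(http_status, body):
    """Map one /validate/check exchange to (module return code, Reply-Message).

    The three-way split is the point: a transport or server error is FAIL (the
    NAS may fail over and an operator should be alerted), an application-level
    error such as ERR905 is REJECT (privacyIDEA processed the request and said
    no), and only result.value == true is OK. Folding FAIL into REJECT, as a
    plain accept/reject script does, hides the intermittent 500s discussed here.
    """
    doc = parse_validate_check(body)
    if doc is None:
        if http_status is None:
            return FAIL, "privacyIDEA request failed: no response from server"
        return FAIL, "privacyIDEA request failed: HTTP %s" % http_status
    result = doc["result"]
    if result.get("status") is not True:
        error = result.get("error") or {}
        return REJECT, error.get("message", "privacyIDEA request failed")
    if result.get("value") is True:
        return OK, "privacyIDEA access granted"
    detail = doc.get("detail") or {}
    return REJECT, detail.get("message", "privacyIDEA access denied")


def consecutive_failures(decisions):
    """Count trailing FAIL results in a sequence of (code, message) tuples, the
    signal to watch when the server intermittently closes the connection."""
    count = 0
    for code, _ in reversed(decisions):
        if code != FAIL:
            break
        count += 1
    return count


if __name__ == "__main__":
    # Constructed exchanges: (HTTP status or None when no response arrived, body).
    exchanges = [
        (400, SAMPLE_USER_NOT_FOUND),
        (200, SAMPLE_WRONG_PIN),
        (200, SAMPLE_ACCEPTED),
        (500, "<html><title>500 Internal Server Error</title></html>"),
        (None, ""),  # server closed the connection without sending any data
    ]
    decisions = [decide(status, body) for status, body in exchanges]
    for (status, _), (code, message) in zip(exchanges, decisions):
        print("HTTP %-4s -> %-18s %s" % (status, code, message))
    print("trailing FAILs:", consecutive_failures(decisions))
```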
Hi Cornelius
as we continue our testing of privacy idea, we still seem to encounter: "privacyIDEA request failed: 500 Server closed connection without sending any data back" from the radius server from time to time,
I'm not sure what is causing this, as running radiusd -X I can see that the correct credentials / password / OTP-code are being sent through
but nothing appears in the privacy idea audit log with these attempts, so it appears the radius is not passing the attempt on perhaps?
rebooting the privacy idea server seems to fix the issue and we can authenticate again
is there any way to gather more details on why these 500 errors occur?
Cheers

On Friday, 23 October 2015 16:54:35 UTC+11, Cornelinux K wrote:
Hi Tony,
Glad to hear this.
It is great if you can write down some notes which might help others.
Please either send a link or we can publish the information with
privacyidea.
Thanks a lot and kind regards
Cornelius
7
> > I am running latest version of Privacy
idea (2.7),
> updated as
> > per instructions on howtoforge
> > the user is coming from Active Directory
> > UID is DN
> > there are no special characters anywhere
in the AD
> config
> >
> >
> > testing using the URL you provided I get
the message
> below
> > when attempting to use an AD user
> > "version": "privacyIDEA 2.7", "result":
{"status":
> false, "error": {"message": "ERR905: The user can
not be found
> in any resolver in this realm!", "code": -500}},
"time":
> 1445425459.788956, "id": 1}
> >
> > but if i use the root user (from the
privacyidea
> server) this returns:
> > {"message": "wrong otp pin"},
"versionnumber":
> "2.7", "version": "privacyIDEA 2.7", "result":
{"status":
> true, "value": false}, "time": 1445425581.107504,
"id": 1}
> > I assume the OTP token is out of sync,
but
looks
> much more promising
> >
> > any idea on why the AD would not work
via
this
> method? as i can see all the users in the webui
etc
> >
> > Cheers
> >
> >
> >
> >
> >
> > On Wednesday, 21 October 2015 21:01:47 UTC +11, Cornelinux K wrote:
> > Hi Tony,
> >
> >
> > Are you running a pip
installation
or debian
> wheezy?
> >
> >
> > Which version of privacyidea are
you
> running?
> >
> >
> > In certain cases there were
problems with
> the ldap
> > resolver, if the DN contains
special
> characters and is
> > base54 encoded.
> >
> >
> > Is it openldap or AD?
> >
> >
> > The Uid type: is it DN or
entryUUID?
> >
> >
> > Kind regards
> > Cornelius
> >
> >
> >
> >
> >
> >
> > Cornelius Kölbel
> > Corneliu...@netknights.it
> > +49 151 2960 1417
> >
> >
> > NetKnights GmbH
> > http://netknights.it
> > Landgraf-Karl-Str. 19, 34131
Kassel,
> Germany
> > Tel: +49 561 3166797, Fax: +49
Thanks a lot
Cornelius

On Saturday, 31.10.2015, 20:52 -0700, Tony Hawker wrote:
Hi Cornelius
As we continue our testing of privacy idea, we still seem to encounter
"privacyIDEA request failed: 500 Server closed connection without sending any data back"
from the radius server from time to time.
I'm not sure what is causing this, as running radiusd -X I can see that the correct
credentials / password / OTP code are being sent through, but nothing appears in the
privacy idea audit log with these attempts, so it appears the radius is not passing
the attempt on perhaps?
Rebooting the privacy idea server seems to fix the issue and we can authenticate again.
Is there any way to gather more details on why these 500 errors occur?
Cheers
On Friday, 23 October 2015 16:54:35 UTC+11, Cornelinux K wrote:
Hi Tony,
Glad to hear this.
It is great if you can write down some notes which might help others.
Please either send a link or we can publish the information with privacyidea.
Thanks a lot and kind regards
Cornelius
Cornelius Kölbel
Corneliu...@netknights.it
+49 151 2960 1417
NetKnights GmbH
http://netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
-------- Original message --------
From: Tony Hawker <lil...@gmail.com>
Date: 23.10.2015 05:26 (GMT+01:00)
To: privacyidea <priva...@googlegroups.com>
Subject: Re: Re: Re: 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR' - FreeRadius
Hi Cornelius
We have now resolved this issue. It turned out to be an issue with the VPN community
on the firewall; once resolved, everything started working. It's odd that the other
auth server was working at all once seeing the issue.
Thanks for your support on this. I may put up some basic how-tos on the checkpoint
implementation that can complement the guides that are already available in the next
few days.
Cheers
On Thursday, 22 October 2015 22:56:13 UTC+11, Tony Hawker wrote:
Thanks Cornelius
Yes that file exists, seems to be a default file, with a lot of ## out bits but no entries.
I entered the settings as specified but still get errors when starting:
/etc/raddb/mods-config/files/authorize[221]: Parse error (check) for entry authorize: Invalid attribute name
Failed reading /etc/raddb/mods-config/files/authorize
/etc/raddb/mods-enabled/files[9]: Instantiation failed for module "files"
On Thursday, 22 October 2015 22:50:13 UTC+11, Cornelinux K wrote:
Hi Tony,
I forgot that you are running on CentOS 7 with FR3.
Did you have a file /etc/raddb/users at all?
In the config you have a

    authorize {
        ...
        update control {
            Auth-Type := Perl
        }
    }

which sets the Auth-Type -> Perl for all users.
So in this case you might need to add it like this:

    authorize {
        update control {
            Auth-Type := Perl
        }
        # Class is a reply attribute: it only reaches the NAS from the
        # reply list, not from the control list.
        update reply {
            Class := "YOUR_GROUP_EXPECTED_BY_CHECKPOINT"
        }
    }

I do not have FreeRADIUS 3 at hand to test this...
Kind regards
Cornelius
On Thursday, 22.10.2015, 09:41 +0200, Cornelius Kölbel wrote:
> Hi Tony,
>
> you can edit your file /etc/freeradius/users like this:
>
>     DEFAULT Auth-Type := Perl
>             Class = "YOUR_GROUP_EXPECTED_BY_CHECKPOINT"
>
> This way each user will be authenticated against the perl module a.k.a.
> privacyIDEA and put into the corresponding group.
>
> Or: You can add the Class AVP that is expected by your checkpoint.
> Please note: In the radius request the Class is hex encoded. In the
> users config file you need to enter a normal ascii string.
>
> Kind regards
> Cornelius
>
> On Thursday, 22.10.2015, 09:23 +0200, Cornelius Kölbel wrote:
> > Hi Tony,
> >
> > the Attribute Value Pair Class 25 usually seems to expect some
> > attribute, which the firewall uses to authorize the access or put the
> > user of this request in some control group.
> >
> > So the question is: Do you have another RADIUS server running at the
> > moment and what do the requests look like there?
> >
> > I assume we have to add an attribute of class 25 with the correct value,
> > that is expected by your checkpoint configuration.
> > http://tools.ietf.org/html/rfc2865#section-5.25
> >
> > And additionally I assume that the existing attributes did not make the
> > response fail, but the missing class-25 attribute.
> > This attribute is usually used for group information.
> > (http://freeradius.1045715.n5.nabble.com/Reply-with-group-attribute-td2781054.html)
> >
> > So I guess we need to look at the freeradius side (independent of the
> > privacyIDEA plugin).
> >
> > We need to investigate
> > * the successful RADIUS REQUEST with your existing RADIUS server
> > * the successful RADIUS RESPONSE with your existing RADIUS server
> > and then configure FreeRADIUS accordingly.
> >
> > I will try to help you with that.
> > But maybe at a certain point we might also need to take this to the
> > freeradius list.
> >
> > Kind regards
> > Cornelius
> >
> > On Wednesday, 21.10.2015, 23:52 -0700, Tony Hawker wrote:
> > > Thanks Cornelius
> > > this script still doesn't seem to solve the problem, checkpoint still
> > > doesn't like the Access-Accept packets for some reason.
> > > I've had the checkpoint talking to freeradius in the past, so it can
> > > work, but just doesn't see these accept packets for some reason.
> > >
> > > On Thursday, 22 October 2015 17:44:43 UTC+11, Cornelinux K wrote:
> > > Hi Tony,
> > >
> > > here is a slightly modified script, that does not add any additional
> > > AVPs into the reply.
> > >
> > > It only returns ACCESS_ACCEPT or ACCESS_REJECT.
> > >
> > > This script replaces the existing one.
> > > Please restart freeradius and check if checkpoint likes it.
> > >
> > > Kind regards
> > > Cornelius
> > >
> > > On Wednesday, 21.10.2015, 23:35 -0700, Tony Hawker wrote:
> > > > Hi Cornelius
> > > > Thanks for this info
> > > > where do I remove that line from? I'm not familiar with this process?
> > > > do I need to change a config file? or change some source code and
> > > > recompile?
> > > > I believe if I could change the message on that line that could also
> > > > possibly help
> > > >
> > > > Cheers
> > > >
> > > > On Thursday, 22 October 2015 17:27:55 UTC+11, Cornelinux K wrote:
> > > > Hello Tony,
> > > >
> > > > at the moment there is no way to configure the reply message.
> > > >
> > > > You can remove the RAD_REPLY in the privacyidea perl module.
> > > > https://github.com/privacyidea/privacyidea/blob/master/authmodules/FreeRADIUS/privacyidea_radius.pm#L335
> > > >
> > > > Thus this information will not be added to the reply.
> > > > If this succeeds, please drop me a note or open an issue at github.
> > > > We can then make the reply configurable.
> > > >
> > > > Kind regards
> > > > Cornelius
> > > >
> > > > On Wednesday, 21.10.2015, 17:54 -0700, Tony Hawker wrote:
> > > > > Hi Cornelius
> > > > > Thanks for your help, I almost have this working now, I played around
> > > > > a lot, but I think that ticking the "use @ to separate user and realm"
> > > > > has allowed the radius to pass through the details correctly.
> > > > >
> > > > > I have managed to have my radius client authenticate, and it seems to
> > > > > be sending back the reply message "privacy IDEA access granted" to my
> > > > > firewalls (I am trying to authenticate VPN users).
> > > > >
> > > > > I believe the firewall does not like the response message, I am
> > > > > possibly getting a similar issue described here:
> > > > > https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk107638
> > > > >
> > > > > I have also attached a screen shot of how the packet looks from
> > > > > privacy idea, do you think that because the reply packet is slightly
> > > > > different it could be causing this problem?
> > > > > Is it possible to change the privacy idea radius accept packet to
> > > > > something generic?
> > > > >
> > > > > Cheers
> > > > >
> > > > > On Wednesday, 21 October 2015 23:59:18 UTC+11, Cornelinux K wrote:
> > > > >
> > > > > Hi,
> > > > >
> > > > > The user can not be found in the resolver.
> > > > >
> > > > > What does the request look like?
> > > > > Is the realm the default realm?
> > > > > What does the DN of the user look like?
> > > > >
> > > > > You might have specified the wrong realm (see default realm).
> > > > >
> > > > > Kind regards
> > > > > Cornelius
> > > > >
> > > > > -------- Original message --------
> > > > > From: Tony Hawker <lil...@gmail.com>
> > > > > Date: 21.10.2015 13:14 (GMT+01:00)
> > > > > To: privacyidea <priva...@googlegroups.com>
> > > > > Subject: Re: Re: 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR' - FreeRadius
> > > > >
> > > > > Hi Cornelius
> > > > > Thanks for your response
> > > > > I am running PIP installation on Centos 7
> > > > > I am running latest version of Privacy idea (2.7), updated as per
> > > > > instructions on howtoforge
> > > > > the user is coming from Active Directory
> > > > > UID is DN
> > > > > there are no special characters anywhere in the AD config
> > > > >
> > > > > testing using the URL you provided I get the message below when
> > > > > attempting to use an AD user:
> > > > > "version": "privacyIDEA 2.7", "result": {"status": false, "error": {"message": "ERR905: The user can not be found in any resolver in this realm!", "code": -500}}, "time": 1445425459.788956, "id": 1}
> > > > >
> > > > > but if I use the root user (from the privacyidea server) this returns:
> > > > > {"message": "wrong otp pin"}, "versionnumber": "2.7", "version": "privacyIDEA 2.7", "result": {"status": true, "value": false}, "time": 1445425581.107504, "id": 1}
> > > > > I assume the OTP token is out of sync, but looks much more promising.
> > > > >
> > > > > any idea on why the AD would not work via this method? as I can see
> > > > > all the users in the webui etc
> > > > >
> > > > > Cheers
> > > > >
> > > > > On Wednesday, 21 October 2015 21:01:47 UTC +11, Cornelinux K wrote:
> > > > > Hi Tony,
> > > > >
> > > > > Are you running a pip installation or debian wheezy?
> > > > >
> > > > > Which version of privacyidea are you running?
> > > > >
> > > > > In certain cases there were problems with the ldap resolver, if the
> > > > > DN contains special characters and is base64 encoded.
> > > > >
> > > > > Is it openldap or AD?
> > > > >
> > > > > The Uid type: is it DN or entryUUID?
> > > > >
> > > > > Kind regards
> > > > > Cornelius
> > > > >
> > > > > -------- Original message --------
> > > > > From: Tony Hawker <lil...@gmail.com>
> > > > > Date: 21.10.2015 08:59 (GMT+01:00)
> > > > > To: privacyidea <priva...@googlegroups.com>
> > > > > Subject: Re: 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR' - FreeRadius
...
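Two points from the quoted exchange above are worth checking with code rather than by eye: the Class AVP (type 25) travels as raw octets, so a capture shows it hex encoded while the FreeRADIUS users file holds the plain ASCII string, and a NAS only acts on an Access-Accept whose Response Authenticator verifies against the shared secret and the Request Authenticator of the pending Access-Request (RFC 2865 sections 3 and 4.2); a reply that fails that check is silently discarded, which is one thing to rule out whenever a client "does not see" accept packets. The script below is an added example, not code from privacyIDEA, FreeRADIUS or either poster; all function names are mine, and the shared secret, request authenticator and group name are constructed test data.

```python
"""Build, parse and verify a RADIUS Access-Accept carrying a Class (25) AVP.

Added example; not privacyIDEA or FreeRADIUS code. Everything below the
constants is an assumption for illustration, and the secret, request
authenticator and group name in __main__ are constructed test values.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_REPLY_MESSAGE, ATTR_CLASS = 1, 18, 25


def encode_attr(attr_type, value):
    """One RFC 2865 AVP: Type (1 byte), Length (1 byte, header included), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("AVP value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def decode_attrs(payload):
    """Parse an AVP list, rejecting truncated headers and impossible lengths."""
    attrs, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated AVP header at offset %d" % pos)
        attr_type, length = payload[pos], payload[pos + 1]
        if length < 2 or pos + length > len(payload):
            raise ValueError("bad AVP length %d at offset %d" % (length, pos))
        attrs.append((attr_type, payload[pos + 2:pos + length]))
        pos += length
    return attrs


def build_response(code, ident, request_auth, attrs, secret):
    """Assemble Code | ID | Length | ResponseAuth | AVPs.

    ResponseAuth = MD5(Code + ID + Length + RequestAuth + AVPs + Secret) is
    the wire format mandated by RFC 2865 section 3, not a hash chosen here.
    """
    payload = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(payload))
    response_auth = hashlib.md5(header + request_auth + payload + secret).digest()
    return header + response_auth + payload


def verify_response(packet, request_auth, secret):
    """The check a NAS performs before trusting a reply (RFC 2865 section 4.2).

    Wrong shared secret, wrong Request Authenticator or any modified byte in
    the AVPs makes this return False, and the client drops the packet.
    """
    if len(packet) < 20:
        return False
    header, response_auth, payload = packet[:4], packet[4:20], packet[20:]
    if struct.unpack("!BBH", header)[2] != len(packet):
        return False
    expected = hashlib.md5(header + request_auth + payload + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def accept_with_class(ident, request_auth, secret, group, message):
    """Access-Accept that puts the user into `group` via the Class AVP.

    The group string goes on the wire as bare octets, which is why a sniffer
    shows it hex encoded while the users file holds it as plain ASCII.
    """
    attrs = [(ATTR_CLASS, group.encode("ascii")),
             (ATTR_REPLY_MESSAGE, message.encode("utf-8"))]
    return build_response(ACCESS_ACCEPT, ident, request_auth, attrs, secret)


def class_values(packet):
    """Every Class AVP in a reply, as (hex as seen in a capture, ASCII) pairs."""
    return [(v.hex(), v.decode("ascii", "replace"))
            for t, v in decode_attrs(packet[20:]) if t == ATTR_CLASS]


if __name__ == "__main__":
    secret = b"testing123"            # constructed test secret
    request_auth = bytes(range(16))   # constructed; real ones are random per request
    pkt = accept_with_class(91, request_auth, secret, "vpn-users",
                            "privacyIDEA access granted")
    print("Access-Accept id=%d, %d bytes, Class=%s" % (pkt[1], len(pkt), class_values(pkt)))
    print("authenticator valid with right secret:", verify_response(pkt, request_auth, secret))
    print("authenticator valid with wrong secret:", verify_response(pkt, request_auth, b"wrong"))
```

To apply this to a live setup, take the Request Authenticator from the Access-Request (visible in a pcap, or in radiusd -X output) and the shared secret from clients.conf, and run verify_response over the reply bytes: if it fails while FreeRADIUS reports sending an Access-Accept, the NAS and server disagree on the secret or the packet was altered in transit, and no amount of AVP tuning will help.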