'privacyIDEA request failed: 500 INTERNAL SERVER ERROR' - FreeRadius

Hi
I have followed the guide on setting up privacyIDEA on CentOS 7 here:
https://www.privacyidea.org/two-factor-authentication-with-otp-on-centos-7/

I can access the web UI, register tokens, link to Active Directory etc.;
all tested OK.

I am having issues with the RADIUS plugin. When I attempt to make any
connection to the RADIUS server, either using the test functions described in the
link above or from an external connection, I see the errors below:

]# echo "User-Name=user, User-Password=password" | radclient -sx localhost auth testing123

Sending Access-Request Id 91 from 0.0.0.0:34321 to 127.0.0.1:1812
    User-Name = 'user'
    User-Password = 'password'
Received Access-Reject Id 91 from 127.0.0.1:1812 to 127.0.0.1:34321 length 75
    Reply-Message = 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'

(0) -: Expected Access-Accept got Access-Reject
Packet summary:
    Accepted : 0
    Rejected : 1
    Lost : 0
    Passed filter : 0
    Failed filter : 1

and on the radius server I see this:

Received Access-Request Id 111 from 127.0.0.1:35488 to 127.0.0.1:1812 length 44
    User-Name = 'user'
    User-Password = 'password'
(0) Received Access-Request packet from host 127.0.0.1 port 35488, id=111, length=44
(0)   User-Name = 'user'
(0)   User-Password = 'password'
(0) # Executing section authorize from file /etc/raddb/sites-enabled/privacyidea
(0)   authorize {
(0)     [preprocess] = ok
(0)     [digest] = noop
(0)     suffix : Checking for suffix after "@"
(0)     suffix : No '@' in User-Name = "user", looking up realm NULL
(0)     suffix : No such realm "NULL"
(0)     [suffix] = noop
(0)     ntdomain : Checking for prefix before "\"
(0)     ntdomain : No '\' in User-Name = "user", looking up realm NULL
(0)     ntdomain : No such realm "NULL"
(0)     [ntdomain] = noop
(0)     [files] = noop
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
(0) WARNING: pap : Authentication will fail unless a "known good" password is available
(0)     [pap] = noop
(0)     update control {
(0)       Auth-Type := Perl
(0)     } # update control = noop
(0)   } # authorize = ok
(0) Found Auth-Type = Perl
(0) # Executing group from file /etc/raddb/sites-enabled/privacyidea
(0)   Auth-Type Perl {
(0)     perl : $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'user'
(0)     perl : $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'password'
(0)     perl : $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '127.0.0.1'
(0)     perl : $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Oct 21 2015 11:50:57 AEDT'
(0)     perl : $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'Perl'
(0)     perl : $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'Perl'
rlm_perl: Config File /etc/freeradius/rlm_perl.ini found!
rlm_perl: Default URL https://127.0.0.1/validate/check
rlm_perl: Looking for config for auth-type Perl
rlm_perl: Auth-Type: Perl
rlm_perl: url: https://127.0.0.1/validate/check
rlm_perl: user sent to privacyidea: user
rlm_perl: realm sent to privacyidea:
rlm_perl: resolver sent to privacyidea:
rlm_perl: client sent to privacyidea: 127.0.0.1
rlm_perl: state sent to privacyidea:
rlm_perl: urlparam client
rlm_perl: urlparam pass
rlm_perl: urlparam user
rlm_perl: Not verifying SSL certificate!
rlm_perl: privacyIDEA request failed: 500 INTERNAL SERVER ERROR
rlm_perl: return RLM_MODULE_FAIL
(0)     perl : &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'user'
(0)     perl : &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Oct 21 2015 11:50:57 AEDT'
(0)     perl : &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'password'
(0)     perl : &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '127.0.0.1'
(0)     perl : &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
(0)     perl : &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl'
(0)     [perl] = fail
(0)   } # Auth-Type Perl = fail
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) Delaying response for 1 seconds
Waking up in 0.9 seconds.
(0) Sending delayed response
(0) Sending Access-Reject packet to host 127.0.0.1 port 35488, id=111, length=0
(0)   Reply-Message = 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
Sending Access-Reject Id 111 from 127.0.0.1:1812 to 127.0.0.1:35488
    Reply-Message = 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 111 with timestamp +7

I don't think this is just an issue with the user/password, but can anyone
point me in the right direction as to what I may have done wrong with
either the RADIUS or privacyIDEA install?

Cheers

Hi Cornelius
Thanks for your response.
I am running a pip installation on CentOS 7.
I am running the latest version of privacyIDEA (2.7), updated as per the
instructions on HowtoForge.
The user is coming from Active Directory.
The UID is the DN.
There are no special characters anywhere in the AD config.

Testing using the URL you provided I get the message below when attempting
to use an AD user:

"version": "privacyIDEA 2.7", "result": {"status": false, "error": {"message": "ERR905: The user can not be found in any resolver in this realm!", "code": -500}}, "time": 1445425459.788956, "id": 1}

but if I use the root user (from the privacyIDEA server) this returns:

{"message": "wrong otp pin"}, "versionnumber": "2.7", "version": "privacyIDEA 2.7", "result": {"status": true, "value": false}, "time": 1445425581.107504, "id": 1}

I assume the OTP token is out of sync, but this looks much more promising.

Any idea why the AD would not work via this method, as I can see all the users in the web UI etc.?

Cheers

On Wednesday, 21 October 2015 21:01:47 UTC+11, Cornelinux K wrote:

Hi Tony,

Are you running a pip installation or Debian wheezy?

Which version of privacyidea are you running?

In certain cases there were problems with the LDAP resolver, if the DN
contains special characters and is base64 encoded.

Is it OpenLDAP or AD?

The UID type: is it DN or entryUUID?

Kind regards
Cornelius

Cornelius Kölbel
Corneliu…@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Managing Director: Cornelius Kölbel

-------- Original message --------
From: Tony Hawker <lil...@gmail.com>
Date: 21.10.2015 08:59 (GMT+01:00)
To: privacyidea <priva...@googlegroups.com>
Subject: Re: 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR' -
FreeRadius

Hi
Thanks for your quick response to my issue.
I have been watching the privacyidea.log but no entries are made when a
connection attempt is made via the RADIUS server, which leads me to think that the
RADIUS server is not able to see the privacyIDEA API?
I can access the URI in my browser, so I can see that it is up.

I see this in the privacyidea.log when I reboot:

[2015-10-21 15:41:28,041][1924][139636199069440][ERROR][privacyidea.lib.resolvers.LDAPIdResolver:333] 'Traceback (most recent call last):
  File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 328, in getUserList
    user = self._ldap_attributes_to_user_object(attributes)
  File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 246, in _ldap_attributes_to_user_object
    for ldap_k, ldap_v in attributes.items():
AttributeError: 'NoneType' object has no attribute 'items'
'

Cheers

On Wednesday, 21 October 2015 17:14:34 UTC+11, Cornelinux K wrote:

Hi Tony,

please do the following:

  1. Take a look into the audit log.

     Within the web UI take a look at what you can see for the request in the
     Audit tab (the rightmost tab).

     I assume the user does not exist.

     The audit gives you a top-level view of what is happening in
     privacyidea.

  2. Take a look into the log file privacyidea.log.
     This gives you a detailed view of what is happening.

Kind regards
Cornelius



You received this message because you are subscribed to the Google Groups "privacyidea" group.
To unsubscribe from this group and stop receiving emails from it, send an email to privacyidea...@googlegroups.com.
To post to this group, send email to priva...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/privacyidea/96a156c2-b64d-417d-811a-e152d27c8fd2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


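As an added example (not code from this thread or from the privacyIDEA RADIUS plugin), here is how a RADIUS front end should interpret the /validate/check answers seen in this thread: the HTTP 500 in the first post and the ERR905 response above are backend failures that must map to RLM_MODULE_FAIL, while the "wrong otp pin" response is the only genuine reject. The JSON bodies are constructed samples modelled on the two responses quoted above.

```python
import json
from enum import Enum


class Outcome(Enum):
    """The three results a FreeRADIUS auth module can hand back for a request."""
    ACCEPT = "RLM_MODULE_OK"      # send Access-Accept
    REJECT = "RLM_MODULE_REJECT"  # send Access-Reject: credentials were checked and failed
    FAIL = "RLM_MODULE_FAIL"      # backend error: credentials were never checked


def classify_response(http_status, body):
    """Map an HTTP status and the JSON body of /validate/check to (Outcome, detail).

    detail is a short reason for the FreeRADIUS debug log. Only
    result.status == true with result.value == false is a genuine reject;
    anything else that is not an accept is a FAIL, so that a broken resolver
    or a 500 from the web server is logged as an outage rather than counted
    as a wrong OTP against the user.
    """
    if http_status != 200:
        return Outcome.FAIL, "privacyIDEA request failed: %d" % http_status
    try:
        data = json.loads(body)
    except ValueError:
        return Outcome.FAIL, "privacyIDEA returned a non-JSON body"
    result = data.get("result") if isinstance(data, dict) else None
    if not isinstance(result, dict):
        return Outcome.FAIL, "malformed response: no result object"
    if result.get("status") is not True:
        # e.g. ERR905 / code -500 in the thread: the user could not be
        # resolved in the realm, a configuration problem, not a wrong OTP
        err = result.get("error")
        err = err if isinstance(err, dict) else {}
        return Outcome.FAIL, "privacyIDEA error %s: %s" % (
            err.get("code"), err.get("message"))
    detail = data.get("detail")
    message = detail.get("message", "") if isinstance(detail, dict) else ""
    if result.get("value") is True:
        return Outcome.ACCEPT, message or "privacyIDEA access granted"
    return Outcome.REJECT, message or "privacyIDEA access denied"


# Constructed sample bodies, modelled on the two responses quoted in the thread.
SAMPLE_USER_NOT_FOUND = json.dumps({
    "jsonrpc": "2.0", "version": "privacyIDEA 2.7", "id": 1, "time": 1445425459.788956,
    "result": {"status": False, "error": {
        "message": "ERR905: The user can not be found in any resolver in this realm!",
        "code": -500}},
})
SAMPLE_WRONG_PIN = json.dumps({
    "jsonrpc": "2.0", "version": "privacyIDEA 2.7", "id": 1, "time": 1445425581.107504,
    "detail": {"message": "wrong otp pin"},
    "result": {"status": True, "value": False},
})
SAMPLE_OK = json.dumps({
    "jsonrpc": "2.0", "version": "privacyIDEA 2.7", "id": 1,
    "detail": {"message": "matching 1 tokens"},
    "result": {"status": True, "value": True},
})


if __name__ == "__main__":
    cases = [
        ("HTTP 500 from the web server", 500, "<html>Internal Server Error</html>"),
        ("user not found (ERR905)", 200, SAMPLE_USER_NOT_FOUND),
        ("wrong OTP PIN", 200, SAMPLE_WRONG_PIN),
        ("valid OTP", 200, SAMPLE_OK),
    ]
    for name, status, body in cases:
        outcome, detail = classify_response(status, body)
        print("%-30s -> %-17s %s" % (name, outcome.value, detail))
```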


Hi Tony,

I forgot that you are running on CentOS 7 with FR3.

Did you have a file /etc/raddb/users at all?

In the config you have

authorize {
    update control {
        Auth-Type := Perl
    }
}

which sets the Auth-Type → Perl for all users.

So in this case you might need to add it like this:

authorize {
    update control {
        Auth-Type := Perl
        Class := AVP
    }
}

I do not have FreeRADIUS 3 at hand to test this…

Kind regards
Cornelius

On Thursday, 22.10.2015, 09:41 +0200, Cornelius Kölbel wrote:

Hi Tony,

you can edit your file /etc/freeradius/users like this:

DEFAULT Auth-Type := Perl
        Class = YOUR_GROUP_EXPECTED_BY_CHECKPOINT

This way each user will be authenticated against the perl module a.k.a.
privacyIDEA and put into the corresponding group.

Or: you can add the Class AVP that is expected by your Check Point.
Please note: in the RADIUS request the Class is hex encoded. In the
users config file you need to enter a normal ASCII string.

Kind regards
Cornelius

On Thursday, 22.10.2015, 09:23 +0200, Cornelius Kölbel wrote:

Hi Tony,

the Attribute Value Pair Class (25) usually seems to expect some
attribute, which the firewall uses to authorize the access or put the
user of this request in some control group.

So the question is: do you have another RADIUS server running at the
moment, and what do the requests look like there?

I assume we have to add an attribute of class 25 with the correct value
that is expected by your Check Point configuration.
RFC 2865 - Remote Authentication Dial In User Service (RADIUS)

And additionally I assume that the existing attributes did not make the
response fail, but the missing class-25 attribute did.
This attribute is usually used for group information.
(http://freeradius.1045715.n5.nabble.com/Reply-with-group-attribute-td2781054.html)

So I guess we need to look at the FreeRADIUS side (independent of the
privacyIDEA plugin).

We need to investigate

  • the successful RADIUS REQUEST with your existing RADIUS server
  • the successful RADIUS RESPONSE with your existing RADIUS server
    and then configure FreeRADIUS accordingly.

I will try to help you with that.
But maybe at a certain point we might also need to take this to the
freeradius list.

Kind regards
Cornelius

On Wednesday, 21.10.2015, 23:52 -0700, Tony Hawker wrote:

Thanks Cornelius
This script still doesn't seem to solve the problem; Check Point still
doesn't like the Access-Accept packets for some reason.
I've had the Check Point talking to FreeRADIUS in the past, so it can
work, but it just doesn't see these accept packets for some reason.

On Thursday, 22 October 2015 17:44:43 UTC+11, Cornelinux K wrote:
Hi Tony,

here is a slightly modified script, that does not add any additional
AVPs into the reply.

It only returns ACCESS_ACCEPT or ACCESS_REJECT.

This script replaces the existing one.
Please restart freeradius and check if Check Point likes it.

Kind regards
Cornelius
    
On Wednesday, 21.10.2015, 23:35 -0700, Tony Hawker wrote:
> Hi Cornelius
> Thanks for this info.
> Where do I remove that line from? I'm not familiar with this process.
> Do I need to change a config file, or change some source code and recompile?
> I believe if I could change the message on that line that could also possibly help.
>
> Cheers
>
> On Thursday, 22 October 2015 17:27:55 UTC+11, Cornelinux K wrote:
> > Hello Tony,
> >
> > at the moment there is no way to configure the reply message.
> >
> > You can remove the RAD_REPLY in the privacyidea perl module.
> > https://github.com/privacyidea/privacyidea/blob/master/authmodules/FreeRADIUS/privacyidea_radius.pm#L335
> >
> > Thus this information will not be added to the reply.
> > If this succeeds, please drop me a note or open an issue at github.
> > We can then make the reply configurable.
> >
> > Kind regards
> > Cornelius
> >
> > On Wednesday, 21.10.2015, 17:54 -0700, Tony Hawker wrote:
> > > Hi Cornelius
> > > Thanks for your help, I almost have this working now. I played around
> > > a lot, but I think that ticking the "use @ to separate user and realm"
> > > has allowed the RADIUS server to pass through the details correctly.
> > >
> > > I have managed to have my RADIUS client authenticate, and it seems to
> > > be sending back the reply message "privacy IDEA access granted" to my
> > > firewalls (I am trying to authenticate VPN users).
> > >
> > > I believe the firewall does not like the response message; I am
> > > possibly getting a similar issue to the one described here:
> > > https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk107638
> > >
> > > I have also attached a screenshot of how the packet looks from
> > > privacyIDEA. Do you think that because the reply packet is slightly
> > > different it could be causing this problem? Is it possible to change
> > > the privacyIDEA RADIUS accept packet to something generic?
> > >
> > > Cheers
> > >
> > > On Wednesday, 21 October 2015 23:59:18 UTC+11, Cornelinux K wrote:
> > > > Hi,
> > > >
> > > > The user can not be found in the resolver.
> > > >
> > > > What does the request look like?
> > > > Is the realm the default realm?
> > > > What does the DN of the user look like?
> > > >
> > > > You might have specified the wrong realm (see default realm).
> > > >
> > > > Kind regards
> > > > Cornelius
> > > >
> > > > Cornelius Kölbel
> > > > Corneliu...@netknights.it
> > > > +49 151 2960 1417
> > > >
> > > > NetKnights GmbH
> > > > http://netknights.it
> > > > Landgraf-Karl-Str. 19, 34131 Kassel, Germany
> > > > Tel: +49 561 3166797, Fax: +49 561 3166798
> > > >
> > > > Amtsgericht Kassel, HRB 16405
    >         >         Geschäftsführer: Cornelius Kölbel 
    >         >         
    >         >         
    >         >         -------- Ursprüngliche Nachricht -------- 
    >         >         Von: Tony Hawker <lil...@gmail.com> 
    >         >         Datum: 21.10.2015 13:14 (GMT+01:00) 
    >         >         An: privacyidea
    <priva...@googlegroups.com> 
    >         >         Betreff: Re: Re: 'privacyIDEA request
    failed: 500 
    >         INTERNAL 
    >         >         SERVER ERROR' - FreeRadius 
    >         >         
    >         >         Hi Cornelius 
    >         >         Thanks for your response 
    >         >         I am running PIP installation on Centos 7 
    >         >         I am running latest version of Privacy
    idea (2.7), 
    >         updated as 
    >         >         per instructions on howtoforge 
    >         >         the user is coming from Active Directory 
    >         >         UID is DN 
    >         >         there are no special characters anywhere
    in the AD 
    >         config 
    >         >         
    >         >         
    >         >         testing using the URL you provided I get
    the message 
    >         below 
    >         >         when attempting to use an AD user 
    >         >         "version": "privacyIDEA 2.7", "result":
    {"status": 
    >         false, "error": {"message": "ERR905: The user can
    not be found 
    >         in any resolver in this realm!", "code": -500}},
    "time": 
    >         1445425459.788956, "id": 1} 
    >         >         
    >         >         but if i use the root user (from the
    privacyidea 
    >         server) this returns: 
    >         >         {"message": "wrong otp pin"},
    "versionnumber": 
    >         "2.7", "version": "privacyIDEA 2.7", "result":
    {"status": 
    >         true, "value": false}, "time": 1445425581.107504,
    "id": 1} 
    >         >         I assume the OTP token is out of sync, but
    looks 
    >         much more promising 
    >         >         
    >         >         any idea on why the AD would not work via
    this 
    >         method? as i can see all the users in the webui etc 
    >         >         
    >         >         Cheers 
    >         >         
    >         >         
    >         >         
    >         >         
    >         >         
    >         >         On Wednesday, 21 October 2015 21:01:47 UTC +11,  Cornelinux K  wrote: 
    >         >                 Hi Tony, 
    >         >                 
    >         >                 
    >         >                 Are you running a pip installation
    or debian 
    >         wheezy? 
    >         >                 
    >         >                 
    >         >                 Which version of privacyidea are
    you 
    >         running? 
    >         >                 
    >         >                 
    >         >                 In certain cases there were
    problems with 
    >         the ldap 
    >         >                 resolver, if the DN contains
    special 
    >         characters and is 
    >         >                 base54 encoded. 
    >         >                 
    >         >                 
    >         >                 Is it openldap or AD? 
    >         >                 
    >         >                 
    >         >                 The Uid type: is it DN or
    entryUUID? 
    >         >                 
    >         >                 
    >         >                 Kind regards 
    >         >                 Cornelius 
    >         >                 
    >         >                 
    >         >                 
    >         >                 
    >         >                 
    >         >                 
    > > > > > -------- Original message --------
    > > > > > From: Tony Hawker <lil...@gmail.com>
    > > > > > Date: 21.10.2015 08:59 (GMT+01:00)
    > > > > > To: privacyidea <priva...@googlegroups.com>
    > > > > > Subject: Re: 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR' - FreeRadius
    > > > > >
    > > > > > Hi
    > > > > > thanks for your quick response to my issue
    > > > > > I have been watching the privacyidea.log but no entries are made when a connection attempt is made via the radius, which leads me to think that the radius is not able to see the privacyidea API?
    > > > > > I can access the URI in my browser, so I can see that it is up
    > > > > >
    > > > > > I see this in the privacyidea.log when I reboot
    > > > > >
    > > > > > [2015-10-21 15:41:28,041][1924][139636199069440][ERROR][privacyidea.lib.resolvers.LDAPIdResolver:333] 'Traceback (most recent call last):\n  File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 328, in getUserList\n    user = self._ldap_attributes_to_user_object(attributes)\n  File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 246, in _ldap_attributes_to_user_object\n    for ldap_k, ldap_v in attributes.items():\nAttributeError: \'NoneType\' object has no attribute \'items\'\n'
    > > > > >
    > > > > > Cheers
    > > > > >
    > > > > > On Wednesday, 21 October 2015 17:14:34 UTC+11, Cornelinux K wrote:
    > > > > > > Hi Tony,
    > > > > > >
    > > > > > > please do the following:
    > > > > > >
    > > > > > > 1. Take a look into the audit log
    > > > > > >
    > > > > > > Within the webui take a look, what you can see in the request in the Audit Tab. The right most tab.
    > > > > > >
    > > > > > > I assume, the user does not exist.
    > > > > > >
    > > > > > > The audit gives you a top level view of what is happening in privacyidea.
    > > > > > >
    > > > > > > 2. Take a look into the log file privacyidea.log.
    > > > > > > This gives you a detailed view, of what is happening.
    > > > > > >
    > > > > > > Kind regards
    > > > > > > Cornelius
    > > > > > >
    > > > > > > On Tuesday, 20.10.2015, 17:56 -0700, Tony Hawker wrote:
    > > > > > > > Hi
    > > > > > > > I have followed the guide on setting up Privacyidea on Centos 7 here:
    > > > > > > > https://www.privacyidea.org/two-factor-authentication-with-otp-on-centos-7/
    > > > > > > >
    > > > > > > > I can access the webui, register tokens, linked to active directory etc, all tested ok
    > > > > > > >
    > > > > > > > I am having issues with the radius plugin, when I attempt to make any connection to the radius, either using the test functions described in the link above, or from an external connection, I am seeing the errors below:
    > > > > > > >
    > > > > > > > ]# echo "User-Name=user, User-Password=password" | radclient -sx localhost auth testing123
    > > > > > > >
    > > > > > > > Sending Access-Request Id 91 from 0.0.0.0:34321 to 127.0.0.1:1812
    > > > > > > >         User-Name = 'user'
    > > > > > > >         User-Password = 'password'
    > > > > > > > Received Access-Reject Id 91 from 127.0.0.1:1812 to 127.0.0.1:34321 length 75
    > > > > > > >         Reply-Message = 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
    > > > > > > > (0) -: Expected Access-Accept got Access-Reject
    > > > > > > > Packet summary:
    > > > > > > >         Accepted      : 0
    > > > > > > >         Rejected      : 1
    > > > > > > >         Lost          : 0
    > > > > > > >         Passed filter : 0
    > > > > > > >         Failed filter : 1
    > > > > > > >
    > > > > > > > and on the radius server I see this:
    > > > > > > >
    > > > > > > > Received Access-Request Id 111 from 127.0.0.1:35488 to 127.0.0.1:1812 length 44
    > > > > > > >         User-Name = 'user'
    > > > > > > >         User-Password = 'password'
    > > > > > > > (0) Received Access-Request packet from host 127.0.0.1 port 35488, id=111, length=44
    > > > > > > > (0)     User-Name = 'user'
    > > > > > > > (0)     User-Password = 'password'
    > > > > > > > (0) # Executing section authorize from file /etc/raddb/sites-enabled/privacyidea
    > > > > > > > (0)   authorize {
    > > > > > > > (0)   [preprocess] = ok
    > > > > > > > (0)   [digest] = noop
    > > > > > > > (0)  suffix : Checking for suffix after "@"
    > > > > > > > (0)  suffix : No '@' in User-Name = "user", looking up realm NULL
    > > > > > > > (0)  suffix : No such realm "NULL"
    > > > > > > > (0)   [suffix] = noop
    > > > > > > > (0)  ntdomain : Checking for prefix before "\"
    > > > > > > > (0)  ntdomain : No '\' in User-Name = "user", looking up realm NULL
    > > > > > > > (0)  ntdomain : No such realm "NULL"
    > > > > > > > (0)   [ntdomain] = noop
    > > > > > > > (0)   [files] = noop
    > > > > > > > (0)   [expiration] = noop
    > > > > > > > (0)   [logintime] = noop
    > > > > > > > (0)  WARNING: pap : No "known good" password found for the user.  Not setting Auth-Type
    > > > > > > > (0)  WARNING: pap : Authentication will fail unless a "known good" password is available
    > > > > > > > (0)   [pap] = noop
    > > > > > > > (0)   update control {
    > > > > > > > (0)     Auth-Type := Perl
    > > > > > > > (0)   } # update control = noop
    > > > > > > > (0)  } #  authorize = ok
    > > > > > > > (0) Found Auth-Type = Perl
    > > > > > > > (0) # Executing group from file /etc/raddb/sites-enabled/privacyidea
    > > > > > > > (0)  Auth-Type Perl {
    > > > > > > > (0)   perl : $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'user'
    > > > > > > > (0)   perl : $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'password'
    > > > > > > > (0)   perl : $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '127.0.0.1'
    > > > > > > > (0)   perl : $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Oct 21 2015 11:50:57 AEDT'
    > > > > > > > (0)   perl : $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'Perl'
    > > > > > > > (0)   perl : $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'Perl'
    > > > > > > > rlm_perl: Config File /etc/freeradius/rlm_perl.ini found!
    > > > > > > > rlm_perl: Default URL https://127.0.0.1/validate/check
    > > > > > > > rlm_perl: Looking for config for auth-type Perl
    > > > > > > > rlm_perl: Auth-Type: Perl
    > > > > > > > rlm_perl: url: https://127.0.0.1/validate/check
    > > > > > > > rlm_perl: user sent to privacyidea: user
    > > > > > > > rlm_perl: realm sent to privacyidea:
    > > > > > > > rlm_perl: resolver sent to privacyidea:
    > > > > > > > rlm_perl: client sent to privacyidea: 127.0.0.1
    > > > > > > > rlm_perl: state sent to privacyidea:
    > > > > > > > rlm_perl: urlparam client
    > > > > > > > rlm_perl: urlparam pass
    > > > > > > > rlm_perl: urlparam user
    > > > > > > > rlm_perl: Not verifying SSL certificate!
    > > > > > > > rlm_perl: privacyIDEA request failed: 500 INTERNAL SERVER ERROR
    > > > > > > > rlm_perl: return RLM_MODULE_FAIL
    > > > > > > > (0)  perl : &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'user'
    > > > > > > > (0)  perl : &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Oct 21 2015 11:50:57 AEDT'
    > > > > > > > (0)  perl : &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'password'
    > > > > > > > (0)  perl : &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '127.0.0.1'
    > > > > > > > (0)  perl : &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
    > > > > > > > (0)  perl : &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl'
    > > > > > > > (0)   [perl] = fail
    > > > > > > > (0)  } # Auth-Type Perl = fail
    > > > > > > > (0) Failed to authenticate the user
    > > > > > > > (0) Using Post-Auth-Type Reject
    > > > > > > > (0) Delaying response for 1 seconds
    > > > > > > > Waking up in 0.9 seconds.
    > > > > > > > (0) Sending delayed response
    > > > > > > > (0) Sending Access-Reject packet to host 127.0.0.1 port 35488, id=111, length=0
    > > > > > > > (0)     Reply-Message = 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
    > > > > > > > Sending Access-Reject Id 111 from 127.0.0.1:1812 to 127.0.0.1:35488
    > > > > > > >         Reply-Message = 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
    > > > > > > > Waking up in 3.9 seconds.
    > > > > > > > (0) Cleaning up request packet ID 111 with timestamp +7
    > > > > > > >
    > > > > > > > I don't think this is just an issue with the user / password, but if anyone can point me in the right direction in what I may have done wrong with either the radius or privacy idea install?
    > > > > > > >
    > > > > > > > Cheers
    > > > > > > >
    > > > > > > > --
    > > > > > > > You received this message because you are subscribed to the Google Groups "privacyidea" group.
    > > > > > > > To unsubscribe from this group and stop receiving emails from it, send an email to privacyidea...@googlegroups.com.
    > > > > > > > To post to this group, send email to priva...@googlegroups.com.
    > > > > > > > To view this discussion on the web visit https://groups.google.com/d/msgid/privacyidea/96a156c2-b64d-417d-811a-e152d27c8fd2%40googlegroups.com.
    > > > > > > > For more options, visit https://groups.google.com/d/optout.
    > > > > > >
    
    -- 
    Cornelius Kölbel 
    corneliu...@netknights.it 
    +49 151 2960 1417 
    
    NetKnights GmbH 
    http://www.netknights.it 
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    Tel: +49 561 3166797, Fax: +49 561 3166798 
    
    Amtsgericht Kassel, HRB 16405 
    Geschäftsführer: Cornelius Kölbel 
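The script change discussed in this thread removes the Reply-Message AVP, so the Access-Accept sent to the firewall carries nothing but the 20-byte RADIUS header. The example below is added here and is not code from the privacyIDEA project or from anyone in the thread: it builds both forms of the packet, parses them back, and verifies the Response Authenticator the way a NAS does (RFC 2865: MD5 over code, id, length, the request authenticator, the attributes and the shared secret). The shared secret is the testing123 from the radclient test above; the request authenticator is a fixed constructed value, where a real NAS sends 16 random bytes.

```python
"""Constructed example: build RADIUS Access-Accept/Access-Reject packets with
and without a Reply-Message AVP, parse them back, and verify the Response
Authenticator (RFC 2865 section 3). Not code from privacyIDEA or FreeRADIUS."""
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3

# Attribute types used here (RFC 2865)
ATTR_USER_NAME = 1
ATTR_REPLY_MESSAGE = 18

HEADER_LEN = 20  # code(1) + id(1) + length(2) + authenticator(16)

SECRET = b"testing123"           # shared secret used by the radclient test in the thread
REQUEST_AUTH = bytes(range(16))  # constructed; a real NAS sends 16 random bytes


def encode_attrs(attrs):
    """Serialise [(type, value_bytes), ...] as Type-Length-Value AVPs."""
    out = bytearray()
    for attr_type, value in attrs:
        if len(value) > 253:  # AVP length is one byte and includes the 2 header bytes
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return bytes(out)


def decode_attrs(data):
    """Parse the AVP area back into [(type, value_bytes), ...]; a length that
    runs past the buffer is rejected rather than read."""
    attrs = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def response_authenticator(code, ident, attrs_bytes, request_auth, secret):
    """ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def build_response(code, ident, attrs, request_auth, secret):
    """Build a complete response packet answering the request with this id/authenticator."""
    attrs_bytes = encode_attrs(attrs)
    auth = response_authenticator(code, ident, attrs_bytes, request_auth, secret)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs_bytes))
    return header + auth + attrs_bytes


def parse_response(packet, request_auth, secret):
    """Parse a response and check its authenticator against the request it answers.
    A NAS must silently discard a response whose authenticator does not verify."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs_bytes = packet[HEADER_LEN:length]  # bytes past 'length' are padding, ignored
    expected = response_authenticator(code, ident, attrs_bytes, request_auth, secret)
    return {
        "code": code,
        "id": ident,
        "authenticator_ok": hmac.compare_digest(packet[4:HEADER_LEN], expected),
        "attrs": decode_attrs(attrs_bytes),
    }


def reply_messages(parsed):
    """Text of every Reply-Message AVP in a parsed response."""
    return [v.decode("utf-8", "replace") for t, v in parsed["attrs"] if t == ATTR_REPLY_MESSAGE]


def demo():
    """Two Access-Accepts for request id 91: one carrying the reply message the
    thread mentions, one with no AVPs at all (what the modified script sends)."""
    with_message = build_response(
        ACCESS_ACCEPT, 91, [(ATTR_REPLY_MESSAGE, b"privacyIDEA access granted")],
        REQUEST_AUTH, SECRET)
    bare = build_response(ACCESS_ACCEPT, 91, [], REQUEST_AUTH, SECRET)
    return (parse_response(with_message, REQUEST_AUTH, SECRET),
            parse_response(bare, REQUEST_AUTH, SECRET))


if __name__ == "__main__":
    for parsed in demo():
        print(parsed["code"], parsed["authenticator_ok"], reply_messages(parsed))
```

The bare Access-Accept comes out at exactly 20 bytes, and building an Access-Reject with the 53-character Reply-Message from the thread gives a 75-byte packet, matching the "length 75" radclient reported above; a capture whose accept is longer than 20 bytes therefore still carries AVPs. When a NAS silently drops an accept, the two things to compare against a capture are the parsed attribute list and whether the authenticator verifies under the secret that NAS is configured with.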



Thanks Cornelius
this script still doesn’t seem to solve the problem, checkpoint still
doesn’t like the Access-Accept packets for some reason
I’ve had the checkpoint talking to freeradius in the past, so it can work,
but just doesn’t see these accept packets for some reason

On Thursday, 22 October 2015 17:44:43 UTC+11, Cornelinux K wrote:

Hi Tony,

here is a slightly modified script, that does not add any additional
AVPs into the reply.

It only returns ACCESS_ACCEPT or ACCESS_REJECT.

This script replaces the existing one.
Please restart freeradius and check if checkpoint likes it.

Kind regards
Cornelius

On Wednesday, 21.10.2015, 23:35 -0700, Tony Hawker wrote:

Hi Cornelius
Thanks for this info
where do I remove that line from? I’m not familiar with this process.
do I need to change a config file, or change some source code and
recompile?
I believe if I could change the message on that line that could also
possibly help

Cheers

On Thursday, 22 October 2015 17:27:55 UTC+11, Cornelinux K wrote:
Hello Tony,

    at the moment there is no way to configure the reply message. 
    
    You can remove the RAD_REPLY in the privacyidea perl module. 

https://github.com/privacyidea/privacyidea/blob/master/authmodules/FreeRADIUS/privacyidea_radius.pm#L335

    Thus this information will not be added to the reply. 
    If this succeeds, please drop me a note or open an issue at 
    github. 
    We can then make the reply configurable. 
    
    Kind regards 
    Cornelius 
    
    
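As an added illustration (not code from this thread or from the privacyIDEA project), the Python sketch below maps the /validate/check answers Tony quotes in this thread to the rlm_perl result codes that the FreeRADIUS debug output at the top of the thread shows, and separates the two reply shapes under discussion: the stock one, which attaches a Reply-Message AVP to every answer, and the stripped one Cornelius proposes, which returns only the accept/reject code. The two HTTP bodies are the ones Tony pasted (ERR905 and "wrong otp pin"), wrapped back into complete objects with assumed "jsonrpc" and "detail" keys; the successful body and the add_reply_message flag are constructed for the example. The point a practitioner should take from it: a 500 / status=false answer is privacyIDEA reporting an error (here, the user not being found in any resolver of the realm), which the module turns into RLM_MODULE_FAIL, whereas a wrong PIN or OTP comes back as HTTP 200 with status=true and value=false and becomes RLM_MODULE_REJECT.

```python
import json

# rlm_perl return codes as FreeRADIUS defines them; the privacyidea_radius.pm
# module declares the same constants.
RLM_MODULE_REJECT = 0   # wrong credentials: FreeRADIUS sends Access-Reject
RLM_MODULE_FAIL = 1     # module/backend error: FreeRADIUS also sends Access-Reject
RLM_MODULE_OK = 2       # authenticated: FreeRADIUS sends Access-Accept

# Sample /validate/check answers. The first two are the bodies Tony quotes in
# this thread (he pasted only the tail of each object; they are wrapped back
# into complete objects here, and the "jsonrpc"/"detail" keys are assumed).
# The third, a successful check, is constructed to match the same layout.
ERR905_500 = (500, json.dumps({
    "jsonrpc": "2.0", "version": "privacyIDEA 2.7",
    "result": {"status": False,
               "error": {"message": "ERR905: The user can not be found "
                                    "in any resolver in this realm!",
                         "code": -500}},
    "time": 1445425459.788956, "id": 1}))
WRONG_PIN_200 = (200, json.dumps({
    "jsonrpc": "2.0", "detail": {"message": "wrong otp pin"},
    "versionnumber": "2.7", "version": "privacyIDEA 2.7",
    "result": {"status": True, "value": False},
    "time": 1445425581.107504, "id": 1}))
SUCCESS_200 = (200, json.dumps({          # constructed sample
    "jsonrpc": "2.0", "detail": {"message": "matching 1 tokens"},
    "versionnumber": "2.7", "version": "privacyIDEA 2.7",
    "result": {"status": True, "value": True},
    "time": 1445425600.0, "id": 1}))


def classify(http_status, body):
    """Map one /validate/check answer to (rlm_perl result code, Reply-Message).

    Three outcomes, matching what the thread shows:
      * non-200 or status=false -> RLM_MODULE_FAIL: privacyIDEA itself errored
        (ERR905: user not in any resolver of the realm), a configuration
        problem rather than a bad password;
      * status=true, value=false -> RLM_MODULE_REJECT: credentials were
        checked and refused ("wrong otp pin");
      * status=true, value=true  -> RLM_MODULE_OK.
    """
    if http_status != 200:
        # The stock module logs "privacyIDEA request failed: <status line>" and
        # returns FAIL; the server's error text is appended here so an operator
        # can tell ERR905 apart from an outage without opening privacyidea.log.
        reason = f"privacyIDEA request failed: {http_status}"
        try:
            reason += f" ({json.loads(body)['result']['error']['message']})"
        except (ValueError, KeyError, TypeError):
            pass
        return RLM_MODULE_FAIL, reason

    data = json.loads(body)
    result = data.get("result", {})
    if not result.get("status"):
        return RLM_MODULE_FAIL, "privacyIDEA returned status=false"
    if result.get("value"):
        return RLM_MODULE_OK, "privacyIDEA access granted"
    return RLM_MODULE_REJECT, data.get("detail", {}).get("message", "privacyIDEA access denied")


def handle(http_status, body, add_reply_message=True):
    """Return (result code, AVPs that would go into %RAD_REPLY).

    add_reply_message=True reproduces the stock behaviour, where a
    Reply-Message is set on every answer. add_reply_message=False is the
    variant Cornelius suggests: no Reply-Message at all, so the Access-Accept
    carries no extra AVP a picky NAS could object to. (The flag is assumed.)
    """
    code, message = classify(http_status, body)
    avps = {"Reply-Message": message} if add_reply_message else {}
    return code, avps


if __name__ == "__main__":
    for name, sample in (("ERR905", ERR905_500), ("wrong pin", WRONG_PIN_200),
                         ("success", SUCCESS_200)):
        print(name, handle(*sample), handle(*sample, add_reply_message=False))
```

When reading a FreeRADIUS debug log against this mapping, `[perl] = fail` together with a "request failed: 500" Reply-Message points at the privacyIDEA side (realm, resolver or API reachability), while `[perl] = reject` with a "wrong otp pin" message means the round trip works and only the credential was wrong.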

Hi Cornelius,
thanks for this info.
Where do I remove that line from? I'm not familiar with this process. Do I
need to change a config file, or change some source code and recompile?
I believe if I could change the message on that line that could also
possibly help.

Cheers

On Thursday, 22 October 2015 17:27:55 UTC+11, Cornelinux K wrote:

Hello Tony,

at the moment there is no way to configure the reply message.

You can remove the RAD_REPLY in the privacyidea perl module.

https://github.com/privacyidea/privacyidea/blob/master/authmodules/FreeRADIUS/privacyidea_radius.pm#L335

Thus this information will not be added to the reply.
If this succeeds, please drop me a note or open an issue at github.
We can then make the reply configurable.

Kind regards
Cornelius

On Wednesday, 21.10.2015, 17:54 -0700, Tony Hawker wrote:

Hi Cornelius,
thanks for your help, I almost have this working now. I played around
a lot, but I think that ticking the "use @ to separate user and realm"
has allowed the radius to pass through the details correctly.

I have managed to have my radius client authenticate, and it seems to
be sending back the reply message "privacy IDEA access granted" to my
firewalls (I am trying to authenticate VPN users).

I believe the firewall does not like the response message; I am
possibly getting a similar issue to the one described here:

Support, Support Requests, Training, Documentation, and Knowledge base for Check Point products and services

I have also attached a screenshot of how the packet looks from
privacy idea. Do you think that because the reply packet is slightly
different it could be causing this problem?
Is it possible to change the privacy idea radius accept packet to
something generic?

Cheers

On Wednesday, 21 October 2015 23:59:18 UTC+11, Cornelinux K wrote:

Hi,

The user can not be found in the resolver.

What does the request look like?
Is the realm the default realm?
What does the DN of the user look like?

You might have specified the wrong realm (see default realm).

Kind regards
Cornelius
    
    
-------- Original message --------
From: Tony Hawker <lil...@gmail.com>
Date: 21.10.2015 13:14 (GMT+01:00)
To: privacyidea <priva...@googlegroups.com>
Subject: Re: Re: 'privacyIDEA request failed: 500 INTERNAL
SERVER ERROR' - FreeRadius
    
Hi Cornelius,
thanks for your response.
I am running a PIP installation on Centos 7.
I am running the latest version of Privacy idea (2.7), updated as
per the instructions on howtoforge.
The user is coming from Active Directory.
UID is DN.
There are no special characters anywhere in the AD config.

Testing using the URL you provided I get the message below
when attempting to use an AD user:

"version": "privacyIDEA 2.7", "result": {"status": false, "error": {"message": "ERR905: The user can not be found in any resolver in this realm!", "code": -500}}, "time": 1445425459.788956, "id": 1}

but if I use the root user (from the privacyidea server) this returns:

{"message": "wrong otp pin"}, "versionnumber": "2.7", "version": "privacyIDEA 2.7", "result": {"status": true, "value": false}, "time": 1445425581.107504, "id": 1}

I assume the OTP token is out of sync, but it looks much more promising.

Any idea on why the AD would not work via this method? As I can see all
the users in the webui etc.

Cheers
    
    
    
    
    
On Wednesday, 21 October 2015 21:01:47 UTC+11, Cornelinux K wrote:

Hi Tony,

Are you running a pip installation or debian wheezy?

Which version of privacyidea are you running?

In certain cases there were problems with the ldap resolver, if the DN
contains special characters and is base64 encoded.

Is it openldap or AD?

The Uid type: is it DN or entryUUID?

Kind regards
Cornelius
            
            
-------- Original message --------
From: Tony Hawker <lil...@gmail.com>
Date: 21.10.2015 08:59 (GMT+01:00)
To: privacyidea <priva...@googlegroups.com>
Subject: Re: 'privacyIDEA request failed: 500 INTERNAL
SERVER ERROR' - FreeRadius
            
Hi,
thanks for your quick response to my issue.
I have been watching the privacyidea.log but no entries are made when a
connection attempt is made via the radius, which leads me to think that
the radius is not able to see the privacyidea API?
I can access the URI in my browser, so I can see that it is up.

I see this in the privacyidea.log when I reboot:

[2015-10-21 15:41:28,041][1924][139636199069440][ERROR][privacyidea.lib.resolvers.LDAPIdResolver:333] 'Traceback (most recent call last):
  File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 328, in getUserList
    user = self._ldap_attributes_to_user_object(attributes)
  File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 246, in _ldap_attributes_to_user_object
    for ldap_k, ldap_v in attributes.items():
AttributeError: 'NoneType' object has no attribute 'items'
'

Cheers

On Wednesday, 21 October 2015 17:14:34 UTC+11, Cornelinux K wrote:

Hi Tony,

please do the following:

1. Take a look into the audit log

Within the webui take a look at what you can see in the request in the
Audit tab (the rightmost tab).

I assume the user does not exist.

The audit gives you a top level view of what is happening in
privacyidea.

2. Take a look into the log file privacyidea.log.
This gives you a detailed view of what is happening.

Kind regards
Cornelius

On Tuesday, 20.10.2015, 17:56 -0700, Tony Hawker wrote:
                    > Hi 
                    > I have followed the guide on setting up privacyIDEA on Centos 7 here: 
                    > https://www.privacyidea.org/two-factor-authentication-with-otp-on-centos-7/ 
                    > 
                    > I can access the webui, register tokens, linked to active directory etc, all tested ok 
                    > 
                    > I am having issues with the radius plugin, when I attempt to make any connection to the radius, either using the test functions described in the link above, or from an external connection, I am seeing the errors below: 
                    > 
                    > ]# echo "User-Name=user, User-Password=password" | radclient -sx localhost auth testing123 
                    > 
                    > Sending Access-Request Id 91 from 0.0.0.0:34321 to 127.0.0.1:1812 
                    >         User-Name = 'user' 
                    >         User-Password = 'password' 
                    > Received Access-Reject Id 91 from 127.0.0.1:1812 to 127.0.0.1:34321 length 75 
                    >         Reply-Message = 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR' 
                    > (0) -: Expected Access-Accept got Access-Reject 
                    > Packet summary: 
                    >         Accepted      : 0 
                    >         Rejected      : 1 
                    >         Lost          : 0 
                    >         Passed filter : 0 
                    >         Failed filter : 1 
                    > 
                    > and on the radius server I see this: 
                    > 
                    > Received Access-Request Id 111 from 127.0.0.1:35488 to 127.0.0.1:1812 length 44 
                    >         User-Name = 'user' 
                    >         User-Password = 'password' 
                    > (0) Received Access-Request packet from host 127.0.0.1 port 35488, id=111, length=44 
                    > (0)     User-Name = 'user' 
                    > (0)     User-Password = 'password' 
                    > (0) # Executing section authorize from file /etc/raddb/sites-enabled/privacyidea 
                    > (0)   authorize { 
                    > (0)   [preprocess] = ok 
                    > (0)   [digest] = noop 
                    > (0)  suffix : Checking for suffix after "@" 
                    > (0)  suffix : No '@' in User-Name = "user", looking up realm NULL 
                    > (0)  suffix : No such realm "NULL" 
                    > (0)   [suffix] = noop 
                    > (0)  ntdomain : Checking for prefix before "\" 
                    > (0)  ntdomain : No '\' in User-Name = "user", looking up realm NULL 
                    > (0)  ntdomain : No such realm "NULL" 
                    > (0)   [ntdomain] = noop 
                    > (0)   [files] = noop 
                    > (0)   [expiration] = noop 
                    > (0)   [logintime] = noop 
                    > (0)  WARNING: pap : No "known good" password found for the user.  Not setting Auth-Type 
                    > (0)  WARNING: pap : Authentication will fail unless a "known good" password is available 
                    > (0)   [pap] = noop 
                    > (0)   update control { 
                    > (0)     Auth-Type := Perl 
                    > (0)   } # update control = noop 
                    > (0)  } #  authorize = ok 
                    > (0) Found Auth-Type = Perl 
                    > (0) # Executing group from file /etc/raddb/sites-enabled/privacyidea 
                    > (0)  Auth-Type Perl { 
                    > (0)   perl : $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'user' 
                    > (0)   perl : $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'password' 
                    > (0)   perl : $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '127.0.0.1' 
                    > (0)   perl : $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Oct 21 2015 11:50:57 AEDT' 
                    > (0)   perl : $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'Perl' 
                    > (0)   perl : $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'Perl' 
                    > rlm_perl: Config File /etc/freeradius/rlm_perl.ini found! 
                    > rlm_perl: Default URL https://127.0.0.1/validate/check 
                    > rlm_perl: Looking for config for auth-type Perl 
                    > rlm_perl: Auth-Type: Perl 
                    > rlm_perl: url: https://127.0.0.1/validate/check 
                    > rlm_perl: user sent to privacyidea: user 
                    > rlm_perl: realm sent to privacyidea: 
                    > rlm_perl: resolver sent to privacyidea: 
                    > rlm_perl: client sent to privacyidea: 127.0.0.1 
                    > rlm_perl: state sent to privacyidea: 
                    > rlm_perl: urlparam client 
                    > rlm_perl: urlparam pass 
                    > rlm_perl: urlparam user 
                    > rlm_perl: Not verifying SSL certificate! 
                    > rlm_perl: privacyIDEA request failed: 500 INTERNAL SERVER ERROR 
                    > rlm_perl: return RLM_MODULE_FAIL 
                    > (0)  perl : &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'user' 
                    > (0)  perl : &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Oct 21 2015 11:50:57 AEDT' 
                    > (0)  perl : &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'password' 
                    > (0)  perl : &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '127.0.0.1' 
                    > (0)  perl : &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR' 
                    > (0)  perl : &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl' 
                    > (0)   [perl] = fail 
                    > (0)  } # Auth-Type Perl = fail 
                    > (0) Failed to authenticate the user 
                    > (0) Using Post-Auth-Type Reject 
                    > (0) Delaying response for 1 seconds 
                    > Waking up in 0.9 seconds. 
                    > (0) Sending delayed response 
                    > (0) Sending Access-Reject packet to host 127.0.0.1 port 35488, id=111, length=0 
                    > (0)     Reply-Message = 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR' 
                    > Sending Access-Reject Id 111 from 127.0.0.1:1812 to 127.0.0.1:35488 
                    >         Reply-Message = 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR' 
                    > Waking up in 3.9 seconds. 
                    > (0) Cleaning up request packet ID 111 with timestamp +7 
                    > 
                    > I don't think this is just an issue with the user / password, but if anyone can point me in the right direction in what I may have done wrong with either the radius or privacy idea install? 
                    > 
                    > Cheers 
                    > 
                    > -- 
                    > You received this message because you are subscribed to the Google Groups "privacyidea" group. 
                    > To unsubscribe from this group and stop receiving emails from it, send an email to privacyidea...@googlegroups.com. 
                    > To post to this group, send email to priva...@googlegroups.com. 
                    > To view this discussion on the web visit https://groups.google.com/d/msgid/privacyidea/96a156c2-b64d-417d-811a-e152d27c8fd2%40googlegroups.com. 
                    > For more options, visit https://groups.google.com/d/optout. 
                    
                    -- 
                    Cornelius Kölbel 
                    corneliu...@netknights.it 
                    +49 151 2960 1417 
                    
                    NetKnights GmbH 
                    http://www.netknights.it 
                    Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
                    Tel: +49 561 3166797, Fax: +49 561 3166798 
                    
                    Amtsgericht Kassel, HRB 16405 
                    Geschäftsführer: Cornelius Kölbel 
                    
                    
            
            -- 
            You received this message because you are subscribed 
            to the Google Groups "privacyidea" group. 
            To unsubscribe from this group and stop receiving 
            emails from it, send an email to 
            privacyidea...@googlegroups.com. 
            To post to this group, send email to 
            priva...@googlegroups.com. 
            To view this discussion on the web visit 

https://groups.google.com/d/msgid/privacyidea/242a0b48-4735-4b91-b29b-9d53507fe8b8%40googlegroups.com.

            For more options, visit 
            https://groups.google.com/d/optout. 


Cornelius Kölbel
corneliu…@netknights.it <javascript:>
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

Hello Tony,

at the moment there is no way to configure the reply message.

You can remove the RAD_REPLY in the privacyidea perl module.
https://github.com/privacyidea/privacyidea/blob/master/authmodules/FreeRADIUS/privacyidea_radius.pm#L335

Thus this information will not be added to the reply.
If this succeeds, please drop me a note or open an issue at github.
We can then make the reply configurable.

Kind regards
Cornelius

On Wednesday, 21.10.2015, 17:54 -0700 Tony Hawker wrote:

Hi Cornelius
Thanks for your help, I almost have this working now. I played around
a lot, but I think that ticking the "use @ to separate user and realm"
option has allowed the radius to pass through the details correctly.

I have managed to have my radius client authenticate, and it seems to
be sending back the reply message "privacy IDEA access granted" to my
firewalls (I am trying to authenticate VPN users).

I believe the firewall does not like the response message. I am
possibly getting a similar issue to the one described here:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk107638

I have also attached a screen shot of how the packet looks from
privacy idea. Do you think that because the reply packet is slightly
different it could be causing this problem?
Is it possible to change the privacy idea radius accept packet to
something generic?

Cheers

On Wednesday, 21 October 2015 23:59:18 UTC+11, Cornelinux K wrote:

    Hi,

    The user can not be found in the resolver.

    What does the request look like?
    Is the realm the default realm?
    What does the DN of the user look like?

    You might have specified the wrong realm (see default realm).

    Kind regards
    Cornelius 

    -------- Original Message --------
    From: Tony Hawker <lil...@gmail.com> 
    Date: 21.10.2015 13:14 (GMT+01:00) 
    To: privacyidea <priva...@googlegroups.com> 
    Subject: Re: Re: 'privacyIDEA request failed: 500 INTERNAL
    SERVER ERROR' - FreeRadius 
    
    Hi Cornelius
    Thanks for your response.
    I am running a PIP installation on Centos 7.
    I am running the latest version of privacyIDEA (2.7), updated as
    per the instructions on howtoforge.
    The user is coming from Active Directory.
    UID is DN.
    There are no special characters anywhere in the AD config.

    Testing using the URL you provided, I get the message below
    when attempting to use an AD user:
    "version": "privacyIDEA 2.7", "result": {"status": false, "error": {"message": "ERR905: The user can not be found in any resolver in this realm!", "code": -500}}, "time": 1445425459.788956, "id": 1}

    but if I use the root user (from the privacyidea server) this returns:
    {"message": "wrong otp pin"}, "versionnumber": "2.7", "version": "privacyIDEA 2.7", "result": {"status": true, "value": false}, "time": 1445425581.107504, "id": 1}
    I assume the OTP token is out of sync, but this looks much more promising.

    Any idea why the AD would not work via this method, as I can see all the users in the webui etc?

    Cheers

    On Wednesday, 21 October 2015 21:01:47 UTC+11, Cornelinux K wrote:
            Hi Tony,

            Are you running a pip installation or debian wheezy?

            Which version of privacyidea are you running?

            In certain cases there were problems with the ldap
            resolver, if the DN contains special characters and is
            base64 encoded.

            Is it openldap or AD?

            The Uid type: is it DN or entryUUID? 

            Kind regards 
            Cornelius 

            -------- Original Message --------
            From: Tony Hawker <lil...@gmail.com> 
            Date: 21.10.2015 08:59 (GMT+01:00) 
            To: privacyidea <priva...@googlegroups.com> 
            Subject: Re: 'privacyIDEA request failed: 500 INTERNAL
            SERVER ERROR' - FreeRadius 
            
            Hi
            Thanks for your quick response to my issue.
            I have been watching the privacyidea.log but no
            entries are made when a connection attempt is made via
            the radius, which leads me to think that the radius is
            not able to see the privacyidea API?
            I can access the URI in my browser, so I can see that
            it is up.

            I see this in the privacyidea.log when I reboot:

            [2015-10-21 15:41:28,041][1924][139636199069440][ERROR][privacyidea.lib.resolvers.LDAPIdResolver:333] 'Traceback (most recent call last):\n  File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 328, in getUserList\n    user = self._ldap_attributes_to_user_object(attributes)\n  File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 246, in _ldap_attributes_to_user_object\n    for ldap_k, ldap_v in attributes.items():\nAttributeError: \'NoneType\' object has no attribute \'items\'\n'

            Cheers

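Cornelius's suggestion above is to drop the RAD_REPLY line so that no Reply-Message AVP is added to the reply, and Tony asks whether the slightly different Access-Accept is what the firewall rejects. As an added example (my own code, not the privacyIDEA rlm_perl module or FreeRADIUS), the script below builds such an Access-Accept, decodes its AVPs so the packet can be compared with what the firewall expects, and verifies the RFC 2865 Response Authenticator; it also builds a variant carrying a Class (25) attribute, which the thread turns to next. The shared secret testing123 is the one from the radclient test; the request authenticator and the Class value are constructed.

```python
"""Decode a RADIUS Access-Accept and verify its Response Authenticator.

Constructed example, not code from privacyIDEA or FreeRADIUS.  It builds
the kind of Access-Accept the privacyIDEA rlm_perl module sends (only a
Reply-Message AVP), decodes the attributes so the packet can be compared
with what the firewall expects, and checks the RFC 2865 Response
Authenticator MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_REPLY_MESSAGE = 18   # text shown to the user, e.g. "privacyIDEA access granted"
ATTR_CLASS = 25           # opaque value a NAS may use for group / authorization decisions
HEADER_LEN = 20           # Code(1) + ID(1) + Length(2) + Authenticator(16)
ATTR_NAMES = {ATTR_REPLY_MESSAGE: "Reply-Message", ATTR_CLASS: "Class"}


def encode_attrs(attrs):
    """Encode (type, value bytes) pairs as RADIUS AVPs: Type, Length, Value."""
    out = bytearray()
    for atype, value in attrs:
        if not 0 < len(value) <= 253:   # Length is one byte and includes the 2-byte TL
            raise ValueError("attribute %d value must be 1..253 bytes" % atype)
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return bytes(out)


def build_response(code, ident, request_auth, attrs, secret):
    """Build an Access-Accept/Reject answering the request with ident/request_auth."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    resp_auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + resp_auth + body


def parse_packet(data):
    """Return (code, ident, authenticator, [(type, value), ...]).

    Truncated packets and malformed attribute lengths raise ValueError
    instead of being silently accepted."""
    if len(data) < HEADER_LEN:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < HEADER_LEN or length > len(data):
        raise ValueError("bad Length field %d" % length)
    attrs = []
    pos = HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("dangling attribute bytes at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, data[4:HEADER_LEN], attrs


def verify_response_authenticator(data, request_auth, secret):
    """True iff the Response Authenticator matches this request and shared secret."""
    _, _, auth, _ = parse_packet(data)          # also validates the framing
    length = struct.unpack("!H", data[2:4])[0]
    expected = hashlib.md5(data[:4] + request_auth + data[HEADER_LEN:length] + secret).digest()
    return hmac.compare_digest(auth, expected)


def summarize(data):
    """Human-readable AVP list, e.g. ["Reply-Message(18) = 'privacyIDEA access granted'"]."""
    _, _, _, attrs = parse_packet(data)
    return ["%s(%d) = %r" % (ATTR_NAMES.get(t, "Attr"), t, v.decode("utf-8", "replace"))
            for t, v in attrs]


def has_attr(data, atype):
    """Does the decoded packet carry an attribute of this type?"""
    return any(t == atype for t, _ in parse_packet(data)[3])


if __name__ == "__main__":
    secret = b"testing123"              # same value as the radclient test in the thread
    request_auth = bytes(range(16))     # constructed Request Authenticator of the Access-Request
    # 1. what the privacyIDEA perl module replies with: Reply-Message only
    accept = build_response(ACCESS_ACCEPT, 91, request_auth,
                            [(ATTR_REPLY_MESSAGE, b"privacyIDEA access granted")], secret)
    # 2. the same Access-Accept with an additional Class attribute (constructed value)
    accept_class = build_response(ACCESS_ACCEPT, 91, request_auth,
                                  [(ATTR_REPLY_MESSAGE, b"privacyIDEA access granted"),
                                   (ATTR_CLASS, b"vpn-users")], secret)
    for name, pkt in (("reply-message only", accept), ("with Class", accept_class)):
        print(name, summarize(pkt), "authenticator ok:",
              verify_response_authenticator(pkt, request_auth, secret))
```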

Hi Tony,

the Attribute Value Pair Class 25 usually seems to expect some
attribute, which the firewall uses to authorize the access or put the
user of this request in some control group.

So the question is: Do you have another RADIUS server running at the
moment, and what do the requests look like there?

I assume we have to add an attribute of class 25 with the correct value
that is expected by your checkpoint configuration.

And additionally I assume that it is not the existing attributes that made
the response fail, but the missing class-25 attribute.
This attribute is usually used for group information.
(http://freeradius.1045715.n5.nabble.com/Reply-with-group-attribute-td2781054.html)

So I guess we need to look at the freeradius side (independent of the
privacyIDEA plugin).

We need to investigate

  • the successful RADIUS REQUEST with your existing RADIUS server
  • the successful RADIUS RESPONSE with your existing RADIUS server
    and then configure FreeRADIUS accordingly.

I will try to help you with that.
But maybe at a certain point we might also need to take this to the
freeradius list.

Kind regards
Cornelius

On Wednesday, 21.10.2015, 23:52 -0700 Tony Hawker wrote:

Thanks Cornelius
This script still doesn't seem to solve the problem; checkpoint still
doesn't like the Access-Accept packets for some reason.
I've had the checkpoint talking to freeradius in the past, so it can
work, but it just doesn't see these accept packets for some reason.

On Thursday, 22 October 2015 17:44:43 UTC+11, Cornelinux K wrote:
    Hi Tony,

    here is a slightly modified script that does not add any
    additional AVPs into the reply. 

    It only returns ACCESS_ACCEPT or ACCESS_REJECT. 

    This script replaces the existing one. 
    Please restart freeradius and check if checkpoint likes it. 

    Kind regards 
    Cornelius 

    On Wednesday, 21.10.2015, 23:35 -0700 Tony Hawker wrote: 
    > Hi Cornelius 
    > Thanks for this info. 
    > Where do I remove that line from? I'm not familiar with this process. 
    > Do I need to change a config file, or change some source code and recompile? 
    > I believe if I could change the message on that line that could also possibly help. 
    > 
    > Cheers 
    > 
    > On Thursday, 22 October 2015 17:27:55 UTC+11, Cornelinux K wrote: 
    >         Hello Tony, 
    >         
    >         at the moment there is no way to configure the reply
    message. 
    >         
    >         You can remove the RAD_REPLY in the privacyidea perl
    module. 
    >
    https://github.com/privacyidea/privacyidea/blob/master/authmodules/FreeRADIUS/privacyidea_radius.pm#L335 
    >         
    >         Thus this information will not be added to the
    reply. 
    >         If this succeeds, please drop me a note or open an
    issue at 
    >         github. 
    >         We can then make the reply configurable. 
    >         
    >         Kind regards 
    >         Cornelius 
    >         
    >         
    >         Am Mittwoch, den 21.10.2015, 17:54 -0700 schrieb
    Tony Hawker: 
    >         > Hi Cornelius 
    >         > Thanks for your help, I almost have this working
    now, i 
    >         played around 
    >         > allot, but i think that ticking the "use @ to
    separate user 
    >         and realm" 
    >         > has allowed the radius to pass though the details
    correctly 
    >         > 
    >         > 
    >         > I have managed to have my radius client
    authenticate, and it 
    >         seems to 
    >         > be sending back the reply message "privacy IDEA
    access 
    >         granted" to my 
    >         > firewalls (I am tying to authenticate VPN users) 
    >         > 
    >         > 
    >         > I believe the firewall does not like the response
    message, I 
    >         am 
    >         > possibly getting a similar issue described here: 
    >         > 
    >
    https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk107638 
    >         > 
    >         > 
    >         > I have also attached a screen shot of how the
    packet looks 
    >         from 
    >         > privacy idea, do you think that because the reply
    packet is 
    >         slightly 
    >         > different it could be causing this problem? 
    >         > is t possible to change the privacy idea radius
    accept 
    >         packet too 
    >         > something generic? 
    >         > 
    >         > 
    >         > Cheers 
    >         > 
    >         > On Wednesday, 21 October 2015 23:59:18 UTC+11, Cornelinux K  wrote: 
    >         >         
    >         >         
    >         >         Hi, 
    >         >         
    >         >         
    >         >         The user can not be found in the
    resolver. 
    >         >         
    >         >         
    >         >         
    >         >         
    >         >         How does the request look like? 
    >         >         Is the realm the default realm. 
    >         >         how does the DN of the user look like? 
    >         >         
    >         >         
    >         >         
    >         >         
    >         >         You might have specified the wrong realm
    (see 
    >         default realm) 
    >         >         
    >         >         
    >         >         
    >         >         
    >         >         Kind regards 
    >         >         Cornelius 
    >         >         
    >         >         
    >         >         
    >         >         
    >         >         Cornelius Kölbel 
    >         >         Corneliu...@netknights.it 
    >         >         +49 151 2960 1417 
    >         >         
    >         >         
    >         >         NetKnights GmbH 
    >         >         http://netknights.it 
    >         >         Landgraf-Karl-Str. 19, 34131 Kassel,
    Germany 
    >         >         Tel: +49 561 3166797, Fax: +49 561
    3166798 
    >         >         
    >         >         
    >         >         Amtsgericht Kassel, HRB 16405 
    >         >         Geschäftsführer: Cornelius Kölbel 
    >         >         
    >         >         
    >         >         -------- Ursprüngliche Nachricht -------- 
    >         >         Von: Tony Hawker <lil...@gmail.com> 
    >         >         Datum: 21.10.2015 13:14 (GMT+01:00) 
    >         >         An: privacyidea
    <priva...@googlegroups.com> 
    >         >         Betreff: Re: Re: 'privacyIDEA request
    failed: 500 
    >         INTERNAL 
    >         >         SERVER ERROR' - FreeRadius 
    >         >         
    >         >         Hi Cornelius 
    >         >         Thanks for your response 
    >         >         I am running PIP installation on Centos 7 
    >         >         I am running latest version of Privacy
    idea (2.7), 
    >         updated as 
    >         >         per instructions on howtoforge 
    >         >         the user is coming from Active Directory 
    >         >         UID is DN 
    >         >         there are no special characters anywhere
    in the AD 
    >         config 
    >         >         
    >         >         
    >         >         testing using the URL you provided I get
    the message 
    >         below 
    >         >         when attempting to use an AD user 
    >         >         "version": "privacyIDEA 2.7", "result":
    {"status": 
    >         false, "error": {"message": "ERR905: The user can
    not be found 
    >         in any resolver in this realm!", "code": -500}},
    "time": 
    >         1445425459.788956, "id": 1} 
    >         >         
    >         >         but if i use the root user (from the
    privacyidea 
    >         server) this returns: 
    >         >         {"message": "wrong otp pin"},
    "versionnumber": 
    >         "2.7", "version": "privacyIDEA 2.7", "result":
    {"status": 
    >         true, "value": false}, "time": 1445425581.107504,
    "id": 1} 
    >         >         I assume the OTP token is out of sync, but
    looks 
    >         much more promising 
    >         >         
    >         >         any idea on why the AD would not work via
    this 
    >         method? as i can see all the users in the webui etc 
    >         >         
    >         >         Cheers 
    >         >         
    >         >         
    >         >         
    >         >         
    >         >         
    >         >         On Wednesday, 21 October 2015 21:01:47 UTC +11,  Cornelinux K  wrote: 
    >         >                 Hi Tony, 
    >         >                 
    >         >                 
    >         >                 Are you running a pip installation
    or debian 
    >         wheezy? 
    >         >                 
    >         >                 
    >         >                 Which version of privacyidea are
    you 
    >         running? 
    >         >                 
    >         >                 
    >         >                 In certain cases there were
    problems with 
    >         the ldap 
    >         >                 resolver, if the DN contains
    special 
    >         characters and is 
    >         >                 base54 encoded. 
    >         >                 
    >         >                 
    >         >                 Is it openldap or AD? 
    >         >                 
    >         >                 
    >         >                 The Uid type: is it DN or
    entryUUID? 
    >         >                 
    >         >                 
    >         >                 Kind regards 
    >         >                 Cornelius 
    >         >                 
    >         >                 
    >         >                 
    >         >                 
    >         >                 
    >         >                 
    >         >                 Cornelius Kölbel 
    >         >                 Corneliu...@netknights.it 
    >         >                 +49 151 2960 1417 
    >         >                 
    >         >                 
    >         >                 NetKnights GmbH 
    >         >                 http://netknights.it 
    >         >                 Landgraf-Karl-Str. 19, 34131
    Kassel, 
    >         Germany 
    >         >                 Tel: +49 561 3166797, Fax: +49 561
    3166798 
    >         >                 
    >         >                 
    >         >                 Amtsgericht Kassel, HRB 16405 
    >         >                 Geschäftsführer: Cornelius Kölbel 
    >         >                 
    >         >                 
    >         >                 -------- Ursprüngliche Nachricht
    -------- 
    >         >                 Von: Tony Hawker
    <lil...@gmail.com> 
    >         >                 Datum: 21.10.2015 08:59 (GMT
    +01:00) 
    >         >                 An: privacyidea
    <priva...@googlegroups.com> 
    >         >                 Betreff: Re: 'privacyIDEA request
    failed: 
    >         500 INTERNAL 
    >         >                 SERVER ERROR' - FreeRadius 
    >         >                 
    >         >                 Hi 
    >         >                 thanks for your quick response to
    my issue 
    >         >                 I have been watching the
    privacyidea.log but 
    >         no 
    >         >                 entries are made when a connection
    attempt 
    >         is made via 
    >         >                 the radius, which leads me to
    think that the 
    >         radius is 
    >         >                 not able to see the privacyidea
    API? 
    >         >                 I can access the URI in my
    browser, so i can 
    >         see that 
    >         >                 is up 
    >         >                 
    >         >                 
    >         >                 I see this in the privacyidea.log
    when i 
    >         reboot 
    >         >                 
    >         >                 
    >         >                 [2015-10-21 
    >         > 
    >
    15:41:28,041][1924][139636199069440][ERROR][privacyidea.lib.resolvers.LDAPIdResolver:333] 'Traceback (most recent call last):\n  File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/         LDAPIdResolver.py", line 328, in getUserList\n    user = self._ldap_attributes_to_user_object(attributes)\n  File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 246, in          _ldap_attributes_to_user_object\n    for ldap_k, ldap_v in attributes.items():\nAttributeError: \'NoneType\' object has no attribute \'items\'\n' 
    >         >                 
    >         >                 
    >         >                 Cheers 
    >         >                 
    >         >                 
    >         >                 
    >         >                 
    >         >                 
    >         >                 
    >         >                 
    >         >                 
    >         >                 On Wednesday, 21 October 2015 17:14:34 UTC  +11,  Cornelinux K wrote: 
    >         >                         Hi Tony, 
    >         >                         
    >         >                         please do the following: 
    >         >                         
    >         >                         1. Take a look into the
    audit log 
    >         >                         
    >         >                         Within the webui take a
    look, what 
    >         you can see 
    >         >                         in the request in the 
    >         >                         AUdit Tab. The right most
    tab. 
    >         >                         
    >         >                         I assume, the user does
    not exist. 
    >         >                         
    >         >                         The audit gives you a top
    level view 
    >         of what 
    >         >                         is happening in 
    >         >                         privacyidea. 
    >         >                         
    >         >                         2. Take a look into the
    log file 
    >         >                         privacyidea.log. 
    >         >                         This gives you a detailed
    view, of 
    >         what is 
    >         >                         happening. 
    >         >                         
    >         >                         Kind regards 
    >         >                         Cornelius 
    >         >                         
    >         >                         Am Dienstag, den
    20.10.2015, 17:56 
    >         -0700 
    >         >                         schrieb Tony Hawker: 
    >         >                         > Hi 
    >         >                         > I have followed the
    guide on 
    >         setting up 
    >         >                         Privactidea on Centos 7
    here: 
    >         >                         > 
    >         > 
    >
    https://www.privacyidea.org/two-factor-authentication-with-otp-on-centos-7/ 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > I can access the webui,
    register 
    >         tokens, 
    >         >                         linked to active
    directory 
    >         >                         > etc, all tested ok 
    >         >                         > 
    >         >                         > 
    >         >                         > I am having issues with
    the radius 
    >         plugin, 
    >         >                         when I attempt to make
    any 
    >         >                         > connection to the
    radius, either 
    >         using the 
    >         >                         test functions described
    in 
    >         >                         > the link above, or from
    an 
    >         external 
    >         >                         connection, I am seeing
    the errors 
    >         >                         > below: 
    >         >                         > 
    >         >                         > 
    >         >                         > ]# echo
    "User-Name=user, 
    >         >                         User-Password=password" |
    radclient 
    >         -sx 
    >         >                         > localhost auth
    testing123 
    >         >                         > 
    >         >                         > 
    >         >                         > Sending Access-Request
    Id 91 from 
    >         >                         0.0.0.0:34321 to
    127.0.0.1:1812 
    >         >                         > 
    >         >                         >         User-Name =
    'user' 
    >         >                         >         User-Password = 
    >         'password' 
    >         >                         > Received Access-Reject
    Id 91 from 
    >         >                         127.0.0.1:1812 to
    127.0.0.1:34321 
    >         >                         > length 75 
    >         >                         >         Reply-Message = 
    >         'privacyIDEA request 
    >         >                         failed: 500 INTERNAL 
    >         >                         > SERVER ERROR' 
    >         >                         > (0) -: Expected
    Access-Accept got 
    >         >                         Access-Reject 
    >         >                         > Packet summary: 
    >         >                         >         Accepted      :
    0 
    >         >                         >         Rejected      :
    1 
    >         >                         >         Lost          :
    0 
    >         >                         >         Passed filter :
    0 
    >         >                         >         Failed filter :
    1 
    >         >                         > 
    >         >                         > 
    >         >                         > and on the radius server
    I see 
    >         this: 
    >         >                         > 
    >         >                         > 
    >         >                         > Received Access-Request
    Id 111 
    >         from 
    >         >                         127.0.0.1:35488 to
    127.0.0.1:1812 
    >         >                         > length 44 
    >         >                         >         User-Name =
    'user' 
    >         >                         >         User-Password = 
    >         'password' 
    >         >                         > (0) Received
    Access-Request packet 
    >         from host 
    >         >                         127.0.0.1 port 35488, 
    >         >                         > id=111, length=44 
    >         >                         > (0)     User-Name =
    'user' 
    >         >                         > (0)     User-Password = 
    >         'password' 
    >         >                         > (0) # Executing section
    authorize 
    >         from 
    >         >                         > 
    >         file /etc/raddb/sites-enabled/privacyidea 
    >         >                         > (0)   authorize { 
    >         >                         > (0)   [preprocess] = ok 
    >         >                         > (0)   [digest] = noop 
    >         >                         > (0)  suffix : Checking
    for suffix 
    >         after "@" 
    >         >                         > (0)  suffix : No '@' in
    User-Name 
    >         = "user", 
    >         >                         looking up realm NULL 
    >         >                         > (0)  suffix : No such
    realm 
    >         "NULL" 
    >         >                         > (0)   [suffix] = noop 
    >         >                         > (0)  ntdomain : Checking
    for 
    >         prefix before 
    >         >                         "\" 
    >         >                         > (0)  ntdomain : No '\'
    in 
    >         User-Name = 
    >         >                         "user", looking up realm
    NULL 
    >         >                         > (0)  ntdomain : No such
    realm 
    >         "NULL" 
    >         >                         > (0)   [ntdomain] = noop 
    >         >                         > (0)   [files] = noop 
    >         >                         > (0)   [expiration] =
    noop 
    >         >                         > (0)   [logintime] =
    noop 
    >         >                         > (0)  WARNING: pap : No
    "known 
    >         good" password 
    >         >                         found for the user.  Not 
    >         >                         > setting Auth-Type 
    >         >                         > (0)  WARNING: pap :
    Authentication 
    >         will fail 
    >         >                         unless a "known good" 
    >         >                         > password is available 
    >         >                         > (0)   [pap] = noop 
    >         >                         > (0)   update control { 
    >         >                         > (0)     Auth-Type :=
    Perl 
    >         >                         > (0)   } # update control
    = noop 
    >         >                         > (0)  } #  authorize =
    ok 
    >         >                         > (0) Found Auth-Type =
    Perl 
    >         >                         > (0) # Executing group
    from 
    >         > 
    >         file /etc/raddb/sites-enabled/privacyidea 
    >         >                         > (0)  Auth-Type Perl { 
    >         >                         > (0)   perl : 
    >         $RAD_REQUEST{'User-Name'} = 
    >         >                         &request:User-Name ->
    'user' 
    >         >                         > (0)   perl : 
    >         $RAD_REQUEST{'User-Password'} = 
    >         >                         &request:User-Password -> 
    >         >                         > 'password' 
    >         >                         > (0)   perl : 
    >         $RAD_REQUEST{'NAS-IP-Address'} 
    >         >                         = &request:NAS-IP-Address 
    >         >                         > -> '127.0.0.1' 
    >         >                         > (0)   perl : 
    >         $RAD_REQUEST{'Event-Timestamp'} 
    >         >                         = 
    >         >                         > &request:Event-Timestamp
    -> 'Oct 
    >         21 2015 
    >         >                         11:50:57 AEDT' 
    >         >                         > (0)   perl : 
    >         $RAD_CHECK{'Auth-Type'} = 
    >         >                         &control:Auth-Type ->
    'Perl' 
    >         >                         > (0)   perl : 
    >         $RAD_CONFIG{'Auth-Type'} = 
    >         >                         &control:Auth-Type ->
    'Perl' 
    >         >                         > rlm_perl: Config 
    >         >
    File /etc/freeradius/rlm_perl.ini 
    >         found! 
    >         >                         > rlm_perl: Default URL 
    >         >
    https://127.0.0.1/validate/check 
    >         >                         > rlm_perl: Looking for
    config for 
    >         auth-type 
    >         >                         Perl 
    >         >                         > rlm_perl: Auth-Type:
    Perl 
    >         >                         > rlm_perl: url: 
    >         >
    https://127.0.0.1/validate/check 
    >         >                         > rlm_perl: user sent to 
    >         privacyidea: user 
    >         >                         > rlm_perl: realm sent to 
    >         privacyidea: 
    >         >                         > rlm_perl: resolver sent
    to 
    >         privacyidea: 
    >         >                         > rlm_perl: client sent
    to 
    >         privacyidea: 
    >         >                         127.0.0.1 
    >         >                         > rlm_perl: state sent to 
    >         privacyidea: 
    >         >                         > rlm_perl: urlparam
    client 
    >         >                         > rlm_perl: urlparam pass 
    >         >                         > rlm_perl: urlparam user 
    >         >                         > rlm_perl: Not verifying
    SSL 
    >         certificate! 
    >         >                         > rlm_perl: privacyIDEA
    request 
    >         failed: 500 
    >         >                         INTERNAL SERVER ERROR 
    >         >                         > rlm_perl: return
    RLM_MODULE_FAIL 
    >         >                         > (0)  perl :
    &request:User-Name = 
    >         >                         $RAD_REQUEST{'User-Name'}
    -> 'user' 
    >         >                         > (0)  perl : 
    >         &request:Event-Timestamp = 
    >         >
    $RAD_REQUEST{'Event-Timestamp'} 
    >         >                         > -> 'Oct 21 2015 11:50:57
    AEDT' 
    >         >                         > (0)  perl :
    &request:User-Password 
    >         = 
    >         >
    $RAD_REQUEST{'User-Password'} -> 
    >         >                         > 'password' 
    >         >                         > (0)  perl : 
    >         &request:NAS-IP-Address = 
    >         >
    $RAD_REQUEST{'NAS-IP-Address'} 
    >         >                         > -> '127.0.0.1' 
    >         >                         > (0)  perl :
    &reply:Reply-Message 
    >         = 
    >         >
    $RAD_REPLY{'Reply-Message'} -> 
    >         >                         > 'privacyIDEA request
    failed: 500 
    >         INTERNAL 
    >         >                         SERVER ERROR' 
    >         >                         > (0)  perl :
    &control:Auth-Type = 
    >         >                         $RAD_CHECK{'Auth-Type'} ->
    'Perl' 
    >         >                         > (0)   [perl] = fail 
    >         >                         > (0)  } # Auth-Type Perl
    = fail 
    >         >                         > (0) Failed to
    authenticate the 
    >         user 
    >         >                         > (0) Using Post-Auth-Type
    Reject 
    >         >                         > (0) Delaying response
    for 1 
    >         seconds 
    >         >                         > Waking up in 0.9
    seconds. 
    >         >                         > (0) Sending delayed
    response 
    >         >                         > (0) Sending
    Access-Reject packet 
    >         to host 
    >         >                         127.0.0.1 port 35488,
    id=111, 
    >         >                         > length=0 
    >         >                         > (0)     Reply-Message = 
    >         'privacyIDEA request 
    >         >                         failed: 500 INTERNAL 
    >         >                         > SERVER ERROR' 
    >         >                         > Sending Access-Reject Id
    111 from 
    >         >                         127.0.0.1:1812 to
    127.0.0.1:35488 
    >         >                         >         Reply-Message = 
    >         'privacyIDEA request 
    >         >                         failed: 500 INTERNAL 
    >         >                         > SERVER ERROR' 
    >         >                         > Waking up in 3.9
    seconds. 
    >         >                         > (0) Cleaning up request
    packet ID 
    >         111 with 
    >         >                         timestamp +7 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > I don't think this is
    just an 
    >         issue with the 
    >         >                         user / password, but if 
    >         >                         > anyone can point me in
    the right 
    >         direction 
    >         >                         in what I may have done 
    >         >                         > wrong with either the
    radius or 
    >         privacy idea 
    >         >                         install? 
    >         >                         > 
    >         >                         > 
    >         >                         > Cheers 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > -- 
    >         >                         > You received this
    message because 
    >         you are 
    >         >                         subscribed to the Google 
    >         >                         > Groups "privacyidea"
    group. 
    >         >                         > To unsubscribe from this
    group and 
    >         stop 
    >         >                         receiving emails from it,
    send 
    >         >                         > an email to 
    >         >
    privacyidea...@googlegroups.com. 
    >         >                         > To post to this group,
    send email 
    >         to 
    >         >
    priva...@googlegroups.com. 
    >         >                         > To view this discussion
    on the web 
    >         visit 
    >         >                         > 
    >         > 
    >
    https://groups.google.com/d/msgid/privacyidea/96a156c2-b64d-417d-811a-e152d27c8fd2%40googlegroups.com. 
    >         >                         > For more options, visit 
    >         >
    https://groups.google.com/d/optout. 
    >         >                         
    >         >                         -- 
    >         >                         Cornelius Kölbel 
    >         >                         corneliu...@netknights.it 
    >         >                         +49 151 2960 1417 
    >         >                         
    >         >                         NetKnights GmbH 
    >         >                         http://www.netknights.it 
    >         >                         Landgraf-Karl-Str. 19,
    34131 Kassel, 
    >         Germany 
    >         >                         Tel: +49 561 3166797, Fax:
    +49 561 
    >         3166798 
    >         >                         
    >         >                         Amtsgericht Kassel, HRB
    16405 
    >         >                         Geschäftsführer: Cornelius
    Kölbel 
    >         >                         
    >         >                         
    >         >                 
    >         >                 -- 
    >         >                 You received this message because
    you are 
    >         subscribed 
    >         >                 to the Google Groups "privacyidea"
    group. 
    >         >                 To unsubscribe from this group and
    stop 
    >         receiving 
    >         >                 emails from it, send an email to 
    >         >                 privacyidea...@googlegroups.com. 
    >         >                 To post to this group, send email
    to 
    >         >                 priva...@googlegroups.com. 
    >         >                 To view this discussion on the web
    visit 
    >         > 
    >
    https://groups.google.com/d/msgid/privacyidea/242a0b48-4735-4b91-b29b-9d53507fe8b8%40googlegroups.com. 
    >         >                 For more options, visit 
    >         >
    https://groups.google.com/d/optout. 
    >         >                 
    >         >         
    >         > 
    >         > 
    >         -- 
    >         Cornelius Kölbel 
    >         corneliu...@netknights.it 
    >         +49 151 2960 1417 
    >         
    >         NetKnights GmbH 
    >         http://www.netknights.it 
    >         Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    >         Tel: +49 561 3166797, Fax: +49 561 3166798 
    >         
    >         Amtsgericht Kassel, HRB 16405 
    >         Geschäftsführer: Cornelius Kölbel 
    >         
    >         
    > -- 
    > You received this message because you are subscribed to the
    Google 
    > Groups "privacyidea" group. 
    > To unsubscribe from this group and stop receiving emails
    from it, send 
    > an email to privacyidea...@googlegroups.com. 
    > To post to this group, send email to
    priva...@googlegroups.com. 
    > To view this discussion on the web visit 
    >
    https://groups.google.com/d/msgid/privacyidea/ecfb73db-d3cb-4ec0-871c-f1e57f1804e0%40googlegroups.com. 
    > For more options, visit https://groups.google.com/d/optout. 
    
    -- 
    Cornelius Kölbel 
    corneliu...@netknights.it 
    +49 151 2960 1417 
    
    NetKnights GmbH 
    http://www.netknights.it 
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    Tel: +49 561 3166797, Fax: +49 561 3166798 
    
    Amtsgericht Kassel, HRB 16405 
    Geschäftsführer: Cornelius Kölbel 


You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/f393aeb4-4c92-4a5e-a3e4-434cb7f62fb7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
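Cornelius's suggestion above is to capture the Access-Accept that the existing RADIUS server sends (and Checkpoint accepts) and compare it with the one FreeRADIUS/privacyIDEA sends, looking for the missing attribute 25 (Class). The following helper is an added example, not code from the thread, from privacyIDEA or from FreeRADIUS: it parses raw RADIUS packets in the RFC 2865 layout, lists the attribute-value pairs, reports which required attributes a reply lacks and validates the Response Authenticator against the shared secret. The request authenticator, the attribute values and both sample replies are constructed here; only the `testing123` secret comes from the original post's radclient command.

```python
"""Compare two RADIUS Access-Accept replies attribute by attribute.

Parses raw RADIUS packets (RFC 2865 layout: code, identifier, length,
16-byte authenticator, then type/length/value attributes), lists their
attribute-value pairs, reports which required attributes a reply lacks
and checks the Response Authenticator against the shared secret, so a
capture from a server Checkpoint accepts can be diffed against the
FreeRADIUS/privacyIDEA reply.  All sample data below is constructed.
"""
import hashlib
import hmac
import struct

# RFC 2865 packet codes and the attribute types discussed in the thread
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_NAMES = {1: "User-Name", 18: "Reply-Message", 25: "Class"}
HEADER = struct.Struct("!BBH16s")  # code, identifier, length, authenticator


def parse_radius(packet):
    """Return (code, identifier, authenticator, [(type, value), ...])."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length, authenticator = HEADER.unpack_from(packet)
    if length < HEADER.size or length > len(packet):
        raise ValueError("length field %d inconsistent with %d bytes"
                         % (length, len(packet)))
    attrs, pos = [], HEADER.size
    while pos < length:
        # every AVP is type(1) len(1) value(len-2); len < 2 is malformed
        if length - pos < 2:
            raise ValueError("truncated attribute at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, bytes(packet[pos + 2:pos + alen])))
        pos += alen
    return code, ident, authenticator, attrs


def build_reply(code, ident, request_auth, secret, attrs):
    """Build a response whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    head = struct.pack("!BBH", code, ident, HEADER.size + len(body))
    resp_auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + resp_auth + body


def verify_response(packet, request_auth, secret):
    """True if the reply was produced by a server holding `secret`."""
    _, _, authenticator, _ = parse_radius(packet)
    length = struct.unpack_from("!H", packet, 2)[0]
    head, body = packet[:4], packet[HEADER.size:length]
    expected = hashlib.md5(head + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, authenticator)


def missing_attributes(packet, required=(25,)):
    """Names of required attribute types absent from an Access-Accept."""
    code, _, _, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        return ["not an Access-Accept (code %d)" % code]
    present = {t for t, _ in attrs}
    return [ATTR_NAMES.get(t, "Attribute-%d" % t)
            for t in required if t not in present]


def describe(packet):
    """Readable AVP listing, for diffing two captured replies side by side."""
    code, ident, _, attrs = parse_radius(packet)
    lines = ["code=%d id=%d" % (code, ident)]
    for t, v in attrs:
        lines.append("  %s(%d) = %r" % (ATTR_NAMES.get(t, "Attribute"), t, v))
    return "\n".join(lines)


# Constructed sample data (not from the thread's captures): a made-up request
# authenticator, the shared secret radclient used in the original post, a
# privacyIDEA-style reply carrying only Reply-Message, and a reply in the
# shape of the existing RADIUS server that also carries a Class attribute.
REQUEST_AUTH = bytes(range(16))
SECRET = b"testing123"
PI_REPLY = build_reply(ACCESS_ACCEPT, 91, REQUEST_AUTH, SECRET,
                       [(18, b"privacyIDEA access granted")])
LEGACY_REPLY = build_reply(ACCESS_ACCEPT, 91, REQUEST_AUTH, SECRET,
                           [(25, b"vpn-users"), (18, b"OK")])

if __name__ == "__main__":
    for name, pkt in (("privacyIDEA reply", PI_REPLY),
                      ("existing server", LEGACY_REPLY)):
        print(name)
        print(describe(pkt))
        print("  authenticator valid:", verify_response(pkt, REQUEST_AUTH, SECRET))
        print("  missing:", missing_attributes(pkt) or "nothing")
```

Feeding the bytes of a real capture (for example from a pcap) into `describe` and `missing_attributes` shows directly which AVPs the working server sends that the FreeRADIUS reply does not.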


Hi Tony,

here is a slightly modified script that does not add any additional
AVPs into the reply.

It only returns ACCESS_ACCEPT or ACCESS_REJECT.

This script replaces the existing one.
Please restart freeradius and check if checkpoint likes it.

Kind regards
Cornelius

On Wednesday, 21 October 2015 at 23:35 -0700, Tony Hawker wrote:

Hi Cornelius
Thanks for this info
where do I remove that line from? I'm not familiar with this process?
do I need to change a config file? or change some source code and recompile?
I believe if I could change the message on that line that could also possibly help

Cheers

On Thursday, 22 October 2015 17:27:55 UTC+11, Cornelinux K wrote:
    Hello Tony,

    at the moment there is no way to configure the reply message.

    You can remove the RAD_REPLY in the privacyidea perl module.
    https://github.com/privacyidea/privacyidea/blob/master/authmodules/FreeRADIUS/privacyidea_radius.pm#L335

    Thus this information will not be added to the reply.
    If this succeeds, please drop me a note or open an issue at github.
    We can then make the reply configurable.

    Kind regards
    Cornelius

    On Wednesday, 21 October 2015 at 17:54 -0700, Tony Hawker wrote:
    > Hi Cornelius
    > Thanks for your help, I almost have this working now, I played around
    > a lot, but I think that ticking the "use @ to separate user and realm"
    > has allowed the radius to pass through the details correctly
    >
    > I have managed to have my radius client authenticate, and it seems to
    > be sending back the reply message "privacy IDEA access granted" to my
    > firewalls (I am trying to authenticate VPN users)
    >
    > I believe the firewall does not like the response message, I am
    > possibly getting a similar issue described here:
    > https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk107638
    >
    > I have also attached a screen shot of how the packet looks from
    > privacy idea, do you think that because the reply packet is slightly
    > different it could be causing this problem?
    > is it possible to change the privacy idea radius accept packet to
    > something generic?
    >
    > Cheers
    >
    > On Wednesday, 21 October 2015 23:59:18 UTC+11, Cornelinux K wrote:
    > > Hi,
    > >
    > > The user can not be found in the resolver.
    > >
    > > What does the request look like?
    > > Is the realm the default realm?
    > > What does the DN of the user look like?
    > >
    > > You might have specified the wrong realm (see default realm)
    > >
    > > Kind regards
    > > Cornelius
    > >
    > > -------- Original message --------
    > > From: Tony Hawker <lil...@gmail.com>
    > > Date: 21.10.2015 13:14 (GMT+01:00)
    > > To: privacyidea <priva...@googlegroups.com>
    > > Subject: Re: Re: 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR' - FreeRadius
    > >
    > > Hi Cornelius
    > > Thanks for your response
    > > I am running a PIP installation on Centos 7
    > > I am running the latest version of privacyIDEA (2.7), updated as per instructions on howtoforge
    > > the user is coming from Active Directory
    > > UID is DN
    > > there are no special characters anywhere in the AD config
    > >
    > > testing using the URL you provided I get the message below when attempting to use an AD user
    > > "version": "privacyIDEA 2.7", "result": {"status": false, "error": {"message": "ERR905: The user can not be found in any resolver in this realm!", "code": -500}}, "time": 1445425459.788956, "id": 1}
    > >
    > > but if I use the root user (from the privacyidea server) this returns:
    > > {"message": "wrong otp pin"}, "versionnumber": "2.7", "version": "privacyIDEA 2.7", "result": {"status": true, "value": false}, "time": 1445425581.107504, "id": 1}
    > > I assume the OTP token is out of sync, but looks much more promising
    > >
    > > any idea on why the AD would not work via this method? as I can see all the users in the webui etc
    > >
    > > Cheers
    > >
    > > On Wednesday, 21 October 2015 21:01:47 UTC+11, Cornelinux K wrote:
    > > > Hi Tony,
    > > >
    > > > Are you running a pip installation or debian wheezy?
    > > >
    > > > Which version of privacyidea are you running?
    > > >
    > > > In certain cases there were problems with the ldap resolver, if the DN
    > > > contains special characters and is base64 encoded.
    > > >
    > > > Is it openldap or AD?
    > > >
    > > > The Uid type: is it DN or entryUUID?
    > > >
    > > > Kind regards
    > > > Cornelius
    > > >
    > > > -------- Original message --------
    > > > From: Tony Hawker <lil...@gmail.com>
    > > > Date: 21.10.2015 08:59 (GMT+01:00)
    > > > To: privacyidea <priva...@googlegroups.com>
    > > > Subject: Re: 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR' - FreeRadius
    > > >
    > > > Hi
    > > > thanks for your quick response to my issue
    > > > I have been watching the privacyidea.log but no entries are made when a
    > > > connection attempt is made via the radius, which leads me to think that
    > > > the radius is not able to see the privacyidea API?
    > > > I can access the URI in my browser, so I can see that it is up
    > > >
    > > > I see this in the privacyidea.log when I reboot
    > > >
    > > > [2015-10-21 15:41:28,041][1924][139636199069440][ERROR][privacyidea.lib.resolvers.LDAPIdResolver:333]
    > > > Traceback (most recent call last):
    > > >   File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 328, in getUserList
    > > >     user = self._ldap_attributes_to_user_object(attributes)
    > > >   File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 246, in _ldap_attributes_to_user_object
    > > >     for ldap_k, ldap_v in attributes.items():
    > > > AttributeError: 'NoneType' object has no attribute 'items'
    > > >
    > > > Cheers
    > > >
    > > > On Wednesday, 21 October 2015 17:14:34 UTC+11, Cornelinux K wrote:
    > > > > Hi Tony,
    > > > >
    > > > > please do the following:
    > > > >
    > > > > 1. Take a look into the audit log
    > > > >
    > > > > Within the webui take a look, what you can see in the request in the
    > > > > Audit tab. The right most tab.
    > > > >
    > > > > I assume, the user does not exist.
    > > > >
    > > > > The audit gives you a top level view of what is happening in privacyidea.
    > > > >
    > > > > 2. Take a look into the log file privacyidea.log.
    > > > > This gives you a detailed view, of what is happening.
    > > > >
    > > > > Kind regards
    > > > > Cornelius

privacyidea_radius.pm (14.2 KB)

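To make the two things being negotiated in this thread concrete (what the perl module turns a privacyIDEA answer into, and what the firewall then sees on the wire), here is an added example in Python. It is written for this page and is not code from the privacyIDEA FreeRADIUS module, from FreeRADIUS or from Check Point. It maps the /validate/check outcomes quoted above (HTTP 500, the ERR905 error, "wrong otp pin", a matching token) to an ACCEPT/REJECT/FAIL decision, then encodes the RFC 2865 Access-Accept or Access-Reject that FreeRADIUS would send: with or without the Reply-Message AVP (the attached script drops it) and with an optional Class (attribute 25), the group attribute a NAS may insist on. The JSON bodies, the shared secret `testing123` (the value used in the radclient test at the top of the thread), the Class value `vpn-users` and the request authenticator are constructed for the example; the `"detail"` wrapper around the message is assumed from privacyIDEA's response format, since the quotes in the thread are truncated.

```python
"""Added example: privacyIDEA /validate/check outcome -> RADIUS reply, per RFC 2865.

Not code from the privacyIDEA FreeRADIUS module, FreeRADIUS or Check Point.
The JSON bodies are constructed after the (truncated) responses quoted in this thread.
"""
import hashlib
import hmac
import json
import os
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
REPLY_MESSAGE, CLASS = 18, 25  # RFC 2865 attribute types

ERR905_JSON = json.dumps({"result": {"status": False, "error": {"code": -500,
    "message": "ERR905: The user can not be found in any resolver in this realm!"}},
    "version": "privacyIDEA 2.7", "id": 1})
WRONG_PIN_JSON = json.dumps({"detail": {"message": "wrong otp pin"},  # "detail" wrapper assumed
    "result": {"status": True, "value": False}, "version": "privacyIDEA 2.7", "id": 1})
OK_JSON = json.dumps({"detail": {"message": "matching 1 tokens"},
    "result": {"status": True, "value": True}, "version": "privacyIDEA 2.7", "id": 1})


def decide(http_status, body):
    """Map HTTP status + /validate/check body to (rlm_result, reply_message).

    Anything that is not a well-formed, status=true answer is FAIL, never an accept;
    the 500 case matches the RLM_MODULE_FAIL seen in the debug log of this thread.
    """
    if http_status != 200:
        return "FAIL", "privacyIDEA request failed: %d" % http_status
    try:
        data = json.loads(body)
        result = data["result"]
        status, value = result.get("status"), result.get("value")
    except (ValueError, KeyError, TypeError, AttributeError):
        return "FAIL", "privacyIDEA request failed: unparseable response"
    if status is not True:
        error = result.get("error")
        msg = error.get("message") if isinstance(error, dict) else None
        return "FAIL", msg or "privacyIDEA request failed"
    if value is True:
        return "ACCEPT", "privacyIDEA access granted"
    detail = data.get("detail")
    reason = detail.get("message", "") if isinstance(detail, dict) else ""
    return "REJECT", reason or "privacyIDEA access denied"


def encode_attrs(attrs):
    """(type, value) pairs -> RADIUS TLVs. Strings become UTF-8; Class stays raw octets."""
    out = b""
    for attr_type, value in attrs:
        if isinstance(value, str):
            value = value.encode("utf-8")
        if not 0 < len(value) <= 253:
            raise ValueError("attribute %d: bad length %d" % (attr_type, len(value)))
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_reply(code, ident, request_auth, secret, attrs=()):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify_reply(packet, request_auth, secret):
    """NAS-side check: Length must match, code must be a reply, authenticator must verify."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (ACCESS_ACCEPT, ACCESS_REJECT):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def decode_attrs(packet):
    """Walk the TLVs after the 20-byte header; truncated or zero-length attributes are errors."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length %d" % length)
        attrs.append((attr_type, bytes(packet[pos + 2:pos + length])))
        pos += length
    return attrs


def reply_for(decision, message, ident, request_auth, secret, class_value=None, send_message=True):
    """The packet FreeRADIUS would emit. send_message=False models the modified script
    (no Reply-Message); class_value models a Class (25) reply item for a NAS that wants groups."""
    attrs = []
    if decision == "ACCEPT":
        code = ACCESS_ACCEPT
        if class_value is not None:
            attrs.append((CLASS, class_value))
    else:  # REJECT and FAIL both become Access-Reject, as in the debug log above
        code = ACCESS_REJECT
    if send_message and message:
        attrs.append((REPLY_MESSAGE, message))
    return build_reply(code, ident, request_auth, secret, attrs)


if __name__ == "__main__":
    secret, request_auth = b"testing123", os.urandom(16)  # shipped localhost secret; change it
    for status, body in ((500, ""), (200, ERR905_JSON), (200, WRONG_PIN_JSON), (200, OK_JSON)):
        decision, msg = decide(status, body)
        pkt = reply_for(decision, msg, 91, request_auth, secret, class_value=b"vpn-users")
        print(decision, verify_reply(pkt, request_auth, secret), pkt.hex(), decode_attrs(pkt))
```

Run it directly to see the four decisions, the hex of each reply and its decoded AVPs. `verify_reply()` and `decode_attrs()` are the NAS side of the exchange: the firewall recomputes the MD5 over the header, the request authenticator it sent, the attributes and the secret, compares in constant time, and should refuse any packet whose Length field disagrees with the bytes received. Two caveats for anyone reproducing this setup: `testing123` is the secret FreeRADIUS ships for 127.0.0.1 and has to be replaced with a long random one before any real NAS talks to the server, because that MD5 and the User-Password obfuscation are all the integrity RADIUS has on the wire; and the `rlm_perl: Not verifying SSL certificate!` line in the debug output above means the module-to-privacyIDEA hop currently accepts any certificate, so certificate checking in rlm_perl.ini belongs on the list once authentication works. Class is carried as opaque octets, which is why FreeRADIUS shows it as hex in its debug output while the users file takes the plain string.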

Thanks Cornelius
Yes that file exists, seems to be a default file, with a lot of ## out bits
but no entries
I entered the settings as specified but still get errors when starting

/etc/raddb/mods-config/files/authorize[221]: Parse error (check) for entry authorize: Invalid attribute name
Failed reading /etc/raddb/mods-config/files/authorize
/etc/raddb/mods-enabled/files[9]: Instantiation failed for module "files"

On Thursday, 22 October 2015 22:50:13 UTC+11, Cornelinux K wrote:

Hi Tony,

I forgot that you are running on CentOS 7 with FR3.

Did you have a file /etc/raddb/users at all?

In the config you have a

authorize {
    update control {
        Auth-Type := Perl
    }
}

Which sets the Auth-Type → Perl for all users.

So in this case you might need to add it like this:

authorize {
    update control {
        Auth-Type := Perl
        Class := AVP
    }
}

I do not have FreeRADIUS 3 at hand to test this…

Kind regards
Cornelius

On Thursday, 22 October 2015 at 09:41 +0200, Cornelius Kölbel wrote:

Hi Tony,

you can edit your file /etc/freeradius/users like this:

DEFAULT Auth-Type := Perl
        Class = YOUR_GROUP_EXPECTED_BY_CHECKPOINT

This way each user will be authenticated against the perl module a.k.a.
privacyIDEA and put into the corresponding group.

Or: You can add the Class AVP that is expected by your checkpoint.
Please note: In the radius request the Class is hex encoded. In the
users config file you need to enter a normal ascii string.

Kind regards
Cornelius

On Thursday, 22 October 2015 at 09:23 +0200, Cornelius Kölbel wrote:

Hi Tony,

the Attribute Value Pair Class 25 usually seems to expect some
attribute, which the firewall uses to authorize the access or put the
user of this request in some control group.

So the question is: Do you have another RADIUS server running at the
moment and how do the requests look like there?

I assume we have to add an attribute of class 25 with the correct value,
that is expected by your checkpoint configuration.
RFC 2865 - Remote Authentication Dial In User Service (RADIUS)

And additionally I assume, that the existing attributes did not make the
response fail, but the missing class-25-attribute.
This attribute is usually used for group information.
(http://freeradius.1045715.n5.nabble.com/Reply-with-group-attribute-td2781054.html)

So I guess we need to look at the freeradius side (independent of the
privacyIDEA plugin).

We need to investigate

  • the successful RADIUS REQUEST with your existing RADIUS server
  • the successful RADIUS RESPONSE with your existing RADIUS server
    and then configure FreeRADIUS accordingly.

I will try to help you with that.
But maybe at a certain point we might also need to take this to the
freeradius list.

Kind regards
Cornelius

On Wednesday, 21 October 2015 at 23:52 -0700, Tony Hawker wrote:

Thanks Cornelius
this script still doesn't seem to solve the problem, checkpoint still
doesn't like the Access-Accept packets for some reason
I've had the checkpoint talking to freeradius in the past, so it can
work, but just doesn't see these accept packets for some reason

On Thursday, 22 October 2015 17:44:43 UTC+11, Cornelinux K wrote:
    Hi Tony,

    here is a slightly modified script, that does not add any additional
    AVPs into the reply.

    It only returns ACCESS_ACCEPT or ACCESS_REJECT.

    This script replaces the existing one.
    Please restart freeradius and check if checkpoint likes it.

    Kind regards
    Cornelius

    On Wednesday, 21 October 2015 at 23:35 -0700, Tony Hawker wrote:

    >         >         -------- Ursprüngliche Nachricht 

    >         >         Von: Tony Hawker <lil...@gmail.com> 
    >         >         Datum: 21.10.2015 13:14 (GMT+01:00) 
    >         >         An: privacyidea 
    <priva...@googlegroups.com> 
    >         >         Betreff: Re: Re: 'privacyIDEA request 
    failed: 500 
    >         INTERNAL 
    >         >         SERVER ERROR' - FreeRadius 
    >         >         
    >         >         Hi Cornelius 
    >         >         Thanks for your response 
    >         >         I am running PIP installation on Centos 

7

    >         >         I am running latest version of Privacy 
    idea (2.7), 
    >         updated as 
    >         >         per instructions on howtoforge 
    >         >         the user is coming from Active Directory 
    >         >         UID is DN 
    >         >         there are no special characters anywhere 
    in the AD 
    >         config 
    >         >         
    >         >         
    >         >         testing using the URL you provided I get 
    the message 
    >         below 
    >         >         when attempting to use an AD user 
    >         >         "version": "privacyIDEA 2.7", "result": 
    {"status": 
    >         false, "error": {"message": "ERR905: The user can 
    not be found 
    >         in any resolver in this realm!", "code": -500}}, 
    "time": 
    >         1445425459.788956, "id": 1} 
    >         >         
    >         >         but if i use the root user (from the 
    privacyidea 
    >         server) this returns: 
    >         >         {"message": "wrong otp pin"}, 
    "versionnumber": 
    >         "2.7", "version": "privacyIDEA 2.7", "result": 
    {"status": 
    >         true, "value": false}, "time": 1445425581.107504, 
    "id": 1} 
    >         >         I assume the OTP token is out of sync, 

but

    looks 
    >         much more promising 
    >         >         
    >         >         any idea on why the AD would not work 

via

    this 
    >         method? as i can see all the users in the webui 

etc

    >         >         
    >         >         Cheers 
    >         >         
    >         >         
    >         >         
    >         >         
    >         >         
    >         >         On Wednesday, 21 October 2015 21:01:47  UTC  +11,  Cornelinux K  wrote: 
    >         >                 Hi Tony, 
    >         >                 
    >         >                 
    >         >                 Are you running a pip 

installation

    or debian 
    >         wheezy? 
    >         >                 
    >         >                 
    >         >                 Which version of privacyidea are 
    you 
    >         running? 
    >         >                 
    >         >                 
    >         >                 In certain cases there were 
    problems with 
    >         the ldap 
    >         >                 resolver, if the DN contains 
    special 
    >         characters and is 
    >         >                 base54 encoded. 
    >         >                 
    >         >                 
    >         >                 Is it openldap or AD? 
    >         >                 
    >         >                 
    >         >                 The Uid type: is it DN or 
    entryUUID? 
    >         >                 
    >         >                 
    >         >                 Kind regards 
    >         >                 Cornelius 
    >         >                 
    >         >                 
    >         >                 
    >         >                 
    >         >                 
    >         >                 
    >         >                 Cornelius Kölbel 
    >         >                 Corneliu...@netknights.it 
    >         >                 +49 151 2960 1417 
    >         >                 
    >         >                 
    >         >                 NetKnights GmbH 
    >         >                 http://netknights.it 
    >         >                 Landgraf-Karl-Str. 19, 34131 
    Kassel, 
    >         Germany 
    >         >                 Tel: +49 561 3166797, Fax: +49 

561

    3166798 
    >         >                 
    >         >                 
    >         >                 Amtsgericht Kassel, HRB 16405 
    >         >                 Geschäftsführer: Cornelius 

Kölbel

    >         >                 
    >         >                 
    >         >                 -------- Ursprüngliche Nachricht 
    -------- 
    >         >                 Von: Tony Hawker 
    <lil...@gmail.com> 
    >         >                 Datum: 21.10.2015 08:59 (GMT 
    +01:00) 
    >         >                 An: privacyidea 
    <priva...@googlegroups.com> 
    >         >                 Betreff: Re: 'privacyIDEA 

request

    failed: 
    >         500 INTERNAL 
    >         >                 SERVER ERROR' - FreeRadius 
    >         >                 
    >         >                 Hi 
    >         >                 thanks for your quick response 

to

    my issue 
    >         >                 I have been watching the 
    privacyidea.log but 
    >         no 
    >         >                 entries are made when a 

connection

    attempt 
    >         is made via 
    >         >                 the radius, which leads me to 
    think that the 
    >         radius is 
    >         >                 not able to see the privacyidea 
    API? 
    >         >                 I can access the URI in my 
    browser, so i can 
    >         see that 
    >         >                 is up 
    >         >                 
    >         >                 
    >         >                 I see this in the 

privacyidea.log

    when i 
    >         reboot 
    >         >                 
    >         >                 
    >         >                 [2015-10-21 
    >         > 
    > 

15:41:28,041][1924][139636199069440][ERROR][privacyidea.lib.resolvers.LDAPIdResolver:333]
‘Traceback (most recent call last):\n File
“/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/
LDAPIdResolver.py”, line 328, in getUserList\n user =
self._ldap_attributes_to_user_object(attributes)\n File
“/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py”,
line 246, in _ldap_attributes_to_user_object\n for ldap_k,
ldap_v in attributes.items():\nAttributeError: 'NoneType' object has no
attribute 'items'\n’

    >         >                 
    >         >                 
    >         >                 Cheers 
    >         >                 
    >         >                 
    >         >                 
    >         >                 
    >         >                 
    >         >                 
    >         >                 
    >         >                 
    >         >                 On Wednesday, 21 October 2015  17:14:34 UTC  +11,  Cornelinux K wrote: 
    >         >                         Hi Tony, 
    >         >                         
    >         >                         please do the following: 
    >         >                         
    >         >                         1. Take a look into the 
    audit log 
    >         >                         
    >         >                         Within the webui take a 
    look, what 
    >         you can see 
    >         >                         in the request in the 
    >         >                         AUdit Tab. The right 

most

    tab. 
    >         >                         
    >         >                         I assume, the user does 
    not exist. 
    >         >                         
    >         >                         The audit gives you a 

top

    level view 
    >         of what 
    >         >                         is happening in 
    >         >                         privacyidea. 
    >         >                         
    >         >                         2. Take a look into the 
    log file 
    >         >                         privacyidea.log. 
    >         >                         This gives you a 

detailed

    view, of 
    >         what is 
    >         >                         happening. 
    >         >                         
    >         >                         Kind regards 
    >         >                         Cornelius 
    >         >                         
    >         >                         Am Dienstag, den 
    20.10.2015, 17:56 
    >         -0700 
    >         >                         schrieb Tony Hawker: 
    >         >                         > Hi 
    >         >                         > I have followed the 
    guide on 
    >         setting up 
    >         >                         Privactidea on Centos 7 
    here: 
    >         >                         > 
    >         > 
    > 

Two-Factor-Authentication with OTP on CentOS 7 – privacyID3A

    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > I can access the 

webui,

    register 
    >         tokens, 
    >         >                         linked to active 
    directory 
    >         >                         > etc, all tested ok 
    >         >                         > 
    >         >                         > 
    >         >                         > I am having issues 

with

    the radius 
    >         plugin, 
    >         >                         when I attempt to make 
    any 
    >         >                         > connection to the 
    radius, either 
    >         using the 
    >         >                         test functions described 
    in 
    >         >                         > the link above, or 

from

    an 
    >         external 
    >         >                         connection, I am seeing 
    the errors 
    >         >                         > below: 
    >         >                         > 
    >         >                         > 
    >         >                         > ]# echo 
    "User-Name=user, 
    >         >                         User-Password=password" 

|

    radclient 
    >         -sx 
    >         >                         > localhost auth 
    testing123 
    >         >                         > 
    >         >                         > 
    >         >                         > Sending Access-Request 
    Id 91 from 
    >         >                         0.0.0.0:34321 to 
    127.0.0.1:1812 
    >         >                         > 
    >         >                         >         User-Name = 
    'user' 
    >         >                         >         User-Password 

=

    >         'password' 
    >         >                         > Received Access-Reject 
    Id 91 from 
    >         >                         127.0.0.1:1812 to 
    127.0.0.1:34321 
    >         >                         > length 75 
    >         >                         >         Reply-Message 

=

    >         'privacyIDEA request 
    >         >                         failed: 500 INTERNAL 
    >         >                         > SERVER ERROR' 
    >         >                         > (0) -: Expected 
    Access-Accept got 
    >         >                         Access-Reject 
    >         >                         > Packet summary: 
    >         >                         >         Accepted     

:

    0 
    >         >                         >         Rejected     

:

    1 
    >         >                         >         Lost         

:

    0 
    >         >                         >         Passed filter 

:

    0 
    >         >                         >         Failed filter 

:

    1 
    >         >                         > 
    >         >                         > 
    >         >                         > and on the radius 

server

    I see 
    >         this: 
    >         >                         > 
    >         >                         > 
    >         >                         > Received 

Access-Request

    Id 111 
    >         from 
    >         >                         127.0.0.1:35488 to 
    127.0.0.1:1812 
    >         >                         > length 44 
    >         >                         >         User-Name = 
    'user' 
    >         >                         >         User-Password 

=

    >         'password' 
    >         >                         > (0) Received 
    Access-Request packet 
    >         from host 
    >         >                         127.0.0.1 port 35488, 
    >         >                         > id=111, length=44 
    >         >                         > (0)     User-Name = 
    'user' 
    >         >                         > (0)     User-Password 

=

    >         'password' 
    >         >                         > (0) # Executing 

section

    authorize 
    >         from 
    >         >                         > 
    >         file /etc/raddb/sites-enabled/privacyidea 
    >         >                         > (0)   authorize { 
    >         >                         > (0)   [preprocess] = 

ok

    >         >                         > (0)   [digest] = noop 
    >         >                         > (0)  suffix : Checking 
    for suffix 
    >         after "@" 
    >         >                         > (0)  suffix : No '@' 

in

    User-Name 
    >         = "user", 
    >         >                         looking up realm NULL 
    >         >                         > (0)  suffix : No such 
    realm 
    >         "NULL" 
    >         >                         > (0)   [suffix] = noop 
    >         >                         > (0)  ntdomain : 

Checking

    for 
    >         prefix before 
    >         >                         "\" 
    >         >                         > (0)  ntdomain : No '\' 
    in 
    >         User-Name = 
    >         >                         "user", looking up realm 
    NULL 
    >         >                         > (0)  ntdomain : No 

such

    realm 
    >         "NULL" 
    >         >                         > (0)   [ntdomain] = 

noop

    >         >                         > (0)   [files] = noop 
    >         >                         > (0)   [expiration] = 
    noop 
    >         >                         > (0)   [logintime] = 
    noop 
    >         >                         > (0)  WARNING: pap : No 
    "known 
    >         good" password 
    >         >                         found for the user.  Not 
    >         >                         > setting Auth-Type 
    >         >                         > (0)  WARNING: pap : 
    Authentication 
    >         will fail 
    >         >                         unless a "known good" 
    >         >                         > password is available 
    >         >                         > (0)   [pap] = noop 
    >         >                         > (0)   update control { 
    >         >                         > (0)     Auth-Type := 
    Perl 
    >         >                         > (0)   } # update 

control

    = noop 
    >         >                         > (0)  } #  authorize = 
    ok 
    >         >                         > (0) Found Auth-Type = 
    Perl 
    >         >                         > (0) # Executing group 
    from 
    >         > 
    >         file /etc/raddb/sites-enabled/privacyidea 
    >         >                         > (0)  Auth-Type Perl { 
    >         >                         > (0)   perl : 
    >         $RAD_REQUEST{'User-Name'} = 
    >         >                         &request:User-Name -> 
    'user' 
    >         >                         > (0)   perl : 
    >         $RAD_REQUEST{'User-Password'} = 
    >         >                         &request:User-Password 

    >         >                         > 'password' 
    >         >                         > (0)   perl : 
    >         $RAD_REQUEST{'NAS-IP-Address'} 
    >         >                         = 

&request:NAS-IP-Address

    >         >                         > -> '127.0.0.1' 
    >         >                         > (0)   perl : 
    >         $RAD_REQUEST{'Event-Timestamp'} 
    >         >                         = 
    >         >                         > 

&request:Event-Timestamp

    -> 'Oct 
    >         21 2015 
    >         >                         11:50:57 AEDT' 
    >         >                         > (0)   perl : 
    >         $RAD_CHECK{'Auth-Type'} = 
    >         >                         &control:Auth-Type -> 
    'Perl' 
    >         >                         > (0)   perl : 
    >         $RAD_CONFIG{'Auth-Type'} = 
    >         >                         &control:Auth-Type -> 
    'Perl' 
    >         >                         > rlm_perl: Config 
    >         > 
    File /etc/freeradius/rlm_perl.ini 
    >         found! 
    >         >                         > rlm_perl: Default URL 
    >         > 
    https://127.0.0.1/validate/check 
    >         >                         > rlm_perl: Looking for 
    config for 
    >         auth-type 
    >         >                         Perl 
    >         >                         > rlm_perl: Auth-Type: 
    Perl 
    >         >                         > rlm_perl: url: 
    >         > 
    https://127.0.0.1/validate/check 
    >         >                         > rlm_perl: user sent to 
    >         privacyidea: user 
    >         >                         > rlm_perl: realm sent 

to

    >         privacyidea: 
    >         >                         > rlm_perl: resolver 

sent

    to 
    >         privacyidea: 
    >         >                         > rlm_perl: client sent 
    to 
    >         privacyidea: 
    >         >                         127.0.0.1 
    >         >                         > rlm_perl: state sent 

to

    >         privacyidea: 
    >         >                         > rlm_perl: urlparam 
    client 
    >         >                         > rlm_perl: urlparam 

pass

    >         >                         > rlm_perl: urlparam 

user

    >         >                         > rlm_perl: Not 

verifying

    SSL 
    >         certificate! 
    >         >                         > rlm_perl: privacyIDEA 
    request 
    >         failed: 500 
    >         >                         INTERNAL SERVER ERROR 
    >         >                         > rlm_perl: return 
    RLM_MODULE_FAIL 
    >         >                         > (0)  perl : 
    &request:User-Name = 
    >         >                         

$RAD_REQUEST{‘User-Name’}

    -> 'user' 
    >         >                         > (0)  perl : 
    >         &request:Event-Timestamp = 
    >         > 
    $RAD_REQUEST{'Event-Timestamp'} 
    >         >                         > -> 'Oct 21 2015 

11:50:57

    AEDT' 
    >         >                         > (0)  perl : 
    &request:User-Password 
    >         = 
    >         > 
    $RAD_REQUEST{'User-Password'} -> 
    >         >                         > 'password' 
    >         >                         > (0)  perl : 
    >         &request:NAS-IP-Address = 
    >         > 
    $RAD_REQUEST{'NAS-IP-Address'} 
    >         >                         > -> '127.0.0.1' 
    >         >                         > (0)  perl : 
    &reply:Reply-Message 
    >         = 
    >         > 
    $RAD_REPLY{'Reply-Message'} -> 
    >         >                         > 'privacyIDEA request 
    failed: 500 
    >         INTERNAL 
    >         >                         SERVER ERROR' 
    >         >                         > (0)  perl : 
    &control:Auth-Type = 
    >         >                         $RAD_CHECK{'Auth-Type'} 

    'Perl' 
    >         >                         > (0)   [perl] = fail 
    >         >                         > (0)  } # Auth-Type 

Perl

    = fail 
    >         >                         > (0) Failed to 
    authenticate the 
    >         user 
    >         >                         > (0) Using 

Post-Auth-Type

    Reject 
    >         >                         > (0) Delaying response 
    for 1 
    >         seconds 
    >         >                         > Waking up in 0.9 
    seconds. 
    >         >                         > (0) Sending delayed 
    response 
    >         >                         > (0) Sending 
    Access-Reject packet 
    >         to host 
    >         >                         127.0.0.1 port 35488, 
    id=111, 
    >         >                         > length=0 
    >         >                         > (0)     Reply-Message 

=

    >         'privacyIDEA request 
    >         >                         failed: 500 INTERNAL 
    >         >                         > SERVER ERROR' 
    >         >                         > Sending Access-Reject 

Id

    111 from 
    >         >                         127.0.0.1:1812 to 
    127.0.0.1:35488 
    >         >                         >         Reply-Message 

=

    >         'privacyIDEA request 
    >         >                         failed: 500 INTERNAL 
    >         >                         > SERVER ERROR' 
    >         >                         > Waking up in 3.9 
    seconds. 
    >         >                         > (0) Cleaning up 

request

    packet ID 
    >         111 with 
    >         >                         timestamp +7 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > I don't think this is 
    just an 
    >         issue with the 
    >         >                         user / password, but if 
    >         >                         > anyone can point me in 
    the right 
    >         direction 
    >         >                         in what I may have done 
    >         >                         > wrong with either the 
    radius or 
    >         privacy idea 
    >         >                         install? 
    >         >                         > 
    >         >                         > 
    >         >                         > Cheers 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > -- 
    >         >                         > You received this 
    message because 
    >         you are 
    >         >                         subscribed to the Google 
    >         >                         > Groups "privacyidea" 
    group. 
    >         >                         > To unsubscribe from 

this

    group and 
    >         stop 
    >         >                         receiving emails from 

it,

    send 
    >         >                         > an email to 
    >         > 
    privacyidea...@googlegroups.com. 
    >         >                         > To post to this group, 
    send email 
    >         to 
    >         > 
    priva...@googlegroups.com. 
    >         >                         > To view this 

discussion

    on the web 
    >         visit 
    >         >                         > 
    >         > 
    > 

https://groups.google.com/d/msgid/privacyidea/96a156c2-b64d-417d-811a-e152d27c8fd2%40googlegroups.com.

    >         >                         > For more options, 

visit

    >         > 
    https://groups.google.com/d/optout. 
    >         >                         
    >         >                         -- 
    >         >                         Cornelius Kölbel 
    >         >                         

corneliu…@netknights.it

    >         >                         +49 151 2960 1417 
    >        ...

Hi Cornelius
there should be no group information passed through to the radius, only
user details
I have added the following to /etc/raddb/users
DEFAULT Auth-Type := Perl
Class = AVP

but I get errors when starting the radius service

/etc/raddb/mods-config/files/authorize[59]: Parse error (check) for entry
DEFAULT: Unknown value 'Perl' for attribute 'Auth-Type'
Failed reading /etc/raddb/mods-config/files/authorize
/etc/raddb/mods-enabled/files[9]: Instantiation failed for module "files"

I will get a successful login from the other freeradius and compare with
what is coming from the privacyidea radius and see what the difference is,
will upload these shortly

Cheers

On Thursday, 22 October 2015 18:41:18 UTC+11, Cornelinux K wrote:

Hi Tony,

you can edit your file /etc/freeradius/users like this:

DEFAULT Auth-Type := Perl
Class = YOUR_GROUP_EXPECTED_BY_CHECKPOINT

This way each user will be authenticated against the perl module a.k.a.
privacyIDEA and put into the corresponding group.

Or: You can add the Class AVP that is expected by your checkpoint.
Please note: In the radius request the Class is hex encoded. In the
users config file you need to enter a normal ascii string.

Kind regards
Cornelius

Am Donnerstag, den 22.10.2015, 09:23 +0200 schrieb Cornelius Kölbel:

Hi Tony,

the Attribute Value Pair Class 25 usually seems to expect some
attribute, which the firewall uses to authorize the access or put the
user of this request in some control group.

So the question is: Do you have another RADIUS server running at the
moment and what do the requests look like there?

I assume we have to add an attribute of class 25 with the correct value,
that is expected by your checkpoint configuration.
RFC 2865 - Remote Authentication Dial In User Service (RADIUS)

And additionally I assume that the existing attributes did not make the
response fail, but the missing class-25 attribute did.
This attribute is usually used for group information.
(http://freeradius.1045715.n5.nabble.com/Reply-with-group-attribute-td2781054.html)

So I guess we need to look at the freeradius side (independent of the
privacyIDEA plugin).

We need to investigate

  • the successful RADIUS REQUEST with your existing RADIUS server
  • the successful RADIUS RESPONSE with your existing RADIUS server
    and then configure FreeRADIUS accordingly.

I will try to help you with that.
But maybe at a certain point we might also need to take this to the
freeradius list.

Kind regards
Cornelius
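The two points in the message above, that the Class (attribute 25) value is hex on the wire while the users file takes plain ASCII, and that the working server's Access-Accept should be compared with the privacyIDEA one, can be checked with a small RFC 2865 reply decoder. This is an added example, not code from the thread, privacyIDEA or FreeRADIUS; the two replies, the Request Authenticator and the group name "vpn-users" are constructed, and the shared secret testing123 is the one used with radclient earlier in the thread.

```python
import hashlib
import struct

ACCESS_ACCEPT = 2

# Attribute type numbers from RFC 2865 section 5 for the attributes the thread discusses.
ATTR_NAMES = {1: "User-Name", 18: "Reply-Message", 25: "Class"}


def build_reply(code, identifier, request_authenticator, secret, attrs):
    """Encode a RADIUS reply packet. attrs is a list of (type, value-bytes).

    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret),
    as specified in RFC 2865 section 3.
    """
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def parse_reply(packet, request_authenticator=None, secret=None):
    """Decode a reply into (code, identifier, [(type, value-bytes), ...]).

    If request_authenticator and secret are given, the Response Authenticator is
    verified first, so a reply from the wrong server or secret is rejected.
    Values are returned as raw bytes, exactly as they sit on the wire.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("Length field does not match packet size")
    if request_authenticator is not None and secret is not None:
        expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
        if expected != packet[4:20]:
            raise ValueError("Response Authenticator mismatch (wrong secret or altered reply)")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, attrs


def describe(attrs):
    """Readable view of the attributes; Class is shown hex-encoded and as ASCII."""
    lines = []
    for t, v in attrs:
        name = ATTR_NAMES.get(t, "Attr-%d" % t)
        if t == 25:
            lines.append("%s (25) = 0x%s  (ascii %r)" % (name, v.hex(), v.decode("ascii", "replace")))
        else:
            lines.append("%s (%d) = %r" % (name, t, v.decode("utf-8", "replace")))
    return lines


def missing_attribute_types(reference_attrs, candidate_attrs):
    """Attribute types present in the reference reply but absent from the candidate."""
    return sorted({t for t, _ in reference_attrs} - {t for t, _ in candidate_attrs})


# Constructed sample data: Request Authenticator of the NAS's Access-Request and the
# shared secret used with radclient in the thread.
REQUEST_AUTH = bytes(range(16))
SECRET = b"testing123"

# Constructed reply from the existing RADIUS server the firewall already accepts:
# it carries a Class attribute with a made-up group name.
WORKING_REPLY = build_reply(ACCESS_ACCEPT, 91, REQUEST_AUTH, SECRET,
                            [(25, b"vpn-users"), (18, b"Welcome")])
# Constructed reply shaped like the one described for the privacyIDEA FreeRADIUS:
# Reply-Message only, no Class.
PRIVACYIDEA_REPLY = build_reply(ACCESS_ACCEPT, 91, REQUEST_AUTH, SECRET,
                                [(18, b"privacyIDEA access granted")])


def compare_replies(working, candidate, request_auth=REQUEST_AUTH, secret=SECRET):
    """Return the attribute types the candidate reply lacks compared to the working one."""
    _, _, ref = parse_reply(working, request_auth, secret)
    _, _, cand = parse_reply(candidate, request_auth, secret)
    return missing_attribute_types(ref, cand)


if __name__ == "__main__":
    for label, pkt in (("existing server", WORKING_REPLY), ("privacyIDEA", PRIVACYIDEA_REPLY)):
        code, ident, attrs = parse_reply(pkt, REQUEST_AUTH, SECRET)
        print("%s: code=%d id=%d" % (label, code, ident))
        for line in describe(attrs):
            print("  " + line)
    missing = compare_replies(WORKING_REPLY, PRIVACYIDEA_REPLY)
    print("missing from privacyIDEA reply:", [ATTR_NAMES.get(t, t) for t in missing])
```

Feed it the raw bytes of the two captured Access-Accept packets (for example from a pcap) instead of the constructed ones to see which attributes the firewall is not getting.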

Am Mittwoch, den 21.10.2015, 23:52 -0700 schrieb Tony Hawker:

Thanks Cornelius
this script still doesn’t seem to solve the problem, checkpoint still
doesn’t like the Access-Accept packets for some reason
I’ve had the checkpoint talking to freeradius in the past, so it can
work, but just doesn’t see these accept packets for some reason

On Thursday, 22 October 2015 17:44:43 UTC+11, Cornelinux K wrote:
    Hi Tony,

    here is a slightly modified script, that does not add any additional
    AVPs into the reply.

    It only returns ACCESS_ACCEPT or ACCESS_REJECT.

    This script replaces the existing one.
    Please restart freeradius and check if checkpoint likes it.

    Kind regards
    Cornelius
    
    Am Mittwoch, den 21.10.2015, 23:35 -0700 schrieb Tony Hawker: 
    > Hi Cornelius 
    > Thanks for this info 
    > where do i remove that line from? I'm not familiar with this 
    process? 
    > do i need to change a config file? or change some source 
    code and 
    > recompile? 
    > I believe if i could change the message on that line that 
    could also 
    > possible help 
    > 
    > 
    > Cheers 
    > 
    > On Thursday, 22 October 2015 17:27:55 UTC+11, Cornelinux K  wrote: 
    >         Hello Tony, 
    >         
    >         at the moment there is no way to configure the reply 
    message. 
    >         
    >         You can remove the RAD_REPLY in the privacyidea perl 
    module. 
    >         https://github.com/privacyidea/privacyidea/blob/master/authmodules/FreeRADIUS/privacyidea_radius.pm#L335
    >         
    >         Thus this information will not be added to the 
    reply. 
    >         If this succeeds, please drop me a note or open an 
    issue at 
    >         github. 
    >         We can then make the reply configurable. 
    >         
    >         Kind regards 
    >         Cornelius 
    >         
    >         
    >         Am Mittwoch, den 21.10.2015, 17:54 -0700 schrieb 
    Tony Hawker: 
    >         > Hi Cornelius 
    >         > Thanks for your help, I almost have this working 
    now, i 
    >         played around 
    >         > a lot, but I think that ticking the "use @ to
    separate user
    >         and realm"
    >         > has allowed the radius to pass through the details
    correctly
    >         > 
    >         > 
    >         > I have managed to have my radius client 
    authenticate, and it 
    >         seems to 
    >         > be sending back the reply message "privacy IDEA 
    access 
    >         granted" to my 
    >         > firewalls (I am trying to authenticate VPN users)
    >         > 
    >         > 
    >         > I believe the firewall does not like the response 
    message, I 
    >         am 
    >         > possibly getting a similar issue described here: 
    >         > 
    > 

Support, Support Requests, Training, Documentation, and Knowledge base for Check Point products and services

    >         > 
    >         > 
    >         > I have also attached a screen shot of how the 
    packet looks 
    >         from 
    >         > privacy idea, do you think that because the reply 
    packet is 
    >         slightly 
    >         > different it could be causing this problem? 
    >         > is it possible to change the privacy idea radius
    accept
    >         packet to
    >         > something generic?
    >         > 
    >         > 
    >         > Cheers 
    >         > 
    >         > On Wednesday, 21 October 2015 23:59:18 UTC+11,  Cornelinux K  wrote: 
    >         >         
    >         >         
    >         >         Hi, 
    >         >         
    >         >         
    >         >         The user can not be found in the 
    resolver. 
    >         >         
    >         >         
    >         >         
    >         >         
    >         >         What does the request look like?
    >         >         Is the realm the default realm?
    >         >         What does the DN of the user look like?
    >         >         
    >         >         
    >         >         
    >         >         
    >         >         You might have specified the wrong realm 
    (see 
    >         default realm) 
    >         >         
    >         >         
    >         >         
    >         >         
    >         >         Kind regards 
    >         >         Cornelius 
    >         >         
    >         >         
    >         >         
    >         >         
    >         >         Cornelius Kölbel 
    >         >         Corneliu...@netknights.it 
    >         >         +49 151 2960 1417 
    >         >         
    >         >         
    >         >         NetKnights GmbH 
    >         >         http://netknights.it 
    >         >         Landgraf-Karl-Str. 19, 34131 Kassel, 
    Germany 
    >         >         Tel: +49 561 3166797, Fax: +49 561 
    3166798 
    >         >         
    >         >         
    >         >         Amtsgericht Kassel, HRB 16405 
    >         >         Geschäftsführer: Cornelius Kölbel 
    >         >         
    >         >         
    >         >         -------- Ursprüngliche Nachricht -------- 
    >         >         Von: Tony Hawker <lil...@gmail.com> 
    >         >         Datum: 21.10.2015 13:14 (GMT+01:00) 
    >         >         An: privacyidea 
    <priva...@googlegroups.com> 
    >         >         Betreff: Re: Re: 'privacyIDEA request 
    failed: 500 
    >         INTERNAL 
    >         >         SERVER ERROR' - FreeRadius 
    >         >         
    >         >         Hi Cornelius 
    >         >         Thanks for your response 
    >         >         I am running PIP installation on Centos 7 
    >         >         I am running latest version of Privacy 
    idea (2.7), 
    >         updated as 
    >         >         per instructions on howtoforge 
    >         >         the user is coming from Active Directory 
    >         >         UID is DN 
    >         >         there are no special characters anywhere 
    in the AD 
    >         config 
    >         >         
    >         >         
    >         >         testing using the URL you provided I get 
    the message 
    >         below 
    >         >         when attempting to use an AD user 
    >         >         "version": "privacyIDEA 2.7", "result": 
    {"status": 
    >         false, "error": {"message": "ERR905: The user can 
    not be found 
    >         in any resolver in this realm!", "code": -500}}, 
    "time": 
    >         1445425459.788956, "id": 1} 
    >         >         
    >         >         but if i use the root user (from the 
    privacyidea 
    >         server) this returns: 
    >         >         {"message": "wrong otp pin"}, 
    "versionnumber": 
    >         "2.7", "version": "privacyIDEA 2.7", "result": 
    {"status": 
    >         true, "value": false}, "time": 1445425581.107504, 
    "id": 1} 
    >         >         I assume the OTP token is out of sync, but 
    looks 
    >         much more promising 
    >         >         
    >         >         any idea on why the AD would not work via 
    this 
    >         method? as i can see all the users in the webui etc 
    >         >         
    >         >         Cheers 
    >         >         
    >         >         
    >         >         
    >         >         
    >         >         
    >         >         On Wednesday, 21 October 2015 21:01:47 UTC  +11,  Cornelinux K  wrote: 
    >         >                 Hi Tony, 
    >         >                 
    >         >                 
    >         >                 Are you running a pip installation 
    or debian 
    >         wheezy? 
    >         >                 
    >         >                 
    >         >                 Which version of privacyidea are 
    you 
    >         running? 
    >         >                 
    >         >                 
    >         >                 In certain cases there were 
    problems with 
    >         the ldap 
    >         >                 resolver, if the DN contains 
    special 
    >         characters and is 
    >         >                 base54 encoded. 
    >         >                 
    >         >                 
    >         >                 Is it openldap or AD? 
    >         >                 
    >         >                 
    >         >                 The Uid type: is it DN or 
    entryUUID? 
    >         >                 
    >         >                 
    >         >                 Kind regards 
    >         >                 Cornelius 
    >         >                 
    >         >                 
    >         >                 
    >         >                 
    >         >                 
    >         >                 
    >         >                 Cornelius Kölbel 
    >         >                 Corneliu...@netknights.it 
    >         >                 +49 151 2960 1417 
    >         >                 
    >         >                 
    >         >                 NetKnights GmbH 
    >         >                 http://netknights.it 
    >         >                 Landgraf-Karl-Str. 19, 34131 
    Kassel, 
    >         Germany 
    >         >                 Tel: +49 561 3166797, Fax: +49 561 
    3166798 
    >         >                 
    >         >                 
    >         >                 Amtsgericht Kassel, HRB 16405 
    >         >                 Geschäftsführer: Cornelius Kölbel 
    >         >                 
    >         >                 
    >         >                 -------- Ursprüngliche Nachricht 
    -------- 
    >         >                 Von: Tony Hawker 
    <lil...@gmail.com> 
    >         >                 Datum: 21.10.2015 08:59 (GMT 
    +01:00) 
    >         >                 An: privacyidea 
    <priva...@googlegroups.com> 
    >         >                 Betreff: Re: 'privacyIDEA request 
    failed: 
    >         500 INTERNAL 
    >         >                 SERVER ERROR' - FreeRadius 
    >         >                 
    >         >                 Hi 
    >         >                 thanks for your quick response to 
    my issue 
    >         >                 I have been watching the 
    privacyidea.log but 
    >         no 
    >         >                 entries are made when a connection 
    attempt 
    >         is made via 
    >         >                 the radius, which leads me to 
    think that the 
    >         radius is 
    >         >                 not able to see the privacyidea 
    API? 
    >         >                 I can access the URI in my 
    browser, so i can 
    >         see that 
    >         >                 is up 
    >         >                 
    >         >                 
    >         >                 I see this in the privacyidea.log 
    when i 
    >         reboot 
    >         >                 
    >         >                 
    >         >                 [2015-10-21 
    >         > 
    > 

15:41:28,041][1924][139636199069440][ERROR][privacyidea.lib.resolvers.LDAPIdResolver:333]
‘Traceback (most recent call last):\n File
“/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/
LDAPIdResolver.py”, line 328, in getUserList\n user =
self._ldap_attributes_to_user_object(attributes)\n File
“/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py”,
line 246, in _ldap_attributes_to_user_object\n for ldap_k,
ldap_v in attributes.items():\nAttributeError: 'NoneType' object has no
attribute 'items'\n’

    >         >                 
    >         >                 
    >         >                 Cheers 
    >         >                 
    >         >                 
    >         >                 
    >         >                 
    >         >                 
    >         >                 
    >         >                 
    >         >                 
    >         >                 On Wednesday, 21 October 2015  17:14:34 UTC  +11,  Cornelinux K wrote: 
    >         >                         Hi Tony, 
    >         >                         
    >         >                         please do the following: 
    >         >                         
    >         >                         1. Take a look into the 
    audit log 
    >         >                         
    >         >                         Within the webui take a 
    look, what 
    >         you can see 
    >         >                         in the request in the 
    >         >                         AUdit Tab. The right most 
    tab. 
    >         >                         
    >         >                         I assume, the user does 
    not exist. 
    >         >                         
    >         >                         The audit gives you a top 
    level view 
    >         of what 
    >         >                         is happening in 
    >         >                         privacyidea. 
    >         >                         
    >         >                         2. Take a look into the 
    log file 
    >         >                         privacyidea.log. 
    >         >                         This gives you a detailed 
    view, of 
    >         what is 
    >         >                         happening. 
    >         >                         
    >         >                         Kind regards 
    >         >                         Cornelius 
    >         >                         
    >         >                         Am Dienstag, den 
    20.10.2015, 17:56 
    >         -0700 
    >         >                         schrieb Tony Hawker: 
    >         >                         > Hi 
    >         >                         > I have followed the 
    guide on 
    >         setting up 
    >         >                         Privactidea on Centos 7 
    here: 
    >         >                         > 
    >         > 
    > 

Two-Factor-Authentication with OTP on CentOS 7 – privacyID3A

    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > I can access the webui, 
    register 
    >         tokens, 
    >         >                         linked to active 
    directory 
    >         >                         > etc, all tested ok 
    >         >                         > 
    >         >                         > 
    >         >                         > I am having issues with 
    the radius 
    >         plugin, 
    >         >                         when I attempt to make 
    any 
    >         >                         > connection to the 
    radius, either 
    >         using the 
    >         >                         test functions described 
    in 
    >         >                         > the link above, or from 
    an 
    >         external 
    >         >                         connection, I am seeing 
    the errors 
    >         >                         > below: 
    >         >                         > 
    >         >                         > 
    >         >                         > ]# echo 
    "User-Name=user, 
    >         >                         User-Password=password" | 
    radclient 
    >         -sx 
    >         >                         > localhost auth 
    testing123 
    >         >                         > 
    >         >                         > 
    >         >                         > Sending Access-Request 
    Id 91 from 
    >         >                         0.0.0.0:34321 to 
    127.0.0.1:1812 
    >         >                         > 
    >         >                         >         User-Name = 
    'user' 
    >         >                         >         User-Password = 
    >         'password' 
    >         >                         > Received Access-Reject 
    Id 91 from 
    >         >                         127.0.0.1:1812 to 
    127.0.0.1:34321 
    >         >                         > length 75 
    >         >                         >         Reply-Message = 
    >         'privacyIDEA request 
    >         >                         failed: 500 INTERNAL 
    >         >                         > SERVER ERROR' 
    >         >                         > (0) -: Expected 
    Access-Accept got 
    >         >                         Access-Reject 
    >         >                         > Packet summary: 
    >         >                         >         Accepted      : 
    0 
    >         >                         >         Rejected      : 
    1 
    >         >                         >         Lost          : 
    0 
    >         >                         >         Passed filter : 
    0 
    >         >                         >         Failed filter : 
    1 
    >         >                         > 
    >         >                         > 
    >         >                         > and on the radius server 
    I see 
    >         this: 
    >         >                         > 
    >         >                         > 
    >         >                         > Received Access-Request 
    Id 111 
    >         from 
    >         >                         127.0.0.1:35488 to 
    127.0.0.1:1812 
    >         >                         > length 44 
    >         >                         >         User-Name = 
    'user' 
    >         >                         >         User-Password = 
    >         'password' 
    >         >                         > (0) Received 
    Access-Request packet 
    >         from host 
    >         >                         127.0.0.1 port 35488, 
    >         >                         > id=111, length=44 
    >         >                         > (0)     User-Name = 
    'user' 
    >         >                         > (0)     User-Password = 
    >         'password' 
    >         >                         > (0) # Executing section 
    authorize 
    >         from 
    >         >                         > 
    >         file /etc/raddb/sites-enabled/privacyidea 
    >         >                         > (0)   authorize { 
    >         >                         > (0)   [preprocess] = ok 
    >         >                         > (0)   [digest] = noop 
    >         >                         > (0)  suffix : Checking 
    for suffix 
    >         after "@" 
    >         >                         > (0)  suffix : No '@' in 
    User-Name 
    >         = "user", 
    >         >                         looking up realm NULL 
    >         >                         > (0)  suffix : No such 
    realm 
    >         "NULL" 
    >         >                         > (0)   [suffix] = noop 
    >         >                         > (0)  ntdomain : Checking 
    for 
    >         prefix before 
    >         >                         "\" 
    >         >                         > (0)  ntdomain : No '\' 
    in 
    >         User-Name = 
    >         >                         "user", looking up realm 
    NULL 
    >         >                         > (0)  ntdomain : No such 
    realm 
    >         "NULL" 
    >         >                         > (0)   [ntdomain] = noop 
    >         >                         > (0)   [files] = noop 
    >         >                         > (0)   [expiration] = 
    noop 
    >         >                         > (0)   [logintime] = 
    noop 
    >         >                         > (0)  WARNING: pap : No 
    "known 
    >         good" password 
    >         >                         found for the user.  Not 
    >         >                         > setting Auth-Type 
    >         >                         > (0)  WARNING: pap : 
    Authentication 
    >         will fail 
    >         >                         unless a "known good" 
    >         >                         > password is available 
    >         >                         > (0)   [pap] = noop 
    >         >                         > (0)   update control { 
    >         >                         > (0)     Auth-Type := 
    Perl 
    >         >                         > (0)   } # update control 
    = noop 
    >         >                         > (0)  } #  authorize = 
    ok 
    >         >                         > (0) Found Auth-Type = 
    Perl 
    >         >                         > (0) # Executing group 
    from 
    >         > 
    >         file /etc/raddb/sites-enabled/privacyidea 
    >         >                         > (0)  Auth-Type Perl { 
    >         >                         > (0)   perl : 
    >         $RAD_REQUEST{'User-Name'} = 
    >         >                         &request:User-Name -> 
    'user' 
    >         >                         > (0)   perl : 
    >         $RAD_REQUEST{'User-Password'} = 
    >         >                         &request:User-Password -> 
    >         >                         > 'password' 
    >         >                         > (0)   perl : 
    >         $RAD_REQUEST{'NAS-IP-Address'} 
    >         >                         = &request:NAS-IP-Address 
    >         >                         > -> '127.0.0.1' 
    >         >                         > (0)   perl : 
    >         $RAD_REQUEST{'Event-Timestamp'} 
    >         >                         = 
    >         >                         > &request:Event-Timestamp 
    -> 'Oct 
    >         21 2015 
    >         >                         11:50:57 AEDT' 
    >         >                         > (0)   perl : 
    >         $RAD_CHECK{'Auth-Type'} = 
    >         >                         &control:Auth-Type -> 
    'Perl' 
    >         >                         > (0)   perl : 
    >         $RAD_CONFIG{'Auth-Type'} = 
    >         >                         &control:Auth-Type -> 
    'Perl' 
    >         >                         > rlm_perl: Config 
    >         > 
    File /etc/freeradius/rlm_perl.ini 
    >         found! 
    >         >                         > rlm_perl: Default URL 
    >         > 
    https://127.0.0.1/validate/check 
    >         >                         > rlm_perl: Looking for 
    config for 
    >         auth-type 
    >         >                         Perl 
    >         >                         > rlm_perl: Auth-Type: 
    Perl 
    >         >                         > rlm_perl: url: 
    >         > 
    https://127.0.0.1/validate/check 
    >         >                         > rlm_perl: user sent to 
    >         privacyidea: user 
    >         >                         > rlm_perl: realm sent to 
    >         privacyidea: 
    >         >                         > rlm_perl: resolver sent 
    to 
    >         privacyidea: 
    >         >                         > rlm_perl: client sent 
    to 
    >         privacyidea: 
    >         >                         127.0.0.1 
    >         >                         > rlm_perl: state sent to 
    >         privacyidea: 
    >         >                         > rlm_perl: urlparam 
    client 
    >         >                         > rlm_perl: urlparam pass 
    >         >                         > rlm_perl: urlparam user 
    >         >                         > rlm_perl: Not verifying 
    SSL 
    >         certificate! 
    >         >                         > rlm_perl: privacyIDEA 
    request 
    >         failed: 500 
    >         >                         INTERNAL SERVER ERROR 
    >         >                         > rlm_perl: return 
    RLM_MODULE_FAIL 
    >         >                         > (0)  perl : 
    &request:User-Name = 
    >         >                         $RAD_REQUEST{'User-Name'} 
    -> 'user' 
    >         >                         > (0)  perl : 
    >         &request:Event-Timestamp = 
    >         > 
    $RAD_REQUEST{'Event-Timestamp'} 
    >         >                         > -> 'Oct 21 2015 11:50:57 
    AEDT' 
    >         >                         > (0)  perl : 
    &request:User-Password 
    >         = 
    >         > 
    $RAD_REQUEST{'User-Password'} -> 
    >         >                         > 'password' 
    >         >                         > (0)  perl : 
    >         &request:NAS-IP-Address = 
    >         > 
    $RAD_REQUEST{'NAS-IP-Address'} 
    >         >                         > -> '127.0.0.1' 
    >         >                         > (0)  perl : 
    &reply:Reply-Message 
    >         = 
    >         > 
    $RAD_REPLY{'Reply-Message'} -> 
    >         >                         > 'privacyIDEA request 
    failed: 500 
    >         INTERNAL 
    >         >                         SERVER ERROR' 
    >         >                         > (0)  perl : 
    &control:Auth-Type = 
    >         >                         $RAD_CHECK{'Auth-Type'} -> 
    'Perl' 
    >         >                         > (0)   [perl] = fail 
    >         >                         > (0)  } # Auth-Type Perl 
    = fail 
    >         >                         > (0) Failed to 
    authenticate the 
    >         user 
    >         >                         > (0) Using Post-Auth-Type 
    Reject 
    >         >                         > (0) Delaying response 
    for 1 
    >         seconds 
    >         >                         > Waking up in 0.9 
    seconds. 
    >         >                         > (0) Sending delayed 
    response 
    >         >                         > (0) Sending 
    Access-Reject packet 
    >         to host 
    >         >                         127.0.0.1 port 35488, 
    id=111, 
    >         >                         > length=0 
    >         >                         > (0)     Reply-Message = 
    >         'privacyIDEA request 
    >         >                         failed: 500 INTERNAL 
    >         >                         > SERVER ERROR' 
    >         >                         > Sending Access-Reject Id 
    111 from 
    >         >                         127.0.0.1:1812 to 
    127.0.0.1:35488 
    >         >                         >         Reply-Message = 
    >         'privacyIDEA request 
    >         >                         failed: 500 INTERNAL 
    >         >                         > SERVER ERROR' 
    >         >                         > Waking up in 3.9 
    seconds. 
    >         >                         > (0) Cleaning up request 
    packet ID 
    >         111 with 
    >         >                         timestamp +7 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > I don't think this is 
    just an 
    >         issue with the 
    >         >                         user / password, but if 
    >         >                         > anyone can point me in 
    the right 
    >         direction 
    >         >                         in what I may have done 
    >         >                         > wrong with either the 
    radius or 
    >         privacy idea 
    >         >                         install? 
    >         >                         > 
    >         >                         > 
    >         >                         > Cheers 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > -- 
    >         >                         > You received this 
    message because 
    >         you are 
    >         >                         subscribed to the Google 
    >         >                         > Groups "privacyidea" 
    group. 
    >         >                         > To unsubscribe from this 
    group and 
    >         stop 
    >         >                         receiving emails from it, 
    send 
    >         >                         > an email to 
    >         > 
    privacyidea...@googlegroups.com. 
    >         >                         > To post to this group, 
    send email 
    >         to 
    >         > 
    priva...@googlegroups.com. 
    >         >                         > To view this discussion 
    on the web 
    >         visit 
    >         >                         > 
    >         > 
    > 

https://groups.google.com/d/msgid/privacyidea/96a156c2-b64d-417d-811a-e152d27c8fd2%40googlegroups.com.

    >         >                         > For more options, visit 
    >         > 
    https://groups.google.com/d/optout. 
    >         >                         
    >         >                         -- 
    >         >                         Cornelius Kölbel 
    >         >                         corneliu...@netknights.it 
    >         >                         +49 151 2960 1417 
    >         >                         
    >         >                         NetKnights GmbH 
    >         >                         http://www.netknights.it 
    >         >                         Landgraf-Karl-Str. 19, 
    34131 Kassel, 
    >         Germany 
    >         >                         Tel: +49 561 3166797, Fax: 
    +49 561 
    >         3166798 
    >         >                         
    >         >                         Amtsgericht Kassel, HRB 
    16405 
    >         >                         Geschäftsführer: Cornelius 
    Kölbel 
    >         >                         
    >         >                         
    >         >                 
    >         >                 -- 
    >         >                 You received this message because 
    you are 
    >         subscribed 
    >         >                 to the Google Groups "privacyidea" 
    group. 
    >         >                 To unsubscribe from this group and 
    stop 
    >         receiving 
    >         >                 emails from it, send an email to 
    >         >                 privacyidea...@googlegroups.com. 
    >         >                 To post to this group, send email 
    to 
    >         >                 priva...@googlegroups.com. 
    >         >                 To view this discussion on the web 
    visit 
    >         > 
    > 

https://groups.google.com/d/msgid/privacyidea/242a0b48-4735-4b91-b29b-9d53507fe8b8%40googlegroups.com.

    >         >                 For more options, visit 
    >         > 
    https://groups.google.com/d/optout. 
    >         >                 
    >         >         
    >         > 
    >         > 
    >         -- 
    >         Cornelius Kölbel 
    >         corneliu...@netknights.it ...

Hi Tony,

you can edit your file /etc/freeradius/users like this:

DEFAULT Auth-Type := Perl
	Class = "YOUR_GROUP_EXPECTED_BY_CHECKPOINT"

This way each user will be authenticated against the perl module a.k.a.
privacyIDEA and put into the corresponding group.

Or: You can add the Class AVP that is expected by your checkpoint.
Please note: In the radius request the Class is hex encoded. In the
users config file you need to enter a normal ascii string.

Kind regards
Cornelius

On Thursday, 22.10.2015, 09:23 +0200, Cornelius Kölbel wrote:

Hi Tony,

the Attribute Value Pair Class 25 usually seems to expect some
attribute, which the firewall uses to authorize the access or put the
user of this request in some control group.

So the question is: Do you have another RADIUS server running at the
moment, and what do the requests look like there?

I assume we have to add an attribute of class 25 with the correct value,
that is expected by your checkpoint configuration.
RFC 2865 - Remote Authentication Dial In User Service (RADIUS)

And additionally I assume, that the existing attributes did not make the
response fail, but the missing class-25-attribute.
This attribute is usually used for group information.
(http://freeradius.1045715.n5.nabble.com/Reply-with-group-attribute-td2781054.html)

So I guess we need to look on the FreeRADIUS side (independently of the
privacyIDEA plugin).

We need to investigate

  • the successful RADIUS REQUEST with your existing RADIUS server
  • the successful RADIUS RESPONSE with your existing RADIUS server
    and then configure FreeRADIUS accordingly.

I will try to help you with that.
But maybe at a certain point we might also need to take this to the
freeradius list.

Kind regards
Cornelius
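The two replies above turn on the Class (attribute type 25) AVP that the Check Point gateway expects in the Access-Accept, and on the fact that a capture shows it hex-encoded while the users file takes a plain string. The following is an added example written for this page, not code from the thread or from the privacyIDEA project: it builds an RFC 2865 Access-Accept with and without a Class attribute, parses it back, shows the Class value both as the hex a sniffer prints and as the string entered in the users file, and recomputes the Response Authenticator so a reply that was not built for this request with the shared secret is rejected. The secret testing123 is the one from the radclient command in the thread; the packet identifier, the request authenticator and the group name vpn-users are made-up test values.

```python
import hashlib
import struct

ACCESS_ACCEPT = 2
ATTR_REPLY_MESSAGE = 18
ATTR_CLASS = 25


def encode_attrs(attrs):
    """Serialise a list of (type, bytes) pairs as RFC 2865 TLVs.
    The Length octet covers Type and Length, so a value may be 1..253 bytes."""
    out = bytearray()
    for atype, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute %d: value must be 1..253 bytes" % atype)
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return bytes(out)


def build_access_accept(ident, request_auth, secret, attrs):
    """Return an Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865, section 3)."""
    if len(request_auth) != 16:
        raise ValueError("request authenticator must be 16 bytes")
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def parse_attrs(packet):
    """Walk the attribute list after the 20-byte header; reject truncated TLVs."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("bad attribute length at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def verify_response(packet, request_auth, secret):
    """True only if the reply was built for this request by a peer holding the
    shared secret; a NAS that skips this check would accept forged Access-Accepts."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return expected == packet[4:20]


def class_values(packet):
    """Class is opaque octets, which is why radsniff/radclient print it as 0x...;
    return each Class value as that hex string."""
    return [value.hex() for atype, value in parse_attrs(packet) if atype == ATTR_CLASS]


def check_accept(packet, request_auth, secret, expected_group):
    """What the gateway side effectively needs: a verified Access-Accept that
    carries a Class attribute equal to the configured group string."""
    if not verify_response(packet, request_auth, secret):
        return "authenticator mismatch"
    if packet[0] != ACCESS_ACCEPT:
        return "not an Access-Accept"
    groups = [bytes.fromhex(h) for h in class_values(packet)]
    if not groups:
        return "no Class attribute"
    if expected_group.encode() not in groups:
        return "Class %r not in %r" % (expected_group, groups)
    return "ok"


if __name__ == "__main__":
    SECRET = b"testing123"         # shared secret from the radclient command in the thread
    REQ_AUTH = bytes(range(16))    # constructed; a real NAS sends 16 random bytes per request
    # Reply as the privacyIDEA plugin returned it: Reply-Message only.
    plain = build_access_accept(91, REQ_AUTH, SECRET,
                                [(ATTR_REPLY_MESSAGE, b"privacyIDEA access granted")])
    # Reply with the Class AVP added via the users file (group name is made up).
    grouped = build_access_accept(91, REQ_AUTH, SECRET,
                                  [(ATTR_REPLY_MESSAGE, b"privacyIDEA access granted"),
                                   (ATTR_CLASS, b"vpn-users")])
    print("without Class:", check_accept(plain, REQ_AUTH, SECRET, "vpn-users"))
    print("with Class   :", check_accept(grouped, REQ_AUTH, SECRET, "vpn-users"))
    print("Class as a sniffer shows it:", class_values(grouped))
```

Run stand-alone it reports "no Class attribute" for the Reply-Message-only packet and "ok" once the Class AVP is present; the hex string it prints for the Class value is the 0x... form seen in a capture, and bytes.fromhex() of it gives back the ASCII string that goes into the users file.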

On Wednesday, 21.10.2015, 23:52 -0700, Tony Hawker wrote:

Thanks Cornelius
This script still doesn't seem to solve the problem; Check Point still
doesn't like the Access-Accept packets for some reason.
I've had the Check Point talking to FreeRADIUS in the past, so it can
work, but it just doesn't see these accept packets for some reason.

On Thursday, 22 October 2015 17:44:43 UTC+11, Cornelinux K wrote:
Hi Tony,

    here is a slightly modified script, that does not add any additional
    AVPs into the reply.
    
    It only returns ACCESS_ACCEPT or ACCESS_REJECT.
    
    This script replaces the existing one.
    Please restart freeradius and check if checkpoint likes it.
    
    Kind regards
    Cornelius
    
    On Wednesday, 21.10.2015, 23:35 -0700, Tony Hawker wrote:
    > Hi Cornelius
    > Thanks for this info
    > Where do I remove that line from? I'm not familiar with this process.
    > Do I need to change a config file, or change some source code and
    > recompile?
    > I believe if I could change the message on that line that could also
    > possibly help
    > 
    > 
    > Cheers
    > 
    > On Thursday, 22 October 2015 17:27:55 UTC+11, Cornelinux K wrote: 
    >         Hello Tony,
    >         
    >         at the moment there is no way to configure the reply message.
    >         
    >         You can remove the RAD_REPLY in the privacyidea perl module.
    >         https://github.com/privacyidea/privacyidea/blob/master/authmodules/FreeRADIUS/privacyidea_radius.pm#L335
    >         
    >         Thus this information will not be added to the reply.
    >         If this succeeds, please drop me a note or open an issue at
    >         github.
    >         We can then make the reply configurable.
    >         
    >         Kind regards
    >         Cornelius
    >         
    >         
    >         On Wednesday, 21.10.2015, 17:54 -0700, Tony Hawker wrote:
    >         > Hi Cornelius
    >         > Thanks for your help, I almost have this working now, I played around
    >         > a lot, but I think that ticking the "use @ to separate user and realm"
    >         > has allowed the radius to pass through the details correctly
    >         > 
    >         > I have managed to have my radius client authenticate, and it seems to
    >         > be sending back the reply message "privacy IDEA access granted" to my
    >         > firewalls (I am trying to authenticate VPN users)
    >         > 
    >         > I believe the firewall does not like the response message, I am
    >         > possibly getting a similar issue described here:
    >         > https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk107638
    >         > 
    >         > I have also attached a screen shot of how the packet looks from
    >         > privacy idea, do you think that because the reply packet is slightly
    >         > different it could be causing this problem?
    >         > Is it possible to change the privacy idea radius accept packet to
    >         > something generic?
    >         > 
    >         > Cheers
    >         > 
    >         > On Wednesday, 21 October 2015 23:59:18 UTC+11, Cornelinux K wrote:
    >         >         
    >         >         
    >         >         Hi, 
    >         >         
    >         >         
    >         >         The user can not be found in the
    resolver. 
    >         >         
    >         >         
    >         >         
    >         >         
    >         >         How does the request look like? 
    >         >         Is the realm the default realm. 
    >         >         how does the DN of the user look like? 
    >         >         
    >         >         
    >         >         
    >         >         
    >         >         You might have specified the wrong realm
    (see 
    >         default realm) 
    >         >         
    >         >         
    >         >         
    >         >         
    >         >         Kind regards 
    >         >         Cornelius 
    >         >         
    >         >         
    >         >         
    >         >         
    >         >         Cornelius Kölbel 
    >         >         Corneliu...@netknights.it 
    >         >         +49 151 2960 1417 
    >         >         
    >         >         
    >         >         NetKnights GmbH 
    >         >         http://netknights.it 
    >         >         Landgraf-Karl-Str. 19, 34131 Kassel,
    Germany 
    >         >         Tel: +49 561 3166797, Fax: +49 561
    3166798 
    >         >         
    >         >         
    >         >         Amtsgericht Kassel, HRB 16405 
    >         >         Geschäftsführer: Cornelius Kölbel 
    >         >         
    >         >         
    >         >         -------- Ursprüngliche Nachricht -------- 
    >         >         Von: Tony Hawker <lil...@gmail.com> 
    >         >         Datum: 21.10.2015 13:14 (GMT+01:00) 
    >         >         An: privacyidea
    <priva...@googlegroups.com> 
    >         >         Betreff: Re: Re: 'privacyIDEA request
    failed: 500 
    >         INTERNAL 
    >         >         SERVER ERROR' - FreeRadius 
    >         >         
    >         >         Hi Cornelius 
    >         >         Thanks for your response 
    >         >         I am running PIP installation on Centos 7 
    >         >         I am running latest version of Privacy
    idea (2.7), 
    >         updated as 
    >         >         per instructions on howtoforge 
    >         >         the user is coming from Active Directory 
    >         >         UID is DN 
    >         >         there are no special characters anywhere
    in the AD 
    >         config 
    >         >         
    >         >         
    >         >         testing using the URL you provided I get
    the message 
    >         below 
    >         >         when attempting to use an AD user 
    >         >         "version": "privacyIDEA 2.7", "result":
    {"status": 
    >         false, "error": {"message": "ERR905: The user can
    not be found 
    >         in any resolver in this realm!", "code": -500}},
    "time": 
    >         1445425459.788956, "id": 1} 
    >         >         
    >         >         but if i use the root user (from the
    privacyidea 
    >         server) this returns: 
    >         >         {"message": "wrong otp pin"},
    "versionnumber": 
    >         "2.7", "version": "privacyIDEA 2.7", "result":
    {"status": 
    >         true, "value": false}, "time": 1445425581.107504,
    "id": 1} 
    >         >         I assume the OTP token is out of sync, but
    looks 
    >         much more promising 
    >         >         
    >         >         any idea on why the AD would not work via
    this 
    >         method? as i can see all the users in the webui etc 
    >         >         
    >         >         Cheers 
    >         >         
    >         >         
    >         >         
    >         >         
    >         >         
    >         >         On Wednesday, 21 October 2015 21:01:47 UTC +11,  Cornelinux K  wrote: 
    >         >                 Hi Tony, 
    >         >                 
    >         >                 
    >         >                 Are you running a pip installation
    or debian 
    >         wheezy? 
    >         >                 
    >         >                 
    >         >                 Which version of privacyidea are
    you 
    >         running? 
    >         >                 
    >         >                 
    >         >                 In certain cases there were
    problems with 
    >         the ldap 
    >         >                 resolver, if the DN contains
    special 
    >         characters and is 
    >         >                 base54 encoded. 
    >         >                 
    >         >                 
    >         >                 Is it openldap or AD? 
    >         >                 
    >         >                 
    >         >                 The Uid type: is it DN or
    entryUUID? 
    >         >                 
    >         >                 
    >         >                 Kind regards 
    >         >                 Cornelius 
    >         >                 
    >         >                 
    >         >                 
    >         >                 
    >         >                 
    >         >                 
    >         >                 Cornelius Kölbel 
    >         >                 Corneliu...@netknights.it 
    >         >                 +49 151 2960 1417 
    >         >                 
    >         >                 
    >         >                 NetKnights GmbH 
    >         >                 http://netknights.it 
    >         >                 Landgraf-Karl-Str. 19, 34131
    Kassel, 
    >         Germany 
    >         >                 Tel: +49 561 3166797, Fax: +49 561
    3166798 
    >         >                 
    >         >                 
    >         >                 Amtsgericht Kassel, HRB 16405 
    >         >                 Geschäftsführer: Cornelius Kölbel 
    >         >                 
    >         >                 
    >         >                 -------- Ursprüngliche Nachricht
    -------- 
    >         >                 Von: Tony Hawker
    <lil...@gmail.com> 
    >         >                 Datum: 21.10.2015 08:59 (GMT
    +01:00) 
    >         >                 An: privacyidea
    <priva...@googlegroups.com> 
    >         >                 Betreff: Re: 'privacyIDEA request
    failed: 
    >         500 INTERNAL 
    >         >                 SERVER ERROR' - FreeRadius 
    >         >                 
    >         >                 Hi 
    >         >                 thanks for your quick response to
    my issue 
    >         >                 I have been watching the
    privacyidea.log but 
    >         no 
    >         >                 entries are made when a connection
    attempt 
    >         is made via 
    >         >                 the radius, which leads me to
    think that the 
    >         radius is 
    >         >                 not able to see the privacyidea
    API? 
    >         >                 I can access the URI in my
    browser, so i can 
    >         see that 
    >         >                 is up 
    >         >                 
    >         >                 
    >         >                 I see this in the privacyidea.log
    when i 
    >         reboot 
    >         >                 
    >         >                 
    >         >                 [2015-10-21 
    >         > 
    >
    15:41:28,041][1924][139636199069440][ERROR][privacyidea.lib.resolvers.LDAPIdResolver:333] 'Traceback (most recent call last):\n  File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/         LDAPIdResolver.py", line 328, in getUserList\n    user = self._ldap_attributes_to_user_object(attributes)\n  File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 246, in          _ldap_attributes_to_user_object\n    for ldap_k, ldap_v in attributes.items():\nAttributeError: \'NoneType\' object has no attribute \'items\'\n' 
    >         >                 
    >         >                 
    >         >                 Cheers 
    >         >                 
    >         >                 
    >         >                 
    >         >                 
    >         >                 
    >         >                 
    >         >                 
    >         >                 
    >         > On Wednesday, 21 October 2015 17:14:34 UTC+11, Cornelinux K wrote:
    >         >         Hi Tony,
    >         >         
    >         >         please do the following:
    >         >         
    >         >         1. Take a look into the audit log
    >         >         
    >         >         Within the webui take a look, what you can see in the request in the Audit Tab. The right most tab.
    >         >         
    >         >         I assume, the user does not exist.
    >         >         
    >         >         The audit gives you a top level view of what is happening in privacyidea.
    >         >         
    >         >         2. Take a look into the log file privacyidea.log.
    >         >         This gives you a detailed view, of what is happening.
    >         >         
    >         >         Kind regards
    >         >         Cornelius
    
    -- 
    Cornelius Kölbel 
    corneliu...@netknights.it 
    +49 151 2960 1417 
    
    NetKnights GmbH 
    http://www.netknights.it 
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    Tel: +49 561 3166797, Fax: +49 561 3166798 
    
    Amtsgericht Kassel, HRB 16405 
    Managing Director (Geschäftsführer): Cornelius Kölbel 


You received this message because you are subscribed to the Google
Groups "privacyidea" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/f393aeb4-4c92-4a5e-a3e4-434cb7f62fb7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


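Cornelius's reply above is about how the Perl module turns the privacyIDEA /validate/check response into the RADIUS reply, and the thread shows two of the responses that actually came back from the API: an ERR905 "user can not be found" error (which is what surfaced on the RADIUS side as the 500) and a "wrong otp pin" failure. The client below is an added example, not code from the privacyIDEA project or from privacyidea_radius.pm. It builds the request parameters the way the "use @ to separate user and realm" option is described as doing, classifies a /validate/check response into accept, reject or error (an error is a server or resolver-configuration fault and should map to RLM_MODULE_FAIL, as the module's own log shows, not to a reject), and verifies the server certificate instead of disabling verification as the logged "Not verifying SSL certificate!" indicates. The two sample responses are the ones quoted in the thread, completed to well-formed JSON; the success response, the realm split, the base URL and the CA file path are assumptions.

```python
"""Classify privacyIDEA /validate/check responses for a RADIUS front-end.

Added example; not code from the privacyIDEA project or privacyidea_radius.pm.
"""
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

# Constructed samples. The first two are the responses quoted in this thread,
# completed to well-formed JSON (the leading "{" and the "detail" key were cut
# off in the quote; that completion is an assumption). The third is an assumed
# success response using the same result.status / result.value shape.
RESP_USER_NOT_FOUND = (
    '{"version": "privacyIDEA 2.7", "result": {"status": false, "error": '
    '{"message": "ERR905: The user can not be found in any resolver in this realm!", '
    '"code": -500}}, "time": 1445425459.788956, "id": 1}'
)
RESP_WRONG_PIN = (
    '{"detail": {"message": "wrong otp pin"}, "versionnumber": "2.7", '
    '"version": "privacyIDEA 2.7", "result": {"status": true, "value": false}, '
    '"time": 1445425581.107504, "id": 1}'
)
RESP_OK = (
    '{"detail": {"message": "matching 1 tokens"}, "version": "privacyIDEA 2.7", '
    '"result": {"status": true, "value": true}, "time": 1445425600.0, "id": 1}'
)


def split_user_realm(username, use_at_separator):
    """Approximate the "use @ to separate user and realm" switch (assumption).

    'alice@vpn' -> ('alice', 'vpn'); without the switch the realm stays empty
    and privacyIDEA falls back to its default realm.
    """
    if use_at_separator and "@" in username:
        user, _, realm = username.rpartition("@")
        return user, realm
    return username, ""


def build_validate_params(username, password, use_at_separator=False, client_ip=None):
    """Build the form parameters sent to /validate/check (user, pass, realm, client)."""
    user, realm = split_user_realm(username, use_at_separator)
    params = {"user": user, "pass": password}
    if realm:
        params["realm"] = realm
    if client_ip:
        params["client"] = client_ip
    return params


def classify_validate_response(body):
    """Return (outcome, message) with outcome in {"accept", "reject", "error"}.

    result.status false means the API call itself failed (ERR905 in this
    thread: the user is in no resolver of the realm). That is a server or
    configuration fault and should map to RLM_MODULE_FAIL, not to a reject,
    so operators do not mistake it for a wrong credential.
    result.status true with result.value false is a real authentication
    failure (wrong PIN/OTP); result.value true is an accept.
    """
    data = json.loads(body)
    result = data.get("result", {})
    if not result.get("status", False):
        err = result.get("error", {})
        return "error", "%s (code %s)" % (err.get("message", "unknown error"), err.get("code"))
    message = data.get("detail", {}).get("message", "")
    if result.get("value") is True:
        return "accept", message
    return "reject", message


def validate_check(base_url, params, ca_file=None, timeout=5):
    """POST to <base_url>/validate/check over TLS with certificate verification.

    ca_file is the CA that issued the privacyIDEA certificate (assumed path,
    e.g. /etc/pki/privacyidea-ca.pem). Pass it rather than disabling
    verification: the user's password and OTP travel in this request.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    data = urllib.parse.urlencode(params).encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/validate/check", data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return classify_validate_response(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        # An HTTP error status is what the Perl module reported as
        # "privacyIDEA request failed: 500 INTERNAL SERVER ERROR".
        return "error", "HTTP %d %s" % (exc.code, exc.reason)


if __name__ == "__main__":
    for name, body in (("user-not-found", RESP_USER_NOT_FOUND),
                       ("wrong-pin", RESP_WRONG_PIN), ("ok", RESP_OK)):
        print(name, classify_validate_response(body))
    print(build_validate_params("alice@vpn", "1234567890", use_at_separator=True,
                                client_ip="127.0.0.1"))
```

Against a live server the call is `validate_check("https://127.0.0.1", build_validate_params("alice@vpn", pin_plus_otp, use_at_separator=True, client_ip=nas_ip), ca_file="/etc/pki/privacyidea-ca.pem")` (URL and CA path assumed); an "error" outcome on a user that is visible in the webui points at the realm or resolver selection, which is the check Cornelius asks for in this thread.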
Hi Cornelius
Thanks for your help, I almost have this working now, I played around
a lot, but I think that ticking the "use @ to separate user and realm" has
allowed the radius to pass through the details correctly

I have managed to have my radius client authenticate, and it seems to be
sending back the reply message "privacy IDEA access granted" to my
firewalls (I am trying to authenticate VPN users)

I believe the firewall does not like the response message, I am possibly
getting a similar issue described here:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk107638

I have also attached a screen shot of how the packet looks from privacy
idea, do you think that because the reply packet is slightly different it
could be causing this problem?
Is it possible to change the privacy idea radius accept packet to something
generic?

Cheers

On Wednesday, 21 October 2015 23:59:18 UTC+11, Cornelinux K wrote:

Hi,

The user can not be found in the resolver.

What does the request look like?
Is the realm the default realm?
What does the DN of the user look like?

You might have specified the wrong realm (see default realm)

Kind regards
Cornelius


-------- Original Message --------
From: Tony Hawker <lil...@gmail.com>
Date: 21.10.2015 13:14 (GMT+01:00)
To: privacyidea <priva...@googlegroups.com>
Subject: Re: Re: 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR' -
FreeRadius

Hi Cornelius
Thanks for your response
I am running a PIP installation on Centos 7
I am running the latest version of Privacy idea (2.7), updated as per
instructions on howtoforge
the user is coming from Active Directory
UID is DN
there are no special characters anywhere in the AD config

testing using the URL you provided I get the message below when attempting
to use an AD user

"version": "privacyIDEA 2.7", "result": {"status": false, "error": {"message": "ERR905: The user can not be found in any resolver in this realm!", "code": -500}}, "time": 1445425459.788956, "id": 1}

but if I use the root user (from the privacyidea server) this returns:

{"message": "wrong otp pin"}, "versionnumber": "2.7", "version": "privacyIDEA 2.7", "result": {"status": true, "value": false}, "time": 1445425581.107504, "id": 1}

I assume the OTP token is out of sync, but this looks much more promising

Any idea why the AD would not work via this method? As I can see all the users in the webui etc

Cheers

On Wednesday, 21 October 2015 21:01:47 UTC+11, Cornelinux K wrote:

Hi Tony,

Are you running a pip installation or debian wheezy?

Which version of privacyidea are you running?

In certain cases there were problems with the ldap resolver, if the DN
contains special characters and is base64 encoded.

Is it openldap or AD?

The Uid type: is it DN or entryUUID?

Kind regards
Cornelius

Cornelius Kölbel
Corneliu…@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

-------- Original message --------
From: Tony Hawker lil...@gmail.com
Date: 21.10.2015 08:59 (GMT+01:00)
To: privacyidea priva...@googlegroups.com
Subject: Re: 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR' -
FreeRadius

Hi
thanks for your quick response to my issue
I have been watching the privacyidea.log but no entries are made when a
connection attempt is made via the radius, which leads me to think that the
radius is not able to see the privacyidea API?
I can access the URI in my browser, so I can see that it is up

I see this in the privacyidea.log when I reboot

[2015-10-21 15:41:28,041][1924][139636199069440][ERROR][privacyidea.lib.resolvers.LDAPIdResolver:333]
'Traceback (most recent call last):\n
  File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 328, in getUserList\n
    user = self._ldap_attributes_to_user_object(attributes)\n
  File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 246, in _ldap_attributes_to_user_object\n
    for ldap_k, ldap_v in attributes.items():\n
AttributeError: 'NoneType' object has no attribute 'items'\n'

Cheers

On Wednesday, 21 October 2015 17:14:34 UTC+11, Cornelinux K wrote:

Hi Tony,

please do the following:

  1. Take a look into the audit log

     Within the webui take a look at what you can see in the request in the
     Audit Tab. The right most tab.

     I assume, the user does not exist.

     The audit gives you a top level view of what is happening in
     privacyidea.

  2. Take a look into the log file privacyidea.log.
     This gives you a detailed view, of what is happening.

Kind regards
Cornelius

On Tuesday, 20.10.2015, 17:56 -0700, Tony Hawker wrote:

Hi
I have followed the guide on setting up privacyIDEA on Centos 7 here:

Two-Factor-Authentication with OTP on CentOS 7 – privacyID3A

I can access the webui, register tokens, linked to active directory
etc, all tested ok

I am having issues with the radius plugin, when I attempt to make any
connection to the radius, either using the test functions described in
the link above, or from an external connection, I am seeing the errors
below:

]# echo "User-Name=user, User-Password=password" | radclient -sx localhost auth testing123

Sending Access-Request Id 91 from 0.0.0.0:34321 to 127.0.0.1:1812
    User-Name = 'user'
    User-Password = 'password'
Received Access-Reject Id 91 from 127.0.0.1:1812 to 127.0.0.1:34321 length 75
    Reply-Message = 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
(0) -: Expected Access-Accept got Access-Reject
Packet summary:
    Accepted      : 0
    Rejected      : 1
    Lost          : 0
    Passed filter : 0
    Failed filter : 1

and on the radius server I see this:

Received Access-Request Id 111 from 127.0.0.1:35488 to 127.0.0.1:1812 length 44
    User-Name = 'user'
    User-Password = 'password'
(0) Received Access-Request packet from host 127.0.0.1 port 35488, id=111, length=44
(0)     User-Name = 'user'
(0)     User-Password = 'password'
(0) # Executing section authorize from file /etc/raddb/sites-enabled/privacyidea
(0)   authorize {
(0)   [preprocess] = ok
(0)   [digest] = noop
(0)  suffix : Checking for suffix after "@"
(0)  suffix : No '@' in User-Name = "user", looking up realm NULL
(0)  suffix : No such realm "NULL"
(0)   [suffix] = noop
(0)  ntdomain : Checking for prefix before "\"
(0)  ntdomain : No '\' in User-Name = "user", looking up realm NULL
(0)  ntdomain : No such realm "NULL"
(0)   [ntdomain] = noop
(0)   [files] = noop
(0)   [expiration] = noop
(0)   [logintime] = noop
(0)  WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
(0)  WARNING: pap : Authentication will fail unless a "known good" password is available
(0)   [pap] = noop
(0)   update control {
(0)     Auth-Type := Perl
(0)   } # update control = noop
(0)  } #  authorize = ok
(0) Found Auth-Type = Perl
(0) # Executing group from file /etc/raddb/sites-enabled/privacyidea
(0)  Auth-Type Perl {
(0)   perl : $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'user'
(0)   perl : $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'password'
(0)   perl : $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '127.0.0.1'
(0)   perl : $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Oct 21 2015 11:50:57 AEDT'
(0)   perl : $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'Perl'
(0)   perl : $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'Perl'
rlm_perl: Config File /etc/freeradius/rlm_perl.ini found!
rlm_perl: Default URL https://127.0.0.1/validate/check
rlm_perl: Looking for config for auth-type Perl
rlm_perl: Auth-Type: Perl
rlm_perl: url: https://127.0.0.1/validate/check
rlm_perl: user sent to privacyidea: user
rlm_perl: realm sent to privacyidea:
rlm_perl: resolver sent to privacyidea:
rlm_perl: client sent to privacyidea: 127.0.0.1
rlm_perl: state sent to privacyidea:
rlm_perl: urlparam client
rlm_perl: urlparam pass
rlm_perl: urlparam user
rlm_perl: Not verifying SSL certificate!
rlm_perl: privacyIDEA request failed: 500 INTERNAL SERVER ERROR
rlm_perl: return RLM_MODULE_FAIL
(0)   perl : &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'user'
(0)   perl : &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Oct 21 2015 11:50:57 AEDT'
(0)   perl : &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'password'
(0)   perl : &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '127.0.0.1'
(0)   perl : &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
(0)   perl : &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl'
(0)   [perl] = fail
(0)  } # Auth-Type Perl = fail
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) Delaying response for 1 seconds
Waking up in 0.9 seconds.
(0) Sending delayed response
(0) Sending Access-Reject packet to host 127.0.0.1 port 35488, id=111, length=0
(0)   Reply-Message = 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
Sending Access-Reject Id 111 from 127.0.0.1:1812 to 127.0.0.1:35488
    Reply-Message = 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR'
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 111 with timestamp +7

I don’t think this is just an issue with the user / password, but if
anyone can point me in the right direction in what I may have done
wrong with either the radius or privacy idea install?

Cheers


You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com.
To post to this group, send email to priva...@googlegroups.com.
To view this discussion on the web visit

https://groups.google.com/d/msgid/privacyidea/96a156c2-b64d-417d-811a-e152d27c8fd2%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
corneliu…@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel



Hi Cornelius
We have now resolved this issue, it turned out to be an issue with the VPN
community on the firewall, once resolved everything started working, it's
odd that the other auth server was working at all once seeing the issue

Thanks for your support on this, I may put up some basic how-to's on the
checkpoint implementation that can complement the guides that are already
available in the next few days

Cheers

On Thursday, 22 October 2015 22:56:13 UTC+11, Tony Hawker wrote:

Thanks Cornelius
Yes that file exists, seems to be a default file, with a lot of ## out
bits but no entries
I entered the settings as specified but still get errors when starting

/etc/raddb/mods-config/files/authorize[221]: Parse error (check) for entry
authorize: Invalid attribute name
Failed reading /etc/raddb/mods-config/files/authorize
/etc/raddb/mods-enabled/files[9]: Instantiation failed for module "files"

On Thursday, 22 October 2015 22:50:13 UTC+11, Cornelinux K wrote:

Hi Tony,

I forgot that you are running on CentOS 7 with FR3.

Did you have a file /etc/raddb/users at all?

In the config you have a

    authorize {
        update control {
            Auth-Type := Perl
        }
    }

Which sets the Auth-Type -> Perl for all users.

So in this case you might need to add it like this:

    authorize {
        update control {
            Auth-Type := Perl
            Class := AVP
        }
    }

I do not have FreeRADIUS 3 at hand to test this...

Kind regards
Cornelius

On Thursday, 22.10.2015, 09:41 +0200, Cornelius Kölbel wrote:

Hi Tony,

you can edit your file /etc/freeradius/users like this:

    DEFAULT Auth-Type := Perl
            Class = YOUR_GROUP_EXPECTED_BY_CHECKPOINT

This way each user will be authenticated against the perl module a.k.a.
privacyIDEA and put into the corresponding group.

Or: You can add the Class AVP that is expected by your checkpoint.
Please note: In the radius request the Class is hex encoded. In the
users config file you need to enter a normal ascii string.

Kind regards
Cornelius

On Thursday, 22.10.2015, 09:23 +0200, Cornelius Kölbel wrote:

Hi Tony,

the Attribute Value Pair Class 25 usually seems to expect some
attribute, which the firewall uses to authorize the access or put the
user of this request in some control group.

So the question is: Do you have another RADIUS server running at the
moment and what do the requests look like there?

I assume we have to add an attribute of class 25 with the correct value,
that is expected by your checkpoint configuration.
RFC 2865 - Remote Authentication Dial In User Service (RADIUS)

And additionally I assume, that the existing attributes did not make the
response fail, but the missing class-25-attribute.
This attribute is usually used for group information.
(http://freeradius.1045715.n5.nabble.com/Reply-with-group-attribute-td2781054.html)

So I guess we need to look at the freeradius side (independent of the
privacyIDEA plugin).

We need to investigate

  • the successful RADIUS REQUEST with your existing RADIUS server
  • the successful RADIUS RESPONSE with your existing RADIUS server
    and then configure FreeRADIUS accordingly.

I will try to help you with that.
But maybe at a certain point we might also need to take this to the
freeradius list.

Kind regards
Cornelius
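
An added example (my own code, not from the thread, privacyIDEA or FreeRADIUS) that builds and parses an RFC 2865 Access-Accept, so the missing Class (25) attribute discussed above, and the hex-on-the-wire versus ASCII-in-the-users-file point, can be checked on a captured reply. The shared secret testing123 comes from the radclient call earlier in the thread; the Request Authenticator, the packet ID and the group name vpn-users are constructed placeholders.

```python
import hashlib
import hmac
import struct

# RFC 2865 packet codes and attribute types that matter in this thread
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
ATTR_REPLY_MESSAGE, ATTR_CLASS = 18, 25
ATTR_NAMES = {1: "User-Name", 18: "Reply-Message", 25: "Class"}


def encode_avp(attr_type, value):
    """Type(1) Length(1) Value(n); Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("AVP value must be at most 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_reply(code, ident, request_auth, secret, avps):
    """Reply to the request that carried request_auth (RFC 2865 section 3):
    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)"""
    attrs = b"".join(encode_avp(t, v) for t, v in avps)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_reply(packet):
    """Return (code, ident, [(type, value), ...]); reject bad lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    avps, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated AVP header")
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed AVP length")
        avps.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, avps


def authenticator_valid(packet, request_auth, secret):
    """Recompute the Response Authenticator a NAS checks before trusting a reply."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def describe_avps(avps):
    """Render attributes like a debug log: text for Reply-Message, hex for the
    opaque Class octet string (the 'hex encoded' value mentioned in the thread)."""
    lines = []
    for attr_type, value in avps:
        name = ATTR_NAMES.get(attr_type, "Attr-%d" % attr_type)
        if attr_type == ATTR_CLASS:
            lines.append("%s = 0x%s" % (name, value.hex()))
        else:
            lines.append("%s = %r" % (name, value.decode("utf-8", "replace")))
    return lines


def check_reply_for_nas(packet, request_auth, secret, expected_class):
    """Findings to look at when a NAS silently drops an Access-Accept.
    expected_class is the ASCII group name the NAS is configured with; the
    users file takes it as text, on the wire it is just octets."""
    findings = []
    if not authenticator_valid(packet, request_auth, secret):
        findings.append("Response Authenticator invalid (wrong shared secret?)")
    code, _ident, avps = parse_reply(packet)
    if code != ACCESS_ACCEPT:
        findings.append("not an Access-Accept (code %d)" % code)
    classes = [v for t, v in avps if t == ATTR_CLASS]
    if not classes:
        findings.append("no Class (25) attribute in reply")
    elif expected_class.encode() not in classes:
        findings.append("Class present but none equals %r" % expected_class)
    return findings


# Constructed sample inputs: the secret from the radclient call in the thread;
# Request Authenticator and packet ID are placeholders (real ones are random).
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))
MESSAGE = b"privacyIDEA access granted"

# What the thread saw: an Access-Accept carrying only the Reply-Message.
REPLY_WITHOUT_CLASS = build_reply(ACCESS_ACCEPT, 91, REQUEST_AUTH, SECRET,
                                  [(ATTR_REPLY_MESSAGE, MESSAGE)])
# The shape suggested above: the Class AVP the firewall expects is added.
REPLY_WITH_CLASS = build_reply(ACCESS_ACCEPT, 91, REQUEST_AUTH, SECRET,
                               [(ATTR_REPLY_MESSAGE, MESSAGE),
                                (ATTR_CLASS, b"vpn-users")])
```

Running check_reply_for_nas over the two constructed replies reports the missing Class attribute for the first and nothing for the second; a wrong shared secret shows up as an invalid Response Authenticator.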

On Wednesday, 21.10.2015, 23:52 -0700, Tony Hawker wrote:

Thanks Cornelius
this script still doesn't seem to solve the problem, checkpoint still
doesn't like the Access-Accept packets for some reason
I've had the checkpoint talking to freeradius in the past, so it can
work, but just doesn't see these accept packets for some reason

On Thursday, 22 October 2015 17:44:43 UTC+11, Cornelinux K wrote:

Hi Tony,

here is a slightly modified script, that does not add any additional
AVPs into the reply.

It only returns ACCESS_ACCEPT or ACCESS_REJECT.

This script replaces the existing one.
Please restart freeradius and check if checkpoint likes it.

Kind regards
Cornelius

On Wednesday, 21.10.2015, 23:35 -0700, Tony Hawker wrote:

Hi Cornelius
Thanks for this info
where do I remove that line from? I'm not familiar with this process?
do I need to change a config file? or change some source code and
recompile?
I believe if I could change the message on that line that could also
possibly help

Cheers

On Thursday, 22 October 2015 17:27:55 UTC+11, Cornelinux K wrote:

Hello Tony,

at the moment there is no way to configure the reply message.

You can remove the RAD_REPLY in the privacyidea perl module.

https://github.com/privacyidea/privacyidea/blob/master/authmodules/FreeRADIUS/privacyidea_radius.pm#L335

Thus this information will not be added to the reply.
If this succeeds, please drop me a note or open an issue at github.
We can then make the reply configurable.

Kind regards
Cornelius
    >         >                         > (0)   perl : 
    >         $RAD_REQUEST{'Event-Timestamp'} 
    >         >                         = 
    >         >                         > 

&request:Event-Timestamp

    -> 'Oct 
    >         21 2015 
    >         >                         11:50:57 AEDT' 
    >         >                         > (0)   perl : 
    >         $RAD_CHECK{'Auth-Type'} = 
    >         >                         &control:Auth-Type -> 
    'Perl' 
    >         >                         > (0)   perl : 
    >         $RAD_CONFIG{'Auth-Type'} = 
    >         >                         &control:Auth-Type -> 
    'Perl' 
    >         >                         > rlm_perl: Config 
    >         > 
    File /etc/freeradius/rlm_perl.ini 
    >         found! 
    >         >                         > rlm_perl: Default URL 
    >         > 
    https://127.0.0.1/validate/check 
    >         >                         > rlm_perl: Looking for 
    config for 
    >         auth-type 
    >         >                         Perl 
    >         >                         > rlm_perl: Auth-Type: 
    Perl 
    >         >                         > rlm_perl: url: 
    >         > 
    https://127.0.0.1/validate/check 
    >         >                         > rlm_perl: user sent 

to

    >         privacyidea: user 
    >         >                         > rlm_perl: realm sent 

to

    >         privacyidea: 
    >         >                         > rlm_perl: resolver 

sent

    to 
    >         privacyidea: 
    >         >                         > rlm_perl: client sent 
    to 
    >         privacyidea: 
    >         >                         127.0.0.1 
    >         >                         > rlm_perl: state sent 

to

    >         privacyidea: 
    >         >                         > rlm_perl: urlparam 
    client 
    >         >                         > rlm_perl: urlparam 

pass

    >         >                         > rlm_perl: urlparam 

user

    >         >                         > rlm_perl: Not 

verifying

    SSL 
    >         certificate! 
    >         >                         > rlm_perl: privacyIDEA 
    request 
    >         failed: 500 
    >         >                         INTERNAL SERVER ERROR 
    >         >                         > rlm_perl: return 
    RLM_MODULE_FAIL 
    >         >                         > (0)  perl : 
    &request:User-Name = 
    >         >                         

$RAD_REQUEST{‘User-Name’}

    -> 'user' 
    >         >                         > (0)  perl : 
    >         &request:Event-Timestamp = 
    >         > 
    $RAD_REQUEST{'Event-Timestamp'} 
    >         >                         > -> 'Oct 21 2015 

11:50:57

    AEDT' 
    >         >                         > (0)  perl : 
    &request:User-Password 
    >         = 
    >         > 
    $RAD_REQUEST{'User-Password'} -> 
    >         >                         > 'password' 
    >         >                         > (0)  perl : 
    >         &request:NAS-IP-Address = 
    >         > 
    $RAD_REQUEST{'NAS-IP-Address'} 
    >         >                         > -> '127.0.0.1' 
    >         >                         > (0)  perl : 
    &reply:Reply-Message 
    >         = 
    >         > 
    $RAD_REPLY{'Reply-Message'} -> 
    >         >                         > 'privacyIDEA request 
    failed: 500 
    >         INTERNAL 
    >         >                         SERVER ERROR' 
    >         >                         > (0)  perl : 
    &control:Auth-Type = 
    >         >                         $RAD_CHECK{'Auth-Type'} 

    'Perl' 
    >         >                         > (0)   [perl] = fail 
    >         >                         > (0)  } # Auth-Type 

Perl

    = fail 
    >         >                         > (0) Failed to 
    authenticate the 
    >         user 
    >         >                         > (0) Using 

Post-Auth-Type

    Reject 
    >         >                         > (0) Delaying response 
    for 1 
    >         seconds 
    >         >                         > Waking up in 0.9 
    seconds. 
    >         >                         > (0) Sending delayed 
    response 
    >         >                         > (0) Sending 
    Access-Reject packet 
    >         to host 
    >         >                         127.0.0.1 port 35488, 
    id=111, 
    >         >                         > length=0 
    >         >                         > (0)     Reply-Message 

=

    >         'privacyIDEA request 
    >         >                         failed: 500 INTERNAL 
    >         >                         > SERVER ERROR' 
    >         >                         > Sending Access-Reject 

Id

    111 from 
    >         >                         127.0.0.1:1812 to 
    127.0.0.1:35488 
    >         >                         >         Reply-Message 

=

    >         'privacyIDEA request 
    >         >                         failed: 500 INTERNAL 
    >         >                         > SERVER ERROR' 
    >         >                         > Waking up in 3.9 
    seconds. 
    >         >                         > (0) Cleaning up 

request

    packet ID 
    >         111 with 
    >         >                         timestamp +7 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > I don't think this is 
    just an 
    >         issue with the 
    >         >                         user / password, but if 
    >         >                         > anyone can point me 

in

    the right 
    >         direction 
    >         >                         in what I may have done 
    >         >                         > wrong with either the 
    radius or 
    >         privacy idea 
    >         >                         install? 
    >         >                         > 
    >         >                         > 
    >         >                         > Cheers 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    >         >                         > 
    > >
    > > --
    > > Cornelius Kölbel
    > > corneliu…@netknights.it
    > > +49 151 2960 1417
    > ...

Hi Cornelius
as we continue our testing of privacy idea, we still seem to encounter:
"privacyIDEA request failed: 500 Server closed connection without sending
any data back " from the radius server from time to time,
I'm not sure what is causing this, as running radiusd -X I can see that the
correct credentials / password / OTP-code are being sent through
but nothing appears in the privacy idea audit log with these attempts, so
it appears the radius is not passing the attempt on perhaps?
rebooting the privacy idea server seems to fix the issue and we can
authenticate again
is there any way to gather more details on why these 500 errors occur?

Cheers

On Friday, 23 October 2015 16:54:35 UTC+11, Cornelinux K wrote:

Hi Tony,

Glad to hear this.
It is great if you can write down some notes which might help others.

Please either send a link or we can publish the information with
privacyidea.

Thanks a lot and kind regards
Cornelius

Cornelius Kölbel
Corneliu…@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Managing Director: Cornelius Kölbel

-------- Original Message --------
From: Tony Hawker <lil...@gmail.com>
Date: 23.10.2015 05:26 (GMT+01:00)
To: privacyidea <priva...@googlegroups.com>
Subject: Re: Re: Re: 'privacyIDEA request failed: 500 INTERNAL SERVER
ERROR' - FreeRadius

Hi Cornelius
we have now resolved this issue, it turned out to be an issue with the VPN
community on the firewall, once resolved everything started working, it's
odd that the other auth server was working at all once seeing the issue

Thanks for your support on this, I may put up some basic how-to's on the
checkpoint implementation that can complement the guides that are already
available in the next few days

Cheers

On Thursday, 22 October 2015 22:56:13 UTC+11, Tony Hawker wrote:

Thanks Cornelius
Yes that file exists, seems to be a default file, with a lot of ## out
bits but no entries
I entered the settings as specified but still get errors when starting

/etc/raddb/mods-config/files/authorize[221]: Parse error (check) for entry
authorize: Invalid attribute name
Failed reading /etc/raddb/mods-config/files/authorize
/etc/raddb/mods-enabled/files[9]: Instantiation failed for module "files"

On Thursday, 22 October 2015 22:50:13 UTC+11, Cornelinux K wrote:

Hi Tony,

I forgot that you are running on CentOS 7 with FR3.

Did you have a file /etc/raddb/users at all?

In the config you have a

authorize {
   ...
   update control {
      Auth-Type := Perl
   }
}

Which sets the Auth-Type -> Perl for all users.

So in this case you might need to add it like this:

authorize {
   update control {
      Auth-Type := Perl
      Class := AVP
   }
}

I do not have FreeRADIUS 3 at hand to test this...

Kind regards
Cornelius

On Thursday, 22.10.2015, 09:41 +0200, Cornelius Kölbel wrote:

Hi Tony,

you can edit your file /etc/freeradius/users like this:

DEFAULT Auth-Type := Perl
        Class = YOUR_GROUP_EXPECTED_BY_CHECKPOINT

This way each user will be authenticated against the perl module a.k.a.
privacyIDEA and put into the corresponding group.

Or: You can add the Class AVP that is expected by your checkpoint.
Please note: In the radius request the Class is hex encoded. In the
users config file you need to enter a normal ASCII string.

Kind regards
Cornelius

On Thursday, 22.10.2015, 09:23 +0200, Cornelius Kölbel wrote:

Hi Tony,

the Attribute Value Pair Class 25 usually seems to expect some
attribute, which the firewall uses to authorize the access or put the
user of this request in some control group.

So the question is: Do you have another RADIUS server running at the
moment and what do the requests look like there?

I assume we have to add an attribute of class 25 with the correct value
that is expected by your checkpoint configuration.
RFC 2865 - Remote Authentication Dial In User Service (RADIUS):
http://tools.ietf.org/html/rfc2865#section-5.25

And additionally I assume that the existing attributes did not make the
response fail, but the missing class-25-attribute.
This attribute is usually used for group information.
(http://freeradius.1045715.n5.nabble.com/Reply-with-group-attribute-td2781054.html)

So I guess we need to look at the freeradius side (independent of the
privacyIDEA plugin).

We need to investigate

  • the successful RADIUS REQUEST with your existing RADIUS server
  • the successful RADIUS RESPONSE with your existing RADIUS server

and then configure FreeRADIUS accordingly.

I will try to help you with that.
But maybe at a certain point we might also need to take this to the
freeradius list.

Kind regards
Cornelius

On Wednesday, 21.10.2015, 23:52 -0700, Tony Hawker wrote:

Thanks Cornelius
this script still doesn't seem to solve the problem, checkpoint still
doesn't like the Access-Accept packets for some reason
I've had the checkpoint talking to freeradius in the past, so it can
work, but just doesn't see these accept packets for some reason

On Thursday, 22 October 2015 17:44:43 UTC+11, Cornelinux K wrote:
Hi Tony,

    here is a slightly modified script, that does not add any
    additional AVPs into the reply.

    It only returns ACCESS_ACCEPT or ACCESS_REJECT.

    This script replaces the existing one.
    Please restart freeradius and check if checkpoint likes it.

    Kind regards
    Cornelius

    On Wednesday, 21.10.2015, 23:35 -0700, Tony Hawker wrote:

    > Hi Cornelius
    > Thanks for this info
    > where do i remove that line from? I'm not familiar with this process?
    > do i need to change a config file? or change some source code and recompile?
    > I believe if i could change the message on that line that could also possibly help
    >
    > Cheers
    >
    > On Thursday, 22 October 2015 17:27:55 UTC+11, Cornelinux K wrote:
    > > Hello Tony,
    > >
    > > at the moment there is no way to configure the reply message.
    > >
    > > You can remove the RAD_REPLY in the privacyidea perl module.
    > > https://github.com/privacyidea/privacyidea/blob/master/authmodules/FreeRADIUS/privacyidea_radius.pm#L335
    > >
    > > Thus this information will not be added to the reply.
    > > If this succeeds, please drop me a note or open an issue at github.
    > > We can then make the reply configurable.
    > >
    > > Kind regards
    > > Cornelius
    > >
    > > On Wednesday, 21.10.2015, 17:54 -0700, Tony Hawker wrote:
    > > > Hi Cornelius
    > > > Thanks for your help, I almost have this working now, i played around a lot, but i think that ticking the "use @ to separate user and realm" has allowed the radius to pass through the details correctly
    > > >
    > > > I have managed to have my radius client authenticate, and it seems to be sending back the reply message "privacy IDEA access granted" to my firewalls (I am trying to authenticate VPN users)
    > > >
    > > > I believe the firewall does not like the response message, I am possibly getting a similar issue described here:
    > > > Support, Support Requests, Training, Documentation, and Knowledge base for Check Point products and services
    > > >
    > > > I have also attached a screen shot of how the packet looks from privacy idea, do you think that because the reply packet is slightly different it could be causing this problem?
    > > > is it possible to change the privacy idea radius accept packet to something generic?
    > > >
    > > > Cheers
    > > >
    > > > On Wednesday, 21 October 2015 23:59:18 UTC+11, Cornelinux K wrote:
    > > > > Hi,
    > > > >
    > > > > The user can not be found in the resolver.
    > > > >
    > > > > How does the request look like?
    > > > > Is the realm the default realm.
    > > > > how does the DN of the user look like?
    > > > >
    > > > > You might have specified the wrong realm (see default realm)
    > > > >
    > > > > Kind regards
    > > > > Cornelius
    > > > >
    > > > > -------- Original Message --------
    > > > > From: Tony Hawker <lil...@gmail.com>
    > > > > Date: 21.10.2015 13:14 (GMT+01:00)
    > > > > To: privacyidea <priva...@googlegroups.com>
    > > > > Subject: Re: Re: 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR' - FreeRadius
    > > > >
    > > > > Hi Cornelius
    > > > > Thanks for your response
    > > > > I am running PIP installation on Centos 7
    > > > > I am running latest version of Privacy idea (2.7), updated as per instructions on howtoforge
    > > > > the user is coming from Active Directory
    > > > > UID is DN
    > > > > there are no special characters anywhere in the AD config
    > > > >
    > > > > testing using the URL you provided I get the message below when attempting to use an AD user
    > > > > "version": "privacyIDEA 2.7", "result": {"status": false, "error": {"message": "ERR905: The user can not be found in any resolver in this realm!", "code": -500}}, "time": 1445425459.788956, "id": 1}
    > > > >
    > > > > but if i use the root user (from the privacyidea server) this returns:
    > > > > {"message": "wrong otp pin"}, "versionnumber": "2.7", "version": "privacyIDEA 2.7", "result": {"status": true, "value": false}, "time": 1445425581.107504, "id": 1}
    > > > > I assume the OTP token is out of sync, but looks much more promising
    > > > >
    > > > > any idea on why the AD would not work via this method? as i can see all the users in the webui etc
    > > > >
    > > > > Cheers
    > > > >
    > > > > On Wednesday, 21 October 2015 21:01:47 UTC+11, Cornelinux K wrote:
    > > > > > Hi Tony,
    > > > > >
    > > > > > Are you running a pip installation or debian wheezy?
    > > > > >
    > > > > > Which version of privacyidea are you running?
    > > > > >
    > > > > > In certain cases there were problems with the ldap resolver, if the DN contains special characters and is base64 encoded.
    > > > > >
    > > > > > Is it openldap or AD?
    > > > > >
    > > > > > The Uid type: is it DN or entryUUID?
    > > > > >
    > > > > > Kind regards
    > > > > > Cornelius
    > > > > >
    > > > > > -------- Original Message --------
    > > > > > From: Tony Hawker <lil...@gmail.com>
    > > > > > Date: 21.10.2015 08:59 (GMT+01:00)
    > > > > > To: privacyidea <priva...@googlegroups.com>
    > > > > > Subject: Re: 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR' - FreeRadius
Hello Tony

can you please take a look into the privacyidea.log file.
Before this increase the log level to "DEBUG".
http://privacyidea.readthedocs.org/en/latest/installation/system/logging.html
Restart the webserver.

Also take a look into the webserver's error log.

Thanks a lot
Cornelius

On Saturday, 31.10.2015, 20:52 -0700, Tony Hawker wrote:

Hi Cornelius
as we continue our testing of privacy idea, we still seem to
encounter:
"privacyIDEA request failed: 500 Server closed connection without
sending any data back " from the radius server from time to time,
I’m not sure what is causing this, as running radiusd -X i can see
that the correct credentials / password / OTP-code are being sent
though
but nothing appears in the privacy idea audit log with these attempts,
so it appears the radius is not passing the attempt on perhaps?
rebooting the privacy idea server seems to fix the issue and we can
authenticate again
is there any way to gather more details on why these 500 errors
occur?

Cheers

On Friday, 23 October 2015 16:54:35 UTC+11, Cornelinux K wrote:
Hi Tony,

    Glad to hear this.
    It is great if you can write down some notes which might help
    others.
    
    
    Please either send a link or we can publish the information
    with privacyidea.
    
    
    Thanks a lot and kind regards 
    Cornelius 
    
    
    
    
    
    
    Cornelius Kölbel
    Corneliu...@netknights.it
    +49 151 2960 1417
    
    
    NetKnights GmbH
    http://netknights.it
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany
    Tel: +49 561 3166797, Fax: +49 561 3166798
    
    
    Amtsgericht Kassel, HRB 16405
    Geschäftsführer: Cornelius Kölbel
    
    
    -------- Ursprüngliche Nachricht --------
    Von: Tony Hawker <lil...@gmail.com> 
    Datum: 23.10.2015 05:26 (GMT+01:00) 
    An: privacyidea <priva...@googlegroups.com> 
    Betreff: Re: Re: Re: 'privacyIDEA request failed: 500 INTERNAL
    SERVER ERROR' - FreeRadius 
    
    Hi Cornelius
    we have now resolved this issue, it turned out to be an issue
    with the VPN community on the firewall, once resolved
    everything started working, its odd that the other auth server
    was working at all once seeing the issue
    
    
    Thanks for your support on this, I may put up some basic
    how-to's on the checkpoint implementation that can compliment
    the guides that are already available in the next few days
    
    
    Cheers
    
    On Thursday, 22 October 2015 22:56:13 UTC+11, Tony Hawker wrote:
            Thanks Cornelius
            Yes that file exists, seems to be a default file, with
            allot of ## out bits but no entries
            I entered the settings as specifed but still get
            errors when starting
            
            
            
            
            /etc/raddb/mods-config/files/authorize[221]: Parse
            error (check) for entry authorize: Invalid attribute
            name
            Failed reading /etc/raddb/mods-config/files/authorize
            /etc/raddb/mods-enabled/files[9]: Instantiation failed
            for module "files"
            
            
            
            On Thursday, 22 October 2015 22:50:13 UTC+11, Cornelinux K wrote:
                    Hi Tony, 
                    
                    I forgot that you are running on CentOS 7 with
                    FR3. 
                    
                    Did you have a file /etc/raddb/users at all? 
                    
                    In the config you have a 
                    
                    authorize { 
                       ... 
                       update control { 
                          Auth-Type := Perl 
                       } 
                    } 
                    
                    Which sets the Auth-Type -> Perl for all
                    users. 
                    
                    So in this case you might need to add it like
                    this: 
                    
                    authorize { 
                       update control { 
                          Auth-Type := Perl 
                          Class := AVP 
                       } 
                    } 
                    
                    I have not FreeRADIUS 3 at hand to test
                    this... 
                    
                    Kind regards 
                    Cornelius 
                    
                    Am Donnerstag, den 22.10.2015, 09:41 +0200
                    schrieb Cornelius Kölbel: 
                    > Hi Tony, 
                    > 
                    > you can edit your file /etc/freeradius/users
                    like this: 
                    > 
                    > DEFAULT Auth-Type := Perl 
                    >         Class =
                    YOUR_GROUP_EXPECTED_BY_CHECKPOINT 
                    > 
                    > This way each user will be authenticated
                    against the perl module a.k.a. 
                    > privacyIDEA and put into the the
                    corresponding group. 
                    > 
                    > Or: You can add the Class AVP that is
                    expected by your checkpoint. 
                    > Please note: In the radius request the CLass
                    is hex encoded. In the 
                    > users config file you need to enter a normal
                    ascii string. 
                    > 
                    > 
                    > Kind regards 
                    > Cornelius 
                    > 
                    > On Thursday, 22.10.2015, 09:23 +0200, Cornelius Kölbel wrote:
                    > > Hi Tony,
                    > >
                    > > the Attribute Value Pair Class 25 usually seems to expect some
                    > > attribute, which the firewall uses to authorize the access or put the
                    > > user of this request in some control group.
                    > >
                    > > So the question is: Do you have another RADIUS server running at the
                    > > moment and what do the requests look like there?
                    > >
                    > > I assume we have to add an attribute of class 25 with the correct value,
                    > > that is expected by your checkpoint configuration.
                    > > http://tools.ietf.org/html/rfc2865#section-5.25
                    > >
                    > > And additionally I assume, that the existing attributes did not make the
                    > > response fail, but the missing class-25-attribute.
                    > > This attribute is usually used for group information.
                    > > (http://freeradius.1045715.n5.nabble.com/Reply-with-group-attribute-td2781054.html)
                    > >
                    > > So I guess we need to look at the freeradius side (independent of the
                    > > privacyIDEA plugin).
                    > >
                    > > We need to investigate
                    > > * the successful RADIUS REQUEST with your existing RADIUS server
                    > > * the successful RADIUS RESPONSE with your existing RADIUS server
                    > > and then configure FreeRADIUS accordingly.
                    > >
                    > > I will try to help you with that.
                    > > But maybe at a certain point we might also need to take this to the
                    > > freeradius list.
                    > >
                    > > Kind regards
                    > > Cornelius
                    > >
                    > >
                    > > On Wednesday, 21.10.2015, 23:52 -0700, Tony Hawker wrote:
                    > > > Thanks Cornelius
                    > > > this script still doesn't seem to solve the problem, checkpoint still
                    > > > doesn't like the Access-Accept packets for some reason
                    > > > I've had the checkpoint talking to freeradius in the past, so it can
                    > > > work, but just doesn't see these accept packets for some reason
                    > > >
                    > > > On Thursday, 22 October 2015 17:44:43 UTC+11, Cornelinux K wrote:
                    > > >         Hi Tony,
                    > > >
                    > > >         here is a slightly modified script, that does not add any
                    > > >         additional AVPs into the reply.
                    > > >
                    > > >         It only returns ACCESS_ACCEPT or ACCESS_REJECT.
                    > > >
                    > > >         This script replaces the existing one.
                    > > >         Please restart freeradius and check if checkpoint likes it.
                    > > >
                    > > >         Kind regards
                    > > >         Cornelius
                    > > >
                    > > >         On Wednesday, 21.10.2015, 23:35 -0700, Tony Hawker wrote:
                    > > >         > Hi Cornelius
                    > > >         > Thanks for this info
                    > > >         > where do i remove that line from? I'm not familiar with this
                    > > >         > process? do i need to change a config file? or change some source
                    > > >         > code and recompile?
                    > > >         > I believe if i could change the message on that line that could
                    > > >         > also possibly help
                    > > >         >
                    > > >         >
                    > > >         > Cheers
                    > > >         >
                    > > >         > On Thursday, 22 October 2015 17:27:55 UTC+11, Cornelinux K wrote:
                    > > >         >         Hello Tony,
                    > > >         >
                    > > >         >         at the moment there is no way to configure the reply
                    > > >         >         message.
                    > > >         >
                    > > >         >         You can remove the RAD_REPLY in the privacyidea perl
                    > > >         >         module.
                    > > >         >         https://github.com/privacyidea/privacyidea/blob/master/authmodules/FreeRADIUS/privacyidea_radius.pm#L335
                    > > >         >
                    > > >         >         Thus this information will not be added to the reply.
                    > > >         >         If this succeeds, please drop me a note or open an
                    > > >         >         issue at github.
                    > > >         >         We can then make the reply configurable.
                    > > >         >
                    > > >         >         Kind regards
                    > > >         >         Cornelius
                    > > >         >
                    > > >         >
                    > > >         >         On Wednesday, 21.10.2015, 17:54 -0700, Tony Hawker wrote:
                    > > >         >         > Hi Cornelius
                    > > >         >         > Thanks for your help, I almost have this working now, i
                    > > >         >         > played around a lot, but i think that ticking the "use @ to
                    > > >         >         > separate user and realm" has allowed the radius to pass
                    > > >         >         > through the details correctly
                    > > >         >         >
                    > > >         >         >
                    > > >         >         > I have managed to have my radius client authenticate, and it
                    > > >         >         > seems to be sending back the reply message "privacy IDEA
                    > > >         >         > access granted" to my firewalls (I am trying to authenticate
                    > > >         >         > VPN users)
                    > > >         >         >
                    > > >         >         >
                    > > >         >         > I believe the firewall does not like the response message, I
                    > > >         >         > am possibly getting a similar issue described here:
                    > > >         >         >
                    > > >         >         > https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk107638
                    > > >         >         >
                    > > >         >         >
                    > > >         >         > I have also attached a screen shot of how the packet looks
                    > > >         >         > from privacy idea, do you think that because the reply
                    > > >         >         > packet is slightly different it could be causing this problem?
                    > > >         >         > is it possible to change the privacy idea radius accept
                    > > >         >         > packet to something generic?
                    > > >         >         >
                    > > >         >         >
                    > > >         >         > Cheers
                    > > >         >         >
                    > > >         >         > On Wednesday, 21 October 2015 23:59:18 UTC+11, Cornelinux K wrote:
                    > > >         >         >
                    > > >         >         >         Hi,
                    > > >         >         >
                    > > >         >         >         The user can not be found in the resolver.
                    > > >         >         >
                    > > >         >         >         What does the request look like?
                    > > >         >         >         Is the realm the default realm?
                    > > >         >         >         What does the DN of the user look like?
                    > > >         >         >
                    > > >         >         >         You might have specified the wrong realm (see
                    > > >         >         >         default realm)
                    > > >         >         >
                    > > >         >         >         Kind regards
                    > > >         >         >         Cornelius
                    > > >         >         >
                    > > >         >         >         Cornelius Kölbel
                    > > >         >         >         Corneliu...@netknights.it
                    > > >         >         >         +49 151 2960 1417
                    > > >         >         >
                    > > >         >         >         NetKnights GmbH
                    > > >         >         >         http://netknights.it
                    > > >         >         >         Landgraf-Karl-Str. 19, 34131 Kassel, Germany
                    > > >         >         >         Tel: +49 561 3166797, Fax: +49 561 3166798
                    > > >         >         >
                    > > >         >         >         Amtsgericht Kassel, HRB 16405
                    > > >         >         >         Managing Director: Cornelius Kölbel
                    > > >         >         >
                    > > >         >         >         -------- Original message --------
                    > > >         >         >         From: Tony Hawker <lil...@gmail.com>
                    > > >         >         >         Date: 21.10.2015 13:14 (GMT+01:00)
                    > > >         >         >         To: privacyidea <priva...@googlegroups.com>
                    > > >         >         >         Subject: Re: Re: 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR' - FreeRadius
                    > > >         >         >
                    > > >         >         >         Hi Cornelius
                    > > >         >         >         Thanks for your response
                    > > >         >         >         I am running PIP installation on Centos 7
                    > > >         >         >         I am running latest version of Privacy idea (2.7), updated as
                    > > >         >         >         per instructions on howtoforge
                    > > >         >         >         the user is coming from Active Directory
                    > > >         >         >         UID is DN
                    > > >         >         >         there are no special characters anywhere in the AD config
                    > > >         >         >
                    > > >         >         >         testing using the URL you provided I get the message below
                    > > >         >         >         when attempting to use an AD user
                    > > >         >         >         "version": "privacyIDEA 2.7", "result": {"status": false, "error": {"message": "ERR905: The user can not be found in any resolver in this realm!", "code": -500}}, "time": 1445425459.788956, "id": 1}
                    > > >         >         >
                    > > >         >         >         but if i use the root user (from the privacyidea server) this returns:
                    > > >         >         >         {"message": "wrong otp pin"}, "versionnumber": "2.7", "version": "privacyIDEA 2.7", "result": {"status": true, "value": false}, "time": 1445425581.107504, "id": 1}
                    > > >         >         >         I assume the OTP token is out of sync, but looks much more promising
                    > > >         >         >
                    > > >         >         >         any idea on why the AD would not work via this method? as i can see
                    > > >         >         >         all the users in the webui etc
                    > > >         >         >
                    > > >         >         >         Cheers
                    > > >         >         >
                    > > >         >         >         On Wednesday, 21 October 2015 21:01:47 UTC+11, Cornelinux K wrote:
                    > > >         >         >                 Hi Tony,
                    > > >         >         >
                    > > >         >         >                 Are you running a pip installation or debian wheezy?
                    > > >         >         >
                    > > >         >         >                 Which version of privacyidea are you running?
                    > > >         >         >
                    > > >         >         >                 In certain cases there were problems with the ldap
                    > > >         >         >                 resolver, if the DN contains special characters and is
                    > > >         >         >                 base64 encoded.
                    > > >         >         >
                    > > >         >         >                 Is it openldap or AD?
                    > > >         >         >
                    > > >         >         >                 The Uid type: is it DN or entryUUID?
                    > > >         >         >
                    > > >         >         >                 Kind regards
                    > > >         >         >                 Cornelius
                    > > >         >         >
                    > > >         >         >                 -------- Original message --------
                    > > >         >         >                 From: Tony Hawker <lil...@gmail.com>
                    > > >         >         >                 Date: 21.10.2015 08:59 (GMT+01:00)
                    > > >         >         >                 To: privacyidea <priva...@googlegroups.com>
                    > > >         >         >                 Subject: Re: 'privacyIDEA request failed: 500 INTERNAL SERVER ERROR' - FreeRadius
    ...


You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/7d02150c-ac13-4ee0-a78b-d2288f97de4e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Managing Director: Cornelius Kölbel

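The advice quoted above about the Class attribute (RFC 2865 section 5.25: the value travels as raw octets, which a packet dump shows as hex, while the FreeRADIUS users file takes a plain ASCII string) is easier to follow with a packet in hand. The following is an added example, not code from the thread's authors or the privacyIDEA project. It builds an Access-Accept that carries a Class AVP and a Reply-Message, and parses it back the way a NAS would, including the Response Authenticator check from RFC 2865 section 3. The shared secret, the packet identifier, the request authenticator and the Class value `vpn-users` are constructed placeholders.

```python
"""Build and inspect a RADIUS Access-Accept that carries a Class (type 25) AVP.

Added example; not code from the privacyIDEA project or the mailing-list thread.
Shows how the ASCII Class value becomes the hex octets seen in a packet dump,
and how the NAS verifies the reply's Response Authenticator (RFC 2865 s.3).
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_REPLY_MESSAGE = 18   # RFC 2865 section 5.18
ATTR_CLASS = 25           # RFC 2865 section 5.25


def encode_avp(attr_type, value):
    """Pack one attribute as Type (1 byte), Length (1 byte, header included), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("AVP value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_avps(blob):
    """Walk a run of AVPs, refusing any Length that would run past the buffer."""
    avps, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated AVP header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad AVP length %d at offset %d" % (length, i))
        avps.append((attr_type, blob[i + 2:i + length]))
        i += length
    return avps


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(ident, request_auth, secret, class_value, reply_message=None):
    """Access-Accept with a Class AVP: plain ASCII in, raw octets on the wire."""
    attrs = encode_avp(ATTR_CLASS, class_value.encode("ascii"))
    if reply_message is not None:
        attrs += encode_avp(ATTR_REPLY_MESSAGE, reply_message.encode("utf-8"))
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def parse_and_verify(packet, request_auth, secret):
    """Parse a reply and check its Response Authenticator the way a NAS would."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs = packet[20:]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch (wrong shared secret or altered reply)")
    return code, ident, decode_avps(attrs)


def class_values(avps):
    """Each Class AVP as (hex, as a dump shows it; ASCII, as the users file takes it)."""
    return [(v.hex(), v.decode("ascii", "replace")) for t, v in avps if t == ATTR_CLASS]


if __name__ == "__main__":
    # Constructed demo values; not from the thread or any real deployment.
    secret = b"constructed-secret"
    request_auth = bytes(range(16))
    pkt = build_access_accept(0x5B, request_auth, secret, "vpn-users",
                              "privacyIDEA access granted")
    code, ident, avps = parse_and_verify(pkt, request_auth, secret)
    print("code", code, "id", ident, "Class ->", class_values(avps))
    print("wire bytes:", pkt.hex())
```

The `class_values` output makes the hex/ASCII point concrete: the octets `76706e2d7573657273` in a capture are the string `vpn-users` as you would type it as a reply item in the users file. The Response Authenticator check is what a NAS does before it looks at any attribute, so a shared-secret mismatch shows up as a silently dropped or rejected Access-Accept rather than as a complaint about its contents, which is worth ruling out before debugging attribute lists.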