[RESOLVED] RADIUS - Config file not found - Could not parse Response

I have a problem using the RADIUS plugin. First, the config file is not found, although it is placed correctly; then the response could not be parsed and the request got rejected, even though it says the access is granted.

(5) Received Access-Request Id 65 from 10.16.X.XXX:50288 to 10.16.X.XX:1812 length 95
(5)   NAS-IP-Address = 10.16.X.XXX
(5)   NAS-Port = 1
(5)   User-Name = "user1"
(5)   User-Password = "password1"
(5)   Message-Authenticator = 0x40a8e93b51ac195c16fadf097ebf3878
(5) # Executing section authorize from file /etc/raddb/sites-enabled/privacyidea
(5)   authorize {
(5)     [preprocess] = ok
(5)     [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "user1", looking up realm NULL
(5) suffix: No such realm "NULL"
(5)     [suffix] = noop
(5) ntdomain: Checking for prefix before "\"
(5) ntdomain: No '\' in User-Name = "user1", looking up realm NULL
(5) ntdomain: No such realm "NULL"
(5)     [ntdomain] = noop
(5) files: users: Matched entry DEFAULT at line 47
(5)     [files] = ok
(5)     [expiration] = noop
(5)     [logintime] = noop
(5) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(5) pap: WARNING: Authentication will fail unless a "known good" password is available
(5)     [pap] = noop
(5)   } # authorize = ok
(5) Found Auth-Type = Perl
(5) # Executing group from file /etc/raddb/sites-enabled/privacyidea
(5)   Auth-Type Perl {
(5) perl:   $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'user1'
(5) perl:   $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'password1'
(5) perl:   $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '10.16.X.XXX'
(5) perl:   $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '1'
(5) perl:   $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Jul 22 2019 16:34:16 CEST'
(5) perl:   $RAD_REQUEST{'Message-Authenticator'} = &request:Message-Authenticator -> '0x40a8e93b51ac195c16fadf097ebf3878'
(5) perl:   $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'Perl'
(5) perl:   $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'Perl'
rlm_perl: Config File  not found!
rlm_perl: Debugging config: FALSE
rlm_perl: Default URL https://127.0.0.1/validate/check
rlm_perl: Looking for config for auth-type Perl
rlm_perl: Warning:
rlm_perl: Auth-Type: Perl
rlm_perl: url: https://127.0.0.1/validate/check
rlm_perl: user sent to privacyidea: user1
rlm_perl: realm sent to privacyidea:
rlm_perl: resolver sent to privacyidea:
rlm_perl: client sent to privacyidea: 10.16.X.XXX
rlm_perl: state sent to privacyidea:
rlm_perl: urlparam client
rlm_perl: urlparam pass
rlm_perl: urlparam user
rlm_perl: Request timeout: 10
rlm_perl: Not verifying SSL certificate!
rlm_perl: privacyIDEA access granted
rlm_perl: Can not parse response from privacyIDEA.
rlm_perl: return RLM_MODULE_REJECT
(5) perl: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'user1'
(5) perl: &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Jul 22 2019 16:34:16 CEST'
(5) perl: &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'password1'
(5) perl: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '1'
(5) perl: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '10.16.X.XXX'
(5) perl: &request:Message-Authenticator = $RAD_REQUEST{'Message-Authenticator'} -> '0x40a8e93b51ac195c16fadf097ebf3878'
(5) perl: &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'privacyIDEA access granted'
(5) perl: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl'
(5)     [perl] = reject
(5)   } # Auth-Type Perl = reject
(5) Failed to authenticate the user
(5) Using Post-Auth-Type Reject
(5) Post-Auth-Type sub-section not found.  Ignoring.
(5) Delaying response for 1.000000 seconds
Waking up in 0.9 seconds.
(5) Sending delayed response
(5) Sent Access-Reject Id 65 from 10.16.X.XX:1812 to 10.16.X.XXX:50288 length 48
(5)   Reply-Message = "privacyIDEA access granted"
Waking up in 3.9 seconds.
(5) Cleaning up request packet ID 65 with timestamp +2590
Ready to process requests

Hi and welcome to the community!
I believe you’re seeing this issue because the radius plugin can’t read its config file (as you said). Are you sure that the config file is placed at /etc/privacyidea/rlm_perl.ini and it is readable by the user that is running the FreeRADIUS server?

Yes it is:

[root@privacyidea1 privacyidea]# pwd
/etc/privacyidea
[root@privacyidea1 privacyidea]# ls -la
total 16
drwx------.   3 root    root   37 Jul 23 10:57 .
drwxr-xr-x. 117 root    root 8192 Jul 22 13:09 ..
drwx------.   2 root    root   63 Jun 12 14:05 gpg
-rw-r--r--.   1 radiusd root 1774 Jul 23 10:57 rlm_perl.ini

[root@privacyidea1 privacyidea]# cat rlm_perl.ini
[Default]
URL = https://localhost/validate/check
#REALM = someRealm
#RESCONF = someResolver
SSL_CHECK = false
#DEBUG = true

[Mapping]
serial = privacyIDEA-Serial

[Mapping user]
# The Mapping is used to add attributes to the RADIUS response.
# The value is read from the privacyIDEA response.
# In this case the content of the privacyIDEA response
#   detail->user->group
# will be written to the RADIUS response attribute "Class".
group = Class

[Attribute Filter-Id]
# With the multivalue attributes in the user response of privacyIDEA
# we can also do an attribute mangling.
# privacyIDEA may return a value like
#   detail : { user : { acl : ["CN=vpn-user,ou=sales,dc=example,dc=com",
#                                   "CN=domain users,ou=sales,dc=example,dc=com"]}}}
#
# The below example would match the privacyIDEA userAttribute "acl" and check if the
# value matches the regex. If it does, it will add the substring $1 as the
# "Filter-Id" to the RADIUS response.
# The ini file can contain several "Attribute" groups, to add several RADIUS attributes
# to the response.
#dir = user
#userAttribute = acl
#regex = CN=(\w*)-users,OU=sales,DC=example,DC=com
#prefix =
#suffix =

[Attribute otherAttribute]
# If you want to have more mapping rules for a RADIUS attribute you
# can give the section an arbitrary name and use the key "radiusAttribute".
#
# This example will set the Filter-Id to "FIXEDValue" if the user is located in
# resolver1.
#radiusAttribute = Filter-Id
#userAttribute = user-resolver
#regex = resolver1
#prefix = FIXEDValue

[Attribute Class]
# This example will add the RADIUS Attribute Class = SomeOtherValue
# if the user is in the resolver "myResolverName".
#userAttribute = user-resolver
#regex = myResolverName
#prefix = SomeOtherValue

From your output I see that the directory /etc/privacyidea is only accessible to the user root. You can solve this by:

  • chmod 711 /etc/privacyidea or
  • chmod 755 /etc/privacyidea
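Why a world-readable rlm_perl.ini still reads as "Config File not found": opening a file needs the search (x) bit on every directory in the path, not only the read bit on the file itself, and /etc/privacyidea is drwx------ root:root while FreeRADIUS runs as radiusd. The following script is an added example, not code from the thread or from privacyIDEA/FreeRADIUS. It rebuilds that situation in a temporary directory, walks the path the way the kernel's DAC check would for a given uid and gid set, reports the component that blocks access, and then applies the suggested chmod 711. The radiusd uid/gid pair it uses is hypothetical (any uid that is not the owner).

```python
import os
import stat
import tempfile

# Added example (not privacyIDEA or FreeRADIUS code). Reproduces the
# "drwx------ /etc/privacyidea" problem on a constructed directory tree:
# a directory needs the search (x) bit and the file the read (r) bit, each
# evaluated as owner / group / other for the calling process's uid and gids.


def perms_for(st, uid, gids):
    """Return the (r, w, x) triple that applies to uid/gids for a stat result.

    Plain discretionary access control only: root bypasses it, and
    capabilities, ACLs, SELinux/AppArmor are not modelled.
    """
    if uid == 0:
        return (True, True, True)
    if st.st_uid == uid:
        shift = 6  # owner bits
    elif st.st_gid in gids:
        shift = 3  # group bits
    else:
        shift = 0  # other bits
    m = st.st_mode
    return (bool(m & (4 << shift)), bool(m & (2 << shift)), bool(m & (1 << shift)))


def check_readable(base, rel_path, uid, gids):
    """Walk rel_path below base as uid would; return a list of problems.

    An empty list means the file is readable. On a real host call this with
    base="/" so every ancestor directory (/etc, /etc/privacyidea, ...) is checked.
    """
    problems = []
    cur = base
    parts = [p for p in rel_path.split("/") if p]
    for i, part in enumerate(parts):
        cur = os.path.join(cur, part)
        st = os.stat(cur)
        mode = oct(stat.S_IMODE(st.st_mode))
        r, _w, x = perms_for(st, uid, gids)
        is_last = i == len(parts) - 1
        if not is_last and not x:
            problems.append(f"{cur}: no search (x) permission for uid {uid} (mode {mode})")
        elif is_last and not r:
            problems.append(f"{cur}: no read (r) permission for uid {uid} (mode {mode})")
    return problems


def demo():
    """Constructed tree: <tmp>/privacyidea (0700) / rlm_perl.ini (0644), as in the ls -la output."""
    radiusd_uid = os.getuid() + 1  # hypothetical radiusd: not the owner of the tree
    radiusd_gids = set()           # and not a member of the owning group
    with tempfile.TemporaryDirectory() as base:
        conf_dir = os.path.join(base, "privacyidea")
        os.mkdir(conf_dir)
        ini = os.path.join(conf_dir, "rlm_perl.ini")
        with open(ini, "w") as f:
            f.write("[Default]\nURL = https://localhost/validate/check\n")
        os.chmod(conf_dir, 0o700)  # drwx------ as posted
        os.chmod(ini, 0o644)       # -rw-r--r-- as posted
        before = check_readable(base, "privacyidea/rlm_perl.ini", radiusd_uid, radiusd_gids)
        os.chmod(conf_dir, 0o711)  # the suggested fix; 0o755 behaves the same for this check
        after = check_readable(base, "privacyidea/rlm_perl.ini", radiusd_uid, radiusd_gids)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before chmod 711:", before or "OK")
    print("after  chmod 711:", after or "OK")
```

Before the chmod the walk stops at the privacyidea directory with a missing search permission; afterwards it returns no problems. On the real server the equivalent one-liner is `sudo -u radiusd cat /etc/privacyidea/rlm_perl.ini`, which fails with "Permission denied" for exactly the same reason.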

Now I get this
(1) perl: ERROR: Internal failure creating pair &reply:Class = $RAD_REPLY{'Class'} -> 'undef'
(1) perl: ERROR: Failed to create pair - Unknown name "privacyIDEA-Serial"
(1) perl: ERROR: &reply:privacyIDEA-Serial = $RAD_REPLY{'privacyIDEA-Serial'} -> 'TOTP00045823'

Authentication is successful

These Errors come from the default rlm_perl.ini where some examples are not commented out.
You can also include the dictionary.netknights in the FreeRADIUS dictionary to let it know about the privacyIDEA-Serial Attribute.

I’ve added an issue for this:

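The two remaining errors come from the mapping rules that the shipped rlm_perl.ini leaves active: `[Mapping] serial = privacyIDEA-Serial` and `[Mapping user] group = Class`. Every active rule makes rlm_perl set a reply attribute of that name, and FreeRADIUS rejects a name that no loaded dictionary defines ("Unknown name privacyIDEA-Serial"), while Class fails only because the privacyIDEA response carried no group for this user. The script below is an added example, not privacyIDEA's code: it parses an ini in the same layout as the one posted above, lists the reply attributes it would produce, and checks them against dictionary text in FreeRADIUS syntax. The dictionary snippets are constructed for the example; 11 (Filter-Id) and 25 (Class) are the RFC 2865 attribute numbers, but the privacyIDEA-Serial entry and its vendor number are placeholders, not the contents of the real dictionary.netknights.

```python
import configparser
import re

# Added example (not privacyIDEA code): which RADIUS reply attributes does an
# rlm_perl.ini ask for, and which of them does no dictionary define?

# Abbreviated copy of the rlm_perl.ini from the thread (constructed sample input).
RLM_PERL_INI = """
[Default]
URL = https://localhost/validate/check
#REALM = someRealm
SSL_CHECK = false

[Mapping]
serial = privacyIDEA-Serial

[Mapping user]
# detail->user->group from the privacyIDEA response becomes "Class"
group = Class

[Attribute Filter-Id]
#dir = user
#userAttribute = acl
#regex = CN=(\\w*)-users,OU=sales,DC=example,DC=com

[Attribute otherAttribute]
#radiusAttribute = Filter-Id
#userAttribute = user-resolver
#regex = resolver1
#prefix = FIXEDValue
"""

# Constructed excerpt of the standard FreeRADIUS dictionary (RFC 2865 numbers).
BASE_DICTIONARY = """
ATTRIBUTE\tFilter-Id\t11\tstring
ATTRIBUTE\tClass\t\t25\toctets
"""

# Constructed stand-in for dictionary.netknights; vendor and attribute numbers are placeholders.
PRIVACYIDEA_DICTIONARY = """
VENDOR\t\tNetKnights\t99999
BEGIN-VENDOR\tNetKnights
ATTRIBUTE\tprivacyIDEA-Serial\t1\tstring
END-VENDOR\tNetKnights
"""


def reply_attributes(ini_text):
    """Map each RADIUS reply attribute the ini would set to the rule that sets it.

    [Mapping] and [Mapping user]: the value is the RADIUS attribute name.
    [Attribute X]: the attribute is X unless radiusAttribute overrides it, and the
    rule only counts when at least one key in the section is uncommented.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (radiusAttribute, URL, ...)
    cp.read_string(ini_text)
    attrs = {}
    for section in cp.sections():
        if section in ("Mapping", "Mapping user"):
            for key, radius_attr in cp.items(section):
                attrs[radius_attr] = f"[{section}] {key}"
        elif section.startswith("Attribute "):
            if not cp.options(section):
                continue  # all keys commented out: example only, never applied
            default_name = section[len("Attribute "):]
            attrs[cp.get(section, "radiusAttribute", fallback=default_name)] = f"[{section}]"
    return attrs


def dictionary_attributes(dict_text):
    """Attribute names defined by ATTRIBUTE lines in FreeRADIUS dictionary syntax."""
    return {m.group(1) for m in re.finditer(r"^\s*ATTRIBUTE\s+(\S+)", dict_text, re.M)}


def undefined_attributes(ini_text, dict_text):
    """Reply attributes the ini would set that the dictionary text does not define."""
    return sorted(set(reply_attributes(ini_text)) - dictionary_attributes(dict_text))


if __name__ == "__main__":
    for attr, rule in reply_attributes(RLM_PERL_INI).items():
        print(f"{rule} -> reply attribute {attr}")
    print("undefined with base dictionary:", undefined_attributes(RLM_PERL_INI, BASE_DICTIONARY))
    print("undefined with privacyIDEA dictionary added:",
          undefined_attributes(RLM_PERL_INI, BASE_DICTIONARY + PRIVACYIDEA_DICTIONARY))
```

With only the base dictionary the script flags privacyIDEA-Serial, matching the "Unknown name" error; once the vendor dictionary text is appended nothing is flagged. On the server the same is achieved either by commenting out `serial = privacyIDEA-Serial` in rlm_perl.ini or by adding `$INCLUDE dictionary.netknights` to the FreeRADIUS dictionary file, as the reply above suggests.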