
List:       freeradius-users
Subject:    Re: rlm_rest authentication failures in rest module
From:       Karuna Kumar <karuna.kumar () prontonetworks ! com>
Date:       2016-05-20 7:44:11
Message-ID: CALO3TR65unSfofxxaf+ZYMq+98_mpZHnTOfk=pLf9D_O1YupPw () mail ! gmail ! com

Hi Team,

I have figured it out and found it to be working with my basic testing.

I have modified the following file configurations from those I had
posted in my previous mail.

---------------------------------------------
CONFIGURATIONS IN raddb/sites-enabled/default
---------------------------------------------

authorize {
        rest
}

I just added a simple "rest" in the authorize { } section, removed "rest"
from the authenticate { } section and kept the default modules there, and
it works with basic testing (radtest command).

Thanks,
Karun.


On Wed, May 18, 2016 at 6:06 PM, Karuna Kumar
<karuna.kumar@prontonetworks.com> wrote:
> Hi,
> 
> I am using FreeRADIUS 3.0.11. I am unable to authenticate the user through
> the rest module. I am able to send the request to the REST API server and
> am also able to fetch the response in FreeRADIUS. But the log says "(1) Failed
> to authenticate the user". Please let me know whether I did something
> wrong or whether I have to configure anything anywhere else. Configuration
> and logs are pasted below for your reference. Thanks in advance.
> 
> ---------------------------------------------
> CONFIGURATIONS IN raddb/sites-enabled/default
> ---------------------------------------------
> 
> authorize {
>         if (User-Password) {
>                 update control {
>                         Cleartext-Password := &User-Password
>                         Auth-Type := rest
>                 }
>         }
> }
> 
> authenticate {
>         rest
> }
> 
> ---------------------------------------------
> CONFIGURATIONS IN raddb/mods-available/rest
> ---------------------------------------------
> 
> connect_uri = "http://192.168.1.25:8900/"
> 
> authorize {
>         uri = "${..connect_uri}/hns/FreeRadiusTest.jsp?test=value&action=authorize&calledStationId=%{Called-Station-ID}&userName=%{User-Name}"
>         method = 'get'
>         tls = ${..tls}
> }
> 
> authenticate {
>         uri = "${..connect_uri}/hns/FreeRadiusTest.jsp?test=value&action=authenticate&calledStationId=%{Called-Station-ID}&userName=%{User-Name}"
>         method = 'get'
>         tls = ${..tls}
> }
> 
> accounting {
>         uri = "${..connect_uri}/hns/FreeRadiusTest.jsp?test=value&action=accounting&calledStationId=%{Called-Station-ID}&userName=%{User-Name}&acctSessionId=%{Acct-Unique-Session-ID}"
>         method = 'post'
>         tls = ${..tls}
> }
> 
> post-auth {
>         uri = "${..connect_uri}/hns/FreeRadiusTest.jsp?test=value&action=postauth&calledStationId=%{Called-Station-ID}&userName=%{User-Name}"
>         method = 'post'
>         tls = ${..tls}
> }
> 
> 
> ---------------------------------------------
> radtest command output
> ---------------------------------------------
> 
> # radtest test test localhost 0 testing123
> Sent Access-Request Id 243 from 0.0.0.0:55212 to 127.0.0.1:1812 length 74
> User-Name = "test"
> User-Password = "test"
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 0
> Message-Authenticator = 0x00
> Cleartext-Password = "test"
> Received Access-Reject Id 243 from 127.0.0.1:1812 to 0.0.0.0:0 length 35
> Reply-Message = "Hello from KK"
> (0) -: Expected Access-Accept got Access-Reject
> 
> 
> ---------------------------------------------
> radiusd console debug logs
> ---------------------------------------------
> 
> Ready to process requests
> (2) Received Access-Request Id 243 from 127.0.0.1:55212 to
> 127.0.0.1:1812 length 74
> (2)   User-Name = "test"
> (2)   User-Password = "test"
> (2)   NAS-IP-Address = 127.0.0.1
> (2)   NAS-Port = 0
> (2)   Message-Authenticator = 0xa554ee1ed0ff34cbd52a28d7ff14f641
> (2) # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/default
> (2)   authorize {
> (2)     policy filter_username {
> (2)       if (&User-Name) {
> (2)       if (&User-Name)  -> TRUE
> (2)       if (&User-Name)  {
> (2)         if (&User-Name =~ / /) {
> (2)         if (&User-Name =~ / /)  -> FALSE
> (2)         if (&User-Name =~ /@[^@]*@/ ) {
> (2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (2)         if (&User-Name =~ /\.\./ ) {
> (2)         if (&User-Name =~ /\.\./ )  -> FALSE
> (2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
> -> FALSE
> (2)         if (&User-Name =~ /\.$/)  {
> (2)         if (&User-Name =~ /\.$/)   -> FALSE
> (2)         if (&User-Name =~ /@\./)  {
> (2)         if (&User-Name =~ /@\./)   -> FALSE
> (2)       } # if (&User-Name)  = notfound
> (2)     } # policy filter_username = notfound
> (2)     [preprocess] = ok
> (2)     if (User-Password) {
> (2)     if (User-Password)  -> TRUE
> (2)     if (User-Password)  {
> (2)       update control {
> (2)         Cleartext-Password := &User-Password -> 'test'
> (2)         Auth-Type := rest
> (2)       } # update control = noop
> (2)     } # if (User-Password)  = noop
> (2)     [chap] = noop
> (2)     [mschap] = noop
> (2)     [digest] = noop
> (2) suffix: Checking for suffix after "@"
> (2) suffix: No '@' in User-Name = "test", looking up realm NULL
> (2) suffix: No such realm "NULL"
> (2)     [suffix] = noop
> (2) eap: No EAP-Message, not doing EAP
> (2)     [eap] = noop
> (2) files: users: Matched entry test at line 1
> (2)     [files] = ok
> (2)     [expiration] = noop
> (2)     [logintime] = noop
> (2) pap: WARNING: Auth-Type already set.  Not setting to PAP
> (2)     [pap] = noop
> (2)   } # authorize = ok
> (2) Found Auth-Type = rest
> (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> (2)   authenticate {
> rlm_rest (rest): Closing connection (2): Hit idle_timeout, was idle
> for 1049 seconds
> rlm_rest (rest): Closing connection (3): Hit idle_timeout, was idle
> for 1049 seconds
> rlm_rest (rest): Closing connection (4): Hit idle_timeout, was idle
> for 1049 seconds
> rlm_rest (rest): Closing connection (0): Hit idle_timeout, was idle
> for 1047 seconds
> rlm_rest (rest): Closing connection (5): Hit idle_timeout, was idle
> for 1047 seconds
> rlm_rest (rest): You probably need to lower "min"
> rlm_rest (rest): Closing connection (1): Hit idle_timeout, was idle
> for 1041 seconds
> rlm_rest (rest): You probably need to lower "min"
> rlm_rest (rest): Closing connection (6): Hit idle_timeout, was idle
> for 1041 seconds
> rlm_rest (rest): You probably need to lower "min"
> rlm_rest (rest): 0 of 0 connections in use.  You  may need to increase "spare"
> rlm_rest (rest): Opening additional connection (7), 1 of 32 pending slots used
> rlm_rest (rest): Connecting to "http://192.168.1.25:8900/"
> rlm_rest (rest): Reserved connection (7)
> (2) rest: Expanding URI components
> (2) rest: EXPAND http://192.168.1.25:8900
> (2) rest:    --> http://192.168.1.25:8900
> (2) rest: EXPAND //hns/FreeRadiusTest.jsp?test=value&action=authenticate&calledStationId=%{Called-Station-ID}&userName=%{User-Name}
> (2) rest:    --> //hns/FreeRadiusTest.jsp?test=value&action=authenticate&calledStationId=&userName=test
> (2) rest: Sending HTTP GET to "http://192.168.1.25:8900//hns/FreeRadiusTest.jsp?test=value&action=authenticate&calledStationId=&userName=test"
> (2) rest: Processing response header
> (2) rest:   Status : 200 (OK)
> (2) rest:   Type   : json (application/json)
> (2) rest: Parsing attribute "reply:User-Name"
> (2) rest: EXPAND test
> (2) rest:    --> test
> (2) rest: User-Name := "test"
> (2) rest: Parsing attribute "reply:User-Password"
> (2) rest: EXPAND test
> (2) rest:    --> test
> (2) rest: User-Password := "test"
> (2) rest: Parsing attribute "control:ClearText-Password"
> (2) rest: EXPAND test
> (2) rest:    --> test
> (2) rest: Cleartext-Password := "test"
> (2) rest: Parsing attribute "reply:Reply-Message"
> (2) rest: EXPAND Hello from KK
> (2) rest:    --> Hello from KK
> (2) rest: Reply-Message := "Hello from KK"
> rlm_rest (rest): Released connection (7)
> rlm_rest (rest): Need 2 more connections to reach 10 spares
> rlm_rest (rest): Opening additional connection (8), 1 of 31 pending slots used
> rlm_rest (rest): Connecting to "http://192.168.1.25:8900/"
> (2)     [rest] = updated
> (2)   } # authenticate = updated
> (2) Failed to authenticate the user
> (2) Using Post-Auth-Type Reject
> (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> (2)   Post-Auth-Type REJECT {
> (2) attr_filter.access_reject: EXPAND %{User-Name}
> (2) attr_filter.access_reject:    --> test
> (2) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (2)     [attr_filter.access_reject] = updated
> (2)     [eap] = noop
> (2)     policy remove_reply_message_if_eap {
> (2)       if (&reply:EAP-Message && &reply:Reply-Message) {
> (2)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> (2)       else {
> (2)         [noop] = noop
> (2)       } # else = noop
> (2)     } # policy remove_reply_message_if_eap = noop
> (2)   } # Post-Auth-Type REJECT = updated
> (2) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (2) Sending delayed response
> (2) Sent Access-Reject Id 243 from 127.0.0.1:1812 to 127.0.0.1:55212 length 35
> (2)   Reply-Message = "Hello from KK"
> Waking up in 3.9 seconds.
> (2) Cleaning up request packet ID 243 with timestamp +1049
> Ready to process requests
> 
> 
> Thanks,
> Karun.
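Editor's note on why the second configuration works and the first did not. The debug log above is explicit: the authenticate section finishes with "[rest] = updated" / "authenticate = updated" and the server then logs "Failed to authenticate the user". A 2xx response carrying a JSON body is reported by rlm_rest as "updated", and in the authenticate section only "ok" (or "handled") counts as a successful password check, so parsing a body full of attributes there is not an authentication. Moving rest into authorize, as the follow-up does, lets the parsed control:Cleartext-Password reach rlm_pap, which sets Auth-Type to PAP when it sees a known-good password and then does the comparison itself in authenticate. Two things in the first configuration are worth pointing out because they are security bugs rather than just mistakes: `Cleartext-Password := &User-Password` copies whatever password the client sent into the "known good" slot, so PAP would accept any password at all; and the backend's response includes `reply:User-Password := "test"` (visible in the log), which puts the password into the reply list that is sent back to the NAS (only attr_filter's reject filter stripped it here). The backend, not the request, must supply the known-good password, and it belongs in the control list only.

What such a backend should return, as an added example that is not the poster's FreeRadiusTest.jsp and not FreeRADIUS project code: a small Python stand-in for the authorize endpoint that answers the same query string the thread's `uri` builds. The user store, the Reply-Message text and the function names `authorize` and `handle_get` are assumptions for illustration; the HTTP-status-to-return-code mapping is quoted from memory of rlm_rest 3.0 and should be checked against the rlm_rest source of the version in use.

```python
"""Mock rlm_rest 'authorize' backend for the thread's setup (added example;
not the poster's FreeRadiusTest.jsp and not FreeRADIUS project code).

FreeRADIUS sends GET /hns/FreeRadiusTest.jsp?action=authorize&userName=...
and rlm_rest parses a JSON object whose keys are RADIUS attributes, optionally
prefixed with a list (control:, reply:, request:), and whose values are a
bare string or an object {"op": ..., "value": ..., "do_xlat": ..., "is_json": ...}.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

# Constructed user store standing in for the real directory behind the JSP.
# Passwords are cleartext here only because the example returns
# control:Cleartext-Password; a real store would hold hashes and return
# e.g. control:NT-Password or control:Password-With-Header instead.
USERS = {
    "test": {"password": "test", "allowed_called": None},
    "bob":  {"password": "s3cret!", "allowed_called": {"00-11-22-33-44-55"}},
}


def authorize(query):
    """One 'authorize' call; query is the parsed query string (parse_qs form).

    Returns (http_status, body) where body is the dict rlm_rest will parse,
    or None for an empty response.  Status mapping relied on here (assumed
    from rlm_rest 3.0, verify for your version): 2xx with a body -> 'updated',
    204 -> 'ok', 404 -> 'notfound', 401 -> 'reject', 403 -> 'userlock'.
    """
    name = query.get("userName", [""])[0]
    called = query.get("calledStationId", [""])[0]
    user = USERS.get(name)
    if user is None:
        return 404, None            # unknown user: let other modules decide
    if user["allowed_called"] is not None and called not in user["allowed_called"]:
        return 401, None            # policy says no: explicit reject
    body = {
        # The "known good" password goes in the *control* list, where rlm_pap
        # picks it up and compares it with the request's User-Password.
        # Never put it in reply:* -- everything there is sent to the NAS
        # (the thread's log shows 'reply:User-Password := "test"' being parsed).
        "control:Cleartext-Password": {
            "op": ":=",
            "value": user["password"],
            # do_xlat defaults to true, so a value containing %{...} would be
            # expanded by the server (the log shows 'EXPAND test' per value).
            # Data coming out of a database must never be expanded: turn it off.
            "do_xlat": False,
        },
        "reply:Reply-Message": {"op": ":=", "value": "Hello from backend", "do_xlat": False},
    }
    return 200, body


def handle_get(path):
    """Map a request path to (status, response bytes), as the HTTP handler does."""
    parts = urlsplit(path)
    query = parse_qs(parts.query)
    if query.get("action", [""])[0] != "authorize":
        return 404, b""             # this mock implements only the authorize call
    status, body = authorize(query)
    return status, (json.dumps(body).encode() if body is not None else b"")


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, payload = handle_get(self.path)
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Listen on the port the thread's connect_uri points at (assumed address).
    HTTPServer(("0.0.0.0", 8900), Handler).serve_forever()
```

With this backend the server side is the one the follow-up describes: `rest` listed in authorize before `pap` (so pap sees control:Cleartext-Password and sets Auth-Type := PAP), nothing rest-specific in authenticate, and `radtest test test localhost 0 testing123` as in the thread. If the authorize endpoint has nothing to add for a user it should answer 204 rather than 200 with an empty object, and the password attribute should be the hashed form the store already holds rather than Cleartext-Password wherever the clients' authentication method allows it.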
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

