Weird error - OpenVPN with radiusplugin.so plugin auth on Alpine #56

itxworks opened this issue Jan 10, 2022 · 1 comment

@itxworks

I am not sure I followed https://privacyidea.readthedocs.io/en/latest/application_plugins/openvpn.html - FreeRADIUS.

Since there is no openvpn-auth-radius, it's built from source -> http://www.nongnu.org/radiusplugin/radiusplugin_v2.1a_beta1.tar.gz

PI is running with the latest 3.6.3. RADIUS AUTH only works fine, so the issue might be the accounting request. Any idea how to handle this?

FreeRADIUS Version 3.0.16

Ubuntu 18.x Container on PVE 5.13.19-4

--- EAP Test
Ready to process requests
(0) Received Access-Request Id 103 from 192.168.30.88:50565 to 192.168.27.4:1812 length 44
(0) User-Name = "xxxx"
(0) User-Password = "xxxx460384"
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/privacyidea
(0) authorize {
(0) update request {
(0) EXPAND %{Packet-Src-IP-Address}
(0) --> 192.168.30.88
(0) Packet-Src-IP-Address = 192.168.30.88
(0) } # update request = noop
(0) perl-privacyidea: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'xxxxx'
(0) perl-privacyidea: $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'xxxx460384'
(0) perl-privacyidea: $RAD_REQUEST{'Packet-Src-IP-Address'} = &request:Packet-Src-IP-Address -> '192.168.30.88'
(0) perl-privacyidea: &request:Packet-Src-IP-Address = $RAD_REQUEST{'Packet-Src-IP-Address'} -> '192.168.30.88'
(0) perl-privacyidea: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'xxxx'
(0) perl-privacyidea: &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'xxxx460384'
(0) [perl-privacyidea] = ok
(0) if (ok || updated) {
(0) if (ok || updated) -> TRUE
(0) if (ok || updated) {
(0) update control {
(0) Auth-Type := Perl
(0) } # update control = noop
(0) } # if (ok || updated) = noop
(0) } # authorize = ok
(0) Found Auth-Type = Perl
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/privacyidea
(0) Auth-Type Perl {
(0) perl-privacyidea: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'xxxx'
(0) perl-privacyidea: $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'xxxx460384'
(0) perl-privacyidea: $RAD_REQUEST{'Packet-Src-IP-Address'} = &request:Packet-Src-IP-Address -> '192.168.30.88'
(0) perl-privacyidea: $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'Perl'
(0) perl-privacyidea: $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'Perl'
rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
rlm_perl: Debugging config: true
rlm_perl: Default URL https://localhost/validate/check
rlm_perl: Looking for config for auth-type Perl
rlm_perl: RAD_REQUEST: Packet-Src-IP-Address = 192.168.30.88
rlm_perl: RAD_REQUEST: User-Name = xxx
rlm_perl: RAD_REQUEST: User-Password = xxxx460384
rlm_perl: Setting client IP to 192.168.30.88.
rlm_perl: Auth-Type: Perl
rlm_perl: url: https://localhost/validate/check
rlm_perl: user sent to privacyidea: xxxx
rlm_perl: realm sent to privacyidea:
rlm_perl: resolver sent to privacyidea:
rlm_perl: client sent to privacyidea: 192.168.30.88
rlm_perl: state sent to privacyidea:
rlm_perl: urlparam client = 192.168.30.88
rlm_perl: urlparam user = xxxx
rlm_perl: urlparam pass = xxxx460384
rlm_perl: Request timeout: 10
rlm_perl: Not verifying SSL certificate!
rlm_perl: elapsed time for privacyidea call: 1.329239
rlm_perl: Content {"detail": {"message": "matching 1 tokens", "otplen": 6, "serial": "OATH0001F065", "threadid": 139802552300992, "type": "hotp"}, "id": 1, "jsonrpc": "2.0", "result": {"status": true, "value": true}, "time": 1641811822.5173314, "version": "privacyIDEA 3.6.3", "versionnumber": "3.6.3", "signature": "rsa_sha256_pss:a2aa86a89e8773bb26f2ac36e0c87ba31d0f4c70122d7d8720232d896249c52c8a1ebc66796142997fc9bf8c9df0ebdd69729eb5494563e6322b62acca526c8a44167c248066a7ca928937b7aeaba69c58f8c0ce8a8caa8b00624b6900da74a9f118e971b7298b053bc89c0d0bd2c9f97d650161e49d9ad6c8bc44fd23ff21a6b68b75c424275823d21bbab68febd31f123ca1b4bfe7b9dc7dd7827dc4a372fe3fc117faaeb4f4b447857bafdaa61682e33282a3d41d502275389478a219b9b7bbda475171d6e902c7c8f5a3e31e75f196f4431b6e06ae59b28370d79f035ce485e1d317e921fd2fd49cba57efc5b3e04dd9393f678546f9008c4675eedf6e15"}
rlm_perl: privacyIDEA access granted
rlm_perl: ++++ Parsing group: Attribute
rlm_perl: +++++ Found member 'Attribute Filter-Id'
rlm_perl: ++++++ Attribute: IF ''->'' == '' THEN 'Filter-Id'
rlm_perl: ++++++ no directory
rlm_perl: +++++++ User attribute is a string:
rlm_perl: +++++++ trying to match
rlm_perl: ++++++++ Result: No match, no RADIUS attribute Filter-Id added.
rlm_perl: +++++ Found member 'Attribute otherAttribute'
rlm_perl: ++++++ Attribute: IF ''->'' == '' THEN 'otherAttribute'
rlm_perl: ++++++ no directory
rlm_perl: +++++++ User attribute is a string:
rlm_perl: +++++++ trying to match
rlm_perl: ++++++++ Result: No match, no RADIUS attribute otherAttribute added.
rlm_perl: +++++ Found member 'Attribute Class'
rlm_perl: ++++++ Attribute: IF ''->'' == '' THEN 'Class'
rlm_perl: ++++++ no directory
rlm_perl: +++++++ User attribute is a string:
rlm_perl: +++++++ trying to match
rlm_perl: ++++++++ Result: No match, no RADIUS attribute Class added.
rlm_perl: ++++ Parsing group: Mapping
rlm_perl: +++++ Found member 'Mapping user'
rlm_perl: return RLM_MODULE_OK
(0) perl-privacyidea: &request:Packet-Src-IP-Address = $RAD_REQUEST{'Packet-Src-IP-Address'} -> '192.168.30.88'
(0) perl-privacyidea: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'xxxx'
(0) perl-privacyidea: &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'xxxx460384'
(0) perl-privacyidea: &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'privacyIDEA access granted'
(0) perl-privacyidea: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl'
(0) [perl-privacyidea] = ok
(0) } # Auth-Type Perl = ok
(0) Sent Access-Accept Id 103 from 192.168.27.4:1812 to 192.168.30.88:50565 length 0
(0) Reply-Message = "privacyIDEA access granted"
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 103 with timestamp +35
Ready to process requests

-- OPENVPN Server ...

Ready to process requests
(0) Received Access-Request Id 198 from 192.168.30.64:46447 to 192.168.27.4:1812 length 126
(0) User-Name = "xxxx"
(0) User-Password = "xxxx790008"
(0) NAS-IP-Address = 127.0.0.1
(0) NAS-Port = 1
(0) Service-Type = Outbound-User
(0) Calling-Station-Id = "192.168.30.48"
(0) NAS-Identifier = "OpenVpn"
(0) Acct-Session-Id = "D5C3CB2C6E3AE8BDC8051EB33E28C02E"
(0) NAS-Port-Type = Virtual
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/privacyidea
(0) authorize {
(0) update request {
(0) EXPAND %{Packet-Src-IP-Address}
(0) --> 192.168.30.64
(0) Packet-Src-IP-Address = 192.168.30.64
(0) } # update request = noop
(0) perl-privacyidea: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'xxxx'
(0) perl-privacyidea: $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'xxxx790008'
(0) perl-privacyidea: $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '127.0.0.1'
(0) perl-privacyidea: $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '1'
(0) perl-privacyidea: $RAD_REQUEST{'Service-Type'} = &request:Service-Type -> 'Outbound-User'
(0) perl-privacyidea: $RAD_REQUEST{'Calling-Station-Id'} = &request:Calling-Station-Id -> '192.168.30.48'
(0) perl-privacyidea: $RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier -> 'OpenVpn'
(0) perl-privacyidea: $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Virtual'
(0) perl-privacyidea: $RAD_REQUEST{'Acct-Session-Id'} = &request:Acct-Session-Id -> 'D5C3CB2C6E3AE8BDC8051EB33E28C02E'
(0) perl-privacyidea: $RAD_REQUEST{'Packet-Src-IP-Address'} = &request:Packet-Src-IP-Address -> '192.168.30.64'
(0) perl-privacyidea: &request:Service-Type = $RAD_REQUEST{'Service-Type'} -> 'Outbound-User'
(0) perl-privacyidea: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '1'
(0) perl-privacyidea: &request:Calling-Station-Id = $RAD_REQUEST{'Calling-Station-Id'} -> '192.168.30.48'
(0) perl-privacyidea: &request:Packet-Src-IP-Address = $RAD_REQUEST{'Packet-Src-IP-Address'} -> '192.168.30.64'
(0) perl-privacyidea: &request:Acct-Session-Id = $RAD_REQUEST{'Acct-Session-Id'} -> 'D5C3CB2C6E3AE8BDC8051EB33E28C02E'
(0) perl-privacyidea: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 'Virtual'
(0) perl-privacyidea: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '127.0.0.1'
(0) perl-privacyidea: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'xxxx'
(0) perl-privacyidea: &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'xxxx790008'
(0) perl-privacyidea: &request:NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} -> 'OpenVpn'
(0) [perl-privacyidea] = ok
(0) if (ok || updated) {
(0) if (ok || updated) -> TRUE
(0) if (ok || updated) {
(0) update control {
(0) Auth-Type := Perl
(0) } # update control = noop
(0) } # if (ok || updated) = noop
(0) } # authorize = ok
(0) Found Auth-Type = Perl
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/privacyidea
(0) Auth-Type Perl {
(0) perl-privacyidea: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'xxxx'
(0) perl-privacyidea: $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'xxxx790008'
(0) perl-privacyidea: $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '127.0.0.1'
(0) perl-privacyidea: $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '1'
(0) perl-privacyidea: $RAD_REQUEST{'Service-Type'} = &request:Service-Type -> 'Outbound-User'
(0) perl-privacyidea: $RAD_REQUEST{'Calling-Station-Id'} = &request:Calling-Station-Id -> '192.168.30.48'
(0) perl-privacyidea: $RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier -> 'OpenVpn'
(0) perl-privacyidea: $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Virtual'
(0) perl-privacyidea: $RAD_REQUEST{'Acct-Session-Id'} = &request:Acct-Session-Id -> 'D5C3CB2C6E3AE8BDC8051EB33E28C02E'
(0) perl-privacyidea: $RAD_REQUEST{'Packet-Src-IP-Address'} = &request:Packet-Src-IP-Address -> '192.168.30.64'
(0) perl-privacyidea: $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'Perl'
(0) perl-privacyidea: $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'Perl'
rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
rlm_perl: Debugging config: true
rlm_perl: Default URL https://localhost/validate/check
rlm_perl: Looking for config for auth-type Perl
rlm_perl: RAD_REQUEST: Service-Type = Outbound-User
rlm_perl: RAD_REQUEST: NAS-Port = 1
rlm_perl: RAD_REQUEST: Calling-Station-Id = 192.168.30.48
rlm_perl: RAD_REQUEST: Packet-Src-IP-Address = 192.168.30.64
rlm_perl: RAD_REQUEST: Acct-Session-Id = D5C3CB2C6E3AE8BDC8051EB33E28C02E
rlm_perl: RAD_REQUEST: NAS-Port-Type = Virtual
rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1
rlm_perl: RAD_REQUEST: User-Name = xxxx
rlm_perl: RAD_REQUEST: User-Password = xxxx790008
rlm_perl: RAD_REQUEST: NAS-Identifier = OpenVpn
rlm_perl: Setting client IP to 127.0.0.1.
rlm_perl: Auth-Type: Perl
rlm_perl: url: https://localhost/validate/check
rlm_perl: user sent to privacyidea: xxxx
rlm_perl: realm sent to privacyidea:
rlm_perl: resolver sent to privacyidea:
rlm_perl: client sent to privacyidea: 127.0.0.1
rlm_perl: state sent to privacyidea:
rlm_perl: urlparam user = xxxx
rlm_perl: urlparam client = 127.0.0.1
rlm_perl: urlparam pass = xxxx790008
rlm_perl: Request timeout: 10
rlm_perl: Not verifying SSL certificate!
rlm_perl: elapsed time for privacyidea call: 1.295836
rlm_perl: Content {"detail": {"message": "matching 1 tokens", "otplen": 6, "serial": "OATH0001F065", "threadid": 139802552300992, "type": "hotp"}, "id": 1, "jsonrpc": "2.0", "result": {"status": true, "value": true}, "time": 1641812150.074624, "version": "privacyIDEA 3.6.3", "versionnumber": "3.6.3", "signature": "rsa_sha256_pss:..."}
rlm_perl: privacyIDEA access granted
rlm_perl: ++++ Parsing group: Attribute
rlm_perl: +++++ Found member 'Attribute Filter-Id'
rlm_perl: ++++++ Attribute: IF ''->'' == '' THEN 'Filter-Id'
rlm_perl: ++++++ no directory
rlm_perl: +++++++ User attribute is a string:
rlm_perl: +++++++ trying to match
rlm_perl: ++++++++ Result: No match, no RADIUS attribute Filter-Id added.
rlm_perl: +++++ Found member 'Attribute otherAttribute'
rlm_perl: ++++++ Attribute: IF ''->'' == '' THEN 'otherAttribute'
rlm_perl: ++++++ no directory
rlm_perl: +++++++ User attribute is a string:
rlm_perl: +++++++ trying to match
rlm_perl: ++++++++ Result: No match, no RADIUS attribute otherAttribute added.
rlm_perl: +++++ Found member 'Attribute Class'
rlm_perl: ++++++ Attribute: IF ''->'' == '' THEN 'Class'
rlm_perl: ++++++ no directory
rlm_perl: +++++++ User attribute is a string:
rlm_perl: +++++++ trying to match
rlm_perl: ++++++++ Result: No match, no RADIUS attribute Class added.
rlm_perl: ++++ Parsing group: Mapping
rlm_perl: +++++ Found member 'Mapping user'
rlm_perl: return RLM_MODULE_OK
(0) perl-privacyidea: &request:Service-Type = $RAD_REQUEST{'Service-Type'} -> 'Outbound-User'
(0) perl-privacyidea: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '1'
(0) perl-privacyidea: &request:Calling-Station-Id = $RAD_REQUEST{'Calling-Station-Id'} -> '192.168.30.48'
(0) perl-privacyidea: &request:Packet-Src-IP-Address = $RAD_REQUEST{'Packet-Src-IP-Address'} -> '192.168.30.64'
(0) perl-privacyidea: &request:Acct-Session-Id = $RAD_REQUEST{'Acct-Session-Id'} -> 'D5C3CB2C6E3AE8BDC8051EB33E28C02E'
(0) perl-privacyidea: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 'Virtual'
(0) perl-privacyidea: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '127.0.0.1'
(0) perl-privacyidea: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'xxxx'
(0) perl-privacyidea: &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'xxxx790008'
(0) perl-privacyidea: &request:NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} -> 'OpenVpn'
(0) perl-privacyidea: &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'privacyIDEA access granted'
(0) perl-privacyidea: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl'
(0) [perl-privacyidea] = ok
(0) } # Auth-Type Perl = ok
(0) Sent Access-Accept Id 198 from 192.168.27.4:1812 to 192.168.30.64:46447 length 0
(0) Reply-Message = "privacyIDEA access granted"
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 198 from 192.168.30.64:40879 to 192.168.27.4:1812 length 126
(1) User-Name = "xxxx"
(1) User-Password = "xxxx790008"
(1) NAS-IP-Address = 127.0.0.1
(1) NAS-Port = 1
(1) Service-Type = Outbound-User
(1) Calling-Station-Id = "192.168.30.48"
(1) NAS-Identifier = "OpenVpn"
(1) Acct-Session-Id = "D5C3CB2C6E3AE8BDC8051EB33E28C02E"
(1) NAS-Port-Type = Virtual
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/privacyidea
(1) authorize {
(1) update request {
(1) EXPAND %{Packet-Src-IP-Address}
(1) --> 192.168.30.64
(1) Packet-Src-IP-Address = 192.168.30.64
(1) } # update request = noop
(1) perl-privacyidea: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'xxxx'
(1) perl-privacyidea: $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'xxxx790008'
(1) perl-privacyidea: $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '127.0.0.1'
(1) perl-privacyidea: $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '1'
(1) perl-privacyidea: $RAD_REQUEST{'Service-Type'} = &request:Service-Type -> 'Outbound-User'
(1) perl-privacyidea: $RAD_REQUEST{'Calling-Station-Id'} = &request:Calling-Station-Id -> '192.168.30.48'
(1) perl-privacyidea: $RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier -> 'OpenVpn'
(1) perl-privacyidea: $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Virtual'
(1) perl-privacyidea: $RAD_REQUEST{'Acct-Session-Id'} = &request:Acct-Session-Id -> 'D5C3CB2C6E3AE8BDC8051EB33E28C02E'
(1) perl-privacyidea: $RAD_REQUEST{'Packet-Src-IP-Address'} = &request:Packet-Src-IP-Address -> '192.168.30.64'
(1) perl-privacyidea: &request:Service-Type = $RAD_REQUEST{'Service-Type'} -> 'Outbound-User'
(1) perl-privacyidea: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '1'
(1) perl-privacyidea: &request:Calling-Station-Id = $RAD_REQUEST{'Calling-Station-Id'} -> '192.168.30.48'
(1) perl-privacyidea: &request:Packet-Src-IP-Address = $RAD_REQUEST{'Packet-Src-IP-Address'} -> '192.168.30.64'
(1) perl-privacyidea: &request:Acct-Session-Id = $RAD_REQUEST{'Acct-Session-Id'} -> 'D5C3CB2C6E3AE8BDC8051EB33E28C02E'
(1) perl-privacyidea: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 'Virtual'
(1) perl-privacyidea: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '127.0.0.1'
(1) perl-privacyidea: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'xxxx'
(1) perl-privacyidea: &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'xxxx790008'
(1) perl-privacyidea: &request:NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} -> 'OpenVpn'
(1) [perl-privacyidea] = ok
(1) if (ok || updated) {
(1) if (ok || updated) -> TRUE
(1) if (ok || updated) {
(1) update control {
(1) Auth-Type := Perl
(1) } # update control = noop
(1) } # if (ok || updated) = noop
(1) } # authorize = ok
(1) Found Auth-Type = Perl
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/privacyidea
(1) Auth-Type Perl {
(1) perl-privacyidea: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'xxxx'
(1) perl-privacyidea: $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'xxxx790008'
(1) perl-privacyidea: $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '127.0.0.1'
(1) perl-privacyidea: $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '1'
(1) perl-privacyidea: $RAD_REQUEST{'Service-Type'} = &request:Service-Type -> 'Outbound-User'
(1) perl-privacyidea: $RAD_REQUEST{'Calling-Station-Id'} = &request:Calling-Station-Id -> '192.168.30.48'
(1) perl-privacyidea: $RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier -> 'OpenVpn'
(1) perl-privacyidea: $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Virtual'
(1) perl-privacyidea: $RAD_REQUEST{'Acct-Session-Id'} = &request:Acct-Session-Id -> 'D5C3CB2C6E3AE8BDC8051EB33E28C02E'
(1) perl-privacyidea: $RAD_REQUEST{'Packet-Src-IP-Address'} = &request:Packet-Src-IP-Address -> '192.168.30.64'
(1) perl-privacyidea: $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'Perl'
(1) perl-privacyidea: $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'Perl'
rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
rlm_perl: Debugging config: true
rlm_perl: Default URL https://localhost/validate/check
rlm_perl: Looking for config for auth-type Perl
rlm_perl: RAD_REQUEST: Service-Type = Outbound-User
rlm_perl: RAD_REQUEST: NAS-Port = 1
rlm_perl: RAD_REQUEST: Calling-Station-Id = 192.168.30.48
rlm_perl: RAD_REQUEST: Packet-Src-IP-Address = 192.168.30.64
rlm_perl: RAD_REQUEST: Acct-Session-Id = D5C3CB2C6E3AE8BDC8051EB33E28C02E
rlm_perl: RAD_REQUEST: NAS-Port-Type = Virtual
rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1
rlm_perl: RAD_REQUEST: User-Name = xxxx
rlm_perl: RAD_REQUEST: User-Password = xxxx790008
rlm_perl: RAD_REQUEST: NAS-Identifier = OpenVpn
rlm_perl: Setting client IP to 127.0.0.1.
rlm_perl: Auth-Type: Perl
rlm_perl: url: https://localhost/validate/check
rlm_perl: user sent to privacyidea: xxxx
rlm_perl: realm sent to privacyidea:
rlm_perl: resolver sent to privacyidea:
rlm_perl: client sent to privacyidea: 127.0.0.1
rlm_perl: state sent to privacyidea:
rlm_perl: urlparam user = xxxx
rlm_perl: urlparam client = 127.0.0.1
rlm_perl: urlparam pass = xxxx790008
rlm_perl: Request timeout: 10
rlm_perl: Not verifying SSL certificate!
rlm_perl: elapsed time for privacyidea call: 1.115126
rlm_perl: Content {"detail": {"message": "wrong otp value. previous otp used again", "otplen": 6, "serial": "OATH0001F065", "threadid": 139802552300992, "type": "hotp"}, "id": 1, "jsonrpc": "2.0", "result": {"status": true, "value": false}, "time": 1641812151.1848474, "version": "privacyIDEA 3.6.3", "versionnumber": "3.6.3", "signature": "rsa_sha256_pss:..."}
rlm_perl: privacyIDEA Result status is true!
rlm_perl: privacyIDEA access denied
rlm_perl: return RLM_MODULE_REJECT
(1) perl-privacyidea: &request:Service-Type = $RAD_REQUEST{'Service-Type'} -> 'Outbound-User'
(1) perl-privacyidea: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '1'
(1) perl-privacyidea: &request:Calling-Station-Id = $RAD_REQUEST{'Calling-Station-Id'} -> '192.168.30.48'
(1) perl-privacyidea: &request:Packet-Src-IP-Address = $RAD_REQUEST{'Packet-Src-IP-Address'} -> '192.168.30.64'
(1) perl-privacyidea: &request:Acct-Session-Id = $RAD_REQUEST{'Acct-Session-Id'} -> 'D5C3CB2C6E3AE8BDC8051EB33E28C02E'
(1) perl-privacyidea: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 'Virtual'
(1) perl-privacyidea: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '127.0.0.1'
(1) perl-privacyidea: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'xxxx'
(1) perl-privacyidea: &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'xxxx790008'
(1) perl-privacyidea: &request:NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} -> 'OpenVpn'
(1) perl-privacyidea: &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'wrong otp value. previous otp used again'
(1) perl-privacyidea: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl'
(1) [perl-privacyidea] = reject
(1) } # Auth-Type Perl = reject
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) Delaying response for 1.000000 seconds
Waking up in 0.9 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 198 from 192.168.27.4:1812 to 192.168.30.64:40879 length 62
(1) Reply-Message = "wrong otp value. previous otp used again"
Waking up in 2.8 seconds.
(0) Cleaning up request packet ID 198 with timestamp +24
Waking up in 1.1 seconds.
(1) Cleaning up request packet ID 198 with timestamp +26
Ready to process requests

vim /etc/freeradius/3.0/sites-enabled/privacyidea

server {
    authorize {
        #files
        update request {
            # Add the Packet Src IP to the request as client fallback
            Packet-Src-IP-Address = "%{Packet-Src-IP-Address}"
        }
        perl-privacyidea
        if (ok || updated) {
            update control {
                Auth-Type := Perl
            }
        }
    }
    listen {
        type = auth
        ipaddr = *
        port = 0
    }
    authenticate {
        Auth-Type Perl {
            perl-privacyidea
        }
    }
}

Thank you!!!!
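What the two OpenVPN captures above actually show, as an added example that is not part of this issue and not privacyIDEA or FreeRADIUS code: every packet in them is an Access-Request, not an Accounting-Request. The second request reuses Identifier 198 with the same User-Password but arrives from a new source port (40879 instead of 46447). FreeRADIUS keys its duplicate detection on source IP, source port and Identifier, so a retransmit from a new port is processed as a fresh request, and the HOTP token then does exactly what it should and rejects the reused OTP ("previous otp used again"). The first attempt spent about 1.3 s inside the privacyIDEA call, which is consistent with the NAS giving up and resending before the first answer came back. The script below parses `freeradius -X` output in the shape shown above and flags both conditions; the sample lines are constructed from the captures (the user name is made up, addresses, Identifiers and timings follow the log), and the `latency_threshold` parameter is my own choice.

```python
"""Flag NAS retransmits and OTP-replay rejections in `freeradius -X` debug output.

Added example (not code from this issue, from privacyIDEA or from FreeRADIUS). It
assumes the debug-log shape shown above: a "(n) Received Access-Request Id ... from
IP:PORT" header, "rlm_perl: ..." module lines without a request number, and a
"(n) Sent Access-Accept|Access-Reject Id ..." line followed by the Reply-Message.
"""
import re
from dataclasses import dataclass
from typing import Optional

RECEIVED = re.compile(r"^\((\d+)\) Received Access-Request Id (\d+) from ([\d.]+):(\d+) ")
SENT = re.compile(r"^\((\d+)\) Sent (Access-Accept|Access-Reject) Id (\d+) ")
ELAPSED = re.compile(r"^rlm_perl: elapsed time for privacyidea call: ([\d.]+)")
REPLY_MSG = re.compile(r'^\(\d+\) Reply-Message = "(.*)"$')


@dataclass
class Request:
    seq: int                  # the "(n)" request number FreeRADIUS assigns
    ident: int                # RADIUS packet Identifier
    nas_ip: str
    src_port: int
    backend_latency: Optional[float] = None   # seconds spent in the privacyIDEA call
    outcome: Optional[str] = None             # "Access-Accept" or "Access-Reject"
    reply_message: Optional[str] = None


@dataclass
class Finding:
    kind: str
    ident: int
    nas_ip: str
    detail: str


def parse_debug_log(lines):
    """Group the flat debug lines into one Request per "(n) Received ..." header."""
    requests, by_seq, current = [], {}, None
    for raw in lines:
        line = raw.strip()
        if m := RECEIVED.match(line):
            current = Request(int(m[1]), int(m[2]), m[3], int(m[4]))
            requests.append(current)
            by_seq[current.seq] = current
        elif (m := ELAPSED.match(line)) and current:
            # rlm_perl lines carry no "(n)", so attach them to the request in flight
            current.backend_latency = float(m[1])
        elif m := SENT.match(line):
            current = by_seq[int(m[1])]
            current.outcome = m[2]
        elif (m := REPLY_MSG.match(line)) and current:
            current.reply_message = m[1]
    return requests


def find_retransmits(requests, latency_threshold=1.0):
    """A packet Identifier arriving twice from one NAS is a retransmit; a reject whose
    Reply-Message names a reused OTP is the token's replay protection doing its job."""
    findings, first_seen = [], {}
    for r in requests:
        key = (r.nas_ip, r.ident)
        if key in first_seen:
            first = first_seen[key]
            detail = (f"Id {r.ident} seen again from {r.nas_ip} "
                      f"(source port {first.src_port}, then {r.src_port})")
            if first.backend_latency and first.backend_latency > latency_threshold:
                detail += (f"; first attempt spent {first.backend_latency:.2f}s in the backend, "
                           f"likely longer than the NAS retry timeout")
            findings.append(Finding("nas-retransmit", r.ident, r.nas_ip, detail))
        else:
            first_seen[key] = r
        if r.outcome == "Access-Reject" and "previous otp used again" in (r.reply_message or ""):
            findings.append(Finding("otp-replay-rejected", r.ident, r.nas_ip, r.reply_message))
    return findings


# Constructed sample modelled on the captures in this issue (the user name is made up).
SAMPLE_LOG = """\
(0) Received Access-Request Id 103 from 192.168.30.88:50565 to 192.168.27.4:1812 length 44
(0) User-Name = "alice"
rlm_perl: elapsed time for privacyidea call: 1.329239
(0) Sent Access-Accept Id 103 from 192.168.27.4:1812 to 192.168.30.88:50565 length 0
(0) Reply-Message = "privacyIDEA access granted"
(1) Received Access-Request Id 198 from 192.168.30.64:46447 to 192.168.27.4:1812 length 126
(1) NAS-Identifier = "OpenVpn"
rlm_perl: elapsed time for privacyidea call: 1.295836
(1) Sent Access-Accept Id 198 from 192.168.27.4:1812 to 192.168.30.64:46447 length 0
(1) Reply-Message = "privacyIDEA access granted"
(2) Received Access-Request Id 198 from 192.168.30.64:40879 to 192.168.27.4:1812 length 126
rlm_perl: elapsed time for privacyidea call: 1.115126
(2) Sent Access-Reject Id 198 from 192.168.27.4:1812 to 192.168.30.64:40879 length 62
(2) Reply-Message = "wrong otp value. previous otp used again"
""".splitlines()

if __name__ == "__main__":
    for f in find_retransmits(parse_debug_log(SAMPLE_LOG)):
        print(f"[{f.kind}] NAS {f.nas_ip} Id {f.ident}: {f.detail}")
```

Run it against a real `freeradius -X` capture by replacing `SAMPLE_LOG` with the file's lines; a `nas-retransmit` finding paired with an `otp-replay-rejected` one on the same Identifier points at the NAS retry timer rather than at the token or the accounting path.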

@itxworks (Author)

Got it working with RADIUS PAM -> Service-Type = Authenticate-Only

    (0) Received Access-Request Id 118 from 192.168.30.64:38970 to 192.168.27.4:1812 length 77
    (0) User-Name = "xxxx"
    (0) User-Password = "xxxx248868"
    (0) NAS-IP-Address = 192.168.30.64
    (0) NAS-Identifier = "openvpn"
    (0) NAS-Port = 6309
    (0) NAS-Port-Type = Virtual
    (0) Service-Type = Authenticate-Only
    (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/privacyidea
    (0) authorize {
    (0) update request {
    (0) EXPAND %{Packet-Src-IP-Address}
    (0) --> 192.168.30.64
    (0) Packet-Src-IP-Address = 192.168.30.64
    (0) } # update request = noop
    (0) perl-privacyidea: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'xxxx'
    (0) perl-privacyidea: $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'xxxx248868'
    (0) perl-privacyidea: $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '192.168.30.64'
    (0) perl-privacyidea: $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '6309'
    (0) perl-privacyidea: $RAD_REQUEST{'Service-Type'} = &request:Service-Type -> 'Authenticate-Only'
    (0) perl-privacyidea: $RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier -> 'openvpn'
    (0) perl-privacyidea: $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Virtual'
    (0) perl-privacyidea: $RAD_REQUEST{'Packet-Src-IP-Address'} = &request:Packet-Src-IP-Address -> '192.168.30.64'
    (0) perl-privacyidea: &request:NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} -> 'openvpn'
    (0) perl-privacyidea: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '6309'
    (0) perl-privacyidea: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 'Virtual'
    (0) perl-privacyidea: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'xxxx'
    (0) perl-privacyidea: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '192.168.30.64'
    (0) perl-privacyidea: &request:Service-Type = $RAD_REQUEST{'Service-Type'} -> 'Authenticate-Only'
    (0) perl-privacyidea: &request:Packet-Src-IP-Address = $RAD_REQUEST{'Packet-Src-IP-Address'} -> '192.168.30.64'
    (0) perl-privacyidea: &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'xxxx248868'
    (0) [perl-privacyidea] = ok
    (0) if (ok || updated) {
    (0) if (ok || updated) -> TRUE
    (0) if (ok || updated) {
    (0) update control {
    (0) Auth-Type := Perl
    (0) } # update control = noop
    (0) } # if (ok || updated) = noop
    (0) } # authorize = ok
    (0) Found Auth-Type = Perl
    (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/privacyidea
    (0) Auth-Type Perl {
    (0) perl-privacyidea: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'xxxx'
    (0) perl-privacyidea: $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'xxxx248868'
    (0) perl-privacyidea: $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '192.168.30.64'
    (0) perl-privacyidea: $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '6309'
    (0) perl-privacyidea: $RAD_REQUEST{'Service-Type'} = &request:Service-Type -> 'Authenticate-Only'
    (0) perl-privacyidea: $RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier -> 'openvpn'
    (0) perl-privacyidea: $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Virtual'
    (0) perl-privacyidea: $RAD_REQUEST{'Packet-Src-IP-Address'} = &request:Packet-Src-IP-Address -> '192.168.30.64'
    (0) perl-privacyidea: $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'Perl'
    (0) perl-privacyidea: $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'Perl'
    rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
    rlm_perl: Debugging config: true
    rlm_perl: Default URL https://localhost/validate/check
    rlm_perl: Looking for config for auth-type Perl
    rlm_perl: RAD_REQUEST: NAS-Identifier = openvpn
    rlm_perl: RAD_REQUEST: NAS-Port = 6309
    rlm_perl: RAD_REQUEST: NAS-Port-Type = Virtual
    rlm_perl: RAD_REQUEST: User-Name = xxxx
    rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.168.30.64
    rlm_perl: RAD_REQUEST: Service-Type = Authenticate-Only
    rlm_perl: RAD_REQUEST: Packet-Src-IP-Address = 192.168.30.64
    rlm_perl: RAD_REQUEST: User-Password = xxxx248868
    rlm_perl: Setting client IP to 192.168.30.64.
    rlm_perl: Auth-Type: Perl
    rlm_perl: url: https://localhost/validate/check
    rlm_perl: user sent to privacyidea: xxxx
    rlm_perl: realm sent to privacyidea:
    rlm_perl: resolver sent to privacyidea:
    rlm_perl: client sent to privacyidea: 192.168.30.64
    rlm_perl: state sent to privacyidea:
    rlm_perl: urlparam pass = xxxx248868
    rlm_perl: urlparam client = 192.168.30.64
    rlm_perl: urlparam user = xxxx
    rlm_perl: Request timeout: 10
    rlm_perl: Not verifying SSL certificate!
    rlm_perl: elapsed time for privacyidea call: 1.299244
    rlm_perl: Content {"detail": {"message": "matching 1 tokens", "otplen": 6, "serial": "OATH0001F065", "threadid": 139802552300992, "type": "hotp"}, "id": 1, "jsonrpc": "2.0", "result": {"status": true, "value": true}, "time": 1641819935.5099869, "version": "privacyIDEA 3.6.3", "versionnumber": "3.6.3", "signature": "rsa_sha256_pss:..."}
    rlm_perl: privacyIDEA access granted
    rlm_perl: ++++ Parsing group: Mapping
    rlm_perl: +++++ Found member 'Mapping user'
    rlm_perl: ++++ Parsing group: Attribute
    rlm_perl: +++++ Found member 'Attribute Filter-Id'
    rlm_perl: ++++++ Attribute: IF ''->'' == '' THEN 'Filter-Id'
    rlm_perl: ++++++ no directory
    rlm_perl: +++++++ User attribute is a string:
    rlm_perl: +++++++ trying to match
    rlm_perl: ++++++++ Result: No match, no RADIUS attribute Filter-Id added.
    rlm_perl: +++++ Found member 'Attribute otherAttribute'
    rlm_perl: ++++++ Attribute: IF ''->'' == '' THEN 'otherAttribute'
    rlm_perl: ++++++ no directory
    rlm_perl: +++++++ User attribute is a string:
    rlm_perl: +++++++ trying to match
    rlm_perl: ++++++++ Result: No match, no RADIUS attribute otherAttribute added.
    rlm_perl: +++++ Found member 'Attribute Class'
    rlm_perl: ++++++ Attribute: IF ''->'' == '' THEN 'Class'
    rlm_perl: ++++++ no directory
    rlm_perl: +++++++ User attribute is a string:
    rlm_perl: +++++++ trying to match
    rlm_perl: ++++++++ Result: No match, no RADIUS attribute Class added.
    rlm_perl: return RLM_MODULE_OK
    (0) perl-privacyidea: &request:NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} -> 'openvpn'
    (0) perl-privacyidea: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '6309'
    (0) perl-privacyidea: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 'Virtual'
    (0) perl-privacyidea: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'xxxx'
    (0) perl-privacyidea: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '192.168.30.64'
    (0) perl-privacyidea: &request:Service-Type = $RAD_REQUEST{'Service-Type'} -> 'Authenticate-Only'
    (0) perl-privacyidea: &request:Packet-Src-IP-Address = $RAD_REQUEST{'Packet-Src-IP-Address'} -> '192.168.30.64'
    (0) perl-privacyidea: &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'xxxx248868'
    (0) perl-privacyidea: &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'privacyIDEA access granted'
    (0) perl-privacyidea: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl'
    (0) [perl-privacyidea] = ok
    (0) } # Auth-Type Perl = ok
    (0) Sent Access-Accept Id 118 from 192.168.27.4:1812 to 192.168.30.64:38970 length 0
    (0) Reply-Message = "privacyIDEA access granted"
    (0) Finished request
    Waking up in 4.9 seconds.
    (0) Cleaning up request packet ID 118 with timestamp +43
    Ready to process requests

...
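For readers who want to see what the Access-Request in the capture above looks like on the wire, an added example that is not code from this issue, from OpenVPN's radiusplugin, from the PAM RADIUS module or from FreeRADIUS: a minimal RFC 2865 codec in Python that builds an Access-Request with the attribute set the PAM path sent (User-Name, NAS-Identifier, Service-Type = Authenticate-Only, NAS-Port-Type = Virtual), hides User-Password with the shared secret as the RFC requires, answers it from a toy server, and verifies the Response Authenticator on the reply so that an Access-Accept forged or altered by someone without the secret is rejected. The shared secret, user name and password are constructed; the attribute type numbers and enumerated values are the RFC 2865 ones.

```python
"""Minimal RFC 2865 Access-Request / Access-Accept codec with Response Authenticator check.

Added example, not code from this issue, from OpenVPN's radiusplugin, from the PAM
RADIUS module or from FreeRADIUS. The shared secret, user name and password are
constructed; attribute types and enumerated values are the RFC 2865 ones.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE, REPLY_MESSAGE, NAS_IDENTIFIER, NAS_PORT_TYPE = 1, 2, 6, 18, 32, 61
SERVICE_TYPE_AUTHENTICATE_ONLY, NAS_PORT_TYPE_VIRTUAL = 8, 5


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with MD5(secret + previous block)."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, authenticator):
    """Server side of the same scheme; each block's key derives from the previous ciphertext block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def encode_attrs(attrs):
    """(type, value) pairs; an int value becomes a 4-byte integer attribute, bytes go as-is."""
    out = b""
    for t, v in attrs:
        v = struct.pack("!I", v) if isinstance(v, int) else v
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def parse_packet(pkt):
    """Returns (code, identifier, authenticator, attrs); rejects packets whose length field lies."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad packet length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def build_access_request(ident, secret, username, password, nas_id):
    """The attribute set the PAM path sent in the log above, with a fresh random Request Authenticator."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, username), (USER_PASSWORD, hide_password(password, secret, req_auth)),
             (NAS_IDENTIFIER, nas_id), (SERVICE_TYPE, SERVICE_TYPE_AUTHENTICATE_ONLY),
             (NAS_PORT_TYPE, NAS_PORT_TYPE_VIRTUAL)]
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def build_response(code, ident, req_auth, secret, attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body


def verify_response(resp, req_auth, secret):
    """Client-side check: a reply forged or altered by someone without the secret fails here."""
    _, _, resp_auth, _ = parse_packet(resp)
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def server_handle(pkt, secret, users):
    """Toy server: recover the hidden password and answer Accept or Reject with a Reply-Message."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    a = dict(attrs)
    if code != ACCESS_REQUEST or USER_NAME not in a or USER_PASSWORD not in a:
        raise ValueError("expected an Access-Request carrying User-Name and User-Password")
    password = unhide_password(a[USER_PASSWORD], secret, req_auth)
    if hmac.compare_digest(users.get(a[USER_NAME], b""), password):
        return build_response(ACCESS_ACCEPT, ident, req_auth, secret, [(REPLY_MESSAGE, b"access granted")])
    return build_response(ACCESS_REJECT, ident, req_auth, secret, [(REPLY_MESSAGE, b"access denied")])


if __name__ == "__main__":
    secret, users = b"constructed-shared-secret", {b"alice": b"pin123456"}
    req = build_access_request(118, secret, b"alice", b"pin123456", b"openvpn")
    resp = server_handle(req, secret, users)
    print("accept" if parse_packet(resp)[0] == ACCESS_ACCEPT else "reject",
          "authentic" if verify_response(resp, parse_packet(req)[2], secret) else "FORGED")
```

The `verify_response` step is the part a NAS must not skip: without it, anything on the path between the VPN server and FreeRADIUS that can spoof a UDP reply could answer Access-Accept to any request, which is why the shared secret, not the password hiding, is what binds the reply to the request.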
