MAC Authentication failed in freeradius - authentication

I followed this Plain MAC-Auth setup guide to configure FreeRADIUS (version 2.2.5) in order to carry out MAC authentication. However, MAC authentication fails with the following log message:
rad_recv: Access-Request packet from host 192.168.0.7 port 59966, id=9, length=79
NAS-IP-Address = 192.168.0.7
User-Name = "34:76:C5:57:0F:A3"
User-Password = "34:76:C5:57:0F:A3"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy rewrite.calling_station_id {
+++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i)
?? Evaluating (Calling-Station-Id) -> FALSE
? Skipping ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i)
+++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> FALSE
+++else else {
++++[noop] = noop
+++} # else else = noop
++} # policy rewrite.calling_station_id = noop
[authorized_macs] expand: %{Calling-Station-Id} ->
++[authorized_macs] = noop
++? if (!ok)
? Evaluating !(ok) -> TRUE
++? if (!ok) -> TRUE
++if (!ok) {
+++[reject] = reject
++} # if (!ok) = reject
+} # group authorize = reject
Using Post-Auth-Type REJECT
WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action.
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 9 to 192.168.0.7 port 59966
Waking up in 4.9 seconds.
Cleaning up request 0 ID 9 with timestamp +30
Ready to process requests.
From the above log, the problem seems to be that the "Calling-Station-Id" value cannot be obtained. Is this a FreeRADIUS configuration problem? Does anyone know how to solve it?

In the accounting section of the RADIUS config add:
update request {
Called-Station-Id += &NAS-Port-Id
}
and in the post-auth section add:
update reply {
Called-Station-Id += &NAS-Port-Id
}
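Added here as an illustration (not code from the question, the guide or FreeRADIUS itself): a Python model of the authorize flow the debug log walks through, using the mac-addr regex from FreeRADIUS policy.conf and an authorized_macs lookup keyed on Calling-Station-Id. The allow-list, the request rebuilt from the log, and the username-fallback variant are constructed for the example.

```python
from __future__ import annotations

import re

# Equivalent of the mac-addr entry in FreeRADIUS policy.conf (2.x): six hex
# pairs, each optionally followed by a single non-hex separator character.
MAC_ADDR_RE = re.compile(
    r"^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?"
    r"([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$",
    re.IGNORECASE,
)

# Constructed allow-list standing in for the authorized_macs "files" instance,
# keyed on Calling-Station-Id in the canonical lower-case, dash-separated form.
AUTHORIZED_MACS = {
    "34-76-c5-57-0f-a3": {"Reply-Message": "lab laptop"},
}

# Request as it appears in the question's debug log: the NAS put the MAC into
# User-Name/User-Password and sent no Calling-Station-Id at all.
REQUEST_FROM_LOG = {
    "NAS-IP-Address": "192.168.0.7",
    "User-Name": "34:76:C5:57:0F:A3",
    "User-Password": "34:76:C5:57:0F:A3",
}


def rewrite_calling_station_id(request: dict) -> str:
    """Model of policy rewrite.calling_station_id.

    Returns the unlang return code: 'updated' when the attribute was rewritten
    to the canonical form, 'noop' when it is absent or not a MAC (the branch
    the log shows: 'Evaluating (Calling-Station-Id) -> FALSE')."""
    csid = request.get("Calling-Station-Id")
    if csid is None:
        return "noop"
    m = MAC_ADDR_RE.match(csid)
    if m is None:
        return "noop"
    request["Calling-Station-Id"] = "-".join(m.groups()).lower()
    return "updated"


def authorized_macs(request: dict, reply: dict) -> str:
    """Model of the authorized_macs lookup: the key is Calling-Station-Id.

    With the attribute missing the key expands to "" (the log line
    '[authorized_macs] expand: %{Calling-Station-Id} ->') and nothing matches."""
    entry = AUTHORIZED_MACS.get(request.get("Calling-Station-Id", ""))
    if entry is None:
        return "noop"
    reply.update(entry)
    return "ok"


def authorize(request: dict) -> tuple[str, dict]:
    """Model of the guide's authorize section: rewrite, lookup, then
    'if (!ok) { reject }' evaluated on the lookup's return code."""
    request = dict(request)  # do not mutate the caller's copy
    reply: dict = {}
    rewrite_calling_station_id(request)
    if authorized_macs(request, reply) != "ok":
        return "reject", {}
    return "accept", reply


def authorize_with_username_fallback(request: dict) -> tuple[str, dict]:
    """Hypothetical variant (not in the guide): when the NAS omits
    Calling-Station-Id but User-Name parses as a MAC, use User-Name as the
    station id. The NAS controls both values and neither is authenticated,
    so this only changes which unverified field is consulted."""
    request = dict(request)
    if "Calling-Station-Id" not in request and MAC_ADDR_RE.match(
        request.get("User-Name", "")
    ):
        request["Calling-Station-Id"] = request["User-Name"]
    return authorize(request)


if __name__ == "__main__":
    print(authorize(REQUEST_FROM_LOG))                         # ('reject', {})
    print(authorize_with_username_fallback(REQUEST_FROM_LOG))  # ('accept', {...})
```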

Related

InfluxDB refuses connection from telegraf when changing from HTTP to HTTPS

In my centos7 server, I have set up Telegraf and InfluxDB. InfluxDB successfully receives data from Telegraf and stores them in the database. But when I reconfigure both services to use https, I see the following error in Telegraf's logs
Dec 29 15:13:11 localhost.localdomain telegraf[31779]: 2020-12-29T13:13:11Z E! [outputs.influxdb] When writing to [https://127.0.0.1:8086]: Post "https://127.0.0.1:8086/write?db=GRAFANA": dial tcp 127.0.0.1:8086: connect: connection refused
Dec 29 15:13:11 localhost.localdomain telegraf[31779]: 2020-12-29T13:13:11Z E! [agent] Error writing to outputs.influxdb: could not write any address
InfluxDB doesn't show any errors in its logs.
Below is my telegraf.conf file:
[agent]
hostname = "local"
flush_interval = "15s"
interval = "15s"
# Input Plugins
[[inputs.cpu]]
percpu = true
totalcpu = true
collect_cpu_time = false
report_active = false
[[inputs.disk]]
ignore_fs = ["tmpfs", "devtmpfs", "devfs"]
[[inputs.io]]
[[inputs.mem]]
[[inputs.net]]
[[inputs.system]]
[[inputs.swap]]
[[inputs.netstat]]
[[inputs.processes]]
[[inputs.kernel]]
# Output Plugin InfluxDB
[[outputs.influxdb]]
database = "GRAFANA"
urls = [ "https://127.0.0.1:8086" ]
insecure_skip_verify = true
username = "telegrafuser"
password = "metricsmetricsmetricsmetrics"
And this is the uncommented [http] section of the influxdb.conf
# Determines whether HTTP endpoint is enabled.
enabled = false
# Determines whether the Flux query endpoint is enabled.
flux-enabled = true
# The bind address used by the HTTP service.
bind-address = ":8086"
# Determines whether user authentication is enabled over HTTP/HTTPS.
auth-enabled = false
# Determines whether HTTPS is enabled.
https-enabled = true
# The SSL certificate to use when HTTPS is enabled.
https-certificate = "/etc/ssl/server-cert.pem"
# Use a separate private key location.
https-private-key = "/etc/ssl/server-key.pem"
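An added checker, not part of the question: it reads the two excerpts above as flat key = value sections and reports the settings that explain the refused connection and weaken the TLS setup. The parser is a minimal stand-in for a TOML reader, and the finding messages are this example's wording, not InfluxDB or Telegraf output.

```python
import re

# Constructed copies of the excerpts in the question (uncommented keys only).
INFLUX_HTTP_SECTION = """\
# Determines whether HTTP endpoint is enabled.
enabled = false
flux-enabled = true
bind-address = ":8086"
auth-enabled = false
https-enabled = true
https-certificate = "/etc/ssl/server-cert.pem"
https-private-key = "/etc/ssl/server-key.pem"
"""

TELEGRAF_INFLUX_OUTPUT = """\
database = "GRAFANA"
urls = [ "https://127.0.0.1:8086" ]
insecure_skip_verify = true
username = "telegrafuser"
password = "metricsmetricsmetricsmetrics"
"""


def parse_section(text: str) -> dict:
    """Minimal reader for one flat TOML-style section: booleans, quoted
    strings and arrays of quoted strings; '#' starts a comment. Not a full
    TOML parser, it covers only what the two excerpts use."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value in ("true", "false"):
            settings[key] = value == "true"
        elif value.startswith("["):
            settings[key] = re.findall(r'"([^"]*)"', value)
        elif len(value) >= 2 and value[0] == value[-1] == '"':
            settings[key] = value[1:-1]
        else:
            settings[key] = value
    return settings


def check_pairing(influx_http: dict, telegraf_out: dict) -> list:
    """Findings for an InfluxDB 1.x [http] section paired with a Telegraf
    [[outputs.influxdb]] block, most severe first."""
    findings = []
    # [http] enabled defaults to true; false switches the HTTP(S) service off,
    # so nothing listens on bind-address and every connect is refused, which
    # is exactly the Telegraf error in the question.
    if influx_http.get("enabled", True) is False:
        findings.append("http.enabled=false: no listener on bind-address; set enabled = true")
    https = influx_http.get("https-enabled", False)
    for url in telegraf_out.get("urls", []):
        if https and url.startswith("http://"):
            findings.append(f"urls: {url} is plain HTTP but the server only speaks HTTPS")
        if not https and url.startswith("https://"):
            findings.append(f"urls: {url} is HTTPS but https-enabled is false")
    if not influx_http.get("auth-enabled", False):
        findings.append("auth-enabled=false: the Telegraf username/password are never "
                        "checked; set auth-enabled = true so they are enforced")
    if telegraf_out.get("insecure_skip_verify"):
        findings.append("insecure_skip_verify=true: Telegraf accepts any certificate; point "
                        "tls_ca at the CA that issued server-cert.pem and drop this setting")
    return findings


def findings_for_question() -> list:
    return check_pairing(parse_section(INFLUX_HTTP_SECTION),
                         parse_section(TELEGRAF_INFLUX_OUTPUT))


if __name__ == "__main__":
    for finding in findings_for_question():
        print(finding)
```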

FreeRADIUS radclient and radtest can't log in to the server with PAP

I'm trying to install a FreeRADIUS server locally and test that it's working correctly.
What I did:
downloaded the server (https://wiki.freeradius.org/building/macOS)
unzipped and ran
./configure --enable-developer --with-openssl=no
make
sudo make install
After that I tried to follow the tutorial (https://wiki.freeradius.org/guide/Basic-configuration-HOWTO) to set up PAP authentication. Basically I did this:
I created a file 'raddb/users' (without any extension)
Put the following content inside the 'users' file
bob Cleartext-Password := "hello"
ran /build/bin/radiusd -x
waited for 'Ready to process requests'
executed
radtest bob hello localhost 0 testing123
I also tried
echo "User-Name=bob,Cleartext-Password=hello" | /usr/local/bin/radclient localhost:1812 auth testing123
# or
echo "User-Name=bob,User-Password=hello" | /usr/local/bin/radclient localhost:1812 auth testing123
So, no matter what I try, I get the same result. In the console I get:
echo "User-Name=bob,Cleartext-Password=hello" | /usr/local/bin/radclient localhost:1812 auth testing123
Sent Access-Request Id 94 from 0.0.0.0:57710 to 127.0.0.1:1812 length 25
Received Access-Reject Id 94 from 127.0.0.1:1812 to 127.0.0.1:57710 length 20
(0) -: Expected Access-Accept got Access-Reject
radtest bob hello localhost 0 testing123
Sent Access-Request Id 89 from 0.0.0.0:61465 to 127.0.0.1:1812 length 73
User-Name = "bob"
User-Password = "hello"
NAS-IP-Address = 192.168.1.175
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "hello"
Received Access-Reject Id 89 from 127.0.0.1:1812 to 127.0.0.1:61465 length 20
(0) -: Expected Access-Accept got Access-Reject
In every case (with any command) I see these logs in the server's console:
(4) Received Access-Request Id 204 from 127.0.0.1:63640 to 127.0.0.1:1812 length 73
(4) User-Name = "bob"
(4) User-Password = "hello"
(4) NAS-IP-Address = 192.168.1.175
(4) NAS-Port = 0
(4) Message-Authenticator = 0x248b0163da0492fda522a592111071b8
(4) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /#[^#]*#/ ) {
(4) if (&User-Name =~ /#[^#]*#/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /#/) && (&User-Name !~ /#(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /#/) && (&User-Name !~ /#(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /#\./) {
(4) if (&User-Name =~ /#\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "#"
(4) suffix: No '#' in User-Name = "bob", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: No EAP-Message, not doing EAP
(4) [eap] = noop
(4) [files] = noop
(4) [expiration] = noop
(4) [logintime] = noop
(4) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(4) pap: WARNING: Authentication will fail unless a "known good" password is available
(4) [pap] = noop
(4) } # authorize = ok
(4) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(4) Failed to authenticate the user
(4) Using Post-Auth-Type Reject
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(4) Post-Auth-Type REJECT {
(4) attr_filter.access_reject: EXPAND %{User-Name}
(4) attr_filter.access_reject: --> bob
(4) attr_filter.access_reject: Matched entry DEFAULT at line 11
(4) [attr_filter.access_reject] = updated
(4) [eap] = noop
(4) policy remove_reply_message_if_eap {
(4) if (&reply:EAP-Message && &reply:Reply-Message) {
(4) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(4) else {
(4) [noop] = noop
(4) } # else = noop
(4) } # policy remove_reply_message_if_eap = noop
(4) } # Post-Auth-Type REJECT = updated
(4) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(4) Sending delayed response
(4) Sent Access-Reject Id 204 from 127.0.0.1:1812 to 127.0.0.1:63640 length 20
Waking up in 3.9 seconds.
(4) Cleaning up request packet ID 204 with timestamp +746
Ready to process requests
I see the warning there:
No "known good" password found for the user.
but I can't understand how to provide the password with this command, where I should put the 'users' file, or what I should put in it. I can't understand how I should connect to the running server with the 'radtest' or 'radclient' tools. Any help is welcome.

icinga2 notifications to cachet

I would like to share with you a way to send notifications from icinga2 to cachet via the API.
Icinga2 version : 2.4.10-1
Cachet version : 2.3.9
First of all, you have to know which component ID you want to use (in my case; you can also update a component by name).
To get the component ID, you can use the curl command:
curl --insecure --request GET --url https://URL/api/v1/components -H "X-Cachet-Token: TOKEN"
URL : The URL of your cachet installation
TOKEN : The Token of the member in Cachet
Create command in /etc/icinga2/conf.d/commands.conf
object NotificationCommand "cachet-incident-notification-v2" {
import "plugin-notification-command"
command = [ PluginDir + "/cachet-notification-v2.sh" ]
env = {
"SERVICESTATE" = "$service.state$"
}
}
Create notification template in /etc/icinga2/conf.d/templates.conf
template Notification "cachet-incident-notification-v2" {
command = "cachet-incident-notification-v2"
states = [ OK, Warning, Critical, Unknown ]
types = [ Problem, Acknowledgement, Recovery, Custom,
FlappingStart, FlappingEnd,
DowntimeStart, DowntimeEnd, DowntimeRemoved ]
/*
period = "24x7"
*/
interval = 0
}
Create notification in /etc/icinga2/conf.d/notifications.conf
apply Notification "cachet-incident-notification-v2" to Service {
import "cachet-incident-notification-v2"
user_groups = host.vars.notification.pager.groups
assign where service.vars.cachetv2 == "1" && host.vars.cachetv2 == "1"
interval = 0 # Disable Re-notification
}
Add variable in your check service in /etc/icinga2/conf.d/service/your/service.conf
[...]
vars.cachetv2 = "1"
[...]
Add variable in your host config file in /etc/icinga2/conf.d/hosts/your/host
[...]
vars.cachetv2 = "1"
[...]
Create the script in /usr/lib/nagios/plugins/cachet-notification-v2.sh
#!/bin/bash
# Some constants
NOW="$(date +'%d/%m/%Y')"
CACHETAPI_URL="https://URL/api/v1/components/<ID DU COMPOSANT>"
CACHETAPI_TOKEN="TOKEN><"
# Map icinga2 notification states to Cachet component statuses
# OK - 1 operational
# Warning - 3 Partial outage
# Critical - 4 Major outage
# Unknown - 2 Performance issues
case "$SERVICESTATE" in
    'OK')
        COMPONENT_STATUS=1
        ;;
    'WARNING')
        COMPONENT_STATUS=3
        ;;
    'CRITICAL')
        COMPONENT_STATUS=4
        ;;
    'UNKNOWN')
        COMPONENT_STATUS=2
        ;;
    *)
        # Empty or unexpected state: stop here rather than sending an empty status to Cachet
        echo "cachet-notification-v2: unknown SERVICESTATE '${SERVICESTATE}'" >&2
        exit 1
        ;;
esac
# -k skips TLS certificate verification (as --insecure did in the curl call above); drop it once the Cachet certificate is trusted by this host
curl -X PUT -H "Content-Type: application/json" -H "X-Cachet-Token: ${CACHETAPI_TOKEN}" -d '{"status": "'"${COMPONENT_STATUS}"'"}' "${CACHETAPI_URL}" -k
PS: Give the script execute permission.
Check the syntax and reload
/etc/init.d/icinga2 checkconfig && /etc/init.d/icinga2 reload
The result:
When your check results in "CRITICAL", the status in Cachet will be MAJOR ISSUE
When your check results in "WARNING", the status in Cachet will be PARTIAL ISSUE
When your check results in "OK", the status in Cachet will be OPERATIONAL
When your check results in "UNKNOWN", the status in Cachet will be PERFORMANCE DELAY
I hope it will help.
Nicolas B.

server-derived role based on FilterId using freeradius not working

I'm setting up a wireless lab. User guest123 with password guest123
authenticates over wireless using 802.1X authentication. FreeRadius should
also return FilterId=>labguest. A rule at the wireless controller sets the
user role to whatever FilterId is returned during the RADIUS exchange.
Instead, the request/response churns ten times, and the user is assigned the
default role, "authenticated".
The brief questions before launching into details are: what am I doing wrong,
and is there an automated tool to parse through FreeRADIUS -X output and
produce recommendations?
Simple command line tests from the wireless controller and freeradius show
both authentication and returned attributes.
Here's the part that works
From freeradius:
root#ubuntu/etc/freeradius# radtest guest123 guest123 localhost 0 testing123
User-Name = "guest123"
User-Password = "guest123"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "guest123"
Received Access-Accept Id 184 from 127.0.0.1:1812 to 0.0.0.0:0 length 36
Service-Type = Framed-User
Filter-Id = "labguest"
From Aruba controller:
The role "labguest" is defined here:
user-role labguest
access-list session global-sacl
access-list session apprf-labguest-sacl
access-list session "Cant ping controller"
access-list session allowall
access-list session v6-allowall
The rule to assign user role based on FilterId is here:
aaa server-group "lab-emp_srvgrp-kqh72"
auth-server radius1
set role condition Filter-Id value-of
Here's the part that is broken
After authenticating over wireless and 802.1X, the user receives the default
802.1X role, "authenticated" rather than "labguest".
(Master1) # show user mac 44:39:c4:59:e5:64
Name: guest123, IP: 192.168.16.23, MAC: 44:39:c4:59:e5:64, Age: 00:00:05
Role: authenticated (how: ROLE_DERIVATION_DOT1X), ACL: 70/0
Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: radius1
Authentication Servers: dot1x authserver: radius1, mac authserver:
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: ROLE_DERIVATION_DOT1X
VLAN Derivation: Default VLAN
FreeRADIUS Version 3.0.15
<<<deleted debug output>>>
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# server default
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 50900
Listening on proxy address :: port 60069
Ready to process requests
(0) Received Access-Request Id 42 from 192.168.18.254:40607 to 192.168.18.249:1812 length 175
(0) User-Name = "guest123"
(0) NAS-IP-Address = 192.168.18.254
(0) NAS-Port = 0
(0) NAS-Identifier = "192.168.18.254"
(0) NAS-Port-Type = Wireless-802.11
(0) Calling-Station-Id = "4439C459E564"
(0) Called-Station-Id = "000B86BE91F0"
(0) Service-Type = Framed-User
(0) Framed-MTU = 1100
(0) EAP-Message = 0x0202000d016775657374313233
(0) Aruba-Essid-Name = "lab-emp"
(0) Aruba-Location-Id = "AP1"
(0) Aruba-AP-Group = "lab1"
(0) Message-Authenticator = 0x6780aa98cfe6f147e8334301882c9c1f
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /#[^#]*#/ ) {
(0) if (&User-Name =~ /#[^#]*#/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /#/) && (&User-Name !~ /#(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /#/) && (&User-Name !~ /#(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /#\./) {
(0) if (&User-Name =~ /#\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "#"
(0) suffix: No '#' in User-Name = "guest123", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 2 length 13
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_ttls to process data
(0) eap_ttls: Initiating new EAP-TLS session
(0) eap_ttls: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 3 length 6
(0) eap: EAP session adding &reply:State = 0xedb76556edb4700e
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 42 from 192.168.18.249:1812 to 192.168.18.254:40607 length 0
(0) EAP-Message = 0x010300061520
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xedb76556edb4700e88dcdd844646037b
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 43 from 192.168.18.254:40607 to 192.168.18.249:1812 length 186
(1) User-Name = "guest123"
(1) NAS-IP-Address = 192.168.18.254
(1) NAS-Port = 0
(1) NAS-Identifier = "192.168.18.254"
(1) NAS-Port-Type = Wireless-802.11
(1) Calling-Station-Id = "4439C459E564"
(1) Called-Station-Id = "000B86BE91F0"
(1) Service-Type = Framed-User
(1) Framed-MTU = 1100
(1) EAP-Message = 0x020300060319
(1) State = 0xedb76556edb4700e88dcdd844646037b
(1) Aruba-Essid-Name = "lab-emp"
(1) Aruba-Location-Id = "AP1"
(1) Aruba-AP-Group = "lab1"
(1) Message-Authenticator = 0xfe39826a334b5ddbe8fa4012037a87d8
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /#[^#]*#/ ) {
(1) if (&User-Name =~ /#[^#]*#/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /#/) && (&User-Name !~ /#(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /#/) && (&User-Name !~ /#(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /#\./) {
(1) if (&User-Name =~ /#\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "#"
(1) suffix: No '#' in User-Name = "guest123", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 3 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) files: users: Matched entry guest123 at line 82
(1) [files] = ok
(1) sql: EXPAND %{User-Name}
(1) sql: --> guest123
(1) sql: SQL-User-Name set to 'guest123'
rlm_sql (sql): Reserved connection (0)
(1) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'guest123' ORDER BY id
(1) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'guest123' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
(1) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(1) sql: --> SELECT groupname FROM radusergroup WHERE username = 'guest123' ORDER BY priority
(1) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'guest123' ORDER BY priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 1
(1) sql: User not found in any groups
rlm_sql (sql): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_postgresql: Connecting using parameters: dbname=radius host=localhost user=radius password=********
Connected to database 'radius' on 'localhost' server version 90510, protocol version 3, backend PID 1714
(1) [sql] = notfound
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: WARNING: Auth-Type already set. Not setting to PAP
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0xedb76556edb4700e
(1) eap: Finished EAP session with state 0xedb76556edb4700e
(1) eap: Previous EAP request found for state 0xedb76556edb4700e, released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Initiating new EAP-TLS session
(1) eap_peap: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 4 length 6
(1) eap: EAP session adding &reply:State = 0xedb76556ecb37c0e
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 43 from 192.168.18.249:1812 to 192.168.18.254:40607 length 0
(1) Service-Type = Framed-User
(1) Framed-Filter-Id = "labguest"
(1) EAP-Message = 0x010400061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0xedb76556ecb37c0e88dcdd844646037b
(1) Finished request
Waking up in 4.9 seconds.
<<<deleted generally repeating debug output>>>
(10) Received Access-Request Id 52 from 192.168.18.254:40607 to 192.168.18.249:1812 length 223
(10) User-Name = "guest123"
(10) NAS-IP-Address = 192.168.18.254
(10) NAS-Port = 0
(10) NAS-Identifier = "192.168.18.254"
(10) NAS-Port-Type = Wireless-802.11
(10) Calling-Station-Id = "4439C459E564"
(10) Called-Station-Id = "000B86BE91F0"
(10) Service-Type = Framed-User
(10) Framed-MTU = 1100
(10) EAP-Message = 0x020c002b190017030100209568f164a54cf0e2aa3c<<<more deleted>>>
(10) State = 0xedb76556e4bb7c0e88dcdd844646037b
(10) Aruba-Essid-Name = "lab-emp"
(10) Aruba-Location-Id = "AP1"
(10) Aruba-AP-Group = "lab1"
(10) Message-Authenticator = 0x2277c43d40495abc84afcfee2d7af56b
(10) session-state: No cached attributes
(10) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(10) authorize {
(10) policy filter_username {
(10) if (&User-Name) {
(10) if (&User-Name) -> TRUE
(10) if (&User-Name) {
(10) if (&User-Name =~ / /) {
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /#[^#]*#/ ) {
(10) if (&User-Name =~ /#[^#]*#/ ) -> FALSE
(10) if (&User-Name =~ /\.\./ ) {
(10) if (&User-Name =~ /\.\./ ) -> FALSE
(10) if ((&User-Name =~ /#/) && (&User-Name !~ /#(.+)\.(.+)$/)) {
(10) if ((&User-Name =~ /#/) && (&User-Name !~ /#(.+)\.(.+)$/)) -> FALSE
(10) if (&User-Name =~ /\.$/) {
(10) if (&User-Name =~ /\.$/) -> FALSE
(10) if (&User-Name =~ /#\./) {
(10) if (&User-Name =~ /#\./) -> FALSE
(10) } # if (&User-Name) = notfound
(10) } # policy filter_username = notfound
(10) [preprocess] = ok
(10) [chap] = noop
(10) [mschap] = noop
(10) [digest] = noop
(10) suffix: Checking for suffix after "#"
(10) suffix: No '#' in User-Name = "guest123", looking up realm NULL
(10) suffix: No such realm "NULL"
(10) [suffix] = noop
(10) eap: Peer sent EAP Response (code 2) ID 12 length 43
(10) eap: Continuing tunnel setup
(10) [eap] = ok
(10) } # authorize = ok
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/freeradius/sites-enabled/default
(10) authenticate {
(10) eap: Expiring EAP session with state 0xedb76556e4bb7c0e
(10) eap: Finished EAP session with state 0xedb76556e4bb7c0e
(10) eap: Previous EAP request found for state 0xedb76556e4bb7c0e, released from the list
(10) eap: Peer sent packet with method EAP PEAP (25)
(10) eap: Calling submodule eap_peap to process data
(10) eap_peap: Continuing EAP-TLS
(10) eap_peap: [eaptls verify] = ok
(10) eap_peap: Done initial handshake
(10) eap_peap: [eaptls process] = ok
(10) eap_peap: Session established. Decoding tunneled attributes
(10) eap_peap: PEAP state send tlv success
(10) eap_peap: Received EAP-TLV response
(10) eap_peap: Success
(10) eap: Sending EAP Success (code 3) ID 12 length 4
(10) eap: Freeing handler
(10) [eap] = ok
(10) } # authenticate = ok
(10) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
(10) post-auth {
(10) update {
(10) No attributes updated
(10) } # update = noop
(10) sql: EXPAND .query
(10) sql: --> .query
(10) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(10) sql: EXPAND %{User-Name}
(10) sql: --> guest123
(10) sql: SQL-User-Name set to 'guest123'
(10) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(10) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'guest123', ', 'Access-Accept', '2017-12-06 05:15:26')
(10) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'guest123', ', 'Access-Accept', '2017-12-06 05:15:26')
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
(10) sql: SQL query returned: success
(10) sql: 1 record(s) updated
rlm_sql (sql): Released connection (4)
(10) [sql] = ok
(10) [exec] = noop
(10) policy remove_reply_message_if_eap {
(10) if (&reply:EAP-Message && &reply:Reply-Message) {
(10) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(10) else {
(10) [noop] = noop
(10) } # else = noop
(10) } # policy remove_reply_message_if_eap = noop
(10) } # post-auth = ok
(10) Sent Access-Accept Id 52 from 192.168.18.249:1812 to 192.168.18.254:40607 length 0
(10) MS-MPPE-Recv-Key = 0xa5ded2c64f1026f75e105877bcc5715f3712051d16c7977a680fd50a2bd53352
(10) MS-MPPE-Send-Key = 0x5ccf08fba6d8803a9ac0478c8b02bd8c9ea5829c6c3d389410eed4f36fb06692
(10) EAP-Message = 0x030c0004
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) User-Name = "guest123"
(10) Finished request
Waking up in 4.8 seconds.
(0) Cleaning up request packet ID 42 with timestamp +29
(1) Cleaning up request packet ID 43 with timestamp +29
(2) Cleaning up request packet ID 44 with timestamp +29
(3) Cleaning up request packet ID 45 with timestamp +29
(4) Cleaning up request packet ID 46 with timestamp +29
(5) Cleaning up request packet ID 47 with timestamp +29
(6) Cleaning up request packet ID 48 with timestamp +29
(7) Cleaning up request packet ID 49 with timestamp +29
(8) Cleaning up request packet ID 50 with timestamp +29
(9) Cleaning up request packet ID 51 with timestamp +29
(10)) Cleaning up request packet ID 52 with timestamp +29
Ready to process requests
Expected result:
(Master1) # show user mac 44:39:c4:59:e5:64
Name: guest123, IP: 192.168.16.23, MAC: 44:39:c4:59:e5:64, Age: 00:00:05
Role: labguest (how: ROLE_DERIVATION_DOT1X_SDR)
Actual result:
(Master1) # show user mac 44:39:c4:59:e5:64
Name: guest123, IP: 192.168.16.23, MAC: 44:39:c4:59:e5:64, Age: 00:00:05
Role: authenticated (how: ROLE_DERIVATION_DOT1X)
I posted to the Aruba Airheads blog, and then opened a case with Aruba/HPE support. After analyzing logs and packet capture, the Aruba/HPE support engineer said,
"I would like to inform you that I went through the packet captures and I have attached the screenshots from the same based on what we observed;
As seen in the CP-Accept screenshot, we see the Radius Accept, for when the user was authenticating with Captive Portal. We see in the accept packet, that the server is sending the attribute 'labguest' to the controller for the user role to be assigned.
In the case of Dot1x-Accept screenshot, we do not see any attribute being sent by the server in the accept packet for when the user was authenticating with dot1x authentication.
Please check on the server end if we need to enable sending attribute for MSCHAPv2 along with the PAP protocol, or if there are any specific configurations on the server that are handling the attributes to be sent based on the authentication type."
I then posted to the FreeRADIUS user list. Response:
“The solution is to move the "files" module to before "eap". Edit sites-enabled/default. Look at the "authorize" section.”
That works. Excerpt of edited sites-enabled/default:
#
# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
# authentication.
#
# It also sets the EAP-Type attribute in the request
# attribute list to the EAP type from the packet.
#
# The EAP module returns "ok" or "updated" if it is not yet ready
# to authenticate the user. The configuration below checks for
# "ok", and stops processing the "authorize" section if so.
#
# Any LDAP and/or SQL servers will not be queried for the
# initial set of packets that go back and forth to set up
# TTLS or PEAP.
#
# The "updated" check is commented out for compatibility with
# previous versions of this configuration, but you may wish to
# uncomment it as well; this will further reduce the number of
# LDAP and/or SQL queries for TTLS or PEAP.
#
files
eap {
ok = return
# updated = return
}
#
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
# using the system API's to get the password. If you want
# to read /etc/passwd or /etc/shadow directly, see the
# mods-available/passwd module.
#
# unix
#
# Read the 'users' file. In v3, this is located in
# raddb/mods-config/files/authorize
# files
Tests from Aruba controller:
(Master1) #aaa test-server mschapv2 radius1 guest123 guest123 verbose
Authentication Successful
Processing time (ms) : 6.407
Attribute value pairs in request
--------------------------------
Vendor Attribute Value
------ --------- -----
NAS-IP-Address 192.168.18.254
NAS-Port-Id 0
NAS-Port-Type Wireless-IEEE802.11
User-Name guest123
Service-Type Login-User
Calling-Station-Id 0.0.0.0
Called-Station-Id 000B86BE91F0
Microsoft MS-CHAP-Challenge \032\241\007[\002(\\321j5\001v\221lf\236
Microsoft MS-CHAP2-Response
Aruba Aruba-Essid-Name
Aruba Aruba-Location-Id N/A
Aruba Aruba-AP-Group N/A
Aruba Aruba-Device-Type
Message-Auth I\365\262\357\365o{s\264\270\246\022Cz\264-
PW_RADIUS_ID H
Rad-Length 199
Attribute value pairs in response
---------------------------------
Vendor Attribute Value
------ --------- -----
Service-Type Framed-User
Filter-Id labguest
Microsoft MS-CHAP2-Success
Microsoft MS-MPPE-Recv-Key \205g8\374\333\260\031\306\3379\321\220\273\273\355\024\277\210Q\003\226\004M>\372\307p6\273&\322\231N\253
Microsoft MS-MPPE-Send-Key \215\277d\301f\207A\215!\376\345.\324\177BM\364\310\251p\263\224\315 \012\001\035:\327\253\314\016\026\243
Microsoft MS-MPPE-Encryption-Policy
Microsoft MS-MPPE-Encryption-Types
PW_RADIUS_ID H
Rad-Length 195
PW_RADIUS_CODE \002
PW_RAD_AUTHENTICATOR }\203!\353\244}\215,\216\203J]\027\247\325\272
(Master1) # show user mac fc:c2:de:13:d6:15
Name: guest123, IP: 192.168.16.3, MAC: fc:c2:de:13:d6:15, Age: 00:00:00
Role: labguest (how: ROLE_DERIVATION_DOT1X_SDR), ACL: 71/0
Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: radius1
Authentication Servers: dot1x authserver: radius1, mac authserver:
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: ROLE_DERIVATION_DOT1X_SDR
VLAN Derivation: Default VLAN
Note that the edit to sites-enabled/default was after a clean FreeRADIUS install, not a correction to any monkeying.
If this attribute is set by a RADIUS server to which FreeRADIUS has to proxy, you have to modify the files
mods-config/attr_filter/pre-proxy and post-proxy
adding, among the attributes that you have to proxy, also:
Filter-Id =* ANY

Configuring FreeRadius with LDAP for WPA2 Enterprise

I need help configuring freeradius with WPA2 Enterprise via LDAP.
LDAP normally works for other services, however, it does not work for WPA2E.
We have also managed WPA2E to work with hard coded username/password fine. So we know all the components on their own work, but do not work together.
We have the freeradius server configured fine to work with the LDAP service.
Any help is appreciated
Here is my ldap setting for the FreeRADIUS modules/ldap file (mostly irrelevant for this issue)
ldap {
server = "ldapmaster.domain.com,ldapslave.domain.com"
identity = "uid=binder,ou=services,dc=security,dc=domain,dc=com"
password = asdfasdfasdf
basedn = "ou=internal,ou=users,dc=security,dc=domain,dc=com"
filter = "(mail=%{%{Stripped-User-Name}:-%{User-Name}})"
ldap_connections_number = 5
max_uses = 0
timeout = 4
timelimit = 3
net_timeout = 1
tls {
start_tls = yes
require_cert = "never"
}
dictionary_mapping = ${confdir}/ldap.attrmap
password_attribute = userPassword
edir_account_policy_check = no
keepalive {
idle = 60
probes = 3
interval = 3
}
}
Also have the following setup for eap.conf
eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
md5 {
}
leap {
}
gtc {
auth_type = PAP
}
tls {
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_password = whatever
private_key_file = ${certdir}/server.key
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem
dh_file = ${certdir}/dh
random_file = /dev/urandom
CA_path = ${cadir}
cipher_list = "DEFAULT"
make_cert_command = "${certdir}/bootstrap"
cache {
enable = no
max_entries = 255
}
verify {
}
}
ttls {
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
mschapv2 {
}
}
Also have two sites enabled, default and inner-tunnel:
default
authorize {
preprocess
suffix
eap {
ok = return
}
expiration
logintime
ldap
}
authenticate {
eap
ldap
}
inner-tunnel
authorize {
mschap
update control {
Proxy-To-Realm := LOCAL
}
eap {
ok = return
}
expiration
ldap
logintime
}
authenticate {
Auth-Type MS-CHAP {
mschap
}
eap
ldap
}
Here is a sample log I am seeing in the debug logs:
https://gist.github.com/anonymous/10483144
You appear to have removed the symlink between sites-available/inner-tunnel and sites-enabled/inner-tunnel.
If you look in the log it's complaining it can't find the inner-tunnel server, which it requires to perform MSCHAPv2 auth in the TLS tunnel of the PEAP authentication.
server {
PEAP: Setting User-Name to emre#domain.com
Sending tunneled request
EAP-Message = 0x0205001a01656d72654071756269746469676974616c2e636f6d
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "emre#domain.com"
server inner-tunnel {
No such virtual server "inner-tunnel"
} # server inner-tunnel
You add the symlink back, and list the ldap module at the top of the authorize section in the inner-tunnel server. You will also need to map the attribute holding the user's Cleartext-Password to the User-Password attribute, using the ldap attrmap file.
If you do not have the user's Cleartext-Password in the directory (for example if it's hashed), then you should use EAP-TTLS-PAP, and list the LDAP module in the authenticate section of the inner-tunnel server, then add:
if (User-Password) {
update control {
Auth-Type := LDAP
}
}
to the authorize section of the inner-tunnel server.
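As an added check, not from the thread or from the FreeRADIUS project, the POSIX shell script below verifies that every virtual server the EAP module points at (the `virtual_server = "..."` lines under ttls/peap) is actually present in sites-enabled, which is the condition behind the "No such virtual server" line in the log above. It assumes the EAP config lives at `<raddb>/mods-enabled/eap` (v3) or `<raddb>/eap.conf` (v2), and the raddb tree it runs against is constructed inline to reproduce the missing symlink.

```shell
#!/bin/sh
# Added example (not the thread's or the project's code): confirm that every
# virtual server referenced by the EAP module is enabled under sites-enabled.

# Locate the EAP module configuration inside a raddb directory (v3 or v2 layout).
eap_config() {
    if [ -f "$1/mods-enabled/eap" ]; then echo "$1/mods-enabled/eap"; else echo "$1/eap.conf"; fi
}

# List the virtual servers named by virtual_server = "name" lines, one per line.
eap_virtual_servers() {
    sed -n 's/^[[:space:]]*virtual_server[[:space:]]*=[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*/\1/p' \
        "$(eap_config "$1")" | sort -u
}

# Return 0 when every referenced server exists in sites-enabled (a dangling
# symlink counts as missing); otherwise report each missing one and return 1.
check_inner_servers() {
    raddb=$1; rc=0
    for vs in $(eap_virtual_servers "$raddb"); do
        if [ ! -e "$raddb/sites-enabled/$vs" ]; then
            echo "missing: sites-enabled/$vs is referenced by the eap module but not enabled" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample raddb tree reproducing the poster's state: inner-tunnel
# exists in sites-available but its sites-enabled symlink has been removed.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/mods-enabled" "$d/sites-available" "$d/sites-enabled"
    printf 'eap {\n\tttls {\n\t\tvirtual_server = "inner-tunnel"\n\t}\n\tpeap {\n\t\tvirtual_server = "inner-tunnel"\n\t}\n}\n' \
        > "$d/mods-enabled/eap"
    : > "$d/sites-available/default"
    : > "$d/sites-available/inner-tunnel"
    ln -s ../sites-available/default "$d/sites-enabled/default"
    echo "$d"
}

# Stand-alone run: report the missing link, then print the repair the answer describes.
tree=$(demo_tree)
check_inner_servers "$tree" || echo "repair: ln -s ../sites-available/inner-tunnel $tree/sites-enabled/inner-tunnel"
```

Run it against the real raddb directory (e.g. `check_inner_servers /etc/freeradius`) before restarting the daemon; a non-zero exit means the inner server PEAP or TTLS expects is not enabled.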