[eduVPN-deploy] Challenges with Authentication using RADIUS
John S. Saruni
jsaruni at kenet.or.ke
Tue Jan 26 09:17:16 CET 2021
Dear Kooman/Listers,
I hope you are well. We have set up RADIUS authentication using LDAP and configured our eduVPN instance as a client on the RADIUS. However, any authentication requests from the eduVPN instance fail per the log below. Any ideas will be highly appreciated.
(0) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log: --> /var/log/freeradius/radacct/xx.xx.xx.xx/auth-detail-20210126
(0) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/xx.xx.xx.xx/auth-detail-20210126
(0) auth_log: EXPAND %t
(0) auth_log: --> Tue Jan 26 09:49:58 2021
(0) [auth_log] = ok
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "kenet.or.ke" for User-Name = "jsaruni at kenet.or.ke"
(0) suffix: Found realm "kenet.or.ke"
(0) suffix: Adding Stripped-User-Name = "jsaruni"
(0) suffix: Adding Realm = "kenet.or.ke"
(0) suffix: Authentication realm is LOCAL
(0) [suffix] = ok
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/eduroam
(0) Post-Auth-Type REJECT {
(0) reply_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
(0) reply_log: --> /var/log/freeradius/radacct/xx.xx.xx.xx/reply-detail-20210126
(0) reply_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/xx.xx.xx.xx/reply-detail-20210126
(0) reply_log: EXPAND %t
(0) reply_log: --> Tue Jan 26 09:49:58 2021
(0) [reply_log] = ok
(0) f_ticks: EXPAND f_ticks.%{%{reply:Packet-Type}:-format}
(0) f_ticks: --> f_ticks.Access-Reject
(0) f_ticks: EXPAND F-TICKS/eduroam/1.0#REALM=%{Realm}#VISCOUNTRY=KE#VISINST=%{Operator-Name}#CSI=%{Calling-Station-Id}#RESULT=FAIL#
(0) f_ticks: --> F-TICKS/eduroam/1.0#REALM=kenet.or.ke#VISCOUNTRY=KE#VISINST=1kenet.or.ke#CSI=#RESULT=FAIL#
(0) f_ticks: EXPAND /var/log/freeradius/f_ticks/f_ticks.log
(0) f_ticks: --> /var/log/freeradius/f_ticks/f_ticks.log
(0) [f_ticks] = ok
(0) } # Post-Auth-Type REJECT = ok
(0) Sent Access-Reject Id 245 from yy.yy.yy.yy:1812 to xx.xx.xx.xx:29807 length 0
(0) Proxy-State = 0x313630
(0) Finished request
Regards,
John Saruni,
KENET TEAM.
Tel: +254-732150500 / +254-703044500
https://www.kenet.or.ke
https://cert.kenet.or.ke
“If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked.” — Richard Clarke
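Added example, not part of the original message and not eduVPN or FreeRADIUS project code: a small Python triage of debug output in the shape quoted above. It groups module return codes by request number and section and lists the requests rejected with "No Auth-Type found" together with the modules that ran in authorize. The sample text, the second request and the function names are constructed for illustration.

```python
import re

# Constructed sample: (0) reuses lines quoted above; (1) is invented for contrast.
SAMPLE = """\
(0) [auth_log] = ok
(0) [suffix] = ok
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) [reply_log] = ok
(0) } # Post-Auth-Type REJECT = ok
(0) Sent Access-Reject Id 245 from yy.yy.yy.yy:1812 to xx.xx.xx.xx:29807 length 0
(1) [suffix] = ok
(1) [pap] = updated
(1) } # authorize = updated
(1) Sent Access-Accept Id 246 from yy.yy.yy.yy:1812 to xx.xx.xx.xx:29807 length 0
"""

LINE = re.compile(r"^\((\d+)\)\s*(.*)$")
MODULE = re.compile(r"^\[([\w.-]+)\] = (\w+)$")
# Only top-level sections close a group; nested "} # if ..." lines are ignored.
SECTION = re.compile(r"^\} # (authorize|authenticate|post-auth|Post-Auth-Type \w+) = \w+$")
SENT = re.compile(r"^Sent (Access-\w+) Id \d+")

def triage(text):
    """Group debug lines by request number: modules per section, errors, reply."""
    reqs = {}
    for raw in text.splitlines():
        if not (m := LINE.match(raw.strip())):
            continue
        body = m[2].strip()
        r = reqs.setdefault(int(m[1]), {"open": [], "sections": {}, "errors": [], "reply": None})
        if mod := MODULE.match(body):
            r["open"].append(mod.groups())
        elif sec := SECTION.match(body):
            r["sections"][sec.group(1)], r["open"] = r["open"], []
        elif body.startswith("ERROR:"):
            r["errors"].append(body[len("ERROR:"):].strip())
        elif sent := SENT.match(body):
            r["reply"] = sent.group(1)
    return reqs

def rejected_without_auth_type(text):
    """Map request number -> authorize modules that ran, for 'No Auth-Type' rejects."""
    return {rid: r["sections"].get("authorize", []) for rid, r in triage(text).items()
            if r["reply"] == "Access-Reject" and any("No Auth-Type found" in e for e in r["errors"])}

print(rejected_without_auth_type(SAMPLE))
```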