[eduVPN-deploy] Challenges with Authentication using RADIUS

John S. Saruni jsaruni at kenet.or.ke
Tue Jan 26 09:17:16 CET 2021


Dear Kooman/Listers, 

I hope you are well. We have set up RADIUS authentication using LDAP and configured our eduVPN instance as a client on the RADIUS. However, any authentication requests from the eduVPN instance fail per the log below. Any ideas will be highly appreciated. 

(0) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d 
(0) auth_log: --> /var/log/freeradius/radacct/xx.xx.xx.xx/auth-detail-20210126 
(0) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/xx.xx.xx.xx/auth-detail-20210126 
(0) auth_log: EXPAND %t 
(0) auth_log: --> Tue Jan 26 09:49:58 2021 
(0) [auth_log] = ok 
(0) suffix: Checking for suffix after "@" 
(0) suffix: Looking up realm "kenet.or.ke" for User-Name = "jsaruni at kenet.or.ke" 
(0) suffix: Found realm "kenet.or.ke" 
(0) suffix: Adding Stripped-User-Name = "jsaruni" 
(0) suffix: Adding Realm = "kenet.or.ke" 
(0) suffix: Authentication realm is LOCAL 
(0) [suffix] = ok 
(0) eap: No EAP-Message, not doing EAP 
(0) [eap] = noop 
(0) } # authorize = ok 
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject 
(0) Failed to authenticate the user 
(0) Using Post-Auth-Type Reject 
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/eduroam 
(0) Post-Auth-Type REJECT { 
(0) reply_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d 
(0) reply_log: --> /var/log/freeradius/radacct/xx.xx.xx.xx/reply-detail-20210126 
(0) reply_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/xx.xx.xx.xx/reply-detail-20210126 
(0) reply_log: EXPAND %t 
(0) reply_log: --> Tue Jan 26 09:49:58 2021 
(0) [reply_log] = ok 
(0) f_ticks: EXPAND f_ticks.%{%{reply:Packet-Type}:-format} 
(0) f_ticks: --> f_ticks.Access-Reject 
(0) f_ticks: EXPAND F-TICKS/eduroam/1.0#REALM=%{Realm}#VISCOUNTRY=KE#VISINST=%{Operator-Name}#CSI=%{Calling-Station-Id}#RESULT=FAIL# 
(0) f_ticks: --> F-TICKS/eduroam/1.0#REALM=kenet.or.ke#VISCOUNTRY=KE#VISINST=1kenet.or.ke#CSI=#RESULT=FAIL# 
(0) f_ticks: EXPAND /var/log/freeradius/f_ticks/f_ticks.log 
(0) f_ticks: --> /var/log/freeradius/f_ticks/f_ticks.log 
(0) [f_ticks] = ok 
(0) } # Post-Auth-Type REJECT = ok 
(0) Sent Access-Reject Id 245 from yy.yy.yy.yy:1812 to xx.xx.xx.xx:29807 length 0 
(0) Proxy-State = 0x313630 
(0) Finished request 

Regards, 
John Saruni, 
KENET TEAM. 

Tel: +254-732150500 / +254-703044500 

https://www.kenet.or.ke 
https://cert.kenet.or.ke 



“If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked." — Richard Clarke 
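
Added example (not part of the original post, and not eduVPN or FreeRADIUS project code): a short Python script that reads FreeRADIUS debug output like the log above, lists each module's return code under the section it ran in, and flags a reject caused by the "No Auth-Type found" error. The function names are hypothetical, and SAMPLE is a subset of the lines quoted in the post.

```python
import re
from collections import defaultdict

# Subset of the debug output quoted in the post (request 0).
SAMPLE = """\
(0) [auth_log] = ok
(0) [suffix] = ok
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Post-Auth-Type REJECT {
(0) [reply_log] = ok
(0) [f_ticks] = ok
(0) } # Post-Auth-Type REJECT = ok
(0) Sent Access-Reject Id 245 from yy.yy.yy.yy:1812 to xx.xx.xx.xx:29807 length 0
"""

MODULE = re.compile(r"^\((\d+)\)\s+\[([\w.-]+)\] = (\w+)\s*$")
SECTION_END = re.compile(r"^\((\d+)\)\s+\} # (.+?) = (\w+)\s*$")
ERROR = re.compile(r"^\((\d+)\)\s+ERROR: (.+?)\s*$")
SENT = re.compile(r"^\((\d+)\)\s+Sent (\S+) Id \d+")

def summarize(text):
    """Return {request_id: {"sections", "errors", "reply"}} from debug output."""
    reqs = defaultdict(lambda: {"sections": {}, "errors": [], "reply": None})
    pending = defaultdict(list)  # module results seen since the last section close
    for line in text.splitlines():
        if m := MODULE.match(line):
            pending[m[1]].append((m[2], m[3]))
        elif m := SECTION_END.match(line):
            # Attribute modules to the section that closes after them, so an
            # excerpt that starts mid-section (as the post's does) still works.
            reqs[m[1]]["sections"][m[2]] = pending.pop(m[1], [])
        elif m := ERROR.match(line):
            reqs[m[1]]["errors"].append(m[2])
        elif m := SENT.match(line):
            reqs[m[1]]["reply"] = m[2]
    return dict(reqs)

def rejected_without_auth_type(req):
    """True when the reply is a reject and the log says no Auth-Type was found."""
    return req["reply"] == "Access-Reject" and any(
        e.startswith("No Auth-Type found") for e in req["errors"])

if __name__ == "__main__":
    for rid, req in summarize(SAMPLE).items():
        print(rid, req["sections"], "no Auth-Type:", rejected_without_auth_type(req))
```
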