LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 02-23-2011, 02:08 AM   #16
sinojissac
LQ Newbie
 
Registered: Feb 2011
Posts: 2

Rep: Reputation: 0
Freeradius initial tests


I had this problem while doing the initial tests from http://freeradius.org/doc/:
[sinoj@localhost bin]$ sudo ./radtest testing password 127.0.0.1 0 testing123
[sudo] password for sinoj:
Sending Access-Request of id 255 to 127.0.0.1 port 1812
User-Name = "testing"
User-Password = "password"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=255, length=20

Then I used the system user name "root" and its password instead of "testing" & "password", and updated /etc/raddb/users with the system user name and password:
[sinoj@localhost bin]$ ./radtest root welcome123 127.0.0.1 0 testing123
Sending Access-Request of id 114 to 127.0.0.1 port 1812
User-Name = "root"
User-Password = "welcome123"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=114, length=20


It worked!!!
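What radtest is doing on the wire in the two runs above, as an added example that is not part of the post or of FreeRADIUS: an Access-Request with the four attributes radtest printed, the User-Password hidden under PAP with the shared secret (RFC 2865 section 5.2), and the Response Authenticator check a client performs before trusting an Access-Accept or Access-Reject (the 20-byte reject in the post is a reply with no attributes). All values are constructed; nothing is sent over the network.

```python
import hashlib
import os
import struct
def pap_encrypt(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2: NUL-pad to 16n bytes; block_i ^= MD5(secret + previous block), seeded by the Request Authenticator."""
    password = password.ljust(-(-len(password) // 16) * 16, b"\0")
    out, prev = b"", req_auth
    for i in range(0, len(password), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(password[i:i + 16], key))
        out += prev
    return out

def pap_decrypt(cipher: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side: regenerate the same keystream, XOR back, strip the padding."""
    out, prev = b"", req_auth
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\0")

def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value  # Type, Length, Value
def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def build_access_request(ident, user, password, nas_ip, nas_port, secret, req_auth=None):
    """Code 1 packet with the four attributes radtest printed in the post."""
    req_auth = req_auth or os.urandom(16)  # must be unpredictable for every request
    attrs = (attr(1, user.encode())                                       # User-Name
             + attr(2, pap_encrypt(password.encode(), secret, req_auth))  # User-Password
             + attr(4, bytes(int(o) for o in nas_ip.split(".")))          # NAS-IP-Address
             + attr(5, struct.pack("!I", nas_port)))                      # NAS-Port
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def build_reply(code, ident, req_auth, secret, attrs=b""):
    """Access-Accept (2) / Access-Reject (3): Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hdr + hashlib.md5(hdr + req_auth + attrs + secret).digest() + attrs

def verify_reply(reply: bytes, req_auth: bytes, secret: bytes) -> bool:
    """What radtest checks before trusting a reply; a wrong secret or a tampered reply fails."""
    hdr, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    return hashlib.md5(hdr + req_auth + attrs + secret).digest() == resp_auth
```

The shared secret is the only thing protecting the password and the reply on the wire, which is why the default "testing123" must be replaced and the server must only answer clients listed with their own secret.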
 
Old 10-02-2019, 12:30 PM   #17
zagath2
LQ Newbie
 
Registered: Oct 2019
Posts: 3

Rep: Reputation: Disabled
Freeradius VPN

Hi team

I have the following issue: I'm trying to configure Cisco AnyConnect + NPS Windows Server + LinOTP 2F, but the authentication on the Cisco ASA is failing:
"ERROR:Authentication Rejected: AA failure."

When I enter debug mode in FreeRADIUS, it shows the following:

rad_recv: Access-Request packet from host 10.127.7.3 port 49617, id=31, length=98
User-Name = "usuario_4"
User-Password = "1234781351"
NAS-IP-Address = 10.127.7.6
NAS-Port = 145
NAS-Port-Type = Virtual
Cisco-AVPair = "coa-push=true"
Proxy-State = 0x0a7f07030000002a
# Executing section authorize from file /etc/freeradius/sites-enabled/linotp
+group authorize {
++[preprocess] = ok
[IPASS] No '/' in User-Name = "usuario_4", looking up realm NULL
[IPASS] No such realm "NULL"
++[IPASS] = noop
[suffix] No '@' in User-Name = "usuario_4", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[ntdomain] No '\' in User-Name = "usuario_4", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] = noop
[files] users: Matched entry DEFAULT at line 1
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = perl
# Executing group from file /etc/freeradius/sites-enabled/linotp
+group authenticate {
rlm_perl: Config File /etc/linotp2/rlm_perl.ini found!
rlm_perl: Default URL https://10.127.7.4/validate/simplecheck
rlm_perl: RAD_REQUEST: User-Password = 1234781351
rlm_perl: RAD_REQUEST: User-Name = usuario_4
rlm_perl: RAD_REQUEST: Cisco-AVPair = coa-push=true
rlm_perl: RAD_REQUEST: NAS-Port = 145
rlm_perl: RAD_REQUEST: Proxy-State = 0x0a7f07030000002a
rlm_perl: RAD_REQUEST: NAS-Port-Type = Virtual
rlm_perl: RAD_REQUEST: NAS-IP-Address = 10.127.7.6
rlm_perl: Auth-Type: perl
rlm_perl: Url: https://10.127.7.4/validate/simplecheck
rlm_perl: User: usuario_4
rlm_perl: urlparam user = usuario_4
rlm_perl: urlparam resConf = LDAP
rlm_perl: urlparam client = 10.127.7.6
rlm_perl: urlparam realm = labotp.local
rlm_perl: urlparam pass = 1234781351
rlm_perl: Content :-)
rlm_perl: LinOTP access granted
rlm_perl: return RLM_MODULE_OK
rlm_perl: Added pair User-Password = 1234781351
rlm_perl: Added pair User-Name = usuario_4
rlm_perl: Added pair Cisco-AVPair = coa-push=true
rlm_perl: Added pair NAS-Port = 145
rlm_perl: Added pair Proxy-State = 0x0a7f07030000002a
rlm_perl: Added pair NAS-Port-Type = Virtual
rlm_perl: Added pair NAS-IP-Address = 10.127.7.6
rlm_perl: Added pair Reply-Message = LinOTP access granted
rlm_perl: Added pair Auth-Type = perl
++[perl] = ok
+} # group authenticate = ok
WARNING: Empty post-auth section. Using default return values.
Sending Access-Accept of id 31 to 10.127.7.3 port 49617
Reply-Message = "LinOTP access granted"
Proxy-State = 0x0a7f07030000002a
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 31 with timestamp +15
Ready to process requests.

Could you help me with some troubleshooting on this?

Active directory: 10.127.7.5
Cisco ASA: 10.127.7.6
NPS Windows Server 2012: 10.127.7.3
LinOTP server: 10.127.7.4
PIN LinOTP: 1234
Domain: labotp.local
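The debug output above shows FreeRADIUS sending an Access-Accept for id 31 back to 10.127.7.3, the host the request came from (the NPS in the poster's list), so the reject the ASA reports is produced at a hop after FreeRADIUS. Here is an added example, not from the post or from FreeRADIUS, of a small parser over radiusd -X output that extracts that fact and also redacts the clear-text password, which the debug log prints twice; the sample input is a constructed, trimmed copy of the log above.

```python
import re
# Constructed sample: a trimmed copy of the radiusd -X output quoted in the post.
SAMPLE = """\
rad_recv: Access-Request packet from host 10.127.7.3 port 49617, id=31, length=98
User-Name = "usuario_4"
User-Password = "1234781351"
Proxy-State = 0x0a7f07030000002a
++[preprocess] = ok
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
rlm_perl: urlparam pass = 1234781351
++[perl] = ok
WARNING: Empty post-auth section. Using default return values.
Sending Access-Accept of id 31 to 10.127.7.3 port 49617
"""

RECV = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
SEND = re.compile(r"^Sending (\S+) of id (\d+) to (\S+) port \d+")
MODULE = re.compile(r"^\++\[(\w+)\] = (\w+)")
# radiusd -X prints the clear-text password twice; scrub it before the log goes anywhere.
SECRET = re.compile(r"^(User-Password = |rlm_perl: urlparam pass = ).*")

def redact(line: str) -> str:
    return SECRET.sub(r"\1<redacted>", line)

def summarize(debug_text: str) -> dict:
    s = {"request": None, "reply": None, "modules": [], "warnings": [], "proxied": False}
    for line in map(redact, debug_text.splitlines()):
        if m := RECV.match(line):
            s["request"] = {"type": m[1], "host": m[2], "id": int(m[3])}
        elif m := SEND.match(line):
            s["reply"] = {"type": m[1], "id": int(m[2]), "host": m[3]}
        elif m := MODULE.match(line):
            s["modules"].append((m[1], m[2]))
        elif "WARNING" in line:
            s["warnings"].append(line)
        elif line.startswith("Proxy-State"):
            s["proxied"] = True  # the request was relayed by another RADIUS server
    return s

def diagnose(s: dict) -> str:
    """Name the hop that produced the reject the user saw."""
    if s["reply"] is None:
        return "no reply: FreeRADIUS dropped the request or timed out"
    if s["reply"]["type"] == "Access-Reject":
        failed = [f"{m}={r}" for m, r in s["modules"] if r not in ("ok", "noop", "updated")]
        return "rejected by FreeRADIUS; failing modules: " + (", ".join(failed) or "none logged")
    via = " (request arrived via a proxy: Proxy-State present)" if s["proxied"] else ""
    return f"accepted by FreeRADIUS and returned to {s['reply']['host']}{via}; the reject comes from a later hop"
```

Because the password value is PIN plus OTP, a debug log like this one discloses the PIN as well; running the output through redact() before pasting it anywhere keeps that out of the thread.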
 
Old 10-02-2019, 01:28 PM   #18
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,634

Rep: Reputation: 7965
Quote:
Originally Posted by zagath2
Hi team
I have the following issue: I'm trying to configure Cisco AnyConnect + NPS Windows Server + LinOTP 2F, but the authentication on the Cisco ASA is failing:
"ERROR:Authentication Rejected: AA failure."
Read the LQ Rules; you re-opened a thread that had been closed for EIGHT YEARS, and hijacked it with your own question...neither is good. Open your own thread for your own question. And you haven't told us what version/distro of Linux you're running.