By: Benjamin Fries user 02 Jul 2020 at 8:02 a.m. CDT

9 Responses
Hello, I have everything set up so far to use RADIUS Authentication. The server is Debian 10, and the client is Ubuntu 20.

```
radtest test test1234 172.16.64.142 0 n5SF7PXQXUgWN9nR6JJQ
Sent Access-Request Id 95 from 0.0.0.0:55905 to 172.16.64.142:1812 length 74
	User-Name = "test"
	User-Password = "test1234"
	NAS-IP-Address = 172.16.16.109
	NAS-Port = 0
	Message-Authenticator = 0x00
	Cleartext-Password = "test1234"
Received Access-Reject Id 95 from 172.16.64.142:1812 to 172.16.16.109:55905 length 20
(0) -: Expected Access-Accept got Access-Reject
```

```
[DEBUG] 2020-07-02 10:36:26.318 [Radius Auth Listener] SuperGluuAuthClient - SuperGluu initial auth failed. Response: {"reason":"Unable to authenticate client.","error_description":"Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the WWW-Authenticate response header field matching the authentication scheme used by the client.","error":"invalid_client"}
```

I have searched and followed some tickets, the issue here seems to be something different. Could you please help to find what is going on? Thank you.

By Dzouato Djeumen Rolain Bonaventure staff 02 Jul 2020 at 11:20 a.m. CDT

Hello Benjamin, I'll be handling your ticket. Let me take a look at what could be wrong.

By Michael Schwartz Account Admin 02 Jul 2020 at 12:10 p.m. CDT

You have not provided nearly enough information about your environment. Is the server reachable via a public IP address? I see the `172.16.x.x` address range, which is private. Your Gluu Server must be able to receive the PUSH messages from the Internet. Before you test RADIUS, it may make sense to test the Super Gluu script against a web application (i.e. oxTrust) to make sure it's working.

By Benjamin Fries user 03 Jul 2020 at 2:10 a.m. CDT

Hello Dzouato and Michael,

The Gluu Server has no Internet access, for now. We are currently just testing Gluu; for now we would like to get the RADIUS server running, as it is for us the most important part. If this works, we can proceed internally with the next step and testing the main features of Gluu. For the RADIUS server, I guess, we do not need Internet. Could we go through, step by step, what the possible issue could be? What information and logs do you need?

Kind regards,
Ben

By Dzouato Djeumen Rolain Bonaventure staff 03 Jul 2020 at 7:54 a.m. CDT

Hello Benjamin,

As @Michael.Schwartz pointed out, it would be easy to know what's going on if Super-Gluu were working first by testing it with oxTrust, as by default RADIUS is installed and configured to work with it. That said, RADIUS can optionally be configured to work without it. You can find that in the documentation under [Advanced Topics](https://gluu.org/docs/gluu-server/4.1/admin-guide/radius-server/gluu-radius/#advanced-topics).

From the error I see, I am positing the RADIUS server isn't able to authenticate against `oxAuth`, but I'll need more information to confirm. Can you please do the following:

- Use the link I provided above to turn on one step authentication. Then restart your Gluu instance. RADIUS will now authenticate using the username/password without the second step (Super-Gluu).
- Re-attempt to authenticate against the RADIUS server.
- If authentication fails, upload the content of your `oxAuth` log file.
- If it succeeds (unlikely IMHO given the information you provided), then it is a Super-Gluu related issue and you'll have to make sure Super-Gluu is working in at least `oxTrust` first, then we'll move on from there (reason for Mike's suggestion).

Regards,
Rolain

By Benjamin Fries user 06 Jul 2020 at 4:43 a.m. CDT

Good morning Rolain,

- We created a new VM.
- Gave it Internet access.
- Configured a public IP and public domain.
- Fresh install of Gluu, default settings plus RADIUS, with the information above.
- Set "radius.auth.scheme = onestep"
- Restarted the VM (complete reboot)
- Added a test user

radtest from internal IP to internal IP:

```
Received Access-Accept Id 121 from 172.16.64.142:1812 to 172.16.16.109:59300 length 20
```

Added a user that was already created on an internal jumphost, configured sshd to use pam, etc... we were able to log in to the ssh with the credentials from Gluu.

Is there a crypto library online that has to be accessed? I have no idea what I have done differently from the first install... except that the machine had no Internet access. Any idea?

Another question: We have just created the user without having to add it to any groups, or giving any permissions. How does Gluu know what user has access to which RADIUS client, if we only want certain users to be able to log in to certain RADIUS clients?

Regards,
Ben

By Dzouato Djeumen Rolain Bonaventure staff 06 Jul 2020 at 6:04 a.m. CDT

Hello Ben,

I am unsure myself, as RADIUS doesn't depend on any online cryptographic library. It would be interesting to know why the previous install didn't work.

As for the users against which RADIUS authenticates, we really do not discriminate, but it should be easy to change the authentication script used by RADIUS to provide for some more fine grained authentication mechanism, e.g. authenticating users which belong only to a certain group. You can check out [this link](https://gluu.org/docs/gluu-server/4.1/admin-guide/radius-server/gluu-radius/#custom-authentication-script) about the script and what it ought to contain.

Let me know if it helps,

Regards,
Rolain

By Benjamin Fries user 10 Jul 2020 at 9:03 a.m. CDT

In the next days we are going to connect some servers with Gluu, including ssh, RocketChat and some video conferencing services. And I still don't know how to combine it with 2FA. It's going to be interesting... I'll let you know.

By Benjamin Fries user 16 Jul 2020 at 2:44 a.m. CDT

NVM, it works... now time to activate 2FA!

By Colora Hagwick user 30 Mar 2021 at 2:42 p.m. CDT

Hello, Benjamin! Please, tell me, did you try to configure 2FA with RADIUS? How did it work? Please, share your experience, I really need help with it. Thanks!