Discussion:
A bit of help using the rlm_rest module with django-freeradius
Marty E. Plummer
2018-11-18 03:10:09 UTC
Greetings all. Let me first say I'm a huge newbie on this whole subject
and have not used freeradius with any more than the default configs and
some user lines along the line of "bob Cleartext-Password := password",
but I've been working on putting together a docker cluster/whatever
using freeradius, postgresql, and a small django project using
django-freeradius to manage users and such. I've tried, to the best of
my ability, to configure freeradius to use rest with their api endpoints
to authenticate users, but I can't get anything other than radtest to
work.

If you clone https://bitbucket.org/hanetzer/radius.git and
docker-compose up --build, you should get a close approximation of my
current setup. You will also need a .env file in the repo's root, which
has a format like this:

DATABASE_URL=db://postgres:***@db/postgres #not yet configurable
DJANGO_DEBUG=false # whether DEBUG=True or not in django
DJANGO_FREERADIUS_API_TOKEN=longasstokenhere # django-freeradius thing
DJANGO_MANAGEPY_COLLECTSTATIC=off #django thing, not yet right so you may get glitchy assets on the admin site
DJANGO_MANAGEPY_MAKEMIGRATIONS=on
DJANGO_MANAGEPY_MIGRATE=on # apply changes to the postgresql db to set up schemas
DJANGO_SETTINGS_MODULE=radius.settings # needed for now
POSTGRES_DB=postgres # not yet configurable
POSTGRES_PASSWORD=changeme # not yet configurable
POSTGRES_USER=postgres # not yet configurable
SECRET_KEY=somesecretkey # django specific
FREERADIUS_SECRET=testing123 # haven't got all the spots yet so best to stick to this value

The setup is supposed to make a json post to api/v1/... which contains,
among other things, { "user":"%{User-Name}", "password":"%{User-Password}" }.
But, %{User-Password} always evaluates to "", an empty string. A manual curl to
the api endpoints works, however.

You'll need to enter the docker container running the webserver like
this 'docker exec -it radius_freeradius_xxxxxx sh' and source /venv/bin/activate,
at which point you run ./manage.py createsuperuser. Follow the prompts
and the admin/root user will be created. You can add a testing normal
user with ./manage.py batch_add_users --name test --file some.csv, where
some.csv contains the following:
username,cleartext$password,***@somehost.com,FirstName,LastName
the password must either be encrypted using the django scheme or
prefaced with the cleartext$ token.

You can access the admin interface and login with the superuser
credentials created above with the url http://localhost:8000/admin

If anyone could provide any help/suggestions on this matter I'd greatly
appreciate it.

Marty

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/l
Adam Bishop
2018-11-18 09:43:05 UTC
Post by Marty E. Plummer
If anyone could provide any help/suggestions on this matter I'd greatly
appreciate it.
Just send the freeradius debug log please.


Adam Bishop

gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.

Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.


Marty E. Plummer
2018-11-19 00:06:59 UTC
Post by Adam Bishop
Post by Marty E. Plummer
If anyone could provide any help/suggestions on this matter I'd greatly
appreciate it.
Just send the freeradius debug log please.
I figured a replicatable setup in the form of docker would be enough.
However, some time after sending the initial email I managed to get it
figured out. Basically I had to move the rest stuff into inner-tunnel so
the eap stuff is decrypted/whatever so I could obtain User-Name and
User-Password for the rest authentication. Everything works now, so I
suppose the ml served as a bit of a rubber-duckie for me to work out my
own issues.
Alan DeKok
2018-11-19 01:05:15 UTC
Post by Marty E. Plummer
Post by Adam Bishop
Just send the freeradius debug log please.
I figured a replicatable setup in the form of docker would be enough.
While documenting your system is useful, we're not going to build a clone of your docker image just to see what's going on with it.

We ask for the debug output because we need it. All of the documentation says this, over and over and over again.
Post by Marty E. Plummer
However, some time after sending the initial email I managed to get it
figured out. Basically I had to move the rest stuff into inner-tunnel so
the eap stuff is decrypted/whatever so I could obtain User-Name and
User-Password for the rest authentication. Everything works now, so I
suppose the ml served as a bit of a rubber-duckie for me to work out my
own issues.
If you run the server in debugging mode, you will see that the outer session doesn't have a User-Password attribute. But the inner one does. So... the conclusion is to move the REST call to the inner tunnel.

And that's why we say to run the server in debug mode. Because once you do that, many common problems become simple to debug.

Alan DeKok.
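
The missing attribute described above, as an added example that is not part of the original thread: a PAP Access-Request (what radtest sends) carries a hidden User-Password the server can recover with the shared secret, while the outer request of an EAP session carries only EAP-Message, so "%{User-Password}" expands to an empty string there. The packet bytes, the user "test" and all function names are constructed for illustration.

```python
import hashlib
import struct

USER_NAME, USER_PASSWORD, EAP_MESSAGE = 1, 2, 79   # RFC 2865 / RFC 3579 attribute types
SECRET = b"testing123"       # FREERADIUS_SECRET value from the .env in the thread
RA = bytes(range(16))        # constructed Request Authenticator

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def user_password_crypt(data, secret, ra, decrypt=False):
    """RFC 2865 section 5.2 User-Password hiding; decrypt=True reverses it."""
    if not decrypt:
        data = data.ljust(max(16, -(-len(data) // 16) * 16), b"\x00")
    out, prev = b"", ra
    for i in range(0, len(data), 16):
        block = _xor(data[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = data[i:i + 16] if decrypt else block   # chain on the ciphertext block
        out += block
    return out.rstrip(b"\x00") if decrypt else out

def build_request(attrs, ra=RA):
    """Access-Request: code 1, id 1, length, authenticator, then type/length/value."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", 1, 1, 20 + len(body), ra) + body

def parse_attrs(packet):
    _code, _ident, length, ra = struct.unpack("!BBH16s", packet[:20])
    attrs, pos = {}, 20
    while pos + 2 <= length:
        t, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[t] = packet[pos + 2:pos + alen]
        pos += alen
    return ra, attrs

def rest_fields(packet, secret=SECRET):
    """Values the "%{User-Name}" / "%{User-Password}" expansions would yield."""
    ra, attrs = parse_attrs(packet)
    pw = attrs.get(USER_PASSWORD)
    return {"user": attrs.get(USER_NAME, b"").decode(),
            "password": user_password_crypt(pw, secret, ra, True).decode() if pw else ""}

# Constructed samples: a PAP request (what radtest sends) and the first outer
# request of an EAP session (EAP-Response/Identity; Message-Authenticator omitted).
PAP_REQUEST = build_request([(USER_NAME, b"test"), (USER_PASSWORD, user_password_crypt(b"password", SECRET, RA))])
EAP_IDENTITY = bytes([2, 1]) + struct.pack("!H", 9) + bytes([1]) + b"test"
EAP_OUTER_REQUEST = build_request([(USER_NAME, b"test"), (EAP_MESSAGE, EAP_IDENTITY)])
```
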


Marty E. Plummer
2018-11-19 02:29:42 UTC
Post by Alan DeKok
Post by Marty E. Plummer
Post by Adam Bishop
Just send the freeradius debug log please.
I figured a replicatable setup in the form of docker would be enough.
While documenting your system is useful, we're not going to build a clone of your docker image just to see what's going on with it.
We ask for the debug output because we need it. All of the documentation says this, over and over and over again.
Fair. Though the docker images are pretty small relatively speaking.
Post by Alan DeKok
Post by Marty E. Plummer
However, some time after sending the initial email I managed to get it
figured out. Basically I had to move the rest stuff into inner-tunnel so
the eap stuff is decrypted/whatever so I could obtain User-Name and
User-Password for the rest authentication. Everything works now, so I
suppose the ml served as a bit of a rubber-duckie for me to work out my
own issues.
If you run the server in debugging mode, you will see that the outer session doesn't have a User-Password attribute. But the inner one does. So... the conclusion is to move the REST call to the inner tunnel.
Could have sworn I mentioned that. Maybe I said it in the irc channel,
but yes, the problem was that User-Password was not available outside
the inner-tunnel. Turns out the django-freeradius project is meant for
use with captive-portals and not wpa2-eap (though moving the REST
calls to the inner-tunnel apparently makes it usable outside of the
intended use).
(btw, is irc.freenode.net/#freeradius official?)
Post by Alan DeKok
And that's why we say to run the server in debug mode. Because once you do that, many common problems become simple to debug.
Yeah, up until I determined to move the REST call into the inner tunnel
the freeradius server was only in debug mode.
Alan DeKok
2018-11-19 03:25:44 UTC
Post by Marty E. Plummer
(btw, is irc.freenode.net/#freeradius official?)
No.
Post by Marty E. Plummer
Post by Alan DeKok
And that's why we say to run the server in debug mode. Because once you do that, many common problems become simple to debug.
Yeah, up until I determined to move the REST call into the inner tunnel
the freeradius server was only in debug mode.
The point is *also* to post the debug output to the list. All of the available documentation says to do this. Including the "man" page, web site, FAQ, Wiki, and the message you get when joining the list.

Despite that, people keep posting everything *but* the debug output. We don't need to see configuration files, docker config, etc. We need the debug output.

Alan DeKok.


