EAP-PWD with FreeRADIUS 3.0.15 and Android phone - wifi

I installed FreeRADIUS-3.0.15 on Ubuntu-16.04.2 and set up the EAP-PWD configuration (files: eap, users).
With EAP-PWD, I could get SUCCESS with the eapol_test tool, but I could NOT get my Android phone (v5.1.1 & 7.1.2) to pass the authentication process.
With the same settings, I could get my Android phone to pass authentication through TTLS and PEAP.
I've read the post
https://serverfault.com/questions/683897/eap-pwd-with-freeradius-3/683923#683923.
But it isn't clear from it whether EAP-PWD could finally work on Android phones with a FreeRADIUS server.
Are there any configurations I missed?
Does EAP-PWD need some specific devices (e.g. AP, switch controller, etc.) to work with?
The EAP-PWD settings in the file "eap":
pwd {
    group = 19
    server_id = theserver@example.com
    fragment_size = 1020
    virtual_server = "inner-tunnel"
}
The failing RADIUS server log when using my Android phone:
Ready to process requests
(0) Received Access-Request Id 19 from 192.168.1.1:65514 to 192.168.1.48:1812 length 113
(0) User-Name = "steve"
(0) NAS-Port-Type = Wireless-802.11
(0) Called-Station-Id = "00-0A-79-98-19-1F"
(0) Calling-Station-Id = "90-B6-86-8E-8E-F2"
(0) NAS-IP-Address = 192.168.1.1
(0) Framed-MTU = 1400
(0) EAP-Message = 0x0201000a017374657665
(0) Message-Authenticator = 0xfc142f419a003e1f32c49845e2b47148
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "steve", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 1 length 10
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 2 length 22
(0) eap: EAP session adding &reply:State = 0x0920d2120922d68e
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 19 from 192.168.1.48:1812 to 192.168.1.1:65514 length 0
(0) EAP-Message = 0x01020016041003e295427e4313c871b5357ea94cb0cd
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x0920d2120922d68e7c074922ee6197b2
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 20 from 192.168.1.1:65515 to 192.168.1.48:1812 length 127
(1) User-Name = "steve"
(1) NAS-Port-Type = Wireless-802.11
(1) Called-Station-Id = "00-0A-79-98-19-1F"
(1) Calling-Station-Id = "90-B6-86-8E-8E-F2"
(1) NAS-IP-Address = 192.168.1.1
(1) Framed-MTU = 1400
(1) State = 0x0920d2120922d68e7c074922ee6197b2
(1) EAP-Message = 0x020200060334
(1) Message-Authenticator = 0x957e6bdb393fe8c0829f734afa134684
(1) session-state: No cached attributes
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "steve", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 2 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) files: users: Matched entry steve at line 73
(1) [files] = ok
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: WARNING: Auth-Type already set. Not setting to PAP
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x0920d2120922d68e
(1) eap: Finished EAP session with state 0x0920d2120922d68e
(1) eap: Previous EAP request found for state 0x0920d2120922d68e, released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type PWD (52)
(1) eap: Calling submodule eap_pwd to process data
(1) eap: Sending EAP Request (code 1) ID 3 length 36
(1) eap: EAP session adding &reply:State = 0x0920d2120823e68e
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 20 from 192.168.1.48:1812 to 192.168.1.1:65515 length 0
(1) EAP-Message = 0x010300243401001301015bd0471300746865736572766572406578616d706c652e636f6d
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x0920d2120823e68e7c074922ee6197b2
(1) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 19 with timestamp +59
(1) Cleaning up request packet ID 20 with timestamp +59
Ready to process requests

I've solved the problem after a long test.
With the same system settings and environment, I just needed to replace the AP with another one (I thought that the problem was caused because some APs (or their firmware) did not support EAP-PWD), and the problem was solved.
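
The four EAP-Message values in the debug log above can be decoded by hand to see how far the exchange got. The decoder below is an added example, not part of the original post or of FreeRADIUS; the EAP-pwd-ID field layout follows RFC 5931 and the function names are made up here.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 52: "PWD"}
PWD_EXCH = {1: "ID", 2: "Commit", 3: "Confirm"}  # RFC 5931 PWD-Exch values

# EAP-Message values copied from the debug log above, in order
# (the last one is split only to fit the line).
LOG = [
    ("peer -> server", "0x0201000a017374657665"),
    ("server -> peer", "0x01020016041003e295427e4313c871b5357ea94cb0cd"),
    ("peer -> server", "0x020200060334"),
    ("server -> peer", "0x010300243401001301015bd04713"
                       "00746865736572766572406578616d706c652e636f6d"),
]


def decode_pwd(body):
    """Decode the EAP-pwd header and, for an unfragmented ID exchange, its payload."""
    flags = body[0]
    exch = flags & 0x3F
    out = {"exchange": PWD_EXCH.get(exch, exch),
           "L": bool(flags & 0x80), "M": bool(flags & 0x40)}
    if exch == 1 and not out["L"] and len(body) >= 10:
        group, rand_func, prf = struct.unpack("!HBB", body[1:5])
        out.update(group=group, random_function=rand_func, prf=prf,
                   token=body[5:9].hex(), prep=body[9],
                   identity=body[10:].decode("utf-8", "replace"))
    return out


def decode_eap(hex_value):
    """Decode one EAP-Message attribute value (hex string, optional 0x prefix)."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length {length} != attribute length {len(raw)}")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2) or length < 5:
        return out  # Success/Failure carry no type field
    eap_type, body = raw[4], raw[5:]
    out["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:
        out["identity"] = body.decode("utf-8", "replace")
    elif eap_type == 3:
        out["wanted"] = [EAP_TYPES.get(t, t) for t in body]
    elif eap_type == 4 and body:
        out["challenge"] = body[1:1 + body[0]].hex()  # first byte is Value-Size
    elif eap_type == 52 and body:
        out.update(decode_pwd(body))
    return out


def trace():
    """Decode every packet in LOG, keeping the direction label."""
    return [dict(direction=direction, **decode_eap(value)) for direction, value in LOG]


if __name__ == "__main__":
    for packet in trace():
        print(packet)
```

The last packet is the server's EAP-pwd-ID request (group 19, a token and the server identity); the log shows no further Access-Request from the NAS after it.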

Related

Failed to authenticate to the freeradius server with added user

I was trying to test my freeRadius server in debug mode after building the source code on my Ubuntu VM.
I also use this official tutorial as the reference: https://wiki.freeradius.org/guide/basic-configuration-howto
My goal is:
Add a new user "testing", whose password is "password", to the freeradius config and successfully authenticate to the freeradius server as user "testing".
Below are the steps I have tried:
(1) I added the user info to the top line of "/usr/local/etc/raddb/users"
testing Cleartext-Password := "password"
I didn't make changes to "sudo nano /usr/local/etc/raddb/clients.conf"
(2) I started freeradius server in debug mode
sudo radiusd -X
and the server shows Ready to process requests
(3) I opened a new terminal and tried to send the request with the new user's info
radtest testing password localhost 0 testing123
The actual result is: Access-Reject
On the client side:
Sent Access-Request Id 128 from 0.0.0.0:41704 to 127.0.0.1:1812 length 77
User-Name = "testing"
User-Password = "password"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "password"
Received Access-Reject Id 128 from 127.0.0.1:1812 to 127.0.0.1:41704 length 20
(0) -: Expected Access-Accept got Access-Reject
On the server side:
(1) Received Access-Request Id 128 from 127.0.0.1:41704 to 127.0.0.1:1812 length 77
(1) User-Name = "testing"
(1) User-Password = "password"
(1) NAS-IP-Address = 127.0.1.1
(1) NAS-Port = 0
(1) Message-Authenticator = 0xaf245c154458b4236bcca590799eeef4
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> TRUE
(1) if (&User-Name =~ /\.\./ ) {
(1) update request {
(1) &Module-Failure-Message += 'Rejected: User-Name contains multiple ..s'
(1) } # update request = noop
(1) [reject] = reject
(1) } # if (&User-Name =~ /\.\./ ) = reject
(1) } # if (&User-Name) = reject
(1) } # policy filter_username = reject
(1) } # authorize = reject
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject: --> testing
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1) [attr_filter.access_reject] = updated
(1) [eap] = noop
(1) policy remove_reply_message_if_eap {
(1) if (&reply:EAP-Message && &reply:Reply-Message) {
(1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(1) else {
(1) [noop] = noop
(1) } # else = noop
(1) } # policy remove_reply_message_if_eap = noop
(1) } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 128 from 127.0.0.1:1812 to 127.0.0.1:41704 length 20
Waking up in 3.9 seconds.
(1) Cleaning up request packet ID 128 with timestamp +112
Can anyone tell me what is wrong with my steps?
Thanks!
I figured out that previously I had messed up the build process. I used `make deb` to build the package and then switched back to building from the source code. After a few hours of debugging, I now finally get the expected output.

Freeradius: Configuration with MSCHAPv2 for Windows-Password and PAM for (Google)OTP

I successfully configured my Freeradius 3.0 to authenticate a user by username and password against our ActiveDirectory using the ntlm_auth module.
Then I added the following code to my default site:
if (!State) {
    update control {
        Auth-Type := ntlm_auth
    }
}
else {
    update control {
        Auth-Type := pam
    }
}
And changed the section for ntlm_auth in the same file to:
Auth-Type ntlm_auth {
    ntlm_auth
    if (ok) {
        update reply {
            # Create a random State attribute:
            State := "%{randstr:aaaaaaaaaaaaaaaa}"
            Reply-Message := "Bitte geben Sie die invenio OTP-PIN ein"
        }
        # Return Access-Challenge:
        challenge
    }
}
This worked fine, but used plaintext passwords.
So I changed the configuration on my gateway (VPN) to send MSCHAPv2 instead of plaintext.
I changed ntlm_auth to mschapv2 in the config, but now I only get the MSCHAPv2 response and no response with the OTP-PIN from the challenge request.
Log (Debug):
(0) Received Access-Request Id 73 from 212.99.164.134:10057 to 10.1.56.3:1812 length 188
(0) NAS-Identifier = "HAM-FW-02"
(0) User-Name = "USERnameSent"
(0) MS-CHAP2-Response = 0x1c009ddc9d60c7a00ed267291e4049fe8cae0000000000000000dbfae0e612d97ccaf67c193ddd7f0b21244172c83af71d06
(0) MS-CHAP-Challenge = 0xe19eb24bf11796bbb66baab10741f1fb
(0) NAS-Port-Type = Virtual
(0) Calling-Station-Id = "46.114.1.229"
(0) Acct-Session-Id = "17f2146e"
(0) Connect-Info = "vpn-ssl"
(0) Fortinet-Vdom-Name = "0010647802"
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log: --> /var/log/freeradius/radacct/212.99.164.134/auth-detail-20210326
(0) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/212.99.164.134/auth-detail-20210326
(0) auth_log: EXPAND %t
(0) auth_log: --> Fri Mar 26 06:36:08 2021
(0) [auth_log] = ok
(0) [chap] = noop
(0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(0) [mschap] = ok
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "USERnameSent", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: users: Matched entry DEFAULT at line 202
(0) [files] = ok
(0) [expiration] = noop
(0) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(0) [pap] = noop
(0) if (!State) {
(0) if (!State) -> TRUE
(0) if (!State) {
(0) update control {
(0) Auth-Type := ntlm_auth
(0) } # update control = noop
(0) } # if (!State) = noop
(0) ... skipping else: Preceding "if" was taken
(0) } # authorize = ok
(0) Found Auth-Type = ntlm_auth
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Auth-Type ntlm_auth {
(0) mschap: Creating challenge hash with username: USERnameSent
(0) mschap: Client is using MS-CHAPv2
(0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
(0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(0) mschap: --> --username=USERnameSent
(0) mschap: Creating challenge hash with username: USERnameSent
(0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(0) mschap: --> --challenge=0b0349cd8aa9407c
(0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(0) mschap: --> --nt-response=dbfae0e612d97ccaf67c193ddd7f0b21244172c83af71d06
(0) mschap: Program returned code (0) and output 'NT_KEY: 5796EA7F02A7060169CD28DE40DD6165'
(0) mschap: Adding MS-CHAPv2 MPPE keys
(0) [mschap] = ok
(0) if (ok) {
(0) if (ok) -> TRUE
(0) if (ok) {
(0) update reply {
(0) EXPAND %{randstr:aaaaaaaaaaaaaaaa}
(0) --> 9o91xD3qIywz6TTH
(0) State := 0x396f3931784433714979777a36545448
(0) Reply-Message := "Bitte geben Sie die invenio OTP-PIN ein"
(0) } # update reply = noop
(0) policy challenge {
(0) update control {
(0) &Response-Packet-Type = Access-Challenge
(0) } # update control = noop
(0) [handled] = handled
(0) } # policy challenge = handled
(0) } # if (ok) = handled
(0) } # Auth-Type ntlm_auth = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 73 from 10.1.56.3:1812 to 212.99.164.134:10057 length 0
(0) MS-CHAP2-Success = 0x1c533d33323442453233423243323435354244304539344338433737383335303142393346453232463037
(0) MS-MPPE-Recv-Key = 0x6d7dcf451b9c724308f1a01c9b1a7dcc
(0) MS-MPPE-Send-Key = 0xa993f3f27c1f6d5e8b192b9962de7bc4
(0) MS-MPPE-Encryption-Policy = Encryption-Allowed
(0) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(0) State := 0x396f3931784433714979777a36545448
(0) Reply-Message := "Bitte geben Sie die invenio OTP-PIN ein"
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 73 with timestamp +11
Ready to process requests
(1) Received Access-Request Id 74 from 212.99.164.134:24581 to 10.1.56.3:1812 length 206
(1) NAS-Identifier = "HAM-FW-02"
(1) State = 0x396f3931784433714979777a36545448
(1) User-Name = "USERnameSent"
(1) MS-CHAP2-Response = 0x1c003635363333340ed267291e4049fe8cae0000000000000000dbfae0e612d97ccaf67c193ddd7f0b21244172c83af71d06
(1) MS-CHAP-Challenge = 0xe19eb24bf11796bbb66baab10741f1fb
(1) NAS-Port-Type = Virtual
(1) Calling-Station-Id = "46.114.1.229"
(1) Acct-Session-Id = "17f2146e"
(1) Connect-Info = "vpn-ssl"
(1) Fortinet-Vdom-Name = "0010647802"
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(1) auth_log: --> /var/log/freeradius/radacct/212.99.164.134/auth-detail-20210326
(1) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/212.99.164.134/auth-detail-20210326
(1) auth_log: EXPAND %t
(1) auth_log: --> Fri Mar 26 06:36:16 2021
(1) [auth_log] = ok
(1) [chap] = noop
(1) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(1) [mschap] = ok
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "USERnameSent", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: No EAP-Message, not doing EAP
(1) [eap] = noop
(1) files: users: Matched entry DEFAULT at line 202
(1) [files] = ok
(1) [expiration] = noop
(1) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(1) [pap] = noop
(1) if (!State) {
(1) if (!State) -> FALSE
(1) else {
(1) update control {
(1) Auth-Type := pam
(1) } # update control = noop
(1) } # else = noop
(1) } # authorize = ok
(1) Found Auth-Type = pam
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) Auth-Type pam {
(1) pam: Attribute "User-Password" is required for authentication
(1) [pam] = invalid
(1) } # Auth-Type pam = invalid
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject: --> USERnameSent
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1) [attr_filter.access_reject] = updated
(1) [eap] = noop
(1) policy remove_reply_message_if_eap {
(1) if (&reply:EAP-Message && &reply:Reply-Message) {
(1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(1) else {
(1) [noop] = noop
(1) } # else = noop
(1) } # policy remove_reply_message_if_eap = noop
(1) } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 74 from 10.1.56.3:1812 to 212.99.164.134:24581 length 20
Waking up in 3.9 seconds.
(1) Cleaning up request packet ID 74 with timestamp +19
Ready to process requests
Any ideas how I can send the challenge response to my pam module to authenticate this PIN against the Google Authenticator? The response seems to be missing, or I may have to set {user-password} = {response-value} somewhere?
Thanks a lot !
Best regards,
Andreas
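
A field-by-field comparison of the two MS-CHAP2-Response values in the log above, as an added example that is not part of the original post. The 50-byte layout (Ident, Flags, Peer-Challenge, Reserved, Response) is taken from RFC 2548, and the function names are made up for illustration.

```python
# RFC 2548 section 2.3.2: value of the MS-CHAP2-Response attribute (50 bytes).
FIELDS = (("ident", 1), ("flags", 1), ("peer_challenge", 16),
          ("reserved", 8), ("nt_response", 24))

# Values copied from requests (0) and (1) in the log above,
# split into pieces only to fit the line.
FIRST = ("0x1c00" "9ddc9d60c7a00ed267291e4049fe8cae" "0000000000000000"
         "dbfae0e612d97ccaf67c193ddd7f0b21244172c83af71d06")
SECOND = ("0x1c00" "3635363333340ed267291e4049fe8cae" "0000000000000000"
          "dbfae0e612d97ccaf67c193ddd7f0b21244172c83af71d06")


def parse_response(hex_value):
    """Split an MS-CHAP2-Response value into its named fields."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    expected = sum(size for _, size in FIELDS)
    if len(raw) != expected:
        raise ValueError(f"expected {expected} bytes, got {len(raw)}")
    fields, pos = {}, 0
    for name, size in FIELDS:
        fields[name] = raw[pos:pos + size]
        pos += size
    return fields


def diff_responses(a_hex, b_hex):
    """Map each differing field to the byte offsets (within that field) that changed."""
    a, b = parse_response(a_hex), parse_response(b_hex)
    changes = {}
    for name, _ in FIELDS:
        offsets = [i for i, (x, y) in enumerate(zip(a[name], b[name])) if x != y]
        if offsets:
            changes[name] = offsets
    return changes


def changed_bytes(hex_value, field, offsets):
    """Return the bytes found at the given offsets of one field."""
    value = parse_response(hex_value)[field]
    return bytes(value[i] for i in offsets)


if __name__ == "__main__":
    for field, offsets in diff_responses(FIRST, SECOND).items():
        new = changed_bytes(SECOND, field, offsets)
        print(f"{field}: offsets {offsets} changed, new bytes {new!r}")
```

On these two values only the first six bytes of the Peer-Challenge differ, and the new bytes are ASCII digits; the NT-Response is unchanged, and request (1) still carries no User-Password attribute, which is the attribute the pam module reports as required.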

FreeRadius Live AP login User-Password blank?

I'm kinda new to FreeRadius. I managed to set up a server with rlm_rest enabled. My (first) goal is to log in via a username and password that is verified with an external API.
When I use radtest with a username and password, I get the following output on the server and receive an Access-Accept:
Sent Access-Request Id 155 from 0.0.0.0:46565 to 127.0.0.1:1812 length 90
User-Name = "username"
User-Password = "password"
NAS-IP-Address = 127.0.1.1
NAS-Port = 10
Message-Authenticator = 0x00
Cleartext-Password = "password"
However, when I try to log in on a live AP (WAP300N Linksys) with RADIUS set up, the User-Password is not passed; see the server log output below:
Received Access-Request Id 184 from 192.168.1.8:49250 to 192.168.1.29:1812 length 181
User-Name = "admin"
NAS-IP-Address = 192.168.1.10
NAS-Identifier = "RalinkAP0"
NAS-Port = 0
Called-Station-Id = "C0-56-27-8D-E4-61"
Calling-Station-Id = "44-00-10-D3-9B-BC"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020a002b190017030100200f8d3de6cc2558d4ea01c8f5a5b4a7feb747c427121cfa5a837d1cdd4d552dbd
State = 0x3e453e88364f273bd4879022bb95e46c
Message-Authenticator = 0xecb9642bb2342557885edba46f52e0cc
Does this have anything to do with the server configuration? Or is the AP clearing the password for some reason? I'm trying to log in on an iPhone... maybe that is the issue?
Thanks in advance
Stefan

ruby group collection via first letter in view in foreach

For example, I have a collection with data like this:
80 (0)
90 (0)
100 (0)
200 (0)
A2 (0)
A3 (0)
A4 (0)
A5 (0)
A6 (0)
A8 (0)
Allroad (0)
Cabriolet (0)
Coupe (0)
Q7 (0)
Quattro (0)
R8 (0)
RS4 (0)
RS6 (0)
S2 (0)
S3 (0)
S4 (0)
S5 (0)
S6 (0)
S8 (0)
TT (0)
V8 (D11) (0)
and a view like this:
.vip-offers#manufacturers-list
  .man-area
    %ul
      - @models.each do |car|
        %li
          = link_to "#{car.name} (#{car.get_cars_model_count(car.id)})", advanced_search_show_path(by_model: car.id), id: "link-blue", data: { no_turbolink: true }
So as you can see, I display the whole data set as a list, but I need to group it by the first letter of the name, for example:
8
80 (0)
9
90 (0)
1
100 (0)
2
200 (0)
A
A2 (0)
A3 (0)
A4 (0)
A5 (0)
A6 (0)
A8 (0)
Allroad (0)
etc...
I couldn't figure out how to select the first letter and group by it in the view... Maybe somebody has ideas?
.group_by is your friend:
@grouped_cars = cars.group_by { |one_record| one_record.name[0].to_s } # returns the first letter of the name
This code should create a hash structured as follows:
{
  '0' => [<Car id:12, name: '007'>],
  'A' => [<Car id:13, name: 'Audi'>, <Car id:14, name: 'Audi RS5'>],
  # etc.
}
Then you can do:
%ul
  - @grouped_cars.each do |first_letter, cars|
    %li.first_letter= first_letter
    %ul
      - cars.each do |car|
        %li.one_car= car.name
You might want to add some stuff in the group_by block:
@grouped_cars = cars.group_by do |car|
  car.name[0].to_s.upcase # transforms 'a' into 'A'
end
I also noticed that you will probably lose the alphabetical order, because Hashes are not ordered. To solve this, you can do the following:
%ul
  - @grouped_cars.keys.sort.each do |letter|
    %li.first_letter= letter
    %ul
      - @grouped_cars[letter].each do |car|
        %li.one_car= car.name
Or check @DaniëlKnippers comment on my answer

How do I round numbers up to a dynamic precision in Ruby On Rails?

I want to round numbers up to their nearest order of magnitude. (I think I said this right)
Here are some examples:
Input => Output
8 => 10
34 => 40
99 => 100
120 => 200
360 => 400
990 => 1000
1040 => 2000
1620 => 2000
5070 => 6000
9000 => 10000
Anyone know a quick way to write that in Ruby or Rails?
Essentially I need to know the order of magnitude of the number and how to round by that precision.
Thanks!
Here's another way:
def roundup(num)
  x = Math.log10(num).floor
  num = (num / (10.0**x)).ceil * 10**x
  return num
end
More idiomatically:
def roundup(num)
  x = Math.log10(num).floor
  (num / (10.0**x)).ceil * 10**x
end
Here is a solution. It implements the following rules:
0 and powers of 10 are not modified;
9??? is rounded up to 10000 (no matter how long);
A??? is rounded up to B000 (no matter how long), where B is the digit following A.
def roundup(n)
  n = n.to_i
  s = n.to_s
  s =~ /\A1?0*\z/ ? n : s =~ /\A\d0*\z/ ? ("1" + "0" * s.size).to_i :
      ((s[0, 1].to_i + 1).to_s + "0" * (s.size - 1)).to_i
end
fail if roundup(0) != 0
fail if roundup(1) != 1
fail if roundup(8) != 10
fail if roundup(34) != 40
fail if roundup(99) != 100
fail if roundup(100) != 100
fail if roundup(120) != 200
fail if roundup(360) != 400
fail if roundup(990) != 1000
fail if roundup(1040) != 2000
fail if roundup(1620) != 2000
fail if roundup(5070) != 6000
fail if roundup(6000) != 10000
fail if roundup(9000) != 10000
