
Weird error - OpenVPN with radiusplugin.so plugin auth on Alpine

Open · itxworks opened this issue 3 years ago · 1 comment

I am not sure whether I followed https://privacyidea.readthedocs.io/en/latest/application_plugins/openvpn.html (FreeRADIUS) correctly.

Since there is no openvpn-auth-radius package, it was built from source -> http://www.nongnu.org/radiusplugin/radiusplugin_v2.1a_beta1.tar.gz

PI is running the latest 3.6.3. RADIUS AUTH only works fine, so the issue might be the accounting request. Any idea how to handle this?

FreeRADIUS Version 3.0.16

Ubuntu 18.x Container on PVE 5.13.19-4

--- EAP Test

Ready to process requests
(0) Received Access-Request Id 103 from 192.168.30.88:50565 to 192.168.27.4:1812 length 44
(0)   User-Name = "xxxx"
(0)   User-Password = "xxxx460384"
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/privacyidea
(0)   authorize {
(0)     update request {
(0)       EXPAND %{Packet-Src-IP-Address}
(0)          --> 192.168.30.88
(0)       Packet-Src-IP-Address = 192.168.30.88
(0)     } # update request = noop
(0)     perl-privacyidea: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'xxxxx'
(0)     perl-privacyidea: $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'xxxx460384'
(0)     perl-privacyidea: $RAD_REQUEST{'Packet-Src-IP-Address'} = &request:Packet-Src-IP-Address -> '192.168.30.88'
(0)     perl-privacyidea: &request:Packet-Src-IP-Address = $RAD_REQUEST{'Packet-Src-IP-Address'} -> '192.168.30.88'
(0)     perl-privacyidea: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'xxxx'
(0)     perl-privacyidea: &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'xxxx460384'
(0)     [perl-privacyidea] = ok
(0)     if (ok || updated) {
(0)     if (ok || updated)  -> TRUE
(0)     if (ok || updated)  {
(0)       update control {
(0)         Auth-Type := Perl
(0)       } # update control = noop
(0)     } # if (ok || updated)  = noop
(0)   } # authorize = ok
(0) Found Auth-Type = Perl
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/privacyidea
(0)   Auth-Type Perl {
(0)     perl-privacyidea: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'xxxx'
(0)     perl-privacyidea: $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'xxxx460384'
(0)     perl-privacyidea: $RAD_REQUEST{'Packet-Src-IP-Address'} = &request:Packet-Src-IP-Address -> '192.168.30.88'
(0)     perl-privacyidea: $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'Perl'
(0)     perl-privacyidea: $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'Perl'
rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
rlm_perl: Debugging config: true
rlm_perl: Default URL https://localhost/validate/check
rlm_perl: Looking for config for auth-type Perl
rlm_perl: RAD_REQUEST: Packet-Src-IP-Address = 192.168.30.88
rlm_perl: RAD_REQUEST: User-Name = xxx
rlm_perl: RAD_REQUEST: User-Password = xxxx460384
rlm_perl: Setting client IP to 192.168.30.88.
rlm_perl: Auth-Type: Perl
rlm_perl: url: https://localhost/validate/check
rlm_perl: user sent to privacyidea: xxxx
rlm_perl: realm sent to privacyidea:
rlm_perl: resolver sent to privacyidea:
rlm_perl: client sent to privacyidea: 192.168.30.88
rlm_perl: state sent to privacyidea:
rlm_perl: urlparam client = 192.168.30.88
rlm_perl: urlparam user = xxxx
rlm_perl: urlparam pass = xxxx460384
rlm_perl: Request timeout: 10
rlm_perl: Not verifying SSL certificate!
rlm_perl: elapsed time for privacyidea call: 1.329239
rlm_perl: Content {"detail": {"message": "matching 1 tokens", "otplen": 6, "serial": "OATH0001F065", "threadid": 139802552300992, "type": "hotp"}, "id": 1, "jsonrpc": "2.0", "result": {"status": true, "value": true}, "time": 1641811822.5173314, "version": "privacyIDEA 3.6.3", "versionnumber": "3.6.3", "signature": "rsa_sha256_pss:..."}
rlm_perl: privacyIDEA access granted
rlm_perl: ++++ Parsing group: Attribute
rlm_perl: +++++ Found member 'Attribute Filter-Id'
rlm_perl: ++++++ Attribute: IF ''->'' == '' THEN 'Filter-Id'
rlm_perl: ++++++ no directory
rlm_perl: +++++++ User attribute is a string:
rlm_perl: +++++++ trying to match
rlm_perl: ++++++++ Result: No match, no RADIUS attribute Filter-Id added.
rlm_perl: +++++ Found member 'Attribute otherAttribute'
rlm_perl: ++++++ Attribute: IF ''->'' == '' THEN 'otherAttribute'
rlm_perl: ++++++ no directory
rlm_perl: +++++++ User attribute is a string:
rlm_perl: +++++++ trying to match
rlm_perl: ++++++++ Result: No match, no RADIUS attribute otherAttribute added.
rlm_perl: +++++ Found member 'Attribute Class'
rlm_perl: ++++++ Attribute: IF ''->'' == '' THEN 'Class'
rlm_perl: ++++++ no directory
rlm_perl: +++++++ User attribute is a string:
rlm_perl: +++++++ trying to match
rlm_perl: ++++++++ Result: No match, no RADIUS attribute Class added.
rlm_perl: ++++ Parsing group: Mapping
rlm_perl: +++++ Found member 'Mapping user'
rlm_perl: return RLM_MODULE_OK
(0)     perl-privacyidea: &request:Packet-Src-IP-Address = $RAD_REQUEST{'Packet-Src-IP-Address'} -> '192.168.30.88'
(0)     perl-privacyidea: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'xxxx'
(0)     perl-privacyidea: &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'xxxx460384'
(0)     perl-privacyidea: &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'privacyIDEA access granted'
(0)     perl-privacyidea: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl'
(0)     [perl-privacyidea] = ok
(0)   } # Auth-Type Perl = ok
(0) Sent Access-Accept Id 103 from 192.168.27.4:1812 to 192.168.30.88:50565 length 0
(0)   Reply-Message = "privacyIDEA access granted"
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 103 with timestamp +35
Ready to process requests

-- OPENVPN Server ...

Ready to process requests
(0) Received Access-Request Id 198 from 192.168.30.64:46447 to 192.168.27.4:1812 length 126
(0)   User-Name = "xxxx"
(0)   User-Password = "xxxx790008"
(0)   NAS-IP-Address = 127.0.0.1
(0)   NAS-Port = 1
(0)   Service-Type = Outbound-User
(0)   Calling-Station-Id = "192.168.30.48"
(0)   NAS-Identifier = "OpenVpn"
(0)   Acct-Session-Id = "D5C3CB2C6E3AE8BDC8051EB33E28C02E"
(0)   NAS-Port-Type = Virtual
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/privacyidea
(0)   authorize {
(0)     update request {
(0)       EXPAND %{Packet-Src-IP-Address}
(0)          --> 192.168.30.64
(0)       Packet-Src-IP-Address = 192.168.30.64
(0)     } # update request = noop
(0)     perl-privacyidea: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'xxxx'
(0)     perl-privacyidea: $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'xxxx790008'
(0)     perl-privacyidea: $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '127.0.0.1'
(0)     perl-privacyidea: $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '1'
(0)     perl-privacyidea: $RAD_REQUEST{'Service-Type'} = &request:Service-Type -> 'Outbound-User'
(0)     perl-privacyidea: $RAD_REQUEST{'Calling-Station-Id'} = &request:Calling-Station-Id -> '192.168.30.48'
(0)     perl-privacyidea: $RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier -> 'OpenVpn'
(0)     perl-privacyidea: $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Virtual'
(0)     perl-privacyidea: $RAD_REQUEST{'Acct-Session-Id'} = &request:Acct-Session-Id -> 'D5C3CB2C6E3AE8BDC8051EB33E28C02E'
(0)     perl-privacyidea: $RAD_REQUEST{'Packet-Src-IP-Address'} = &request:Packet-Src-IP-Address -> '192.168.30.64'
(0)     perl-privacyidea: &request:Service-Type = $RAD_REQUEST{'Service-Type'} -> 'Outbound-User'
(0)     perl-privacyidea: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '1'
(0)     perl-privacyidea: &request:Calling-Station-Id = $RAD_REQUEST{'Calling-Station-Id'} -> '192.168.30.48'
(0)     perl-privacyidea: &request:Packet-Src-IP-Address = $RAD_REQUEST{'Packet-Src-IP-Address'} -> '192.168.30.64'
(0)     perl-privacyidea: &request:Acct-Session-Id = $RAD_REQUEST{'Acct-Session-Id'} -> 'D5C3CB2C6E3AE8BDC8051EB33E28C02E'
(0)     perl-privacyidea: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 'Virtual'
(0)     perl-privacyidea: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '127.0.0.1'
(0)     perl-privacyidea: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'xxxx'
(0)     perl-privacyidea: &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'xxxx790008'
(0)     perl-privacyidea: &request:NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} -> 'OpenVpn'
(0)     [perl-privacyidea] = ok
(0)     if (ok || updated) {
(0)     if (ok || updated)  -> TRUE
(0)     if (ok || updated)  {
(0)       update control {
(0)         Auth-Type := Perl
(0)       } # update control = noop
(0)     } # if (ok || updated)  = noop
(0)   } # authorize = ok
(0) Found Auth-Type = Perl
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/privacyidea
(0)   Auth-Type Perl {
(0)     perl-privacyidea: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'xxxx'
(0)     perl-privacyidea: $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'xxxx790008'
(0)     perl-privacyidea: $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '127.0.0.1'
(0)     perl-privacyidea: $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '1'
(0)     perl-privacyidea: $RAD_REQUEST{'Service-Type'} = &request:Service-Type -> 'Outbound-User'
(0)     perl-privacyidea: $RAD_REQUEST{'Calling-Station-Id'} = &request:Calling-Station-Id -> '192.168.30.48'
(0)     perl-privacyidea: $RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier -> 'OpenVpn'
(0)     perl-privacyidea: $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Virtual'
(0)     perl-privacyidea: $RAD_REQUEST{'Acct-Session-Id'} = &request:Acct-Session-Id -> 'D5C3CB2C6E3AE8BDC8051EB33E28C02E'
(0)     perl-privacyidea: $RAD_REQUEST{'Packet-Src-IP-Address'} = &request:Packet-Src-IP-Address -> '192.168.30.64'
(0)     perl-privacyidea: $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'Perl'
(0)     perl-privacyidea: $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'Perl'
rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
rlm_perl: Debugging config: true
rlm_perl: Default URL https://localhost/validate/check
rlm_perl: Looking for config for auth-type Perl
rlm_perl: RAD_REQUEST: Service-Type = Outbound-User
rlm_perl: RAD_REQUEST: NAS-Port = 1
rlm_perl: RAD_REQUEST: Calling-Station-Id = 192.168.30.48
rlm_perl: RAD_REQUEST: Packet-Src-IP-Address = 192.168.30.64
rlm_perl: RAD_REQUEST: Acct-Session-Id = D5C3CB2C6E3AE8BDC8051EB33E28C02E
rlm_perl: RAD_REQUEST: NAS-Port-Type = Virtual
rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1
rlm_perl: RAD_REQUEST: User-Name = xxxx
rlm_perl: RAD_REQUEST: User-Password = xxxx790008
rlm_perl: RAD_REQUEST: NAS-Identifier = OpenVpn
rlm_perl: Setting client IP to 127.0.0.1.
rlm_perl: Auth-Type: Perl
rlm_perl: url: https://localhost/validate/check
rlm_perl: user sent to privacyidea: xxxx
rlm_perl: realm sent to privacyidea:
rlm_perl: resolver sent to privacyidea:
rlm_perl: client sent to privacyidea: 127.0.0.1
rlm_perl: state sent to privacyidea:
rlm_perl: urlparam user = xxxx
rlm_perl: urlparam client = 127.0.0.1
rlm_perl: urlparam pass = xxxx790008
rlm_perl: Request timeout: 10
rlm_perl: Not verifying SSL certificate!
rlm_perl: elapsed time for privacyidea call: 1.295836
rlm_perl: Content {"detail": {"message": "matching 1 tokens", "otplen": 6, "serial": "OATH0001F065", "threadid": 139802552300992, "type": "hotp"}, "id": 1, "jsonrpc": "2.0", "result": {"status": true, "value": true}, "time": 1641812150.074624, "version": "privacyIDEA 3.6.3", "versionnumber": "3.6.3", "signature": "rsa_sha256_pss:..."}
rlm_perl: privacyIDEA access granted
rlm_perl: ++++ Parsing group: Attribute
rlm_perl: +++++ Found member 'Attribute Filter-Id'
rlm_perl: ++++++ Attribute: IF ''->'' == '' THEN 'Filter-Id'
rlm_perl: ++++++ no directory
rlm_perl: +++++++ User attribute is a string:
rlm_perl: +++++++ trying to match
rlm_perl: ++++++++ Result: No match, no RADIUS attribute Filter-Id added.
rlm_perl: +++++ Found member 'Attribute otherAttribute'
rlm_perl: ++++++ Attribute: IF ''->'' == '' THEN 'otherAttribute'
rlm_perl: ++++++ no directory
rlm_perl: +++++++ User attribute is a string:
rlm_perl: +++++++ trying to match
rlm_perl: ++++++++ Result: No match, no RADIUS attribute otherAttribute added.
rlm_perl: +++++ Found member 'Attribute Class'
rlm_perl: ++++++ Attribute: IF ''->'' == '' THEN 'Class'
rlm_perl: ++++++ no directory
rlm_perl: +++++++ User attribute is a string:
rlm_perl: +++++++ trying to match
rlm_perl: ++++++++ Result: No match, no RADIUS attribute Class added.
rlm_perl: ++++ Parsing group: Mapping
rlm_perl: +++++ Found member 'Mapping user'
rlm_perl: return RLM_MODULE_OK
(0)     perl-privacyidea: &request:Service-Type = $RAD_REQUEST{'Service-Type'} -> 'Outbound-User'
(0)     perl-privacyidea: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '1'
(0)     perl-privacyidea: &request:Calling-Station-Id = $RAD_REQUEST{'Calling-Station-Id'} -> '192.168.30.48'
(0)     perl-privacyidea: &request:Packet-Src-IP-Address = $RAD_REQUEST{'Packet-Src-IP-Address'} -> '192.168.30.64'
(0)     perl-privacyidea: &request:Acct-Session-Id = $RAD_REQUEST{'Acct-Session-Id'} -> 'D5C3CB2C6E3AE8BDC8051EB33E28C02E'
(0)     perl-privacyidea: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 'Virtual'
(0)     perl-privacyidea: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '127.0.0.1'
(0)     perl-privacyidea: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'xxxx'
(0)     perl-privacyidea: &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'xxxx790008'
(0)     perl-privacyidea: &request:NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} -> 'OpenVpn'
(0)     perl-privacyidea: &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'privacyIDEA access granted'
(0)     perl-privacyidea: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl'
(0)     [perl-privacyidea] = ok
(0)   } # Auth-Type Perl = ok
(0) Sent Access-Accept Id 198 from 192.168.27.4:1812 to 192.168.30.64:46447 length 0
(0)   Reply-Message = "privacyIDEA access granted"
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 198 from 192.168.30.64:40879 to 192.168.27.4:1812 length 126
(1)   User-Name = "xxxx"
(1)   User-Password = "xxxx790008"
(1)   NAS-IP-Address = 127.0.0.1
(1)   NAS-Port = 1
(1)   Service-Type = Outbound-User
(1)   Calling-Station-Id = "192.168.30.48"
(1)   NAS-Identifier = "OpenVpn"
(1)   Acct-Session-Id = "D5C3CB2C6E3AE8BDC8051EB33E28C02E"
(1)   NAS-Port-Type = Virtual
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/privacyidea
(1)   authorize {
(1)     update request {
(1)       EXPAND %{Packet-Src-IP-Address}
(1)          --> 192.168.30.64
(1)       Packet-Src-IP-Address = 192.168.30.64
(1)     } # update request = noop
(1)     perl-privacyidea: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'xxxx'
(1)     perl-privacyidea: $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'xxxx790008'
(1)     perl-privacyidea: $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '127.0.0.1'
(1)     perl-privacyidea: $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '1'
(1)     perl-privacyidea: $RAD_REQUEST{'Service-Type'} = &request:Service-Type -> 'Outbound-User'
(1)     perl-privacyidea: $RAD_REQUEST{'Calling-Station-Id'} = &request:Calling-Station-Id -> '192.168.30.48'
(1)     perl-privacyidea: $RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier -> 'OpenVpn'
(1)     perl-privacyidea: $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Virtual'
(1)     perl-privacyidea: $RAD_REQUEST{'Acct-Session-Id'} = &request:Acct-Session-Id -> 'D5C3CB2C6E3AE8BDC8051EB33E28C02E'
(1)     perl-privacyidea: $RAD_REQUEST{'Packet-Src-IP-Address'} = &request:Packet-Src-IP-Address -> '192.168.30.64'
(1)     perl-privacyidea: &request:Service-Type = $RAD_REQUEST{'Service-Type'} -> 'Outbound-User'
(1)     perl-privacyidea: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '1'
(1)     perl-privacyidea: &request:Calling-Station-Id = $RAD_REQUEST{'Calling-Station-Id'} -> '192.168.30.48'
(1)     perl-privacyidea: &request:Packet-Src-IP-Address = $RAD_REQUEST{'Packet-Src-IP-Address'} -> '192.168.30.64'
(1)     perl-privacyidea: &request:Acct-Session-Id = $RAD_REQUEST{'Acct-Session-Id'} -> 'D5C3CB2C6E3AE8BDC8051EB33E28C02E'
(1)     perl-privacyidea: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 'Virtual'
(1)     perl-privacyidea: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '127.0.0.1'
(1)     perl-privacyidea: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'xxxx'
(1)     perl-privacyidea: &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'xxxx790008'
(1)     perl-privacyidea: &request:NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} -> 'OpenVpn'
(1)     [perl-privacyidea] = ok
(1)     if (ok || updated) {
(1)     if (ok || updated)  -> TRUE
(1)     if (ok || updated)  {
(1)       update control {
(1)         Auth-Type := Perl
(1)       } # update control = noop
(1)     } # if (ok || updated)  = noop
(1)   } # authorize = ok
(1) Found Auth-Type = Perl
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/privacyidea
(1)   Auth-Type Perl {
(1)     perl-privacyidea: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'xxxx'
(1)     perl-privacyidea: $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'xxxx790008'
(1)     perl-privacyidea: $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '127.0.0.1'
(1)     perl-privacyidea: $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '1'
(1)     perl-privacyidea: $RAD_REQUEST{'Service-Type'} = &request:Service-Type -> 'Outbound-User'
(1)     perl-privacyidea: $RAD_REQUEST{'Calling-Station-Id'} = &request:Calling-Station-Id -> '192.168.30.48'
(1)     perl-privacyidea: $RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier -> 'OpenVpn'
(1)     perl-privacyidea: $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Virtual'
(1)     perl-privacyidea: $RAD_REQUEST{'Acct-Session-Id'} = &request:Acct-Session-Id -> 'D5C3CB2C6E3AE8BDC8051EB33E28C02E'
(1)     perl-privacyidea: $RAD_REQUEST{'Packet-Src-IP-Address'} = &request:Packet-Src-IP-Address -> '192.168.30.64'
(1)     perl-privacyidea: $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'Perl'
(1)     perl-privacyidea: $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'Perl'
rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
rlm_perl: Debugging config: true
rlm_perl: Default URL https://localhost/validate/check
rlm_perl: Looking for config for auth-type Perl
rlm_perl: RAD_REQUEST: Service-Type = Outbound-User
rlm_perl: RAD_REQUEST: NAS-Port = 1
rlm_perl: RAD_REQUEST: Calling-Station-Id = 192.168.30.48
rlm_perl: RAD_REQUEST: Packet-Src-IP-Address = 192.168.30.64
rlm_perl: RAD_REQUEST: Acct-Session-Id = D5C3CB2C6E3AE8BDC8051EB33E28C02E
rlm_perl: RAD_REQUEST: NAS-Port-Type = Virtual
rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1
rlm_perl: RAD_REQUEST: User-Name = xxxx
rlm_perl: RAD_REQUEST: User-Password = xxxx790008
rlm_perl: RAD_REQUEST: NAS-Identifier = OpenVpn
rlm_perl: Setting client IP to 127.0.0.1.
rlm_perl: Auth-Type: Perl
rlm_perl: url: https://localhost/validate/check
rlm_perl: user sent to privacyidea: xxxx
rlm_perl: realm sent to privacyidea:
rlm_perl: resolver sent to privacyidea:
rlm_perl: client sent to privacyidea: 127.0.0.1
rlm_perl: state sent to privacyidea:
rlm_perl: urlparam user = xxxx
rlm_perl: urlparam client = 127.0.0.1
rlm_perl: urlparam pass = xxxx790008
rlm_perl: Request timeout: 10
rlm_perl: Not verifying SSL certificate!
rlm_perl: elapsed time for privacyidea call: 1.115126
rlm_perl: Content {"detail": {"message": "wrong otp value. previous otp used again", "otplen": 6, "serial": "OATH0001F065", "threadid": 139802552300992, "type": "hotp"}, "id": 1, "jsonrpc": "2.0", "result": {"status": true, "value": false}, "time": 1641812151.1848474, "version": "privacyIDEA 3.6.3", "versionnumber": "3.6.3", "signature": "rsa_sha256_pss:..."}
rlm_perl: privacyIDEA Result status is true!
rlm_perl: privacyIDEA access denied
rlm_perl: return RLM_MODULE_REJECT
(1)     perl-privacyidea: &request:Service-Type = $RAD_REQUEST{'Service-Type'} -> 'Outbound-User'
(1)     perl-privacyidea: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '1'
(1)     perl-privacyidea: &request:Calling-Station-Id = $RAD_REQUEST{'Calling-Station-Id'} -> '192.168.30.48'
(1)     perl-privacyidea: &request:Packet-Src-IP-Address = $RAD_REQUEST{'Packet-Src-IP-Address'} -> '192.168.30.64'
(1)     perl-privacyidea: &request:Acct-Session-Id = $RAD_REQUEST{'Acct-Session-Id'} -> 'D5C3CB2C6E3AE8BDC8051EB33E28C02E'
(1)     perl-privacyidea: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 'Virtual'
(1)     perl-privacyidea: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '127.0.0.1'
(1)     perl-privacyidea: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'xxxx'
(1)     perl-privacyidea: &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'xxxx790008'
(1)     perl-privacyidea: &request:NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} -> 'OpenVpn'
(1)     perl-privacyidea: &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'wrong otp value. previous otp used again'
(1)     perl-privacyidea: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl'
(1)     [perl-privacyidea] = reject
(1)   } # Auth-Type Perl = reject
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) Post-Auth-Type sub-section not found.  Ignoring.
(1) Delaying response for 1.000000 seconds
Waking up in 0.9 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 198 from 192.168.27.4:1812 to 192.168.30.64:40879 length 62
(1)   Reply-Message = "wrong otp value. previous otp used again"
Waking up in 2.8 seconds.
(0) Cleaning up request packet ID 198 with timestamp +24
Waking up in 1.1 seconds.
(1) Cleaning up request packet ID 198 with timestamp +26
Ready to process requests

vim /etc/freeradius/3.0/sites-enabled/privacyidea

server {
    authorize {
        #files
        update request {
            # Add the Packet Src IP to the request as client fallback
            Packet-Src-IP-Address = "%{Packet-Src-IP-Address}"
        }
        perl-privacyidea
        if (ok || updated) {
            update control {
                Auth-Type := Perl
            }
        }
    }

    listen {
        type = auth
        ipaddr = *
        port = 0
    }

    authenticate {
        Auth-Type Perl {
            perl-privacyidea
        }
    }
}

Thank you !!!!

itxworks, Jan 10 '22 11:01
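Editor's note on the debug output above, with an added example that is not part of the issue and not code from privacyIDEA or the radiusplugin project. The OpenVPN log shows the radiusplugin sending the same Access-Request (Id 198, identical User-Password and Acct-Session-Id) twice from two different source ports; the first gets an Access-Accept, the second is rejected with "wrong otp value. previous otp used again", which is exactly what a HOTP token must do when an OTP is re-presented. The same output also carries "rlm_perl: Not verifying SSL certificate!", meaning the plugin is not checking the privacyIDEA server's TLS certificate. The script below reads FreeRADIUS `-X` style lines, reports requests that re-present credentials already seen (fingerprinted with SHA-256 so the report never carries the OTP), and flags the disabled certificate check. `SAMPLE_LOG`, the user name `alice` and the password values in it are constructed for this example and modelled on the issue's log; nothing else is assumed.

```python
import hashlib
import re

# Constructed sample, modelled on the freeradius -X output posted in the issue.
# Line 6 is the rlm_perl TLS warning; requests (0) and (1) carry the same OTP.
SAMPLE_LOG = """\
(0) Received Access-Request Id 198 from 192.168.30.64:46447 to 192.168.27.4:1812 length 126
(0)   User-Name = "alice"
(0)   User-Password = "pin123456"
(0)   NAS-Identifier = "OpenVpn"
(0)   Acct-Session-Id = "D5C3CB2C6E3AE8BDC8051EB33E28C02E"
rlm_perl: Not verifying SSL certificate!
(0) Sent Access-Accept Id 198 from 192.168.27.4:1812 to 192.168.30.64:46447 length 0
(0)   Reply-Message = "privacyIDEA access granted"
(1) Received Access-Request Id 198 from 192.168.30.64:40879 to 192.168.27.4:1812 length 126
(1)   User-Name = "alice"
(1)   User-Password = "pin123456"
(1)   NAS-Identifier = "OpenVpn"
(1)   Acct-Session-Id = "D5C3CB2C6E3AE8BDC8051EB33E28C02E"
(1) Sent Access-Reject Id 198 from 192.168.27.4:1812 to 192.168.30.64:40879 length 62
(1)   Reply-Message = "wrong otp value. previous otp used again"
(2) Received Access-Request Id 118 from 192.168.30.64:38970 to 192.168.27.4:1812 length 77
(2)   User-Name = "alice"
(2)   User-Password = "pin654321"
(2)   NAS-Identifier = "openvpn"
(2)   Service-Type = Authenticate-Only
(2) Sent Access-Accept Id 118 from 192.168.27.4:1812 to 192.168.30.64:38970 length 0
"""

RECV_RE = re.compile(r"^\((\d+)\) Received Access-Request Id (\d+) from (\S+) to (\S+)")
SENT_RE = re.compile(r"^\((\d+)\) Sent (Access-Accept|Access-Reject|Access-Challenge) Id (\d+)")
# "(n)   Attr = value" or "(n)   Attr = "value""; module output and braces do not match.
ATTR_RE = re.compile(r'^\((\d+)\)\s+([\w-]+) = "?([^"]*)"?$')


def parse_requests(log_text):
    """Build {request_no: {id, src, attrs, reply, reply_attrs}} from freeradius -X lines."""
    reqs, replied = {}, set()
    for line in log_text.splitlines():
        m = RECV_RE.match(line)
        if m:
            no = int(m.group(1))
            reqs[no] = {"id": int(m.group(2)), "src": m.group(3),
                        "attrs": {}, "reply": None, "reply_attrs": {}}
            continue
        m = SENT_RE.match(line)
        if m:
            no = int(m.group(1))
            if no in reqs:
                reqs[no]["reply"] = m.group(2)
                replied.add(no)          # attributes that follow belong to the reply
            continue
        m = ATTR_RE.match(line)
        if m:
            no = int(m.group(1))
            if no in reqs:
                bucket = "reply_attrs" if no in replied else "attrs"
                reqs[no][bucket][m.group(2)] = m.group(3)
    return reqs


def credential_fingerprint(attrs):
    """Hash user+password so the report never carries the OTP itself."""
    raw = attrs.get("User-Name", "") + "\0" + attrs.get("User-Password", "")
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def find_otp_replays(reqs):
    """Requests that re-present credentials an earlier request already sent.

    A HOTP/TOTP value is single use, so privacyIDEA rejects the second
    submission ("previous otp used again") even though the first was accepted;
    a NAS that retransmits or double-checks the same password therefore fails.
    """
    seen, replays = {}, []
    for no in sorted(reqs):
        r = reqs[no]
        if "User-Password" not in r["attrs"]:
            continue
        fp = credential_fingerprint(r["attrs"])
        if fp in seen:
            first = seen[fp]
            replays.append({
                "user": r["attrs"].get("User-Name"),
                "first_request": first,
                "replay_request": no,
                "same_packet_id": reqs[first]["id"] == r["id"],
                "src_port_changed": reqs[first]["src"] != r["src"],
                "first_reply": reqs[first]["reply"],
                "replay_reply": r["reply"],
                "replay_message": r["reply_attrs"].get("Reply-Message"),
            })
        else:
            seen[fp] = no
    return replays


def find_tls_verification_disabled(log_text):
    """1-based line numbers where rlm_perl says it is not verifying the server cert."""
    return [i for i, line in enumerate(log_text.splitlines(), 1)
            if "Not verifying SSL certificate" in line]


def main():
    reqs = parse_requests(SAMPLE_LOG)
    for hit in find_otp_replays(reqs):
        print(f"user {hit['user']}: request ({hit['replay_request']}) re-sent the credentials "
              f"of request ({hit['first_request']}); same RADIUS Id={hit['same_packet_id']}, "
              f"new source port={hit['src_port_changed']}; first={hit['first_reply']}, "
              f"replay={hit['replay_reply']} ({hit['replay_message']})")
    for ln in find_tls_verification_disabled(SAMPLE_LOG):
        print(f"line {ln}: rlm_perl is not verifying the privacyIDEA TLS certificate")


if __name__ == "__main__":
    main()
```

Run it against a real `freeradius -X` capture by replacing `SAMPLE_LOG` with the file contents. A replay hit whose first reply is Access-Accept and whose replay reply is Access-Reject is the NAS-side double submission seen in the issue, not a user typing a wrong code; a hit on the TLS line means the privacyIDEA server certificate should be made verifiable and the plugin's verification switched back on before the setup goes into production.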

Got it working with RADIUS PAM -> Service-Type = Authenticate-Only

(0) Received Access-Request Id 118 from 192.168.30.64:38970 to 192.168.27.4:1812 length 77
(0)   User-Name = "xxxx"
(0)   User-Password = "xxxx248868"
(0)   NAS-IP-Address = 192.168.30.64
(0)   NAS-Identifier = "openvpn"
(0)   NAS-Port = 6309
(0)   NAS-Port-Type = Virtual
(0)   Service-Type = Authenticate-Only
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/privacyidea
(0)   authorize {
(0)     update request {
(0)       EXPAND %{Packet-Src-IP-Address}
(0)          --> 192.168.30.64
(0)       Packet-Src-IP-Address = 192.168.30.64
(0)     } # update request = noop
(0)     perl-privacyidea: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'xxxx'
(0)     perl-privacyidea: $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'xxxx248868'
(0)     perl-privacyidea: $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '192.168.30.64'
(0)     perl-privacyidea: $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '6309'
(0)     perl-privacyidea: $RAD_REQUEST{'Service-Type'} = &request:Service-Type -> 'Authenticate-Only'
(0)     perl-privacyidea: $RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier -> 'openvpn'
(0)     perl-privacyidea: $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Virtual'
(0)     perl-privacyidea: $RAD_REQUEST{'Packet-Src-IP-Address'} = &request:Packet-Src-IP-Address -> '192.168.30.64'
(0)     perl-privacyidea: &request:NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} -> 'openvpn'
(0)     perl-privacyidea: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '6309'
(0)     perl-privacyidea: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 'Virtual'
(0)     perl-privacyidea: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'xxxx'
(0)     perl-privacyidea: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '192.168.30.64'
(0)     perl-privacyidea: &request:Service-Type = $RAD_REQUEST{'Service-Type'} -> 'Authenticate-Only'
(0)     perl-privacyidea: &request:Packet-Src-IP-Address = $RAD_REQUEST{'Packet-Src-IP-Address'} -> '192.168.30.64'
(0)     perl-privacyidea: &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'xxxx248868'
(0)     [perl-privacyidea] = ok
(0)     if (ok || updated) {
(0)     if (ok || updated)  -> TRUE
(0)     if (ok || updated)  {
(0)       update control {
(0)         Auth-Type := Perl
(0)       } # update control = noop
(0)     } # if (ok || updated)  = noop
(0)   } # authorize = ok
(0) Found Auth-Type = Perl
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/privacyidea
(0)   Auth-Type Perl {
(0)     perl-privacyidea: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'xxxx'
(0)     perl-privacyidea: $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'xxxx248868'
(0)     perl-privacyidea: $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '192.168.30.64'
(0)     perl-privacyidea: $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '6309'
(0)     perl-privacyidea: $RAD_REQUEST{'Service-Type'} = &request:Service-Type -> 'Authenticate-Only'
(0)     perl-privacyidea: $RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier -> 'openvpn'
(0)     perl-privacyidea: $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Virtual'
(0)     perl-privacyidea: $RAD_REQUEST{'Packet-Src-IP-Address'} = &request:Packet-Src-IP-Address -> '192.168.30.64'
(0)     perl-privacyidea: $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'Perl'
(0)     perl-privacyidea: $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'Perl'
rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
rlm_perl: Debugging config: true
rlm_perl: Default URL https://localhost/validate/check
rlm_perl: Looking for config for auth-type Perl
rlm_perl: RAD_REQUEST: NAS-Identifier = openvpn
rlm_perl: RAD_REQUEST: NAS-Port = 6309
rlm_perl: RAD_REQUEST: NAS-Port-Type = Virtual
rlm_perl: RAD_REQUEST: User-Name = xxxx
rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.168.30.64
rlm_perl: RAD_REQUEST: Service-Type = Authenticate-Only
rlm_perl: RAD_REQUEST: Packet-Src-IP-Address = 192.168.30.64
rlm_perl: RAD_REQUEST: User-Password = xxxx248868
rlm_perl: Setting client IP to 192.168.30.64.
rlm_perl: Auth-Type: Perl
rlm_perl: url: https://localhost/validate/check
rlm_perl: user sent to privacyidea: xxxx
rlm_perl: realm sent to privacyidea:
rlm_perl: resolver sent to privacyidea:
rlm_perl: client sent to privacyidea: 192.168.30.64
rlm_perl: state sent to privacyidea:
rlm_perl: urlparam pass = xxxx248868
rlm_perl: urlparam client = 192.168.30.64
rlm_perl: urlparam user = xxxx
rlm_perl: Request timeout: 10
rlm_perl: Not verifying SSL certificate!
rlm_perl: elapsed time for privacyidea call: 1.299244
rlm_perl: Content {"detail": {"message": "matching 1 tokens", "otplen": 6, "serial": "OATH0001F065", "threadid": 139802552300992, "type": "hotp"}, "id": 1, "jsonrpc": "2.0", "result": {"status": true, "value": true}, "time": 1641819935.5099869, "version": "privacyIDEA 3.6.3", "versionnumber": "3.6.3", "signature": "rsa_sha256_pss:..."}
rlm_perl: privacyIDEA access granted
rlm_perl: ++++ Parsing group: Mapping
rlm_perl: +++++ Found member 'Mapping user'
rlm_perl: ++++ Parsing group: Attribute
rlm_perl: +++++ Found member 'Attribute Filter-Id'
rlm_perl: ++++++ Attribute: IF ''->'' == '' THEN 'Filter-Id'
rlm_perl: ++++++ no directory
rlm_perl: +++++++ User attribute is a string:
rlm_perl: +++++++ trying to match
rlm_perl: ++++++++ Result: No match, no RADIUS attribute Filter-Id added.
rlm_perl: +++++ Found member 'Attribute otherAttribute'
rlm_perl: ++++++ Attribute: IF ''->'' == '' THEN 'otherAttribute'
rlm_perl: ++++++ no directory
rlm_perl: +++++++ User attribute is a string:
rlm_perl: +++++++ trying to match
rlm_perl: ++++++++ Result: No match, no RADIUS attribute otherAttribute added.
rlm_perl: +++++ Found member 'Attribute Class'
rlm_perl: ++++++ Attribute: IF ''->'' == '' THEN 'Class'
rlm_perl: ++++++ no directory
rlm_perl: +++++++ User attribute is a string:
rlm_perl: +++++++ trying to match
rlm_perl: ++++++++ Result: No match, no RADIUS attribute Class added.
rlm_perl: return RLM_MODULE_OK
(0)     perl-privacyidea: &request:NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} -> 'openvpn'
(0)     perl-privacyidea: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '6309'
(0)     perl-privacyidea: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 'Virtual'
(0)     perl-privacyidea: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'xxxx'
(0)     perl-privacyidea: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '192.168.30.64'
(0)     perl-privacyidea: &request:Service-Type = $RAD_REQUEST{'Service-Type'} -> 'Authenticate-Only'
(0)     perl-privacyidea: &request:Packet-Src-IP-Address = $RAD_REQUEST{'Packet-Src-IP-Address'} -> '192.168.30.64'
(0)     perl-privacyidea: &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'xxxx248868'
(0)     perl-privacyidea: &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'privacyIDEA access granted'
(0)     perl-privacyidea: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl'
(0)     [perl-privacyidea] = ok
(0)   } # Auth-Type Perl = ok
(0) Sent Access-Accept Id 118 from 192.168.27.4:1812 to 192.168.30.64:38970 length 0
(0)   Reply-Message = "privacyIDEA access granted"
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 118 with timestamp +43
Ready to process requests

...

itxworks, Jan 10 '22 13:01