jimdigriz / freeradius-oauth2-perl

FreeRADIUS OAuth2 (OpenID Connect) using rlm_perl
GNU Affero General Public License v3.0

FreeRADIUS and Azure Integration #46

Closed jeremytampon closed 2 weeks ago

jeremytampon commented 3 weeks ago

We are trying to set up and integrate the "Cloud RADIUS Server using FreeRADIUS + daloRADIUS on Ubuntu 20.04" with Microsoft Azure AD. Upon integration we encountered the below error saying "token failed: 400 Bad Request". We would like to ask for your assistance. Thank you.


```
(0) policy oauth2.authorize {
(0)   if (&Realm && &User-Password && "%{config:realm[%{Realm}].oauth2.discovery}") {
(0)     EXPAND realm[**.com].oauth2.discovery
(0)        --> realm[**.com].oauth2.discovery
(0)     EXPAND %{config:realm[%{Realm}].oauth2.discovery}
(0)        --> https://login.microsoftonline.com/%{Realm}/v2.0
(0)   if (&Realm && &User-Password && "%{config:realm[%{Realm}].oauth2.discovery}")  -> TRUE
(0)   if (&Realm && &User-Password && "%{config:realm[%{Realm}].oauth2.discovery}")  {
(0)     oauth2_perl: $RAD_REQUEST{'User-Name'} = &request:User-Name -> '**@**.com'
(0)     oauth2_perl: $RAD_REQUEST{'User-Password'} = &request:User-Password -> '**'
(0)     oauth2_perl: $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '192.168.x.x'
(0)     oauth2_perl: $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '84xx'
(0)     oauth2_perl: $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Virtual'
(0)     oauth2_perl: $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Oct 28 2024 07:13:21 PST'
(0)     oauth2_perl: $RAD_REQUEST{'Message-Authenticator'} = &request:Message-Authenticator -> 'xxxxxxxxxxxxxxxxxxxxxxxxxx'
(0)     oauth2_perl: $RAD_REQUEST{'Stripped-User-Name'} = &request:Stripped-User-Name -> '****'
(0)     oauth2_perl: $RAD_REQUEST{'Realm'} = &request:Realm -> '**.com'
(0)     oauth2_perl: $RAD_CHECK{'Proxy-To-Realm'} = &control:Proxy-To-Realm -> '**.com'
(0)     oauth2_perl: $RAD_CONFIG{'Proxy-To-Realm'} = &control:Proxy-To-Realm -> '**.com'
rlm_perl: oauth2 authorize
(0)     oauth2_perl: EXPAND realm[**.com].oauth2.discovery
(0)     oauth2_perl:    --> realm[**.com].oauth2.discovery
(0)     oauth2_perl: EXPAND %{config:realm[**.com].oauth2.discovery}
(0)     oauth2_perl:    --> https://login.microsoftonline.com/%{Realm}/v2.0
(0)     oauth2_perl: EXPAND https://login.microsoftonline.com/%{Realm}/v2.0
(0)     oauth2_perl:    --> https://login.microsoftonline.com/******.com/v2.0
(0)     oauth2_perl: EXPAND realm[**.com].oauth2.client_id
(0)     oauth2_perl:    --> realm[**.com].oauth2.client_id
(0)     oauth2_perl: EXPAND %{config:realm[**.com].oauth2.client_id}
(0)     oauth2_perl:    --> *
(0)     oauth2_perl: EXPAND realm[**.com].oauth2.client_secret
(0)     oauth2_perl:    --> realm[**.com].oauth2.client_secret
(0)     oauth2_perl: EXPAND %{config:realm[**.com].oauth2.client_secret}
(0)     oauth2_perl:    --> *
rlm_perl: oauth2 worker (**.com): supervisor started (tid=1)
rlm_perl: oauth2 worker (**.com): fetching discovery document
rlm_perl: oauth2 worker (**.com): started (tid=2)
rlm_perl: oauth2 worker (**.com): sync
rlm_perl: oauth2 worker (**.com): sync users
rlm_perl: oauth2 worker (**.com): users page
rlm_perl: oauth2 worker (**.com): fetching token
rlm_perl: oauth2 worker (**.com): token failed: 400 Bad Request
Use of uninitialized value $v in concatenation (.) or string at /usr/share/perl5/Net/HTTP/Methods.pm line 161.
rlm_perl: oauth2 worker (**.com): users failed: 400 Bad Request
rlm_perl: oauth2 worker (**.com): sync groups
rlm_perl: oauth2 worker (**.com): groups page
rlm_perl: oauth2 worker (**.com): fetching token
rlm_perl: oauth2 worker (**.com): token failed: 400 Bad Request
Use of uninitialized value $v in concatenation (.) or string at /usr/share/perl5/Net/HTTP/Methods.pm line 161.
rlm_perl: oauth2 worker (**.com): groups failed: 400 Bad Request
rlm_perl: oauth2 worker (**.com): apply
rlm_perl: oauth2 worker (**.com): syncing in 37 seconds
(0)     oauth2_perl: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '8443'
(0)     oauth2_perl: &request:User-Password = $RAD_REQUEST{'User-Password'} -> '**'
(0)     oauth2_perl: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '192.168.x.x'
(0)     oauth2_perl: &request:Realm = $RAD_REQUEST{'Realm'} -> '**.com'
(0)     oauth2_perl: &request:User-Name = $RAD_REQUEST{'User-Name'} -> '**@**.com'
(0)     oauth2_perl: &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Oct 28 2024 07:13:21 PST'
(0)     oauth2_perl: &request:Message-Authenticator = $RAD_REQUEST{'Message-Authenticator'} -> '0x1fc4c5530d1a6afebfde3dac7dde846b'
(0)     oauth2_perl: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 'Virtual'
(0)     oauth2_perl: &request:Stripped-User-Name = $RAD_REQUEST{'Stripped-User-Name'} -> '**'
(0)     oauth2_perl: &control:Proxy-To-Realm = $RAD_CHECK{'Proxy-To-Realm'} -> '**.com'
(0)     [oauth2_perl] = notfound
(0)     if (updated && "%{config:realm[%{Realm}].oauth2.cache_password}" =~ /^(yes)?$/i) {
(0)     if (updated && "%{config:realm[%{Realm}].oauth2.cache_password}" =~ /^(yes)?$/i)  -> FALSE
(0)   } # if (&Realm && &User-Password && "%{config:realm[%{Realm}].oauth2.discovery}") = notfound
(0)   ... skipping else: Preceding "if" was taken
(0) } # policy oauth2.authorize = notfound
```


jimdigriz commented 3 weeks ago

I would recheck your values for client_id and that aboitiz.com is a registered domain for you in Azure Entra ID; bad request means that something about the parameters you have provided is incorrect.

jeremytampon commented 3 weeks ago

[EDIT TO SANITISE OUT CREDENTIALS]

Hi jimdigriz,

I have managed to fix the error in client_id. But now it keeps looping at the "Authorization: Bearer". Please see the attached log file.

Thank you,

On Tue, Oct 29, 2024 at 8:03 PM Alexander Clouter @.***> wrote:

> I would recheck your values for client_id and that **.com is a registered domain for you in Azure Entra ID.


```
(0) policy oauth2.authorize {
(0)   if (&Realm && &User-Password && "%{config:realm[%{Realm}].oauth2.discovery}") {
(0)     EXPAND realm[**.com].oauth2.discovery
(0)        --> realm[**.com].oauth2.discovery
(0)     EXPAND %{config:realm[%{Realm}].oauth2.discovery}
(0)        --> https://login.microsoftonline.com/%{Realm}/v2.0
(0)   if (&Realm && &User-Password && "%{config:realm[%{Realm}].oauth2.discovery}")  -> TRUE
(0)   if (&Realm && &User-Password && "%{config:realm[%{Realm}].oauth2.discovery}")  {
(0)     oauth2_perl: $RAD_REQUEST{'User-Name'} = &request:User-Name -> '**@**.com'
(0)     oauth2_perl: $RAD_REQUEST{'User-Password'} = &request:User-Password -> '****'
(0)     oauth2_perl: $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '192.168.x.x'
(0)     oauth2_perl: $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '84xx'
(0)     oauth2_perl: $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Virtual'
(0)     oauth2_perl: $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Oct 31 2024 11:48:32 PST'
(0)     oauth2_perl: $RAD_REQUEST{'Message-Authenticator'} = &request:Message-Authenticator -> '0xca9f6f995a80fd2ba03954b48ee0b938'
(0)     oauth2_perl: $RAD_REQUEST{'Stripped-User-Name'} = &request:Stripped-User-Name -> '****'
(0)     oauth2_perl: $RAD_REQUEST{'Realm'} = &request:Realm -> '**.com'
(0)     oauth2_perl: $RAD_CHECK{'Proxy-To-Realm'} = &control:Proxy-To-Realm -> '**.com'
(0)     oauth2_perl: $RAD_CONFIG{'Proxy-To-Realm'} = &control:Proxy-To-Realm -> '**.com'
rlm_perl: oauth2 authorize
(0)     oauth2_perl: EXPAND realm[**.com].oauth2.discovery
(0)     oauth2_perl:    --> realm[**.com].oauth2.discovery
(0)     oauth2_perl: EXPAND %{config:realm[**.com].oauth2.discovery}
(0)     oauth2_perl:    --> https://login.microsoftonline.com/%{Realm}/v2.0
(0)     oauth2_perl: EXPAND https://login.microsoftonline.com/%{Realm}/v2.0
(0)     oauth2_perl:    --> https://login.microsoftonline.com/******.com/v2.0
(0)     oauth2_perl: EXPAND realm[**.com].oauth2.client_id
(0)     oauth2_perl:    --> realm[**.com].oauth2.client_id
(0)     oauth2_perl: EXPAND %{config:realm[**.com].oauth2.client_id}
(0)     oauth2_perl:    --> *
(0)     oauth2_perl: EXPAND realm[**.com].oauth2.client_secret
(0)     oauth2_perl:    --> realm[**.com].oauth2.client_secret
(0)     oauth2_perl: EXPAND %{config:realm[**.com].oauth2.client_secret}
(0)     oauth2_perl:    --> *
rlm_perl: oauth2 worker (**.com): supervisor started (tid=1)
rlm_perl: oauth2 worker (**.com): fetching discovery document
rlm_perl: GET https://login.microsoftonline.com/******.com/v2.0/.well-known/openid-configuration
rlm_perl: Accept-Encoding: gzip, x-gzip, deflate, x-bzip2, bzip2
rlm_perl: User-Agent: freeradius-oauth2-perl/0.2 (+https://github.com/jimdigriz/freeradius-oauth2-perl; libwww-perl/6.43)
rlm_perl:
rlm_perl: (no content)
rlm_perl: HTTP/1.1 200 OK
rlm_perl: Cache-Control: max-age=86400, private
rlm_perl: Date: Thu, 31 Oct 2024 03:48:32 GMT
rlm_perl: Content-Length: 1753
rlm_perl: Content-Type: application/json; charset=utf-8
rlm_perl: Access-Control-Allow-Methods: GET, OPTIONS
rlm_perl: Access-Control-Allow-Origin: *
rlm_perl: Client-Date: Thu, 31 Oct 2024 03:48:33 GMT
rlm_perl: Client-Peer: x.x.x.x:44x
rlm_perl: Client-Response-Num: 1
rlm_perl: Client-SSL-Cert-Issuer: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
rlm_perl: Client-SSL-Cert-Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=stamp2.login.microsoftonline.com
rlm_perl: Client-SSL-Cipher: TLS_AES_256_GCM_SHA384
rlm_perl: Client-SSL-Socket-Class: IO::Socket::SSL
rlm_perl: P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
rlm_perl: Set-Cookie: fpc=AvlrhZcELFhAvbBdjGOTizE; expires=Sat, 30-Nov-2024 03:48:33 GMT; path=/; secure; HttpOnly; SameSite=None
rlm_perl: Set-Cookie: esctx=PAQABBwEAAADW6jl31mB3T7ugrWTT8pFea9guaRtj3SFyaBm-o-PxJbT4E7dWLB1oJN1WnbMjzrlXjm8S58ZAC6eRzI61uJyoIYRDMmuWYGWRLajfQSsUX0Uf9nfJoXcqaXViw07yZlAFSPwgXiKAqZPwWxU6d6hBwD9EAcphNFrGC_v66GxdHgeNkwRm7dBtX9GCrKnQP98gAA; domain=.login.microsoftonline.com; path=/; secure; HttpOnly; SameSite=None
rlm_perl: Set-Cookie: x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly
rlm_perl: Set-Cookie: stsservicecookie=estsfd; path=/; secure; samesite=none; httponly
rlm_perl: Strict-Transport-Security: max-age=31536000; includeSubDomains
rlm_perl: X-Content-Type-Options: nosniff
rlm_perl: X-Ms-Ests-Server: 2.1.19267.5 - KRSLR1 ProdSlices
rlm_perl: X-Ms-Request-Id: f6245ca9-dc7b-4b9b-99b6-xxxxxxxxxxx
rlm_perl: X-Ms-Srs: 1.P
rlm_perl: X-XSS-Protection: 0
rlm_perl:
rlm_perl: {"token_endpoint":"https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxxxxxx/oauth2/v2.0/token","token_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt","client_secret_basic"],"jwks_uri":"https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/discovery/v2.0/keys","response_modes_supported":["query","fragment","form_post"],"subject_types_supported":["pairwise"],"id_token_signing_alg_values_supported":["RS256"],"response_types_supported":["code","id_token","...
rlm_perl: (+ 1241 more bytes not shown)
rlm_perl: oauth2 worker (**.com): started (tid=2)
rlm_perl: oauth2 worker (**.com): sync
rlm_perl: oauth2 worker (**.com): sync users
rlm_perl: oauth2 worker (**.com): users page
rlm_perl: oauth2 worker (**.com): fetching token
rlm_perl: POST https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/oauth2/v2.0/token
rlm_perl: Accept-Encoding: gzip, x-gzip, deflate, x-bzip2, bzip2
rlm_perl: User-Agent: freeradius-oauth2-perl/0.2 (+https://github.com/jimdigriz/freeradius-oauth2-perl; libwww-perl/6.43)
rlm_perl: Content-Length: 182
rlm_perl: Content-Type: application/x-www-form-urlencoded
rlm_perl:
rlm_perl: client_id=**&client_secret=**&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&grant_type=client_credentials
rlm_perl: HTTP/1.1 200 OK
rlm_perl: Cache-Control: no-store, no-cache
rlm_perl: Date: Thu, 31 Oct 2024 03:48:32 GMT
rlm_perl: Pragma: no-cache
rlm_perl: Content-Length: 1661
rlm_perl: Content-Type: application/json; charset=utf-8
rlm_perl: Expires: -1
rlm_perl: Client-Date: Thu, 31 Oct 2024 03:48:33 GMT
rlm_perl: Client-Peer: 40.126.16.166:443
rlm_perl: Client-Response-Num: 2
rlm_perl: Client-SSL-Cert-Issuer: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
rlm_perl: Client-SSL-Cert-Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=stamp2.login.microsoftonline.com
rlm_perl: Client-SSL-Cipher: TLS_AES_256_GCM_SHA384
rlm_perl: Client-SSL-Socket-Class: IO::Socket::SSL
rlm_perl: Client-SSL-Warning: Peer certificate not verified
rlm_perl: P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
rlm_perl: Set-Cookie: fpc=xxxxxxxxxxxxxxxxxxxxxxxxxxxx; expires=Sat, 30-Nov-2024 03:48:33 GMT; path=/; secure; HttpOnly; SameSite=None
rlm_perl: Set-Cookie: x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly
rlm_perl: Set-Cookie: stsservicecookie=estsfd; path=/; secure; samesite=none; httponly
rlm_perl: Strict-Transport-Security: max-age=31536000; includeSubDomains
rlm_perl: X-Content-Type-Options: nosniff
rlm_perl: X-Ms-Ests-Server: 2.1.19267.5 - SEASLR1 ProdSlices
rlm_perl: X-Ms-Request-Id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
rlm_perl: X-Ms-Srs: 1.P
rlm_perl: X-XSS-Protection: 0
rlm_perl:
rlm_perl: {"token_type":"Bearer","expires_in":3599,"ext_expires_in":3599,"access_token":"eyJ0e...CZ1lE...
rlm_perl: (+ 1149 more bytes not shown)
rlm_perl: GET https://graph.microsoft.com/v1.0/users/delta?$select=id,userPrincipalName,isResourceAccount,accountEnabled,lastPasswordChangeDateTime
rlm_perl: Accept: application/json
rlm_perl: Accept-Encoding: gzip, x-gzip, deflate, x-bzip2, bzip2
rlm_perl: Authorization: Bearer xxxxxxxxxxxxxxxxxxxxxxxx
rlm_perl: User-Agent: freeradius-oauth2-perl/0.2 (+https://github.com/jimdigriz/freeradius-oauth2-perl; libwww-perl/6.43)
rlm_perl: Prefer: return=minimal
rlm_perl:
rlm_perl: (no content)
rlm_perl: HTTP/1.1 200 OK
rlm_perl: Cache-Control: no-cache
rlm_perl: Date: Thu, 31 Oct 2024 03:48:33 GMT
rlm_perl: Vary: Accept-Encoding
rlm_perl: Content-Type: application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8
rlm_perl: Client-Date: Thu, 31 Oct 2024 03:48:33 GMT
rlm_perl: Client-Peer: 40.126.35.88:443
rlm_perl: Client-Request-Id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
rlm_perl: Client-Response-Num: 1
rlm_perl: Client-SSL-Cert-Issuer: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
rlm_perl: Client-SSL-Cert-Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=graph.microsoft.com
rlm_perl: Client-SSL-Cipher: TLS_AES_256_GCM_SHA384
rlm_perl: Client-SSL-Socket-Class: IO::Socket::SSL
rlm_perl: Client-Transfer-Encoding: chunked
rlm_perl: OData-Version: 4.0
rlm_perl: Preference-Applied: return=minimal
rlm_perl: Request-Id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
rlm_perl: Strict-Transport-Security: max-age=31536000
rlm_perl: X-Ms-Ags-Diagnostic: {"ServerInfo":{"DataCenter":"Southeast Asia","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"SG1PEPF00002016"}}
rlm_perl:
rlm_perl: @.**@.":"https://graph.microsoft.com/v1.0/users/delta?$skiptoken=...
rlm_perl: (+ 35445 more bytes not shown)
rlm_perl: oauth2 worker (**.com): users page
rlm_perl: GET https://graph.microsoft.com/v1.0/users/delta?$skiptoken=...
rlm_perl: Accept: application/json
rlm_perl: Accept-Encoding: gzip, x-gzip, deflate, x-bzip2, bzip2
rlm_perl: Authorization: Bearer xxxxxxxxxxxxxxxxxxxx
rlm_perl: User-Agent: freeradius-oauth2-perl/0.2 (+https://github.com/jimdigriz/freeradius-oauth2-perl; libwww-perl/6.43)
rlm_perl: Prefer: return=minimal
rlm_perl:
rlm_perl: (no content)
rlm_perl: HTTP/1.1 200 OK
rlm_perl: Cache-Control: no-cache
rlm_perl: Date: Thu, 31 Oct 2024 03:48:33 GMT
rlm_perl: Vary: Accept-Encoding
rlm_perl: Content-Type: application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8
rlm_perl: Client-Date: Thu, 31 Oct 2024 03:48:34 GMT
rlm_perl: Client-Peer: 40.126.35.88:443
rlm_perl: Client-Request-Id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
rlm_perl: Client-Response-Num: 2
rlm_perl: Client-SSL-Cert-Issuer: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
rlm_perl: Client-SSL-Cert-Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=graph.microsoft.com
rlm_perl: Client-SSL-Cipher: TLS_AES_256_GCM_SHA384
rlm_perl: Client-SSL-Socket-Class: IO::Socket::SSL
rlm_perl: Client-SSL-Warning: Peer certificate not verified
rlm_perl: Client-Transfer-Encoding: chunked
rlm_perl: OData-Version: 4.0
rlm_perl: Preference-Applied: return=minimal
rlm_perl: Request-Id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
rlm_perl: Strict-Transport-Security: max-age=31536000
rlm_perl: X-Ms-Ags-Diagnostic: {"ServerInfo":{"DataCenter":"Southeast Asia","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"SG1PEPF00002016"}}
rlm_perl:
rlm_perl: @.**@.":"https://graph.microsoft.com/v1.0/users/delta?$skiptoken=...
rlm_perl: (+ 34694 more bytes not shown)
rlm_perl: oauth2 worker (**.com): users page
rlm_perl: GET https://graph.microsoft.com/v1.0/users/delta?$skiptoken=...
rlm_perl: Accept: application/json
rlm_perl: Accept-Encoding: gzip, x-gzip, deflate, x-bzip2, bzip2
rlm_perl: Authorization: Bearer xxxxxxxxxxxxxxxxx
rlm_perl: User-Agent: freeradius-oauth2-perl/0.2 (+https://github.com/jimdigriz/freeradius-oauth2-perl; libwww-perl/6.43)
rlm_perl: Prefer: return=minimal
rlm_perl:
rlm_perl: (no content)
rlm_perl: HTTP/1.1 200 OK
rlm_perl: Cache-Control: no-cache
rlm_perl: Date: Thu, 31 Oct 2024 03:48:34 GMT
rlm_perl: Vary: Accept-Encoding
rlm_perl: Content-Type: application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8
rlm_perl: Client-Date: Thu, 31 Oct 2024 03:48:34 GMT
rlm_perl: Client-Peer: 40.126.35.88:443
rlm_perl: Client-Request-Id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
rlm_perl: Client-Response-Num: 3
rlm_perl: Client-SSL-Cert-Issuer: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
rlm_perl: Client-SSL-Cert-Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=graph.microsoft.com
rlm_perl: Client-SSL-Cipher: TLS_AES_256_GCM_SHA384
rlm_perl: Client-SSL-Socket-Class: IO::Socket::SSL
rlm_perl: Client-SSL-Warning: Peer certificate not verified
rlm_perl: Client-Transfer-Encoding: chunked
rlm_perl: OData-Version: 4.0
rlm_perl: Preference-Applied: return=minimal
rlm_perl: Request-Id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
rlm_perl: Strict-Transport-Security: max-age=31536000
rlm_perl: X-Ms-Ags-Diagnostic: {"ServerInfo":{"DataCenter":"Southeast Asia","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"SG1PEPF00002016"}}
rlm_perl:
rlm_perl: @.**@.":"https://graph.microsoft.com/v1.0/users/delta?$skiptoken=...
rlm_perl: (+ 35858 more bytes not shown)
rlm_perl: oauth2 worker (**.com): users page
rlm_perl: GET https://graph.microsoft.com/v1.0/users/delta?$skiptoken=...
rlm_perl: Accept: application/json
rlm_perl: Accept-Encoding: gzip, x-gzip, deflate, x-bzip2, bzip2
rlm_perl: Authorization: Bearer xxxxxxxxxxxxxxxxx
rlm_perl: User-Agent: freeradius-oauth2-perl/0.2 (+https://github.com/jimdigriz/freeradius-oauth2-perl; libwww-perl/6.43)
rlm_perl: Prefer: return=minimal
rlm_perl:
rlm_perl: (no content)
rlm_perl: HTTP/1.1 200 OK
rlm_perl: Cache-Control: no-cache
rlm_perl: Date: Thu, 31 Oct 2024 03:48:34 GMT
rlm_perl: Vary: Accept-Encoding
rlm_perl: Content-Type: application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8
rlm_perl: Client-Date: Thu, 31 Oct 2024 03:48:34 GMT
rlm_perl: Client-Peer: 40.126.35.88:443
rlm_perl: Client-Request-Id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
rlm_perl: Client-Response-Num: 4
rlm_perl: Client-SSL-Cert-Issuer: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
rlm_perl: Client-SSL-Cert-Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=graph.microsoft.com
rlm_perl: Client-SSL-Cipher: TLS_AES_256_GCM_SHA384
rlm_perl: Client-SSL-Socket-Class: IO::Socket::SSL
rlm_perl: Client-SSL-Warning: Peer certificate not verified
rlm_perl: Client-Transfer-Encoding: chunked
rlm_perl: OData-Version: 4.0
rlm_perl: Preference-Applied: return=minimal
rlm_perl: Request-Id: 8f5ec50e-a5ed-43e3-9834-088ad2755753
rlm_perl: Strict-Transport-Security: max-age=31536000
rlm_perl: X-Ms-Ags-Diagnostic: {"ServerInfo":{"DataCenter":"Southeast Asia","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"SG1PEPF00002016"}}
rlm_perl:
rlm_perl: @.**@.":"https://graph.microsoft.com/v1.0/users/delta?$skiptoken=...
rlm_perl: (+ 41340 more bytes not shown)
rlm_perl: oauth2 worker (**.com): users page
rlm_perl: GET https://graph.microsoft.com/v1.0/users/delta?$skiptoken=...
rlm_perl: Accept: application/json
rlm_perl: Accept-Encoding: gzip, x-gzip, deflate, x-bzip2, bzip2
rlm_perl: Authorization: Bearer xxxxxxxxxxxxxxxx
rlm_perl: User-Agent: freeradius-oauth2-perl/0.2 (+https://github.com/jimdigriz/freeradius-oauth2-perl; libwww-perl/6.43)
rlm_perl: Prefer: return=minimal
rlm_perl:
rlm_perl: (no content)
rlm_perl: HTTP/1.1 200 OK
rlm_perl: Cache-Control: no-cache
rlm_perl: Date: Thu, 31 Oct 2024 03:48:34 GMT
rlm_perl: Vary: Accept-Encoding
rlm_perl: Content-Type: application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8
rlm_perl: Client-Date: Thu, 31 Oct 2024 03:48:35 GMT
rlm_perl: Client-Peer: 40.126.35.88:443
rlm_perl: Client-Request-Id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
rlm_perl: Client-Response-Num: 5
rlm_perl: Client-SSL-Cert-Issuer: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
rlm_perl: Client-SSL-Cert-Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=graph.microsoft.com
rlm_perl: Client-SSL-Cipher: TLS_AES_256_GCM_SHA384
rlm_perl: Client-SSL-Socket-Class: IO::Socket::SSL
rlm_perl: Client-SSL-Warning: Peer certificate not verified
rlm_perl: Client-Transfer-Encoding: chunked
rlm_perl: OData-Version: 4.0
rlm_perl: Preference-Applied: return=minimal
rlm_perl: Request-Id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
rlm_perl: Strict-Transport-Security: max-age=31536000
rlm_perl: X-Ms-Ags-Diagnostic: {"ServerInfo":{"DataCenter":"Southeast Asia","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"SG1PEPF00002016"}}
rlm_perl:
rlm_perl: @.**@.":"https://graph.microsoft.com/v1.0/users/delta?$skiptoken=...
rlm_perl: (+ 41468 more bytes not shown)
rlm_perl: oauth2 worker (**.com): users page
rlm_perl: GET https://graph.microsoft.com/v1.0/users/delta?$skiptoken=...
rlm_perl: Accept: application/json
rlm_perl: Accept-Encoding: gzip, x-gzip, deflate, x-bzip2, bzip2
rlm_perl: Authorization: Bearer xxxxxxxxxxxxxxxx
rlm_perl: User-Agent: freeradius-oauth2-perl/0.2 (+https://github.com/jimdigriz/freeradius-oauth2-perl; libwww-perl/6.43)
rlm_perl: Prefer: return=minimal
rlm_perl:
rlm_perl: (no content)
rlm_perl: HTTP/1.1 200 OK
rlm_perl: Cache-Control: no-cache
rlm_perl: Date: Thu, 31 Oct 2024 03:48:35 GMT
rlm_perl: Vary: Accept-Encoding
rlm_perl: Content-Type: application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8
rlm_perl: Client-Date: Thu, 31 Oct 2024 03:48:35 GMT
rlm_perl: Client-Peer: 40.126.35.88:443
rlm_perl: Client-Request-Id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
rlm_perl: Client-Response-Num: 6
rlm_perl: Client-SSL-Cert-Issuer: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
rlm_perl: Client-SSL-Cert-Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=graph.microsoft.com
rlm_perl: Client-SSL-Cipher: TLS_AES_256_GCM_SHA384
rlm_perl: Client-SSL-Socket-Class: IO::Socket::SSL
rlm_perl: Client-SSL-Warning: Peer certificate not verified
rlm_perl: Client-Transfer-Encoding: chunked
rlm_perl: OData-Version: 4.0
rlm_perl: Preference-Applied: return=minimal
rlm_perl: Request-Id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
rlm_perl: Strict-Transport-Security: max-age=31536000
rlm_perl: X-Ms-Ags-Diagnostic: {"ServerInfo":{"DataCenter":"Southeast Asia","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"SG1PEPF00002016"}}
rlm_perl:
rlm_perl: @.**@.":"https://graph.microsoft.com/v1.0/users/delta?$skiptoken=...
rlm_perl: (+ 41518 more bytes not shown)
rlm_perl: oauth2 worker (**.com): users page
rlm_perl: GET https://graph.microsoft.com/v1.0/users/delta?$skiptoken=...
rlm_perl: Accept: application/json
rlm_perl: Accept-Encoding: gzip, x-gzip, deflate, x-bzip2, bzip2
rlm_perl: Authorization: Bearer xxxxxxxxxxxxxxxxxxxxxx
rlm_perl: User-Agent: freeradius-oauth2-perl/0.2 (+https://github.com/jimdigriz/freeradius-oauth2-perl; libwww-perl/6.43)
rlm_perl: Prefer: return=minimal
rlm_perl:
rlm_perl: (no content)
rlm_perl: HTTP/1.1 200 OK
rlm_perl: Cache-Control: no-cache
rlm_perl: Date: Thu, 31 Oct 2024 03:48:35 GMT
rlm_perl: Vary: Accept-Encoding
rlm_perl: Content-Type: application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8
rlm_perl: Client-Date: Thu, 31 Oct 2024 03:48:35 GMT
rlm_perl: Client-Peer: 40.126.35.88:443
rlm_perl: Client-Request-Id: 9bad7198-3466-49e7-8290-a4ee43f2530c
rlm_perl: Client-Response-Num: 7
rlm_perl: Client-SSL-Cert-Issuer: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
rlm_perl: Client-SSL-Cert-Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=graph.microsoft.com
rlm_perl: Client-SSL-Cipher: TLS_AES_256_GCM_SHA384
rlm_perl: Client-SSL-Socket-Class: IO::Socket::SSL
rlm_perl: Client-SSL-Warning: Peer certificate not verified
rlm_perl: Client-Transfer-Encoding: chunked
rlm_perl: OData-Version: 4.0
rlm_perl: Preference-Applied: return=minimal
rlm_perl: Request-Id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
rlm_perl: Strict-Transport-Security: max-age=31536000
rlm_perl: X-Ms-Ags-Diagnostic: {"ServerInfo":{"DataCenter":"Southeast Asia","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"SG1PEPF00002016"}}
rlm_perl:
rlm_perl: @.**@.":"https://graph.microsoft.com/v1.0/users/delta?$skiptoken=...
rlm_perl: (+ 41345 more bytes not shown)
rlm_perl: oauth2 worker (**.com): users page
rlm_perl: GET https://graph.microsoft.com/v1.0/users/delta?$skiptoken=...
rlm_perl: Accept: application/json
rlm_perl: Accept-Encoding: gzip, x-gzip, deflate, x-bzip2, bzip2
rlm_perl: Authorization: Bearer xxxxxxxxxxxxxxxxxxx
rlm_perl: User-Agent: freeradius-oauth2-perl/0.2 (+https://github.com/jimdigriz/freeradius-oauth2-perl; libwww-perl/6.43)
rlm_perl: Prefer: return=minimal
rlm_perl:
rlm_perl: (no content)
rlm_perl: HTTP/1.1 200 OK
rlm_perl: Cache-Control: no-cache
rlm_perl: Date: Thu, 31 Oct 2024 03:48:35 GMT
rlm_perl: Vary: Accept-Encoding
rlm_perl: Content-Type: application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8
rlm_perl: Client-Date: Thu, 31 Oct 2024 03:48:36 GMT
rlm_perl: Client-Peer: 40.126.35.88:443
rlm_perl: Client-Request-Id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
rlm_perl: Client-Response-Num: 8
rlm_perl: Client-SSL-Cert-Issuer: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
rlm_perl: Client-SSL-Cert-Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=graph.microsoft.com
rlm_perl: Client-SSL-Cipher: TLS_AES_256_GCM_SHA384
rlm_perl: Client-SSL-Socket-Class: IO::Socket::SSL
rlm_perl: Client-SSL-Warning: Peer certificate not verified
rlm_perl: Client-Transfer-Encoding: chunked
rlm_perl: OData-Version: 4.0
rlm_perl: Preference-Applied: return=minimal
rlm_perl: Request-Id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
rlm_perl: Strict-Transport-Security: max-age=31536000
rlm_perl: X-Ms-Ags-Diagnostic: {"ServerInfo":{"DataCenter":"Southeast Asia","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"SG1PEPF00002016"}}
rlm_perl:
rlm_perl: @.**@.":"https://graph.microsoft.com/v1.0/users/delta?$skiptoken=...
rlm_perl: (+ 41390 more bytes not shown)
rlm_perl: oauth2 worker (**.com): users page
rlm_perl: GET https://graph.microsoft.com/v1.0/users/delta?$skiptoken=...
rlm_perl: Accept: application/json
rlm_perl: Accept-Encoding: gzip, x-gzip, deflate, x-bzip2, bzip2
rlm_perl: Authorization: Bearer xxxxxxxxxxxxxxxxxxxxx
rlm_perl: User-Agent: freeradius-oauth2-perl/0.2 (+https://github.com/jimdigriz/freeradius-oauth2-perl; libwww-perl/6.43)
rlm_perl: Prefer: return=minimal
rlm_perl:
rlm_perl: (no content)
rlm_perl: HTTP/1.1 200 OK
rlm_perl: Cache-Control: no-cache
rlm_perl: Date: Thu, 31 Oct 2024 03:48:35 GMT
rlm_perl: Vary: Accept-Encoding
rlm_perl: Content-Type: application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8
rlm_perl: Client-Date: Thu, 31 Oct 2024 03:48:36 GMT
rlm_perl: Client-Peer: 40.126.35.88:443
rlm_perl: Client-Request-Id: 2dff08fb-0873-45d8-9c1f-735bb88ffcdb
rlm_perl: Client-Response-Num: 9
rlm_perl: Client-SSL-Cert-Issuer: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
rlm_perl: Client-SSL-Cert-Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=graph.microsoft.com
rlm_perl: Client-SSL-Cipher: TLS_AES_256_GCM_SHA384
rlm_perl: Client-SSL-Socket-Class: IO::Socket::SSL
rlm_perl: Client-SSL-Warning: Peer certificate not verified
rlm_perl: Client-Transfer-Encoding: chunked
rlm_perl: OData-Version: 4.0
rlm_perl: Preference-Applied: return=minimal
rlm_perl: Request-Id: 2dff08fb-0873-45d8-9c1f-735bb88ffcdb
rlm_perl: Strict-Transport-Security: max-age=31536000
rlm_perl: X-Ms-Ags-Diagnostic: {"ServerInfo":{"DataCenter":"Southeast Asia","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"SG1PEPF00002016"}}
rlm_perl:
rlm_perl: @.**@.":"https://graph.microsoft.com/v1.0/users/delta?$skiptoken=...
rlm_perl: (+ 41379 more bytes not shown)
rlm_perl: oauth2 worker (**.com): users page
rlm_perl: GET https://graph.microsoft.com/v1.0/users/delta?$skiptoken=...
rlm_perl: Accept: application/json
rlm_perl: Accept-Encoding: gzip, x-gzip, deflate, x-bzip2, bzip2
rlm_perl: Authorization: Bearer xxxxxxxxxxxxxxxxxxxxxx
rlm_perl: User-Agent: freeradius-oauth2-perl/0.2 (+https://github.com/jimdigriz/freeradius-oauth2-perl; libwww-perl/6.43)
rlm_perl: Prefer: return=minimal
rlm_perl:
rlm_perl: (no content)
rlm_perl: HTTP/1.1 200 OK
rlm_perl: Cache-Control: no-cache
rlm_perl: Date: Thu, 31 Oct 2024 03:48:36 GMT
rlm_perl: Vary: Accept-Encoding
rlm_perl: Content-Type: application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8
rlm_perl: Client-Date: Thu, 31 Oct 2024 03:48:36 GMT
rlm_perl: Client-Peer: 40.126.35.88:443
rlm_perl: Client-Request-Id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
rlm_perl: Client-Response-Num: 10
rlm_perl: Client-SSL-Cert-Issuer: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
rlm_perl: Client-SSL-Cert-Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=graph.microsoft.com
rlm_perl: Client-SSL-Cipher: TLS_AES_256_GCM_SHA384
rlm_perl: Client-SSL-Socket-Class: IO::Socket::SSL
rlm_perl: Client-SSL-Warning: Peer certificate not verified
rlm_perl: Client-Transfer-Encoding: chunked
rlm_perl: OData-Version: 4.0
rlm_perl: Preference-Applied: return=minimal
rlm_perl: Request-Id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
rlm_perl: Strict-Transport-Security: max-age=31536000
rlm_perl: X-Ms-Ags-Diagnostic: {"ServerInfo":{"DataCenter":"Southeast Asia","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"SG1PEPF00002016"}}
rlm_perl:
rlm_perl: @.**@.":"https://graph.microsoft.com/v1.0/users/delta?$skiptoken=...
rlm_perl: (+ 41378 more bytes not shown)
rlm_perl: oauth2 worker (**.com): users page
rlm_perl: GET https://graph.microsoft.com/v1.0/users/delta?$skiptoken=...
rlm_perl: Accept: application/json
rlm_perl: Accept-Encoding: gzip, x-gzip, deflate, x-bzip2, bzip2
rlm_perl: Authorization: Bearer xxxxxxxxxxxxxxxxx
rlm_perl: User-Agent: freeradius-oauth2-perl/0.2 (+https://github.com/jimdigriz/freeradius-oauth2-perl; libwww-perl/6.43)
rlm_perl: Prefer: return=minimal
rlm_perl:
rlm_perl: (no content)
rlm_perl: HTTP/1.1 200 OK
rlm_perl: Cache-Control: no-cache
rlm_perl: Date: Thu, 31 Oct 2024 03:48:36 GMT
rlm_perl: Vary: Accept-Encoding
rlm_perl: Content-Type: application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8
rlm_perl: Client-Date: Thu, 31 Oct 2024 03:48:37 GMT
rlm_perl: Client-Peer: 40.126.35.88:443
rlm_perl: Client-Request-Id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
rlm_perl: Client-Response-Num: 11
rlm_perl: Client-SSL-Cert-Issuer: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
rlm_perl: Client-SSL-Cert-Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=graph.microsoft.com
rlm_perl: Client-SSL-Cipher: TLS_AES_256_GCM_SHA384
rlm_perl: Client-SSL-Socket-Class: IO::Socket::SSL
rlm_perl: Client-SSL-Warning: Peer certificate not verified
rlm_perl: Client-Transfer-Encoding: chunked
rlm_perl: OData-Version: 4.0
rlm_perl: Preference-Applied: return=minimal
rlm_perl: Request-Id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
rlm_perl: Strict-Transport-Security: max-age=31536000
rlm_perl: X-Ms-Ags-Diagnostic: {"ServerInfo":{"DataCenter":"Southeast Asia","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"SG1PEPF00002016"}}
rlm_perl:
rlm_perl: @.**@.":"https://graph.microsoft.com/v1.0/users/delta?$skiptoken=...
rlm_perl: (+ 38449 more bytes not shown)
rlm_perl: oauth2 worker (**.com): users page
rlm_perl: GET https://graph.microsoft.com/v1.0/users/delta?$skiptoken=...
rlm_perl: Accept: application/json
rlm_perl: Accept-Encoding: gzip, x-gzip, deflate, x-bzip2, bzip2
rlm_perl: Authorization: Bearer xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
rlm_perl: User-Agent: freeradius-oauth2-perl/0.2 (+https://github.com/jimdigriz/freeradius-oauth2-perl; libwww-perl/6.43)
rlm_perl: Prefer: return=minimal
rlm_perl:
rlm_perl: (no content)
rlm_perl: HTTP/1.1 200 OK
rlm_perl: Cache-Control: no-cache
rlm_perl: Date: Thu, 31 Oct 2024 03:48:36 GMT
rlm_perl: Vary: Accept-Encoding
rlm_perl: Content-Type: application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8
rlm_perl: Client-Date: Thu, 31 Oct 2024 03:48:37 GMT
rlm_perl: Client-Peer: 40.126.35.88:443
rlm_perl: Client-Request-Id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
rlm_perl: Client-Response-Num: 12
rlm_perl: Client-SSL-Cert-Issuer: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
rlm_perl: Client-SSL-Cert-Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=graph.microsoft.com
rlm_perl: Client-SSL-Cipher: TLS_AES_256_GCM_SHA384
rlm_perl: Client-SSL-Socket-Class: IO::Socket::SSL
rlm_perl: Client-SSL-Warning: Peer certificate not verified
rlm_perl: Client-Transfer-Encoding: chunked
rlm_perl: OData-Version: 4.0
rlm_perl: Preference-Applied: return=minimal
rlm_perl: Request-Id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
rlm_perl: Strict-Transport-Security: max-age=31536000
rlm_perl: X-Ms-Ags-Diagnostic: {"ServerInfo":{"DataCenter":"Southeast Asia","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"SG1PEPF00002016"}}
rlm_perl:
rlm_perl: @.**@.":"https://graph.microsoft.com/v1.0/users/delta?$skiptoken=...
rlm_perl: (+ 36010 more bytes not shown)
rlm_perl: oauth2 worker (**.com): users page
rlm_perl: GET https://graph.microsoft.com/v1.0/users/delta?$skiptoken=...
```

jimdigriz commented 3 weeks ago

Got to be careful: bearers are credentials, so pasting them in their entirety means the world and their dog have access to your Entra ID database (the troubleshooting section does warn that plain text credentials are displayed); hopefully only your user/group listing, but you may need to consider the impact of this.

The looping is normal, the troubleshooting section does hint that this may occur, and if you have a large number of users or group memberships it can take some time to download the lot.

After a while (it can take a minute or so) it should settle down; does it then start to work?
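The point about bearers above applies to the whole debug dump: the Authorization header, the User-Password the module echoes, and the Message-Authenticator (an HMAC keyed with the RADIUS shared secret) all show up in plain text. As an added example, not part of the project or this thread, here is a small redactor that blanks those values while keeping attribute names, so a log can be shared for troubleshooting; the sample log is constructed to mirror the lines pasted above.

```python
import re

# Constructed sample modelled on the FreeRADIUS debug output pasted above;
# the token, password and authenticator values are made up.
SAMPLE_LOG = """\
rlm_perl: Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.constructed.signature
rlm_perl: Client-SSL-Warning: Peer certificate not verified
(0) oauth2_perl: $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'Hunter2!'
(8) User-Name = "host/pc1.example.net"
(8) Message-Authenticator = 0x9754fe84720010e6d19469daf93c938f
"""

# (pattern, replacement): the attribute name survives, only the value is
# blanked, so the log stays readable for whoever is helping you debug.
REDACTIONS = [
    # OAuth2 access token sent to Microsoft Graph: a live credential.
    (re.compile(r"(Authorization:\s*Bearer\s+)\S+"), r"\1<BEARER-REDACTED>"),
    # Both the rlm_perl "-> 'value'" form and the Access-Request '= "value"' form.
    (re.compile(r"(User-Password\s*(?:->|=)\s*['\"])[^'\"]*(['\"])"), r"\1<REDACTED>\2"),
    # Message-Authenticator is derived from the NAS shared secret; no need to publish it.
    (re.compile(r"(Message-Authenticator\s*=\s*)0x[0-9a-fA-F]+"), r"\g<1>0x<REDACTED>"),
]

def redact_debug_log(text: str) -> str:
    """Return the log with bearer tokens, passwords and authenticators blanked."""
    for pattern, repl in REDACTIONS:
        text = pattern.sub(repl, text)
    return text

def leaked_secret_kinds(text: str) -> list:
    """Kinds of secret still present unredacted; an empty list means safe to paste."""
    checks = {
        "bearer": re.compile(r"Authorization:\s*Bearer\s+(?!<)\S+"),
        "password": re.compile(r"User-Password\s*(?:->|=)\s*['\"](?!<REDACTED>)[^'\"]+['\"]"),
        "authenticator": re.compile(r"Message-Authenticator\s*=\s*0x[0-9a-fA-F]+"),
    }
    return [name for name, rx in checks.items() if rx.search(text)]
```

Run `leaked_secret_kinds` on the output before pasting; the user-name, peer and TLS-warning lines survive untouched because they are what the maintainer needs to see.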

jeremytampon commented 2 weeks ago

Hi Alexander,

Thanks for the heads up. I actually sanitised the post on GitHub by deleting the private information. Since this is a proof-of-concept only, we will be deleting everything and recreating it once all our testing is done. I will let you know once the looping settles down and whether it works.

jeremytampon commented 2 weeks ago

Hi Alexander,

The looping has settled down, and upon testing the workstation received an error "Can't connect to this network". Please see the sanitized log captured below.

(8) Received Access-Request Id 1 from x.x.x.x:36620 to x.x.x.x:1812 length 446
(8) User-Name = "host/xxxxxx.xxxxxxxx.net"
(8) NAS-IP-Address = 192.168.x.x
(8) NAS-Identifier = "xx-xx-xx-xx-xx-xx"
(8) Called-Station-Id = "xx-xx-xx-xx-xx-xx:xxxxxxxx"
(8) NAS-Port-Type = Wireless-802.11
(8) Service-Type = Framed-User
(8) NAS-Port = 1
(8) Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
(8) Location-Data = 0x31305048170443656275
(8) Connect-Info = "CONNECT 802.11"
(8) Acct-Session-Id = "6728544D-0D5E1000"
(8) Acct-Multi-Session-Id = "9DE64110E6F529BF"
(8) WLAN-Pairwise-Cipher = 1027076
(8) WLAN-Group-Cipher = 1027076
(8) WLAN-AKM-Suite = 1027073
(8) Ruckus-SSID = "xxxxxxxx"
(8) Ruckus-BSSID = 0xc8848c8d5e1c
(8) Ruckus-Wlan-Id = 1032
(8) Ruckus-Location = "xxxx"
(8) Ruckus-VLAN-ID = 224
(8) Ruckus-SCG-CBlade-IP = 3232236383
(8) Ruckus-SCG-DBlade-IP = 3232298759
(8) Attr-26.25053.155 = 0x414556
(8) Ruckus-Zone-Name = "xxxxxxxx"
(8) Ruckus-Wlan-Name = "xxxxxxxx"
(8) EAP-Message = 0x02b3002701686f73742f4d4130324d454c54435046332e61626f6974697a67726f75702e6e6574
(8) Chargeable-User-Identity = 0x00
(8) Message-Authenticator = 0x9754fe84720010e6d19469daf93c938f
(8) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]@/ ) {
(8) if (&User-Name =~ /@[^@]@/ ) -> FALSE
(8) if (&User-Name =~ /../ ) {
(8) if (&User-Name =~ /../ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/)) -> FALSE
(8) if (&User-Name =~ /.$/) {
(8) if (&User-Name =~ /.$/) -> FALSE
(8) if (&User-Name =~ /@./) {
(8) if (&User-Name =~ /@./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "xxxxxx.xxxxxxxx.net", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 179 length 39
(8) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/freeradius/sites-enabled/default
(8) authenticate {
(8) eap: Peer sent packet with method EAP Identity (1)
(8) eap: Calling submodule eap_md5 to process data
(8) eap_md5: Issuing MD5 Challenge
(8) eap: Sending EAP Request (code 1) ID 180 length 22
(8) eap: EAP session adding &reply:State = 0x9d09462d9dbd42f9
(8) [eap] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) # Executing group from file /etc/freeradius/sites-enabled/default
(8) Challenge { ... } # empty sub-section is ignored
(8) Sent Access-Challenge Id 1 from x.x.x.x:1812 to x.x.x.x:36620 length 80
(8) EAP-Message = 0x01b40016041060be21de53f34fab1552c6b5cabde883
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x9d09462d9dbd42f9f5115fbfc79ec8c7
(8) Finished request

jimdigriz commented 2 weeks ago

This is not an 'oauth2' problem, this is a regular 802.1X/FreeRADIUS problem.

As per the support section you should familiarise yourself with how to do 802.1X using EAP-TTLS/PAP first before using this module. Once you get that working then you should look to add the module; so focus on static credentials in a file locally and get 802.1X with a server certificate working for you.

Good luck!
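The log posted above shows why the module never gets involved: the policy shown at the top of this thread only runs when `&Realm`, `&User-Password` and the realm's discovery URL are all present, and an outer EAP Identity round trip for a `host/...` name supplies none of them. As an added example, not code from the project or from either participant, this check reads a request's debug output and reports which of those operands are missing; the sample is constructed to mirror the posted log, and the host name and addresses in it are made up.

```python
import re

# Constructed excerpt modelled on the Access-Request debug output pasted above.
SAMPLE_REQUEST = """\
(8) Received Access-Request Id 1 from 10.0.0.2:36620 to 10.0.0.1:1812 length 446
(8) User-Name = "host/pc1.example.net"
(8) NAS-Port-Type = Wireless-802.11
(8) EAP-Message = 0x02b3002701686f7374
(8) suffix: No '@' in User-Name = "host/pc1.example.net", looking up realm NULL
(8) eap: Peer sent packet with method EAP Identity (1)
(8) eap: Calling submodule eap_md5 to process data
"""

def oauth2_preconditions(log: str) -> dict:
    """Evaluate one request's debug output against the operands of the
    oauth2.authorize condition: &Realm && &User-Password && <discovery URL>."""
    m = re.search(r'User-Name = "([^"]*)"', log)
    identity = m.group(1) if m else ""
    eap = re.search(r"Peer sent packet with method EAP ([\w-]+) \((\d+)\)", log)
    return {
        "identity": identity,
        # The suffix realm module only sets &Realm when it finds an '@' (and the
        # suffix must also be a configured realm; the '@' is the necessary first step).
        "realm": identity.rsplit("@", 1)[1] if "@" in identity else None,
        # PAP inside the EAP-TTLS tunnel is what puts a User-Password in the
        # request; an outer EAP Identity exchange never carries one.
        "has_user_password": bool(re.search(r'User-Password = "', log)),
        "eap_method": eap.group(1) if eap else None,
    }

def why_oauth2_skipped(log: str) -> list:
    """Human-readable reasons the oauth2 policy could not run for this request."""
    p = oauth2_preconditions(log)
    reasons = []
    if p["realm"] is None:
        reasons.append(f"no '@' in User-Name {p['identity']!r}, so &Realm is unset")
    if not p["has_user_password"]:
        reasons.append("no User-Password in the request (PAP inside EAP-TTLS supplies it)")
    if p["eap_method"] == "Identity":
        reasons.append("still in the outer EAP Identity exchange, not the TTLS inner tunnel")
    return reasons
```

An empty list from `why_oauth2_skipped` on the inner-tunnel request is the point at which the oauth2 policy can start to matter; until then the fix is in the 802.1X configuration, as the comment above says.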

jeremytampon commented 2 weeks ago

Hi Alexander,

I would just like to ask if you have ever had a customer that uses something similar to this setup: 802.1X using EAP-TTLS/PAP --> FreeRADIUS --> Azure AD auth.

On Mon, Nov 4, 2024 at 7:54 PM Alexander Clouter @.***> wrote:

This is not a 'oauth2' problem, this is a regular 802.1X/FreeRADIUS problem.

As per the support section https://github.com/jimdigriz/freeradius-oauth2-perl/blob/master/README.md#support you should familiarise yourself with how to do 802.1X using EAP-TTLS/PAP first before using this module. Once you get that working then you should look to add the module; so focus on static credentials in a file locally and get 802.1X with a server certificate working for you.

Good luck!


jimdigriz commented 2 weeks ago

I would just like to ask if you have ever had a customer that uses something similar to this setup: 802.1X using EAP-TTLS/PAP --> FreeRADIUS --> Azure AD auth.

Yes. As a recent example, I helped an organisation run a multi-tenant deployment of this to service their clients. They were an IT services outfit.

I have helped a few others over the years do this too. Many have managed to get it working themselves; in one instance I heard of, there was a global deployment with >10k users.

Maybe on a related note, I am actively working on an Azure Marketplace solution that Just Works(tm). I was hoping to have published it for private preview at the end of Q3; it looks like this is more likely going to be 2025 Q1.

jimdigriz commented 2 weeks ago

Going to close this issue as it looks to be a generic 802.1X configuration problem; do open a new issue if you stumble into something oauth2 related.