Hello Thomas,
you are using PPP on the port 1812.
If there is no calling-station-id attribute then it suppose that it's
for cli access.
May i ask you what sort of setup you try to achieve ?
Regards
Fabrice Durand
Le 2017-02-13 à 08:42, Thomas Massip a écrit :
> Hi all,
>
> I actually use FreeRADIUS Version 3.0.13 with PacketFence
>
> and I have an issue when I try the rlm_rest.
>
> If somoene Know why I have this issue :
>
> rest: ERROR: Server returned:
> (0) rest: ERROR: {"Reply-Message":"PacketFence does not support this
> switch for read/write access
> login","reply:PacketFence-Authorization-Status":"allow"}
>
> This is my output radius -x :
>
> 0) Received Access-Request Id 10 from 192.168.10.14:1812 to
> 192.168.10.22:1812 length 122
> (0) User-Name = "UserTest"
> (0) User-Password = "p@55word"
> (0) Service-Type = Framed-User
> (0) Framed-Protocol = PPP
> (0) NAS-Identifier = "las1.albari"
> (0) NAS-Port-Type = Ethernet
> (0) Acct-Session-Id = "las1.al00000000000000da6bb650001055"
> (0) NAS-IP-Address = 192.168.10.14
> (0) # Executing section authorize from file
> /usr/local/pf/raddb/sites-enabled/packetfence
> (0) authorize {
> (0) update {
> (0) EXPAND %{Packet-Src-IP-Address}
> (0) --> 192.168.10.14
> (0) &request:FreeRADIUS-Client-IP-Address := 192.168.10.14
> (0) &control:PacketFence-RPC-Server = 127.0.0.1
> (0) &control:PacketFence-RPC-Port = 7070
> (0) &control:PacketFence-RPC-User =
> (0) &control:PacketFence-RPC-Pass =
> (0) &control:PacketFence-RPC-Proto = http
> (0) EXPAND %l
> (0) --> 1486992205
> (0) &control:Tmp-Integer-0 := 1486992205
> (0) &control:PacketFence-Request-Time := 0
> (0) } # update = noop
> (0) policy rewrite_calling_station_id {
> (0) if (&Calling-Station-Id && (&Calling-Station-Id =~
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
> {
> (0) if (&Calling-Station-Id && (&Calling-Station-Id =~
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
> -> FALSE
> (0) else {
> (0) [noop] = noop
> (0) } # else = noop
> (0) } # policy rewrite_calling_station_id = noop
> (0) policy rewrite_called_station_id {
> (0) if ((&Called-Station-Id) && (&Called-Station-Id =~
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
> {
> (0) if ((&Called-Station-Id) && (&Called-Station-Id =~
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
> -> FALSE
> (0) else {
> (0) [noop] = noop
> (0) } # else = noop
> (0) } # policy rewrite_called_station_id = noop
> (0) policy filter_username {
> (0) if (&User-Name) {
> (0) if (&User-Name) -> TRUE
> (0) if (&User-Name) {
> (0) if (&User-Name =~ / /) {
> (0) if (&User-Name =~ / /) -> FALSE
> (0) if (&User-Name =~ /@[^@]*@/ ) {
> (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (0) if (&User-Name =~ /\.\./ ) {
> (0) if (&User-Name =~ /\.\./ ) -> FALSE
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (0) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/)) -> FALSE
> (0) if (&User-Name =~ /\.$/) {
> (0) if (&User-Name =~ /\.$/) -> FALSE
> (0) if (&User-Name =~ /@\./) {
> (0) if (&User-Name =~ /@\./) -> FALSE
> (0) } # if (&User-Name) = noop
> (0) } # policy filter_username = noop
> (0) policy filter_password {
> (0) if (&User-Password && (&User-Password !=
> "%{string:User-Password}")) {
> (0) EXPAND %{string:User-Password}
> (0) --> p@55word
> (0) if (&User-Password && (&User-Password !=
> "%{string:User-Password}")) -> FALSE
> (0) } # policy filter_password = noop
> (0) [preprocess] = ok
> (0) suffix: Checking for suffix after "@"
> (0) suffix: No '@' in User-Name = "UserTest", skipping NULL due to
> config.
> (0) [suffix] = noop
> (0) ntdomain: Checking for prefix before "\"
> (0) ntdomain: No '\' in User-Name = "UserTest", looking up realm NULL
> (0) ntdomain: Found realm "null"
> (0) ntdomain: Adding Stripped-User-Name = "UserTest"
> (0) ntdomain: Adding Realm = "null"
> (0) ntdomain: Authentication realm is LOCAL
> (0) [ntdomain] = ok
> (0) eap: No EAP-Message, not doing EAP
> (0) [eap] = noop
> (0) if ( !EAP-Message ) {
> (0) if ( !EAP-Message ) -> TRUE
> (0) if ( !EAP-Message ) {
> (0) update {
> (0) &control:Auth-Type := Accept
> (0) } # update = noop
> (0) } # if ( !EAP-Message ) = noop
> (0) policy packetfence-eap-mac-policy {
> (0) if ( &EAP-Type ) {
> (0) if ( &EAP-Type ) -> FALSE
> (0) [noop] = noop
> (0) } # policy packetfence-eap-mac-policy = noop
> (0) pap: WARNING:
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> (0) pap: WARNING: !!! Ignoring control:User-Password. Update
> your !!!
> (0) pap: WARNING: !!! configuration so that the "known good" clear
> text !!!
> (0) pap: WARNING: !!! password is in Cleartext-Password and NOT
> in !!!
> (0) pap: WARNING: !!!
> User-Password. !!!
> (0) pap: WARNING:
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> (0) pap: WARNING: Auth-Type already set. Not setting to PAP
> (0) [pap] = noop
> (0) } # authorize = ok
> (0) Found Auth-Type = Accept
> (0) Auth-Type = Accept, accepting the user
> (0) # Executing section post-auth from file
> /usr/local/pf/raddb/sites-enabled/packetfence
> (0) post-auth {
> (0) update {
> (0) EXPAND %{Packet-Src-IP-Address}
> (0) --> 192.168.10.14
> (0) &request:FreeRADIUS-Client-IP-Address := 192.168.10.14
> (0) &control:PacketFence-RPC-Server = 127.0.0.1
> (0) &control:PacketFence-RPC-Port = 7070
> (0) &control:PacketFence-RPC-User =
> (0) &control:PacketFence-RPC-Pass =
> (0) &control:PacketFence-RPC-Proto = http
> (0) } # update = noop
> (0) if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) {
> (0) if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) )
> -> TRUE
> (0) if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) {
> rlm_rest (rest): Closing connection (0): Hit idle_timeout, was idle
> for 282 seconds
> rlm_rest (rest): Closing connection (1): Hit idle_timeout, was idle
> for 282 seconds
> rlm_rest (rest): Closing connection (2): Hit idle_timeout, was idle
> for 282 seconds
> rlm_rest (rest): You probably need to lower "min"
> rlm_rest (rest): Closing connection (3): Hit idle_timeout, was idle
> for 282 seconds
> rlm_rest (rest): You probably need to lower "min"
> rlm_rest (rest): Closing connection (4): Hit idle_timeout, was idle
> for 282 seconds
> rlm_rest (rest): You probably need to lower "min"
> rlm_rest (rest): 0 of 0 connections in use. You may need to increase
> "spare"
> rlm_rest (rest): Opening additional connection (5), 1 of 64 pending
> slots used
> rlm_rest (rest): Connecting to "http://127.0.0.1:7070/";
> rlm_rest (rest): Reserved connection (5)
> (0) rest: Expanding URI components
> (0) rest: EXPAND http://127.0.0.1:7070
> (0) rest: --> http://127.0.0.1:7070
> (0) rest: EXPAND //radius/rest/authorize
> (0) rest: --> //radius/rest/authorize
> (0) rest: Sending HTTP POST to
> "http://127.0.0.1:7070//radius/rest/authorize";
> (0) rest: Encoding attribute "User-Name"
> (0) rest: Encoding attribute "User-Password"
> (0) rest: Encoding attribute "NAS-IP-Address"
> (0) rest: Encoding attribute "Service-Type"
> (0) rest: Encoding attribute "Framed-Protocol"
> (0) rest: Encoding attribute "NAS-Identifier"
> (0) rest: Encoding attribute "NAS-Port-Type"
> (0) rest: Encoding attribute "Acct-Session-Id"
> (0) rest: Encoding attribute "Event-Timestamp"
> (0) rest: Encoding attribute "Stripped-User-Name"
> (0) rest: Encoding attribute "Realm"
> (0) rest: Encoding attribute "FreeRADIUS-Client-IP-Address"
> (0) rest: Processing response header
> (0) rest: Status : 401 (Unauthorized)
> (0) rest: Type : json (application/json)
> (0) rest: ERROR: Server returned:
> (0) rest: ERROR: {"Reply-Message":"PacketFence does not support this
> switch for read/write access
> login","reply:PacketFence-Authorization-Status":"allow"}
> rlm_rest (rest): Released connection (5)
> rlm_rest (rest): Need 2 more connections to reach 10 spares
> rlm_rest (rest): Opening additional connection (6), 1 of 63 pending
> slots used
> rlm_rest (rest): Connecting to "http://127.0.0.1:7070/";
> (0) [rest] = invalid
> (0) } # if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP)
> ) = invalid
> (0) } # post-auth = invalid
> (0) Using Post-Auth-Type Reject
> (0) # Executing group from file
> /usr/local/pf/raddb/sites-enabled/packetfence
> (0) Post-Auth-Type REJECT {
> (0) if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) {
> (0) if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) )
> -> TRUE
> (0) if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) {
> (0) policy packetfence-audit-log-reject {
> (0) if (&User-Name != "dummy") {
> (0) if (&User-Name != "dummy") -> TRUE
> (0) if (&User-Name != "dummy") {
> (0) policy request-timing {
> (0) if (control:PacketFence-Request-Time != 0) {
> (0) if (control:PacketFence-Request-Time != 0) -> FALSE
> (0) } # policy request-timing = noop
> (0) sql_reject: EXPAND type.reject.query
> (0) sql_reject: --> type.reject.query
> (0) sql_reject: Using query template 'query'
> rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for
> 282 seconds
> rlm_sql_mysql: Socket destructor called, closing socket
> rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for
> 282 seconds
> rlm_sql_mysql: Socket destructor called, closing socket
> rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for
> 282 seconds
> rlm_sql_mysql: Socket destructor called, closing socket
> rlm_sql (sql): Closing connection (4): Hit idle_timeout, was idle for
> 282 seconds
> rlm_sql (sql): You probably need to lower "min"
> rlm_sql_mysql: Socket destructor called, closing socket
> rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for
> 282 seconds
> rlm_sql (sql): You probably need to lower "min"
> rlm_sql_mysql: Socket destructor called, closing socket
> rlm_sql (sql): Closing connection (5): Hit idle_timeout, was idle for
> 282 seconds
> rlm_sql (sql): You probably need to lower "min"
> rlm_sql_mysql: Socket destructor called, closing socket
> rlm_sql (sql): 0 of 0 connections in use. You may need to increase
> "spare"
> rlm_sql (sql): Opening additional connection (6), 1 of 64 pending
> slots used
> rlm_sql_mysql: Starting connect to MySQL server
> rlm_sql_mysql: Connected to database 'pf' on Localhost via UNIX
> socket, server version 5.5.52-MariaDB, protocol version 10
> rlm_sql (sql): Reserved connection (6)
> (0) sql_reject: EXPAND %{User-Name}
> (0) sql_reject: --> UserTest
> (0) sql_reject: SQL-User-Name set to 'UserTest'
> (0) sql_reject: EXPAND INSERT INTO radius_audit_log (
> mac, ip, computer_name, user_name, stripped_user_name, realm,
> event_type, switch_id, switch_mac, switch_ip_address,
> radius_source_ip_address, called_station_id,
> calling_station_id, nas_port_type, ssid,
> nas_port_id, ifindex, nas_port,
> connection_type, nas_ip_address, nas_identifier,
> auth_status, reason, auth_type,
> eap_type, role, node_status, profile, source, auto_reg,
> is_phone, pf_domain, uuid,
> radius_request, radius_reply,
> request_time) VALUES (
> '%{request:Calling-Station-Id}', '%{request:Framed-IP-Address}',
> '%{%{control:PacketFence-Computer-Name}:-N/A}',
> '%{request:User-Name}', '%{request:Stripped-User-Name}',
> '%{request:Realm}', 'Radius-Access-Request',
> '%{%{control:PacketFence-Switch-Id}:-N/A}',
> '%{%{control:PacketFence-Switch-Mac}:-N/A}',
> '%{%{control:PacketFence-Switch-Ip-Address}:-N/A}',
> '%{Packet-Src-IP-Address}', '%{request:Called-Station-Id}',
> '%{request:Calling-Station-Id}', '%{request:NAS-Port-Type}',
> '%{request:Called-Station-SSID}', '%{request:NAS-Port-Id}',
> '%{%{control:PacketFence-IfIndex}:-N/A}', '%{request:NAS-Port}',
> '%{%{control:PacketFence-Connection-Type}:-N/A}',
> '%{request:NAS-IP-Address}', '%{request:NAS-Identifier}',
> 'Reject', '%{request:Module-Failure-Message}',
> '%{control:Auth-Type}', '%{request:EAP-Type}',
> '%{%{control:PacketFence-Role}:-N/A}',
> '%{%{control:PacketFence-Status}:-N/A}',
> '%{%{control:PacketFence-Profile}:-N/A}',
> '%{%{control:PacketFence-Source}:-N/A}',
> '%{%{control:PacketFence-AutoReg}:-N/A}',
> '%{%{control:PacketFence-IsPhone}:-N/A}',
> '%{request:PacketFence-Domain}', '',
> '%{pairs:&request:[*]}','%{pairs:&reply:[*]}',
> '%{%{control:PacketFence-Request-Time}:-N/A}')
> (0) sql_reject: --> INSERT INTO radius_audit_log ( mac, ip,
> computer_name, user_name, stripped_user_name, realm,
> event_type, switch_id, switch_mac, switch_ip_address,
> radius_source_ip_address, called_station_id,
> calling_station_id, nas_port_type, ssid,
> nas_port_id, ifindex, nas_port,
> connection_type, nas_ip_address, nas_identifier,
> auth_status, reason, auth_type,
> eap_type, role, node_status, profile, source, auto_reg,
> is_phone, pf_domain, uuid,
> radius_request, radius_reply,
> request_time) VALUES ( '', '', 'N/A',
> 'UserTest', 'UserTest', 'null',
> 'Radius-Access-Request', 'N/A', 'N/A',
> 'N/A', '192.168.10.14', '', '', 'Ethernet', '',
> '', 'N/A', '', 'N/A', '192.168.10.14', 'las1.albari',
> 'Reject', 'rest: Server returned:', 'Accept',
> '', 'N/A', 'N/A', 'N/A', 'N/A', 'N/A',
> 'N/A', '', '', 'User-Name =3D =22UserTest=22=2C
> User-Password =3D =22p@55word=22=2C NAS-IP-Address =3D
> 192.168.10.14=2C Service-Type =3D Framed-User=2C Framed-Protocol =3D
> PPP=2C NAS-Identifier =3D =22las1.albari=22=2C NAS-Port-Type =3D
> Ethernet=2C Acct-Session-Id =3D
> =22las1.al00000000000000da6bb650001055=22=2C Event-Timestamp =3D
> =22févr. 13 2017 14:23:25 CET=22=2C Stripped-User-Name =3D
> =22UserTest=22=2C Realm =3D =22null=22=2C FreeRADIUS-Client-IP-Address
> =3D 192.168.10.14=2C Module-Failure-Message =3D =22rest: Server
> returned:=22=2C Module-Failure-Message =3D =22rest:
> =7B=5C=22Reply-Message=5C=22:=5C=22PacketFence does not support this
> switch for read/write access
> login=5C=22=2C=5C=22reply:PacketFence-Authorization-Status=5C=22:=5C=22allow=5C=22=7D=22=2C
> SQL-User-Name =3D =22UserTest=22','', '0')
> (0) sql_reject: Executing query: INSERT INTO
> radius_audit_log ( mac, ip, computer_name,
> user_name, stripped_user_name, realm,
> event_type, switch_id, switch_mac,
> switch_ip_address, radius_source_ip_address,
> called_station_id, calling_station_id, nas_port_type,
> ssid, nas_port_id, ifindex, nas_port,
> connection_type, nas_ip_address, nas_identifier,
> auth_status, reason, auth_type,
> eap_type, role, node_status, profile, source, auto_reg,
> is_phone, pf_domain, uuid,
> radius_request, radius_reply,
> request_time) VALUES ( '', '', 'N/A',
> 'UserTest', 'UserTest', 'null',
> 'Radius-Access-Request', 'N/A', 'N/A',
> 'N/A', '192.168.10.14', '', '', 'Ethernet', '',
> '', 'N/A', '', 'N/A', '192.168.10.14', 'las1.albari',
> 'Reject', 'rest: Server returned:', 'Accept',
> '', 'N/A', 'N/A', 'N/A', 'N/A', 'N/A',
> 'N/A', '', '', 'User-Name =3D =22UserTest=22=2C
> User-Password =3D =22p@55word=22=2C NAS-IP-Address =3D
> 192.168.10.14=2C Service-Type =3D Framed-User=2C Framed-Protocol =3D
> PPP=2C NAS-Identifier =3D =22las1.albari=22=2C NAS-Port-Type =3D
> Ethernet=2C Acct-Session-Id =3D
> =22las1.al00000000000000da6bb650001055=22=2C Event-Timestamp =3D
> =22févr. 13 2017 14:23:25 CET=22=2C Stripped-User-Name =3D
> =22UserTest=22=2C Realm =3D =22null=22=2C FreeRADIUS-Client-IP-Address
> =3D 192.168.10.14=2C Module-Failure-Message =3D =22rest: Server
> returned:=22=2C Module-Failure-Message =3D =22rest:
> =7B=5C=22Reply-Message=5C=22:=5C=22PacketFence does not support this
> switch for read/write access
> login=5C=22=2C=5C=22reply:PacketFence-Authorization-Status=5C=22:=5C=22allow=5C=22=7D=22=2C
> SQL-User-Name =3D =22UserTest=22','', '0')
> (0) sql_reject: SQL query returned: success
> (0) sql_reject: 1 record(s) updated
> rlm_sql (sql): Released connection (6)
> rlm_sql (sql): Need 2 more connections to reach 10 spares
> rlm_sql (sql): Opening additional connection (7), 1 of 63 pending
> slots used
> rlm_sql_mysql: Starting connect to MySQL server
> rlm_sql_mysql: Connected to database 'pf' on Localhost via UNIX
> socket, server version 5.5.52-MariaDB, protocol version 10
> (0) [sql_reject] = ok
> (0) } # if (&User-Name != "dummy") = ok
> (0) } # policy packetfence-audit-log-reject = ok
> (0) } # if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP)
> ) = ok
> (0) attr_filter.access_reject: EXPAND %{User-Name}
> (0) attr_filter.access_reject: --> UserTest
> (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (0) [attr_filter.access_reject] = updated
> (0) attr_filter.packetfence_post_auth: EXPAND %{User-Name}
> (0) attr_filter.packetfence_post_auth: --> UserTest
> (0) attr_filter.packetfence_post_auth: Matched entry DEFAULT at line 10
> (0) [attr_filter.packetfence_post_auth] = updated
> (0) [eap] = noop
> (0) policy remove_reply_message_if_eap {
> (0) if (&reply:EAP-Message && &reply:Reply-Message) {
> (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (0) else {
> (0) [noop] = noop
> (0) } # else = noop
> (0) } # policy remove_reply_message_if_eap = noop
> (0) linelog: EXPAND messages.%{%{reply:Packet-Type}:-default}
> (0) linelog: --> messages.Access-Accept
> (0) linelog: EXPAND %t : [mac:%{Calling-Station-Id}] Accepted user:
> %{reply:User-Name} and returned VLAN %{reply:Tunnel-Private-Group-ID}
> (0) linelog: --> Mon Feb 13 14:23:25 2017 : [mac:] Accepted user:
> and returned VLAN
> (0) linelog: EXPAND /usr/local/pf/logs/radius.log
> (0) linelog: --> /usr/local/pf/logs/radius.log
> (0) [linelog] = ok
> (0) } # Post-Auth-Type REJECT = updated
> (0) Rejected in post-auth: [UserTest] (from client 192.168.10.0/24
> port 0)
> (0) Delaying response for 1.000000 seconds
> Waking up in 0.1 seconds.
> Waking up in 0.8 seconds.
> (0) Sending delayed response
> (0) Sent Access-Reject Id 10 from 192.168.10.22:1812 to
> 192.168.10.14:1812 length 20
> Waking up in 3.9 seconds.
> (0) Cleaning up request packet ID 10 with timestamp +282
> Ready to process requests
>
> Thanks for ur help
>
> Best regards
> --
> Thomas MASSIP - Ingenieur Réseau
> SAEM e-tera
> 46 rue Sere de rivieres 81000 ALBI
>
> email: [email protected]
> Tel: 0531813080
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
