Re: [openwisp] Openwisp-Radius logs 'Token authentication failed' with correct UUID + Token
Thanks for this - totally missed it when glancing over and comparing the configuration file. After removing the ampersand it started working immediately.

I am 90% sure that I've copied the line from one of the docs and exchanged the uuid and token, but couldn't find said doc just yet. I'll look through them when I have time later this week. I can create a pull request in case I find it if you wish.

On Tuesday, November 23, 2021 at 6:53:28 PM UTC+1 f.capoano wrote:

> First thing that comes to my eyes is the following:
>
> Authorization: Bearer 2463f97d-bd0e-4c29-9ccc-f845c96571d1 & 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd
>
> Our docs say:
> <https://openwisp-radius.readthedocs.io/en/latest/user/api.html#bearer-token>
>
> Authorization: Bearer
>
> In your case it seems to me that it's instead:
>
> Authorization: Bearer &
>
> Did you come up with your ampersand on your own or is it something you see anywhere in the docs? If you see it anywhere please let me know so I can fix it because it's not right.
>
> I think it should be:
>
> Authorization: Bearer 2463f97d-bd0e-4c29-9ccc-f845c96571d1 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd
>
> Ensure the token is the organization radius settings token and not the openwisp controller shared secret, instructions on how to find these values are described here:
>
> https://openwisp-radius.readthedocs.io/en/latest/user/api.html#organization-uuid-token
>
> I hope this helps.
>
> Best regards
> Federico Capoano
>
> On Tue, Nov 23, 2021 at 4:18 AM Filip Waluda wrote:
>
>> As per Gitter, here is the part of freeradius -X output as well as the configuration files for the mods and sites:
>>
>> *freeradius -X:*
>>
>> (0) Received Access-Request Id 203 from {PUBLIC-IP-OF-CLIENT}:50130 to 192.168.105.97:1812 length 79
>> (0) Service-Type = Authenticate-Only
>> (0) User-Name = "TestUser"
>> (0) User-Password = "TestPassword123_"
>> (0) NAS-Port-Type = Wireless-802.11
>> (0) NAS-Identifier = "firewallH23"
>> (0) NAS-Port = 0
>> (0) NAS-IP-Address = {PUBLIC-IP-OF-CLIENT}
>> (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/openwisp_site
>> (0) authorize {
>> (0) update control {
>> (0) &REST-HTTP-Header += "Authorization: Bearer 2463f97d-bd0e-4c29-9ccc-f845c96571d1 & 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd"
>> (0) } # update control = noop
>> rlm_rest (rest): Reserved connection (0)
>> (0) rest: Expanding URI components
>> (0) rest: EXPAND https://radius.domainplaceholder.de
>> (0) rest: --> https://radius.domainplaceholder.de
>> (0) rest: EXPAND /api/v1/freeradius/authorize/
>> (0) rest: --> /api/v1/freeradius/authorize/
>> (0) rest: Sending HTTP POST to "https://radius.domainplaceholder.de/api/v1/freeradius/authorize/"
>> (0) rest: EXPAND {"username": "%{User-Name}", "password": "%{User-Password}"}
>> (0) rest: --> {"username": "TestUser", "password": "TestPassword123_"}
>> (0) rest: Processing response header
>> (0) rest: Status : 403 (Forbidden)
>> (0) rest: Type : json (application/json)
>> (0) rest: ERROR: Server returned:
>> (0) rest: ERROR: {"detail":"Token authentication failed"}
>> rlm_rest (rest): Released connection (0)
>> (0) [rest] = userlock
>> (0) } # authorize = userlock
>> (0) Invalid user (rest: Server returned:): [TestUser] (from client firewallH23 port 0)
>> (0) Using Post-Auth-Type Reject
>> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/openwisp_site
>> (0) Post-Auth-Type REJECT {
>> (0) update control {
>> (0) &REST-Http-Header += "Authorization: Bearer 2463f97d-bd0e-4c29-9ccc-f845c96571d1 & 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd"
>> (0) } # update control = noop
>> rlm_rest (rest): Reserved connection (1)
>> (0) rest: Expanding URI components
>> (0) rest: EXPAND https://radius.domainplaceholder.de
>> (0) rest: --> https://radius.domainplaceholder.de
>> (0) rest: EXPAND /api/v1/freeradius/postauth/
>> (0) rest: --> /api/v1/freeradius/postauth/
>> (0) rest: Sending HTTP POST to "https://radius.domainplaceholder.de/api/v1/freeradius/postauth/"
>> (0) rest: EXPAND {"username": "%{User-Name}", "password": "%{User-Password}", "reply": "%{reply:Pac
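
Added example (not part of the original thread and not OpenWISP's or FreeRADIUS's own code): a Python check for the mistake resolved in the message above. It scans `freeradius -X` lines or site-file lines for a REST-HTTP-Header Authorization value that is not exactly `Bearer`, an organization UUID and a token. The sample lines, the placeholder UUID and token, and all function names are constructed for illustration; the token is redacted in the report because debug output carries it in clear text.

```python
import re

# The attribute name is matched case-insensitively because the debug output
# in this thread shows both REST-HTTP-Header and REST-Http-Header.
HEADER_RE = re.compile(
    r'&?REST-HTTP-Header\s*\+?=\s*"Authorization:\s*(?P<value>[^"]*)"',
    re.IGNORECASE,
)
UUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def check_value(value):
    """Return a list of problems found in one Authorization header value."""
    parts = value.split()
    if not parts or parts[0] != "Bearer":
        return ["scheme is not 'Bearer'"]
    fields = parts[1:]
    problems = []
    if len(fields) != 2:
        problems.append(f"expected 2 fields after 'Bearer', found {len(fields)}")
    # A field made only of punctuation (such as '&') is a stray separator.
    stray = [f for f in fields if re.fullmatch(r"\W+", f)]
    if stray:
        problems.append("stray separator(s): " + " ".join(stray))
    if fields and not UUID_RE.fullmatch(fields[0]):
        problems.append("first field is not a UUID")
    return problems


def redact(value):
    """Keep the scheme, UUIDs and separators; hide anything that may be a token."""
    out = []
    for i, field in enumerate(value.split()):
        keep = i == 0 or UUID_RE.fullmatch(field) or re.fullmatch(r"\W+", field)
        out.append(field if keep else "<redacted>")
    return " ".join(out)


def scan(lines):
    """Return (line number, redacted value, problems) for each bad header."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = HEADER_RE.search(line)
        if match:
            problems = check_value(match.group("value"))
            if problems:
                findings.append((lineno, redact(match.group("value")), problems))
    return findings


# Constructed sample lines modelled on the debug output in this thread;
# the UUID and token are placeholders, not real credentials.
SAMPLE = [
    '(0) &REST-HTTP-Header += "Authorization: Bearer '
    '00000000-0000-4000-8000-000000000000 & EXAMPLETOKEN0123456789"',
    '(0) &REST-Http-Header += "Authorization: Bearer '
    '00000000-0000-4000-8000-000000000000 EXAMPLETOKEN0123456789"',
    "(0) rest: Status : 403 (Forbidden)",
]

if __name__ == "__main__":
    for lineno, value, problems in scan(SAMPLE):
        print(f"line {lineno}: {value}: {'; '.join(problems)}")
```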
[openwisp] ansible-openwisp2 / openwisp-radius 'Token authentication failed' with correct UUID & Org. Token
As talked about in Gitter. Config files & debug output have been uploaded here: https://github.com/walunk/openwisp-radius-config
[openwisp] Openwisp-Radius logs 'Token authentication failed' with correct UUID + Token
As per Gitter, here is the part of freeradius -X output as well as the configuration files for the mods and sites:

*freeradius -X:*

(0) Received Access-Request Id 203 from {PUBLIC-IP-OF-CLIENT}:50130 to 192.168.105.97:1812 length 79
(0) Service-Type = Authenticate-Only
(0) User-Name = "TestUser"
(0) User-Password = "TestPassword123_"
(0) NAS-Port-Type = Wireless-802.11
(0) NAS-Identifier = "firewallH23"
(0) NAS-Port = 0
(0) NAS-IP-Address = {PUBLIC-IP-OF-CLIENT}
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/openwisp_site
(0) authorize {
(0) update control {
(0) &REST-HTTP-Header += "Authorization: Bearer 2463f97d-bd0e-4c29-9ccc-f845c96571d1 & 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd"
(0) } # update control = noop
rlm_rest (rest): Reserved connection (0)
(0) rest: Expanding URI components
(0) rest: EXPAND https://radius.domainplaceholder.de
(0) rest: --> https://radius.domainplaceholder.de
(0) rest: EXPAND /api/v1/freeradius/authorize/
(0) rest: --> /api/v1/freeradius/authorize/
(0) rest: Sending HTTP POST to "https://radius.domainplaceholder.de/api/v1/freeradius/authorize/"
(0) rest: EXPAND {"username": "%{User-Name}", "password": "%{User-Password}"}
(0) rest: --> {"username": "TestUser", "password": "TestPassword123_"}
(0) rest: Processing response header
(0) rest: Status : 403 (Forbidden)
(0) rest: Type : json (application/json)
(0) rest: ERROR: Server returned:
(0) rest: ERROR: {"detail":"Token authentication failed"}
rlm_rest (rest): Released connection (0)
(0) [rest] = userlock
(0) } # authorize = userlock
(0) Invalid user (rest: Server returned:): [TestUser] (from client firewallH23 port 0)
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/openwisp_site
(0) Post-Auth-Type REJECT {
(0) update control {
(0) &REST-Http-Header += "Authorization: Bearer 2463f97d-bd0e-4c29-9ccc-f845c96571d1 & 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd"
(0) } # update control = noop
rlm_rest (rest): Reserved connection (1)
(0) rest: Expanding URI components
(0) rest: EXPAND https://radius.domainplaceholder.de
(0) rest: --> https://radius.domainplaceholder.de
(0) rest: EXPAND /api/v1/freeradius/postauth/
(0) rest: --> /api/v1/freeradius/postauth/
(0) rest: Sending HTTP POST to "https://radius.domainplaceholder.de/api/v1/freeradius/postauth/"
(0) rest: EXPAND {"username": "%{User-Name}", "password": "%{User-Password}", "reply": "%{reply:Packet-Type}", "called_station_id": "%{Called-Station-ID}", "calling_station_id": "%{Calling-Station-ID}"}
(0) rest: --> {"username": "TestUser", "password": "TestPassword123_", "reply": "Access-Reject", "called_station_id": "", "calling_station_id": ""}
(0) rest: Processing response header
(0) rest: Status : 403 (Forbidden)
(0) rest: Type : json (application/json)
(0) rest: ERROR: Server returned:
(0) rest: ERROR: {"detail":"Token authentication failed"}
rlm_rest (rest): Released connection (1)
(0) [rest] = invalid
(0) } # Post-Auth-Type REJECT = invalid
(0) Delaying response for 1.00 seconds
Waking up in 0.1 seconds.
Waking up in 0.8 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 203 from 192.168.105.97:1812 to {PUBLIC-IP-OF-CLIENT}:50130 length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 203 with timestamp +48
Ready to process requests

*mods-enabled\rest:*

rest {
    tls = {}
    connect_uri = "https://radius.domainplaceholder.de/api/v1/freeradius"
    authorize {
        uri = "${..connect_uri}/authorize/"
        method = 'post'
        body = 'json'
        data = '{"username": "%{User-Name}", "password": "%{User-Password}"}'
        tls = ${..tls}
    }
    # this section can be left empty
    authenticate {}
    post-auth {
        uri = "${..connect_uri}/postauth/"
        method = 'post'
        body = 'json'
        data = '{"username": "%{User-Name}", "password": "%{User-Password}", "reply": "%{reply:Packet-Type}", "called_station_id": "%{Called-Station-ID}", "calling_station_id": "%{Calling-Station-ID}"}'
        tls = ${..tls}
    }
    accounting {
        uri = "${..connect_uri}/accounting/"
        method = 'post'
        body = 'json'
        data = '{"status_type": "%{Acct-Status-Type}", "session_id": "%{Acct-Session-Id}", "unique_id": "%{Acct-Unique-Session-Id}", "username": "%{User-Name}", "realm": "%{Realm}", "nas_ip_address": "%{NAS-IP-Address}", "nas_port_id": "%{NAS-Port}", "nas_port_type": "%{NAS-Port-Type}", "session_time": "%{Acct-Session-Time}", "authentication": "%{Acct-Authentic}", "input_octets": "%{Acct-Input-Octets}", "output_octets": "%{Acct-Output-Octets}", "called_station_id": "%{Called-Station-Id}", "calling_station_id": "%{Calling-Station-Id}", "terminate_cause": "%{Acct-Terminate-Cause}", "service_type": "%{Service-Type}", "framed_protocol": "%{Framed-Protocol}", "framed_ip_address": "%{Framed-IP-Address}"}'
        tls = ${..tls}
[openwisp] Rest Radius Token error with fresh ansible-openwisp2 dev install
When authenticating on a fresh install, I am running into the error

(0) rest: ERROR: {"detail":"Radius token does not exist. Obtain a new radius token or provide the organization UUID and API token."}

I tried troubleshooting it but can't find anything on the www when searching for said error.

Server is being contacted via a public IP which is forwarding ports 1812 to the machine running openwisp2.

Following debug output is from a machine which was set up via ansible (fresh install!) - I have configured a NAS with the public IP of our firewall (111.111.111.111 placeholder) that uses the RADIUS server for auth, a user called "testuser" with a NT-Password.

Here is the debug output:

FreeRADIUS Version 3.0.21
Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
[openwisp] No authentication possible via SQL & PAP / EAP
I have installed the dev version of openwisp via ansible and could not get the auth to work due to REST errors. After changing the site I am running into the debug output which I attached as 'debug.txt'.

I have spent around 4 hours troubleshooting, but can't get to the core issue. Any help is appreciated.

FreeRADIUS Version 3.0.21
Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...