Re: [openwisp] Openwisp-Radius logs 'Token authentication failed' with correct UUID + Token

2021-11-25 Thread Filip Waluda
Thanks for this - totally missed it when glancing over and comparing the 
configuration file. After removing the ampersand it started working 
immediately.

I am 90% sure that I've copied the line from one of the docs and exchanged 
the uuid and token, but couldn't find said doc just yet. I'll look through 
them when I have time later this week. I can create a pull request in case 
I find it if you wish.

On Tuesday, November 23, 2021 at 6:53:28 PM UTC+1 f.capoano wrote:

> First thing that comes to my eyes is the following:
>
> Authorization: Bearer 2463f97d-bd0e-4c29-9ccc-f845c96571d1 & 
> 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd
>
> Our docs say: 
> <https://openwisp-radius.readthedocs.io/en/latest/user/api.html#bearer-token>
>
> Authorization: Bearer  
>
> In your case it seems to me that it's instead:
>
> Authorization: Bearer  & 
>
> Did you come up with your ampersand on your own or is it something you see 
> anywhere in the docs? If you see it anywhere please let me know so I can 
> fix it because it's not right.
>
> I think it should be:
>
> Authorization: Bearer 2463f97d-bd0e-4c29-9ccc-f845c96571d1 
> 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd
>
> Ensure the token is the organization radius settings token and not the 
> openwisp controller shared secret, instructions on how to find these values 
> are described here:
>
> https://openwisp-radius.readthedocs.io/en/latest/user/api.html#organization-uuid-token
>
> I hope this helps.
>
> Best regards
> Federico Capoano
>
> On Tue, Nov 23, 2021 at 4:18 AM Filip Waluda  wrote:
>
>> As per Gitter, here is the part of freeradius -X output as well as the 
>> configuration files for the mods and sites:
>>
>> *freeradius -X:*
>>
>> (0) Received Access-Request Id 203 from {PUBLIC-IP-OF-CLIENT}:50130 to 
>> 192.168.105.97:1812 length 79
>> (0)   Service-Type = Authenticate-Only
>> (0)   User-Name = "TestUser"
>> (0)   User-Password = "TestPassword123_"
>> (0)   NAS-Port-Type = Wireless-802.11
>> (0)   NAS-Identifier = "firewallH23"
>> (0)   NAS-Port = 0
>> (0)   NAS-IP-Address = {PUBLIC-IP-OF-CLIENT}
>> (0) # Executing section authorize from file 
>> /etc/freeradius/3.0/sites-enabled/openwisp_site
>> (0)   authorize {
>> (0) update control {
>> (0)   &REST-HTTP-Header += "Authorization: Bearer 
>> 2463f97d-bd0e-4c29-9ccc-f845c96571d1 & 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd"
>> (0) } # update control = noop
>> rlm_rest (rest): Reserved connection (0)
>> (0) rest: Expanding URI components
>> (0) rest: EXPAND https://radius.domainplaceholder.de
>> (0) rest:--> https://radius.domainplaceholder.de
>> (0) rest: EXPAND /api/v1/freeradius/authorize/
>> (0) rest:--> /api/v1/freeradius/authorize/
>> (0) rest: Sending HTTP POST to "
>> https://radius.domainplaceholder.de/api/v1/freeradius/authorize/"
>> (0) rest: EXPAND {"username": "%{User-Name}", "password": 
>> "%{User-Password}"}
>> (0) rest:--> {"username": "TestUser", "password": "TestPassword123_"}
>> (0) rest: Processing response header
>> (0) rest:   Status : 403 (Forbidden)
>> (0) rest:   Type   : json (application/json)
>> (0) rest: ERROR: Server returned:
>> (0) rest: ERROR: {"detail":"Token authentication failed"}
>> rlm_rest (rest): Released connection (0)
>> (0) [rest] = userlock
>> (0)   } # authorize = userlock
>> (0) Invalid user (rest: Server returned:): [TestUser] (from client 
>> firewallH23 port 0)
>> (0) Using Post-Auth-Type Reject
>> (0) # Executing group from file 
>> /etc/freeradius/3.0/sites-enabled/openwisp_site
>> (0)   Post-Auth-Type REJECT {
>> (0) update control {
>> (0)   &REST-Http-Header += "Authorization: Bearer 
>> 2463f97d-bd0e-4c29-9ccc-f845c96571d1 & 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd"
>> (0) } # update control = noop
>> rlm_rest (rest): Reserved connection (1)
>> (0) rest: Expanding URI components
>> (0) rest: EXPAND https://radius.domainplaceholder.de
>> (0) rest:--> https://radius.domainplaceholder.de
>> (0) rest: EXPAND /api/v1/freeradius/postauth/
>> (0) rest:--> /api/v1/freeradius/postauth/
>> (0) rest: Sending HTTP POST to "
>> https://radius.domainplaceholder.de/api/v1/freeradius/postauth/"
>> (0) rest: EXPAND {"username": "%{User-Name}", "password": 
>> "%{User-Password}", "reply": "%{reply:Pac
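
The header format discussed in this message, as an added example that is not part of the original thread or of the OpenWISP project's code: a small Python check that pulls every `REST-HTTP-Header` Authorization value out of `freeradius -X` output (including values wrapped across lines), verifies it is `Bearer` followed by exactly a UUID and a token, and masks the token so the report can be shared. The sample UUID and token are constructed, and the alphanumeric token pattern is an assumption based on the token shown in the thread.

```python
import re

# Constructed sample modelled on the `freeradius -X` lines in this thread.
# The UUID and token are made up; the first header is wrapped as mail does.
SAMPLE_DEBUG = '''\
(0) update control {
(0)   &REST-HTTP-Header += "Authorization: Bearer
00000000-1111-2222-3333-444444444444 & ExampleTokenAAAABBBBCCCCDDDD0000"
(0) } # update control = noop
(0) update control {
(0)   &REST-Http-Header += "Authorization: Bearer 00000000-1111-2222-3333-444444444444 ExampleTokenAAAABBBBCCCCDDDD0000"
(0) } # update control = noop
'''

UUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
# Assumption: the organization token is purely alphanumeric, as in the thread.
TOKEN_RE = re.compile(r"[A-Za-z0-9]+")
# [^"]* also spans newlines, so wrapped header values are captured whole.
HEADER_RE = re.compile(
    r'REST-HTTP-Header\s*\+?=\s*"Authorization:\s*([^"]*)"', re.I)


def check_value(value):
    """Return the problems found in one Authorization header value."""
    parts = value.split()
    if not parts or parts[0] != "Bearer":
        return ["scheme is not 'Bearer'"]
    fields, problems = parts[1:], []
    if len(fields) != 2:
        problems.append(
            f"expected 2 fields after 'Bearer' (UUID, token), found {len(fields)}")
    if not fields or not UUID_RE.fullmatch(fields[0]):
        problems.append("first field is not a UUID")
    for extra in fields[1:]:
        if not TOKEN_RE.fullmatch(extra):
            problems.append(f"unexpected field {extra!r}")
    return problems


def redact(value):
    """Mask long secrets; keep the scheme, UUID and short separators visible."""
    shown = []
    for part in value.split():
        keep = part == "Bearer" or UUID_RE.fullmatch(part) or len(part) < 8
        shown.append(part if keep else part[:4] + "***")
    return " ".join(shown)


def audit(debug_text):
    """Return (redacted value, problems) for every Authorization header."""
    return [(redact(m.group(1)), check_value(m.group(1)))
            for m in HEADER_RE.finditer(debug_text)]


if __name__ == "__main__":
    for shown, problems in audit(SAMPLE_DEBUG):
        print("OK " if not problems else "BAD", shown, problems)
```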

[openwisp] ansible-openwisp2 / openwisp-radius 'Token authentication failed' with correct UUID & Org. Token

2021-11-22 Thread Filip Waluda
As talked about in Gitter.

Config files & debug output have been uploaded here: 
https://github.com/walunk/openwisp-radius-config

-- 
You received this message because you are subscribed to the Google Groups 
"OpenWISP" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to openwisp+unsubscr...@googlegroups.com.
To view this discussion on the web, visit 
https://groups.google.com/d/msgid/openwisp/f79bdf51-7563-49c4-b442-748b5e9ca08fn%40googlegroups.com.


[openwisp] Openwisp-Radius logs 'Token authentication failed' with correct UUID + Token

2021-11-22 Thread Filip Waluda
As per Gitter, here is the part of freeradius -X output as well as the 
configuration files for the mods and sites:

*freeradius -X:*

(0) Received Access-Request Id 203 from {PUBLIC-IP-OF-CLIENT}:50130 to 
192.168.105.97:1812 length 79
(0)   Service-Type = Authenticate-Only
(0)   User-Name = "TestUser"
(0)   User-Password = "TestPassword123_"
(0)   NAS-Port-Type = Wireless-802.11
(0)   NAS-Identifier = "firewallH23"
(0)   NAS-Port = 0
(0)   NAS-IP-Address = {PUBLIC-IP-OF-CLIENT}
(0) # Executing section authorize from file 
/etc/freeradius/3.0/sites-enabled/openwisp_site
(0)   authorize {
(0) update control {
(0)   &REST-HTTP-Header += "Authorization: Bearer 
2463f97d-bd0e-4c29-9ccc-f845c96571d1 & 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd"
(0) } # update control = noop
rlm_rest (rest): Reserved connection (0)
(0) rest: Expanding URI components
(0) rest: EXPAND https://radius.domainplaceholder.de
(0) rest:--> https://radius.domainplaceholder.de
(0) rest: EXPAND /api/v1/freeradius/authorize/
(0) rest:--> /api/v1/freeradius/authorize/
(0) rest: Sending HTTP POST to 
"https://radius.domainplaceholder.de/api/v1/freeradius/authorize/"
(0) rest: EXPAND {"username": "%{User-Name}", "password": 
"%{User-Password}"}
(0) rest:--> {"username": "TestUser", "password": "TestPassword123_"}
(0) rest: Processing response header
(0) rest:   Status : 403 (Forbidden)
(0) rest:   Type   : json (application/json)
(0) rest: ERROR: Server returned:
(0) rest: ERROR: {"detail":"Token authentication failed"}
rlm_rest (rest): Released connection (0)
(0) [rest] = userlock
(0)   } # authorize = userlock
(0) Invalid user (rest: Server returned:): [TestUser] (from client 
firewallH23 port 0)
(0) Using Post-Auth-Type Reject
(0) # Executing group from file 
/etc/freeradius/3.0/sites-enabled/openwisp_site
(0)   Post-Auth-Type REJECT {
(0) update control {
(0)   &REST-Http-Header += "Authorization: Bearer 
2463f97d-bd0e-4c29-9ccc-f845c96571d1 & 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd"
(0) } # update control = noop
rlm_rest (rest): Reserved connection (1)
(0) rest: Expanding URI components
(0) rest: EXPAND https://radius.domainplaceholder.de
(0) rest:--> https://radius.domainplaceholder.de
(0) rest: EXPAND /api/v1/freeradius/postauth/
(0) rest:--> /api/v1/freeradius/postauth/
(0) rest: Sending HTTP POST to 
"https://radius.domainplaceholder.de/api/v1/freeradius/postauth/"
(0) rest: EXPAND {"username": "%{User-Name}", "password": 
"%{User-Password}", "reply": "%{reply:Packet-Type}", "called_station_id": 
"%{Called-Station-ID}", "calling_station_id": "%{Calling-Station-ID}"}
(0) rest:--> {"username": "TestUser", "password": "TestPassword123_", 
"reply": "Access-Reject", "called_station_id": "", "calling_station_id": ""}
(0) rest: Processing response header
(0) rest:   Status : 403 (Forbidden)
(0) rest:   Type   : json (application/json)
(0) rest: ERROR: Server returned:
(0) rest: ERROR: {"detail":"Token authentication failed"}
rlm_rest (rest): Released connection (1)
(0) [rest] = invalid
(0)   } # Post-Auth-Type REJECT = invalid
(0) Delaying response for 1.00 seconds
Waking up in 0.1 seconds.
Waking up in 0.8 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 203 from 192.168.105.97:1812 to 
{PUBLIC-IP-OF-CLIENT}:50130 length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 203 with timestamp +48
Ready to process requests

*mods-enabled\rest:*

rest {
    tls = {}
    connect_uri = "https://radius.domainplaceholder.de/api/v1/freeradius"

    authorize {
        uri = "${..connect_uri}/authorize/"
        method = 'post'
        body = 'json'
        data = '{"username": "%{User-Name}", "password": "%{User-Password}"}'
        tls = ${..tls}
    }

    # this section can be left empty
    authenticate {}

    post-auth {
        uri = "${..connect_uri}/postauth/"
        method = 'post'
        body = 'json'
        data = '{"username": "%{User-Name}", "password": "%{User-Password}", "reply": "%{reply:Packet-Type}", "called_station_id": "%{Called-Station-ID}", "calling_station_id": "%{Calling-Station-ID}"}'
        tls = ${..tls}
    }

    accounting {
        uri = "${..connect_uri}/accounting/"
        method = 'post'
        body = 'json'
        data = '{"status_type": "%{Acct-Status-Type}", "session_id": "%{Acct-Session-Id}", "unique_id": "%{Acct-Unique-Session-Id}", "username": "%{User-Name}", "realm": "%{Realm}", "nas_ip_address": "%{NAS-IP-Address}", "nas_port_id": "%{NAS-Port}", "nas_port_type": "%{NAS-Port-Type}", "session_time": "%{Acct-Session-Time}", "authentication": "%{Acct-Authentic}", "input_octets": "%{Acct-Input-Octets}", "output_octets": "%{Acct-Output-Octets}", "called_station_id": "%{Called-Station-Id}", "calling_station_id": "%{Calling-Station-Id}", "terminate_cause": "%{Acct-Terminate-Cause}", "service_type": "%{Service-Type}", "framed_protocol": "%{Framed-Protocol}", "framed_ip_address": "%{Framed-IP-Address}"}'
        tls = ${..tls}
   

[openwisp] Rest Radius Token error with fresh ansible-openwisp2 dev install

2021-11-12 Thread Filip Waluda
When authenticating on a fresh install, I am running into the error

(0) rest: ERROR: {"detail":"Radius token does not exist. Obtain a new 
radius token or provide the organization UUID and API token."}

I tried troubleshooting it but can't find anything on the www when 
searching for said error.

Server is being contacted via a public IP which is forwarding ports 1812 to 
the machine running openwisp2. Following debug output is from a machine 
which was set up via ansible (fresh install!) - I have configured a NAS 
with the public IP of our firewall (111.111.111.111 placeholder) that uses 
the RADIUS server for auth, a user called "testuser" with a NT-Password.


Here is the debug output:

FreeRADIUS Version 3.0.21
Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/3.0/dictionary
including configuration file /etc/freeradius/3.0/radiusd.conf
including configuration file /etc/freeradius/3.0/proxy.conf
including configuration file /etc/freeradius/3.0/clients.conf
including files in directory /etc/freeradius/3.0/mods-enabled/
including configuration file /etc/freeradius/3.0/mods-enabled/utf8
including configuration file /etc/freeradius/3.0/mods-enabled/mschap
including configuration file /etc/freeradius/3.0/mods-enabled/files
including configuration file /etc/freeradius/3.0/mods-enabled/passwd
including configuration file /etc/freeradius/3.0/mods-enabled/sql
including configuration file 
/etc/freeradius/3.0/mods-config/sql/main/sqlite/queries.conf
including configuration file /etc/freeradius/3.0/mods-enabled/expr
including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap
including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
including configuration file /etc/freeradius/3.0/mods-enabled/eap
including configuration file /etc/freeradius/3.0/mods-enabled/exec
including configuration file /etc/freeradius/3.0/mods-enabled/unpack
including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
including configuration file /etc/freeradius/3.0/mods-enabled/always
including configuration file /etc/freeradius/3.0/mods-enabled/logintime
including configuration file /etc/freeradius/3.0/mods-enabled/digest
including configuration file /etc/freeradius/3.0/mods-enabled/detail
including configuration file /etc/freeradius/3.0/mods-enabled/realm
including configuration file /etc/freeradius/3.0/mods-enabled/sql_counter
including configuration file 
/etc/freeradius/3.0/mods-config/sql/counter/sqlite/dailycounter.conf
including configuration file 
/etc/freeradius/3.0/mods-config/sql/counter/sqlite/dailybandwidthcounter.conf
including configuration file 
/etc/freeradius/3.0/mods-config/sql/counter/sqlite/noresetcounter.conf
including configuration file 
/etc/freeradius/3.0/mods-config/sql/counter/sqlite/monthlycounter.conf
including configuration file 
/etc/freeradius/3.0/mods-config/sql/counter/sqlite/expire_on_login.conf
including configuration file /etc/freeradius/3.0/mods-enabled/chap
including configuration file /etc/freeradius/3.0/mods-enabled/expiration
including configuration file /etc/freeradius/3.0/mods-enabled/linelog
including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
including configuration file 
/etc/freeradius/3.0/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/3.0/mods-enabled/rest
including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/3.0/mods-enabled/replicate
including configuration file /etc/freeradius/3.0/mods-enabled/echo
including configuration file /etc/freeradius/3.0/mods-enabled/soh
including configuration file /etc/freeradius/3.0/mods-enabled/unix
including configuration file /etc/freeradius/3.0/mods-enabled/pap
including files in directory /etc/freeradius/3.0/policy.d/
including configuration file /etc/freeradius/3.0/policy.d/operator-name
including configuration file /etc/freeradius/3.0/policy.d/rfc7542
including configuration file /etc/freeradius/3.0/policy.d/accounting
including configuration file /etc/freeradius/3.0/policy.d/eap
including configuration file /etc/freeradius/3.0/policy.d/canonicalization
including configuration file /etc/freeradius/3.0/policy.d/debug
including configuration file /etc/freeradius/3.0/policy.d/cui
including configuration file /etc/freeradius/3.0/policy.d/fi

[openwisp] No authentication possible via SQL & PAP / EAP

2021-11-10 Thread Filip Waluda
I have installed the dev version of openwisp via ansible and could not get 
the auth to work due to REST errors. After changing the site I am running 
into the debug output which I attached as 'debug.txt'.

I have spent around 4 hours troubleshooting, but can't get to the core 
issue. Any help is appreciated.
