The first thing that catches my eye is the following header: Authorization: Bearer 2463f97d-bd0e-4c29-9ccc-f845c96571d1 & 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd
Our docs say: <https://openwisp-radius.readthedocs.io/en/latest/user/api.html#bearer-token> Authorization: Bearer <org-uuid> <token> In your case it seems to me that it's instead: Authorization: Bearer <org-uuid> & <token> Did you come up with the ampersand on your own, or is it something you saw somewhere in the docs? If you saw it anywhere, please let me know so I can fix it, because it's not right. I think it should be: Authorization: Bearer 2463f97d-bd0e-4c29-9ccc-f845c96571d1 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd Ensure the token is the organization radius settings token and not the openwisp controller shared secret; instructions on how to find these values are described here: https://openwisp-radius.readthedocs.io/en/latest/user/api.html#organization-uuid-token Since the token is now visible in this thread, replace it with a new one in the organization radius settings once authentication works. I hope this helps. Best regards Federico Capoano On Tue, Nov 23, 2021 at 4:18 AM Filip Waluda <filipwal...@gmail.com> wrote: > As per Gitter, here is the part of freeradius -X output as well as the > configuration files for the mods and sites: > > *freeradius -X:* > > (0) Received Access-Request Id 203 from {PUBLIC-IP-OF-CLIENT}:50130 to > 192.168.105.97:1812 length 79 > (0) Service-Type = Authenticate-Only > (0) User-Name = "TestUser" > (0) User-Password = "TestPassword123_" > (0) NAS-Port-Type = Wireless-802.11 > (0) NAS-Identifier = "firewallH23" > (0) NAS-Port = 0 > (0) NAS-IP-Address = {PUBLIC-IP-OF-CLIENT} > (0) # Executing section authorize from file > /etc/freeradius/3.0/sites-enabled/openwisp_site > (0) authorize { > (0) update control { > (0) &REST-HTTP-Header += "Authorization: Bearer > 2463f97d-bd0e-4c29-9ccc-f845c96571d1 & 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd" > (0) } # update control = noop > rlm_rest (rest): Reserved connection (0) > (0) rest: Expanding URI components > (0) rest: EXPAND https://radius.domainplaceholder.de > (0) rest: --> https://radius.domainplaceholder.de > (0) rest: EXPAND /api/v1/freeradius/authorize/ > (0) rest: --> /api/v1/freeradius/authorize/ > (0) rest: Sending HTTP POST to 
" > https://radius.domainplaceholder.de/api/v1/freeradius/authorize/" > (0) rest: EXPAND {"username": "%{User-Name}", "password": > "%{User-Password}"} > (0) rest: --> {"username": "TestUser", "password": "TestPassword123_"} > (0) rest: Processing response header > (0) rest: Status : 403 (Forbidden) > (0) rest: Type : json (application/json) > (0) rest: ERROR: Server returned: > (0) rest: ERROR: {"detail":"Token authentication failed"} > rlm_rest (rest): Released connection (0) > (0) [rest] = userlock > (0) } # authorize = userlock > (0) Invalid user (rest: Server returned:): [TestUser] (from client > firewallH23 port 0) > (0) Using Post-Auth-Type Reject > (0) # Executing group from file > /etc/freeradius/3.0/sites-enabled/openwisp_site > (0) Post-Auth-Type REJECT { > (0) update control { > (0) &REST-Http-Header += "Authorization: Bearer > 2463f97d-bd0e-4c29-9ccc-f845c96571d1 & 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd" > (0) } # update control = noop > rlm_rest (rest): Reserved connection (1) > (0) rest: Expanding URI components > (0) rest: EXPAND https://radius.domainplaceholder.de > (0) rest: --> https://radius.domainplaceholder.de > (0) rest: EXPAND /api/v1/freeradius/postauth/ > (0) rest: --> /api/v1/freeradius/postauth/ > (0) rest: Sending HTTP POST to " > https://radius.domainplaceholder.de/api/v1/freeradius/postauth/" > (0) rest: EXPAND {"username": "%{User-Name}", "password": > "%{User-Password}", "reply": "%{reply:Packet-Type}", "called_station_id": > "%{Called-Station-ID}", "calling_station_id": "%{Calling-Station-ID}"} > (0) rest: --> {"username": "TestUser", "password": "TestPassword123_", > "reply": "Access-Reject", "called_station_id": "", "calling_station_id": ""} > (0) rest: Processing response header > (0) rest: Status : 403 (Forbidden) > (0) rest: Type : json (application/json) > (0) rest: ERROR: Server returned: > (0) rest: ERROR: {"detail":"Token authentication failed"} > rlm_rest (rest): Released connection (1) > (0) [rest] = invalid > (0) } # 
Post-Auth-Type REJECT = invalid > (0) Delaying response for 1.000000 seconds > Waking up in 0.1 seconds. > Waking up in 0.8 seconds. > (0) Sending delayed response > (0) Sent Access-Reject Id 203 from 192.168.105.97:1812 to > {PUBLIC-IP-OF-CLIENT}:50130 length 20 > Waking up in 3.9 seconds. > (0) Cleaning up request packet ID 203 with timestamp +48 > Ready to process requests > > *mods-enabled\rest:* > > rest { > tls = {} > connect_uri = "https://radius.domainplaceholder.de/api/v1/freeradius" > > authorize { > uri = "${..connect_uri}/authorize/" > method = 'post' > body = 'json' > data = '{"username": "%{User-Name}", "password": > "%{User-Password}"}' > tls = ${..tls} > } > > # this section can be left empty > authenticate {} > > post-auth { > uri = "${..connect_uri}/postauth/" > method = 'post' > body = 'json' > data = '{"username": "%{User-Name}", "password": > "%{User-Password}", "reply": "%{reply:Packet-Type}", "called_station_id": > "%{Called-Station-ID}", "calling_station_id": "%{Calling-Station-ID}"}' > tls = ${..tls} > } > > accounting { > uri = "${..connect_uri}/accounting/" > method = 'post' > body = 'json' > data = '{"status_type": "%{Acct-Status-Type}", "session_id": > "%{Acct-Session-Id}", "unique_id": "%{Acct-Unique-Session-Id}", "username": > "%{User-Name}", "realm": "%{Realm}", "nas_ip_address": "%{NAS-IP-Address}", > "nas_port_id": "%{NAS-Port}", "nas_port_type": "%{NAS-Port-Type}", > "session_time": "%{Acct-Session-Time}", "authentication": > "%{Acct-Authentic}", "input_octets": "%{Acct-Input-Octets}", > "output_octets": "%{Acct-Output-Octets}", "called_station_id": > "%{Called-Station-Id}", "calling_station_id": "%{Calling-Station-Id}", > "terminate_cause": "%{Acct-Terminate-Cause}", "service_type": > "%{Service-Type}", "framed_protocol": "%{Framed-Protocol}", > "framed_ip_address": "%{Framed-IP-Address}"}' > tls = ${..tls} > } > } > > *sites-enabled\openwisp_site:* > > server default { > api_token_header = "Authorization: Bearer > 
2463f97d-bd0e-4c29-9ccc-f845c96571d1 & 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd" > listen { > type = auth > ipaddr = * > port = 0 > limit { > max_connections = 16 > lifetime = 0 > idle_timeout = 30 > } > } > > listen { > ipaddr = * > port = 0 > type = acct > limit {} > } > > authorize { > update control { &REST-HTTP-Header += "${...api_token_header}" } > rest > sql > dailycounter > dailybandwidthcounter > noresetcounter > } > > authenticate { > } > > > preacct { > preprocess > acct_unique > suffix > files > } > > accounting { > update control { &REST-HTTP-Header += "${...api_token_header}" } > rest > } > > session {} > > post-auth { > update control { &REST-HTTP-Header += "${...api_token_header}" } > rest > > Post-Auth-Type REJECT { > update control { &REST-Http-Header += "${....api_token_header}" } > rest > } > } > > pre-proxy {} > post-proxy {} > } > > *mods-enabled\sql (unchanged):* > > sql { > driver = "rlm_sql_sqlite" > dialect = "sqlite" > sqlite { > filename = "/opt/openwisp2/db.sqlite3" > } > > acct_table1 = "radacct" > acct_table2 = "radacct" > postauth_table = "radpostauth" > authcheck_table = "radcheck" > groupcheck_table = "radgroupcheck" > authreply_table = "radreply" > groupreply_table = "radgroupreply" > usergroup_table = "radusergroup" > delete_stale_sessions = yes > client_table = "nas" > read_clients = yes > group_attribute = "SQL-Group" > > $INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf > > pool { > start = ${thread[pool].start_servers} > min = ${thread[pool].min_spare_servers} > max = ${thread[pool].max_servers} > spare = ${thread[pool].max_spare_servers} > uses = 0 > retry_delay = 30 > lifetime = 0 > idle_timeout = 60 > } > } > > -- > You received this message because you are subscribed to the Google Groups > "OpenWISP" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to openwisp+unsubscr...@googlegroups.com. 