Thanks for this - totally missed it when glancing over and comparing the configuration file. After removing the ampersand it started working immediately.
I am 90% sure that I've copied the line from one of the docs and exchanged the uuid and token, but couldn't find said doc just yet. I'll look through them when I have time later this week. I can create a pull request in case I find it if you wish.

On Tuesday, November 23, 2021 at 6:53:28 PM UTC+1 f.capoano wrote:

> First thing that comes to my eyes is the following:
>
> Authorization: Bearer 2463f97d-bd0e-4c29-9ccc-f845c96571d1 &
> 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd
>
> Our docs say:
> <https://openwisp-radius.readthedocs.io/en/latest/user/api.html#bearer-token>
>
> Authorization: Bearer <org-uuid> <token>
>
> In your case it seems to me that it's instead:
>
> Authorization: Bearer <org-uuid> & <token>
>
> Did you come up with your ampersand on your own or is it something you see
> anywhere in the docs? If you see it anywhere please let me know so I can
> fix it because it's not right.
>
> I think it should be:
>
> Authorization: Bearer 2463f97d-bd0e-4c29-9ccc-f845c96571d1
> 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd
>
> Ensure the token is the organization radius settings token and not the
> openwisp controller shared secret, instructions on how to find these values
> are described here:
>
> https://openwisp-radius.readthedocs.io/en/latest/user/api.html#organization-uuid-token
>
> I hope this helps.
>
> Best regards
> Federico Capoano
>
> On Tue, Nov 23, 2021 at 4:18 AM Filip Waluda <filip...@gmail.com> wrote:
>
>> As per Gitter, here is the part of freeradius -X output as well as the
>> configuration files for the mods and sites:
>>
>> *freeradius -X:*
>>
>> (0) Received Access-Request Id 203 from {PUBLIC-IP-OF-CLIENT}:50130 to
>> 192.168.105.97:1812 length 79
>> (0) Service-Type = Authenticate-Only
>> (0) User-Name = "TestUser"
>> (0) User-Password = "TestPassword123_"
>> (0) NAS-Port-Type = Wireless-802.11
>> (0) NAS-Identifier = "firewallH23"
>> (0) NAS-Port = 0
>> (0) NAS-IP-Address = {PUBLIC-IP-OF-CLIENT}
>> (0) # Executing section authorize from file
>> /etc/freeradius/3.0/sites-enabled/openwisp_site
>> (0) authorize {
>> (0) update control {
>> (0) &REST-HTTP-Header += "Authorization: Bearer
>> 2463f97d-bd0e-4c29-9ccc-f845c96571d1 & 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd"
>> (0) } # update control = noop
>> rlm_rest (rest): Reserved connection (0)
>> (0) rest: Expanding URI components
>> (0) rest: EXPAND https://radius.domainplaceholder.de
>> (0) rest: --> https://radius.domainplaceholder.de
>> (0) rest: EXPAND /api/v1/freeradius/authorize/
>> (0) rest: --> /api/v1/freeradius/authorize/
>> (0) rest: Sending HTTP POST to "
>> https://radius.domainplaceholder.de/api/v1/freeradius/authorize/"
>> (0) rest: EXPAND {"username": "%{User-Name}", "password":
>> "%{User-Password}"}
>> (0) rest: --> {"username": "TestUser", "password": "TestPassword123_"}
>> (0) rest: Processing response header
>> (0) rest: Status : 403 (Forbidden)
>> (0) rest: Type : json (application/json)
>> (0) rest: ERROR: Server returned:
>> (0) rest: ERROR: {"detail":"Token authentication failed"}
>> rlm_rest (rest): Released connection (0)
>> (0) [rest] = userlock
>> (0) } # authorize = userlock
>> (0) Invalid user (rest: Server returned:): [TestUser] (from client
>> firewallH23 port 0)
>> (0) Using Post-Auth-Type Reject
>> (0) # Executing group from file
>> /etc/freeradius/3.0/sites-enabled/openwisp_site
>> (0) Post-Auth-Type REJECT {
>> (0) update control {
>> (0) &REST-Http-Header += "Authorization: Bearer
>> 2463f97d-bd0e-4c29-9ccc-f845c96571d1 & 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd"
>> (0) } # update control = noop
>> rlm_rest (rest): Reserved connection (1)
>> (0) rest: Expanding URI components
>> (0) rest: EXPAND https://radius.domainplaceholder.de
>> (0) rest: --> https://radius.domainplaceholder.de
>> (0) rest: EXPAND /api/v1/freeradius/postauth/
>> (0) rest: --> /api/v1/freeradius/postauth/
>> (0) rest: Sending HTTP POST to "
>> https://radius.domainplaceholder.de/api/v1/freeradius/postauth/"
>> (0) rest: EXPAND {"username": "%{User-Name}", "password":
>> "%{User-Password}", "reply": "%{reply:Packet-Type}", "called_station_id":
>> "%{Called-Station-ID}", "calling_station_id": "%{Calling-Station-ID}"}
>> (0) rest: --> {"username": "TestUser", "password": "TestPassword123_",
>> "reply": "Access-Reject", "called_station_id": "", "calling_station_id": ""}
>> (0) rest: Processing response header
>> (0) rest: Status : 403 (Forbidden)
>> (0) rest: Type : json (application/json)
>> (0) rest: ERROR: Server returned:
>> (0) rest: ERROR: {"detail":"Token authentication failed"}
>> rlm_rest (rest): Released connection (1)
>> (0) [rest] = invalid
>> (0) } # Post-Auth-Type REJECT = invalid
>> (0) Delaying response for 1.000000 seconds
>> Waking up in 0.1 seconds.
>> Waking up in 0.8 seconds.
>> (0) Sending delayed response
>> (0) Sent Access-Reject Id 203 from 192.168.105.97:1812 to
>> {PUBLIC-IP-OF-CLIENT}:50130 length 20
>> Waking up in 3.9 seconds.
>> (0) Cleaning up request packet ID 203 with timestamp +48
>> Ready to process requests
>>
>> *mods-enabled\rest:*
>>
>> rest {
>>     tls = {}
>>     connect_uri = "https://radius.domainplaceholder.de/api/v1/freeradius"
>>
>>     authorize {
>>         uri = "${..connect_uri}/authorize/"
>>         method = 'post'
>>         body = 'json'
>>         data = '{"username": "%{User-Name}", "password":
>>         "%{User-Password}"}'
>>         tls = ${..tls}
>>     }
>>
>>     # this section can be left empty
>>     authenticate {}
>>
>>     post-auth {
>>         uri = "${..connect_uri}/postauth/"
>>         method = 'post'
>>         body = 'json'
>>         data = '{"username": "%{User-Name}", "password":
>>         "%{User-Password}", "reply": "%{reply:Packet-Type}", "called_station_id":
>>         "%{Called-Station-ID}", "calling_station_id": "%{Calling-Station-ID}"}'
>>         tls = ${..tls}
>>     }
>>
>>     accounting {
>>         uri = "${..connect_uri}/accounting/"
>>         method = 'post'
>>         body = 'json'
>>         data = '{"status_type": "%{Acct-Status-Type}", "session_id":
>>         "%{Acct-Session-Id}", "unique_id": "%{Acct-Unique-Session-Id}", "username":
>>         "%{User-Name}", "realm": "%{Realm}", "nas_ip_address": "%{NAS-IP-Address}",
>>         "nas_port_id": "%{NAS-Port}", "nas_port_type": "%{NAS-Port-Type}",
>>         "session_time": "%{Acct-Session-Time}", "authentication":
>>         "%{Acct-Authentic}", "input_octets": "%{Acct-Input-Octets}",
>>         "output_octets": "%{Acct-Output-Octets}", "called_station_id":
>>         "%{Called-Station-Id}", "calling_station_id": "%{Calling-Station-Id}",
>>         "terminate_cause": "%{Acct-Terminate-Cause}", "service_type":
>>         "%{Service-Type}", "framed_protocol": "%{Framed-Protocol}",
>>         "framed_ip_address": "%{Framed-IP-Address}"}'
>>         tls = ${..tls}
>>     }
>> }
>>
>> *sites-enabled\openwisp_site:*
>>
>> server default {
>>     api_token_header = "Authorization: Bearer
>>     2463f97d-bd0e-4c29-9ccc-f845c96571d1 & 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd"
>>     listen {
>>         type = auth
>>         ipaddr = *
>>         port = 0
>>         limit {
>>             max_connections = 16
>>             lifetime = 0
>>             idle_timeout = 30
>>         }
>>     }
>>
>>     listen {
>>         ipaddr = *
>>         port = 0
>>         type = acct
>>         limit {}
>>     }
>>
>>     authorize {
>>         update control { &REST-HTTP-Header += "${...api_token_header}" }
>>         rest
>>         sql
>>         dailycounter
>>         dailybandwidthcounter
>>         noresetcounter
>>     }
>>
>>     authenticate {
>>     }
>>
>>
>>     preacct {
>>         preprocess
>>         acct_unique
>>         suffix
>>         files
>>     }
>>
>>     accounting {
>>         update control { &REST-HTTP-Header += "${...api_token_header}" }
>>         rest
>>     }
>>
>>     session {}
>>
>>     post-auth {
>>         update control { &REST-HTTP-Header += "${...api_token_header}" }
>>         rest
>>
>>         Post-Auth-Type REJECT {
>>             update control { &REST-Http-Header += "${....api_token_header}" }
>>             rest
>>         }
>>     }
>>
>>     pre-proxy {}
>>     post-proxy {}
>> }
>>
>> *mods-enabled\sql (unchanged):*
>>
>> sql {
>>     driver = "rlm_sql_sqlite"
>>     dialect = "sqlite"
>>     sqlite {
>>         filename = "/opt/openwisp2/db.sqlite3"
>>     }
>>
>>     acct_table1 = "radacct"
>>     acct_table2 = "radacct"
>>     postauth_table = "radpostauth"
>>     authcheck_table = "radcheck"
>>     groupcheck_table = "radgroupcheck"
>>     authreply_table = "radreply"
>>     groupreply_table = "radgroupreply"
>>     usergroup_table = "radusergroup"
>>     delete_stale_sessions = yes
>>     client_table = "nas"
>>     read_clients = yes
>>     group_attribute = "SQL-Group"
>>
>>     $INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
>>
>>     pool {
>>         start = ${thread[pool].start_servers}
>>         min = ${thread[pool].min_spare_servers}
>>         max = ${thread[pool].max_servers}
>>         spare = ${thread[pool].max_spare_servers}
>>         uses = 0
>>         retry_delay = 30
>>         lifetime = 0
>>         idle_timeout = 60
>>     }
>> }
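
The header format discussed in this thread (`Authorization: Bearer <org-uuid> <token>`) can be checked before FreeRADIUS is restarted. The following is an added example, not part of the original messages and not OpenWISP code: it lints the `api_token_header` setting from a site config and reports a stray separator such as the `&` above without echoing the token. The function names are hypothetical, the sample UUID and token are constructed, and treating the token as any whitespace-free string is an assumption.

```python
import re

# Matches the site-config setting that defines the header, e.g.
#   api_token_header = "Authorization: Bearer <org-uuid> <token>"
HEADER_SETTING = re.compile(r'api_token_header\s*=\s*"([^"]*)"')
UUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def check_header(value):
    """Return a list of problems found in an Authorization header value.

    UUID and token values are never echoed back, so the report can be
    logged without leaking the credential.
    """
    name, sep, rest = value.partition(":")
    if not sep or name.strip().lower() != "authorization":
        return ["not an Authorization header"]
    fields = rest.split()
    if not fields or fields[0] != "Bearer":
        return ["scheme is not 'Bearer'"]
    creds = fields[1:]
    problems = []
    if len(creds) != 2:
        problems.append(f"expected 2 fields after 'Bearer', found {len(creds)}")
    if not creds or not UUID_RE.fullmatch(creds[0]):
        problems.append("first field is not an organization UUID")
    # A field with no letters or digits (such as "&") is a separator, not data.
    stray = [f for f in creds if not any(c.isalnum() for c in f)]
    if stray:
        problems.append(f"separator-only field(s): {' '.join(stray)}")
    return problems


def check_site_config(text):
    """Check every api_token_header setting found in a site config."""
    return [check_header(m.group(1)) for m in HEADER_SETTING.finditer(text)]


# Constructed sample values, not the credentials from the thread.
ORG_UUID = "00000000-0000-4000-8000-000000000000"
TOKEN = "CONSTRUCTEDtoken0123456789abcdef"
BAD_SITE = f'server default {{\n  api_token_header = "Authorization: Bearer {ORG_UUID} & {TOKEN}"\n}}'
GOOD_SITE = BAD_SITE.replace(" & ", " ")

if __name__ == "__main__":
    for label, site in (("bad", BAD_SITE), ("good", GOOD_SITE)):
        print(label, check_site_config(site))
```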