[openwisp] Openwisp-Radius logs 'Token authentication failed' with correct UUID + Token

Filip Waluda Mon, 22 Nov 2021 23:18:23 -0800

As per Gitter, here is the part of freeradius -X output as well as the 
configuration files for the mods and sites:


*freeradius -X:*

(0) Received Access-Request Id 203 from {PUBLIC-IP-OF-CLIENT}:50130 to 
192.168.105.97:1812 length 79
(0)   Service-Type = Authenticate-Only
(0)   User-Name = "TestUser"
(0)   User-Password = "TestPassword123_"
(0)   NAS-Port-Type = Wireless-802.11
(0)   NAS-Identifier = "firewallH23"
(0)   NAS-Port = 0
(0)   NAS-IP-Address = {PUBLIC-IP-OF-CLIENT}
(0) # Executing section authorize from file 
/etc/freeradius/3.0/sites-enabled/openwisp_site
(0)   authorize {
(0)     update control {
(0)       &REST-HTTP-Header += "Authorization: Bearer 
2463f97d-bd0e-4c29-9ccc-f845c96571d1 & 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd"
(0)     } # update control = noop
rlm_rest (rest): Reserved connection (0)
(0) rest: Expanding URI components
(0) rest: EXPAND https://radius.domainplaceholder.de
(0) rest:    --> https://radius.domainplaceholder.de
(0) rest: EXPAND /api/v1/freeradius/authorize/
(0) rest:    --> /api/v1/freeradius/authorize/
(0) rest: Sending HTTP POST to 
"https://radius.domainplaceholder.de/api/v1/freeradius/authorize/";
(0) rest: EXPAND {"username": "%{User-Name}", "password": 
"%{User-Password}"}
(0) rest:    --> {"username": "TestUser", "password": "TestPassword123_"}
(0) rest: Processing response header
(0) rest:   Status : 403 (Forbidden)
(0) rest:   Type   : json (application/json)
(0) rest: ERROR: Server returned:
(0) rest: ERROR: {"detail":"Token authentication failed"}
rlm_rest (rest): Released connection (0)
(0)     [rest] = userlock
(0)   } # authorize = userlock
(0) Invalid user (rest: Server returned:): [TestUser] (from client 
firewallH23 port 0)
(0) Using Post-Auth-Type Reject
(0) # Executing group from file 
/etc/freeradius/3.0/sites-enabled/openwisp_site
(0)   Post-Auth-Type REJECT {
(0)     update control {
(0)       &REST-Http-Header += "Authorization: Bearer 
2463f97d-bd0e-4c29-9ccc-f845c96571d1 & 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd"
(0)     } # update control = noop
rlm_rest (rest): Reserved connection (1)
(0) rest: Expanding URI components
(0) rest: EXPAND https://radius.domainplaceholder.de
(0) rest:    --> https://radius.domainplaceholder.de
(0) rest: EXPAND /api/v1/freeradius/postauth/
(0) rest:    --> /api/v1/freeradius/postauth/
(0) rest: Sending HTTP POST to 
"https://radius.domainplaceholder.de/api/v1/freeradius/postauth/";
(0) rest: EXPAND {"username": "%{User-Name}", "password": 
"%{User-Password}", "reply": "%{reply:Packet-Type}", "called_station_id": 
"%{Called-Station-ID}", "calling_station_id": "%{Calling-Station-ID}"}
(0) rest:    --> {"username": "TestUser", "password": "TestPassword123_", 
"reply": "Access-Reject", "called_station_id": "", "calling_station_id": ""}
(0) rest: Processing response header
(0) rest:   Status : 403 (Forbidden)
(0) rest:   Type   : json (application/json)
(0) rest: ERROR: Server returned:
(0) rest: ERROR: {"detail":"Token authentication failed"}
rlm_rest (rest): Released connection (1)
(0)     [rest] = invalid
(0)   } # Post-Auth-Type REJECT = invalid
(0) Delaying response for 1.000000 seconds
Waking up in 0.1 seconds.
Waking up in 0.8 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 203 from 192.168.105.97:1812 to 
{PUBLIC-IP-OF-CLIENT}:50130 length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 203 with timestamp +48
Ready to process requests

*mods-enabled\rest:*

rest {
    tls = {}
connect_uri = "https://radius.domainplaceholder.de/api/v1/freeradius";

    authorize {
        uri = "${..connect_uri}/authorize/"
        method = 'post'
        body = 'json'
        data = '{"username": "%{User-Name}", "password": 
"%{User-Password}"}'
        tls = ${..tls}
    }

    # this section can be left empty
    authenticate {}

    post-auth {
        uri = "${..connect_uri}/postauth/"
        method = 'post'
        body = 'json'
        data = '{"username": "%{User-Name}", "password": 
"%{User-Password}", "reply": "%{reply:Packet-Type}", "called_station_id": 
"%{Called-Station-ID}", "calling_station_id": "%{Calling-Station-ID}"}'
        tls = ${..tls}
    }

    accounting {
        uri = "${..connect_uri}/accounting/"
        method = 'post'
        body = 'json'
        data = '{"status_type": "%{Acct-Status-Type}", "session_id": 
"%{Acct-Session-Id}", "unique_id": "%{Acct-Unique-Session-Id}", "username": 
"%{User-Name}", "realm": "%{Realm}", "nas_ip_address": "%{NAS-IP-Address}", 
"nas_port_id": "%{NAS-Port}", "nas_port_type": "%{NAS-Port-Type}", 
"session_time": "%{Acct-Session-Time}", "authentication": 
"%{Acct-Authentic}", "input_octets": "%{Acct-Input-Octets}", 
"output_octets": "%{Acct-Output-Octets}", "called_station_id": 
"%{Called-Station-Id}", "calling_station_id": "%{Calling-Station-Id}", 
"terminate_cause": "%{Acct-Terminate-Cause}", "service_type": 
"%{Service-Type}", "framed_protocol": "%{Framed-Protocol}", 
"framed_ip_address": "%{Framed-IP-Address}"}'
        tls = ${..tls}
    }
}

*sites-enabled\openwisp_site:*

server default {
api_token_header = "Authorization: Bearer 
2463f97d-bd0e-4c29-9ccc-f845c96571d1 & 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd" 
    listen {
        type = auth
        ipaddr = *
        port = 0
        limit {
            max_connections = 16
            lifetime = 0
            idle_timeout = 30
        }
    }

    listen {
        ipaddr = *
        port = 0
        type = acct
        limit {}
    }

    authorize {
update control { &REST-HTTP-Header += "${...api_token_header}" }
        rest
        sql
dailycounter
        dailybandwidthcounter
        noresetcounter
    }

    authenticate {
    }

    
    preacct {
        preprocess
        acct_unique
        suffix
        files
    }

    accounting {
update control { &REST-HTTP-Header += "${...api_token_header}" }
        rest
    }

    session {}

    post-auth {
update control { &REST-HTTP-Header += "${...api_token_header}" }
        rest

        Post-Auth-Type REJECT {
    update control { &REST-Http-Header += "${....api_token_header}" }
            rest
        }
    }

    pre-proxy {}
    post-proxy {}
}

*mods-enabled\sql (unchanged):*

sql {
    driver = "rlm_sql_sqlite"
    dialect = "sqlite"
    sqlite {
        filename = "/opt/openwisp2/db.sqlite3"
    }

    acct_table1 = "radacct"
    acct_table2 = "radacct"
    postauth_table = "radpostauth"
    authcheck_table = "radcheck"
    groupcheck_table = "radgroupcheck"
    authreply_table = "radreply"
    groupreply_table = "radgroupreply"
    usergroup_table = "radusergroup"
    delete_stale_sessions = yes
    client_table = "nas"
    read_clients = yes
    group_attribute = "SQL-Group"

    $INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf

    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = ${thread[pool].max_servers}
        spare = ${thread[pool].max_spare_servers}
        uses = 0
        retry_delay = 30
        lifetime = 0
        idle_timeout = 60
    }
}

-- 
You received this message because you are subscribed to the Google Groups 
"OpenWISP" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web, visit 
https://groups.google.com/d/msgid/openwisp/c61aa74a-002b-467f-832c-1b120b64744dn%40googlegroups.com.

[openwisp] Openwisp-Radius logs 'Token authentication failed' with correct UUID + Token

Reply via email to