Hi,
I've narrowed this down to the packetfence call in the post-auth section of
sites-enabled/packetfence-tunnel. If I comment this out, the authentication and
authorization work in both normal and debugging modes. With it in, it fails in
debug and works in normal.
Any tips?
Cheers,
Andi
From: Morris, Andi [mailto:[email protected]]
Sent: 15 May 2014 15:07
To: [email protected]
Subject: [PacketFence-users] radius auth not working in debug mode, but working in standard mode
Hi all,
Quite a weird one here I think.
I had my packetfence setup working with the default freeradius snakeoil
certificates, and have come to the point where I'm trying to configure the more
secure method. I have followed the steps at Alan Dekok's
http://deployingradius.com/documents/configuration/certificates.html site, and
once I deploy the new root certificate to the client everything works fine.
However, when I run the radius server in debug mode it doesn't work.
The only error that I can see in the debug output is:
rlm_perl: An error occurred while processing the authorize SOAP request:
syntax error at line 1, column 61, byte 61 at
/usr/lib64/perl5/vendor_perl/XML/Parser.pm line 187.
And the request seems to get rejected shortly after that.
The certificates were created by editing the ca.cnf and server.cnf in
/usr/local/pf/raddb/certs and then running 'make'. Once this was complete I
decrypted the passwords to stop freeradius asking for the private key password
each time the service was started, and then copied them to
/usr/local/pf/conf/ssl. Once in there I edited
/usr/local/pf/conf/radiusd/eap.conf and changed the below lines to reflect my
new certificates:
private_key_file = %%install_dir%%/conf/ssl/pfenceha.key
certificate_file = %%install_dir%%/conf/ssl/pfenceha.crt
It's all very confusing that it works with no issue when in normal running
mode. Debug mode is started using the following command:
radiusd -X -d /usr/local/pf/raddb
The only thing I can think is that when a /usr/local/pf/bin/pfcmd service
radiusd stop is performed it unloads some of the config that packetfence
inserts before radius is started. Is this right? If so, is there a way to run
radius in debug mode taking into account the various packetfence config files?
I've attached a sanitised debug output. For reference I'm running version
4.1.0, and have the eduroam config as explained in the 4.2 admin guide, with a
slight tweak on the /sites-enabled/packetfence virtual server so that I can see
what visiting users are on my network also:
post-auth {
    exec
    if (!EAP-Type || (EAP-Type != 21 && EAP-Type != 25) || (User-Name =~ /^.*\@.+/ && User-Name !~ /^.*\@cardiffmet.ac.uk/)) {
        packetfence
    }
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
I also have a section in my vlan/custom.pm file to separate my visiting users
from home users into separate vlans:
sub getNormalVlan {
    my ($this, $switch, $ifIndex, $mac, $node_info, $connection_type,
        $user_name, $ssid) = @_;
    my $logger = Log::Log4perl->get_logger(__PACKAGE__);

    # Home users (pid ending in cardiffmet.ac.uk, case-insensitive) go to the
    # local eduroam VLAN; everybody else is treated as a visitor.
    if (defined($node_info->{pid}) && $node_info->{pid} =~ /^.+cardiffmet\.ac\.uk$/i) {
        return $switch->getVlanByName('eduroam_local');
    }
    else {
        return $switch->getVlanByName('eduroam_visitors');
    }
}
To add further insult to injury, this all works perfectly well on my
development server, running the same versions, and as far as I can see the same
configuration.
Can anybody help please?
Cheers,
Andi
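The thread above contains two realm checks that are meant to agree: the unlang condition in post-auth (unescaped dots, no end anchor) and the Perl regex in getNormalVlan (escaped dots, anchored at both ends, case-insensitive). The following is an added example, not code from the thread or from PacketFence or FreeRADIUS, that models both checks in Python and runs constructed sample requests through them so that the cases where they disagree are visible. It assumes that Python's re behaves like the PCRE used by unlang and Perl for these patterns (true here) and that the node's pid is the same string as the RADIUS User-Name.

```python
import re

# Added example modelling the two realm checks posted in the thread; it is not
# PacketFence or FreeRADIUS code. Python's re stands in for PCRE (assumption:
# identical semantics for these patterns) and the node pid is assumed to equal
# the RADIUS User-Name.

# Condition from the post-auth section of sites-enabled/packetfence:
#   if (!EAP-Type || (EAP-Type != 21 && EAP-Type != 25) ||
#       (User-Name =~ /^.*\@.+/ && User-Name !~ /^.*\@cardiffmet.ac.uk/)) { packetfence }
EAP_TTLS, EAP_PEAP = 21, 25
HAS_REALM = re.compile(r'^.*@.+')
# Exactly as posted: the dots are unescaped and there is no end anchor.
HOME_REALM_UNLANG = re.compile(r'^.*@cardiffmet.ac.uk')

# Check from getNormalVlan in vlan/custom.pm: dots escaped, anchored at both
# ends, case-insensitive.
HOME_REALM_PERL = re.compile(r'^.+cardiffmet\.ac\.uk$', re.I)


def calls_packetfence(eap_type, user_name):
    """True when the posted unlang condition would call the packetfence module."""
    name = user_name or ''
    if eap_type is None:                       # !EAP-Type
        return True
    if eap_type not in (EAP_TTLS, EAP_PEAP):   # EAP-Type != 21 && EAP-Type != 25
        return True
    # Has a realm, and the realm is not the home one (per the unescaped regex).
    return bool(HAS_REALM.match(name)) and not HOME_REALM_UNLANG.match(name)


def normal_vlan(pid):
    """VLAN name the posted getNormalVlan would return for this pid."""
    if pid is not None and HOME_REALM_PERL.match(pid):
        return 'eduroam_local'
    return 'eduroam_visitors'


def classify(eap_type, user_name):
    """Run both checks for one request: (calls packetfence?, VLAN name)."""
    return calls_packetfence(eap_type, user_name), normal_vlan(user_name)


def disagreements(requests):
    """Return the requests where the unlang check treats the user as 'home'
    (packetfence not called) but the Perl check sends them to the visitor VLAN."""
    return [(eap, name) for eap, name in requests
            if classify(eap, name) == (False, 'eduroam_visitors') and '@' in (name or '')]


SAMPLE_REQUESTS = [  # constructed sample (EAP-Type, User-Name) pairs
    (EAP_PEAP, 'alice@cardiffmet.ac.uk'),        # home user, PEAP
    (EAP_TTLS, 'bob@otheruni.example'),          # visiting user, TTLS
    (EAP_PEAP, 'localuser'),                     # no realm at all
    (13, 'alice@cardiffmet.ac.uk'),              # EAP-TLS: always goes to packetfence
    (EAP_PEAP, 'mallory@cardiffmetXac.uk'),      # unescaped '.' in unlang matches the X
    (EAP_PEAP, 'eve@cardiffmet.ac.uk.example'),  # no '$' in unlang: longer realm still matches
]

if __name__ == '__main__':
    for eap, name in SAMPLE_REQUESTS:
        pf, vlan = classify(eap, name)
        print(f'EAP-Type={eap!s:>4}  {name:32}  packetfence={pf!s:5}  vlan={vlan}')
    print('disagree:', disagreements(SAMPLE_REQUESTS))
```

The last two sample names are the ones to look at: the unlang regex accepts them as home realm (so packetfence is skipped), while the Perl check in custom.pm correctly puts them in the visitor VLAN. Anchoring the unlang regex with `$` and escaping the dots, as the Perl version already does, makes the two checks agree.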
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users