Hello Andi,
It doesn't look like a freeradius issue but a PacketFence issue.
Which version are you running?
Another thing: in your custom code you are returning just the vlan id, but
you must return the vlan_id and the role_name:
return ($vlan, $role);
Regards
Fabrice
On 2014-05-16 07:37, Morris, Andi wrote:
Hi,
I've narrowed this down to the packetfence call in the post-auth
section of sites-enabled/packetfence-tunnel. If I comment this out the
authentication and authorization works in both normal and debugging
modes. With it in, it fails in debug and works in normal.
Any tips?
Cheers,
Andi
*From:* Morris, Andi [mailto:[email protected]]
*Sent:* 15 May 2014 15:07
*To:* [email protected]
*Subject:* [PacketFence-users] radius auth not working in debug mode,
but working in standard mode
Hi all,
Quite a weird one here I think.
I had my packetfence setup working with the default freeradius
snakeoil certificates, and have come to the point where I'm trying to
configure the more secure method. I have followed the steps at Alan
Dekok's
http://deployingradius.com/documents/configuration/certificates.html
site, and once I deploy the new root certificate to the client
everything works fine. However, when I run the radius server in debug
mode it doesn't work.
The only error that I can see in the debug output is:
rlm_perl: An error occurred while processing the authorize SOAP
request: syntax error at line 1, column 61, byte 61 at
/usr/lib64/perl5/vendor_perl/XML/Parser.pm line 187.
And the request seems to get rejected shortly after that.
The certificates were created by editing the ca.cnf and server.cnf in
/usr/local/pf/raddb/certs and then running 'make'. Once this was
complete I decrypted the passwords to stop freeradius asking for the
private key password each time the service was started, and then
copied them to /usr/local/pf/conf/ssl. Once in there I edited
/usr/local/pf/conf/radiusd/eap.conf and changed the below lines to
reflect my new certificates:
private_key_file = %%install_dir%%/conf/ssl/pfenceha.key
certificate_file = %%install_dir%%/conf/ssl/pfenceha.crt
It's all very confusing that it works with no issue when in normal
running mode. Debug mode is started using the following command:
radiusd -X -d /usr/local/pf/raddb
The only thing I can think is that when a /usr/local/pf/bin/pfcmd
service radiusd stop is performed it unloads some of the config that
packetfence inserts before radius is started. Is this right? If so, is
there a way to run radius in debug mode taking into account the
various packetfence config files?
I've attached a sanitised debug output. For reference I'm running
version 4.1.0, and have the eduroam config as explained in the 4.2
admin guide, with a slight tweak on the /sites-enabled/packetfence
virtual server so that I can see what visiting users are on my network
also:
post-auth {
    exec
    if (!EAP-Type || (EAP-Type != 21 && EAP-Type != 25) ||
        (User-Name =~ /^.*\@.+/ && User-Name !~ /^.*\@cardiffmet.ac.uk/)) {
        packetfence
    }
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
I also have a section in my vlan/custom.pm file to separate my
visiting users from home users into separate vlans:
sub getNormalVlan {
    my ($this, $switch, $ifIndex, $mac, $node_info, $connection_type,
        $user_name, $ssid) = @_;
    my $logger = Log::Log4perl->get_logger(__PACKAGE__);
    if (defined($node_info->{pid}) &&
        $node_info->{pid} =~ /^.+cardiffmet\.ac\.uk$/i) {
        return $switch->getVlanByName('eduroam_local');
    }
    else {
        return $switch->getVlanByName('eduroam_visitors');
    }
}
To add further insult to injury, this all works perfectly well on my
development server, running the same versions, and as far as I can see
the same configuration.
Can anybody help please?
Cheers,
Andi
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
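
The two-value return described in the reply above, as an added example that is not part of the original thread and not PacketFence's own code. StubSwitch, the VLAN ids and the sample nodes are constructed, and using the VLAN name as the role name is an assumption.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for the PacketFence switch object. Only
# getVlanByName (the method used in the thread) is stubbed, and the
# VLAN ids are constructed.
package StubSwitch;
my %VLANS = (eduroam_local => 110, eduroam_visitors => 120);
sub new           { return bless {}, shift }
sub getVlanByName { my ($self, $name) = @_; return $VLANS{$name} }

package main;

# Same decision as the posted getNormalVlan, but returning the list
# (vlan_id, role_name). Assumption: the role name is the same string
# that is passed to getVlanByName.
sub getNormalVlan {
    my ($this, $switch, $ifIndex, $mac, $node_info, $connection_type,
        $user_name, $ssid) = @_;
    my $pid  = defined $node_info ? $node_info->{pid} : undef;
    my $role = (defined $pid && $pid =~ /^.+cardiffmet\.ac\.uk$/i)
        ? 'eduroam_local'
        : 'eduroam_visitors';
    return ($switch->getVlanByName($role), $role);
}

my $switch = StubSwitch->new;

# Constructed sample nodes: a home user, a visitor, and a node with no pid.
for my $pid ('alice@cardiffmet.ac.uk', 'bob@example.org', undef) {
    my ($vlan, $role) = getNormalVlan(undef, $switch, 1, '00:11:22:33:44:55',
        { pid => $pid }, 'Wireless-802.11-EAP', $pid, 'eduroam');
    printf "%-24s vlan=%s role=%s\n", $pid // '(no pid)', $vlan, $role;
}

# For contrast: a caller that unpacks two values from the single-value
# return in the original post gets an undefined role.
my ($vlan_only, $no_role) = ($switch->getVlanByName('eduroam_local'));
printf "single-value return: vlan=%s role=%s\n",
    $vlan_only, defined $no_role ? $no_role : 'undef';
```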