> Does loading in debug mode read different elements of the PF config at all?
Since PacketFence manages FreeRADIUS, we have templates in the PacketFence files
(/usr/local/pf/conf/radiusd) that are being used to generate the actual
FreeRADIUS configuration files (/usr/local/pf/raddb).
The files that we provide templates for are the following:
- eap.conf
- radiusd.conf
- sql.conf
When you are modifying configurations, where are you doing your modifications?
Also, which files are you modifying?
When running RADIUS in debug (using radiusd -X -d /usr/local/pf/raddb), that
actually reads the already generated files (/usr/local/pf/raddb). Those files
will be overwritten on next PacketFence restart.
The good way to make modifications to those files would be to modify the
template (/usr/local/pf/conf/radiusd), restart PacketFence to generate new
files using the templates, shut down radius and restart it using debug to use
the newly generated files.
Please let me know how you proceed.
Thanks
Derek
--
Derek Wuelfrath
[email protected] :: www.inverse.ca
+1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
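
The template-versus-generated-file distinction described above, as an added example that is not part of the original message or of PacketFence's own tooling: a shell check that the generated raddb/eap.conf still carries the certificate paths set in the template before radiusd is started in debug mode. The function names, the `--demo` flag and the sample files are constructed for illustration, and the script assumes `%%install_dir%%` expands to /usr/local/pf.

```shell
#!/bin/sh
# Added example: flag directives in a generated raddb file that differ from
# what the PacketFence template would produce (stale files for "radiusd -X").
# Assumption: %%install_dir%% is the only placeholder on the compared lines.
PF_DIR="${PF_DIR:-/usr/local/pf}"

# directive_value FILE KEY: print the value of the first uncommented "KEY = value".
directive_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_generated TEMPLATE GENERATED KEY...: returns 0 if all KEYs match, else 1.
check_generated() {
    tpl=$1; gen=$2; shift 2; rc=0
    for key in "$@"; do
        want=$(directive_value "$tpl" "$key" | sed "s|%%install_dir%%|$PF_DIR|g")
        have=$(directive_value "$gen" "$key")
        if [ "$want" != "$have" ]; then
            echo "STALE $key: template=$want generated=$have"
            rc=1
        fi
    done
    return "$rc"
}

# make_sample DIR: write constructed sample files (not real PacketFence output).
make_sample() {
    mkdir -p "$1/conf/radiusd" "$1/raddb"
    cat > "$1/conf/radiusd/eap.conf" <<'EOF'
    tls {
        private_key_file = %%install_dir%%/conf/ssl/pfenceha.key
        certificate_file = %%install_dir%%/conf/ssl/pfenceha.crt
    }
EOF
    cat > "$1/raddb/eap.conf" <<'EOF'
    tls {
        private_key_file = /usr/local/pf/conf/ssl/pfenceha.key
        certificate_file = /usr/local/pf/conf/ssl/server.crt
    }
EOF
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_sample "$d"
    check_generated "$d/conf/radiusd/eap.conf" "$d/raddb/eap.conf" \
        private_key_file certificate_file
    rm -rf "$d"
fi
```

A STALE line means the files under raddb have not been regenerated since the template changed, so PacketFence needs a restart before radiusd is stopped and started again in debug mode.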
On May 16, 2014, at 10:46 AM, Morris, Andi <[email protected]> wrote:
> Actually, adding that stops the authentication working at all, so I’ve put it
> back for now, just until I find the cause of this issue.
>
> When I started the thread I said that the problem occurred once I deployed
> the self-signed certificates, but that must have been just that I hadn’t
> tried this in debug mode at that point, as I have just reset to the original
> certificates created during the packetfence setup and the same syntax error
> is happening there.
>
> I just don’t understand why debug mode kills it. I agree that this is
> definitely something packetfence related as commenting out packetfence in the
> post-auth section of the tunnel resolves it. Does loading in debug mode read
> different elements of the PF config at all?
>
> Cheers,
> Andi
>
> From: Morris, Andi [mailto:[email protected]]
> Sent: 16 May 2014 14:29
> To: '[email protected]'
> Subject: Re: [PacketFence-users] radius auth not working in debug mode, but
> working in standard mode
>
> Thanks.
>
> I’ve implemented that, but still getting the same syntax error on the SOAP
> request.
>
> Cheers,
> Andi
>
> From: Fabrice DURAND [mailto:[email protected]]
> Sent: 16 May 2014 13:53
> To: [email protected]
> Subject: Re: [PacketFence-users] radius auth not working in debug mode, but
> working in standard mode
>
> Something like that:
>
> if (defined($node_info->{pid}) && $node_info->{pid} =~ /^.+cardiffmet\.ac\.uk$/i) {
>     return ($switch->getVlanByName('eduroam_local'), 'eduroam_local');
> }
> else {
>     return ($switch->getVlanByName('eduroam_visitors'), 'eduroam_visitors');
> }
>
> On 2014-05-16 08:48, Morris, Andi wrote:
> Hi Fabrice,
> Yes I agree. I can’t work out why it works on my dev setup, but not my live.
>
> I’m running version 4.1.0 in both environments.
>
> I’m not sure how to implement your advice for the custom script, I’m
> sorry.
> I have:
> if (defined($node_info->{pid}) && $node_info->{pid} =~ /^.+cardiffmet\.ac\.uk$/i) {
>     return $switch->getVlanByName('eduroam_local');
> }
> else {
>     return $switch->getVlanByName('eduroam_visitors');
> }
>
> Cheers,
> Andi
>
>
> From: Fabrice DURAND [mailto:[email protected]]
> Sent: 16 May 2014 13:01
> To: [email protected]
> Subject: Re: [PacketFence-users] radius auth not working in debug mode, but
> working in standard mode
>
> Hello Andi,
>
> It doesn't look like a freeradius issue but a PacketFence issue.
>
> Which version are you running?
>
> Other thing, in your custom code you are returning just the vlan id but you
> must return the vlan_id and the role_name:
>
> return ($vlan, $role);
>
> Regards
> Fabrice
>
>
> On 2014-05-16 07:37, Morris, Andi wrote:
> Hi,
> I’ve narrowed this down to the packetfence call in the post-auth section of
> sites-enabled/packetfence-tunnel. If I comment this out the authentication
> and authorization works in both normal and debugging modes. With it in, it
> fails in debug and works in normal.
>
> Any tips?
>
> Cheers,
> Andi
>
> From: Morris, Andi [mailto:[email protected]]
> Sent: 15 May 2014 15:07
> To: [email protected]
> Subject: [PacketFence-users] radius auth not working in debug mode, but
> working in standard mode
>
> Hi all,
> Quite a weird one here I think.
> I had my packetfence setup working with the default freeradius snakeoil
> certificates, and have come to the point where I’m trying to configure the
> more secure method. I have followed the steps at Alan
> Dekok’s http://deployingradius.com/documents/configuration/certificates.html
> site, and once I deploy the new root certificate to the client everything
> works fine. However, when I run the radius server in debug mode it doesn’t
> work.
>
> The only error that I can see in the debug output is:
> rlm_perl: An error occurred while processing the authorize SOAP request:
> syntax error at line 1, column 61, byte 61 at
> /usr/lib64/perl5/vendor_perl/XML/Parser.pm line 187.
>
> And the request seems to get rejected shortly after that.
>
> The certificates were created by editing the ca.cnf and server.cnf in
> /usr/local/pf/raddb/certs and then running ‘make’. Once this was complete I
> decrypted the passwords to stop freeradius asking for the private key
> password each time the service was started, and then copied them to
> /usr/local/pf/conf/ssl. Once in there I edited
> /usr/local/pf/conf/radiusd/eap.conf and changed the below lines to reflect my
> new certificates:
> private_key_file = %%install_dir%%/conf/ssl/pfenceha.key
> certificate_file = %%install_dir%%/conf/ssl/pfenceha.crt
>
> It’s all very confusing that it works with no issue when in normal running
> mode. Debug mode is started using the following command:
> radiusd -X -d /usr/local/pf/raddb
>
> The only thing I can think is that when a /usr/local/pf/bin/pfcmd service
> radiusd stop is performed it deloads some of the config that packetfence
> inserts before radius is started. Is this right? If so, is there a way to run
> radius in debug mode taking into account the various packetfence config files?
>
> I’ve attached a sanitised debug output. For reference I’m running version
> 4.1.0, and have the eduroam config as explained in the 4.2 admin guide, with
> a slight tweak on the /sites-enabled/packetfence virtual server so that I can
> see what visiting users are on my network also:
> post-auth {
>     exec
>     if (!EAP-Type || (EAP-Type != 21 && EAP-Type != 25) || (User-Name =~ /^.*\@.+/ && User-Name !~ /^.*\@cardiffmet.ac.uk/)) {
>         packetfence
>     }
>
>     Post-Auth-Type REJECT {
>         attr_filter.access_reject
>     }
> }
>
> I also have a section in my vlan/custom.pm file to separate my visiting users
> from home users into separate vlans:
> sub getNormalVlan {
>     my ($this, $switch, $ifIndex, $mac, $node_info, $connection_type, $user_name, $ssid) = @_;
>     my $logger = Log::Log4perl->get_logger(__PACKAGE__);
>     if (defined($node_info->{pid}) && $node_info->{pid} =~ /^.+cardiffmet\.ac\.uk$/i) {
>         return $switch->getVlanByName('eduroam_local');
>     }
>     else {
>         return $switch->getVlanByName('eduroam_visitors');
>     }
> }
>
> To add further insult to injury, this all works perfectly well on my
> development server, running the same versions, and as far as I can see the
> same configuration.
>
> Can anybody help please?
>
> Cheers,
> Andi
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
> --
> Fabrice Durand
> [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
> (http://packetfence.org)