Hey all,
I'm trying to implement a health check that verifies the RADIUS service is running on
my server; however, the radtest request is being rejected by the post-auth
section of the packetfence virtual server:
# post-auth section of the "packetfence" virtual server (sites-enabled/packetfence).
# Runs after Auth-Type has accepted the request (see "Auth-Type = Accept" in the
# trace below); a reject returned from here turns the reply into an Access-Reject.
post-auth {
	# Returned noop for the radtest request in the trace below.
	exec
	# skip packetfence if we have already treated it in the inner-tunnel
	# A non-EAP request (radtest's PAP Access-Request carries no EAP-Message, so
	# !EAP-Type evaluates TRUE) takes this branch and runs the module here.
	if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) {
		# Tell the module how to reach the PacketFence RPC endpoint.
		# NOTE(review): in the trace below PacketFence-RPC-User and -Pass are
		# passed to rlm_perl as empty strings, and the endpoint is plain http on
		# 127.0.0.1:9090. That is tolerable on loopback only; confirm that
		# ${rpc_user}/${rpc_pass} are actually set if the endpoint can be reached
		# from anywhere other than this host.
		update control {
			PacketFence-RPC-Server = ${rpc_host}
			PacketFence-RPC-Port = ${rpc_port}
			PacketFence-RPC-User = ${rpc_user}
			PacketFence-RPC-Pass = ${rpc_pass}
			PacketFence-RPC-Proto = ${rpc_proto}
		}
		# In the trace below this returns reject for the radtest request after
		# logging "MAC address is empty or invalid in this request" — presumably
		# it derives the MAC from Calling-Station-Id, which radtest does not send;
		# confirm against the module source before relying on that.
		packetfence
	}
	# Entered for rejected requests; attr_filter.access_reject presumably strips
	# the reply down to attributes permitted in an Access-Reject (the reject
	# radtest received above is a bare 20-byte header with no attributes).
	Post-Auth-Type REJECT {
		attr_filter.access_reject
	}
}
[root@hallsnac03 ~]# radtest testuser testtest 10.1.3.12 12 testing123
Sending Access-Request of id 142 to 10.1.3.12 port 1812
User-Name = "testuser"
User-Password = "testtest"
NAS-IP-Address = 10.1.3.7
NAS-Port = 12
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 10.1.3.12 port 1812, id=142, length=20
Listening on authentication address 10.1.3.12 port 1812 as server packetfence
Listening on accounting address 10.1.3.12 port 1813 as server packetfence
Listening on command file /usr/local/pf/var/run/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address 10.1.3.12 port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.1.3.12 port 35154, id=255,
length=81
User-Name = "testuser"
User-Password = "testtest"
NAS-IP-Address = 10.1.3.12
NAS-Port = 12
Message-Authenticator = 0xe1ad4673558e31c9b9da8116047710dd
server packetfence {
# Executing section authorize from file
/usr/local/pf/raddb//sites-enabled/packetfence
+group authorize {
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++[preprocess] = ok
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry DEFAULT at line 1
++[files] = ok
++[expiration] = noop
++[logintime] = noop
++update request {
expand: %{Packet-Src-IP-Address} -> 10.1.3.12
++} # update request = noop
++update control {
++} # update control = noop
rlm_perl: Added pair User-Name = testuser
rlm_perl: Added pair User-Password = testtest
rlm_perl: Added pair NAS-Port = 12
rlm_perl: Added pair NAS-IP-Address = 10.1.3.12
rlm_perl: Added pair FreeRADIUS-Client-IP-Address = 10.1.3.12
rlm_perl: Added pair Message-Authenticator = 0xe1ad4673558e31c9b9da8116047710dd
rlm_perl: Added pair PacketFence-RPC-Pass =
rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
rlm_perl: Added pair PacketFence-RPC-Proto = http
rlm_perl: Added pair PacketFence-RPC-User =
rlm_perl: Added pair Auth-Type = Accept
rlm_perl: Added pair PacketFence-RPC-Port = 9090
++[packetfence] = noop
+} # group authorize = ok
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Login OK: [testuser] (from client 10.1.3.12 port 12)
} # server packetfence
# Executing section post-auth from file
/usr/local/pf/raddb//sites-enabled/packetfence
+group post-auth {
++[exec] = noop
++? if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP))
? Evaluating !(EAP-Type ) -> TRUE
?? Skipping (EAP-Type != EAP-TTLS )
?? Skipping (EAP-Type != PEAP)
++? if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) -> TRUE
++if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) {
+++update control {
+++} # update control = noop
rlm_perl: MAC address is empty or invalid in this request. It could be normal
on certain radius calls
rlm_perl: Added pair User-Name = testuser
rlm_perl: Added pair User-Password = testtest
rlm_perl: Added pair NAS-IP-Address = 10.1.3.12
rlm_perl: Added pair NAS-Port = 12
rlm_perl: Added pair Message-Authenticator = 0xe1ad4673558e31c9b9da8116047710dd
rlm_perl: Added pair FreeRADIUS-Client-IP-Address = 10.1.3.12
rlm_perl: Added pair PacketFence-RPC-Pass =
rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
rlm_perl: Added pair PacketFence-RPC-User =
rlm_perl: Added pair PacketFence-RPC-Proto = http
rlm_perl: Added pair Auth-Type = Accept
rlm_perl: Added pair PacketFence-RPC-Port = 9090
+++[packetfence] = reject
++} # if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) = reject
+} # group post-auth = reject
Sending Access-Reject of id 255 to 10.1.3.12 port 35154
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
I'm using this in an HA environment, so I've added the PacketFence VIP address as
a client in /raddb/clients.conf, as suggested in
/usr/local/pf/addons/watchdog/freeradius-watchdog.sh. (That client entry should
carry its own non-default shared secret rather than the `testing123` used on
the radtest line above, which is the FreeRADIUS sample value.)
Does something need to change in the watchdog script, or in the packetfence virtual
server? I'm running PacketFence 4.3.0 on Red Hat, using DRBD and heartbeat for HA.
Cheers,
Andi