Hi Andi,
This may look like a dumb question, but does it matter if the request is
rejected?
What I mean is that if you are only trying to ascertain that the service is
running and replying, the fact that it replies is good enough.
Otherwise, just send an actual MAC instead of 'testuser' and 'testtest'.
:-)
Regards,
--
Louis Munro
lmu...@inverse.ca :: www.inverse.ca
+1.514.447.4918 *125 :: +1 (866) 353-6153
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
On 2014-08-06, at 7:14 , "Morris, Andi" <amor...@cardiffmet.ac.uk> wrote:
> Hey all,
> I’m trying to implement a check to make sure the radius service is running on
> my server, however I’m finding that the radtest gets rejected by the
> post-auth checks inside the packetfence virtual server:
>
> post-auth {
>     exec
>     # skip packetfence if we have already treated it in the inner-tunnel
>     if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) {
>         update control {
>             PacketFence-RPC-Server = ${rpc_host}
>             PacketFence-RPC-Port = ${rpc_port}
>             PacketFence-RPC-User = ${rpc_user}
>             PacketFence-RPC-Pass = ${rpc_pass}
>             PacketFence-RPC-Proto = ${rpc_proto}
>         }
>         packetfence
>     }
>     Post-Auth-Type REJECT {
>         attr_filter.access_reject
>     }
> }
>
> [root@hallsnac03 ~]# radtest testuser testtest 10.1.3.12 12 testing123
> Sending Access-Request of id 142 to 10.1.3.12 port 1812
> User-Name = "testuser"
> User-Password = "testtest"
> NAS-IP-Address = 10.1.3.7
> NAS-Port = 12
> Message-Authenticator = 0x00000000000000000000000000000000
> rad_recv: Access-Reject packet from host 10.1.3.12 port 1812, id=142, length=20
>
> Listening on authentication address 10.1.3.12 port 1812 as server packetfence
> Listening on accounting address 10.1.3.12 port 1813 as server packetfence
> Listening on command file /usr/local/pf/var/run/radiusd.sock
> Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
> Listening on proxy address 10.1.3.12 port 1814
> Ready to process requests.
> rad_recv: Access-Request packet from host 10.1.3.12 port 35154, id=255, length=81
> User-Name = "testuser"
> User-Password = "testtest"
> NAS-IP-Address = 10.1.3.12
> NAS-Port = 12
> Message-Authenticator = 0xe1ad4673558e31c9b9da8116047710dd
> server packetfence {
> # Executing section authorize from file /usr/local/pf/raddb//sites-enabled/packetfence
> +group authorize {
> [suffix] No '@' in User-Name = "testuser", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] = noop
> ++[preprocess] = ok
> [eap] No EAP-Message, not doing EAP
> ++[eap] = noop
> [files] users: Matched entry DEFAULT at line 1
> ++[files] = ok
> ++[expiration] = noop
> ++[logintime] = noop
> ++update request {
> expand: %{Packet-Src-IP-Address} -> 10.1.3.12
> ++} # update request = noop
> ++update control {
> ++} # update control = noop
> rlm_perl: Added pair User-Name = testuser
> rlm_perl: Added pair User-Password = testtest
> rlm_perl: Added pair NAS-Port = 12
> rlm_perl: Added pair NAS-IP-Address = 10.1.3.12
> rlm_perl: Added pair FreeRADIUS-Client-IP-Address = 10.1.3.12
> rlm_perl: Added pair Message-Authenticator = 0xe1ad4673558e31c9b9da8116047710dd
> rlm_perl: Added pair PacketFence-RPC-Pass =
> rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
> rlm_perl: Added pair PacketFence-RPC-Proto = http
> rlm_perl: Added pair PacketFence-RPC-User =
> rlm_perl: Added pair Auth-Type = Accept
> rlm_perl: Added pair PacketFence-RPC-Port = 9090
> ++[packetfence] = noop
> +} # group authorize = ok
> Found Auth-Type = Accept
> Auth-Type = Accept, accepting the user
> Login OK: [testuser] (from client 10.1.3.12 port 12)
> } # server packetfence
> # Executing section post-auth from file /usr/local/pf/raddb//sites-enabled/packetfence
> +group post-auth {
> ++[exec] = noop
> ++? if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP))
> ? Evaluating !(EAP-Type ) -> TRUE
> ?? Skipping (EAP-Type != EAP-TTLS )
> ?? Skipping (EAP-Type != PEAP)
> ++? if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) -> TRUE
> ++if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) {
> +++update control {
> +++} # update control = noop
> rlm_perl: MAC address is empty or invalid in this request. It could be normal on certain radius calls
> rlm_perl: Added pair User-Name = testuser
> rlm_perl: Added pair User-Password = testtest
> rlm_perl: Added pair NAS-IP-Address = 10.1.3.12
> rlm_perl: Added pair NAS-Port = 12
> rlm_perl: Added pair Message-Authenticator = 0xe1ad4673558e31c9b9da8116047710dd
> rlm_perl: Added pair FreeRADIUS-Client-IP-Address = 10.1.3.12
> rlm_perl: Added pair PacketFence-RPC-Pass =
> rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
> rlm_perl: Added pair PacketFence-RPC-User =
> rlm_perl: Added pair PacketFence-RPC-Proto = http
> rlm_perl: Added pair Auth-Type = Accept
> rlm_perl: Added pair PacketFence-RPC-Port = 9090
> +++[packetfence] = reject
> ++} # if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) = reject
> +} # group post-auth = reject
> Sending Access-Reject of id 255 to 10.1.3.12 port 35154
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
>
> I’m using this in a HA environment so I’ve added the PacketFence VIP address
> to the /raddb/clients.conf file as suggested in the
> /usr/local/pf/addons/watchdog/freeradius-watchdog.sh file.
>
> Does something need changing in the watchdog script, or the packetfence
> virtual server? I’m running 4.3.0 on Redhat using DRBD and heartbeat for HA.
>
> Cheers,
> Andi
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
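
The liveness check discussed in this thread, as an added example that is not part of the original messages or of PacketFence's freeradius-watchdog.sh: any reply to radtest, Access-Accept or Access-Reject, counts as "radiusd is up", and only a missing reply is a failure. The function names, the sample outputs (constructed, the first from the radtest run quoted above) and the "Received Access-..." line form for newer FreeRADIUS releases are assumptions.

```shell
#!/bin/sh
# Added example: RADIUS liveness probe that treats a reject as a healthy reply.

# Constructed sample outputs, so the classifier can be exercised offline.
SAMPLE_REJECT='Sending Access-Request of id 142 to 10.1.3.12 port 1812
rad_recv: Access-Reject packet from host 10.1.3.12 port 1812, id=142, length=20'
SAMPLE_NO_REPLY='Sending Access-Request of id 142 to 10.1.3.12 port 1812
radclient: no response from server for ID 142 socket 3'

# Read radtest output on stdin.
# Prints "accept", "reject" or "no-reply"; returns 0 only if the server answered.
classify_radtest_output() {
    out=$(cat)
    # Match the reply line only, never the "Sending Access-Request" line.
    if printf '%s\n' "$out" |
        grep -Eq '^[[:space:]]*(rad_recv:|Received) Access-Accept'; then
        echo accept
        return 0
    fi
    if printf '%s\n' "$out" |
        grep -Eq '^[[:space:]]*(rad_recv:|Received) Access-Reject'; then
        echo reject
        return 0
    fi
    echo no-reply
    return 1
}

# check_radius HOST SECRET [USER] [PASSWORD]
# Runs radtest with the same argument order as in the thread (NAS port 12).
# USER defaults to the thread's test account; pass a MAC address known to
# PacketFence instead if the check should also get past the post-auth module.
check_radius() {
    radtest "${3:-testuser}" "${4:-testtest}" "$1" 12 "$2" 2>&1 |
        classify_radtest_output
}

# Offline demonstration on the constructed sample; prints "reject".
printf '%s\n' "$SAMPLE_REJECT" | classify_radtest_output
```

A watchdog would call `check_radius 10.1.3.12 testing123` and act only on a non-zero exit status. A reject confirms that radiusd is listening and answered this client; it does not show that a real device would be authorized.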