Hi!
I'm using PacketFence 9.0.1, and I'm getting an auth reject for IP
Phones that are re-authenticating using MAB. The first authentication
goes without any problems, but the next re-auth is rejected.
The RADIUS log shows:
User-Name = "24d9214bbc39"
User-Password = "******"
NAS-IP-Address = 172.x.x.x
NAS-Port = 50126
Service-Type = Call-Check
Framed-MTU = 1500
Called-Station-Id = "f0:9e:63:39:93:1a"
Calling-Station-Id = "24:d9:21:4b:bc:39"
Calling-Station-Id = "24-D9-21-4B-BC-39"
NAS-Port-Type = Ethernet
Event-Timestamp = "Dec 17 2019 05:10:59 -03"
Message-Authenticator = 0xf8a9bd5438e6df255a886aa1bb71e2d5
NAS-Port-Id = "GigabitEthernet1/0/26"
Cisco-AVPair = "audit-session-id=AC10746800005B10FBBDA5B9"
Cisco-NAS-Port = "GigabitEthernet1/0/26"
Stripped-User-Name = "24d9214bbc39"
Realm = "null"
FreeRADIUS-Client-IP-Address = 172.x.x.x
Module-Failure-Message = "rest: Server returned:"
Module-Failure-Message = "rest:
{\"control:PacketFence-Authorization-Status\":\"allow\",\"Reply-Message\":\"Authentication
failed on PacketFence\"}"
SQL-User-Name = "24d9214bbc39"
This is an Avaya IP Phone. Dot1X authentication works without any
problems, with Windows machines. I think that I'm hitting the same bug
as this thread:
https://marc.info/?l=packetfence-users&m=154954294209777&w=2
As you can see on the RADIUS log, the "Calling-Station-Id" is
duplicated. The Avaya phone is connected to a Cisco Switch:
Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version
12.2(55)SE8, RELEASE SOFTWARE (fc2)
Is there any way to override/fix this problem without updating IOS on
the switch? I've tried to implement the patch that was posted on the
thread that I've found, but it didn't work (patched API.PM only, as
the other 2 files seem to be already patched in 9.0.1), but got a start
error on the web server.
[root@packetfence-01 pf]# diff api.pm api-fix-not.pm
1369c1369,1376
< if
(pf::util::valid_mac($remapped_radius_request{'Calling-Station-Id'})) {
---
> ## if
(pf::util::valid_mac($remapped_radius_request{'Calling-Station-Id'})) {
> if (ref($remapped_radius_request{'Calling-Station-Id'})) eq
'ARRAY') {
> foreach my $callingStationId
(@{$remapped_radius_request{'Calling-Station-Id'}}) {
> if (pf::util::valid_mac($callingStationId)) {
> $return =
$class->radius_authorize(%remapped_radius_request);
> }
> }
> } elsif
(pf::util::valid_mac($remapped_radius_request{'Calling-Station-Id'})) {
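Review bot: the added line "if (ref($remapped_radius_request{'Calling-Station-Id'})) eq 'ARRAY') {" has one closing parenthesis too many after the ref(...) call, so the condition ends before "eq 'ARRAY'" and the file cannot compile; it should read "if (ref($remapped_radius_request{'Calling-Station-Id'}) eq 'ARRAY') {". Inside the foreach, radius_authorize is called once for every valid entry and is still passed the whole array in %remapped_radius_request, so two copies of the same MAC would trigger two authorizations; assign $callingStationId back into the hash and leave the loop with "last" after the first valid MAC.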
1371c1378
< } else {
---
> } else {
Got these errors on the web server:
Dec 17 04:57:05 packetfence-01 pfqueue: pfqueue(6277) WARN:
[mac:[undef]] "my" variable %remapped_radius_request masks earlier
declaration in same scope at /usr/local/pf/lib/pf/api.pm line 1371.
(main::BEGIN)
Dec 17 04:57:05 packetfence-01 pfqueue: "my" variable
%remapped_radius_request masks earlier declaration in same scope at
/usr/local/pf/lib/pf/api.pm line 1371.
Dec 17 04:57:05 packetfence-01 pfqueue: BEGIN not safe after
errors--compilation aborted at /usr/local/pf/lib/pf/api.pm line 1371.
Dec 17 04:57:05 packetfence-01 pfqueue: Compilation failed in require at
/usr/local/pf/sbin/pfqueue line 47.
Dec 17 04:57:05 packetfence-01 pfqueue: BEGIN failed--compilation
aborted at /usr/local/pf/sbin/pfqueue line 47.
Thanks a lot for your help!!!
regards,
Francisco.
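
Added example, not part of the original post and not PacketFence code: a stand-alone Perl sketch of collapsing a Calling-Station-Id that arrives either as a scalar or as an array of duplicates (as in the RADIUS log above) into one canonical MAC before authorization. The helper names normalize_mac and single_calling_station_id are hypothetical, and rejecting conflicting values is an assumption made here so that a request naming two different stations is never accepted as either.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not a PacketFence function): reduce a MAC in any common
# notation to 12 lowercase hex digits; returns undef if the value is not a MAC.
sub normalize_mac {
    my ($value) = @_;
    return unless defined $value && !ref $value;
    (my $hex = lc $value) =~ s/[:.\-]//g;
    return $hex =~ /\A[0-9a-f]{12}\z/ ? $hex : undef;
}

# Hypothetical helper: accept a scalar or an array ref and return one MAC in
# colon notation. Dies when no value is a MAC or when the values disagree.
sub single_calling_station_id {
    my ($attr) = @_;
    my @values = ref($attr) eq 'ARRAY' ? @$attr : ($attr);
    my %seen;
    for my $v (@values) {
        my $mac = normalize_mac($v);
        $seen{$mac} = 1 if defined $mac;
    }
    my @macs = sort keys %seen;
    die "no valid MAC in Calling-Station-Id\n" unless @macs;
    die "conflicting Calling-Station-Id values: @macs\n" if @macs > 1;
    return join ':', $macs[0] =~ /(..)/g;
}

# Constructed request reusing the attribute values shown in the RADIUS log.
my %request = (
    'User-Name'          => '24d9214bbc39',
    'Calling-Station-Id' => [ '24:d9:21:4b:bc:39', '24-D9-21-4B-BC-39' ],
);

# Replace the array with a single scalar so later code sees one station only.
$request{'Calling-Station-Id'} =
    single_calling_station_id($request{'Calling-Station-Id'});
print "Calling-Station-Id = $request{'Calling-Station-Id'}\n";
```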