Hi!
I'm using PacketFence 9.0.1, and I'm getting an auth reject for IP Phones
that are re-authenticating using MAB. The first authentication goes without
any problems, but the next re-auth is rejected.
The RADIUS log shows:
User-Name = "24d9214bbc39"
User-Password = "******"
NAS-IP-Address = 172.x.x.x
NAS-Port = 50126
Service-Type = Call-Check
Framed-MTU = 1500
Called-Station-Id = "f0:9e:63:39:93:1a"
Calling-Station-Id = "24:d9:21:4b:bc:39"
Calling-Station-Id = "24-D9-21-4B-BC-39"
NAS-Port-Type = Ethernet
Event-Timestamp = "Dec 17 2019 05:10:59 -03"
Message-Authenticator = 0xf8a9bd5438e6df255a886aa1bb71e2d5
NAS-Port-Id = "GigabitEthernet1/0/26"
Cisco-AVPair = "audit-session-id=AC10746800005B10FBBDA5B9"
Cisco-NAS-Port = "GigabitEthernet1/0/26"
Stripped-User-Name = "24d9214bbc39"
Realm = "null"
FreeRADIUS-Client-IP-Address = 172.x.x.x
Module-Failure-Message = "rest: Server returned:"
Module-Failure-Message = "rest: {\"control:PacketFence-Authorization-Status\":\"allow\",\"Reply-Message\":\"Authentication failed on PacketFence\"}"
SQL-User-Name = "24d9214bbc39"
This is an Avaya IP Phone. Dot1X authentication works without any problems,
with Windows machines. I think that I'm hitting the same bug as this
thread:
https://marc.info/?l=packetfence-users&m=154954294209777&w=2
As you can see in the RADIUS log, the "Calling-Station-Id" is duplicated.
The Avaya phone is connected to a Cisco Switch:
Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version
12.2(55)SE8, RELEASE SOFTWARE (fc2)
Is there any way to override/fix this problem without updating IOS on the
switch? I've tried to implement the patch that was posted on the thread
that I've found, but it didn't work (patched API.PM only, as the other 2
files seem to be already patched in 9.0.1), but got a start error on the
web server.
[root@packetfence-01 pf]# diff api.pm api-fix-not.pm
1369c1369,1376
< if
(pf::util::valid_mac($remapped_radius_request{'Calling-Station-Id'})) {
---
> ## if
(pf::util::valid_mac($remapped_radius_request{'Calling-Station-Id'})) {
> if (ref($remapped_radius_request{'Calling-Station-Id'})) eq 'ARRAY')
{
> foreach my $callingStationId
(@{$remapped_radius_request{'Calling-Station-Id'}}) {
> if (pf::util::valid_mac($callingStationId)) {
> $return =
$class->radius_authorize(%remapped_radius_request);
> }
> }
> } elsif
(pf::util::valid_mac($remapped_radius_request{'Calling-Station-Id'})) {
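Review bot: the added `if (ref($remapped_radius_request{'Calling-Station-Id'})) eq 'ARRAY')` line has one more closing parenthesis than opening ones, so the condition ends before `eq 'ARRAY'` and the statement is a syntax error; it should read `if (ref($remapped_radius_request{'Calling-Station-Id'}) eq 'ARRAY') {`. Inside the `foreach`, `$class->radius_authorize(%remapped_radius_request)` runs once per valid entry and still receives the array-valued Calling-Station-Id, so two copies of the same MAC mean two authorize calls with `$return` overwritten by the last one. Select the first valid value, assign it back to `$remapped_radius_request{'Calling-Station-Id'}`, and call `radius_authorize` once after the loop.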
1371c1378
< } else {
---
> } else {
Got these errors on the web server:
Dec 17 04:57:05 packetfence-01 pfqueue: pfqueue(6277) WARN: [mac:[undef]]
"my" variable %remapped_radius_request masks earlier declaration in same
scope at /usr/local/pf/lib/pf/api.pm line 1371.
(main::BEGIN)
Dec 17 04:57:05 packetfence-01 pfqueue: "my" variable
%remapped_radius_request masks earlier declaration in same scope at
/usr/local/pf/lib/pf/api.pm line 1371.
Dec 17 04:57:05 packetfence-01 pfqueue: BEGIN not safe after
errors--compilation aborted at /usr/local/pf/lib/pf/api.pm line 1371.
Dec 17 04:57:05 packetfence-01 pfqueue: Compilation failed in require at
/usr/local/pf/sbin/pfqueue line 47.
Dec 17 04:57:05 packetfence-01 pfqueue: BEGIN failed--compilation aborted
at /usr/local/pf/sbin/pfqueue line 47.
Thanks a lot for your help!!!
regards,
Francisco.
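An added example, not part of the original post and not PacketFence code: a Python script that parses an attribute dump like the one in the message, keeps every occurrence of a repeated attribute, and collapses a duplicated Calling-Station-Id to a single MAC only when all copies normalize to the same address. The function names and the sample dump are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the attribute dump in the post (not a real capture).
SAMPLE_LOG = '''\
User-Name = "24d9214bbc39"
Service-Type = Call-Check
Called-Station-Id = "f0:9e:63:39:93:1a"
Calling-Station-Id = "24:d9:21:4b:bc:39"
Calling-Station-Id = "24-D9-21-4B-BC-39"
NAS-Port-Type = Ethernet
'''

ATTR_RE = re.compile(r'^\s*([A-Za-z0-9:-]+)\s*=\s*(.*?)\s*$')

def parse_attributes(text):
    """Return {attribute: [values...]}, keeping every occurrence in order."""
    attrs = defaultdict(list)
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)].append(m.group(2).strip('"'))
    return dict(attrs)

def normalize_mac(value):
    """Lower-case colon form, or None if value is not a 48-bit MAC."""
    digits = re.sub(r'[:.\-]', '', value).lower()
    if not re.fullmatch(r'[0-9a-f]{12}', digits):
        return None
    return ':'.join(digits[i:i + 2] for i in range(0, 12, 2))

def resolve_calling_station(attrs):
    """Collapse repeated Calling-Station-Id values to one MAC.

    Returns (mac, status): 'single', 'duplicate-same', 'conflict',
    'invalid' or 'missing'. Only the first two yield a MAC.
    """
    values = attrs.get('Calling-Station-Id', [])
    if not values:
        return None, 'missing'
    macs = {normalize_mac(v) for v in values}
    if None in macs:
        return None, 'invalid'
    if len(macs) > 1:
        return None, 'conflict'
    return macs.pop(), 'single' if len(values) == 1 else 'duplicate-same'

if __name__ == '__main__':
    print(resolve_calling_station(parse_attributes(SAMPLE_LOG)))
```

Treating disagreeing copies as a conflict instead of picking one keeps the MAB identity unambiguous when a NAS sends the attribute more than once.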