Hello Francisco,
Can you provide the debug of the RADIUS request?
Like: raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3000
and paste the output.
Regards
Fabrice
On 19-12-18 at 16:55, Francisco Rivas via PacketFence-users wrote:
Hi!
I'm using PacketFence 9.0.1, and I'm getting an auth reject for IP
Phones that are re-authenticating using MAB. The first authentication
goes without any problems, but the next re-auth is rejected.
The RADIUS log shows:
User-Name = "24d9214bbc39"
User-Password = "******"
NAS-IP-Address = 172.x.x.x
NAS-Port = 50126
Service-Type = Call-Check
Framed-MTU = 1500
Called-Station-Id = "f0:9e:63:39:93:1a"
Calling-Station-Id = "24:d9:21:4b:bc:39"
Calling-Station-Id = "24-D9-21-4B-BC-39"
NAS-Port-Type = Ethernet
Event-Timestamp = "Dec 17 2019 05:10:59 -03"
Message-Authenticator = 0xf8a9bd5438e6df255a886aa1bb71e2d5
NAS-Port-Id = "GigabitEthernet1/0/26"
Cisco-AVPair = "audit-session-id=AC10746800005B10FBBDA5B9"
Cisco-NAS-Port = "GigabitEthernet1/0/26"
Stripped-User-Name = "24d9214bbc39"
Realm = "null"
FreeRADIUS-Client-IP-Address = 172.x.x.x
Module-Failure-Message = "rest: Server returned:"
Module-Failure-Message = "rest:
{\"control:PacketFence-Authorization-Status\":\"allow\",\"Reply-Message\":\"Authentication
failed on PacketFence\"}"
SQL-User-Name = "24d9214bbc39"
This is an Avaya IP Phone. Dot1X authentication works without any
problems, with Windows machines. I think that I'm hitting the same bug
as this thread:
https://marc.info/?l=packetfence-users&m=154954294209777&w=2
As you can see on the RADIUS log, the "Calling-Station-Id" is
duplicated. The Avaya phone is connected to a Cisco Switch:
Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version
12.2(55)SE8, RELEASE SOFTWARE (fc2)
Is there any way to override/fix this problem without updating IOS on
the switch? I've tried to implement the patch that was posted on the
thread that I've found, but it didn't work (patched API.PM only, as the
other 2 files seem to be already patched in 9.0.1), but got a start
error on the web server.
[root@packetfence-01 pf]# diff api.pm api-fix-not.pm
1369c1369,1376
< if
(pf::util::valid_mac($remapped_radius_request{'Calling-Station-Id'})) {
---
> ## if
(pf::util::valid_mac($remapped_radius_request{'Calling-Station-Id'})) {
> if (ref($remapped_radius_request{'Calling-Station-Id'})) eq
'ARRAY') {
> foreach my $callingStationId
(@{$remapped_radius_request{'Calling-Station-Id'}}) {
> if (pf::util::valid_mac($callingStationId)) {
> $return =
$class->radius_authorize(%remapped_radius_request);
> }
> }
> } elsif
(pf::util::valid_mac($remapped_radius_request{'Calling-Station-Id'})) {
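Review bot: the added line `if (ref($remapped_radius_request{'Calling-Station-Id'})) eq 'ARRAY') {` has an extra `)` after the `ref(...)` call, so the condition closes before `eq 'ARRAY'` and Perl will not compile it; it should read `if (ref($remapped_radius_request{'Calling-Station-Id'}) eq 'ARRAY') {`. Inside the `foreach`, `radius_authorize(%remapped_radius_request)` runs once for every entry that passes `valid_mac`, with no `last`, and the hash still carries the array reference under `Calling-Station-Id` rather than the `$callingStationId` that was just validated; set the key to that scalar and leave the loop after the first match. The original `if` is also kept as a `##` comment and should be removed rather than commented out.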
1371c1378
< } else {
---
> } else {
Got these errors on the web server:
Dec 17 04:57:05 packetfence-01 pfqueue: pfqueue(6277) WARN:
[mac:[undef]] "my" variable %remapped_radius_request masks earlier
declaration in same scope at /usr/local/pf/lib/pf/api.pm line 1371.
(main::BEGIN)
Dec 17 04:57:05 packetfence-01 pfqueue: "my" variable
%remapped_radius_request masks earlier declaration in same scope at
/usr/local/pf/lib/pf/api.pm line 1371.
Dec 17 04:57:05 packetfence-01 pfqueue: BEGIN not safe after
errors--compilation aborted at /usr/local/pf/lib/pf/api.pm line 1371.
Dec 17 04:57:05 packetfence-01 pfqueue: Compilation failed in require
at /usr/local/pf/sbin/pfqueue line 47.
Dec 17 04:57:05 packetfence-01 pfqueue: BEGIN failed--compilation
aborted at /usr/local/pf/sbin/pfqueue line 47.
Thanks a lot for your help!!!
regards,
Francisco.
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)