Hello Adrian, you can try that to see exactly what happen:
tshark -i any -f "port 7070" -Y "http.request || http.response" -V Regards Fabrice Le mar. 26 oct. 2021 à 05:56, Adrian Dessaigne via PacketFence-users < packetfence-users@lists.sourceforge.net> a écrit : > Hi again, > > I'm trying to know from where I get this message and I compared the logs > files with our secondary backup server. > In the file httpd.aaa.access I still get spammed with those : > > Oct 26 11:14:03 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:03 +0200] > "POST //radius/rest/authorize HTTP/1.1" 401 286 788 6300 "-" "FreeRADIUS > 3.0.21" "127.0.0.1:7070" > Oct 26 11:14:03 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:03 +0200] > "POST //radius/rest/authorize HTTP/1.1" 401 286 788 4331 "-" "FreeRADIUS > 3.0.21" "127.0.0.1:7070" > Oct 26 11:14:03 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:03 +0200] > "POST //radius/rest/authorize HTTP/1.1" 401 286 788 33865 "-" "FreeRADIUS > 3.0.21" "127.0.0.1:7070" > Oct 26 11:14:03 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:03 +0200] > "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3727 "-" "FreeRADIUS > 3.0.21" "127.0.0.1:7070" > Oct 26 11:14:04 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:04 +0200] > "POST //radius/rest/authorize HTTP/1.1" 401 286 786 6798 "-" "FreeRADIUS > 3.0.21" "127.0.0.1:7070" > Oct 26 11:14:05 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:05 +0200] > "POST //radius/rest/authorize HTTP/1.1" 401 286 788 5267 "-" "FreeRADIUS > 3.0.21" "127.0.0.1:7070" > Oct 26 11:14:05 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:05 +0200] > "POST //radius/rest/authorize HTTP/1.1" 401 286 788 5643 "-" "FreeRADIUS > 3.0.21" "127.0.0.1:7070" > Oct 26 11:14:06 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:06 +0200] > "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3873 "-" "FreeRADIUS > 3.0.21" "127.0.0.1:7070" > Oct 26 11:14:07 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:07 +0200] > "POST //radius/rest/authorize HTTP/1.1" 401 286 788 5117 "-" "FreeRADIUS > 3.0.21" "127.0.0.1:7070" > Oct 26 11:14:07 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:07 +0200] > "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3882 "-" "FreeRADIUS > 3.0.21" "127.0.0.1:7070" > Oct 26 11:14:07 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:07 +0200] > "POST //radius/rest/authorize HTTP/1.1" 401 286 788 29848 "-" "FreeRADIUS > 3.0.21" "127.0.0.1:7070" > Oct 26 11:14:07 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:07 +0200] > "POST //radius/rest/authorize HTTP/1.1" 401 286 788 31987 "-" "FreeRADIUS > 3.0.21" "127.0.0.1:7070" > Oct 26 11:14:08 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:08 +0200] > "POST //radius/rest/authorize HTTP/1.1" 401 286 786 29763 "-" "FreeRADIUS > 3.0.21" "127.0.0.1:7070" > Oct 26 11:14:09 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:09 +0200] > "POST //radius/rest/authorize HTTP/1.1" 401 286 788 6815 "-" "FreeRADIUS > 3.0.21" "127.0.0.1:7070" > Oct 26 11:14:09 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:09 +0200] > "POST //radius/rest/authorize HTTP/1.1" 401 286 788 4121 "-" "FreeRADIUS > 3.0.21" "127.0.0.1:7070" > Oct 26 11:14:10 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:10 +0200] > "POST //radius/rest/authorize HTTP/1.1" 401 286 788 4211 "-" "FreeRADIUS > 3.0.21" "127.0.0.1:7070" > Oct 26 11:14:11 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:11 +0200] > "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3960 "-" "FreeRADIUS > 3.0.21" "127.0.0.1:7070" > Oct 26 11:14:11 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:11 +0200] > "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3636 "-" "FreeRADIUS > 3.0.21" "127.0.0.1:7070" > Oct 26 11:14:11 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:11 +0200] > "POST //radius/rest/authorize HTTP/1.1" 401 286 788 4949 "-" "FreeRADIUS > 3.0.21" "127.0.0.1:7070" > Oct 26 11:14:11 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:11 +0200] > "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3341 "-" "FreeRADIUS > 3.0.21" "127.0.0.1:7070" > Oct 26 11:14:11 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:11 +0200] > "POST //radius/rest/authorize HTTP/1.1" 401 286 788 4892 "-" "FreeRADIUS > 3.0.21" "127.0.0.1:7070" > Oct 26 11:14:12 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:12 +0200] > "POST //radius/rest/authorize HTTP/1.1" 401 286 786 5130 "-" "FreeRADIUS > 3.0.21" "127.0.0.1:7070" > Oct 26 11:14:13 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:13 +0200] > "POST //radius/rest/authorize HTTP/1.1" 401 286 788 5497 "-" "FreeRADIUS > 3.0.21" "127.0.0.1:7070" > Oct 26 11:14:13 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:13 +0200] > "POST //radius/rest/authorize HTTP/1.1" 200 881 1516 70853 "-" "FreeRADIUS > 3.0.21" "127.0.0.1:7070" > > But on the other server, I don't have anything in this file. > From what I could search, the port 7070 is related to the httpd service > and radiusd is mostly using it. > So I stoped the radiusd-auth service and the logs stopped (as well the > error-notifications on the admin interface) > After restarting the service, the logs started to be spammed again and the > notification came back. > > I'll try to go search deeper but I feel I'm on the edge of my knowledge of > the services. > > Any idea what cause this ? > Thanks for your answers. > > ------------------------------ > *De: *"packetfence-users" <packetfence-users@lists.sourceforge.net> > *À: *"packetfence-users" <packetfence-users@lists.sourceforge.net> > *Cc: *"ADE" <adrian.dessai...@novasys.coop> > *Envoyé: *Lundi 25 Octobre 2021 10:38:42 > *Objet: *Re: [PacketFence-users] Question about "web log apache aaa bad > requests" > > Hi ! > > Bit of an update on my issue. > After launching the pf-maint.pl script and doing a reboot, I still have > the red warning popping up in the Status tab (only in this one) > Before the reboot, the RAM and CPU usage were really high compared before > the issue. > > What file or configuration should I check to fix this ? > > Thanks for your answers. > ------------------------------ > *De: *"packetfence-users" <packetfence-users@lists.sourceforge.net> > *À: *"packetfence-users" <packetfence-users@lists.sourceforge.net> > *Cc: *"ADE" <adrian.dessai...@novasys.coop> > *Envoyé: *Jeudi 21 Octobre 2021 12:27:03 > *Objet: *[PacketFence-users] Question about "web log apache aaa bad > requests" > > Hello everyone ! > > I have a small question about a warning I get in PacketFence notifications. > Those notifications appeared when I've set up the accounting > counfiguration on our cisco switches : > > - aaa accounting dot1x default start-stop group radius > > I've put this so we can have the Online/Offline status of our nodes. But > since I have those two notifications popping up : > > 100% SVPACKETFENCE web log apache aaa log - responses > web_log_apache_aaa_log.response_statuses.1m_bad_requests > > 0% SVPACKETFENCE web log apache aaa log - responses > web_log_apache_aaa_log.response_statuses.1m_successful > > So I went in the log files httpd.aaa.access and it's filled with those > event : > Oct 21 12:12:23 SVPACKETFENCE httpd_aaa: 127.0.0.1 - - > [21/Oct/2021:12:12:23 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 > 286 788 5827 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070" > Oct 21 12:12:26 SVPACKETFENCE httpd_aaa: 127.0.0.1 - - > [21/Oct/2021:12:12:26 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 > 286 788 5918 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070" > Oct 21 12:12:27 SVPACKETFENCE httpd_aaa: 127.0.0.1 - - > [21/Oct/2021:12:12:27 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 > 286 788 5465 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070" > Oct 21 12:12:27 SVPACKETFENCE httpd_aaa: 127.0.0.1 - - > [21/Oct/2021:12:12:27 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 > 305 788 5572 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070" > Oct 21 12:12:27 SVPACKETFENCE httpd_aaa: 127.0.0.1 - - > [21/Oct/2021:12:12:27 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 > 286 786 5235 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070" > Oct 21 12:12:27 SVPACKETFENCE httpd_aaa: 127.0.0.1 - - > [21/Oct/2021:12:12:27 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 > 286 788 6013 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070" > > However, there is nothing in httpd.aaa.error. > > I have tryed by removing the command on the cisco switches but seems like > it keep going. > > Do you have any idea what's going on ? > > Thanks a lot for your help ! > > Adrian. > EnregistrerEnregistrer > > > _______________________________________________ > PacketFence-users mailing list > PacketFence-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/packetfence-users > > > _______________________________________________ > PacketFence-users mailing list > PacketFence-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/packetfence-users > _______________________________________________ > PacketFence-users mailing list > PacketFence-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/packetfence-users >
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
