Hello Fabrice, Thanks for your answer. I did a packet sniffing with the command and here is the result : [ https://pastebin.com/d3VLaLvT | https://pastebin.com/d3VLaLvT ] (Pastbin code in case the link is deleted : d3VLaLvT)
I see two different packets : One with the "CLI or VPN access not allowed from this switch". I don't get that error message since I don't know when PF need to access the CLI and the login parameters are good. Another one with : " [truncated] Scoreboard: _KKK__KKKKK_WK_K" Thanks for your help. Adrian. De: "Fabrice Durand" <oeufd...@gmail.com> À: "packetfence-users" <packetfence-users@lists.sourceforge.net> Cc: "ADE" <adrian.dessai...@novasys.coop> Envoyé: Vendredi 29 Octobre 2021 14:39:43 Objet: Re: [PacketFence-users] Question about "web log apache aaa bad requests" Hello Adrian, you can try that to see exactly what happen: tshark -i any -f "port 7070" -Y "http.request || http.response" -V Regards Fabrice Le mar. 26 oct. 2021 à 05:56, Adrian Dessaigne via PacketFence-users < [ mailto:packetfence-users@lists.sourceforge.net | packetfence-users@lists.sourceforge.net ] > a écrit : Hi again, I'm trying to know from where I get this message and I compared the logs files with our secondary backup server. In the file httpd.aaa.access I still get spammed with those : Oct 26 11:14:03 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:03 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 6300 "-" "FreeRADIUS 3.0.21" " [ http://127.0.0.1:7070/ | 127.0.0.1:7070 ] " Oct 26 11:14:03 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:03 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 4331 "-" "FreeRADIUS 3.0.21" " [ http://127.0.0.1:7070/ | 127.0.0.1:7070 ] " Oct 26 11:14:03 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:03 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 33865 "-" "FreeRADIUS 3.0.21" " [ http://127.0.0.1:7070/ | 127.0.0.1:7070 ] " Oct 26 11:14:03 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:03 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3727 "-" "FreeRADIUS 3.0.21" " [ http://127.0.0.1:7070/ | 127.0.0.1:7070 ] " Oct 26 11:14:04 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:04 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 786 6798 "-" "FreeRADIUS 3.0.21" " [ http://127.0.0.1:7070/ | 127.0.0.1:7070 ] " Oct 26 11:14:05 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:05 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 5267 "-" "FreeRADIUS 3.0.21" " [ http://127.0.0.1:7070/ | 127.0.0.1:7070 ] " Oct 26 11:14:05 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:05 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 5643 "-" "FreeRADIUS 3.0.21" " [ http://127.0.0.1:7070/ | 127.0.0.1:7070 ] " Oct 26 11:14:06 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:06 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3873 "-" "FreeRADIUS 3.0.21" " [ http://127.0.0.1:7070/ | 127.0.0.1:7070 ] " Oct 26 11:14:07 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:07 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 5117 "-" "FreeRADIUS 3.0.21" " [ http://127.0.0.1:7070/ | 127.0.0.1:7070 ] " Oct 26 11:14:07 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:07 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3882 "-" "FreeRADIUS 3.0.21" " [ http://127.0.0.1:7070/ | 127.0.0.1:7070 ] " Oct 26 11:14:07 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:07 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 29848 "-" "FreeRADIUS 3.0.21" " [ http://127.0.0.1:7070/ | 127.0.0.1:7070 ] " Oct 26 11:14:07 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:07 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 31987 "-" "FreeRADIUS 3.0.21" " [ http://127.0.0.1:7070/ | 127.0.0.1:7070 ] " Oct 26 11:14:08 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:08 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 786 29763 "-" "FreeRADIUS 3.0.21" " [ http://127.0.0.1:7070/ | 127.0.0.1:7070 ] " Oct 26 11:14:09 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:09 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 6815 "-" "FreeRADIUS 3.0.21" " [ http://127.0.0.1:7070/ | 127.0.0.1:7070 ] " Oct 26 11:14:09 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:09 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 4121 "-" "FreeRADIUS 3.0.21" " [ http://127.0.0.1:7070/ | 127.0.0.1:7070 ] " Oct 26 11:14:10 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:10 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 4211 "-" "FreeRADIUS 3.0.21" " [ http://127.0.0.1:7070/ | 127.0.0.1:7070 ] " Oct 26 11:14:11 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:11 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3960 "-" "FreeRADIUS 3.0.21" " [ http://127.0.0.1:7070/ | 127.0.0.1:7070 ] " Oct 26 11:14:11 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:11 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3636 "-" "FreeRADIUS 3.0.21" " [ http://127.0.0.1:7070/ | 127.0.0.1:7070 ] " Oct 26 11:14:11 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:11 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 4949 "-" "FreeRADIUS 3.0.21" " [ http://127.0.0.1:7070/ | 127.0.0.1:7070 ] " Oct 26 11:14:11 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:11 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3341 "-" "FreeRADIUS 3.0.21" " [ http://127.0.0.1:7070/ | 127.0.0.1:7070 ] " Oct 26 11:14:11 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:11 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 4892 "-" "FreeRADIUS 3.0.21" " [ http://127.0.0.1:7070/ | 127.0.0.1:7070 ] " Oct 26 11:14:12 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:12 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 786 5130 "-" "FreeRADIUS 3.0.21" " [ http://127.0.0.1:7070/ | 127.0.0.1:7070 ] " Oct 26 11:14:13 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:13 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 5497 "-" "FreeRADIUS 3.0.21" " [ http://127.0.0.1:7070/ | 127.0.0.1:7070 ] " Oct 26 11:14:13 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:13 +0200] "POST //radius/rest/authorize HTTP/1.1" 200 881 1516 70853 "-" "FreeRADIUS 3.0.21" " [ http://127.0.0.1:7070/ | 127.0.0.1:7070 ] " But on the other server, I don't have anything in this file. >From what I could search, the port 7070 is related to the httpd service and >radiusd is mostly using it. So I stoped the radiusd-auth service and the logs stopped (as well the error-notifications on the admin interface) After restarting the service, the logs started to be spammed again and the notification came back. I'll try to go search deeper but I feel I'm on the edge of my knowledge of the services. Any idea what cause this ? Thanks for your answers. De: "packetfence-users" < [ mailto:packetfence-users@lists.sourceforge.net | packetfence-users@lists.sourceforge.net ] > À: "packetfence-users" < [ mailto:packetfence-users@lists.sourceforge.net | packetfence-users@lists.sourceforge.net ] > Cc: "ADE" < [ mailto:adrian.dessai...@novasys.coop | adrian.dessai...@novasys.coop ] > Envoyé: Lundi 25 Octobre 2021 10:38:42 Objet: Re: [PacketFence-users] Question about "web log apache aaa bad requests" Hi ! Bit of an update on my issue. After launching the [ http://pf-maint.pl/ | pf-maint.pl ] script and doing a reboot, I still have the red warning popping up in the Status tab (only in this one) Before the reboot, the RAM and CPU usage were really high compared before the issue. What file or configuration should I check to fix this ? Thanks for your answers. De: "packetfence-users" < [ mailto:packetfence-users@lists.sourceforge.net | packetfence-users@lists.sourceforge.net ] > À: "packetfence-users" < [ mailto:packetfence-users@lists.sourceforge.net | packetfence-users@lists.sourceforge.net ] > Cc: "ADE" < [ mailto:adrian.dessai...@novasys.coop | adrian.dessai...@novasys.coop ] > Envoyé: Jeudi 21 Octobre 2021 12:27:03 Objet: [PacketFence-users] Question about "web log apache aaa bad requests" Hello everyone ! I have a small question about a warning I get in PacketFence notifications. Those notifications appeared when I've set up the accounting counfiguration on our cisco switches : * aaa accounting dot1x default start-stop group radius I've put this so we can have the Online/Offline status of our nodes. But since I have those two notifications popping up : 100% SVPACKETFENCE web log apache aaa log - responses web_log_apache_aaa_log.response_statuses.1m_bad_requests 0% SVPACKETFENCE web log apache aaa log - responses web_log_apache_aaa_log.response_statuses.1m_successful So I went in the log files httpd.aaa.access and it's filled with those event : Oct 21 12:12:23 SVPACKETFENCE httpd_aaa: 127.0.0.1 - - [21/Oct/2021:12:12:23 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 5827 "-" "FreeRADIUS 3.0.21" " [ http://127.0.0.1:7070/ | 127.0.0.1:7070 ] " Oct 21 12:12:26 SVPACKETFENCE httpd_aaa: 127.0.0.1 - - [21/Oct/2021:12:12:26 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 5918 "-" "FreeRADIUS 3.0.21" " [ http://127.0.0.1:7070/ | 127.0.0.1:7070 ] " Oct 21 12:12:27 SVPACKETFENCE httpd_aaa: 127.0.0.1 - - [21/Oct/2021:12:12:27 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 5465 "-" "FreeRADIUS 3.0.21" " [ http://127.0.0.1:7070/ | 127.0.0.1:7070 ] " Oct 21 12:12:27 SVPACKETFENCE httpd_aaa: 127.0.0.1 - - [21/Oct/2021:12:12:27 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 305 788 5572 "-" "FreeRADIUS 3.0.21" " [ http://127.0.0.1:7070/ | 127.0.0.1:7070 ] " Oct 21 12:12:27 SVPACKETFENCE httpd_aaa: 127.0.0.1 - - [21/Oct/2021:12:12:27 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 786 5235 "-" "FreeRADIUS 3.0.21" " [ http://127.0.0.1:7070/ | 127.0.0.1:7070 ] " Oct 21 12:12:27 SVPACKETFENCE httpd_aaa: 127.0.0.1 - - [21/Oct/2021:12:12:27 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 6013 "-" "FreeRADIUS 3.0.21" " [ http://127.0.0.1:7070/ | 127.0.0.1:7070 ] " However, there is nothing in httpd.aaa.error. I have tryed by removing the command on the cisco switches but seems like it keep going. Do you have any idea what's going on ? Thanks a lot for your help ! Adrian. Enregistrer Enregistrer _______________________________________________ PacketFence-users mailing list [ mailto:PacketFence-users@lists.sourceforge.net | PacketFence-users@lists.sourceforge.net ] [ https://lists.sourceforge.net/lists/listinfo/packetfence-users | https://lists.sourceforge.net/lists/listinfo/packetfence-users ] _______________________________________________ PacketFence-users mailing list [ mailto:PacketFence-users@lists.sourceforge.net | PacketFence-users@lists.sourceforge.net ] [ https://lists.sourceforge.net/lists/listinfo/packetfence-users | https://lists.sourceforge.net/lists/listinfo/packetfence-users ] _______________________________________________ PacketFence-users mailing list [ mailto:PacketFence-users@lists.sourceforge.net | PacketFence-users@lists.sourceforge.net ] [ https://lists.sourceforge.net/lists/listinfo/packetfence-users | https://lists.sourceforge.net/lists/listinfo/packetfence-users ]
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
