Hello Adrian,

most of the requests are from the radius probe from the switch.
Probably that is configured on your switch:

automate-tester username dummy ignore-acct-port idle-time 3

So it looks to be normal.

Regards
Fabrice

On Tue, 2 Nov 2021 at 04:08, Adrian Dessaigne <adrian.dessai...@novasys.coop> wrote:

> Hello Fabrice,
>
> Thanks for your answer. I did a packet sniffing with the command and here
> is the result :
> https://pastebin.com/d3VLaLvT
> (Pastebin code in case the link is deleted : d3VLaLvT)
>
> I see two different packets :
> One with the "CLI or VPN access not allowed from this switch". I don't get
> that error message since I don't know when PF needs to access the CLI and
> the login parameters are good.
> Another one with : "[truncated] Scoreboard: _KKK__KKKKK_WK_K"
>
> Thanks for your help.
>
> Adrian.
>
> ------------------------------
> *From: *"Fabrice Durand" <oeufd...@gmail.com>
> *To: *"packetfence-users" <packetfence-users@lists.sourceforge.net>
> *Cc: *"ADE" <adrian.dessai...@novasys.coop>
> *Sent: *Friday, 29 October 2021 14:39:43
> *Subject: *Re: [PacketFence-users] Question about "web log apache aaa bad requests"
>
> Hello Adrian,
> you can try that to see exactly what happens:
>
> tshark -i any -f "port 7070" -Y "http.request || http.response" -V
>
> Regards
> Fabrice
>
> On Tue, 26 Oct 2021 at 05:56, Adrian Dessaigne via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>
>> Hi again,
>>
>> I'm trying to know from where I get this message and I compared the log
>> files with our secondary backup server.
>> In the file httpd.aaa.access I still get spammed with those :
>>
>> Oct 26 11:14:03 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:03 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 6300 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:03 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:03 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 4331 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:03 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:03 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 33865 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:03 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:03 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3727 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:04 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:04 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 786 6798 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:05 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:05 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 5267 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:05 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:05 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 5643 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:06 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:06 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3873 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:07 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:07 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 5117 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:07 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:07 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3882 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:07 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:07 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 29848 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:07 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:07 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 31987 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:08 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:08 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 786 29763 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:09 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:09 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 6815 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:09 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:09 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 4121 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:10 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:10 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 4211 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:11 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:11 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3960 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:11 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:11 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3636 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:11 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:11 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 4949 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:11 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:11 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 3341 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:11 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:11 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 4892 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:12 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:12 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 786 5130 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:13 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:13 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 5497 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
>> Oct 26 11:14:13 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:13 +0200] "POST //radius/rest/authorize HTTP/1.1" 200 881 1516 70853 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
>>
>> But on the other server, I don't have anything in this file.
>> From what I could search, the port 7070 is related to the httpd service
>> and radiusd is mostly using it.
>> So I stopped the radiusd-auth service and the logs stopped (as well as the
>> error notifications on the admin interface).
>> After restarting the service, the logs started to be spammed again and
>> the notification came back.
>>
>> I'll try to go search deeper but I feel I'm on the edge of my knowledge
>> of the services.
>>
>> Any idea what causes this ?
>> Thanks for your answers.
>>
>> ------------------------------
>> *From: *"packetfence-users" <packetfence-users@lists.sourceforge.net>
>> *To: *"packetfence-users" <packetfence-users@lists.sourceforge.net>
>> *Cc: *"ADE" <adrian.dessai...@novasys.coop>
>> *Sent: *Monday, 25 October 2021 10:38:42
>> *Subject: *Re: [PacketFence-users] Question about "web log apache aaa bad requests"
>>
>> Hi !
>>
>> Bit of an update on my issue.
>> After launching the pf-maint.pl script and doing a reboot, I still have
>> the red warning popping up in the Status tab (only in this one).
>> Before the reboot, the RAM and CPU usage were really high compared to before
>> the issue.
>>
>> What file or configuration should I check to fix this ?
>>
>> Thanks for your answers.
>>
>> ------------------------------
>> *From: *"packetfence-users" <packetfence-users@lists.sourceforge.net>
>> *To: *"packetfence-users" <packetfence-users@lists.sourceforge.net>
>> *Cc: *"ADE" <adrian.dessai...@novasys.coop>
>> *Sent: *Thursday, 21 October 2021 12:27:03
>> *Subject: *[PacketFence-users] Question about "web log apache aaa bad requests"
>>
>> Hello everyone !
>>
>> I have a small question about a warning I get in PacketFence
>> notifications.
>> Those notifications appeared when I set up the accounting
>> configuration on our cisco switches :
>>
>> - aaa accounting dot1x default start-stop group radius
>>
>> I've put this so we can have the Online/Offline status of our nodes. But
>> since then I have those two notifications popping up :
>>
>> 100% SVPACKETFENCE web log apache aaa log - responses
>> web_log_apache_aaa_log.response_statuses.1m_bad_requests
>>
>> 0% SVPACKETFENCE web log apache aaa log - responses
>> web_log_apache_aaa_log.response_statuses.1m_successful
>>
>> So I went in the log file httpd.aaa.access and it's filled with those
>> events :
>>
>> Oct 21 12:12:23 SVPACKETFENCE httpd_aaa: 127.0.0.1 - - [21/Oct/2021:12:12:23 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 5827 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
>> Oct 21 12:12:26 SVPACKETFENCE httpd_aaa: 127.0.0.1 - - [21/Oct/2021:12:12:26 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 5918 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
>> Oct 21 12:12:27 SVPACKETFENCE httpd_aaa: 127.0.0.1 - - [21/Oct/2021:12:12:27 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 5465 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
>> Oct 21 12:12:27 SVPACKETFENCE httpd_aaa: 127.0.0.1 - - [21/Oct/2021:12:12:27 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 305 788 5572 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
>> Oct 21 12:12:27 SVPACKETFENCE httpd_aaa: 127.0.0.1 - - [21/Oct/2021:12:12:27 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 786 5235 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
>> Oct 21 12:12:27 SVPACKETFENCE httpd_aaa: 127.0.0.1 - - [21/Oct/2021:12:12:27 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 6013 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
>>
>> However, there is nothing in httpd.aaa.error.
>>
>> I have tried removing the command on the cisco switches but it seems like
>> it keeps going.
>>
>> Do you have any idea what's going on ?
>>
>> Thanks a lot for your help !
>>
>> Adrian.

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
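
The alert percentages discussed in this thread can be checked against httpd.aaa.access directly. The following is an added example, not part of the original messages and not PacketFence code: it buckets entries per minute, reports the share of 4xx and 2xx replies, and counts which client and user agent produce the 4xx replies. It assumes the alert counts 4xx as "bad requests" and 2xx as "successful"; the function names are hypothetical and the sample entries are taken from the excerpts quoted above.

```python
import re
from collections import Counter, defaultdict

# Entries taken from the httpd.aaa.access excerpts quoted in the thread
# (syslog prefix with and without the host name).
SAMPLE_LOG = '''\
Oct 21 12:12:23 SVPACKETFENCE httpd_aaa: 127.0.0.1 - - [21/Oct/2021:12:12:23 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 5827 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 21 12:12:27 SVPACKETFENCE httpd_aaa: 127.0.0.1 - - [21/Oct/2021:12:12:27 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 305 788 5572 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 26 11:14:11 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:11 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 4892 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 26 11:14:12 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:12 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 786 5130 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 26 11:14:13 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:13 +0200] "POST //radius/rest/authorize HTTP/1.1" 401 286 788 5497 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
Oct 26 11:14:13 httpd_aaa: 127.0.0.1 - - [26/Oct/2021:11:14:13 +0200] "POST //radius/rest/authorize HTTP/1.1" 200 881 1516 70853 "-" "FreeRADIUS 3.0.21" "127.0.0.1:7070"
'''

ENTRY = re.compile(
    r'httpd_aaa: (?P<client>\S+) \S+ \S+ \[(?P<minute>[^\]]{17})[^\]]*\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
    r'.*"(?P<agent>[^"]*)" "[^"]*"\s*$'
)

def parse(log_text):
    """Yield one dict per access-log entry; other lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if m:
            yield {**m.groupdict(), "status": int(m["status"])}

def status_share_per_minute(log_text):
    """Per minute: percentage of 4xx ("bad") and 2xx ("successful") replies."""
    buckets = defaultdict(Counter)
    for e in parse(log_text):
        kind = {2: "successful", 4: "bad"}.get(e["status"] // 100, "other")
        buckets[e["minute"]][kind] += 1
    shares = {}
    for minute, counts in buckets.items():
        total = sum(counts.values())
        shares[minute] = {k: round(100 * counts[k] / total, 1)
                          for k in ("bad", "successful")}
    return shares

def bad_request_sources(log_text):
    """Count 4xx replies by (client, user agent, path) to see who causes them."""
    return Counter((e["client"], e["agent"], e["path"])
                   for e in parse(log_text) if 400 <= e["status"] < 500)

if __name__ == "__main__":
    print(status_share_per_minute(SAMPLE_LOG))
    print(bad_request_sources(SAMPLE_LOG).most_common())
```

On a real server, pass the contents of httpd.aaa.access to the same functions; a single (client, user agent, path) tuple accounting for all 4xx replies points at one local caller rather than many external clients.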