Hi all, I actually use FreeRADIUS Version 3.0.13 with PacketFence and I have an issue when i try the rlm_rest. If somoene Know why i have this issue : rest: ERROR: Server returned: (0) rest: ERROR: {"Reply-Message":"PacketFence does not support this switch for read/write access login","reply:PacketFence-Authorization-Status":"allow"} This is my output radius -x : 0) Received Access-Request Id 10 from 192.168.10.14:1812 to 192.168.10.22:1812 length 122 (0) User-Name = "UserTest" (0) User-Password = "p@55word" (0) Service-Type = Framed-User (0) Framed-Protocol = PPP (0) NAS-Identifier = "las1.albari" (0) NAS-Port-Type = Ethernet (0) Acct-Session-Id = "las1.al00000000000000da6bb650001055" (0) NAS-IP-Address = 192.168.10.14 (0) # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence (0) authorize { (0) update { (0) EXPAND %{Packet-Src-IP-Address} (0) --> 192.168.10.14 (0) &request:FreeRADIUS-Client-IP-Address := 192.168.10.14 (0) &control:PacketFence-RPC-Server = 127.0.0.1 (0) &control:PacketFence-RPC-Port = 7070 (0) &control:PacketFence-RPC-User = (0) &control:PacketFence-RPC-Pass = (0) &control:PacketFence-RPC-Proto = http (0) EXPAND %l (0) --> 1486992205 (0) &control:Tmp-Integer-0 := 1486992205 (0) &control:PacketFence-Request-Time := 0 (0) } # update = noop (0) policy rewrite_calling_station_id { (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy rewrite_calling_station_id = noop (0) policy rewrite_called_station_id { (0) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) { (0) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy rewrite_called_station_id = noop (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = noop (0) } # policy filter_username = noop (0) policy filter_password { (0) if (&User-Password && (&User-Password != "%{string:User-Password}")) { (0) EXPAND %{string:User-Password} (0) --> p@55word (0) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE (0) } # policy filter_password = noop (0) [preprocess] = ok (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "UserTest", skipping NULL due to config. (0) [suffix] = noop (0) ntdomain: Checking for prefix before "\" (0) ntdomain: No '\' in User-Name = "UserTest", looking up realm NULL (0) ntdomain: Found realm "null" (0) ntdomain: Adding Stripped-User-Name = "UserTest" (0) ntdomain: Adding Realm = "null" (0) ntdomain: Authentication realm is LOCAL (0) [ntdomain] = ok (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) if ( !EAP-Message ) { (0) if ( !EAP-Message ) -> TRUE (0) if ( !EAP-Message ) { (0) update { (0) &control:Auth-Type := Accept (0) } # update = noop (0) } # if ( !EAP-Message ) = noop (0) policy packetfence-eap-mac-policy { (0) if ( &EAP-Type ) { (0) if ( &EAP-Type ) -> FALSE (0) [noop] = noop (0) } # policy packetfence-eap-mac-policy = noop (0) pap: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! (0) pap: WARNING: !!! Ignoring control:User-Password. Update your !!! (0) pap: WARNING: !!! configuration so that the "known good" clear text !!! (0) pap: WARNING: !!! password is in Cleartext-Password and NOT in !!! (0) pap: WARNING: !!! User-Password. !!! (0) pap: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! (0) pap: WARNING: Auth-Type already set. Not setting to PAP (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = Accept (0) Auth-Type = Accept, accepting the user (0) # Executing section post-auth from file /usr/local/pf/raddb/sites-enabled/packetfence (0) post-auth { (0) update { (0) EXPAND %{Packet-Src-IP-Address} (0) --> 192.168.10.14 (0) &request:FreeRADIUS-Client-IP-Address := 192.168.10.14 (0) &control:PacketFence-RPC-Server = 127.0.0.1 (0) &control:PacketFence-RPC-Port = 7070 (0) &control:PacketFence-RPC-User = (0) &control:PacketFence-RPC-Pass = (0) &control:PacketFence-RPC-Proto = http (0) } # update = noop (0) if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) { (0) if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) -> TRUE (0) if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) { rlm_rest (rest): Closing connection (0): Hit idle_timeout, was idle for 282 seconds rlm_rest (rest): Closing connection (1): Hit idle_timeout, was idle for 282 seconds rlm_rest (rest): Closing connection (2): Hit idle_timeout, was idle for 282 seconds rlm_rest (rest): You probably need to lower "min" rlm_rest (rest): Closing connection (3): Hit idle_timeout, was idle for 282 seconds rlm_rest (rest): You probably need to lower "min" rlm_rest (rest): Closing connection (4): Hit idle_timeout, was idle for 282 seconds rlm_rest (rest): You probably need to lower "min" rlm_rest (rest): 0 of 0 connections in use. You may need to increase "spare" rlm_rest (rest): Opening additional connection (5), 1 of 64 pending slots used rlm_rest (rest): Connecting to "http://127.0.0.1:7070/" rlm_rest (rest): Reserved connection (5) (0) rest: Expanding URI components (0) rest: EXPAND http://127.0.0.1:7070 (0) rest: --> http://127.0.0.1:7070 (0) rest: EXPAND //radius/rest/authorize (0) rest: --> //radius/rest/authorize (0) rest: Sending HTTP POST to "http://127.0.0.1:7070//radius/rest/authorize" (0) rest: Encoding attribute "User-Name" (0) rest: Encoding attribute "User-Password" (0) rest: Encoding attribute "NAS-IP-Address" (0) rest: Encoding attribute "Service-Type" (0) rest: Encoding attribute "Framed-Protocol" (0) rest: Encoding attribute "NAS-Identifier" (0) rest: Encoding attribute "NAS-Port-Type" (0) rest: Encoding attribute "Acct-Session-Id" (0) rest: Encoding attribute "Event-Timestamp" (0) rest: Encoding attribute "Stripped-User-Name" (0) rest: Encoding attribute "Realm" (0) rest: Encoding attribute "FreeRADIUS-Client-IP-Address" (0) rest: Processing response header (0) rest: Status : 401 (Unauthorized) (0) rest: Type : json (application/json) (0) rest: ERROR: Server returned: (0) rest: ERROR: {"Reply-Message":"PacketFence does not support this switch for read/write access login","reply:PacketFence-Authorization-Status":"allow"} rlm_rest (rest): Released connection (5) rlm_rest (rest): Need 2 more connections to reach 10 spares rlm_rest (rest): Opening additional connection (6), 1 of 63 pending slots used rlm_rest (rest): Connecting to "http://127.0.0.1:7070/" (0) [rest] = invalid (0) } # if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) = invalid (0) } # post-auth = invalid (0) Using Post-Auth-Type Reject (0) # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence (0) Post-Auth-Type REJECT { (0) if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) { (0) if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) -> TRUE (0) if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) { (0) policy packetfence-audit-log-reject { (0) if (&User-Name != "dummy") { (0) if (&User-Name != "dummy") -> TRUE (0) if (&User-Name != "dummy") { (0) policy request-timing { (0) if (control:PacketFence-Request-Time != 0) { (0) if (control:PacketFence-Request-Time != 0) -> FALSE (0) } # policy request-timing = noop (0) sql_reject: EXPAND type.reject.query (0) sql_reject: --> type.reject.query (0) sql_reject: Using query template 'query' rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 282 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 282 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 282 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (4): Hit idle_timeout, was idle for 282 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for 282 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (5): Hit idle_timeout, was idle for 282 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare" rlm_sql (sql): Opening additional connection (6), 1 of 64 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'pf' on Localhost via UNIX socket, server version 5.5.52-MariaDB, protocol version 10 rlm_sql (sql): Reserved connection (6) (0) sql_reject: EXPAND %{User-Name} (0) sql_reject: --> UserTest (0) sql_reject: SQL-User-Name set to 'UserTest' (0) sql_reject: EXPAND INSERT INTO radius_audit_log ( mac, ip, computer_name, user_name, stripped_user_name, realm, event_type, switch_id, switch_mac, switch_ip_address, radius_source_ip_address, called_station_id, calling_station_id, nas_port_type, ssid, nas_port_id, ifindex, nas_port, connection_type, nas_ip_address, nas_identifier, auth_status, reason, auth_type, eap_type, role, node_status, profile, source, auto_reg, is_phone, pf_domain, uuid, radius_request, radius_reply, request_time) VALUES ( '%{request:Calling-Station-Id}', '%{request:Framed-IP-Address}', '%{%{control:PacketFence-Computer-Name}:-N/A}', '%{request:User-Name}', '%{request:Stripped-User-Name}', '%{request:Realm}', 'Radius-Access-Request', '%{%{control:PacketFence-Switch-Id}:-N/A}', '%{%{control:PacketFence-Switch-Mac}:-N/A}', '%{%{control:PacketFence-Switch-Ip-Address}:-N/A}', '%{Packet-Src-IP-Address}', '%{request:Called-Station-Id}', '%{request:Calling-Station-Id}', '%{request:NAS-Port-Type}', '%{request:Called-Station-SSID}', '%{request:NAS-Port-Id}', '%{%{control:PacketFence-IfIndex}:-N/A}', '%{request:NAS-Port}', '%{%{control:PacketFence-Connection-Type}:-N/A}', '%{request:NAS-IP-Address}', '%{request:NAS-Identifier}', 'Reject', '%{request:Module-Failure-Message}', '%{control:Auth-Type}', '%{request:EAP-Type}', '%{%{control:PacketFence-Role}:-N/A}', '%{%{control:PacketFence-Status}:-N/A}', '%{%{control:PacketFence-Profile}:-N/A}', '%{%{control:PacketFence-Source}:-N/A}', '%{%{control:PacketFence-AutoReg}:-N/A}', '%{%{control:PacketFence-IsPhone}:-N/A}', '%{request:PacketFence-Domain}', '', '%{pairs:&request:[*]}','%{pairs:&reply:[*]}', '%{%{control:PacketFence-Request-Time}:-N/A}') (0) sql_reject: --> INSERT INTO radius_audit_log ( mac, ip, computer_name, user_name, stripped_user_name, realm, event_type, switch_id, switch_mac, switch_ip_address, radius_source_ip_address, called_station_id, calling_station_id, nas_port_type, ssid, nas_port_id, ifindex, nas_port, connection_type, nas_ip_address, nas_identifier, auth_status, reason, auth_type, eap_type, role, node_status, profile, source, auto_reg, is_phone, pf_domain, uuid, radius_request, radius_reply, request_time) VALUES ( '', '', 'N/A', 'UserTest', 'UserTest', 'null', 'Radius-Access-Request', 'N/A', 'N/A', 'N/A', '192.168.10.14', '', '', 'Ethernet', '', '', 'N/A', '', 'N/A', '192.168.10.14', 'las1.albari', 'Reject', 'rest: Server returned:', 'Accept', '', 'N/A', 'N/A', 'N/A', 'N/A', 'N/A', 'N/A', '', '', 'User-Name =3D =22UserTest=22=2C User-Password =3D =22p@55word=22=2C NAS-IP-Address =3D 192.168.10.14=2C Service-Type =3D Framed-User=2C Framed-Protocol =3D PPP=2C NAS-Identifier =3D =22las1.albari=22=2C NAS-Port-Type =3D Ethernet=2C Acct-Session-Id =3D =22las1.al00000000000000da6bb650001055=22=2C Event-Timestamp =3D =22févr. 13 2017 14:23:25 CET=22=2C Stripped-User-Name =3D =22UserTest=22=2C Realm =3D =22null=22=2C FreeRADIUS-Client-IP-Address =3D 192.168.10.14=2C Module-Failure-Message =3D =22rest: Server returned:=22=2C Module-Failure-Message =3D =22rest: =7B=5C=22Reply-Message=5C=22:=5C=22PacketFence does not support this switch for read/write access login=5C=22=2C=5C=22reply:PacketFence-Authorization-Status=5C=22:=5C=22allow=5C=22=7D=22=2C SQL-User-Name =3D =22UserTest=22','', '0') (0) sql_reject: Executing query: INSERT INTO radius_audit_log ( mac, ip, computer_name, user_name, stripped_user_name, realm, event_type, switch_id, switch_mac, switch_ip_address, radius_source_ip_address, called_station_id, calling_station_id, nas_port_type, ssid, nas_port_id, ifindex, nas_port, connection_type, nas_ip_address, nas_identifier, auth_status, reason, auth_type, eap_type, role, node_status, profile, source, auto_reg, is_phone, pf_domain, uuid, radius_request, radius_reply, request_time) VALUES ( '', '', 'N/A', 'UserTest', 'UserTest', 'null', 'Radius-Access-Request', 'N/A', 'N/A', 'N/A', '192.168.10.14', '', '', 'Ethernet', '', '', 'N/A', '', 'N/A', '192.168.10.14', 'las1.albari', 'Reject', 'rest: Server returned:', 'Accept', '', 'N/A', 'N/A', 'N/A', 'N/A', 'N/A', 'N/A', '', '', 'User-Name =3D =22UserTest=22=2C User-Password =3D =22p@55word=22=2C NAS-IP-Address =3D 192.168.10.14=2C Service-Type =3D Framed-User=2C Framed-Protocol =3D PPP=2C NAS-Identifier =3D =22las1.albari=22=2C NAS-Port-Type =3D Ethernet=2C Acct-Session-Id =3D =22las1.al00000000000000da6bb650001055=22=2C Event-Timestamp =3D =22févr. 13 2017 14:23:25 CET=22=2C Stripped-User-Name =3D =22UserTest=22=2C Realm =3D =22null=22=2C FreeRADIUS-Client-IP-Address =3D 192.168.10.14=2C Module-Failure-Message =3D =22rest: Server returned:=22=2C Module-Failure-Message =3D =22rest: =7B=5C=22Reply-Message=5C=22:=5C=22PacketFence does not support this switch for read/write access login=5C=22=2C=5C=22reply:PacketFence-Authorization-Status=5C=22:=5C=22allow=5C=22=7D=22=2C SQL-User-Name =3D =22UserTest=22','', '0') (0) sql_reject: SQL query returned: success (0) sql_reject: 1 record(s) updated rlm_sql (sql): Released connection (6) rlm_sql (sql): Need 2 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (7), 1 of 63 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'pf' on Localhost via UNIX socket, server version 5.5.52-MariaDB, protocol version 10 (0) [sql_reject] = ok (0) } # if (&User-Name != "dummy") = ok (0) } # policy packetfence-audit-log-reject = ok (0) } # if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) = ok (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> UserTest (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) attr_filter.packetfence_post_auth: EXPAND %{User-Name} (0) attr_filter.packetfence_post_auth: --> UserTest (0) attr_filter.packetfence_post_auth: Matched entry DEFAULT at line 10 (0) [attr_filter.packetfence_post_auth] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) linelog: EXPAND messages.%{%{reply:Packet-Type}:-default} (0) linelog: --> messages.Access-Accept (0) linelog: EXPAND %t : [mac:%{Calling-Station-Id}] Accepted user: %{reply:User-Name} and returned VLAN %{reply:Tunnel-Private-Group-ID} (0) linelog: --> Mon Feb 13 14:23:25 2017 : [mac:] Accepted user: and returned VLAN (0) linelog: EXPAND /usr/local/pf/logs/radius.log (0) linelog: --> /usr/local/pf/logs/radius.log (0) [linelog] = ok (0) } # Post-Auth-Type REJECT = updated (0) Rejected in post-auth: [UserTest] (from client 192.168.10.0/24 port 0) (0) Delaying response for 1.000000 seconds Waking up in 0.1 seconds. Waking up in 0.8 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 10 from 192.168.10.22:1812 to 192.168.10.14:1812 length 20 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 10 with timestamp +282 Ready to process requests Thanks for ur help Best regards