Hi, I'm trying to set up EAP-TTLS wifi auth to REST API endpoint. I started with basic config and have local auth working but stuck on getting Access-Accept from the API. I have set up rest module but struggling to insert HTTP headers into the request. Can't find it in the docs and only previous topic I found is this one: http://lists.freeradius.org/pipermail/freeradius-users/2020-July/098472.html where you suggested how to insert headers in post auth methods. I tried the same in my authenticate just before "rest" but this doesn't work. update control { &REST-HTTP-Header :="secret: 1f215f4a27653bd17ddc54e320a1c61e37949fe5" &REST-HTTP-Header :="uuid: 84ce0574-5074-4b53-9ddc-fcb2c935a1b1" &REST-HTTP-Header :="Content-Type: application/json" } rest What is the correct way to insert HTTP header in the request for authentication sent to external REST server and what syntax should be used for multiple headers (I just multiplied rows here but not sure it should be like that)? Thank you
On Nov 30, 2021, at 8:13 AM, Stjepan Roić <roic27@gmail.com> wrote:
I'm trying to set up EAP-TTLS wifi auth to REST API endpoint. I started with basic config and have local auth working but stuck on getting Access-Accept from the API. I have set up rest module but struggling to insert HTTP headers into the request. Can't find it in the docs and only previous topic I found is this one:
http://lists.freeradius.org/pipermail/freeradius-users/2020-July/098472.html
Which suggests that you read mods-available/rest. Which has all of the information you need.
where you suggested how to insert headers in post auth methods. I tried the same in my authenticate just before "rest" but this doesn't work.
I have no idea what that means. Saying "it doesn't work" is pretty much content-free. If only there was some kind of debug output... or endless pages of documentation telling people to use the debug output. Or messages every day on this mailing list asking people to post the debug output.
update control { &REST-HTTP-Header :="secret: 1f215f4a27653bd17ddc54e320a1c61e37949fe5" &REST-HTTP-Header :="uuid: 84ce0574-5074-4b53-9ddc-fcb2c935a1b1" &REST-HTTP-Header :="Content-Type: application/json" } rest
Well, if you want *all* of those to show up, then ":=" is the wrong thing to use. See "man unlang". The operators are documented. You want to use "+=".
What is the correct way to insert HTTP header in the request for authentication sent to external REST server and what syntax should be used for multiple headers (I just multiplied rows here but not sure it should be like that)?
Read and follow the documentation. The file mods-available/rest documents what headers to add. The "unlang" documentation describes how to add attributes. Alan DeKok.
There is no debug because the server isn't starting (copy pasting random string to config causes syntax error which I assumed you knew). Believe it or not I have read the documentation, especially mods-available/rest and can't understand the syntax for this. It says: Additional HTTP headers may be specified with control:REST-HTTP-Header. # The values of those attributes should be in the format: # <attribute>: <value> So I tried this: control:REST-HTTP-Header :+secret: 1f215f4a27653bd17ddc54e320a1c61e37949fe5 control:REST-HTTP-Header :+uuid: 84ce0574-5074-4b53-9ddc-fcb2c935a1b1 control:REST-HTTP-Header :+Content-Type: application/json Debug error: /etc/freeradius/3.0/mods-enabled/rest[160]: Expecting section start brace '{' after "control:REST-HTTP-Header :+secret:" Than this: control:REST-HTTP-Header :+"secret: 1f215f4a27653bd17ddc54e320a1c61e37949fe5" control:REST-HTTP-Header :+"uuid: 84ce0574-5074-4b53-9ddc-fcb2c935a1b1" control:REST-HTTP-Header :+"Content-Type: application/json" Debug error: /etc/freeradius/3.0/mods-enabled/rest[160]: Expecting section start brace '{' after "control:REST-HTTP-Header :+"secret:" Than this: control:REST-HTTP-Header { :+secret: 1f215f4a27653bd17ddc54e320a1c61e37949fe5 :+uuid: 84ce0574-5074-4b53-9ddc-fcb2c935a1b1 :+Content-Type: application/json } Debug error: /etc/freeradius/3.0/mods-enabled/rest[161]: Expecting section start brace '{' after ":+secret: 1f215f4a27653bd17ddc54e320a1c61e37949fe5" Than this: control:REST-HTTP-Header { secret: 1f215f4a27653bd17ddc54e320a1c61e37949fe5 uuid: 84ce0574-5074-4b53-9ddc-fcb2c935a1b1 Content-Type: application/json } Debug error: /etc/freeradius/3.0/mods-enabled/rest[161]: Expecting section start brace '{' after "secret: 1f215f4a27653bd17ddc54e320a1c61e37949fe5" Than this: control { REST-HTTP-Header :+"secret: 1f215f4a27653bd17ddc54e320a1c61e37949fe5" REST-HTTP-Header :+"uuid: 84ce0574-5074-4b53-9ddc-fcb2c935a1b1" REST-HTTP-Header :+"Content-Type: application/json" } /etc/freeradius/3.0/mods-enabled/rest[161]: Expecting section start brace '{' after "REST-HTTP-Header :+"secret:" And only thing I can find in unlang docs is similar to what I sent in a previous email. So can you provide some examples how it's used or at least a link to the docs where it's shown? On Tue, 30 Nov 2021 at 14:55, Alan DeKok <aland@deployingradius.com> wrote:
On Nov 30, 2021, at 8:13 AM, Stjepan Roić <roic27@gmail.com> wrote:
I'm trying to set up EAP-TTLS wifi auth to REST API endpoint. I started with basic config and have local auth working but stuck on getting Access-Accept from the API. I have set up rest module but struggling to insert HTTP headers into the request. Can't find it in the docs and only previous topic I found is this one:
http://lists.freeradius.org/pipermail/freeradius-users/2020-July/098472.html
Which suggests that you read mods-available/rest. Which has all of the information you need.
where you suggested how to insert headers in post auth methods. I tried the same in my authenticate just before "rest" but this doesn't work.
I have no idea what that means. Saying "it doesn't work" is pretty much content-free.
If only there was some kind of debug output... or endless pages of documentation telling people to use the debug output. Or messages every day on this mailing list asking people to post the debug output.
update control { &REST-HTTP-Header :="secret: 1f215f4a27653bd17ddc54e320a1c61e37949fe5" &REST-HTTP-Header :="uuid: 84ce0574-5074-4b53-9ddc-fcb2c935a1b1" &REST-HTTP-Header :="Content-Type: application/json" } rest
Well, if you want *all* of those to show up, then ":=" is the wrong thing to use. See "man unlang". The operators are documented. You want to use "+=".
What is the correct way to insert HTTP header in the request for authentication sent to external REST server and what syntax should be used for multiple headers (I just multiplied rows here but not sure it should be like that)?
Read and follow the documentation. The file mods-available/rest documents what headers to add. The "unlang" documentation describes how to add attributes.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Nov 30, 2021, at 10:32 AM, Stjepan Roić <roic27@gmail.com> wrote:
There is no debug because the server isn't starting (copy pasting random string to config causes syntax error which I assumed you knew).
Is it your intention to annoy people, or to solve problems? Because you're doing the first very well. This needs to stop immediately. When people say "it doesn't work", I have no idea what that means. Mostly because many people seem to be obsessed with asking vague questions, and are actively hostile to giving any useful information. Such as error messages or debug logs. And then when I ask for more information, they get upset. This behavior is not appropriate.
Believe it or not I have read the documentation, especially mods-available/rest and can't understand the syntax for this. It says:
Which is a much better question than the your previous message.
Additional HTTP headers may be specified with control:REST-HTTP-Header. # The values of those attributes should be in the format: # <attribute>: <value>
So I tried this:
control:REST-HTTP-Header :+secret: 1f215f4a27653bd17ddc54e320a1c61e37949fe5 control:REST-HTTP-Header :+uuid: 84ce0574-5074-4b53-9ddc-fcb2c935a1b1 control:REST-HTTP-Header :+Content-Type: application/json
Which shows you didn't read the documentation. You can't just put random things into the configuration files. There's a syntax, which is documented. See "man unlang", and the documentation around double-quoted strings. And the documentation around using operators. I said to use "+=" as the operator. Instead, you're using ":+" ? Why?
Debug error: /etc/freeradius/3.0/mods-enabled/rest[160]: Expecting section start brace '{' after "control:REST-HTTP-Header :+secret:"
Yes. Because "man unlang" documents how to set values. Hint: use the operator I suggested, and the one which is documented. Don't use ones you invented.
Than this: ... Than this: .. ... Than this: ... Than this: ..
Yeah... that's the approach of "I haven't read Alan's message or the documentation, so I'm just going to try random things in the hope that something will magically work". Don't do that. It's not productive.
And only thing I can find in unlang docs is similar to what I sent in a previous email.
Or maybe use "+=" as I suggested, instead of ":="? Instead of doing that, you've spent all kinds of time doing random things. I have no idea why.
So can you provide some examples how it's used or at least a link to the docs where it's shown?
You originally did this: update control { &REST-HTTP-Header := "secret: 1f215f4a27653bd17ddc54e320a1c61e37949fe5" &REST-HTTP-Header := "uuid: 84ce0574-5074-4b53-9ddc-fcb2c935a1b1" &REST-HTTP-Header := "Content-Type: application/json" } I said to use "+=" instead of ":=". Making that change gives you: update control { &REST-HTTP-Header += "secret: 1f215f4a27653bd17ddc54e320a1c61e37949fe5" &REST-HTTP-Header += "uuid: 84ce0574-5074-4b53-9ddc-fcb2c935a1b1" &REST-HTTP-Header += "Content-Type: application/json" } Which should work. If it doesn't, don't post another message complaining about how mean I am for helping you. Doing so will get you banned from the list. I have zero patience for that nonsense. Instead, follow the documentation, and post the debug output. Which you SHOULD have posted the first time. Alan DeKok.
Hi Alan, I'm sorry if I annoyed you but was just trying to explain my though process when reading the documentation. Also I personally don't care about your tone and don't see I mentioned you being mean to me, just trying to solve this. I'm new to this and I made a typo when you suggested different operator which I didn't notice later and the debug didn't drop an error on that part. It was my mistake which cost me precious time. If you're still willing to help I'll try to describe my problem below, if not I'll understand. The problem I have is that although my server starts successfully I cannot get those headers in the request. In the attachment I'm sharing debug of the server start, debug from access request and my mods-enabled/rest file. Also below is a picture from the mock rest server for that access request. You'll notice I'm getting Access-accept from the rest server but that's only because I disabled those headers verification on the mock server. I hope this debug can still provide info you need, if not please let me know what to share. Thank you for you time in any case [image: image.png] On Tue, 30 Nov 2021 at 16:54, Alan DeKok <aland@deployingradius.com> wrote:
On Nov 30, 2021, at 10:32 AM, Stjepan Roić <roic27@gmail.com> wrote:
There is no debug because the server isn't starting (copy pasting random string to config causes syntax error which I assumed you knew).
Is it your intention to annoy people, or to solve problems? Because you're doing the first very well. This needs to stop immediately.
When people say "it doesn't work", I have no idea what that means. Mostly because many people seem to be obsessed with asking vague questions, and are actively hostile to giving any useful information. Such as error messages or debug logs. And then when I ask for more information, they get upset.
This behavior is not appropriate.
Believe it or not I have read the documentation, especially mods-available/rest and can't understand the syntax for this. It says:
Which is a much better question than the your previous message.
Additional HTTP headers may be specified with control:REST-HTTP-Header. # The values of those attributes should be in the format: # <attribute>: <value>
So I tried this:
control:REST-HTTP-Header :+secret: 1f215f4a27653bd17ddc54e320a1c61e37949fe5 control:REST-HTTP-Header :+uuid: 84ce0574-5074-4b53-9ddc-fcb2c935a1b1 control:REST-HTTP-Header :+Content-Type: application/json
Which shows you didn't read the documentation. You can't just put random things into the configuration files. There's a syntax, which is documented. See "man unlang", and the documentation around double-quoted strings. And the documentation around using operators.
I said to use "+=" as the operator. Instead, you're using ":+" ? Why?
Debug error: /etc/freeradius/3.0/mods-enabled/rest[160]: Expecting section start brace '{' after "control:REST-HTTP-Header :+secret:"
Yes. Because "man unlang" documents how to set values. Hint: use the operator I suggested, and the one which is documented. Don't use ones you invented.
Than this: ... Than this: .. ... Than this: ... Than this: ..
Yeah... that's the approach of "I haven't read Alan's message or the documentation, so I'm just going to try random things in the hope that something will magically work".
Don't do that. It's not productive.
And only thing I can find in unlang docs is similar to what I sent in a previous email.
Or maybe use "+=" as I suggested, instead of ":="?
Instead of doing that, you've spent all kinds of time doing random things. I have no idea why.
So can you provide some examples how it's used or at least a link to the docs where it's shown?
You originally did this:
update control { &REST-HTTP-Header := "secret: 1f215f4a27653bd17ddc54e320a1c61e37949fe5" &REST-HTTP-Header := "uuid: 84ce0574-5074-4b53-9ddc-fcb2c935a1b1" &REST-HTTP-Header := "Content-Type: application/json" }
I said to use "+=" instead of ":=". Making that change gives you:
update control { &REST-HTTP-Header += "secret: 1f215f4a27653bd17ddc54e320a1c61e37949fe5" &REST-HTTP-Header += "uuid: 84ce0574-5074-4b53-9ddc-fcb2c935a1b1" &REST-HTTP-Header += "Content-Type: application/json" }
Which should work. If it doesn't, don't post another message complaining about how mean I am for helping you. Doing so will get you banned from the list. I have zero patience for that nonsense.
Instead, follow the documentation, and post the debug output. Which you SHOULD have posted the first time.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 02/12/2021 10:40, Stjepan Roić wrote:
I'm new to this and I made a typo when you suggested different operator which I didn't notice later and the debug didn't drop an error on that part.
The configuration is very flexible, so you can define your own settings and read them in other parts of the config. That means adding things in the "wrong" places isn't usually a config error. There are situations where the server will complain on startup (e.g. obsolete options still in use), but it can't complain about everything unusual that it sees.
You'll notice I'm getting Access-accept from the rest server but that's only because I disabled those headers verification on the mock server. I hope this debug can still provide info you need, if not please let me know what to share.
You've got this in your rest config: update control { &REST-HTTP-Header += .... } It needs to go in the main virtual server config (e.g. sites-available/default), somewhere _before_ you call the "rest" module. In your situation probably just after the "filter_username" policy call. Module config defines things for each module. Requests pass through the appropriate virtual server, being altered and changed by modules on the way. If you want to add internal attributes that redefine how a module works they need to be set in the virtual server before that module is called. -- Matthew
Thank you Matthew, regarding your input I have previously tried placing that code inside the authentication section of the default server but got this error: -- Unit freeradius.service has begun starting up. Dec 02 12:03:24 freeradius freeradius[7819]: FreeRADIUS Version 3.0.16 Dec 02 12:03:24 freeradius freeradius[7819]: Copyright (C) 1999-2017 The FreeRADIUS server project and contributors Dec 02 12:03:24 freeradius freeradius[7819]: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A Dec 02 12:03:24 freeradius freeradius[7819]: PARTICULAR PURPOSE Dec 02 12:03:24 freeradius freeradius[7819]: You may redistribute copies of FreeRADIUS under the terms of the Dec 02 12:03:24 freeradius freeradius[7819]: GNU General Public License Dec 02 12:03:24 freeradius freeradius[7819]: For more information about these matters, see the file named COPYRIGHT Dec 02 12:03:24 freeradius freeradius[7819]: Starting - reading configuration files ... Dec 02 12:03:24 freeradius freeradius[7819]: Debugger not attached Dec 02 12:03:24 freeradius freeradius[7819]: Creating attribute Unix-Group Dec 02 12:03:24 freeradius freeradius[7819]: rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked Dec 02 12:03:24 freeradius freeradius[7819]: Creating attribute SQL-Group Dec 02 12:03:24 freeradius freeradius[7819]: tls: Using cached TLS configuration from previous invocation Dec 02 12:03:24 freeradius freeradius[7819]: tls: Using cached TLS configuration from previous invocation Dec 02 12:03:24 freeradius freeradius[7819]: [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". Dec 02 12:03:24 freeradius freeradius[7819]: [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT". Dec 02 12:03:24 freeradius freeradius[7819]: rlm_rest: libcurl version: libcurl/7.58.0 OpenSSL/1.1.1 zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0 librtmp/2.3 Dec 02 12:03:24 freeradius freeradius[7819]: rlm_rest (rest): Initialising connection pool Dec 02 12:03:24 freeradius freeradius[7819]: rlm_sql_mysql: libmysql version: 5.7.36 Dec 02 12:03:24 freeradius freeradius[7819]: rlm_sql (sql): Attempting to connect to database "radius" Dec 02 12:03:24 freeradius freeradius[7819]: rlm_sql (sql): Initialising connection pool Dec 02 12:03:24 freeradius freeradius[7819]: rlm_sql (sql): Processing generate_sql_clients Dec 02 12:03:24 freeradius freeradius[7819]: rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas Dec 02 12:03:24 freeradius freeradius[7819]: rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare" Dec 02 12:03:24 freeradius freeradius[7819]: rlm_sql (sql): Opening additional connection (0), 1 of 1 pending slots used Dec 02 12:03:24 freeradius freeradius[7819]: rlm_sql_mysql: Starting connect to MySQL server Dec 02 12:03:24 freeradius freeradius[7819]: rlm_sql (sql): Reserved connection (0) Dec 02 12:03:24 freeradius freeradius[7819]: rlm_sql (sql): Released connection (0) Dec 02 12:03:24 freeradius freeradius[7819]: rlm_mschap (mschap): using internal authentication Dec 02 12:03:24 freeradius freeradius[7819]: rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked Dec 02 12:03:24 freeradius freeradius[7819]: rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output *Dec 02 12:03:24 freeradius freeradius[7819]: /etc/freeradius/3.0/sites-enabled/default[480]: Unknown Auth-Type "control" in authenticate sub-section.* Dec 02 12:03:24 freeradius systemd[1]: freeradius.service: Control process exited, code=exited status=1 Dec 02 12:03:24 freeradius systemd[1]: freeradius.service: Failed with result 'exit-code'. Dec 02 12:03:24 freeradius systemd[1]: Failed to start FreeRADIUS multi-protocol policy server. Now I done it in the authorization section just before "filter_username" and although the server starts there is no difference in the output on the rest server, no headers incoming. Debug: Ready to process requests (0) Received Access-Request Id 59 from 127.0.0.1:33440 to 127.0.0.1:1812 length 79 (0) User-Name = "rba_user1" (0) User-Password = "rba_user1" (0) NAS-IP-Address = 172.16.49.8 (0) NAS-Port = 0 (0) Message-Authenticator = 0x8204eb0ff20ae8b2ea0b4ed973d894c3 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound rlm_rest (rest): Reserved connection (0) (0) rest: Expanding URI components (0) rest: EXPAND https://6c14825b-a5cc-48a1-a0a7-723b78f0a90e.mock.pstmn.io (0) rest: --> https://6c14825b-a5cc-48a1-a0a7-723b78f0a90e.mock.pstmn.io (0) rest: EXPAND /api/v1/auth/login (0) rest: --> /api/v1/auth/login (0) rest: Sending HTTP POST to " https://6c14825b-a5cc-48a1-a0a7-723b78f0a90e.mock.pstmn.io/api/v1/auth/login " (0) rest: EXPAND {"username": "%{urlquote:%{User-Name}}", "password": "%{urlquote:%{User-Password}}"} (0) rest: --> {"username": "rba_user1", "password": "rba_user1"} (0) rest: Processing response header (0) rest: Status : 200 (OK) (0) rest: Type : json (application/json) (0) rest: Parsing attribute "username" (0) rest: WARNING: Failed parsing attribute: Invalid vendor name in attribute name "username", skipping... (0) rest: Parsing attribute "firstname" (0) rest: WARNING: Failed parsing attribute: Invalid vendor name in attribute name "firstname", skipping... (0) rest: Parsing attribute "lastname" (0) rest: WARNING: Failed parsing attribute: Invalid vendor name in attribute name "lastname", skipping... (0) rest: Parsing attribute "locationId" (0) rest: WARNING: Failed parsing attribute: Invalid vendor name in attribute name "locationId", skipping... (0) rest: Parsing attribute "id" (0) rest: WARNING: Failed parsing attribute: Invalid vendor name in attribute name "id", skipping... (0) rest: Parsing attribute "email" (0) rest: WARNING: Failed parsing attribute: Invalid vendor name in attribute name "email", skipping... (0) rest: Parsing attribute "access_token" (0) rest: WARNING: Failed parsing attribute: Invalid vendor name in attribute name "access_token", skipping... rlm_rest (rest): Released connection (0) Need 5 more connections to reach 10 spares rlm_rest (rest): Opening additional connection (5), 1 of 27 pending slots used rlm_rest (rest): Connecting to " https://6c14825b-a5cc-48a1-a0a7-723b78f0a90e.mock.pstmn.io/api/v1/auth/login " (0) [rest] = ok (0) [preprocess] = ok (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry DEFAULT at line 176 (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = rest (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { rlm_rest (rest): Reserved connection (1) (0) rest: Expanding URI components (0) rest: EXPAND https://6c14825b-a5cc-48a1-a0a7-723b78f0a90e.mock.pstmn.io (0) rest: --> https://6c14825b-a5cc-48a1-a0a7-723b78f0a90e.mock.pstmn.io (0) rest: EXPAND /api/v1/auth/login (0) rest: --> /api/v1/auth/login (0) rest: Sending HTTP POST to " https://6c14825b-a5cc-48a1-a0a7-723b78f0a90e.mock.pstmn.io/api/v1/auth/login " (0) rest: EXPAND {"username": "%{urlquote:%{User-Name}}", "password": "%{urlquote:%{User-Password}}"} (0) rest: --> {"username": "rba_user1", "password": "rba_user1"} (0) rest: Processing response header (0) rest: Status : 200 (OK) (0) rest: Type : json (application/json) (0) rest: Parsing attribute "username" (0) rest: WARNING: Failed parsing attribute: Invalid vendor name in attribute name "username", skipping... (0) rest: Parsing attribute "firstname" (0) rest: WARNING: Failed parsing attribute: Invalid vendor name in attribute name "firstname", skipping... (0) rest: Parsing attribute "lastname" (0) rest: WARNING: Failed parsing attribute: Invalid vendor name in attribute name "lastname", skipping... (0) rest: Parsing attribute "locationId" (0) rest: WARNING: Failed parsing attribute: Invalid vendor name in attribute name "locationId", skipping... (0) rest: Parsing attribute "id" (0) rest: WARNING: Failed parsing attribute: Invalid vendor name in attribute name "id", skipping... (0) rest: Parsing attribute "email" (0) rest: WARNING: Failed parsing attribute: Invalid vendor name in attribute name "email", skipping... (0) rest: Parsing attribute "access_token" (0) rest: WARNING: Failed parsing attribute: Invalid vendor name in attribute name "access_token", skipping... rlm_rest (rest): Released connection (1) Need 4 more connections to reach 10 spares rlm_rest (rest): Opening additional connection (6), 1 of 26 pending slots used rlm_rest (rest): Connecting to " https://6c14825b-a5cc-48a1-a0a7-723b78f0a90e.mock.pstmn.io/api/v1/auth/login " (0) [rest] = ok (0) } # authenticate = ok (0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (0) post-auth { (0) update { (0) No attributes updated (0) } # update = noop (0) sql: EXPAND .query (0) sql: --> .query (0) sql: Using query template 'query' rlm_sql (sql): Reserved connection (1) (0) sql: EXPAND %{User-Name} (0) sql: --> rba_user1 (0) sql: SQL-User-Name set to 'rba_user1' (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'rba_user1', 'rba_user1', 'Access-Accept', '2021-12-02 12:11:22') (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'rba_user1', 'rba_user1', 'Access-Accept', '2021-12-02 12:11:22') (0) sql: SQL query returned: success (0) sql: 1 record(s) updated rlm_sql (sql): Released connection (1) Need 4 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.7.36-0ubuntu0.18.04.1, protocol version 10 (0) [sql] = ok (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = ok (0) Sent Access-Accept Id 59 from 127.0.0.1:1812 to 127.0.0.1:33440 length 0 (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 59 with timestamp +26 [image: image.png] This is my whole authorize section in default server: authorize { filter_username filter_password update control { &REST-HTTP-Header += "secret: 1f215f4a27653bd17ddc54e320a1c61e37949fe5" &REST-HTTP-Header += "uuid: 84ce0574-5074-4b53-9ddc-fcb2c935a1b1" &REST-HTTP-Header += "Content-Type: application/json" } rest preprocess eap { ok = return # updated = return } unix files expiration logintime pap } While on a subject of authorization, do I need to have both authorization and authentication configured to fetch user data from API endpoint in the rest module? Because right now I'm sending double POST requests and from my understanding authorize section should only be checking if there is a right authentication method and correct atributes and setting the Auth type. Thank you for your feedback, kind regards On Thu, 2 Dec 2021 at 11:53, Matthew Newton <mcn@freeradius.org> wrote:
On 02/12/2021 10:40, Stjepan Roić wrote:
I'm new to this and I made a typo when you suggested different operator which I didn't notice later and the debug didn't drop an error on that part.
The configuration is very flexible, so you can define your own settings and read them in other parts of the config. That means adding things in the "wrong" places isn't usually a config error.
There are situations where the server will complain on startup (e.g. obsolete options still in use), but it can't complain about everything unusual that it sees.
You'll notice I'm getting Access-accept from the rest server but that's only because I disabled those headers verification on the mock server. I hope this debug can still provide info you need, if not please let me know what to share.
You've got this in your rest config:
update control { &REST-HTTP-Header += .... }
It needs to go in the main virtual server config (e.g. sites-available/default), somewhere _before_ you call the "rest" module. In your situation probably just after the "filter_username" policy call.
Module config defines things for each module. Requests pass through the appropriate virtual server, being altered and changed by modules on the way. If you want to add internal attributes that redefine how a module works they need to be set in the virtual server before that module is called.
-- Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Dec 2, 2021, at 7:34 AM, Stjepan Roić <roic27@gmail.com> wrote:
regarding your input I have previously tried placing that code inside the authentication section of the default server but got this error:
-- Unit freeradius.service has begun starting up.
Please post the debug outputL from "radiusd -X" or "freeradius -X". There is absolutely ZERO reason to post the logs from systemd. Yes, there's a reason we ask for the debug output. It lets us separate systemd issues from radius issue. And it means that the debug output is readable, instead of being randomly reformatted.
Dec 02 12:03:24 freeradius freeradius[7819]: FreeRADIUS Version 3.0.16 Dec 02 12:03:24 freeradius freeradius[7819]: Copyright (C) 1999-2017 The FreeRADIUS server project and contributors Dec 02 12:03:24 freeradius freeradius[7819]: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A Dec 02 12:03:24 freeradius freeradius[7819]: PARTICULAR PURPOSE
Does that look readable? No? That's why we ask for the debug output.
/etc/freeradius/3.0/sites-enabled/default[480]: Unknown Auth-Type "control" in authenticate sub-section.*
You edited the configuration and broke it. Don't do that. Why are you trying to set "Auth-Type" in the "authenticate" section? Why are you trying to set Auth-Type" to a value which doesn't exist?
Now I done it in the authorization section just before "filter_username" and although the server starts there is no difference in the output on the rest server, no headers incoming.
Debug: Ready to process requests (0) Received Access-Request Id 59 from 127.0.0.1:33440 to 127.0.0.1:1812 length 79 (0) User-Name = "rba_user1" (0) User-Password = "rba_user1" (0) NAS-IP-Address = 172.16.49.8 (0) NAS-Port = 0 (0) Message-Authenticator = 0x8204eb0ff20ae8b2ea0b4ed973d894c3 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound rlm_rest (rest): Reserved connection (0)
Note that the is NO "update control" section being run here. Did you edit the right file? Did you restart the server after editing the file? You did one of those steps wrong. THIS is why we ask for the debug output. It doesn't matter what you *think* you did. It matters what you actually did. And the debug output shows what you actually did. In this case, if you read the debug output, you'd see that there's no "update control" being run. At which point you can go back and verify that (a) you're editing the right file, and (b) you're restarting the server (which is documented as being needed) after editing the files. Alan DeKok.
Here is the output of freeradius -X. As you said there is no "update control" being run here, at least from what I can tell. Considering I do manual restart with "service freeradius stop/start/restart" after each change that shouldn't be a problem. So it has to be I'm editing the wrong file but it's the sites-enabled/default file. I attached that one also in the attachment. Any input is appreciated root@freeradius:/home/sroic# freeradius -X FreeRADIUS Version 3.0.16 Copyright (C) 1999-2017 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/freeradius/3.0/dictionary including configuration file /etc/freeradius/3.0/radiusd.conf including configuration file /etc/freeradius/3.0/proxy.conf including configuration file /etc/freeradius/3.0/clients.conf including files in directory /etc/freeradius/3.0/mods-enabled/ including configuration file /etc/freeradius/3.0/mods-enabled/digest including configuration file /etc/freeradius/3.0/mods-enabled/logintime including configuration file /etc/freeradius/3.0/mods-enabled/unpack including configuration file /etc/freeradius/3.0/mods-enabled/eap including configuration file /etc/freeradius/3.0/mods-enabled/utf8 including configuration file /etc/freeradius/3.0/mods-enabled/echo including configuration file /etc/freeradius/3.0/mods-enabled/preprocess including configuration file /etc/freeradius/3.0/mods-enabled/detail including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter including configuration file /etc/freeradius/3.0/mods-enabled/unix including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth including configuration file /etc/freeradius/3.0/mods-enabled/linelog including configuration file /etc/freeradius/3.0/mods-enabled/rest including configuration file /etc/freeradius/3.0/mods-enabled/sql including configuration file /etc/freeradius/3.0/mods-config/sql/main/mysql/queries.conf including configuration file /etc/freeradius/3.0/mods-enabled/chap including configuration file /etc/freeradius/3.0/mods-enabled/soh including configuration file /etc/freeradius/3.0/mods-enabled/radutmp including configuration file /etc/freeradius/3.0/mods-enabled/mschap including configuration file /etc/freeradius/3.0/mods-enabled/realm including configuration file /etc/freeradius/3.0/mods-enabled/pap including configuration file /etc/freeradius/3.0/mods-enabled/exec including configuration file /etc/freeradius/3.0/mods-enabled/always including configuration file /etc/freeradius/3.0/mods-enabled/passwd including configuration file /etc/freeradius/3.0/mods-enabled/files including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp including configuration file /etc/freeradius/3.0/mods-enabled/expr including configuration file /etc/freeradius/3.0/mods-enabled/replicate including configuration file /etc/freeradius/3.0/mods-enabled/expiration including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap including configuration file /etc/freeradius/3.0/mods-enabled/detail.log including files in directory /etc/freeradius/3.0/policy.d/ including configuration file /etc/freeradius/3.0/policy.d/eap including configuration file /etc/freeradius/3.0/policy.d/control including configuration file /etc/freeradius/3.0/policy.d/abfab-tr including configuration file /etc/freeradius/3.0/policy.d/dhcp including configuration file /etc/freeradius/3.0/policy.d/cui including configuration file /etc/freeradius/3.0/policy.d/operator-name including configuration file /etc/freeradius/3.0/policy.d/filter including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids including configuration file /etc/freeradius/3.0/policy.d/accounting including configuration file /etc/freeradius/3.0/policy.d/debug including configuration file /etc/freeradius/3.0/policy.d/canonicalization including files in directory /etc/freeradius/3.0/sites-enabled/ including configuration file /etc/freeradius/3.0/sites-enabled/default including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel main { security { user = "freerad" group = "freerad" allow_core_dumps = no } name = "freeradius" prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" } main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached # Creating Auth-Type = rest # Creating Auth-Type = eap # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP radiusd: #### Instantiating modules #### modules { # Loaded module rlm_digest # Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest # Loaded module rlm_logintime # Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_unpack # Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack # Loaded module rlm_eap # Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap eap { default_eap_type = "ttls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 } # Loaded module rlm_utf8 # Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8 # Loaded module rlm_exec # Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loaded module rlm_preprocess # Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess preprocess { huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups" hints = "/etc/freeradius/3.0/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_detail # Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail detail { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loaded module rlm_unix # Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Creating attribute Unix-Group # Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_linelog # Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog linelog { filename = "/var/log/freeradius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog linelog log_accounting { filename = "/var/log/freeradius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_rest # Loading module "rest" from file /etc/freeradius/3.0/mods-enabled/rest rest { connect_uri = " https://6c14825b-a5cc-48a1-a0a7-723b78f0a90e.mock.pstmn.io/api/v1/auth/login " connect_timeout = 4.000000 } # Loaded module rlm_sql # Loading module "sql" from file /etc/freeradius/3.0/mods-enabled/sql sql { driver = "rlm_sql_mysql" server = "localhost" port = 3306 login = "radius" password = <<< secret >>> radius_db = "radius" read_groups = yes read_profiles = yes read_clients = yes delete_stale_sessions = yes sql_user_name = "%{User-Name}" default_user_profile = "" client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" accounting { reference = "%{tolower:type.%{Acct-Status-Type}.query}" type { accounting-on { query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})" } accounting-off { query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})" } start { query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')" } interim-update { query = "UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctinterval = %{integer:Event-Timestamp} - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" } stop { query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" } } } post-auth { reference = ".query" query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')" } } rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked Creating attribute SQL-Group # Loaded module rlm_chap # Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap # Loaded module rlm_soh # Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_radutmp # Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_mschap # Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no } # Loaded module rlm_realm # Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_pap # Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap pap { normalise = yes } # Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_always # Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_passwd # Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_files # Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files files { filename = "/etc/freeradius/3.0/mods-config/files/authorize" acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting" preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy" } # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients # Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/freeradius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_expr # Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module rlm_replicate # Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate # Loaded module rlm_expiration # Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration # Loaded module rlm_cache # Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail auth_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail reply_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } instantiate { } # Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime # Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/etc/freeradius/3.0/certs" pem_file_type = yes private_key_file = "/etc/ssl/private/ssl-cert-snakeoil.key" certificate_file = "/etc/ssl/certs/ssl-cert-snakeoil.pem" ca_file = "/etc/ssl/certs/ca-certificates.crt" private_key_password = <<< secret >>> dh_file = "/etc/freeradius/3.0/certs/dh" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" cipher_server_preference = no ecdh_curve = "prime256v1" tls_max_version = "" tls_min_version = "1.0" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints # Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT". # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response # Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog # Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog # Instantiating module "rest" from file /etc/freeradius/3.0/mods-enabled/rest authorize { uri = " https://6c14825b-a5cc-48a1-a0a7-723b78f0a90e.mock.pstmn.io/api/v1/auth/login " method = "post" body = "json" data = "{"username": "%{urlquote:%{User-Name}}", "password": "%{urlquote:%{User-Password}}"}" auth = "none" require_auth = no timeout = 4.000000 chunk = 0 tls { check_cert = yes check_cert_cn = yes } } authenticate { uri = " https://6c14825b-a5cc-48a1-a0a7-723b78f0a90e.mock.pstmn.io/api/v1/auth/login " method = "post" body = "json" data = "{"username": "%{urlquote:%{User-Name}}", "password": "%{urlquote:%{User-Password}}"}" auth = "none" require_auth = no timeout = 4.000000 chunk = 0 tls { check_cert = yes check_cert_cn = yes } } accounting { uri = " https://6c14825b-a5cc-48a1-a0a7-723b78f0a90e.mock.pstmn.io/api/v1/auth/login/user/%{User-Name}/sessions/%{Acct-Unique-Session-ID} " method = "post" body = "none" auth = "none" require_auth = no timeout = 4.000000 chunk = 0 tls { check_cert = yes check_cert_cn = yes } } post-auth { uri = " https://6c14825b-a5cc-48a1-a0a7-723b78f0a90e.mock.pstmn.io/api/v1/auth/login/user/%{User-Name}/mac/%{Called-Station-ID}?action=post-auth " method = "post" body = "none" auth = "none" require_auth = no timeout = 4.000000 chunk = 0 tls { check_cert = yes check_cert_cn = yes } } rlm_rest: libcurl version: libcurl/7.58.0 OpenSSL/1.1.1 zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0 librtmp/2.3 rlm_rest (rest): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 30 spread = no } rlm_rest (rest): Opening additional connection (0), 1 of 32 pending slots used rlm_rest (rest): Connecting to " https://6c14825b-a5cc-48a1-a0a7-723b78f0a90e.mock.pstmn.io/api/v1/auth/login " rlm_rest (rest): Opening additional connection (1), 1 of 31 pending slots used rlm_rest (rest): Connecting to " https://6c14825b-a5cc-48a1-a0a7-723b78f0a90e.mock.pstmn.io/api/v1/auth/login " rlm_rest (rest): Opening additional connection (2), 1 of 30 pending slots used rlm_rest (rest): Connecting to " https://6c14825b-a5cc-48a1-a0a7-723b78f0a90e.mock.pstmn.io/api/v1/auth/login " rlm_rest (rest): Opening additional connection (3), 1 of 29 pending slots used rlm_rest (rest): Connecting to " https://6c14825b-a5cc-48a1-a0a7-723b78f0a90e.mock.pstmn.io/api/v1/auth/login " rlm_rest (rest): Opening additional connection (4), 1 of 28 pending slots used rlm_rest (rest): Connecting to " https://6c14825b-a5cc-48a1-a0a7-723b78f0a90e.mock.pstmn.io/api/v1/auth/login " # Instantiating module "sql" from file /etc/freeradius/3.0/mods-enabled/sql rlm_sql_mysql: libmysql version: 5.7.36 mysql { tls { } warnings = "auto" } rlm_sql (sql): Attempting to connect to database "radius" rlm_sql (sql): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 30 spread = no } rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.7.36-0ubuntu0.18.04.1, protocol version 10 rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.7.36-0ubuntu0.18.04.1, protocol version 10 rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.7.36-0ubuntu0.18.04.1, protocol version 10 rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.7.36-0ubuntu0.18.04.1, protocol version 10 rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.7.36-0ubuntu0.18.04.1, protocol version 10 rlm_sql (sql): Processing generate_sql_clients rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Reserved connection (0) rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Released connection (0) Need 5 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.7.36-0ubuntu0.18.04.1, protocol version 10 # Instantiating module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap rlm_mschap (mschap): using internal authentication # Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap # Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/files reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy # Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration # Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/3.0/radiusd.conf } # server server default { # from file /etc/freeradius/3.0/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} # Loading preacct {...} # Loading accounting {...} # Loading post-auth {...} } # server default server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:345 } # server inner-tunnel radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on proxy address * port 56492 Listening on proxy address :: port 35702 Ready to process requests On Thu, 2 Dec 2021 at 14:13, Alan DeKok <aland@deployingradius.com> wrote:
On Dec 2, 2021, at 7:34 AM, Stjepan Roić <roic27@gmail.com> wrote:
regarding your input I have previously tried placing that code inside the authentication section of the default server but got this error:
-- Unit freeradius.service has begun starting up.
Please post the debug outputL from "radiusd -X" or "freeradius -X". There is absolutely ZERO reason to post the logs from systemd.
Yes, there's a reason we ask for the debug output. It lets us separate systemd issues from radius issue. And it means that the debug output is readable, instead of being randomly reformatted.
Dec 02 12:03:24 freeradius freeradius[7819]: FreeRADIUS Version 3.0.16 Dec 02 12:03:24 freeradius freeradius[7819]: Copyright (C) 1999-2017 The FreeRADIUS server project and contributors Dec 02 12:03:24 freeradius freeradius[7819]: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A Dec 02 12:03:24 freeradius freeradius[7819]: PARTICULAR PURPOSE
Does that look readable? No? That's why we ask for the debug output.
/etc/freeradius/3.0/sites-enabled/default[480]: Unknown Auth-Type "control" in authenticate sub-section.*
You edited the configuration and broke it. Don't do that.
Why are you trying to set "Auth-Type" in the "authenticate" section?
Why are you trying to set Auth-Type" to a value which doesn't exist?
Now I done it in the authorization section just before "filter_username" and although the server starts there is no difference in the output on the rest server, no headers incoming.
Debug: Ready to process requests (0) Received Access-Request Id 59 from 127.0.0.1:33440 to 127.0.0.1:1812 length 79 (0) User-Name = "rba_user1" (0) User-Password = "rba_user1" (0) NAS-IP-Address = 172.16.49.8 (0) NAS-Port = 0 (0) Message-Authenticator = 0x8204eb0ff20ae8b2ea0b4ed973d894c3 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound rlm_rest (rest): Reserved connection (0)
Note that the is NO "update control" section being run here.
Did you edit the right file?
Did you restart the server after editing the file?
You did one of those steps wrong.
THIS is why we ask for the debug output. It doesn't matter what you *think* you did. It matters what you actually did. And the debug output shows what you actually did.
In this case, if you read the debug output, you'd see that there's no "update control" being run. At which point you can go back and verify that (a) you're editing the right file, and (b) you're restarting the server (which is documented as being needed) after editing the files.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Dec 2, 2021, at 8:49 AM, Stjepan Roić <roic27@gmail.com> wrote:
Here is the output of freeradius -X.
Which doesn't show it receiving any packets. The documentation you've been told to read says that this is the wrong thing to do. At this point, I'm done. I can't help you. Alan DeKok.
You mean that part I already sent you in a previous email? No problem, thanks for the "help" On Thu, 2 Dec 2021 at 14:57, Alan DeKok <aland@deployingradius.com> wrote:
On Dec 2, 2021, at 8:49 AM, Stjepan Roić <roic27@gmail.com> wrote:
Here is the output of freeradius -X.
Which doesn't show it receiving any packets. The documentation you've been told to read says that this is the wrong thing to do.
At this point, I'm done. I can't help you.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 02/12/2021 14:21, Stjepan Roić wrote:
You mean that part I already sent you in a previous email? No problem, thanks for the "help"
The previous output was rather mangled, and also before Alan suggested that you probably didn't edit the correct file. Just sending part of the debug doesn't help much in diagnosing if the issue has changed much since.
including configuration file /etc/freeradius/3.0/sites-enabled/default
Is this definitely the file you are editing? The debug output (beforehand, anyway, as not included this time) seems to indicate not. Your config snippet shows filter_username filter_password update control { &REST-HTTP-Header += "secret: 1f215f4a27653bd17ddc54e320a1c61e37949fe5" &REST-HTTP-Header += "uuid: 84ce0574-5074-4b53-9ddc-fcb2c935a1b1" &REST-HTTP-Header += "Content-Type: application/json" } rest The debug output shows only filter_username and rest, which indicates that the updated config is not being used. There are reasons for sending the _whole_ debug output every time. It's all we've got to go on to try and guess what you've actually done on your system (as opposed to what you say you did; experience shows people very often forget to say something, or don't explain properly, which *really* makes it hard when we're trying to understand the situation to help). -- Matthew
On Dec 2, 2021, at 9:29 AM, Matthew Newton <mcn@freeradius.org> wrote:
There are reasons for sending the _whole_ debug output every time. It's all we've got to go on to try and guess what you've actually done on your system (as opposed to what you say you did; experience shows people very often forget to say something, or don't explain properly, which *really* makes it hard when we're trying to understand the situation to help).
And don't send *edited* versions of the debug output. And *read* the debug output to see if the server is reading the files you edited. And when you ask a question, read the answer and follow the instructions. The people who have the most difficulty are the ones who ask questions, and then refuse to follow instructions. I don't know why people do this, but it's not productive. Over the last few years, the questions on the list have fallen into one of three categories: 1) people doing complex things who ask good questions, and get good answers and/or bug fixes and/or new features 2) people asking for help in situations where the documentation says what the server does, but they need help putting the pieces together. They also get good answers. 3) people who ask questions, and then refuse to follow instructions. Then when told to follow instructions, they get angry. The last category is the only reason why there's any conflict on this list. I've taken to simply warning, and then banning these people as a way to improve discussion. Alan DeKok.
Hi
-- Unit freeradius.service has begun starting up. Dec 02 12:03:24 freeradius freeradius[7819]: FreeRADIUS Version 3.0.16
Well, you’re using a version very old. The latest version has several patches against the “rlm_rest” module. Just use the latest version from our official repository available in https://packages.networkradius.com/ <https://packages.networkradius.com/> — Jorge Pereira
On Dec 2, 2021, at 5:40 AM, Stjepan Roić <roic27@gmail.com> wrote:
I'm sorry if I annoyed you but was just trying to explain my though process when reading the documentation.
The problem is when I say "post the debug output", the answer shouldn't be "you're the expert, I expected you to understand". The reason I ask for the debug output is that it's usually the only thing which will help. What I completely fail to understand is that all of the documentation says to do this. People still don't do it. And then get upset and argue when asked to post the debug output. This is what I go through pretty much every week. It's frustrating. Alan DeKok.
participants (4)
-
Alan DeKok -
Jorge Pereira -
Matthew Newton -
Stjepan Roić