rlm_rest with Freeradius
Thomas Massip
thomas.massip at e-tera.com
Mon Feb 13 14:28:12 CET 2017
Hi all,
I actually use FreeRADIUS Version 3.0.13 with PacketFence
and I have an issue when I try the rlm_rest.
If someone knows why I have this issue:
rest: ERROR: Server returned:
(0) rest: ERROR: {"Reply-Message":"PacketFence does not support this
switch for read/write access
login","reply:PacketFence-Authorization-Status":"allow"}
This is my output of radius -x:
(0) Received Access-Request Id 10 from 192.168.10.14:1812 to
192.168.10.22:1812 length 122
(0) User-Name = "UserTest"
(0) User-Password = "p at 55word"
(0) Service-Type = Framed-User
(0) Framed-Protocol = PPP
(0) NAS-Identifier = "las1.albari"
(0) NAS-Port-Type = Ethernet
(0) Acct-Session-Id = "las1.al00000000000000da6bb650001055"
(0) NAS-IP-Address = 192.168.10.14
(0) # Executing section authorize from file
/usr/local/pf/raddb/sites-enabled/packetfence
(0) authorize {
(0) update {
(0) EXPAND %{Packet-Src-IP-Address}
(0) --> 192.168.10.14
(0) &request:FreeRADIUS-Client-IP-Address := 192.168.10.14
(0) &control:PacketFence-RPC-Server = 127.0.0.1
(0) &control:PacketFence-RPC-Port = 7070
(0) &control:PacketFence-RPC-User =
(0) &control:PacketFence-RPC-Pass =
(0) &control:PacketFence-RPC-Proto = http
(0) EXPAND %l
(0) --> 1486992205
(0) &control:Tmp-Integer-0 := 1486992205
(0) &control:PacketFence-Request-Time := 0
(0) } # update = noop
(0) policy rewrite_calling_station_id {
(0) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(0) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy rewrite_calling_station_id = noop
(0) policy rewrite_called_station_id {
(0) if ((&Called-Station-Id) && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
{
(0) if ((&Called-Station-Id) && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
-> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy rewrite_called_station_id = noop
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = noop
(0) } # policy filter_username = noop
(0) policy filter_password {
(0) if (&User-Password && (&User-Password !=
"%{string:User-Password}")) {
(0) EXPAND %{string:User-Password}
(0) --> p at 55word
(0) if (&User-Password && (&User-Password !=
"%{string:User-Password}")) -> FALSE
(0) } # policy filter_password = noop
(0) [preprocess] = ok
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "UserTest", skipping NULL due to config.
(0) [suffix] = noop
(0) ntdomain: Checking for prefix before "\"
(0) ntdomain: No '\' in User-Name = "UserTest", looking up realm NULL
(0) ntdomain: Found realm "null"
(0) ntdomain: Adding Stripped-User-Name = "UserTest"
(0) ntdomain: Adding Realm = "null"
(0) ntdomain: Authentication realm is LOCAL
(0) [ntdomain] = ok
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) if ( !EAP-Message ) {
(0) if ( !EAP-Message ) -> TRUE
(0) if ( !EAP-Message ) {
(0) update {
(0) &control:Auth-Type := Accept
(0) } # update = noop
(0) } # if ( !EAP-Message ) = noop
(0) policy packetfence-eap-mac-policy {
(0) if ( &EAP-Type ) {
(0) if ( &EAP-Type ) -> FALSE
(0) [noop] = noop
(0) } # policy packetfence-eap-mac-policy = noop
(0) pap: WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(0) pap: WARNING: !!! Ignoring control:User-Password. Update
your !!!
(0) pap: WARNING: !!! configuration so that the "known good" clear text !!!
(0) pap: WARNING: !!! password is in Cleartext-Password and NOT
in !!!
(0) pap: WARNING: !!!
User-Password. !!!
(0) pap: WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(0) pap: WARNING: Auth-Type already set. Not setting to PAP
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user
(0) # Executing section post-auth from file
/usr/local/pf/raddb/sites-enabled/packetfence
(0) post-auth {
(0) update {
(0) EXPAND %{Packet-Src-IP-Address}
(0) --> 192.168.10.14
(0) &request:FreeRADIUS-Client-IP-Address := 192.168.10.14
(0) &control:PacketFence-RPC-Server = 127.0.0.1
(0) &control:PacketFence-RPC-Port = 7070
(0) &control:PacketFence-RPC-User =
(0) &control:PacketFence-RPC-Pass =
(0) &control:PacketFence-RPC-Proto = http
(0) } # update = noop
(0) if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) {
(0) if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) -> TRUE
(0) if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) {
rlm_rest (rest): Closing connection (0): Hit idle_timeout, was idle for
282 seconds
rlm_rest (rest): Closing connection (1): Hit idle_timeout, was idle for
282 seconds
rlm_rest (rest): Closing connection (2): Hit idle_timeout, was idle for
282 seconds
rlm_rest (rest): You probably need to lower "min"
rlm_rest (rest): Closing connection (3): Hit idle_timeout, was idle for
282 seconds
rlm_rest (rest): You probably need to lower "min"
rlm_rest (rest): Closing connection (4): Hit idle_timeout, was idle for
282 seconds
rlm_rest (rest): You probably need to lower "min"
rlm_rest (rest): 0 of 0 connections in use. You may need to increase
"spare"
rlm_rest (rest): Opening additional connection (5), 1 of 64 pending
slots used
rlm_rest (rest): Connecting to "http://127.0.0.1:7070/"
rlm_rest (rest): Reserved connection (5)
(0) rest: Expanding URI components
(0) rest: EXPAND http://127.0.0.1:7070
(0) rest: --> http://127.0.0.1:7070
(0) rest: EXPAND //radius/rest/authorize
(0) rest: --> //radius/rest/authorize
(0) rest: Sending HTTP POST to
"http://127.0.0.1:7070//radius/rest/authorize"
(0) rest: Encoding attribute "User-Name"
(0) rest: Encoding attribute "User-Password"
(0) rest: Encoding attribute "NAS-IP-Address"
(0) rest: Encoding attribute "Service-Type"
(0) rest: Encoding attribute "Framed-Protocol"
(0) rest: Encoding attribute "NAS-Identifier"
(0) rest: Encoding attribute "NAS-Port-Type"
(0) rest: Encoding attribute "Acct-Session-Id"
(0) rest: Encoding attribute "Event-Timestamp"
(0) rest: Encoding attribute "Stripped-User-Name"
(0) rest: Encoding attribute "Realm"
(0) rest: Encoding attribute "FreeRADIUS-Client-IP-Address"
(0) rest: Processing response header
(0) rest: Status : 401 (Unauthorized)
(0) rest: Type : json (application/json)
(0) rest: ERROR: Server returned:
(0) rest: ERROR: {"Reply-Message":"PacketFence does not support this
switch for read/write access
login","reply:PacketFence-Authorization-Status":"allow"}
rlm_rest (rest): Released connection (5)
rlm_rest (rest): Need 2 more connections to reach 10 spares
rlm_rest (rest): Opening additional connection (6), 1 of 63 pending
slots used
rlm_rest (rest): Connecting to "http://127.0.0.1:7070/"
(0) [rest] = invalid
(0) } # if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) )
= invalid
(0) } # post-auth = invalid
(0) Using Post-Auth-Type Reject
(0) # Executing group from file
/usr/local/pf/raddb/sites-enabled/packetfence
(0) Post-Auth-Type REJECT {
(0) if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) {
(0) if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) -> TRUE
(0) if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) {
(0) policy packetfence-audit-log-reject {
(0) if (&User-Name != "dummy") {
(0) if (&User-Name != "dummy") -> TRUE
(0) if (&User-Name != "dummy") {
(0) policy request-timing {
(0) if (control:PacketFence-Request-Time != 0) {
(0) if (control:PacketFence-Request-Time != 0) -> FALSE
(0) } # policy request-timing = noop
(0) sql_reject: EXPAND type.reject.query
(0) sql_reject: --> type.reject.query
(0) sql_reject: Using query template 'query'
rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for
282 seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for
282 seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for
282 seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (4): Hit idle_timeout, was idle for
282 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for
282 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (5): Hit idle_timeout, was idle for
282 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare"
rlm_sql (sql): Opening additional connection (6), 1 of 64 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'pf' on Localhost via UNIX socket,
server version 5.5.52-MariaDB, protocol version 10
rlm_sql (sql): Reserved connection (6)
(0) sql_reject: EXPAND %{User-Name}
(0) sql_reject: --> UserTest
(0) sql_reject: SQL-User-Name set to 'UserTest'
(0) sql_reject: EXPAND INSERT INTO radius_audit_log ( mac,
ip, computer_name, user_name, stripped_user_name, realm,
event_type, switch_id, switch_mac, switch_ip_address,
radius_source_ip_address, called_station_id,
calling_station_id, nas_port_type, ssid,
nas_port_id, ifindex, nas_port,
connection_type, nas_ip_address, nas_identifier,
auth_status, reason, auth_type, eap_type,
role, node_status, profile, source, auto_reg, is_phone,
pf_domain, uuid, radius_request, radius_reply,
request_time) VALUES (
'%{request:Calling-Station-Id}', '%{request:Framed-IP-Address}',
'%{%{control:PacketFence-Computer-Name}:-N/A}', '%{request:User-Name}',
'%{request:Stripped-User-Name}', '%{request:Realm}',
'Radius-Access-Request', '%{%{control:PacketFence-Switch-Id}:-N/A}',
'%{%{control:PacketFence-Switch-Mac}:-N/A}',
'%{%{control:PacketFence-Switch-Ip-Address}:-N/A}',
'%{Packet-Src-IP-Address}', '%{request:Called-Station-Id}',
'%{request:Calling-Station-Id}', '%{request:NAS-Port-Type}',
'%{request:Called-Station-SSID}', '%{request:NAS-Port-Id}',
'%{%{control:PacketFence-IfIndex}:-N/A}', '%{request:NAS-Port}',
'%{%{control:PacketFence-Connection-Type}:-N/A}',
'%{request:NAS-IP-Address}', '%{request:NAS-Identifier}',
'Reject', '%{request:Module-Failure-Message}',
'%{control:Auth-Type}', '%{request:EAP-Type}',
'%{%{control:PacketFence-Role}:-N/A}',
'%{%{control:PacketFence-Status}:-N/A}',
'%{%{control:PacketFence-Profile}:-N/A}',
'%{%{control:PacketFence-Source}:-N/A}',
'%{%{control:PacketFence-AutoReg}:-N/A}',
'%{%{control:PacketFence-IsPhone}:-N/A}',
'%{request:PacketFence-Domain}', '',
'%{pairs:&request:[*]}','%{pairs:&reply:[*]}',
'%{%{control:PacketFence-Request-Time}:-N/A}')
(0) sql_reject: --> INSERT INTO radius_audit_log ( mac, ip,
computer_name, user_name, stripped_user_name, realm,
event_type, switch_id, switch_mac, switch_ip_address,
radius_source_ip_address, called_station_id,
calling_station_id, nas_port_type, ssid,
nas_port_id, ifindex, nas_port,
connection_type, nas_ip_address, nas_identifier,
auth_status, reason, auth_type, eap_type,
role, node_status, profile, source, auto_reg, is_phone,
pf_domain, uuid, radius_request, radius_reply,
request_time) VALUES ( '', '', 'N/A',
'UserTest', 'UserTest', 'null',
'Radius-Access-Request', 'N/A', 'N/A',
'N/A', '192.168.10.14', '', '', 'Ethernet', '',
'', 'N/A', '', 'N/A', '192.168.10.14', 'las1.albari',
'Reject', 'rest: Server returned:', 'Accept',
'', 'N/A', 'N/A', 'N/A', 'N/A', 'N/A',
'N/A', '', '', 'User-Name =3D =22UserTest=22=2C
User-Password =3D =22p at 55word=22=2C NAS-IP-Address =3D 192.168.10.14=2C
Service-Type =3D Framed-User=2C Framed-Protocol =3D PPP=2C
NAS-Identifier =3D =22las1.albari=22=2C NAS-Port-Type =3D Ethernet=2C
Acct-Session-Id =3D =22las1.al00000000000000da6bb650001055=22=2C
Event-Timestamp =3D =22févr. 13 2017 14:23:25 CET=22=2C
Stripped-User-Name =3D =22UserTest=22=2C Realm =3D =22null=22=2C
FreeRADIUS-Client-IP-Address =3D 192.168.10.14=2C Module-Failure-Message
=3D =22rest: Server returned:=22=2C Module-Failure-Message =3D =22rest:
=7B=5C=22Reply-Message=5C=22:=5C=22PacketFence does not support this
switch for read/write access
login=5C=22=2C=5C=22reply:PacketFence-Authorization-Status=5C=22:=5C=22allow=5C=22=7D=22=2C
SQL-User-Name =3D =22UserTest=22','', '0')
(0) sql_reject: Executing query: INSERT INTO
radius_audit_log ( mac, ip, computer_name,
user_name, stripped_user_name, realm,
event_type, switch_id, switch_mac,
switch_ip_address, radius_source_ip_address,
called_station_id, calling_station_id, nas_port_type,
ssid, nas_port_id, ifindex, nas_port,
connection_type, nas_ip_address, nas_identifier,
auth_status, reason, auth_type, eap_type,
role, node_status, profile, source, auto_reg, is_phone,
pf_domain, uuid, radius_request, radius_reply,
request_time) VALUES ( '', '', 'N/A',
'UserTest', 'UserTest', 'null',
'Radius-Access-Request', 'N/A', 'N/A',
'N/A', '192.168.10.14', '', '', 'Ethernet', '',
'', 'N/A', '', 'N/A', '192.168.10.14', 'las1.albari',
'Reject', 'rest: Server returned:', 'Accept',
'', 'N/A', 'N/A', 'N/A', 'N/A', 'N/A',
'N/A', '', '', 'User-Name =3D =22UserTest=22=2C
User-Password =3D =22p at 55word=22=2C NAS-IP-Address =3D 192.168.10.14=2C
Service-Type =3D Framed-User=2C Framed-Protocol =3D PPP=2C
NAS-Identifier =3D =22las1.albari=22=2C NAS-Port-Type =3D Ethernet=2C
Acct-Session-Id =3D =22las1.al00000000000000da6bb650001055=22=2C
Event-Timestamp =3D =22févr. 13 2017 14:23:25 CET=22=2C
Stripped-User-Name =3D =22UserTest=22=2C Realm =3D =22null=22=2C
FreeRADIUS-Client-IP-Address =3D 192.168.10.14=2C Module-Failure-Message
=3D =22rest: Server returned:=22=2C Module-Failure-Message =3D =22rest:
=7B=5C=22Reply-Message=5C=22:=5C=22PacketFence does not support this
switch for read/write access
login=5C=22=2C=5C=22reply:PacketFence-Authorization-Status=5C=22:=5C=22allow=5C=22=7D=22=2C
SQL-User-Name =3D =22UserTest=22','', '0')
(0) sql_reject: SQL query returned: success
(0) sql_reject: 1 record(s) updated
rlm_sql (sql): Released connection (6)
rlm_sql (sql): Need 2 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (7), 1 of 63 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'pf' on Localhost via UNIX socket,
server version 5.5.52-MariaDB, protocol version 10
(0) [sql_reject] = ok
(0) } # if (&User-Name != "dummy") = ok
(0) } # policy packetfence-audit-log-reject = ok
(0) } # if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) )
= ok
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> UserTest
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) attr_filter.packetfence_post_auth: EXPAND %{User-Name}
(0) attr_filter.packetfence_post_auth: --> UserTest
(0) attr_filter.packetfence_post_auth: Matched entry DEFAULT at line 10
(0) [attr_filter.packetfence_post_auth] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) linelog: EXPAND messages.%{%{reply:Packet-Type}:-default}
(0) linelog: --> messages.Access-Accept
(0) linelog: EXPAND %t : [mac:%{Calling-Station-Id}] Accepted user:
%{reply:User-Name} and returned VLAN %{reply:Tunnel-Private-Group-ID}
(0) linelog: --> Mon Feb 13 14:23:25 2017 : [mac:] Accepted user:
and returned VLAN
(0) linelog: EXPAND /usr/local/pf/logs/radius.log
(0) linelog: --> /usr/local/pf/logs/radius.log
(0) [linelog] = ok
(0) } # Post-Auth-Type REJECT = updated
(0) Rejected in post-auth: [UserTest] (from client 192.168.10.0/24 port 0)
(0) Delaying response for 1.000000 seconds
Waking up in 0.1 seconds.
Waking up in 0.8 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 10 from 192.168.10.22:1812 to
192.168.10.14:1812 length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 10 with timestamp +282
Ready to process requests
Thanks for your help
Best regards
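Added example (not part of the post above, and not PacketFence or FreeRADIUS code): a small triage script for the kind of `radiusd -X` output shown here. It re-joins lines a mail client wrapped, pulls out each `(N) rest:` exchange (request URL, attributes encoded into the body, HTTP status, JSON body, module return code) and reports the points worth checking first: the doubled slash in the request path that results from the base URL and the `uri` both carrying a `/`, a non-2xx status with the backend's `Reply-Message`, and the fact that `reply:` attributes inside an error body end up logged rather than applied. The sample log is a constructed excerpt modelled on the post; the line-joining rule and the findings are the script's own heuristics, not rlm_rest's.

```python
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample modelled on the debug output in the post; the JSON error
# body is deliberately wrapped across two lines the way the mail client did it.
SAMPLE_LOG = """\
(0) rest: Sending HTTP POST to "http://127.0.0.1:7070//radius/rest/authorize"
(0) rest: Encoding attribute "User-Name"
(0) rest: Encoding attribute "User-Password"
(0) rest: Encoding attribute "NAS-IP-Address"
(0) rest: Processing response header
(0) rest: Status : 401 (Unauthorized)
(0) rest: Type : json (application/json)
(0) rest: ERROR: Server returned:
(0) rest: ERROR: {"Reply-Message":"PacketFence does not support this
switch for read/write access login","reply:PacketFence-Authorization-Status":"allow"}
rlm_rest (rest): Released connection (5)
(0) [rest] = invalid
"""

# Heuristic: a line that starts like a radiusd debug line begins a new record;
# anything else is a mail-client continuation of the previous line.
NEW_LINE = re.compile(r"^(\(\d+\)\s|rlm_\w+ |Waking up|Ready to)")


def unwrap(text: str) -> List[str]:
    """Re-join wrapped lines so each debug record is one string."""
    lines: List[str] = []
    for raw in text.splitlines():
        if NEW_LINE.match(raw) or not lines:
            lines.append(raw.rstrip())
        else:
            lines[-1] += " " + raw.strip()
    return lines


@dataclass
class RestCall:
    request_id: int
    method: str = ""
    url: str = ""
    attributes: List[str] = field(default_factory=list)  # encoded into the body
    status: Optional[int] = None
    content_type: str = ""
    body: str = ""
    rcode: str = ""  # module return code, e.g. "invalid"

    def json(self) -> Optional[dict]:
        """Parsed response body, or None if absent or not JSON."""
        try:
            return json.loads(self.body) if self.body else None
        except json.JSONDecodeError:
            return None


PATTERNS = {
    "request": re.compile(r'^\((\d+)\) rest: Sending HTTP (\w+) to "([^"]+)"'),
    "attr": re.compile(r'^\((\d+)\) rest: Encoding attribute "([^"]+)"'),
    "status": re.compile(r"^\((\d+)\) rest: Status : (\d+)"),
    "type": re.compile(r"^\((\d+)\) rest: Type : \w+ \(([^)]+)\)"),
    "body": re.compile(r"^\((\d+)\) rest: ERROR: (\{.*\})\s*$"),
    "rcode": re.compile(r"^\((\d+)\) \[rest\] = (\w+)"),
}


def parse_rest_calls(text: str) -> Dict[int, RestCall]:
    """Collect one RestCall per request id from radiusd -X output."""
    calls: Dict[int, RestCall] = {}
    for line in unwrap(text):
        for kind, pat in PATTERNS.items():
            m = pat.match(line)
            if not m:
                continue
            call = calls.setdefault(int(m.group(1)), RestCall(int(m.group(1))))
            if kind == "request":
                call.method, call.url = m.group(2), m.group(3)
            elif kind == "attr":
                call.attributes.append(m.group(2))
            elif kind == "status":
                call.status = int(m.group(2))
            elif kind == "type":
                call.content_type = m.group(2)
            elif kind == "body":
                call.body = m.group(2)
            elif kind == "rcode":
                call.rcode = m.group(2)
            break
    return calls


def triage(call: RestCall) -> List[str]:
    """Human-readable findings for one rlm_rest exchange."""
    findings: List[str] = []
    scheme, _, rest = call.url.partition("://")
    host = rest.split("/", 1)[0]
    path = rest[rest.find("/"):] if "/" in rest else ""
    if "//" in path:
        findings.append(f"double slash in request path {path!r}: base URL and "
                        "section 'uri' both carry a '/', so the backend sees an "
                        "unexpected path")
    if scheme == "http" and "User-Password" in call.attributes:
        findings.append(f"User-Password is forwarded over plain http to {host}; "
                        "fine for a loopback hop, otherwise use https")
    if call.status is not None and not 200 <= call.status < 300:
        body = call.json() or {}
        findings.append(f"HTTP {call.status} from the REST backend, module rcode "
                        f"'{call.rcode}'; backend says: "
                        f"{body.get('Reply-Message', '<no Reply-Message>')}")
        reply_keys = [k for k in body if k.startswith("reply:")]
        if reply_keys:
            findings.append(f"error body also carries {reply_keys}, but with a "
                            "non-2xx status it is logged as an error, not "
                            "applied to the reply")
    return findings


if __name__ == "__main__":
    for rid, c in sorted(parse_rest_calls(SAMPLE_LOG).items()):
        print(f"({rid}) {c.method} {c.url} -> {c.status} [{c.rcode}]")
        for finding in triage(c):
            print("  -", finding)
```

Run it against a saved `radiusd -X` capture by replacing `SAMPLE_LOG` with the file contents; the unwrap step only matters for logs that went through a mail client, and it is a heuristic, so check its output on lines that legitimately start without a `(N)` prefix.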