Re: [openwisp] Openwisp-Radius logs 'Token authentication failed' with correct UUID + Token
291 views
Skip to first unread message
Federico Capoano
Nov 23, 2021, 12:53:28 PM11/23/21
to open...@googlegroups.com
First thing that comes to my eyes is the following:
Authorization: Bearer 2463f97d-bd0e-4c29-9ccc-f845c96571d1 & 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd
Authorization: Bearer <org-uuid> <token>
In your case it seems to me that it's instead:
Authorization: Bearer <org-uuid> & <token>
Did you come up with your ampersand on your own or is it something you see anywhere in the docs? If you see it anywhere please let me know so I can fix it because it's not right.
I think it should be:
Authorization: Bearer 2463f97d-bd0e-4c29-9ccc-f845c96571d1 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd
Ensure the token is the organization radius settings token and not the openwisp controller shared secret, instructions on how to find these values are described here:
I hope this helps.
Best regards
Federico CapoanoOn Tue, Nov 23, 2021 at 4:18 AM Filip Waluda <filip...@gmail.com> wrote:
As per Gitter, here is the part of freeradius -X output as well as the configuration files for the mods and sites:freeradius -X:(0) Received Access-Request Id 203 from {PUBLIC-IP-OF-CLIENT}:50130 to 192.168.105.97:1812 length 79(0) Service-Type = Authenticate-Only(0) User-Name = "TestUser"(0) User-Password = "TestPassword123_"(0) NAS-Port-Type = Wireless-802.11(0) NAS-Identifier = "firewallH23"(0) NAS-Port = 0(0) NAS-IP-Address = {PUBLIC-IP-OF-CLIENT}(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/openwisp_site(0) authorize {(0) update control {(0) &REST-HTTP-Header += "Authorization: Bearer 2463f97d-bd0e-4c29-9ccc-f845c96571d1 & 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd"(0) } # update control = nooprlm_rest (rest): Reserved connection (0)(0) rest: Expanding URI components(0) rest: EXPAND https://radius.domainplaceholder.de(0) rest: --> https://radius.domainplaceholder.de(0) rest: EXPAND /api/v1/freeradius/authorize/(0) rest: --> /api/v1/freeradius/authorize/(0) rest: Sending HTTP POST to "https://radius.domainplaceholder.de/api/v1/freeradius/authorize/"(0) rest: EXPAND {"username": "%{User-Name}", "password": "%{User-Password}"}(0) rest: --> {"username": "TestUser", "password": "TestPassword123_"}(0) rest: Processing response header(0) rest: Status : 403 (Forbidden)(0) rest: Type : json (application/json)(0) rest: ERROR: Server returned:(0) rest: ERROR: {"detail":"Token authentication failed"}rlm_rest (rest): Released connection (0)(0) [rest] = userlock(0) } # authorize = userlock(0) Invalid user (rest: Server returned:): [TestUser] (from client firewallH23 port 0)(0) Using Post-Auth-Type Reject(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/openwisp_site(0) Post-Auth-Type REJECT {(0) update control {(0) &REST-Http-Header += "Authorization: Bearer 2463f97d-bd0e-4c29-9ccc-f845c96571d1 & 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd"(0) } # update control = nooprlm_rest (rest): Reserved connection (1)(0) rest: Expanding URI components(0) rest: EXPAND https://radius.domainplaceholder.de(0) rest: --> https://radius.domainplaceholder.de(0) rest: EXPAND /api/v1/freeradius/postauth/(0) rest: --> /api/v1/freeradius/postauth/(0) rest: Sending HTTP POST to "https://radius.domainplaceholder.de/api/v1/freeradius/postauth/"(0) rest: EXPAND {"username": "%{User-Name}", "password": "%{User-Password}", "reply": "%{reply:Packet-Type}", "called_station_id": "%{Called-Station-ID}", "calling_station_id": "%{Calling-Station-ID}"}(0) rest: --> {"username": "TestUser", "password": "TestPassword123_", "reply": "Access-Reject", "called_station_id": "", "calling_station_id": ""}(0) rest: Processing response header(0) rest: Status : 403 (Forbidden)(0) rest: Type : json (application/json)(0) rest: ERROR: Server returned:(0) rest: ERROR: {"detail":"Token authentication failed"}rlm_rest (rest): Released connection (1)(0) [rest] = invalid(0) } # Post-Auth-Type REJECT = invalid(0) Delaying response for 1.000000 secondsWaking up in 0.1 seconds.Waking up in 0.8 seconds.(0) Sending delayed response(0) Sent Access-Reject Id 203 from 192.168.105.97:1812 to {PUBLIC-IP-OF-CLIENT}:50130 length 20Waking up in 3.9 seconds.(0) Cleaning up request packet ID 203 with timestamp +48Ready to process requestsmods-enabled\rest:rest {tls = {}connect_uri = "https://radius.domainplaceholder.de/api/v1/freeradius"authorize {uri = "${..connect_uri}/authorize/"method = 'post'body = 'json'data = '{"username": "%{User-Name}", "password": "%{User-Password}"}'tls = ${..tls}}# this section can be left emptyauthenticate {}post-auth {uri = "${..connect_uri}/postauth/"method = 'post'body = 'json'data = '{"username": "%{User-Name}", "password": "%{User-Password}", "reply": "%{reply:Packet-Type}", "called_station_id": "%{Called-Station-ID}", "calling_station_id": "%{Calling-Station-ID}"}'tls = ${..tls}}accounting {uri = "${..connect_uri}/accounting/"method = 'post'body = 'json'data = '{"status_type": "%{Acct-Status-Type}", "session_id": "%{Acct-Session-Id}", "unique_id": "%{Acct-Unique-Session-Id}", "username": "%{User-Name}", "realm": "%{Realm}", "nas_ip_address": "%{NAS-IP-Address}", "nas_port_id": "%{NAS-Port}", "nas_port_type": "%{NAS-Port-Type}", "session_time": "%{Acct-Session-Time}", "authentication": "%{Acct-Authentic}", "input_octets": "%{Acct-Input-Octets}", "output_octets": "%{Acct-Output-Octets}", "called_station_id": "%{Called-Station-Id}", "calling_station_id": "%{Calling-Station-Id}", "terminate_cause": "%{Acct-Terminate-Cause}", "service_type": "%{Service-Type}", "framed_protocol": "%{Framed-Protocol}", "framed_ip_address": "%{Framed-IP-Address}"}'tls = ${..tls}}}sites-enabled\openwisp_site:server default {api_token_header = "Authorization: Bearer 2463f97d-bd0e-4c29-9ccc-f845c96571d1 & 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd"listen {type = authipaddr = *port = 0limit {max_connections = 16lifetime = 0idle_timeout = 30}}listen {ipaddr = *port = 0type = acctlimit {}}authorize {update control { &REST-HTTP-Header += "${...api_token_header}" }restsqldailycounterdailybandwidthcounternoresetcounter}authenticate {}preacct {preprocessacct_uniquesuffixfiles}accounting {update control { &REST-HTTP-Header += "${...api_token_header}" }rest}session {}post-auth {update control { &REST-HTTP-Header += "${...api_token_header}" }restPost-Auth-Type REJECT {update control { &REST-Http-Header += "${....api_token_header}" }rest}}pre-proxy {}post-proxy {}}mods-enabled\sql (unchanged):--sql {driver = "rlm_sql_sqlite"dialect = "sqlite"sqlite {filename = "/opt/openwisp2/db.sqlite3"}acct_table1 = "radacct"acct_table2 = "radacct"postauth_table = "radpostauth"authcheck_table = "radcheck"groupcheck_table = "radgroupcheck"authreply_table = "radreply"groupreply_table = "radgroupreply"usergroup_table = "radusergroup"delete_stale_sessions = yesclient_table = "nas"read_clients = yesgroup_attribute = "SQL-Group"$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.confpool {start = ${thread[pool].start_servers}min = ${thread[pool].min_spare_servers}max = ${thread[pool].max_servers}spare = ${thread[pool].max_spare_servers}uses = 0retry_delay = 30lifetime = 0idle_timeout = 60}}
You received this message because you are subscribed to the Google Groups "OpenWISP" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openwisp+u...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/openwisp/c61aa74a-002b-467f-832c-1b120b64744dn%40googlegroups.com.
Filip Waluda
Nov 25, 2021, 10:25:58 AM11/25/21
to OpenWISP
Thanks for this - totally missed it when glancing over and comparing the configuration file. After removing the ampersand it started working immediately.
I am 90% sure that I've copied the line from one of the docs and exchanged the uuid and token, but couldn't find said doc just yet. I'll look through them when I have time later this week. I can create a pull request in case I find it if you wish.
Reply all
Reply to author
Forward
0 new messages