Hi all,
Since enabling SoH and creating a violation for no antivirus, my clients no
longer get authenticated via RADIUS. Commenting out the two SoH lines in
eap.conf and restarting the RADIUS service results in authentication working
again.
The first thing I found from running in debug mode were the following syslog
errors:
radiusd_pfsoh[6593]: Error in SOAP communication with server: 401 Authorization Required
radiusd_pfsoh[6593]: SoH SOAP request failed: Can't call method "fault" on an undefined value at /etc/raddb/packetfence-soh.pm line 89.
After looking in the packetfence-soh.pm file I could see that it was expecting
the webservice password to be provided, so after putting that in and again
restarting the service, those syslog messages disappeared.
However, RADIUS is still failing my client.
The parts of the RADIUS debug output that I think are relevant show:
# Executing group from file /etc/raddb/sites-enabled/packetfence
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR SOH RESPONSE
[peap] EAP type nak
[peap] SoH - client NAKed
[peap] Setting User-Name to sm18818
[peap] Processing SoH request
SoH-Supported = no
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "sm18818"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-09-E8-98-A0-02"
Calling-Station-Id = "00-24-54-42-86-04"
Cisco-AVPair = "audit-session-id=0A01011500000072292F4EBC"
NAS-Port-Type = Ethernet
NAS-Port = 50002
NAS-Port-Id = "FastEthernet0/2"
NAS-IP-Address = 10.1.1.21
[peap] server soh-server {
# Executing section authorize from file /etc/raddb/sites-enabled/packetfence-soh
+- entering group authorize {...}
rlm_perl: Added pair NAS-Port-Type = Ethernet
rlm_perl: Added pair SoH-Supported = no
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Calling-Station-Id = 00-24-54-42-86-04
rlm_perl: Added pair Called-Station-Id = 00-09-E8-98-A0-02
rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
rlm_perl: Added pair Cisco-AVPair = audit-session-id=0A01011500000072292F4EBC
rlm_perl: Added pair User-Name = sm18818
rlm_perl: Added pair NAS-IP-Address = 10.1.1.21
rlm_perl: Added pair NAS-Port = 50002
rlm_perl: Added pair NAS-Port-Id = FastEthernet0/2
rlm_perl: Added pair Framed-MTU = 1500
++[packetfence-soh] returns fail
[peap] } # server soh-server
[peap] Got SoH reply
[peap] SoH was rejected
[peap] FAILURE
My client is a Windows 7 laptop with wired dot1x authentication set up,
authenticating via PEAP and with the NAP service running and enforced in the dot1x
settings. Even so, I would hope that devices without SoH (Mac etc.) would
still be able to authenticate via RADIUS.
Thanks for your help,
Andi
---------------------------------------------------------------
Andi Morris
Technical Security Analyst
Systems and Communications Services
Information Services Division
UWIC
Cardiff
Wales
CF5 2YB
02920 205720
--------------------------------------------------------------
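The debug transcript above is the whole evidence for where the session is failed: the client NAKs the SoH request, the tunneled attributes carry SoH-Supported = no, the packetfence-soh module in the soh-server virtual server returns fail, and PEAP then reports "SoH was rejected". The following Python is an added triage helper, not code from the post or from PacketFence or FreeRADIUS; it assumes only the line formats visible in the post ("Attribute = value" pairs, "++[module] returns rcode", and the "[peap] ..." state lines) and runs over a constructed excerpt trimmed from the quoted output. It separates the "no SoH client on the device" case (SoH-Supported = no, the situation Andi asks about for Macs) from a policy rejection by the inner module, which is the distinction a defender needs before deciding whether the inner server's policy should be relaxed for non-SoH clients.

```python
"""Triage helper for a FreeRADIUS PEAP/SoH debug transcript.

Added example: not part of the original mailing-list post and not PacketFence
or FreeRADIUS code. It parses a constructed excerpt modelled on the radiusd
debug lines quoted in the post and explains where the SoH flow failed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample: a trimmed copy of the debug lines quoted in the post.
SAMPLE_DEBUG = """\
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR SOH RESPONSE
[peap] EAP type nak
[peap] SoH - client NAKed
[peap] Setting User-Name to sm18818
[peap] Processing SoH request
SoH-Supported = no
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "sm18818"
Calling-Station-Id = "00-24-54-42-86-04"
NAS-IP-Address = 10.1.1.21
[peap] server soh-server {
# Executing section authorize from file /etc/raddb/sites-enabled/packetfence-soh
+- entering group authorize {...}
rlm_perl: Added pair SoH-Supported = no
rlm_perl: Added pair User-Name = sm18818
++[packetfence-soh] returns fail
[peap] } # server soh-server
[peap] Got SoH reply
[peap] SoH was rejected
[peap] FAILURE
"""

# "Attribute = value" lines, with or without quotes around the value.
ATTR_RE = re.compile(r'^([A-Za-z][\w-]*)\s*=\s*"?(.*?)"?$')
# "++[module] returns rcode" lines, one per module run in a virtual server.
MODULE_RE = re.compile(r'^\+\+\[([\w-]+)\]\s+returns\s+(\w+)$')


@dataclass
class SohTriage:
    """What the debug output tells us about the SoH exchange."""
    user: Optional[str] = None
    attrs: Dict[str, str] = field(default_factory=dict)
    client_naked: bool = False            # client refused to send an SoH
    inner_server: Optional[str] = None    # soh virtual server that ran
    module_results: Dict[str, str] = field(default_factory=dict)
    rejected: bool = False                # "[peap] SoH was rejected" seen

    def verdict(self) -> str:
        """One-line explanation of the outcome, derived only from parsed facts."""
        if not self.rejected:
            return "SoH not rejected"
        failing = [m for m, rc in self.module_results.items()
                   if rc in ("fail", "reject")]
        cause = ", ".join(f"{m} returned {self.module_results[m]}"
                          for m in failing) or "no failing module seen"
        if self.attrs.get("SoH-Supported") == "no":
            # The device sent no Statement of Health at all; the inner
            # server still rejected it, so this is a policy decision there.
            return (f"rejected in {self.inner_server}: client sent no Statement "
                    f"of Health (SoH-Supported = no, NAK={self.client_naked}); {cause}")
        return f"rejected in {self.inner_server}: {cause}"


def triage(debug_text: str) -> SohTriage:
    """Walk the debug lines in order and fill in an SohTriage."""
    t = SohTriage()
    for raw in debug_text.splitlines():
        line = raw.strip()
        if line.startswith("rlm_perl: Added pair "):
            # Pairs the Perl module re-added inside the inner server use the
            # same "Attribute = value" format as the tunneled attributes.
            line = line[len("rlm_perl: Added pair "):]
        if line == "[peap] SoH - client NAKed":
            t.client_naked = True
        elif line.startswith("[peap] server ") and line.endswith("{"):
            t.inner_server = line[len("[peap] server "):-1].strip()
        elif line == "[peap] SoH was rejected":
            t.rejected = True
        elif (m := MODULE_RE.match(line)):
            t.module_results[m.group(1)] = m.group(2)
        elif (m := ATTR_RE.match(line)):
            t.attrs[m.group(1)] = m.group(2)
            if m.group(1) == "User-Name":
                t.user = m.group(2)
    return t


if __name__ == "__main__":
    print(triage(SAMPLE_DEBUG).verdict())
```

Run it against a real `radiusd -X` capture by passing the captured text to `triage()`; the `module_results` map shows which module in the soh virtual server produced the fail, and `attrs["SoH-Supported"]` tells you whether the endpoint ever presented a health statement, which is the case the inner server's policy has to decide on explicitly.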
_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users