Hi Francois,
I had misread the admin guide. I hadn't manually run the netsh nap client set
enforce line, as I thought that the "Enforce Network Access Protection" tick
box enabled that, and I have that set using a 3rd party tool. Running the set
enforce line on the client worked.
Out of interest, does the ID for the EAP Quarantine Enforcement Client change
per OS, or OS installation, or per session? I.e., do I need to read it in
somehow using a variable, or is it constant for all Windows 7/Vista/XP
installations?
Cheers,
Andi
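The two netsh commands quoted further down (show config, then set enforce with the ID of the EAP Quarantine Enforcement Client) are the procedure this thread turns on. The script below is an added example, not code from the thread, from Andi, or from PacketFence: it parses the ID out of the live netsh output rather than typing it by hand, enables the enforcement client, and then re-reads the config to confirm the change took. The script name Enable-NapEapEnforcement.ps1, the -DryRun switch, and the sample netsh text embedded for dry runs are this example's own constructions; the sample is an approximation of the format netsh prints, and a real run parses the real output.

```powershell
<#
  Added example for this thread (not from the original posts or PacketFence):
  enable the NAP EAP Quarantine Enforcement Client by reading its ID from the
  live "netsh nap client show config" output rather than typing it by hand,
  then re-read the config to confirm the change took. Run from an elevated
  PowerShell prompt on the Windows client. The script name
  Enable-NapEapEnforcement.ps1 and the -DryRun switch are this example's own.
#>
[CmdletBinding()]
param(
    # Display name exactly as netsh prints it
    [string]$ClientName = 'EAP Quarantine Enforcement Client',
    # Parse the constructed sample below instead of calling netsh; makes no changes
    [switch]$DryRun
)

# Constructed sample of the "Enforcement clients" section in the shape netsh
# prints it (assumed format, sample values); only used with -DryRun.
$SampleConfig = @'
Enforcement clients:
----------------------------------------------------
Name                 = DHCP Quarantine Enforcement Client
ID                   = 79617
Admin                = Disabled

Name                 = EAP Quarantine Enforcement Client
ID                   = 79623
Admin                = Disabled
'@

function Get-NapEnforcementClients {
    param([string[]]$ConfigLines)
    # netsh prints each enforcement client as a Name / ID / Admin triple;
    # collect them into objects and drop any "Name =" line that has no ID
    $clients = @()
    $current = $null
    foreach ($line in $ConfigLines) {
        if ($line -match '^\s*Name\s*=\s*(.+?)\s*$') {
            $current = [pscustomobject]@{ Name = $Matches[1]; ID = $null; Admin = $null }
            $clients += $current
        } elseif ($null -ne $current -and $line -match '^\s*ID\s*=\s*(\d+)\s*$') {
            $current.ID = [int]$Matches[1]
        } elseif ($null -ne $current -and $line -match '^\s*Admin\s*=\s*(\w+)\s*$') {
            $current.Admin = $Matches[1]
        }
    }
    return $clients | Where-Object { $null -ne $_.ID }
}

function Get-NapClientConfig {
    if ($DryRun) { return $SampleConfig -split "`r?`n" }
    $out = & netsh nap client show config
    if ($LASTEXITCODE -ne 0) { throw "netsh nap client show config failed (exit $LASTEXITCODE)" }
    return $out
}

# The NAP Agent service (napagent) must be running or the client never builds an SoH
$agent = Get-Service -Name napagent -ErrorAction SilentlyContinue
if ($null -eq $agent) {
    if ($DryRun) { Write-Warning 'NAP Agent service (napagent) not present on this host' }
    else { throw 'NAP Agent service (napagent) not present on this host' }
} elseif ($agent.Status -ne 'Running' -and -not $DryRun) {
    Write-Verbose 'Starting NAP Agent service'
    Start-Service -Name napagent
}

$client = Get-NapEnforcementClients (Get-NapClientConfig) |
    Where-Object { $_.Name -eq $ClientName } | Select-Object -First 1
if ($null -eq $client) { throw "No enforcement client named '$ClientName' in netsh output" }

Write-Host ("{0}: ID {1}, Admin = {2}" -f $client.Name, $client.ID, $client.Admin)
if ($client.Admin -eq 'Enabled') { Write-Host 'Already enabled; nothing to do'; return }
if ($DryRun) { Write-Host "Dry run: would run netsh nap client set enforce id=$($client.ID) admin=enable"; return }

& netsh nap client set enforce "id=$($client.ID)" admin=enable
if ($LASTEXITCODE -ne 0) { throw "netsh set enforce failed (exit $LASTEXITCODE)" }

# Re-read the config rather than trusting netsh's "Ok." line
$after = Get-NapEnforcementClients (Get-NapClientConfig) |
    Where-Object { $_.Name -eq $ClientName } | Select-Object -First 1
if ($after.Admin -ne 'Enabled') { throw "Still reports Admin = $($after.Admin) after set enforce" }
Write-Host "$ClientName enabled (ID $($after.ID)); re-authenticate the wired dot1x session to send an SoH"
```

Run it once with -DryRun to see what the parser extracts, then without it from an elevated prompt. Because the ID is read from the machine's own netsh output on every run, the script behaves the same whether or not that value turns out to be the same on every Windows build, and the second read-back catches the case where netsh reports success but the enforcement client still shows Admin = Disabled.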
From: Francois Gaudreault [mailto:[email protected]]
Sent: 20 January 2012 16:21
To: [email protected]
Subject: Re: [Packetfence-users] Enabling SoH results in radius failure
Oh and Andi,
Did you enable the NAP policy on the client:
netsh nap client show config
# get the "ID" value for the "EAP Quarantine Enforcement Client"
netsh nap client set enforce id=$ID admin=enable
On 12-01-20 11:04 AM, Francois Gaudreault wrote:
Hi Andi,
What PacketFence tells you in its log?
On 12-01-20 10:33 AM, Morris, Andi wrote:
Hi all,
Since enabling SoH and creating a violation for no antivirus my clients no
longer get authenticated via radius. Commenting out the two soh lines in the
eap.conf and restarting the radius service results in authentication working
again.
The first thing I found from running in debug mode was the following syslog
errors:
radiusd_pfsoh[6593]: Error in SOAP communication with server: 401 Authorization
Required
radiusd_pfsoh[6593]: SoH SOAP request failed: Can't call method "fault" on an
undefined value at /etc/raddb/packetfence-soh.pm line 89.
After looking in the packetfence-soh.pm file I could see that it was expecting
the webservice password to be provided, so after putting that in, and again
restarting the service those syslog messages disappeared.
However, radius is still failing my client.
The parts of the radius debug output that I think are relevant show:
# Executing group from file /etc/raddb/sites-enabled/packetfence
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR SOH RESPONSE
[peap] EAP type nak
[peap] SoH - client NAKed
[peap] Setting User-Name to sm18818
[peap] Processing SoH request
SoH-Supported = no
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "sm18818"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-09-E8-98-A0-02"
Calling-Station-Id = "00-24-54-42-86-04"
Cisco-AVPair = "audit-session-id=0A01011500000072292F4EBC"
NAS-Port-Type = Ethernet
NAS-Port = 50002
NAS-Port-Id = "FastEthernet0/2"
NAS-IP-Address = 10.1.1.21
[peap] server soh-server {
# Executing section authorize from file /etc/raddb/sites-enabled/packetfence-soh
+- entering group authorize {...}
rlm_perl: Added pair NAS-Port-Type = Ethernet
rlm_perl: Added pair SoH-Supported = no
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Calling-Station-Id = 00-24-54-42-86-04
rlm_perl: Added pair Called-Station-Id = 00-09-E8-98-A0-02
rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
rlm_perl: Added pair Cisco-AVPair = audit-session-id=0A01011500000072292F4EBC
rlm_perl: Added pair User-Name = sm18818
rlm_perl: Added pair NAS-IP-Address = 10.1.1.21
rlm_perl: Added pair NAS-Port = 50002
rlm_perl: Added pair NAS-Port-Id = FastEthernet0/2
rlm_perl: Added pair Framed-MTU = 1500
++[packetfence-soh] returns fail
[peap] } # server soh-server
[peap] Got SoH reply
[peap] SoH was rejected
[peap] FAILURE
My client is a windows 7 laptop, with wired dot1x authentication setup,
authenticating via PEAP and with NAP service running and enforced in the dot1x
settings. Even so, I would hope that even for devices without the SoH (mac
etc) they would still be able to authenticate via radius.
Thanks for your help,
Andi
---------------------------------------------------------------
Andi Morris
Technical Security Analyst
Systems and Communications Services
Information Services Division
UWIC
Cardiff
Wales
CF5 2YB
02920 205720
--------------------------------------------------------------
_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Francois Gaudreault, ing. jr
[email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)