Hi, I noticed that after the upgrade to 10.3 I can authenticate to the
devices' CLI with any password (!!!!)
I reverted to 10.2 and it works correctly:
auth.conf:
[apra-user-auth-dc01]
cache_match=0
realms=apra,apra.it,default,null
basedn=dc=apra,dc=it
password=xxxxxxxxxxxxxxxxxxxx
set_access_level_action=
scope=sub
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=5
binddn=cn=packetfence,cn=Users,dc=apra,dc=it
encryption=starttls
port=389
description=Apra User authentication
host=192.168.0.7,192.168.0.76
type=AD
read_timeout=10
write_timeout=5
monitor=1
dynamic_routing_module=AuthModule
shuffle=1
searchattributes=
set_access_durations_action=
[apra-user-auth-dc01 rule Administrator]
action0=set_access_level=ALL
condition0=memberOf,equals,CN=Apra Admins,OU=Admins,OU=Utenti,DC=apra,DC=it
status=enabled
match=any
condition1=sAMAccountName,equals,nms
class=administration
action1=mark_as_sponsor=1
[group switch_jesi_accesso]
description=Switch Jesi Accesso
VoIPEnabled=Y
registrationVlan=112
SNMPCommunityWrite=xxxxxxxxxxxxxxxx
guestVlan=99
deauthMethod=RADIUS
type=Cisco::Catalyst_2960
employeesVlan=24
isolationVlan=113
radiusSecret=xxxxxxxxxxxxxxxxxxxx
SNMPVersion=2c
consultantsVlan=24
voiceVlan=14
machineauthVlan=24
defaultVlan=1
staff_itVlan=24
printersVlan=1
ap_managementVlan=-1
videosorveglianzaVlan=21
always_trigger=1
cliAccess=Y
adiacentVlan=17
uplink_dynamic=0
As long as a user is a member of "CN=Apra
Admins,OU=Admins,OU=Utenti,DC=apra,DC=it", any password is accepted, on
any type of switch.
This is a log from 10.3 (with wrong password):
Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) WARN:
[mac:58:03:fb:51:bc:35] Trying to match IP address with an invalid MAC
address 'undef' (pf::ip4log::mac2ip)
Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO:
[mac:58:03:fb:51:bc:35] Instantiate profile default
(pf::Connection::ProfileFactory::_from_profile)
Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO:
[mac:58:03:fb:51:bc:35] Found authentication source(s) :
'local,apra-machine-auth-dc01,apra-user-auth-dc01' for realm 'null'
(pf::config::util::filter_authentication_sources)
Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO:
[mac:58:03:fb:51:bc:35] Using sources local, apra-machine-auth-dc01,
apra-user-auth-dc01 for matching (pf::authentication::match2)
Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) WARN:
[mac:58:03:fb:51:bc:35] [apra-user-auth-dc01 Administrator] Searching
for (&(sAMAccountName=c.mammoli.adm)(|(memberOf=CN=Apra
Admins,OU=Admins,OU=Utenti,DC=apra,DC=it)(sAMAccountName=nms))), from
dc=apra,dc=it, with scope sub
(pf::Authentication::Source::LDAPSource::match_in_subclass)
Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO:
[mac:58:03:fb:51:bc:35] LDAP testing connection (pf::LDAP::expire_if)
Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO:
[mac:58:03:fb:51:bc:35] Matched rule (Administrator) in source
apra-user-auth-dc01, returning actions.
(pf::Authentication::Source::match_rule)
Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO:
[mac:58:03:fb:51:bc:35] Matched rule (Administrator) in source
apra-user-auth-dc01, returning actions. (pf::Authentication::Source::match)
Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO:
[mac:58:03:fb:51:bc:35] User c.mammoli.adm logged in 192.168.16.48 with
write access (pf::Switch::Cisco::returnAuthorizeWrite)
10.2 (wrong password):
Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) WARN:
[mac:d0:22:be:5f:2c:35] Trying to match IP address with an invalid MAC
address 'undef' (pf::ip4log::mac2ip)
Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO:
[mac:d0:22:be:5f:2c:35] Found authentication source(s) :
'local,apra-machine-auth-dc01,apra-user-auth-dc01' for realm 'null'
(pf::config::util::filter_authentication_sources)
Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) WARN:
[mac:d0:22:be:5f:2c:35] Use of uninitialized value in numeric ne (!=) at
/usr/local/pf/lib/pf/radius.pm line 921.
Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) WARN:
[mac:d0:22:be:5f:2c:35] Use of uninitialized value in numeric ne (!=) at
/usr/local/pf/lib/pf/radius.pm line 921.
Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO:
[mac:d0:22:be:5f:2c:35] LDAP testing connection (pf::LDAP::expire_if)
Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) WARN:
[mac:d0:22:be:5f:2c:35] [apra-machine-auth-dc01] No entries found (0)
with filter (servicePrincipalName=c.mammoli.adm) from dc=apra,dc=it on
192.168.0.7:389 (pf::Authentication::Source::LDAPSource::authenticate)
Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO:
[mac:d0:22:be:5f:2c:35] LDAP testing connection (pf::LDAP::expire_if)
Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) WARN:
[mac:d0:22:be:5f:2c:35] [apra-user-auth-dc01] User CN=Cristian Mammoli
Adm,OU=Admins,OU=Utenti,DC=apra,DC=it cannot bind from dc=apra,dc=it on
192.168.0.7:389 (pf::Authentication::Source::LDAPSource::authenticate)
Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO:
[mac:d0:22:be:5f:2c:35] User c.mammoli.adm tried to login in
192.168.16.48 but authentication failed (pf::radius::switch_access)
10.3 (correct password):
Apr 27 16:53:48 srvpf packetfence_httpd.aaa: httpd.aaa(2555) WARN:
[mac:f4:60:e2:c9:03:ec] Trying to match IP address with an invalid MAC
address 'undef' (pf::ip4log::mac2ip)
Apr 27 16:53:48 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO:
[mac:f4:60:e2:c9:03:ec] Found authentication source(s) :
'local,apra-machine-auth-dc01,apra-user-auth-dc01' for realm 'null'
(pf::config::util::filter_authentication_sources)
Apr 27 16:53:48 srvpf packetfence_httpd.aaa: httpd.aaa(2555) WARN:
[mac:f4:60:e2:c9:03:ec] Use of uninitialized value in numeric ne (!=) at
/usr/local/pf/lib/pf/radius.pm line 921.
Apr 27 16:53:48 srvpf packetfence_httpd.aaa: httpd.aaa(2555) WARN:
[mac:f4:60:e2:c9:03:ec] Use of uninitialized value in numeric ne (!=) at
/usr/local/pf/lib/pf/radius.pm line 921.
Apr 27 16:53:48 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO:
[mac:f4:60:e2:c9:03:ec] LDAP testing connection (pf::LDAP::expire_if)
Apr 27 16:53:48 srvpf packetfence_httpd.aaa: httpd.aaa(2555) WARN:
[mac:f4:60:e2:c9:03:ec] [apra-machine-auth-dc01] No entries found (0)
with filter (servicePrincipalName=c.mammoli.adm) from dc=apra,dc=it on
192.168.0.7:389 (pf::Authentication::Source::LDAPSource::authenticate)
Apr 27 16:53:48 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO:
[mac:f4:60:e2:c9:03:ec] LDAP testing connection (pf::LDAP::expire_if)
Apr 27 16:53:48 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO:
[mac:f4:60:e2:c9:03:ec] [apra-user-auth-dc01] Authentication successful
for c.mammoli.adm (pf::Authentication::Source::LDAPSource::authenticate)
Apr 27 16:53:48 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO:
[mac:f4:60:e2:c9:03:ec] Authentication successful for c.mammoli.adm in
source apra-user-auth-dc01 (AD) (pf::authentication::authenticate)
Apr 27 16:53:48 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO:
[mac:f4:60:e2:c9:03:ec] Using sources apra-user-auth-dc01 for matching
(pf::authentication::match2)
Apr 27 16:53:48 srvpf packetfence_httpd.aaa: httpd.aaa(2555) WARN:
[mac:f4:60:e2:c9:03:ec] [apra-user-auth-dc01 Administrator] Searching
for (&(sAMAccountName=c.mammoli.adm)(|(memberOf=CN=Apra
Admins,OU=Admins,OU=Utenti,DC=apra,DC=it)(sAMAccountName=nms))), from
dc=apra,dc=it, with scope sub
(pf::Authentication::Source::LDAPSource::match_in_subclass)
Apr 27 16:53:48 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO:
[mac:f4:60:e2:c9:03:ec] LDAP testing connection (pf::LDAP::expire_if)
Apr 27 16:53:48 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO:
[mac:f4:60:e2:c9:03:ec] Matched rule (Administrator) in source
apra-user-auth-dc01, returning actions.
(pf::Authentication::Source::match_rule)
Apr 27 16:53:48 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO:
[mac:f4:60:e2:c9:03:ec] Matched rule (Administrator) in source
apra-user-auth-dc01, returning actions. (pf::Authentication::Source::match)
Apr 27 16:53:48 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO:
[mac:f4:60:e2:c9:03:ec] User c.mammoli.adm logged in 192.168.16.48 with
write access (pf::Switch::Cisco::returnAuthorizeWrite)
Apr 27 16:53:48 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO:
[mac:f4:60:e2:c9:03:ec] Match rule set_enable_perm_in_radius_reponse
(pf::access_filter::radius::test)
Dumping LDAP traffic on 10.3, I only see a search request for my
username, no binds...
--
*Cristian Mammoli*
Network and Computer Systems Administrator
T.+39 0731719822
www.apra.it <https://www.apra.it>
Apra Spa
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
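As an added check (not part of the post and not PacketFence's own code), this Python script correlates the two kinds of lines the post contrasts: a CLI grant from pf::Switch::Cisco::returnAuthorizeWrite that is not preceded, within the same [mac:...]-tagged request, by an "Authentication successful ... in source" line from pf::authentication::authenticate. The sample lines are constructed from the post's 10.2 and 10.3 excerpts, and treating the [mac:...] tag as a per-request key is an assumption about the log format.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the post's excerpts (not the original log file).
# Request 58:03:fb:51:bc:35 is the 10.3 wrong-password case: a rule match and a
# write-access grant with no authentication line at all.
SAMPLE_LOG = """\
Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO: [mac:58:03:fb:51:bc:35] Using sources local, apra-machine-auth-dc01, apra-user-auth-dc01 for matching (pf::authentication::match2)
Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO: [mac:58:03:fb:51:bc:35] Matched rule (Administrator) in source apra-user-auth-dc01, returning actions. (pf::Authentication::Source::match)
Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO: [mac:58:03:fb:51:bc:35] User c.mammoli.adm logged in 192.168.16.48 with write access (pf::Switch::Cisco::returnAuthorizeWrite)
Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO: [mac:d0:22:be:5f:2c:35] User c.mammoli.adm tried to login in 192.168.16.48 but authentication failed (pf::radius::switch_access)
Apr 27 16:53:48 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO: [mac:f4:60:e2:c9:03:ec] Authentication successful for c.mammoli.adm in source apra-user-auth-dc01 (AD) (pf::authentication::authenticate)
Apr 27 16:53:48 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO: [mac:f4:60:e2:c9:03:ec] User c.mammoli.adm logged in 192.168.16.48 with write access (pf::Switch::Cisco::returnAuthorizeWrite)
"""

MAC_RE = re.compile(r"\[mac:([0-9a-f:]{17})\]")
AUTH_OK_RE = re.compile(r"Authentication successful for (\S+) in source (\S+)")
GRANT_RE = re.compile(r"User (\S+) logged in (\S+) with (read|write) access")


def find_unauthenticated_grants(log_text):
    """Return (mac, user, nas_ip, access) for every CLI grant whose request
    (keyed by the [mac:...] tag) never logged a successful authentication
    for that user before the grant. An empty list means no bypass pattern."""
    authenticated = defaultdict(set)  # request tag -> users that passed a bind
    findings = []
    for line in log_text.splitlines():
        tag = MAC_RE.search(line)
        if not tag:
            continue  # untagged lines cannot be tied to a request
        mac = tag.group(1)
        ok = AUTH_OK_RE.search(line)
        if ok:
            authenticated[mac].add(ok.group(1))
            continue
        grant = GRANT_RE.search(line)
        if grant and grant.group(1) not in authenticated[mac]:
            findings.append((mac, grant.group(1), grant.group(2), grant.group(3)))
    return findings


if __name__ == "__main__":
    for mac, user, nas, access in find_unauthenticated_grants(SAMPLE_LOG):
        print(f"request {mac}: {user} got {access} access on {nas} without authenticating")
```

Run it against packetfence.log (or the httpd.aaa log) from the period a 10.3 install was in service; any finding is a CLI login that should be reviewed on the switch side as well.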