Hello Didier,

Rejected in post-auth means that it has been rejected by the logic in PacketFence. Verify in the packetfence.log file to see what happens exactly when the device connects.
Regards
Fabrice

On Wed, 1 Feb 2023 at 07:24, Didier Walraet via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

> Hi everybody,
>
> We have a problem with authentication from Windows sessions.
>
> When I check with pftest it works:
>
> Authenticating against 'dcandenne' in context 'admin'
> Authentication SUCCEEDED against dcandenne (Authentication successful.)
> Matched against dcandenne for 'authentication' rule catchall
> set_role : default
> set_access_duration : 1D
> Did not match against dcandenne for 'administration' rules
>
> Authenticating against 'dcandenne' in context 'portal'
> Authentication SUCCEEDED against dcandenne (Authentication successful.)
> Matched against dcandenne for 'authentication' rule catchall
> set_role : default
> set_access_duration : 1D
>
> When I test with eapol_test it works:
>
> EAPOL: SUPP_BE entering state RECEIVE
> Received 184 bytes from RADIUS server
> Received RADIUS message
> RADIUS message: code=2 (Access-Accept) identifier=9 length=184
> Attribute 1 (User-Name) length=24
> Value: 'andenne\\administrateur'
> Attribute 26 (Vendor-Specific) length=58
> Value: 000001371134c13273280210014b8952df27af1d66ef0394150828ddd278c2f3d80b7dd3b9b73d86f83a263ac27392fa5212d77f55bb4b58
> Attribute 26 (Vendor-Specific) length=58
> Value: 000001371034cf04b7c73dd8aae9b040a0061f528848602d0fadc4ca1fc08fec82bec34b09131f81621125e838d23812afec44aa01c6ac66
> Attribute 79 (EAP-Message) length=6
> Value: 038c0004
> Attribute 80 (Message-Authenticator) length=18
> Value: 5b9fb6bccfe5dd977dd2dcf5039787f3
> STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
>
> RADIUS packet matching with station
> MS-MPPE-Send-Key (sign) - hexdump(len=32): f8 f2 d3 fb 41 8e 70 62 33 4f e4 b4 86 f0 82 6a 02 dc b7 e2 70 52 8f bb 1d b9 6c 63 07 6d d8 05
> MS-MPPE-Recv-Key (crypt) - hexdump(len=32): de 31 38 73 0f 11 42 a6 1a c9 92 c8 be a8 10 14 62 b6 26 dc 8d 85 5c 63 7a fd 41 6b a8 09 6c cb
> decapsulated EAP packet (code=3 id=140 len=4) from RADIUS server: EAP Success
> EAPOL: Received EAP-Packet frame
> EAPOL: SUPP_BE entering state REQUEST
> EAPOL: getSuppRsp
> EAP: EAP entering state RECEIVED
> EAP: Received EAP-Success
> EAP: Status notification: completion (param=success)
> EAP: EAP entering state SUCCESS
> CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
> EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames required
> WPA: EAPOL processing complete
> Cancelling authentication timeout
> State: DISCONNECTED -> COMPLETED
> EAPOL: SUPP_PAE entering state AUTHENTICATED
> EAPOL: SUPP_BE entering state RECEIVE
> EAPOL: SUPP_BE entering state SUCCESS
> EAPOL: SUPP_BE entering state IDLE
> eapol_sm_cb: result=1
> EAPOL: Successfully fetched key (len=32)
> PMK from EAPOL - hexdump(len=32): de 31 38 73 0f 11 42 a6 1a c9 92 c8 be a8 10 14 62 b6 26 dc 8d 85 5c 63 7a fd 41 6b a8 09 6c cb
> No EAP-Key-Name received from server
> WPA: Clear old PMK and PTK
> EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
> ENGINE: engine deinit
> MPPE keys OK: 1 mismatch: 0
> SUCCESS
>
> But when I try authentication from Windows, before opening of the user session, with user credentials domain\username, it doesn't work:
>
> Feb 1 09:00:11 packetfence auth[9916]: (3332) Rejected in post-auth: [ANDENNE\Administrateur] (from client 10.185.2.154/32 port 1 cli 04:7b:cb:43:d9:37 via TLS tunnel)
> Feb 1 09:00:11 packetfence auth[9916]: (3332) Login incorrect: [ANDENNE\Administrateur] (from client 10.185.2.154/32 port 1 cli 04:7b:cb:43:d9:37 via TLS tunnel)
> Feb 1 09:00:11 packetfence auth[9916]: (3333) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [ANDENNE\Administrateur] (from client 10.185.2.154/32 port 1 cli 04:7b:cb:43:d9:37)
> Feb 1 09:00:21 packetfence auth[9916]: (3343) Rejected in post-auth: [ANDENNE\Administrateur] (from client 10.185.2.154/32 port 1 cli 04:7b:cb:43:d9:37 via TLS tunnel)
> Feb 1 09:00:21 packetfence auth[9916]: (3343) Login incorrect: [ANDENNE\Administrateur] (from client 10.185.2.154/32 port 1 cli 04:7b:cb:43:d9:37 via TLS tunnel)
>
> When I test with same username on Linux system it works:
>
> Feb 1 08:52:55 packetfence auth[9916]: (3293) Login OK: [administrateur] (from client 10.185.2.154/32 port 1 cli 04:0e:3c:f0:ed:5c via TLS tunnel)
> Feb 1 08:52:55 packetfence auth[9916]: (3294) Login OK: [administrateur] (from client 10.185.2.154/32 port 1 cli 04:0e:3c:f0:ed:5c)
> Feb 1 09:00:10 packetfence auth[9916]: Adding client 10.185.2.154/32
>
> Can anyone help me?
>
> Best regards,
>
> Didier.
> --
>
> Didier Walraet
> IT Manager
> CPAS Ville d'Andenne
> GSM: 0475 800 796
> didier.walr...@cpas-andenne.be
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
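Added example (not part of the original thread and not PacketFence code): a small Python parser for the RADIUS auth lines quoted above that groups events by station MAC, records which requests were rejected in post-auth (the stage the reply attributes to PacketFence's own logic), and splits the identity each client sent into realm and user name. The function names and verdict labels are assumptions of this example; the log lines are the ones from the thread, rejoined one event per line.

```python
import re
from collections import defaultdict

# Auth log lines as quoted in the thread, rejoined one event per line.
SAMPLE = r"""
Feb 1 08:52:55 packetfence auth[9916]: (3293) Login OK: [administrateur] (from client 10.185.2.154/32 port 1 cli 04:0e:3c:f0:ed:5c via TLS tunnel)
Feb 1 09:00:10 packetfence auth[9916]: Adding client 10.185.2.154/32
Feb 1 09:00:11 packetfence auth[9916]: (3332) Rejected in post-auth: [ANDENNE\Administrateur] (from client 10.185.2.154/32 port 1 cli 04:7b:cb:43:d9:37 via TLS tunnel)
Feb 1 09:00:11 packetfence auth[9916]: (3332) Login incorrect: [ANDENNE\Administrateur] (from client 10.185.2.154/32 port 1 cli 04:7b:cb:43:d9:37 via TLS tunnel)
Feb 1 09:00:11 packetfence auth[9916]: (3333) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [ANDENNE\Administrateur] (from client 10.185.2.154/32 port 1 cli 04:7b:cb:43:d9:37)
Feb 1 09:00:21 packetfence auth[9916]: (3343) Rejected in post-auth: [ANDENNE\Administrateur] (from client 10.185.2.154/32 port 1 cli 04:7b:cb:43:d9:37 via TLS tunnel)
"""

LINE = re.compile(
    r"auth\[\d+\]: \((?P<req>\d+)\) (?P<outcome>Rejected in post-auth|Login incorrect|Login OK)"
    r"(?: \((?P<reason>.*)\))?: \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<nas>\S+) port \d+ cli (?P<mac>[0-9A-Fa-f:]{17})(?P<inner> via TLS tunnel)?\)"
)

def split_identity(user):
    """Split DOMAIN\\user or user@realm into (realm, name), lower-cased."""
    if "\\" in user:
        realm, name = user.split("\\", 1)
    elif "@" in user:
        name, realm = user.rsplit("@", 1)
    else:
        realm, name = "", user
    return realm.lower(), name.lower()

def summarize(text):
    """Per station MAC: identities sent, post-auth reject request ids, verdict."""
    stations = defaultdict(lambda: {"identities": set(), "post_auth": [], "outcomes": set()})
    for m in LINE.finditer(text):  # lines without a request id are skipped
        st = stations[m["mac"]]
        st["identities"].add(split_identity(m["user"]))
        st["outcomes"].add(m["outcome"])
        if m["outcome"] == "Rejected in post-auth":
            st["post_auth"].append(m["req"])
    for st in stations.values():
        if st["post_auth"]:
            st["verdict"] = "post-auth"     # policy-stage reject: read packetfence.log
        elif "Login incorrect" in st["outcomes"]:
            st["verdict"] = "auth-failure"  # rejected with no post-auth reject line
        else:
            st["verdict"] = "accepted"
    return dict(stations)

if __name__ == "__main__":
    for mac, st in summarize(SAMPLE).items():
        print(mac, st["verdict"], sorted(st["identities"]), st["post_auth"])
```

For stations with a `post-auth` verdict, the request ids and the MAC are the values to search for in packetfence.log around the same timestamps.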