Hello Fabrice,

Thanks for your reply.

Indeed, the problem seems to come from the assignment of the role in the source of authentication. When I test with eapol_test for the andenne\administrator account, it doesn't work.
If I just test with administrator account it works.
FYI, there are no conditions defined in the authentication rules.

I feel like the problem is because the username variable contains the domain\username.
Here is an excerpt from raddebug:

(346) Thu Feb  2 11:00:46 2023: Debug: # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
(346) Thu Feb  2 11:00:46 2023: Debug:   Post-Auth-Type REJECT {
(346) Thu Feb  2 11:00:46 2023: Debug:     update {
(346) Thu Feb  2 11:00:46 2023: Debug:     } # update = noop
(346) Thu Feb  2 11:00:46 2023: Debug:     if (! EAP-Type || (EAP-Type != TTLS  && EAP-Type != PEAP) ) {
(346) Thu Feb  2 11:00:46 2023: Debug:     if (! EAP-Type || (EAP-Type != TTLS  && EAP-Type != PEAP) )  -> FALSE
(346) Thu Feb  2 11:00:46 2023: Debug:     if ("%{%{control:PacketFence-Proxied-From}:-False}" == "True") {
(346) Thu Feb  2 11:00:46 2023: Debug:     EXPAND %{%{control:PacketFence-Proxied-From}:-False}
(346) Thu Feb  2 11:00:46 2023: Debug:        --> False
(346) Thu Feb  2 11:00:46 2023: Debug:     if ("%{%{control:PacketFence-Proxied-From}:-False}" == "True")  -> FALSE
(346) Thu Feb  2 11:00:46 2023: Debug: attr_filter.access_reject: EXPAND %{User-Name}
(346) Thu Feb  2 11:00:46 2023: Debug: attr_filter.access_reject:    --> andenne\\administrateur
(346) Thu Feb  2 11:00:46 2023: Debug: attr_filter.access_reject: Matched entry DEFAULT at line 11
(346) Thu Feb  2 11:00:46 2023: Debug: [attr_filter.access_reject] = updated
(346) Thu Feb  2 11:00:46 2023: Debug: attr_filter.packetfence_post_auth: EXPAND %{User-Name}
(346) Thu Feb  2 11:00:46 2023: Debug: attr_filter.packetfence_post_auth:    --> andenne\\administrateur
(346) Thu Feb  2 11:00:46 2023: Debug: attr_filter.packetfence_post_auth: Matched entry DEFAULT at line 10
(346) Thu Feb  2 11:00:46 2023: Debug: [attr_filter.packetfence_post_auth] = updated
(346) Thu Feb  2 11:00:46 2023: Debug:     [eap] = noop
(346) Thu Feb  2 11:00:46 2023: Debug:     policy remove_reply_message_if_eap {
(346) Thu Feb  2 11:00:46 2023: Debug:       if (&reply:EAP-Message && &reply:Reply-Message) {
(346) Thu Feb  2 11:00:46 2023: Debug:       if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(346) Thu Feb  2 11:00:46 2023: Debug:       else {
(346) Thu Feb  2 11:00:46 2023: Debug:         [noop] = noop
(346) Thu Feb  2 11:00:46 2023: Debug:       } # else = noop
(346) Thu Feb  2 11:00:46 2023: Debug:     } # policy remove_reply_message_if_eap = noop
(346) Thu Feb  2 11:00:46 2023: Debug: linelog: EXPAND messages.%{%{reply:Packet-Type}:-default}
(346) Thu Feb  2 11:00:46 2023: Debug: linelog:    --> messages.Access-Reject
(346) Thu Feb  2 11:00:46 2023: Debug: linelog: EXPAND [mac:%{Calling-Station-Id}] Rejected user: %{User-Name}
(346) Thu Feb  2 11:00:46 2023: Debug: linelog:    --> [mac:02:00:00:00:00:01] Rejected user: andenne\administrateur
(346) Thu Feb  2 11:00:46 2023: Debug: linelog: EXPAND stdout
(346) Thu Feb  2 11:00:46 2023: Debug: linelog:    --> stdout
(346) Thu Feb  2 11:00:46 2023: Debug:     [linelog] = ok
(346) Thu Feb  2 11:00:46 2023: Debug:   } # Post-Auth-Type REJECT = updated
(346) Thu Feb  2 11:00:46 2023: Debug: Delaying response for 1.000000 seconds
(346) Thu Feb  2 11:00:47 2023: Debug: Sending delayed response
(346) Thu Feb  2 11:00:47 2023: Debug: Sent Access-Reject Id 9 from 127.0.0.1:1812 to 127.0.0.1:58643 length 44

Thanks for your help, best regards,

Didier.

        



Didier Walraet

IT Manager

CPAS Ville d'Andenne

GSM: 0475 800 796
didier.walr...@cpas-andenne.be
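To make the suspicion above concrete (a User-Name that arrives as domain\username while the rule was written against the bare account name), here is an added Python example. It is not PacketFence or FreeRADIUS code and not part of this thread: it parses auth log lines of the kind quoted further down (Login OK, Login incorrect, Rejected in post-auth), splits each User-Name into domain and user parts, including the doubled backslash that the raddebug expansion prints, and shows that a bare-name comparison matches "administrateur" but fails on "ANDENNE\Administrateur" unless the domain prefix is stripped first. The sample log text is constructed from the excerpts in this thread; split_identity, rule_matches and domain_qualified_rejects are hypothetical helper names, and the strip_domain switch is an illustration of the two behaviours, not a statement of how PacketFence itself matches usernames.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on the FreeRADIUS auth log lines quoted in
# this thread (same hostname, client address and MAC addresses as the excerpts).
SAMPLE_LOG = r"""
Feb  1 09:00:11 packetfence auth[9916]: (3332)   Rejected in post-auth: [ANDENNE\Administrateur] (from client 10.185.2.154/32 port 1 cli 04:7b:cb:43:d9:37 via TLS tunnel)
Feb  1 09:00:11 packetfence auth[9916]: (3332)   Login incorrect: [ANDENNE\Administrateur] (from client 10.185.2.154/32 port 1 cli 04:7b:cb:43:d9:37 via TLS tunnel)
Feb  1 09:00:11 packetfence auth[9916]: (3333) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [ANDENNE\Administrateur] (from client 10.185.2.154/32 port 1 cli 04:7b:cb:43:d9:37)
Feb  1 08:52:55 packetfence auth[9916]: (3293)   Login OK: [administrateur] (from client 10.185.2.154/32 port 1 cli 04:0e:3c:f0:ed:5c via TLS tunnel)
Feb  1 09:00:10 packetfence auth[9916]: Adding client 10.185.2.154/32
"""

# One auth-log line: timestamp, "auth[pid]:", request id, outcome, an optional
# reason in parentheses, the User-Name in square brackets, then client and MAC.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ auth\[\d+\]: \((?P<req>\d+)\)\s+"
    r"(?P<outcome>Login OK|Login incorrect|Rejected in post-auth)[^\[]*"
    r"\[(?P<user>[^\]]*)\] \(from client (?P<client>\S+) port \d+ cli (?P<mac>[0-9a-f:]{17})"
)


def split_identity(user_name: str) -> Tuple[Optional[str], str]:
    """Split a RADIUS User-Name into (domain, user).

    Handles the NT-style form DOMAIN\\user that a Windows machine sends, the
    doubled backslash that the FreeRADIUS debug expansion prints
    (andenne\\\\administrateur) and the UPN form user@domain. A bare
    username yields domain None.
    """
    user_name = user_name.replace("\\\\", "\\")   # undo debug-output escaping
    if "\\" in user_name:
        domain, _, user = user_name.partition("\\")
        return (domain or None), user
    if "@" in user_name:
        user, _, domain = user_name.rpartition("@")
        return (domain or None), user
    return None, user_name


def rule_matches(rule_username: str, user_name: str, strip_domain: bool) -> bool:
    """Hypothetical rule check: does a bare username in a rule match what RADIUS
    delivered? With strip_domain=False the domain prefix makes the comparison
    fail; with strip_domain=True only the user part is compared. The comparison
    is case-insensitive, as Active Directory account names are."""
    candidate = split_identity(user_name)[1] if strip_domain else user_name
    return candidate.casefold() == rule_username.casefold()


@dataclass
class AuthEvent:
    request: int
    outcome: str
    user_name: str          # User-Name exactly as logged
    domain: Optional[str]   # domain prefix, if any
    user: str               # bare user part
    client: str
    mac: str


def parse_auth_log(text: str) -> List[AuthEvent]:
    """Turn auth log text into AuthEvent records; lines that carry no identity
    (for example "Adding client ...") are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        domain, user = split_identity(m["user"])
        events.append(AuthEvent(int(m["req"]), m["outcome"], m["user"],
                                domain, user, m["client"], m["mac"]))
    return events


def domain_qualified_rejects(events: List[AuthEvent]) -> List[int]:
    """Request ids rejected in post-auth whose User-Name carried a domain
    prefix: the pattern to look for when a bare-name rule works from Linux but
    the same account fails from a Windows pre-logon session."""
    return sorted({e.request for e in events
                   if e.outcome == "Rejected in post-auth" and e.domain})


if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_LOG)
    for e in events:
        print(f"({e.request}) {e.outcome:22} domain={e.domain!s:8} user={e.user}")
    print("post-auth rejects with a domain prefix:", domain_qualified_rejects(events))
    for name in (r"ANDENNE\Administrateur", "administrateur"):
        print(name, "matches rule 'administrateur' without stripping:",
              rule_matches("administrateur", name, strip_domain=False),
              "/ with stripping:", rule_matches("administrateur", name, strip_domain=True))
```

Run against a real packetfence.log or radius.log, the useful signal is the combination: rejects whose User-Name has a domain prefix while accepts for the same account do not. That narrows the problem to how the authentication source or rule treats the prefix rather than to the credentials themselves.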


On 01-02-23 at 17:19, Fabrice Durand wrote:
Hello Didier,

Rejected in post-auth means that it has been rejected by the logic in PacketFence. Verify in the packetfence.log file to see what happens exactly when the device connects.

Regards
Fabrice


On Wed, 1 Feb 2023 at 07:24, Didier Walraet via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

    Hi everybody,

    We have a problem with authentication from Windows sessions.

    When I check with pftest it works:

    Authenticating against 'dcandenne' in context 'admin'
      Authentication SUCCEEDED against dcandenne (Authentication successful.)
      Matched against dcandenne for 'authentication' rule catchall
        set_role : default
        set_access_duration : 1D
      Did not match against dcandenne for 'administration' rules

    Authenticating against 'dcandenne' in context 'portal'
      Authentication SUCCEEDED against dcandenne (Authentication successful.)
      Matched against dcandenne for 'authentication' rule catchall
        set_role : default
        set_access_duration : 1D

    When I test with eapol_test it works:

    EAPOL: SUPP_BE entering state RECEIVE
    Received 184 bytes from RADIUS server
    Received RADIUS message
    RADIUS message: code=2 (Access-Accept) identifier=9 length=184
       Attribute 1 (User-Name) length=24
          Value: 'andenne\\administrateur'
       Attribute 26 (Vendor-Specific) length=58
          Value: 000001371134c13273280210014b8952df27af1d66ef0394150828ddd278c2f3d80b7dd3b9b73d86f83a263ac27392fa5212d77f55bb4b58
       Attribute 26 (Vendor-Specific) length=58
          Value: 000001371034cf04b7c73dd8aae9b040a0061f528848602d0fadc4ca1fc08fec82bec34b09131f81621125e838d23812afec44aa01c6ac66
       Attribute 79 (EAP-Message) length=6
          Value: 038c0004
       Attribute 80 (Message-Authenticator) length=18
          Value: 5b9fb6bccfe5dd977dd2dcf5039787f3
    STA 02:00:00:00:00:01: Received RADIUS packet matched with a
    pending request, round trip time 0.00 sec

    RADIUS packet matching with station
    MS-MPPE-Send-Key (sign) - hexdump(len=32): f8 f2 d3 fb 41 8e 70 62
    33 4f e4 b4 86 f0 82 6a 02 dc b7 e2 70 52 8f bb 1d b9 6c 63 07 6d
    d8 05
    MS-MPPE-Recv-Key (crypt) - hexdump(len=32): de 31 38 73 0f 11 42
    a6 1a c9 92 c8 be a8 10 14 62 b6 26 dc 8d 85 5c 63 7a fd 41 6b a8
    09 6c cb
    decapsulated EAP packet (code=3 id=140 len=4) from RADIUS server:
    EAP Success
    EAPOL: Received EAP-Packet frame
    EAPOL: SUPP_BE entering state REQUEST
    EAPOL: getSuppRsp
    EAP: EAP entering state RECEIVED
    EAP: Received EAP-Success
    EAP: Status notification: completion (param=success)
    EAP: EAP entering state SUCCESS
    CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
    EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames
    required
    WPA: EAPOL processing complete
    Cancelling authentication timeout
    State: DISCONNECTED -> COMPLETED
    EAPOL: SUPP_PAE entering state AUTHENTICATED
    EAPOL: SUPP_BE entering state RECEIVE
    EAPOL: SUPP_BE entering state SUCCESS
    EAPOL: SUPP_BE entering state IDLE
    eapol_sm_cb: result=1
    EAPOL: Successfully fetched key (len=32)
    PMK from EAPOL - hexdump(len=32): de 31 38 73 0f 11 42 a6 1a c9 92
    c8 be a8 10 14 62 b6 26 dc 8d 85 5c 63 7a fd 41 6b a8 09 6c cb
    No EAP-Key-Name received from server
    WPA: Clear old PMK and PTK
    EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
    ENGINE: engine deinit
    MPPE keys OK: 1  mismatch: 0
    SUCCESS

    But when I try authentication from Windows, before the user session is
    opened, with user credentials in the form domain\username, it doesn't work:

    Feb  1 09:00:11 packetfence auth[9916]: (3332)   Rejected in post-auth: [ANDENNE\Administrateur] (from client 10.185.2.154/32 port 1 cli 04:7b:cb:43:d9:37 via TLS tunnel)
    Feb  1 09:00:11 packetfence auth[9916]: (3332)   Login incorrect: [ANDENNE\Administrateur] (from client 10.185.2.154/32 port 1 cli 04:7b:cb:43:d9:37 via TLS tunnel)
    Feb  1 09:00:11 packetfence auth[9916]: (3333) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [ANDENNE\Administrateur] (from client 10.185.2.154/32 port 1 cli 04:7b:cb:43:d9:37)
    Feb  1 09:00:21 packetfence auth[9916]: (3343)   Rejected in post-auth: [ANDENNE\Administrateur] (from client 10.185.2.154/32 port 1 cli 04:7b:cb:43:d9:37 via TLS tunnel)
    Feb  1 09:00:21 packetfence auth[9916]: (3343)   Login incorrect: [ANDENNE\Administrateur] (from client 10.185.2.154/32 port 1 cli 04:7b:cb:43:d9:37 via TLS tunnel)

    When I test with the same username on a Linux system it works:

    Feb  1 08:52:55 packetfence auth[9916]: (3293)   Login OK: [administrateur] (from client 10.185.2.154/32 port 1 cli 04:0e:3c:f0:ed:5c via TLS tunnel)
    Feb  1 08:52:55 packetfence auth[9916]: (3294) Login OK: [administrateur] (from client 10.185.2.154/32 port 1 cli 04:0e:3c:f0:ed:5c)
    Feb  1 09:00:10 packetfence auth[9916]: Adding client 10.185.2.154/32

    Can anyone help me?

    Best regards,

    Didier.

--



    Didier Walraet

    IT Manager

    CPAS Ville d'Andenne

    GSM: 0475 800 796
    didier.walr...@cpas-andenne.be


    _______________________________________________
    PacketFence-users mailing list
    PacketFence-users@lists.sourceforge.net
    https://lists.sourceforge.net/lists/listinfo/packetfence-users