Hi all,
I have been struggling with getting this to work persistently.
Somehow it worked perfectly last week, and today it does not work.
*The Scenario*
My auth matrix:

                    Windows Domain   Linux Standalone   Windows Standalone
Computer AD Auth          X
User AD Auth              X                 X                   X
MAC Filter                                  X                   X
We have a mix of Windows domain-joined computers, Windows non-domain and
Linux non-domain.
I am using MAC filter and EAP for username validation for the non-domain
joined computers.
This part is working as expected.
The problem is Windows. Somehow the 802.1X is not working consistently
as expected.
Last week, I saw in the radius.log that the computer account was
authenticated without any problems; then, when the user logged into the
device, the user was authenticated.
Today only one of them works. There have been no changes to the switch,
PacketFence or the Windows GPO for 802.1X settings.
I have a local CA within the Windows domain. The PacketFence HTTP and RADIUS
certs have been changed to certs from this CA server.
All domain computers have the root CA in their trusted cert store, and
there are both a user cert and a computer cert generated and placed in
the personal cert store on the local computer.
PacketFence 14 on Debian 12. Last update was last week, everything worked
afterwards, and the domain-joined part was tested multiple times.
I have a connection profile that looks for Ethernet-EAP, which selects an
authentication source.
Last week I had an authentication rule that was looking for memberOf
within two groups, and both should match: one for the computer account
and one for the user account.
This worked. I have been debugging today why it does not work any more
on domain-joined machines, so I now have two authentication sources within
the connection profile,
where one is for computer auth, with all the computer AD groups
placed as an LDAP condition with "matches any".
Still no luck.
Next, I need to verify that the computer that the user is using is
domain-joined and validated as well.
So, I was either lucky that I hit an error last week that somehow made
it work, and now PacketFence has "fixed" itself.
How should I configure the connection profile and authentication source for
my domain-joined scenario so it will work?
Some log samples of the error:
2024-11-15T10:32:23.666264+01:00 pf01 auth[44161]: (39583) Rejected in
post-auth: [host/TEST01-0431-W.domain.local] (from client
192.168.168.13/32 port 12 cli CC:CC:a0:12:f2:01 via TLS tunnel)
2024-11-15T10:32:23.666689+01:00 pf01 auth[44161]: (39583) Login
incorrect: [host/TEST01-0431-W.domain.local] (from client
192.168.168.13/32 port 12 cli CC:CC:a0:12:f2:01 via TLS tunnel)
2024-11-15T10:32:23.669715+01:00 pf01 auth[44161]: (39584) Login
incorrect (eap_peap: The users session was previously rejected:
returning reject (again.)): [host/TEST01-0431-W.domain.local] (from
client 192.168.168.13/32 port 12 cli CC:CC:a0:12:f2:01)
2024-11-15T10:33:31.371874+01:00 pf01 auth[44161]: (39599) Rejected in
post-auth: [host/TEST01-0431-W.domain.local] (from client
192.168.168.13/32 port 12 cli CC:CC:a0:12:f2:01 via TLS tunnel)
2024-11-15T10:33:31.372422+01:00 pf01 auth[44161]: (39599) Login
incorrect: [host/TEST01-0431-W.domain.local] (from client
192.168.168.13/32 port 12 cli CC:CC:a0:12:f2:01 via TLS tunnel)
2024-11-15T10:33:31.388552+01:00 pf01 auth[44161]: (39600) Login
incorrect (eap_peap: The users session was previously rejected:
returning reject (again.)): [host/TEST01-0431-W.domain.local] (from
client 192.168.168.13/32 port 12 cli CC:CC:a0:12:f2:01)
2024-11-15T14:54:44.386022+01:00 pf01 auth[24466]: Adding client
192.168.168.13/32
2024-11-15T14:54:44.813659+01:00 pf01 auth[24466]: (182) Login
incorrect (chrooted_mschap_machine: Program returned code (1) and output
'NT Error: code: 3221225762, message: (3221225762, 'Indicates a name
that was specified as a remote computer name is syntactically
invalid.')'): [host/TEST01-0431-W.domain.local] (from client
192.168.168.13/32 port 12 cli CC:CC:a0:12:f2:01 via TLS tunnel)
2024-11-15T14:54:44.833389+01:00 pf01 auth[24466]: (183) Login incorrect
(eap_peap: The users session was previously rejected: returning reject
(again.)): [host/TEST01-0431-W.domain.local] (from client
192.168.168.13/32 port 12 cli CC:CC:a0:12:f2:01)
Request Time
RADIUS Request
Called-Station-Id = "CC:CC:CC:fd:c7:c0",
Calling-Station-Id = "CC:CC:a0:12:f2:01",
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex",
EAP-Message =
"0x0209005b1a02090056318d08838604578b016f2b66bc4285a44f0000000000000000d629efc803f11f6e6a4a0746f581936561ab748ef3d8b9c600686f73742f4c4f414e2d303433312d572e67617465686f7573652e6c6f63616c",
EAP-Type = "MSCHAPv2",
Event-Timestamp = "Nov 15 2024 14:54:44 CET",
Framed-MTU = "1492",
Framed-Protocol = "PPP",
FreeRADIUS-Proxied-To = "127.0.0.1",
HP-Capability-Advert = "0x011a0000000b28",
HP-Capability-Advert = "0x011a0000000b2e",
HP-Capability-Advert = "0x011a0000000b30",
HP-Capability-Advert = "0x011a0000000b3d",
HP-Capability-Advert = "0x011a0000000b18",
HP-Capability-Advert = "0x011a0000000b19",
HP-Capability-Advert = "0x011a0000000b1b",
HP-Capability-Advert = "0x011a0000000b1c",
HP-Capability-Advert = "0x0138",
HP-Capability-Advert = "0x013a",
HP-Capability-Advert = "0x0140",
HP-Capability-Advert = "0x0141",
HP-Capability-Advert = "0x0151",
MS-CHAP-Challenge = "0x067328bd27a2c12f45db625c9cea3e0e",
MS-CHAP-User-Name = "host\/test01-0431-W.domain.local",
MS-CHAP2-Response =
"0x096f8d08838604578b016f2b66bc4285a44f0000000000000000d629efc803f11f6e6a4a0746f581936561ab748ef3d8b9c6",
MS-RAS-Vendor = "11",
Module-Failure-Message = "chrooted_mschap_machine: Program returned code
(1) and output 'NT Error: code: 3221225762
message: (3221225762
'Indicates a name that was specified as a remote computer name is
syntactically invalid.')'",
Module-Failure-Message = "chrooted_mschap_machine: External script says:
NT Error: code: 3221225762
message: (3221225762
'Indicates a name that was specified as a remote computer name is
syntactically invalid.')",
Module-Failure-Message = "chrooted_mschap_machine: MS-CHAP2-Response is
incorrect",
NAS-IP-Address = "192.168.168.13",
NAS-Identifier = "csw04",
NAS-Port = "12",
NAS-Port-Id = "12",
NAS-Port-Type = "Ethernet",
PacketFence-Domain = "DomainLocal",
PacketFence-KeyBalanced = "0534b50a236bb892fcf00a575daa23f6",
PacketFence-NTLM-Auth-Host = "127.0.0.1",
PacketFence-NTLM-Auth-Port = "5000",
PacketFence-Outer-User = "host\/test01-0431-W.domain.local",
PacketFence-Radius-Ip = "192.168.169.12",
Realm = "domain.local",
Service-Type = "Framed-User",
State = "0x5ef935cd5ef02f6046baa6f3b721026f",
Tunnel-Medium-Type = "IEEE-802",
Tunnel-Private-Group-Id = "1",
Tunnel-Type = "VLAN",
User-Name = "host\/test01-0431-W.domain.local",
User-Password = "******"
RADIUS Reply
EAP-Message = "0x04090004",
MS-CHAP-Error = " E=691 R=0 C=ea5eeb24f84e8a31a4095ba71c0a1d7a V=3
M=Authentication rejected",
Message-Authenticator = "0x00000000000000000000000000000000"
Request Time
RADIUS Request
Called-Station-Id = "CC:CC:CC:fd:c7:c0",
Calling-Station-Id = "CC:CC:a0:12:f2:01",
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex",
EAP-Message = "0x020a00061a03",
EAP-Type = "MSCHAPv2",
Event-Timestamp = "Nov 15 2024 10:30:26 CET",
Framed-MTU = "1492",
Framed-Protocol = "PPP",
FreeRADIUS-Proxied-To = "127.0.0.1",
HP-Capability-Advert = "0x011a0000000b28",
HP-Capability-Advert = "0x011a0000000b2e",
HP-Capability-Advert = "0x011a0000000b30",
HP-Capability-Advert = "0x011a0000000b3d",
HP-Capability-Advert = "0x011a0000000b18",
HP-Capability-Advert = "0x011a0000000b19",
HP-Capability-Advert = "0x011a0000000b1b",
HP-Capability-Advert = "0x011a0000000b1c",
HP-Capability-Advert = "0x0138",
HP-Capability-Advert = "0x013a",
HP-Capability-Advert = "0x0140",
HP-Capability-Advert = "0x0141",
HP-Capability-Advert = "0x0151",
MS-RAS-Vendor = "11",
NAS-IP-Address = "192.168.168.13",
NAS-Identifier = "csw04",
NAS-Port = "12",
NAS-Port-Id = "12",
NAS-Port-Type = "Ethernet",
PacketFence-Domain = "DomainLocal",
PacketFence-KeyBalanced = "0534b50a236bb892fcf00a575daa23f6",
PacketFence-NTLM-Auth-Host = "127.0.0.1",
PacketFence-NTLM-Auth-Port = "5000",
PacketFence-Outer-User = "host\/test01-0431-W.domain.local",
PacketFence-Radius-Ip = "192.168.169.12",
Realm = "domain.local",
Service-Type = "Framed-User",
State = "0x0a86ed4b0b8cf751be0839c16fd84264",
Tunnel-Medium-Type = "IEEE-802",
Tunnel-Private-Group-Id = "1",
Tunnel-Type = "VLAN",
User-Name = "host\/test01-0431-W.domain.local",
User-Password = "******"
RADIUS Reply
EAP-Message = "0x030a0004",
MS-MPPE-Encryption-Policy = "Encryption-Required",
MS-MPPE-Encryption-Types = "4",
MS-MPPE-Recv-Key = "0x5e80908d1591a39dbe46bdf0aa3ea461",
MS-MPPE-Send-Key = "0x0f83cc720229c01b7f30189245f3ff32",
Message-Authenticator = "0x00000000000000000000000000000000",
REST-HTTP-Status-Code = "200",
Reply-Message = "This node is not allowed to use this service",
User-Name = "host\/test01-0431-W.domain.local"
Thanks in advance
\Peter
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
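An added example for readers triaging a radius.log like the one in the post above; it is not code from the post, from PacketFence or from FreeRADIUS. It parses the "Rejected in post-auth" / "Login incorrect" / "Login OK" lines FreeRADIUS writes, drops the eap_peap "previously rejected ... (again.)" echoes so that one EAP session counts as one failure, separates machine authentication (inner identity host/FQDN) from user authentication, and renders the decimal NT status from the chrooted_mschap_machine failure as the hex form Microsoft documents (3221225762 is 0xC0000122, whose documented message is the "remote computer name is syntactically invalid" text seen in the log). The sample input reuses the post's own reject lines plus one constructed "Login OK" line for a user DOMAIN\jdoe, so that the per-endpoint summary shows a case where machine auth fails but user auth succeeds, which is the "only one of them works" symptom the post describes. The mapping host/TEST01-0431-W.domain.local -> TEST01-0431-W$ is the standard sAMAccountName form of an AD computer account; whether PacketFence's NTLM auth helper performs that mapping on this setup is not shown by the log and is not assumed here.

```python
"""Triage FreeRADIUS / PacketFence radius.log 802.1X rejects (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: the post's reject lines plus one CONSTRUCTED "Login OK" line
# (request 190, user DOMAIN\jdoe) to exercise the machine-vs-user summary.
SAMPLE_LOG = """\
2024-11-15T10:32:23.666264+01:00 pf01 auth[44161]: (39583) Rejected in post-auth: [host/TEST01-0431-W.domain.local] (from client 192.168.168.13/32 port 12 cli CC:CC:a0:12:f2:01 via TLS tunnel)
2024-11-15T10:32:23.666689+01:00 pf01 auth[44161]: (39583) Login incorrect: [host/TEST01-0431-W.domain.local] (from client 192.168.168.13/32 port 12 cli CC:CC:a0:12:f2:01 via TLS tunnel)
2024-11-15T10:32:23.669715+01:00 pf01 auth[44161]: (39584) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [host/TEST01-0431-W.domain.local] (from client 192.168.168.13/32 port 12 cli CC:CC:a0:12:f2:01)
2024-11-15T14:54:44.386022+01:00 pf01 auth[24466]: Adding client 192.168.168.13/32
2024-11-15T14:54:44.813659+01:00 pf01 auth[24466]: (182) Login incorrect (chrooted_mschap_machine: Program returned code (1) and output 'NT Error: code: 3221225762, message: (3221225762, 'Indicates a name that was specified as a remote computer name is syntactically invalid.')'): [host/TEST01-0431-W.domain.local] (from client 192.168.168.13/32 port 12 cli CC:CC:a0:12:f2:01 via TLS tunnel)
2024-11-15T14:55:10.000000+01:00 pf01 auth[24466]: (190) Login OK: [DOMAIN\\jdoe] (from client 192.168.168.13/32 port 12 cli CC:CC:a0:12:f2:01 via TLS tunnel)
"""

# FreeRADIUS auth-log line; the reason group is greedy so nested parentheses
# such as "(again.)" inside the reason are kept intact.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth\[(?P<pid>\d+)\]: \((?P<req>\d+)\) "
    r"(?P<verdict>Login OK|Login incorrect|Rejected in post-auth)"
    r"(?: \((?P<reason>.*)\))?: \[(?P<identity>[^\]]+)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\S+) cli (?P<mac>\S+)"
    r"(?P<tunnel> via TLS tunnel)?\)$"
)
# Decimal NTSTATUS plus message as the PacketFence NTLM helper reports it.
NT_ERR_RE = re.compile(
    r"NT Error: code: (?P<code>\d+), message: \(\d+, '(?P<msg>[^']*)'\)"
)


def nt_status_hex(code: int) -> str:
    """Render a decimal NTSTATUS the way Microsoft documents it (0xC0000122)."""
    return f"0x{code:08X}"


def classify_identity(identity: str) -> tuple[str, str, str]:
    """Return (kind, account, realm). host/FQDN is Windows machine auth; the
    matching AD computer object's sAMAccountName is HOSTNAME$ (assumed mapping)."""
    if identity.lower().startswith("host/"):
        short, _, realm = identity[5:].partition(".")
        return "machine", short.upper() + "$", realm.lower()
    if "\\" in identity:                      # DOMAIN\user
        dom, _, user = identity.partition("\\")
        return "user", user, dom.lower()
    if "@" in identity:                       # user@realm
        user, _, realm = identity.partition("@")
        return "user", user, realm.lower()
    return "user", identity, ""


@dataclass
class AuthEvent:
    ts: str
    req: int
    verdict: str
    identity: str
    kind: str
    account: str
    realm: str
    mac: str
    nas: str
    reason: Optional[str]
    nt_code: Optional[int]
    nt_msg: Optional[str]

    @property
    def is_echo(self) -> bool:
        """eap_peap re-issues an earlier reject for the same EAP session; such
        lines add nothing about the root cause and are skipped in summaries."""
        return bool(self.reason) and "previously rejected" in self.reason


def parse_line(line: str) -> Optional[AuthEvent]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None                            # e.g. "Adding client ..." lines
    kind, account, realm = classify_identity(m["identity"])
    reason, nt_code, nt_msg = m["reason"], None, None
    if reason and (nm := NT_ERR_RE.search(reason)):
        nt_code, nt_msg = int(nm["code"]), nm["msg"]
    return AuthEvent(m["ts"], int(m["req"]), m["verdict"], m["identity"], kind,
                     account, realm, m["mac"].lower(), m["client"], reason,
                     nt_code, nt_msg)


def parse_log(text: str) -> list[AuthEvent]:
    return [ev for ev in (parse_line(ln) for ln in text.splitlines()) if ev]


def root_causes(events: list[AuthEvent]) -> dict:
    """One entry per (endpoint MAC, auth kind, request id) for real failures:
    "Rejected in post-auth" and "Login incorrect" for the same request are the
    same failure, and eap_peap echoes are dropped."""
    out: dict = {}
    for ev in events:
        if ev.verdict == "Login OK" or ev.is_echo:
            continue
        key = (ev.mac, ev.kind, ev.req)
        if key not in out:
            out[key] = {"account": ev.account, "realm": ev.realm,
                        "verdict": ev.verdict, "reason": ev.reason,
                        "nt_status": None if ev.nt_code is None
                        else nt_status_hex(ev.nt_code)}
    return out


def endpoint_status(events: list[AuthEvent]) -> dict:
    """Last known outcome per (MAC, kind): shows whether a port got machine
    auth, user auth, both, or neither."""
    last: dict = {}
    for ev in events:
        if not ev.is_echo:
            last[(ev.mac, ev.kind)] = ev.verdict == "Login OK"
    return last


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for key, info in root_causes(evs).items():
        print(key, info["account"], info["verdict"], info["nt_status"])
    print(endpoint_status(evs))
```

Running it on the sample prints two real failures for the machine account TEST01-0431-W$ (request 39583, rejected in post-auth with no inner reason, and request 182, rejected by chrooted_mschap_machine with 0xC0000122) and shows the endpoint cc:cc:a0:12:f2:01 as machine auth failed, user auth succeeded. The two failure shapes differ: a post-auth reject with no module reason points at policy (the PacketFence side deciding the node is not allowed), whereas the NT status comes back from the NTLM helper before any policy is evaluated, so the two should be investigated separately rather than as one fault.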