Hello Jason, can you set your LDAP authentication in the file packetfence-tunnel?
Regards
Fabrice

On 2013-04-16 16:15, Jason 'XenoPhage' Frisvold wrote:
> Hi there,
>
> I'm currently in the process of digging into Packetfence, intending to use
> it as a replacement for an ancient NAC system. I'm finding, however, that
> I need a bit of help. I've been poking around a bit and I have some things
> working, but I'm still having trouble getting the rest up and running.
> Below is, I hope, enough information for someone to assist.
>
> My testing environment is a fairly simple network with a single switch
> (Cisco 3750G) and multiple VLANs. The packetfence box is on a separate
> network, no VLANs in common. There is a firewall in between the PF box and
> the switch, but I am watching logs looking for any traffic being blocked.
> So far I have SNMP and RADIUS open.
>
> I'm running Packetfence 3.6.1 on a RHEL 6.4 system, fully patched. The
> deployment I'm looking for is all out-of-band, no inline 802.1x. I have
> radiusd set up locally, though this may eventually be put on a remote
> server. For now, I need to understand the radius configuration to see if
> we can use our existing radius servers (also freeradius) or if these
> should be separate. Ultimately, authentication should be against our
> openLDAP servers with RADIUS merely acting as a go-between.
>
> I've configured the 3750 according to the packetfence network devices
> guide, specifically, page 19. I'm using 802.1x with MAB (MultiDomain).
> Plugging a macbook into a configured port yields the expected response of
> popping up the 802.1x dialog on the OS. So far, so good. Entering in a
> username/password, however, fails. Which I actually expected.
>
> On the PF side, I can see the incoming transaction in the radius logs for
> the username. The trouble I'm having seems to be in making freeradius
> talk to openldap for the authentication. I'm not entirely sure where to
> enable the ldap piece. I have modified the raddb/modules/ldap file with
> the appropriate server and login information for the ldap browser
> account. I've restarted radiusd and tried to log in again. My ldap
> server, however, is showing no activity from the PF box.
>
> So I dug a bit deeper and saw the references to ldap in the
> sites-enabled/default file. Uncommented those sections, restarted
> radiusd, same result. No LDAP activity.
>
> Monitoring the logs, I can see the attempts from the client, both the
> 802.1x user and the mac address of the client. The mac address always
> results in a Login OK, which is .. odd? Why is that? And the user login
> always fails. Here are the relevant entries:
>
> Tue Apr 16 14:19:45 2013 : Auth: Login incorrect: [testuser] (from client 10.0.0.11 port 50102 cli 00-1F-F3-AB-00-CD via TLS tunnel)
> Tue Apr 16 14:19:45 2013 : Auth: Login incorrect: [testuser] (from client 10.0.0.11 port 50102 cli 00-1F-F3-AB-00-CD)
> Tue Apr 16 14:20:07 2013 : Auth: Login OK: [001ff3ab00cd] (from client 10.0.0.11 port 50102 cli 00-1F-F3-AB-00-CD)
>
> I don't see any indication in the logs that ldap is ever tried.
>
> Can someone please fill me in on what I'm missing? I imagine I'm missing
> a config option somewhere, but I'm not sure where yet. The documentation
> got me this far, but it seems that LDAP is a more advanced setup that
> isn't covered? Are there tutorials or other docs somewhere that I can
> refer to?
>
> Thanks,
>
> --
> ---------------------------
> Jason Frisvold
> xenoph...@godshell.com
> ---------------------------
>
> "Any sufficiently advanced magic is indistinguishable from technology."
> - Niven's Inverse of Clarke's Third Law
>
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Fabrice Durand
fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
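The three `Auth:` lines quoted in the question show two different authentication paths for the same endpoint: the MAB request (the MAC address as User-Name) was accepted, while the 802.1X user was rejected both inside the EAP tunnel (the line marked "via TLS tunnel", i.e. the inner-tunnel virtual server the reply points at with packetfence-tunnel) and in the outer request. The script below is an added example, not code from this thread, PacketFence or FreeRADIUS: it parses FreeRADIUS 2.x `Auth:` log lines of that exact shape and reports, per endpoint MAC, what each path decided, so an operator can spot ports where MAB passed but the inner-tunnel user authentication never succeeded. The first three sample lines are the ones quoted above; the fourth is a constructed non-matching line to show that unrelated records are skipped. The field names (`mab_ok`, `dot1x_inner_ok`, and so on) are my own.

```python
"""Triage helper for FreeRADIUS 'Auth:' log lines (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Shape of a FreeRADIUS 2.x "Auth:" line as quoted in the thread, e.g.
#   Tue Apr 16 14:19:45 2013 : Auth: Login incorrect: [testuser] (from client
#   10.0.0.11 port 50102 cli 00-1F-F3-AB-00-CD via TLS tunnel)
AUTH_LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : Auth: "
    r"Login (?P<result>OK|incorrect): \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)"
    r"(?: cli (?P<cli>[0-9A-Fa-f:.-]+))?"
    r"(?P<tunnel> via TLS tunnel)?\)$"
)

# A MAB request carries the MAC address as User-Name: 12 hex digits, no separators.
MAC_USERNAME = re.compile(r"^[0-9A-Fa-f]{12}$")

# Sample input: three lines quoted in the thread plus one constructed noise line.
SAMPLE_LOG = [
    "Tue Apr 16 14:19:45 2013 : Auth: Login incorrect: [testuser] (from client 10.0.0.11 port 50102 cli 00-1F-F3-AB-00-CD via TLS tunnel)",
    "Tue Apr 16 14:19:45 2013 : Auth: Login incorrect: [testuser] (from client 10.0.0.11 port 50102 cli 00-1F-F3-AB-00-CD)",
    "Tue Apr 16 14:20:07 2013 : Auth: Login OK: [001ff3ab00cd] (from client 10.0.0.11 port 50102 cli 00-1F-F3-AB-00-CD)",
    "Tue Apr 16 14:20:08 2013 : Info: rlm_ldap: (constructed, not an Auth record)",
]


@dataclass
class AuthEvent:
    timestamp: str
    ok: bool
    user: str
    client: str            # NAS (switch) address
    port: str
    calling_station: Optional[str]   # the "cli" value, i.e. Calling-Station-Id
    inner_tunnel: bool               # True for the EAP inner-tunnel decision

    @property
    def is_mab(self) -> bool:
        return MAC_USERNAME.match(self.user) is not None


def normalize_mac(mac: str) -> str:
    """00-1F-F3-AB-00-CD / 00:1f:f3:ab:00:cd / 001ff3ab00cd -> 001ff3ab00cd."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_auth_line(line: str) -> Optional[AuthEvent]:
    """Return an AuthEvent for a matching line, None for anything else."""
    m = AUTH_LINE.match(line.strip())
    if m is None:
        return None
    return AuthEvent(
        timestamp=m.group("ts"),
        ok=m.group("result") == "OK",
        user=m.group("user"),
        client=m.group("client"),
        port=m.group("port"),
        calling_station=m.group("cli"),
        inner_tunnel=m.group("tunnel") is not None,
    )


def triage(lines: List[str]) -> Dict[str, Dict[str, object]]:
    """Group events by endpoint MAC and record what each auth path decided."""
    report: Dict[str, Dict[str, object]] = {}
    for raw in lines:
        ev = parse_auth_line(raw)
        if ev is None:
            continue
        key = normalize_mac(ev.calling_station or ev.user)
        entry = report.setdefault(key, {
            "client": ev.client, "mab_ok": None, "dot1x_user": None,
            "dot1x_inner_ok": None, "dot1x_outer_ok": None,
        })
        if ev.is_mab:
            entry["mab_ok"] = ev.ok
        else:
            entry["dot1x_user"] = ev.user
            if ev.inner_tunnel:
                entry["dot1x_inner_ok"] = ev.ok
            else:
                entry["dot1x_outer_ok"] = ev.ok
    return report


def findings(report: Dict[str, Dict[str, object]]) -> List[str]:
    """Endpoints accepted via MAB whose 802.1X user auth was rejected in the inner tunnel."""
    out = []
    for mac, e in report.items():
        if e["mab_ok"] and e["dot1x_inner_ok"] is False:
            out.append(f"{mac} (NAS {e['client']}): MAB accepted, but inner-tunnel "
                       f"auth for '{e['dot1x_user']}' was rejected; check the "
                       f"inner-tunnel virtual server's authentication backend")
    return out


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for mac, entry in rep.items():
        print(mac, entry)
    for f in findings(rep):
        print("FINDING:", f)
```

Run against a real `radius.log`, replace `SAMPLE_LOG` with the file's lines; the report keys on the Calling-Station-Id so that the MAB line and the user's 802.1X lines for one port end up in the same entry, which is the comparison the question is asking about.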