I've attached what seems to be the relevant part of the radius debug log. Is
there an issue processing the backslashes?
________________________________
From: Fabrice Durand [mailto:[email protected]]
Sent: Saturday, June 29, 2013 1:25 PM
To: [email protected]
Subject: Re: [PacketFence-users] 802.1x device identifier
Hello Tom,
Launch radius in debug mode to see what happens.
Regards
Fabrice
On 2013-06-27 14:25, Tom Fischer wrote:
I have PFZEN 4.0.1 running in a test environment. I have PF
authenticating Windows wireless workstations via 802.1x with VLAN enforcement.
The connections are working fine, but the identifier/owner is always logged as
admin. Radius appears to be sending the username, but I don't see PF picking it
up. Is there something I need to change?
Radius log
Thu Jun 27 12:09:41 2013 : Auth: Login OK: [DD\\myname] (from client a.b.c.d port 8551 cli 0090.4b78.ffff via TLS tunnel)
Thu Jun 27 12:09:43 2013 : Auth: rlm_perl: Returning vlan 1 to request from 00:90:4b:78:92:70 port 8551
Thu Jun 27 12:09:43 2013 : Auth: Login OK: [DD\\myname] (from client a.b.c.d port 8551 cli 0090.4b78.ffff)
Packetfence log
Jun 27 12:09:42 pf::WebAPI(7869) INFO: handling radius autz request: from switch_ip => a.b.c.d, connection_type => Wireless-802.11-EAP mac => 00:90:4b:78:ff:ff, port => 8551, username => (pf::radius::authorize)
Jun 27 12:09:42 pf::WebAPI(7869) INFO: node 00:90:4b:78:ff:ff does not yet exist in database. Adding it now (pf::radius::authorize)
Jun 27 12:09:43 pf::WebAPI(7869) INFO: MAC: 00:90:4b:78:ff:ff, PID: admin, Status: reg. Returned VLAN: 1 (pf::vlan::fetchVlanForNode)
------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:
Build for Windows Store.
http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
++[eap] returns ok
Login OK: [DD\\myname] (from client aa.bb.cc.dd port 9656 cli 0090.4b78.9270
via TLS tunnel)
# Executing section post-auth from file
/usr/local/pf/raddb//sites-enabled/packetfence-tunnel
+- entering group post-auth {...}
++[exec] returns noop
rlm_perl: Returning vlan 1 to request from 00:90:4b:78:92:70 port 9656
rlm_perl: PacketFence RESULT RESPONSE CODE: 2 (2 means OK)
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Login-User
rlm_perl: Added pair Called-Station-Id = 0022.90b3.9501
rlm_perl: Added pair State = 0x6eb0af076fb9b5a319b2951250aba871
rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
rlm_perl: Added pair EAP-Type = MS-CHAP-V2
rlm_perl: Added pair NAS-IP-Address = aa.bb.cc.dd
rlm_perl: Added pair NAS-Port-Id = 9656
rlm_perl: Added pair Calling-Station-Id = 0090.4b78.9270
rlm_perl: Added pair Cisco-AVPair = ssid=OGWN
rlm_perl: Added pair User-Name = DD\\myname
rlm_perl: Added pair NAS-Identifier = ap
rlm_perl: Added pair EAP-Message = 0x020900061a03
rlm_perl: Added pair NAS-Port = 9656
rlm_perl: Added pair WISPr-Location-Name = 3rd floor Conf RM
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair MS-MPPE-Send-Key = 0x91fe569be750d8ddc75e67c901a790d5
rlm_perl: Added pair MS-MPPE-Encryption-Types = 0x00000004
rlm_perl: Added pair Tunnel-Type = 13
rlm_perl: Added pair Tunnel-Medium-Type = 6
rlm_perl: Added pair MS-MPPE-Encryption-Policy = 0x00000002
rlm_perl: Added pair Message-Authenticator = 0x00000000000000000000000000000000
rlm_perl: Added pair Tunnel-Private-Group-ID = 1
rlm_perl: Added pair User-Name = DD\\myname
rlm_perl: Added pair MS-MPPE-Recv-Key = 0x123968c6e8f1df6463eeabbd0abfa12d
rlm_perl: Added pair EAP-Message = 0x03090004
rlm_perl: Added pair Auth-Type = EAP
++[packetfence] returns ok
} # server packetfence-tunnel
[peap] Got tunneled reply code 2
MS-MPPE-Send-Key = 0x91fe569be750d8ddc75e67c901a790d5
MS-MPPE-Encryption-Types = 0x00000004
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
MS-MPPE-Encryption-Policy = 0x00000002
Message-Authenticator = 0x00000000000000000000000000000000
Tunnel-Private-Group-Id:0 = "1"
User-Name = "DD\\myname"
MS-MPPE-Recv-Key = 0x123968c6e8f1df6463eeabbd0abfa12d
EAP-Message = 0x03090004
[peap] Got tunneled reply RADIUS code 2
MS-MPPE-Send-Key = 0x91fe569be750d8ddc75e67c901a790d5
MS-MPPE-Encryption-Types = 0x00000004
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
MS-MPPE-Encryption-Policy = 0x00000002
Message-Authenticator = 0x00000000000000000000000000000000
Tunnel-Private-Group-Id:0 = "1"
User-Name = "DD\\myname"
MS-MPPE-Recv-Key = 0x123968c6e8f1df6463eeabbd0abfa12d
EAP-Message = 0x03090004
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] returns handled
} # server packetfence
Sending Access-Challenge of id 54 to aa.bb.cc.dd port 1645
EAP-Message = 0x010a00261900170301001ba1ade799e99e0dac17d3075727a9ea7a939e3f653a20ef8e31a407
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1fb7bb5d18bda2d828d16a40d72634da
Finished request 8.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host aa.bb.cc.dd port 1645, id=55, length=218
User-Name = "DD\\myname"
Framed-MTU = 1400
Called-Station-Id = "0022.90b3.9501"
Calling-Station-Id = "0090.4b78.9270"
Cisco-AVPair = "ssid=OGWN"
WISPr-Location-Name = "3rd floor Conf RM"
Service-Type = Login-User
Message-Authenticator = 0xb0634449be5374f075866f26b076a0f0
EAP-Message = 0x020a00261900170301001bd6df60a39b2f686e64df6edb387c430fbc9ef9ced32c515da151c5
NAS-Port-Type = Wireless-802.11
NAS-Port = 9656
NAS-Port-Id = "9656"
State = 0x1fb7bb5d18bda2d828d16a40d72634da
NAS-IP-Address = aa.bb.cc.dd
NAS-Identifier = "ap"
server packetfence {
# Executing section authorize from file
/usr/local/pf/raddb//sites-enabled/packetfence
+- entering group authorize {...}
[suffix] No '@' in User-Name = "DD\myname", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[preprocess] returns ok
[eap] EAP packet type response id 10 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
User-Name = "DD\\myname"
[eap] Freeing handler
++[eap] returns ok
Login OK: [DD\\myname] (from client aa.bb.cc.dd port 9656 cli 0090.4b78.9270)
# Executing section post-auth from file
/usr/local/pf/raddb//sites-enabled/packetfence
+- entering group post-auth {...}
++[exec] returns noop
++? if (!EAP-Type || (EAP-Type != 21 && EAP-Type != 25))
? Evaluating !(EAP-Type ) -> FALSE
?? Evaluating (EAP-Type != 21 ) -> TRUE
?? Evaluating (EAP-Type != 25) -> FALSE
++? if (!EAP-Type || (EAP-Type != 21 && EAP-Type != 25)) -> FALSE
} # server packetfence
Sending Access-Accept of id 55 to aa.bb.cc.dd port 1645
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
User-Name = "DD\\myname"
MS-MPPE-Recv-Key = 0x746a2e6f91c251cc562568568fad807911f08a187609629f28486efe6a407071
MS-MPPE-Send-Key = 0x162efb2c74592e7375f9f8655a614dd83bda03221d1a5ddf1478361c09e11b71
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 9.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Accounting-Request packet from host aa.bb.cc.dd port 1646, id=63, length=247
Acct-Session-Id = "0000260C"
Called-Station-Id = "0022.90b3.9501"
Calling-Station-Id = "0090.4b78.9270"
Cisco-AVPair = "ssid=OGWN"
Cisco-AVPair = "vlan-id=1"
Cisco-AVPair = "nas-location=3rd floor Conf RM"
WISPr-Location-Name = "3rd floor Conf RM"
User-Name = "DD\\myname"
Cisco-AVPair = "connect-progress=Call Up"
Acct-Authentic = RADIUS
Acct-Status-Type = Start
NAS-Port-Type = Wireless-802.11
NAS-Port = 9656
NAS-Port-Id = "9656"
Service-Type = Framed-User
NAS-IP-Address = aa.bb.cc.dd
Acct-Delay-Time = 0
server packetfence {
# Executing section preacct from file
/usr/local/pf/raddb//sites-enabled/packetfence
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 9656,Client-IP-Address = aa.bb.cc.dd,NAS-IP-Address = aa.bb.cc.dd,Acct-Session-Id = "0000260C",User-Name = "DD\\myname"'
[acct_unique] Acct-Unique-Session-ID = "9323b0c43bc08a24".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "DD\myname", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file
/usr/local/pf/raddb//sites-enabled/packetfence
+- entering group accounting {...}
[sql] expand: %{User-Name} -> DD\myname
[sql] sql_set_user escaped user --> 'DD\myname'
[sql] expand: %{Acct-Delay-Time} -> 0
[sql] expand: CALL acct_start ( '%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}', '%{SQL-User-Name}',
'%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}',
'%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}',
'', '0', '0',
REPLACE(REPLACE('%{Called-Station-Id}','-',''),':',''),
REPLACE(REPLACE('%{Calling-Station-Id}','-',''),':',''), '',
'%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
'%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}',
'%{Acct-Status-Type}') -> CALL acct_start ( '0000260C',
'9323b0c43bc08a24', 'OG=5Cmyname', '', 'aa.bb.cc.dd',
'9656', 'Wireless-802.11', '2013-07-01 16:12:35', NULL,
'0', 'RADIUS', '', '', '0', '0',
REPLACE(REPLACE('0022.90b3.9501','-',''),':',''),
REPLACE(REPLACE('0090.4b78.9270','-',''),':',''), '',
'Framed-User', '', '
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
[attr_filter.accounting_response] expand: %{User-Name} -> DD\myname
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
} # server packetfence
Sending Accounting-Response of id 63 to aa.bb.cc.dd port 1646
Finished request 10.
Cleaning up request 10 ID 63 with timestamp +12
Going to the next request
Waking up in 4.8 seconds.
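A small log-correlation check for the symptom in this thread (FreeRADIUS logs a "Login OK" with a DOMAIN\user name, while PacketFence's authorize request for the same MAC and port shows an empty username and falls back to PID admin). This is an added example, not code from the thread or from PacketFence; the sample log lines are constructed from the anonymised values above, and the function and regex names are my own.

```python
import re

# Constructed sample lines modelled on the RADIUS and PacketFence logs in the thread.
# Raw strings keep the doubled backslash exactly as FreeRADIUS prints it.
RADIUS_LOG = r"""
Thu Jun 27 12:09:41 2013 : Auth: Login OK: [DD\\myname] (from client a.b.c.d port 8551 cli 0090.4b78.ffff via TLS tunnel)
Thu Jun 27 12:09:43 2013 : Auth: Login OK: [DD\\myname] (from client a.b.c.d port 8551 cli 0090.4b78.ffff)
"""
PF_LOG = r"""
Jun 27 12:09:42 pf::WebAPI(7869) INFO: handling radius autz request: from switch_ip => a.b.c.d, connection_type => Wireless-802.11-EAP mac => 00:90:4b:78:ff:ff, port => 8551, username => (pf::radius::authorize)
"""

LOGIN_OK = re.compile(r"Login OK: \[(?P<user>[^\]]*)\] \(from client \S+ port (?P<port>\d+) "
                      r"cli (?P<mac>[0-9A-Fa-f.:-]+)")
AUTZ_REQ = re.compile(r"handling radius autz request:.*?mac => (?P<mac>[0-9A-Fa-f:]+), "
                      r"port => (?P<port>\d+), username => (?P<user>\S*?)\s*\(pf::radius::authorize\)")


def normalize_mac(mac: str) -> str:
    """Cisco dotted (0090.4b78.ffff) or dashed form -> colon-separated lowercase."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def split_user(raw: str):
    # FreeRADIUS prints each backslash doubled; collapse to one, then split DOMAIN\user.
    user = raw.replace("\\\\", "\\")
    domain, sep, name = user.partition("\\")
    return (domain, name) if sep else ("", user)


def find_dropped_usernames(radius_log: str, pf_log: str):
    """Authorize requests whose username is empty although FreeRADIUS logged a
    successful login with a username for the same MAC and NAS port."""
    seen = {}
    for m in LOGIN_OK.finditer(radius_log):
        seen[(normalize_mac(m["mac"]), m["port"])] = split_user(m["user"])
    findings = []
    for m in AUTZ_REQ.finditer(pf_log):
        key = (normalize_mac(m["mac"]), m["port"])
        radius_user = seen.get(key)
        if radius_user and radius_user[1] and not m["user"]:
            findings.append({"mac": key[0], "port": key[1],
                             "radius_domain": radius_user[0], "radius_user": radius_user[1]})
    return findings


if __name__ == "__main__":
    for f in find_dropped_usernames(RADIUS_LOG, PF_LOG):
        print("username dropped between RADIUS and PacketFence:", f)
```

Run it over the real radius.log and packetfence.log side by side; every finding is a session that will be registered to the default PID instead of the authenticated user.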