Ok so based on the log, Autoreg has been enabled but the username doesn't match. I think that it tries to match with samaccountname=DDDD\\uuuu and not samaccountname=uuuu. So can you try to add DDDD as a realm in PacketFence (Configuration -> Realm) and in the ad.domain.com select use stripped username (restart PacketFence too).
And retry.

Also you can check if the username matches something with the pftest cli command.

Regards
Fabrice
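
[Added example, not part of the original thread and not PacketFence code.] The Python sketch below illustrates the mismatch described above: the same RADIUS username produces two different LDAP filters depending on whether the realm is stripped first. The function names are hypothetical, the log line is a constructed sample modelled on the one quoted in the thread, and it assumes the doubled backslash in the log is an escaped single backslash.

```python
import re

# Constructed sample, modelled on the httpd.aaa line quoted in the thread.
SAMPLE_LOG = (
    'Apr 03 12:04:05 httpd.aaa(11755) INFO: [44:37:e6:e3:86:1f] handling radius '
    'autz request: from switch_ip => (x.x.x.x), connection_type => Ethernet-EAP,'
    'switch_mac => (Unknown), mac => [44:37:e6:e3:86:1f], port => 10001, '
    'username => "DDDD\\\\uuuu" (pf::radius::authorize)'
)

_USERNAME_RE = re.compile(r'username => "([^"]*)"')

# Characters that must be escaped in an LDAP filter value (RFC 4515).
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def extract_username(line):
    """Return the username from a 'handling radius autz request' log line."""
    match = _USERNAME_RE.search(line)
    if match is None:
        return None
    # Assumption: the log prints a single backslash as two.
    return match.group(1).replace("\\\\", "\\")


def strip_realm(username):
    """Split REALM\\user or user@realm into (user, realm); realm is None if absent."""
    if "\\" in username:
        realm, user = username.split("\\", 1)
        return user, realm
    if "@" in username:
        user, realm = username.rsplit("@", 1)
        return user, realm
    return username, None


def build_filter(attribute, value):
    """Build an equality filter with the value escaped for LDAP."""
    escaped = "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)
    return "({}={})".format(attribute, escaped)


def compare_filters(line, attribute="sAMAccountName"):
    """Show the filter built from the raw username next to the stripped one."""
    raw = extract_username(line)
    user, realm = strip_realm(raw)
    return {
        "raw": build_filter(attribute, raw),        # matches no AD account
        "stripped": build_filter(attribute, user),  # matches the account uuuu
        "realm": realm,
    }


if __name__ == "__main__":
    for key, value in compare_filters(SAMPLE_LOG).items():
        print(key, value)
```
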


On 2015-04-03 11:09, Sergio Martinez Tagliafico wrote:
No problem,


Now the log shows

Apr 03 12:04:05 httpd.aaa(11755) INFO: [44:37:e6:e3:86:1f] handling radius autz request: from switch_ip => (x.x.x.x), connection_type => Ethernet-EAP,switch_mac => (Unknown), mac => [44:37:e6:e3:86:1f], port => 10001, username => "DDDD\\uuuu" (pf::radius::authorize)
Apr 03 12:04:05 httpd.aaa(11755) INFO: Could not find any IP phones through discovery protocols for ifIndex 10001 (pf::Switch::getPhonesDPAtIfIndex)
Apr 03 12:04:05 httpd.aaa(11755) WARN: Can't find provisioner for 44:37:e6:e3:86:1f since we don't have it's fingerprint (pf::Portal::Profile::findProvisioner)
Apr 03 12:04:05 httpd.aaa(11755) INFO: [44:37:e6:e3:86:1f] Can't find provisioner (pf::vlan::getNormalVlan)
Apr 03 12:04:05 httpd.aaa(11755) INFO: [44:37:e6:e3:86:1f] Connection type is EAP. Getting role from node_info (pf::vlan::getNormalVlan)
Apr 03 12:04:05 httpd.aaa(11755) INFO: [44:37:e6:e3:86:1f] Username was NOT defined or unable to match a role - returning node based role '' (pf::vlan::getNormalVlan)
Apr 03 12:04:05 httpd.aaa(11755) WARN: No parameter Vlan found in conf/switches.conf for the switch x.x.x.x (pf::Switch::getVlanByName)
Apr 03 12:04:05 httpd.aaa(11755) WARN: [44:37:e6:e3:86:1f] Resolved VLAN for node is not properly defined: Replacing with macDetectionVlan (pf::vlan::fetchVlanForNode)
Apr 03 12:04:05 httpd.aaa(11755) INFO: [44:37:e6:e3:86:1f] PID: "DDDD\\uuuu", Status: unreg. Returned VLAN: 1 (pf::vlan::fetchVlanForNode)
Apr 03 12:04:05 httpd.aaa(11755) INFO: [44:37:e6:e3:86:1f] (x.x.x.x) Returning ACCEPT with VLAN 1 and role (pf::Switch::Cisco::Catalyst_2960::returnRadiusAccessAccept)

The authz is still performed via samba, not with ldap from the source.



2015-04-03 11:25 GMT-03:00 Durand fabrice <[email protected] <mailto:[email protected]>>:

    Hello Sergio,

    sorry for the delay.

    So based on your config, you must define an access duration:

    [ad.domain.com rule Usuarios]
    description= Users
    match=all
    action0=set_role=Usuario
    action1=set_access_duration=1D

    Retry and let me know.

    Regards
    Fabrice



    On 2015-04-02 18:41, Sergio Martinez Tagliafico wrote:

    One more detail, I have moved the ldap source (in the web admin
    interface) to the top position, but the ldap is still unused.

    On Apr 2, 2015 6:15 PM, "Sergio Martinez Tagliafico"
    <[email protected] <mailto:[email protected]>> wrote:
    >
    > Sorry about the names of roles and domain used, I did not change all of them.
    >
    > thanks.
    >
    > 2015-04-02 18:07 GMT-03:00 Sergio Martinez Tagliafico
    <[email protected] <mailto:[email protected]>>:
    >
    >> Here you are,
    >>
    >> Initially vlan_filters.conf was empty and the authorization request still does not use ldap source (the log is attached)
    >>
    >> Thanks
    >>
    >>
    >>
    --------------------------------------------------------------------
    >> vlan_filters.conf:
    >>
    >> [EthernetEAP]
    >> filter = connection_type
    >> operator = match
    >> value = Ethernet-EAP
    >>
    >> [1:EthernetEAP]
    >> scope = AutoRegister
    >> role = Usuario
    >>
    >> #[EthernetEAP]
    >> #filter = connection_type
    >> #operator = match
    >> #value = Ethernet-EAP
    >>
    >> #[1:EthernetEAP]
    >> #scope = AutoRegister
    >> #role = UsuarioBSU
    >>
    >>
    ---------------------------------------------------------------------
    >> profiles.conf:
    >>
    >> [default]
    >> description=Default Profile
    >> logo=/common/packetfence-cp.png
    >> billing_engine=disabled
    >> redirecturl=http://www.packetfence.org/
    >> always_use_redirecturl=disabled
    >> mandatory_fields=firstname,lastname,phone,email
    >> locale=en_US
    >> nbregpages=0
    >> filter_match_style=any
    >> block_interval=10m
    >> sms_pin_retry_limit=0
    >> sms_request_limit=0
    >> login_attempt_limit=0
    >> dot1x_recompute_role_from_portal=enabled
    >> reuse_dot1x_credentials=0
    >> sources=
    >> provisioners=
    >>
    >> [SW]
    >> locale=
    >> filter=switch:180.184.226.50
    >> mandatory_fields=
    >> sources=ad.uy.corp
    >>
    >>
    ---------------------------------------------------------------------
    >> authentication.conf:
    >>
    >> [local]
    >> description=Local Users
    >> type=SQL
    >>
    >> [sms]
    >> description=SMS-based registration
    >>
    
sms_carriers=100056,100057,100061,100058,100059,100060,100062,100063,100071,100064,100116,100066,100117,100112,100067,100065,100068,100069,100070,100118,100115,100072,100073,100074,100075,100076,100077,100085,100086,100080,100079,100081,100083,100082,100084,100087,100088,100111,100089,100090,100091,100092,100093,100094,100095,100096,100098,100097,100099,100100,100101,100113,100102,100103,100104,100106,100105,100107,100108,100109,100114,100110,100078
    >> type=SMS
    >> create_local_account=no
    >>
    >> [sms rule catchall]
    >> description=
    >> match=all
    >> action0=set_role=guest
    >> action1=set_access_duration=1D
    >>
    >> [email]
    >> description=Email-based registration
    >> email_activation_timeout=10m
    >> type=Email
    >> create_local_account=no
    >> allow_localdomain=yes
    >>
    >> [email rule catchall]
    >> description=
    >> match=all
    >> action0=set_role=guest
    >> action1=set_access_duration=1D
    >>
    >> [sponsor]
    >> description=Sponsor-based registration
    >> type=SponsorEmail
    >> create_local_account=no
    >> allow_localdomain=yes
    >>
    >> [sponsor rule catchall]
    >> description=
    >> match=all
    >> action0=set_role=guest
    >> action1=set_access_duration=1D
    >>
    >> [null]
    >> description=Null Source
    >> type=Null
    >> email_required=no
    >>
    >> [tq]
    >> description=ra
    >> type=Null
    >> email_required=no
    >>
    >> [ad.domain.com]
    >> description=Active Directory for domain.com
    >> password=****
    >> scope=sub
    >> binddn=CN=***,OU=***,OU=Usuarios,DC=domain,DC=com
    >> basedn=DC=domain,DC=com
    >> usernameattribute=sAMAccountName
    >> connection_timeout=5
    >> stripped_user_name=no
    >> encryption=ssl
    >> cache_match=1
    >> port=636
    >> type=AD
    >> host=x.x.x.x
    >>
    >> [ad.domain.com rule Usuarios]
    >> description= Users
    >> match=all
    >> action0=set_role=Usuario
    >>
    >> ------------------------------------------
    >> Log with vlan_filters.conf empty:
    >>
    >> Apr 02 17:50:18 httpd.aaa(5399) INFO: [44:37:e6:xx:xx:xx] handling radius autz request: from switch_ip => (x.x.x.x), connection_type => Ethernet-EAP,switch_mac => (Unknown), mac => [44:37:e6:xx:xx:xx], port => 10001, username => "DDDD\\uuuu" (pf::radius::authorize)
    >> Apr 02 17:50:19 httpd.aaa(5399) INFO: Could not find any IP phones through discovery protocols for ifIndex 10001 (pf::Switch::getPhonesDPAtIfIndex)
    >> Apr 02 17:50:19 httpd.aaa(5399) INFO: [44:37:e6:xx:xx:xx] is of status unreg; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
    >> Apr 02 17:50:19 httpd.aaa(5399) INFO: [44:37:e6:xx:xx:xx] (x.x.x.x) Returning ACCEPT with VLAN 410 and role (pf::Switch::Cisco::Catalyst_2960::returnRadiusAccessAccept)
    >>
    >>
    >> 2015-04-02 17:33 GMT-03:00 Durand fabrice <[email protected]
    <mailto:[email protected]>>:
    >>
    >>> Ok so you use vlan_filter too, so I need more details.
    >>>
    >>> Can you provide these files:
    >>> vlan_filters.conf
    >>> profile.conf
    >>> authentication.conf
    >>>
    >>> Regards
    >>> Fabrice
    >>>
    >>>
    >>> On 2015-04-02 16:07, Sergio Martinez Tagliafico wrote:
    >>>>
    >>>> I have defined the filter with an ldap source (from the portal profile preview the authz runs fine) but the internal source is not used.
    >>>>
    >>>> [default]
    >>>> description=Default Profile
    >>>> logo=/common/packetfence-cp.png
    >>>> billing_engine=disabled
    >>>> redirecturl=http://www.packetfence.org/
    >>>> always_use_redirecturl=disabled
    >>>> mandatory_fields=firstname,lastname,phone,email
    >>>> locale=en_US
    >>>> nbregpages=0
    >>>> filter_match_style=any
    >>>> block_interval=10m
    >>>> sms_pin_retry_limit=0
    >>>> sms_request_limit=0
    >>>> login_attempt_limit=0
    >>>> dot1x_recompute_role_from_portal=enabled
    >>>> reuse_dot1x_credentials=0
    >>>> sources=
    >>>> provisioners=
    >>>>
    >>>> [SW]
    >>>> locale=
    >>>> filter=switch:180.184.226.50
    >>>> mandatory_fields=
    >>>> sources=ad.domain.com
    >>>>
    >>>>
    >>>>
    >>>> Apr 02 16:58:04 httpd.aaa(5039) INFO: [44:37:e6:xx:xx:xx] handling radius autz request: from switch_ip => (x.x.x.x), connection_type => Ethernet-EAP,switch_mac => (Unknown), mac => [44:37:e6:e3:86:1f], port => 10001, username => "DDDD\\uuuu" (pf::radius::authorize)
    >>>> Apr 02 16:58:04 httpd.aaa(5039) INFO: Could not find any IP phones through discovery protocols for ifIndex 10001 (pf::Switch::getPhonesDPAtIfIndex)
    >>>> Apr 02 16:58:04 httpd.aaa(5039) INFO: [44:37:e6:xx:xx:xx] Match Vlan rule: 1:EthernetEAP (pf::vlan::filter::test)
    >>>> Apr 02 16:58:04 httpd.aaa(5039) WARN: Trying to compute the unreg date from an undefined value. Stopping processing and making unreg date undefined. (pf::config::dynamic_unreg_date)
    >>>>
    >>>>
    >>>> 2015-04-02 16:13 GMT-03:00 Durand fabrice
    <[email protected] <mailto:[email protected]>>:
    >>>>>
    >>>>> Hello Sergio,
    >>>>>
    >>>>> Let's configure a portal profile with filter switch : x.x.x.x and add the ldap source on it and retry.
    >>>>>
    >>>>> Regards
    >>>>> Fabrice
    >>>>>
    >>>>>
    >>>>>
    >>>>> On 2015-04-02 15:07, Sergio Martinez Tagliafico wrote:
    >>>>>>
    >>>>>> Hi friends,
    >>>>>>
    >>>>>> I am in my first experience with PacketFence and I am getting some issues.
    >>>>>>
    >>>>>> One of those is that I do not understand why with 802.1x it does not use internal sources. Below is the log when radius handles an authz request:
    >>>>>>
    >>>>>> Apr 02 15:29:21 httpd.aaa(3355) INFO: [44:37:e6:x:x:x] handling radius autz request: from switch_ip => (x.x.x.x), connection_type => Ethernet-EAP,switch_mac => (Unknown), mac => [44:37:e6:x:x:x], port => 10001, username => "DDDD\\uuuu" (pf::radius::authorize)
    >>>>>> Apr 02 15:29:21 httpd.aaa(3355) INFO: Could not find any IP phones through discovery protocols for ifIndex 10001 (pf::Switch::getPhonesDPAtIfIndex)
    >>>>>>
    >>>>>> The authz is performed as is described in the Administration Guide, under FreeRADIUS Configuration, but the internal sources (I have configured an LDAP source) are not used.
    >>>>>>
    >>>>>> Can someone help me?
    >>>>>>
    >>>>>> Thanks in advance.
    >>>>>> Sergio
    >>>>>>
    >>>>>>
    >>>>>>
    >>>>>>
    
------------------------------------------------------------------------------
    >>>>>> Dive into the World of Parallel Programming The Go
    Parallel Website, sponsored
    >>>>>> by Intel and developed in partnership with Slashdot Media,
    is your hub for all
    >>>>>> things parallel software development, from weekly thought
    leadership blogs to
    >>>>>> news, videos, case studies, tutorials and more. Take a
    look and join the
    >>>>>> conversation now. http://goparallel.sourceforge.net/
    >>>>>>
    >>>>>>
    >>>>>>
    >>>>>> _______________________________________________
    >>>>>> PacketFence-users mailing list
    >>>>>> [email protected]
    <mailto:[email protected]>
    >>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
    >>>>>
    >>>>>
    >>>>>
    >>>>>
    
    >>>>>
    >>>>
    >>>>
    >>>>
    >>>>
    
    >>>
    >>>
    >>>
    >>>
    
    >>>
    >>
    >



    


    




