Hi Fabrice,

Like you said, the authentication fails with "DDDD\\uuuu" but works with
"uuuu" (see the test below).

After adding the Realm, the authentication works correctly. Thanks for your help.


# ./pftest authentication DDDD\\uuuu **** ad-banco
Testing authentication for "DDDD\uuuu"

Authenticating against ad-banco
  Authentication FAILED against ad-banco (Invalid login or password)
  Did not match against ad-banco

# ./pftest authentication uuuu **** ad-banco
Testing authentication for "uuuu"

Authenticating against ad-banco
  Authentication SUCCEEDED against ad-banco (Authentication successful using LDAP)
  Matched against ad-banco
    set_role : Usuario
    set_unreg_date : 2018-03-01

2015-04-03 15:06 GMT-03:00 Durand fabrice <[email protected]>:

>  Ok, so based on the log, Autoreg has been enabled but the username doesn't
> match; I think that it tries to match with samaccountname=DDDD\\uuuu and not
> samaccountname=uuuu.
> So can you try to add DDDD as realm in packetfence (Configuration ->
> Realm) and in the ad.domain.com select use stripped username. (restart
> packetfence too)
> And retry.
>
> Also you can check if the username matches something with the pftest cli
> command.
>
> Regards
> Fabrice
>
>
>
> Le 2015-04-03 11:09, Sergio Martinez Tagliafico a écrit :
>
> No problem,
>
>
>  Now the log shows
>
>  Apr 03 12:04:05 httpd.aaa(11755) INFO: [44:37:e6:e3:86:1f] handling
> radius autz request: from switch_ip => (x.x.x.x), connection_type =>
> Ethernet-EAP,switch_mac => (Unknown), mac => [44:37:e6:e3:86:1f], port =>
> 10001, username => "DDDD\\uuuu" (pf::radius::authorize)
> Apr 03 12:04:05 httpd.aaa(11755) INFO: Could not find any IP phones
> through discovery protocols for ifIndex 10001
> (pf::Switch::getPhonesDPAtIfIndex)
> Apr 03 12:04:05 httpd.aaa(11755) WARN: Can't find provisioner for
> 44:37:e6:e3:86:1f since we don't have it's fingerprint
> (pf::Portal::Profile::findProvisioner)
> Apr 03 12:04:05 httpd.aaa(11755) INFO: [44:37:e6:e3:86:1f] Can't find
> provisioner (pf::vlan::getNormalVlan)
> Apr 03 12:04:05 httpd.aaa(11755) INFO: [44:37:e6:e3:86:1f] Connection type
> is EAP. Getting role from node_info (pf::vlan::getNormalVlan)
> Apr 03 12:04:05 httpd.aaa(11755) INFO: [44:37:e6:e3:86:1f] Username was
> NOT defined or unable to match a role - returning node based role ''
> (pf::vlan::getNormalVlan)
> Apr 03 12:04:05 httpd.aaa(11755) WARN: No parameter Vlan found in
> conf/switches.conf for the switch x.x.x.x (pf::Switch::getVlanByName)
> Apr 03 12:04:05 httpd.aaa(11755) WARN: [44:37:e6:e3:86:1f] Resolved VLAN
> for node is not properly defined: Replacing with macDetectionVlan
> (pf::vlan::fetchVlanForNode)
> Apr 03 12:04:05 httpd.aaa(11755) INFO: [44:37:e6:e3:86:1f] PID:
> "DDDD\\uuuu", Status: unreg. Returned VLAN: 1 (pf::vlan::fetchVlanForNode)
> Apr 03 12:04:05 httpd.aaa(11755) INFO: [44:37:e6:e3:86:1f] (x.x.x.x)
> Returning ACCEPT with VLAN 1 and role
>  (pf::Switch::Cisco::Catalyst_2960::returnRadiusAccessAccept)
>
>  The authz is still performed via samba, not with ldap from the source.
>
>
>
> 2015-04-03 11:25 GMT-03:00 Durand fabrice <[email protected]>:
>
>>  Hello Sergio,
>>
>> sorry for the delay.
>>
>> So based on your config, you must define an access duration:
>>
>> [ad.domain.com rule Usuarios]
>> description= Users
>> match=all
>> action0=set_role=Usuario
>>  action1=set_access_duration=1D
>>
>> Retry and let me know.
>>
>> Regards
>> Fabrice
>>
>>
>>
>> Le 2015-04-02 18:41, Sergio Martinez Tagliafico a écrit :
>>
>> One more detail, I have moved the ldap source (in the web admin
>> interface) at the top position, but the ldap is still unused.
>>
>> El abr 2, 2015 6:15 PM, "Sergio Martinez Tagliafico" <[email protected]>
>> escribió:
>> >
>> > Sorry about the names of roles and domain used, I did not change all
>> of them.
>> >
>> > thanks.
>> >
>> > 2015-04-02 18:07 GMT-03:00 Sergio Martinez Tagliafico <
>> [email protected]>:
>> >
>> >> Here you are,
>> >>
>> >> Initially vlan_filters.conf was empty and the authorization request
>> still does not use ldap source (the log is attached)
>> >>
>> >> Thanks
>> >>
>> >>
>> >> --------------------------------------------------------------------
>> >> vlan_filters.conf:
>> >>
>> >> [EthernetEAP]
>> >> filter = connection_type
>> >> operator = match
>> >> value = Ethernet-EAP
>> >>
>> >> [1:EthernetEAP]
>> >> scope = AutoRegister
>> >> role = Usuario
>> >>
>> >> #[EthernetEAP]
>> >> #filter = connection_type
>> >> #operator = match
>> >> #value = Ethernet-EAP
>> >>
>> >> #[1:EthernetEAP]
>> >> #scope = AutoRegister
>> >> #role = UsuarioBSU
>> >>
>> >> ---------------------------------------------------------------------
>> >> profiles.conf:
>> >>
>> >> [default]
>> >> description=Default Profile
>> >> logo=/common/packetfence-cp.png
>> >> billing_engine=disabled
>> >> redirecturl=http://www.packetfence.org/
>> >> always_use_redirecturl=disabled
>> >> mandatory_fields=firstname,lastname,phone,email
>> >> locale=en_US
>> >> nbregpages=0
>> >> filter_match_style=any
>> >> block_interval=10m
>> >> sms_pin_retry_limit=0
>> >> sms_request_limit=0
>> >> login_attempt_limit=0
>> >> dot1x_recompute_role_from_portal=enabled
>> >> reuse_dot1x_credentials=0
>> >> sources=
>> >> provisioners=
>> >>
>> >> [SW]
>> >> locale=
>> >> filter=switch:180.184.226.50
>> >> mandatory_fields=
>> >> sources=ad.uy.corp
>> >>
>> >> ---------------------------------------------------------------------
>> >> authentication.conf:
>> >>
>> >> [local]
>> >> description=Local Users
>> >> type=SQL
>> >>
>> >> [sms]
>> >> description=SMS-based registration
>> >>
>> sms_carriers=100056,100057,100061,100058,100059,100060,100062,100063,100071,100064,100116,100066,100117,100112,100067,100065,100068,100069,100070,100118,100115,100072,100073,100074,100075,100076,100077,100085,100086,100080,100079,100081,100083,100082,100084,100087,100088,100111,100089,100090,100091,100092,100093,100094,100095,100096,100098,100097,100099,100100,100101,100113,100102,100103,100104,100106,100105,100107,100108,100109,100114,100110,100078
>> >> type=SMS
>> >> create_local_account=no
>> >>
>> >> [sms rule catchall]
>> >> description=
>> >> match=all
>> >> action0=set_role=guest
>> >> action1=set_access_duration=1D
>> >>
>> >> [email]
>> >> description=Email-based registration
>> >> email_activation_timeout=10m
>> >> type=Email
>> >> create_local_account=no
>> >> allow_localdomain=yes
>> >>
>> >> [email rule catchall]
>> >> description=
>> >> match=all
>> >> action0=set_role=guest
>> >> action1=set_access_duration=1D
>> >>
>> >> [sponsor]
>> >> description=Sponsor-based registration
>> >> type=SponsorEmail
>> >> create_local_account=no
>> >> allow_localdomain=yes
>> >>
>> >> [sponsor rule catchall]
>> >> description=
>> >> match=all
>> >> action0=set_role=guest
>> >> action1=set_access_duration=1D
>> >>
>> >> [null]
>> >> description=Null Source
>> >> type=Null
>> >> email_required=no
>> >>
>> >> [tq]
>> >> description=ra
>> >> type=Null
>> >> email_required=no
>> >>
>> >> [ad.domain.com]
>> >> description=Active Directory for domain.com
>> >> password=****
>> >> scope=sub
>> >> binddn=CN=***,OU=***,OU=Usuarios,DC=domain,DC=com
>> >> basedn=DC=domain,DC=com
>> >> usernameattribute=sAMAccountName
>> >> connection_timeout=5
>> >> stripped_user_name=no
>> >> encryption=ssl
>> >> cache_match=1
>> >> port=636
>> >> type=AD
>> >> host=x.x.x.x
>> >>
>> >> [ad.domain.com rule Usuarios]
>> >> description= Users
>> >> match=all
>> >> action0=set_role=Usuario
>> >>
>> >> ------------------------------------------
>> >> Log with vlan_filters.conf empty:
>> >>
>> >> Apr 02 17:50:18 httpd.aaa(5399) INFO: [44:37:e6:xx:xx:xx] handling
>> radius autz request: from switch_ip => (x.x.x.x), connection_type =>
>> Ethernet-EAP,switch_mac => (Unknown), mac => [44:37:e6:xx:xx:xx], port =>
>> 10001, username => "DDDD\\uuuu" (pf::radius::authorize)
>> >> Apr 02 17:50:19 httpd.aaa(5399) INFO: Could not find any IP phones
>> through discovery protocols for ifIndex 10001
>> (pf::Switch::getPhonesDPAtIfIndex)
>> >> Apr 02 17:50:19 httpd.aaa(5399) INFO: [44:37:e6:xx:xx:xx] is of status
>> unreg; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
>> >> Apr 02 17:50:19 httpd.aaa(5399) INFO: [44:37:e6:xx:xx:xx] (x.x.x.x)
>> Returning ACCEPT with VLAN 410 and role
>>  (pf::Switch::Cisco::Catalyst_2960::returnRadiusAccessAccept)
>> >>
>> >>
>> >> 2015-04-02 17:33 GMT-03:00 Durand fabrice <[email protected]>:
>> >>
>> >>> Ok so you use vlan_filter too, so I need more details.
>> >>>
>> >>> Can you provide these files:
>> >>> vlan_filters.conf
>> >>> profile.conf
>> >>> authentication.conf
>> >>>
>> >>> Regards
>> >>> Fabrice
>> >>>
>> >>>
>> >>> Le 2015-04-02 16:07, Sergio Martinez Tagliafico a écrit :
>> >>>>
>> >>>> I have defined the filter with an ldap source (from the portal
>> profile preview the authz runs fine) but the internal source is not used.
>> >>>>
>> >>>> [default]
>> >>>> description=Default Profile
>> >>>> logo=/common/packetfence-cp.png
>> >>>> billing_engine=disabled
>> >>>> redirecturl=http://www.packetfence.org/
>> >>>> always_use_redirecturl=disabled
>> >>>> mandatory_fields=firstname,lastname,phone,email
>> >>>> locale=en_US
>> >>>> nbregpages=0
>> >>>> filter_match_style=any
>> >>>> block_interval=10m
>> >>>> sms_pin_retry_limit=0
>> >>>> sms_request_limit=0
>> >>>> login_attempt_limit=0
>> >>>> dot1x_recompute_role_from_portal=enabled
>> >>>> reuse_dot1x_credentials=0
>> >>>> sources=
>> >>>> provisioners=
>> >>>>
>> >>>> [SW]
>> >>>> locale=
>> >>>> filter=switch:180.184.226.50
>> >>>> mandatory_fields=
>> >>>> sources=ad.domain.com
>> >>>>
>> >>>>
>> >>>>
>> >>>> Apr 02 16:58:04 httpd.aaa(5039) INFO: [44:37:e6:xx:xx:xx] handling
>> radius autz request: from switch_ip => (x.x.x.x), connection_type =>
>> Ethernet-EAP,switch_mac => (Unknown), mac => [44:37:e6:e3:86:1f], port =>
>> 10001, username => "DDDD\\uuuu" (pf::radius::authorize)
>> >>>> Apr 02 16:58:04 httpd.aaa(5039) INFO: Could not find any IP phones
>> through discovery protocols for ifIndex 10001
>> (pf::Switch::getPhonesDPAtIfIndex)
>> >>>> Apr 02 16:58:04 httpd.aaa(5039) INFO: [44:37:e6:xx:xx:xx] Match Vlan
>> rule: 1:EthernetEAP (pf::vlan::filter::test)
>> >>>> Apr 02 16:58:04 httpd.aaa(5039) WARN: Trying to compute the unreg
>> date from an undefined value. Stopping processing and making unreg date
>> undefined. (pf::config::dynamic_unreg_date)
>> >>>>
>> >>>>
>> >>>> 2015-04-02 16:13 GMT-03:00 Durand fabrice <[email protected]>:
>> >>>>>
>> >>>>> Hello Sergio,
>> >>>>>
>> >>>>> let's configure a portal profile with filter switch : x.x.x.x and
>> add the ldap source on it and retry.
>> >>>>>
>> >>>>> Regards
>> >>>>> Fabrice
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> Le 2015-04-02 15:07, Sergio Martinez Tagliafico a écrit :
>> >>>>>>
>> >>>>>> Hi friends,
>> >>>>>>
>> >>>>>> I am in my first experience with packetfence and I am getting some
>> issues.
>> >>>>>>
>> >>>>>> One of those is that I do not understand why 802.1x does not
>> use internal sources. Below is the log when radius handles an authz request:
>> >>>>>>
>> >>>>>> Apr 02 15:29:21 httpd.aaa(3355) INFO: [44:37:e6:x:x:x] handling
>> radius autz request: from switch_ip => (x.x.x.x), connection_type =>
>> Ethernet-EAP,switch_mac => (Unknown), mac => [44:37:e6:x:x:x], port =>
>> 10001, username => "DDDD\\uuuu" (pf::radius::authorize)
>> >>>>>> Apr 02 15:29:21 httpd.aaa(3355) INFO: Could not find any IP phones
>> through discovery protocols for ifIndex 10001
>> (pf::Switch::getPhonesDPAtIfIndex)
>> >>>>>>
>> >>>>>> The authz is performed as described in the Administration
>> Guide, under FreeRADIUS Configuration, but the internal sources (I have
>> configured an LDAP source) are not used.
>> >>>>>>
>> >>>>>> Can someone help me?
>> >>>>>>
>> >>>>>> Thanks in advance.
>> >>>>>> Sergio
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> ------------------------------------------------------------------------------
>> >>>>>> Dive into the World of Parallel Programming The Go Parallel
>> Website, sponsored
>> >>>>>> by Intel and developed in partnership with Slashdot Media, is your
>> hub for all
>> >>>>>> things parallel software development, from weekly thought
>> leadership blogs to
>> >>>>>> news, videos, case studies, tutorials and more. Take a look and
>> join the
>> >>>>>> conversation now. http://goparallel.sourceforge.net/
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>> _______________________________________________
>> >>>>>> PacketFence-users mailing list
>> >>>>>> [email protected]
>> >>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
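
The mismatch resolved in this thread, as an added example that is not part of the original messages and is not PacketFence code: a small Python model of why a lookup on sAMAccountName fails for "DDDD\uuuu" and succeeds once the realm is stripped. The realm table, the directory contents and all function names are assumptions made for illustration; DDDD and uuuu are the thread's placeholders.

```python
# Added illustration; not PacketFence code. Models realm stripping before an
# LDAP lookup on sAMAccountName, using the thread's placeholders DDDD / uuuu.

KNOWN_REALMS = {"DDDD"}   # assumed realm table (what Configuration -> Realm holds)
DIRECTORY = {"uuuu"}      # constructed set of sAMAccountName values
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def split_realm(username):
    """Split DOMAIN\\user or user@realm into (realm, user); realm is None if absent."""
    if "\\" in username:
        realm, user = username.split("\\", 1)
        return realm, user
    if "@" in username:
        user, realm = username.rsplit("@", 1)
        return realm, user
    return None, username


def ldap_escape(value):
    """Escape RFC 4515 filter metacharacters so the value is matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def lookup_name(username, stripped):
    """Name searched in the directory: stripped only for a configured realm."""
    realm, user = split_realm(username)
    if stripped and realm is not None and realm.upper() in KNOWN_REALMS:
        return user
    return username


def build_filter(username, stripped, attribute="sAMAccountName"):
    """LDAP search filter for the looked-up name, with the value escaped."""
    return "(%s=%s)" % (attribute, ldap_escape(lookup_name(username, stripped)))


def matches(username, stripped):
    """True when the looked-up name exists in the constructed directory."""
    return lookup_name(username, stripped) in DIRECTORY


if __name__ == "__main__":
    for name in ("DDDD\\uuuu", "uuuu", "OTHER\\uuuu"):
        for stripped in (False, True):
            print(name, stripped, build_filter(name, stripped), matches(name, stripped))
```

With stripping off, the filter carries the whole "DDDD\uuuu" string (backslash escaped as \5c) and finds nothing; a realm that is not configured is left unstripped and also fails to match.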
