Hi Louis, I'm sorry, I forgot to answer your comments in the log dump... :/ Please look for my comments in the log below...

I have to admit that I'm relatively new to this topic... but I've read lots of stuff about it... :) So I tried different configurations and found that only a combination of linkUp/Down and 802.1x/MAB can satisfy our needs. What I don't understand is how a new IP assignment should work without linkDown and Up again for a non-802.1x/MAB (out-of-band) client. For example: guest users are put in the "registration VLAN", then they authenticate via web portal, then they are put into the "guest VLAN"... But the clients won't search for a new IP address unless the network connection is disconnected... that's why I use linkUp/Down via SNMP... Before I reconfigure all my test equipment, can you confirm that I can do all this with RADIUS auth. only?

FYI: what we have here is... (stupid) Panasonic IP phones, Cisco C2960 + C3750 switches, Cisco WAC+APs, MS AD source and all different kinds of clients... wired and wireless..., 4 different VLANs to put users in, depending on group membership or machine name.

Thank you a lot!
Dennis

From: Louis Munro
Reply-To: "[email protected]<mailto:[email protected]>"
Date: Wednesday, 5 August 2015 18:55
To: "[email protected]<mailto:[email protected]>"
Subject: Re: [PacketFence-users] Problem with Users-Sources-AD Rules after upgrading to 5.3.1. Connection type is WIRED_MAC_AUTH. -> Username was NOT defined or unable to match a role - Connection type is EAP. -> Username was defined

Hi Dennis,

I am not sure I agree with your assessment of the situation. For one thing, do you need to run pfsetvlan? Unless you have switches authenticating with port security or link-up/down traps (and you really shouldn't) then you don't need it. Turn it off if all you have is RADIUS authentication.
On Aug 5, 2015, at 11:48, Dennis Schulmeyer <[email protected]<mailto:[email protected]>> wrote:

[root@testpf vlan]# tail -f /usr/local/pf/logs/packetfence.log
Aug 05 17:12:42 httpd.aaa(2825) INFO: [70:5a:b6:a7:a5:0d] handling radius autz request: from switch_ip => (192.168.6.20), connection_type => WIRED_MAC_AUTH,switch_mac => (00:23:34:a6:0f:06), mac => [70:5a:b6:a7:a5:0d], port => 10504, username => "705ab6a7a50d" (pf::radius::authorize)
Aug 05 17:12:44 httpd.aaa(2825) INFO: Could not find any IP phones through discovery protocols for ifIndex 10504 (pf::Switch::getPhonesDPAtIfIndex)
Aug 05 17:12:44 httpd.aaa(2825) INFO: [70:5a:b6:a7:a5:0d] Can't find provisioner (pf::vlan::getNormalVlan)
Aug 05 17:12:44 httpd.aaa(2825) INFO: [70:5a:b6:a7:a5:0d] Can't find scan engine (pf::vlan::getNormalVlan)
Aug 05 17:12:44 httpd.aaa(2825) INFO: [70:5a:b6:a7:a5:0d] Connection type is WIRED_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
Aug 05 17:12:44 httpd.aaa(2825) INFO: [70:5a:b6:a7:a5:0d] Username was NOT defined or unable to match a role - returning node based role '' (pf::vlan::getNormalVlan)
Aug 05 17:12:44 httpd.aaa(2825) WARN: No parameter Vlan found in conf/switches.conf for the switch 192.168.6.20 (pf::Switch::getVlanByName)
Aug 05 17:12:44 httpd.aaa(2825) WARN: [70:5a:b6:a7:a5:0d] Resolved VLAN for node is not properly defined: Replacing with macDetectionVlan (pf::vlan::fetchVlanForNode)
Aug 05 17:12:44 httpd.aaa(2825) INFO: [70:5a:b6:a7:a5:0d] PID: "TESTDOMAIN\\dennis.schulmeyer", Status: reg Returned VLAN: 14, Role: (pf::vlan::fetchVlanForNode)
Aug 05 17:12:44 httpd.aaa(2825) INFO: [70:5a:b6:a7:a5:0d] (192.168.6.20) Returning ACCEPT with VLAN 14 and role (pf::Switch::Cisco::Catalyst_2960::returnRadiusAccessAccept)

I am seeing an access-accept here. It returns VLAN 14 which comes from the configuration, in the switches config where you mapped "Mac Detection" to VLAN 14.

Usually what this means is that the device is registered (probably because it did so on an EAP connection before) but there is no role for it in the database. Look for that device in the "nodes" panel. I'll bet you it does not have a role.

— correct, the node doesn't have a role, but the user does... As soon as I give the device a role manually, the switch will put the device in the given VLAN.
1. Do I need to give every node a defined role manually?
2. Why isn't the user's role being applied, as we see with the device below?
3. Maybe the node role wasn't applied because of the Realms/Domain problem I've reported at http://sourceforge.net/p/packetfence/mailman/message/34348653/ ?!

Aug 05 17:31:56 pfsetvlan(1) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
Aug 05 17:31:56 pfsetvlan(1) INFO: down trap received on 192.168.6.20 ifIndex 10504 (main::handleTrap)
Aug 05 17:31:56 pfsetvlan(1) INFO: security traps are configured on this switch port. Stopping DOWN trap handling here (main::handleTrap)
Aug 05 17:31:56 pfsetvlan(1) INFO: finished (main::cleanupAfterThread)
Aug 05 17:32:05 httpd.aaa(2825) INFO: [68:f7:28:d6:9a:04] handling radius autz request: from switch_ip => (192.168.6.20), connection_type => Ethernet-EAP,switch_mac => (00:23:34:a6:0f:06), mac => [68:f7:28:d6:9a:04], port => 10504, username => "TESTDOMAIN\\dennis.schulmeyer" (pf::radius::authorize)
Aug 05 17:32:06 httpd.aaa(2825) INFO: Could not find any IP phones through discovery protocols for ifIndex 10504 (pf::Switch::getPhonesDPAtIfIndex)
Aug 05 17:32:06 httpd.aaa(2825) INFO: Memory configuration is not valid anymore for key resource::authentication_lookup in local cached_hash (pfconfig::cached::is_valid)
Aug 05 17:32:06 httpd.aaa(2825) INFO: [TESTDOMAIN Users_AdminDept] Found a match (CN=Dennis Schulmeyer,OU=Users,DC=TESTDOMAIN,DC=com) (pf::Authentication::Source::LDAPSource::match_in_subclass)
Aug 05 17:32:06 httpd.aaa(2825) INFO: [TESTDOMAIN Users_AdminDept] Found a match (CN=Dennis Schulmeyer,OU=Users,DC=TESTDOMAIN,DC=com) (pf::Authentication::Source::LDAPSource::match_in_subclass)
Aug 05 17:32:06 httpd.aaa(2825) INFO: [TESTDOMAIN Users_AdminDept] Found a match (CN=Dennis Schulmeyer,OU=Users,DC=TESTDOMAIN,DC=com) (pf::Authentication::Source::LDAPSource::match_in_subclass)
Aug 05 17:32:06 httpd.aaa(2825) WARN: Trying to compute the unreg date from an undefined value. Stopping processing and making unreg date undefined. (pf::config::dynamic_unreg_date)
Aug 05 17:32:06 httpd.aaa(2825) INFO: [68:f7:28:d6:9a:04] autoregister a node that is already registered, do nothing. (pf::node::node_register)
Aug 05 17:32:06 httpd.aaa(2825) INFO: [68:f7:28:d6:9a:04] Can't find provisioner (pf::vlan::getNormalVlan)
Aug 05 17:32:06 httpd.aaa(2825) INFO: [68:f7:28:d6:9a:04] Can't find scan engine (pf::vlan::getNormalVlan)
Aug 05 17:32:06 httpd.aaa(2825) INFO: [68:f7:28:d6:9a:04] Connection type is EAP. Getting role from node_info (pf::vlan::getNormalVlan)
Aug 05 17:32:06 httpd.aaa(2825) INFO: [68:f7:28:d6:9a:04] Username was defined "TESTDOMAIN\\dennis.schulmeyer" - returning user based role 'VLAN3_Guests' (pf::vlan::getNormalVlan)
Aug 05 17:32:06 httpd.aaa(2825) INFO: [68:f7:28:d6:9a:04] PID: "TESTDOMAIN\\dennis.schulmeyer", Status: reg Returned VLAN: 3, Role: VLAN3_Guests (pf::vlan::fetchVlanForNode)
Aug 05 17:32:06 httpd.aaa(2825) INFO: [68:f7:28:d6:9a:04] (192.168.6.20) Returning ACCEPT with VLAN 3 and role (pf::Switch::Cisco::Catalyst_2960::returnRadiusAccessAccept)
Aug 05 17:32:10 pfsetvlan(4) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
Aug 05 17:32:10 pfsetvlan(4) INFO: up trap received on 192.168.6.20 ifIndex 10504 (main::handleTrap)
Aug 05 17:32:10 pfsetvlan(4) INFO: security traps are configured on this switch port. Stopping UP trap handling here (main::handleTrap)
Aug 05 17:32:10 pfsetvlan(4) INFO: finished (main::cleanupAfterThread)

This, on the other hand, shows a successful authentication for a user. The Users_AdminDept rule you have defined for the TESTDOMAIN returns the VLAN3_Guests role. If you want the rule to return a different role you have to configure it to do so.

— yes, that's clear. I've just added this to show that the user role assignment works with a "non domain member" node.

So I am not sure I understand the problem. Both devices are successfully authenticated. They may not get the VLANs you expect but that seems to have to do with the way your sources are configured. What was the expected behaviour, and how does the above differ from it?

— I expected that the user's role, defined in the "sources", would be applied whether the machine is a domain member or not. What we have/want here are three possibilities:
1. Unknown machine with temporary user account (Guest User/pf database) put into GuestVLAN after registration – works perfectly!
2. Unknown machine with AD user (depending on memberOf) put into VLANx – works perfectly!
3. Known machine (AD machine name) put into DomainAuthVLAN during MS Windows logon, then depending on AD username (memberOf) put into VLANx after MS Windows logon. – does not work, because of the two issues I've reported.

Regards,
--
Louis Munro
[email protected]<mailto:[email protected]> :: www.inverse.ca<http://www.inverse.ca>
+1.514.447.4918 x125 :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu<http://www.sogo.nu>) and PacketFence (www.packetfence.org<http://www.packetfence.org>)
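The two log excerpts above show the distinction Louis points at: on the MAB request PacketFence found no username, fell back to the node's (empty) role and replaced the unresolved VLAN with macDetectionVlan, while on the EAP request the user-based role VLAN3_Guests was returned. The script below is an added example, not PacketFence code, that reads packetfence.log lines (the ones quoted in the thread are embedded as sample input) and flags every Access-Accept that was issued without a role or via the macDetectionVlan fallback, so such nodes can be found without waiting for a user to notice the wrong VLAN.

```python
import re

# Sample input: packetfence.log lines quoted in the thread above (PacketFence 5.3.1).
LOG = r"""
Aug 05 17:12:44 httpd.aaa(2825) INFO: [70:5a:b6:a7:a5:0d] Connection type is WIRED_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
Aug 05 17:12:44 httpd.aaa(2825) INFO: [70:5a:b6:a7:a5:0d] Username was NOT defined or unable to match a role - returning node based role '' (pf::vlan::getNormalVlan)
Aug 05 17:12:44 httpd.aaa(2825) WARN: [70:5a:b6:a7:a5:0d] Resolved VLAN for node is not properly defined: Replacing with macDetectionVlan (pf::vlan::fetchVlanForNode)
Aug 05 17:12:44 httpd.aaa(2825) INFO: [70:5a:b6:a7:a5:0d] (192.168.6.20) Returning ACCEPT with VLAN 14 and role (pf::Switch::Cisco::Catalyst_2960::returnRadiusAccessAccept)
Aug 05 17:32:06 httpd.aaa(2825) INFO: [68:f7:28:d6:9a:04] Connection type is EAP. Getting role from node_info (pf::vlan::getNormalVlan)
Aug 05 17:32:06 httpd.aaa(2825) INFO: [68:f7:28:d6:9a:04] Username was defined "TESTDOMAIN\\dennis.schulmeyer" - returning user based role 'VLAN3_Guests' (pf::vlan::getNormalVlan)
Aug 05 17:32:06 httpd.aaa(2825) INFO: [68:f7:28:d6:9a:04] (192.168.6.20) Returning ACCEPT with VLAN 3 and role (pf::Switch::Cisco::Catalyst_2960::returnRadiusAccessAccept)
"""

# Every per-node line carries the MAC in square brackets; the patterns below
# pull out the decision steps pf::vlan logs on the way to an Access-Accept.
MAC = r"\[([0-9a-f]{2}(?::[0-9a-f]{2}){5})\]"
CONN_RE = re.compile(MAC + r" Connection type is (\S+)\.")
ROLE_RE = re.compile(MAC + r" Username was .* - returning (node|user) based role '([^']*)'")
FALLBACK_RE = re.compile(MAC + r" Resolved VLAN for node is not properly defined: Replacing with (\w+)")
ACCEPT_RE = re.compile(MAC + r" \(([\d.]+)\) Returning ACCEPT with VLAN (\d+)")

PATTERNS = (
    (CONN_RE, ("conn",)),
    (ROLE_RE, ("role_source", "role")),
    (FALLBACK_RE, ("fallback",)),
    (ACCEPT_RE, ("switch", "vlan")),
)


def parse_decisions(log):
    """Collapse the per-request log lines into one record per MAC address."""
    nodes = {}
    for line in log.splitlines():
        for rx, keys in PATTERNS:
            m = rx.search(line)
            if m:
                nodes.setdefault(m.group(1), {}).update(zip(keys, m.groups()[1:]))
    return nodes


def fallback_accepts(nodes):
    """MACs that were accepted with an empty role or via the macDetectionVlan fallback."""
    return sorted(mac for mac, n in nodes.items()
                  if "vlan" in n and (n.get("role", "") == "" or "fallback" in n))


if __name__ == "__main__":
    decisions = parse_decisions(LOG)
    for mac in fallback_accepts(decisions):
        n = decisions[mac]
        print(f"{mac}: {n['conn']} accepted into VLAN {n['vlan']} on {n['switch']} "
              f"with no role ({n.get('fallback', 'no fallback logged')})")
```

Run it against the live file with `parse_decisions(open('/usr/local/pf/logs/packetfence.log').read())`; a non-empty result lists exactly the nodes that need a role in the "nodes" panel, or a source rule that actually matches them.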
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
