OK guys, sorry for spamming, but I've gotten this far...

Authentication works using EAP-TTLS.  So the Windows 10 computer can
authenticate.  However, PacketFence is not updating the VLAN properly.  If
I have the credentials saved in the computer, it successfully reaches the
Registration VLAN, but when logging into the captive portal, even though
it's successful, the VLAN doesn't change.

Here're the relevant log entries...

For initial connection:
radius.log:
Wed Nov 25 13:43:14 2015 : Auth: Login OK: [[email protected]] (from client 172.20.100.1 port 13 cli 00:1d:72:35:22:ce via TLS tunnel)
Wed Nov 25 13:43:14 2015 : Auth: rlm_perl: Returning vlan 99 to request from 00:1d:72:35:22:ce port 13
Wed Nov 25 13:43:14 2015 : Auth: Login OK: [[email protected]] (from client 172.20.100.1 port 13 cli 00:1d:72:35:22:ce)

packetfence.log:
Nov 25 13:43:14 httpd.aaa(32213) INFO: [00:1d:72:35:22:ce] handling radius autz request: from switch_ip => (172.20.100.1), connection_type => WIRED_MAC_AUTH,switch_mac => (44:d9:e7:51:a1:ab), mac => [00:1d:72:35:22:ce], port => 26, username => "[email protected]" (pf::radius::authorize)
Nov 25 13:43:14 httpd.aaa(32213) INFO: [00:1d:72:35:22:ce] is of status unreg; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
Nov 25 13:43:14 httpd.aaa(32213) INFO: [00:1d:72:35:22:ce] (172.20.100.1) Returning ACCEPT with VLAN 99 and role (pf::Switch::returnRadiusAccessAccept)
Nov 25 13:43:14 httpd.aaa(32213) INFO: Update of the locationlog based on accounting data is not supported on network device type pf::Switch::UBNTEdgeSwitch.  (pf::Switch::supportsRoamingAccounting)



For captive portal login:
packetfence.log:
Nov 25 13:47:00 httpd.portal(32465) INFO: [ mac:00:1d:72:35:22:ce ip:192.168.99.11 ] [00:1d:72:35:22:ce] redirected to authentication page on BFA_Default portal (captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
Nov 25 13:47:03 httpd.webservices(32254) INFO: Instantiate profile BFA_Default (pf::Portal::ProfileFactory::instantiate)
Nov 25 13:47:16 httpd.portal(32463) INFO: [ mac:[undef] ip:[undef] ] Instantiate profile BFA_Default (pf::Portal::ProfileFactory::instantiate)
Nov 25 13:47:16 httpd.portal(32463) INFO: [ mac:00:1d:72:35:22:ce ip:192.168.99.11 ] Instantiate profile BFA_Default (pf::Portal::ProfileFactory::instantiate)
Nov 25 13:47:16 httpd.portal(32463) INFO: [ mac:00:1d:72:35:22:ce ip:192.168.99.11 ] Authentication successful for [email protected] in source RADIUS_ALL (RADIUS) (pf::authentication::authenticate)
Nov 25 13:47:16 httpd.portal(32463) INFO: [ mac:00:1d:72:35:22:ce ip:192.168.99.11 ] Successfully authenticated [email protected]/192.168.99.11/00:1d:72:35:22:ce (captiveportal::PacketFence::Controller::Authenticate::authenticationLogin)
Nov 25 13:47:16 httpd.portal(32463) WARN: [ mac:00:1d:72:35:22:ce ip:192.168.99.11 ] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
Nov 25 13:47:16 httpd.portal(32463) INFO: [ mac:00:1d:72:35:22:ce ip:192.168.99.11 ] Matched rule (TestRule) in source RADIUS_ALL, returning actions. (pf::Authentication::Source::match)
Nov 25 13:47:16 httpd.portal(32463) INFO: [ mac:00:1d:72:35:22:ce ip:192.168.99.11 ] Matched rule (TestRule) in source RADIUS_ALL, returning actions. (pf::Authentication::Source::match)
Nov 25 13:47:16 httpd.portal(32463) INFO: [ mac:00:1d:72:35:22:ce ip:192.168.99.11 ] Instantiate profile BFA_Default (pf::Portal::ProfileFactory::instantiate)
Nov 25 13:47:16 httpd.portal(32463) INFO: [ mac:00:1d:72:35:22:ce ip:192.168.99.11 ] [00:1d:72:35:22:ce] re-evaluating access (manage_register called) (pf::enforcement::reevaluate_access)
Nov 25 13:47:16 httpd.portal(32463) INFO: [ mac:00:1d:72:35:22:ce ip:192.168.99.11 ] [00:1d:72:35:22:ce] is currentlog connected at (172.20.100.1) ifIndex 26 in VLAN 99 (pf::enforcement::_should_we_reassign_vlan)
Nov 25 13:47:16 httpd.portal(32463) INFO: [ mac:00:1d:72:35:22:ce ip:192.168.99.11 ] Instantiate profile BFA_Default (pf::Portal::ProfileFactory::instantiate)
Nov 25 13:47:16 httpd.portal(32463) INFO: [ mac:00:1d:72:35:22:ce ip:192.168.99.11 ] [00:1d:72:35:22:ce] Connection type is WIRED_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
Nov 25 13:47:16 httpd.portal(32463) INFO: [ mac:00:1d:72:35:22:ce ip:192.168.99.11 ] [00:1d:72:35:22:ce] Username was defined "[email protected]" - returning role 'staff' (pf::vlan::getNormalVlan)
Nov 25 13:47:16 httpd.portal(32463) INFO: [ mac:00:1d:72:35:22:ce ip:192.168.99.11 ] [00:1d:72:35:22:ce] PID: "[email protected]", Status: reg Returned VLAN: 116, Role: staff (pf::vlan::fetchVlanForNode)
Nov 25 13:47:16 httpd.portal(32463) INFO: [ mac:00:1d:72:35:22:ce ip:192.168.99.11 ] [00:1d:72:35:22:ce] VLAN reassignment required (current VLAN = 99 but should be in VLAN 116) (pf::enforcement::_should_we_reassign_vlan)
Nov 25 13:47:16 httpd.portal(32463) INFO: [ mac:00:1d:72:35:22:ce ip:192.168.99.11 ] [00:1d:72:35:22:ce] switch port is (172.20.100.1) ifIndex 26 connection type: Wired MAC Auth (pf::enforcement::_vlan_reevaluation)
Nov 25 13:47:16 httpd.portal(32252) INFO: [ mac:00:1d:72:35:22:ce ip:192.168.99.11 ] Instantiate profile BFA_Default (pf::Portal::ProfileFactory::instantiate)
Nov 25 13:47:16 httpd.portal(32252) INFO: [ mac:00:1d:72:35:22:ce ip:192.168.99.11 ] Instantiate profile BFA_Default (pf::Portal::ProfileFactory::instantiate)
Nov 25 13:47:17 httpd.webservices(32254) WARN: Until CoA is implemented we will bounce the port on VLAN re-assignment traps for MAC-Auth (pf::Switch::handleReAssignVlanTrapForWiredMacAuth)
Nov 25 13:47:18 httpd.webservices(32254) INFO: Instantiate profile BFA_Default (pf::Portal::ProfileFactory::instantiate)
Nov 25 13:47:33 httpd.webservices(32254) INFO: Instantiate profile BFA_Default (pf::Portal::ProfileFactory::instantiate)

However, the VLAN never actually changes to 116.  The only way to get the
VLAN to change is to force the computer and switch to re-initiate the
802.1X challenge.

I'm not readily seeing any errors, so I'm not sure why the VLAN isn't
changing.  Here's my conf file for the switch that I slapped together...

package pf::Switch::UBNTEdgeSwitch;


=head1 NAME

pf::Switch::UBNTEdgeSwitch

=head1 SYNOPSIS

The pf::Switch::UBNTEdgeSwitch module manages access to Ubiquiti EdgeSwitch

=head1 STATUS

Tested on EdgeSwitch Lite running v1.1.2

=cut

use strict;
use warnings;

use Log::Log4perl;
use POSIX;
use Try::Tiny;

use base ('pf::Switch');
use pf::Switch::constants;
use pf::util;
use pf::constants;
use pf::config;
# needed by radiusDisconnect below (the posted file called these without importing them)
use pf::accounting qw(node_accounting_current_sessionid);
use pf::node;
use pf::roles::custom;
use pf::util::radius qw(perform_coa perform_disconnect);

sub description { 'UBNTEdgeSwitch' }

=head1 SUBROUTINES

=cut

sub supportsRoleBasedEnforcement { return $TRUE; }
sub supportsWiredMacAuth { return $TRUE; }
sub supportsWiredDot1x { return $TRUE; }
sub supportsRadiusDynamicVlanAssignment { return $TRUE; }



=head2 dot1xPortReauthenticate

Stub: no SNMP-triggered 802.1X re-authentication is implemented for this
switch, so with the SNMP deauthentication method an 802.1X session is not
moved by PacketFence; the supplicant has to re-authenticate on its own, or
the RADIUS method (deauthenticateMacRadius) has to be selected.

=cut

sub dot1xPortReauthenticate {
    my ($this, $ifIndex) = @_;
    my $logger = Log::Log4perl::get_logger(ref($this));

    $logger->debug("dot1xPortReauthenticate is not implemented for this switch; ifIndex $ifIndex left as is");
    return;
}


=head2 parseTrap

All traps ignored

=cut

sub parseTrap {
    my ( $this, $trapString ) = @_;
    my $trapHashRef;
    my $logger = Log::Log4perl::get_logger( ref($this) );

    $logger->debug("trap ignored, not useful for switch");
    $trapHashRef->{'trapType'} = 'unknown';

    return $trapHashRef;
}

=head2 getIfIndexByNasPortId

Fetch the ifindex on the switch by NAS-Port-Id radius attribute

=cut

sub getIfIndexByNasPortId {
    my ($this, $ifDesc_param) = @_;
    my $logger = Log::Log4perl::get_logger( ref($this) );

    if ( !$this->connectRead() ) {
        return 0;
    }

    # Assumption (the lookup below was missing from the posted file): the
    # interface name is the last ':'-separated element of NAS-Port-Id and
    # matches the end of an IF-MIB::ifDescr entry.
    my @ifDescTemp = split(':',$ifDesc_param);
    my $ifDesc = $ifDescTemp[-1];
    my $OID_ifDesc = '1.3.6.1.2.1.2.2.1.2';    # IF-MIB::ifDescr

    my $result = $this->{_sessionRead}->get_table( -baseoid => $OID_ifDesc );
    if ( !defined($result) ) {
        $logger->warn("unable to read ifDescr table on $this->{_ip}: " . $this->{_sessionRead}->error());
        return 0;
    }
    foreach my $oid ( keys %{$result} ) {
        if ( $result->{$oid} =~ /\Q$ifDesc\E$/ && $oid =~ /^\Q$OID_ifDesc\E\.(\d+)$/ ) {
            return $1;
        }
    }
    $logger->warn("no ifIndex found for NAS-Port-Id '$ifDesc_param' on $this->{_ip}");
    return 0;
}

=head2 deauthTechniques

Map a connection type to the deauthentication technique PacketFence uses
when access is re-evaluated. With the SNMP default, a VLAN change on a
MAC-auth session is done by bouncing the port
(handleReAssignVlanTrapForWiredMacAuth) and an 802.1X session is handed
to dot1xPortReauthenticate above, which does nothing; select RADIUS in the
switch configuration to use deauthenticateMacRadius instead.

=cut

sub deauthTechniques {
    # signature assumed from the variables the body uses ($method, $connection_type)
    my ($this, $method, $connection_type) = @_;
    my $logger = Log::Log4perl::get_logger( ref($this) );

    if ($connection_type == $WIRED_802_1X) {
        my $default = $SNMP::SNMP;
        my %tech = (
            $SNMP::SNMP => 'dot1xPortReauthenticate',
            $SNMP::RADIUS => 'deauthenticateMacRadius',
        );

        if (!defined($method) || !defined($tech{$method})) {
            $method = $default;
        }
        return $method,$tech{$method};
    }
    if ($connection_type == $WIRED_MAC_AUTH) {
        my $default = $SNMP::SNMP;
        my %tech = (
            $SNMP::SNMP => 'handleReAssignVlanTrapForWiredMacAuth',
            $SNMP::RADIUS => 'deauthenticateMacRadius',
        );

        if (!defined($method) || !defined($tech{$method})) {
            $method = $default;
        }
        return $method,$tech{$method};
    }
    $logger->warn("no deauthentication technique defined for connection type $connection_type");
    return;
}

=head2 radiusDisconnect

Sends a RADIUS Disconnect-Request to the NAS with the MAC as the
Calling-Station-Id to disconnect.

Optionally you can provide other attributes as an hashref.

Uses L<pf::util::radius> for the low-level RADIUS stuff.

=cut

# TODO consider whether we should handle retries or not?

sub radiusDisconnect {
    my ($self, $mac, $add_attributes_ref) = @_;
    my $logger = Log::Log4perl::get_logger( ref($self) );

    # initialize
    $add_attributes_ref = {} if (!defined($add_attributes_ref));
    if (!defined($self->{'_radiusSecret'})) {
        $logger->warn("[$self->{'_ip'}] Unable to perform RADIUS CoA-Request: RADIUS Shared Secret not configured");
        return;
    }

    $logger->info("[$self->{'_ip'}] Deauthenticating $mac");

    # Where should we send the RADIUS CoA-Request?
    # to network device by default
    my $send_disconnect_to = $self->{'_ip'};
    # allowing client code to override where we connect with NAS-IP-Address
    $send_disconnect_to = $add_attributes_ref->{'NAS-IP-Address'}
        if (defined($add_attributes_ref->{'NAS-IP-Address'}));

    my $response;
    try {
        my $connection_info = {
            nas_ip => $send_disconnect_to,
            secret => $self->{'_radiusSecret'},
            LocalAddr => $self->deauth_source_ip(),
        };

        $logger->debug("[$self->{'_ip'}] Network device supports roles. Evaluating role to be returned.");
        my $roleResolver = pf::roles::custom->instance();
        my $role = $roleResolver->getRoleForNode($mac, $self);

        my $acctsessionid = node_accounting_current_sessionid($mac);
        my $node_info = node_attributes($mac);
        # transforming MAC to the expected format 00-11-22-33-CA-FE
        $mac = uc($mac);
        $mac =~ s/:/-/g;

        # Standard Attributes
        my $attributes_ref = {
            'Calling-Station-Id' => $mac,
            'NAS-IP-Address' => $send_disconnect_to,
            'Acct-Session-Id' => $acctsessionid,
        };

        # merging additional attributes provided by caller to the standard attributes
        $attributes_ref = { %$attributes_ref, %$add_attributes_ref };

        # Roles are configured and the user should have one: send a CoA-Request
        # carrying the new role in Filter-Id instead of dropping the session
        if ( defined($role) && (defined($node_info->{'status'}) && isenabled($self->{_RoleMap}) ) ) {

            $attributes_ref = {
                %$attributes_ref,
                'Filter-Id' => $role,
            };
            $logger->info("[$self->{'_ip'}] Returning ACCEPT with Role: $role");
            $response = perform_coa($connection_info, $attributes_ref);

        }
        else {
            $response = perform_disconnect($connection_info, $attributes_ref);
        }
    } catch {
        chomp;
        $logger->warn("[$self->{'_ip'}] Unable to perform RADIUS CoA-Request: $_");
        $logger->error("[$self->{'_ip'}] Wrong RADIUS secret or unreachable network device...") if ($_ =~ /^Timeout/);
    };
    return if (!defined($response));

    # A Disconnect-Request is answered with Disconnect-ACK and a CoA-Request
    # with CoA-ACK (RFC 5176). The posted version only accepted CoA-ACK, so a
    # successful disconnect in the else branch above was logged as a failure.
    return $TRUE if ( defined($response->{'Code'})
        && ($response->{'Code'} eq 'Disconnect-ACK' || $response->{'Code'} eq 'CoA-ACK') );

    $logger->warn(
        "[$self->{'_ip'}] Unable to perform RADIUS Disconnect-Request."
        . ( defined($response->{'Code'}) ? " $response->{'Code'}" : ' no RADIUS code' ) . ' received'
        . ( defined($response->{'Error-Cause'}) ? " with Error-Cause: $response->{'Error-Cause'}." : '' )
    );
    return;
}




=head1 AUTHOR

Inverse inc. <[email protected]>

=head1 COPYRIGHT

Copyright (C) 2005-2015 Inverse inc.

=head1 LICENSE

This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301,
USA.

=cut

1;

# vim: set shiftwidth=4:
# vim: set expandtab:
# vim: set backspace=indent,eol,start:


Thanks,
Joshua Nathan
IT Administrator
Black Forest Academy
+49 (0) 7626-9161-630


On Wed, Nov 25, 2015 at 11:30 AM, Nathan, Josh <[email protected]>
wrote:

> OK... correction.  The PacketFence radius.log file reports: Auth: Login OK
> AND the switch does assign the VLAN, but the computer thinks that
> authentication failed.  I had to force it to do a DHCP renew for it to get
> an IP Address and acknowledge the success.  Any ideas on how to smooth that
> out?
>
> Also... is it expected that a successful 802.1X authentication only moves
> the devices to the Registration VLAN rather than just putting them in the
> Production VLAN?  Why does the device have to do the
> double-authentication?  Once at connection, and second at the portal?
>
> Thanks,
> Joshua Nathan
> IT Administrator
> Black Forest Academy
> +49 (0) 7626-9161-630
>
>
> On Wed, Nov 25, 2015 at 10:42 AM, Nathan, Josh <[email protected]>
> wrote:
>
>> Hello,
>>
>> So... I'm trying to setup 802.1x in a test environment, but I'm getting
>> login failures even when the credentials are good.  We don't have an Active
>> Directory server or the like, but instead we're storing accounts in a MySQL
>> database using MD5 encryption.
>>
>> With a Linux computer (Chromixium to be precise), I'm able to go through
>> the process successfully if the 802.1X authentication is set to use
>> "Tunneled TLS".  But with a Windows computer, I'm really only given the
>> option of using PEAP (which would be good to use anyway), but that always
>> fails.  If I set the Linux computer to use PEAP, it also fails.
>>
>> I'm running it on PacketFence 5.4, and it's a Ubiquiti EdgeSwitch, but
>> I'm thinking the problem is with how I'm storing/encrypting the passwords,
>> not the configurations of the server/switch.  What would I need to do to
>> get this working?  What configuration files do you need (if any)?
>>
>> Thanks,
>> Joshua Nathan
>> IT Administrator
>> Black Forest Academy
>> +49 (0) 7626-9161-630
>>
>>
>
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
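The exchange the posted radiusDisconnect performs, as an added example that is not part of this thread or of PacketFence: a minimal RFC 5176 Disconnect/CoA client in Python with the NAS side simulated in-process so it runs offline. The MAC (00:1d:72:35:22:ce) and switch address (172.20.100.1) are taken from the log above; the shared secret, the Acct-Session-Id, the packet identifier and the NAS replies are constructed. classify() verifies the Response Authenticator before trusting a reply, treats both Disconnect-ACK and CoA-ACK as success, and decodes Error-Cause out of a NAK; send_to_nas() is a hypothetical helper that sends the same packet to a real switch on UDP/3799.

```python
# Minimal RFC 5176 Disconnect/CoA client with an in-process NAS so it runs offline.
# Added example, not PacketFence code; secret, session id and NAS replies are constructed.
import hashlib, os, socket, struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42   # RFC 5176 packet codes
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ACK_CODES = {DISCONNECT_ACK, COA_ACK}  # Disconnect-Request -> Disconnect-ACK, CoA-Request -> CoA-ACK
NAS_IP_ADDRESS, CALLING_STATION_ID, ACCT_SESSION_ID, ERROR_CAUSE = 4, 31, 44, 101  # attribute types
ERROR_CAUSE_TEXT = {  # subset of the RFC 5176 section 3.5 values a NAS may return in a NAK
    401: "Unsupported Attribute", 402: "Missing Attribute", 403: "NAS Identification Mismatch",
    404: "Invalid Request", 407: "Invalid Attribute Value", 501: "Administratively Prohibited",
    503: "Session Context Not Found", 504: "Session Context Not Removable",
}

def calling_station_id(mac):
    """Normalise a MAC to the 00-1D-72-35-22-CE form the posted module sends."""
    return "-".join(mac.replace("-", ":").split(":")).upper()

def encode_attrs(attrs):
    """List of (type, bytes) -> RADIUS attribute TLV stream."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out

def decode_attrs(blob):
    attrs, i = [], 0
    while i < len(blob):
        atype, alen = struct.unpack("!BB", blob[i:i + 2])
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((atype, blob[i + 2:i + alen]))
        i += alen
    return attrs

def build_request(code, identifier, attrs, secret):
    """Request Authenticator = MD5(code|id|len|16 zero bytes|attrs|secret), as for Accounting-Request."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, identifier, 20 + len(body))
    return head + hashlib.md5(head + bytes(16) + body + secret).digest() + body

def build_response(code, request, attrs, secret):
    """NAS side: Response Authenticator = MD5(code|id|len|RequestAuthenticator|attrs|secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, request[1], 20 + len(body))
    return head + hashlib.md5(head + request[4:20] + body + secret).digest() + body

def parse(packet):
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad length")
    return {"code": code, "id": identifier, "auth": packet[4:20], "attrs": decode_attrs(packet[20:])}

def classify(request, response, secret):
    """'ack', 'nak: <Error-Cause>' or 'rejected: <reason>' for a reply to `request`."""
    try:
        rsp = parse(response)
    except (ValueError, struct.error) as exc:
        return "rejected: %s" % exc
    if rsp["id"] != request[1]:
        return "rejected: identifier mismatch"
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if expected != rsp["auth"]:  # wrong secret, or a reply the NAS never produced
        return "rejected: bad Response Authenticator"
    if rsp["code"] in ACK_CODES:
        return "ack"
    if rsp["code"] in (DISCONNECT_NAK, COA_NAK):
        causes = [struct.unpack("!I", v)[0] for t, v in rsp["attrs"] if t == ERROR_CAUSE and len(v) == 4]
        return "nak: " + (", ".join(ERROR_CAUSE_TEXT.get(c, str(c)) for c in causes) or "no Error-Cause")
    return "rejected: unexpected code %d" % rsp["code"]

def disconnect_request(mac, nas_ip, session_id, secret, identifier=None):
    """The three attributes the posted radiusDisconnect sends in its non-role branch."""
    ident = os.urandom(1)[0] if identifier is None else identifier
    attrs = [(CALLING_STATION_ID, calling_station_id(mac).encode()),
             (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
             (ACCT_SESSION_ID, session_id.encode())]
    return build_request(DISCONNECT_REQUEST, ident, attrs, secret)

def send_to_nas(packet, nas_ip, secret, port=3799, timeout=3.0):
    """Hypothetical helper: send to the NAS's dynamic-authorization port and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (nas_ip, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "rejected: timeout (wrong secret, port closed or DA not enabled on the NAS)"
    return classify(packet, data, secret)

def simulate(nas_code, cause=None, nas_secret=b"testing123"):
    """Offline exchange for the MAC and switch from the log; secret and session id are made up."""
    secret = b"testing123"
    req = disconnect_request("00:1d:72:35:22:ce", "172.20.100.1", "5655A1B2-00000001", secret, identifier=7)
    nas_attrs = [] if cause is None else [(ERROR_CAUSE, struct.pack("!I", cause))]
    return classify(req, build_response(nas_code, req, nas_attrs, nas_secret), secret)
```

simulate(DISCONNECT_ACK) returns "ack", simulate(DISCONNECT_NAK, cause=503) returns "nak: Session Context Not Found", and a reply built with the wrong secret is rejected before its code is even looked at. Against a real switch, call send_to_nas(disconnect_request(mac, switch_ip, session_id, secret), switch_ip, secret) with the Acct-Session-Id the switch reported in accounting, which is what the posted code fetches with node_accounting_current_sessionid; a timeout there means the switch is not answering dynamic-authorization requests on that port with that secret, and a NAK with an Error-Cause says why it refused.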
