Hello Jabang,
You authenticate against localhostradius and not against an LDAP server.
Check your portal profile configuration.
Regards
Fabrice
On Jan 11, 2016 4:26 AM, jabang konate <[email protected]> wrote:
Hi. I'm a new user of PacketFence.
I want to develop PacketFence on my wireless network using Ruckus zone
directory.
I was able to install PacketFence and use out-of-band enforcement.
My user source is FreeRADIUS, which then looks up to an OpenLDAP server.
When I log in to the web page and enter the user password, the user gets access to
the internet even with a wrong password or when the user is not in LDAP.
My Ruckus config for that SSID:
Method: 802.1x EAP + MAC Address
Registration VLAN 700: 192.168.1.0/24
Isolation VLAN 701: 192.168.2.0/24
PacketFence log during authentication:
Jan 11 01:26:53 httpd.aaa(2143) INFO: [mac:c4:42:02:03:e1:03] handling
radius autz request: from switch_ip => (172.16.9.228), connection_type =>
Wireless-802.11-NoEAP,switch_mac => (54:3d:37:ff:57:a8), mac =>
[c4:42:02:03:e1:03], port => 0, username => "c4420203e103", ssid => captive
(pf::radius::authorize)
Jan 11 01:26:53 httpd.aaa(2143) INFO: [mac:c4:42:02:03:e1:03] is of status
unreg; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
Jan 11 01:26:53 httpd.aaa(2143) INFO: [mac:c4:42:02:03:e1:03]
(172.16.9.228) Added VLAN 700 to the returned RADIUS reply
(pf::Switch::returnRadiusAccessAccept)
Jan 11 01:26:53 httpd.aaa(2143) INFO: [mac:c4:42:02:03:e1:03]
(172.16.9.228) Returning ACCEPT with VLAN 700 and role
(pf::Switch::returnRadiusAccessAccept)
Jan 11 01:26:56 httpd.portal(3255) INFO: [mac:c4:42:02:03:e1:03] Dealing
with a endpoint / browser with captive-portal detection capabilities while
having a self-signed SSL certificate. Using HTTP instead of HTTPS
(pf::web::dispatcher::handler)
Jan 11 01:27:05 httpd.portal(3289) INFO: [mac:[undef]] Dealing with a
endpoint / browser with captive-portal detection capabilities while having
a self-signed SSL certificate. Using HTTP instead of HTTPS
(pf::web::dispatcher::handler)
Jan 11 01:27:09 httpd.portal(3289) INFO: [mac:[undef]] Instantiate profile
default (pf::Portal::ProfileFactory::_from_profile)
Jan 11 01:27:09 httpd.portal(3289) INFO: [mac:c4:42:02:03:e1:03]
Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 11 01:27:09 httpd.portal(3289) INFO: [mac:c4:42:02:03:e1:03] Updating
node user_agent with useragent: 'Mozilla/5.0 (Linux; Android 4.4.4;
SM-G750H Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/45.0.2454.94 Mobile Safari/537.36'
(captiveportal::PacketFence::Controller::CaptivePortal::nodeRecordUserAgent)
Jan 11 01:27:09 httpd.portal(3289) INFO: [mac:c4:42:02:03:e1:03] Static
User-Agent lookup data initialized (pf::useragent::_init)
Jan 11 01:27:11 httpd.portal(3235) INFO: [mac:[undef]] Instantiate profile
default (pf::Portal::ProfileFactory::_from_profile)
Jan 11 01:27:11 httpd.portal(3235) INFO: [mac:c4:42:02:03:e1:03]
Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 11 01:27:12 httpd.portal(3289) INFO: [mac:c4:42:02:03:e1:03] redirected
to authentication page on default portal
(captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
Jan 11 01:27:13 httpd.portal(3235) INFO: [mac:c4:42:02:03:e1:03] redirected
to authentication page on default portal
(captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
Jan 11 01:27:18 httpd.portal(3365) INFO: [mac:[undef]] Dealing with a
endpoint / browser with captive-portal detection capabilities while having
a self-signed SSL certificate. Using HTTP instead of HTTPS
(pf::web::dispatcher::handler)
Jan 11 01:27:25 httpd.portal(2441) INFO: [mac:[undef]] Instantiate profile
default (pf::Portal::ProfileFactory::_from_profile)
Jan 11 01:27:25 httpd.portal(2441) INFO: [mac:c4:42:02:03:e1:03]
Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 11 01:27:25 httpd.portal(2441) INFO: [mac:c4:42:02:03:e1:03]
Authentication successful for sasa in source localhostradius (RADIUS)
(pf::authentication::authenticate)
Jan 11 01:27:25 httpd.portal(2441) INFO: [mac:c4:42:02:03:e1:03]
Successfully authenticated sasa/192.168.1.11/c4:42:02:03:e1:03
(captiveportal::PacketFence::Controller::Authenticate::authenticationLogin)
Jan 11 01:27:25 httpd.portal(2441) INFO: [mac:c4:42:02:03:e1:03] Finding
mandatory fields for source : localhostradius
(captiveportal::PacketFence::Controller::Authenticate::validateMandatoryFields)
Jan 11 01:27:25 httpd.portal(2441) INFO: [mac:c4:42:02:03:e1:03] person
sasa added (pf::person::person_add)
Jan 11 01:27:25 httpd.portal(2441) WARN: [mac:c4:42:02:03:e1:03] modify of
non-existent person sasa attempted - person added
(pf::person::person_modify)
Jan 11 01:27:25 httpd.portal(2441) INFO: [mac:c4:42:02:03:e1:03] Matched
rule (staff) in source localhostradius, returning actions.
(pf::Authentication::Source::match)
Jan 11 01:27:25 httpd.portal(2441) WARN: [mac:c4:42:02:03:e1:03] Calling
match with empty/invalid rule class. Defaulting to 'authentication'
(pf::authentication::match)
Jan 11 01:27:25 httpd.portal(2441) INFO: [mac:c4:42:02:03:e1:03] Matched
rule (staff) in source localhostradius, returning actions.
(pf::Authentication::Source::match)
Jan 11 01:27:25 httpd.portal(2441) INFO: [mac:c4:42:02:03:e1:03]
Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 11 01:27:25 httpd.portal(2441) INFO: [mac:c4:42:02:03:e1:03]
re-evaluating access (manage_register called)
(pf::enforcement::reevaluate_access)
Jan 11 01:27:25 httpd.portal(2441) INFO: [mac:c4:42:02:03:e1:03] is
currentlog connected at (172.16.9.228) ifIndex 0 in VLAN 700
(pf::enforcement::_should_we_reassign_vlan)
Jan 11 01:27:25 httpd.portal(2441) INFO: [mac:c4:42:02:03:e1:03]
Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 11 01:27:25 httpd.portal(2441) INFO: [mac:c4:42:02:03:e1:03] Connection
type is WIRELESS_MAC_AUTH. Getting role from node_info
(pf::vlan::getNormalVlan)
Jan 11 01:27:25 httpd.portal(2441) INFO: [mac:c4:42:02:03:e1:03] Username
was defined "c4420203e103" - returning role 'staff'
(pf::vlan::getNormalVlan)
Jan 11 01:27:25 httpd.portal(2441) WARN: [mac:c4:42:02:03:e1:03] No
parameter staffVlan found in conf/switches.conf for the switch 172.16.9.228
(pf::Switch::getVlanByName)
Jan 11 01:27:25 httpd.portal(2441) INFO: [mac:c4:42:02:03:e1:03] PID:
"sasa", Status: reg Returned VLAN: (undefined), Role: staff
(pf::vlan::fetchVlanForNode)
Jan 11 01:27:25 httpd.portal(2441) INFO: [mac:c4:42:02:03:e1:03] switch
port is (172.16.9.228) ifIndex unknown connection type: WiFi MAC Auth
(pf::enforcement::_vlan_reevaluation)
Jan 11 01:27:25 httpd.portal(3235) INFO: [mac:c4:42:02:03:e1:03]
Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 11 01:27:25 httpd.portal(3235) INFO: [mac:c4:42:02:03:e1:03]
Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 11 01:27:26 httpd.webservices(2189) INFO: [mac:c4:42:02:03:e1:03]
[c4:42:02:03:e1:03] DesAssociating mac on switch (172.16.9.228)
(pf::api::desAssociate)
Jan 11 01:27:26 httpd.webservices(2189) INFO: [mac:c4:42:02:03:e1:03]
deauthenticating (pf::Switch::radiusDisconnect)
Jan 11 01:27:26 httpd.aaa(2143) INFO: [mac:c4:42:02:03:e1:03] handling
radius autz request: from switch_ip => (172.16.9.228), connection_type =>
Wireless-802.11-NoEAP,switch_mac => (38:ff:36:42:23:08), mac =>
[c4:42:02:03:e1:03], port => 0, username => "c4420203e103", ssid => captive
(pf::radius::authorize)
Jan 11 01:27:26 httpd.aaa(2143) INFO: [mac:c4:42:02:03:e1:03] Instantiate
profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 11 01:27:26 httpd.aaa(2143) INFO: [mac:c4:42:02:03:e1:03] Connection
type is WIRELESS_MAC_AUTH. Getting role from node_info
(pf::vlan::getNormalVlan)
Jan 11 01:27:26 httpd.aaa(2143) INFO: [mac:c4:42:02:03:e1:03] Username was
defined "c4420203e103" - returning role 'staff' (pf::vlan::getNormalVlan)
Jan 11 01:27:26 httpd.aaa(2143) WARN: [mac:c4:42:02:03:e1:03] No parameter
staffVlan found in conf/switches.conf for the switch 172.16.9.228
(pf::Switch::getVlanByName)
Jan 11 01:27:26 httpd.aaa(2143) INFO: [mac:c4:42:02:03:e1:03] PID: "sasa",
Status: reg Returned VLAN: (undefined), Role: staff
(pf::vlan::fetchVlanForNode)
Jan 11 01:27:26 httpd.aaa(2143) INFO: [mac:c4:42:02:03:e1:03]
(172.16.9.228) Returning ACCEPT with VLAN and role
(pf::Switch::returnRadiusAccessAccept)
Please give me some advice. I'm stuck.
All I want is to make PacketFence authenticate OpenLDAP users through
FreeRADIUS, because later I want to try limiting quota.
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
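
An added example, not part of the original thread or of PacketFence: a small Python audit of a pasted packetfence.log excerpt that reports which authentication source accepted each portal login and flags ACCEPT replies that carry no VLAN. The expected source name `openldap` used in the test is a hypothetical; the sample records are constructed from the log shapes quoted in this thread, including the e-mail line wrapping.

```python
import re

# Constructed sample: three records shaped like those quoted in this thread,
# wrapped across lines the way the mail client wrapped them.
SAMPLE = """\
Jan 11 01:27:25 httpd.portal(2441) INFO: [mac:c4:42:02:03:e1:03]
Authentication successful for sasa in source localhostradius (RADIUS)
(pf::authentication::authenticate)
Jan 11 01:27:25 httpd.portal(2441) WARN: [mac:c4:42:02:03:e1:03] No
parameter staffVlan found in conf/switches.conf for the switch 172.16.9.228
(pf::Switch::getVlanByName)
Jan 11 01:27:26 httpd.aaa(2143) INFO: [mac:c4:42:02:03:e1:03]
(172.16.9.228) Returning ACCEPT with VLAN and role
(pf::Switch::returnRadiusAccessAccept)
"""

RECORD_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
MAC = re.compile(r"\[mac:((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\]")
AUTH_OK = re.compile(r"Authentication successful for (\S+) in source (\S+) \((\w+)\)")
NO_VLAN = re.compile(r"No parameter (\S+) found in conf/switches\.conf for the switch (\S+)")
ACCEPT = re.compile(r"\((\S+)\) Returning ACCEPT with VLAN (.*?) ?and role")

def records(text):
    """Re-join wrapped lines: a record starts at a syslog-style timestamp."""
    buf = []
    for line in text.splitlines():
        if RECORD_START.match(line) and buf:
            yield " ".join(buf)
            buf = []
        if line.strip():
            buf.append(line.strip())
    if buf:
        yield " ".join(buf)

def audit(text, expected_source):
    """Return (mac, kind, detail) findings; expected_source is the admin's intended source name."""
    findings = []
    for rec in records(text):
        m = MAC.search(rec)
        mac = m.group(1) if m else None
        if (a := AUTH_OK.search(rec)) and a.group(2) != expected_source:
            findings.append((mac, "unexpected-source", f"{a.group(1)} via {a.group(2)} ({a.group(3)})"))
        if (v := NO_VLAN.search(rec)):
            findings.append((mac, "missing-vlan-mapping", f"{v.group(1)} on {v.group(2)}"))
        if (r := ACCEPT.search(rec)) and not r.group(2).strip():
            findings.append((mac, "accept-without-vlan", r.group(1)))
    return findings
```

Run `audit()` over the full log with the source name the portal profile is meant to use; an `unexpected-source` finding shows which source actually accepted the login.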