Hello Anthony,

It failed on: Thu Mar 24 12:22:58 2016 : Debug: +++[packetfence] = fail

Do you have something in packetfence.log?

Regards
Fabrice


On 2016-03-24 12:45, Blackman Anthony wrote:
I am bringing up a PacketFence server using guest SMS and email signup with local user authentication. I have a Cisco 3560G; the Cisco sends the accept packet to the RADIUS. The RADIUS rejects the packet. I run raddebug and see the packet get accepted and then rejected by the tunnel.

Attached is the raddebug output.
[root@pfptnyc ~]# raddebug -t 300 -f /usr/local/pf/var/run/radiusd.sock
Thu Mar 24 12:22:58 2016 : Debug: Received Access-Request packet from host 10.10.10.10 port 1645, id=32, length=207
Thu Mar 24 12:22:58 2016 : Debug:       User-Name = "18a905cf0442"
Thu Mar 24 12:22:58 2016 : Debug:       User-Password = "18a905cf0442"
Thu Mar 24 12:22:58 2016 : Debug:       Service-Type = Call-Check
Thu Mar 24 12:22:58 2016 : Debug:       Framed-MTU = 1500
Thu Mar 24 12:22:58 2016 : Debug:       Called-Station-Id = "64-A0-E7-D3-14-03"
Thu Mar 24 12:22:58 2016 : Debug:       Calling-Station-Id = "18-A9-05-CF-04-42"
Thu Mar 24 12:22:58 2016 : Debug:       Message-Authenticator = 0x53491cf6cd0427923e2511af2f4546ce
Thu Mar 24 12:22:58 2016 : Debug:       Cisco-AVPair = "audit-session-id=0A0A0A0A0000001B087ED2BB"
Thu Mar 24 12:22:58 2016 : Debug:       NAS-Port-Type = Ethernet
Thu Mar 24 12:22:58 2016 : Debug:       NAS-Port = 50003
Thu Mar 24 12:22:58 2016 : Debug:       NAS-Port-Id = "GigabitEthernet0/3"
Thu Mar 24 12:22:58 2016 : Debug:       NAS-IP-Address = 10.10.10.10
Thu Mar 24 12:22:58 2016 : Debug: server packetfence {
Thu Mar 24 12:22:58 2016 : Debug: # Executing section authorize from file /usr/local/pf/raddb//sites-enabled/packetfence
Thu Mar 24 12:22:58 2016 : Debug: +group authorize {
Thu Mar 24 12:22:58 2016 : Debug: ++policy rewrite.calling_station_id {
Thu Mar 24 12:22:58 2016 : Debug: +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i)
Thu Mar 24 12:22:58 2016 : Debug: ?? Evaluating (Calling-Station-Id) -> TRUE
Thu Mar 24 12:22:58 2016 : Debug: expand: %{Calling-Station-Id} -> 18-A9-05-CF-04-42
Thu Mar 24 12:22:58 2016 : Debug: expand: policy.mac-addr -> policy.mac-addr
Thu Mar 24 12:22:58 2016 : Debug: expand: ^%{config:policy.mac-addr}$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$
Thu Mar 24 12:22:58 2016 : Debug: ? Evaluating ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
Thu Mar 24 12:22:58 2016 : Debug: +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
Thu Mar 24 12:22:58 2016 : Debug: +++if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {
Thu Mar 24 12:22:58 2016 : Debug: ++++update request {
Thu Mar 24 12:22:58 2016 : Debug: expand: %{1}:%{2}:%{3}:%{4}:%{5}:%{6} -> 18:A9:05:CF:04:42
Thu Mar 24 12:22:58 2016 : Debug: expand: %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} -> 18:a9:05:cf:04:42
Thu Mar 24 12:22:58 2016 : Debug: ++++} # update request = noop
Thu Mar 24 12:22:58 2016 : Debug: ++++[updated] = updated
Thu Mar 24 12:22:58 2016 : Debug: +++} # if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) = updated
Thu Mar 24 12:22:58 2016 : Debug: +++ ... skipping else for request 0: Preceding "if" was taken
Thu Mar 24 12:22:58 2016 : Debug: ++} # policy rewrite.calling_station_id = updated
Thu Mar 24 12:22:58 2016 : Debug: ++policy set.called_station_ssid {
Thu Mar 24 12:22:58 2016 : Debug: +++? if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i)
Thu Mar 24 12:22:58 2016 : Debug: ?? Evaluating (Called-Station-Id) -> TRUE
Thu Mar 24 12:22:58 2016 : Debug: expand: %{Called-Station-Id} -> 64-A0-E7-D3-14-03
Thu Mar 24 12:22:58 2016 : Debug: expand: policy.mac-addr -> policy.mac-addr
Thu Mar 24 12:22:58 2016 : Debug: expand: ^%{config:policy.mac-addr}(:(.+))?$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$
Thu Mar 24 12:22:58 2016 : Debug: ? Evaluating ("%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) -> TRUE
Thu Mar 24 12:22:58 2016 : Debug: +++? if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) -> TRUE
Thu Mar 24 12:22:58 2016 : Debug: +++if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) {
Thu Mar 24 12:22:58 2016 : Debug: ++++update request {
Thu Mar 24 12:22:58 2016 : Debug: expand: %{1}:%{2}:%{3}:%{4}:%{5}:%{6} -> 64:A0:E7:D3:14:03
Thu Mar 24 12:22:58 2016 : Debug: expand: %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} -> 64:a0:e7:d3:14:03
Thu Mar 24 12:22:58 2016 : Debug: ++++} # update request = noop
Thu Mar 24 12:22:58 2016 : Debug: ++++? if ("%{8}")
Thu Mar 24 12:22:58 2016 : Debug:       expand: %{8} ->
Thu Mar 24 12:22:58 2016 : Debug: ? Evaluating ("%{8}") -> FALSE
Thu Mar 24 12:22:58 2016 : Debug: ++++? if ("%{8}") -> FALSE
Thu Mar 24 12:22:58 2016 : Debug: ++++? elsif ((Colubris-AVPair) && "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i)
Thu Mar 24 12:22:58 2016 : Debug: ?? Evaluating (Colubris-AVPair) -> FALSE
Thu Mar 24 12:22:58 2016 : Debug: ? Skipping ("%{Colubris-AVPair}" =~ /^ssid=(.*)$/i)
Thu Mar 24 12:22:58 2016 : Debug: ++++? elsif ((Colubris-AVPair) && "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) -> FALSE
Thu Mar 24 12:22:58 2016 : Debug: ++++? elsif (Aruba-Essid-Name)
Thu Mar 24 12:22:58 2016 : Debug: ? Evaluating (Aruba-Essid-Name) -> FALSE
Thu Mar 24 12:22:58 2016 : Debug: ++++? elsif (Aruba-Essid-Name) -> FALSE
Thu Mar 24 12:22:58 2016 : Debug: ++++? elsif ((Cisco-AVPair) && "%{Cisco-AVPair}" =~ /^ssid=(.*)$/i)
Thu Mar 24 12:22:58 2016 : Debug: ?? Evaluating (Cisco-AVPair) -> TRUE
Thu Mar 24 12:22:58 2016 : Debug: expand: %{Cisco-AVPair} -> audit-session-id=0A0A0A0A0000001B087ED2BB
Thu Mar 24 12:22:58 2016 : Debug: ? Evaluating ("%{Cisco-AVPair}" =~ /^ssid=(.*)$/i) -> FALSE
Thu Mar 24 12:22:58 2016 : Debug: ++++? elsif ((Cisco-AVPair) && "%{Cisco-AVPair}" =~ /^ssid=(.*)$/i) -> FALSE
Thu Mar 24 12:22:58 2016 : Debug: ++++[updated] = updated
Thu Mar 24 12:22:58 2016 : Debug: +++} # if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) = updated
Thu Mar 24 12:22:58 2016 : Debug: +++ ... skipping else for request 0: Preceding "if" was taken
Thu Mar 24 12:22:58 2016 : Debug: ++} # policy set.called_station_ssid = updated
Thu Mar 24 12:22:58 2016 : Debug: [suffix] No '@' in User-Name = "18a905cf0442", skipping NULL due to config.
Thu Mar 24 12:22:58 2016 : Debug: ++[suffix] = noop
Thu Mar 24 12:22:58 2016 : Debug: [ntdomain] No '\' in User-Name = "18a905cf0442", looking up realm NULL
Thu Mar 24 12:22:58 2016 : Debug: [ntdomain] No such realm "NULL"
Thu Mar 24 12:22:58 2016 : Debug: ++[ntdomain] = noop
Thu Mar 24 12:22:58 2016 : Debug: ++[preprocess] = ok
Thu Mar 24 12:22:58 2016 : Debug: [eap] No EAP-Message, not doing EAP
Thu Mar 24 12:22:58 2016 : Debug: ++[eap] = noop
Thu Mar 24 12:22:58 2016 : Debug: [files] users: Matched entry DEFAULT at line 2
Thu Mar 24 12:22:58 2016 : Debug: ++[files] = ok
Thu Mar 24 12:22:58 2016 : Debug: ++[expiration] = noop
Thu Mar 24 12:22:58 2016 : Debug: ++[logintime] = noop
Thu Mar 24 12:22:58 2016 : Debug: ++update request {
Thu Mar 24 12:22:58 2016 : Debug: expand: %{Packet-Src-IP-Address} -> 10.10.10.10
Thu Mar 24 12:22:58 2016 : Debug: ++} # update request = noop
Thu Mar 24 12:22:58 2016 : Debug: ++update control {
Thu Mar 24 12:22:58 2016 : Debug: ++} # update control = noop
Thu Mar 24 12:22:58 2016 : Debug: ++[packetfence] = noop
Thu Mar 24 12:22:58 2016 : Debug: +} # group authorize = updated
Thu Mar 24 12:22:58 2016 : Debug: Found Auth-Type = Accept
Thu Mar 24 12:22:58 2016 : Debug: Auth-Type = Accept, accepting the user
Thu Mar 24 12:22:58 2016 : Debug: } # server packetfence
Thu Mar 24 12:22:58 2016 : Debug: # Executing section post-auth from file /usr/local/pf/raddb//sites-enabled/packetfence
Thu Mar 24 12:22:58 2016 : Debug: +group post-auth {
Thu Mar 24 12:22:58 2016 : Debug: ++[exec] = noop
Thu Mar 24 12:22:58 2016 : Debug: ++? if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP))
Thu Mar 24 12:22:58 2016 : Debug: ? Evaluating !(EAP-Type ) -> TRUE
Thu Mar 24 12:22:58 2016 : Debug: ?? Skipping (EAP-Type != EAP-TTLS  )
Thu Mar 24 12:22:58 2016 : Debug: ?? Skipping (EAP-Type != PEAP)
Thu Mar 24 12:22:58 2016 : Debug: ++? if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) -> TRUE
Thu Mar 24 12:22:58 2016 : Debug: ++if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) {
Thu Mar 24 12:22:58 2016 : Debug: +++update control {
Thu Mar 24 12:22:58 2016 : Debug: +++} # update control = noop
Thu Mar 24 12:22:58 2016 : Debug: +++[packetfence] = fail
Thu Mar 24 12:22:58 2016 : Debug: ++} # if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) = fail
Thu Mar 24 12:22:58 2016 : Debug: +} # group post-auth = fail
Thu Mar 24 12:22:58 2016 : Debug: Using Post-Auth-Type Reject
Thu Mar 24 12:22:58 2016 : Debug: # Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
Thu Mar 24 12:22:58 2016 : Debug: +group REJECT {
Thu Mar 24 12:22:58 2016 : Debug: ++? if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP))
Thu Mar 24 12:22:58 2016 : Debug: ? Evaluating !(EAP-Type ) -> TRUE
Thu Mar 24 12:22:58 2016 : Debug: ?? Skipping (EAP-Type != EAP-TTLS  )
Thu Mar 24 12:22:58 2016 : Debug: ?? Skipping (EAP-Type != PEAP)
Thu Mar 24 12:22:58 2016 : Debug: ++? if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) -> TRUE
Thu Mar 24 12:22:58 2016 : Debug: ++if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) {
Thu Mar 24 12:22:58 2016 : Debug: [sql] expand: %{User-Name} -> 18a905cf0442
Thu Mar 24 12:22:58 2016 : Debug: [sql] sql_set_user escaped user --> '18a905cf0442'
Thu Mar 24 12:22:58 2016 : Debug: [sql] expand: %{check:Post-Auth-Type} -> Reject
Thu Mar 24 12:22:58 2016 : Debug: [sql] expand: INSERT INTO radius_audit_log ( mac, ip, computer_name, user_name, stripped_user_name, realm, event_type, switch_id, switch_mac, switch_ip_address, radius_source_ip_address, called_station_id, calling_station_id, nas_port_type, ssid, nas_port_id, ifindex, nas_port, connection_type, nas_ip_address, nas_identifier, auth_status, reason, auth_type, eap_type, role, node_status, profile, source, auto_reg, is_phone, pf_domain, uuid, radius_request, radius_reply) VALUES ( '%{request:Calling-Station-Id}', '%{request:Framed-IP-Address}', '%{control:PacketFence-Computer-Name}', '%{request:User-Name}', '%{request:Stripped-User-Name}', '%{request:Realm}', 'Radius-Access-Request', '%{control:PacketFence-Switch-Id}', '%{control:PacketFence-Switch-Mac}', '%{control:PacketFence-Switch-Ip-Address}', '%{Packet-Src-IP-Address}', '%{request:Called-Station-Id}', '%{req
Thu Mar 24 12:22:58 2016 : Debug: +++[sql] = ok
Thu Mar 24 12:22:58 2016 : Debug: ++} # if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) = ok
Thu Mar 24 12:22:58 2016 : Debug: [attr_filter.access_reject] expand: %{User-Name} -> 18a905cf0442
Thu Mar 24 12:22:58 2016 : Debug: ++[attr_filter.access_reject] = updated
Thu Mar 24 12:22:58 2016 : Debug: +} # group REJECT = updated
Thu Mar 24 12:22:58 2016 : Debug: Delaying reject of request 0 for 1 seconds
Thu Mar 24 12:22:59 2016 : Debug: Sending delayed reject for request 0
Thu Mar 24 12:22:59 2016 : Debug: Sending Access-Reject packet to host 10.10.10.10 port 1645, id=32, length=0
Thu Mar 24 12:23:04 2016 : Debug: Cleaning up request 0 ID 32 with timestamp +145
[root@pfptnyc ~]#

Any help to be offered will be appreciated.

Anthony





_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
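
The triage step from the reply above (finding which module returned `fail`, and in which section) can be scripted. This is an added example, not part of the original thread or of PacketFence; the function names are hypothetical, and the sample is an excerpt constructed from the trace in this thread, including one record pair run together on a single line.

```python
import re

# Timestamp prefix raddebug puts on every record, e.g. "Thu Mar 24 12:22:58 2016 : "
STAMP = r"\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4} : "
# One record = stamp + level + message, up to the next stamp (records may share a line)
RECORD = re.compile(rf"{STAMP}\w+: (.*?)(?={STAMP}|\Z)", re.S)
GROUP = re.compile(r"\+group (\S+) \{")          # "+group post-auth {"
MODULE = re.compile(r"\++\[([\w.\-]+)\] = (\w+)")  # "+++[packetfence] = fail"
REPLY = re.compile(r"Sending (Access-\w+) packet")
# FreeRADIUS module return codes that abort or deny a request
BAD = {"fail", "reject", "invalid", "userlock"}

def find_failures(trace):
    """Return (section, module, rcode) for every module that returned a bad rcode."""
    section, hits = None, []
    for rec in RECORD.finditer(trace):
        msg = rec.group(1).strip()
        grp = GROUP.match(msg)
        if grp:
            section = grp.group(1)   # top-level section now being executed
            continue
        mod = MODULE.match(msg)
        if mod and mod.group(2) in BAD:
            hits.append((section, mod.group(1), mod.group(2)))
    return hits

def reply_sent(trace):
    """Return the last RADIUS reply type the server sent, or None."""
    found = REPLY.findall(trace)
    return found[-1] if found else None

# Constructed excerpt of the trace in this thread
SAMPLE = """\
Thu Mar 24 12:22:58 2016 : Debug: +group authorize {
Thu Mar 24 12:22:58 2016 : Debug: ++[preprocess] = ok
Thu Mar 24 12:22:58 2016 : Debug: ++[packetfence] = noop
Thu Mar 24 12:22:58 2016 : Debug: +} # group authorize = updated
Thu Mar 24 12:22:58 2016 : Debug: Auth-Type = Accept, accepting the user
Thu Mar 24 12:22:58 2016 : Debug: +group post-auth {
Thu Mar 24 12:22:58 2016 : Debug: +++update control { Thu Mar 24 12:22:58 2016 : Debug: +++} # update control = noop
Thu Mar 24 12:22:58 2016 : Debug: +++[packetfence] = fail
Thu Mar 24 12:22:58 2016 : Debug: +} # group post-auth = fail
Thu Mar 24 12:22:58 2016 : Debug: +group REJECT {
Thu Mar 24 12:22:58 2016 : Debug: +++[sql] = ok
Thu Mar 24 12:22:59 2016 : Debug: Sending Access-Reject packet to host 10.10.10.10 port 1645, id=32, length=0
"""

if __name__ == "__main__":
    print(find_failures(SAMPLE), reply_sent(SAMPLE))
```

On this excerpt the `packetfence` module passes in `authorize` and fails only in `post-auth`, which is why the request is first accepted and then rejected.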
