Hi Louis,
I got winbind to work by rejoining my PF server to my domain, and now I am
able to validate the domain bind by running (lists all of my domain users):
chroot /chroots/domain-ad wbinfo -u
PEAP did not work after that; I got the same logs in radius.log.
I set my supplicant (Windows 10 PC) to authenticate with EAP-TLS, but it does not
work either:
Thu Aug 11 11:59:34 2016 : ERROR: (88) eap_tls: ERROR: SSL says error 20 : unable to get local issuer certificate
Thu Aug 11 11:59:34 2016 : ERROR: (88) eap_tls: ERROR: TLS Alert write:fatal:unknown CA
Thu Aug 11 11:59:34 2016 : Error: tls: TLS_accept: Error in SSLv3 read client certificate B
Thu Aug 11 11:59:34 2016 : Auth: (88) Login incorrect (eap_tls: SSL says error 20 : unable to get local issuer certificate): [host/PC0001.intranet.local] (from client 192.168.1.28 port 1 cli f8:16:54:1a:14:13)
Thu Aug 11 11:59:34 2016 : Info: rlm_sql (sql): Closing connection (102): Hit idle_timeout, was idle for 165 seconds
Thu Aug 11 11:59:34 2016 : Info: rlm_sql (sql): Closing connection (103): Hit idle_timeout, was idle for 165 seconds
Thu Aug 11 11:59:34 2016 : Info: rlm_sql (sql): Opening additional connection (104), 1 of 64 pending slots used
Thu Aug 11 11:59:34 2016 : Info: rlm_sql (sql): Need 2 more connections to reach 10 spares
Thu Aug 11 11:59:34 2016 : Info: rlm_sql (sql): Opening additional connection (105), 1 of 63 pending slots used
Thu Aug 11 11:59:34 2016 : [mac:f8:16:54:1a:14:13] Rejected user: host/PC0001.intranet.local
Thu Aug 11 11:59:35 2016 : Info: rlm_perl: MAC address 0 is empty or invalid in this request. It could be normal on certain radius calls
Thu Aug 11 11:59:35 2016 : Info: rlm_sql (sql): Need 1 more connections to reach 10 spares
Thu Aug 11 11:59:35 2016 : Info: rlm_sql (sql): Opening additional connection (106), 1 of 62 pending slots used
Thu Aug 11 11:59:35 2016 : [mac:] Accepted user: and returned VLAN
Thu Aug 11 11:59:35 2016 : Auth: (89) Login OK: [dummy] (from client 192.168.1.59 port 0)
Thu Aug 11 11:59:40 2016 : ERROR: (96) eap_tls: ERROR: SSL says error 20 : unable to get local issuer certificate
Thu Aug 11 11:59:40 2016 : ERROR: (96) eap_tls: ERROR: TLS Alert write:fatal:unknown CA
Thu Aug 11 11:59:40 2016 : Error: tls: TLS_accept: Error in SSLv3 read client certificate B
Thu Aug 11 11:59:40 2016 : Auth: (96) Login incorrect (eap_tls: SSL says error 20 : unable to get local issuer certificate): [[email protected]] (from client 192.168.1.28 port 1 cli f8:16:54:1a:14:13)
Thu Aug 11 11:59:40 2016 : [mac:f8:16:54:1a:14:13] Rejected user: [email protected]
I ran FreeRADIUS in debug mode (radiusd -d /usr/local/pf/raddb -n auth -X)
as you suggested, but I got this error at the end of the CLI output:
auth: #### Opening IP addresses and Ports ####
listen {
	type = "auth"
	virtual_server = "packetfence"
	ipaddr = 127.0.0.1
	port = 18120
Failed binding to auth address 127.0.0.1 port 18120 bound to server packetfence: Address already in use
/usr/local/pf/raddb/auth.conf[9]: Error binding to port for 127.0.0.1 port 18120
Radtest:
# radtest dd9999 Abcd1234 localhost:18120 12 testing123
Sent Access-Request Id 64 from 0.0.0.0:35042 to 127.0.0.1:18120 length 76
	User-Name = "dd9999"
	User-Password = "Abcd1234"
	NAS-IP-Address = 169.254.0.1
	NAS-Port = 12
	Message-Authenticator = 0x00
	Cleartext-Password = "Abcd1234"
Received Access-Accept Id 64 from 127.0.0.1:18120 to 0.0.0.0:0 length 20
Please advise.
Thank you,
Vianney
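The "SSL says error 20 : unable to get local issuer certificate" lines above are OpenSSL's verdict that the CA file handed to eap_tls does not contain the CA that issued the client's machine certificate. The following script, an added example and not part of the original thread or of PacketFence, reproduces that exact error number offline with a hypothetical issuing CA and client certificate, and shows the check to run against the CA file actually referenced by the eap module before touching anything else in the configuration.

```shell
#!/bin/sh
# Constructed example: reproduce OpenSSL verify error 20 (the number eap_tls
# logs as "SSL says error 20") and check which CA file really issued a client
# certificate. All keys and certs below are throwaway test material.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# gen_ca PREFIX CN: self-signed test CA (stand-in for a Microsoft PKI issuing CA)
gen_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# gen_client CA_PREFIX PREFIX CN: client cert signed by that CA (stand-in for
# the Windows machine certificate presented during EAP-TLS)
gen_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -days 1 -out "$2.pem" >/dev/null 2>&1
}

# verify_client_cert CA_FILE CLIENT_CERT: prints "ok" when the chain builds,
# otherwise the OpenSSL error number (20 = unable to get local issuer cert).
# On a PacketFence box CA_FILE would be the ca_file named in the eap_tls
# section and CLIENT_CERT a cert exported from the supplicant (assumed paths).
verify_client_cert() {
  out=$(openssl verify -CAfile "$1" "$2" 2>&1) && { echo ok; return 0; }
  echo "$out" | sed -n 's/.*error \([0-9]*\) at.*/\1/p' | head -n 1
}

# Hypothetical names; nothing here comes from the thread's real PKI.
gen_ca "$WORK/mspki-ca" "Hypothetical MSPKI Issuing CA"
gen_ca "$WORK/other-ca" "Unrelated CA"
gen_client "$WORK/mspki-ca" "$WORK/pc0001" "PC0001.intranet.local"

# Same client cert, two CA files: only the issuing CA yields "ok". A RADIUS
# server pointed at the wrong CA file rejects every EAP-TLS client with
# error 20 and "TLS Alert write:fatal:unknown CA" before any identity check.
echo "issuing CA file : $(verify_client_cert "$WORK/mspki-ca.pem" "$WORK/pc0001.pem")"
echo "unrelated CA file: $(verify_client_cert "$WORK/other-ca.pem" "$WORK/pc0001.pem")"
```

If the check returns 20 against the CA file FreeRADIUS is configured with, the file is missing the issuing CA (or an intermediate) and no supplicant-side change will help; if it returns ok, the problem is elsewhere and the debug run is the next step.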
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
From: [email protected]
Date: Tue, 9 Aug 2016 16:17:59 -0400
To: [email protected]
Subject: Re: [PacketFence-users] Microsoft PKI (MSPKI) + Cisco Wireless Controller
Your supplicant is not configured to attempt EAP-TLS. It's trying PEAP, as you
can see from the logs.
In addition, PEAP itself is not going to work because winbind is either not
running or misconfigured.
But try to fix one thing at a time. Get the supplicant to authenticate using
EAP-TLS. Until it does, no amount of changing the configuration will help.
Once you have the supplicant attempting EAP-TLS, run FreeRADIUS in debug mode:
# radiusd -d /usr/local/pf/raddb -n auth -X
It will tell you a lot more than just the logs.
On Aug 9, 2016, at 4:05 PM, Vianney Amador <[email protected]> wrote:
Hi guys,
I've been struggling for a couple of days with this setup, but I haven't been
able to make it work; the PCs will not connect to WiFi.
radius.log:
Tue Aug 9 15:28:55 2016 : ERROR: (193) mschap: ERROR: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'
Tue Aug 9 15:28:55 2016 : Auth: (193) Login incorrect (mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'): [host/PC0001.INTRANET.local] (from client 192.168.1.28 port 1 cli f8:16:54:1a:14:13 via TLS tunnel)
Tue Aug 9 15:28:55 2016 : Info: rlm_sql (sql): Closing connection (253): Hit idle_timeout, was idle for 101 seconds
Tue Aug 9 15:28:55 2016 : Info: rlm_sql (sql): Closing connection (254): Hit idle_timeout, was idle for 101 seconds
Tue Aug 9 15:28:55 2016 : Info: rlm_sql (sql): Opening additional connection (255), 1 of 64 pending slots used
Tue Aug 9 15:28:55 2016 : Info: rlm_sql (sql): Need 2 more connections to reach 10 spares
Tue Aug 9 15:28:55 2016 : Info: rlm_sql (sql): Opening additional connection (256), 1 of 63 pending slots used
Tue Aug 9 15:28:55 2016 : Info: (194) eap_peap: The users session was previously rejected: returning reject (again.)
Tue Aug 9 15:28:55 2016 : Info: (194) eap_peap: This means you need to read the PREVIOUS messages in the debug output
Tue Aug 9 15:28:55 2016 : Info: (194) eap_peap: to find out the reason why the user was rejected
Tue Aug 9 15:28:55 2016 : Info: (194) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you
Tue Aug 9 15:28:55 2016 : Info: (194) eap_peap: what went wrong, and how to fix the problem
Tue Aug 9 15:28:55 2016 : Auth: (194) Login incorrect (eap: Failed continuing EAP PEAP (25) session. EAP sub-module failed): [host/PC0001.INTRANET.local] (from client 192.168.1.28 port 1 cli f8:16:54:1a:14:13)
Tue Aug 9 15:28:55 2016 : [mac:f8:16:54:1a:14:13] Rejected user: host/PC0001.INTRANET.local
Thank you for your help,
Vianney
Best regards,
--
Louis Munro
[email protected] :: www.inverse.ca
+1.514.447.4918 x125 :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users