On 17/01/2017 at 22:34, Fabrice Durand wrote:
> Hello Denis,
>
> so first you added it in packetfence-tunnel (which is correct) but you
> test it with radclient and it will never go in packetfence-tunnel.
>
> What you have to do is to use eapol_test in order to test 802.1x.
>
> http://deployingradius.com/scripts/eapol_test/
Ok, finally, I found a spare wifi AP for testing, it will be more
efficient...
>
> Also radius debug means:
> raddebug -f var/run/radiusd.sock -t 300
(219) Thu Jan 19 09:32:52 2017: Debug: packetfence: &request:State =
$RAD_REQUEST{'State'} -> '0x7246971f72418d32cc55830e57797d34'
(219) Thu Jan 19 09:32:52 2017: Debug: packetfence:
&request:MS-CHAP-Challenge = $RAD_REQUEST{'MS-CHAP-Challenge'} ->
'0xb5965af9164e8fef4e8bef0a10d33f30'
(219) Thu Jan 19 09:32:52 2017: Debug: packetfence:
&request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '172.16.1.120'
(219) Thu Jan 19 09:32:52 2017: Debug: packetfence:
&request:FreeRADIUS-Proxied-To = $RAD_REQUEST{'FreeRADIUS-Proxied-To'}
-> '127.0.0.1'
(219) Thu Jan 19 09:32:52 2017: Debug: packetfence:
&request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'janv. 19
2017 09:32:52 CET'
(219) Thu Jan 19 09:32:52 2017: Debug: packetfence: &request:EAP-Type =
$RAD_REQUEST{'EAP-Type'} -> 'MSCHAPv2'
(219) Thu Jan 19 09:32:52 2017: Debug: packetfence:
&request:Calling-Station-Id = $RAD_REQUEST{'Calling-Station-Id'} ->
'44:74:6c:50:25:e7'
(219) Thu Jan 19 09:32:52 2017: Debug: packetfence: &control:NT-Password
= $RAD_CHECK{'NT-Password'} ->
'0x.............................................................'
(219) Thu Jan 19 09:32:52 2017: Debug: packetfence: &control:Auth-Type =
$RAD_CHECK{'Auth-Type'} -> 'eap'
(219) Thu Jan 19 09:32:52 2017: Debug: packetfence:
&control:MD5-Password = $RAD_CHECK{'MD5-Password'} ->
'0x.............................................................................................
(219) Thu Jan 19 09:32:52 2017: Debug: packetfence: &control:LDAP-UserDN
= $RAD_CHECK{'LDAP-UserDN'} ->
'uid=denis.bonnenfant,ou=People,dc=diderot,dc=org'
(219) Thu Jan 19 09:32:52 2017: Debug: packetfence:
&control:Proxy-To-Realm = $RAD_CHECK{'Proxy-To-Realm'} -> 'LOCAL'
(219) Thu Jan 19 09:32:52 2017: Debug: [packetfence] = noop
(219) Thu Jan 19 09:32:52 2017: Debug: if (PacketFence-Domain) {
(219) Thu Jan 19 09:32:52 2017: Debug: if (PacketFence-Domain) -> FALSE
(219) Thu Jan 19 09:32:52 2017: Debug: else {
(219) Thu Jan 19 09:32:52 2017: Debug: mschap: Found NT-Password
(219) Thu Jan 19 09:32:52 2017: Debug: mschap: Creating challenge hash
with username: denis.bonnenfant
(219) Thu Jan 19 09:32:52 2017: Debug: mschap: Client is using MS-CHAPv2
(219) Thu Jan 19 09:32:52 2017: Debug: mschap: Executing:
/usr/local/pf/bin/ntlm_auth_wrapper -- --request-nt-key
--username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}
--challenge=%{mschap:Challenge:-00} --nt-respon{mschap:NT-Response:-00}:
(219) Thu Jan 19 09:32:52 2017: Debug: mschap: EXPAND
--username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}
(219) Thu Jan 19 09:32:52 2017: Debug: mschap: -->
--username=denis.bonnenfant
(219) Thu Jan 19 09:32:52 2017: Debug: mschap: Creating challenge hash
with username: denis.bonnenfant
(219) Thu Jan 19 09:32:52 2017: Debug: mschap: EXPAND
--challenge=%{mschap:Challenge:-00}
(219) Thu Jan 19 09:32:52 2017: Debug: mschap: -->
--challenge=aeca09a8e5925c2c
(219) Thu Jan 19 09:32:52 2017: Debug: mschap: EXPAND
--nt-response=%{mschap:NT-Response:-00}
(219) Thu Jan 19 09:32:52 2017: Debug: mschap: -->
--nt-response=4e944e2ad2edcb5a562284dafb74ea693c14bffea2c590eb
(219) Thu Jan 19 09:32:52 2017: ERROR: mschap: Program returned code (1)
and output 'Reading winbind reply failed! (0xc0000001)'
(219) Thu Jan 19 09:32:52 2017: Debug: mschap: External script failed
(219) Thu Jan 19 09:32:52 2017: ERROR: mschap: External script says:
Reading winbind reply failed! (0xc0000001)
(219) Thu Jan 19 09:32:52 2017: ERROR: mschap: MS-CHAP2-Response is
incorrect
(219) Thu Jan 19 09:32:52 2017: Debug: [mschap] = reject
(219) Thu Jan 19 09:32:52 2017: Debug: } # else = reject
(219) Thu Jan 19 09:32:52 2017: Debug: } # Auth-Type MS-CHAP = reject
(219) Thu Jan 19 09:32:52 2017: Debug: eap: Sending EAP Failure (code 4)
ID 7 length 4
(219) Thu Jan 19 09:32:52 2017: Debug: eap: Freeing handler
(219) Thu Jan 19 09:32:52 2017: Debug: [eap] = reject
(219) Thu Jan 19 09:32:52 2017: Debug: } # authenticate = reject
(219) Thu Jan 19 09:32:52 2017: Debug: Failed to authenticate the user
(219) Thu Jan 19 09:32:52 2017: Debug: Using Post-Auth-Type Reject
(219) Thu Jan 19 09:32:52 2017: Debug: # Executing group from file
raddb//sites-enabled/packetfence-tunnel
It seems that it tries to use winbind, which is really strange, as my
config is not AD, and normally I configured it to read nt-password
directly from LDAP, but the logs show no password request:
(219) Thu Jan 19 09:32:52 2017: Debug: ldap: EXPAND
(uid=%{%{mschap:User-Name}:-%{User-Name}})
(219) Thu Jan 19 09:32:52 2017: Debug: ldap: --> (uid=denis.bonnenfant)
(219) Thu Jan 19 09:32:52 2017: Debug: ldap: Performing search in
"dc=diderot,dc=org" with filter "(uid=denis.bonnenfant)", scope "sub"
(219) Thu Jan 19 09:32:52 2017: Debug: ldap: Waiting for search result...
(219) Thu Jan 19 09:32:52 2017: Debug: ldap: User object found at DN
"uid=denis.bonnenfant,ou=People,dc=diderot,dc=org"
(219) Thu Jan 19 09:32:52 2017: Debug: ldap: Processing user attributes
(219) Thu Jan 19 09:32:52 2017: Debug: [ldap] = updated
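
An added example, not part of the original message and not PacketFence code: a small parser for debug output of this shape that rejoins the mail-wrapped lines and flags requests where mschap both reports `Found NT-Password` and runs an external program, the combination visible in request 219 above. The function names are hypothetical, and request 220 in the sample is constructed for contrast.

```python
import re

# "(id) ctime-style timestamp: LEVEL: message", the record prefix used in the log above.
LINE = re.compile(r"^\((\d+)\) \w{3} \w{3} [ \d]\d [\d:]{8} \d{4}: (\w+): (.*)$")

# Request 219 is abridged from the message above (mail-wrapped); 220 is constructed.
SAMPLE = """\
(219) Thu Jan 19 09:32:52 2017: Debug: mschap: Found NT-Password
(219) Thu Jan 19 09:32:52 2017: Debug: mschap: Client is using MS-CHAPv2
(219) Thu Jan 19 09:32:52 2017: Debug: mschap: Executing:
/usr/local/pf/bin/ntlm_auth_wrapper -- --request-nt-key
(219) Thu Jan 19 09:32:52 2017: ERROR: mschap: Program returned code (1)
and output 'Reading winbind reply failed! (0xc0000001)'
(219) Thu Jan 19 09:32:52 2017: Debug: [mschap] = reject
(220) Thu Jan 19 09:33:10 2017: Debug: mschap: Found NT-Password
(220) Thu Jan 19 09:33:10 2017: Debug: [mschap] = ok
"""

def unwrap(text):
    """Rejoin continuation lines (no record prefix) onto the previous record."""
    records = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            records.append([int(m.group(1)), m.group(2), m.group(3)])
        elif records and raw.strip():
            records[-1][2] += " " + raw.strip()
    return records

def audit_mschap(text):
    """Per request: NT-Password seen, external program run, its error, module result."""
    out = {}
    for req, level, msg in unwrap(text):
        r = out.setdefault(req, {"nt_password": False, "external": None,
                                 "error": None, "result": None})
        if msg == "mschap: Found NT-Password":
            r["nt_password"] = True
        elif msg.startswith("mschap: Executing:"):
            r["external"] = (msg.split("Executing:", 1)[1].split() or ["?"])[0]
        elif level == "ERROR" and "Program returned code" in msg:
            r["error"] = msg.split("mschap: ", 1)[1]
        elif (m := re.match(r"\[mschap\] = (\w+)", msg)):
            r["result"] = m.group(1)
    return out

def conflicts(text):
    """Request ids where a local NT-Password existed but an external helper was still run."""
    return sorted(q for q, r in audit_mschap(text).items()
                  if r["nt_password"] and r["external"])
```
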