Hello Luca,
Are you using Active Directory?
If that's the case, then you first need to join PacketFence to the domain.
Also, can you run: raddebug -f /usr/local/pf/var/run/radius.sock -t 3000
and retry your authentication (you will get more details).
Regards
Fabrice
On 2017-01-25 at 04:51, Luca Messori wrote:
>
> Hi all,
>
> I’m trying to configure my PF to authenticate wireless users.
>
>
>
> I have created a WPA2 enterprise WLAN on my APs and I have configured
> the PF IP as radius server.
>
> I have configured a LDAP user source that should be used by the Radius
> server.
>
> Using pftest I have this output:
>
> [root@mitelwifi ~]# /usr/local/pf/bin/pftest authentication
> integrazionewifi <MYPASSWD> <LDAP_SOURCE>
>
> Testing authentication for "integrazionewifi"
>
>
>
> Authenticating against <LDAP_SOURCE>
>
> Authentication SUCCEEDED against <LDAP_SOURCE> (Authentication
> successful.)
>
> Matched against <LDAP_SOURCE>for 'authentication' rules
>
> set_role : impiegati
>
> set_access_duration : 5D
>
> Did not match against <LDAP_SOURCE>
>
>
>
> When a wireless client tries to connect to the WLAN I see this log in
> the radius log file:
>
> Wed Jan 25 02:41:29 2017 : Auth: (11) Login incorrect (eap: Tried to
> start unsupported EAP type MSCHAPv2 (26)):
> [<MYDOMAIN>\integrazionewifi] (from client 10.12.15.0/24 port 1 cli
> 70:77:81:1a:d2:c5 via TLS tunnel)
>
> Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing connection
> (1): Hit idle_timeout, was idle for 204 seconds
>
> Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing connection
> (2): Hit idle_timeout, was idle for 204 seconds
>
> Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing connection
> (3): Hit idle_timeout, was idle for 204 seconds
>
> Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing connection
> (4): Hit idle_timeout, was idle for 204 seconds
>
> Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing connection
> (0): Hit idle_timeout, was idle for 204 seconds
>
> Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing connection
> (5): Hit idle_timeout, was idle for 204 seconds
>
> Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Opening additional
> connection (6), 1 of 64 pending slots used
>
> Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Need 2 more
> connections to reach 10 spares
>
> Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Opening additional
> connection (7), 1 of 63 pending slots used
>
> Wed Jan 25 02:41:29 2017 : Info: (12) eap_peap: The users session
> was previously rejected: returning reject (again.)
>
> Wed Jan 25 02:41:29 2017 : Info: (12) eap_peap: This means you need
> to read the PREVIOUS messages in the debug output
>
> Wed Jan 25 02:41:29 2017 : Info: (12) eap_peap: to find out the
> reason why the user was rejected
>
> Wed Jan 25 02:41:29 2017 : Info: (12) eap_peap: Look for "reject" or
> "fail". Those earlier messages will tell you
>
> Wed Jan 25 02:41:29 2017 : Info: (12) eap_peap: what went wrong, and
> how to fix the problem
>
> Wed Jan 25 02:41:29 2017 : Auth: (12) Login incorrect (eap: Failed
> continuing EAP PEAP (25) session. EAP sub-module failed):
> [<MYDOMAIN>\integrazionewifi] (from client 10.12.15.0/24 port 1 cli
> 70:77:81:1a:d2:c5)
>
> Wed Jan 25 02:41:29 2017 : [mac:70:77:81:1a:d2:c5] Rejected user:
> assl10\integrazionewifi
>
>
>
> Using tcpdump I cannot see any connection to the LDAP server.
>
>
>
> I don’t understand why I have this log.
>
> I have enabled PEAP and MSCHAPv2 as authentication method.
>
>
>
> Thank you very much
>
>
>
> Luca Messori
>
>
>
>
>
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
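
The quoted radius log tells the reader to look at the earlier messages to find why the user was rejected. As an added example (not part of the thread and not PacketFence code), this script pulls the earliest `Login incorrect` entry per client MAC out of such a log; the function name and field names are hypothetical, and the sample is constructed by re-joining wrapped lines from the excerpt quoted above.

```python
import re

# Constructed sample: lines re-joined from the wrapped radius log quoted in this thread.
SAMPLE_LOG = r"""
Wed Jan 25 02:41:29 2017 : Auth: (11) Login incorrect (eap: Tried to start unsupported EAP type MSCHAPv2 (26)): [<MYDOMAIN>\integrazionewifi] (from client 10.12.15.0/24 port 1 cli 70:77:81:1a:d2:c5 via TLS tunnel)
Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 204 seconds
Wed Jan 25 02:41:29 2017 : Info: (12) eap_peap: The users session was previously rejected: returning reject (again.)
Wed Jan 25 02:41:29 2017 : Auth: (12) Login incorrect (eap: Failed continuing EAP PEAP (25) session. EAP sub-module failed): [<MYDOMAIN>\integrazionewifi] (from client 10.12.15.0/24 port 1 cli 70:77:81:1a:d2:c5)
"""

# The reason itself contains parentheses such as "(26)", so it is matched
# greedily up to the "): [" that precedes the user name.
AUTH_FAIL = re.compile(
    r"Auth: \((?P<req>\d+)\)\s+Login incorrect \((?P<reason>.*)\): "
    r"\[(?P<user>.*?)\] \(from client (?P<nas>\S+) port \d+ "
    r"cli (?P<mac>[0-9A-Fa-f:]{17})(?P<inner> via TLS tunnel)?\)"
)


def first_reject_per_client(log_text):
    """Return {mac: info} for the earliest 'Login incorrect' line of each client."""
    result = {}
    for line in log_text.splitlines():
        m = AUTH_FAIL.search(line)
        if not m:
            continue  # rlm_sql pool messages and eap_peap hints are skipped
        mac = m.group("mac").lower()
        if mac in result:
            # Later rejects for the same client are counted, not reported.
            result[mac]["later_rejects"] += 1
            continue
        result[mac] = {
            "request": int(m.group("req")),
            "user": m.group("user"),
            "reason": m.group("reason"),
            "inner_tunnel": m.group("inner") is not None,
            "later_rejects": 0,
        }
    return result


if __name__ == "__main__":
    for mac, info in first_reject_per_client(SAMPLE_LOG).items():
        print(mac, info)
```
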