Hey guys,

I have just put Packetfence into operation in our network, after a prolonged 
testing period. Now, suddenly, I see some situations where access gets 
rejected, even though the computer had formerly been able to get online. It 
seems that, at one point, the machine got online due to mac-auth. Then 
suddenly, the authentication request comes in with EAP and fails for some 
reason.

See logs:

Success part:

Mar 20 08:36:50 httpd.aaa(31663) INFO: [mac:90:1b:0e:1b:04:a6] handling radius 
autz request: from switch_ip => (xx.xx.xx.xx), connection_type => 
WIRED_MAC_AUTH,switch_mac => (Unknown), mac => [90:1b:0e:1b:04:a6], port => 15, 
username =>
"901b0e1b04a6" (pf::radius::authorize)
Mar 20 08:36:50 httpd.aaa(31663) INFO: [mac:90:1b:0e:1b:04:a6] Instantiate 
profile default (pf::Portal::ProfileFactory::_from_profile)
Mar 20 08:36:50 httpd.aaa(31663) INFO: [mac:90:1b:0e:1b:04:a6] Connection type 
is WIRED_MAC_AUTH. Getting role from node_info (pf::role::getRegisteredRole)
Mar 20 08:36:50 httpd.aaa(31663) INFO: [mac:90:1b:0e:1b:04:a6] Username was 
defined "901b0e1b04a6" - returning role 'Machine-auth' 
(pf::role::getRegisteredRole)
Mar 20 08:36:50 httpd.aaa(31663) INFO: [mac:90:1b:0e:1b:04:a6] PID: "default", 
Status: reg Returned VLAN: (undefined), Role: Machine-auth 
(pf::role::fetchRoleForNode)
Mar 20 08:36:50 httpd.aaa(31663) INFO: [mac:90:1b:0e:1b:04:a6] (xx.xx.xx.xx) 
Added VLAN 10 to the returned RADIUS Access-Accept 
(pf::Switch::returnRadiusAccessAccept)

Now comes failure:

Mar 20 13:14:18 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] handling radius 
autz request: from switch_ip => (xx.xx.xx.xx), connection_type => 
Ethernet-EAP,switch_mac => (Unknown), mac => [90:1b:0e:1b:04:a6], port => 15, 
username => "MYDOMAIN\MYUSER" (pf::radius::authorize)
Mar 20 13:14:18 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Instantiate 
profile Machine-auth-autoregister (pf::Portal::ProfileFactory::_from_profile)
Mar 20 13:14:18 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Found 
authentication source 'DK-Users' for realm 'MYDOMAIN' 
(pf::config::util::get_realm_authentication_source)
Mar 20 13:14:18 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Found 
authentication source 'DK-Users' for realm 'MYDOMAIN' 
(pf::config::util::filter_authentication_sources)
Mar 20 13:14:18 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Realm 'MYDOMAIN' 
authentication source 'DK-Users' is part of the available portal profile 
authentication sources. Using it as the only authentication source. 
(pf::config::util::filter_authentication_sources)
Mar 20 13:14:18 httpd.aaa(4744) WARN: [mac:90:1b:0e:1b:04:a6] Calling match 
with empty/invalid rule class. Defaulting to 'authentication' 
(pf::authentication::match)
Mar 20 13:14:18 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Using sources 
DK-Users for matching (pf::authentication::match)
Mar 20 13:14:18 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Matched rule 
(DK-Users) in source DK-Users, returning actions. 
(pf::Authentication::Source::match)
Mar 20 13:14:18 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Using sources 
DK-Users for matching (pf::authentication::match)
Mar 20 13:14:18 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Matched rule 
(DK-Users) in source DK-Users, returning actions. 
(pf::Authentication::Source::match)
Mar 20 13:14:18 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] creating person 
MYDOMAIN\MYUSER because it doesn't exist (pf::node::node_register)
Mar 20 13:14:18 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] person 
MYDOMAIN\MYUSER added (pf::person::person_add)
Mar 20 13:14:18 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] autoregister a 
node that is already registered, do nothing. (pf::node::node_register)
Mar 20 13:14:18 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Match rule 
3:EthernetEAP&!machine&!EAPTLS (pf::access_filter::test)
Mar 20 13:14:18 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] PID: 
"MYDOMAIN\MYUSER", Status: reg Returned VLAN: (undefined), Role: REJECT 
(pf::role::fetchRoleForNode)
Mar 20 13:14:18 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] According to 
rules in fetchRoleForNode this node must be kicked out. Returning USERLOCK 
(pf::Switch::handleRadiusDeny)
Mar 20 13:16:16 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] handling radius 
autz request: from switch_ip => (xx.xx.xx.xx), connection_type => 
Ethernet-EAP,switch_mac => (Unknown), mac => [90:1b:0e:1b:04:a6], port => 15, 
username => "MYDOMAIN\MYUSER" (pf::radius::authorize)
Mar 20 13:16:16 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Instantiate 
profile Machine-auth-autoregister (pf::Portal::ProfileFactory::_from_profile)
Mar 20 13:16:16 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Found 
authentication source 'DK-Users' for realm 'MYDOMAIN' 
(pf::config::util::get_realm_authentication_source)
Mar 20 13:16:16 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Found 
authentication source 'DK-Users' for realm 'MYDOMAIN' 
(pf::config::util::filter_authentication_sources)
Mar 20 13:16:16 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Realm 'MYDOMAIN' 
authentication source 'DK-Users' is part of the available portal profile 
authentication sources. Using it as the only authentication source. 
(pf::config::util::filter_authentication_sources)
Mar 20 13:16:16 httpd.aaa(4744) WARN: [mac:90:1b:0e:1b:04:a6] Calling match 
with empty/invalid rule class. Defaulting to 'authentication' 
(pf::authentication::match)
Mar 20 13:16:16 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Using sources 
DK-Users for matching (pf::authentication::match)
Mar 20 13:16:16 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Matched rule 
(DK-Users) in source DK-Users, returning actions. 
(pf::Authentication::Source::match)
Mar 20 13:16:16 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Using sources 
DK-Users for matching (pf::authentication::match)
Mar 20 13:16:16 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Matched rule 
(DK-Users) in source DK-Users, returning actions. 
(pf::Authentication::Source::match)
Mar 20 13:16:16 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] autoregister a 
node that is already registered, do nothing. (pf::node::node_register)
Mar 20 13:16:16 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Match rule 
3:EthernetEAP&!machine&!EAPTLS (pf::access_filter::test)
Mar 20 13:16:16 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] PID: 
"MYDOMAIN\MYUSER", Status: reg Returned VLAN: (undefined), Role: REJECT 
(pf::role::fetchRoleForNode)
Mar 20 13:16:16 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] According to 
rules in fetchRoleForNode this node must be kicked out. Returning USERLOCK 
(pf::Switch::handleRadiusDeny)

And now success again:

Mar 20 13:16:51 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] handling radius 
autz request: from switch_ip => (xx.xx.xx.xx), connection_type => 
WIRED_MAC_AUTH,switch_mac => (Unknown), mac => [90:1b:0e:1b:04:a6], port => 15, 
username => "901b0e1b04a6" (pf::radius::authorize)
Mar 20 13:16:51 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Instantiate 
profile default (pf::Portal::ProfileFactory::_from_profile)
Mar 20 13:16:51 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Connection type 
is WIRED_MAC_AUTH. Getting role from node_info (pf::role::getRegisteredRole)
Mar 20 13:16:51 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Username was 
defined "901b0e1b04a6" - returning role 'User-auth' 
(pf::role::getRegisteredRole)
Mar 20 13:16:51 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] PID: 
"MYDOMAIN\MYUSER", Status: reg Returned VLAN: (undefined), Role: User-auth 
(pf::role::fetchRoleForNode)
Mar 20 13:16:51 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] (xx.xx.xx.xx) 
Added VLAN 10 to the returned RADIUS Access-Accept 
(pf::Switch::returnRadiusAccessAccept)

Can someone guide me in the right direction?

Note that we use VLAN filters, to make sure an 802.1x user cannot log in on a 
machine that is not authenticated using 802.1x and validated against our CA. It 
seems to be one of these rules that are being hit - but I don't understand why. 
Maybe it is because it is using the DOMAIN\user instead of the host/computer?

Below are our rules for vlan filters:

[EthernetEAP]
filter = connection_type
operator = is
value = Ethernet-EAP

[WirelessEAP]
filter = connection_type
operator = is
value = Wireless-802.11-EAP

[machineauth]
filter = user_name
operator = match
value = host/

[machine]
filter = node_info.machine_account
operator = defined

[isadmin]
filter = owner.custom_field_1
operator = match
value = Admin

[EAPTLS]
filter = radius_request
attribute = EAP-Type
operator = is
value = EAP-TLS


### Machine Auth Autoregister ####

[1:EthernetEAP&machineauth]
scope = AutoRegister
role = Machine-auth

[2:EthernetEAP&machineauth]
scope = NodeInfoForAutoReg
role = Machine-auth

[1:WirelessEAP&machineauth&isadmin]
scope = AutoRegister
role = Management

[2:WirelessEAP&machineauth&isadmin]
scope = NodeInfoForAutoReg
role = Management

[3:WirelessEAP&machineauth]
scope = AutoRegister
role = Machine-auth

[4:WirelessEAP&machineauth]
scope = NodeInfoForAutoReg
role = Machine-auth


### Refuse User Auth without machine Auth ####

[3:EthernetEAP&!machine&!EAPTLS]
scope = RegisteredRole
role = REJECT

[4:EthernetEAP&!machine]
scope = RegistrationRole
role = REJECT

[3:WirelessEAP&!machine&!EAPTLS]
scope = RegisteredRole
role = REJECT

[4:WirelessEAP&!machine]
scope = RegistrationRole
role = REJECT

### EAP TLS Autoregister ####

[5:EthernetEAP&EAPTLS]
scope = AutoRegister
role = Machine-auth

[6:EthernetEAP&EAPTLS]
scope = NodeInfoForAutoReg
role = Machine-auth

[5:WirelessEAP&EAPTLS]
scope = AutoRegister
role = Machine-auth

[6:WirelessEAP&EAPTLS]
scope = NodeInfoForAutoReg
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
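To see why the EAP request above lands on `3:EthernetEAP&!machine&!EAPTLS` while the MAC-auth request does not, here is a small Python model (added here, not PacketFence code and not from the poster) of the RegisteredRole-scope rules from the posted config, evaluated against requests reconstructed from the two log excerpts. It assumes `match` behaves as a regex search and that the user session's EAP-Type was PEAP, which the logs never print; it also shows that the reject rules key on the `machine` filter (`node_info.machine_account` defined), not on `machineauth` (a `host/` username), so a `host/` login whose node has no machine_account recorded is rejected just the same.

```python
import re

# Filter definitions transcribed from the post's vlan filter config as
# (key, radius attribute, operator, value); a constructed model, not PacketFence code.
FILTERS = {
    "EthernetEAP": ("connection_type", None, "is", "Ethernet-EAP"),
    "WirelessEAP": ("connection_type", None, "is", "Wireless-802.11-EAP"),
    "machineauth": ("user_name", None, "match", "host/"),
    "machine": ("node_info.machine_account", None, "defined", None),
    "EAPTLS": ("radius_request", "EAP-Type", "is", "EAP-TLS"),
}
# RegisteredRole-scope rules, in the order the config lists them.
REGISTERED_ROLE_RULES = [
    ("3:EthernetEAP&!machine&!EAPTLS", "REJECT"),
    ("3:WirelessEAP&!machine&!EAPTLS", "REJECT"),
]

def lookup(req, key, attribute):
    # radius_request filters inspect one attribute of the RADIUS request
    if key == "radius_request":
        return req.get("radius_request", {}).get(attribute)
    return req.get(key)

def filter_matches(name, req):
    key, attribute, op, value = FILTERS[name]
    actual = lookup(req, key, attribute)
    if op == "is":
        return actual == value
    if op == "match":  # modelled as a regex search (assumption about 'match')
        return actual is not None and re.search(value, actual) is not None
    if op == "defined":
        return actual not in (None, "")
    raise ValueError(f"unknown operator {op}")

def rule_matches(rule_name, req):
    # "3:A&!B" -> every '&' term must hold; a leading '!' negates that filter
    expr = rule_name.split(":", 1)[1]
    return all(filter_matches(t.lstrip("!"), req) != t.startswith("!") for t in expr.split("&"))

def registered_role(req):
    """First matching RegisteredRole rule as (rule, role), or None if no rule fires."""
    for rule_name, role in REGISTERED_ROLE_RULES:
        if rule_matches(rule_name, req):
            return rule_name, role
    return None

# Requests reconstructed from the logged excerpts; EAP-Type is an assumption (the logs never print it).
MAC_AUTH = {"connection_type": "WIRED_MAC_AUTH", "user_name": "901b0e1b04a6"}
USER_EAP = {"connection_type": "Ethernet-EAP", "user_name": "MYDOMAIN\\MYUSER",
            "radius_request": {"EAP-Type": "PEAP"}}
```

Calling `registered_role(USER_EAP)` returns the `3:EthernetEAP&!machine&!EAPTLS` rule with `REJECT`, matching the log, while `registered_role(MAC_AUTH)` returns `None` because neither rule's connection_type term holds; populating `node_info.machine_account` or presenting EAP-TLS is what turns the rejection off in this model.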