Hey guys,
I have just put Packetfence into operation in our network, after a prolonged
testing period. Now, suddenly, I see some situations where access gets
rejected, even though the computer had formerly been able to get online. It
seems that, at one point, the machine got online due to mac-auth. Then
suddenly, the authentication request comes in with EAP and fails for some
reason.
See logs:
Success part:
Mar 20 08:36:50 httpd.aaa(31663) INFO: [mac:90:1b:0e:1b:04:a6] handling radius
autz request: from switch_ip => (xx.xx.xx.xx), connection_type =>
WIRED_MAC_AUTH,switch_mac => (Unknown), mac => [90:1b:0e:1b:04:a6], port => 15,
username => "901b0e1b04a6" (pf::radius::authorize)
Mar 20 08:36:50 httpd.aaa(31663) INFO: [mac:90:1b:0e:1b:04:a6] Instantiate
profile default (pf::Portal::ProfileFactory::_from_profile)
Mar 20 08:36:50 httpd.aaa(31663) INFO: [mac:90:1b:0e:1b:04:a6] Connection type
is WIRED_MAC_AUTH. Getting role from node_info (pf::role::getRegisteredRole)
Mar 20 08:36:50 httpd.aaa(31663) INFO: [mac:90:1b:0e:1b:04:a6] Username was
defined "901b0e1b04a6" - returning role 'Machine-auth'
(pf::role::getRegisteredRole)
Mar 20 08:36:50 httpd.aaa(31663) INFO: [mac:90:1b:0e:1b:04:a6] PID: "default",
Status: reg Returned VLAN: (undefined), Role: Machine-auth
(pf::role::fetchRoleForNode)
Mar 20 08:36:50 httpd.aaa(31663) INFO: [mac:90:1b:0e:1b:04:a6] (xx.xx.xx.xx)
Added VLAN 10 to the returned RADIUS Access-Accept
(pf::Switch::returnRadiusAccessAccept)
Now comes failure:
Mar 20 13:14:18 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] handling radius
autz request: from switch_ip => (xx.xx.xx.xx), connection_type =>
Ethernet-EAP,switch_mac => (Unknown), mac => [90:1b:0e:1b:04:a6], port => 15,
username => "MYDOMAIN\MYUSER" (pf::radius::authorize)
Mar 20 13:14:18 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Instantiate
profile Machine-auth-autoregister (pf::Portal::ProfileFactory::_from_profile)
Mar 20 13:14:18 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Found
authentication source 'DK-Users' for realm 'MYDOMAIN'
(pf::config::util::get_realm_authentication_source)
Mar 20 13:14:18 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Found
authentication source 'DK-Users' for realm 'MYDOMAIN'
(pf::config::util::filter_authentication_sources)
Mar 20 13:14:18 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Realm 'MYDOMAIN'
authentication source 'DK-Users' is part of the available portal profile
authentication sources. Using it as the only authentication source.
(pf::config::util::filter_authentication_sources)
Mar 20 13:14:18 httpd.aaa(4744) WARN: [mac:90:1b:0e:1b:04:a6] Calling match
with empty/invalid rule class. Defaulting to 'authentication'
(pf::authentication::match)
Mar 20 13:14:18 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Using sources
DK-Users for matching (pf::authentication::match)
Mar 20 13:14:18 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Matched rule
(DK-Users) in source DK-Users, returning actions.
(pf::Authentication::Source::match)
Mar 20 13:14:18 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Using sources
DK-Users for matching (pf::authentication::match)
Mar 20 13:14:18 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Matched rule
(DK-Users) in source DK-Users, returning actions.
(pf::Authentication::Source::match)
Mar 20 13:14:18 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] creating person
MYDOMAIN\MYUSER because it doesn't exist (pf::node::node_register)
Mar 20 13:14:18 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] person
MYDOMAIN\MYUSER added (pf::person::person_add)
Mar 20 13:14:18 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] autoregister a
node that is already registered, do nothing. (pf::node::node_register)
Mar 20 13:14:18 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Match rule
3:EthernetEAP&!machine&!EAPTLS (pf::access_filter::test)
Mar 20 13:14:18 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] PID:
"MYDOMAIN\MYUSER", Status: reg Returned VLAN: (undefined), Role: REJECT
(pf::role::fetchRoleForNode)
Mar 20 13:14:18 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] According to
rules in fetchRoleForNode this node must be kicked out. Returning USERLOCK
(pf::Switch::handleRadiusDeny)
Mar 20 13:16:16 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] handling radius
autz request: from switch_ip => (xx.xx.xx.xx), connection_type =>
Ethernet-EAP,switch_mac => (Unknown), mac => [90:1b:0e:1b:04:a6], port => 15,
username => "MYDOMAIN\MYUSER" (pf::radius::authorize)
Mar 20 13:16:16 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Instantiate
profile Machine-auth-autoregister (pf::Portal::ProfileFactory::_from_profile)
Mar 20 13:16:16 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Found
authentication source 'DK-Users' for realm 'MYDOMAIN'
(pf::config::util::get_realm_authentication_source)
Mar 20 13:16:16 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Found
authentication source 'DK-Users' for realm 'MYDOMAIN'
(pf::config::util::filter_authentication_sources)
Mar 20 13:16:16 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Realm 'MYDOMAIN'
authentication source 'DK-Users' is part of the available portal profile
authentication sources. Using it as the only authentication source.
(pf::config::util::filter_authentication_sources)
Mar 20 13:16:16 httpd.aaa(4744) WARN: [mac:90:1b:0e:1b:04:a6] Calling match
with empty/invalid rule class. Defaulting to 'authentication'
(pf::authentication::match)
Mar 20 13:16:16 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Using sources
DK-Users for matching (pf::authentication::match)
Mar 20 13:16:16 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Matched rule
(DK-Users) in source DK-Users, returning actions.
(pf::Authentication::Source::match)
Mar 20 13:16:16 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Using sources
DK-Users for matching (pf::authentication::match)
Mar 20 13:16:16 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Matched rule
(DK-Users) in source DK-Users, returning actions.
(pf::Authentication::Source::match)
Mar 20 13:16:16 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] autoregister a
node that is already registered, do nothing. (pf::node::node_register)
Mar 20 13:16:16 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Match rule
3:EthernetEAP&!machine&!EAPTLS (pf::access_filter::test)
Mar 20 13:16:16 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] PID:
"MYDOMAIN\MYUSER", Status: reg Returned VLAN: (undefined), Role: REJECT
(pf::role::fetchRoleForNode)
Mar 20 13:16:16 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] According to
rules in fetchRoleForNode this node must be kicked out. Returning USERLOCK
(pf::Switch::handleRadiusDeny)
And now success again:
Mar 20 13:16:51 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] handling radius
autz request: from switch_ip => (xx.xx.xx.xx), connection_type =>
WIRED_MAC_AUTH,switch_mac => (Unknown), mac => [90:1b:0e:1b:04:a6], port => 15,
username => "901b0e1b04a6" (pf::radius::authorize)
Mar 20 13:16:51 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Instantiate
profile default (pf::Portal::ProfileFactory::_from_profile)
Mar 20 13:16:51 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Connection type
is WIRED_MAC_AUTH. Getting role from node_info (pf::role::getRegisteredRole)
Mar 20 13:16:51 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Username was
defined "901b0e1b04a6" - returning role 'User-auth'
(pf::role::getRegisteredRole)
Mar 20 13:16:51 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] PID:
"MYDOMAIN\MYUSER", Status: reg Returned VLAN: (undefined), Role: User-auth
(pf::role::fetchRoleForNode)
Mar 20 13:16:51 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] (xx.xx.xx.xx)
Added VLAN 10 to the returned RADIUS Access-Accept
(pf::Switch::returnRadiusAccessAccept)
Can someone guide me in the right direction?
Note that we use VLAN filters to make sure an 802.1x user cannot log in on a
machine that is not authenticated using 802.1x and validated against our CA. It
seems to be one of these rules that is being hit - but I don't understand why.
Maybe it is because it is using the DOMAIN\user instead of the host/computer?
Below are our rules for vlan filters:
[EthernetEAP]
filter = connection_type
operator = is
value = Ethernet-EAP
[WirelessEAP]
filter = connection_type
operator = is
value = Wireless-802.11-EAP
[machineauth]
filter = user_name
operator = match
value = host/
[machine]
filter = node_info.machine_account
operator = defined
[isadmin]
filter = owner.custom_field_1
operator = match
value = Admin
[EAPTLS]
filter = radius_request
attribute = EAP-Type
operator = is
value = EAP-TLS
### Machine Auth Autoregister ####
[1:EthernetEAP&machineauth]
scope = AutoRegister
role = Machine-auth
[2:EthernetEAP&machineauth]
scope = NodeInfoForAutoReg
role = Machine-auth
[1:WirelessEAP&machineauth&isadmin]
scope = AutoRegister
role = Management
[2:WirelessEAP&machineauth&isadmin]
scope = NodeInfoForAutoReg
role = Management
[3:WirelessEAP&machineauth]
scope = AutoRegister
role = Machine-auth
[4:WirelessEAP&machineauth]
scope = NodeInfoForAutoReg
role = Machine-auth
### Refuse User Auth without machine Auth ####
[3:EthernetEAP&!machine&!EAPTLS]
scope = RegisteredRole
role = REJECT
[4:EthernetEAP&!machine]
scope = RegistrationRole
role = REJECT
[3:WirelessEAP&!machine&!EAPTLS]
scope = RegisteredRole
role = REJECT
[4:WirelessEAP&!machine]
scope = RegistrationRole
role = REJECT
### EAP TLS Autoregister ####
[5:EthernetEAP&EAPTLS]
scope = AutoRegister
role = Machine-auth
[6:EthernetEAP&EAPTLS]
scope = NodeInfoForAutoReg
role = Machine-auth
[5:WirelessEAP&EAPTLS]
scope = AutoRegister
role = Machine-auth
[6:WirelessEAP&EAPTLS]
scope = NodeInfoForAutoReg
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
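As an added example (written for this page; it is not code from the poster or from PacketFence), the script below does two things with the material in the post: it folds the quoted httpd.aaa lines into one record per authorization decision and flags the MAC that flipped from an accepted role to REJECT between consecutive requests, and it re-evaluates the `3:EthernetEAP&!machine&!EAPTLS` rule term by term against the logged user-credential request. The log lines are the post's own, rejoined onto single lines. The condition semantics (`is` as equality, `match` as a regex search, `defined` as a present non-empty value), the `EAP-PEAP` EAP-Type and the `host/pc01.example.test` machine request are assumptions constructed for the example.

```python
import re

# Constructed sample: the "handling radius autz request", "Match rule" and
# "fetchRoleForNode" lines of the three exchanges quoted in the post, each
# log record on one line (the mail client had wrapped them).
SAMPLE_LOG = """\
Mar 20 08:36:50 httpd.aaa(31663) INFO: [mac:90:1b:0e:1b:04:a6] handling radius autz request: from switch_ip => (xx.xx.xx.xx), connection_type => WIRED_MAC_AUTH,switch_mac => (Unknown), mac => [90:1b:0e:1b:04:a6], port => 15, username => "901b0e1b04a6" (pf::radius::authorize)
Mar 20 08:36:50 httpd.aaa(31663) INFO: [mac:90:1b:0e:1b:04:a6] PID: "default", Status: reg Returned VLAN: (undefined), Role: Machine-auth (pf::role::fetchRoleForNode)
Mar 20 13:14:18 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] handling radius autz request: from switch_ip => (xx.xx.xx.xx), connection_type => Ethernet-EAP,switch_mac => (Unknown), mac => [90:1b:0e:1b:04:a6], port => 15, username => "MYDOMAIN\\MYUSER" (pf::radius::authorize)
Mar 20 13:14:18 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] Match rule 3:EthernetEAP&!machine&!EAPTLS (pf::access_filter::test)
Mar 20 13:14:18 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] PID: "MYDOMAIN\\MYUSER", Status: reg Returned VLAN: (undefined), Role: REJECT (pf::role::fetchRoleForNode)
Mar 20 13:16:51 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] handling radius autz request: from switch_ip => (xx.xx.xx.xx), connection_type => WIRED_MAC_AUTH,switch_mac => (Unknown), mac => [90:1b:0e:1b:04:a6], port => 15, username => "901b0e1b04a6" (pf::radius::authorize)
Mar 20 13:16:51 httpd.aaa(4744) INFO: [mac:90:1b:0e:1b:04:a6] PID: "MYDOMAIN\\MYUSER", Status: reg Returned VLAN: (undefined), Role: User-auth (pf::role::fetchRoleForNode)
"""

TS_MAC = r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*? \[mac:(?P<mac>[0-9a-f:]{17})\] '
REQ_RE = re.compile(TS_MAC + r'handling radius autz request: .*?connection_type => '
                    r'(?P<ctype>[^,]+),.*?username => "(?P<user>[^"]*)"')
RULE_RE = re.compile(TS_MAC + r'Match rule (?P<rule>\S+) \(pf::access_filter::test\)')
ROLE_RE = re.compile(TS_MAC + r'PID: "(?P<pid>[^"]*)", Status: (?P<status>\w+) '
                     r'Returned VLAN: \((?P<vlan>[^)]*)\), Role: (?P<role>\S+)')

def parse_decisions(log_text):
    """Fold the per-request log lines into one record per authorization decision."""
    decisions, pending = [], {}
    for line in log_text.splitlines():
        if (m := REQ_RE.match(line)):
            pending[m["mac"]] = {"ts": m["ts"], "mac": m["mac"], "connection_type": m["ctype"],
                                 "username": m["user"], "filter_rule": None}
        elif (m := RULE_RE.match(line)) and m["mac"] in pending:
            pending[m["mac"]]["filter_rule"] = m["rule"]
        elif (m := ROLE_RE.match(line)) and m["mac"] in pending:
            rec = pending.pop(m["mac"])
            rec.update(pid=m["pid"], role=m["role"])
            decisions.append(rec)
    return decisions

def find_rejects_after_accept(decisions):
    """Flag a MAC that was granted a role and then hit REJECT on its next request."""
    flagged, last = [], {}
    for d in decisions:
        prev = last.get(d["mac"])
        if prev and prev["role"] != "REJECT" and d["role"] == "REJECT":
            flagged.append({"ts": d["ts"], "mac": d["mac"], "from": prev["connection_type"],
                            "to": d["connection_type"], "rule": d["filter_rule"],
                            "username": d["username"]})
        last[d["mac"]] = d
    return flagged

# Stand-alone model of the named conditions in the post's vlan_filters config.
# The semantics are an assumption made for this example (not PacketFence's own
# engine): "is" = equality, "match" = regex search, "defined" = non-empty value.
CONDITIONS = {
    "EthernetEAP": lambda r: r["connection_type"] == "Ethernet-EAP",
    "WirelessEAP": lambda r: r["connection_type"] == "Wireless-802.11-EAP",
    "machineauth": lambda r: re.search(r"host/", r["user_name"]) is not None,
    "machine": lambda r: bool(r["node_info"].get("machine_account")),
    "EAPTLS": lambda r: r["radius_request"].get("EAP-Type") == "EAP-TLS",
}

# (rule name, scope, role) for the Ethernet rules, in the order of the post's config.
RULES = [
    ("1:EthernetEAP&machineauth", "AutoRegister", "Machine-auth"),
    ("2:EthernetEAP&machineauth", "NodeInfoForAutoReg", "Machine-auth"),
    ("3:EthernetEAP&!machine&!EAPTLS", "RegisteredRole", "REJECT"),
    ("4:EthernetEAP&!machine", "RegistrationRole", "REJECT"),
    ("5:EthernetEAP&EAPTLS", "AutoRegister", "Machine-auth"),
    ("6:EthernetEAP&EAPTLS", "NodeInfoForAutoReg", "Machine-auth"),
]

def explain_rule(rule_name, request):
    """Evaluate each '&'-joined term of a rule name; a leading '!' negates the condition."""
    result = {}
    for term in rule_name.split(":", 1)[1].split("&"):
        value = CONDITIONS[term.lstrip("!")](request)
        result[term] = (not value) if term.startswith("!") else value
    return result

def first_match(scope, request):
    """Return (rule name, role) of the first rule in `scope` whose terms all hold, else None."""
    for name, rule_scope, role in RULES:
        if rule_scope == scope and all(explain_rule(name, request).values()):
            return name, role
    return None

# Constructed requests: the user-credential EAP request from the post's logs
# ("EAP-PEAP" is an assumed EAP-Type; the logs only show it is not EAP-TLS) and a
# hypothetical host/ machine-account request for comparison.
USER_EAP_REQUEST = {"connection_type": "Ethernet-EAP", "user_name": "MYDOMAIN\\MYUSER",
                    "node_info": {"machine_account": None},
                    "radius_request": {"EAP-Type": "EAP-PEAP"}}
HOST_EAP_REQUEST = {"connection_type": "Ethernet-EAP", "user_name": "host/pc01.example.test",
                    "node_info": {"machine_account": "pc01$"},
                    "radius_request": {"EAP-Type": "EAP-PEAP"}}
```

Calling `find_rejects_after_accept(parse_decisions(SAMPLE_LOG))` returns the single 13:14:18 flip from WIRED_MAC_AUTH to Ethernet-EAP together with the filter rule the log names. `explain_rule("3:EthernetEAP&!machine&!EAPTLS", USER_EAP_REQUEST)` shows every term of that rule holding: in this model the rule stops matching only when the node carries a `machine_account` or the request is EAP-TLS; the DOMAIN\user versus host/ form of the username feeds the `machineauth` term, which that REJECT rule does not reference. Checking a rule term by term like this against the logged request is the thing to do before editing a filter.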