Hello Fabrice,
I will test your suggestion, but how can I obtain the machine password? As far
as I know it's written inside an encrypted portion of the registry; I'm trying
to reset it with netdom but I'm not sure it can help.
Luca
Sent from Outlook <http://aka.ms/weboutlook>
________________________________
From: Durand fabrice via PacketFence-users
<[email protected]>
Sent: Tuesday 11 July 2017 01:55
To: [email protected]
Cc: Durand fabrice
Subject: Re: [PacketFence-users] Machine authentication
Hello Luca,
You need to test this source with a machine account (UserPrincipalName), not a
user account (sAMAccountName); this is why it failed.
Try that:
/usr/local/pf/bin/pftest authentication host/LAB3-NB.dm.loc reallystrongpassword DM_Machine_Auth_PDC
Also capture the LDAP traffic from the PacketFence server (something like this:
tshark -i eth0 -f "port 389" -w /tmp/ldap.pcap) and analyse the ldap.pcap file
in Wireshark.
Regards
Fabrice
On 2017-07-10 at 09:50, luca comes wrote:
It's really strange Fabrice,
because if I try it from the GUI it tells me success, but if I try from pftest
it doesn't work (perhaps I'm wrong with the command):
[root@pfnac01 ~]# /usr/local/pf/bin/pftest authentication ldapuser <PWD> DM_Machine_Auth_PDC
Testing authentication for "ldapuser"
Authenticating against DM_Machine_Auth_PDC
Authentication FAILED against DM_Machine_Auth_PDC (Invalid login or password)
Did not match against DM_Machine_Auth_PDC for 'authentication' rules
Did not match against DM_Machine_Auth_PDC for 'administration' rules
But both the rules and the roles are defined:
authentication.conf:
[DM_Machine_Auth_PDC]
description=Domain Machine Authentication
password=<PWD>
scope=sub
binddn=CN=ldapuser,OU=DMGROUP,DC=dm,DC=loc
basedn=OU=DMGROUP,DC=dm,DC=loc
email_attribute=mail
usernameattribute=ServicePrincipalName
connection_timeout=5
stripped_user_name=yes
encryption=none
dynamic_routing_module=AuthModule
port=389
type=AD
host=dc2dm.dm.loc
[DM_Machine_Auth_PDC rule prova]
description=
class=authentication
match=all
action0=set_access_duration=1h
action1=set_role=Dipendenti
roles.conf:
[Dipendenti]
notes=Accesso VLAN 167
max_nodes_per_pid=2
[Dipendenti_2]
notes=Accesso VLAN 251
max_nodes_per_pid=2
[Test]
notes=Accesso VLAN 20
max_nodes_per_pid=1
[MAR]
notes=Machine Auth
max_nodes_per_pid=1
________________________________
From: Fabrice Durand <[email protected]>
Sent: Monday 10 July 2017 15:30
To: luca comes;
[email protected]
Subject: Re: [PacketFence-users] Machine authentication
Your issue is with the DM_Machine_Auth_PDC source.
Verify that you are able to bind with this source.
Also you can use pftest.
On 2017-07-10 at 09:24, luca comes wrote:
Hi Fabrice,
yes, I was checking the debug and I saw it. In the attached packetfence.log I
can see ERROR: [mac:00:9c:02:92:ea:b0] Error binding 'Connection reset by peer'
(pf::LDAP::bind), but the domain join is still working with wbinfo -u for example.
Luca
________________________________
From: Fabrice Durand <[email protected]>
Sent: Monday 10 July 2017 15:06
To: luca comes;
[email protected]
Subject: Re: [PacketFence-users] Machine authentication
The machine authentication is ok this time.
Do you have the packetfence.log for this device ?
On 2017-07-10 at 08:58, luca comes wrote:
Hello Fabrice,
attached you can find the radius debug file of the transaction.
Thanks
Luca
________________________________
From: Fabrice Durand <[email protected]>
Sent: Monday 10 July 2017 14:48
To: luca comes;
[email protected]
Subject: Re: [PacketFence-users] Machine authentication
Hello Luca,
you need to have the realm to use the correct domain join.
Also, what I need is the complete radius debug when you try machine
authentication.
Regards
Fabrice
On 2017-07-10 at 08:45, luca comes wrote:
Hi Fabrice,
in this manner the error is not shown in radius.log, but machine authentication
is still not working. Also, as in the preceding email, the domain (DM) is correctly
joined and tested with wbinfo. But if I try a radtest against my domain I obtain an
Access-Reject. Any suggestion on how to troubleshoot this problem? I would like
to go into production, but with these results I have to leave.
Thanks
Luca
________________________________
From: Fabrice Durand via PacketFence-users
<[email protected]>
Sent: Monday 10 July 2017 14:23
To:
[email protected]
Cc: Fabrice Durand
Subject: Re: [PacketFence-users] Machine authentication
Hello Luca,
add a realm dm.loc and assign it to your domain and restart radius.
Regards
Fabrice
On 2017-07-10 at 05:58, luca comes via PacketFence-users wrote:
I've found this error in radius.log:
ERROR: mschap_machine: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'
But the domain is working fine; how can I solve this?
Luca
________________________________
From: luca comes via PacketFence-users
<[email protected]>
Sent: Monday 10 July 2017 11:42
To:
[email protected]
Cc: luca comes
Subject: Re: [PacketFence-users] Machine authentication
Hi all,
any suggestion? I don't know what to check; the domain is correctly configured and
the tests are fine (wbinfo -u etc.). I added my domain to the LOCAL realm as per
Antoine's mail but it still doesn't work.
Thanks for your help
Luca
________________________________
From: luca comes via PacketFence-users
<[email protected]>
Sent: Friday 7 July 2017 17:40
To:
[email protected]
Cc: luca comes
Subject: Re: [PacketFence-users] Machine authentication
Hi Antoine,
thank you for your answer; unfortunately it doesn't work. Same behaviour as
before. Any other suggestion?
Luca
________________________________
From: Antoine Amacher via PacketFence-users
<[email protected]>
Sent: Friday 7 July 2017 17:20
To:
[email protected]
Cc: Antoine Amacher
Subject: Re: [PacketFence-users] Machine authentication
Lucas,
Map the domain on which they should authenticate with the REALM LOCAL.
In configuration -> policies and access control -> realms
Thanks
On 07/07/2017 11:15 AM, luca comes via PacketFence-users wrote:
Hi all,
I'm trying to do machine authentication against Windows AD but it doesn't work. I've
created the domain and the realm, but in the radius debug log I can see that it
is not catching the correct realm:
(20) Fri Jul 7 16:29:45 2017: Debug: Received Access-Request Id 103 from
10.10.10.4:1645 to 172.27.17.5:1812 length 226
(20) Fri Jul 7 16:29:45 2017: Debug: User-Name = "host/LAB3-NB.dm.loc"
(20) Fri Jul 7 16:29:45 2017: Debug: Service-Type = Framed-User
(20) Fri Jul 7 16:29:45 2017: Debug: Framed-MTU = 1500
(20) Fri Jul 7 16:29:45 2017: Debug: Called-Station-Id = "00-22-91-6F-B8-81"
(20) Fri Jul 7 16:29:45 2017: Debug: Calling-Station-Id = "00-9C-02-92-EA-B0"
(20) Fri Jul 7 16:29:45 2017: Debug: EAP-Message =
0x0201001801686f73742f4c4142332d4e422e646d2e6c6f63
(20) Fri Jul 7 16:29:45 2017: Debug: Message-Authenticator =
0xcf9553149f5c843907b87d3758e0b7d8
(20) Fri Jul 7 16:29:45 2017: Debug: Cisco-AVPair =
"audit-session-id=0A0A0A04000000DEBBDF4BBE"
(20) Fri Jul 7 16:29:45 2017: Debug: NAS-Port-Type = Ethernet
(20) Fri Jul 7 16:29:45 2017: Debug: NAS-Port = 50101
(20) Fri Jul 7 16:29:45 2017: Debug: NAS-Port-Id = "GigabitEthernet1/0/1"
(20) Fri Jul 7 16:29:45 2017: Debug: NAS-IP-Address = 10.10.10.4
....
....
(20) Fri Jul 7 16:29:46 2017: Debug: suffix: Checking for suffix after "@"
(20) Fri Jul 7 16:29:46 2017: Debug: suffix: No '@' in User-Name =
"host/LAB3-NB.dm.loc", skipping NULL due to config.
(20) Fri Jul 7 16:29:46 2017: Debug: [suffix] = noop
(20) Fri Jul 7 16:29:46 2017: Debug: ntdomain: Checking for prefix before "\"
(20) Fri Jul 7 16:29:46 2017: Debug: ntdomain: No '\' in User-Name =
"host/LAB3-NB.dm.loc", looking up realm NULL
(20) Fri Jul 7 16:29:46 2017: Debug: ntdomain: Found realm "null"
(20) Fri Jul 7 16:29:46 2017: Debug: ntdomain: Adding Stripped-User-Name =
"host/LAB3-NB.dm.loc"
(20) Fri Jul 7 16:29:46 2017: Debug: ntdomain: Adding Realm = "null"
(20) Fri Jul 7 16:29:46 2017: Debug: ntdomain: Authentication realm is LOCAL
(20) Fri Jul 7 16:29:46 2017: Debug: [ntdomain] = ok
How can I solve this? Obviously the machine is correctly joined to the domain;
below are the associated servicePrincipalName values:
TERMSRV/LAB3-NB.dm.loc
TERMSRV/LAB3-NB
RestrictedKrbHost/LAB3-NB
HOST/LAB3-NB
RestrictedKrbHost/LAB3-NB.dm.loc
HOST/LAB3-NB.dm.loc
Can anyone suggest what I should check?
Thank you in advance.
Luca
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
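To see why the request above ends up in the LOCAL realm, here is an added Python example (not PacketFence or FreeRADIUS code) that re-implements the two realm-detection rules visible in the debug output: suffix takes the realm after '@', ntdomain takes it before '\', and the machine identity host/LAB3-NB.dm.loc contains neither, so both yield realm NULL. The third rule, realm_host_fqdn, is hypothetical and only shows what a mapping of the FQDN's domain part to a dm.loc realm would have to do; the log lines and the realm set are constructed sample input.

```python
import re

# Constructed sample in the format of the FreeRADIUS debug lines quoted in the thread.
SAMPLE_LOG = """\
(20) Fri Jul 7 16:29:45 2017: Debug: User-Name = "host/LAB3-NB.dm.loc"
(20) Fri Jul 7 16:29:45 2017: Debug: Calling-Station-Id = "00-9C-02-92-EA-B0"
"""

def attr(log, name):
    """Return the quoted value of a RADIUS attribute from debug output, or None."""
    m = re.search(r'%s = "([^"]*)"' % re.escape(name), log)
    return m.group(1) if m else None

def realm_suffix(user_name):
    """Emulate the 'suffix' realm module: the realm is what follows the last '@'."""
    if "@" not in user_name:
        return user_name, None          # "No '@' in User-Name": realm NULL
    stripped, realm = user_name.rsplit("@", 1)
    return stripped, realm

def realm_ntdomain(user_name):
    """Emulate the 'ntdomain' realm module: the realm is what precedes the first backslash."""
    if "\\" not in user_name:
        return user_name, None          # "No '\' in User-Name": realm NULL
    realm, stripped = user_name.split("\\", 1)
    return stripped, realm

def realm_host_fqdn(user_name):
    """Hypothetical rule, not a FreeRADIUS module: for a machine identity
    host/<host>.<domain>, use the DNS domain of the FQDN as the realm."""
    if not user_name.lower().startswith("host/") or "." not in user_name:
        return user_name, None
    return user_name, user_name[len("host/"):].split(".", 1)[1]

def select_realm(user_name, known_realms, rules=(realm_suffix, realm_ntdomain)):
    """Apply the rules in order; the first one yielding a configured realm wins.
    With no match the request falls through to the LOCAL realm, as in the log."""
    known = {r.lower() for r in known_realms}
    for rule in rules:
        stripped, realm = rule(user_name)
        if realm is not None and realm.lower() in known:
            return stripped, realm.lower()
    return user_name, "LOCAL"

if __name__ == "__main__":
    name = attr(SAMPLE_LOG, "User-Name")
    print(select_realm(name, {"dm.loc"}))   # ('host/LAB3-NB.dm.loc', 'LOCAL')
    print(select_realm(name, {"dm.loc"},
                       rules=(realm_suffix, realm_ntdomain, realm_host_fqdn)))
```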
--
Antoine Amacher
[email protected] :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)