Re: [PacketFence-users] AD authentication issue

Fabrice Durand via PacketFence-users Tue, 17 Oct 2017 09:20:49 -0700

Hello Luca,

pftest will use ldap bind to authenticate but freeradius will use ntlm_auth.


Can you do this on your server:

raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3000

And try to authenticate, you will be able to see why it failed to
authenticate. (you can paste the result).

Regards

Fabrice



Le 2017-10-17 à 11:41, Luca Messori via PacketFence-users a écrit :
>
> Hi all,
>
> I’m trying to configure authentication against Active Directory on my
> company network.
>
> I have already joined the PF virtual machine to my domain.
>
> I think that I have correctly configured authentication because the
> pftest command return a successful authentication:
>
> /usr/local/pf/bin/pftest authentication l.messori <my password>
>
> Testing authentication for "l.messori"
>
>  
>
> Authenticating against Mead-AD
>
>   Authentication SUCCEEDED against Mead-AD (Authentication successful.)
>
>   Matched against Mead-AD for 'authentication' rules
>
>     set_role : default
>
>     set_access_duration : 12h
>
>   Did not match against Mead-AD for 'administration' rules
>
>  
>
> Despite that, sniffing traffic from PF, I cannot see traffic to port 389.
>
> In the following output:
>
> 10.33.33.251 is my test switch
>
> 10.33.33.50 is the PF virtual machine
>
> [root@PacketFence-ZEN conf]#  tcpdump -i eth0 -nn "host 10.33.33.251
> or port 389"
>
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>
> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
>
> 15:26:19.782510 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS,
> Access Request (1), id: 0x82 length: 138
>
> 15:26:19.864640 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS,
> Access Accept (2), id: 0x82 length: 37
>
> 15:26:20.130792 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS,
> Access Request (1), id: 0x83 length: 183
>
> 15:26:20.134381 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS,
> Access Challenge (11), id: 0x83 length: 64
>
> 15:26:20.160915 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS,
> Access Request (1), id: 0x84 length: 297
>
> 15:26:20.172822 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS,
> Access Challenge (11), id: 0x84 length: 1090
>
> 15:26:20.186698 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS,
> Access Request (1), id: 0x85 length: 177
>
> 15:26:20.191446 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS,
> Access Challenge (11), id: 0x85 length: 1086
>
> 15:26:20.214413 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS,
> Access Request (1), id: 0x86 length: 177
>
> 15:26:20.217368 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS,
> Access Challenge (11), id: 0x86 length: 711
>
> 15:26:20.244856 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS,
> Access Request (1), id: 0x87 length: 315
>
> 15:26:20.247276 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS,
> Access Challenge (11), id: 0x87 length: 123
>
> 15:26:20.260349 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS,
> Access Request (1), id: 0x88 length: 177
>
> 15:26:20.269760 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS,
> Access Challenge (11), id: 0x88 length: 101
>
> 15:26:20.293628 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS,
> Access Request (1), id: 0x89 length: 230
>
> 15:26:20.348960 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS,
> Access Challenge (11), id: 0x89 length: 133
>
> 15:26:20.373341 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS,
> Access Request (1), id: 0x8a length: 294
>
> 15:26:21.409974 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS,
> Access Challenge (11), id: 0x8a length: 149
>
> 15:26:21.421321 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS,
> Access Request (1), id: 0x8b length: 214
>
> 15:26:21.571988 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS,
> Access Challenge (11), id: 0x8b length: 101
>
> 15:26:21.586364 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS,
> Access Request (1), id: 0x8c length: 214
>
> 15:26:21.593453 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS,
> Access Accept (2), id: 0x8c length: 177
>
>  
>
> And my switch log shows authentication failure:
>
> 10/17/2017 17:12:16.90 <Info:nl.ClientAuthFailure> Authentication
> failed for Network Login 802.1x user MEADINFORMATICA\l.messori Mac
> 50:3F:56:01:1C:09 port 3
>
> 10/17/2017 17:12:15.12 <Info:nl.ClientAuthFailure> Authentication
> failed for Network Login MAC user 503F56011C09 Mac 50:3F:56:01:1C:09
> port 3
>
> 10/17/2017 17:12:14.86 <Info:vlan.msgs.portLinkStateUp> Port 3 link UP
> at speed 100 Mbps and full-duplex
>
>  
>
> Can you help me?
>
> I think that PF never ask AD for users authentication
>
>  
>
> Kind regards
>
>  
>
> */Luca Messori/*
>
> _________________________
>
>  
>
>           Descrizione: mead
>
>  
>
>  
>
>    *Mead Informatica Srl*
>     *SEDE *- Via G. Ferraris, 2 - 42122 Reggio Emilia
>     Tel. +39 0522 265800 Tel. amm.ne 0522265940 -  Fax +39 0522 393306
>     Tel. +39 049 8702540   Fax +39 049 8706249
>
>  
>
>    http://www.meadinformatica.it <http://www.meadinformatica.it/>
>
> -----------------------------------------------------------------------
>
>  
>
> Questo messaggio puo' contenere informazioni di carattere riservato e
> confidenziale. Qualora non foste i destinatari, vi preghiamo di
> notificarcelo
> e di provvedere ad eliminare il messaggio, con gli eventuali allegati,
> senza trattenerne copia. Qualsivoglia utilizzo non autorizzato del
> contenuto
> di questo mesaggio espone il responsabile alle conseguenze civili e
> penali.
>
>  
>
> This message may contain information which is confidential or
> privileged. if you are not the intended recipient, please immediately
> notify us
> and destroy this message and any attachments without retaining a copy.
> Any unauthorized use of this message can expose the responsabile party
> to civil and/or criminal penalties.
>
>  
>
> Descrizione: Descrizione: cid:696372015@22072008-1A64
>
>  
>
>  
>
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>
>
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] AD authentication issue

Reply via email to