It looks like you are already running freeradius in debug mode (-X).
Do: pfcmd service radiusd restart
Then: raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3000
Regards
Fabrice
On 2017-10-17 at 12:31, Luca Messori wrote:
>
> Hi Fabrice,
>
> I have this error using raddebug:
>
>
>
> [root@PacketFence-ZEN ~]# raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3000
> ERROR: Cannot redirect debug logs to a file when already in debugging mode.
> ERROR: Cannot redirect debug logs to a file when already in debugging mode.
> cp: missing destination file operand after ‘/dev/null’
> Try 'cp --help' for more information.
> chgrp: missing operand after ‘pf’
> Try 'chgrp --help' for more information.
> chmod: missing operand after ‘g+w’
> Try 'chmod --help' for more information.
> ^CERROR: Cannot redirect debug logs to a file when already in debugging mode.
>
>
>
> Kind regards
>
>
>
> */Luca Messori/*
>
>
> *Mead Informatica Srl*
> *SEDE *- Via G. Ferraris, 2 - 42122 Reggio Emilia
> Tel. +39 0522 265800 Tel. amm.ne 0522265940 - Fax +39 0522 393306
> Tel. +39 049 8702540 Fax +39 049 8706249
>
>
>
> http://www.meadinformatica.it <http://www.meadinformatica.it/>
>
>
> *From:* Fabrice Durand via PacketFence-users [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Tuesday, 17 October 2017 18:20
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Fabrice Durand <fdur...@inverse.ca>
> *Subject:* Re: [PacketFence-users] AD authentication issue
>
>
>
> Hello Luca,
>
> pftest will use ldap bind to authenticate but freeradius will use
> ntlm_auth.
>
> Can you do this on your server:
>
> raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3000
>
> And try to authenticate, you will be able to see why it failed to
> authenticate. (you can paste the result).
>
> Regards
>
> Fabrice
>
>
>
>
>
> On 2017-10-17 at 11:41, Luca Messori via PacketFence-users wrote:
>
> Hi all,
>
> I’m trying to configure authentication against Active Directory on
> my company network.
>
> I have already joined the PF virtual machine to my domain.
>
> I think that I have correctly configured authentication because
> the pftest command returns a successful authentication:
>
> /usr/local/pf/bin/pftest authentication l.messori <my password>
> Testing authentication for "l.messori"
>
> Authenticating against Mead-AD
> Authentication SUCCEEDED against Mead-AD (Authentication successful.)
> Matched against Mead-AD for 'authentication' rules
> set_role : default
> set_access_duration : 12h
> Did not match against Mead-AD for 'administration' rules
>
>
>
> Despite that, sniffing traffic from PF, I cannot see traffic to
> port 389.
>
> In the following output:
>
> 10.33.33.251 is my test switch
>
> 10.33.33.50 is the PF virtual machine
>
> [root@PacketFence-ZEN conf]# tcpdump -i eth0 -nn "host 10.33.33.251 or port 389"
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 15:26:19.782510 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x82 length: 138
> 15:26:19.864640 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Accept (2), id: 0x82 length: 37
> 15:26:20.130792 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x83 length: 183
> 15:26:20.134381 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x83 length: 64
> 15:26:20.160915 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x84 length: 297
> 15:26:20.172822 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x84 length: 1090
> 15:26:20.186698 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x85 length: 177
> 15:26:20.191446 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x85 length: 1086
> 15:26:20.214413 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x86 length: 177
> 15:26:20.217368 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x86 length: 711
> 15:26:20.244856 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x87 length: 315
> 15:26:20.247276 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x87 length: 123
> 15:26:20.260349 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x88 length: 177
> 15:26:20.269760 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x88 length: 101
> 15:26:20.293628 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x89 length: 230
> 15:26:20.348960 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x89 length: 133
> 15:26:20.373341 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x8a length: 294
> 15:26:21.409974 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x8a length: 149
> 15:26:21.421321 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x8b length: 214
> 15:26:21.571988 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x8b length: 101
> 15:26:21.586364 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x8c length: 214
> 15:26:21.593453 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Accept (2), id: 0x8c length: 177
>
>
>
> And my switch log shows authentication failure:
>
> 10/17/2017 17:12:16.90 <Info:nl.ClientAuthFailure> <Info:nl.ClientAuthFailure> Authentication failed for Network Login 802.1x user MEADINFORMATICA\l.messori Mac 50:3F:56:01:1C:09 port 3
> 10/17/2017 17:12:15.12 <Info:nl.ClientAuthFailure> <Info:nl.ClientAuthFailure> Authentication failed for Network Login MAC user 503F56011C09 Mac 50:3F:56:01:1C:09 port 3
> 10/17/2017 17:12:14.86 <Info:vlan.msgs.portLinkStateUp> <Info:vlan.msgs.portLinkStateUp> Port 3 link UP at speed 100 Mbps and full-duplex
>
>
>
> Can you help me?
>
> I think that PF never asks AD for user authentication.
>
>
>
> Kind regards
>
>
>
> */Luca Messori/*
>
>
> _______________________________________________
>
> PacketFence-users mailing list
>
> PacketFence-users@lists.sourceforge.net
> <mailto:PacketFence-users@lists.sourceforge.net>
>
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
>
> --
> Fabrice Durand
> fdur...@inverse.ca <mailto:fdur...@inverse.ca> :: +1.514.447.4918 (x135) ::
> www.inverse.ca <http://www.inverse.ca>
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
> (http://packetfence.org)
--
Fabrice Durand
fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
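
As an added example (not part of the original thread), this Python sketch groups tcpdump RADIUS summary lines like those in the capture quoted above into conversations and reports how each one ended. Pairing by NAS address and packet id is an assumption that holds for one client authenticating at a time; the sample is an excerpt of the quoted capture plus one constructed unanswered request.

```python
import re
from collections import namedtuple

# Matches tcpdump's one-line RADIUS summary ("Access Request" or "Access-Request").
LINE = re.compile(
    r"^(?P<ts>[\d:.]+) IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.\d+: "
    r"RADIUS, Access[ -](?P<kind>Request|Accept|Reject|Challenge) \(\d+\), "
    r"id: (?P<id>0x[0-9a-f]+) length: \d+$"
)
Conversation = namedtuple("Conversation", "nas first_id last_id rounds result")

def summarize(capture):
    """Pair requests with replies by (NAS, id); a conversation ends on Accept/Reject."""
    done, open_conv, pending = [], {}, set()
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # banner lines, non-RADIUS traffic
        if m["kind"] == "Request":
            pending.add((m["src"], m["id"]))
            conv = open_conv.setdefault(m["src"], {"first": m["id"], "rounds": 0})
            conv["last"] = m["id"]
            continue
        nas = m["dst"]
        if (nas, m["id"]) not in pending:
            continue  # reply whose request was not captured
        pending.discard((nas, m["id"]))
        conv = open_conv[nas]
        conv["rounds"] += 1
        if m["kind"] != "Challenge":  # Accept or Reject closes the conversation
            done.append(Conversation(nas, conv["first"], conv["last"], conv["rounds"], m["kind"]))
            del open_conv[nas]
    for nas, conv in open_conv.items():  # requests the server never finished answering
        done.append(Conversation(nas, conv["first"], conv["last"], conv["rounds"], "no final reply"))
    return done

# Excerpt of the capture in this thread (ids 0x85-0x8b omitted); the last line is constructed.
SAMPLE = """\
15:26:19.782510 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x82 length: 138
15:26:19.864640 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Accept (2), id: 0x82 length: 37
15:26:20.130792 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x83 length: 183
15:26:20.134381 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x83 length: 64
15:26:20.160915 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x84 length: 297
15:26:20.172822 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x84 length: 1090
15:26:21.586364 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x8c length: 214
15:26:21.593453 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Accept (2), id: 0x8c length: 177
15:26:25.000000 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x8d length: 214
"""

if __name__ == "__main__":
    print(*summarize(SAMPLE), sep="\n")
```

A conversation that ends in Accept on the wire while the switch logs a failure points the investigation at the NAS side or at a different attempt than the one captured, which is what the raddebug output is meant to settle.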