Hi Fabrice,
You are right.
This morning I did some new tests using good credentials and wrong credentials 
(same username but wrong password) and I got the correct reply from the Radius 
server.

So, I don't have an authentication problem but an authorization problem to 
investigate.
The Radius server is sending to the switch a vlanid set to 442, but for me this is 
the registration vlan.
I would like it to send vlanid=20 (my working vlan for enterprise users).

Can you help me?
What can I send you to resolve this issue?

Have a nice day


Luca Messori
_________________________

Mead Informatica Srl
Head office - Via G. Ferraris, 2 - 42122 Reggio Emilia
Tel. +39 0522 265800 - Admin tel. 0522265940 - Fax +39 0522 393306
Tel. +39 049 8702540 - Fax +39 049 8706249

http://www.meadinformatica.it
-----------------------------------------------------------------------

This message may contain information which is confidential or privileged. If 
you are not the intended recipient, please immediately notify us and destroy 
this message and any attachments without retaining a copy. Any unauthorized 
use of this message can expose the responsible party to civil and/or criminal 
penalties.
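As an added example (not from the original posts or the PacketFence project), the following Python parses the tcpdump RADIUS summary and the switch log lines quoted further down in this thread into per-id RADIUS conversations and flags the combination seen there: Access Accept on the wire while the switch still logs an authentication failure. The sample lines are constructed from the quoted output (wrapped lines re-joined, shortened).

```python
import re

# tcpdump -nn summary line: "<time> IP <src>.<port> > <dst>.<port>: RADIUS, <Code> (<n>), id: 0x.. length: N"
RADIUS_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"RADIUS, (?P<code>Access (?:Request|Accept|Reject|Challenge)) \(\d+\), "
    r"id: 0x(?P<id>[0-9a-f]+) length: (?P<length>\d+)$")
# Switch event as quoted in the thread ("nl.ClientAuthFailure")
SWITCH_RE = re.compile(r"Authentication failed for Network Login (?P<method>\S+) user (?P<user>\S+) "
                       r"Mac (?P<mac>\S+) port (?P<port>\d+)")

# Constructed sample: shortened copies of the capture and switch log quoted in the thread.
SAMPLE_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
15:26:19.782510 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x82 length: 138
15:26:19.864640 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Accept (2), id: 0x82 length: 37
15:26:20.130792 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x83 length: 183
15:26:20.134381 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x83 length: 64
15:26:21.586364 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x8c length: 214
15:26:21.593453 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Accept (2), id: 0x8c length: 177
"""
SAMPLE_SWITCH_LOG = """\
10/17/2017 17:12:16.90 <Info:nl.ClientAuthFailure> Authentication failed for Network Login 802.1x user MEADINFORMATICA\\l.messori Mac 50:3F:56:01:1C:09 port 3
10/17/2017 17:12:15.12 <Info:nl.ClientAuthFailure> Authentication failed for Network Login MAC user 503F56011C09 Mac 50:3F:56:01:1C:09 port 3
"""

def parse_capture(text):
    """Group RADIUS packets by request id -> ordered list of codes; banner lines are skipped."""
    convs = {}
    for line in text.splitlines():
        m = RADIUS_RE.match(line)
        if m:
            convs.setdefault(int(m["id"], 16), []).append(m["code"])
    return convs

def server_verdicts(convs):
    """Ids whose last packet is Accept/Reject: the EAP run of Request/Challenge pairs ends there."""
    return {i: c[-1] for i, c in convs.items() if c[-1] in ("Access Accept", "Access Reject")}

def switch_failures(text):
    """Structured view of the switch's authentication-failure events."""
    return [m.groupdict() for m in map(SWITCH_RE.search, text.splitlines()) if m]

def correlate(capture, switch_log):
    """Flag disagreement between the server's on-wire verdict and the switch log; in the thread this
    is the cue to look past credentials at what the Accept carries (the later message: the VLAN id)."""
    accepts = [i for i, v in server_verdicts(parse_capture(capture)).items() if v == "Access Accept"]
    failures = switch_failures(switch_log)
    return {"accepted_ids": accepts, "switch_failures": len(failures), "mismatch": bool(accepts and failures)}
```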




From: Fabrice Durand [mailto:[email protected]]
Sent: Tuesday, 17 October 2017 18:48
To: Luca Messori <[email protected]>; [email protected]
Subject: Re: R: [PacketFence-users] AD authentication issue


it worked!!

On 2017-10-17 at 12:44, Luca Messori wrote:
I have attached the log file using this command:

/usr/sbin/radiusd -d /usr/local/pf/raddb -n auth -fm -X

Is this good for you?

Kind regards

Luca Messori




From: Fabrice Durand via PacketFence-users [mailto:[email protected]]
Sent: Tuesday, 17 October 2017 18:20
To: [email protected]
Cc: Fabrice Durand <[email protected]>
Subject: Re: [PacketFence-users] AD authentication issue


Hello Luca,

pftest will use ldap bind to authenticate but freeradius will use ntlm_auth.

Can you do this on your server:

raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3000

And try to authenticate; you will be able to see why it failed to authenticate 
(you can paste the result).

Regards

Fabrice



On 2017-10-17 at 11:41, Luca Messori via PacketFence-users wrote:
Hi all,
I'm trying to configure authentication against Active Directory on my company 
network.
I have already joined the PF virtual machine to my domain.
I think that I have correctly configured authentication because the pftest 
command returns a successful authentication:
/usr/local/pf/bin/pftest authentication l.messori <my password>
Testing authentication for "l.messori"

Authenticating against Mead-AD
  Authentication SUCCEEDED against Mead-AD (Authentication successful.)
  Matched against Mead-AD for 'authentication' rules
    set_role : default
    set_access_duration : 12h
  Did not match against Mead-AD for 'administration' rules

Despite that, sniffing traffic from PF, I cannot see traffic to port 389.
In the following output:
10.33.33.251 is my test switch
10.33.33.50 is the PF virtual machine
[root@PacketFence-ZEN conf]#  tcpdump -i eth0 -nn "host 10.33.33.251 or port 389"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:26:19.782510 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x82 length: 138
15:26:19.864640 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Accept (2), id: 0x82 length: 37
15:26:20.130792 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x83 length: 183
15:26:20.134381 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x83 length: 64
15:26:20.160915 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x84 length: 297
15:26:20.172822 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x84 length: 1090
15:26:20.186698 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x85 length: 177
15:26:20.191446 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x85 length: 1086
15:26:20.214413 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x86 length: 177
15:26:20.217368 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x86 length: 711
15:26:20.244856 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x87 length: 315
15:26:20.247276 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x87 length: 123
15:26:20.260349 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x88 length: 177
15:26:20.269760 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x88 length: 101
15:26:20.293628 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x89 length: 230
15:26:20.348960 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x89 length: 133
15:26:20.373341 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x8a length: 294
15:26:21.409974 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x8a length: 149
15:26:21.421321 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x8b length: 214
15:26:21.571988 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x8b length: 101
15:26:21.586364 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x8c length: 214
15:26:21.593453 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Accept (2), id: 0x8c length: 177

And my switch log shows authentication failure:
10/17/2017 17:12:16.90 <Info:nl.ClientAuthFailure><Info:nl.ClientAuthFailure> Authentication failed for Network Login 802.1x user MEADINFORMATICA\l.messori Mac 50:3F:56:01:1C:09 port 3
10/17/2017 17:12:15.12 <Info:nl.ClientAuthFailure><Info:nl.ClientAuthFailure> Authentication failed for Network Login MAC user 503F56011C09 Mac 50:3F:56:01:1C:09 port 3
10/17/2017 17:12:14.86 <Info:vlan.msgs.portLinkStateUp><Info:vlan.msgs.portLinkStateUp> Port 3 link UP at speed 100 Mbps and full-duplex

Can you help me?
I think that PF never asks AD for user authentication.

Kind regards

Luca Messori
--

Fabrice Durand

[email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
