What are the attributes returned by PacketFence?

On 2017-10-18 at 10:02, Luca Messori wrote:
>
> Hi Fabrice,
>
> I’m sorry but now I cannot see vlan VSA attributes in access accept
> packets from Radius server.
>
>  
>
> Kind regards
>
>  
>
> */Luca Messori/*
>
>    *Mead Informatica Srl*
>     *SEDE *- Via G. Ferraris, 2 - 42122 Reggio Emilia
>     Tel. +39 0522 265800 Tel. amm.ne 0522265940 -  Fax +39 0522 393306
>     Tel. +39 049 8702540   Fax +39 049 8706249
>
>  
>
>    http://www.meadinformatica.it <http://www.meadinformatica.it/>
>
> *From:* Fabrice Durand [mailto:fdur...@inverse.ca]
> *Sent:* Wednesday, 18 October 2017 15:06
> *To:* Luca Messori <l.mess...@meadinformatica.it>;
> packetfence-users@lists.sourceforge.net
> *Subject:* Re: R: R: [PacketFence-users] AD authentication issue
>
> Hello Lucas,
>
> My assumption is that you want to autoregister the device if the 802.1x
> authentication was successful.
>
> What you can do is create a Connection Profile (WireSecure), add a
> filter (Connection Type: Ethernet-EAP), enable "Automatically register
> devices" and in Sources add your AD source.
>
> Regards
>
> Fabrice
>
> On 2017-10-18 at 04:07, Luca Messori wrote:
>
>     Hi Fabrice,
>
>     You are right.
>
>     This morning I did some new tests using good credentials and wrong
>     credentials (same username but wrong password) and I have the
>     correct reply from the Radius server.
>
>     So, I don't have an authentication problem but an authorization
>     problem to investigate.
>
>     The Radius server is sending to the switch a vlanid set to 442 but for
>     me this is the registration vlan.
>
>     I would like it to send vlanid=20 (my working vlan for
>     enterprise users).
>
>     Can you help me?
>
>     What can I send you to resolve this issue?
>
>     Have a nice day
>
>     */Luca Messori/*
>
>     *From:* Fabrice Durand [mailto:fdur...@inverse.ca]
>     *Sent:* Tuesday, 17 October 2017 18:48
>     *To:* Luca Messori <l.mess...@meadinformatica.it>;
>     packetfence-users@lists.sourceforge.net
>     *Subject:* Re: R: [PacketFence-users] AD authentication issue
>
>      
>
>     it worked !!
>
>      
>
>     On 2017-10-17 at 12:44, Luca Messori wrote:
>
>         I have attached the log file using this command:
>
>         /usr/sbin/radiusd -d /usr/local/pf/raddb -n auth -fm -X
>
>         Is this good for you?
>
>         Kind regards
>
>         */Luca Messori/*
>
>         *From:* Fabrice Durand via PacketFence-users
>         [mailto:packetfence-users@lists.sourceforge.net]
>         *Sent:* Tuesday, 17 October 2017 18:20
>         *To:* packetfence-users@lists.sourceforge.net
>         *Cc:* Fabrice Durand <fdur...@inverse.ca>
>         *Subject:* Re: [PacketFence-users] AD authentication issue
>
>          
>
>         Hello Luca,
>
>         pftest will use ldap bind to authenticate but freeradius will
>         use ntlm_auth.
>
>         Can you do this on your server:
>
>         raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3000
>
>         And try to authenticate, you will be able to see why it failed
>         to authenticate. (you can paste the result).
>
>         Regards
>
>         Fabrice
>
>          
>
>          
>
>         On 2017-10-17 at 11:41, Luca Messori via PacketFence-users wrote:
>
>             Hi all,
>
>             I’m trying to configure authentication against Active
>             Directory on my company network.
>
>             I have already joined the PF virtual machine to my domain.
>
>             I think that I have correctly configured authentication
>             because the pftest command returns a successful authentication:
>
>             /usr/local/pf/bin/pftest authentication l.messori <my password>
>
>             Testing authentication for "l.messori"
>
>             Authenticating against Mead-AD
>               Authentication SUCCEEDED against Mead-AD (Authentication successful.)
>               Matched against Mead-AD for 'authentication' rules
>                 set_role : default
>                 set_access_duration : 12h
>               Did not match against Mead-AD for 'administration' rules
>
>             Despite that, sniffing traffic from PF, I cannot see
>             traffic to port 389.
>
>             In the following output:
>
>             10.33.33.251 is my test switch
>
>             10.33.33.50 is the PF virtual machine
>
>             [root@PacketFence-ZEN conf]#  tcpdump -i eth0 -nn "host 10.33.33.251 or port 389"
>             tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>             listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
>             15:26:19.782510 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x82 length: 138
>             15:26:19.864640 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Accept (2), id: 0x82 length: 37
>             15:26:20.130792 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x83 length: 183
>             15:26:20.134381 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x83 length: 64
>             15:26:20.160915 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x84 length: 297
>             15:26:20.172822 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x84 length: 1090
>             15:26:20.186698 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x85 length: 177
>             15:26:20.191446 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x85 length: 1086
>             15:26:20.214413 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x86 length: 177
>             15:26:20.217368 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x86 length: 711
>             15:26:20.244856 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x87 length: 315
>             15:26:20.247276 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x87 length: 123
>             15:26:20.260349 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x88 length: 177
>             15:26:20.269760 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x88 length: 101
>             15:26:20.293628 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x89 length: 230
>             15:26:20.348960 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x89 length: 133
>             15:26:20.373341 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x8a length: 294
>             15:26:21.409974 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x8a length: 149
>             15:26:21.421321 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x8b length: 214
>             15:26:21.571988 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x8b length: 101
>             15:26:21.586364 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x8c length: 214
>             15:26:21.593453 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Accept (2), id: 0x8c length: 177
>
>             And my switch log shows authentication failure:
>
>             10/17/2017 17:12:16.90 <Info:nl.ClientAuthFailure> <Info:nl.ClientAuthFailure>Authentication failed for Network Login 802.1x user MEADINFORMATICA\l.messori Mac 50:3F:56:01:1C:09 port 3
>             10/17/2017 17:12:15.12 <Info:nl.ClientAuthFailure> <Info:nl.ClientAuthFailure>Authentication failed for Network Login MAC user 503F56011C09 Mac 50:3F:56:01:1C:09 port 3
>             10/17/2017 17:12:14.86 <Info:vlan.msgs.portLinkStateUp> <Info:vlan.msgs.portLinkStateUp>Port 3 link UP at speed 100 Mbps and full-duplex
>
>             Can you help me?
>
>             I think that PF never asks AD for user authentication
>
>              
>
>             Kind regards
>
>              
>
>             */Luca Messori/*
>
>             _______________________________________________
>
>             PacketFence-users mailing list
>
>             PacketFence-users@lists.sourceforge.net
>             <mailto:PacketFence-users@lists.sourceforge.net>
>
>             https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
>
>
>
>         -- 
>
>         Fabrice Durand
>
>         fdur...@inverse.ca <mailto:fdur...@inverse.ca>:: 
>         +1.514.447.4918 (x135) ::  www.inverse.ca <http://www.inverse.ca>
>
>         Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
>         PacketFence (http://packetfence.org)
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
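
Added example (not part of the thread and not PacketFence code): a small Python decoder that lists the VLAN-related attributes in a RADIUS Access-Accept, which is the check discussed in this thread. Both packets are constructed with a zeroed authenticator; the VSA uses the IANA documentation enterprise number 32473 with a hypothetical vendor type 1, and VLAN 20 is taken from the thread.

```python
# RADIUS attribute types (RFC 2865 / RFC 2868)
TUNNEL_TYPE, TUNNEL_MEDIUM, VSA, TUNNEL_PGID = 64, 65, 26, 81

def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def build_accept(attrs, ident=0x8C):
    """Constructed Access-Accept (code 2) with a zeroed authenticator."""
    body = b"".join(attrs)
    return bytes([2, ident]) + (20 + len(body)).to_bytes(2, "big") + bytes(16) + body

def parse_attrs(pkt):
    length = int.from_bytes(pkt[2:4], "big")
    if not 20 <= length <= len(pkt):
        raise ValueError("bad RADIUS length field")
    pos, attrs = 20, []
    while pos < length:
        alen = pkt[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((pkt[pos], pkt[pos + 2:pos + alen]))
        pos += alen
    return pkt[0], attrs

def vlan_report(pkt):
    code, attrs = parse_attrs(pkt)
    r = {"code": code, "tunnel_type": None, "medium": None, "vlan": None, "vsas": []}
    for atype, val in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM) and len(val) == 4:
            key = "tunnel_type" if atype == TUNNEL_TYPE else "medium"
            r[key] = int.from_bytes(val[1:], "big")  # first byte is the tag
        elif atype == TUNNEL_PGID and val:
            text = val[1:] if val[0] <= 0x1F else val  # optional leading tag
            r["vlan"] = text.decode("ascii", "replace")
        elif atype == VSA and len(val) >= 6:  # only the first sub-attribute is read
            vendor, vtype, vlen = int.from_bytes(val[:4], "big"), val[4], val[5]
            r["vsas"].append((vendor, vtype, val[6:4 + vlen]))
    # RFC 3580 VLAN assignment: Tunnel-Type=VLAN(13), Medium=IEEE-802(6), group ID
    r["rfc3580_vlan"] = (code == 2 and r["tunnel_type"] == 13
                         and r["medium"] == 6 and r["vlan"] is not None)
    return r

WITH_VLAN = build_accept([  # constructed: VLAN 20 as in the thread
    attr(TUNNEL_TYPE, (13).to_bytes(4, "big")),
    attr(TUNNEL_MEDIUM, (6).to_bytes(4, "big")),
    attr(TUNNEL_PGID, b"20"),
    attr(VSA, (32473).to_bytes(4, "big") + bytes([1, 4]) + b"20"),  # hypothetical VSA
])
NO_VLAN = build_accept([attr(18, b"ok")])  # constructed: Reply-Message only
print(vlan_report(WITH_VLAN)["rfc3580_vlan"], vlan_report(NO_VLAN)["rfc3580_vlan"])
```

To use it on real traffic, pass the UDP payload of an Access-Accept taken from a capture of port 1812 to vlan_report().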
