Hello Fabrice,
Here is the raddebug ouput when the laptop is plugged into port 1/0/1 on the
Netgear switch.
(19) Wed Nov 1 20:23:01 2017: Debug: Received Access-Request Id 199 from
192.168.1.12:42371 to 192.168.1.5:1812 length 193
(19) Wed Nov 1 20:23:01 2017: Debug: User-Name = "PFDOMAIN\\testme"
(19) Wed Nov 1 20:23:01 2017: Debug: Called-Station-Id = "b0-b9-8a-46-3d-0e"
(19) Wed Nov 1 20:23:01 2017: Debug: Calling-Station-Id = "00:21:70:d8:ac:45"
(19) Wed Nov 1 20:23:01 2017: Debug: NAS-Identifier = "b0-b9-8a-46-3d-0c"
(19) Wed Nov 1 20:23:01 2017: Debug: NAS-IP-Address = 192.168.1.5
(19) Wed Nov 1 20:23:01 2017: Debug: NAS-Port = 1
(19) Wed Nov 1 20:23:01 2017: Debug: Framed-MTU = 1500
(19) Wed Nov 1 20:23:01 2017: Debug: NAS-Port-Type = Ethernet
(19) Wed Nov 1 20:23:01 2017: Debug: State =
0x8486bcf2838ea5c8f46e2d7c49360c33
(19) Wed Nov 1 20:23:01 2017: Debug: EAP-Message =
0x020800251900170303001a00000000000000036316860ca21a6feb5ba6b143952509a3497c
(19) Wed Nov 1 20:23:01 2017: Debug: Message-Authenticator =
0xa5b0c93919523b9f5645ee9214488c57
(19) Wed Nov 1 20:23:01 2017: Debug: session-state: No cached attributes
(19) Wed Nov 1 20:23:01 2017: Debug: # Executing section authorize from file
/usr/local/pf/raddb/sites-enabled/packetfence
(19) Wed Nov 1 20:23:01 2017: Debug: authorize {
(19) Wed Nov 1 20:23:01 2017: Debug: update {
(19) Wed Nov 1 20:23:01 2017: Debug: EXPAND %{Packet-Src-IP-Address}
(19) Wed Nov 1 20:23:01 2017: Debug: --> 192.168.1.12
(19) Wed Nov 1 20:23:01 2017: Debug: EXPAND %l
(19) Wed Nov 1 20:23:01 2017: Debug: --> 1509567781
(19) Wed Nov 1 20:23:01 2017: Debug: } # update = noop
(19) Wed Nov 1 20:23:01 2017: Debug: policy rewrite_calling_station_id {
(19) Wed Nov 1 20:23:01 2017: Debug: if (&Calling-Station-Id &&
(&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(19) Wed Nov 1 20:23:01 2017: Debug: if (&Calling-Station-Id &&
(&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> TRUE
(19) Wed Nov 1 20:23:01 2017: Debug: if (&Calling-Station-Id &&
(&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(19) Wed Nov 1 20:23:01 2017: Debug: update request {
(19) Wed Nov 1 20:23:01 2017: Debug: EXPAND
%{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(19) Wed Nov 1 20:23:01 2017: Debug: --> 00:21:70:d8:ac:45
(19) Wed Nov 1 20:23:01 2017: Debug: } # update request = noop
(19) Wed Nov 1 20:23:01 2017: Debug: [updated] = updated
(19) Wed Nov 1 20:23:01 2017: Debug: } # if (&Calling-Station-Id &&
(&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
= updated
(19) Wed Nov 1 20:23:01 2017: Debug: ... skipping else: Preceding "if"
was taken
(19) Wed Nov 1 20:23:01 2017: Debug: } # policy rewrite_calling_station_id
= updated
(19) Wed Nov 1 20:23:01 2017: Debug: policy rewrite_called_station_id {
(19) Wed Nov 1 20:23:01 2017: Debug: if ((&Called-Station-Id) &&
(&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
{
(19) Wed Nov 1 20:23:01 2017: Debug: if ((&Called-Station-Id) &&
(&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
-> TRUE
(19) Wed Nov 1 20:23:01 2017: Debug: if ((&Called-Station-Id) &&
(&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
{
(19) Wed Nov 1 20:23:01 2017: Debug: update request {
(19) Wed Nov 1 20:23:01 2017: Debug: EXPAND
%{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(19) Wed Nov 1 20:23:01 2017: Debug: --> b0:b9:8a:46:3d:0e
(19) Wed Nov 1 20:23:01 2017: Debug: } # update request = noop
(19) Wed Nov 1 20:23:01 2017: Debug: if ("%{8}") {
(19) Wed Nov 1 20:23:01 2017: Debug: EXPAND %{8}
(19) Wed Nov 1 20:23:01 2017: Debug: -->
(19) Wed Nov 1 20:23:01 2017: Debug: if ("%{8}") -> FALSE
(19) Wed Nov 1 20:23:01 2017: Debug: elsif ( (Colubris-AVPair) &&
"%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) {
(19) Wed Nov 1 20:23:01 2017: Debug: elsif ( (Colubris-AVPair) &&
"%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) -> FALSE
(19) Wed Nov 1 20:23:01 2017: Debug: elsif (Aruba-Essid-Name) {
(19) Wed Nov 1 20:23:01 2017: Debug: elsif (Aruba-Essid-Name) -> FALSE
(19) Wed Nov 1 20:23:01 2017: Debug: elsif ( (Cisco-AVPair) &&
"%{Cisco-AVPair}" =~ /^ssid=(.*)$/i) {
(19) Wed Nov 1 20:23:01 2017: Debug: elsif ( (Cisco-AVPair) &&
"%{Cisco-AVPair}" =~ /^ssid=(.*)$/i) -> FALSE
(19) Wed Nov 1 20:23:01 2017: Debug: [updated] = updated
(19) Wed Nov 1 20:23:01 2017: Debug: } # if ((&Called-Station-Id) &&
(&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
= updated
(19) Wed Nov 1 20:23:01 2017: Debug: ... skipping else: Preceding "if"
was taken
(19) Wed Nov 1 20:23:01 2017: Debug: } # policy rewrite_called_station_id
= updated
(19) Wed Nov 1 20:23:01 2017: Debug: policy filter_username {
(19) Wed Nov 1 20:23:01 2017: Debug: if (&User-Name) {
(19) Wed Nov 1 20:23:01 2017: Debug: if (&User-Name) -> TRUE
(19) Wed Nov 1 20:23:01 2017: Debug: if (&User-Name) {
(19) Wed Nov 1 20:23:01 2017: Debug: if (&User-Name =~ / /) {
(19) Wed Nov 1 20:23:01 2017: Debug: if (&User-Name =~ / /) -> FALSE
(19) Wed Nov 1 20:23:01 2017: Debug: if (&User-Name =~ /@[^@]*@/ ) {
(19) Wed Nov 1 20:23:01 2017: Debug: if (&User-Name =~ /@[^@]*@/ ) ->
FALSE
(19) Wed Nov 1 20:23:01 2017: Debug: if (&User-Name =~ /\.\./ ) {
(19) Wed Nov 1 20:23:01 2017: Debug: if (&User-Name =~ /\.\./ ) ->
FALSE
(19) Wed Nov 1 20:23:01 2017: Debug: if ((&User-Name =~ /@/) &&
(&User-Name !~ /@(.+)\.(.+)$/)) {
(19) Wed Nov 1 20:23:01 2017: Debug: if ((&User-Name =~ /@/) &&
(&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(19) Wed Nov 1 20:23:01 2017: Debug: if (&User-Name =~ /\.$/) {
(19) Wed Nov 1 20:23:01 2017: Debug: if (&User-Name =~ /\.$/) ->
FALSE
(19) Wed Nov 1 20:23:01 2017: Debug: if (&User-Name =~ /@\./) {
(19) Wed Nov 1 20:23:01 2017: Debug: if (&User-Name =~ /@\./) ->
FALSE
(19) Wed Nov 1 20:23:01 2017: Debug: } # if (&User-Name) = updated
(19) Wed Nov 1 20:23:01 2017: Debug: } # policy filter_username = updated
(19) Wed Nov 1 20:23:01 2017: Debug: policy filter_password {
(19) Wed Nov 1 20:23:01 2017: Debug: if (&User-Password &&
(&User-Password != "%{string:User-Password}")) {
(19) Wed Nov 1 20:23:01 2017: Debug: if (&User-Password &&
(&User-Password != "%{string:User-Password}")) -> FALSE
(19) Wed Nov 1 20:23:01 2017: Debug: } # policy filter_password = updated
(19) Wed Nov 1 20:23:01 2017: Debug: [preprocess] = ok
(19) Wed Nov 1 20:23:01 2017: Debug: suffix: Checking for suffix after "@"
(19) Wed Nov 1 20:23:01 2017: Debug: suffix: No '@' in User-Name =
"PFDOMAIN\testme", skipping NULL due to config.
(19) Wed Nov 1 20:23:01 2017: Debug: [suffix] = noop
(19) Wed Nov 1 20:23:01 2017: Debug: ntdomain: Checking for prefix before "\"
(19) Wed Nov 1 20:23:01 2017: Debug: ntdomain: Looking up realm "PFDOMAIN" for
User-Name = "PFDOMAIN\testme"
(19) Wed Nov 1 20:23:01 2017: Debug: ntdomain: Found realm "pfdomain"
(19) Wed Nov 1 20:23:01 2017: Debug: ntdomain: Adding Stripped-User-Name =
"testme"
(19) Wed Nov 1 20:23:01 2017: Debug: ntdomain: Adding Realm = "pfdomain"
(19) Wed Nov 1 20:23:01 2017: Debug: ntdomain: Authentication realm is LOCAL
(19) Wed Nov 1 20:23:01 2017: Debug: [ntdomain] = ok
(19) Wed Nov 1 20:23:01 2017: Debug: eap: Peer sent EAP Response (code 2) ID 8
length 37
(19) Wed Nov 1 20:23:01 2017: Debug: eap: Continuing tunnel setup
(19) Wed Nov 1 20:23:01 2017: Debug: [eap] = ok
(19) Wed Nov 1 20:23:01 2017: Debug: } # authorize = ok
(19) Wed Nov 1 20:23:01 2017: Debug: Found Auth-Type = eap
(19) Wed Nov 1 20:23:01 2017: Debug: # Executing group from file
/usr/local/pf/raddb/sites-enabled/packetfence
(19) Wed Nov 1 20:23:01 2017: Debug: authenticate {
(19) Wed Nov 1 20:23:01 2017: Debug: eap: Expiring EAP session with state
0x02989cb2039086a0
(19) Wed Nov 1 20:23:01 2017: Debug: eap: Finished EAP session with state
0x8486bcf2838ea5c8
(19) Wed Nov 1 20:23:01 2017: Debug: eap: Previous EAP request found for state
0x8486bcf2838ea5c8, released from the list
(19) Wed Nov 1 20:23:01 2017: Debug: eap: Peer sent packet with method EAP
PEAP (25)
(19) Wed Nov 1 20:23:01 2017: Debug: eap: Calling submodule eap_peap to
process data
(19) Wed Nov 1 20:23:01 2017: Debug: eap_peap: Continuing EAP-TLS
(19) Wed Nov 1 20:23:01 2017: Debug: eap_peap: [eaptls verify] = ok
(19) Wed Nov 1 20:23:01 2017: Debug: eap_peap: Done initial handshake
(19) Wed Nov 1 20:23:01 2017: Debug: eap_peap: [eaptls process] = ok
(19) Wed Nov 1 20:23:01 2017: Debug: eap_peap: Session established. Decoding
tunneled attributes
(19) Wed Nov 1 20:23:01 2017: Debug: eap_peap: PEAP state phase2
(19) Wed Nov 1 20:23:01 2017: Debug: eap_peap: EAP method MSCHAPv2 (26)
(19) Wed Nov 1 20:23:01 2017: Debug: eap_peap: Got tunneled request
(19) Wed Nov 1 20:23:01 2017: Debug: eap_peap: EAP-Message = 0x020800061a03
(19) Wed Nov 1 20:23:01 2017: Debug: eap_peap: Setting User-Name to
PFDOMAIN\testme
(19) Wed Nov 1 20:23:01 2017: Debug: eap_peap: Sending tunneled request to
packetfence-tunnel
(19) Wed Nov 1 20:23:01 2017: Debug: eap_peap: EAP-Message = 0x020800061a03
(19) Wed Nov 1 20:23:01 2017: Debug: eap_peap: FreeRADIUS-Proxied-To =
127.0.0.1
(19) Wed Nov 1 20:23:01 2017: Debug: eap_peap: User-Name = "PFDOMAIN\\testme"
(19) Wed Nov 1 20:23:01 2017: Debug: eap_peap: State =
0x02989cb2039086a03851ec7eb5936384
(19) Wed Nov 1 20:23:01 2017: Debug: eap_peap: Calling-Station-Id :=
"00:21:70:d8:ac:45"
(19) Wed Nov 1 20:23:01 2017: Debug: eap_peap: NAS-Identifier =
"b0-b9-8a-46-3d-0c"
(19) Wed Nov 1 20:23:01 2017: Debug: eap_peap: NAS-IP-Address = 192.168.1.5
(19) Wed Nov 1 20:23:01 2017: Debug: eap_peap: NAS-Port = 1
(19) Wed Nov 1 20:23:01 2017: Debug: eap_peap: Framed-MTU = 1500
(19) Wed Nov 1 20:23:01 2017: Debug: eap_peap: NAS-Port-Type = Ethernet
(19) Wed Nov 1 20:23:01 2017: Debug: eap_peap: Called-Station-Id :=
"b0:b9:8a:46:3d:0e"
(19) Wed Nov 1 20:23:01 2017: Debug: eap_peap: Event-Timestamp = "Nov 1
2017 20:23:01 UTC"
(19) Wed Nov 1 20:23:01 2017: Debug: Virtual server packetfence-tunnel
received request
(19) Wed Nov 1 20:23:01 2017: Debug: EAP-Message = 0x020800061a03
(19) Wed Nov 1 20:23:01 2017: Debug: FreeRADIUS-Proxied-To = 127.0.0.1
(19) Wed Nov 1 20:23:01 2017: Debug: User-Name = "PFDOMAIN\\testme"
(19) Wed Nov 1 20:23:01 2017: Debug: State =
0x02989cb2039086a03851ec7eb5936384
(19) Wed Nov 1 20:23:01 2017: Debug: Calling-Station-Id :=
"00:21:70:d8:ac:45"
(19) Wed Nov 1 20:23:01 2017: Debug: NAS-Identifier = "b0-b9-8a-46-3d-0c"
(19) Wed Nov 1 20:23:01 2017: Debug: NAS-IP-Address = 192.168.1.5
(19) Wed Nov 1 20:23:01 2017: Debug: NAS-Port = 1
(19) Wed Nov 1 20:23:01 2017: Debug: Framed-MTU = 1500
(19) Wed Nov 1 20:23:01 2017: Debug: NAS-Port-Type = Ethernet
(19) Wed Nov 1 20:23:01 2017: Debug: Called-Station-Id := "b0:b9:8a:46:3d:0e"
(19) Wed Nov 1 20:23:01 2017: Debug: Event-Timestamp = "Nov 1 2017 20:23:01
UTC"
(19) Wed Nov 1 20:23:01 2017: WARNING: Outer and inner identities are the
same. User privacy is compromised.
(19) Wed Nov 1 20:23:01 2017: Debug: server packetfence-tunnel {
(19) Wed Nov 1 20:23:01 2017: Debug: session-state: No cached attributes
(19) Wed Nov 1 20:23:01 2017: Debug: # Executing section authorize from file
/usr/local/pf/raddb/sites-enabled/packetfence-tunnel
(19) Wed Nov 1 20:23:01 2017: Debug: authorize {
(19) Wed Nov 1 20:23:01 2017: Debug: if ( outer.EAP-Type == TTLS) {
(19) Wed Nov 1 20:23:01 2017: Debug: if ( outer.EAP-Type == TTLS) ->
FALSE
(19) Wed Nov 1 20:23:01 2017: Debug: policy filter_username {
(19) Wed Nov 1 20:23:01 2017: Debug: if (&User-Name) {
(19) Wed Nov 1 20:23:01 2017: Debug: if (&User-Name) -> TRUE
(19) Wed Nov 1 20:23:01 2017: Debug: if (&User-Name) {
(19) Wed Nov 1 20:23:01 2017: Debug: if (&User-Name =~ / /) {
(19) Wed Nov 1 20:23:01 2017: Debug: if (&User-Name =~ / /) -> FALSE
(19) Wed Nov 1 20:23:01 2017: Debug: if (&User-Name =~ /@[^@]*@/ ) {
(19) Wed Nov 1 20:23:01 2017: Debug: if (&User-Name =~ /@[^@]*@/ )
-> FALSE
(19) Wed Nov 1 20:23:01 2017: Debug: if (&User-Name =~ /\.\./ ) {
(19) Wed Nov 1 20:23:01 2017: Debug: if (&User-Name =~ /\.\./ ) ->
FALSE
(19) Wed Nov 1 20:23:01 2017: Debug: if ((&User-Name =~ /@/) &&
(&User-Name !~ /@(.+)\.(.+)$/)) {
(19) Wed Nov 1 20:23:01 2017: Debug: if ((&User-Name =~ /@/) &&
(&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(19) Wed Nov 1 20:23:01 2017: Debug: if (&User-Name =~ /\.$/) {
(19) Wed Nov 1 20:23:01 2017: Debug: if (&User-Name =~ /\.$/) ->
FALSE
(19) Wed Nov 1 20:23:01 2017: Debug: if (&User-Name =~ /@\./) {
(19) Wed Nov 1 20:23:01 2017: Debug: if (&User-Name =~ /@\./) ->
FALSE
(19) Wed Nov 1 20:23:01 2017: Debug: } # if (&User-Name) = notfound
(19) Wed Nov 1 20:23:01 2017: Debug: } # policy filter_username =
notfound
(19) Wed Nov 1 20:23:01 2017: Debug: [mschap] = noop
(19) Wed Nov 1 20:23:01 2017: Debug: suffix: Checking for suffix after "@"
(19) Wed Nov 1 20:23:01 2017: Debug: suffix: No '@' in User-Name =
"PFDOMAIN\testme", skipping NULL due to config.
(19) Wed Nov 1 20:23:01 2017: Debug: [suffix] = noop
(19) Wed Nov 1 20:23:01 2017: Debug: ntdomain: Checking for prefix before "\"
(19) Wed Nov 1 20:23:01 2017: Debug: ntdomain: Looking up realm "PFDOMAIN" for
User-Name = "PFDOMAIN\testme"
(19) Wed Nov 1 20:23:01 2017: Debug: ntdomain: Found realm "pfdomain"
(19) Wed Nov 1 20:23:01 2017: Debug: ntdomain: Adding Stripped-User-Name =
"testme"
(19) Wed Nov 1 20:23:01 2017: Debug: ntdomain: Adding Realm = "pfdomain"
(19) Wed Nov 1 20:23:01 2017: Debug: ntdomain: Authentication realm is LOCAL
(19) Wed Nov 1 20:23:01 2017: Debug: [ntdomain] = ok
(19) Wed Nov 1 20:23:01 2017: Debug: packetfence-multi-domain:
$RAD_REQUEST{'User-Name'} = &request:User-Name -> 'PFDOMAIN\testme'
(19) Wed Nov 1 20:23:01 2017: Debug: packetfence-multi-domain:
$RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '192.168.1.5'
(19) Wed Nov 1 20:23:01 2017: Debug: packetfence-multi-domain:
$RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '1'
(19) Wed Nov 1 20:23:01 2017: Debug: packetfence-multi-domain:
$RAD_REQUEST{'Framed-MTU'} = &request:Framed-MTU -> '1500'
(19) Wed Nov 1 20:23:01 2017: Debug: packetfence-multi-domain:
$RAD_REQUEST{'State'} = &request:State -> '0x02989cb2039086a03851ec7eb5936384'
(19) Wed Nov 1 20:23:01 2017: Debug: packetfence-multi-domain:
$RAD_REQUEST{'Called-Station-Id'} = &request:Called-Station-Id ->
'b0:b9:8a:46:3d:0e'
(19) Wed Nov 1 20:23:01 2017: Debug: packetfence-multi-domain:
$RAD_REQUEST{'Calling-Station-Id'} = &request:Calling-Station-Id ->
'00:21:70:d8:ac:45'
(19) Wed Nov 1 20:23:01 2017: Debug: packetfence-multi-domain:
$RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier -> 'b0-b9-8a-46-3d-0c'
(19) Wed Nov 1 20:23:01 2017: Debug: packetfence-multi-domain:
$RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Ethernet'
(19) Wed Nov 1 20:23:01 2017: Debug: packetfence-multi-domain:
$RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Nov 1 2017
20:23:01 UTC'
(19) Wed Nov 1 20:23:01 2017: Debug: packetfence-multi-domain:
$RAD_REQUEST{'EAP-Message'} = &request:EAP-Message -> '0x020800061a03'
(19) Wed Nov 1 20:23:01 2017: Debug: packetfence-multi-domain:
$RAD_REQUEST{'FreeRADIUS-Proxied-To'} = &request:FreeRADIUS-Proxied-To ->
'127.0.0.1'
(19) Wed Nov 1 20:23:01 2017: Debug: packetfence-multi-domain:
$RAD_REQUEST{'Stripped-User-Name'} = &request:Stripped-User-Name -> 'testme'
(19) Wed Nov 1 20:23:01 2017: Debug: packetfence-multi-domain:
$RAD_REQUEST{'Realm'} = &request:Realm -> 'pfdomain'
(19) Wed Nov 1 20:23:01 2017: Debug: packetfence-multi-domain:
&request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 'Ethernet'
(19) Wed Nov 1 20:23:01 2017: Debug: packetfence-multi-domain:
&request:Calling-Station-Id = $RAD_REQUEST{'Calling-Station-Id'} ->
'00:21:70:d8:ac:45'
(19) Wed Nov 1 20:23:01 2017: Debug: packetfence-multi-domain:
&request:Called-Station-Id = $RAD_REQUEST{'Called-Station-Id'} ->
'b0:b9:8a:46:3d:0e'
(19) Wed Nov 1 20:23:01 2017: Debug: packetfence-multi-domain: &request:State
= $RAD_REQUEST{'State'} -> '0x02989cb2039086a03851ec7eb5936384'
(19) Wed Nov 1 20:23:01 2017: Debug: packetfence-multi-domain:
&request:FreeRADIUS-Proxied-To = $RAD_REQUEST{'FreeRADIUS-Proxied-To'} ->
'127.0.0.1'
(19) Wed Nov 1 20:23:01 2017: Debug: packetfence-multi-domain:
&request:PacketFence-Domain = $RAD_REQUEST{'PacketFence-Domain'} -> 'Win2012AD'
(19) Wed Nov 1 20:23:01 2017: Debug: packetfence-multi-domain:
&request:User-Name = $RAD_REQUEST{'User-Name'} -> 'PFDOMAIN\testme'
(19) Wed Nov 1 20:23:01 2017: Debug: packetfence-multi-domain:
&request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Nov 1 2017
20:23:01 UTC'
(19) Wed Nov 1 20:23:01 2017: Debug: packetfence-multi-domain:
&request:NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} -> 'b0-b9-8a-46-3d-0c'
(19) Wed Nov 1 20:23:01 2017: Debug: packetfence-multi-domain:
&request:EAP-Message = $RAD_REQUEST{'EAP-Message'} -> '0x020800061a03'
(19) Wed Nov 1 20:23:01 2017: Debug: packetfence-multi-domain: &request:Realm
= $RAD_REQUEST{'Realm'} -> 'pfdomain'
(19) Wed Nov 1 20:23:01 2017: Debug: packetfence-multi-domain:
&request:Stripped-User-Name = $RAD_REQUEST{'Stripped-User-Name'} -> 'testme'
(19) Wed Nov 1 20:23:01 2017: Debug: packetfence-multi-domain:
&request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '192.168.1.5'
(19) Wed Nov 1 20:23:01 2017: Debug: packetfence-multi-domain:
&request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '1'
(19) Wed Nov 1 20:23:01 2017: Debug: packetfence-multi-domain:
&request:Framed-MTU = $RAD_REQUEST{'Framed-MTU'} -> '1500'
(19) Wed Nov 1 20:23:01 2017: Debug: [packetfence-multi-domain] = updated
(19) Wed Nov 1 20:23:01 2017: Debug: update control {
(19) Wed Nov 1 20:23:01 2017: Debug: } # update control = noop
(19) Wed Nov 1 20:23:01 2017: Debug: eap: Peer sent EAP Response (code 2) ID 8
length 6
(19) Wed Nov 1 20:23:01 2017: Debug: eap: No EAP Start, assuming it's an
on-going EAP conversation
(19) Wed Nov 1 20:23:01 2017: Debug: [eap] = updated
(19) Wed Nov 1 20:23:01 2017: Debug: policy rewrite_called_station_id {
(19) Wed Nov 1 20:23:01 2017: Debug: if ((&Called-Station-Id) &&
(&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
{
(19) Wed Nov 1 20:23:01 2017: Debug: if ((&Called-Station-Id) &&
(&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
-> TRUE
(19) Wed Nov 1 20:23:01 2017: Debug: if ((&Called-Station-Id) &&
(&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
{
(19) Wed Nov 1 20:23:01 2017: Debug: update request {
(19) Wed Nov 1 20:23:01 2017: Debug: EXPAND
%{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(19) Wed Nov 1 20:23:01 2017: Debug: --> b0:b9:8a:46:3d:0e
(19) Wed Nov 1 20:23:01 2017: Debug: } # update request = noop
(19) Wed Nov 1 20:23:01 2017: Debug: if ("%{8}") {
(19) Wed Nov 1 20:23:01 2017: Debug: EXPAND %{8}
(19) Wed Nov 1 20:23:01 2017: Debug: -->
(19) Wed Nov 1 20:23:01 2017: Debug: if ("%{8}") -> FALSE
(19) Wed Nov 1 20:23:01 2017: Debug: elsif ( (Colubris-AVPair) &&
"%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) {
(19) Wed Nov 1 20:23:01 2017: Debug: elsif ( (Colubris-AVPair) &&
"%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) -> FALSE
(19) Wed Nov 1 20:23:01 2017: Debug: elsif (Aruba-Essid-Name) {
(19) Wed Nov 1 20:23:01 2017: Debug: elsif (Aruba-Essid-Name) ->
FALSE
(19) Wed Nov 1 20:23:01 2017: Debug: elsif ( (Cisco-AVPair) &&
"%{Cisco-AVPair}" =~ /^ssid=(.*)$/i) {
(19) Wed Nov 1 20:23:01 2017: Debug: elsif ( (Cisco-AVPair) &&
"%{Cisco-AVPair}" =~ /^ssid=(.*)$/i) -> FALSE
(19) Wed Nov 1 20:23:01 2017: Debug: [updated] = updated
(19) Wed Nov 1 20:23:01 2017: Debug: } # if ((&Called-Station-Id) &&
(&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
= updated
(19) Wed Nov 1 20:23:01 2017: Debug: ... skipping else: Preceding "if"
was taken
(19) Wed Nov 1 20:23:01 2017: Debug: } # policy
rewrite_called_station_id = updated
(19) Wed Nov 1 20:23:01 2017: Debug: [pap] = noop
(19) Wed Nov 1 20:23:01 2017: Debug: } # authorize = updated
(19) Wed Nov 1 20:23:01 2017: WARNING: You set Proxy-To-Realm = local, but
it is a LOCAL realm! Cancelling proxy request.
(19) Wed Nov 1 20:23:01 2017: Debug: Found Auth-Type = eap
(19) Wed Nov 1 20:23:01 2017: Debug: # Executing group from file
/usr/local/pf/raddb/sites-enabled/packetfence-tunnel
(19) Wed Nov 1 20:23:01 2017: Debug: authenticate {
(19) Wed Nov 1 20:23:01 2017: Debug: eap: Expiring EAP session with state
0x02989cb2039086a0
(19) Wed Nov 1 20:23:01 2017: Debug: eap: Finished EAP session with state
0x02989cb2039086a0
(19) Wed Nov 1 20:23:01 2017: Debug: eap: Previous EAP request found for state
0x02989cb2039086a0, released from the list
(19) Wed Nov 1 20:23:01 2017: Debug: eap: Peer sent packet with method EAP
MSCHAPv2 (26)
(19) Wed Nov 1 20:23:01 2017: Debug: eap: Calling submodule eap_mschapv2 to
process data
(19) Wed Nov 1 20:23:01 2017: Debug: eap: Sending EAP Success (code 3) ID 8
length 4
(19) Wed Nov 1 20:23:01 2017: Debug: eap: Freeing handler
(19) Wed Nov 1 20:23:01 2017: Debug: [eap] = ok
(19) Wed Nov 1 20:23:01 2017: Debug: } # authenticate = ok
(19) Wed Nov 1 20:23:01 2017: Debug: # Executing section post-auth from file
/usr/local/pf/raddb/sites-enabled/packetfence-tunnel
(19) Wed Nov 1 20:23:01 2017: Debug: post-auth {
(19) Wed Nov 1 20:23:01 2017: Debug: rest: Expanding URI components
(19) Wed Nov 1 20:23:01 2017: Debug: rest: EXPAND http://127.0.0.1:7070
(19) Wed Nov 1 20:23:01 2017: Debug: rest: --> http://127.0.0.1:7070
(19) Wed Nov 1 20:23:01 2017: Debug: rest: EXPAND //radius/rest/authorize
(19) Wed Nov 1 20:23:01 2017: Debug: rest: --> //radius/rest/authorize
(19) Wed Nov 1 20:23:01 2017: Debug: rest: Sending HTTP POST to
"http://127.0.0.1:7070//radius/rest/authorize";
(19) Wed Nov 1 20:23:01 2017: Debug: rest: Encoding attribute "User-Name"
(19) Wed Nov 1 20:23:01 2017: Debug: rest: Encoding attribute "NAS-IP-Address"
(19) Wed Nov 1 20:23:01 2017: Debug: rest: Encoding attribute "NAS-Port"
(19) Wed Nov 1 20:23:01 2017: Debug: rest: Encoding attribute "Framed-MTU"
(19) Wed Nov 1 20:23:01 2017: Debug: rest: Encoding attribute "State"
(19) Wed Nov 1 20:23:01 2017: Debug: rest: Encoding attribute
"Called-Station-Id"
(19) Wed Nov 1 20:23:01 2017: Debug: rest: Encoding attribute
"Calling-Station-Id"
(19) Wed Nov 1 20:23:01 2017: Debug: rest: Encoding attribute "NAS-Identifier"
(19) Wed Nov 1 20:23:01 2017: Debug: rest: Encoding attribute "NAS-Port-Type"
(19) Wed Nov 1 20:23:01 2017: Debug: rest: Encoding attribute "Event-Timestamp"
(19) Wed Nov 1 20:23:01 2017: Debug: rest: Encoding attribute "EAP-Message"
(19) Wed Nov 1 20:23:01 2017: Debug: rest: Encoding attribute
"FreeRADIUS-Proxied-To"
(19) Wed Nov 1 20:23:01 2017: Debug: rest: Encoding attribute "EAP-Type"
(19) Wed Nov 1 20:23:01 2017: Debug: rest: Encoding attribute
"Stripped-User-Name"
(19) Wed Nov 1 20:23:01 2017: Debug: rest: Encoding attribute "Realm"
(19) Wed Nov 1 20:23:01 2017: Debug: rest: Encoding attribute
"PacketFence-Domain"
(19) Wed Nov 1 20:23:04 2017: Debug: rest: Processing response header
(19) Wed Nov 1 20:23:04 2017: Debug: rest: Status : 401 (Unauthorized)
(19) Wed Nov 1 20:23:04 2017: Debug: rest: Type : json (application/json)
(19) Wed Nov 1 20:23:04 2017: ERROR: rest: Server returned:
(19) Wed Nov 1 20:23:04 2017: ERROR: rest: {"Reply-Message":"Network device
does not support this mode of
operation","control:PacketFence-Eap-Type":26,"control:PacketFence-Authorization-Status":"allow","control:PacketFence-Mac":"00:21:70:d8:ac:45","control:PacketFence-Request-Time":1509567784,"control:PacketFence-Switch-Ip-Address":"192.168.1.5","control:PacketFence-IfIndex":"1","control:PacketFence-UserName":"PFDOMAIN\\testme","control:PacketFence-Connection-Type":"Ethernet-EAP","control:PacketFence-Switch-Mac":"b0:b9:8a:46:3d:0e","control:PacketFence-Switch-Id":"192.168.1.5"}
(19) Wed Nov 1 20:23:04 2017: Debug: [rest] = invalid
(19) Wed Nov 1 20:23:04 2017: Debug: } # post-auth = invalid
(19) Wed Nov 1 20:23:04 2017: Debug: Using Post-Auth-Type Reject
(19) Wed Nov 1 20:23:04 2017: Debug: # Executing group from file
/usr/local/pf/raddb/sites-enabled/packetfence-tunnel
(19) Wed Nov 1 20:23:04 2017: Debug: Post-Auth-Type REJECT {
(19) Wed Nov 1 20:23:04 2017: Debug: update {
(19) Wed Nov 1 20:23:04 2017: Debug: } # update = noop
(19) Wed Nov 1 20:23:04 2017: Debug: policy packetfence-audit-log-reject
{
(19) Wed Nov 1 20:23:04 2017: Debug: if (&User-Name != "dummy") {
(19) Wed Nov 1 20:23:04 2017: Debug: if (&User-Name != "dummy") ->
TRUE
(19) Wed Nov 1 20:23:04 2017: Debug: if (&User-Name != "dummy") {
(19) Wed Nov 1 20:23:04 2017: Debug: policy request-timing {
(19) Wed Nov 1 20:23:04 2017: Debug: if
(control:PacketFence-Request-Time != 0) {
(19) Wed Nov 1 20:23:04 2017: ERROR: Failed retrieving values
required to evaluate condition
(19) Wed Nov 1 20:23:04 2017: Debug: } # policy request-timing = noop
(19) Wed Nov 1 20:23:04 2017: Debug: sql_reject: EXPAND type.reject.query
(19) Wed Nov 1 20:23:04 2017: Debug: sql_reject: --> type.reject.query
(19) Wed Nov 1 20:23:04 2017: Debug: sql_reject: Using query template 'query'
(19) Wed Nov 1 20:23:04 2017: Debug: sql_reject: EXPAND %{User-Name}
(19) Wed Nov 1 20:23:04 2017: Debug: sql_reject: --> PFDOMAIN\\testme
(19) Wed Nov 1 20:23:04 2017: Debug: sql_reject: SQL-User-Name set to
'PFDOMAIN\\testme'
(19) Wed Nov 1 20:23:04 2017: Debug: sql_reject: EXPAND INSERT INTO
radius_audit_log ( mac, ip, computer_name, user_name,
stripped_user_name, realm, event_type, switch_id,
switch_mac, switch_ip_address, radius_source_ip_address,
called_station_id, calling_station_id, nas_port_type, ssid,
nas_port_id, ifindex, nas_port, connection_type,
nas_ip_address, nas_identifier, auth_status, reason, auth_type,
eap_type, role, node_status, profile, source,
auto_reg, is_phone, pf_domain, uuid, radius_request,
radius_reply, request_time) VALUES (
'%{request:Calling-Station-Id}', '%{request:Framed-IP-Address}',
'%{%{control:PacketFence-Computer-Name}:-N/A}', '%{request:User-Name}',
'%{request:Stripped-User-Name}', '%{request:Realm}',
'Radius-Access-Request',
'%{%{control:PacketFence-Switch-Id}:-N/A}',
'%{%{control:PacketFence-Switch-Mac}:-N/A}',
'%{%{control:PacketFence-Switch-Ip-Address}:-N/A}',
'%{Packet-Src-IP-Address}', '%{request:Called-Station-Id}',
'%{request:Calling-Station-Id}', '%{request:NAS-Port-Type}',
'%{request:Called-Station-SSID}', '%{request:NAS-Port-Id}',
'%{%{control:PacketFence-IfIndex}:-N/A}', '%{request:NAS-Port}',
'%{%{control:PacketFence-Connection-Type}:-N/A}',
'%{request:NAS-IP-Address}', '%{request:NAS-Identifier}', 'Reject',
'%{request:Module-Failure-Message}', '%{control:Auth-Type}',
'%{request:EAP-Type}', '%{%{control:PacketFence-Role}:-N/A}',
'%{%{control:PacketFence-Status}:-N/A}',
'%{%{control:PacketFence-Profile}:-N/A}',
'%{%{control:PacketFence-Source}:-N/A}',
'%{%{control:PacketFence-AutoReg}:-N/A}',
'%{%{control:PacketFence-IsPhone}:-N/A}',
'%{request:PacketFence-Domain}', '',
'%{pairs:&request:[*]}','%{pairs:&reply:[*]}',
'%{%{control:PacketFence-Request-Time}:-N/A}')
(19) Wed Nov 1 20:23:04 2017: Debug: sql_reject: --> INSERT INTO
radius_audit_log ( mac, ip, computer_name, user_name,
stripped_user_name, realm, event_type, switch_id,
switch_mac, switch_ip_address, radius_source_ip_address,
called_station_id, calling_station_id, nas_port_type, ssid,
nas_port_id, ifindex, nas_port, connection_type,
nas_ip_address, nas_identifier, auth_status, reason, auth_type,
eap_type, role, node_status, profile, source,
auto_reg, is_phone, pf_domain, uuid, radius_request,
radius_reply, request_time) VALUES (
'00:21:70:d8:ac:45', '', 'N/A', 'PFDOMAIN=5Ctestme', 'testme',
'pfdomain', 'Radius-Access-Request', 'N/A', 'N/A', 'N/A',
'192.168.1.12', 'b0:b9:8a:46:3d:0e', '00:21:70:d8:ac:45',
'Ethernet', '', '', 'N/A', '1', 'N/A',
'192.168.1.5', 'b0-b9-8a-46-3d-0c', 'Reject', 'rest: Server
returned:', 'eap', 'MSCHAPv2', 'N/A', 'N/A', 'N/A',
'N/A', 'N/A', 'N/A', 'Win2012AD', '', 'User-Name =3D
=22PFDOMAIN=5C=5Ctestme=22=2C NAS-IP-Address =3D 192.168.1.5=2C NAS-Port =3D
1=2C Framed-MTU =3D 1500=2C State =3D 0x02989cb2039086a03851ec7eb5936384=2C
Called-Station-Id =3D =22b0:b9:8a:46:3d:0e=22=2C Calling-Station-Id =3D
=2200:21:70:d8:ac:45=22=2C NAS-Identifier =3D =22b0-b9-8a-46-3d-0c=22=2C
NAS-Port-Type =3D Ethernet=2C Event-Timestamp =3D =22Nov 1 2017 20:23:01
UTC=22=2C EAP-Message =3D 0x020800061a03=2C FreeRADIUS-Proxied-To =3D
127.0.0.1=2C EAP-Type =3D MSCHAPv2=2C Stripped-User-Name =3D =22testme=22=2C
Realm =3D =22pfdomain=22=2C PacketFence-Domain =3D =22Win2012AD=22=2C
Module-Failure-Message =3D =22rest: Server returned:=22=2C
Module-Failure-Message =3D =22rest: =7B=5C=22Reply-Message=5C=22:=5C=22Network
device does not support this mode of
operation=5C=22=2C=5C=22control:PacketFence-Eap-Type=5C=22:26=2C=5C=22control:PacketFence-Authorization-Status=5C=22:=5C=22allow=5C=22=2C=5C=22control:PacketFence-Mac=5C=22:=5C=2200:21:70:d8:ac:45=5C=22=2C=5C=22control:PacketFence-Request-Time=5C=22:1509567784=2C=5C=22control:PacketFence-Switch-Ip-Address=5C=22:=5C=22192.168.1.5=5C=22=2C=5C=22control:PacketFence-IfIndex=5C=22:=5C=221=5C=22=2C=5C=22control:PacketFence-UserName=5C=22:=5C=22PFDOMAIN=5C=5C=5C=5Ctestme=5C=22=2C=5C=22control:PacketFence-Connection-Type=5C=22:=5C=22Ethernet-EAP=5C=22=2C=5C=22control:PacketFence-Switch-Mac=5C=22:=5C=22b0:b9:8a:46:3d:0e=5C=22=2C=5C=22control:PacketFence-Switch-Id=5C=22:=5C=22192.168.1.5=5C=22=7D=22=2C
User-Password =3D =22=2A=2A=2A=2A=2A=2A=22=2C Module-Failure-Message =3D
=22Failed retrieving values required to evaluate condition=22=2C SQL-User-Name
=3D =22PFDOMAIN=5C=5C=5C=5Ctestme=22','EAP-Message =3D 0x03080004=2C
Message-Authenticator =3D 0x00000000000000000000000000000000=2C
Stripped-User-Name =3D =22testme=22', 'N/A')
(19) Wed Nov 1 20:23:04 2017: Debug: sql_reject: Executing query: INSERT INTO
radius_audit_log ( mac, ip, computer_name, user_name,
stripped_user_name, realm, event_type, switch_id,
switch_mac, switch_ip_address, radius_source_ip_address,
called_station_id, calling_station_id, nas_port_type, ssid,
nas_port_id, ifindex, nas_port, connection_type,
nas_ip_address, nas_identifier, auth_status, reason, auth_type,
eap_type, role, node_status, profile, source,
auto_reg, is_phone, pf_domain, uuid, radius_request,
radius_reply, request_time) VALUES (
'00:21:70:d8:ac:45', '', 'N/A', 'PFDOMAIN=5Ctestme', 'testme',
'pfdomain', 'Radius-Access-Request', 'N/A', 'N/A', 'N/A',
'192.168.1.12', 'b0:b9:8a:46:3d:0e', '00:21:70:d8:ac:45',
'Ethernet', '', '', 'N/A', '1', 'N/A',
'192.168.1.5', 'b0-b9-8a-46-3d-0c', 'Reject', 'rest: Server
returned:', 'eap', 'MSCHAPv2', 'N/A', 'N/A', 'N/A',
'N/A', 'N/A', 'N/A', 'Win2012AD', '', 'User-Name =3D
=22PFDOMAIN=5C=5Ctestme=22=2C NAS-IP-Address =3D 192.168.1.5=2C NAS-Port =3D
1=2C Framed-MTU =3D 1500=2C State =3D 0x02989cb2039086a03851ec7eb5936384=2C
Called-Station-Id =3D =22b0:b9:8a:46:3d:0e=22=2C Calling-Station-Id =3D
=2200:21:70:d8:ac:45=22=2C NAS-Identifier =3D =22b0-b9-8a-46-3d-0c=22=2C
NAS-Port-Type =3D Ethernet=2C Event-Timestamp =3D =22Nov 1 2017 20:23:01
UTC=22=2C EAP-Message =3D 0x020800061a03=2C FreeRADIUS-Proxied-To =3D
127.0.0.1=2C EAP-Type =3D MSCHAPv2=2C Stripped-User-Name =3D =22testme=22=2C
Realm =3D =22pfdomain=22=2C PacketFence-Domain =3D =22Win2012AD=22=2C
Module-Failure-Message =3D =22rest: Server returned:=22=2C
Module-Failure-Message =3D =22rest: =7B=5C=22Reply-Message=5C=22:=5C=22Network
device does not support this mode of
operation=5C=22=2C=5C=22control:PacketFence-Eap-Type=5C=22:26=2C=5C=22control:PacketFence-Authorization-Status=5C=22:=5C=22allow=5C=22=2C=5C=22control:PacketFence-Mac=5C=22:=5C=2200:21:70:d8:ac:45=5C=22=2C=5C=22control:PacketFence-Request-Time=5C=22:1509567784=2C=5C=22control:PacketFence-Switch-Ip-Address=5C=22:=5C=22192.168.1.5=5C=22=2C=5C=22control:PacketFence-IfIndex=5C=22:=5C=221=5C=22=2C=5C=22control:PacketFence-UserName=5C=22:=5C=22PFDOMAIN=5C=5C=5C=5Ctestme=5C=22=2C=5C=22control:PacketFence-Connection-Type=5C=22:=5C=22Ethernet-EAP=5C=22=2C=5C=22control:PacketFence-Switch-Mac=5C=22:=5C=22b0:b9:8a:46:3d:0e=5C=22=2C=5C=22control:PacketFence-Switch-Id=5C=22:=5C=22192.168.1.5=5C=22=7D=22=2C
User-Password =3D =22=2A=2A=2A=2A=2A=2A=22=2C Module-Failure-Message =3D
=22Failed retrieving values required to evaluate condition=22=2C SQL-User-Name
=3D =22PFDOMAIN=5C=5C=5C=5Ctestme=22','EAP-Message =3D 0x03080004=2C
Message-Authenticator =3D 0x00000000000000000000000000000000=2C
Stripped-User-Name =3D =22testme=22', 'N/A')
(19) Wed Nov 1 20:23:04 2017: Debug: sql_reject: SQL query returned: success
(19) Wed Nov 1 20:23:04 2017: Debug: sql_reject: 1 record(s) updated
(19) Wed Nov 1 20:23:04 2017: Debug: [sql_reject] = ok
(19) Wed Nov 1 20:23:04 2017: Debug: } # if (&User-Name != "dummy") =
ok
(19) Wed Nov 1 20:23:04 2017: Debug: } # policy
packetfence-audit-log-reject = ok
(19) Wed Nov 1 20:23:04 2017: Debug: attr_filter.access_reject: EXPAND
%{User-Name}
(19) Wed Nov 1 20:23:04 2017: Debug: attr_filter.access_reject: -->
PFDOMAIN\\testme
(19) Wed Nov 1 20:23:04 2017: Debug: attr_filter.access_reject: Matched entry
DEFAULT at line 11
(19) Wed Nov 1 20:23:04 2017: Debug: [attr_filter.access_reject] =
updated
(19) Wed Nov 1 20:23:04 2017: Debug: update outer.session-state {
(19) Wed Nov 1 20:23:04 2017: Debug: } # update outer.session-state =
noop
(19) Wed Nov 1 20:23:04 2017: Debug: } # Post-Auth-Type REJECT = updated
(19) Wed Nov 1 20:23:04 2017: Debug: } # server packetfence-tunnel
(19) Wed Nov 1 20:23:04 2017: Debug: Virtual server sending reply
(19) Wed Nov 1 20:23:04 2017: Debug: EAP-Message = 0x03080004
(19) Wed Nov 1 20:23:04 2017: Debug: Message-Authenticator =
0x00000000000000000000000000000000
(19) Wed Nov 1 20:23:04 2017: Debug: eap_peap: Got tunneled reply code 3
(19) Wed Nov 1 20:23:04 2017: Debug: eap_peap: EAP-Message = 0x03080004
(19) Wed Nov 1 20:23:04 2017: Debug: eap_peap: Message-Authenticator =
0x00000000000000000000000000000000
(19) Wed Nov 1 20:23:04 2017: Debug: eap_peap: Tunneled authentication was
rejected
(19) Wed Nov 1 20:23:04 2017: Debug: eap_peap: FAILURE
(19) Wed Nov 1 20:23:04 2017: Debug: eap: Sending EAP Request (code 1) ID 9
length 46
(19) Wed Nov 1 20:23:04 2017: Debug: eap: EAP session adding &reply:State =
0x8486bcf28c8fa5c8
(19) Wed Nov 1 20:23:04 2017: Debug: [eap] = handled
(19) Wed Nov 1 20:23:04 2017: Debug: } # authenticate = handled
(19) Wed Nov 1 20:23:04 2017: Debug: Using Post-Auth-Type Challenge
(19) Wed Nov 1 20:23:04 2017: Debug: Post-Auth-Type sub-section not found.
Ignoring.
(19) Wed Nov 1 20:23:04 2017: Debug: # Executing group from file
/usr/local/pf/raddb/sites-enabled/packetfence
(19) Wed Nov 1 20:23:04 2017: Debug: session-state: Saving cached attributes
(19) Wed Nov 1 20:23:04 2017: Debug: Module-Failure-Message := "rest: Server
returned:"
(19) Wed Nov 1 20:23:04 2017: Debug: Sent Access-Challenge Id 199 from
192.168.1.5:1812 to 192.168.1.12:42371 length 0
(19) Wed Nov 1 20:23:04 2017: Debug: EAP-Message =
0x0109002e19001703030023c533942a5ebc7a75646da7f31d383d825f9d81eae05046d9a7c8518889d28455d0fecb
(19) Wed Nov 1 20:23:04 2017: Debug: Message-Authenticator =
0x00000000000000000000000000000000
(19) Wed Nov 1 20:23:04 2017: Debug: State =
0x8486bcf28c8fa5c8f46e2d7c49360c33
(19) Wed Nov 1 20:23:04 2017: Debug: Finished request
>Hello James,
>
>can you run radius in debug mode and retry a connection, i would like to
>see the radius request.
>
>raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3000
>
>Regards
>
>Fabrice
>
>
>
>Le 2017-11-01 à 14:21, James Garcellano via PacketFence-users a écrit :
>>
>> Hello everyone,
>>
>>
>>
>> I would like to find out if the Netgear GSM4325PS (M4300 series)
>> switch is supported with PacketFence.
>>
>>
>>
>> The documentation for support network switches state that the Netgear
>> M-Series switches are supported for 802.1x Wired Authentication, so
>> I'm assuming the configuration guidelines that are given should work.
>>
>>
>>
>> I have configured one such switch in a test lab that I put together.
>> When I plug in a laptop, while monitoring the
>> /usr/local/pf/log/packetfence.log, I see the following messages:
>>
>>
>>
>> Nov 1 18:18:33 packetfence-zen packetfence_httpd.aaa: httpd.aaa(2852)
>> INFO: [mac:00:21:70:d8:ac:45] handling radius autz request: from
>> switch_ip => (192.168.1.5), connection_type => Ethernet-EAP,switch_mac
>> => (b0:b9:8a:46:3d:0e), mac => [00:21:70:d8:ac:45], port => 1,
>> username => "PFDOMAIN\testme" (pf::radius::authorize)
>>
>> Nov 1 18:18:33 packetfence-zen packetfence_httpd.aaa: httpd.aaa(2852)
>> ERROR: [mac:00:21:70:d8:ac:45] Wired 802.1X is not supported on switch
>> type pf::Switch::PacketFence. Please let us know what hardware you are
>> using. (pf::Switch::supportsWiredDot1x)
>>
>> Nov 1 18:18:33 packetfence-zen packetfence_httpd.aaa: httpd.aaa(2852)
>> WARN: [mac:00:21:70:d8:ac:45] (192.168.1.5) Sending REJECT since
>> switch is unsupported (pf::radius::_switchUnsupportedReply)
>>
>>
>>
>> 192.168.1.5 is the PacketFence server.
>>
>> 00:21:70:d8:ac:45 is a Dell laptop with Windows 10 configured with
>> 802.1x Security and associated credentials.
>>
>>
>>
>> A similar setup is working with the same laptop connected to a Cisco
>> 2960G series switch.
>>
>>
>>
>> If any more information is required, please let me know.
>>
>>
>>
>> Thank you all!
>>
>>
>>
>> James Garcellano
>>
>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>
>>
>> _______________________________________________
>> PacketFence-users mailing list
>> PacketFence-users@...
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>--
>Fabrice Durand
>fdurand@... :: +1.514.447.4918 (x135) :: http://www.inverse.ca
James Garcellano
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
