Hello James,

A little bit weird: the NAS-IP-Address is equal to 192.168.1.5 and should
be equal to 192.168.1.12.

Did you change something in the Netgear config to set the NAS IP Address
to the wrong value?

Regards

Fabrice
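
The check made in the reply above (packet source address against the NAS-IP-Address attribute), written as a script over raddebug output. This is an added example, not part of the original thread and not PacketFence or FreeRADIUS code; the function names and verdict labels are assumptions, request (19) in the sample is taken from the log quoted below, and request (20) is constructed for contrast.

```python
import re
from typing import Dict, List, Optional

# "Received Access-Request Id 199 from SRC:port to DST:port" header line.
RECEIVED = re.compile(
    r"Received (?P<code>[\w-]+) Id (?P<id>\d+) from "
    r"(?P<src>[\d.]+):\d+ to (?P<dst>[\d.]+):\d+"
)
# Outer-request attribute line only (module-prefixed copies such as
# "eap_peap:   NAS-IP-Address = ..." are deliberately not matched).
NAS_IP = re.compile(r"Debug:\s+NAS-IP-Address = (?P<nas>[\d.]+)\s*$")
REQ_NO = re.compile(r"^\((\d+)\)\s")


def unfold(text: str) -> List[str]:
    """Strip mail quoting ("> ") and rejoin wrapped lines.

    Every real raddebug line starts with "(N) ", so anything else is a
    continuation of the previous line.
    """
    lines: List[str] = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).rstrip()
        if not line:
            continue
        if REQ_NO.match(line) or not lines:
            lines.append(line)
        else:
            lines[-1] += " " + line.lstrip()
    return lines


def classify(src: str, dst: str, nas: str) -> str:
    """Compare the attribute with the addresses seen on the wire."""
    if nas == src:
        return "ok"
    if nas == dst:
        # The switch is announcing the RADIUS server's own address.
        return "nas-ip-is-radius-server"
    # Can be legitimate (NAT, multi-homed NAS), but worth a look.
    return "mismatch"


def check_nas_ip(text: str) -> List[Dict[str, str]]:
    """Return one finding per received request that carries NAS-IP-Address."""
    findings: List[Dict[str, str]] = []
    pending: Optional[Dict[str, str]] = None  # header awaiting its attribute
    for line in unfold(text):
        req = REQ_NO.match(line)
        if req is None:
            continue
        hdr = RECEIVED.search(line)
        if hdr:
            pending = {"request": req.group(1),
                       "src": hdr["src"], "dst": hdr["dst"]}
            continue
        nas = NAS_IP.search(line)
        if nas and pending and pending["request"] == req.group(1):
            pending["nas_ip"] = nas["nas"]
            pending["verdict"] = classify(pending["src"], pending["dst"],
                                          nas["nas"])
            findings.append(pending)
            pending = None
    return findings


# Request (19): values from the quoted log, still mail-quoted and wrapped.
# Request (20): constructed, showing what a consistent request looks like.
SAMPLE = """
> (19) Wed Nov  1 20:23:01 2017: Debug: Received Access-Request Id 199 from
> 192.168.1.12:42371 to 192.168.1.5:1812 length 193
> (19) Wed Nov  1 20:23:01 2017: Debug:   Called-Station-Id =
> "b0-b9-8a-46-3d-0e"
> (19) Wed Nov  1 20:23:01 2017: Debug:   NAS-IP-Address = 192.168.1.5
> (19) Wed Nov  1 20:23:01 2017: Debug: eap_peap:   NAS-IP-Address = 192.168.1.5
(20) Wed Nov  1 20:24:10 2017: Debug: Received Access-Request Id 200 from 192.168.1.12:42371 to 192.168.1.5:1812 length 193
(20) Wed Nov  1 20:24:10 2017: Debug:   NAS-IP-Address = 192.168.1.12
"""

if __name__ == "__main__":
    for f in check_nas_ip(SAMPLE):
        print("({request}) src={src} dst={dst} NAS-IP-Address={nas_ip} "
              "-> {verdict}".format(**f))
```

In the quoted log the REST reply reports `PacketFence-Switch-Id` and `PacketFence-Switch-Ip-Address` as 192.168.1.5, the same value the switch sent in NAS-IP-Address, while the packet itself came from 192.168.1.12.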


On 2017-11-01 at 16:48, James Garcellano via PacketFence-users wrote:
> Hello Fabrice,
>
> Here is the raddebug output when the laptop is plugged into port 1/0/1 on the 
> Netgear switch.
>
> (19) Wed Nov  1 20:23:01 2017: Debug: Received Access-Request Id 199 from 
> 192.168.1.12:42371 to 192.168.1.5:1812 length 193
> (19) Wed Nov  1 20:23:01 2017: Debug:   User-Name = "PFDOMAIN\\testme"
> (19) Wed Nov  1 20:23:01 2017: Debug:   Called-Station-Id = 
> "b0-b9-8a-46-3d-0e"
> (19) Wed Nov  1 20:23:01 2017: Debug:   Calling-Station-Id = 
> "00:21:70:d8:ac:45"
> (19) Wed Nov  1 20:23:01 2017: Debug:   NAS-Identifier = "b0-b9-8a-46-3d-0c"
> (19) Wed Nov  1 20:23:01 2017: Debug:   NAS-IP-Address = 192.168.1.5
> (19) Wed Nov  1 20:23:01 2017: Debug:   NAS-Port = 1
> (19) Wed Nov  1 20:23:01 2017: Debug:   Framed-MTU = 1500
> (19) Wed Nov  1 20:23:01 2017: Debug:   NAS-Port-Type = Ethernet
> (19) Wed Nov  1 20:23:01 2017: Debug:   State = 
> 0x8486bcf2838ea5c8f46e2d7c49360c33
> (19) Wed Nov  1 20:23:01 2017: Debug:   EAP-Message = 
> 0x020800251900170303001a00000000000000036316860ca21a6feb5ba6b143952509a3497c
> (19) Wed Nov  1 20:23:01 2017: Debug:   Message-Authenticator = 
> 0xa5b0c93919523b9f5645ee9214488c57
> (19) Wed Nov  1 20:23:01 2017: Debug: session-state: No cached attributes
> (19) Wed Nov  1 20:23:01 2017: Debug: # Executing section authorize from file 
> /usr/local/pf/raddb/sites-enabled/packetfence
> (19) Wed Nov  1 20:23:01 2017: Debug:   authorize {
> (19) Wed Nov  1 20:23:01 2017: Debug:     update {
> (19) Wed Nov  1 20:23:01 2017: Debug:       EXPAND %{Packet-Src-IP-Address}
> (19) Wed Nov  1 20:23:01 2017: Debug:          --> 192.168.1.12
> (19) Wed Nov  1 20:23:01 2017: Debug:       EXPAND %l
> (19) Wed Nov  1 20:23:01 2017: Debug:          --> 1509567781
> (19) Wed Nov  1 20:23:01 2017: Debug:     } # update = noop
> (19) Wed Nov  1 20:23:01 2017: Debug:     policy rewrite_calling_station_id {
> (19) Wed Nov  1 20:23:01 2017: Debug:       if (&Calling-Station-Id && 
> (&Calling-Station-Id =~ 
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
>  {
> (19) Wed Nov  1 20:23:01 2017: Debug:       if (&Calling-Station-Id && 
> (&Calling-Station-Id =~ 
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
>   -> TRUE
> (19) Wed Nov  1 20:23:01 2017: Debug:       if (&Calling-Station-Id && 
> (&Calling-Station-Id =~ 
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
>   {
> (19) Wed Nov  1 20:23:01 2017: Debug:         update request {
> (19) Wed Nov  1 20:23:01 2017: Debug:           EXPAND 
> %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
> (19) Wed Nov  1 20:23:01 2017: Debug:              --> 00:21:70:d8:ac:45
> (19) Wed Nov  1 20:23:01 2017: Debug:         } # update request = noop
> (19) Wed Nov  1 20:23:01 2017: Debug:         [updated] = updated
> (19) Wed Nov  1 20:23:01 2017: Debug:       } # if (&Calling-Station-Id && 
> (&Calling-Station-Id =~ 
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
>   = updated
> (19) Wed Nov  1 20:23:01 2017: Debug:       ... skipping else: Preceding "if" 
> was taken
> (19) Wed Nov  1 20:23:01 2017: Debug:     } # policy 
> rewrite_calling_station_id = updated
> (19) Wed Nov  1 20:23:01 2017: Debug:     policy rewrite_called_station_id {
> (19) Wed Nov  1 20:23:01 2017: Debug:       if ((&Called-Station-Id) && 
> (&Called-Station-Id =~ 
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
>  {
> (19) Wed Nov  1 20:23:01 2017: Debug:       if ((&Called-Station-Id) && 
> (&Called-Station-Id =~ 
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
>   -> TRUE
> (19) Wed Nov  1 20:23:01 2017: Debug:       if ((&Called-Station-Id) && 
> (&Called-Station-Id =~ 
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
>   {
> (19) Wed Nov  1 20:23:01 2017: Debug:         update request {
> (19) Wed Nov  1 20:23:01 2017: Debug:           EXPAND 
> %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
> (19) Wed Nov  1 20:23:01 2017: Debug:              --> b0:b9:8a:46:3d:0e
> (19) Wed Nov  1 20:23:01 2017: Debug:         } # update request = noop
> (19) Wed Nov  1 20:23:01 2017: Debug:         if ("%{8}") {
> (19) Wed Nov  1 20:23:01 2017: Debug:         EXPAND %{8}
> (19) Wed Nov  1 20:23:01 2017: Debug:            -->
> (19) Wed Nov  1 20:23:01 2017: Debug:         if ("%{8}")  -> FALSE
> (19) Wed Nov  1 20:23:01 2017: Debug:         elsif ( (Colubris-AVPair) && 
> "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) {
> (19) Wed Nov  1 20:23:01 2017: Debug:         elsif ( (Colubris-AVPair) && 
> "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i)  -> FALSE
> (19) Wed Nov  1 20:23:01 2017: Debug:         elsif (Aruba-Essid-Name) {
> (19) Wed Nov  1 20:23:01 2017: Debug:         elsif (Aruba-Essid-Name)  -> 
> FALSE
> (19) Wed Nov  1 20:23:01 2017: Debug:         elsif ( (Cisco-AVPair)  && 
> "%{Cisco-AVPair}" =~ /^ssid=(.*)$/i) {
> (19) Wed Nov  1 20:23:01 2017: Debug:         elsif ( (Cisco-AVPair)  && 
> "%{Cisco-AVPair}" =~ /^ssid=(.*)$/i)  -> FALSE
> (19) Wed Nov  1 20:23:01 2017: Debug:         [updated] = updated
> (19) Wed Nov  1 20:23:01 2017: Debug:       } # if ((&Called-Station-Id) && 
> (&Called-Station-Id =~ 
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
>   = updated
> (19) Wed Nov  1 20:23:01 2017: Debug:       ... skipping else: Preceding "if" 
> was taken
> (19) Wed Nov  1 20:23:01 2017: Debug:     } # policy 
> rewrite_called_station_id = updated
> (19) Wed Nov  1 20:23:01 2017: Debug:     policy filter_username {
> (19) Wed Nov  1 20:23:01 2017: Debug:       if (&User-Name) {
> (19) Wed Nov  1 20:23:01 2017: Debug:       if (&User-Name)  -> TRUE
> (19) Wed Nov  1 20:23:01 2017: Debug:       if (&User-Name)  {
> (19) Wed Nov  1 20:23:01 2017: Debug:         if (&User-Name =~ / /) {
> (19) Wed Nov  1 20:23:01 2017: Debug:         if (&User-Name =~ / /)  -> FALSE
> (19) Wed Nov  1 20:23:01 2017: Debug:         if (&User-Name =~ /@[^@]*@/ ) {
> (19) Wed Nov  1 20:23:01 2017: Debug:         if (&User-Name =~ /@[^@]*@/ )  
> -> FALSE
> (19) Wed Nov  1 20:23:01 2017: Debug:         if (&User-Name =~ /\.\./ ) {
> (19) Wed Nov  1 20:23:01 2017: Debug:         if (&User-Name =~ /\.\./ )  -> 
> FALSE
> (19) Wed Nov  1 20:23:01 2017: Debug:         if ((&User-Name =~ /@/) && 
> (&User-Name !~ /@(.+)\.(.+)$/))  {
> (19) Wed Nov  1 20:23:01 2017: Debug:         if ((&User-Name =~ /@/) && 
> (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (19) Wed Nov  1 20:23:01 2017: Debug:         if (&User-Name =~ /\.$/)  {
> (19) Wed Nov  1 20:23:01 2017: Debug:         if (&User-Name =~ /\.$/)   -> 
> FALSE
> (19) Wed Nov  1 20:23:01 2017: Debug:         if (&User-Name =~ /@\./)  {
> (19) Wed Nov  1 20:23:01 2017: Debug:         if (&User-Name =~ /@\./)   -> 
> FALSE
> (19) Wed Nov  1 20:23:01 2017: Debug:       } # if (&User-Name)  = updated
> (19) Wed Nov  1 20:23:01 2017: Debug:     } # policy filter_username = updated
> (19) Wed Nov  1 20:23:01 2017: Debug:     policy filter_password {
> (19) Wed Nov  1 20:23:01 2017: Debug:       if (&User-Password &&          
> (&User-Password != "%{string:User-Password}")) {
> (19) Wed Nov  1 20:23:01 2017: Debug:       if (&User-Password &&          
> (&User-Password != "%{string:User-Password}"))  -> FALSE
> (19) Wed Nov  1 20:23:01 2017: Debug:     } # policy filter_password = updated
> (19) Wed Nov  1 20:23:01 2017: Debug:     [preprocess] = ok
> (19) Wed Nov  1 20:23:01 2017: Debug: suffix: Checking for suffix after "@"
> (19) Wed Nov  1 20:23:01 2017: Debug: suffix: No '@' in User-Name = 
> "PFDOMAIN\testme", skipping NULL due to config.
> (19) Wed Nov  1 20:23:01 2017: Debug:     [suffix] = noop
> (19) Wed Nov  1 20:23:01 2017: Debug: ntdomain: Checking for prefix before "\"
> (19) Wed Nov  1 20:23:01 2017: Debug: ntdomain: Looking up realm "PFDOMAIN" 
> for User-Name = "PFDOMAIN\testme"
> (19) Wed Nov  1 20:23:01 2017: Debug: ntdomain: Found realm "pfdomain"
> (19) Wed Nov  1 20:23:01 2017: Debug: ntdomain: Adding Stripped-User-Name = 
> "testme"
> (19) Wed Nov  1 20:23:01 2017: Debug: ntdomain: Adding Realm = "pfdomain"
> (19) Wed Nov  1 20:23:01 2017: Debug: ntdomain: Authentication realm is LOCAL
> (19) Wed Nov  1 20:23:01 2017: Debug:     [ntdomain] = ok
> (19) Wed Nov  1 20:23:01 2017: Debug: eap: Peer sent EAP Response (code 2) ID 
> 8 length 37
> (19) Wed Nov  1 20:23:01 2017: Debug: eap: Continuing tunnel setup
> (19) Wed Nov  1 20:23:01 2017: Debug:     [eap] = ok
> (19) Wed Nov  1 20:23:01 2017: Debug:   } # authorize = ok
> (19) Wed Nov  1 20:23:01 2017: Debug: Found Auth-Type = eap
> (19) Wed Nov  1 20:23:01 2017: Debug: # Executing group from file 
> /usr/local/pf/raddb/sites-enabled/packetfence
> (19) Wed Nov  1 20:23:01 2017: Debug:   authenticate {
> (19) Wed Nov  1 20:23:01 2017: Debug: eap: Expiring EAP session with state 
> 0x02989cb2039086a0
> (19) Wed Nov  1 20:23:01 2017: Debug: eap: Finished EAP session with state 
> 0x8486bcf2838ea5c8
> (19) Wed Nov  1 20:23:01 2017: Debug: eap: Previous EAP request found for 
> state 0x8486bcf2838ea5c8, released from the list
> (19) Wed Nov  1 20:23:01 2017: Debug: eap: Peer sent packet with method EAP 
> PEAP (25)
> (19) Wed Nov  1 20:23:01 2017: Debug: eap: Calling submodule eap_peap to 
> process data
> (19) Wed Nov  1 20:23:01 2017: Debug: eap_peap: Continuing EAP-TLS
> (19) Wed Nov  1 20:23:01 2017: Debug: eap_peap: [eaptls verify] = ok
> (19) Wed Nov  1 20:23:01 2017: Debug: eap_peap: Done initial handshake
> (19) Wed Nov  1 20:23:01 2017: Debug: eap_peap: [eaptls process] = ok
> (19) Wed Nov  1 20:23:01 2017: Debug: eap_peap: Session established.  
> Decoding tunneled attributes
> (19) Wed Nov  1 20:23:01 2017: Debug: eap_peap: PEAP state phase2
> (19) Wed Nov  1 20:23:01 2017: Debug: eap_peap: EAP method MSCHAPv2 (26)
> (19) Wed Nov  1 20:23:01 2017: Debug: eap_peap: Got tunneled request
> (19) Wed Nov  1 20:23:01 2017: Debug: eap_peap:   EAP-Message = 0x020800061a03
> (19) Wed Nov  1 20:23:01 2017: Debug: eap_peap: Setting User-Name to 
> PFDOMAIN\testme
> (19) Wed Nov  1 20:23:01 2017: Debug: eap_peap: Sending tunneled request to 
> packetfence-tunnel
> (19) Wed Nov  1 20:23:01 2017: Debug: eap_peap:   EAP-Message = 0x020800061a03
> (19) Wed Nov  1 20:23:01 2017: Debug: eap_peap:   FreeRADIUS-Proxied-To = 
> 127.0.0.1
> (19) Wed Nov  1 20:23:01 2017: Debug: eap_peap:   User-Name = 
> "PFDOMAIN\\testme"
> (19) Wed Nov  1 20:23:01 2017: Debug: eap_peap:   State = 
> 0x02989cb2039086a03851ec7eb5936384
> (19) Wed Nov  1 20:23:01 2017: Debug: eap_peap:   Calling-Station-Id := 
> "00:21:70:d8:ac:45"
> (19) Wed Nov  1 20:23:01 2017: Debug: eap_peap:   NAS-Identifier = 
> "b0-b9-8a-46-3d-0c"
> (19) Wed Nov  1 20:23:01 2017: Debug: eap_peap:   NAS-IP-Address = 192.168.1.5
> (19) Wed Nov  1 20:23:01 2017: Debug: eap_peap:   NAS-Port = 1
> (19) Wed Nov  1 20:23:01 2017: Debug: eap_peap:   Framed-MTU = 1500
> (19) Wed Nov  1 20:23:01 2017: Debug: eap_peap:   NAS-Port-Type = Ethernet
> (19) Wed Nov  1 20:23:01 2017: Debug: eap_peap:   Called-Station-Id := 
> "b0:b9:8a:46:3d:0e"
> (19) Wed Nov  1 20:23:01 2017: Debug: eap_peap:   Event-Timestamp = "Nov  1 
> 2017 20:23:01 UTC"
> (19) Wed Nov  1 20:23:01 2017: Debug: Virtual server packetfence-tunnel 
> received request
> (19) Wed Nov  1 20:23:01 2017: Debug:   EAP-Message = 0x020800061a03
> (19) Wed Nov  1 20:23:01 2017: Debug:   FreeRADIUS-Proxied-To = 127.0.0.1
> (19) Wed Nov  1 20:23:01 2017: Debug:   User-Name = "PFDOMAIN\\testme"
> (19) Wed Nov  1 20:23:01 2017: Debug:   State = 
> 0x02989cb2039086a03851ec7eb5936384
> (19) Wed Nov  1 20:23:01 2017: Debug:   Calling-Station-Id := 
> "00:21:70:d8:ac:45"
> (19) Wed Nov  1 20:23:01 2017: Debug:   NAS-Identifier = "b0-b9-8a-46-3d-0c"
> (19) Wed Nov  1 20:23:01 2017: Debug:   NAS-IP-Address = 192.168.1.5
> (19) Wed Nov  1 20:23:01 2017: Debug:   NAS-Port = 1
> (19) Wed Nov  1 20:23:01 2017: Debug:   Framed-MTU = 1500
> (19) Wed Nov  1 20:23:01 2017: Debug:   NAS-Port-Type = Ethernet
> (19) Wed Nov  1 20:23:01 2017: Debug:   Called-Station-Id := 
> "b0:b9:8a:46:3d:0e"
> (19) Wed Nov  1 20:23:01 2017: Debug:   Event-Timestamp = "Nov  1 2017 
> 20:23:01 UTC"
> (19) Wed Nov  1 20:23:01 2017: WARNING: Outer and inner identities are the 
> same.  User privacy is compromised.
> (19) Wed Nov  1 20:23:01 2017: Debug: server packetfence-tunnel {
> (19) Wed Nov  1 20:23:01 2017: Debug:   session-state: No cached attributes
> (19) Wed Nov  1 20:23:01 2017: Debug:   # Executing section authorize from 
> file /usr/local/pf/raddb/sites-enabled/packetfence-tunnel
> (19) Wed Nov  1 20:23:01 2017: Debug:     authorize {
> (19) Wed Nov  1 20:23:01 2017: Debug:       if ( outer.EAP-Type == TTLS) {
> (19) Wed Nov  1 20:23:01 2017: Debug:       if ( outer.EAP-Type == TTLS)  -> 
> FALSE
> (19) Wed Nov  1 20:23:01 2017: Debug:       policy filter_username {
> (19) Wed Nov  1 20:23:01 2017: Debug:         if (&User-Name) {
> (19) Wed Nov  1 20:23:01 2017: Debug:         if (&User-Name)  -> TRUE
> (19) Wed Nov  1 20:23:01 2017: Debug:         if (&User-Name)  {
> (19) Wed Nov  1 20:23:01 2017: Debug:           if (&User-Name =~ / /) {
> (19) Wed Nov  1 20:23:01 2017: Debug:           if (&User-Name =~ / /)  -> 
> FALSE
> (19) Wed Nov  1 20:23:01 2017: Debug:           if (&User-Name =~ /@[^@]*@/ ) 
> {
> (19) Wed Nov  1 20:23:01 2017: Debug:           if (&User-Name =~ /@[^@]*@/ ) 
>  -> FALSE
> (19) Wed Nov  1 20:23:01 2017: Debug:           if (&User-Name =~ /\.\./ ) {
> (19) Wed Nov  1 20:23:01 2017: Debug:           if (&User-Name =~ /\.\./ )  
> -> FALSE
> (19) Wed Nov  1 20:23:01 2017: Debug:           if ((&User-Name =~ /@/) && 
> (&User-Name !~ /@(.+)\.(.+)$/))  {
> (19) Wed Nov  1 20:23:01 2017: Debug:           if ((&User-Name =~ /@/) && 
> (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (19) Wed Nov  1 20:23:01 2017: Debug:           if (&User-Name =~ /\.$/)  {
> (19) Wed Nov  1 20:23:01 2017: Debug:           if (&User-Name =~ /\.$/)   -> 
> FALSE
> (19) Wed Nov  1 20:23:01 2017: Debug:           if (&User-Name =~ /@\./)  {
> (19) Wed Nov  1 20:23:01 2017: Debug:           if (&User-Name =~ /@\./)   -> 
> FALSE
> (19) Wed Nov  1 20:23:01 2017: Debug:         } # if (&User-Name)  = notfound
> (19) Wed Nov  1 20:23:01 2017: Debug:       } # policy filter_username = 
> notfound
> (19) Wed Nov  1 20:23:01 2017: Debug:       [mschap] = noop
> (19) Wed Nov  1 20:23:01 2017: Debug: suffix: Checking for suffix after "@"
> (19) Wed Nov  1 20:23:01 2017: Debug: suffix: No '@' in User-Name = 
> "PFDOMAIN\testme", skipping NULL due to config.
> (19) Wed Nov  1 20:23:01 2017: Debug:       [suffix] = noop
> (19) Wed Nov  1 20:23:01 2017: Debug: ntdomain: Checking for prefix before "\"
> (19) Wed Nov  1 20:23:01 2017: Debug: ntdomain: Looking up realm "PFDOMAIN" 
> for User-Name = "PFDOMAIN\testme"
> (19) Wed Nov  1 20:23:01 2017: Debug: ntdomain: Found realm "pfdomain"
> (19) Wed Nov  1 20:23:01 2017: Debug: ntdomain: Adding Stripped-User-Name = 
> "testme"
> (19) Wed Nov  1 20:23:01 2017: Debug: ntdomain: Adding Realm = "pfdomain"
> (19) Wed Nov  1 20:23:01 2017: Debug: ntdomain: Authentication realm is LOCAL
> (19) Wed Nov  1 20:23:01 2017: Debug:       [ntdomain] = ok
> (19) Wed Nov  1 20:23:01 2017: Debug: packetfence-multi-domain:   
> $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'PFDOMAIN\testme'
> (19) Wed Nov  1 20:23:01 2017: Debug: packetfence-multi-domain:   
> $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '192.168.1.5'
> (19) Wed Nov  1 20:23:01 2017: Debug: packetfence-multi-domain:   
> $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '1'
> (19) Wed Nov  1 20:23:01 2017: Debug: packetfence-multi-domain:   
> $RAD_REQUEST{'Framed-MTU'} = &request:Framed-MTU -> '1500'
> (19) Wed Nov  1 20:23:01 2017: Debug: packetfence-multi-domain:   
> $RAD_REQUEST{'State'} = &request:State -> '0x02989cb2039086a03851ec7eb5936384'
> (19) Wed Nov  1 20:23:01 2017: Debug: packetfence-multi-domain:   
> $RAD_REQUEST{'Called-Station-Id'} = &request:Called-Station-Id -> 
> 'b0:b9:8a:46:3d:0e'
> (19) Wed Nov  1 20:23:01 2017: Debug: packetfence-multi-domain:   
> $RAD_REQUEST{'Calling-Station-Id'} = &request:Calling-Station-Id -> 
> '00:21:70:d8:ac:45'
> (19) Wed Nov  1 20:23:01 2017: Debug: packetfence-multi-domain:   
> $RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier -> 
> 'b0-b9-8a-46-3d-0c'
> (19) Wed Nov  1 20:23:01 2017: Debug: packetfence-multi-domain:   
> $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Ethernet'
> (19) Wed Nov  1 20:23:01 2017: Debug: packetfence-multi-domain:   
> $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Nov  1 2017 
> 20:23:01 UTC'
> (19) Wed Nov  1 20:23:01 2017: Debug: packetfence-multi-domain:   
> $RAD_REQUEST{'EAP-Message'} = &request:EAP-Message -> '0x020800061a03'
> (19) Wed Nov  1 20:23:01 2017: Debug: packetfence-multi-domain:   
> $RAD_REQUEST{'FreeRADIUS-Proxied-To'} = &request:FreeRADIUS-Proxied-To -> 
> '127.0.0.1'
> (19) Wed Nov  1 20:23:01 2017: Debug: packetfence-multi-domain:   
> $RAD_REQUEST{'Stripped-User-Name'} = &request:Stripped-User-Name -> 'testme'
> (19) Wed Nov  1 20:23:01 2017: Debug: packetfence-multi-domain:   
> $RAD_REQUEST{'Realm'} = &request:Realm -> 'pfdomain'
> (19) Wed Nov  1 20:23:01 2017: Debug: packetfence-multi-domain: 
> &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 'Ethernet'
> (19) Wed Nov  1 20:23:01 2017: Debug: packetfence-multi-domain: 
> &request:Calling-Station-Id = $RAD_REQUEST{'Calling-Station-Id'} -> 
> '00:21:70:d8:ac:45'
> (19) Wed Nov  1 20:23:01 2017: Debug: packetfence-multi-domain: 
> &request:Called-Station-Id = $RAD_REQUEST{'Called-Station-Id'} -> 
> 'b0:b9:8a:46:3d:0e'
> (19) Wed Nov  1 20:23:01 2017: Debug: packetfence-multi-domain: 
> &request:State = $RAD_REQUEST{'State'} -> '0x02989cb2039086a03851ec7eb5936384'
> (19) Wed Nov  1 20:23:01 2017: Debug: packetfence-multi-domain: 
> &request:FreeRADIUS-Proxied-To = $RAD_REQUEST{'FreeRADIUS-Proxied-To'} -> 
> '127.0.0.1'
> (19) Wed Nov  1 20:23:01 2017: Debug: packetfence-multi-domain: 
> &request:PacketFence-Domain = $RAD_REQUEST{'PacketFence-Domain'} -> 
> 'Win2012AD'
> (19) Wed Nov  1 20:23:01 2017: Debug: packetfence-multi-domain: 
> &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'PFDOMAIN\testme'
> (19) Wed Nov  1 20:23:01 2017: Debug: packetfence-multi-domain: 
> &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Nov  1 2017 
> 20:23:01 UTC'
> (19) Wed Nov  1 20:23:01 2017: Debug: packetfence-multi-domain: 
> &request:NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} -> 
> 'b0-b9-8a-46-3d-0c'
> (19) Wed Nov  1 20:23:01 2017: Debug: packetfence-multi-domain: 
> &request:EAP-Message = $RAD_REQUEST{'EAP-Message'} -> '0x020800061a03'
> (19) Wed Nov  1 20:23:01 2017: Debug: packetfence-multi-domain: 
> &request:Realm = $RAD_REQUEST{'Realm'} -> 'pfdomain'
> (19) Wed Nov  1 20:23:01 2017: Debug: packetfence-multi-domain: 
> &request:Stripped-User-Name = $RAD_REQUEST{'Stripped-User-Name'} -> 'testme'
> (19) Wed Nov  1 20:23:01 2017: Debug: packetfence-multi-domain: 
> &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '192.168.1.5'
> (19) Wed Nov  1 20:23:01 2017: Debug: packetfence-multi-domain: 
> &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '1'
> (19) Wed Nov  1 20:23:01 2017: Debug: packetfence-multi-domain: 
> &request:Framed-MTU = $RAD_REQUEST{'Framed-MTU'} -> '1500'
> (19) Wed Nov  1 20:23:01 2017: Debug:       [packetfence-multi-domain] = 
> updated
> (19) Wed Nov  1 20:23:01 2017: Debug:       update control {
> (19) Wed Nov  1 20:23:01 2017: Debug:       } # update control = noop
> (19) Wed Nov  1 20:23:01 2017: Debug: eap: Peer sent EAP Response (code 2) ID 
> 8 length 6
> (19) Wed Nov  1 20:23:01 2017: Debug: eap: No EAP Start, assuming it's an 
> on-going EAP conversation
> (19) Wed Nov  1 20:23:01 2017: Debug:       [eap] = updated
> (19) Wed Nov  1 20:23:01 2017: Debug:       policy rewrite_called_station_id {
> (19) Wed Nov  1 20:23:01 2017: Debug:         if ((&Called-Station-Id) && 
> (&Called-Station-Id =~ 
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
>  {
> (19) Wed Nov  1 20:23:01 2017: Debug:         if ((&Called-Station-Id) && 
> (&Called-Station-Id =~ 
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
>   -> TRUE
> (19) Wed Nov  1 20:23:01 2017: Debug:         if ((&Called-Station-Id) && 
> (&Called-Station-Id =~ 
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
>   {
> (19) Wed Nov  1 20:23:01 2017: Debug:           update request {
> (19) Wed Nov  1 20:23:01 2017: Debug:             EXPAND 
> %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
> (19) Wed Nov  1 20:23:01 2017: Debug:                --> b0:b9:8a:46:3d:0e
> (19) Wed Nov  1 20:23:01 2017: Debug:           } # update request = noop
> (19) Wed Nov  1 20:23:01 2017: Debug:           if ("%{8}") {
> (19) Wed Nov  1 20:23:01 2017: Debug:           EXPAND %{8}
> (19) Wed Nov  1 20:23:01 2017: Debug:              -->
> (19) Wed Nov  1 20:23:01 2017: Debug:           if ("%{8}")  -> FALSE
> (19) Wed Nov  1 20:23:01 2017: Debug:           elsif ( (Colubris-AVPair) && 
> "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) {
> (19) Wed Nov  1 20:23:01 2017: Debug:           elsif ( (Colubris-AVPair) && 
> "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i)  -> FALSE
> (19) Wed Nov  1 20:23:01 2017: Debug:           elsif (Aruba-Essid-Name) {
> (19) Wed Nov  1 20:23:01 2017: Debug:           elsif (Aruba-Essid-Name)  -> 
> FALSE
> (19) Wed Nov  1 20:23:01 2017: Debug:           elsif ( (Cisco-AVPair)  && 
> "%{Cisco-AVPair}" =~ /^ssid=(.*)$/i) {
> (19) Wed Nov  1 20:23:01 2017: Debug:           elsif ( (Cisco-AVPair)  && 
> "%{Cisco-AVPair}" =~ /^ssid=(.*)$/i)  -> FALSE
> (19) Wed Nov  1 20:23:01 2017: Debug:           [updated] = updated
> (19) Wed Nov  1 20:23:01 2017: Debug:         } # if ((&Called-Station-Id) && 
> (&Called-Station-Id =~ 
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
>   = updated
> (19) Wed Nov  1 20:23:01 2017: Debug:         ... skipping else: Preceding 
> "if" was taken
> (19) Wed Nov  1 20:23:01 2017: Debug:       } # policy 
> rewrite_called_station_id = updated
> (19) Wed Nov  1 20:23:01 2017: Debug:       [pap] = noop
> (19) Wed Nov  1 20:23:01 2017: Debug:     } # authorize = updated
> (19) Wed Nov  1 20:23:01 2017: WARNING:   You set Proxy-To-Realm = local, but 
> it is a LOCAL realm!  Cancelling proxy request.
> (19) Wed Nov  1 20:23:01 2017: Debug:   Found Auth-Type = eap
> (19) Wed Nov  1 20:23:01 2017: Debug:   # Executing group from file 
> /usr/local/pf/raddb/sites-enabled/packetfence-tunnel
> (19) Wed Nov  1 20:23:01 2017: Debug:     authenticate {
> (19) Wed Nov  1 20:23:01 2017: Debug: eap: Expiring EAP session with state 
> 0x02989cb2039086a0
> (19) Wed Nov  1 20:23:01 2017: Debug: eap: Finished EAP session with state 
> 0x02989cb2039086a0
> (19) Wed Nov  1 20:23:01 2017: Debug: eap: Previous EAP request found for 
> state 0x02989cb2039086a0, released from the list
> (19) Wed Nov  1 20:23:01 2017: Debug: eap: Peer sent packet with method EAP 
> MSCHAPv2 (26)
> (19) Wed Nov  1 20:23:01 2017: Debug: eap: Calling submodule eap_mschapv2 to 
> process data
> (19) Wed Nov  1 20:23:01 2017: Debug: eap: Sending EAP Success (code 3) ID 8 
> length 4
> (19) Wed Nov  1 20:23:01 2017: Debug: eap: Freeing handler
> (19) Wed Nov  1 20:23:01 2017: Debug:       [eap] = ok
> (19) Wed Nov  1 20:23:01 2017: Debug:     } # authenticate = ok
> (19) Wed Nov  1 20:23:01 2017: Debug:   # Executing section post-auth from 
> file /usr/local/pf/raddb/sites-enabled/packetfence-tunnel
> (19) Wed Nov  1 20:23:01 2017: Debug:     post-auth {
> (19) Wed Nov  1 20:23:01 2017: Debug: rest: Expanding URI components
> (19) Wed Nov  1 20:23:01 2017: Debug: rest: EXPAND http://127.0.0.1:7070
> (19) Wed Nov  1 20:23:01 2017: Debug: rest:    --> http://127.0.0.1:7070
> (19) Wed Nov  1 20:23:01 2017: Debug: rest: EXPAND //radius/rest/authorize
> (19) Wed Nov  1 20:23:01 2017: Debug: rest:    --> //radius/rest/authorize
> (19) Wed Nov  1 20:23:01 2017: Debug: rest: Sending HTTP POST to 
> "http://127.0.0.1:7070//radius/rest/authorize"
> (19) Wed Nov  1 20:23:01 2017: Debug: rest: Encoding attribute "User-Name"
> (19) Wed Nov  1 20:23:01 2017: Debug: rest: Encoding attribute 
> "NAS-IP-Address"
> (19) Wed Nov  1 20:23:01 2017: Debug: rest: Encoding attribute "NAS-Port"
> (19) Wed Nov  1 20:23:01 2017: Debug: rest: Encoding attribute "Framed-MTU"
> (19) Wed Nov  1 20:23:01 2017: Debug: rest: Encoding attribute "State"
> (19) Wed Nov  1 20:23:01 2017: Debug: rest: Encoding attribute 
> "Called-Station-Id"
> (19) Wed Nov  1 20:23:01 2017: Debug: rest: Encoding attribute 
> "Calling-Station-Id"
> (19) Wed Nov  1 20:23:01 2017: Debug: rest: Encoding attribute 
> "NAS-Identifier"
> (19) Wed Nov  1 20:23:01 2017: Debug: rest: Encoding attribute "NAS-Port-Type"
> (19) Wed Nov  1 20:23:01 2017: Debug: rest: Encoding attribute 
> "Event-Timestamp"
> (19) Wed Nov  1 20:23:01 2017: Debug: rest: Encoding attribute "EAP-Message"
> (19) Wed Nov  1 20:23:01 2017: Debug: rest: Encoding attribute 
> "FreeRADIUS-Proxied-To"
> (19) Wed Nov  1 20:23:01 2017: Debug: rest: Encoding attribute "EAP-Type"
> (19) Wed Nov  1 20:23:01 2017: Debug: rest: Encoding attribute 
> "Stripped-User-Name"
> (19) Wed Nov  1 20:23:01 2017: Debug: rest: Encoding attribute "Realm"
> (19) Wed Nov  1 20:23:01 2017: Debug: rest: Encoding attribute 
> "PacketFence-Domain"
> (19) Wed Nov  1 20:23:04 2017: Debug: rest: Processing response header
> (19) Wed Nov  1 20:23:04 2017: Debug: rest:   Status : 401 (Unauthorized)
> (19) Wed Nov  1 20:23:04 2017: Debug: rest:   Type   : json (application/json)
> (19) Wed Nov  1 20:23:04 2017: ERROR: rest: Server returned:
> (19) Wed Nov  1 20:23:04 2017: ERROR: rest: {"Reply-Message":"Network device 
> does not support this mode of 
> operation","control:PacketFence-Eap-Type":26,"control:PacketFence-Authorization-Status":"allow","control:PacketFence-Mac":"00:21:70:d8:ac:45","control:PacketFence-Request-Time":1509567784,"control:PacketFence-Switch-Ip-Address":"192.168.1.5","control:PacketFence-IfIndex":"1","control:PacketFence-UserName":"PFDOMAIN\\testme","control:PacketFence-Connection-Type":"Ethernet-EAP","control:PacketFence-Switch-Mac":"b0:b9:8a:46:3d:0e","control:PacketFence-Switch-Id":"192.168.1.5"}
> (19) Wed Nov  1 20:23:04 2017: Debug:       [rest] = invalid
> (19) Wed Nov  1 20:23:04 2017: Debug:     } # post-auth = invalid
> (19) Wed Nov  1 20:23:04 2017: Debug:   Using Post-Auth-Type Reject
> (19) Wed Nov  1 20:23:04 2017: Debug:   # Executing group from file 
> /usr/local/pf/raddb/sites-enabled/packetfence-tunnel
> (19) Wed Nov  1 20:23:04 2017: Debug:     Post-Auth-Type REJECT {
> (19) Wed Nov  1 20:23:04 2017: Debug:       update {
> (19) Wed Nov  1 20:23:04 2017: Debug:       } # update = noop
> (19) Wed Nov  1 20:23:04 2017: Debug:       policy 
> packetfence-audit-log-reject {
> (19) Wed Nov  1 20:23:04 2017: Debug:         if (&User-Name != "dummy") {
> (19) Wed Nov  1 20:23:04 2017: Debug:         if (&User-Name != "dummy")  -> 
> TRUE
> (19) Wed Nov  1 20:23:04 2017: Debug:         if (&User-Name != "dummy")  {
> (19) Wed Nov  1 20:23:04 2017: Debug:           policy request-timing {
> (19) Wed Nov  1 20:23:04 2017: Debug:             if 
> (control:PacketFence-Request-Time != 0) {
> (19) Wed Nov  1 20:23:04 2017: ERROR:             Failed retrieving values 
> required to evaluate condition
> (19) Wed Nov  1 20:23:04 2017: Debug:           } # policy request-timing = 
> noop
> (19) Wed Nov  1 20:23:04 2017: Debug: sql_reject: EXPAND type.reject.query
> (19) Wed Nov  1 20:23:04 2017: Debug: sql_reject:    --> type.reject.query
> (19) Wed Nov  1 20:23:04 2017: Debug: sql_reject: Using query template 'query'
> (19) Wed Nov  1 20:23:04 2017: Debug: sql_reject: EXPAND %{User-Name}
> (19) Wed Nov  1 20:23:04 2017: Debug: sql_reject:    --> PFDOMAIN\\testme
> (19) Wed Nov  1 20:23:04 2017: Debug: sql_reject: SQL-User-Name set to 
> 'PFDOMAIN\\testme'
> (19) Wed Nov  1 20:23:04 2017: Debug: sql_reject: EXPAND INSERT INTO 
> radius_audit_log               ( mac, ip, computer_name, user_name,           
>      stripped_user_name,  realm, event_type,                switch_id, 
> switch_mac, switch_ip_address,                radius_source_ip_address, 
> called_station_id, calling_station_id,                nas_port_type, ssid, 
> nas_port_id,                ifindex, nas_port, connection_type,               
>  nas_ip_address, nas_identifier, auth_status,                reason, 
> auth_type, eap_type,                role, node_status, profile,               
>  source, auto_reg, is_phone,                pf_domain, uuid, radius_request,  
>               radius_reply, request_time)              VALUES               ( 
> '%{request:Calling-Station-Id}', '%{request:Framed-IP-Address}', 
> '%{%{control:PacketFence-Computer-Name}:-N/A}', '%{request:User-Name}',       
>          '%{request:Stripped-User-Name}', '%{request:Realm}', 
> 'Radius-Access-Request',                
> '%{%{control:PacketFence-Switch-Id}:-N/A}', 
> '%{%{control:PacketFence-Switch-Mac}:-N/A}', 
> '%{%{control:PacketFence-Switch-Ip-Address}:-N/A}',                
> '%{Packet-Src-IP-Address}', '%{request:Called-Station-Id}', 
> '%{request:Calling-Station-Id}',                '%{request:NAS-Port-Type}', 
> '%{request:Called-Station-SSID}', '%{request:NAS-Port-Id}',                
> '%{%{control:PacketFence-IfIndex}:-N/A}', '%{request:NAS-Port}', 
> '%{%{control:PacketFence-Connection-Type}:-N/A}',                
> '%{request:NAS-IP-Address}', '%{request:NAS-Identifier}',  'Reject',          
>        '%{request:Module-Failure-Message}', '%{control:Auth-Type}', 
> '%{request:EAP-Type}',                '%{%{control:PacketFence-Role}:-N/A}', 
> '%{%{control:PacketFence-Status}:-N/A}', 
> '%{%{control:PacketFence-Profile}:-N/A}',                
> '%{%{control:PacketFence-Source}:-N/A}', 
> '%{%{control:PacketFence-AutoReg}:-N/A}', 
> '%{%{control:PacketFence-IsPhone}:-N/A}',                
> '%{request:PacketFence-Domain}', '', 
> '%{pairs:&request:[*]}','%{pairs:&reply:[*]}', 
> '%{%{control:PacketFence-Request-Time}:-N/A}')
> (19) Wed Nov  1 20:23:04 2017: Debug: sql_reject:    --> INSERT INTO 
> radius_audit_log               ( mac, ip, computer_name, user_name,           
>      stripped_user_name,  realm, event_type,                switch_id, 
> switch_mac, switch_ip_address,                radius_source_ip_address, 
> called_station_id, calling_station_id,                nas_port_type, ssid, 
> nas_port_id,                ifindex, nas_port, connection_type,               
>  nas_ip_address, nas_identifier, auth_status,                reason, 
> auth_type, eap_type,                role, node_status, profile,               
>  source, auto_reg, is_phone,                pf_domain, uuid, radius_request,  
>               radius_reply, request_time)              VALUES               ( 
> '00:21:70:d8:ac:45', '', 'N/A', 'PFDOMAIN=5Ctestme',                'testme', 
> 'pfdomain', 'Radius-Access-Request',                'N/A', 'N/A', 'N/A',      
>           '192.168.1.12', 'b0:b9:8a:46:3d:0e', '00:21:70:d8:ac:45',           
>      'Ethernet', '', '',                'N/A', '1', 'N/A',                
> '192.168.1.5', 'b0-b9-8a-46-3d-0c',  'Reject',                 'rest: Server 
> returned:', 'eap', 'MSCHAPv2',                'N/A', 'N/A', 'N/A',            
>     'N/A', 'N/A', 'N/A',                'Win2012AD', '', 'User-Name =3D 
> =22PFDOMAIN=5C=5Ctestme=22=2C NAS-IP-Address =3D 192.168.1.5=2C NAS-Port =3D 
> 1=2C Framed-MTU =3D 1500=2C State =3D 0x02989cb2039086a03851ec7eb5936384=2C 
> Called-Station-Id =3D =22b0:b9:8a:46:3d:0e=22=2C Calling-Station-Id =3D 
> =2200:21:70:d8:ac:45=22=2C NAS-Identifier =3D =22b0-b9-8a-46-3d-0c=22=2C 
> NAS-Port-Type =3D Ethernet=2C Event-Timestamp =3D =22Nov  1 2017 20:23:01 
> UTC=22=2C EAP-Message =3D 0x020800061a03=2C FreeRADIUS-Proxied-To =3D 
> 127.0.0.1=2C EAP-Type =3D MSCHAPv2=2C Stripped-User-Name =3D =22testme=22=2C 
> Realm =3D =22pfdomain=22=2C PacketFence-Domain =3D =22Win2012AD=22=2C 
> Module-Failure-Message =3D =22rest: Server returned:=22=2C 
> Module-Failure-Message =3D =22rest: 
> =7B=5C=22Reply-Message=5C=22:=5C=22Network device does not support this mode 
> of 
> operation=5C=22=2C=5C=22control:PacketFence-Eap-Type=5C=22:26=2C=5C=22control:PacketFence-Authorization-Status=5C=22:=5C=22allow=5C=22=2C=5C=22control:PacketFence-Mac=5C=22:=5C=2200:21:70:d8:ac:45=5C=22=2C=5C=22control:PacketFence-Request-Time=5C=22:1509567784=2C=5C=22control:PacketFence-Switch-Ip-Address=5C=22:=5C=22192.168.1.5=5C=22=2C=5C=22control:PacketFence-IfIndex=5C=22:=5C=221=5C=22=2C=5C=22control:PacketFence-UserName=5C=22:=5C=22PFDOMAIN=5C=5C=5C=5Ctestme=5C=22=2C=5C=22control:PacketFence-Connection-Type=5C=22:=5C=22Ethernet-EAP=5C=22=2C=5C=22control:PacketFence-Switch-Mac=5C=22:=5C=22b0:b9:8a:46:3d:0e=5C=22=2C=5C=22control:PacketFence-Switch-Id=5C=22:=5C=22192.168.1.5=5C=22=7D=22=2C
>  User-Password =3D =22=2A=2A=2A=2A=2A=2A=22=2C Module-Failure-Message =3D 
> =22Failed retrieving values required to evaluate condition=22=2C 
> SQL-User-Name =3D =22PFDOMAIN=5C=5C=5C=5Ctestme=22','EAP-Message =3D 
> 0x03080004=2C Message-Authenticator =3D 0x00000000000000000000000000000000=2C 
> Stripped-User-Name =3D =22testme=22', 'N/A')
> (19) Wed Nov  1 20:23:04 2017: Debug: sql_reject: Executing query: INSERT 
> INTO radius_audit_log               ( mac, ip, computer_name, user_name,      
>           stripped_user_name,  realm, event_type,                switch_id, 
> switch_mac, switch_ip_address,                radius_source_ip_address, 
> called_station_id, calling_station_id,                nas_port_type, ssid, 
> nas_port_id,                ifindex, nas_port, connection_type,               
>  nas_ip_address, nas_identifier, auth_status,                reason, 
> auth_type, eap_type,                role, node_status, profile,               
>  source, auto_reg, is_phone,                pf_domain, uuid, radius_request,  
>               radius_reply, request_time)              VALUES               ( 
> '00:21:70:d8:ac:45', '', 'N/A', 'PFDOMAIN=5Ctestme',                'testme', 
> 'pfdomain', 'Radius-Access-Request',                'N/A', 'N/A', 'N/A',      
>           '192.168.1.12', 'b0:b9:8a:46:3d:0e', '00:21:70:d8:ac:45',           
>      'Ethernet', '', '',                'N/A', '1', 'N/A',                
> '192.168.1.5', 'b0-b9-8a-46-3d-0c',  'Reject',                 'rest: Server 
> returned:', 'eap', 'MSCHAPv2',                'N/A', 'N/A', 'N/A',            
>     'N/A', 'N/A', 'N/A',                'Win2012AD', '', 'User-Name =3D 
> =22PFDOMAIN=5C=5Ctestme=22=2C NAS-IP-Address =3D 192.168.1.5=2C NAS-Port =3D 
> 1=2C Framed-MTU =3D 1500=2C State =3D 0x02989cb2039086a03851ec7eb5936384=2C 
> Called-Station-Id =3D =22b0:b9:8a:46:3d:0e=22=2C Calling-Station-Id =3D 
> =2200:21:70:d8:ac:45=22=2C NAS-Identifier =3D =22b0-b9-8a-46-3d-0c=22=2C 
> NAS-Port-Type =3D Ethernet=2C Event-Timestamp =3D =22Nov  1 2017 20:23:01 
> UTC=22=2C EAP-Message =3D 0x020800061a03=2C FreeRADIUS-Proxied-To =3D 
> 127.0.0.1=2C EAP-Type =3D MSCHAPv2=2C Stripped-User-Name =3D =22testme=22=2C 
> Realm =3D =22pfdomain=22=2C PacketFence-Domain =3D =22Win2012AD=22=2C 
> Module-Failure-Message =3D =22rest: Server returned:=22=2C 
> Module-Failure-Message =3D =22rest: 
> =7B=5C=22Reply-Message=5C=22:=5C=22Network device does not support this mode 
> of 
> operation=5C=22=2C=5C=22control:PacketFence-Eap-Type=5C=22:26=2C=5C=22control:PacketFence-Authorization-Status=5C=22:=5C=22allow=5C=22=2C=5C=22control:PacketFence-Mac=5C=22:=5C=2200:21:70:d8:ac:45=5C=22=2C=5C=22control:PacketFence-Request-Time=5C=22:1509567784=2C=5C=22control:PacketFence-Switch-Ip-Address=5C=22:=5C=22192.168.1.5=5C=22=2C=5C=22control:PacketFence-IfIndex=5C=22:=5C=221=5C=22=2C=5C=22control:PacketFence-UserName=5C=22:=5C=22PFDOMAIN=5C=5C=5C=5Ctestme=5C=22=2C=5C=22control:PacketFence-Connection-Type=5C=22:=5C=22Ethernet-EAP=5C=22=2C=5C=22control:PacketFence-Switch-Mac=5C=22:=5C=22b0:b9:8a:46:3d:0e=5C=22=2C=5C=22control:PacketFence-Switch-Id=5C=22:=5C=22192.168.1.5=5C=22=7D=22=2C
>  User-Password =3D =22=2A=2A=2A=2A=2A=2A=22=2C Module-Failure-Message =3D 
> =22Failed retrieving values required to evaluate condition=22=2C 
> SQL-User-Name =3D =22PFDOMAIN=5C=5C=5C=5Ctestme=22','EAP-Message =3D 
> 0x03080004=2C Message-Authenticator =3D 0x00000000000000000000000000000000=2C 
> Stripped-User-Name =3D =22testme=22', 'N/A')
> (19) Wed Nov  1 20:23:04 2017: Debug: sql_reject: SQL query returned: success
> (19) Wed Nov  1 20:23:04 2017: Debug: sql_reject: 1 record(s) updated
> (19) Wed Nov  1 20:23:04 2017: Debug:           [sql_reject] = ok
> (19) Wed Nov  1 20:23:04 2017: Debug:         } # if (&User-Name != "dummy")  
> = ok
> (19) Wed Nov  1 20:23:04 2017: Debug:       } # policy 
> packetfence-audit-log-reject = ok
> (19) Wed Nov  1 20:23:04 2017: Debug: attr_filter.access_reject: EXPAND 
> %{User-Name}
> (19) Wed Nov  1 20:23:04 2017: Debug: attr_filter.access_reject:    --> 
> PFDOMAIN\\testme
> (19) Wed Nov  1 20:23:04 2017: Debug: attr_filter.access_reject: Matched 
> entry DEFAULT at line 11
> (19) Wed Nov  1 20:23:04 2017: Debug:       [attr_filter.access_reject] = 
> updated
> (19) Wed Nov  1 20:23:04 2017: Debug:       update outer.session-state {
> (19) Wed Nov  1 20:23:04 2017: Debug:       } # update outer.session-state = 
> noop
> (19) Wed Nov  1 20:23:04 2017: Debug:     } # Post-Auth-Type REJECT = updated
> (19) Wed Nov  1 20:23:04 2017: Debug: } # server packetfence-tunnel
> (19) Wed Nov  1 20:23:04 2017: Debug: Virtual server sending reply
> (19) Wed Nov  1 20:23:04 2017: Debug:   EAP-Message = 0x03080004
> (19) Wed Nov  1 20:23:04 2017: Debug:   Message-Authenticator = 
> 0x00000000000000000000000000000000
> (19) Wed Nov  1 20:23:04 2017: Debug: eap_peap: Got tunneled reply code 3
> (19) Wed Nov  1 20:23:04 2017: Debug: eap_peap:   EAP-Message = 0x03080004
> (19) Wed Nov  1 20:23:04 2017: Debug: eap_peap:   Message-Authenticator = 
> 0x00000000000000000000000000000000
> (19) Wed Nov  1 20:23:04 2017: Debug: eap_peap: Tunneled authentication was 
> rejected
> (19) Wed Nov  1 20:23:04 2017: Debug: eap_peap: FAILURE
> (19) Wed Nov  1 20:23:04 2017: Debug: eap: Sending EAP Request (code 1) ID 9 
> length 46
> (19) Wed Nov  1 20:23:04 2017: Debug: eap: EAP session adding &reply:State = 
> 0x8486bcf28c8fa5c8
> (19) Wed Nov  1 20:23:04 2017: Debug:     [eap] = handled
> (19) Wed Nov  1 20:23:04 2017: Debug:   } # authenticate = handled
> (19) Wed Nov  1 20:23:04 2017: Debug: Using Post-Auth-Type Challenge
> (19) Wed Nov  1 20:23:04 2017: Debug: Post-Auth-Type sub-section not found.  
> Ignoring.
> (19) Wed Nov  1 20:23:04 2017: Debug: # Executing group from file 
> /usr/local/pf/raddb/sites-enabled/packetfence
> (19) Wed Nov  1 20:23:04 2017: Debug: session-state: Saving cached attributes
> (19) Wed Nov  1 20:23:04 2017: Debug:   Module-Failure-Message := "rest: 
> Server returned:"
> (19) Wed Nov  1 20:23:04 2017: Debug: Sent Access-Challenge Id 199 from 
> 192.168.1.5:1812 to 192.168.1.12:42371 length 0
> (19) Wed Nov  1 20:23:04 2017: Debug:   EAP-Message = 
> 0x0109002e19001703030023c533942a5ebc7a75646da7f31d383d825f9d81eae05046d9a7c8518889d28455d0fecb
> (19) Wed Nov  1 20:23:04 2017: Debug:   Message-Authenticator = 
> 0x00000000000000000000000000000000
> (19) Wed Nov  1 20:23:04 2017: Debug:   State = 
> 0x8486bcf28c8fa5c8f46e2d7c49360c33
> (19) Wed Nov  1 20:23:04 2017: Debug: Finished request
>
>> Hello James,
>>
>> Can you run radius in debug mode and retry a connection? I would like to
>> see the radius request.
>>
>> raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3000
>>
>> Regards
>>
>> Fabrice
>>
>>
>>
>> Le 2017-11-01 à 14:21, James Garcellano via PacketFence-users a écrit :
>>> Hello everyone,
>>>
>>>  
>>>
>>> I would like to find out if the Netgear GSM4325PS (M4300 series)
>>> switch is supported with PacketFence.
>>>
>>>  
>>>
>>> The documentation for supported network switches states that the Netgear
>>> M-Series switches are supported for 802.1x Wired Authentication, so
>>> I'm assuming the configuration guidelines that are given should work.
>>>
>>>  
>>>
>>> I have configured one such switch in a test lab that I put together. 
>>> When I plug in a laptop, while monitoring the
>>> /usr/local/pf/log/packetfence.log, I see the following messages:
>>>
>>>  
>>>
>>> Nov  1 18:18:33 packetfence-zen packetfence_httpd.aaa: httpd.aaa(2852)
>>> INFO: [mac:00:21:70:d8:ac:45] handling radius autz request: from
>>> switch_ip => (192.168.1.5), connection_type => Ethernet-EAP,switch_mac
>>> => (b0:b9:8a:46:3d:0e), mac => [00:21:70:d8:ac:45], port => 1,
>>> username => "PFDOMAIN\testme" (pf::radius::authorize)
>>>
>>> Nov  1 18:18:33 packetfence-zen packetfence_httpd.aaa: httpd.aaa(2852)
>>> ERROR: [mac:00:21:70:d8:ac:45] Wired 802.1X is not supported on switch
>>> type pf::Switch::PacketFence. Please let us know what hardware you are
>>> using. (pf::Switch::supportsWiredDot1x)
>>>
>>> Nov  1 18:18:33 packetfence-zen packetfence_httpd.aaa: httpd.aaa(2852)
>>> WARN: [mac:00:21:70:d8:ac:45] (192.168.1.5) Sending REJECT since
>>> switch is unsupported (pf::radius::_switchUnsupportedReply)
>>>
>>>  
>>>
>>> 192.168.1.5 is the PacketFence server.
>>>
>>> 00:21:70:d8:ac:45 is a Dell laptop with Windows 10 configured with
>>> 802.1x Security and associated credentials.
>>>
>>>  
>>>
>>> A similar setup is working with the same laptop connected to a Cisco
>>> 2960G series switch.
>>>
>>>  
>>>
>>> If any more information is required, please let me know.
>>>
>>>  
>>>
>>> Thank you all!
>>>
>>>  
>>>
>>> James Garcellano
>>>
>>>  
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>
>>>
>>> _______________________________________________
>>> PacketFence-users mailing list
>>> PacketFence-users@...
>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>> -- 
>> Fabrice Durand
>> fdurand@... ::  +1.514.447.4918 (x135) ::  http://www.inverse.ca
>
> James Garcellano
>
>

-- 
Fabrice Durand
[email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
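
The mismatch discussed in this thread (NAS-IP-Address = 192.168.1.5 in a request received from 192.168.1.12) can be checked mechanically over raddebug output. The Python script below is an added example, not part of the original thread or of PacketFence; the sample log is constructed from the lines quoted above, request 20 is invented for contrast, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the raddebug lines quoted in this thread.
# Request 20 is invented to show a well-formed request for contrast.
SAMPLE = """\
(19) Wed Nov  1 20:23:01 2017: Debug: Received Access-Request Id 199 from 192.168.1.12:42371 to 192.168.1.5:1812 length 193
(19) Wed Nov  1 20:23:01 2017: Debug:   Calling-Station-Id = "00:21:70:d8:ac:45"
(19) Wed Nov  1 20:23:01 2017: Debug:   NAS-IP-Address = 192.168.1.5
(20) Wed Nov  1 20:25:10 2017: Debug: Received Access-Request Id 200 from 192.168.1.12:42371 to 192.168.1.5:1812 length 193
(20) Wed Nov  1 20:25:10 2017: Debug:   NAS-IP-Address = 192.168.1.12
"""

RECV = re.compile(r'^\((\d+)\) .*?Received Access-Request Id \d+ '
                  r'from ([\d.]+):\d+ to ([\d.]+):\d+')
ATTR = re.compile(r'^\((\d+)\) .*?Debug:\s+([\w-]+) = "?([^"]*)"?\s*$')

def unwrap(text):
    """Strip mail quote markers and re-join lines wrapped by a mail client."""
    out = []
    for line in text.splitlines():
        line = re.sub(r'^(?:>\s?)+', '', line).rstrip()
        if not line:
            continue
        if re.match(r'\(\d+\) ', line) or not out:
            out.append(line)
        else:                      # continuation of the previous log line
            out[-1] += ' ' + line.strip()
    return out

def check_nas_ip(text):
    """Return requests whose NAS-IP-Address differs from the packet source."""
    reqs = {}
    for line in unwrap(text):
        m = RECV.match(line)
        if m:
            reqs[m.group(1)] = {"src": m.group(2), "server": m.group(3)}
            continue
        m = ATTR.match(line)
        if m and m.group(1) in reqs:   # keep the first value seen per request
            reqs[m.group(1)].setdefault(m.group(2), m.group(3).strip())
    findings = []
    for num, r in reqs.items():
        nas = r.get("NAS-IP-Address")
        if nas is None or nas == r["src"]:
            continue
        reason = ("equals the RADIUS server's own address" if nas == r["server"]
                  else "differs from the packet source address")
        findings.append({"request": num, "src": r["src"], "nas_ip": nas,
                         "mac": r.get("Calling-Station-Id"), "reason": reason})
    return findings

if __name__ == "__main__":
    for f in check_nas_ip(SAMPLE):
        print(f)
```

The script also accepts `>`-quoted, mail-wrapped log text such as the copy in this thread. A NAS-IP-Address that differs from the source is not always a fault (for example behind NAT or a RADIUS proxy), so treat findings as items to review.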


