I understand, we have so many features and we keep most of them because
they are still used by someone.
Also deploying a NAC is not something easy to do, you must be a network
admin, a Linux admin and most of the time have skills in Windows and be
able to understand how PacketFence works...
For this issue it's really a corner case where you have a connection
profile that auto-registers but none of the authentication rules matched,
so PacketFence uses the already defined role of the device.
It's something that we never tested since most of the time we set a
catch_all rule at the end of the authentication rules that always matches
if none of the others matched.
Btw it's why the mailing list exists, to be able to help people even if we
are not 100% available to answer all the questions.
I hope you still enjoy using PacketFence.
Regards
Fabrice
On 19-02-13 at 21:15, Christian McDonald via PacketFence-users wrote:
Try restarting all the services. There are tons of settings and
features riddled throughout PacketFence that require resetting
services (or even the whole operating system) to get working
correctly... I've had similar frustrations
On Wed, Feb 13, 2019 at 9:13 PM William Blake MacIsaac via
PacketFence-users <[email protected]
<mailto:[email protected]>> wrote:
I'm hoping someone can help me. I'm trying to set up
802.1x-Wireless to allow users to connect to a SSID utilizing
domain credentials. The problem is, when users connect and enter
their username and password, they are not being tested against the
Authentication sources I have set up, they are just being allowed
to connect, regardless if they are part of the group or not. I
can even delete the whole authentication source and they are still
being authenticated.. what the hell? :(, please help
:19:39 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) INFO:
[mac:8c:f5:a3:a2:d4:18] handling radius autz request: from
switch_ip => (10.100.2.254), connection_type =>
Wireless-802.11-EAP,switch_mac => (00:15:5d:01:3d:00), mac =>
[8c:f5:a3:a2:d4:18], port => 12290, username => "bmacisaaca", ssid
=> YC-IT (pf::radius::authorize)
Feb 13 14:19:39 PacketFence packetfence_httpd.aaa: httpd.aaa(8345)
INFO: [mac:8c:f5:a3:a2:d4:18] Instantiate profile 802.1X-Profile
(pf::Connection::ProfileFactory::_from_profile)
Feb 13 14:19:39 PacketFence packetfence_httpd.aaa: httpd.aaa(8345)
INFO: [mac:8c:f5:a3:a2:d4:18] Found authentication source(s) :
'local,8021X-Wireless' for realm 'null'
(pf::config::util::filter_authentication_sources)
Feb 13 14:19:39 PacketFence packetfence_httpd.aaa: httpd.aaa(8345)
WARN: [mac:8c:f5:a3:a2:d4:18] Calling match with empty/invalid
rule class. Defaulting to 'authentication'
(pf::authentication::match2)
Feb 13 14:19:39 PacketFence packetfence_httpd.aaa: httpd.aaa(8345)
INFO: [mac:8c:f5:a3:a2:d4:18] Using sources local, 8021X-Wireless
for matching (pf::authentication::match2)
Feb 13 14:19:39 PacketFence packetfence_httpd.aaa: httpd.aaa(8345)
INFO: [mac:8c:f5:a3:a2:d4:18] LDAP testing connection
(pf::LDAP::expire_if)
Feb 13 14:19:39 PacketFence packetfence_httpd.aaa: httpd.aaa(8345)
INFO: [mac:8c:f5:a3:a2:d4:18] Role has already been computed and
we don't want to recompute it. Getting role from node_info
(pf::role::getRegisteredRole)
Feb 13 14:19:39 PacketFence packetfence_httpd.aaa: httpd.aaa(8345)
INFO: [mac:8c:f5:a3:a2:d4:18] Username was defined "bmacisaaca" -
returning role 'YC-IT-WIFI' (pf::role::getRegisteredRole)
Feb 13 14:19:39 PacketFence packetfence_httpd.aaa: httpd.aaa(8345)
INFO: [mac:8c:f5:a3:a2:d4:18] PID: "bmacisaaca", Status: reg
Returned VLAN: (undefined), Role: YC-IT-WIFI
(pf::role::fetchRoleForNode)
Feb 13 14:19:39 PacketFence packetfence_httpd.aaa: httpd.aaa(8345)
WARN: [mac:8c:f5:a3:a2:d4:18] No parameter YC-IT-WIFIVlan found in
conf/switches.conf for the switch 10.100.2.254
(pf::Switch::getVlanByName)
Feb 13 14:19:39 PacketFence pfqueue: pfqueue(33849) INFO:
[mac:unknown] undefined source id provided
(pf::lookup::person::lookup_person)
Feb 13 14:19:39 PacketFence packetfence_httpd.aaa: httpd.aaa(8345)
INFO: [mac:8c:f5:a3:a2:d4:18] violation 1300003 force-closed for
8c:f5:a3:a2:d4:18 (pf::violation::violation_force_close)
Feb 13 14:19:39 PacketFence packetfence_httpd.aaa: httpd.aaa(8345)
INFO: [mac:8c:f5:a3:a2:d4:18] Instantiate profile 802.1X-Profile
(pf::Connection::ProfileFactory::_from_profile)
Feb 13 14:21:15 PacketFence packetfence_httpd.aaa: httpd.aaa(8345)
INFO: [mac:8c:f5:a3:a2:d4:18] handling radius autz request: from
switch_ip => (10.100.2.254), connection_type =>
Wireless-802.11-EAP,switch_mac => (00:15:5d:01:3d:00), mac =>
[8c:f5:a3:a2:d4:18], port => 12290, username => "bmacisaaca", ssid
=> YC-IT (pf::radius::authorize)
Feb 13 14:21:15 PacketFence packetfence_httpd.aaa: httpd.aaa(8345)
INFO: [mac:8c:f5:a3:a2:d4:18] Instantiate profile 802.1X-Profile
(pf::Connection::ProfileFactory::_from_profile)
Feb 13 14:21:15 PacketFence packetfence_httpd.aaa: httpd.aaa(8345)
INFO: [mac:8c:f5:a3:a2:d4:18] Found authentication source(s) :
'local' for realm 'null'
(pf::config::util::filter_authentication_sources)
Feb 13 14:21:15 PacketFence packetfence_httpd.aaa: httpd.aaa(8345)
WARN: [mac:8c:f5:a3:a2:d4:18] Calling match with empty/invalid
rule class. Defaulting to 'authentication'
(pf::authentication::match2)
Feb 13 14:21:15 PacketFence packetfence_httpd.aaa: httpd.aaa(8345)
INFO: [mac:8c:f5:a3:a2:d4:18] Using sources local for matching
(pf::authentication::match2)
Feb 13 14:21:15 PacketFence packetfence_httpd.aaa: httpd.aaa(8345)
INFO: [mac:8c:f5:a3:a2:d4:18] Role has already been computed and
we don't want to recompute it. Getting role from node_info
(pf::role::getRegisteredRole)
Feb 13 14:21:15 PacketFence packetfence_httpd.aaa: httpd.aaa(8345)
INFO: [mac:8c:f5:a3:a2:d4:18] Username was defined "bmacisaaca" -
returning role 'YC-IT-WIFI' (pf::role::getRegisteredRole)
Feb 13 14:21:15 PacketFence packetfence_httpd.aaa: httpd.aaa(8345)
INFO: [mac:8c:f5:a3:a2:d4:18] PID: "bmacisaaca", Status: reg
Returned VLAN: (undefined), Role: YC-IT-WIFI
(pf::role::fetchRoleForNode)
Feb 13 14:21:15 PacketFence packetfence_httpd.aaa: httpd.aaa(8345)
WARN: [mac:8c:f5:a3:a2:d4:18] No parameter YC-IT-WIFIVlan found in
conf/switches.conf for the switch 10.100.2.254
(pf::Switch::getVlanByName)
Feb 13 14:21:15 PacketFence packetfence_httpd.aaa: httpd.aaa(8345)
INFO: [mac:8c:f5:a3:a2:d4:18] violation 1300003 force-closed for
8c:f5:a3:a2:d4:18 (pf::violation::violation_force_close)
Feb 13 14:21:15 PacketFence packetfence_httpd.aaa: httpd.aaa(8345)
INFO: [mac:8c:f5:a3:a2:d4:18] Instantiate profile 802.1X-Profile
(pf::Connection::ProfileFactory::_from_profile)
Feb 13 14:21:15 PacketFence pfqueue: pfqueue(32627) INFO:
[mac:unknown] undefined source id provided
(pf::lookup::person::lookup_person)
^C
[root@PacketFence logs]# tail -f packetfence.log
Feb 13 14:28:49 PacketFence packetfence_httpd.aaa: httpd.aaa(8345)
INFO: [mac:8c:f5:a3:a2:d4:18] Found authentication source(s) :
'local' for realm 'null'
(pf::config::util::filter_authentication_sources)
Feb 13 14:28:49 PacketFence packetfence_httpd.aaa: httpd.aaa(8345)
WARN: [mac:8c:f5:a3:a2:d4:18] Calling match with empty/invalid
rule class. Defaulting to 'authentication'
(pf::authentication::match2)
Feb 13 14:28:49 PacketFence packetfence_httpd.aaa: httpd.aaa(8345)
INFO: [mac:8c:f5:a3:a2:d4:18] Using sources local for matching
(pf::authentication::match2)
Feb 13 14:28:49 PacketFence pfqueue: pfqueue(101125) INFO:
[mac:unknown] undefined source id provided
(pf::lookup::person::lookup_person)
Feb 13 14:28:49 PacketFence packetfence_httpd.aaa: httpd.aaa(8345)
INFO: [mac:8c:f5:a3:a2:d4:18] Role has already been computed and
we don't want to recompute it. Getting role from node_info
(pf::role::getRegisteredRole)
Feb 13 14:28:49 PacketFence packetfence_httpd.aaa: httpd.aaa(8345)
INFO: [mac:8c:f5:a3:a2:d4:18] Username was defined "bmacisaaca" -
returning role 'YC-IT-WIFI' (pf::role::getRegisteredRole)
Feb 13 14:28:49 PacketFence packetfence_httpd.aaa: httpd.aaa(8345)
INFO: [mac:8c:f5:a3:a2:d4:18] PID: "bmacisaaca", Status: reg
Returned VLAN: (undefined), Role: YC-IT-WIFI
(pf::role::fetchRoleForNode)
Feb 13 14:28:49 PacketFence packetfence_httpd.aaa: httpd.aaa(8345)
WARN: [mac:8c:f5:a3:a2:d4:18] No parameter YC-IT-WIFIVlan found in
conf/switches.conf for the switch 10.100.2.254
(pf::Switch::getVlanByName)
Feb 13 14:28:49 PacketFence packetfence_httpd.aaa: httpd.aaa(8345)
INFO: [mac:8c:f5:a3:a2:d4:18] violation 1300003 force-closed for
8c:f5:a3:a2:d4:18 (pf::violation::violation_force_close)
Feb 13 14:28:49 PacketFence packetfence_httpd.aaa: httpd.aaa(8345)
INFO: [mac:8c:f5:a3:a2:d4:18] Instantiate profile 802.1X-Profile
(pf::Connection::ProfileFactory::_from_profile)
_______________________________________________
PacketFence-users mailing list
[email protected]
<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
R. Christian McDonald
/Director of Technology/
Grand Rapids Adventist Academy
C: (616) 856-9291
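
Added example, not part of the original thread and not PacketFence code: a log check that flags RADIUS authorize requests whose role was taken from the stored node record ("Role has already been computed ... Getting role from node_info"), which is the message the quoted log shows for the case described in the reply. It assumes packetfence.log lines are unwrapped to one event per line; the function name and the sample MACs, users and roles are constructed for illustration.

```python
import re

# Constructed sample in the message shapes quoted in this thread (values are made up).
SAMPLE_LOG = """\
Feb 13 14:19:39 pf packetfence_httpd.aaa: httpd.aaa(1) INFO: [mac:02:00:00:00:00:01] handling radius autz request: from switch_ip => (192.0.2.1), connection_type => Wireless-802.11-EAP, username => "alice", ssid => LAB (pf::radius::authorize)
Feb 13 14:19:39 pf packetfence_httpd.aaa: httpd.aaa(1) INFO: [mac:02:00:00:00:00:01] Found authentication source(s) : 'local,8021X-Wireless' for realm 'null' (pf::config::util::filter_authentication_sources)
Feb 13 14:19:39 pf pfqueue: pfqueue(2) INFO: [mac:unknown] undefined source id provided (pf::lookup::person::lookup_person)
Feb 13 14:19:39 pf packetfence_httpd.aaa: httpd.aaa(1) INFO: [mac:02:00:00:00:00:01] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
Feb 13 14:19:39 pf packetfence_httpd.aaa: httpd.aaa(1) INFO: [mac:02:00:00:00:00:01] Username was defined "alice" - returning role 'staff' (pf::role::getRegisteredRole)
Feb 13 14:20:01 pf packetfence_httpd.aaa: httpd.aaa(1) INFO: [mac:02:00:00:00:00:02] handling radius autz request: from switch_ip => (192.0.2.1), connection_type => Wireless-802.11-EAP, username => "bob", ssid => LAB (pf::radius::authorize)
Feb 13 14:20:01 pf packetfence_httpd.aaa: httpd.aaa(1) INFO: [mac:02:00:00:00:00:02] Found authentication source(s) : 'local' for realm 'null' (pf::config::util::filter_authentication_sources)
Feb 13 14:20:01 pf packetfence_httpd.aaa: httpd.aaa(1) INFO: [mac:02:00:00:00:00:02] PID: "bob", Status: reg Returned VLAN: (undefined), Role: guest (pf::role::fetchRoleForNode)
"""

MAC = re.compile(r"\[mac:([0-9a-f:]{17})\]")
USER = re.compile(r'username => "([^"]*)"')
SOURCES = re.compile(r"Found authentication source\(s\) : '([^']*)'")
ROLE = re.compile(r"returning role '([^']*)'")
CACHED = "Role has already been computed"


def find_cached_role_grants(log_text):
    """Return one dict per authorize request whose role came from node_info."""
    open_reqs, findings = {}, []
    for line in log_text.splitlines():
        m = MAC.search(line)
        if not m:
            continue  # skips lines tagged [mac:unknown], e.g. pfqueue events
        mac = m.group(1)
        if "(pf::radius::authorize)" in line:
            # A new request for this MAC starts a fresh record.
            u = USER.search(line)
            open_reqs[mac] = {"mac": mac, "user": u.group(1) if u else None,
                              "sources": [], "role": None}
            continue
        req = open_reqs.get(mac)
        if req is None:
            continue  # event logged before any request we saw for this MAC
        s = SOURCES.search(line)
        if s:
            req["sources"] = s.group(1).split(",")
        if CACHED in line and req not in findings:
            findings.append(req)  # same dict, so the role below is filled in later
        r = ROLE.search(line)
        if r:
            req["role"] = r.group(1)
    return findings
```

Each finding carries the MAC, username, the sources that were consulted and the role that was returned, which is enough to review whether that device should still hold the role.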