Hello,
I am trying to do machine authentication against AD (EAP-TLS) and I am not
sure that the authentication is successful. How can I check that the
authentication over AD is successful (logfiles/node audit)? If it is not
successful, how can I check which authentication source is considered
during authentication?
What I can see for now is the following:
(11) Fri Feb 15 16:19:50 2019: Debug: if (&User-Password && (&User-Password != "%{string:User-Password}")) {
(11) Fri Feb 15 16:19:50 2019: Debug: if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE
(11) Fri Feb 15 16:19:50 2019: Debug: } # policy filter_password = updated
(11) Fri Feb 15 16:19:50 2019: Debug: [preprocess] = ok
(11) Fri Feb 15 16:19:50 2019: Debug: suffix: Checking for suffix after "@"
(11) Fri Feb 15 16:19:50 2019: Debug: suffix: No '@' in User-Name = "host/M-1.ad.cwe.local", skipping NULL due to config.
(11) Fri Feb 15 16:19:50 2019: Debug: [suffix] = noop
(11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Checking for prefix before "\"
(11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: No '\' in User-Name = "host/M-1.ad.cwe.local", looking up realm NULL
(11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Found realm "null"
(11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Adding Stripped-User-Name = "host/M-1.ad.cwe.local"
(11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Adding Realm = "null"
(11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Authentication realm is LOCAL
(11) Fri Feb 15 16:19:50 2019: Debug: [ntdomain] = ok
(11) Fri Feb 15 16:19:50 2019: Debug: eap: Peer sent EAP Response (code 2) ID 9 length 6
(11) Fri Feb 15 16:19:50 2019: Debug: eap: No EAP Start, assuming it's an on-going EAP conversation
(11) Fri Feb 15 16:19:50 2019: Debug: [eap] = updated
(11) Fri Feb 15 16:19:50 2019: Debug: if ( !EAP-Message ) {
(11) Fri Feb 15 16:19:50 2019: Debug: if ( !EAP-Message ) -> FALSE
(11) Fri Feb 15 16:19:50 2019: Debug: policy packetfence-eap-mac-policy {
(11) Fri Feb 15 16:19:50 2019: Debug: if ( &EAP-Type ) {
(11) Fri Feb 15 16:19:50 2019: Debug: if ( &EAP-Type ) -> TRUE
(11) Fri Feb 15 16:19:50 2019: Debug: if ( &EAP-Type ) {
(11) Fri Feb 15 16:19:50 2019: Debug: if (&User-Name && (&User-Name =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(11) Fri Feb 15 16:19:50 2019: Debug: if (&User-Name && (&User-Name =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> FALSE
(11) Fri Feb 15 16:19:50 2019: Debug: } # if ( &EAP-Type ) = updated
(11) Fri Feb 15 16:19:50 2019: Debug: [noop] = noop
(11) Fri Feb 15 16:19:50 2019: Debug: } # policy packetfence-eap-mac-policy = updated
(11) Fri Feb 15 16:19:50 2019: WARNING: pap: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(11) Fri Feb 15 16:19:50 2019: WARNING: pap: !!! Ignoring control:User-Password. Update your !!!
(11) Fri Feb 15 16:19:50 2019: WARNING: pap: !!! configuration so that the "known good" clear text !!!
(11) Fri Feb 15 16:19:50 2019: WARNING: pap: !!! password is in Cleartext-Password and NOT in !!!
(11) Fri Feb 15 16:19:50 2019: WARNING: pap: !!! User-Password. !!!
(11) Fri Feb 15 16:19:50 2019: WARNING: pap: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(11) Fri Feb 15 16:19:50 2019: Debug: [pap] = noop
(11) Fri Feb 15 16:19:50 2019: Debug: } # authorize = updated
(11) Fri Feb 15 16:19:50 2019: Debug: Found Auth-Type = eap
(11) Fri Feb 15 16:19:50 2019: Debug: # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
(11) Fri Feb 15 16:19:50 2019: Debug: authenticate {
(11) Fri Feb 15 16:19:50 2019: Debug: eap: Expiring EAP session with state 0x4ef4a14549fdace8
(11) Fri Feb 15 16:19:50 2019: Debug: eap: Finished EAP session with state 0x4ef4a14549fdace8
(11) Fri Feb 15 16:19:50 2019: Debug: eap: Previous EAP request found for state 0x4ef4a14549fdace8, released from the list
(11) Fri Feb 15 16:19:50 2019: Debug: eap: Peer sent packet with method EAP TLS (13)
(11) Fri Feb 15 16:19:50 2019: Debug: eap: Calling submodule eap_tls to process data
(11) Fri Feb 15 16:19:50 2019: Debug: eap_tls: Continuing EAP-TLS
(11) Fri Feb 15 16:19:50 2019: Debug: eap_tls: Peer ACKed our handshake fragment. handshake is finished
(11) Fri Feb 15 16:19:50 2019: Debug: eap_tls: [eaptls verify] = success
(11) Fri Feb 15 16:19:50 2019: Debug: eap_tls: [eaptls process] = success
(11) Fri Feb 15 16:19:50 2019: Debug: eap: Sending EAP Success (code 3) ID 9 length 4
(11) Fri Feb 15
I have followed the instructions already seen on the support page, which are
to:
- create a profile with a rule eap for the authentication
- create an authentication source for the machine authentication
- create a realm towards the AD
When browsing the AD manually, I can see my host in the correct Base Search
DN.
Thanks in advance for any short advice,
Regards,
Carlos
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
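To answer the two questions in the post (did the EAP conversation end in success, and which realm and modules were consulted) from a radiusd debug log, the lines worth reading are the `Authentication realm is ...` line, the `[module] = rcode` lines, and the final `Sending EAP Success/Failure` line. The following script, an added example that is not part of the original post and not PacketFence's own tooling, groups those lines by request ID and reports a per-request summary. The sample log inside it is constructed: request (11) reproduces the successful EAP-TLS pattern from the excerpt above, request (12) is an invented failed verification. The assumption that an AD/LDAP lookup appears as a module result whose name contains `ldap` is just that, an assumption; the instance name depends on the server configuration.

```python
"""Summarise FreeRADIUS debug output per request ID: which realm was
chosen, which modules ran with which return code, and how the EAP
conversation ended.  Added example, not code from the original post."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample.  Request (11) mirrors the successful EAP-TLS excerpt
# from the post; request (12) is an invented failed certificate verification.
SAMPLE_LOG = """\
(11) Fri Feb 15 16:19:50 2019: Debug: [preprocess] = ok
(11) Fri Feb 15 16:19:50 2019: Debug: suffix: No '@' in User-Name = "host/M-1.ad.cwe.local", skipping NULL due to config.
(11) Fri Feb 15 16:19:50 2019: Debug: [suffix] = noop
(11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Adding Stripped-User-Name = "host/M-1.ad.cwe.local"
(11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Adding Realm = "null"
(11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Authentication realm is LOCAL
(11) Fri Feb 15 16:19:50 2019: Debug: [ntdomain] = ok
(11) Fri Feb 15 16:19:50 2019: Debug: [eap] = updated
(11) Fri Feb 15 16:19:50 2019: WARNING: pap: !!! Ignoring control:User-Password. Update your !!!
(11) Fri Feb 15 16:19:50 2019: Debug: [pap] = noop
(11) Fri Feb 15 16:19:50 2019: Debug: Found Auth-Type = eap
(11) Fri Feb 15 16:19:50 2019: Debug: eap: Peer sent packet with method EAP TLS (13)
(11) Fri Feb 15 16:19:50 2019: Debug: eap_tls: Peer ACKed our handshake fragment. handshake is finished
(11) Fri Feb 15 16:19:50 2019: Debug: eap_tls: [eaptls verify] = success
(11) Fri Feb 15 16:19:50 2019: Debug: eap_tls: [eaptls process] = success
(11) Fri Feb 15 16:19:50 2019: Debug: eap: Sending EAP Success (code 3) ID 9 length 4
(12) Fri Feb 15 16:20:03 2019: Debug: ntdomain: Adding Realm = "null"
(12) Fri Feb 15 16:20:03 2019: Debug: Found Auth-Type = eap
(12) Fri Feb 15 16:20:03 2019: Debug: eap: Peer sent packet with method EAP TLS (13)
(12) Fri Feb 15 16:20:03 2019: Debug: eap_tls: [eaptls verify] = invalid
(12) Fri Feb 15 16:20:03 2019: Debug: eap: Sending EAP Failure (code 4) ID 5 length 4
"""

# "(11) Fri Feb 15 16:19:50 2019: Debug: <message>"
LINE_RE = re.compile(r"^\((?P<rid>\d+)\) (?P<ts>.+?\d{4}): (?P<level>\w+): (?P<msg>.*)$")
MODULE_RE = re.compile(r"\[([^\]]+)\] = (\w+)")          # "[ntdomain] = ok", "[eaptls verify] = success"
USER_RE = re.compile(r'Adding Stripped-User-Name = "([^"]*)"')
REALM_RE = re.compile(r'Adding Realm = "([^"]*)"')
REALM_TYPE_RE = re.compile(r"Authentication realm is (\w+)")
AUTH_TYPE_RE = re.compile(r"Found Auth-Type = (\S+)")
EAP_METHOD_RE = re.compile(r"Peer sent packet with method (.+?) \((\d+)\)")
EAP_END_RE = re.compile(r"Sending EAP (Success|Failure)")
OK_CODES = {"ok", "updated", "noop", "success", "handled"}


@dataclass
class RequestSummary:
    rid: int
    user_name: Optional[str] = None
    realm: Optional[str] = None
    realm_type: Optional[str] = None      # LOCAL = handled by this server, not proxied
    auth_type: Optional[str] = None
    eap_method: Optional[str] = None
    handshake_finished: bool = False
    module_results: Dict[str, str] = field(default_factory=dict)
    warnings: List[str] = field(default_factory=list)
    outcome: str = "incomplete"           # success | failure | incomplete


def parse_debug(text: str) -> Dict[int, RequestSummary]:
    """Group debug lines by request ID and pull out the decision points."""
    summaries: Dict[int, RequestSummary] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # mail-wrapped continuation or unrelated line
        msg = m["msg"]
        s = summaries.setdefault(int(m["rid"]), RequestSummary(int(m["rid"])))
        if m["level"] == "WARNING":
            s.warnings.append(msg)
        if (mm := MODULE_RE.search(msg)):
            s.module_results[mm.group(1)] = mm.group(2)
        if (mm := USER_RE.search(msg)):
            s.user_name = mm.group(1)
        if (mm := REALM_RE.search(msg)):
            s.realm = mm.group(1)
        if (mm := REALM_TYPE_RE.search(msg)):
            s.realm_type = mm.group(1)
        if (mm := AUTH_TYPE_RE.search(msg)):
            s.auth_type = mm.group(1)
        if (mm := EAP_METHOD_RE.search(msg)):
            s.eap_method = mm.group(1)
        if "handshake is finished" in msg:
            s.handshake_finished = True
        if (mm := EAP_END_RE.search(msg)):
            s.outcome = mm.group(1).lower()
    return summaries


def findings(s: RequestSummary) -> List[str]:
    """Human-readable verdicts for one request."""
    out = []
    if s.realm_type:
        out.append(f"realm {s.realm!r} handled as {s.realm_type}")
    if s.eap_method == "EAP TLS" and s.outcome == "success":
        out.append("EAP-TLS handshake completed and EAP Success sent: client certificate accepted")
    elif s.outcome == "failure":
        bad = [f"{k}={v}" for k, v in s.module_results.items() if v not in OK_CODES]
        out.append("EAP Failure sent; non-success module results: " + ", ".join(bad))
    else:
        out.append("no EAP Success/Failure in this request (mid-conversation packet)")
    # Assumption: a directory lookup shows up as a module result whose name contains 'ldap'.
    if not any("ldap" in k for k in s.module_results):
        out.append("no ldap module result in this request: no AD/LDAP lookup is visible here")
    return out


if __name__ == "__main__":
    for rid, s in sorted(parse_debug(SAMPLE_LOG).items()):
        print(f"request ({rid}) user={s.user_name} auth_type={s.auth_type} outcome={s.outcome}")
        for line in findings(s):
            print("   -", line)
```

Run it against a real capture with `python3 triage.py < radius.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; the mail-wrapped lines in the post would have to be rejoined first, since only lines that start with the `(N) <timestamp>:` prefix are parsed. The useful point for the question asked is the last finding: an EAP Success after `[eaptls verify] = success` proves the client certificate chained to a trusted CA, but says nothing about a directory lookup unless a directory module's own `[...] = ...` line appears in the same request.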