Hello Carlos,
can you check in packetfence.log if you see the EAP-TLS authentication
coming?
It's a line like that:
packetfence_httpd.aaa: httpd.aaa(2265) INFO: [mac:00:11:22:33:44:55] handling radius autz request: from switch_ip => (10.0.0.1), connection_type => Wireless-802.11-NoEAP,switch_mac => (ff:24:8d:79:8c:24), mac => [00:11:22:33:44:55], port => 3, username => "001122334455", ssid => bob (pf::radius::authorize)
And if it exists, can you paste what you have after that?
If there is no line like that, then it means that the EAP-TLS
authentication failed on the FreeRADIUS side.
Regards
Fabrice
On 19-02-15 at 10:50, Carlos Wetli via PacketFence-users wrote:
Hello,
I am trying to do machine authentication against AD (EAP-TLS) and I am
not sure that the authentication is successful. How can I check that
the authentication over AD is successful (logfiles/node audit)? If not
successful, how can I check which authentication source is considered
during authentication?
What I can see for now is the following:
(11) Fri Feb 15 16:19:50 2019: Debug: if (&User-Password &&
(&User-Password != "%{string:User-Password}")) {
(11) Fri Feb 15 16:19:50 2019: Debug: if (&User-Password &&
(&User-Password != "%{string:User-Password}")) -> FALSE
(11) Fri Feb 15 16:19:50 2019: Debug: } # policy filter_password =
updated
(11) Fri Feb 15 16:19:50 2019: Debug: [preprocess] = ok
(11) Fri Feb 15 16:19:50 2019: Debug: suffix: Checking for suffix
after "@"
(11) Fri Feb 15 16:19:50 2019: Debug: suffix: No '@' in User-Name =
"host/M-1.ad.cwe.local", skipping NULL due to config.
(11) Fri Feb 15 16:19:50 2019: Debug: [suffix] = noop
(11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Checking for prefix
before "\"
(11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: No '\' in User-Name =
"host/M-1.ad.cwe.local", looking up realm NULL
(11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Found realm "null"
(11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Adding
Stripped-User-Name = "host/M-1.ad.cwe.local"
(11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Adding Realm = "null"
(11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Authentication realm
is LOCAL
(11) Fri Feb 15 16:19:50 2019: Debug: [ntdomain] = ok
(11) Fri Feb 15 16:19:50 2019: Debug: eap: Peer sent EAP Response
(code 2) ID 9 length 6
(11) Fri Feb 15 16:19:50 2019: Debug: eap: No EAP Start, assuming it's
an on-going EAP conversation
(11) Fri Feb 15 16:19:50 2019: Debug: [eap] = updated
(11) Fri Feb 15 16:19:50 2019: Debug: if ( !EAP-Message ) {
(11) Fri Feb 15 16:19:50 2019: Debug: if ( !EAP-Message ) -> FALSE
(11) Fri Feb 15 16:19:50 2019: Debug: policy
packetfence-eap-mac-policy {
(11) Fri Feb 15 16:19:50 2019: Debug: if ( &EAP-Type ) {
(11) Fri Feb 15 16:19:50 2019: Debug: if ( &EAP-Type ) -> TRUE
(11) Fri Feb 15 16:19:50 2019: Debug: if ( &EAP-Type ) {
(11) Fri Feb 15 16:19:50 2019: Debug: if (&User-Name &&
(&User-Name =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(11) Fri Feb 15 16:19:50 2019: Debug: if (&User-Name &&
(&User-Name =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> FALSE
(11) Fri Feb 15 16:19:50 2019: Debug: } # if ( &EAP-Type ) =
updated
(11) Fri Feb 15 16:19:50 2019: Debug: [noop] = noop
(11) Fri Feb 15 16:19:50 2019: Debug: } # policy
packetfence-eap-mac-policy = updated
(11) Fri Feb 15 16:19:50 2019: WARNING: pap:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(11) Fri Feb 15 16:19:50 2019: WARNING: pap: !!! Ignoring
control:User-Password. Update your !!!
(11) Fri Feb 15 16:19:50 2019: WARNING: pap: !!! configuration so that
the "known good" clear text !!!
(11) Fri Feb 15 16:19:50 2019: WARNING: pap: !!! password is in
Cleartext-Password and NOT in !!!
(11) Fri Feb 15 16:19:50 2019: WARNING: pap: !!!
User-Password. !!!
(11) Fri Feb 15 16:19:50 2019: WARNING: pap:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(11) Fri Feb 15 16:19:50 2019: Debug: [pap] = noop
(11) Fri Feb 15 16:19:50 2019: Debug: } # authorize = updated
(11) Fri Feb 15 16:19:50 2019: Debug: Found Auth-Type = eap
(11) Fri Feb 15 16:19:50 2019: Debug: # Executing group from file
/usr/local/pf/raddb/sites-enabled/packetfence
(11) Fri Feb 15 16:19:50 2019: Debug: authenticate {
(11) Fri Feb 15 16:19:50 2019: Debug: eap: Expiring EAP session with
state 0x4ef4a14549fdace8
(11) Fri Feb 15 16:19:50 2019: Debug: eap: Finished EAP session with
state 0x4ef4a14549fdace8
(11) Fri Feb 15 16:19:50 2019: Debug: eap: Previous EAP request found
for state 0x4ef4a14549fdace8, released from the list
(11) Fri Feb 15 16:19:50 2019: Debug: eap: Peer sent packet with
method EAP TLS (13)
(11) Fri Feb 15 16:19:50 2019: Debug: eap: Calling submodule eap_tls
to process data
(11) Fri Feb 15 16:19:50 2019: Debug: eap_tls: Continuing EAP-TLS
(11) Fri Feb 15 16:19:50 2019: Debug: eap_tls: Peer ACKed our
handshake fragment. handshake is finished
(11) Fri Feb 15 16:19:50 2019: Debug: eap_tls: [eaptls verify] = success
(11) Fri Feb 15 16:19:50 2019: Debug: eap_tls: [eaptls process] = success
(11) Fri Feb 15 16:19:50 2019: Debug: eap: Sending EAP Success (code
3) ID 9 length 4
(11) Fri Feb 15
I have followed the instruction already seen on the support page,
which is to :
- create a profile with a rule eap for the authentication
- create an authentication source for the machine authentication
- create a realm towards the AD
When browsing the AD manually, I can see my host in the correct Base
Search DN.
Thank you for a short advice,
Regards,
Carlos
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
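Added example, not part of the thread and not PacketFence or FreeRADIUS code: a small Python script that applies the check Fabrice describes (look for the "handling radius autz request" line for the MAC in packetfence.log) and the question Carlos asks (did EAP-TLS finish with EAP Success in the FreeRADIUS debug output, and under which identity). Both logs below are constructed samples in the shape of the lines quoted in the two messages; the MAC aa:bb:cc:dd:ee:ff, the second host M-2, request (12) and its failure are made up for illustration.

```python
import re

# Constructed sample of /usr/local/pf/logs/packetfence.log, in the shape of the
# line quoted in Fabrice's reply. Addresses, identities and SSID are made up.
PF_LOG = """\
packetfence_httpd.aaa: httpd.aaa(2265) INFO: [mac:00:11:22:33:44:55] handling radius autz request: from switch_ip => (10.0.0.1), connection_type => Wireless-802.11-NoEAP,switch_mac => (ff:24:8d:79:8c:24), mac => [00:11:22:33:44:55], port => 3, username => "001122334455", ssid => bob (pf::radius::authorize)
packetfence_httpd.aaa: httpd.aaa(2265) INFO: [mac:aa:bb:cc:dd:ee:ff] handling radius autz request: from switch_ip => (10.0.0.1), connection_type => Wireless-802.11-EAP,switch_mac => (ff:24:8d:79:8c:24), mac => [aa:bb:cc:dd:ee:ff], port => 3, username => "host/M-1.ad.cwe.local", ssid => bob (pf::radius::authorize)
"""

# Constructed excerpt in the shape of the radiusd -X output Carlos pasted:
# request (11) ends in EAP Success, request (12) is a made-up failing peer.
RADIUS_DEBUG = """\
(11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Adding Stripped-User-Name = "host/M-1.ad.cwe.local"
(11) Fri Feb 15 16:19:50 2019: Debug: eap: Peer sent packet with method EAP TLS (13)
(11) Fri Feb 15 16:19:50 2019: Debug: eap_tls: [eaptls verify] = success
(11) Fri Feb 15 16:19:50 2019: Debug: eap: Sending EAP Success (code 3) ID 9 length 4
(12) Fri Feb 15 16:20:01 2019: Debug: ntdomain: Adding Stripped-User-Name = "host/M-2.ad.cwe.local"
(12) Fri Feb 15 16:20:01 2019: Debug: eap: Peer sent packet with method EAP TLS (13)
(12) Fri Feb 15 16:20:01 2019: Debug: eap: Sending EAP Failure (code 4) ID 9 length 4
"""

# The PacketFence authorize line: MAC in brackets, then key => value pairs.
PF_AUTZ_RE = re.compile(
    r"\[mac:(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\] handling radius autz request: "
    r".*?connection_type => (?P<conn>[^,]+),"
    r'.*?username => "?(?P<user>[^",]+)"?,'
    r".*?ssid => (?P<ssid>\S+)",
    re.IGNORECASE,
)

# FreeRADIUS debug line: "(request-id) timestamp: Level: message".
FR_LINE_RE = re.compile(
    r"^\((?P<rid>\d+)\) (?P<stamp>.*?): (?P<level>Debug|Info|WARNING|ERROR): (?P<msg>.*)$"
)


def pf_authorize_requests(log_text):
    """Map each MAC PacketFence authorized to the fields of its autz line."""
    seen = {}
    for line in log_text.splitlines():
        m = PF_AUTZ_RE.search(line)
        if m:
            seen[m["mac"].lower()] = {
                "connection_type": m["conn"].strip(),
                "username": m["user"],
                "ssid": m["ssid"],
            }
    return seen


def radius_eap_outcomes(debug_text):
    """Per FreeRADIUS request id: stripped identity, EAP method, final EAP result."""
    out = {}
    for line in debug_text.splitlines():
        m = FR_LINE_RE.match(line)
        if not m:
            continue
        rec = out.setdefault(m["rid"], {"identity": None, "method": None, "result": None})
        msg = m["msg"]
        ident = re.search(r'Stripped-User-Name = "([^"]+)"', msg)
        if ident:
            rec["identity"] = ident.group(1)
        meth = re.search(r"Peer sent packet with method EAP (\S+) \(\d+\)", msg)
        if meth:
            rec["method"] = meth.group(1)
        if "Sending EAP Success" in msg:
            rec["result"] = "success"
        elif "Sending EAP Failure" in msg:
            rec["result"] = "failure"
    return out


def diagnose(mac, identity, pf_log=PF_LOG, radius_debug=RADIUS_DEBUG):
    """Read the two logs together, following Fabrice's rule of thumb.

    NO_RADIUS_REQUEST    no FreeRADIUS request carried this identity
    FREERADIUS_FAILED    EAP Failure was sent: look at the eap_tls lines of that request
    NO_PF_AUTHORIZE      EAP Success, but no authorize line for the MAC in packetfence.log
    PF_USERNAME_MISMATCH PacketFence authorized the MAC under a different username
    OK                   EAP Success and PacketFence handled the request for this identity
    """
    reqs = [r for r in radius_eap_outcomes(radius_debug).values() if r["identity"] == identity]
    if not reqs:
        return "NO_RADIUS_REQUEST"
    if not any(r["result"] == "success" for r in reqs):
        return "FREERADIUS_FAILED"
    pf = pf_authorize_requests(pf_log).get(mac.lower())
    if pf is None:
        return "NO_PF_AUTHORIZE"
    if pf["username"] != identity:
        return "PF_USERNAME_MISMATCH"
    return "OK"


if __name__ == "__main__":
    print(diagnose("aa:bb:cc:dd:ee:ff", "host/M-1.ad.cwe.local"))
    print(diagnose("00:11:22:33:44:55", "host/M-2.ad.cwe.local"))
```

To use it against a real deployment, replace the two constructed strings with the contents of packetfence.log and of the radiusd -X (or radius.log) capture for the same time window. One caveat worth keeping in mind when reading the PacketFence line: the sample quoted in Fabrice's reply shows connection_type Wireless-802.11-NoEAP with the MAC as the username, which is what a MAC-authentication request looks like; for an EAP-TLS request you would expect Wireless-802.11-EAP and the certificate identity (here host/M-1.ad.cwe.local) in the username field, which is why the script also reports a username mismatch.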