Hello Fabrice,

Many thanks Fabrice for your reply on that matter, which is very appreciated.
Please find enclosed the extract as you suggested:

Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO: [mac:80:ce:62:a1:2e:75] handling radius autz request: from switch_ip => (172.29.180.68), connection_type => Ethernet-EAP,switch_mac => (70:35:09:b9:d2:03), mac => [80:ce:62:a1:2e:75], port => 50103, username => "[email protected]" (pf::radius::authorize)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO: [mac:80:ce:62:a1:2e:75] Instantiate profile AD_LOGIN (pf::Connection::ProfileFactory::_from_profile)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO: [mac:80:ce:62:a1:2e:75] Found authentication source(s) : '' for realm 'null' (pf::config::util::filter_authentication_sources)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: [mac:80:ce:62:a1:2e:75] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match2)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO: [mac:80:ce:62:a1:2e:75] Using sources for matching (pf::authentication::match2)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value in string eq at /usr/local/pf/lib/pf/role.pm line 736. (pf::role::_check_bypass)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO: [mac:80:ce:62:a1:2e:75] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 478. (pf::role::getRegisteredRole)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO: [mac:80:ce:62:a1:2e:75] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO: [mac:80:ce:62:a1:2e:75] PID: "[email protected]", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 792. (pf::Switch::getVlanByName)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 795. (pf::Switch::getVlanByName)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: [mac:80:ce:62:a1:2e:75] No parameter Vlan found in conf/switches.conf for the switch 172.29.180.68 (pf::Switch::getVlanByName)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value $roleName in hash element at /usr/local/pf/lib/pf/Switch.pm line 775. (pf::Switch::getRoleByName)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value $roleName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 778. (pf::Switch::getRoleByName)
Feb 18 13:43:49 srv1 pfqueue: pfqueue(11366) INFO: [mac:unknown] undefined source id provided (pf::lookup::person::lookup_person)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO: [mac:80:ce:62:a1:2e:75] Match rule 1:eap (pf::access_filter::radius::test)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value $answer[1] in pattern match (m//) at /usr/local/pf/lib/pf/access_filter/radius.pm line 69. (pf::access_filter::radius::handleAnswerInRule)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value $range in pattern match (m//) at /usr/local/pf/lib/pf/access_filter/radius.pm line 174. (pf::access_filter::radius::rangeValidator)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value $item in pattern match (m//) at /usr/share/perl5/vendor_perl/Number/Range.pm line 43. (Number::Range::initialize)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value $item in split at /usr/share/perl5/vendor_perl/Number/Range.pm line 44. (Number::Range::initialize)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value $answer in substitution (s///) at /usr/local/pf/lib/pf/access_filter/radius.pm line 147. (pf::access_filter::radius::evalParam)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value $answer in substitution (s///) at /usr/local/pf/lib/pf/access_filter/radius.pm line 148. (pf::access_filter::radius::evalParam)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value $return in split at /usr/local/pf/lib/pf/access_filter/radius.pm line 128. (pf::access_filter::radius::evalAnswer)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value in substitution (s///) at /usr/local/pf/lib/pf/access_filter/radius.pm line 129. (pf::access_filter::radius::evalAnswer)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value in hash element at /usr/local/pf/lib/pf/access_filter/radius.pm line 133. (pf::access_filter::radius::evalAnswer)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO: [mac:80:ce:62:a1:2e:75] violation 1300003 force-closed for 80:ce:62:a1:2e:75 (pf::violation::violation_force_close)

Many thanks for your support and any possible hint.
Regards,
Carlos

On Sat., 16 Feb. 2019 at 00:26, Durand fabrice via PacketFence-users <[email protected]> wrote:
> Hello Carlos,
>
> Can you check in packetfence.log if you see the eap-tls authentication coming?
>
> It's a line like that:
>
> packetfence_httpd.aaa: httpd.aaa(2265) INFO: [mac:00:11:22:33:44:55] handling radius autz request: from switch_ip => (10.0.0.1), connection_type => Wireless-802.11-NoEAP,switch_mac => (ff:24:8d:79:8c:24), mac => [00:11:22:33:44:55], port => 3, username => "001122334455, ssid => bob (pf::radius::authorize)
>
> And if it exists can you paste what you have after that?
>
> If there is no line like that then it means that the eap-tls authentication failed on the freeradius side.
>
> Regards
>
> Fabrice
>
>
> On 2019-02-15 at 10:50, Carlos Wetli via PacketFence-users wrote:
> > Hello,
> >
> > I am trying to do machine authentication against AD (EAP-TLS) and I am not sure that the authentication is successful. How can I check that the authentication over AD is successful (logfiles/node audit)? If not successful, how can I check which authentication source is considered during authentication.
> > What I can see for now is the following:
> >
> > (11) Fri Feb 15 16:19:50 2019: Debug: if (&User-Password && (&User-Password != "%{string:User-Password}")) {
> > (11) Fri Feb 15 16:19:50 2019: Debug: if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE
> > (11) Fri Feb 15 16:19:50 2019: Debug: } # policy filter_password = updated
> > (11) Fri Feb 15 16:19:50 2019: Debug: [preprocess] = ok
> > (11) Fri Feb 15 16:19:50 2019: Debug: suffix: Checking for suffix after "@"
> > (11) Fri Feb 15 16:19:50 2019: Debug: suffix: No '@' in User-Name = "host/M-1.ad.cwe.local", skipping NULL due to config.
> > (11) Fri Feb 15 16:19:50 2019: Debug: [suffix] = noop
> > (11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Checking for prefix before "\"
> > (11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: No '\' in User-Name = "host/M-1.ad.cwe.local", looking up realm NULL
> > (11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Found realm "null"
> > (11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Adding Stripped-User-Name = "host/M-1.ad.cwe.local"
> > (11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Adding Realm = "null"
> > (11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Authentication realm is LOCAL
> > (11) Fri Feb 15 16:19:50 2019: Debug: [ntdomain] = ok
> > (11) Fri Feb 15 16:19:50 2019: Debug: eap: Peer sent EAP Response (code 2) ID 9 length 6
> > (11) Fri Feb 15 16:19:50 2019: Debug: eap: No EAP Start, assuming it's an on-going EAP conversation
> > (11) Fri Feb 15 16:19:50 2019: Debug: [eap] = updated
> > (11) Fri Feb 15 16:19:50 2019: Debug: if ( !EAP-Message ) {
> > (11) Fri Feb 15 16:19:50 2019: Debug: if ( !EAP-Message ) -> FALSE
> > (11) Fri Feb 15 16:19:50 2019: Debug: policy packetfence-eap-mac-policy {
> > (11) Fri Feb 15 16:19:50 2019: Debug: if ( &EAP-Type ) {
> > (11) Fri Feb 15 16:19:50 2019: Debug: if ( &EAP-Type ) -> TRUE
> > (11) Fri Feb 15 16:19:50 2019: Debug: if ( &EAP-Type ) {
> > (11) Fri Feb 15 16:19:50 2019: Debug: if (&User-Name && (&User-Name =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
> > (11) Fri Feb 15 16:19:50 2019: Debug: if (&User-Name && (&User-Name =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> FALSE
> > (11) Fri Feb 15 16:19:50 2019: Debug: } # if ( &EAP-Type ) = updated
> > (11) Fri Feb 15 16:19:50 2019: Debug: [noop] = noop
> > (11) Fri Feb 15 16:19:50 2019: Debug: } # policy packetfence-eap-mac-policy = updated
> > (11) Fri Feb 15 16:19:50 2019: WARNING: pap: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> > (11) Fri Feb 15 16:19:50 2019: WARNING: pap: !!! Ignoring control:User-Password. Update your !!!
> > (11) Fri Feb 15 16:19:50 2019: WARNING: pap: !!! configuration so that the "known good" clear text !!!
> > (11) Fri Feb 15 16:19:50 2019: WARNING: pap: !!! password is in Cleartext-Password and NOT in !!!
> > (11) Fri Feb 15 16:19:50 2019: WARNING: pap: !!! User-Password. !!!
> > (11) Fri Feb 15 16:19:50 2019: WARNING: pap: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> > (11) Fri Feb 15 16:19:50 2019: Debug: [pap] = noop
> > (11) Fri Feb 15 16:19:50 2019: Debug: } # authorize = updated
> > (11) Fri Feb 15 16:19:50 2019: Debug: Found Auth-Type = eap
> > (11) Fri Feb 15 16:19:50 2019: Debug: # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
> > (11) Fri Feb 15 16:19:50 2019: Debug: authenticate {
> > (11) Fri Feb 15 16:19:50 2019: Debug: eap: Expiring EAP session with state 0x4ef4a14549fdace8
> > (11) Fri Feb 15 16:19:50 2019: Debug: eap: Finished EAP session with state 0x4ef4a14549fdace8
> > (11) Fri Feb 15 16:19:50 2019: Debug: eap: Previous EAP request found for state 0x4ef4a14549fdace8, released from the list
> > (11) Fri Feb 15 16:19:50 2019: Debug: eap: Peer sent packet with method EAP TLS (13)
> > (11) Fri Feb 15 16:19:50 2019: Debug: eap: Calling submodule eap_tls to process data
> > (11) Fri Feb 15 16:19:50 2019: Debug: eap_tls: Continuing EAP-TLS
> > (11) Fri Feb 15 16:19:50 2019: Debug: eap_tls: Peer ACKed our handshake fragment. handshake is finished
> > (11) Fri Feb 15 16:19:50 2019: Debug: eap_tls: [eaptls verify] = success
> > (11) Fri Feb 15 16:19:50 2019: Debug: eap_tls: [eaptls process] = success
> > (11) Fri Feb 15 16:19:50 2019: Debug: eap: Sending EAP Success (code 3) ID 9 length 4
> > (11) Fri Feb 15
> >
> > I have followed the instruction already seen on the support page, which is to:
> > - create a profile with a rule eap for the authentication
> > - create an authentication source for the machine authentication
> > - create a realm towards the AD
> >
> > When browsing the AD manually, I can see my host in the correct Base Search DN.
> > Thank you for a short advice,
> > Regards,
> > Carlos
> >
> > _______________________________________________
> > PacketFence-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/packetfence-users
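The two questions in the thread (is the EAP-TLS authentication successful, and which authentication source is considered) are answered by two different logs, and it helps to check them separately. The FreeRADIUS trace settles the handshake: "eap_tls: [eaptls verify] = success" followed by "eap: Sending EAP Success (code 3)" means the client certificate was accepted. packetfence.log then shows what PacketFence did with the authenticated identity: the "Found authentication source(s) : '...' for realm '...'" line lists the sources that were considered, and the "Returned VLAN: (...), Role: (...)" line shows the result. In the extracts posted above (taken on different days, so treated here only as samples of each format) the first stage reports success while the second reports an empty source list for realm 'null' and an undefined VLAN and role. The script below is an added example for this thread, not PacketFence code: it parses both formats, as they appear in the posted extracts, and reports which stage a session stopped at. The regexes assume those exact message wordings; other PacketFence or FreeRADIUS versions may phrase them differently.

```python
"""Correlate a FreeRADIUS debug trace with packetfence.log for an 802.1X session.

Added illustration for the mailing-list thread above, not PacketFence code.
The regexes assume the message formats exactly as they appear in the two
extracts posted in the thread.
"""
import re
from collections import OrderedDict

# Sample input: lines copied (shortened to the decisive ones) from the
# packetfence.log extract posted in the thread.
PF_LOG = """\
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO: [mac:80:ce:62:a1:2e:75] handling radius autz request: from switch_ip => (172.29.180.68), connection_type => Ethernet-EAP,switch_mac => (70:35:09:b9:d2:03), mac => [80:ce:62:a1:2e:75], port => 50103, username => "[email protected]" (pf::radius::authorize)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO: [mac:80:ce:62:a1:2e:75] Instantiate profile AD_LOGIN (pf::Connection::ProfileFactory::_from_profile)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO: [mac:80:ce:62:a1:2e:75] Found authentication source(s) : '' for realm 'null' (pf::config::util::filter_authentication_sources)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO: [mac:80:ce:62:a1:2e:75] PID: "[email protected]", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: [mac:80:ce:62:a1:2e:75] No parameter Vlan found in conf/switches.conf for the switch 172.29.180.68 (pf::Switch::getVlanByName)
"""

# Sample input: lines copied from the FreeRADIUS debug output posted in the thread.
RADIUS_DEBUG = """\
(11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Adding Stripped-User-Name = "host/M-1.ad.cwe.local"
(11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Adding Realm = "null"
(11) Fri Feb 15 16:19:50 2019: Debug: eap: Peer sent packet with method EAP TLS (13)
(11) Fri Feb 15 16:19:50 2019: Debug: eap_tls: [eaptls verify] = success
(11) Fri Feb 15 16:19:50 2019: Debug: eap: Sending EAP Success (code 3) ID 9 length 4
"""

MAC_RE = re.compile(r"\[mac:(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\]")
AUTZ_RE = re.compile(r"handling radius autz request: from (?P<kv>.*) \(pf::radius::authorize\)")
# Request fields are written as (x), [x], "x" or bare; a bare value ends at the next comma.
KV_RE = re.compile(
    r'(?P<key>\w+) => (?:\((?P<paren>[^)]*)\)|\[(?P<brack>[^\]]*)\]|"(?P<quoted>[^"]*)"|(?P<bare>[^,]+))'
)
SOURCES_RE = re.compile(r"Found authentication source\(s\) : '(?P<sources>[^']*)' for realm '(?P<realm>[^']*)'")
RESULT_RE = re.compile(r"Returned VLAN: \((?P<vlan>[^)]*)\), Role: \((?P<role>[^)]*)\)")
RADIUS_KV_RE = re.compile(r'(?P<key>Stripped-User-Name|Realm) = "(?P<val>[^"]*)"')
EAP_RESULT_RE = re.compile(r"eap: Sending EAP (?P<result>Success|Failure) \(code [34]\)")


def parse_pf_log(text):
    """Group packetfence.log lines by client MAC and keep the fields that decide the outcome."""
    sessions = OrderedDict()
    for line in text.splitlines():
        m = MAC_RE.search(line)
        if not m:
            continue  # e.g. "[mac:unknown]" pfqueue lines carry no session
        s = sessions.setdefault(m.group("mac"), {"request": {}, "sources": None, "realm": None, "vlan": None, "role": None})
        a = AUTZ_RE.search(line)
        if a:
            for kv in KV_RE.finditer(a.group("kv")):
                val = next(v for v in kv.group("paren", "brack", "quoted", "bare") if v is not None)
                s["request"][kv.group("key")] = val.strip()
        src = SOURCES_RE.search(line)
        if src:
            s["sources"] = [x.strip() for x in src.group("sources").split(",") if x.strip()]
            s["realm"] = src.group("realm")
        r = RESULT_RE.search(line)
        if r:
            s["vlan"] = None if r.group("vlan") == "undefined" else r.group("vlan")
            s["role"] = None if r.group("role") == "undefined" else r.group("role")
    return sessions


def parse_radius_debug(text):
    """Pull the realm decision and the EAP outcome out of a FreeRADIUS -X trace."""
    info = {"Stripped-User-Name": None, "Realm": None, "eap": "incomplete"}
    for line in text.splitlines():
        kv = RADIUS_KV_RE.search(line)
        if kv:
            info[kv.group("key")] = kv.group("val")
        e = EAP_RESULT_RE.search(line)
        if e:
            info["eap"] = e.group("result").lower()
    return info


def diagnose(pf_log, radius_debug):
    """Return (mac, stage, detail) per client, stopping at the first stage that did not succeed."""
    radius = parse_radius_debug(radius_debug)
    findings = []
    for mac, s in parse_pf_log(pf_log).items():
        if radius["eap"] != "success":
            findings.append((mac, "eap-tls", f"EAP outcome in FreeRADIUS: {radius['eap']}"))
        elif not s["sources"]:
            findings.append((mac, "no-source",
                             f"no authentication source for realm {s['realm']!r} "
                             f"(username {s['request'].get('username')!r}; FreeRADIUS Stripped-User-Name "
                             f"{radius['Stripped-User-Name']!r}, Realm {radius['Realm']!r})"))
        elif s["role"] is None:
            findings.append((mac, "no-role", "sources matched but no role/VLAN was returned"))
        else:
            findings.append((mac, "ok", f"role {s['role']}, VLAN {s['vlan']}"))
    return findings


if __name__ == "__main__":
    for mac, stage, detail in diagnose(PF_LOG, RADIUS_DEBUG):
        print(f"{mac}: {stage}: {detail}")
```

Run against the samples it reports the session as stopping at "no-source", i.e. the EAP-TLS handshake itself succeeded and the question is why no authentication source was selected for the realm PacketFence derived from the username. Feeding it a trace that ends in "eap: Sending EAP Failure (code 4)" instead reports "eap-tls", which is the case Fabrice describes where the failure is on the FreeRADIUS side.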
