Hello Carlos,
my remark below.
On 19-02-18 at 09:04, Carlos Wetli via PacketFence-users wrote:
Hello Fabrice,
Many thanks Fabrice for your reply on that matter, which is very
appreciated.
Please find enclosed the extract as you suggested:
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO:
[mac:80:ce:62:a1:2e:75] handling radius autz request: from switch_ip
=> (172.29.180.68), connection_type => Ethernet-EAP,switch_mac =>
(70:35:09:b9:d2:03), mac => [80:ce:62:a1:2e:75], port => 50103,
username => "[email protected]" (pf::radius::authorize)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO:
[mac:80:ce:62:a1:2e:75] Instantiate profile AD_LOGIN
(pf::Connection::ProfileFactory::_from_profile)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO:
[mac:80:ce:62:a1:2e:75] Found authentication source(s) : '' for realm
'null' (pf::config::util::filter_authentication_sources)
The realm is null. Do you have a realm ad.cwe.local configured in PacketFence?
Also, in your AD_LOGIN connection profile, is the source you defined
configured to match the null realm (or ad.cwe.local)? (Edit the
authentication source.)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN:
[mac:80:ce:62:a1:2e:75] Calling match with empty/invalid rule class.
Defaulting to 'authentication' (pf::authentication::match2)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO:
[mac:80:ce:62:a1:2e:75] Using sources for matching
(pf::authentication::match2)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN:
[mac:80:ce:62:a1:2e:75] Use of uninitialized value in string eq at
/usr/local/pf/lib/pf/role.pm line 736.
(pf::role::_check_bypass)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO:
[mac:80:ce:62:a1:2e:75] Role has already been computed and we don't
want to recompute it. Getting role from node_info
(pf::role::getRegisteredRole)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN:
[mac:80:ce:62:a1:2e:75] Use of uninitialized value $role in
concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 478.
(pf::role::getRegisteredRole)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO:
[mac:80:ce:62:a1:2e:75] Username was NOT defined or unable to match a
role - returning node based role '' (pf::role::getRegisteredRole)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO:
[mac:80:ce:62:a1:2e:75] PID: "[email protected]", Status: reg Returned
VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN:
[mac:80:ce:62:a1:2e:75] Use of uninitialized value $vlanName in hash
element at /usr/local/pf/lib/pf/Switch.pm line 792.
(pf::Switch::getVlanByName)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN:
[mac:80:ce:62:a1:2e:75] Use of uninitialized value $vlanName in
concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 795.
(pf::Switch::getVlanByName)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN:
[mac:80:ce:62:a1:2e:75] No parameter Vlan found in conf/switches.conf
for the switch 172.29.180.68 (pf::Switch::getVlanByName)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN:
[mac:80:ce:62:a1:2e:75] Use of uninitialized value $roleName in hash
element at /usr/local/pf/lib/pf/Switch.pm line 775.
(pf::Switch::getRoleByName)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN:
[mac:80:ce:62:a1:2e:75] Use of uninitialized value $roleName in
concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 778.
(pf::Switch::getRoleByName)
Feb 18 13:43:49 srv1 pfqueue: pfqueue(11366) INFO: [mac:unknown]
undefined source id provided (pf::lookup::person::lookup_person)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO:
[mac:80:ce:62:a1:2e:75] Match rule 1:eap (pf::access_filter::radius::test)
It matches a rule in the RADIUS filter, but there is no answer1.
Can you share the RADIUS filters?
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN:
[mac:80:ce:62:a1:2e:75] Use of uninitialized value $answer[1] in
pattern match (m//) at /usr/local/pf/lib/pf/access_filter/radius.pm line 69.
(pf::access_filter::radius::handleAnswerInRule)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN:
[mac:80:ce:62:a1:2e:75] Use of uninitialized value $range in pattern
match (m//) at /usr/local/pf/lib/pf/access_filter/radius.pm line 174.
(pf::access_filter::radius::rangeValidator)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN:
[mac:80:ce:62:a1:2e:75] Use of uninitialized value $item in pattern
match (m//) at /usr/share/perl5/vendor_perl/Number/Range.pm line 43.
(Number::Range::initialize)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN:
[mac:80:ce:62:a1:2e:75] Use of uninitialized value $item in split at
/usr/share/perl5/vendor_perl/Number/Range.pm line 44.
(Number::Range::initialize)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN:
[mac:80:ce:62:a1:2e:75] Use of uninitialized value $answer in
substitution (s///) at /usr/local/pf/lib/pf/access_filter/radius.pm line 147.
(pf::access_filter::radius::evalParam)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN:
[mac:80:ce:62:a1:2e:75] Use of uninitialized value $answer in
substitution (s///) at /usr/local/pf/lib/pf/access_filter/radius.pm line 148.
(pf::access_filter::radius::evalParam)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN:
[mac:80:ce:62:a1:2e:75] Use of uninitialized value $return in split at
/usr/local/pf/lib/pf/access_filter/radius.pm line 128.
(pf::access_filter::radius::evalAnswer)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN:
[mac:80:ce:62:a1:2e:75] Use of uninitialized value in substitution
(s///) at /usr/local/pf/lib/pf/access_filter/radius.pm line 129.
(pf::access_filter::radius::evalAnswer)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN:
[mac:80:ce:62:a1:2e:75] Use of uninitialized value in hash element at
/usr/local/pf/lib/pf/access_filter/radius.pm line 133.
(pf::access_filter::radius::evalAnswer)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO:
[mac:80:ce:62:a1:2e:75] violation 1300003 force-closed for
80:ce:62:a1:2e:75 (pf::violation::violation_force_close)
Regards
Fabrice
Many thanks for your support and any possible hint.
Regards,
carlos
On Sat, 16 Feb 2019 at 00:26, Durand fabrice via
PacketFence-users <[email protected]> wrote:
Hello Carlos,
can you check in packetfence.log whether you see the EAP-TLS
authentication coming in?
It's a line like that:
packetfence_httpd.aaa: httpd.aaa(2265) INFO:
[mac:00:11:22:33:44:55] handling radius autz request: from
switch_ip => (10.0.0.1), connection_type => Wireless-802.1
1-NoEAP,switch_mac => (ff:24:8d:79:8c:24), mac =>
[00:11:22:33:44:55], port => 3, username => "001122334455, ssid =>
bob (pf::radius::authorize)
And if it exists, can you paste what you have after that?
If there is no line like that, then it means that the EAP-TLS
authentication failed on the FreeRADIUS side.
Regards
Fabrice
On 19-02-15 at 10:50, Carlos Wetli via PacketFence-users wrote:
Hello,
I am trying to do machine authentication against AD (EAP-TLS) and
I am not sure that the authentication is successful. How can I
check that the authentication over AD is successful
(logfiles/node audit)? If not successful, how can I check which
authentication source is considered during authentication?
What I can see for now is the following:
(11) Fri Feb 15 16:19:50 2019: Debug: if (&User-Password &&
(&User-Password != "%{string:User-Password}")) {
(11) Fri Feb 15 16:19:50 2019: Debug: if (&User-Password &&
(&User-Password != "%{string:User-Password}")) -> FALSE
(11) Fri Feb 15 16:19:50 2019: Debug: } # policy
filter_password = updated
(11) Fri Feb 15 16:19:50 2019: Debug: [preprocess] = ok
(11) Fri Feb 15 16:19:50 2019: Debug: suffix: Checking for suffix
after "@"
(11) Fri Feb 15 16:19:50 2019: Debug: suffix: No '@' in User-Name
= "host/M-1.ad.cwe.local", skipping NULL due to config.
(11) Fri Feb 15 16:19:50 2019: Debug: [suffix] = noop
(11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Checking for
prefix before "\"
(11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: No '\' in
User-Name = "host/M-1.ad.cwe.local", looking up realm NULL
(11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Found realm "null"
(11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Adding
Stripped-User-Name = "host/M-1.ad.cwe.local"
(11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Adding Realm = "null"
(11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Authentication
realm is LOCAL
(11) Fri Feb 15 16:19:50 2019: Debug: [ntdomain] = ok
(11) Fri Feb 15 16:19:50 2019: Debug: eap: Peer sent EAP Response
(code 2) ID 9 length 6
(11) Fri Feb 15 16:19:50 2019: Debug: eap: No EAP Start, assuming
it's an on-going EAP conversation
(11) Fri Feb 15 16:19:50 2019: Debug: [eap] = updated
(11) Fri Feb 15 16:19:50 2019: Debug: if ( !EAP-Message ) {
(11) Fri Feb 15 16:19:50 2019: Debug: if ( !EAP-Message ) ->
FALSE
(11) Fri Feb 15 16:19:50 2019: Debug: policy
packetfence-eap-mac-policy {
(11) Fri Feb 15 16:19:50 2019: Debug: if ( &EAP-Type ) {
(11) Fri Feb 15 16:19:50 2019: Debug: if ( &EAP-Type ) -> TRUE
(11) Fri Feb 15 16:19:50 2019: Debug: if ( &EAP-Type ) {
(11) Fri Feb 15 16:19:50 2019: Debug: if (&User-Name &&
(&User-Name =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(11) Fri Feb 15 16:19:50 2019: Debug: if (&User-Name &&
(&User-Name =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> FALSE
(11) Fri Feb 15 16:19:50 2019: Debug: } # if ( &EAP-Type )
= updated
(11) Fri Feb 15 16:19:50 2019: Debug: [noop] = noop
(11) Fri Feb 15 16:19:50 2019: Debug: } # policy
packetfence-eap-mac-policy = updated
(11) Fri Feb 15 16:19:50 2019: WARNING: pap:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(11) Fri Feb 15 16:19:50 2019: WARNING: pap: !!! Ignoring
control:User-Password. Update your !!!
(11) Fri Feb 15 16:19:50 2019: WARNING: pap: !!! configuration so
that the "known good" clear text !!!
(11) Fri Feb 15 16:19:50 2019: WARNING: pap: !!! password is in
Cleartext-Password and NOT in !!!
(11) Fri Feb 15 16:19:50 2019: WARNING: pap: !!! User-Password. !!!
(11) Fri Feb 15 16:19:50 2019: WARNING: pap:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(11) Fri Feb 15 16:19:50 2019: Debug: [pap] = noop
(11) Fri Feb 15 16:19:50 2019: Debug: } # authorize = updated
(11) Fri Feb 15 16:19:50 2019: Debug: Found Auth-Type = eap
(11) Fri Feb 15 16:19:50 2019: Debug: # Executing group from file
/usr/local/pf/raddb/sites-enabled/packetfence
(11) Fri Feb 15 16:19:50 2019: Debug: authenticate {
(11) Fri Feb 15 16:19:50 2019: Debug: eap: Expiring EAP session
with state 0x4ef4a14549fdace8
(11) Fri Feb 15 16:19:50 2019: Debug: eap: Finished EAP session
with state 0x4ef4a14549fdace8
(11) Fri Feb 15 16:19:50 2019: Debug: eap: Previous EAP request
found for state 0x4ef4a14549fdace8, released from the list
(11) Fri Feb 15 16:19:50 2019: Debug: eap: Peer sent packet with
method EAP TLS (13)
(11) Fri Feb 15 16:19:50 2019: Debug: eap: Calling submodule
eap_tls to process data
(11) Fri Feb 15 16:19:50 2019: Debug: eap_tls: Continuing EAP-TLS
(11) Fri Feb 15 16:19:50 2019: Debug: eap_tls: Peer ACKed our
handshake fragment. handshake is finished
(11) Fri Feb 15 16:19:50 2019: Debug: eap_tls: [eaptls verify] =
success
(11) Fri Feb 15 16:19:50 2019: Debug: eap_tls: [eaptls process] =
success
(11) Fri Feb 15 16:19:50 2019: Debug: eap: Sending EAP Success
(code 3) ID 9 length 4
(11) Fri Feb 15
I have followed the instructions already seen on the support page,
which are to:
- create a profile with a rule eap for the authentication
- create an authentication source for the machine authentication
- create a realm towards the AD
When browsing the AD manually, I can see my host in the correct
Base Search DN.
Thank you for a short advice,
Regards,
Carlos
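The two failure points in the thread, as a worked model added here (this is not PacketFence or FreeRADIUS code): first, the FreeRADIUS debug output shows the suffix module looking for a realm after "@" and the ntdomain module looking for one before "\", so a machine identity like host/M-1.ad.cwe.local has neither separator and lands in the NULL realm, after which PacketFence finds no authentication source for realm 'null'; second, the PacketFence log reports a RADIUS filter rule 1:eap matching but carrying no answer1. The script below reproduces that realm derivation, shows which realm an operator would actually need a source bound to, and lints a radius_filters.conf-style file for answer sections without any answerN key. The INI layout and the `N:name` section naming are assumptions inferred from the "Match rule 1:eap" log line; the sample config and identities are constructed for the example.

```python
"""Added example modelling the realm and RADIUS-filter checks discussed
in the thread. Not PacketFence or FreeRADIUS code; the config format
below is an assumption inferred from the 'Match rule 1:eap' log line."""
import configparser
import re
from typing import Dict, List, Optional, Tuple

NULL_REALM = "null"  # the realm name the log reports for unmatched users


def derive_realm(user_name: str) -> Tuple[str, str]:
    """Mimic the order seen in the debug log: the suffix module strips a
    realm after '@', then ntdomain strips one before '\\'; a name with
    neither separator stays whole and is assigned the NULL realm."""
    if "@" in user_name:
        stripped, realm = user_name.rsplit("@", 1)
        return stripped, realm.lower()
    if "\\" in user_name:
        realm, stripped = user_name.split("\\", 1)
        return stripped, realm.lower()
    return user_name, NULL_REALM


def machine_account_domain(user_name: str) -> Optional[str]:
    """For a host/<shortname>.<domain> machine identity, return <domain>.
    This is the realm an operator would expect the AD source to match."""
    m = re.fullmatch(r"host/([^.]+)\.(.+)", user_name, re.IGNORECASE)
    return m.group(2).lower() if m else None


def pick_sources(realm: str, realm_sources: Dict[str, List[str]]) -> List[str]:
    """Only sources bound to the derived realm are considered, which is
    why the log shows "Found authentication source(s) : '' for realm
    'null'" when nothing is bound to the null realm."""
    return realm_sources.get(realm, [])


def diagnose(user_name: str, realm_sources: Dict[str, List[str]]) -> Dict[str, object]:
    """Combine the steps above into one report for a given User-Name."""
    stripped, realm = derive_realm(user_name)
    sources = pick_sources(realm, realm_sources)
    wanted = machine_account_domain(user_name)
    hint = None
    if not sources:
        if wanted and wanted in realm_sources:
            # the source exists but is bound to the FQDN realm, not NULL
            hint = f"bind a source to realm '{realm}' or make '{wanted}' match"
        else:
            hint = f"no authentication source is bound to realm '{realm}'"
    return {"stripped": stripped, "realm": realm, "sources": sources, "hint": hint}


def rules_without_answers(conf_text: str) -> List[str]:
    """Lint a radius_filters.conf-style text (assumed format): report
    every 'N:name' answer section that defines no answerN key, which is
    the situation behind 'Match rule 1:eap' followed by uninitialized
    $answer[1] warnings in the log."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    missing = []
    for section in cp.sections():
        if re.fullmatch(r"\d+:\w+", section):
            if not any(key.startswith("answer") for key in cp[section]):
                missing.append(section)
    return missing


# Constructed sample: rule 1:eap matches but returns nothing, 2:eap is complete.
SAMPLE_FILTERS = """
[eap]
filter=connection_type
operator=is
value=Ethernet-EAP

[1:eap]
scope=returnRadiusAccessAccept

[2:eap]
scope=returnRadiusAccessAccept
answer1=Tunnel-Medium-Type => 6
answer2=Tunnel-Type => 13
"""

# Constructed realm-to-source binding: the AD source only matches the FQDN realm.
SAMPLE_BINDINGS = {"ad.cwe.local": ["AD_MACHINES"]}

if __name__ == "__main__":
    for name in ("host/M-1.ad.cwe.local", "user@ad.cwe.local", "CWE\\user"):
        print(name, "->", diagnose(name, SAMPLE_BINDINGS))
    print("answer sections without answers:", rules_without_answers(SAMPLE_FILTERS))
```

Run it directly to see that the machine identity resolves to realm 'null' with no sources while the user identities resolve to ad.cwe.local and cwe, and that the lint names 1:eap as the rule with no answer. The same two checks are what the remarks in the thread ask for: a source bound to the realm the identity actually lands in, and an answerN line on every filter rule that is meant to return attributes.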
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users