Hello Fabrice,

I put everything together and simplified it in order to have a single
catch_all rule:

I did a check with ldapsearch to check if I have connectivity with the AD
and if the machine can be found. The test was successful.

The user authentication is done against the AD which is also working fine.

Thanks again for your support in that matter,
Regards,
Carlos


!-----------------------------------------------------------------!
!         profiles.conf                                           !
!-----------------------------------------------------------------!

root@srv1:/usr/local/pf/conf# more profiles.conf
[AD_LOGIN]
locale=
device_registration=default
filter=connection_type:Ethernet-EAP
description=AD LOGIN
autoregister=enabled
preregistration=enabled
root_module=default_pending_policy
sources=CWE
#
# Copyright (C) 2005-2018 Inverse inc.
#
# See the enclosed file COPYING for license information (GPL).
# If you did not receive this file, see
# http://www.fsf.org/licensing/licenses/gpl.html

!-----------------------------------------------------------------!
!         authentication.conf                                     !
!-----------------------------------------------------------------!
root@srv1:/usr/local/pf/conf# more authentication.conf
[local]
description=Local Users
type=SQL

[file1]
description=Legacy Source
path=/usr/local/pf/conf/admin.conf
type=Htpasswd
realms=null

[file1 rule admins]
description=All admins
class=administration
match=all
action0=set_access_level=ALL

[null]
description=Null Source
type=Null
email_required=no

[null rule catchall]
description=catchall
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D

[CWE]
cache_match=0
read_timeout=10
realms=ad.cwe.local
password=SecretPass
searchattributes=
scope=sub
binddn=CN=cwe1,OU=Manual,OU=TechUsers,DC=ad,DC=cwe,DC=local
port=389
description=ad.cwe.local
write_timeout=5
type=AD
basedn=OU=Laptop,OU=Workplaces,DC=ad,DC=cwe,DC=local
monitor=1
set_access_level_action=
shuffle=1
usernameattribute=servicePrincipalName
connection_timeout=1
encryption=none
host=ad.cwe.local
email_attribute=mail

[CWE rule catch_all_admin]
action0=set_access_level=NONE
match=all
class=administration

[CWE rule catch_all_auth]
action0=set_role=default
match=all
class=authentication
action1=set_access_duration=12h

[CWE_ADMIN_LOGIN]
cache_match=0
read_timeout=10
realms=ad.cwe.local
password=SecretPass
searchattributes=
scope=sub
binddn=CN=cwe1,OU=Users,DC=ad,DC=cwe,DC=local
port=636
description=ad.cwe.local
write_timeout=5
type=AD
basedn=OU=Users,DC=ad,DC=cwe,DC=local
monitor=1
set_access_level_action=
shuffle=0
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=1
encryption=ssl
host=ad.cwe.local

[CWE_ADMIN_LOGIN rule catch_all_admin]
action0=set_access_level=ALL
match=all
class=administration

[CWE_ADMIN_LOGIN rule catch_all_auth]
action0=set_role=default
match=all
class=authentication
action1=set_access_duration=12h


!-----------------------------------------------------------------!
!         realm.conf                                              !
!-----------------------------------------------------------------!
root@srv1:/usr/local/pf/conf# more realm.conf
[1 DEFAULT]
permit_custom_attributes=disabled
radius_auth_proxy_type=keyed-balance
radius_acct_proxy_type=load-balance
radius_auth_compute_in_pf=enabled
radius_auth=
radius_acct=

[1 LOCAL]
permit_custom_attributes=disabled
radius_auth_proxy_type=keyed-balance
radius_acct_proxy_type=load-balance
radius_auth_compute_in_pf=enabled
radius_auth=
radius_acct=

[1 NULL]
radius_strip_username=enabled
permit_custom_attributes=disabled
radius_auth_proxy_type=keyed-balance
radius_acct_proxy_type=load-balance
radius_auth_compute_in_pf=enabled
radius_auth=
radius_acct=
domain=CWE

[1 ad.cwe.local]
permit_custom_attributes=disabled
radius_auth_proxy_type=keyed-balance
radius_acct_proxy_type=load-balance
radius_auth_compute_in_pf=enabled
radius_auth=
admin_strip_username=enabled
domain=CWE
radius_strip_username=enabled
portal_strip_username=enabled
radius_acct=
ldap_source=CWE

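As an added consistency check, not code from this thread or from PacketFence itself: the script below loads constructed excerpts modelled on the three files above and reports which sources a connection profile can use for the realm FreeRADIUS assigned, which reproduces the empty source list logged earlier for realm 'null' and flags an AD source that binds without TLS. The realm-filtering rule (a source applies only if the realm is in its `realms` list) is an assumption about PacketFence's behaviour, not taken from its code.

```python
import configparser

# Constructed excerpts modelled on the three files above (not the full files).
PROFILES_CONF = """
[AD_LOGIN]
sources=CWE
"""
AUTH_CONF = """
[CWE]
type=AD
realms=ad.cwe.local
encryption=none
[CWE_ADMIN_LOGIN]
type=AD
realms=ad.cwe.local
encryption=ssl
"""
REALM_CONF = """
[1 NULL]
radius_strip_username=enabled
[1 ad.cwe.local]
ldap_source=CWE
"""

def load(text):
    cp = configparser.ConfigParser(interpolation=None)  # '%' is literal in pf configs
    cp.read_string(text)
    return cp

def sources_for_realm(profiles, auth, profile, realm):
    """Profile sources whose 'realms' list covers the realm FreeRADIUS assigned
    (assumption: mirrors the 'Found authentication source(s) ... for realm' filter)."""
    names = [s.strip() for s in profiles[profile].get("sources", "").split(",")]
    return [s for s in names if s in auth and realm.lower() in
            [r.strip().lower() for r in auth[s].get("realms", "").split(",")]]

def audit(profiles, auth, realms):
    """Unservable realms, dangling ldap_source references, AD binds in the clear."""
    findings = []
    for section in realms.sections():
        realm = section.split(" ", 1)[-1]  # "[1 NULL]" -> "NULL" (tenant id prefix)
        src = realms[section].get("ldap_source", "")
        if src and src not in auth:
            findings.append(f"realm {realm}: ldap_source {src!r} does not exist")
        for prof in profiles.sections():
            if not sources_for_realm(profiles, auth, prof, realm):
                findings.append(f"realm {realm}: profile {prof} has no matching source")
    for sec in auth.sections():  # skip "[X rule Y]" sections, they are not sources
        if " rule " not in sec and auth[sec].get("type") == "AD" \
                and auth[sec].get("encryption", "none") == "none":
            findings.append(f"source {sec}: bind credentials sent in the clear")
    return findings
```

Run `audit(load(PROFILES_CONF), load(AUTH_CONF), load(REALM_CONF))` against the real files to see which realm a profile cannot serve before the switch sends the first request.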

On Tue, 19 Feb 2019 at 03:28, Durand fabrice via
PacketFence-users <[email protected]> wrote:

> Hello Carlos,
>
> my remark below.
> On 2019-02-18 at 09:04, Carlos Wetli via PacketFence-users wrote:
>
> Hello Fabrice,
>
> Many thanks Fabrice for your reply on that matter, which is very
> appreciated.
>
> Please find enclosed the extract as you suggested:
>
>
> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO:
> [mac:80:ce:62:a1:2e:75] handling radius autz request: from switch_ip =>
> (172.29.180.68), connection_type => Ethernet-EAP,switch_mac =>
> (70:35:09:b9:d2:03), mac => [80:ce:62:a1:2e:75], port => 50103, username =>
> "[email protected]" <[email protected]> (pf::radius::authorize)
> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO:
> [mac:80:ce:62:a1:2e:75] Instantiate profile AD_LOGIN
> (pf::Connection::ProfileFactory::_from_profile)
> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO:
> [mac:80:ce:62:a1:2e:75] Found authentication source(s) : '' for realm
> 'null' (pf::config::util::filter_authentication_sources)
>
> The realm is null. Do you have a realm ad.cwe.local configured in PacketFence?
>
> Also, in your AD_LOGIN connection profile, is the source you defined
> configured to match the null realm (or ad.cwe.local)? (Edit the
> authentication source.)
>
> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN:
> [mac:80:ce:62:a1:2e:75] Calling match with empty/invalid rule class.
> Defaulting to 'authentication' (pf::authentication::match2)
> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO:
> [mac:80:ce:62:a1:2e:75] Using sources  for matching
> (pf::authentication::match2)
> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN:
> [mac:80:ce:62:a1:2e:75] Use of uninitialized value in string eq at
> /usr/local/pf/lib/pf/role.pm line 736.
>  (pf::role::_check_bypass)
> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO:
> [mac:80:ce:62:a1:2e:75] Role has already been computed and we don't want to
> recompute it. Getting role from node_info (pf::role::getRegisteredRole)
> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN:
> [mac:80:ce:62:a1:2e:75] Use of uninitialized value $role in concatenation
> (.) or string at /usr/local/pf/lib/pf/role.pm line 478.
>  (pf::role::getRegisteredRole)
> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO:
> [mac:80:ce:62:a1:2e:75] Username was NOT defined or unable to match a role
> - returning node based role '' (pf::role::getRegisteredRole)
> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO:
> [mac:80:ce:62:a1:2e:75] PID: "[email protected]" <[email protected]>,
> Status: reg Returned VLAN: (undefined), Role: (undefined)
> (pf::role::fetchRoleForNode)
> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN:
> [mac:80:ce:62:a1:2e:75] Use of uninitialized value $vlanName in hash
> element at /usr/local/pf/lib/pf/Switch.pm line 792.
>  (pf::Switch::getVlanByName)
> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN:
> [mac:80:ce:62:a1:2e:75] Use of uninitialized value $vlanName in
> concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 795.
>  (pf::Switch::getVlanByName)
> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN:
> [mac:80:ce:62:a1:2e:75] No parameter Vlan found in conf/switches.conf for
> the switch 172.29.180.68 (pf::Switch::getVlanByName)
> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN:
> [mac:80:ce:62:a1:2e:75] Use of uninitialized value $roleName in hash
> element at /usr/local/pf/lib/pf/Switch.pm line 775.
>  (pf::Switch::getRoleByName)
> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN:
> [mac:80:ce:62:a1:2e:75] Use of uninitialized value $roleName in
> concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 778.
>  (pf::Switch::getRoleByName)
> Feb 18 13:43:49 srv1 pfqueue: pfqueue(11366) INFO: [mac:unknown] undefined
> source id provided (pf::lookup::person::lookup_person)
> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO:
> [mac:80:ce:62:a1:2e:75] Match rule 1:eap (pf::access_filter::radius::test)
>
> It matches a rule in the radius filter but there is no answer1.
>
> Can you share the radius filters?
>
> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN:
> [mac:80:ce:62:a1:2e:75] Use of uninitialized value $answer[1] in pattern
> match (m//) at /usr/local/pf/lib/pf/access_filter/radius.pm line 69.
>  (pf::access_filter::radius::handleAnswerInRule)
> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN:
> [mac:80:ce:62:a1:2e:75] Use of uninitialized value $range in pattern match
> (m//) at /usr/local/pf/lib/pf/access_filter/radius.pm line 174.
>  (pf::access_filter::radius::rangeValidator)
> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN:
> [mac:80:ce:62:a1:2e:75] Use of uninitialized value $item in pattern match
> (m//) at /usr/share/perl5/vendor_perl/Number/Range.pm line 43.
>  (Number::Range::initialize)
> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN:
> [mac:80:ce:62:a1:2e:75] Use of uninitialized value $item in split at
> /usr/share/perl5/vendor_perl/Number/Range.pm line 44.
>  (Number::Range::initialize)
> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN:
> [mac:80:ce:62:a1:2e:75] Use of uninitialized value $answer in substitution
> (s///) at /usr/local/pf/lib/pf/access_filter/radius.pm line 147.
>  (pf::access_filter::radius::evalParam)
> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN:
> [mac:80:ce:62:a1:2e:75] Use of uninitialized value $answer in substitution
> (s///) at /usr/local/pf/lib/pf/access_filter/radius.pm line 148.
>  (pf::access_filter::radius::evalParam)
> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN:
> [mac:80:ce:62:a1:2e:75] Use of uninitialized value $return in split at
> /usr/local/pf/lib/pf/access_filter/radius.pm line 128.
>  (pf::access_filter::radius::evalAnswer)
> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN:
> [mac:80:ce:62:a1:2e:75] Use of uninitialized value in substitution (s///)
> at /usr/local/pf/lib/pf/access_filter/radius.pm line 129.
>  (pf::access_filter::radius::evalAnswer)
> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN:
> [mac:80:ce:62:a1:2e:75] Use of uninitialized value in hash element at
> /usr/local/pf/lib/pf/access_filter/radius.pm line 133.
>  (pf::access_filter::radius::evalAnswer)
> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO:
> [mac:80:ce:62:a1:2e:75] violation 1300003 force-closed for
> 80:ce:62:a1:2e:75 (pf::violation::violation_force_close)
>
> Regards
>
> Fabrice
>
>
> Many thanks for your support and any possible hint.
> Regards,
> carlos
>
> On Sat, 16 Feb 2019 at 00:26, Durand fabrice via
> PacketFence-users <[email protected]> wrote:
>
>> Hello Carlos,
>>
>> Can you check in packetfence.log if you see the eap-tls authentication
>> coming?
>>
>> It's a line like that:
>>
>> packetfence_httpd.aaa: httpd.aaa(2265) INFO: [mac:00:11:22:33:44:55]
>> handling radius autz request: from switch_ip => (10.0.0.1), connection_type
>> => Wireless-802.1
>> 1-NoEAP,switch_mac => (ff:24:8d:79:8c:24), mac => [00:11:22:33:44:55],
>> port => 3, username => "001122334455, ssid => bob (pf::radius::authorize)
>>
>> And if it exists, can you paste what you have after that?
>>
>> If there is no line like that, then it means that the eap-tls
>> authentication failed on the freeradius side.
>>
>> Regards
>>
>> Fabrice
>>
>>
>> On 2019-02-15 at 10:50, Carlos Wetli via PacketFence-users wrote:
>>
>> Hello,
>>
>> I am trying to do machine authentication against AD (EAP-TLS) and I am
>> not sure that the authentication is successful. How can I check that the
>> authentication over AD is successful (logfiles/node audit)? If not
>> successful, how can I check which authentication source is considered
>> during authentication?
>>
>> What I can see for now is the following:
>>
>> (11) Fri Feb 15 16:19:50 2019: Debug:       if (&User-Password
>> &&          (&User-Password != "%{string:User-Password}")) {
>> (11) Fri Feb 15 16:19:50 2019: Debug:       if (&User-Password
>> &&          (&User-Password != "%{string:User-Password}"))  -> FALSE
>> (11) Fri Feb 15 16:19:50 2019: Debug:     } # policy filter_password =
>> updated
>> (11) Fri Feb 15 16:19:50 2019: Debug:     [preprocess] = ok
>> (11) Fri Feb 15 16:19:50 2019: Debug: suffix: Checking for suffix after
>> "@"
>> (11) Fri Feb 15 16:19:50 2019: Debug: suffix: No '@' in User-Name =
>> "host/M-1.ad.cwe.local", skipping NULL due to config.
>> (11) Fri Feb 15 16:19:50 2019: Debug:     [suffix] = noop
>> (11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Checking for prefix
>> before "\"
>> (11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: No '\' in User-Name =
>> "host/M-1.ad.cwe.local", looking up realm NULL
>> (11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Found realm "null"
>> (11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Adding Stripped-User-Name
>> = "host/M-1.ad.cwe.local"
>> (11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Adding Realm = "null"
>> (11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Authentication realm is
>> LOCAL
>> (11) Fri Feb 15 16:19:50 2019: Debug:     [ntdomain] = ok
>> (11) Fri Feb 15 16:19:50 2019: Debug: eap: Peer sent EAP Response (code
>> 2) ID 9 length 6
>> (11) Fri Feb 15 16:19:50 2019: Debug: eap: No EAP Start, assuming it's an
>> on-going EAP conversation
>> (11) Fri Feb 15 16:19:50 2019: Debug:     [eap] = updated
>> (11) Fri Feb 15 16:19:50 2019: Debug:     if ( !EAP-Message ) {
>> (11) Fri Feb 15 16:19:50 2019: Debug:     if ( !EAP-Message )  -> FALSE
>> (11) Fri Feb 15 16:19:50 2019: Debug:     policy
>> packetfence-eap-mac-policy {
>> (11) Fri Feb 15 16:19:50 2019: Debug:       if ( &EAP-Type ) {
>> (11) Fri Feb 15 16:19:50 2019: Debug:       if ( &EAP-Type )  -> TRUE
>> (11) Fri Feb 15 16:19:50 2019: Debug:       if ( &EAP-Type )  {
>> (11) Fri Feb 15 16:19:50 2019: Debug:         if (&User-Name &&
>> (&User-Name =~
>> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
>> {
>> (11) Fri Feb 15 16:19:50 2019: Debug:         if (&User-Name &&
>> (&User-Name =~
>> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
>> -> FALSE
>> (11) Fri Feb 15 16:19:50 2019: Debug:       } # if ( &EAP-Type )  =
>> updated
>> (11) Fri Feb 15 16:19:50 2019: Debug:       [noop] = noop
>> (11) Fri Feb 15 16:19:50 2019: Debug:     } # policy
>> packetfence-eap-mac-policy = updated
>> (11) Fri Feb 15 16:19:50 2019: WARNING: pap:
>> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>> (11) Fri Feb 15 16:19:50 2019: WARNING: pap: !!! Ignoring
>> control:User-Password.  Update your        !!!
>> (11) Fri Feb 15 16:19:50 2019: WARNING: pap: !!! configuration so that
>> the "known good" clear text !!!
>> (11) Fri Feb 15 16:19:50 2019: WARNING: pap: !!! password is in
>> Cleartext-Password and NOT in        !!!
>> (11) Fri Feb 15 16:19:50 2019: WARNING: pap: !!!
>> User-Password.                                      !!!
>> (11) Fri Feb 15 16:19:50 2019: WARNING: pap:
>> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>> (11) Fri Feb 15 16:19:50 2019: Debug:     [pap] = noop
>> (11) Fri Feb 15 16:19:50 2019: Debug:   } # authorize = updated
>> (11) Fri Feb 15 16:19:50 2019: Debug: Found Auth-Type = eap
>> (11) Fri Feb 15 16:19:50 2019: Debug: # Executing group from file
>> /usr/local/pf/raddb/sites-enabled/packetfence
>> (11) Fri Feb 15 16:19:50 2019: Debug:   authenticate {
>> (11) Fri Feb 15 16:19:50 2019: Debug: eap: Expiring EAP session with
>> state 0x4ef4a14549fdace8
>> (11) Fri Feb 15 16:19:50 2019: Debug: eap: Finished EAP session with
>> state 0x4ef4a14549fdace8
>> (11) Fri Feb 15 16:19:50 2019: Debug: eap: Previous EAP request found for
>> state 0x4ef4a14549fdace8, released from the list
>> (11) Fri Feb 15 16:19:50 2019: Debug: eap: Peer sent packet with method
>> EAP TLS (13)
>> (11) Fri Feb 15 16:19:50 2019: Debug: eap: Calling submodule eap_tls to
>> process data
>> (11) Fri Feb 15 16:19:50 2019: Debug: eap_tls: Continuing EAP-TLS
>> (11) Fri Feb 15 16:19:50 2019: Debug: eap_tls: Peer ACKed our handshake
>> fragment.  handshake is finished
>> (11) Fri Feb 15 16:19:50 2019: Debug: eap_tls: [eaptls verify] = success
>> (11) Fri Feb 15 16:19:50 2019: Debug: eap_tls: [eaptls process] = success
>> (11) Fri Feb 15 16:19:50 2019: Debug: eap: Sending EAP Success (code 3)
>> ID 9 length 4
>> (11) Fri Feb 15
>>
>> I have followed the instruction already seen on the support page, which
>> is to :
>> - create a profile with a rule eap for the authentication
>> - create an authentication source for the machine authentication
>> - create a realm towards the AD
>>
>> When browsing the AD manually, I can see my host in the correct Base
>> Search DN.
>>
>> Thank you for a short advice,
>> Regards,
>> Carlos
>>
>>
>>
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
