Hello Fabrice,

I did quite a lot while changing some parameters, but the authentication source is never found, even though the correct connection profile is considered:

Feb 21 12:16:48 srv1 packetfence_httpd.aaa: httpd.aaa(14253) INFO: [mac:80:ce:62:a1:2e:75] handling radius autz request: from switch_ip => (172.29.180.68), connection_type => Ethernet-EAP,switch_mac => (70:35:09:b9:d2:03), mac => [80:ce:62:a1:2e:75], port => 10103, username => "[email protected]" (pf::radius::authorize)
Feb 21 12:16:48 srv1 packetfence_httpd.aaa: httpd.aaa(14253) INFO: [mac:80:ce:62:a1:2e:75] Instantiate profile AD_LOGIN (pf::Connection::ProfileFactory::_from_profile)
Feb 21 12:16:48 srv1 packetfence_httpd.aaa: httpd.aaa(14253) INFO: [mac:80:ce:62:a1:2e:75] Found authentication source(s) : '' for realm 'null' (pf::config::util::filter_authentication_sources)
Feb 21 12:16:48 srv1 packetfence_httpd.aaa: httpd.aaa(14253) WARN: [mac:80:ce:62:a1:2e:75] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match2)
Feb 21 12:16:48 srv1 packetfence_httpd.aaa: httpd.aaa(14253) INFO: [mac:80:ce:62:a1:2e:75] Using sources for matching (pf::authentication::match2)
Feb 21 12:16:48 srv1 packetfence_httpd.aaa: httpd.aaa(14253) WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value in string eq at /usr/local/pf/lib/pf/role.pm line 736. (pf::role::_check_bypass)
Feb 21 12:16:48 srv1 packetfence_httpd.aaa: httpd.aaa(14253) INFO: [mac:80:ce:62:a1:2e:75] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)

Is there a way to increase the loglevel of packetfence or to add additional logging in the source?

Thank you for any possible advice on that topic.

Regards,
Carlos

On Tue, 19 Feb 2019 at 10:50, Carlos Wetli <[email protected]> wrote:
> Hello Fabrice,
>
> I put all together and simplified everything in order to have a single
> catch_all rule:
>
> I did a check with ldapsearch to check if I have connectivity with the AD
> and if the machine can be found. The test was successful.
>
> The user authentication is done against the AD which is also working fine.
>
> Thanks again for your support in that matter,
> Regards,
> Carlos
>
>
> !-----------------------------------------------------------------!
> ! profiles.conf !
> !-----------------------------------------------------------------!
>
> root@srv1:/usr/local/pf/conf# more profiles.conf
> [AD_LOGIN]
> locale=
> device_registration=default
> filter=connection_type:Ethernet-EAP
> description=AD LOGIN
> autoregister=enabled
> preregistration=enabled
> root_module=default_pending_policy
> sources=CWE
> #
> # Copyright (C) 2005-2018 Inverse inc.
> #
> # See the enclosed file COPYING for license information (GPL).
> # If you did not receive this file, see
> # http://www.fsf.org/licensing/licenses/gpl.html
>
> !-----------------------------------------------------------------!
> ! authentication.conf !
> !-----------------------------------------------------------------!
> root@srv1:/usr/local/pf/conf# more authentication.conf
> [local]
> description=Local Users
> type=SQL
>
> [file1]
> description=Legacy Source
> path=/usr/local/pf/conf/admin.conf
> type=Htpasswd
> realms=null
>
> [file1 rule admins]
> description=All admins
> class=administration
> match=all
> action0=set_access_level=ALL
>
> [null]
> description=Null Source
> type=Null
> email_required=no
>
> [null rule catchall]
> description=catchall
> class=authentication
> match=all
> action0=set_role=guest
> action1=set_access_duration=1D
>
> [CWE]
> cache_match=0
> read_timeout=10
> realms=ad.cwe.local
> password=SecretPass
> searchattributes=
> scope=sub
> binddn=CN=cwe1,OU=Manual,OU=TechUsers,DC=ad,DC=cwe,DC=local
> port=389
> description=ad.cwe.local
> write_timeout=5
> type=AD
> basedn=OU=Laptop,OU=Workplaces,DC=ad,DC=cwe,DC=local
> monitor=1
> set_access_level_action=
> shuffle=1
> usernameattribute=servicePrincipalName
> connection_timeout=1
> encryption=none
> host=ad.cwe.local
> email_attribute=mail
>
> [CWE rule catch_all_admin]
> action0=set_access_level=NONE
> match=all
> class=administration
>
> [CWE rule catch_all_auth]
> action0=set_role=default
> match=all
> class=authentication
> action1=set_access_duration=12h
>
> [CWE_ADMIN_LOGIN]
> cache_match=0
> read_timeout=10
> realms=ad.cwe.local
> password=SecretPass
> searchattributes=
> scope=sub
> binddn=CN=cwe1,OU=Users,DC=ad,DC=cwe,DC=local
> port=636
> description=ad.cwe.local
> write_timeout=5
> type=AD
> basedn=OU=Users,DC=ad,DC=cwe,DC=local
> monitor=1
> set_access_level_action=
> shuffle=0
> email_attribute=mail
> usernameattribute=sAMAccountName
> connection_timeout=1
> encryption=ssl
> host=ad.cwe.local
>
> [CWE_ADMIN_LOGIN rule catch_all_admin]
> action0=set_access_level=ALL
> match=all
> class=administration
>
> [CWE_ADMIN_LOGIN rule catch_all_auth]
> action0=set_role=default
> match=all
> class=authentication
> action1=set_access_duration=12h
>
>
> !-----------------------------------------------------------------!
> ! realm.conf !
> !-----------------------------------------------------------------!
> root@srv1:/usr/local/pf/conf# more realm.conf
> [1 DEFAULT]
> permit_custom_attributes=disabled
> radius_auth_proxy_type=keyed-balance
> radius_acct_proxy_type=load-balance
> radius_auth_compute_in_pf=enabled
> radius_auth=
> radius_acct=
>
> [1 LOCAL]
> permit_custom_attributes=disabled
> radius_auth_proxy_type=keyed-balance
> radius_acct_proxy_type=load-balance
> radius_auth_compute_in_pf=enabled
> radius_auth=
> radius_acct=
>
> [1 NULL]
> radius_strip_username=enabled
> permit_custom_attributes=disabled
> radius_auth_proxy_type=keyed-balance
> radius_acct_proxy_type=load-balance
> radius_auth_compute_in_pf=enabled
> radius_auth=
> radius_acct=
> domain=CWE
>
> [1 ad.cwe.local]
> permit_custom_attributes=disabled
> radius_auth_proxy_type=keyed-balance
> radius_acct_proxy_type=load-balance
> radius_auth_compute_in_pf=enabled
> radius_auth=
> admin_strip_username=enabled
> domain=CWE
> radius_strip_username=enabled
> portal_strip_username=enabled
> radius_acct=
> ldap_source=CWE
>
>
> On Tue, 19 Feb 2019 at 03:28, Durand fabrice via PacketFence-users
> <[email protected]> wrote:
>
>> Hello Carlos,
>>
>> my remark below.
>> On 2019-02-18 at 09:04, Carlos Wetli via PacketFence-users wrote:
>>
>> Hello Fabrice,
>>
>> Many thanks Fabrice for your reply on that matter, which is very
>> appreciated.
>>
>> Please find enclosed the extract as you suggested:
>>
>>
>> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO: [mac:80:ce:62:a1:2e:75] handling radius autz request: from switch_ip => (172.29.180.68), connection_type => Ethernet-EAP,switch_mac => (70:35:09:b9:d2:03), mac => [80:ce:62:a1:2e:75], port => 50103, username => "[email protected]" (pf::radius::authorize)
>> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO: [mac:80:ce:62:a1:2e:75] Instantiate profile AD_LOGIN (pf::Connection::ProfileFactory::_from_profile)
>> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO: [mac:80:ce:62:a1:2e:75] Found authentication source(s) : '' for realm 'null' (pf::config::util::filter_authentication_sources)
>>
>> realm is null, do you have a realm ad.cwe.local configured in
>> packetfence ?
>>
>> Also in your AD_LOGIN connection profile, is the source you defined
>> configured to match the null realm ? (or ad.cwe.local) (edit the
>> authentication source)
>>
>> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: [mac:80:ce:62:a1:2e:75] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match2)
>> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO: [mac:80:ce:62:a1:2e:75] Using sources for matching (pf::authentication::match2)
>> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value in string eq at /usr/local/pf/lib/pf/role.pm line 736. (pf::role::_check_bypass)
>> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO: [mac:80:ce:62:a1:2e:75] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
>> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 478. (pf::role::getRegisteredRole)
>> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO: [mac:80:ce:62:a1:2e:75] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
>> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO: [mac:80:ce:62:a1:2e:75] PID: "[email protected]", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
>> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 792. (pf::Switch::getVlanByName)
>> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 795. (pf::Switch::getVlanByName)
>> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: [mac:80:ce:62:a1:2e:75] No parameter Vlan found in conf/switches.conf for the switch 172.29.180.68 (pf::Switch::getVlanByName)
>> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value $roleName in hash element at /usr/local/pf/lib/pf/Switch.pm line 775. (pf::Switch::getRoleByName)
>> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value $roleName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 778. (pf::Switch::getRoleByName)
>> Feb 18 13:43:49 srv1 pfqueue: pfqueue(11366) INFO: [mac:unknown] undefined source id provided (pf::lookup::person::lookup_person)
>> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO: [mac:80:ce:62:a1:2e:75] Match rule 1:eap (pf::access_filter::radius::test)
>>
>> It matches a rule in the radius filter but there is no answer1.
>>
>> Can you share the radius filters ?
>>
>> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value $answer[1] in pattern match (m//) at /usr/local/pf/lib/pf/access_filter/radius.pm line 69. (pf::access_filter::radius::handleAnswerInRule)
>> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value $range in pattern match (m//) at /usr/local/pf/lib/pf/access_filter/radius.pm line 174. (pf::access_filter::radius::rangeValidator)
>> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value $item in pattern match (m//) at /usr/share/perl5/vendor_perl/Number/Range.pm line 43. (Number::Range::initialize)
>> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value $item in split at /usr/share/perl5/vendor_perl/Number/Range.pm line 44. (Number::Range::initialize)
>> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value $answer in substitution (s///) at /usr/local/pf/lib/pf/access_filter/radius.pm line 147. (pf::access_filter::radius::evalParam)
>> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value $answer in substitution (s///) at /usr/local/pf/lib/pf/access_filter/radius.pm line 148. (pf::access_filter::radius::evalParam)
>> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value $return in split at /usr/local/pf/lib/pf/access_filter/radius.pm line 128. (pf::access_filter::radius::evalAnswer)
>> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value in substitution (s///) at /usr/local/pf/lib/pf/access_filter/radius.pm line 129. (pf::access_filter::radius::evalAnswer)
>> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value in hash element at /usr/local/pf/lib/pf/access_filter/radius.pm line 133. (pf::access_filter::radius::evalAnswer)
>> Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458) INFO: [mac:80:ce:62:a1:2e:75] violation 1300003 force-closed for 80:ce:62:a1:2e:75 (pf::violation::violation_force_close)
>>
>> Regards
>>
>> Fabrice
>>
>>
>> Many thanks for your support and any possible hint.
>> Regards,
>> carlos
>>
>> On Sat, 16 Feb 2019 at 00:26, Durand fabrice via PacketFence-users
>> <[email protected]> wrote:
>>
>>> Hello Carlos,
>>>
>>> can you check in packetfence.log if you see the eap-tls authentication
>>> coming ?
>>>
>>> It's a line like that:
>>>
>>> packetfence_httpd.aaa: httpd.aaa(2265) INFO: [mac:00:11:22:33:44:55] handling radius autz request: from switch_ip => (10.0.0.1), connection_type => Wireless-802.11-NoEAP,switch_mac => (ff:24:8d:79:8c:24), mac => [00:11:22:33:44:55], port => 3, username => "001122334455, ssid => bob (pf::radius::authorize)
>>>
>>> And if it exists can you paste what you have after that?
>>>
>>> If there is no line like that then it means that the eap-tls
>>> authentication failed on the freeradius side.
>>>
>>> Regards
>>>
>>> Fabrice
>>>
>>>
>>> On 2019-02-15 at 10:50, Carlos Wetli via PacketFence-users wrote:
>>>
>>> Hello,
>>>
>>> I am trying to do machine authentication against AD (EAP-TLS) and I am
>>> not sure that the authentication is successful. How can I check that the
>>> authentication over AD is successful (logfiles/node audit)? If not
>>> successful, how can I check which authentication source is considered
>>> during authentication?
>>>
>>> What I can see for now is the following:
>>>
>>> (11) Fri Feb 15 16:19:50 2019: Debug: if (&User-Password && (&User-Password != "%{string:User-Password}")) {
>>> (11) Fri Feb 15 16:19:50 2019: Debug: if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE
>>> (11) Fri Feb 15 16:19:50 2019: Debug: } # policy filter_password = updated
>>> (11) Fri Feb 15 16:19:50 2019: Debug: [preprocess] = ok
>>> (11) Fri Feb 15 16:19:50 2019: Debug: suffix: Checking for suffix after "@"
>>> (11) Fri Feb 15 16:19:50 2019: Debug: suffix: No '@' in User-Name = "host/M-1.ad.cwe.local", skipping NULL due to config.
>>> (11) Fri Feb 15 16:19:50 2019: Debug: [suffix] = noop
>>> (11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Checking for prefix before "\"
>>> (11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: No '\' in User-Name = "host/M-1.ad.cwe.local", looking up realm NULL
>>> (11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Found realm "null"
>>> (11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Adding Stripped-User-Name = "host/M-1.ad.cwe.local"
>>> (11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Adding Realm = "null"
>>> (11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Authentication realm is LOCAL
>>> (11) Fri Feb 15 16:19:50 2019: Debug: [ntdomain] = ok
>>> (11) Fri Feb 15 16:19:50 2019: Debug: eap: Peer sent EAP Response (code 2) ID 9 length 6
>>> (11) Fri Feb 15 16:19:50 2019: Debug: eap: No EAP Start, assuming it's an on-going EAP conversation
>>> (11) Fri Feb 15 16:19:50 2019: Debug: [eap] = updated
>>> (11) Fri Feb 15 16:19:50 2019: Debug: if ( !EAP-Message ) {
>>> (11) Fri Feb 15 16:19:50 2019: Debug: if ( !EAP-Message ) -> FALSE
>>> (11) Fri Feb 15 16:19:50 2019: Debug: policy packetfence-eap-mac-policy {
>>> (11) Fri Feb 15 16:19:50 2019: Debug: if ( &EAP-Type ) {
>>> (11) Fri Feb 15 16:19:50 2019: Debug: if ( &EAP-Type ) -> TRUE
>>> (11) Fri Feb 15 16:19:50 2019: Debug: if ( &EAP-Type ) {
>>> (11) Fri Feb 15 16:19:50 2019: Debug: if (&User-Name && (&User-Name =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
>>> (11) Fri Feb 15 16:19:50 2019: Debug: if (&User-Name && (&User-Name =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> FALSE
>>> (11) Fri Feb 15 16:19:50 2019: Debug: } # if ( &EAP-Type ) = updated
>>> (11) Fri Feb 15 16:19:50 2019: Debug: [noop] = noop
>>> (11) Fri Feb 15 16:19:50 2019: Debug: } # policy packetfence-eap-mac-policy = updated
>>> (11) Fri Feb 15 16:19:50 2019: WARNING: pap: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>>> (11) Fri Feb 15 16:19:50 2019: WARNING: pap: !!! Ignoring control:User-Password. Update your !!!
>>> (11) Fri Feb 15 16:19:50 2019: WARNING: pap: !!! configuration so that the "known good" clear text !!!
>>> (11) Fri Feb 15 16:19:50 2019: WARNING: pap: !!! password is in Cleartext-Password and NOT in !!!
>>> (11) Fri Feb 15 16:19:50 2019: WARNING: pap: !!! User-Password. !!!
>>> (11) Fri Feb 15 16:19:50 2019: WARNING: pap: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>>> (11) Fri Feb 15 16:19:50 2019: Debug: [pap] = noop
>>> (11) Fri Feb 15 16:19:50 2019: Debug: } # authorize = updated
>>> (11) Fri Feb 15 16:19:50 2019: Debug: Found Auth-Type = eap
>>> (11) Fri Feb 15 16:19:50 2019: Debug: # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
>>> (11) Fri Feb 15 16:19:50 2019: Debug: authenticate {
>>> (11) Fri Feb 15 16:19:50 2019: Debug: eap: Expiring EAP session with state 0x4ef4a14549fdace8
>>> (11) Fri Feb 15 16:19:50 2019: Debug: eap: Finished EAP session with state 0x4ef4a14549fdace8
>>> (11) Fri Feb 15 16:19:50 2019: Debug: eap: Previous EAP request found for state 0x4ef4a14549fdace8, released from the list
>>> (11) Fri Feb 15 16:19:50 2019: Debug: eap: Peer sent packet with method EAP TLS (13)
>>> (11) Fri Feb 15 16:19:50 2019: Debug: eap: Calling submodule eap_tls to process data
>>> (11) Fri Feb 15 16:19:50 2019: Debug: eap_tls: Continuing EAP-TLS
>>> (11) Fri Feb 15 16:19:50 2019: Debug: eap_tls: Peer ACKed our handshake fragment. handshake is finished
>>> (11) Fri Feb 15 16:19:50 2019: Debug: eap_tls: [eaptls verify] = success
>>> (11) Fri Feb 15 16:19:50 2019: Debug: eap_tls: [eaptls process] = success
>>> (11) Fri Feb 15 16:19:50 2019: Debug: eap: Sending EAP Success (code 3) ID 9 length 4
>>> (11) Fri Feb 15
>>>
>>> I have followed the instruction already seen on the support page, which
>>> is to :
>>> - create a profile with a rule eap for the authentication
>>> - create an authentication source for the machine authentication
>>> - create a realm towards the AD
>>>
>>> When browsing the AD manually, I can see my host in the correct Base
>>> Search DN.
>>>
>>> Thank you for any short advice,
>>> Regards,
>>> Carlos
>>>
>>>
>>> _______________________________________________
>>> PacketFence-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
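The "Found authentication source(s) : '' for realm 'null'" line in the thread's logs is the point where PacketFence filters the connection profile's sources by the realm FreeRADIUS derived from the User-Name, and the FreeRADIUS debug output shows why that realm is "null": "host/M-1.ad.cwe.local" has no "@" suffix and no "DOMAIN\" prefix. The Python below is an added, simplified model of that step, not PacketFence or FreeRADIUS code; it derives the realm the way the suffix/ntdomain debug lines describe and keeps only sources whose realms= line names that realm. The config excerpt is constructed from the thread's authentication.conf and profiles.conf, and treating a source without a realms= line as bound to no realm is an assumption of this model.

```python
import configparser

# Added example, not PacketFence code. Constructed excerpt of the thread's
# authentication.conf and profiles.conf (only the keys this model reads).
AUTHENTICATION_CONF = """
[null]
type=Null
[CWE]
type=AD
host=ad.cwe.local
realms=ad.cwe.local
usernameattribute=servicePrincipalName
"""

PROFILES_CONF = """
[AD_LOGIN]
filter=connection_type:Ethernet-EAP
sources=CWE
"""


def _load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def realm_from_username(user_name):
    """Mimic the FreeRADIUS suffix/ntdomain debug lines: suffix takes the part
    after '@', ntdomain the part before '\\'; with neither the realm is 'null'."""
    if "@" in user_name:
        return user_name.rsplit("@", 1)[1].lower()
    if "\\" in user_name:
        return user_name.split("\\", 1)[0].lower()
    return "null"


def filter_sources(auth_conf, profiles_conf, profile, realm):
    """Keep the profile's sources whose realms= list names the realm.
    Model assumption: a source with no realms= line is bound to no realm."""
    auth, profiles = _load(auth_conf), _load(profiles_conf)
    wanted = profiles.get(profile, "sources", fallback="")
    matched = []
    for source in (s.strip() for s in wanted.split(",") if s.strip()):
        realms = auth.get(source, "realms", fallback="")
        bound = {r.strip().lower() for r in realms.split(",") if r.strip()}
        if realm in bound:
            matched.append(source)
    return matched


def sources_for_request(auth_conf, profiles_conf, profile, user_name):
    """Return (realm, sources), i.e. what the
    'Found authentication source(s) ... for realm ...' log line reports."""
    realm = realm_from_username(user_name)
    return realm, filter_sources(auth_conf, profiles_conf, profile, realm)


if __name__ == "__main__":
    # The machine identity from the FreeRADIUS debug has no '@', so the realm
    # is 'null' and CWE, bound only to ad.cwe.local, drops out.
    print(sources_for_request(AUTHENTICATION_CONF, PROFILES_CONF, "AD_LOGIN", "host/M-1.ad.cwe.local"))
    # Binding the source to the null realm as well makes it eligible again.
    fixed = AUTHENTICATION_CONF.replace("realms=ad.cwe.local", "realms=ad.cwe.local,null")
    print(sources_for_request(fixed, PROFILES_CONF, "AD_LOGIN", "host/M-1.ad.cwe.local"))
```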
