Hello Fabrice,
I did quite a lot of testing while changing some parameters, but the
authentication source is never found, even though the correct connection
profile is considered:
Feb 21 12:16:48 srv1 packetfence_httpd.aaa: httpd.aaa(14253) INFO:
[mac:80:ce:62:a1:2e:75] handling radius autz request: from switch_ip
=> (172.29.180.68), connection_type => Ethernet-EAP,switch_mac =>
(70:35:09:b9:d2:03), mac => [80:ce:62:a1:2e:75], port => 10103,
username => "[email protected]" (pf::radius::authorize)
Feb 21 12:16:48 srv1 packetfence_httpd.aaa: httpd.aaa(14253) INFO:
[mac:80:ce:62:a1:2e:75] Instantiate profile AD_LOGIN
(pf::Connection::ProfileFactory::_from_profile)
Feb 21 12:16:48 srv1 packetfence_httpd.aaa: httpd.aaa(14253) INFO:
[mac:80:ce:62:a1:2e:75] Found authentication source(s) : '' for realm
'null' (pf::config::util::filter_authentication_sources)
Feb 21 12:16:48 srv1 packetfence_httpd.aaa: httpd.aaa(14253) WARN:
[mac:80:ce:62:a1:2e:75] Calling match with empty/invalid rule class.
Defaulting to 'authentication' (pf::authentication::match2)
Feb 21 12:16:48 srv1 packetfence_httpd.aaa: httpd.aaa(14253) INFO:
[mac:80:ce:62:a1:2e:75] Using sources for matching
(pf::authentication::match2)
Feb 21 12:16:48 srv1 packetfence_httpd.aaa: httpd.aaa(14253) WARN:
[mac:80:ce:62:a1:2e:75] Use of uninitialized value in string eq at
/usr/local/pf/lib/pf/role.pm line 736.
(pf::role::_check_bypass)
Feb 21 12:16:48 srv1 packetfence_httpd.aaa: httpd.aaa(14253) INFO:
[mac:80:ce:62:a1:2e:75] Role has already been computed and we don't
want to recompute it. Getting role from node_info
(pf::role::getRegisteredRole)
Is there a way to increase the loglevel of packetfence or to add
additional logging in the source?
Thank you for any possible advice on that topic.
Regards,
Carlos
On Tue., 19 Feb. 2019 at 10:50, Carlos Wetli
<[email protected]> wrote:
Hello Fabrice,
I put all together and simplified everything in order to have a
single catch_all rule:
I did a check with ldapsearch to check if I have connectivity with
the AD and if the machine can be found. The test was successful.
The user authentication is done against the AD which is also
working fine.
Thanks again for your support in that matter,
Regards,
Carlos
!-----------------------------------------------------------------!
! profiles.conf !
!-----------------------------------------------------------------!
root@srv1:/usr/local/pf/conf# more profiles.conf
[AD_LOGIN]
locale=
device_registration=default
filter=connection_type:Ethernet-EAP
description=AD LOGIN
autoregister=enabled
preregistration=enabled
root_module=default_pending_policy
sources=CWE
#
# Copyright (C) 2005-2018 Inverse inc.
#
# See the enclosed file COPYING for license information (GPL).
# If you did not receive this file, see
# http://www.fsf.org/licensing/licenses/gpl.html
!-----------------------------------------------------------------!
! authentication.conf !
!-----------------------------------------------------------------!
root@srv1:/usr/local/pf/conf# more authentication.conf
[local]
description=Local Users
type=SQL
[file1]
description=Legacy Source
path=/usr/local/pf/conf/admin.conf
type=Htpasswd
realms=null
[file1 rule admins]
description=All admins
class=administration
match=all
action0=set_access_level=ALL
[null]
description=Null Source
type=Null
email_required=no
[null rule catchall]
description=catchall
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D
[CWE]
cache_match=0
read_timeout=10
realms=ad.cwe.local
password=SecretPass
searchattributes=
scope=sub
binddn=CN=cwe1,OU=Manual,OU=TechUsers,DC=ad,DC=cwe,DC=local
port=389
description=ad.cwe.local
write_timeout=5
type=AD
basedn=OU=Laptop,OU=Workplaces,DC=ad,DC=cwe,DC=local
monitor=1
set_access_level_action=
shuffle=1
usernameattribute=servicePrincipalName
connection_timeout=1
encryption=none
host=ad.cwe.local
email_attribute=mail
[CWE rule catch_all_admin]
action0=set_access_level=NONE
match=all
class=administration
[CWE rule catch_all_auth]
action0=set_role=default
match=all
class=authentication
action1=set_access_duration=12h
[CWE_ADMIN_LOGIN]
cache_match=0
read_timeout=10
realms=ad.cwe.local
password=SecretPass
searchattributes=
scope=sub
binddn=CN=cwe1,OU=Users,DC=ad,DC=cwe,DC=local
port=636
description=ad.cwe.local
write_timeout=5
type=AD
basedn=OU=Users,DC=ad,DC=cwe,DC=local
monitor=1
set_access_level_action=
shuffle=0
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=1
encryption=ssl
host=ad.cwe.local
[CWE_ADMIN_LOGIN rule catch_all_admin]
action0=set_access_level=ALL
match=all
class=administration
[CWE_ADMIN_LOGIN rule catch_all_auth]
action0=set_role=default
match=all
class=authentication
action1=set_access_duration=12h
!-----------------------------------------------------------------!
! realm.conf !
!-----------------------------------------------------------------!
root@srv1:/usr/local/pf/conf# more realm.conf
[1 DEFAULT]
permit_custom_attributes=disabled
radius_auth_proxy_type=keyed-balance
radius_acct_proxy_type=load-balance
radius_auth_compute_in_pf=enabled
radius_auth=
radius_acct=
[1 LOCAL]
permit_custom_attributes=disabled
radius_auth_proxy_type=keyed-balance
radius_acct_proxy_type=load-balance
radius_auth_compute_in_pf=enabled
radius_auth=
radius_acct=
[1 NULL]
radius_strip_username=enabled
permit_custom_attributes=disabled
radius_auth_proxy_type=keyed-balance
radius_acct_proxy_type=load-balance
radius_auth_compute_in_pf=enabled
radius_auth=
radius_acct=
domain=CWE
[1 ad.cwe.local]
permit_custom_attributes=disabled
radius_auth_proxy_type=keyed-balance
radius_acct_proxy_type=load-balance
radius_auth_compute_in_pf=enabled
radius_auth=
admin_strip_username=enabled
domain=CWE
radius_strip_username=enabled
portal_strip_username=enabled
radius_acct=
ldap_source=CWE
On Tue., 19 Feb. 2019 at 03:28, Durand fabrice via
PacketFence-users <[email protected]> wrote:
Hello Carlos,
my remark below.
On 19-02-18 at 09:04, Carlos Wetli via PacketFence-users
wrote:
Hello Fabrice,
Many thanks Fabrice for your reply on that matter, which is
very appreciated.
Please find enclosed the extract as you suggested:
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458)
INFO: [mac:80:ce:62:a1:2e:75] handling radius autz request:
from switch_ip => (172.29.180.68), connection_type =>
Ethernet-EAP,switch_mac => (70:35:09:b9:d2:03), mac =>
[80:ce:62:a1:2e:75], port => 50103, username =>
"[email protected]"
(pf::radius::authorize)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458)
INFO: [mac:80:ce:62:a1:2e:75] Instantiate profile AD_LOGIN
(pf::Connection::ProfileFactory::_from_profile)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458)
INFO: [mac:80:ce:62:a1:2e:75] Found authentication source(s)
: '' for realm 'null'
(pf::config::util::filter_authentication_sources)
The realm is null; do you have a realm ad.cwe.local configured in
packetfence?
Also, in your AD_LOGIN connection profile, is the source you
defined configured to match the null realm? (or
ad.cwe.local) (edit the authentication source)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458)
WARN: [mac:80:ce:62:a1:2e:75] Calling match with
empty/invalid rule class. Defaulting to 'authentication'
(pf::authentication::match2)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458)
INFO: [mac:80:ce:62:a1:2e:75] Using sources for matching
(pf::authentication::match2)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458)
WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value in
string eq at /usr/local/pf/lib/pf/role.pm
line 736.
(pf::role::_check_bypass)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458)
INFO: [mac:80:ce:62:a1:2e:75] Role has already been computed
and we don't want to recompute it. Getting role from
node_info (pf::role::getRegisteredRole)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458)
WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value
$role in concatenation (.) or string at
/usr/local/pf/lib/pf/role.pm line 478.
(pf::role::getRegisteredRole)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458)
INFO: [mac:80:ce:62:a1:2e:75] Username was NOT defined or
unable to match a role - returning node based role ''
(pf::role::getRegisteredRole)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458)
INFO: [mac:80:ce:62:a1:2e:75] PID: "[email protected]",
Status: reg Returned VLAN:
(undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458)
WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value
$vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm
line 792.
(pf::Switch::getVlanByName)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458)
WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value
$vlanName in concatenation (.) or string at
/usr/local/pf/lib/pf/Switch.pm line 795.
(pf::Switch::getVlanByName)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458)
WARN: [mac:80:ce:62:a1:2e:75] No parameter Vlan found in
conf/switches.conf for the switch 172.29.180.68
(pf::Switch::getVlanByName)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458)
WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value
$roleName in hash element at /usr/local/pf/lib/pf/Switch.pm
line 775.
(pf::Switch::getRoleByName)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458)
WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value
$roleName in concatenation (.) or string at
/usr/local/pf/lib/pf/Switch.pm line 778.
(pf::Switch::getRoleByName)
Feb 18 13:43:49 srv1 pfqueue: pfqueue(11366) INFO:
[mac:unknown] undefined source id provided
(pf::lookup::person::lookup_person)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458)
INFO: [mac:80:ce:62:a1:2e:75] Match rule 1:eap
(pf::access_filter::radius::test)
It matches a rule in the radius filter but there is no answer1.
Can you share the radius filters?
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458)
WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value
$answer[1] in pattern match (m//) at
/usr/local/pf/lib/pf/access_filter/radius.pm
line 69.
(pf::access_filter::radius::handleAnswerInRule)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458)
WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value
$range in pattern match (m//) at
/usr/local/pf/lib/pf/access_filter/radius.pm
line 174.
(pf::access_filter::radius::rangeValidator)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458)
WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value
$item in pattern match (m//) at
/usr/share/perl5/vendor_perl/Number/Range.pm line 43.
(Number::Range::initialize)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458)
WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value
$item in split at
/usr/share/perl5/vendor_perl/Number/Range.pm line 44.
(Number::Range::initialize)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458)
WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value
$answer in substitution (s///) at
/usr/local/pf/lib/pf/access_filter/radius.pm
line 147.
(pf::access_filter::radius::evalParam)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458)
WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value
$answer in substitution (s///) at
/usr/local/pf/lib/pf/access_filter/radius.pm
line 148.
(pf::access_filter::radius::evalParam)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458)
WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value
$return in split at
/usr/local/pf/lib/pf/access_filter/radius.pm
line 128.
(pf::access_filter::radius::evalAnswer)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458)
WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value in
substitution (s///) at
/usr/local/pf/lib/pf/access_filter/radius.pm
line 129.
(pf::access_filter::radius::evalAnswer)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458)
WARN: [mac:80:ce:62:a1:2e:75] Use of uninitialized value in
hash element at /usr/local/pf/lib/pf/access_filter/radius.pm
line 133.
(pf::access_filter::radius::evalAnswer)
Feb 18 13:43:49 srv1 packetfence_httpd.aaa: httpd.aaa(8458)
INFO: [mac:80:ce:62:a1:2e:75] violation 1300003 force-closed
for 80:ce:62:a1:2e:75 (pf::violation::violation_force_close)
Regards
Fabrice
Many thanks for your support and any possible hint.
Regards,
carlos
On Sat., 16 Feb. 2019 at 00:26, Durand fabrice via
PacketFence-users <[email protected]> wrote:
Hello Carlos,
can you check in packetfence.log if you see the eap-tls
authentication coming?
It's a line like that:
packetfence_httpd.aaa: httpd.aaa(2265) INFO:
[mac:00:11:22:33:44:55] handling radius autz request:
from switch_ip => (10.0.0.1), connection_type =>
Wireless-802.11-NoEAP,switch_mac => (ff:24:8d:79:8c:24), mac =>
[00:11:22:33:44:55], port => 3, username =>
"001122334455, ssid => bob (pf::radius::authorize)
And if it exists, can you paste what you have after that?
If there is no line like that, then it means that the
eap-tls authentication failed on the freeradius side.
Regards
Fabrice
On 19-02-15 at 10:50, Carlos Wetli via PacketFence-users
wrote:
Hello,
I am trying to do machine authentication against AD
(EAP-TLS) and I am not sure that the authentication is
successful. How can I check that the authentication over
AD is successful (logfiles/node audit)? If not
successful, how can I check which authentication source
is considered during authentication?
What I can see for now is the following:
(11) Fri Feb 15 16:19:50 2019: Debug: if
(&User-Password && (&User-Password !=
"%{string:User-Password}")) {
(11) Fri Feb 15 16:19:50 2019: Debug: if
(&User-Password && (&User-Password !=
"%{string:User-Password}")) -> FALSE
(11) Fri Feb 15 16:19:50 2019: Debug: } # policy
filter_password = updated
(11) Fri Feb 15 16:19:50 2019: Debug: [preprocess] = ok
(11) Fri Feb 15 16:19:50 2019: Debug: suffix: Checking
for suffix after "@"
(11) Fri Feb 15 16:19:50 2019: Debug: suffix: No '@' in
User-Name = "host/M-1.ad.cwe.local", skipping NULL due
to config.
(11) Fri Feb 15 16:19:50 2019: Debug: [suffix] = noop
(11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Checking
for prefix before "\"
(11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: No '\'
in User-Name = "host/M-1.ad.cwe.local", looking up realm
NULL
(11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Found
realm "null"
(11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Adding
Stripped-User-Name = "host/M-1.ad.cwe.local"
(11) Fri Feb 15 16:19:50 2019: Debug: ntdomain: Adding
Realm = "null"
(11) Fri Feb 15 16:19:50 2019: Debug: ntdomain:
Authentication realm is LOCAL
(11) Fri Feb 15 16:19:50 2019: Debug: [ntdomain] = ok
(11) Fri Feb 15 16:19:50 2019: Debug: eap: Peer sent EAP
Response (code 2) ID 9 length 6
(11) Fri Feb 15 16:19:50 2019: Debug: eap: No EAP Start,
assuming it's an on-going EAP conversation
(11) Fri Feb 15 16:19:50 2019: Debug: [eap] = updated
(11) Fri Feb 15 16:19:50 2019: Debug: if (
!EAP-Message ) {
(11) Fri Feb 15 16:19:50 2019: Debug: if (
!EAP-Message ) -> FALSE
(11) Fri Feb 15 16:19:50 2019: Debug: policy
packetfence-eap-mac-policy {
(11) Fri Feb 15 16:19:50 2019: Debug: if (
&EAP-Type ) {
(11) Fri Feb 15 16:19:50 2019: Debug: if (
&EAP-Type ) -> TRUE
(11) Fri Feb 15 16:19:50 2019: Debug: if (
&EAP-Type ) {
(11) Fri Feb 15 16:19:50 2019: Debug: if
(&User-Name && (&User-Name =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(11) Fri Feb 15 16:19:50 2019: Debug: if
(&User-Name && (&User-Name =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> FALSE
(11) Fri Feb 15 16:19:50 2019: Debug: } # if (
&EAP-Type ) = updated
(11) Fri Feb 15 16:19:50 2019: Debug: [noop] = noop
(11) Fri Feb 15 16:19:50 2019: Debug: } # policy
packetfence-eap-mac-policy = updated
(11) Fri Feb 15 16:19:50 2019: WARNING: pap:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(11) Fri Feb 15 16:19:50 2019: WARNING: pap: !!!
Ignoring control:User-Password. Update your !!!
(11) Fri Feb 15 16:19:50 2019: WARNING: pap: !!!
configuration so that the "known good" clear text !!!
(11) Fri Feb 15 16:19:50 2019: WARNING: pap: !!!
password is in Cleartext-Password and NOT in !!!
(11) Fri Feb 15 16:19:50 2019: WARNING: pap: !!!
User-Password. !!!
(11) Fri Feb 15 16:19:50 2019: WARNING: pap:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(11) Fri Feb 15 16:19:50 2019: Debug: [pap] = noop
(11) Fri Feb 15 16:19:50 2019: Debug: } # authorize =
updated
(11) Fri Feb 15 16:19:50 2019: Debug: Found Auth-Type = eap
(11) Fri Feb 15 16:19:50 2019: Debug: # Executing group
from file /usr/local/pf/raddb/sites-enabled/packetfence
(11) Fri Feb 15 16:19:50 2019: Debug: authenticate {
(11) Fri Feb 15 16:19:50 2019: Debug: eap: Expiring EAP
session with state 0x4ef4a14549fdace8
(11) Fri Feb 15 16:19:50 2019: Debug: eap: Finished EAP
session with state 0x4ef4a14549fdace8
(11) Fri Feb 15 16:19:50 2019: Debug: eap: Previous EAP
request found for state 0x4ef4a14549fdace8, released
from the list
(11) Fri Feb 15 16:19:50 2019: Debug: eap: Peer sent
packet with method EAP TLS (13)
(11) Fri Feb 15 16:19:50 2019: Debug: eap: Calling
submodule eap_tls to process data
(11) Fri Feb 15 16:19:50 2019: Debug: eap_tls:
Continuing EAP-TLS
(11) Fri Feb 15 16:19:50 2019: Debug: eap_tls: Peer
ACKed our handshake fragment. handshake is finished
(11) Fri Feb 15 16:19:50 2019: Debug: eap_tls: [eaptls
verify] = success
(11) Fri Feb 15 16:19:50 2019: Debug: eap_tls: [eaptls
process] = success
(11) Fri Feb 15 16:19:50 2019: Debug: eap: Sending EAP
Success (code 3) ID 9 length 4
(11) Fri Feb 15
I have followed the instruction already seen on the
support page, which is to :
- create a profile with a rule eap for the authentication
- create an authentication source for the machine
authentication
- create a realm towards the AD
When browsing the AD manually, I can see my host in the
correct Base Search DN.
Thank you for a short advice,
Regards,
Carlos
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
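As an added example (not code from the thread and not PacketFence's own code), a small Python checker that models the realm question Fabrice raises: it derives the realm from the User-Name the way the FreeRADIUS suffix/ntdomain modules did in Carlos's debug output, then keeps only the profile's sources whose realms list names that realm. The config text is a constructed, trimmed copy of the thread's authentication.conf and profiles.conf, and the filtering is a simplified model of the behaviour behind the "Found authentication source(s)" log line, not the real filter_authentication_sources.

```python
import configparser
from typing import List, Tuple

# Constructed, trimmed copy of the thread's authentication.conf and
# profiles.conf (credentials, bind DNs and rule sections left out).
AUTHENTICATION_CONF = """
[file1]
type=Htpasswd
realms=null
[CWE]
type=AD
host=ad.cwe.local
realms=ad.cwe.local
usernameattribute=servicePrincipalName
"""
PROFILES_CONF = """
[AD_LOGIN]
filter=connection_type:Ethernet-EAP
sources=CWE
"""

def load_ini(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def radius_realm(username: str) -> str:
    """Realm as the FreeRADIUS suffix/ntdomain modules derived it in the
    thread's debug output: text after '@', else before '\\', else 'null'."""
    if "@" in username:
        return username.rsplit("@", 1)[1].lower()
    if "\\" in username:
        return username.split("\\", 1)[0].lower()
    return "null"

def sources_for_realm(auth, profiles, profile: str, realm: str) -> List[str]:
    """Keep the profile's sources whose 'realms' list names the realm.
    Simplified model of the filter behind the log line
    "Found authentication source(s) : '' for realm 'null'"."""
    kept = []
    for source in [s.strip() for s in profiles[profile]["sources"].split(",")]:
        realms = [r.strip().lower() for r in auth[source].get("realms", "").split(",")]
        if realm in realms:
            kept.append(source)
    return kept

def diagnose(auth, profiles, username: str, profile: str) -> Tuple[str, List[str]]:
    """Return (realm, matching sources) for one RADIUS request."""
    realm = radius_realm(username)
    return realm, sources_for_realm(auth, profiles, profile, realm)

if __name__ == "__main__":
    auth, profiles = load_ini(AUTHENTICATION_CONF), load_ini(PROFILES_CONF)
    # Machine account from the FreeRADIUS debug: no '@', so realm 'null'
    print(diagnose(auth, profiles, "host/M-1.ad.cwe.local", "AD_LOGIN"))
    # Same request once 'null' is also listed in the CWE source's realms
    auth["CWE"]["realms"] = "ad.cwe.local,null"
    print(diagnose(auth, profiles, "host/M-1.ad.cwe.local", "AD_LOGIN"))
```

With the thread's configuration the first call returns no source for realm 'null', which is what the "Found authentication source(s) : ''" line reports; the second call shows what the check returns once the source also lists that realm.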