Hello everyone.
I am currently facing an issue with Non-EAP device authentication. When I plug
in the device (in my case, an IP phone), it gets rejected. In the Audit tab, I
see the reject, but there is no MAC address shown.
Here is the error message:
Module-Failure-Message = "rest: Server returned:"
Module-Failure-Message = "rest:
{\"control:PacketFence-Authorization-Status\":\"allow\",\"Reply-Message\":\"CLI
Access is not allowed by PacketFence on this switch\"}"
I'm using an Avaya 3524GT-PWR+ switch. Its behavior for Non-EAP devices is the
following (from the Security Documentation):
For RADIUS authentication of a Non-EAPOL host MAC address, the switch generates
a <username, password> pair as follows:
- The username is the Non-EAPOL MAC address in string format.
- The password is a string that combines the MAC address, switch IP address,
  unit and port.
I've read a post on the mailing list with a similar issue. When there is no
Calling-Station-Id attribute in the RADIUS request, PacketFence thinks the
access is a CLI access. So I went to the PF Switch configuration tab and
defined CLI access for this switch. I then created an Admin role with the
actions "Switch CLI - Read" and "Switch CLI - Write". On all my authentication
sources, I added an Administration rule which is set to the one I've created.
Even with this configuration, I still have the same error "CLI Access is not
allowed by PacketFence on this switch". Does it mean the module does not
support CLI?
How can I get a successful authentication with this kind of request?
Best Regards,
Adrian
PS: Below is the result of the authentication with raddebug.
(5632) Wed Apr 24 10:24:45 2019: Debug: Received Access-Request Id 15 from
192.168.X.Y:3490 to 192.168.X.X:1812 length 92
(5632) Wed Apr 24 10:24:45 2019: Debug: NAS-IP-Address = 192.168.X.Y
(5632) Wed Apr 24 10:24:45 2019: Debug: User-Password =
"192168100211.00085d521556.0013"
(5632) Wed Apr 24 10:24:45 2019: Debug: NAS-Port-Type = Ethernet
(5632) Wed Apr 24 10:24:45 2019: Debug: Service-Type = Login-User
(5632) Wed Apr 24 10:24:45 2019: Debug: NAS-Port = 13
(5632) Wed Apr 24 10:24:45 2019: Debug: User-Name = "00085d521556"
(5632) Wed Apr 24 10:24:45 2019: Debug: # Executing section authorize from file
/usr/local/pf/raddb/sites-enabled/packetfence
(5632) Wed Apr 24 10:24:45 2019: Debug: authorize {
(5632) Wed Apr 24 10:24:45 2019: Debug: update {
(5632) Wed Apr 24 10:24:45 2019: Debug: EXPAND %{Packet-Src-IP-Address}
(5632) Wed Apr 24 10:24:45 2019: Debug: --> 192.168.X.Y
(5632) Wed Apr 24 10:24:45 2019: Debug: EXPAND %l
(5632) Wed Apr 24 10:24:45 2019: Debug: --> 1556094285
(5632) Wed Apr 24 10:24:45 2019: Debug: EXPAND %{Calling-Station-ID}
%{User-Name}
(5632) Wed Apr 24 10:24:45 2019: Debug: --> 00085d521556
(5632) Wed Apr 24 10:24:45 2019: Debug: } # update = noop
(5632) Wed Apr 24 10:24:45 2019: Debug: policy packetfence-set-tenant-id {
(5632) Wed Apr 24 10:24:45 2019: Debug: if (!NAS-IP-Address || NAS-IP-Address
== "0.0.0.0"){
(5632) Wed Apr 24 10:24:45 2019: Debug: if (!NAS-IP-Address || NAS-IP-Address
== "0.0.0.0") -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug: if (
"%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(5632) Wed Apr 24 10:24:45 2019: Debug: EXPAND
%{%{control:PacketFence-Tenant-Id}:-0}
(5632) Wed Apr 24 10:24:45 2019: Debug: --> 0
(5632) Wed Apr 24 10:24:45 2019: Debug: if (
"%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> TRUE
(5632) Wed Apr 24 10:24:45 2019: Debug: if (
"%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(5632) Wed Apr 24 10:24:45 2019: Debug: update control {
(5632) Wed Apr 24 10:24:45 2019: Debug: EXPAND %{User-Name}
(5632) Wed Apr 24 10:24:45 2019: Debug: --> 00085d521556
(5632) Wed Apr 24 10:24:45 2019: Debug: SQL-User-Name set to '00085d521556'
(5632) Wed Apr 24 10:24:45 2019: Debug: Executing select query: SELECT
IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '192.168.X.Y'), 0)
(5632) Wed Apr 24 10:24:45 2019: Debug: EXPAND %{sql: SELECT IFNULL((SELECT
tenant_id FROM radius_nas WHERE nasname = '%{NAS-IP-Address}'), 0)}
(5632) Wed Apr 24 10:24:45 2019: Debug: --> 1
(5632) Wed Apr 24 10:24:45 2019: Debug: } # update control = noop
(5632) Wed Apr 24 10:24:45 2019: Debug: } # if (
"%{%{control:PacketFence-Tenant-Id}:-0}" == "0") = noop
(5632) Wed Apr 24 10:24:45 2019: Debug: if ( &control:PacketFence-Tenant-Id ==
0 ) {
(5632) Wed Apr 24 10:24:45 2019: Debug: if ( &control:PacketFence-Tenant-Id ==
0 ) -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug: } # policy packetfence-set-tenant-id =
noop
(5632) Wed Apr 24 10:24:45 2019: Debug: policy rewrite_calling_station_id {
(5632) Wed Apr 24 10:24:45 2019: Debug: if (&Calling-Station-Id &&
(&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(5632) Wed Apr 24 10:24:45 2019: Debug: if (&Calling-Station-Id &&
(&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug: else {
(5632) Wed Apr 24 10:24:45 2019: Debug: [noop] = noop
(5632) Wed Apr 24 10:24:45 2019: Debug: } # else = noop
(5632) Wed Apr 24 10:24:45 2019: Debug: } # policy rewrite_calling_station_id =
noop
(5632) Wed Apr 24 10:24:45 2019: Debug: policy rewrite_called_station_id {
(5632) Wed Apr 24 10:24:45 2019: Debug: if ((&Called-Station-Id) &&
(&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
{
(5632) Wed Apr 24 10:24:45 2019: Debug: if ((&Called-Station-Id) &&
(&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
-> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug: else {
(5632) Wed Apr 24 10:24:45 2019: Debug: [noop] = noop
(5632) Wed Apr 24 10:24:45 2019: Debug: } # else = noop
(5632) Wed Apr 24 10:24:45 2019: Debug: } # policy rewrite_called_station_id =
noop
(5632) Wed Apr 24 10:24:45 2019: Debug: policy filter_username {
(5632) Wed Apr 24 10:24:45 2019: Debug: if (&User-Name) {
(5632) Wed Apr 24 10:24:45 2019: Debug: if (&User-Name) -> TRUE
(5632) Wed Apr 24 10:24:45 2019: Debug: if (&User-Name) {
(5632) Wed Apr 24 10:24:45 2019: Debug: if (&User-Name =~ / /) {
(5632) Wed Apr 24 10:24:45 2019: Debug: if (&User-Name =~ / /) -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug: if (&User-Name =~ /@[^@]*@/ ) {
(5632) Wed Apr 24 10:24:45 2019: Debug: if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug: if (&User-Name =~ /\.\./ ) {
(5632) Wed Apr 24 10:24:45 2019: Debug: if (&User-Name =~ /\.\./ ) -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug: if ((&User-Name =~ /@/) && (&User-Name
!~ /@(.+)\.(.+)$/)) {
(5632) Wed Apr 24 10:24:45 2019: Debug: if ((&User-Name =~ /@/) && (&User-Name
!~ /@(.+)\.(.+)$/)) -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug: if (&User-Name =~ /\.$/) {
(5632) Wed Apr 24 10:24:45 2019: Debug: if (&User-Name =~ /\.$/) -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug: if (&User-Name =~ /@\./) {
(5632) Wed Apr 24 10:24:45 2019: Debug: if (&User-Name =~ /@\./) -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug: } # if (&User-Name) = noop
(5632) Wed Apr 24 10:24:45 2019: Debug: } # policy filter_username = noop
(5632) Wed Apr 24 10:24:45 2019: Debug: policy filter_password {
(5632) Wed Apr 24 10:24:45 2019: Debug: if (&User-Password && (&User-Password
!= "%{string:User-Password}")) {
(5632) Wed Apr 24 10:24:45 2019: Debug: EXPAND %{string:User-Password}
(5632) Wed Apr 24 10:24:45 2019: Debug: --> 192168100211.00085d521556.0013
(5632) Wed Apr 24 10:24:45 2019: Debug: if (&User-Password && (&User-Password
!= "%{string:User-Password}")) -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug: } # policy filter_password = noop
(5632) Wed Apr 24 10:24:45 2019: Debug: [preprocess] = ok
(5632) Wed Apr 24 10:24:45 2019: Debug: suffix: Checking for suffix after "@"
(5632) Wed Apr 24 10:24:45 2019: Debug: suffix: No '@' in User-Name =
"00085d521556", skipping NULL due to config.
(5632) Wed Apr 24 10:24:45 2019: Debug: [suffix] = noop
(5632) Wed Apr 24 10:24:45 2019: Debug: ntdomain: Checking for prefix before
"\"
(5632) Wed Apr 24 10:24:45 2019: Debug: ntdomain: No '\' in User-Name =
"00085d521556", looking up realm NULL
(5632) Wed Apr 24 10:24:45 2019: Debug: ntdomain: Found realm "null"
(5632) Wed Apr 24 10:24:45 2019: Debug: ntdomain: Adding Stripped-User-Name =
"00085d521556"
(5632) Wed Apr 24 10:24:45 2019: Debug: ntdomain: Adding Realm = "null"
(5632) Wed Apr 24 10:24:45 2019: Debug: ntdomain: Authentication realm is LOCAL
(5632) Wed Apr 24 10:24:45 2019: Debug: [ntdomain] = ok
(5632) Wed Apr 24 10:24:45 2019: Debug: eap: No EAP-Message, not doing EAP
(5632) Wed Apr 24 10:24:45 2019: Debug: [eap] = noop
(5632) Wed Apr 24 10:24:45 2019: Debug: if ( !EAP-Message ) {
(5632) Wed Apr 24 10:24:45 2019: Debug: if ( !EAP-Message ) -> TRUE
(5632) Wed Apr 24 10:24:45 2019: Debug: if ( !EAP-Message ) {
(5632) Wed Apr 24 10:24:45 2019: Debug: update {
(5632) Wed Apr 24 10:24:45 2019: Debug: } # update = noop
(5632) Wed Apr 24 10:24:45 2019: Debug: } # if ( !EAP-Message ) = noop
(5632) Wed Apr 24 10:24:45 2019: Debug: policy packetfence-eap-mac-policy {
(5632) Wed Apr 24 10:24:45 2019: Debug: if ( &EAP-Type ) {
(5632) Wed Apr 24 10:24:45 2019: Debug: if ( &EAP-Type ) -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug: [noop] = noop
(5632) Wed Apr 24 10:24:45 2019: Debug: } # policy packetfence-eap-mac-policy =
noop
(5632) Wed Apr 24 10:24:45 2019: WARNING: pap:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(5632) Wed Apr 24 10:24:45 2019: WARNING: pap: !!! Ignoring
control:User-Password. Update your !!!
(5632) Wed Apr 24 10:24:45 2019: WARNING: pap: !!! configuration so that the
"known good" clear text !!!
(5632) Wed Apr 24 10:24:45 2019: WARNING: pap: !!! password is in
Cleartext-Password and NOT in !!!
(5632) Wed Apr 24 10:24:45 2019: WARNING: pap: !!! User-Password. !!!
(5632) Wed Apr 24 10:24:45 2019: WARNING: pap:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(5632) Wed Apr 24 10:24:45 2019: WARNING: pap: Auth-Type already set. Not
setting to PAP
(5632) Wed Apr 24 10:24:45 2019: Debug: [pap] = noop
(5632) Wed Apr 24 10:24:45 2019: Debug: } # authorize = ok
(5632) Wed Apr 24 10:24:45 2019: Debug: Found Auth-Type = Accept
(5632) Wed Apr 24 10:24:45 2019: Debug: Auth-Type = Accept, accepting the user
(5632) Wed Apr 24 10:24:45 2019: Debug: # Executing section post-auth from file
/usr/local/pf/raddb/sites-enabled/packetfence
(5632) Wed Apr 24 10:24:45 2019: Debug: post-auth {
(5632) Wed Apr 24 10:24:45 2019: Debug: update {
(5632) Wed Apr 24 10:24:45 2019: Debug: EXPAND %{Packet-Src-IP-Address}
(5632) Wed Apr 24 10:24:45 2019: Debug: --> 192.168.X.Y
(5632) Wed Apr 24 10:24:45 2019: Debug: } # update = noop
(5632) Wed Apr 24 10:24:45 2019: Debug: policy packetfence-set-tenant-id {
(5632) Wed Apr 24 10:24:45 2019: Debug: if (!NAS-IP-Address || NAS-IP-Address
== "0.0.0.0"){
(5632) Wed Apr 24 10:24:45 2019: Debug: if (!NAS-IP-Address || NAS-IP-Address
== "0.0.0.0") -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug: if (
"%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(5632) Wed Apr 24 10:24:45 2019: Debug: EXPAND
%{%{control:PacketFence-Tenant-Id}:-0}
(5632) Wed Apr 24 10:24:45 2019: Debug: --> 1
(5632) Wed Apr 24 10:24:45 2019: Debug: if (
"%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug: if ( &control:PacketFence-Tenant-Id ==
0 ) {
(5632) Wed Apr 24 10:24:45 2019: Debug: if ( &control:PacketFence-Tenant-Id ==
0 ) -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug: } # policy packetfence-set-tenant-id =
noop
(5632) Wed Apr 24 10:24:45 2019: Debug: if
("%{%{control:PacketFence-Proxied-From}:-False}" == "True") {
(5632) Wed Apr 24 10:24:45 2019: Debug: EXPAND
%{%{control:PacketFence-Proxied-From}:-False}
(5632) Wed Apr 24 10:24:45 2019: Debug: --> False
(5632) Wed Apr 24 10:24:45 2019: Debug: if
("%{%{control:PacketFence-Proxied-From}:-False}" == "True") -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug: if (! EAP-Type || (EAP-Type != TTLS &&
EAP-Type != PEAP) ) {
(5632) Wed Apr 24 10:24:45 2019: Debug: if (! EAP-Type || (EAP-Type != TTLS &&
EAP-Type != PEAP) ) -> TRUE
(5632) Wed Apr 24 10:24:45 2019: Debug: if (! EAP-Type || (EAP-Type != TTLS &&
EAP-Type != PEAP) ) {
(5632) Wed Apr 24 10:24:45 2019: Debug: rest: Expanding URI components
(5632) Wed Apr 24 10:24:45 2019: Debug: rest: EXPAND http://127.0.0.1:7070
(5632) Wed Apr 24 10:24:45 2019: Debug: rest: --> http://127.0.0.1:7070
(5632) Wed Apr 24 10:24:45 2019: Debug: rest: EXPAND //radius/rest/authorize
(5632) Wed Apr 24 10:24:45 2019: Debug: rest: --> //radius/rest/authorize
(5632) Wed Apr 24 10:24:45 2019: Debug: rest: Sending HTTP POST to
"http://127.0.0.1:7070//radius/rest/authorize"
(5632) Wed Apr 24 10:24:45 2019: Debug: rest: Encoding attribute "User-Name"
(5632) Wed Apr 24 10:24:45 2019: Debug: rest: Encoding attribute
"User-Password"
(5632) Wed Apr 24 10:24:45 2019: Debug: rest: Encoding attribute
"NAS-IP-Address"
(5632) Wed Apr 24 10:24:45 2019: Debug: rest: Encoding attribute "NAS-Port"
(5632) Wed Apr 24 10:24:45 2019: Debug: rest: Encoding attribute "Service-Type"
(5632) Wed Apr 24 10:24:45 2019: Debug: rest: Encoding attribute
"NAS-Port-Type"
(5632) Wed Apr 24 10:24:45 2019: Debug: rest: Encoding attribute
"Event-Timestamp"
(5632) Wed Apr 24 10:24:45 2019: Debug: rest: Encoding attribute
"Stripped-User-Name"
(5632) Wed Apr 24 10:24:45 2019: Debug: rest: Encoding attribute "Realm"
(5632) Wed Apr 24 10:24:45 2019: Debug: rest: Encoding attribute
"SQL-User-Name"
(5632) Wed Apr 24 10:24:45 2019: Debug: rest: Encoding attribute
"FreeRADIUS-Client-IP-Address"
(5632) Wed Apr 24 10:24:45 2019: Debug: rest: Processing response header
(5632) Wed Apr 24 10:24:45 2019: Debug: rest: Status : 401 (Unauthorized)
(5632) Wed Apr 24 10:24:45 2019: Debug: rest: Type : json (application/json)
(5632) Wed Apr 24 10:24:45 2019: ERROR: rest: Server returned:
(5632) Wed Apr 24 10:24:45 2019: ERROR: rest:
{"control:PacketFence-Authorization-Status":"allow","Reply-Message":"CLI Access
is not allowed by PacketFence on this switch"}
(5632) Wed Apr 24 10:24:45 2019: Debug: [rest] = invalid
(5632) Wed Apr 24 10:24:45 2019: Debug: } # if (! EAP-Type || (EAP-Type != TTLS
&& EAP-Type != PEAP) ) = invalid
(5632) Wed Apr 24 10:24:45 2019: Debug: } # post-auth = invalid
(5632) Wed Apr 24 10:24:45 2019: Debug: Using Post-Auth-Type Reject
(5632) Wed Apr 24 10:24:45 2019: Debug: # Executing group from file
/usr/local/pf/raddb/sites-enabled/packetfence
(5632) Wed Apr 24 10:24:45 2019: Debug: Post-Auth-Type REJECT {
(5632) Wed Apr 24 10:24:45 2019: Debug: policy packetfence-set-tenant-id {
(5632) Wed Apr 24 10:24:45 2019: Debug: if (!NAS-IP-Address || NAS-IP-Address
== "0.0.0.0"){
(5632) Wed Apr 24 10:24:45 2019: Debug: if (!NAS-IP-Address || NAS-IP-Address
== "0.0.0.0") -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug: if (
"%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(5632) Wed Apr 24 10:24:45 2019: Debug: EXPAND
%{%{control:PacketFence-Tenant-Id}:-0}
(5632) Wed Apr 24 10:24:45 2019: Debug: --> 1
(5632) Wed Apr 24 10:24:45 2019: Debug: if (
"%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug: if ( &control:PacketFence-Tenant-Id ==
0 ) {
(5632) Wed Apr 24 10:24:45 2019: Debug: if ( &control:PacketFence-Tenant-Id ==
0 ) -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug: } # policy packetfence-set-tenant-id =
noop
(5632) Wed Apr 24 10:24:45 2019: Debug: update {
(5632) Wed Apr 24 10:24:45 2019: Debug: } # update = noop
(5632) Wed Apr 24 10:24:45 2019: Debug: if (! EAP-Type || (EAP-Type != TTLS &&
EAP-Type != PEAP) ) {
(5632) Wed Apr 24 10:24:45 2019: Debug: if (! EAP-Type || (EAP-Type != TTLS &&
EAP-Type != PEAP) ) -> TRUE
(5632) Wed Apr 24 10:24:45 2019: Debug: if (! EAP-Type || (EAP-Type != TTLS &&
EAP-Type != PEAP) ) {
(5632) Wed Apr 24 10:24:45 2019: Debug: policy packetfence-audit-log-reject {
(5632) Wed Apr 24 10:24:45 2019: Debug: if (&User-Name && (&User-Name ==
"dummy")) {
(5632) Wed Apr 24 10:24:45 2019: Debug: if (&User-Name && (&User-Name ==
"dummy")) -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug: else {
(5632) Wed Apr 24 10:24:45 2019: Debug: policy request-timing {
(5632) Wed Apr 24 10:24:45 2019: Debug: if (control:PacketFence-Request-Time !=
0) {
(5632) Wed Apr 24 10:24:45 2019: Debug: if (control:PacketFence-Request-Time !=
0) -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug: } # policy request-timing = noop
(5632) Wed Apr 24 10:24:45 2019: Debug: sql_reject: EXPAND type.reject.query
(5632) Wed Apr 24 10:24:45 2019: Debug: sql_reject: --> type.reject.query
(5632) Wed Apr 24 10:24:45 2019: Debug: sql_reject: Using query template
'query'
(5632) Wed Apr 24 10:24:45 2019: Debug: sql_reject: EXPAND %{User-Name}
(5632) Wed Apr 24 10:24:45 2019: Debug: sql_reject: --> 00085d521556
(5632) Wed Apr 24 10:24:45 2019: Debug: sql_reject: SQL-User-Name set to
'00085d521556'
(5632) Wed Apr 24 10:24:45 2019: Debug: sql_reject: EXPAND INSERT INTO
radius_audit_log ( mac, ip, computer_name, user_name, stripped_user_name,
realm, event_type, switch_id, switch_mac, switch_ip_address,
radius_source_ip_address, called_station_id, calling_station_id, nas_port_type,
ssid, nas_port_id, ifindex, nas_port, connection_type, nas_ip_address,
nas_identifier, auth_status, reason, auth_type, eap_type, role, node_status,
profile, source, auto_reg, is_phone, pf_domain, uuid, radius_request,
radius_reply, request_time, tenant_id) VALUES (
'%{request:Calling-Station-Id}', '%{request:Framed-IP-Address}',
'%{%{control:PacketFence-Computer-Name}:-N/A}', '%{request:User-Name}',
'%{request:Stripped-User-Name}', '%{request:Realm}', 'Radius-Access-Request',
'%{%{control:PacketFence-Switch-Id}:-N/A}',
'%{%{control:PacketFence-Switch-Mac}:-N/A}',
'%{%{control:PacketFence-Switch-Ip-Address}:-N/A}', '%{Packet-Src-IP-Address}',
'%{request:Called-Station-Id}', '%{request:Calling-Station-Id}',
'%{request:NAS-Port-Type}', '%{request:Called-Station-SSID}',
'%{request:NAS-Port-Id}', '%{%{control:PacketFence-IfIndex}:-N/A}',
'%{request:NAS-Port}', '%{%{control:PacketFence-Connection-Type}:-N/A}',
'%{request:NAS-IP-Address}', '%{request:NAS-Identifier}', 'Reject',
'%{request:Module-Failure-Message}', '%{control:Auth-Type}',
'%{request:EAP-Type}', '%{%{control:PacketFence-Role}:-N/A}',
'%{%{control:PacketFence-Status}:-N/A}',
'%{%{control:PacketFence-Profile}:-N/A}',
'%{%{control:PacketFence-Source}:-N/A}',
'%{%{control:PacketFence-AutoReg}:-0}', '%{%{control:PacketFence-IsPhone}:-0}',
'%{request:PacketFence-Domain}', '',
'%{pairs:&request:[*]}','%{pairs:&reply:[*]}',
'%{%{control:PacketFence-Request-Time}:-N/A}',
'%{control:PacketFence-Tenant-Id}')
(5632) Wed Apr 24 10:24:45 2019: Debug: sql_reject: --> INSERT INTO
radius_audit_log ( mac, ip, computer_name, user_name, stripped_user_name,
realm, event_type, switch_id, switch_mac, switch_ip_address,
radius_source_ip_address, called_station_id, calling_station_id, nas_port_type,
ssid, nas_port_id, ifindex, nas_port, connection_type, nas_ip_address,
nas_identifier, auth_status, reason, auth_type, eap_type, role, node_status,
profile, source, auto_reg, is_phone, pf_domain, uuid, radius_request,
radius_reply, request_time, tenant_id) VALUES ( '', '', 'N/A', '00085d521556',
'00085d521556', 'null', 'Radius-Access-Request', 'N/A', 'N/A', 'N/A',
'192.168.X.Y', '', '', 'Ethernet', '', '', 'N/A', '13', 'N/A', '192.168.X.Y',
'', 'Reject', 'rest: Server returned:', 'Accept', '', 'N/A', 'N/A', 'N/A',
'N/A', '0', '0', '', '', 'User-Name =3D =2200085d521556=22=2C User-Password =3D
=22=2A=2A=2A=2A=2A=2A=22=2C NAS-IP-Address =3D 192.168.X.Y=2C NAS-Port =3D
13=2C Service-Type =3D Login-User=2C NAS-Port-Type =3D Ethernet=2C
Event-Timestamp =3D =22avril 24 2019 10:24:45 CEST=22=2C Stripped-User-Name =3D
=2200085d521556=22=2C Realm =3D =22null=22=2C FreeRADIUS-Client-IP-Address =3D
192.168.X.Y=2C Module-Failure-Message =3D =22rest: Server returned:=22=2C
Module-Failure-Message =3D =22rest:
=7B=5C=22control:PacketFence-Authorization-Status=5C=22:=5C=22allow=5C=22=2C=5C=22Reply-Message=5C=22:=5C=22CLI
Access is not allowed by PacketFence on this switch=5C=22=7D=22=2C
SQL-User-Name =3D =2200085d521556=22','', '0', '1')
(5632) Wed Apr 24 10:24:45 2019: Debug: sql_reject: Executing query: INSERT
INTO radius_audit_log ( mac, ip, computer_name, user_name, stripped_user_name,
realm, event_type, switch_id, switch_mac, switch_ip_address,
radius_source_ip_address, called_station_id, calling_station_id, nas_port_type,
ssid, nas_port_id, ifindex, nas_port, connection_type, nas_ip_address,
nas_identifier, auth_status, reason, auth_type, eap_type, role, node_status,
profile, source, auto_reg, is_phone, pf_domain, uuid, radius_request,
radius_reply, request_time, tenant_id) VALUES ( '', '', 'N/A', '00085d521556',
'00085d521556', 'null', 'Radius-Access-Request', 'N/A', 'N/A', 'N/A',
'192.168.X.Y', '', '', 'Ethernet', '', '', 'N/A', '13', 'N/A', '192.168.X.Y',
'', 'Reject', 'rest: Server returned:', 'Accept', '', 'N/A', 'N/A', 'N/A',
'N/A', '0', '0', '', '', 'User-Name =3D =2200085d521556=22=2C User-Password =3D
=22=2A=2A=2A=2A=2A=2A=22=2C NAS-IP-Address =3D 192.168.X.Y=2C NAS-Port =3D
13=2C Service-Type =3D Login-User=2C NAS-Port-Type =3D Ethernet=2C
Event-Timestamp =3D =22avril 24 2019 10:24:45 CEST=22=2C Stripped-User-Name =3D
=2200085d521556=22=2C Realm =3D =22null=22=2C FreeRADIUS-Client-IP-Address =3D
192.168.X.Y=2C Module-Failure-Message =3D =22rest: Server returned:=22=2C
Module-Failure-Message =3D =22rest:
=7B=5C=22control:PacketFence-Authorization-Status=5C=22:=5C=22allow=5C=22=2C=5C=22Reply-Message=5C=22:=5C=22CLI
Access is not allowed by PacketFence on this switch=5C=22=7D=22=2C
SQL-User-Name =3D =2200085d521556=22','', '0', '1')
(5632) Wed Apr 24 10:24:45 2019: Debug: sql_reject: SQL query returned: success
(5632) Wed Apr 24 10:24:45 2019: Debug: sql_reject: 1 record(s) updated
(5632) Wed Apr 24 10:24:45 2019: Debug: [sql_reject] = ok
(5632) Wed Apr 24 10:24:45 2019: Debug: } # else = ok
(5632) Wed Apr 24 10:24:45 2019: Debug: } # policy packetfence-audit-log-reject
= ok
(5632) Wed Apr 24 10:24:45 2019: Debug: } # if (! EAP-Type || (EAP-Type != TTLS
&& EAP-Type != PEAP) ) = ok
(5632) Wed Apr 24 10:24:45 2019: Debug: if
("%{%{control:PacketFence-Proxied-From}:-False}" == "True") {
(5632) Wed Apr 24 10:24:45 2019: Debug: EXPAND
%{%{control:PacketFence-Proxied-From}:-False}
(5632) Wed Apr 24 10:24:45 2019: Debug: --> False
(5632) Wed Apr 24 10:24:45 2019: Debug: if
("%{%{control:PacketFence-Proxied-From}:-False}" == "True") -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug: attr_filter.access_reject: EXPAND
%{User-Name}
(5632) Wed Apr 24 10:24:45 2019: Debug: attr_filter.access_reject: -->
00085d521556
(5632) Wed Apr 24 10:24:45 2019: Debug: attr_filter.access_reject: Matched
entry DEFAULT at line 11
(5632) Wed Apr 24 10:24:45 2019: Debug: [attr_filter.access_reject] = updated
(5632) Wed Apr 24 10:24:45 2019: Debug: attr_filter.packetfence_post_auth:
EXPAND %{User-Name}
(5632) Wed Apr 24 10:24:45 2019: Debug: attr_filter.packetfence_post_auth: -->
00085d521556
(5632) Wed Apr 24 10:24:45 2019: Debug: attr_filter.packetfence_post_auth:
Matched entry DEFAULT at line 10
(5632) Wed Apr 24 10:24:45 2019: Debug: [attr_filter.packetfence_post_auth] =
updated
(5632) Wed Apr 24 10:24:45 2019: Debug: [eap] = noop
(5632) Wed Apr 24 10:24:45 2019: Debug: policy remove_reply_message_if_eap {
(5632) Wed Apr 24 10:24:45 2019: Debug: if (&reply:EAP-Message &&
&reply:Reply-Message) {
(5632) Wed Apr 24 10:24:45 2019: Debug: if (&reply:EAP-Message &&
&reply:Reply-Message) -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug: else {
(5632) Wed Apr 24 10:24:45 2019: Debug: [noop] = noop
(5632) Wed Apr 24 10:24:45 2019: Debug: } # else = noop
(5632) Wed Apr 24 10:24:45 2019: Debug: } # policy remove_reply_message_if_eap
= noop
(5632) Wed Apr 24 10:24:45 2019: Debug: linelog: EXPAND
messages.%{%{reply:Packet-Type}:-default}
(5632) Wed Apr 24 10:24:45 2019: Debug: linelog: --> messages.Access-Reject
(5632) Wed Apr 24 10:24:45 2019: Debug: linelog: EXPAND
[mac:%{Calling-Station-Id}] Rejected user: %{User-Name}
(5632) Wed Apr 24 10:24:45 2019: Debug: linelog: --> [mac:] Rejected user:
00085d521556
(5632) Wed Apr 24 10:24:45 2019: Debug: [linelog] = ok
(5632) Wed Apr 24 10:24:45 2019: Debug: } # Post-Auth-Type REJECT = updated
(5632) Wed Apr 24 10:24:45 2019: Debug: Delaying response for 1.000000 seconds
(5632) Wed Apr 24 10:24:46 2019: Debug: Sending delayed response
(5632) Wed Apr 24 10:24:46 2019: Debug: Sent Access-Reject Id 15 from
192.168.X.X:1812 to 192.168.X.Y:3490 length 20
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
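
An added diagnostic example (not part of the original post and not PacketFence code): it re-joins mail-wrapped raddebug output like the trace above, extracts the Access-Request attributes, and flags a MAC-shaped User-Name that arrives without Calling-Station-Id, the combination the post reports is read as CLI access. The log lines are constructed, and the password layout (zero-padded switch IP, MAC, unit/port digits, dot-separated) is an assumption inferred from the single sample in the post.

```python
import re

# Constructed raddebug excerpt in the post's format (documentation-range IPs,
# made-up MAC). Some entries are left wrapped the way the mail client wrapped them.
SAMPLE_LOG = """\
(1) Wed Apr 24 10:24:45 2019: Debug: Received Access-Request Id 15 from
192.0.2.10:3490 to 192.0.2.1:1812 length 92
(1) Wed Apr 24 10:24:45 2019: Debug: NAS-IP-Address = 192.0.2.10
(1) Wed Apr 24 10:24:45 2019: Debug: User-Password =
"192000002010.001122aabbcc.0013"
(1) Wed Apr 24 10:24:45 2019: Debug: Service-Type = Login-User
(1) Wed Apr 24 10:24:45 2019: Debug: NAS-Port = 13
(1) Wed Apr 24 10:24:45 2019: Debug: User-Name = "001122aabbcc"
(1) Wed Apr 24 10:24:45 2019: Debug: # Executing section authorize from file
/usr/local/pf/raddb/sites-enabled/packetfence
"""

ATTR = re.compile(r"Debug:\s+([A-Za-z][\w-]*) = (.*)$")
# Assumed layout, inferred from the one sample in the post:
# <switch IP, octets zero-padded to 3 digits>.<MAC>.<unit and port digits>
PASSWORD = re.compile(r"^(\d{12})\.([0-9a-f]{12})\.(\d+)$", re.I)


def unwrap(log):
    """Re-join lines that a mail client wrapped: real entries start with '(N) '."""
    lines = []
    for raw in log.splitlines():
        if re.match(r"\(\d+\) ", raw) or not lines:
            lines.append(raw.rstrip())
        else:
            lines[-1] += " " + raw.strip()
    return lines


def parse_request(log):
    """Return the attributes of the first Access-Request as a dict."""
    attrs, inside = {}, False
    for line in unwrap(log):
        if "Received Access-Request" in line:
            inside = True
        elif inside and "# Executing section" in line:
            break
        elif inside and (m := ATTR.search(line)):
            attrs[m.group(1)] = m.group(2).strip().strip('"')
    return attrs


def decode_password(password):
    """Split the generated Non-EAPOL password into its parts, or return None."""
    m = PASSWORD.match(password)
    if not m:
        return None
    digits = m.group(1)
    ip = ".".join(str(int(digits[i:i + 3])) for i in range(0, 12, 3))
    return {"switch_ip": ip, "mac": m.group(2).lower(), "unit_port": m.group(3)}


def diagnose(attrs):
    """Classify a request by the attributes that decide how it is handled."""
    if "EAP-Message" in attrs:
        return "eap"
    if "Calling-Station-Id" in attrs:
        return "mac-auth-with-calling-station-id"
    user = attrs.get("User-Name", "").lower()
    parts = decode_password(attrs.get("User-Password", ""))
    if re.fullmatch(r"[0-9a-f]{12}", user) and parts and parts["mac"] == user:
        # The endpoint MAC appears only in User-Name/User-Password; there is no
        # Calling-Station-Id, which the post reports is read as CLI access.
        return "non-eap-mac-without-calling-station-id"
    return "cli-login-candidate"


if __name__ == "__main__":
    request = parse_request(SAMPLE_LOG)
    print(diagnose(request), decode_password(request["User-Password"]))
```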