Hello Adrian,

You need to create the Calling-Station-Id attribute because it is missing from the request.

To do that add the following in the raddb/policy.d/packetfence file:

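# Build Calling-Station-Id from User-Name when the switch does not send it
fix_avaya {
    if (!&Calling-Station-Id) {
        # User-Name carries the MAC address; %{1}..%{6} are the six octets captured by the regex
        if (&User-Name && (&User-Name =~ /^${policy.mac-addr-regexp}$/i)) {
            update {
                &request:Calling-Station-Id := "%{tolower:%{1}%{2}%{3}%{4}%{5}%{6}}"
            }
        }
    }
}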

and in conf/radiusd/packetfence (Here https://github.com/inverse-inc/packetfence/blob/devel/conf/radiusd/packetfence.example#L15), add fix_avaya


Like this:

....

#  need to setup hints for the remote radius server
authorize {
    fix_avaya
    # Add in PacketFence specific configuration
    update {

....


Let me know if it works.

Regards

Fabrice



On 19-04-24 at 05:56, Adrian Dessaigne via PacketFence-users wrote:
Hello everyone.

I am currently facing an issue with Non EAP device authentication. When I plug in the device (in my case, an IP phone), it gets rejected. In the Audit tab, I see the reject but there is no MAC address shown.
Here is the error message:

Module-Failure-Message = "rest: Server returned:"
Module-Failure-Message = "rest: {\"control:PacketFence-Authorization-Status\":\"allow\",\"Reply-Message\":\"CLI Access is not allowed by PacketFence on this switch\"}"

I'm using an Avaya 3524GT-PWR+ switch. Its behavior for Non-EAP devices is the following (from the Security Documentation):

For RADIUS authentication of a Non-EAPOL host MAC address, the switch generates a <username, password> pair as follows:
 - The username is the Non-EAPOL MAC address in string format.
 - The password is a string that combines the MAC address, switch IP address, unit and port.

I've read a post on the mailing list with a similar issue. When there is no Calling-Station-Id attribute in the RADIUS request, PacketFence thinks the access is a CLI access. So I went to the PF Switch configuration tab and defined CLI access for this switch. I then created an Admin role with the actions "Switch CLI - Read" and "Switch CLI - Write". On all my authentication sources, I added an Administration rule which is set to the one I've created. Even with this configuration, I still have the same error "CLI Access is not allowed by PacketFence on this switch". Does it mean the module does not support CLI?

How can I get a successful authentication with this kind of request?

Best Regards,

Adrian

PS: Below is the result of the authentication with raddebug.

(5632) Wed Apr 24 10:24:45 2019: Debug: Received Access-Request Id 15 from 192.168.X.Y:3490 to 192.168.X.X:1812 length 92
(5632) Wed Apr 24 10:24:45 2019: Debug:  NAS-IP-Address = 192.168.X.Y
(5632) Wed Apr 24 10:24:45 2019: Debug:   User-Password = "192168100211.00085d521556.0013"
(5632) Wed Apr 24 10:24:45 2019: Debug:   NAS-Port-Type = Ethernet
(5632) Wed Apr 24 10:24:45 2019: Debug:   Service-Type = Login-User
(5632) Wed Apr 24 10:24:45 2019: Debug:   NAS-Port = 13
(5632) Wed Apr 24 10:24:45 2019: Debug:   User-Name = "00085d521556"
(5632) Wed Apr 24 10:24:45 2019: Debug: # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence
(5632) Wed Apr 24 10:24:45 2019: Debug:   authorize {
(5632) Wed Apr 24 10:24:45 2019: Debug:     update {
(5632) Wed Apr 24 10:24:45 2019: Debug:       EXPAND %{Packet-Src-IP-Address}
(5632) Wed Apr 24 10:24:45 2019: Debug:          --> 192.168.X.Y
(5632) Wed Apr 24 10:24:45 2019: Debug:       EXPAND %l
(5632) Wed Apr 24 10:24:45 2019: Debug:          --> 1556094285
(5632) Wed Apr 24 10:24:45 2019: Debug:       EXPAND %{Calling-Station-ID} %{User-Name}
(5632) Wed Apr 24 10:24:45 2019: Debug: -->  00085d521556
(5632) Wed Apr 24 10:24:45 2019: Debug:     } # update = noop
(5632) Wed Apr 24 10:24:45 2019: Debug:     policy packetfence-set-tenant-id {
(5632) Wed Apr 24 10:24:45 2019: Debug:       if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){
(5632) Wed Apr 24 10:24:45 2019: Debug:       if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug:       if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(5632) Wed Apr 24 10:24:45 2019: Debug:       EXPAND %{%{control:PacketFence-Tenant-Id}:-0}
(5632) Wed Apr 24 10:24:45 2019: Debug:          --> 0
(5632) Wed Apr 24 10:24:45 2019: Debug:       if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0")  -> TRUE
(5632) Wed Apr 24 10:24:45 2019: Debug:       if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0")  {
(5632) Wed Apr 24 10:24:45 2019: Debug:         update control {
(5632) Wed Apr 24 10:24:45 2019: Debug:  EXPAND %{User-Name}
(5632) Wed Apr 24 10:24:45 2019: Debug: --> 00085d521556
(5632) Wed Apr 24 10:24:45 2019: Debug:  SQL-User-Name set to '00085d521556'
(5632) Wed Apr 24 10:24:45 2019: Debug:  Executing select query:  SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '192.168.X.Y'), 0)
(5632) Wed Apr 24 10:24:45 2019: Debug:  EXPAND %{sql: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '%{NAS-IP-Address}'), 0)}
(5632) Wed Apr 24 10:24:45 2019: Debug: --> 1
(5632) Wed Apr 24 10:24:45 2019: Debug:         } # update control = noop
(5632) Wed Apr 24 10:24:45 2019: Debug:       } # if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0")  = noop
(5632) Wed Apr 24 10:24:45 2019: Debug:       if ( &control:PacketFence-Tenant-Id == 0 ) {
(5632) Wed Apr 24 10:24:45 2019: Debug:       if ( &control:PacketFence-Tenant-Id == 0 )  -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug:     } # policy packetfence-set-tenant-id = noop
(5632) Wed Apr 24 10:24:45 2019: Debug:     policy rewrite_calling_station_id {
(5632) Wed Apr 24 10:24:45 2019: Debug:       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(5632) Wed Apr 24 10:24:45 2019: Debug:       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug:       else {
(5632) Wed Apr 24 10:24:45 2019: Debug:         [noop] = noop
(5632) Wed Apr 24 10:24:45 2019: Debug:       } # else = noop
(5632) Wed Apr 24 10:24:45 2019: Debug:     } # policy rewrite_calling_station_id = noop
(5632) Wed Apr 24 10:24:45 2019: Debug:     policy rewrite_called_station_id {
(5632) Wed Apr 24 10:24:45 2019: Debug:       if ((&Called-Station-Id) && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) {
(5632) Wed Apr 24 10:24:45 2019: Debug:       if ((&Called-Station-Id) && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug:       else {
(5632) Wed Apr 24 10:24:45 2019: Debug:         [noop] = noop
(5632) Wed Apr 24 10:24:45 2019: Debug:       } # else = noop
(5632) Wed Apr 24 10:24:45 2019: Debug:     } # policy rewrite_called_station_id = noop
(5632) Wed Apr 24 10:24:45 2019: Debug:     policy filter_username {
(5632) Wed Apr 24 10:24:45 2019: Debug:       if (&User-Name) {
(5632) Wed Apr 24 10:24:45 2019: Debug:       if (&User-Name)  -> TRUE
(5632) Wed Apr 24 10:24:45 2019: Debug:       if (&User-Name)  {
(5632) Wed Apr 24 10:24:45 2019: Debug:         if (&User-Name =~ / /) {
(5632) Wed Apr 24 10:24:45 2019: Debug:         if (&User-Name =~ / /)  -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug:         if (&User-Name =~ /@[^@]*@/ ) {
(5632) Wed Apr 24 10:24:45 2019: Debug:         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug:         if (&User-Name =~ /\.\./ ) {
(5632) Wed Apr 24 10:24:45 2019: Debug:         if (&User-Name =~ /\.\./ )  -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug:         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5632) Wed Apr 24 10:24:45 2019: Debug:         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug:         if (&User-Name =~ /\.$/)  {
(5632) Wed Apr 24 10:24:45 2019: Debug:         if (&User-Name =~ /\.$/)   -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug:         if (&User-Name =~ /@\./)  {
(5632) Wed Apr 24 10:24:45 2019: Debug:         if (&User-Name =~ /@\./)   -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug:       } # if (&User-Name)  = noop
(5632) Wed Apr 24 10:24:45 2019: Debug:     } # policy filter_username = noop
(5632) Wed Apr 24 10:24:45 2019: Debug:     policy filter_password {
(5632) Wed Apr 24 10:24:45 2019: Debug:       if (&User-Password &&        (&User-Password != "%{string:User-Password}")) {
(5632) Wed Apr 24 10:24:45 2019: Debug:       EXPAND %{string:User-Password}
(5632) Wed Apr 24 10:24:45 2019: Debug:          --> 192168100211.00085d521556.0013
(5632) Wed Apr 24 10:24:45 2019: Debug:       if (&User-Password &&        (&User-Password != "%{string:User-Password}"))  -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug:     } # policy filter_password = noop
(5632) Wed Apr 24 10:24:45 2019: Debug:  [preprocess] = ok
(5632) Wed Apr 24 10:24:45 2019: Debug: suffix: Checking for suffix after "@"
(5632) Wed Apr 24 10:24:45 2019: Debug: suffix: No '@' in User-Name = "00085d521556", skipping NULL due to config.
(5632) Wed Apr 24 10:24:45 2019: Debug:     [suffix] = noop
(5632) Wed Apr 24 10:24:45 2019: Debug: ntdomain: Checking for prefix before "\"
(5632) Wed Apr 24 10:24:45 2019: Debug: ntdomain: No '\' in User-Name = "00085d521556", looking up realm NULL
(5632) Wed Apr 24 10:24:45 2019: Debug: ntdomain: Found realm "null"
(5632) Wed Apr 24 10:24:45 2019: Debug: ntdomain: Adding Stripped-User-Name = "00085d521556"
(5632) Wed Apr 24 10:24:45 2019: Debug: ntdomain: Adding Realm = "null"
(5632) Wed Apr 24 10:24:45 2019: Debug: ntdomain: Authentication realm is LOCAL
(5632) Wed Apr 24 10:24:45 2019: Debug:     [ntdomain] = ok
(5632) Wed Apr 24 10:24:45 2019: Debug: eap: No EAP-Message, not doing EAP
(5632) Wed Apr 24 10:24:45 2019: Debug:     [eap] = noop
(5632) Wed Apr 24 10:24:45 2019: Debug:     if ( !EAP-Message ) {
(5632) Wed Apr 24 10:24:45 2019: Debug:     if ( !EAP-Message )  -> TRUE
(5632) Wed Apr 24 10:24:45 2019: Debug:     if ( !EAP-Message )  {
(5632) Wed Apr 24 10:24:45 2019: Debug:       update {
(5632) Wed Apr 24 10:24:45 2019: Debug:       } # update = noop
(5632) Wed Apr 24 10:24:45 2019: Debug:     } # if ( !EAP-Message )  = noop
(5632) Wed Apr 24 10:24:45 2019: Debug:     policy packetfence-eap-mac-policy {
(5632) Wed Apr 24 10:24:45 2019: Debug:       if ( &EAP-Type ) {
(5632) Wed Apr 24 10:24:45 2019: Debug:       if ( &EAP-Type )  -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug:       [noop] = noop
(5632) Wed Apr 24 10:24:45 2019: Debug:     } # policy packetfence-eap-mac-policy = noop
(5632) Wed Apr 24 10:24:45 2019: WARNING: pap: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(5632) Wed Apr 24 10:24:45 2019: WARNING: pap: !!! Ignoring control:User-Password.  Update your        !!!
(5632) Wed Apr 24 10:24:45 2019: WARNING: pap: !!! configuration so that the "known good" clear text   !!!
(5632) Wed Apr 24 10:24:45 2019: WARNING: pap: !!! password is in Cleartext-Password and NOT in        !!!
(5632) Wed Apr 24 10:24:45 2019: WARNING: pap: !!! User-Password.                                      !!!
(5632) Wed Apr 24 10:24:45 2019: WARNING: pap: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(5632) Wed Apr 24 10:24:45 2019: WARNING: pap: Auth-Type already set.  Not setting to PAP
(5632) Wed Apr 24 10:24:45 2019: Debug:     [pap] = noop
(5632) Wed Apr 24 10:24:45 2019: Debug:   } # authorize = ok
(5632) Wed Apr 24 10:24:45 2019: Debug: Found Auth-Type = Accept
(5632) Wed Apr 24 10:24:45 2019: Debug: Auth-Type = Accept, accepting the user
(5632) Wed Apr 24 10:24:45 2019: Debug: # Executing section post-auth from file /usr/local/pf/raddb/sites-enabled/packetfence
(5632) Wed Apr 24 10:24:45 2019: Debug:   post-auth {
(5632) Wed Apr 24 10:24:45 2019: Debug:     update {
(5632) Wed Apr 24 10:24:45 2019: Debug:       EXPAND %{Packet-Src-IP-Address}
(5632) Wed Apr 24 10:24:45 2019: Debug:          --> 192.168.X.Y
(5632) Wed Apr 24 10:24:45 2019: Debug:     } # update = noop
(5632) Wed Apr 24 10:24:45 2019: Debug:     policy packetfence-set-tenant-id {
(5632) Wed Apr 24 10:24:45 2019: Debug:       if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){
(5632) Wed Apr 24 10:24:45 2019: Debug:       if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug:       if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(5632) Wed Apr 24 10:24:45 2019: Debug:       EXPAND %{%{control:PacketFence-Tenant-Id}:-0}
(5632) Wed Apr 24 10:24:45 2019: Debug:          --> 1
(5632) Wed Apr 24 10:24:45 2019: Debug:       if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0")  -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug:       if ( &control:PacketFence-Tenant-Id == 0 ) {
(5632) Wed Apr 24 10:24:45 2019: Debug:       if ( &control:PacketFence-Tenant-Id == 0 )  -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug:     } # policy packetfence-set-tenant-id = noop
(5632) Wed Apr 24 10:24:45 2019: Debug:     if ("%{%{control:PacketFence-Proxied-From}:-False}" == "True") {
(5632) Wed Apr 24 10:24:45 2019: Debug:     EXPAND %{%{control:PacketFence-Proxied-From}:-False}
(5632) Wed Apr 24 10:24:45 2019: Debug:        --> False
(5632) Wed Apr 24 10:24:45 2019: Debug:     if ("%{%{control:PacketFence-Proxied-From}:-False}" == "True")  -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug:     if (! EAP-Type || (EAP-Type != TTLS  && EAP-Type != PEAP) ) {
(5632) Wed Apr 24 10:24:45 2019: Debug:     if (! EAP-Type || (EAP-Type != TTLS  && EAP-Type != PEAP) )  -> TRUE
(5632) Wed Apr 24 10:24:45 2019: Debug:     if (! EAP-Type || (EAP-Type != TTLS  && EAP-Type != PEAP) )  {
(5632) Wed Apr 24 10:24:45 2019: Debug: rest: Expanding URI components
(5632) Wed Apr 24 10:24:45 2019: Debug: rest: EXPAND http://127.0.0.1:7070
(5632) Wed Apr 24 10:24:45 2019: Debug: rest:    --> http://127.0.0.1:7070
(5632) Wed Apr 24 10:24:45 2019: Debug: rest: EXPAND //radius/rest/authorize
(5632) Wed Apr 24 10:24:45 2019: Debug: rest:    --> //radius/rest/authorize
(5632) Wed Apr 24 10:24:45 2019: Debug: rest: Sending HTTP POST to "http://127.0.0.1:7070//radius/rest/authorize"
(5632) Wed Apr 24 10:24:45 2019: Debug: rest: Encoding attribute "User-Name"
(5632) Wed Apr 24 10:24:45 2019: Debug: rest: Encoding attribute "User-Password"
(5632) Wed Apr 24 10:24:45 2019: Debug: rest: Encoding attribute "NAS-IP-Address"
(5632) Wed Apr 24 10:24:45 2019: Debug: rest: Encoding attribute "NAS-Port"
(5632) Wed Apr 24 10:24:45 2019: Debug: rest: Encoding attribute "Service-Type"
(5632) Wed Apr 24 10:24:45 2019: Debug: rest: Encoding attribute "NAS-Port-Type"
(5632) Wed Apr 24 10:24:45 2019: Debug: rest: Encoding attribute "Event-Timestamp"
(5632) Wed Apr 24 10:24:45 2019: Debug: rest: Encoding attribute "Stripped-User-Name"
(5632) Wed Apr 24 10:24:45 2019: Debug: rest: Encoding attribute "Realm"
(5632) Wed Apr 24 10:24:45 2019: Debug: rest: Encoding attribute "SQL-User-Name"
(5632) Wed Apr 24 10:24:45 2019: Debug: rest: Encoding attribute "FreeRADIUS-Client-IP-Address"
(5632) Wed Apr 24 10:24:45 2019: Debug: rest: Processing response header
(5632) Wed Apr 24 10:24:45 2019: Debug: rest:   Status : 401 (Unauthorized)
(5632) Wed Apr 24 10:24:45 2019: Debug: rest:   Type  : json (application/json)
(5632) Wed Apr 24 10:24:45 2019: ERROR: rest: Server returned:
(5632) Wed Apr 24 10:24:45 2019: ERROR: rest: {"control:PacketFence-Authorization-Status":"allow","Reply-Message":"CLI Access is not allowed by PacketFence on this switch"}
(5632) Wed Apr 24 10:24:45 2019: Debug:       [rest] = invalid
(5632) Wed Apr 24 10:24:45 2019: Debug:     } # if (! EAP-Type || (EAP-Type != TTLS  && EAP-Type != PEAP) )  = invalid
(5632) Wed Apr 24 10:24:45 2019: Debug:   } # post-auth = invalid
(5632) Wed Apr 24 10:24:45 2019: Debug: Using Post-Auth-Type Reject
(5632) Wed Apr 24 10:24:45 2019: Debug: # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
(5632) Wed Apr 24 10:24:45 2019: Debug:  Post-Auth-Type REJECT {
(5632) Wed Apr 24 10:24:45 2019: Debug:     policy packetfence-set-tenant-id {
(5632) Wed Apr 24 10:24:45 2019: Debug:       if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){
(5632) Wed Apr 24 10:24:45 2019: Debug:       if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug:       if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(5632) Wed Apr 24 10:24:45 2019: Debug:       EXPAND %{%{control:PacketFence-Tenant-Id}:-0}
(5632) Wed Apr 24 10:24:45 2019: Debug:          --> 1
(5632) Wed Apr 24 10:24:45 2019: Debug:       if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0")  -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug:       if ( &control:PacketFence-Tenant-Id == 0 ) {
(5632) Wed Apr 24 10:24:45 2019: Debug:       if ( &control:PacketFence-Tenant-Id == 0 )  -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug:     } # policy packetfence-set-tenant-id = noop
(5632) Wed Apr 24 10:24:45 2019: Debug:     update {
(5632) Wed Apr 24 10:24:45 2019: Debug:     } # update = noop
(5632) Wed Apr 24 10:24:45 2019: Debug:     if (! EAP-Type || (EAP-Type != TTLS  && EAP-Type != PEAP) ) {
(5632) Wed Apr 24 10:24:45 2019: Debug:     if (! EAP-Type || (EAP-Type != TTLS  && EAP-Type != PEAP) )  -> TRUE
(5632) Wed Apr 24 10:24:45 2019: Debug:     if (! EAP-Type || (EAP-Type != TTLS  && EAP-Type != PEAP) )  {
(5632) Wed Apr 24 10:24:45 2019: Debug:       policy packetfence-audit-log-reject {
(5632) Wed Apr 24 10:24:45 2019: Debug:         if (&User-Name && (&User-Name == "dummy")) {
(5632) Wed Apr 24 10:24:45 2019: Debug:         if (&User-Name && (&User-Name == "dummy")) -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug:         else {
(5632) Wed Apr 24 10:24:45 2019: Debug:  policy request-timing {
(5632) Wed Apr 24 10:24:45 2019: Debug:             if (control:PacketFence-Request-Time != 0) {
(5632) Wed Apr 24 10:24:45 2019: Debug:             if (control:PacketFence-Request-Time != 0)  -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug:           } # policy request-timing = noop
(5632) Wed Apr 24 10:24:45 2019: Debug: sql_reject: EXPAND type.reject.query
(5632) Wed Apr 24 10:24:45 2019: Debug: sql_reject: --> type.reject.query
(5632) Wed Apr 24 10:24:45 2019: Debug: sql_reject: Using query template 'query'
(5632) Wed Apr 24 10:24:45 2019: Debug: sql_reject: EXPAND %{User-Name}
(5632) Wed Apr 24 10:24:45 2019: Debug: sql_reject: --> 00085d521556
(5632) Wed Apr 24 10:24:45 2019: Debug: sql_reject: SQL-User-Name set to '00085d521556'
(5632) Wed Apr 24 10:24:45 2019: Debug: sql_reject: EXPAND INSERT INTO radius_audit_log               ( mac, ip, computer_name, user_name, stripped_user_name,  realm, event_type, switch_id, switch_mac, switch_ip_address, radius_source_ip_address, called_station_id, calling_station_id,                nas_port_type, ssid, nas_port_id,                ifindex, nas_port, connection_type,                nas_ip_address, nas_identifier, auth_status,                reason, auth_type, eap_type,                role, node_status, profile,                source, auto_reg, is_phone,         pf_domain, uuid, radius_request, radius_reply, request_time, tenant_id) VALUES               ( '%{request:Calling-Station-Id}', '%{request:Framed-IP-Address}', '%{%{control:PacketFence-Computer-Name}:-N/A}', '%{request:User-Name}', '%{request:Stripped-User-Name}', '%{request:Realm}', 'Radius-Access-Request', '%{%{control:PacketFence-Switch-Id}:-N/A}', '%{%{control:PacketFence-Switch-Mac}:-N/A}', '%{%{control:PacketFence-Switch-Ip-Address}:-N/A}',         '%{Packet-Src-IP-Address}', '%{request:Called-Station-Id}', '%{request:Calling-Station-Id}', '%{request:NAS-Port-Type}', '%{request:Called-Station-SSID}', '%{request:NAS-Port-Id}', '%{%{control:PacketFence-IfIndex}:-N/A}', '%{request:NAS-Port}', '%{%{control:PacketFence-Connection-Type}:-N/A}',       '%{request:NAS-IP-Address}', '%{request:NAS-Identifier}',  'Reject',  '%{request:Module-Failure-Message}', '%{control:Auth-Type}', '%{request:EAP-Type}',     '%{%{control:PacketFence-Role}:-N/A}', '%{%{control:PacketFence-Status}:-N/A}', '%{%{control:PacketFence-Profile}:-N/A}', '%{%{control:PacketFence-Source}:-N/A}', '%{%{control:PacketFence-AutoReg}:-0}', '%{%{control:PacketFence-IsPhone}:-0}', '%{request:PacketFence-Domain}', '', '%{pairs:&request:[*]}','%{pairs:&reply:[*]}', '%{%{control:PacketFence-Request-Time}:-N/A}', '%{control:PacketFence-Tenant-Id}')
(5632) Wed Apr 24 10:24:45 2019: Debug: sql_reject: --> INSERT INTO radius_audit_log               ( mac, ip, computer_name, user_name, stripped_user_name,  realm, event_type, switch_id, switch_mac, switch_ip_address, radius_source_ip_address, called_station_id, calling_station_id,                nas_port_type, ssid, nas_port_id,                ifindex, nas_port, connection_type,                nas_ip_address, nas_identifier, auth_status,                reason, auth_type, eap_type,                role, node_status, profile,                source, auto_reg, is_phone,         pf_domain, uuid, radius_request, radius_reply, request_time, tenant_id) VALUES               ( '', '', 'N/A', '00085d521556',           '00085d521556', 'null', 'Radius-Access-Request',                'N/A', 'N/A', 'N/A',                '192.168.X.Y', '', '',   'Ethernet', '', '',                'N/A', '13', 'N/A',               '192.168.X.Y', '',  'Reject',  'rest: Server returned:', 'Accept', '', 'N/A', 'N/A', 'N/A',                'N/A', '0', '0',           '', '', 'User-Name =3D =2200085d521556=22=2C User-Password =3D =22=2A=2A=2A=2A=2A=2A=22=2C NAS-IP-Address =3D 192.168.X.Y=2C NAS-Port =3D 13=2C Service-Type =3D Login-User=2C NAS-Port-Type =3D Ethernet=2C Event-Timestamp =3D =22avril 24 2019 10:24:45 CEST=22=2C Stripped-User-Name =3D =2200085d521556=22=2C Realm =3D =22null=22=2C FreeRADIUS-Client-IP-Address =3D 192.168.X.Y=2C Module-Failure-Message =3D =22rest: Server returned:=22=2C Module-Failure-Message =3D =22rest: =7B=5C=22control:PacketFence-Authorization-Status=5C=22:=5C=22allow=5C=22=2C=5C=22Reply-Message=5C=22:=5C=22CLI Access is not allowed by PacketFence on this switch=5C=22=7D=22=2C SQL-User-Name =3D =2200085d521556=22','', '0', '1')
(5632) Wed Apr 24 10:24:45 2019: Debug: sql_reject: Executing query: INSERT INTO radius_audit_log  ( mac, ip, computer_name, user_name, stripped_user_name,  realm, event_type, switch_id, switch_mac, switch_ip_address, radius_source_ip_address, called_station_id, calling_station_id,                nas_port_type, ssid, nas_port_id,                ifindex, nas_port, connection_type,                nas_ip_address, nas_identifier, auth_status,                reason, auth_type, eap_type,                role, node_status, profile,                source, auto_reg, is_phone,         pf_domain, uuid, radius_request, radius_reply, request_time, tenant_id) VALUES               ( '', '', 'N/A', '00085d521556',           '00085d521556', 'null', 'Radius-Access-Request',                'N/A', 'N/A', 'N/A',                '192.168.X.Y', '', '',   'Ethernet', '', '',                'N/A', '13', 'N/A',               '192.168.X.Y', '',  'Reject',  'rest: Server returned:', 'Accept', '', 'N/A', 'N/A', 'N/A',                'N/A', '0', '0',           '', '', 'User-Name =3D =2200085d521556=22=2C User-Password =3D =22=2A=2A=2A=2A=2A=2A=22=2C NAS-IP-Address =3D 192.168.X.Y=2C NAS-Port =3D 13=2C Service-Type =3D Login-User=2C NAS-Port-Type =3D Ethernet=2C Event-Timestamp =3D =22avril 24 2019 10:24:45 CEST=22=2C Stripped-User-Name =3D =2200085d521556=22=2C Realm =3D =22null=22=2C FreeRADIUS-Client-IP-Address =3D 192.168.X.Y=2C Module-Failure-Message =3D =22rest: Server returned:=22=2C Module-Failure-Message =3D =22rest: =7B=5C=22control:PacketFence-Authorization-Status=5C=22:=5C=22allow=5C=22=2C=5C=22Reply-Message=5C=22:=5C=22CLI Access is not allowed by PacketFence on this switch=5C=22=7D=22=2C SQL-User-Name =3D =2200085d521556=22','', '0', '1')
(5632) Wed Apr 24 10:24:45 2019: Debug: sql_reject: SQL query returned: success
(5632) Wed Apr 24 10:24:45 2019: Debug: sql_reject: 1 record(s) updated
(5632) Wed Apr 24 10:24:45 2019: Debug:  [sql_reject] = ok
(5632) Wed Apr 24 10:24:45 2019: Debug:         } # else = ok
(5632) Wed Apr 24 10:24:45 2019: Debug:       } # policy packetfence-audit-log-reject = ok
(5632) Wed Apr 24 10:24:45 2019: Debug:     } # if (! EAP-Type || (EAP-Type != TTLS  && EAP-Type != PEAP) )  = ok
(5632) Wed Apr 24 10:24:45 2019: Debug:     if ("%{%{control:PacketFence-Proxied-From}:-False}" == "True") {
(5632) Wed Apr 24 10:24:45 2019: Debug:     EXPAND %{%{control:PacketFence-Proxied-From}:-False}
(5632) Wed Apr 24 10:24:45 2019: Debug:        --> False
(5632) Wed Apr 24 10:24:45 2019: Debug:     if ("%{%{control:PacketFence-Proxied-From}:-False}" == "True")  -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug: attr_filter.access_reject: EXPAND %{User-Name}
(5632) Wed Apr 24 10:24:45 2019: Debug: attr_filter.access_reject:    --> 00085d521556
(5632) Wed Apr 24 10:24:45 2019: Debug: attr_filter.access_reject: Matched entry DEFAULT at line 11
(5632) Wed Apr 24 10:24:45 2019: Debug:  [attr_filter.access_reject] = updated
(5632) Wed Apr 24 10:24:45 2019: Debug: attr_filter.packetfence_post_auth: EXPAND %{User-Name}
(5632) Wed Apr 24 10:24:45 2019: Debug: attr_filter.packetfence_post_auth:    --> 00085d521556
(5632) Wed Apr 24 10:24:45 2019: Debug: attr_filter.packetfence_post_auth: Matched entry DEFAULT at line 10
(5632) Wed Apr 24 10:24:45 2019: Debug:  [attr_filter.packetfence_post_auth] = updated
(5632) Wed Apr 24 10:24:45 2019: Debug:     [eap] = noop
(5632) Wed Apr 24 10:24:45 2019: Debug:     policy remove_reply_message_if_eap {
(5632) Wed Apr 24 10:24:45 2019: Debug:       if (&reply:EAP-Message && &reply:Reply-Message) {
(5632) Wed Apr 24 10:24:45 2019: Debug:       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(5632) Wed Apr 24 10:24:45 2019: Debug:       else {
(5632) Wed Apr 24 10:24:45 2019: Debug:         [noop] = noop
(5632) Wed Apr 24 10:24:45 2019: Debug:       } # else = noop
(5632) Wed Apr 24 10:24:45 2019: Debug:     } # policy remove_reply_message_if_eap = noop
(5632) Wed Apr 24 10:24:45 2019: Debug: linelog: EXPAND messages.%{%{reply:Packet-Type}:-default}
(5632) Wed Apr 24 10:24:45 2019: Debug: linelog: --> messages.Access-Reject
(5632) Wed Apr 24 10:24:45 2019: Debug: linelog: EXPAND [mac:%{Calling-Station-Id}] Rejected user: %{User-Name}
(5632) Wed Apr 24 10:24:45 2019: Debug: linelog: --> [mac:] Rejected user: 00085d521556
(5632) Wed Apr 24 10:24:45 2019: Debug:     [linelog] = ok
(5632) Wed Apr 24 10:24:45 2019: Debug:   } # Post-Auth-Type REJECT = updated
(5632) Wed Apr 24 10:24:45 2019: Debug: Delaying response for 1.000000 seconds
(5632) Wed Apr 24 10:24:46 2019: Debug: Sending delayed response
(5632) Wed Apr 24 10:24:46 2019: Debug: Sent Access-Reject Id 15 from 192.168.X.X:1812 to 192.168.X.Y:3490 length 20




_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Fabrice Durand
[email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)
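
Added example (not part of the original thread, and not PacketFence or FreeRADIUS code): a Python triage script that reads raddebug output, finds Access-Requests that arrive without Calling-Station-Id, and reports the value the fix_avaya policy above would derive from User-Name. The MAC pattern is the one printed in the debug log for rewrite_calling_station_id and is assumed to be what ${policy.mac-addr-regexp} expands to; requests 5633 to 5635 in the sample are constructed.

```python
import re

# MAC pattern as printed in the thread's raddebug output for
# rewrite_calling_station_id; assumed to be what ${policy.mac-addr-regexp}
# expands to in the fix_avaya policy.
MAC_RE = re.compile(
    r"^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})"
    r"[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$",
    re.IGNORECASE,
)
LINE_RE = re.compile(r"^\((\d+)\) .*?: Debug:\s*(.*)$")
ATTR_RE = re.compile(r'^([A-Za-z0-9-]+) = "?(.*?)"?$')

# Request 5632 is abridged from the thread; 5633-5635 are constructed samples.
SAMPLE_LOG = """
(5632) Wed Apr 24 10:24:45 2019: Debug: Received Access-Request Id 15 from 192.168.X.Y:3490 to 192.168.X.X:1812 length 92
(5632) Wed Apr 24 10:24:45 2019: Debug:  NAS-IP-Address = 192.168.X.Y
(5632) Wed Apr 24 10:24:45 2019: Debug:   Service-Type = Login-User
(5632) Wed Apr 24 10:24:45 2019: Debug:   User-Name = "00085d521556"
(5632) Wed Apr 24 10:24:45 2019: Debug: # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence
(5633) Wed Apr 24 10:25:01 2019: Debug: Received Access-Request Id 16 from 192.168.X.Y:3490 to 192.168.X.X:1812 length 110
(5633) Wed Apr 24 10:25:01 2019: Debug:   User-Name = "001122aabbcc"
(5633) Wed Apr 24 10:25:01 2019: Debug:   Calling-Station-Id = "00-11-22-AA-BB-CC"
(5633) Wed Apr 24 10:25:01 2019: Debug: # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence
(5634) Wed Apr 24 10:25:09 2019: Debug: Received Access-Request Id 17 from 192.168.X.Y:3490 to 192.168.X.X:1812 length 80
(5634) Wed Apr 24 10:25:09 2019: Debug:   User-Name = "admin"
(5634) Wed Apr 24 10:25:09 2019: Debug: # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence
(5635) Wed Apr 24 10:25:15 2019: Debug: Received Access-Request Id 18 from 192.168.X.Y:3490 to 192.168.X.X:1812 length 96
(5635) Wed Apr 24 10:25:15 2019: Debug:   User-Name = "00:08:5D:52:15:56"
(5635) Wed Apr 24 10:25:15 2019: Debug: # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence
"""


def parse_requests(log_text):
    """Return {request_number: {attribute: value}} for each Access-Request."""
    requests, collecting = {}, set()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        req_id, body = m.group(1), m.group(2)
        if body.startswith("Received Access-Request"):
            requests[req_id] = {}
            collecting.add(req_id)
        elif req_id in collecting:
            attr = ATTR_RE.match(body)
            if attr:
                requests[req_id][attr.group(1)] = attr.group(2)
            else:
                collecting.discard(req_id)  # attribute list of this packet ended
    return requests


def derive_calling_station_id(attrs):
    """Mirror fix_avaya: act only if Calling-Station-Id is absent and User-Name is a MAC."""
    if "Calling-Station-Id" in attrs:
        return None
    m = MAC_RE.match(attrs.get("User-Name", ""))
    return "".join(m.groups()).lower() if m else None


def triage(log_text):
    """Classify each request as present / derivable / missing."""
    results = {}
    for req_id, attrs in parse_requests(log_text).items():
        if "Calling-Station-Id" in attrs:
            results[req_id] = ("present", attrs["Calling-Station-Id"])
            continue
        derived = derive_calling_station_id(attrs)
        results[req_id] = ("derivable", derived) if derived else ("missing", None)
    return results


if __name__ == "__main__":
    for req_id, (status, value) in triage(SAMPLE_LOG).items():
        print(req_id, status, value or "")
```

Requests reported as "missing" still reach PacketFence without a Calling-Station-Id after the policy is in place, which is the case the thread describes as being handled as CLI access.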
