On Tue, May 7, 2019 07:45, Nicolas Quiniou-Briand wrote:
> Hello David,
>
> In order to test MAC Auth, you need to specify additional attributes.
>
> What you can do:
>
> 1. Create a mac-authentication.test file:
> ```
> User-Name = "00:11:22:33:44:55"
> User-Password = "00:11:22:33:44:55"
> NAS-IP-Address = 192.168.0.1
> NAS-Port = 0
> NAS-Port-Type = Ethernet
> Service-Type = Call-Check
> Called-Station-Id = "00:1a:1e:01:68:f8"
> Calling-Station-Id = "00:11:22:33:44:55"
> Called-Station-SSID = "FOO"
> ```
[...]

Yup, that worked. Thanks.

Doing some experimenting, if I only send Calling-Station-Id, that gives
back an approved auth and VLAN, but it does produce some warnings/errors
in pf/logs/packetfence.log:

        May  7 12:00:40 pf1 packetfence_httpd.aaa: httpd.aaa(6385) WARN: [mac:08:00:27:d2:51:90] Use of uninitialized value $nas_port in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 2569. (pf::Switch::NasPortToIfIndex)
        May  7 12:00:40 pf1 packetfence_httpd.aaa: httpd.aaa(6385) WARN: [mac:08:00:27:d2:51:90] Use of uninitialized value $port in concatenation (.) or string at /usr/local/pf/lib/pf/radius.pm line 181. (pf::radius::authorize)
        May  7 12:00:40 pf1 packetfence_httpd.aaa: httpd.aaa(6385) WARN: [mac:08:00:27:d2:51:90] Use of uninitialized value $user_name in concatenation (.) or string at /usr/local/pf/lib/pf/radius.pm line 181. (pf::radius::authorize)
        May  7 12:00:40 pf1 packetfence_httpd.aaa: httpd.aaa(6385) INFO: [mac:08:00:27:d2:51:90] handling radius autz request: from switch_ip => (10.0.0.22), connection_type => Ethernet-NoEAP,switch_mac => (Unknown), mac => [08:00:27:d2:51:90], port => , username => "" (pf::radius::authorize)
        May  7 12:00:40 pf1 packetfence_httpd.aaa: httpd.aaa(6385) INFO: [mac:08:00:27:d2:51:90] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
        May  7 12:00:40 pf1 packetfence_httpd.aaa: httpd.aaa(6385) INFO: [mac:08:00:27:d2:51:90] Connection type is Ethernet-NoEAP. Getting role from node_info (pf::role::getRegisteredRole)
        May  7 12:00:40 pf1 packetfence_httpd.aaa: httpd.aaa(6385) WARN: [mac:08:00:27:d2:51:90] Use of uninitialized value in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 474. (pf::role::getRegisteredRole)
        May  7 12:00:40 pf1 packetfence_httpd.aaa: httpd.aaa(6385) INFO: [mac:08:00:27:d2:51:90] Username was defined "" - returning role 'VLAN_100' (pf::role::getRegisteredRole)
        May  7 12:00:40 pf1 packetfence_httpd.aaa: httpd.aaa(6385) INFO: [mac:08:00:27:d2:51:90] PID: "default", Status: reg Returned VLAN: (undefined), Role: VLAN_100 (pf::role::fetchRoleForNode)
        May  7 12:00:40 pf1 packetfence_httpd.aaa: httpd.aaa(6385) WARN: [mac:08:00:27:d2:51:90] Use of uninitialized value $ifIndex in string ne at /usr/local/pf/lib/pf/locationlog.pm line 521. (pf::locationlog::_is_locationlog_accurate)
        May  7 12:00:40 pf1 packetfence_httpd.aaa: httpd.aaa(6385) WARN: [mac:08:00:27:d2:51:90] Use of uninitialized value $switch_port in concatenation (.) or string at /usr/local/pf/lib/pf/floatingdevice.pm line 289. (pf::floatingdevice::portHasFloatingDevice)
        May  7 12:00:40 pf1 packetfence_httpd.aaa: httpd.aaa(6385) ERROR: [mac:08:00:27:d2:51:90] Trying to save a NULL value in a non nullable field locationlog.port (pf::dal::validate_field)
        May  7 12:00:40 pf1 packetfence_httpd.aaa: httpd.aaa(6385) ERROR: [mac:08:00:27:d2:51:90] Skipping invalid value (NULL) in when inserting field locationlog.port (pf::dal::_insert_data)
        May  7 12:00:40 pf1 packetfence_httpd.aaa: httpd.aaa(6385) INFO: [mac:08:00:27:d2:51:90] (10.0.0.22) Added VLAN 100 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)


Adding User-Name and NAS-Port got rid of all the errors. Perhaps of some
interest to you.


For the "nagios" health monitoring account:

        $ echo "User-Name=nagios,User-Password=nagPass" | /usr/bin/radclient -x -s pf1.net auth rads3cr3t
        Sending Access-Request of id 99 to 10.0.0.171 port 1812
                User-Name = "nagios"
                User-Password = "nagPass"
        rad_recv: Access-Reject packet from host 10.30.0.71 port 1812, id=99, length=20

                   Total approved auths:  0
                     Total denied auths:  1
                       Total lost auths:  0

Should I just add it to "pf/conf/admin.conf" instead of "pf/raddb/users"?

        May  7 12:47:27 pf1 packetfence_httpd.aaa: httpd.aaa(6385) ERROR: [mac:07:33:85:24:ad:3d] unable to read password file '/usr/local/pf/conf/admin.conf' (pf::Authentication::Source::HtpasswdSource::authenticate)
        May  7 12:47:27 pf1 packetfence_httpd.aaa: httpd.aaa(6385) INFO: [mac:07:33:85:24:ad:3d] User nagios tried to login in 10.0.0.22 but authentication failed (pf::radius::switch_access)
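An added example, not from this thread and not PacketFence or FreeRADIUS code, that scripts the check done by hand above: it generates the attribute file Nicolas listed for a given client MAC, lints it for the attributes whose absence produced the uninitialized-value warnings in packetfence.log (User-Name, NAS-Port, Calling-Station-Id), and only then hands it to radclient with -f. The server name, shared secret and MAC values passed in are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build and lint a radclient attribute
# file for a PacketFence MAC-auth test before sending it.

# Print the full attribute set for one MAC-auth request.
# Arguments: client MAC, NAS IP, NAS port, Called-Station-Id, SSID.
build_mac_auth_request() {
    mac=$1; nas_ip=$2; nas_port=$3; called=$4; ssid=$5
    cat <<EOF
User-Name = "$mac"
User-Password = "$mac"
NAS-IP-Address = $nas_ip
NAS-Port = $nas_port
NAS-Port-Type = Ethernet
Service-Type = Call-Check
Called-Station-Id = "$called"
Calling-Station-Id = "$mac"
Called-Station-SSID = "$ssid"
EOF
}

# Attributes that, when missing, surfaced as uninitialized $user_name,
# $nas_port/$port and a NULL locationlog.port in packetfence.log.
REQUIRED_ATTRS="User-Name NAS-Port Calling-Station-Id"

# Return 0 if the file sets every required attribute; otherwise list the
# missing names on stderr and return 1.
check_required() {
    file=$1; missing=""
    for attr in $REQUIRED_ATTRS; do
        grep -Eq "^[[:space:]]*$attr[[:space:]]*=" "$file" || missing="$missing $attr"
    done
    if [ -n "$missing" ]; then
        echo "missing attributes:$missing" >&2
        return 1
    fi
    return 0
}

# Build, lint, then send (radclient -f reads attributes from a file).
# Usage: send_mac_auth_test MAC NAS_IP NAS_PORT CALLED SSID SERVER SECRET
send_mac_auth_test() {
    tmp=$(mktemp) || return 1
    build_mac_auth_request "$1" "$2" "$3" "$4" "$5" > "$tmp"
    check_required "$tmp" || { rm -f "$tmp"; return 1; }
    /usr/bin/radclient -x -s -f "$tmp" "$6" auth "$7"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Example call: send_mac_auth_test 00:11:22:33:44:55 192.168.0.1 0 00:1a:1e:01:68:f8 FOO pf1.net rads3cr3t (all placeholder values).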

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users