Hi Fabrice, I wanted to follow up to see if you were able to determine if there is any issue here?

Thank you,
Benjamin Brenek
BAYADA Home Health Care | Senior Associate, Sys. Analyst (NES)
4300 Haddonfield Road | Pennsauken, NJ 08109
O: 856-380-3008 | Ext: 0527-13 | bayada.com

From: Brenek, Benjamin via PacketFence-users <[email protected]>
Sent: Tuesday, July 23, 2019 4:40 PM
To: [email protected]
Cc: Brenek, Benjamin <[email protected]>
Subject: Re: [PacketFence-users] PacketFence (9.0.1) EAP-TLS Authentication Source

Hi Fabrice,

Please see log output below:

(947) Tue Jul 23 16:33:39 2019: Debug: Received Access-Request Id 104 from 192.168.237.50:41017 to 192.168.237.11:1812 length 263
(947) Tue Jul 23 16:33:39 2019: Debug: User-Name = "host/d4:be:d9:84:b0:8a"
(947) Tue Jul 23 16:33:39 2019: Debug: Service-Type = Framed-User
(947) Tue Jul 23 16:33:39 2019: Debug: Cisco-AVPair = "service-type=Framed"
(947) Tue Jul 23 16:33:39 2019: Debug: Framed-MTU = 1500
(947) Tue Jul 23 16:33:39 2019: Debug: Called-Station-Id = "58-0A-20-DD-42-0F"
(947) Tue Jul 23 16:33:39 2019: Debug: Calling-Station-Id = "D4-BE-D9-84-B0-8A"
(947) Tue Jul 23 16:33:39 2019: Debug: EAP-Message = 0x0201001b01686f73742f64343a62653a64393a38343a62303a3861
(947) Tue Jul 23 16:33:39 2019: Debug: Message-Authenticator = 0xa1fe8ed271005b90db8615e720925b00
(947) Tue Jul 23 16:33:39 2019: Debug: Cisco-AVPair = "audit-session-id=C0A82376000010E55ACA4F6B"
(947) Tue Jul 23 16:33:39 2019: Debug: NAS-Port-Type = Ethernet
(947) Tue Jul 23 16:33:39 2019: Debug: NAS-Port = 50115
(947) Tue Jul 23 16:33:39 2019: Debug: NAS-Port-Id = "GigabitEthernet1/0/15"
(947) Tue Jul 23 16:33:39 2019: Debug: NAS-IP-Address = 192.168.222.50
(947) Tue Jul 23 16:33:39 2019: Debug: Proxy-State = 0x313231
(947) Tue Jul 23 16:33:39 2019: Debug: # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence
(947) Tue Jul 23 16:33:39 2019: Debug: authorize {
(947) Tue Jul 23 16:33:39 2019: Debug: update {
(947) Tue Jul 23 16:33:39 2019: Debug: EXPAND %{Packet-Src-IP-Address}
(947) Tue Jul 23 16:33:39 2019: Debug: --> 192.168.237.50
(947) Tue Jul 23 16:33:39 2019: Debug: EXPAND %l
(947) Tue Jul 23 16:33:39 2019: Debug: --> 1563914019
(947) Tue Jul 23 16:33:39 2019: Debug: } # update = noop
(947) Tue Jul 23 16:33:39 2019: Debug: policy packetfence-set-tenant-id {
(947) Tue Jul 23 16:33:39 2019: Debug: if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){
(947) Tue Jul 23 16:33:39 2019: Debug: if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE
(947) Tue Jul 23 16:33:39 2019: Debug: if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(947) Tue Jul 23 16:33:39 2019: Debug: EXPAND %{%{control:PacketFence-Tenant-Id}:-0}
(947) Tue Jul 23 16:33:39 2019: Debug: --> 0
(947) Tue Jul 23 16:33:39 2019: Debug: if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> TRUE
(947) Tue Jul 23 16:33:39 2019: Debug: if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(947) Tue Jul 23 16:33:39 2019: Debug: update control {
(947) Tue Jul 23 16:33:39 2019: Debug: EXPAND %{User-Name}
(947) Tue Jul 23 16:33:39 2019: Debug: --> host/d4:be:d9:84:b0:8a
(947) Tue Jul 23 16:33:39 2019: Debug: SQL-User-Name set to 'host/d4:be:d9:84:b0:8a'
(947) Tue Jul 23 16:33:39 2019: Debug: Executing select query: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '192.168.222.50'), 0)
(947) Tue Jul 23 16:33:39 2019: Debug: EXPAND %{sql: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '%{NAS-IP-Address}'), 0)}
(947) Tue Jul 23 16:33:39 2019: Debug: --> 1
(947) Tue Jul 23 16:33:39 2019: Debug: } # update control = noop
(947) Tue Jul 23 16:33:39 2019: Debug: } # if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") = noop
(947) Tue Jul 23 16:33:39 2019: Debug: if ( &control:PacketFence-Tenant-Id == 0 ) {
(947) Tue Jul 23 16:33:39 2019: Debug: if ( &control:PacketFence-Tenant-Id == 0 ) -> FALSE
(947) Tue Jul 23 16:33:39 2019: Debug: } # policy packetfence-set-tenant-id = noop
(947) Tue Jul 23 16:33:39 2019: Debug: policy rewrite_calling_station_id {
(947) Tue Jul 23 16:33:39 2019: Debug: if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(947) Tue Jul 23 16:33:39 2019: Debug: if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(947) Tue Jul 23 16:33:39 2019: Debug: if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(947) Tue Jul 23 16:33:39 2019: Debug: update request {
(947) Tue Jul 23 16:33:39 2019: Debug: EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(947) Tue Jul 23 16:33:39 2019: Debug: --> d4:be:d9:84:b0:8a
(947) Tue Jul 23 16:33:39 2019: Debug: } # update request = noop
(947) Tue Jul 23 16:33:39 2019: Debug: [updated] = updated
(947) Tue Jul 23 16:33:39 2019: Debug: } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(947) Tue Jul 23 16:33:39 2019: Debug: ... skipping else: Preceding "if" was taken
(947) Tue Jul 23 16:33:39 2019: Debug: } # policy rewrite_calling_station_id = updated
(947) Tue Jul 23 16:33:39 2019: Debug: policy rewrite_called_station_id {
(947) Tue Jul 23 16:33:39 2019: Debug: if ((&Called-Station-Id) && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) {
(947) Tue Jul 23 16:33:39 2019: Debug: if ((&Called-Station-Id) && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) -> TRUE
(947) Tue Jul 23 16:33:39 2019: Debug: if ((&Called-Station-Id) && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) {
(947) Tue Jul 23 16:33:39 2019: Debug: update request {
(947) Tue Jul 23 16:33:39 2019: Debug: EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(947) Tue Jul 23 16:33:39 2019: Debug: --> 58:0a:20:dd:42:0f
(947) Tue Jul 23 16:33:39 2019: Debug: } # update request = noop
(947) Tue Jul 23 16:33:39 2019: Debug: if ("%{8}") {
(947) Tue Jul 23 16:33:39 2019: Debug: EXPAND %{8}
(947) Tue Jul 23 16:33:39 2019: Debug: -->
(947) Tue Jul 23 16:33:39 2019: Debug: if ("%{8}") -> FALSE
(947) Tue Jul 23 16:33:39 2019: Debug: elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) {
(947) Tue Jul 23 16:33:39 2019: Debug: elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) -> FALSE
(947) Tue Jul 23 16:33:39 2019: Debug: elsif (Aruba-Essid-Name) {
(947) Tue Jul 23 16:33:39 2019: Debug: elsif (Aruba-Essid-Name) -> FALSE
(947) Tue Jul 23 16:33:39 2019: Debug: elsif ( (Cisco-AVPair) && "%{Cisco-AVPair}" =~ /^ssid=(.*)$/i) {
(947) Tue Jul 23 16:33:39 2019: Debug: EXPAND %{Cisco-AVPair}
(947) Tue Jul 23 16:33:39 2019: Debug: --> service-type=Framed
(947) Tue Jul 23 16:33:39 2019: Debug: elsif ( (Cisco-AVPair) && "%{Cisco-AVPair}" =~ /^ssid=(.*)$/i) -> FALSE
(947) Tue Jul 23 16:33:39 2019: Debug: [updated] = updated
(947) Tue Jul 23 16:33:39 2019: Debug: } # if ((&Called-Station-Id) && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) = updated
(947) Tue Jul 23 16:33:39 2019: Debug: ... skipping else: Preceding "if" was taken
(947) Tue Jul 23 16:33:39 2019: Debug: } # policy rewrite_called_station_id = updated
(947) Tue Jul 23 16:33:39 2019: Debug: policy filter_username {
(947) Tue Jul 23 16:33:39 2019: Debug: if (&User-Name) {
(947) Tue Jul 23 16:33:39 2019: Debug: if (&User-Name) -> TRUE
(947) Tue Jul 23 16:33:39 2019: Debug: if (&User-Name) {
(947) Tue Jul 23 16:33:39 2019: Debug: if (&User-Name =~ / /) {
(947) Tue Jul 23 16:33:39 2019: Debug: if (&User-Name =~ / /) -> FALSE
(947) Tue Jul 23 16:33:39 2019: Debug: if (&User-Name =~ /@[^@]*@/ ) {
(947) Tue Jul 23 16:33:39 2019: Debug: if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(947) Tue Jul 23 16:33:39 2019: Debug: if (&User-Name =~ /\.\./ ) {
(947) Tue Jul 23 16:33:39 2019: Debug: if (&User-Name =~ /\.\./ ) -> FALSE
(947) Tue Jul 23 16:33:39 2019: Debug: if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(947) Tue Jul 23 16:33:39 2019: Debug: if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(947) Tue Jul 23 16:33:39 2019: Debug: if (&User-Name =~ /\.$/) {
(947) Tue Jul 23 16:33:39 2019: Debug: if (&User-Name =~ /\.$/) -> FALSE
(947) Tue Jul 23 16:33:39 2019: Debug: if (&User-Name =~ /@\./) {
(947) Tue Jul 23 16:33:39 2019: Debug: if (&User-Name =~ /@\./) -> FALSE
(947) Tue Jul 23 16:33:39 2019: Debug: } # if (&User-Name) = updated
(947) Tue Jul 23 16:33:39 2019: Debug: } # policy filter_username = updated
(947) Tue Jul 23 16:33:39 2019: Debug: if ("%{User-Name}"=~ /^host\/.*.heroes.bayada.com$/) {
(947) Tue Jul 23 16:33:39 2019: Debug: EXPAND %{User-Name}
(947) Tue Jul 23 16:33:39 2019: Debug: --> host/d4:be:d9:84:b0:8a
(947) Tue Jul 23 16:33:39 2019: Debug: if ("%{User-Name}"=~ /^host\/.*.heroes.bayada.com$/) -> FALSE
(947) Tue Jul 23 16:33:39 2019: Debug: if (! "%{User-Name}"=~ /^[Bb][Aa][Dd][Gg][Ee]_[Rr][Ee][Aa][Dd][Ee][Rr].*$/ && ! "%{User-Name}"=~ /^[Bb][Aa][Yy][Gg][Uu}[Ee][Ss][Tt].*$/ && ! "%{User-Name}"=~ /.*[Hh][Ee][Rr][Oo][Ee][Ss].*$/ && ! "%{User-Name}"=~ /^[Ss]\d\d\d\d[Zz][Oo][Oo][Mm]$/ && ! "%{User-Name}"=~ /^zoomrooms$/ && ! "%{User-Name}"=~ /^bayguest$/ && ! "%{User-Name}"=~ /^[ABCDEFabcdef0123456789]{12}$|^([ABCDEFabcdef0123456789]{2}[:]){5}[ABCDEFabcdef0123456789]{2}$|^([ABCDEFabcdef0123456789]{2}[-]){5}[ABCDEFabcdef0123456789]{2}$|^([ABCDEFabcdef0123456789]{4}[.]){2}[ABCDEFabcdef0123456789]{4}$/) {
(947) Tue Jul 23 16:33:39 2019: Debug: EXPAND %{User-Name}
(947) Tue Jul 23 16:33:39 2019: Debug: --> host/d4:be:d9:84:b0:8a
(947) Tue Jul 23 16:33:39 2019: Debug: EXPAND %{User-Name}
(947) Tue Jul 23 16:33:39 2019: Debug: --> host/d4:be:d9:84:b0:8a
(947) Tue Jul 23 16:33:39 2019: Debug: EXPAND %{User-Name}
(947) Tue Jul 23 16:33:39 2019: Debug: --> host/d4:be:d9:84:b0:8a
(947) Tue Jul 23 16:33:39 2019: Debug: EXPAND %{User-Name}
(947) Tue Jul 23 16:33:39 2019: Debug: --> host/d4:be:d9:84:b0:8a
(947) Tue Jul 23 16:33:39 2019: Debug: EXPAND %{User-Name}
(947) Tue Jul 23 16:33:39 2019: Debug: --> host/d4:be:d9:84:b0:8a
(947) Tue Jul 23 16:33:39 2019: Debug: EXPAND %{User-Name}
(947) Tue Jul 23 16:33:39 2019: Debug: --> host/d4:be:d9:84:b0:8a
(947) Tue Jul 23 16:33:39 2019: Debug: EXPAND %{User-Name}
(947) Tue Jul 23 16:33:39 2019: Debug: --> host/d4:be:d9:84:b0:8a
(947) Tue Jul 23 16:33:39 2019: Debug: if (! "%{User-Name}"=~ /^[Bb][Aa][Dd][Gg][Ee]_[Rr][Ee][Aa][Dd][Ee][Rr].*$/ && ! "%{User-Name}"=~ /^[Bb][Aa][Yy][Gg][Uu}[Ee][Ss][Tt].*$/ && ! "%{User-Name}"=~ /.*[Hh][Ee][Rr][Oo][Ee][Ss].*$/ && ! "%{User-Name}"=~ /^[Ss]\d\d\d\d[Zz][Oo][Oo][Mm]$/ && ! "%{User-Name}"=~ /^zoomrooms$/ && ! "%{User-Name}"=~ /^bayguest$/ && ! "%{User-Name}"=~ /^[ABCDEFabcdef0123456789]{12}$|^([ABCDEFabcdef0123456789]{2}[:]){5}[ABCDEFabcdef0123456789]{2}$|^([ABCDEFabcdef0123456789]{2}[-]){5}[ABCDEFabcdef0123456789]{2}$|^([ABCDEFabcdef0123456789]{4}[.]){2}[ABCDEFabcdef0123456789]{4}$/) -> TRUE
(947) Tue Jul 23 16:33:39 2019: Debug: if (! "%{User-Name}"=~ /^[Bb][Aa][Dd][Gg][Ee]_[Rr][Ee][Aa][Dd][Ee][Rr].*$/ && ! "%{User-Name}"=~ /^[Bb][Aa][Yy][Gg][Uu}[Ee][Ss][Tt].*$/ && ! "%{User-Name}"=~ /.*[Hh][Ee][Rr][Oo][Ee][Ss].*$/ && ! "%{User-Name}"=~ /^[Ss]\d\d\d\d[Zz][Oo][Oo][Mm]$/ && ! "%{User-Name}"=~ /^zoomrooms$/ && ! "%{User-Name}"=~ /^bayguest$/ && ! "%{User-Name}"=~ /^[ABCDEFabcdef0123456789]{12}$|^([ABCDEFabcdef0123456789]{2}[:]){5}[ABCDEFabcdef0123456789]{2}$|^([ABCDEFabcdef0123456789]{2}[-]){5}[ABCDEFabcdef0123456789]{2}$|^([ABCDEFabcdef0123456789]{4}[.]){2}[ABCDEFabcdef0123456789]{4}$/) {
(947) Tue Jul 23 16:33:39 2019: Debug: update control {
(947) Tue Jul 23 16:33:39 2019: Debug: } # update control = noop
(947) Tue Jul 23 16:33:39 2019: Debug: } # if (! "%{User-Name}"=~ /^[Bb][Aa][Dd][Gg][Ee]_[Rr][Ee][Aa][Dd][Ee][Rr].*$/ && ! "%{User-Name}"=~ /^[Bb][Aa][Yy][Gg][Uu}[Ee][Ss][Tt].*$/ && ! "%{User-Name}"=~ /.*[Hh][Ee][Rr][Oo][Ee][Ss].*$/ && ! "%{User-Name}"=~ /^[Ss]\d\d\d\d[Zz][Oo][Oo][Mm]$/ && ! "%{User-Name}"=~ /^zoomrooms$/ && ! "%{User-Name}"=~ /^bayguest$/ && ! "%{User-Name}"=~ /^[ABCDEFabcdef0123456789]{12}$|^([ABCDEFabcdef0123456789]{2}[:]){5}[ABCDEFabcdef0123456789]{2}$|^([ABCDEFabcdef0123456789]{2}[-]){5}[ABCDEFabcdef0123456789]{2}$|^([ABCDEFabcdef0123456789]{4}[.]){2}[ABCDEFabcdef0123456789]{4}$/) = noop
(947) Tue Jul 23 16:33:39 2019: Debug: policy filter_password {
(947) Tue Jul 23 16:33:39 2019: Debug: if (&User-Password && (&User-Password != "%{string:User-Password}")) {
(947) Tue Jul 23 16:33:39 2019: Debug: if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE
(947) Tue Jul 23 16:33:39 2019: Debug: } # policy filter_password = updated
(947) Tue Jul 23 16:33:39 2019: Debug: [preprocess] = ok
(947) Tue Jul 23 16:33:39 2019: Debug: suffix: Checking for suffix after "@"
(947) Tue Jul 23 16:33:39 2019: Debug: suffix: No '@' in User-Name = "host/d4:be:d9:84:b0:8a", skipping NULL due to config.
(947) Tue Jul 23 16:33:39 2019: Debug: [suffix] = noop
(947) Tue Jul 23 16:33:39 2019: Debug: ntdomain: Checking for prefix before "\"
(947) Tue Jul 23 16:33:39 2019: Debug: ntdomain: No '\' in User-Name = "host/d4:be:d9:84:b0:8a", looking up realm NULL
(947) Tue Jul 23 16:33:39 2019: Debug: ntdomain: Found realm "null"
(947) Tue Jul 23 16:33:39 2019: Debug: ntdomain: Adding Stripped-User-Name = "host/d4:be:d9:84:b0:8a"
(947) Tue Jul 23 16:33:39 2019: Debug: ntdomain: Adding Realm = "null"
(947) Tue Jul 23 16:33:39 2019: Debug: ntdomain: Authentication realm is LOCAL
(947) Tue Jul 23 16:33:39 2019: Debug: [ntdomain] = ok
(947) Tue Jul 23 16:33:39 2019: Debug: eap: Request is supposed to be proxied to Realm HEROES. Not doing EAP.
(947) Tue Jul 23 16:33:39 2019: Debug: [eap] = noop
(947) Tue Jul 23 16:33:39 2019: Debug: [files] = noop
(947) Tue Jul 23 16:33:39 2019: Debug: if ( !EAP-Message ) {
(947) Tue Jul 23 16:33:39 2019: Debug: if ( !EAP-Message ) -> FALSE
(947) Tue Jul 23 16:33:39 2019: Debug: policy packetfence-eap-mac-policy {
(947) Tue Jul 23 16:33:39 2019: Debug: if ( &EAP-Type ) {
(947) Tue Jul 23 16:33:39 2019: Debug: if ( &EAP-Type ) -> TRUE
(947) Tue Jul 23 16:33:39 2019: Debug: if ( &EAP-Type ) {
(947) Tue Jul 23 16:33:39 2019: Debug: if (&User-Name && (&User-Name =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(947) Tue Jul 23 16:33:39 2019: Debug: if (&User-Name && (&User-Name =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> FALSE
(947) Tue Jul 23 16:33:39 2019: Debug: } # if ( &EAP-Type ) = updated
(947) Tue Jul 23 16:33:39 2019: Debug: [noop] = noop
(947) Tue Jul 23 16:33:39 2019: Debug: } # policy packetfence-eap-mac-policy = updated
(947) Tue Jul 23 16:33:39 2019: WARNING: pap: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(947) Tue Jul 23 16:33:39 2019: WARNING: pap: !!! Ignoring control:User-Password. Update your !!!
(947) Tue Jul 23 16:33:39 2019: WARNING: pap: !!! configuration so that the "known good" clear text !!!
(947) Tue Jul 23 16:33:39 2019: WARNING: pap: !!! password is in Cleartext-Password and NOT in !!!
(947) Tue Jul 23 16:33:39 2019: WARNING: pap: !!! User-Password. !!!
(947) Tue Jul 23 16:33:39 2019: WARNING: pap: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(947) Tue Jul 23 16:33:39 2019: Debug: [pap] = noop
(947) Tue Jul 23 16:33:39 2019: Debug: } # authorize = updated
(947) Tue Jul 23 16:33:39 2019: Debug: Starting proxy to home server 192.168.11.157 port 1812
(947) Tue Jul 23 16:33:39 2019: Debug: Sent Access-Request Id 228 from 0.0.0.0:59801 to 192.168.11.157:1812 length 274
(947) Tue Jul 23 16:33:39 2019: Debug: User-Name = "host/d4:be:d9:84:b0:8a"
(947) Tue Jul 23 16:33:39 2019: Debug: Service-Type = Framed-User
(947) Tue Jul 23 16:33:39 2019: Debug: Cisco-AVPair = "service-type=Framed"
(947) Tue Jul 23 16:33:39 2019: Debug: Framed-MTU = 1500
(947) Tue Jul 23 16:33:39 2019: Debug: Calling-Station-Id := "d4:be:d9:84:b0:8a"
(947) Tue Jul 23 16:33:39 2019: Debug: EAP-Message = 0x0201001b01686f73742f64343a62653a64393a38343a62303a3861
(947) Tue Jul 23 16:33:39 2019: Debug: Message-Authenticator = 0xa1fe8ed271005b90db8615e720925b00
(947) Tue Jul 23 16:33:39 2019: Debug: Cisco-AVPair = "audit-session-id=C0A82376000010E55ACA4F6B"
(947) Tue Jul 23 16:33:39 2019: Debug: NAS-Port-Type = Ethernet
(947) Tue Jul 23 16:33:39 2019: Debug: NAS-Port = 50115
(947) Tue Jul 23 16:33:39 2019: Debug: NAS-Port-Id = "GigabitEthernet1/0/15"
(947) Tue Jul 23 16:33:39 2019: Debug: NAS-IP-Address = 192.168.222.50
(947) Tue Jul 23 16:33:39 2019: Debug: Proxy-State = 0x313231
(947) Tue Jul 23 16:33:39 2019: Debug: Called-Station-Id := "58:0a:20:dd:42:0f"
(947) Tue Jul 23 16:33:39 2019: Debug: Event-Timestamp = "Jul 23 2019 16:33:39 EDT"
(947) Tue Jul 23 16:33:39 2019: Debug: Proxy-State = 0x313034
(947) Tue Jul 23 16:33:39 2019: Debug: Clearing existing &reply: attributes
(947) Tue Jul 23 16:33:39 2019: Debug: Received Access-Reject Id 228 from 192.168.11.157:1812 to 192.168.237.11:59801 length 54
(947) Tue Jul 23 16:33:39 2019: Debug: Proxy-State = 0x313231
(947) Tue Jul 23 16:33:39 2019: Debug: Proxy-State = 0x313034
(947) Tue Jul 23 16:33:39 2019: Debug: EAP-Message = 0x04010004
(947) Tue Jul 23 16:33:39 2019: Debug: Message-Authenticator = 0xc173e9b4af829981bdb8527c21214211
(947) Tue Jul 23 16:33:39 2019: Debug: # Executing section post-proxy from file /usr/local/pf/raddb/sites-enabled/packetfence
(947) Tue Jul 23 16:33:39 2019: Debug: post-proxy {
(947) Tue Jul 23 16:33:39 2019: Debug: eap: No pre-existing handler found
(947) Tue Jul 23 16:33:39 2019: Debug: [eap] = noop
(947) Tue Jul 23 16:33:39 2019: Debug: } # post-proxy = noop
(947) Tue Jul 23 16:33:39 2019: Debug: Using Post-Auth-Type Reject
(947) Tue Jul 23 16:33:39 2019: Debug: # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
(947) Tue Jul 23 16:33:39 2019: Debug: Post-Auth-Type REJECT {
(947) Tue Jul 23 16:33:39 2019: Debug: update {
(947) Tue Jul 23 16:33:39 2019: Debug: } # update = noop
(947) Tue Jul 23 16:33:39 2019: Debug: if (! EAP-Type || &reply:Framed-Protocol == "PPP" || (EAP-Type != TTLS && EAP-Type != PEAP) ) {
(947) Tue Jul 23 16:33:39 2019: ERROR: Failed retrieving values required to evaluate condition
(947) Tue Jul 23 16:33:39 2019: Debug: attr_filter.access_reject: EXPAND %{User-Name}
(947) Tue Jul 23 16:33:39 2019: Debug: attr_filter.access_reject: --> host/d4:be:d9:84:b0:8a
(947) Tue Jul 23 16:33:39 2019: Debug: attr_filter.access_reject: Matched entry DEFAULT at line 11
(947) Tue Jul 23 16:33:39 2019: Debug: [attr_filter.access_reject] = updated
(947) Tue Jul 23 16:33:39 2019: Debug: attr_filter.packetfence_post_auth: EXPAND %{User-Name}
(947) Tue Jul 23 16:33:39 2019: Debug: attr_filter.packetfence_post_auth: --> host/d4:be:d9:84:b0:8a
(947) Tue Jul 23 16:33:39 2019: Debug: attr_filter.packetfence_post_auth: Matched entry DEFAULT at line 10
(947) Tue Jul 23 16:33:39 2019: Debug: [attr_filter.packetfence_post_auth] = updated
(947) Tue Jul 23 16:33:39 2019: Debug: [eap] = noop
(947) Tue Jul 23 16:33:39 2019: Debug: policy remove_reply_message_if_eap {
(947) Tue Jul 23 16:33:39 2019: Debug: if (&reply:EAP-Message && &reply:Reply-Message) {
(947) Tue Jul 23 16:33:39 2019: Debug: if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(947) Tue Jul 23 16:33:39 2019: Debug: else {
(947) Tue Jul 23 16:33:39 2019: Debug: [noop] = noop
(947) Tue Jul 23 16:33:39 2019: Debug: } # else = noop
(947) Tue Jul 23 16:33:39 2019: Debug: } # policy remove_reply_message_if_eap = noop
(947) Tue Jul 23 16:33:39 2019: Debug: linelog: EXPAND messages.%{%{reply:Packet-Type}:-default}
(947) Tue Jul 23 16:33:39 2019: Debug: linelog: --> messages.Access-Reject
(947) Tue Jul 23 16:33:39 2019: Debug: linelog: EXPAND [mac:%{Calling-Station-Id}] Rejected user: %{User-Name}
(947) Tue Jul 23 16:33:39 2019: Debug: linelog: --> [mac:d4:be:d9:84:b0:8a] Rejected user: host/d4:be:d9:84:b0:8a
(947) Tue Jul 23 16:33:39 2019: Debug: [linelog] = ok
(947) Tue Jul 23 16:33:39 2019: Debug: } # Post-Auth-Type REJECT = updated
(947) Tue Jul 23 16:33:39 2019: Debug: Delaying response for 1.000000 seconds
(947) Tue Jul 23 16:33:40 2019: Debug: Sending delayed response
(947) Tue Jul 23 16:33:40 2019: Debug: Sent Access-Reject Id 104 from 192.168.237.11:1812 to 192.168.237.50:41017 length 49
(947) Tue Jul 23 16:33:40 2019: Debug: EAP-Message = 0x04010004
(947) Tue Jul 23 16:33:40 2019: Debug: Message-Authenticator = 0xc173e9b4af829981bdb8527c21214211
(947) Tue Jul 23 16:33:40 2019: Debug: Proxy-State = 0x313231
(947) Tue Jul 23 16:33:44 2019: Debug: Cleaning up request packet ID 104 with timestamp +14202

Thank you,
Ben

From: Fabrice Durand via PacketFence-users <[email protected]>
Sent: Tuesday, July 23, 2019 3:45 PM
To: [email protected]
Cc: Fabrice Durand <[email protected]>
Subject: Re: [PacketFence-users] PacketFence (9.0.1) EAP-TLS Authentication Source

Hello Benjamin,

Can you run this command and try to reconnect?

raddebug -f /usr/local/pf/var/run/radiusd.sock -t 300

Then paste the result.

Regards
Fabrice

On 19-07-23 at 10:29, Brenek, Benjamin via PacketFence-users wrote:

Hello All,

I have been stuck on the issue of getting EAP-TLS authentication to work for a few days now and have not really been able to get anywhere. Any help would be greatly appreciated in getting this set up.

I am testing with an Ethernet-connected Windows 10 laptop. The laptop has a trusted root CA, along with a client cert signed by the root CA. I have tested setting the laptop to EAP-TTLS on the network interface. Both the trusted Root CA and Client CA were issued by a server named PFPKI-Dev.

Every time the device connects the following error is thrown: (Note: This error for some reason does not show up in the Auditing log, and I need to look at journalctl directly in order to see it.)

(229) Login incorrect (Home Server says so): [host/d4:be:d9:84:b0:8a] (from client pf port 50115 cli d4:be:d9:84:b0:8a)
[mac:d4:be:d9:84:b0:8a] Rejected user: host/d4:be:d9:84:b0:8a
(229) Login incorrect (Failed retrieving values required to evaluate condition): [host/d4:be:d9:84:b0:8a] (from client pf port 50115 cli d4:be:d9:84:b0:8a)

The authentication source is configured as follows:

[EAP-TLS_Test rule Test_Rule]
action0=set_role=employee
condition0=TLS-Cert-Issuer,contains,PFPKI-Dev
condition1=TLS-Client-Cert-Issuer,contains,PFPKI-Dev
match=any
class=authentication
action1=set_access_duration=1D
description=Test Rule

The connection profile is configured as follows:

[Wired]
unreg_on_acct_stop=enabled
locale=
filter=switch_group:Cisco2960
description=Wired authentication
autoregister=enabled
dot1x_unset_on_unmatch=enabled
sources=PFPKI-Dev

The switch that the laptop is connected to is a Cisco 2960S with the following port configuration (vlan 4 is the MAC detection VLAN):

interface GigabitEthernet1/0/15
 description User/Phone Port
 switchport access vlan 4
 switchport mode access
 switchport voice vlan 48
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication event fail action next-method
 authentication order dot1x
 authentication priority dot1x
 authentication port-control auto
 authentication periodic
 authentication timer restart 10800
 authentication timer reauthenticate 10800
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 no snmp trap link-status
 mls qos trust device cisco-phone
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout quiet-period 2
 dot1x timeout tx-period 3
 spanning-tree portfast
 service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
end

Thank you,
Ben

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
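As an added example (not code from the thread, from PacketFence or from FreeRADIUS), a small Python triage helper for raddebug output of the kind pasted above: it strips the per-line "(947) Tue Jul 23 ...: Debug:" prefix, decodes each EAP-Message attribute with the RFC 3748 header layout so the identity the supplicant sent and the final EAP-Failure become readable, and records which realm claimed the request, whether EAP was handled locally or handed to a home server, and which Access-* packet went back to the switch. The sample trace is a constructed, trimmed copy of lines quoted in the thread.

```python
"""Triage a FreeRADIUS raddebug trace: identity, realm decision, proxy target, outcome."""
import re

# Every raddebug line carries this prefix: "(947) Tue Jul 23 16:33:39 2019: Debug: ..."
LINE_RE = re.compile(r"^\((\d+)\) \w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}: (\w+): (.*)$")
# RFC 3748 EAP codes and the EAP method types commonly seen in 802.1X deployments.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
# Messages that decide how a request was handled; group 1 is the value kept.
FIELD_PATTERNS = [
    ("user_name", r'User-Name = "(.*)"$'),
    ("calling_station_id", r'Calling-Station-Id :?= "(.*)"$'),
    ("realm", r'ntdomain: Found realm "(.*)"$'),
    ("proxied_to_realm", r"eap: Request is supposed to be proxied to Realm (\S+)\. Not doing EAP\.$"),
    ("home_server", r"Starting proxy to home server (\S+ port \d+)$"),
    ("outcome", r"Sent (Access-\w+) Id \d+ from"),
]

# Constructed sample input: a trimmed copy of the trace quoted in the thread.
SAMPLE_TRACE = """\
(947) Tue Jul 23 16:33:39 2019: Debug: User-Name = "host/d4:be:d9:84:b0:8a"
(947) Tue Jul 23 16:33:39 2019: Debug: Calling-Station-Id = "D4-BE-D9-84-B0-8A"
(947) Tue Jul 23 16:33:39 2019: Debug: EAP-Message = 0x0201001b01686f73742f64343a62653a64393a38343a62303a3861
(947) Tue Jul 23 16:33:39 2019: Debug: ntdomain: Found realm "null"
(947) Tue Jul 23 16:33:39 2019: Debug: eap: Request is supposed to be proxied to Realm HEROES. Not doing EAP.
(947) Tue Jul 23 16:33:39 2019: Debug: Starting proxy to home server 192.168.11.157 port 1812
(947) Tue Jul 23 16:33:39 2019: Debug: Sent Access-Request Id 228 from 0.0.0.0:59801 to 192.168.11.157:1812 length 274
(947) Tue Jul 23 16:33:39 2019: Debug: Received Access-Reject Id 228 from 192.168.11.157:1812 to 192.168.237.11:59801 length 54
(947) Tue Jul 23 16:33:39 2019: Debug: EAP-Message = 0x04010004
(947) Tue Jul 23 16:33:39 2019: ERROR: Failed retrieving values required to evaluate condition
(947) Tue Jul 23 16:33:40 2019: Debug: Sent Access-Reject Id 104 from 192.168.237.11:1812 to 192.168.237.50:41017 length 49
"""


def decode_eap_message(hex_value):
    """Decode a RADIUS EAP-Message attribute (EAP header: code, id, length, then type)."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    info = {"code": code, "code_name": EAP_CODES.get(code, "unknown"), "id": ident,
            "length": length, "type_name": None, "identity": None}
    # Only Request/Response packets carry a Type byte; Success/Failure are header only.
    if code in (1, 2) and len(raw) >= 5:
        info["type_name"] = EAP_TYPES.get(raw[4], f"type {raw[4]}")
        if raw[4] == 1:  # Identity: the remainder is the supplicant's identity string
            info["identity"] = raw[5:length].decode("utf-8", "replace")
    return info


def parse_trace(text):
    """Return (request_id, level, message) for each line that carries the raddebug prefix."""
    parsed = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            parsed.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return parsed


def summarize(text):
    """Walk one request's trace and collect the facts that explain its outcome."""
    summary = {key: None for key, _ in FIELD_PATTERNS}
    summary.update(request_id=None, eap_identity=None, eap_packets=[], errors=[])
    for req_id, level, msg in parse_trace(text):
        summary["request_id"] = summary["request_id"] or req_id
        if level == "ERROR":
            summary["errors"].append(msg)
        for key, pattern in FIELD_PATTERNS:
            m = re.match(pattern, msg)
            if m and (summary[key] is None or key == "outcome"):  # last Sent packet wins
                summary[key] = m.group(1)
        m = re.match(r"EAP-Message = (0x[0-9a-fA-F]+)$", msg)
        if m:
            pkt = decode_eap_message(m.group(1))
            summary["eap_packets"].append(pkt)
            if pkt["identity"] and summary["eap_identity"] is None:
                summary["eap_identity"] = pkt["identity"]
    # EAP was terminated locally only if no realm handed the request to a home server.
    summary["local_eap"] = summary["proxied_to_realm"] is None
    return summary
```

On the sample trace the summary shows a local-realm ("null") request that was nonetheless proxied to HEROES, so the EAP-TLS conversation never ran on the PacketFence server and the home server's Access-Reject with an EAP-Failure was relayed to the switch.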
