Hi Fabrice,
I wanted to follow up to see if you were able to determine if there is
any issue here?
Thank you,
*Benjamin Brenek*
BAYADA Home Health Care | Senior Associate, Sys. Analyst (NES)
4300 Haddonfield Road | Pennsauken, NJ 08109
O: 856-380-3008 | Ext: 0527-13 | bayada.com
*From:* Brenek, Benjamin via PacketFence-users <[email protected]>
*Sent:* Tuesday, July 23, 2019 4:40 PM
*To:* [email protected]
*Cc:* Brenek, Benjamin <[email protected]>
*Subject:* Re: [PacketFence-users] PacketFence (9.0.1) EAP-TLS Authentication Source
Hi Fabrice,
Please see log output below:
(947) Tue Jul 23 16:33:39 2019: Debug: Received Access-Request Id 104
from 192.168.237.50:41017 to 192.168.237.11:1812 length 263
(947) Tue Jul 23 16:33:39 2019: Debug: User-Name =
"host/d4:be:d9:84:b0:8a"
(947) Tue Jul 23 16:33:39 2019: Debug: Service-Type = Framed-User
(947) Tue Jul 23 16:33:39 2019: Debug: Cisco-AVPair =
"service-type=Framed"
(947) Tue Jul 23 16:33:39 2019: Debug: Framed-MTU = 1500
(947) Tue Jul 23 16:33:39 2019: Debug: Called-Station-Id =
"58-0A-20-DD-42-0F"
(947) Tue Jul 23 16:33:39 2019: Debug: Calling-Station-Id =
"D4-BE-D9-84-B0-8A"
(947) Tue Jul 23 16:33:39 2019: Debug: EAP-Message =
0x0201001b01686f73742f64343a62653a64393a38343a62303a3861
(947) Tue Jul 23 16:33:39 2019: Debug: Message-Authenticator =
0xa1fe8ed271005b90db8615e720925b00
(947) Tue Jul 23 16:33:39 2019: Debug: Cisco-AVPair =
"audit-session-id=C0A82376000010E55ACA4F6B"
(947) Tue Jul 23 16:33:39 2019: Debug: NAS-Port-Type = Ethernet
(947) Tue Jul 23 16:33:39 2019: Debug: NAS-Port = 50115
(947) Tue Jul 23 16:33:39 2019: Debug: NAS-Port-Id =
"GigabitEthernet1/0/15"
(947) Tue Jul 23 16:33:39 2019: Debug: NAS-IP-Address = 192.168.222.50
(947) Tue Jul 23 16:33:39 2019: Debug: Proxy-State = 0x313231
(947) Tue Jul 23 16:33:39 2019: Debug: # Executing section authorize
from file /usr/local/pf/raddb/sites-enabled/packetfence
(947) Tue Jul 23 16:33:39 2019: Debug: authorize {
(947) Tue Jul 23 16:33:39 2019: Debug: update {
(947) Tue Jul 23 16:33:39 2019: Debug: EXPAND
%{Packet-Src-IP-Address}
(947) Tue Jul 23 16:33:39 2019: Debug: --> 192.168.237.50
(947) Tue Jul 23 16:33:39 2019: Debug: EXPAND %l
(947) Tue Jul 23 16:33:39 2019: Debug: --> 1563914019
(947) Tue Jul 23 16:33:39 2019: Debug: } # update = noop
(947) Tue Jul 23 16:33:39 2019: Debug: policy
packetfence-set-tenant-id {
(947) Tue Jul 23 16:33:39 2019: Debug: if (!NAS-IP-Address ||
NAS-IP-Address == "0.0.0.0"){
(947) Tue Jul 23 16:33:39 2019: Debug: if (!NAS-IP-Address ||
NAS-IP-Address == "0.0.0.0") -> FALSE
(947) Tue Jul 23 16:33:39 2019: Debug: if (
"%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(947) Tue Jul 23 16:33:39 2019: Debug: EXPAND
%{%{control:PacketFence-Tenant-Id}:-0}
(947) Tue Jul 23 16:33:39 2019: Debug: --> 0
(947) Tue Jul 23 16:33:39 2019: Debug: if (
"%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> TRUE
(947) Tue Jul 23 16:33:39 2019: Debug: if (
"%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(947) Tue Jul 23 16:33:39 2019: Debug: update control {
(947) Tue Jul 23 16:33:39 2019: Debug: EXPAND %{User-Name}
(947) Tue Jul 23 16:33:39 2019: Debug: -->
host/d4:be:d9:84:b0:8a
(947) Tue Jul 23 16:33:39 2019: Debug: SQL-User-Name set to
'host/d4:be:d9:84:b0:8a'
(947) Tue Jul 23 16:33:39 2019: Debug: Executing select
query: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname
= '192.168.222.50'), 0)
(947) Tue Jul 23 16:33:39 2019: Debug: EXPAND %{sql: SELECT
IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname =
'%{NAS-IP-Address}'), 0)}
(947) Tue Jul 23 16:33:39 2019: Debug: --> 1
(947) Tue Jul 23 16:33:39 2019: Debug: } # update control = noop
(947) Tue Jul 23 16:33:39 2019: Debug: } # if (
"%{%{control:PacketFence-Tenant-Id}:-0}" == "0") = noop
(947) Tue Jul 23 16:33:39 2019: Debug: if (
&control:PacketFence-Tenant-Id == 0 ) {
(947) Tue Jul 23 16:33:39 2019: Debug: if (
&control:PacketFence-Tenant-Id == 0 ) -> FALSE
(947) Tue Jul 23 16:33:39 2019: Debug: } # policy
packetfence-set-tenant-id = noop
(947) Tue Jul 23 16:33:39 2019: Debug: policy
rewrite_calling_station_id {
(947) Tue Jul 23 16:33:39 2019: Debug: if (&Calling-Station-Id
&& (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(947) Tue Jul 23 16:33:39 2019: Debug: if (&Calling-Station-Id
&& (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> TRUE
(947) Tue Jul 23 16:33:39 2019: Debug: if (&Calling-Station-Id
&& (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(947) Tue Jul 23 16:33:39 2019: Debug: update request {
(947) Tue Jul 23 16:33:39 2019: Debug: EXPAND
%{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(947) Tue Jul 23 16:33:39 2019: Debug: --> d4:be:d9:84:b0:8a
(947) Tue Jul 23 16:33:39 2019: Debug: } # update request = noop
(947) Tue Jul 23 16:33:39 2019: Debug: [updated] = updated
(947) Tue Jul 23 16:33:39 2019: Debug: } # if
(&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
= updated
(947) Tue Jul 23 16:33:39 2019: Debug: ... skipping else:
Preceding "if" was taken
(947) Tue Jul 23 16:33:39 2019: Debug: } # policy
rewrite_calling_station_id = updated
(947) Tue Jul 23 16:33:39 2019: Debug: policy
rewrite_called_station_id {
(947) Tue Jul 23 16:33:39 2019: Debug: if ((&Called-Station-Id)
&& (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
{
(947) Tue Jul 23 16:33:39 2019: Debug: if ((&Called-Station-Id)
&& (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
-> TRUE
(947) Tue Jul 23 16:33:39 2019: Debug: if ((&Called-Station-Id)
&& (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
{
(947) Tue Jul 23 16:33:39 2019: Debug: update request {
(947) Tue Jul 23 16:33:39 2019: Debug: EXPAND
%{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(947) Tue Jul 23 16:33:39 2019: Debug: --> 58:0a:20:dd:42:0f
(947) Tue Jul 23 16:33:39 2019: Debug: } # update request = noop
(947) Tue Jul 23 16:33:39 2019: Debug: if ("%{8}") {
(947) Tue Jul 23 16:33:39 2019: Debug: EXPAND %{8}
(947) Tue Jul 23 16:33:39 2019: Debug: -->
(947) Tue Jul 23 16:33:39 2019: Debug: if ("%{8}") -> FALSE
(947) Tue Jul 23 16:33:39 2019: Debug: elsif (
(Colubris-AVPair) && "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) {
(947) Tue Jul 23 16:33:39 2019: Debug: elsif (
(Colubris-AVPair) && "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) -> FALSE
(947) Tue Jul 23 16:33:39 2019: Debug: elsif (Aruba-Essid-Name) {
(947) Tue Jul 23 16:33:39 2019: Debug: elsif
(Aruba-Essid-Name) -> FALSE
(947) Tue Jul 23 16:33:39 2019: Debug: elsif ( (Cisco-AVPair)
&& "%{Cisco-AVPair}" =~ /^ssid=(.*)$/i) {
(947) Tue Jul 23 16:33:39 2019: Debug: EXPAND %{Cisco-AVPair}
(947) Tue Jul 23 16:33:39 2019: Debug: --> service-type=Framed
(947) Tue Jul 23 16:33:39 2019: Debug: elsif ( (Cisco-AVPair)
&& "%{Cisco-AVPair}" =~ /^ssid=(.*)$/i) -> FALSE
(947) Tue Jul 23 16:33:39 2019: Debug: [updated] = updated
(947) Tue Jul 23 16:33:39 2019: Debug: } # if
((&Called-Station-Id) && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
= updated
(947) Tue Jul 23 16:33:39 2019: Debug: ... skipping else:
Preceding "if" was taken
(947) Tue Jul 23 16:33:39 2019: Debug: } # policy
rewrite_called_station_id = updated
(947) Tue Jul 23 16:33:39 2019: Debug: policy filter_username {
(947) Tue Jul 23 16:33:39 2019: Debug: if (&User-Name) {
(947) Tue Jul 23 16:33:39 2019: Debug: if (&User-Name) -> TRUE
(947) Tue Jul 23 16:33:39 2019: Debug: if (&User-Name) {
(947) Tue Jul 23 16:33:39 2019: Debug: if (&User-Name =~ / /) {
(947) Tue Jul 23 16:33:39 2019: Debug: if (&User-Name =~ / /)
-> FALSE
(947) Tue Jul 23 16:33:39 2019: Debug: if (&User-Name =~
/@[^@]*@/ ) {
(947) Tue Jul 23 16:33:39 2019: Debug: if (&User-Name =~
/@[^@]*@/ ) -> FALSE
(947) Tue Jul 23 16:33:39 2019: Debug: if (&User-Name =~
/\.\./ ) {
(947) Tue Jul 23 16:33:39 2019: Debug: if (&User-Name =~
/\.\./ ) -> FALSE
(947) Tue Jul 23 16:33:39 2019: Debug: if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(947) Tue Jul 23 16:33:39 2019: Debug: if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(947) Tue Jul 23 16:33:39 2019: Debug: if (&User-Name =~ /\.$/) {
(947) Tue Jul 23 16:33:39 2019: Debug: if (&User-Name =~
/\.$/) -> FALSE
(947) Tue Jul 23 16:33:39 2019: Debug: if (&User-Name =~ /@\./) {
(947) Tue Jul 23 16:33:39 2019: Debug: if (&User-Name =~ /@\./) -> FALSE
(947) Tue Jul 23 16:33:39 2019: Debug: } # if (&User-Name) =
updated
(947) Tue Jul 23 16:33:39 2019: Debug: } # policy filter_username
= updated
(947) Tue Jul 23 16:33:39 2019: Debug: if ("%{User-Name}"=~
/^host\/.*.heroes.bayada.com$/) {
(947) Tue Jul 23 16:33:39 2019: Debug: EXPAND %{User-Name}
(947) Tue Jul 23 16:33:39 2019: Debug: --> host/d4:be:d9:84:b0:8a
(947) Tue Jul 23 16:33:39 2019: Debug: if ("%{User-Name}"=~
/^host\/.*.heroes.bayada.com$/) -> FALSE
(947) Tue Jul 23 16:33:39 2019: Debug: if (! "%{User-Name}"=~
/^[Bb][Aa][Dd][Gg][Ee]_[Rr][Ee][Aa][Dd][Ee][Rr].*$/ && !
"%{User-Name}"=~ /^[Bb][Aa][Yy][Gg][Uu}[Ee][Ss][Tt].*$/ && !
"%{User-Name}"=~ /.*[Hh][Ee][Rr][Oo][Ee][Ss].*$/ && ! "%{User-Name}"=~
/^[Ss]\d\d\d\d[Zz][Oo][Oo][Mm]$/ && ! "%{User-Name}"=~ /^zoomrooms$/
&& ! "%{User-Name}"=~ /^bayguest$/ && ! "%{User-Name}"=~
/^[ABCDEFabcdef0123456789]{12}$|^([ABCDEFabcdef0123456789]{2}[:]){5}[ABCDEFabcdef0123456789]{2}$|^([ABCDEFabcdef0123456789]{2}[-]){5}[ABCDEFabcdef0123456789]{2}$|^([ABCDEFabcdef0123456789]{4}[.]){2}[ABCDEFabcdef0123456789]{4}$/)
{
(947) Tue Jul 23 16:33:39 2019: Debug: EXPAND %{User-Name}
(947) Tue Jul 23 16:33:39 2019: Debug: --> host/d4:be:d9:84:b0:8a
(947) Tue Jul 23 16:33:39 2019: Debug: EXPAND %{User-Name}
(947) Tue Jul 23 16:33:39 2019: Debug: --> host/d4:be:d9:84:b0:8a
(947) Tue Jul 23 16:33:39 2019: Debug: EXPAND %{User-Name}
(947) Tue Jul 23 16:33:39 2019: Debug: --> host/d4:be:d9:84:b0:8a
(947) Tue Jul 23 16:33:39 2019: Debug: EXPAND %{User-Name}
(947) Tue Jul 23 16:33:39 2019: Debug: --> host/d4:be:d9:84:b0:8a
(947) Tue Jul 23 16:33:39 2019: Debug: EXPAND %{User-Name}
(947) Tue Jul 23 16:33:39 2019: Debug: --> host/d4:be:d9:84:b0:8a
(947) Tue Jul 23 16:33:39 2019: Debug: EXPAND %{User-Name}
(947) Tue Jul 23 16:33:39 2019: Debug: --> host/d4:be:d9:84:b0:8a
(947) Tue Jul 23 16:33:39 2019: Debug: EXPAND %{User-Name}
(947) Tue Jul 23 16:33:39 2019: Debug: --> host/d4:be:d9:84:b0:8a
(947) Tue Jul 23 16:33:39 2019: Debug: if (! "%{User-Name}"=~
/^[Bb][Aa][Dd][Gg][Ee]_[Rr][Ee][Aa][Dd][Ee][Rr].*$/ && !
"%{User-Name}"=~ /^[Bb][Aa][Yy][Gg][Uu}[Ee][Ss][Tt].*$/ && !
"%{User-Name}"=~ /.*[Hh][Ee][Rr][Oo][Ee][Ss].*$/ && ! "%{User-Name}"=~
/^[Ss]\d\d\d\d[Zz][Oo][Oo][Mm]$/ && ! "%{User-Name}"=~ /^zoomrooms$/
&& ! "%{User-Name}"=~ /^bayguest$/ && ! "%{User-Name}"=~
/^[ABCDEFabcdef0123456789]{12}$|^([ABCDEFabcdef0123456789]{2}[:]){5}[ABCDEFabcdef0123456789]{2}$|^([ABCDEFabcdef0123456789]{2}[-]){5}[ABCDEFabcdef0123456789]{2}$|^([ABCDEFabcdef0123456789]{4}[.]){2}[ABCDEFabcdef0123456789]{4}$/)
-> TRUE
(947) Tue Jul 23 16:33:39 2019: Debug: if (! "%{User-Name}"=~
/^[Bb][Aa][Dd][Gg][Ee]_[Rr][Ee][Aa][Dd][Ee][Rr].*$/ && !
"%{User-Name}"=~ /^[Bb][Aa][Yy][Gg][Uu}[Ee][Ss][Tt].*$/ && !
"%{User-Name}"=~ /.*[Hh][Ee][Rr][Oo][Ee][Ss].*$/ && ! "%{User-Name}"=~
/^[Ss]\d\d\d\d[Zz][Oo][Oo][Mm]$/ && ! "%{User-Name}"=~ /^zoomrooms$/
&& ! "%{User-Name}"=~ /^bayguest$/ && ! "%{User-Name}"=~
/^[ABCDEFabcdef0123456789]{12}$|^([ABCDEFabcdef0123456789]{2}[:]){5}[ABCDEFabcdef0123456789]{2}$|^([ABCDEFabcdef0123456789]{2}[-]){5}[ABCDEFabcdef0123456789]{2}$|^([ABCDEFabcdef0123456789]{4}[.]){2}[ABCDEFabcdef0123456789]{4}$/)
{
(947) Tue Jul 23 16:33:39 2019: Debug: update control {
(947) Tue Jul 23 16:33:39 2019: Debug: } # update control = noop
(947) Tue Jul 23 16:33:39 2019: Debug: } # if (! "%{User-Name}"=~
/^[Bb][Aa][Dd][Gg][Ee]_[Rr][Ee][Aa][Dd][Ee][Rr].*$/ && !
"%{User-Name}"=~ /^[Bb][Aa][Yy][Gg][Uu}[Ee][Ss][Tt].*$/ && !
"%{User-Name}"=~ /.*[Hh][Ee][Rr][Oo][Ee][Ss].*$/ && ! "%{User-Name}"=~
/^[Ss]\d\d\d\d[Zz][Oo][Oo][Mm]$/ && ! "%{User-Name}"=~ /^zoomrooms$/
&& ! "%{User-Name}"=~ /^bayguest$/ && ! "%{User-Name}"=~
/^[ABCDEFabcdef0123456789]{12}$|^([ABCDEFabcdef0123456789]{2}[:]){5}[ABCDEFabcdef0123456789]{2}$|^([ABCDEFabcdef0123456789]{2}[-]){5}[ABCDEFabcdef0123456789]{2}$|^([ABCDEFabcdef0123456789]{4}[.]){2}[ABCDEFabcdef0123456789]{4}$/)
= noop
(947) Tue Jul 23 16:33:39 2019: Debug: policy filter_password {
(947) Tue Jul 23 16:33:39 2019: Debug: if (&User-Password
&& (&User-Password != "%{string:User-Password}")) {
(947) Tue Jul 23 16:33:39 2019: Debug: if (&User-Password
&& (&User-Password != "%{string:User-Password}")) -> FALSE
(947) Tue Jul 23 16:33:39 2019: Debug: } # policy filter_password
= updated
(947) Tue Jul 23 16:33:39 2019: Debug: [preprocess] = ok
(947) Tue Jul 23 16:33:39 2019: Debug: suffix: Checking for suffix
after "@"
(947) Tue Jul 23 16:33:39 2019: Debug: suffix: No '@' in User-Name =
"host/d4:be:d9:84:b0:8a", skipping NULL due to config.
(947) Tue Jul 23 16:33:39 2019: Debug: [suffix] = noop
(947) Tue Jul 23 16:33:39 2019: Debug: ntdomain: Checking for prefix
before "\"
(947) Tue Jul 23 16:33:39 2019: Debug: ntdomain: No '\' in User-Name =
"host/d4:be:d9:84:b0:8a", looking up realm NULL
(947) Tue Jul 23 16:33:39 2019: Debug: ntdomain: Found realm "null"
(947) Tue Jul 23 16:33:39 2019: Debug: ntdomain: Adding
Stripped-User-Name = "host/d4:be:d9:84:b0:8a"
(947) Tue Jul 23 16:33:39 2019: Debug: ntdomain: Adding Realm = "null"
(947) Tue Jul 23 16:33:39 2019: Debug: ntdomain: Authentication realm
is LOCAL
(947) Tue Jul 23 16:33:39 2019: Debug: [ntdomain] = ok
(947) Tue Jul 23 16:33:39 2019: Debug: eap: Request is supposed to be
proxied to Realm HEROES. Not doing EAP.
(947) Tue Jul 23 16:33:39 2019: Debug: [eap] = noop
(947) Tue Jul 23 16:33:39 2019: Debug: [files] = noop
(947) Tue Jul 23 16:33:39 2019: Debug: if ( !EAP-Message ) {
(947) Tue Jul 23 16:33:39 2019: Debug: if ( !EAP-Message ) -> FALSE
(947) Tue Jul 23 16:33:39 2019: Debug: policy
packetfence-eap-mac-policy {
(947) Tue Jul 23 16:33:39 2019: Debug: if ( &EAP-Type ) {
(947) Tue Jul 23 16:33:39 2019: Debug: if ( &EAP-Type ) -> TRUE
(947) Tue Jul 23 16:33:39 2019: Debug: if ( &EAP-Type ) {
(947) Tue Jul 23 16:33:39 2019: Debug: if (&User-Name &&
(&User-Name =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(947) Tue Jul 23 16:33:39 2019: Debug: if (&User-Name &&
(&User-Name =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> FALSE
(947) Tue Jul 23 16:33:39 2019: Debug: } # if ( &EAP-Type ) =
updated
(947) Tue Jul 23 16:33:39 2019: Debug: [noop] = noop
(947) Tue Jul 23 16:33:39 2019: Debug: } # policy
packetfence-eap-mac-policy = updated
(947) Tue Jul 23 16:33:39 2019: WARNING: pap: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(947) Tue Jul 23 16:33:39 2019: WARNING: pap: !!! Ignoring control:User-Password. Update your !!!
(947) Tue Jul 23 16:33:39 2019: WARNING: pap: !!! configuration so that the "known good" clear text !!!
(947) Tue Jul 23 16:33:39 2019: WARNING: pap: !!! password is in Cleartext-Password and NOT in !!!
(947) Tue Jul 23 16:33:39 2019: WARNING: pap: !!! User-Password. !!!
(947) Tue Jul 23 16:33:39 2019: WARNING: pap: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(947) Tue Jul 23 16:33:39 2019: Debug: [pap] = noop
(947) Tue Jul 23 16:33:39 2019: Debug: } # authorize = updated
(947) Tue Jul 23 16:33:39 2019: Debug: Starting proxy to home server
192.168.11.157 port 1812
(947) Tue Jul 23 16:33:39 2019: Debug: Sent Access-Request Id 228 from
0.0.0.0:59801 to 192.168.11.157:1812 length 274
(947) Tue Jul 23 16:33:39 2019: Debug: User-Name =
"host/d4:be:d9:84:b0:8a"
(947) Tue Jul 23 16:33:39 2019: Debug: Service-Type = Framed-User
(947) Tue Jul 23 16:33:39 2019: Debug: Cisco-AVPair =
"service-type=Framed"
(947) Tue Jul 23 16:33:39 2019: Debug: Framed-MTU = 1500
(947) Tue Jul 23 16:33:39 2019: Debug: Calling-Station-Id :=
"d4:be:d9:84:b0:8a"
(947) Tue Jul 23 16:33:39 2019: Debug: EAP-Message =
0x0201001b01686f73742f64343a62653a64393a38343a62303a3861
(947) Tue Jul 23 16:33:39 2019: Debug: Message-Authenticator =
0xa1fe8ed271005b90db8615e720925b00
(947) Tue Jul 23 16:33:39 2019: Debug: Cisco-AVPair =
"audit-session-id=C0A82376000010E55ACA4F6B"
(947) Tue Jul 23 16:33:39 2019: Debug: NAS-Port-Type = Ethernet
(947) Tue Jul 23 16:33:39 2019: Debug: NAS-Port = 50115
(947) Tue Jul 23 16:33:39 2019: Debug: NAS-Port-Id =
"GigabitEthernet1/0/15"
(947) Tue Jul 23 16:33:39 2019: Debug: NAS-IP-Address = 192.168.222.50
(947) Tue Jul 23 16:33:39 2019: Debug: Proxy-State = 0x313231
(947) Tue Jul 23 16:33:39 2019: Debug: Called-Station-Id :=
"58:0a:20:dd:42:0f"
(947) Tue Jul 23 16:33:39 2019: Debug: Event-Timestamp = "Jul 23
2019 16:33:39 EDT"
(947) Tue Jul 23 16:33:39 2019: Debug: Proxy-State = 0x313034
(947) Tue Jul 23 16:33:39 2019: Debug: Clearing existing &reply:
attributes
(947) Tue Jul 23 16:33:39 2019: Debug: Received Access-Reject Id 228
from 192.168.11.157:1812 to 192.168.237.11:59801 length 54
(947) Tue Jul 23 16:33:39 2019: Debug: Proxy-State = 0x313231
(947) Tue Jul 23 16:33:39 2019: Debug: Proxy-State = 0x313034
(947) Tue Jul 23 16:33:39 2019: Debug: EAP-Message = 0x04010004
(947) Tue Jul 23 16:33:39 2019: Debug: Message-Authenticator =
0xc173e9b4af829981bdb8527c21214211
(947) Tue Jul 23 16:33:39 2019: Debug: # Executing section post-proxy
from file /usr/local/pf/raddb/sites-enabled/packetfence
(947) Tue Jul 23 16:33:39 2019: Debug: post-proxy {
(947) Tue Jul 23 16:33:39 2019: Debug: eap: No pre-existing handler found
(947) Tue Jul 23 16:33:39 2019: Debug: [eap] = noop
(947) Tue Jul 23 16:33:39 2019: Debug: } # post-proxy = noop
(947) Tue Jul 23 16:33:39 2019: Debug: Using Post-Auth-Type Reject
(947) Tue Jul 23 16:33:39 2019: Debug: # Executing group from file
/usr/local/pf/raddb/sites-enabled/packetfence
(947) Tue Jul 23 16:33:39 2019: Debug: Post-Auth-Type REJECT {
(947) Tue Jul 23 16:33:39 2019: Debug: update {
(947) Tue Jul 23 16:33:39 2019: Debug: } # update = noop
(947) Tue Jul 23 16:33:39 2019: Debug: if (! EAP-Type ||
&reply:Framed-Protocol == "PPP" || (EAP-Type != TTLS && EAP-Type !=
PEAP) ) {
(947) Tue Jul 23 16:33:39 2019: ERROR: Failed retrieving values
required to evaluate condition
(947) Tue Jul 23 16:33:39 2019: Debug: attr_filter.access_reject:
EXPAND %{User-Name}
(947) Tue Jul 23 16:33:39 2019: Debug: attr_filter.access_reject: -->
host/d4:be:d9:84:b0:8a
(947) Tue Jul 23 16:33:39 2019: Debug: attr_filter.access_reject:
Matched entry DEFAULT at line 11
(947) Tue Jul 23 16:33:39 2019: Debug: [attr_filter.access_reject] =
updated
(947) Tue Jul 23 16:33:39 2019: Debug:
attr_filter.packetfence_post_auth: EXPAND %{User-Name}
(947) Tue Jul 23 16:33:39 2019: Debug:
attr_filter.packetfence_post_auth: --> host/d4:be:d9:84:b0:8a
(947) Tue Jul 23 16:33:39 2019: Debug:
attr_filter.packetfence_post_auth: Matched entry DEFAULT at line 10
(947) Tue Jul 23 16:33:39 2019: Debug:
[attr_filter.packetfence_post_auth] = updated
(947) Tue Jul 23 16:33:39 2019: Debug: [eap] = noop
(947) Tue Jul 23 16:33:39 2019: Debug: policy
remove_reply_message_if_eap {
(947) Tue Jul 23 16:33:39 2019: Debug: if (&reply:EAP-Message &&
&reply:Reply-Message) {
(947) Tue Jul 23 16:33:39 2019: Debug: if (&reply:EAP-Message &&
&reply:Reply-Message) -> FALSE
(947) Tue Jul 23 16:33:39 2019: Debug: else {
(947) Tue Jul 23 16:33:39 2019: Debug: [noop] = noop
(947) Tue Jul 23 16:33:39 2019: Debug: } # else = noop
(947) Tue Jul 23 16:33:39 2019: Debug: } # policy
remove_reply_message_if_eap = noop
(947) Tue Jul 23 16:33:39 2019: Debug: linelog: EXPAND
messages.%{%{reply:Packet-Type}:-default}
(947) Tue Jul 23 16:33:39 2019: Debug: linelog: -->
messages.Access-Reject
(947) Tue Jul 23 16:33:39 2019: Debug: linelog: EXPAND
[mac:%{Calling-Station-Id}] Rejected user: %{User-Name}
(947) Tue Jul 23 16:33:39 2019: Debug: linelog: -->
[mac:d4:be:d9:84:b0:8a] Rejected user: host/d4:be:d9:84:b0:8a
(947) Tue Jul 23 16:33:39 2019: Debug: [linelog] = ok
(947) Tue Jul 23 16:33:39 2019: Debug: } # Post-Auth-Type REJECT =
updated
(947) Tue Jul 23 16:33:39 2019: Debug: Delaying response for 1.000000
seconds
(947) Tue Jul 23 16:33:40 2019: Debug: Sending delayed response
(947) Tue Jul 23 16:33:40 2019: Debug: Sent Access-Reject Id 104 from
192.168.237.11:1812 to 192.168.237.50:41017 length 49
(947) Tue Jul 23 16:33:40 2019: Debug: EAP-Message = 0x04010004
(947) Tue Jul 23 16:33:40 2019: Debug: Message-Authenticator =
0xc173e9b4af829981bdb8527c21214211
(947) Tue Jul 23 16:33:40 2019: Debug: Proxy-State = 0x313231
(947) Tue Jul 23 16:33:44 2019: Debug: Cleaning up request packet ID
104 with timestamp +14202
Thank you,
*Ben*
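The trace above, read mechanically. The following is an added example, not PacketFence or FreeRADIUS code and not something from the thread: it decodes the raw EAP-Message attribute bytes that raddebug prints and pulls out the decision path that matters when EAP-TLS "never happens" (realm lookup, the eap module deferring to a proxy realm, the home server's answer, the final reply to the switch). The embedded sample log is a trimmed copy of lines from the trace above with the nesting indentation removed; the regex set, the function names and the verdict wording are this example's own and assume FreeRADIUS 3.x raddebug line layout.

```python
"""Triage a FreeRADIUS raddebug trace of an EAP exchange that never reached EAP-TLS.

Added example, not PacketFence or FreeRADIUS code. It decodes the raw EAP-Message
attribute bytes that raddebug prints and extracts the decision path that matters
here: realm lookup, the eap module deferring to a proxy, the home server's answer,
and the final reply to the switch.
"""
import re

# EAP packet codes (RFC 3748 section 4) and the method types relevant to 802.1X.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}

# Constructed sample input: the decision-relevant lines of the trace above, with
# FreeRADIUS's nesting indentation trimmed. A real trace has hundreds of lines.
SAMPLE_LOG = """\
(947) Tue Jul 23 16:33:39 2019: Debug: Received Access-Request Id 104 from 192.168.237.50:41017 to 192.168.237.11:1812 length 263
(947) Tue Jul 23 16:33:39 2019: Debug: User-Name = "host/d4:be:d9:84:b0:8a"
(947) Tue Jul 23 16:33:39 2019: Debug: EAP-Message = 0x0201001b01686f73742f64343a62653a64393a38343a62303a3861
(947) Tue Jul 23 16:33:39 2019: Debug: ntdomain: Found realm "null"
(947) Tue Jul 23 16:33:39 2019: Debug: eap: Request is supposed to be proxied to Realm HEROES. Not doing EAP.
(947) Tue Jul 23 16:33:39 2019: Debug: Starting proxy to home server 192.168.11.157 port 1812
(947) Tue Jul 23 16:33:39 2019: Debug: Received Access-Reject Id 228 from 192.168.11.157:1812 to 192.168.237.11:59801 length 54
(947) Tue Jul 23 16:33:39 2019: Debug: EAP-Message = 0x04010004
(947) Tue Jul 23 16:33:39 2019: ERROR: Failed retrieving values required to evaluate condition
(947) Tue Jul 23 16:33:40 2019: Debug: Sent Access-Reject Id 104 from 192.168.237.11:1812 to 192.168.237.50:41017 length 49
"""

# One raddebug line: "(947) Tue Jul 23 16:33:39 2019: Debug: <message>"
LINE_RE = re.compile(r"^\((?P<req>\d+)\) (?P<ts>.+? \d{4}): (?P<level>\w+): (?P<msg>.*)$")
PATTERNS = {
    "realm": re.compile(r'ntdomain: Found realm "([^"]*)"'),
    "proxied_realm": re.compile(r"eap: Request is supposed to be proxied to Realm (\S+)\. Not doing EAP"),
    "home_server": re.compile(r"Starting proxy to home server (\S+) port (\d+)"),
    "home_reply": re.compile(r"Received (Access-(?:Accept|Reject|Challenge)) Id \d+ from ([\d.]+):\d+"),
    "final_reply": re.compile(r"Sent (Access-(?:Accept|Reject|Challenge)) Id \d+ from"),
    "eap_message": re.compile(r"EAP-Message = (0x[0-9a-fA-F]+)"),
}


def decode_eap_message(hexstr: str) -> dict:
    """Decode one EAP-Message attribute value as printed by raddebug ("0x...")."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field says {length} bytes, attribute carries {len(raw)}")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:  # only Request/Response carry a Type byte
        eap_type = raw[4]
        pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:  # Identity: the payload is the NAI the supplicant sent
            pkt["identity"] = raw[5:].decode("utf-8", "replace")
    return pkt


def triage(log_text: str) -> dict:
    """Walk one request's raddebug lines and collect the authentication decision path."""
    summary = {"eap": [], "errors": []}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # wrapped continuation lines and non-request output are ignored
        level, msg = m.group("level"), m.group("msg")
        if level == "ERROR":
            summary["errors"].append(msg)
        for key, pattern in PATTERNS.items():
            hit = pattern.search(msg)
            if not hit:
                continue
            if key == "eap_message":
                summary["eap"].append(decode_eap_message(hit.group(1)))
            elif key in ("home_server", "home_reply"):
                summary[key] = hit.groups()
            else:
                summary[key] = hit.group(1)
    return summary


def verdict(summary: dict) -> str:
    """Explain, from the decision path alone, why a local EAP-TLS handshake never ran."""
    types_seen = {pkt.get("type") for pkt in summary["eap"]}
    if summary.get("proxied_realm") and "EAP-TLS" not in types_seen:
        host, port = summary.get("home_server", ("?", "?"))
        reply = summary.get("home_reply", ("no reply", "?"))[0]
        return (f"proxied: realm {summary['proxied_realm']} forwarded the request to "
                f"{host}:{port}, which returned {reply}; the local eap module never ran, "
                f"so there was no TLS handshake and no client certificate to match on")
    if "EAP-TLS" in types_seen:
        return "local EAP-TLS handshake observed; inspect the TLS and certificate lines"
    return "no EAP method negotiated locally; check the eap module and realm configuration"


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    for pkt in s["eap"]:
        print("EAP:", pkt)
    print("verdict:", verdict(s))
```

Run against a full trace (`raddebug ... > trace.txt`, then feed the file to `triage`) it reports the same two facts a reader can check by hand in the lines above: the only EAP packet the switch relayed is 0x0201001b01... (code 2 = Response, id 1, length 27, type 1 = Identity, identity "host/d4:be:d9:84:b0:8a"), and the only EAP packet that came back is 0x04010004 (code 4 = Failure, id 1), sent by the home server 192.168.11.157 for realm HEROES, never by the local eap module. No EAP-TLS Start, no TLS handshake and no TLS-Client-Cert-* attributes are ever produced on this server, so a source rule keyed on the certificate issuer has nothing to evaluate.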
*From:* Fabrice Durand via PacketFence-users <[email protected]>
*Sent:* Tuesday, July 23, 2019 3:45 PM
*To:* [email protected]
*Cc:* Fabrice Durand <[email protected]>
*Subject:* Re: [PacketFence-users] PacketFence (9.0.1) EAP-TLS Authentication Source
Hello Benjamin,
Can you run this command and try to reconnect?
raddebug -f /usr/local/pf/var/run/radiusd.sock -t 300
Then paste the result.
Regards
Fabrice
On 2019-07-23 at 10:29, Brenek, Benjamin via PacketFence-users wrote:
Hello All,
I have been stuck on the issue of getting EAP-TLS authentication
to work for a few days now and have not really been able to get
anywhere. Any help would be greatly appreciated in getting this setup.
I am testing with an Ethernet-connected Windows 10 laptop. The
laptop has a trusted root CA, along with a client cert signed by
the root CA. I have tested setting the laptop to EAP-TTLS on the
network interface.
Both the trusted Root CA and Client CA were issued by a server
named PFPKI-Dev.
Every time the device connects the following error is thrown:
(Note: This error for some reason does not show up in the Auditing
log, and I need to look at journalctl directly in order to see it.)
(229) Login incorrect (Home Server says so): [host/d4:be:d9:84:b0:8a] (from client pf port 50115 cli d4:be:d9:84:b0:8a)
[mac:d4:be:d9:84:b0:8a] Rejected user: host/d4:be:d9:84:b0:8a
(229) Login incorrect (Failed retrieving values required to evaluate condition): [host/d4:be:d9:84:b0:8a] (from client pf port 50115 cli d4:be:d9:84:b0:8a)
The authentication source is configured as follows:
[EAP-TLS_Test rule Test_Rule]
action0=set_role=employee
condition0=TLS-Cert-Issuer,contains,PFPKI-Dev
condition1=TLS-Client-Cert-Issuer,contains,PFPKI-Dev
match=any
class=authentication
action1=set_access_duration=1D
description=Test Rule
The connection profile is configured as follows:
[Wired]
unreg_on_acct_stop=enabled
locale=
filter=switch_group:Cisco2960
description=Wired authentication
autoregister=enabled
dot1x_unset_on_unmatch=enabled
sources=PFPKI-Dev
The switch that the laptop is connected to is a Cisco 2960S with
the following port configuration:
(VLAN 4 is the MAC detection VLAN)
interface GigabitEthernet1/0/15
description User/Phone Port
switchport access vlan 4
switchport mode access
switchport voice vlan 48
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication event fail action next-method
authentication order dot1x
authentication priority dot1x
authentication port-control auto
authentication periodic
authentication timer restart 10800
authentication timer reauthenticate 10800
snmp trap mac-notification change added
snmp trap mac-notification change removed
no snmp trap link-status
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 3
spanning-tree portfast
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
end
Thank you,
*Ben*
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)