Any idea? Sorry if I push it, but I'm still stuck and I have no idea why it's not working properly.
Adrian

From: "packetfence-users" <packetfence-users@lists.sourceforge.net>
To: "packetfence-users" <packetfence-users@lists.sourceforge.net>
Cc: "ADE" <adrian.dessai...@novasys.coop>
Sent: Wednesday 23 October 2019 14:57:16
Subject: [PacketFence-users] Role not assigned after authentication

Hi everyone

I have some issues and I don't know where they come from. I need PF to assign roles to the authenticated node so it can set the correct VLAN. However, after being authenticated (success), the node still doesn't have any roles. I've followed the PF documentation and my personal one.

Here is my configuration:

IPs:
* AD: 192.168.100.200
* PF: 192.168.100.201
* Cisco Switch: 192.168.100.250

Authentication Source:
* Name: SourceAD_PC
* Description: Active Directory for Employees
* Host: 192.168.100.200:389 without SSL/TLS
* Base DN: CN=Computers,DC=novasys,DC=local
* Scope: One-level
* Username Attribute: servicePrincipalName
* Bind DN: CN=pfadmin,OU=Utilisateurs,OU=Maquette,DC=novasys,DC=local
* Password: password

Authentication rules:
* Name: PC
* Description: Auth_PC
* Condition: Any
* Set the following actions:
  * Set role PC
  * Access Duration 1h

Connection profile:
* Profile Name: 8021x
* Profile Description: 802.1X Connection
* Enable profile: checked
* Automatically register devices: checked
* Filters: If any
  * Connection Type: Ethernet-EAP
* Sources: SourceAD_PC

Switches:
* 192.168.100.250
  * Description: Cisco
  * Type: Cisco Catalyst 2960
  * Mode: Production
  * Deauth method: RADIUS
  * Role by VLAN ID: Checked
    * Registration: 10
    * Isolation: 20
    * default: 1
    * PC: 50
  * RADIUS_Key: pf_secret

Cisco Configuration:

aaa new-model
aaa group server radius packetfence
 server 192.168.100.201 auth-port 1812 acct-port 1813
aaa authentication dot1x default group packetfence
aaa authorization exec default if-authenticated
aaa authorization network default group packetfence
aaa authorization network exec group radius if-authenticated
aaa session-id common

interface FastEthernet0/11
 switchport mode access
 authentication order dot1x
 authentication port-control auto
 authentication periodic
 authentication timer restart 10800
 authentication timer reauthenticate 10800
 no snmp trap link-status
 dot1x pae authenticator
 spanning-tree portfast

snmp-server community public RO
snmp-server community private RW
radius-server host 192.168.100.201 auth-port 1812 acct-port 1813 key pf_secret

vlan 10
 name registration
vlan 20
 name isolation
vlan 50
 name production

And my packetfence.log:

Oct 21 19:25:37 packetfence packetfence_httpd.aaa: httpd.aaa(3658) INFO: [mac:c8:d9:d2:ec:65:2d] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
Oct 21 19:25:37 packetfence packetfence_httpd.aaa: httpd.aaa(3658) INFO: [mac:c8:d9:d2:ec:65:2d] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Oct 21 19:25:37 packetfence packetfence_httpd.aaa: httpd.aaa(3658) WARN: [mac:c8:d9:d2:ec:65:2d] Use of uninitialized value $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 800. (pf::Switch::getVlanByName)
Oct 21 19:25:37 packetfence packetfence_httpd.aaa: httpd.aaa(3658) WARN: [mac:c8:d9:d2:ec:65:2d] Use of uninitialized value $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 803. (pf::Switch::getVlanByName)
Oct 21 19:25:37 packetfence packetfence_httpd.aaa: httpd.aaa(3658) WARN: [mac:c8:d9:d2:ec:65:2d] No parameter Vlan found in conf/switches.conf for the switch 192.168.100.250 (pf::Switch::getVlanByName)
Oct 21 19:25:37 packetfence packetfence_httpd.aaa: httpd.aaa(3658) WARN: [mac:c8:d9:d2:ec:65:2d] Use of uninitialized value $roleName in hash element at /usr/local/pf/lib/pf/Switch.pm line 783. (pf::Switch::getRoleByName)
Oct 21 19:25:37 packetfence packetfence_httpd.aaa: httpd.aaa(3658) WARN: [mac:c8:d9:d2:ec:65:2d] Use of uninitialized value $roleName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 786. (pf::Switch::getRoleByName)
Oct 21 19:25:37 packetfence packetfence_httpd.aaa: httpd.aaa(3658) INFO: [mac:c8:d9:d2:ec:65:2d] security_event 1300003 force-closed for c8:d9:d2:ec:65:2d (pf::security_event::security_event_force_close)
Oct 21 19:25:37 packetfence packetfence_httpd.aaa: httpd.aaa(3658) INFO: [mac:c8:d9:d2:ec:65:2d] Instantiate profile 8021X (pf::Connection::ProfileFactory::_from_profile)
Oct 21 19:26:01 packetfence packetfence: INFO -e(17393): generating /usr/local/pf/var/conf/ssl-certificates.conf (pf::services::manager::httpd::generateCommonConfig)
Oct 21 19:26:01 packetfence packetfence: INFO -e(17393): generating /usr/local/pf/var/conf/captive-portal-common (pf::services::manager::httpd::generateCommonConfig)
Oct 21 19:26:01 packetfence packetfence: INFO -e(17392): generating /usr/local/pf/var/conf/ssl-certificates.conf (pf::services::manager::httpd::generateCommonConfig)
Oct 21 19:26:01 packetfence packetfence: INFO -e(17392): generating /usr/local/pf/var/conf/captive-portal-common (pf::services::manager::httpd::generateCommonConfig)
Oct 21 19:27:56 packetfence packetfence_httpd.aaa: httpd.aaa(3658) INFO: [mac:c8:d9:d2:ec:65:2d] handling radius autz request: from switch_ip => (192.168.100.250), connection_type => Ethernet-EAP,switch_mac => (00:17:94:a4:89:0b), mac => [c8:d9:d2:ec:65:2d], port => 10011, username => "host/PC-Test.novasys.local" (pf::radius::authorize)
Oct 21 19:27:56 packetfence packetfence_httpd.aaa: httpd.aaa(3658) INFO: [mac:c8:d9:d2:ec:65:2d] is doing machine auth with account 'host/PC-Test.novasys.local'. (pf::radius::authorize)
Oct 21 19:27:56 packetfence packetfence_httpd.aaa: httpd.aaa(3658) INFO: [mac:c8:d9:d2:ec:65:2d] Instantiate profile 8021X (pf::Connection::ProfileFactory::_from_profile)
Oct 21 19:27:56 packetfence packetfence_httpd.aaa: httpd.aaa(3658) INFO: [mac:c8:d9:d2:ec:65:2d] Found authentication source(s) : '' for realm 'novasys.local' (pf::config::util::filter_authentication_sources)
Oct 21 19:27:56 packetfence packetfence_httpd.aaa: httpd.aaa(3658) WARN: [mac:c8:d9:d2:ec:65:2d] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
Oct 21 19:27:56 packetfence packetfence_httpd.aaa: httpd.aaa(3658) INFO: [mac:c8:d9:d2:ec:65:2d] Found authentication source(s) : '' for realm 'novasys.local' (pf::config::util::filter_authentication_sources)
Oct 21 19:27:56 packetfence packetfence_httpd.aaa: httpd.aaa(3658) INFO: [mac:c8:d9:d2:ec:65:2d] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
Oct 21 19:27:56 packetfence packetfence_httpd.aaa: httpd.aaa(3658) WARN: [mac:c8:d9:d2:ec:65:2d] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 478. (pf::role::getRegisteredRole)
Oct 21 19:27:56 packetfence packetfence_httpd.aaa: httpd.aaa(3658) INFO: [mac:c8:d9:d2:ec:65:2d] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
Oct 21 19:27:56 packetfence packetfence_httpd.aaa: httpd.aaa(3658) INFO: [mac:c8:d9:d2:ec:65:2d] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Oct 21 19:27:56 packetfence packetfence_httpd.aaa: httpd.aaa(3658) WARN: [mac:c8:d9:d2:ec:65:2d] Use of uninitialized value $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 800. (pf::Switch::getVlanByName)
Oct 21 19:27:56 packetfence packetfence_httpd.aaa: httpd.aaa(3658) WARN: [mac:c8:d9:d2:ec:65:2d] Use of uninitialized value $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 803. (pf::Switch::getVlanByName)
Oct 21 19:27:56 packetfence packetfence_httpd.aaa: httpd.aaa(3658) WARN: [mac:c8:d9:d2:ec:65:2d] No parameter Vlan found in conf/switches.conf for the switch 192.168.100.250 (pf::Switch::getVlanByName)
Oct 21 19:27:56 packetfence packetfence_httpd.aaa: httpd.aaa(3658) WARN: [mac:c8:d9:d2:ec:65:2d] Use of uninitialized value $roleName in hash element at /usr/local/pf/lib/pf/Switch.pm line 783. (pf::Switch::getRoleByName)
Oct 21 19:27:56 packetfence packetfence_httpd.aaa: httpd.aaa(3658) WARN: [mac:c8:d9:d2:ec:65:2d] Use of uninitialized value $roleName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 786. (pf::Switch::getRoleByName)

I don't know what's wrong. I've already done a setup like this one but in 8.3.0 (I don't think there is a difference here) and I followed the same configuration. If anything more is needed I can give it.

Best regards,
Adrian.

--
Adrian Dessaigne
Systems and Network Technician
https://www.novasys.coop/
02 57 65 00 60 - 49 rue Robespierre 29200 BREST
Head office: 5 rue de Kermadiou 29600 MORLAIX
NOVASYS uses the LibreOffice office suite, which can be downloaded freely and free of charge from https://fr.libreoffice.org/

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
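A log triage helper for the packetfence.log excerpt in the message above (an added example, not part of the original message and not PacketFence code): it groups log lines by MAC address and flags the three symptoms visible in the excerpt, namely an empty authentication-source match for the realm, no category computed at auto-registration, and an undefined VLAN/role result. The function name `triage`, the regular expressions and the embedded sample lines are assumptions constructed from the log format shown in the message.

```python
import re

# Constructed sample: four lines in the format of the packetfence.log excerpt.
_P = "Oct 21 19:27:56 packetfence packetfence_httpd.aaa: httpd.aaa(3658) "
_M = "[mac:c8:d9:d2:ec:65:2d] "
SAMPLE_LOG = "\n".join([
    _P + "INFO: " + _M + 'handling radius autz request: from switch_ip => (192.168.100.250), '
    'connection_type => Ethernet-EAP, username => "host/PC-Test.novasys.local" (pf::radius::authorize)',
    _P + "INFO: " + _M + "Found authentication source(s) : '' for realm 'novasys.local' "
    "(pf::config::util::filter_authentication_sources)",
    _P + "WARN: " + _M + "No category computed for autoreg (pf::role::getNodeInfoForAutoReg)",
    _P + "INFO: " + _M + 'PID: "default", Status: reg Returned VLAN: (undefined), '
    "Role: (undefined) (pf::role::fetchRoleForNode)",
])

PREFIX = re.compile(r"(INFO|WARN|ERROR): \[mac:([0-9a-f:]{17})\] (.*)$")
USERNAME = re.compile(r'username => "([^"]*)"')
SOURCES = re.compile(r"Found authentication source\(s\) : '([^']*)' for realm '([^']*)'")
RESULT = re.compile(r"Returned VLAN: (.*?), Role: (\S+)")

def _flag(node, text):
    """Record a finding once, even if the same log line repeats."""
    if text not in node["findings"]:
        node["findings"].append(text)

def triage(log_text):
    """Return {mac: summary} with the fields and findings seen for each node."""
    nodes = {}
    for line in log_text.splitlines():
        m = PREFIX.search(line)
        if not m:
            continue  # lines without a [mac:...] tag are not per-node events
        _level, mac, msg = m.groups()
        node = nodes.setdefault(mac, {"username": None, "realm": None, "sources": None,
                                      "vlan": None, "role": None, "findings": []})
        if (u := USERNAME.search(msg)):
            node["username"] = u.group(1)
        if (s := SOURCES.search(msg)):
            node["sources"], node["realm"] = s.groups()
            if not node["sources"].strip():
                _flag(node, f"no authentication source matched realm '{node['realm']}'")
        if "No category computed for autoreg" in msg:
            _flag(node, "no category computed for autoreg")
        if (r := RESULT.search(msg)):
            node["vlan"], node["role"] = r.groups()
            if "(undefined)" in (node["vlan"], node["role"]):
                _flag(node, "authorization returned an undefined VLAN or role")
    return nodes
```

Calling `triage(open("/usr/local/pf/logs/packetfence.log").read())` on a real log gives the same per-MAC summary; that path is an assumption about where the log lives on the server.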