We're trying to get down to having one open ssid, having people be dumped into
the registration vlan by default, sending them to the captive portal if not yet
registered, and then having packetfence put people in the correct vlans after
registering their node. So I have unrouted isolation and registration vlans
directly attached to packetfence/wlan controller and then the other vlans are
only attached to the wlan controller. I have a mac blacklist enabled on the wlan
controller to force it to do a RADIUS request to packetfence for
authentication. If I disable that I'm directed to the portal (no RADIUS
requests though, which is as it should be) so I know I'm on the correct vlan
and the nodes can see the packetfence server.
So, I connect to the wireless network. And I see the wlan controller send the
radius request with the mac address of the machine as the username and the mac
address as the password. But then I see packetfence send a reject message to
the wlan controller. When I look in the web interface under the RADIUS audit
log, all of the requests from nodes that are supposed to be mac based
authentication don't have anything in the mac address field or the
Calling-Station-Id field and you see the [mac:[undef]] in the packetfence.log.
My question is, should the fields be populated by the mac address when doing
mac auth or am I looking in the wrong direction? Is packetfence parsing the
RADIUS request incorrectly? Is there a way to do a rewrite and graft the
username into the mac address/calling-station-id field if that is the case? If
I do 802.1x auth, the mac address and calling-station-id fields are populated
correctly. I've included the packetfence and radius logs below.
RADIUS.LOG:
Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_sql (sql): Closing connection (0):
Hit idle_timeout, was idle for 383 seconds
Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_sql (sql): Closing connection (2):
Hit idle_timeout, was idle for 383 seconds
Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_sql (sql): Closing connection (1):
Hit idle_timeout, was idle for 383 seconds
Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_sql (sql): Opening additional
connection (3), 1 of 64 pending slots used
Dec 24 10:37:42 hsd-pf-1 auth[12979]: Need 2 more connections to reach min
connections (3)
Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_sql (sql): Opening additional
connection (4), 1 of 63 pending slots used
Dec 24 10:37:42 hsd-pf-1 auth[12979]: Adding client *REDACTED*
Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_rest (rest): Closing connection (0):
Hit idle_timeout, was idle for 383 seconds
Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_rest (rest): Closing connection (1):
Hit idle_timeout, was idle for 383 seconds
Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_rest (rest): Opening additional
connection (2), 1 of 64 pending slots used
Dec 24 10:37:42 hsd-pf-1 auth[12979]: (28) rest: ERROR: Server returned:
Dec 24 10:37:42 hsd-pf-1 auth[12979]: (28) rest: ERROR:
{"control:PacketFence-Authorization-Status":"allow","Reply-Message":"Authentication
failed on PacketFence"}
Dec 24 10:37:42 hsd-pf-1 auth[12979]: Need 2 more connections to reach min
connections (3)
Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_rest (rest): Opening additional
connection (3), 1 of 63 pending slots used
Dec 24 10:37:42 hsd-pf-1 auth[12979]: [mac:] Rejected user: a8:1d:16:7d:c8:11
Dec 24 10:37:42 hsd-pf-1 auth[12979]: (28) Rejected in post-auth:
[a8:1d:16:7d:c8:11] (from client *REDACTED* port 0)
Dec 24 10:37:42 hsd-pf-1 auth[12979]: (28) Login incorrect (rest: Server
returned:): [a8:1d:16:7d:c8:11] (from client *REDACTED* port 0)
PACKETFENCE.LOG
Dec 24 10:37:42 hsd-pf-1 packetfence_httpd.aaa: httpd.aaa(2339) WARN:
[mac:[undef]] Trying to match IP address with an invalid MAC address 'undef'
(pf::ip4log::mac2ip)
Dec 24 10:37:42 hsd-pf-1 packetfence_httpd.aaa: httpd.aaa(2339) INFO:
[mac:[undef]] Instantiate profile default
(pf::Connection::ProfileFactory::_from_profile)
Dec 24 10:37:42 hsd-pf-1 packetfence_httpd.aaa: httpd.aaa(2339) INFO:
[mac:[undef]] Found authentication source(s) : 'local,file1,LDAP-1' for realm
'null' (pf::config::util::filter_authentication_sources)
Dec 24 10:37:42 hsd-pf-1 packetfence_httpd.aaa: httpd.aaa(2339) INFO:
[mac:[undef]] LDAP testing connection (pf::LDAP::expire_if)
Dec 24 10:37:42 hsd-pf-1 packetfence_httpd.aaa: httpd.aaa(2339) WARN:
[mac:[undef]] [LDAP-1] No entries found (0) with filter (cn=a8:1d:16:7d:c8:11)
from o=*REDACTED* on *REDACTED*:636
(pf::Authentication::Source::LDAPSource::authenticate)
Dec 24 10:37:42 hsd-pf-1 packetfence_httpd.aaa: httpd.aaa(2339) INFO:
[mac:[undef]] User a8:1d:16:7d:c8:11 tried to login in 00:50:56:8f:b0:a6 but
authentication failed (pf::radius::switch_access)
Any pointers would be appreciated!
Thanks!
-Ryan
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
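A log triage check for the symptom described above: MAC-auth rejects in radius.log where the User-Name is a MAC address but the PacketFence mac field is empty, correlated with the matching "[mac:[undef]] ... tried to login in" line in packetfence.log to recover the NAS/AP MAC. This is an added example, not PacketFence code; the sample log lines are constructed from the shape of the excerpts in the post, and the regexes assume those exact line layouts.

```python
import re

MAC_RE = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"

# radius.log post-auth line: "[mac:<field>] Rejected user: <User-Name>"
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ auth\[\d+\]: "
    r"\[mac:(?P<mac>[^\]]*)\] Rejected user: (?P<user>\S+)$"
)
# packetfence.log line: "[mac:<field>] User <User-Name> tried to login in <NAS MAC> but ..."
PF_FAIL_RE = re.compile(
    r"\[mac:(?P<mac>\[undef\]|[^\]]*)\] User (?P<user>\S+) "
    r"tried to login in (?P<nas>\S+) but authentication failed"
)

# Constructed sample input modelled on the post's excerpts (the 00:11:22... line is a
# healthy MAC-auth reject, added to show the check ignores requests with a MAC field).
RADIUS_LOG = """\
Dec 24 10:37:42 hsd-pf-1 auth[12979]: (28) rest: ERROR: Server returned:
Dec 24 10:37:42 hsd-pf-1 auth[12979]: [mac:] Rejected user: a8:1d:16:7d:c8:11
Dec 24 10:37:42 hsd-pf-1 auth[12979]: (28) Rejected in post-auth: [a8:1d:16:7d:c8:11] (from client *REDACTED* port 0)
Dec 24 10:38:05 hsd-pf-1 auth[12979]: [mac:00:11:22:33:44:55] Rejected user: 00:11:22:33:44:55
"""
PF_LOG = """\
Dec 24 10:37:42 hsd-pf-1 packetfence_httpd.aaa: httpd.aaa(2339) WARN: [mac:[undef]] Trying to match IP address with an invalid MAC address 'undef' (pf::ip4log::mac2ip)
Dec 24 10:37:42 hsd-pf-1 packetfence_httpd.aaa: httpd.aaa(2339) INFO: [mac:[undef]] User a8:1d:16:7d:c8:11 tried to login in 00:50:56:8f:b0:a6 but authentication failed (pf::radius::switch_access)
"""

def mac_field_missing(field):
    """True when the PacketFence mac field carries no MAC (empty or the literal [undef])."""
    return field.strip() in ("", "[undef]")

def find_mac_auth_rejects(radius_log):
    """Rejects whose User-Name is a MAC (i.e. MAC auth) but where PacketFence saw no MAC."""
    findings = []
    for line in radius_log.splitlines():
        m = REJECT_RE.match(line)
        if m and re.fullmatch(MAC_RE, m["user"]) and mac_field_missing(m["mac"]):
            findings.append({"ts": m["ts"], "user": m["user"].lower()})
    return findings

def correlate(radius_log, pf_log):
    """Attach the NAS MAC from packetfence.log to each finding with the same User-Name."""
    nas_by_user = {}
    for line in pf_log.splitlines():
        m = PF_FAIL_RE.search(line)
        if m and mac_field_missing(m["mac"]):
            nas_by_user[m["user"].lower()] = m["nas"].lower()
    return [{**f, "nas": nas_by_user.get(f["user"])} for f in find_mac_auth_rejects(radius_log)]

if __name__ == "__main__":
    for f in correlate(RADIUS_LOG, PF_LOG):
        print(f"{f['ts']}: MAC-auth reject for {f['user']} via NAS {f['nas']} with empty mac field")
```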