Hi, I'm new to PacketFence but have been using 802.1X with NPS / FreeRADIUS for a
long time. PacketFence's wide feature set and nice GUI caught my eye, but I got stuck
right away...
In short, authentication towards AD works fine and the acceptance is passed, BUT
roles are not.
That said, the connection policy is set to Ethernet-EAP and NoEAP with AD as the
source and auto-register devices. The device being used gets registered with
a "none" role, which is then also "applied" to the user, meaning no VLAN or ACL
is passed to the switch. If I change the device role, the authenticated user
gets that role too.
PacketFence log says:
Feb 25 03:05:33 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(45170) INFO: [mac:c4:65:16:9e:b4:e6] handling radius autz request: from switch_ip => (10.0.20.2), connection_type => Ethernet-NoEAP,switch_mac => (38:21:c7:4e:d1:22), mac => [c4:65:16:9e:b4:e6], port => 12, username => "vemab\dkdata" (pf::radius::authorize)
Feb 25 03:05:33 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(45170) INFO: [mac:c4:65:16:9e:b4:e6] Instantiate profile LAN (pf::Connection::ProfileFactory::_from_profile)
Feb 25 03:05:33 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(45170) INFO: [mac:c4:65:16:9e:b4:e6] Found authentication source(s) : 'VEMAB_AD' for realm 'default' (pf::config::util::filter_authentication_sources)
Feb 25 03:05:33 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(45170) WARN: [mac:c4:65:16:9e:b4:e6] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
Feb 25 03:05:33 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(45170) WARN: [mac:c4:65:16:9e:b4:e6] Switch type 'pf::Switch::Aruba::2930M' does not support MABFloatingDevices (pf::SwitchSupports::__ANON__)
Feb 25 03:05:33 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(45170) INFO: [mac:c4:65:16:9e:b4:e6] Found authentication source(s) : 'VEMAB_AD' for realm 'default' (pf::config::util::filter_authentication_sources)
Feb 25 03:05:33 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(45170) INFO: [mac:c4:65:16:9e:b4:e6] Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole)
Feb 25 03:05:33 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(45170) WARN: [mac:c4:65:16:9e:b4:e6] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 483. (pf::role::getRegisteredRole)
Feb 25 03:05:33 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(45170) INFO: [mac:c4:65:16:9e:b4:e6] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
Feb 25 03:05:33 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(45170) INFO: [mac:c4:65:16:9e:b4:e6] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Feb 25 03:05:33 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(45170) WARN: [mac:c4:65:16:9e:b4:e6] Use of uninitialized value $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 608. (pf::Switch::getVlanByName)
Feb 25 03:03:33 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(45170) WARN: [mac:c4:65:16:9e:b4:e6] Use of uninitialized value $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 611. (pf::Switch::getVlanByName)
Sum: Username was NOT defined or unable to match a role
RADIUS log:
Feb 25 03:05:33 RADIUS-1 auth[46782]: rlm_rest (rest): Opening additional connection (6), 1 of 61 pending slots used
Feb 25 03:05:33 RADIUS-1 auth[46782]: [mac:c4:65:16:9e:b4:e6] Accepted user: and returned VLAN
Feb 25 03:05:33 RADIUS-1 auth[46782]: (40) Login OK: [vemab\dkdata] (from client 10.0.20.2/32 port 12 cli c4:65:16:9e:b4:e6)
Sum: no VLAN passed
While pftest says:
Testing authentication for "dkdata"
Authenticating against 'local' in context 'admin'
Authentication FAILED against local (Invalid login or password)
Did not match against local for 'authentication' rules
Did not match against local for 'administration' rules
Authenticating against 'local' in context 'portal'
Authentication FAILED against local (Invalid login or password)
Did not match against local for 'authentication' rules
Did not match against local for 'administration' rules
Authenticating against 'file1' in context 'admin'
Authentication FAILED against file1 (Invalid login or password)
Did not match against file1 for 'authentication' rules
Did not match against file1 for 'administration' rules
Authenticating against 'file1' in context 'portal'
Authentication FAILED against file1 (Invalid login or password)
Did not match against file1 for 'authentication' rules
Did not match against file1 for 'administration' rules
Authenticating against 'sms' in context 'admin'
Authentication FAILED against sms (Invalid login or password)
Matched against sms for 'authentication' rule catchall
set_role : guest
set_access_duration : 1D
Did not match against sms for 'administration' rules
Authenticating against 'sms' in context 'portal'
Authentication FAILED against sms (Invalid login or password)
Matched against sms for 'authentication' rule catchall
set_role : guest
set_access_duration : 1D
Did not match against sms for 'administration' rules
Authenticating against 'email' in context 'admin'
Authentication SUCCEEDED against email ()
Matched against email for 'authentication' rule catchall
set_role : guest
set_access_duration : 1D
Did not match against email for 'administration' rules
Authenticating against 'email' in context 'portal'
Authentication SUCCEEDED against email ()
Matched against email for 'authentication' rule catchall
set_role : guest
set_access_duration : 1D
Did not match against email for 'administration' rules
Authenticating against 'sponsor' in context 'admin'
Authentication SUCCEEDED against sponsor ()
Matched against sponsor for 'authentication' rule catchall
set_role : guest
set_access_duration : 1D
Did not match against sponsor for 'administration' rules
Authenticating against 'sponsor' in context 'portal'
Authentication SUCCEEDED against sponsor ()
Matched against sponsor for 'authentication' rule catchall
set_role : guest
set_access_duration : 1D
Did not match against sponsor for 'administration' rules
Authenticating against 'null' in context 'admin'
Authentication SUCCEEDED against null ()
Matched against null for 'authentication' rule catchall
set_role : guest
set_access_duration : 1D
Did not match against null for 'administration' rules
Authenticating against 'null' in context 'portal'
Authentication SUCCEEDED against null ()
Matched against null for 'authentication' rule catchall
set_role : guest
set_access_duration : 1D
Did not match against null for 'administration' rules
Authenticating against 'VEMAB_AD' in context 'admin'
Authentication SUCCEEDED against VEMAB_AD (Authentication successful.)
Matched against VEMAB_AD for 'authentication' rule ADMIN
set_role : MGMT
set_access_duration : 3h
Did not match against VEMAB_AD for 'administration' rules
Authenticating against 'VEMAB_AD' in context 'portal'
Authentication SUCCEEDED against VEMAB_AD (Authentication successful.)
Matched against VEMAB_AD for 'authentication' rule ADMIN
set_role : MGMT
set_access_duration : 3h
Did not match against VEMAB_AD for 'administration' rules
In other words, it should return role MGMT, which is VLAN 10 according to the test.
I put lots of hours into this yesterday; it's probably a very simple error... Switch
config is this:
[10.0.20.2]
description=CORE-1
type=Aruba::2930M
USERVlan=30
radiusSecret=*********
MGMTVlan=10
deauthMethod=RADIUS
MGMT_ISOLATIONVlan=11
guestVlan=31
defaultVlan=30
What am I missing?
BR,
Anton.
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
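Added example (not from the thread, and not PacketFence code): a small Python parser for the httpd.aaa lines quoted above. Per MAC it pulls out the switch IP, connection type, username, where the role was read from, and the returned role/VLAN, then turns that into findings matching what the post shows (role undefined, so the switch gets no VLAN). The line-layout regexes are inferred from the quoted output rather than from PacketFence's own log format, the sample lines are constructed from the post, and the finding texts are my wording, not PacketFence messages.

```python
"""Parse PacketFence httpd.aaa log lines and flag RADIUS authorizations that
ended without a role.  Added example for this thread; it is not PacketFence
code.  The line layout it expects (regexes below) is inferred from the log
output quoted in the post, not from PacketFence's own log format definition."""
import re
from collections import defaultdict

# Constructed sample: the post's httpd.aaa entries, one entry per line.
SAMPLE_LOG = """\
Feb 25 03:05:33 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(45170) INFO: [mac:c4:65:16:9e:b4:e6] handling radius autz request: from switch_ip => (10.0.20.2), connection_type => Ethernet-NoEAP,switch_mac => (38:21:c7:4e:d1:22), mac => [c4:65:16:9e:b4:e6], port => 12, username => "vemab\\dkdata" (pf::radius::authorize)
Feb 25 03:05:33 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(45170) INFO: [mac:c4:65:16:9e:b4:e6] Found authentication source(s) : 'VEMAB_AD' for realm 'default' (pf::config::util::filter_authentication_sources)
Feb 25 03:05:33 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(45170) WARN: [mac:c4:65:16:9e:b4:e6] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
Feb 25 03:05:33 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(45170) INFO: [mac:c4:65:16:9e:b4:e6] Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole)
Feb 25 03:05:33 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(45170) INFO: [mac:c4:65:16:9e:b4:e6] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
"""

# One httpd.aaa entry: timestamp, host, process, pid, level, [mac:..], message, (pf::function)
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<proc>\S+): \S+\((?P<pid>\d+)\) '
    r'(?P<level>[A-Z]+): \[mac:(?P<mac>[0-9a-f:]{17})\] (?P<msg>.*?) \((?P<func>pf::[\w:]+)\)$'
)
# Fields of the "handling radius autz request" message
AUTZ_RE = re.compile(
    r'switch_ip => \((?P<switch_ip>[^)]*)\), connection_type => (?P<ctype>[\w-]+),'
    r'.*?port => (?P<port>\d+), username => "(?P<user>[^"]*)"'
)
# Outcome line from pf::role::fetchRoleForNode
ROLE_RE = re.compile(r'Returned VLAN: \((?P<vlan>[^)]*)\), Role: \((?P<role>[^)]*)\)')


def parse_line(line):
    """Return the fields of one httpd.aaa line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def summarize(log_text):
    """Group parsed lines per MAC into one authorization summary each."""
    empty = lambda: {"switch_ip": None, "connection_type": None, "port": None,
                     "username": None, "role_source": None, "vlan": None,
                     "role": None, "warnings": []}
    sessions = defaultdict(empty)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        s = sessions[rec["mac"]]
        if rec["level"] == "WARN":
            s["warnings"].append(rec["func"])          # remember which code path warned
        m = AUTZ_RE.search(rec["msg"])
        if m:
            s.update(switch_ip=m["switch_ip"], connection_type=m["ctype"],
                     port=m["port"], username=m["user"])
        if rec["func"] == "pf::role::getRegisteredRole" and "node_info" in rec["msg"]:
            s["role_source"] = "node_info"             # role taken from the node record
        m = ROLE_RE.search(rec["msg"])
        if m:
            s["vlan"], s["role"] = m["vlan"], m["role"]
    return dict(sessions)


def diagnose(session):
    """Turn one summary into findings; the wording is mine, not PacketFence's."""
    findings = []
    if session["role"] in (None, "", "undefined"):
        findings.append("no role returned, so no VLAN/ACL reaches the switch")
    if session["role_source"] == "node_info":
        findings.append("role was read from the node record (MAC-AUTH path), "
                        "not from the authentication source rules")
    if "pf::role::getNodeInfoForAutoReg" in session["warnings"]:
        findings.append("auto-registration computed no category, so the node "
                        "record carries no role to hand out")
    if session["connection_type"] == "Ethernet-NoEAP" and session["username"]:
        findings.append("connection classified as Ethernet-NoEAP although a "
                        "username was supplied; on this path the log shows the "
                        "role being taken from node_info")
    return findings


if __name__ == "__main__":
    for mac, session in summarize(SAMPLE_LOG).items():
        print(mac, session["username"], session["connection_type"], "->",
              "role", session["role"], "vlan", session["vlan"])
        for finding in diagnose(session):
            print("  -", finding)
```

Running it on the constructed sample reports all four findings for c4:65:16:9e:b4:e6; on a healthy authorization the fetchRoleForNode line carries a real role and VLAN and the list comes back empty, which makes the function usable as a quick filter over a larger log.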