Are you using the correct distinguished name of the group?

On Tue, Mar 10, 2020 at 2:04 PM Christian Sudec via PacketFence-users <[email protected]> wrote:

> Hi, here the logs:
>
> Mar 10 12:10:21 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] handling radius autz request: from switch_ip => (10.71.100.63), connection_type => Wireless-802.11-EAP,switch_mac => (b8:3a:5a:c1:8d:aa), mac => [02:de:ad:04:be:ef], port => 0, username => "Testy", ssid => htl-ar-ad (pf::radius::authorize)
> Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Instantiate profile 802.1x (pf::Connection::ProfileFactory::_from_profile)
> Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Found authentication source(s) : '' for realm 'null' (pf::config::util::filter_authentication_sources)
> Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN: [mac:02:de:ad:04:be:ef] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
> Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN: [mac:02:de:ad:04:be:ef] Switch type 'pf::Switch::Aruba' does not support MABFloatingDevices (pf::SwitchSupports::__ANON__)
> Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Found authentication source(s) : '' for realm 'null' (pf::config::util::filter_authentication_sources)
> Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
> Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN: [mac:02:de:ad:04:be:ef] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 483.
> Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
> Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
> Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] security_event 1300003 force-closed for 02:de:ad:04:be:ef (pf::security_event::security_event_force_close)
> Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Instantiate profile 802.1x (pf::Connection::ProfileFactory::_from_profile)
> Mar 10 12:10:21 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] handling radius autz request: from switch_ip => (10.71.100.63), connection_type => Wireless-802.11-EAP,switch_mac => (b8:3a:5a:c1:8d:aa), mac => [02:de:ad:04:be:ef], port => 0, username => "Testy", ssid => htl-ar-ad (pf::radius::authorize)
> Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Instantiate profile 802.1x (pf::Connection::ProfileFactory::_from_profile)
> Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Found authentication source(s) : '' for realm 'null' (pf::config::util::filter_authentication_sources)
> Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN: [mac:02:de:ad:04:be:ef] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
> Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN: [mac:02:de:ad:04:be:ef] Switch type 'pf::Switch::Aruba' does not support MABFloatingDevices (pf::SwitchSupports::__ANON__)
> Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Found authentication source(s) : '' for realm 'null' (pf::config::util::filter_authentication_sources)
> Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
> Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN: [mac:02:de:ad:04:be:ef] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 483.
> Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
> Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
> Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] security_event 1300003 force-closed for 02:de:ad:04:be:ef (pf::security_event::security_event_force_close)
> Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Instantiate profile 802.1x (pf::Connection::ProfileFactory::_from_profile)
> Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] handling radius autz request: from switch_ip => (10.71.100.63), connection_type => Wireless-802.11-EAP,switch_mac => (b8:3a:5a:c1:8d:aa), mac => [02:de:ad:04:be:ef], port => 0, username => "Testy", ssid => htl-ar-ad (pf::radius::authorize)
> Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Instantiate profile 802.1x (pf::Connection::ProfileFactory::_from_profile)
> Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Found authentication source(s) : '' for realm 'null' (pf::config::util::filter_authentication_sources)
> Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN: [mac:02:de:ad:04:be:ef] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
> Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN: [mac:02:de:ad:04:be:ef] Switch type 'pf::Switch::Aruba' does not support MABFloatingDevices (pf::SwitchSupports::__ANON__)
> Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] handling radius autz request: from switch_ip => (10.71.100.63), connection_type => Wireless-802.11-EAP,switch_mac => (b8:3a:5a:c1:8d:aa), mac => [02:de:ad:04:be:ef], port => 0, username => "Testy", ssid => htl-ar-ad (pf::radius::authorize)
> Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Instantiate profile 802.1x (pf::Connection::ProfileFactory::_from_profile)
> Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Found authentication source(s) : '' for realm 'null' (pf::config::util::filter_authentication_sources)
> Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN: [mac:02:de:ad:04:be:ef] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
> Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN: [mac:02:de:ad:04:be:ef] Switch type 'pf::Switch::Aruba' does not support MABFloatingDevices (pf::SwitchSupports::__ANON__)
> Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Found authentication source(s) : '' for realm 'null' (pf::config::util::filter_authentication_sources)
> Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
> Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN: [mac:02:de:ad:04:be:ef] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 483.
> Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
> Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
> Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN: [mac:02:de:ad:04:be:ef] Use of uninitialized value $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 608.
> Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN: [mac:02:de:ad:04:be:ef] Use of uninitialized value $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 611.
> Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN: [mac:02:de:ad:04:be:ef] No parameter Vlan found in conf/switches.conf for the switch 10.71.100.63 (pf::Switch::getVlanByName)
> Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] security_event 1300003 force-closed for 02:de:ad:04:be:ef (pf::security_event::security_event_force_close)
> Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Instantiate profile 802.1x (pf::Connection::ProfileFactory::_from_profile)
> Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Found authentication source(s) : '' for realm 'null' (pf::config::util::filter_authentication_sources)
> Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
> Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN: [mac:02:de:ad:04:be:ef] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 483.
> Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
> Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
> Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN: [mac:02:de:ad:04:be:ef] Use of uninitialized value $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 608.
> Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN: [mac:02:de:ad:04:be:ef] Use of uninitialized value $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 611.
> Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN: [mac:02:de:ad:04:be:ef] No parameter Vlan found in conf/switches.conf for the switch 10.71.100.63 (pf::Switch::getVlanByName)
> Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] security_event 1300003 force-closed for 02:de:ad:04:be:ef (pf::security_event::security_event_force_close)
> Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Instantiate profile 802.1x (pf::Connection::ProfileFactory::_from_profile)
>
> So, it looks like I don't get a role. I use the condition "memberOf equals CN=SpecificGroup, OU=Groups,CN=OURDOMAIN" in the authentication rules. How can I debug Active Directory group membership evaluation on packetfence?
>
> kind regards
>
> On 10.03.2020 16:09, Ludovic Zammit wrote:
> > Ok, so if you are doing 802.1x then most of the time you do auto-registration where you don't display the captive portal.
> >
> > In that case, your access would be computed on the fly. Do that and remove device info:
> >
> > grep MAC_ADDRESS /usr/local/pf/logs/packetfence.log
> >
> > My guess is that you don't match or get the VLAN for the proper role. Check for the auto register option on the connection profile.
> >
> > Thanks,
> > Ludovic Zammit
> > [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
> > Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
> >
> >> On Mar 10, 2020, at 11:04 AM, Christian Sudec <[email protected]> wrote:
> >>
> >> Hello Ludovic!
> >>
> >> On 10.03.2020 14:42, Ludovic Zammit wrote:
> >>> Hello Christian,
> >>>
> >>> Are you doing VLAN enforcement or Role enforcement ?
> >> We're doing only 'RADIUS Enforcement' as this is the requirement for 802.1x (both wireless and wired).
> >>
> >>> On Aruba you have to do one of them, not both at the same time.
> >> What do you mean? When doing 802.1x packetfence uses the username and password with its authentication rules to determine the role (eg. teacher/pupil), which is used in the switch-profile with "Role mapping by VLAN ID" to provide the correct VLAN (772/773).
> >>
> >>> How are you redirected on the captive portal ? By a radius request ?
> >> There is no captive portal, because no guests are allowed.
> >>
> >>> Once you get authenticated PF sends a radius disconnect message to the AP to kick your Mac address out for the client to reconnect immediately and get the production vlan/role
> >> That's my question: there is no Tunnel-Private-Group-ID and no disconnect message. How and where do I set/debug these?
> >>
> >>> Check the logs/packetfence.log for your Mac address the activity and see if you can find any error.
> >> Nothing useful (at least for me) in there:
> >> Mar 10 12:10:22 ippf auth[1659]: (14606) Login OK: [Testy] (from client 10.71.100.63/32 port 0 cli bc:d1:d3:31:13:78 via TLS tunnel)
> >> Mar 10 12:10:22 ippf auth[1659]: [mac:bc:d1:d3:31:13:78] Accepted user: Testy and returned VLAN
> >> Mar 10 12:10:22 ippf auth[1659]: (14607) Login OK: [Testy] (from client 10.71.100.63/32 port 0 cli bc:d1:d3:31:13:78)
> >>
> >> As you can see: returned VLAN - but I don't get one...
> >>
> >> kind regards
> >>>
> >>> Thanks,
> >>> Ludovic Zammit
> >>> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
> >>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
> >>>
> >>>> On Mar 10, 2020, at 8:00 AM, Christian Sudec via PacketFence-users <[email protected]> wrote:
> >>>>
> >>>> Hi everybody!
> >>>>
> >>>> First the current situation so far:
> >>>>
> >>>> We installed a test-network, where the packetfence-server is reachable with an ip 10.5.1.4 (type management) and set 'RADIUS enforcement' as chosen method.
> >>>>
> >>>> Next we installed a Mikrotik-Switch (POE) with 4 VLANS (771-774) and attached an Aruba-AP to a trunk port with the mentioned VLANs. The default VLAN is 771 and the AP gets an IP and can connect to the pf-server.
> >>>>
> >>>> Now we created an authentication-source to our AD and created a switch-template for the AP. There are two roles based on AD-group-membership: teachers (VID 772) and pupils (VID 773) - set in the switch profile under 'Role mapping by VLAN ID'.
> >>>>
> >>>> As far as it was possible, we set up the AP according to the packetfence device configuration guide, because the guide refers to ArubaOS 5.x, but we are already at 8.6.0.2.
> >>>>
> >>>> Now we are stuck: everybody can login with an ad-username (and password), but the user doesn't get transferred to the correct vlan and stays in the default. In 'Auditing' I can see at 'Node Information' the Role N/A and there is no Tunnel-Private-Group-ID in the RADIUS Reply.
> >>>>
> >>>> Can somebody enlighten me on what to check or what to set / how to debug?
> >>>>
> >>>> kind regards
> >>>> Chris
> >>>>
> >>>> _______________________________________________
> >>>> PacketFence-users mailing list
> >>>> [email protected]
> >>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
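One way to check a "memberOf equals <DN>" rule value locally before blaming the rule engine, as an added example that is not PacketFence code: it normalizes DNs the way Active Directory compares them (case-insensitive, whitespace around separators ignored), compares the rule value against the memberOf values returned for a test user, and flags the two things that stand out in the quoted condition, the missing DC= domain suffix and the space after a comma. The sample memberOf values and the domain suffix are constructed; whether PacketFence itself strips whitespace is not established by this thread, so the check reports it as a warning rather than assuming either way.

```python
"""Check a 'memberOf equals <DN>' rule value against the memberOf values a
directory returns for a test user.  Added example, not PacketFence code.
Assumes AD matching rules (case-insensitive, whitespace around ',' and '='
ignored) and no escaped commas inside RDN values."""
import re


def parse_dn(dn):
    """Split a DN into normalized (attribute, value) pairs, leftmost first."""
    parts = []
    for rdn in re.split(r"\s*,\s*", dn.strip()):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        attr, value = rdn.split("=", 1)
        parts.append((attr.strip().lower(), value.strip().lower()))
    return parts


def dn_equal(a, b):
    """True when two DNs name the same object under AD matching rules."""
    return parse_dn(a) == parse_dn(b)


def lint_group_dn(dn):
    """Warnings about a hand-typed group DN; an empty list means it looks sane."""
    warnings = []
    parts = parse_dn(dn)
    if parts[0][0] != "cn":
        warnings.append("group DN should start with CN=<group name>")
    if not any(attr == "dc" for attr, _ in parts):
        warnings.append("no DC= components: AD DNs end in the domain as "
                        "DC=example,DC=com, not CN=<domain>")
    if re.search(r"\s[,=]|[,=]\s", dn):
        warnings.append("whitespace around ',' or '=': remove it, an exact "
                        "string comparison will not strip it")
    return warnings


def check_membership(configured_dn, member_of_values):
    """Return (matched, warnings) for one user's memberOf attribute values."""
    matched = any(dn_equal(configured_dn, m) for m in member_of_values)
    return matched, lint_group_dn(configured_dn)


# Constructed sample of what 'ldapsearch ... memberOf' could return for a
# test user; the domain suffix is a placeholder, not the thread's real one.
SAMPLE_MEMBER_OF = [
    "CN=SpecificGroup,OU=Groups,DC=ourdomain,DC=local",
    "CN=Domain Users,CN=Users,DC=ourdomain,DC=local",
]

if __name__ == "__main__":
    for rule in ("CN=SpecificGroup, OU=Groups,CN=OURDOMAIN",
                 "cn=SpecificGroup,ou=Groups,dc=OURDOMAIN,dc=local"):
        ok, warns = check_membership(rule, SAMPLE_MEMBER_OF)
        print(f"{rule!r}: {'match' if ok else 'NO MATCH'} {warns}")
```

Run it with the memberOf values from an ldapsearch against the test user; a NO MATCH with warnings points at the rule value, a clean match points at the rest of the role-to-VLAN chain.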
