Re: [PacketFence-users] Captive Portal Issues

Zacharry Williams via PacketFence-users Wed, 11 Mar 2020 09:58:27 -0700

Okay so this is the one from today. get's matched to the Ethernet profile
and denied.



Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) INFO:
[mac:00:24:d7:90:be:84] handling radius autz request: from switch_ip =>
(192.168.100.216), connection_type => Wireless-802.11-EAP,switch_mac =>
(c8:b5:ad:ce:43:7c), mac => [00:24:d7:90:be:84], port => 0, username =>
"host/ tacos -016.BluedogRV.lan" (pf::radius::authorize)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) INFO:
[mac:00:24:d7:90:be:84] is doing machine auth with account 'host/ tacos .
tacos.lan'. (pf::radius::authorize)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] instantiating new pf::role object (pf::role::new)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] instantiating new pf::access_filter::vlan
(pf::access_filter::new)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] No engine found for IsPhone
(pf::access_filter::test)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] Trying to match IP address to MAC
'00:24:d7:90:be:84' using SQL 'ip4log' table (pf::ip4log::mac2ip)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] Viewing an 'ip4log' table entry for the following
MAC address '00:24:d7:90:be:84' (pf::ip4log::_view_by_mac)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] Matched MAC '00:24:d7:90:be:84' to IP address
'192.168.50.119' using SQL 'ip4log' table (pf::ip4log::mac2ip)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] Memory configuration is not valid anymore for key
FilterEngine::Profile() in local cached_hash (pfconfig::cached::is_valid)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] Memory configuration is not valid anymore for key
config::Profiles() in local cached_hash (pfconfig::cached::is_valid)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) INFO:
[mac:00:24:d7:90:be:84] Instantiate profile Ethernet802.1x
(pf::Connection::ProfileFactory::_from_profile)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] instantiating new pf::Connection::Profile object
(pf::Connection::Profile::new)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] instantiating new pf::access_filter::vlan
(pf::access_filter::new)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] No engine found for AutoRegister
(pf::access_filter::test)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] Autoregistration set on profile Ethernet802.1x
(pf::role::shouldAutoRegister)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] instantiating new pf::access_filter::vlan
(pf::access_filter::new)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] No engine found for NodeInfoForAutoReg
(pf::access_filter::test)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] Memory configuration is not valid anymore for key
config::Profiles() in local cached_hash (pfconfig::cached::is_valid)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] Used realm tacos tacos.lan is associated to the
configured realm tacos.lan
(pf::config::util::get_realm_authentication_source)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) INFO:
[mac:00:24:d7:90:be:84] Found authentication source(s) : 'tacod1' for realm
' tacos.lan' (pf::config::util::filter_authentication_sources)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] EAP connection with a username "host/ tacos -016.
tacos .lan". Trying to match rules from authentication sources.
(pf::role::getNodeInfoForAutoReg)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) WARN:
[mac:00:24:d7:90:be:84] Use of uninitialized value in concatenation (.) or
string at /usr/local/pf/lib/pf/authentication.pm line 389.
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] Match called with parameters radius_request =>
HASH(0x55bbf87d1a00), rule_class => authentication, stripped_user_name => ,
SSID => , username => host/tacos-016. tacos .lan, realm => BluedogRV.lan,
context => radius, connection_type => Wireless-802.11-EAP
(pf::authentication::match2)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] Stripping username is enabled in this context
(radius). Will return a split username and realm.
(pf::config::util::strip_username_if_needed)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) INFO:
[mac:00:24:d7:90:be:84] Using sources tacos for matching
(pf::authentication::match2)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) INFO:
[mac:00:24:d7:90:be:84] LDAP testing connection (pf::LDAP::expire_if)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] cache get for namespace='Default',
key='ARRAY(0x55bbfd640658)', cache='RawMemory', time='0ms': HIT
(CHI::Driver::_log_get_result)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] [ tacos ] Using LDAP connection to 192.168.20.98
(pf::Authentication::Source::LDAPSource::_connect)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] [ tacos tacos ] Searching for
(|(sAMAccountName=host/ tacos -016. tacos .lan)(servicePrincipalName=host/
tacos -016. tacos .lan)), from DC= tacos ,DC=lan, with scope sub
(pf::Authentication::Source::LDAPSource::match_in_subclass)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] [ tacos tacos ] Found 1 results
(pf::Authentication::Source::LDAPSource::_match_in_subclass)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] [ tacos tacos ] Searching is_member filter
(|(member=CN= tacos -016,OU=Post Falls,OU= tacos Computers,DC= tacos
,DC=lan)(uniqueMember=CN= tacos -016,OU=Post Falls,OU= tacos Computers,DC=
tacos ,DC=lan)(memberUid=))
(pf::Authentication::Source::LDAPSource::_match_in_subclass)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] [ tacos Domain_Users] Searching for
(|(sAMAccountName=host/ tacos -016. tacos .lan)(servicePrincipalName=host/
tacos -016. tacos .lan)), from DC= tacos ,DC=lan, with scope sub
(pf::Authentication::Source::LDAPSource::match_in_subclass)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] [ tacos Domain_Users] Found 1 results
(pf::Authentication::Source::LDAPSource::_match_in_subclass)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] [ tacos Domain_Users] Searching is_member filter
(|(member=CN= tacos -016,OU=Post Falls,OU= tacos Computers,DC= tacos
,DC=lan)(uniqueMember=CN= tacos -016,OU=Post Falls,OU= tacos Computers,DC=
tacos ,DC=lan)(memberUid=))
(pf::Authentication::Source::LDAPSource::_match_in_subclass)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) WARN:
[mac:00:24:d7:90:be:84] No category computed for autoreg
(pf::role::getNodeInfoForAutoReg)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] [00:24:d7:90:be:84] auto-registering node
(pf::radius::authorize)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) WARN:
[mac:00:24:d7:90:be:84] No role specified or found for pid host/ tacos
-016.BluedogRV.lan (MAC 00:24:d7:90:be:84); assume maximum number of
registered nodes is reached (pf::node::is_max_reg_nodes_reached)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) ERROR:
[mac:00:24:d7:90:be:84] max nodes per pid met or exceeded - registration of
00:24:d7:90:be:84 to host/ tacos -016.BluedogRV.lan failed
(pf::registration::setup_node_for_registration)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) ERROR:
[mac:00:24:d7:90:be:84] auto-registration of node failed max nodes per pid
met or exceeded (pf::radius::authorize)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) ERROR:
[mac:00:24:d7:90:be:84] Database query failed with non retryable error:
Cannot add or update a child row: a foreign key constraint fails
(`pf`.`node`, CONSTRAINT `0_57` FOREIGN KEY (`tenant_id`, `pid`) REFERENCES
`person` (`tenant_id`, `pid`) ON DELETE CASCADE ON UPDATE CASCADE) (errno:
1452) [INSERT INTO `node` ( `autoreg`, `bandwidth_balance`,
`bypass_role_id`, `bypass_vlan`, `category_id`, `computername`,
`detect_date`, `device_class`, `device_manufacturer`, `device_score`,
`device_type`, `device_version`, `dhcp6_enterprise`, `dhcp6_fingerprint`,
`dhcp_fingerprint`, `dhcp_vendor`, `last_arp`, `last_dhcp`, `last_seen`,
`lastskip`, `mac`, `machine_account`, `notes`, `pid`, `regdate`,
`sessionid`, `status`, `tenant_id`, `time_balance`, `unregdate`,
`user_agent`, `voip`) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?,
?, ?, ?, NOW(), ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? ) ON DUPLICATE KEY
UPDATE `autoreg` = ?, `last_seen` = NOW(), `machine_account` = ?, `pid` =
?, `status` = ?, `tenant_id` = ?]{yes, NULL, NULL, NULL, NULL, NULL,
2020-03-11 08:53:16, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
0000-00-00 00:00:00, 0000-00-00 00:00:00, 0000-00-00 00:00:00,
00:24:d7:90:be:84, host/ tacos -016.BluedogRV.lan, NULL, host/ tacos
-016.BluedogRV.lan, 0000-00-00 00:00:00, NULL, reg, 1, NULL, 0000-00-00
00:00:00, NULL, no, yes, host/ tacos -016. tacos .lan, host/ tacos
-016.BluedogRV.lan, reg, 1} (pf::dal::db_execute)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] disconnecting db (pf::db::db_disconnect)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) ERROR:
[mac:00:24:d7:90:be:84] Cannot save 00:24:d7:90:be:84 error (500)
(pf::radius::authorize)

#
# Copyright (C) 2005-2019 Inverse inc.
#
# See the enclosed file COPYING for license information (GPL).
# If you did not receive this file, see
# http://www.fsf.org/licensing/licenses/gpl.html
[default]
sources=null

[Wire_noEAP]
locale=
filter=connection_type:Ethernet-NoEAP
autoregister=enabled

[Wireless_EAP]
filter_match_style=all
description=Wireless_EAP
sources=tacos-MachineAuth
filter=connection_type:Wireless-802.11-EAP,ssid:tacos
autoregister=enabled
redirecturl=https://www.tacos.com
logo=/common/Logo-horz.png

#
# Copyright (C) 2005-2019 Inverse inc.
#
# See the enclosed file COPYING for license information (GPL).
# If you did not receive this file, see
# http://www.fsf.org/licensing/licenses/gpl.html
[Ethernet802.1x]
filter=connection_type:Ethernet-EAP,connection_sub_type:MS-CHAP-V2
sources=BDRVDC1
unreg_on_acct_stop=enabled
autoregister=enabled

[Wireless_BYOD]
filter_match_style=all
description=Wireless_EAP
sources=BDRVDC1
filter=connection_type:Wireless-802.11-EAP,ssid:tacos-BYOD
autoregister=enabled
logo=/common/Logo-horz.png
redirecturl=https://www.tacos.com
#
# Copyright (C) 2005-2019 Inverse inc.
#
# See the enclosed file COPYING for license information (GPL).
# If you did not receive this file, see
# http://www.fsf.org/licensing/licenses/gpl.html
~
~
~
~
~
~
~

On Wed, Mar 11, 2020 at 8:48 AM Zacharry Williams <zachar...@gmail.com>
wrote:

> Yep I'm scrubbing them now. It's also matching clients connecting on
> wireless-eap to wired-eap
>
> On Tue, Mar 10, 2020, 4:53 PM Durand fabrice via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Hello,
>>
>> can you provide the packetfence.log file and the profiles.conf file ?
>>
>> Regards
>>
>> Fabrice
>>
>>
>> Le 20-03-10 à 15 h 19, Zacharry Williams via PacketFence-users a écrit :
>>
>> Hey all,
>>
>> Randomly it matched the correct connection profile, one time. Is this
>> like a 9.3 bug where connection profiles aren't being match?
>>
>> On Mon, Mar 9, 2020 at 3:06 PM Zacharry Williams <zachar...@gmail.com>
>> wrote:
>>
>>> Hey all,
>>>
>>> I've been working on setting up a guest LAN and a byod LAN for a few
>>> days now. When I use a PSK or AD Authentication it works fine, but the
>>> captive portal isn't working like I think it should be.
>>> I revisited the guide a few times to check and I don't think i'm missing
>>> any settings. I customized a captive portal with a logo and an acceptable
>>> use policy but every time I get the captive portal, I don't get the portal
>>> I customized but instead get the default one. It's like the default
>>> connection profile is matched first. I set the httpd.aaa.conf logging to
>>> debug but nothing shows up as to why it's picking that connection profile
>>> in packetfence.log. I'm using Aruba instants, and managing them through
>>> Aruba Central.
>>>
>>> Where are the logs to read into why it's picking that portal?
>>>
>>>
>>
>> _______________________________________________
>> PacketFence-users mailing 
>> listPacketFence-users@lists.sourceforge.nethttps://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>> _______________________________________________
>> PacketFence-users mailing list
>> PacketFence-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Captive Portal Issues

Reply via email to