Hi Zachary!
IT WORKED! I hope Ludovic reads this post too, so he can pinpoint the cause of this and why it changed from 9.2 to 9.3. As far as I can see in my configs, both login variants (with or without leading/appended DOMAIN) should work...
Many thanks - I hadn't thought of that simple maneuver! For the time being we can work with that, but in the distribution phase of our new WLAN it will be difficult for normal users to log in. They already have to remember a username and a password, and now the domain too ;-)
Regards
Chris
On 11.03.2020 15:11, Zacharry Williams wrote:
Also I had this issue when I went to 9.3 where I had to start using DOMAIN\username or [email protected]
On Wed, Mar 11, 2020, 7:08 AM Zacharry Williams <[email protected]> wrote:
Double check your switch config. Are you assigning vlanid by role?
On Wed, Mar 11, 2020, 2:20 AM C. Sudec (Admin) <[email protected]> wrote:
Hi Zachary!
Yes, because pftest in shell works and assigns the correct
role....
greets
Chris
________________________________________
From: Zacharry Williams [[email protected]]
Sent: Tuesday, 10 March 2020 22:10
To: [email protected]
Cc: Ludovic Zammit; C. Sudec (Admin)
Subject: Re: [PacketFence-users] Aruba AP and VLAN Mapping
Are you using the correct distinguished name of the group?
On Tue, Mar 10, 2020 at 2:04 PM Christian Sudec via PacketFence-users <[email protected]> wrote:
Hi, here the logs:
Mar 10 12:10:21 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] handling radius autz request: from switch_ip => (10.71.100.63), connection_type => Wireless-802.11-EAP,switch_mac => (b8:3a:5a:c1:8d:aa), mac => [02:de:ad:04:be:ef], port => 0, username => "Testy", ssid => htl-ar-ad (pf::radius::authorize)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Instantiate profile 802.1x (pf::Connection::ProfileFactory::_from_profile)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Found authentication source(s) : '' for realm 'null' (pf::config::util::filter_authentication_sources)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN: [mac:02:de:ad:04:be:ef] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN: [mac:02:de:ad:04:be:ef] Switch type 'pf::Switch::Aruba' does not support MABFloatingDevices (pf::SwitchSupports::__ANON__)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Found authentication source(s) : '' for realm 'null' (pf::config::util::filter_authentication_sources)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN: [mac:02:de:ad:04:be:ef] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 483.
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] security_event 1300003 force-closed for 02:de:ad:04:be:ef (pf::security_event::security_event_force_close)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Instantiate profile 802.1x (pf::Connection::ProfileFactory::_from_profile)
Mar 10 12:10:21 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] handling radius autz request: from switch_ip => (10.71.100.63), connection_type => Wireless-802.11-EAP,switch_mac => (b8:3a:5a:c1:8d:aa), mac => [02:de:ad:04:be:ef], port => 0, username => "Testy", ssid => htl-ar-ad (pf::radius::authorize)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Instantiate profile 802.1x (pf::Connection::ProfileFactory::_from_profile)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Found authentication source(s) : '' for realm 'null' (pf::config::util::filter_authentication_sources)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN: [mac:02:de:ad:04:be:ef] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN: [mac:02:de:ad:04:be:ef] Switch type 'pf::Switch::Aruba' does not support MABFloatingDevices (pf::SwitchSupports::__ANON__)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Found authentication source(s) : '' for realm 'null' (pf::config::util::filter_authentication_sources)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN: [mac:02:de:ad:04:be:ef] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 483.
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] security_event 1300003 force-closed for 02:de:ad:04:be:ef (pf::security_event::security_event_force_close)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Instantiate profile 802.1x (pf::Connection::ProfileFactory::_from_profile)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] handling radius autz request: from switch_ip => (10.71.100.63), connection_type => Wireless-802.11-EAP,switch_mac => (b8:3a:5a:c1:8d:aa), mac => [02:de:ad:04:be:ef], port => 0, username => "Testy", ssid => htl-ar-ad (pf::radius::authorize)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Instantiate profile 802.1x (pf::Connection::ProfileFactory::_from_profile)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Found authentication source(s) : '' for realm 'null' (pf::config::util::filter_authentication_sources)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN: [mac:02:de:ad:04:be:ef] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN: [mac:02:de:ad:04:be:ef] Switch type 'pf::Switch::Aruba' does not support MABFloatingDevices (pf::SwitchSupports::__ANON__)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] handling radius autz request: from switch_ip => (10.71.100.63), connection_type => Wireless-802.11-EAP,switch_mac => (b8:3a:5a:c1:8d:aa), mac => [02:de:ad:04:be:ef], port => 0, username => "Testy", ssid => htl-ar-ad (pf::radius::authorize)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Instantiate profile 802.1x (pf::Connection::ProfileFactory::_from_profile)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Found authentication source(s) : '' for realm 'null' (pf::config::util::filter_authentication_sources)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN: [mac:02:de:ad:04:be:ef] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN: [mac:02:de:ad:04:be:ef] Switch type 'pf::Switch::Aruba' does not support MABFloatingDevices (pf::SwitchSupports::__ANON__)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Found authentication source(s) : '' for realm 'null' (pf::config::util::filter_authentication_sources)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN: [mac:02:de:ad:04:be:ef] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 483.
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN: [mac:02:de:ad:04:be:ef] Use of uninitialized value $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 608.
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN: [mac:02:de:ad:04:be:ef] Use of uninitialized value $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 611.
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN: [mac:02:de:ad:04:be:ef] No parameter Vlan found in conf/switches.conf for the switch 10.71.100.63 (pf::Switch::getVlanByName)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] security_event 1300003 force-closed for 02:de:ad:04:be:ef (pf::security_event::security_event_force_close)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Instantiate profile 802.1x (pf::Connection::ProfileFactory::_from_profile)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Found authentication source(s) : '' for realm 'null' (pf::config::util::filter_authentication_sources)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN: [mac:02:de:ad:04:be:ef] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 483.
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN: [mac:02:de:ad:04:be:ef] Use of uninitialized value $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 608.
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN: [mac:02:de:ad:04:be:ef] Use of uninitialized value $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 611.
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN: [mac:02:de:ad:04:be:ef] No parameter Vlan found in conf/switches.conf for the switch 10.71.100.63 (pf::Switch::getVlanByName)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] security_event 1300003 force-closed for 02:de:ad:04:be:ef (pf::security_event::security_event_force_close)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Instantiate profile 802.1x (pf::Connection::ProfileFactory::_from_profile)
So, it looks like I don't get a role. I use the condition "memberOf equals CN=SpecificGroup, OU=Groups,CN=OURDOMAIN" in the authentication rules. How can I debug Active Directory group membership evaluation on packetfence?
kind regards
On 10.03.2020 16:09, Ludovic Zammit wrote:
> Ok, so if you are doing 802.1x then most of the time you do
> auto-registration where you don’t display the captive portal.
>
> In that case, your access would be computed on the fly. Do that and
> remove device info:
>
> grep MAC_ADDRESS /usr/local/pf/logs/packetfence.log
>
> My guess is that you don’t match or get the VLAN for the proper role.
> Check for the auto register option on the connection profile.
>
> Thanks,
> Ludovic Zammit
> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>
>
>
>
>> On Mar 10, 2020, at 11:04 AM, Christian Sudec <[email protected]> wrote:
>>
>> Hello Ludovic!
>>
>>
>> On 10.03.2020 14:42, Ludovic Zammit wrote:
>>> Hello Christian,
>>>
>>> Are you doing VLAN enforcement or Role enforcement ?
>> We're doing only 'RADIUS Enforcement' as this is the requirement for
>> 802.1x (both wireless and wired).
>>
>>> On Aruba you have to do one of them, not both at the same time.
>> What do you mean? When doing 802.1x packetfence uses the username
>> and password with its authentication rules to determine the role (eg.
>> teacher/pupil), which is used in the switch-profile with "Role mapping
>> by VLAN ID" to provide the correct VLAN (772/773).
>>
>>> How are you redirected on the captive portal ? By a radius request ?
>> There is no captive portal, because no guests are allowed.
>>
>>> Once you get authenticated PF sends a radius disconnect message to
>>> the AP to kick your Mac address out for the client to reconnect
>>> immediately and get the production vlan/role
>> That's my question: there is no Tunnel-Private-Group-ID and no
>> disconnect message. How and where do I set/debug these?
>>
>>> Check the logs/packetfence.log for your Mac address the activity and
>>> see if you can find any error.
>> Nothing useful (at least for me) in there:
>> Mar 10 12:10:22 ippf auth[1659]: (14606) Login OK: [Testy] (from client 10.71.100.63/32 port 0 cli bc:d1:d3:31:13:78 via TLS tunnel)
>> Mar 10 12:10:22 ippf auth[1659]: [mac:bc:d1:d3:31:13:78] Accepted user: Testy and returned VLAN
>> Mar 10 12:10:22 ippf auth[1659]: (14607) Login OK: [Testy] (from client 10.71.100.63/32 port 0 cli bc:d1:d3:31:13:78)
>>
>> As you can see: returned VLAN - but I don't get one...
>>
>> kind regards
>>>
>>> Thanks,
>>> Ludovic Zammit
>>> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
>>> PacketFence (http://packetfence.org)
>>>
>>>
>>>
>>>
>>>> On Mar 10, 2020, at 8:00 AM, Christian Sudec via PacketFence-users <[email protected]> wrote:
>>>>
>>>> Hi everybody!
>>>>
>>>> First the current situation so far:
>>>>
>>>> We installed a test-network, where the packetfence-server is
>>>> reachable with an ip 10.5.1.4 (type management)
>>>> and set 'RADIUS enforcement' as chosen method.
>>>>
>>>> Next we installed a Mikrotik-Switch (POE) with 4 VLANS (771-774)
>>>> and attached an Aruba-AP to a trunk port
>>>> with the mentioned VLANs. The default VLAN is 771 and the AP gets
>>>> an IP and can connect to the pf-server.
>>>>
>>>> Now we created an authentication-source to our AD and created a
>>>> switch-template for the AP. There are two
>>>> roles based on AD-group-membership: teachers (VID 772) and pupils
>>>> (VID 773) - set in the switch profile under
>>>> 'Role mapping by VLAN ID'.
>>>>
>>>> As far as it was possible, we set up the AP according to the
>>>> packetfence device configuration guide, because
>>>> the guide refers to ArubaOS 5.x, but we are already at 8.6.0.2.
>>>>
>>>> Now we are stuck: everybody can login with an ad-username (and
>>>> password), but the user doesn't get
>>>> transferred to the correct vlan and stays in the default. In
>>>> 'Auditing' I can see at 'Node Information' the
>>>> Role N/A and there is no Tunnel-Private-Group-ID in the RADIUS Reply.
>>>>
>>>> Can somebody enlighten me on what to check or what to set / how to
>>>> debug?
>>>>
>>>> kind regards
>>>> Chris
>>>>
>>>>
>>>> _______________________________________________
>>>> PacketFence-users mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>
>>
>
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
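As an added example (not from the thread and not PacketFence's own code), a small Python triage helper that follows one MAC through packetfence.log lines like those quoted above and names the reasons a request came back without a role or Tunnel-Private-Group-ID: a username without a realm, no authentication source for realm 'null', an undefined role, and a switch with no VLAN mapping. The sample lines are constructed from the quoted ones; the FIXED sample (realm 'ourdomain', source 'AD', VLAN 772, role 'teachers') is hypothetical.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed samples modelled on the packetfence_httpd.aaa lines quoted in the thread (syslog
# prefix dropped): FAILING mirrors the posted request, FIXED is hypothetical, with the realm sent.
MAC = "02:de:ad:04:be:ef"
FAILING = f"""\
INFO: [mac:{MAC}] handling radius autz request: from switch_ip => (10.71.100.63), username => "Testy", ssid => htl-ar-ad (pf::radius::authorize)
INFO: [mac:{MAC}] Found authentication source(s) : '' for realm 'null' (pf::config::util::filter_authentication_sources)
INFO: [mac:{MAC}] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
WARN: [mac:{MAC}] No parameter Vlan found in conf/switches.conf for the switch 10.71.100.63 (pf::Switch::getVlanByName)
"""
FIXED = f"""\
INFO: [mac:{MAC}] handling radius autz request: from switch_ip => (10.71.100.63), username => "OURDOMAIN\\Testy", ssid => htl-ar-ad (pf::radius::authorize)
INFO: [mac:{MAC}] Found authentication source(s) : 'AD' for realm 'ourdomain' (pf::config::util::filter_authentication_sources)
INFO: [mac:{MAC}] PID: "default", Status: reg Returned VLAN: (772), Role: (teachers) (pf::role::fetchRoleForNode)
"""
MAC_RE = re.compile(r"\[mac:([0-9a-f:]{17})\]")
USER_RE = re.compile(r'username => "([^"]*)"')
REALM_RE = re.compile(r"Found authentication source\(s\) : '([^']*)' for realm '([^']*)'")
ROLE_RE = re.compile(r"Returned VLAN: \((.*?)\), Role: \((.*?)\)")
NOVLAN_RE = re.compile(r"No parameter (\S+) found in conf/switches.conf for the switch (\S+)")

@dataclass
class Triage:
    username: Optional[str] = None
    realm: Optional[str] = None
    sources: Optional[str] = None   # '' means PacketFence found no source for the realm
    vlan: Optional[str] = None
    role: Optional[str] = None
    findings: List[str] = field(default_factory=list)

def triage(log_text: str, mac: str) -> Triage:
    t = Triage()
    for line in log_text.splitlines():
        m = MAC_RE.search(line)
        if not m or m.group(1).lower() != mac.lower():
            continue                      # other clients' lines are noise here
        if u := USER_RE.search(line):
            t.username = u.group(1)
        elif r := REALM_RE.search(line):
            t.sources, t.realm = r.group(1), r.group(2)
        elif v := ROLE_RE.search(line):
            t.vlan, t.role = v.group(1), v.group(2)
        elif n := NOVLAN_RE.search(line):
            t.findings.append(f"switch {n.group(2)} has no '{n.group(1)}' entry in conf/switches.conf")
    # The remaining checks follow PacketFence's own order: realm, then source, then role.
    if t.username is not None and not re.search(r"[\\@]", t.username):
        t.findings.append("username carries no realm (neither DOMAIN\\user nor user@domain)")
    if t.realm == "null" and t.sources == "":
        t.findings.append("no authentication source matched realm 'null', so no rule could assign a role")
    if t.role == "undefined":
        t.findings.append("role undefined, so no Tunnel-Private-Group-ID can be returned")
    return t
```

Run it against `grep MAC_ADDRESS /usr/local/pf/logs/packetfence.log` output for the client you are debugging; an empty findings list with a VLAN and role set is what a working request looks like.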