Show me the logs of a successful one. You said it works with a non domain
joined PC?

On Fri, Mar 20, 2020, 12:03 PM Wagner Liegio <wagner.lie...@gmail.com>
wrote:

> Zacharry,
>
> Here is the example:
>
> Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759) WARN: [mac:d0:94:66:db:ae:77] No role specified or found for pid ANA\iran (MAC d0:94:66:db:ae:77); assume maximum number of registered nodes is reached (pf::node::is_max_reg_nodes_reached)
>
> But they are all users of the domain and computer in the domain. The
> problem is not the user, but how the rule is being applied; there is a
> problem with that. I have version 8 running with the same parameters and
> I have no problem with auto register.
>
> On Fri, Mar 20, 2020 at 15:14, Zacharry Williams <zachar...@gmail.com>
> wrote:
>
>>   What's the distinguished name of your user? The log says it found the
>> auth source but didn't match a role.
>>
>> On Fri, Mar 20, 2020, 10:42 AM Wagner Liegio <wagner.lie...@gmail.com>
>> wrote:
>>
>>> Dear,
>>>
>>> I'm copying the analyst Leandro to follow the case and try to solve it.
>>> I ask you to send me what you need.
>>>
>>> On Fri, Mar 20, 2020 at 14:32, Wagner Liegio <wagner.lie...@gmail.com>
>>> wrote:
>>>
>>>> No, authentication is domain\user using the 802.1x protocol
>>>>
>>>> On Fri, Mar 20, 2020 at 11:25, Zacharry Williams <zachar...@gmail.com>
>>>> wrote:
>>>>
>>>>> Domain computers should be logging in with host\computername. Are you
>>>>> trying to do machine auth?
>>>>>
>>>>>
>>>>> On Fri, Mar 20, 2020, 5:59 AM Wagner Liegio <wagner.lie...@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hello Zachary,
>>>>>>
>>>>>> I already performed this test, computers outside the domain using
>>>>>> username and password authenticate. My problem is domain computer. Please
>>>>>> help me resolve this.
>>>>>>
>>>>>> On Thu, Mar 19, 2020 at 23:41, Zacharry Williams via
>>>>>> PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>>>>>>
>>>>>>> Try logging in with just a username and password. No ANA\ or
>>>>>>> anything.
>>>>>>>
>>>>>>> On Thu, Mar 19, 2020, 7:31 PM Wagner Liegio via PacketFence-users <
>>>>>>> packetfence-users@lists.sourceforge.net> wrote:
>>>>>>>
>>>>>>>> Good afternoon,
>>>>>>>>
>>>>>>>> I made the suggested adjustments by activating the strip in radius,
>>>>>>>> created a new realm, and the error persists. User authentication
>>>>>>>> searching for the domain only works, manually registering the node in
>>>>>>>> the packetfence. Therefore, the error still remains in the database
>>>>>>>> when trying to register auto.
>>>>>>>> Below is the database error log:
>>>>>>>>
>>>>>>>> Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759) INFO: [mac:d0:94:66:db:ae:77] handling radius autz request: from switch_ip => (10.95.10.1), connection_type => Ethernet-EAP,switch_mac => (c8:0c:c8:f1:25:20), mac => [d0:94:66:db:ae:77], port => 78774, username => "ANA\iran" (pf::radius::authorize)
>>>>>>>> Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759) INFO: [mac:d0:94:66:db:ae:77] Instantiate profile 802.1x (pf::Connection::ProfileFactory::_from_profile)
>>>>>>>> Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759) INFO: [mac:d0:94:66:db:ae:77] Found authentication source(s) : 'Ana' for realm 'default' (pf::config::util::filter_authentication_sources)
>>>>>>>> Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759) INFO: [mac:d0:94:66:db:ae:77] Using sources Ana for matching (pf::authentication::match2)
>>>>>>>> Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759) INFO: [mac:d0:94:66:db:ae:77] LDAP testing connection (pf::LDAP::expire_if)
>>>>>>>> Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759) WARN: [mac:d0:94:66:db:ae:77] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
>>>>>>>> Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759) WARN: [mac:d0:94:66:db:ae:77] No role specified or found for pid ANA\iran (MAC d0:94:66:db:ae:77); assume maximum number of registered nodes is reached (pf::node::is_max_reg_nodes_reached)
>>>>>>>> Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759) ERROR: [mac:d0:94:66:db:ae:77] max nodes per pid met or exceeded - registration of d0:94:66:db:ae:77 to ANA\iran failed (pf::registration::setup_node_for_registration)
>>>>>>>> Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759) ERROR: [mac:d0:94:66:db:ae:77] auto-registration of node failed max nodes per pid met or exceeded (pf::radius::authorize)
>>>>>>>> Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759) ERROR: [mac:d0:94:66:db:ae:77] Database query failed with non retryable error: Cannot add or update a child row: a foreign key constraint fails (`pf`.`node`, CONSTRAINT `0_57` FOREIGN KEY (`tenant_id`, `pid`) REFERENCES `person` (`tenant_id`, `pid`) ON DELETE CASCADE ON UPDATE CASCADE) (errno: 1452) [INSERT INTO `node` ( `autoreg`, `bandwidth_balance`, `bypass_role_id`, `bypass_vlan`, `category_id`, `computername`, `detect_date`, `device_class`, `device_manufacturer`, `device_score`, `device_type`, `device_version`, `dhcp6_enterprise`, `dhcp6_fingerprint`, `dhcp_fingerprint`, `dhcp_vendor`, `last_arp`, `last_dhcp`, `last_seen`, `lastskip`, `mac`, `machine_account`, `notes`, `pid`, `regdate`, `sessionid`, `status`, `tenant_id`, `time_balance`, `unregdate`, `user_agent`, `voip`) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, NOW(), ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? ) ON DUPLICATE KEY UPDATE `autoreg` = ?, `last_seen` = NOW(), `pid` = ?, `status` = ?, `tenant_id` = ?]{yes, NULL, NULL, NULL, NULL, NULL, 2020-03-19 18:15:11, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0000-00-00 00:00:00, 0000-00-00 00:00:00, 0000-00-00 00:00:00, d0:94:66:db:ae:77, NULL, NULL, ANA\iran, 0000-00-00 00:00:00, NULL, reg, 1, NULL, 0000-00-00 00:00:00, NULL, no, yes, ANA\iran, reg, 1} (pf::dal::db_execute)
>>>>>>>> Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759) ERROR: [mac:d0:94:66:db:ae:77] Cannot save d0:94:66:db:ae:77 error (500) (pf::radius::authorize)
>>>>>>>>
>>>>>>>> On Wed, Mar 18, 2020 at 21:34, Durand fabrice via
>>>>>>>> PacketFence-users <packetfence-users@lists.sourceforge.net>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Try that:
>>>>>>>>>
>>>>>>>>> pftest authentication ANA\pereira ""
>>>>>>>>>
>>>>>>>>> and
>>>>>>>>>
>>>>>>>>> pftest authentication pereira ""
>>>>>>>>>
>>>>>>>>> to see if the user is found and if it matches a rule.
>>>>>>>>>
>>>>>>>>> If the second one works then in the ANA realm enable strip in
>>>>>>>>> radius.
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>>
>>>>>>>>> Fabrice
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 20-03-18 at 20:13, Zacharry Williams via PacketFence-users
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>> Gonna take a wild guess here, in your realms config turn on strip
>>>>>>>>> radius for null and your domain and try logging on with just your
>>>>>>>>> username and password. I'm guessing your realms config isn't
>>>>>>>>> matching. For us we had three domains and we had to add them all.
>>>>>>>>> For example COMPANY.ORG, COMPANY.LAN, COMPANY.COM.
>>>>>>>>>
>>>>>>>>> On Wed, Mar 18, 2020, 12:43 PM Wagner Liegio via PacketFence-users
>>>>>>>>> <packetfence-users@lists.sourceforge.net> wrote:
>>>>>>>>>
>>>>>>>>>> Good afternoon,
>>>>>>>>>>
>>>>>>>>>> Follow the requested files attached.
>>>>>>>>>>
>>>>>>>>>> On Tue, Mar 17, 2020 at 14:16, Ludovic Zammit <lzam...@inverse.ca>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hello,
>>>>>>>>>>>
>>>>>>>>>>> Could you post the result of those two commands:
>>>>>>>>>>>
>>>>>>>>>>> cat /usr/local/pf/conf/authentication.conf
>>>>>>>>>>>
>>>>>>>>>>> cat /usr/local/pf/conf/profiles.conf
>>>>>>>>>>>
>>>>>>>>>>> Remove your information.
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>>
>>>>>>>>>>> Ludovic Zammit
>>>>>>>>>>> lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
>>>>>>>>>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Mar 17, 2020, at 9:42 AM, Wagner Liegio via PacketFence-users
>>>>>>>>>>> <packetfence-users@lists.sourceforge.net> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Good Morning,
>>>>>>>>>>>
>>>>>>>>>>> The rules, functions are standard on the Zen packetfence 9.3
>>>>>>>>>>> that I downloaded from the site, I will send some images of how the
>>>>>>>>>>> configuration is through the webgui, so I noticed everything is
>>>>>>>>>>> correct, what is happening is that the function and the rule is not
>>>>>>>>>>> being applied for some reason that I don't know.
>>>>>>>>>>>
>>>>>>>>>>> <image.png>
>>>>>>>>>>>
>>>>>>>>>>> <image.png>
>>>>>>>>>>>
>>>>>>>>>>> <image.png>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Mar 17, 2020 at 00:04, Zacharry Williams via
>>>>>>>>>>> PacketFence-users <packetfence-users@lists.sourceforge.net>
>>>>>>>>>>> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Check and make sure your realms are defined also.
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Mar 16, 2020, 4:58 PM Brandt Winchell via
>>>>>>>>>>>> PacketFence-users <packetfence-users@lists.sourceforge.net>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I know when I ran into this issue, it had to do with the
>>>>>>>>>>>>> authorization source for AD.  In the source, I had an authentication
>>>>>>>>>>>>> rule that matched the sAMAccountName is member of “group name”.  The
>>>>>>>>>>>>> group name must be the AD DN (distinguished name) of the group.
>>>>>>>>>>>>> CN=%security group you want%,OU=%OU the object resides in%,DC=%your domain%,DC=%domain suffix%
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> *From:* Wagner Liegio via PacketFence-users <
>>>>>>>>>>>>> packetfence-users@lists.sourceforge.net>
>>>>>>>>>>>>> *Sent:* Monday, March 16, 2020 1:08 PM
>>>>>>>>>>>>> *To:* packetfence-users@lists.sourceforge.net
>>>>>>>>>>>>> *Cc:* Wagner Liegio <wagner.lie...@gmail.com>
>>>>>>>>>>>>> *Subject:* [PacketFence-users] authentication sources
>>>>>>>>>>>>> packetfence 9.3
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Good afternoon, I'm facing the same problem only in version
>>>>>>>>>>>>> 9.3. I have done everything I can think of, reconfigured the
>>>>>>>>>>>>> domain, the connection profile, checked the rules and functions.
>>>>>>>>>>>>> The error follows:
>>>>>>>>>>>>>
>>>>>>>>>>>>> No role specified or found for pid ANA\pereira (MAC d0:94:66:db:ee:7d); assumes maximum number of registered nodes is reached (pf::node::is_max_reg_nodes_reached)
>>>>>>>>>>>>> plpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(9837) ERROR: [mac:d0:94:66:db:ee:7d] max nodes per pid met or exceeded - registration of d0:94:66:db:ae:7d to ANA\pereira failed (pf::registration::setup_node_for_registration)
>>>>>>>>>>>>> plpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(9837) ERROR: [mac:d0:94:66:db:ee:7d] auto-registration of node failed max nodes per pid met or exceeded (pf::radius::authorize)
>>>>>>>>>>>>> plpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(9837) ERROR: [mac:d0:94:66:db:ee:7d] Database query failed with non retryable error: Cannot add or update a child row: a foreign key constraint fails (pf.node, CONSTRAINT 0_57 FOREIGN KEY (tenant_id, pid) REFERENCES person (tenant_id, pid) ON DELETE CASCADE ON UPDATE CASCADE) (errno: 1452) [INSERT INTO node (autoreg, bandwidth_balance, bypass_role_id, bypass_vlan, category_id, computername, detect_date, device_class, device_manufacturer, device_score, device_type, device_version, dhcp6_enterprise, dhcp6_fingerprint, dhcp_fingerprint, dhcp_vendor, last_arp, last_dhcp, last_seen, lastskip, mac, machine_account, notes, regdate, sessionid, status, tenant_id, time_balance, void, user? ?,?,?,?,?,?,?,?,?,?,?,?,?,?, NOW(),?,?,?,?,?,?,?,?,?, ?,?,?,?) ON DUPLICATE KEY UPDATE autoreg = ?, Last_seen = NOW(), pid = ?, Status = ?, Tenant_id` =?] {Yes, NULL, NULL, NULL, NULL, NULL, 2020-03-13 19:08:50, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0000-00-00 00:00:00, 0000-00-00 00:00:00, 0000-00-00 00:00:00, d0:94:66:db:ae:7d, NULL, NULL, ANA\pereira, 0000-00-00 00:00:00, NULL, reg, 1, NULL, 0000-00-00 00:00:00, NULL, no, yes, ANA\pereira, reg, 1} (pf::dal::db_execute)
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>> PacketFence-users mailing list
>>>>>>>>>>>>> PacketFence-users@lists.sourceforge.net
>>>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>>>>>>>>>>
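A triage pass over the httpd.aaa entries quoted in this thread, added here as an example; it is not part of any poster's message and not PacketFence code. It groups entries by MAC and separates the first WARN/ERROR from those logged after it, so the foreign key error is listed after the earlier "No category computed for autoreg" warning. The regexes, field names and the shortened sample are assumptions drawn only from the lines quoted above.

```python
import re

# Constructed sample: httpd.aaa entries quoted in the thread, one per line;
# the SQL text of the db_execute entry is shortened to "[...]".
PREFIX = ("Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: "
          "httpd.aaa(6759) {}: [mac:d0:94:66:db:ae:77] {}")
ENTRIES = [
    ("INFO", "Found authentication source(s) : 'Ana' for realm 'default' (pf::config::util::filter_authentication_sources)"),
    ("WARN", "No category computed for autoreg (pf::role::getNodeInfoForAutoReg)"),
    ("WARN", r"No role specified or found for pid ANA\iran (MAC d0:94:66:db:ae:77); assume maximum number of registered nodes is reached (pf::node::is_max_reg_nodes_reached)"),
    ("ERROR", r"max nodes per pid met or exceeded - registration of d0:94:66:db:ae:77 to ANA\iran failed (pf::registration::setup_node_for_registration)"),
    ("ERROR", "Database query failed with non retryable error: Cannot add or update a child row: a foreign key constraint fails [...] (errno: 1452) [...] (pf::dal::db_execute)"),
    ("ERROR", "Cannot save d0:94:66:db:ae:77 error (500) (pf::radius::authorize)"),
]
SAMPLE = "\n".join(PREFIX.format(lvl, msg) for lvl, msg in ENTRIES)

# timestamp, host, service, process(pid), level, [mac:...], message, (pf::function)
LINE = re.compile(
    r"\w{3} +\d+ [\d:]{8} \S+ \S+ \S+\(\d+\) (?P<lvl>INFO|WARN|ERROR): "
    r"\[mac:(?P<mac>[0-9a-f:]{17})\] (?P<msg>.*) \((?P<fn>pf::[\w:]+)\)$")
SOURCE = re.compile(r"Found authentication source\(s\) : '([^']+)'")
PID = re.compile(r"for pid (\S+) \(MAC")

def triage(log_text):
    """Per MAC: auth source found, first WARN/ERROR, and what was logged after it."""
    report = {}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # wrapped, truncated or unrelated line
        entry = report.setdefault(
            m["mac"], {"source": None, "pid": None, "root": None, "downstream": []})
        src, pid = SOURCE.search(m["msg"]), PID.search(m["msg"])
        if src:
            entry["source"] = src.group(1)
        if pid and entry["pid"] is None:
            entry["pid"] = pid.group(1)
        if m["lvl"] in ("WARN", "ERROR"):
            if entry["root"] is None:
                entry["root"] = (m["lvl"], m["fn"], m["msg"])
            else:
                entry["downstream"].append((m["lvl"], m["fn"]))
    return report

if __name__ == "__main__":
    for mac, info in triage(SAMPLE).items():
        print(mac, info["source"], info["pid"], info["root"][1], info["downstream"])
```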