Hello,
You get something like this for the portal section:
[root@pf-testing pf]# bin/pftest authentication lzammit "" ZAMMIT-AD
Testing authentication for "lzammit"
Authenticating against 'ZAMMIT-AD' in context 'admin'
Authentication FAILED against ZAMMIT-AD (Invalid login or password)
Matched against ZAMMIT-AD for 'authentication' rule staff
set_role : staff
set_access_duration : 2Y
Matched against ZAMMIT-AD for 'administration' rule catchall
set_access_level : ALL
Authenticating against 'ZAMMIT-AD' in context 'portal'
Authentication FAILED against ZAMMIT-AD (Invalid login or password)
Matched against ZAMMIT-AD for 'authentication' rule staff
set_role : staff
set_access_duration : 2Y
Matched against ZAMMIT-AD for 'administration' rule catchall
set_access_level : ALL
If you don’t have that, your AD source is not configured properly.
Then, if you have "Rejected in post-auth:", it means that the reject's reason would
be in the logs/packetfence.log.
Thanks,
Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
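Added example, not code from this thread or from PacketFence's own code base: a small Python script that reads pftest output the way the reply above reads it (a bind that FAILS with an empty password is expected; what matters is whether the source answered and whether rules still matched) and models the realm stripping recommended further down. The regexes are written only against the line shapes quoted in this thread; the REALMS table is constructed from the tcc.to section Maile posted plus a hypothetical 'default' realm with stripping disabled; the fallback-to-default rule, the verdict names and the sample username maile.halatuituia@tcc.to are assumptions, not behaviour taken from PacketFence's source.

```python
import re

# Realm table constructed from the realms.conf excerpt quoted in the thread.
# The "default" realm here is hypothetical, with stripping disabled, to show
# the failure mode described in the thread (full user@realm sent to AD).
REALMS = {
    "tcc.to": {
        "domain": "tccto",
        "ldap_source": "TCCAD",
        "portal_strip_username": "enabled",
        "radius_strip_username": "enabled",
        "admin_strip_username": "enabled",
    },
    "default": {
        "ldap_source": "TCCAD",
        "portal_strip_username": "disabled",
        "radius_strip_username": "disabled",
        "admin_strip_username": "disabled",
    },
}


def split_realm(username):
    """'user@realm' -> ('user', 'realm'); a bare username has realm None."""
    user, sep, realm = username.rpartition("@")
    return (user, realm.lower()) if sep else (username, None)


def resolve_lookup_name(username, context, realms=REALMS):
    """Name that reaches the LDAP source for one context (portal/radius/admin).

    Assumed model: a realm without its own section falls back to 'default'
    (the quoted packetfence.log shows "for realm 'default'").  Only when that
    realm has <context>_strip_username=enabled is the suffix removed; otherwise
    the whole user@realm string is compared with sAMAccountName and cannot match.
    """
    user, realm = split_realm(username)
    realm_name = realm if realm in realms else "default"
    strip = realms[realm_name].get(f"{context}_strip_username") == "enabled"
    return realm_name, user if (strip and realm) else username


# Line shapes seen in the two pftest transcripts quoted in the thread.
RE_CONTEXT = re.compile(r"^Authenticating against '([^']+)' in context '([^']+)'")
RE_RESULT = re.compile(r"^Authentication (\w+) against (\S+)(?: \((.*)\))?$")
RE_MATCH = re.compile(r"^Matched against (\S+) for '([^']+)' rule (\S+)$")
RE_ACTION = re.compile(r"^(set_\w+) : (.+)$")


def parse_pftest(output):
    """Summarise a pftest transcript as {context: {failed, reason, rules}}."""
    contexts, current, rule = {}, None, None
    for raw in output.splitlines():
        line = raw.strip()
        if m := RE_CONTEXT.match(line):
            current = contexts.setdefault(m[2], {"failed": None, "reason": None, "rules": {}})
            rule = None
        elif current is None:
            continue  # "Testing authentication for ..." banner, before any context
        elif m := RE_RESULT.match(line):
            current["failed"] = m[1] == "FAILED"
            current["reason"] = m[3]
        elif m := RE_MATCH.match(line):
            rule = f"{m[2]}/{m[3]}"          # e.g. authentication/staff
            current["rules"][rule] = {}
        elif rule and (m := RE_ACTION.match(line)):
            current["rules"][rule][m[1]] = m[2]  # set_role : staff
    return contexts


def diagnose(summary):
    """Apply the thread's reading to a parsed transcript, per context.

    'source-error': the source itself did not answer the credential check;
    'no-rule-matched': the source answered but no rule applies to this user;
    'rules-matched-bind-failed': the expected outcome of pftest with an empty
    password against a correctly configured source.
    """
    if not summary:
        return "no-contexts"
    verdicts = {}
    for ctx, info in summary.items():
        if "Unable to validate credentials" in (info["reason"] or ""):
            verdicts[ctx] = "source-error"
        elif not info["rules"]:
            verdicts[ctx] = "no-rule-matched"
        elif info["failed"]:
            verdicts[ctx] = "rules-matched-bind-failed"
        else:
            verdicts[ctx] = "ok"
    return verdicts


# Transcripts constructed from the two pftest runs quoted in the thread
# (mail line wrapping removed).
PFTEST_OK_SOURCE = """\
Testing authentication for "lzammit"
Authenticating against 'ZAMMIT-AD' in context 'admin'
Authentication FAILED against ZAMMIT-AD (Invalid login or password)
Matched against ZAMMIT-AD for 'authentication' rule staff
set_role : staff
set_access_duration : 2Y
Matched against ZAMMIT-AD for 'administration' rule catchall
set_access_level : ALL
Authenticating against 'ZAMMIT-AD' in context 'portal'
Authentication FAILED against ZAMMIT-AD (Invalid login or password)
Matched against ZAMMIT-AD for 'authentication' rule staff
set_role : staff
set_access_duration : 2Y
Matched against ZAMMIT-AD for 'administration' rule catchall
set_access_level : ALL
"""

PFTEST_BROKEN_SOURCE = """\
Testing authentication for "maile.halatuituia"
Authenticating against 'TCCAD' in context 'admin'
Authentication FAILED against TCCAD (Unable to validate credentials at the moment)
Did not match against TCCAD for 'authentication' rules
Did not match against TCCAD for 'administration' rules
Authenticating against 'TCCAD' in context 'portal'
Authentication FAILED against TCCAD (Unable to validate credentials at the moment)
Did not match against TCCAD for 'authentication' rules
Did not match against TCCAD for 'administration' rules
"""

if __name__ == "__main__":
    for name, text in (("ZAMMIT-AD", PFTEST_OK_SOURCE), ("TCCAD", PFTEST_BROKEN_SOURCE)):
        print(name, diagnose(parse_pftest(text)))
    # Constructed sample username: what the AD source receives per context.
    for ctx in ("portal", "radius", "admin"):
        print(ctx, resolve_lookup_name("maile.halatuituia@tcc.to", ctx))
```

Run it against a real transcript by piping pftest output into parse_pftest; the point of the two verdicts is that rule matches appearing under a FAILED bind are the healthy case, while "Did not match" with "Unable to validate credentials" points at the source configuration rather than at the rules.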
> On Oct 5, 2020, at 4:11 PM, Maile Halatuituia <[email protected]>
> wrote:
>
> Hi Ludovic
> Thanks for your reply.
>
> >> It looks like that you are not matching any rules in TCCAD.
> I have attached what I configure on my rules for reference.
>
> >> First click the test button on the source, make sure it’s green and
> >> working, then try to see if your username matches the rules:
> I also attached the username I use on the authentication source using the
> administrator account. I am not sure if I use it correctly or not.
>
> >> /usr/local/pf/bin/pftest authentication maile.halatuituia "" TCCAD
>
> Here is the result, not sure why the error but domain I joined OK.
>
> [root@pfence-cen bin]# ./pftest authentication maile.halatuituia "" TCCAD
> Testing authentication for "maile.halatuituia"
>
> Authenticating against 'TCCAD' in context 'admin'
> Authentication FAILED against TCCAD (Unable to validate credentials at the
> moment)
> Did not match against TCCAD for 'authentication' rules
> Did not match against TCCAD for 'administration' rules
>
> Authenticating against 'TCCAD' in context 'portal'
> Authentication FAILED against TCCAD (Unable to validate credentials at the
> moment)
> Did not match against TCCAD for 'authentication' rules
> Did not match against TCCAD for 'administration' rules
>
> Lastly I have also recreated another realm tcc.to below
>
> [1 tcc.to]
> permit_custom_attributes=disabled
> radius_auth_proxy_type=keyed-balance
> radius_auth_compute_in_pf=enabled
> admin_strip_username=enabled
> eduroam_radius_auth=
> domain=tccto
> radius_strip_username=enabled
> eduroam_radius_auth_proxy_type=keyed-balance
> eduroam_radius_acct=
> portal_strip_username=enabled
> eap=default
> radius_acct_proxy_type=load-balance
> radius_auth=
> ldap_source=TCCAD
> eduroam_radius_auth_compute_in_pf=enabled
> eduroam_radius_acct_proxy_type=load-balance
> radius_acct=
>
> but I still have the same error
>
> In addition to this I tried to test from a Huawei switch with a test command
> and here is what I see in /usr/local/pf/logs/radius.log
>
> Oct 6 09:09:33 pfence-cen auth[2421]: (5406) rest: ERROR: Server returned:
> Oct 6 09:09:33 pfence-cen auth[2421]: (5406) rest: ERROR: {"control:PacketFence-Authorization-Status":"allow","Reply-Message":"Authentication failed on PacketFence"}
> Oct 6 09:09:33 pfence-cen auth[2421]: [mac:] Rejected user: [email protected]
> Oct 6 09:09:33 pfence-cen auth[2421]: (5406) Rejected in post-auth: [[email protected]] (from client 10.0.1.18/32 port 0)
> Oct 6 09:09:33 pfence-cen auth[2421]: (5406) Login incorrect (rest: Server returned:): [[email protected]] (from client 10.0.1.18/32 port 0)
>
>
> From: Ludovic Zammit <[email protected]>
> Sent: Tuesday, 6 October 2020 1:00 AM
> To: [email protected]
> Cc: Maile Halatuituia <[email protected]>
> Subject: Re: [PacketFence-users] Authentication Failed.
>
> Hello,
>
> That authentication looks ok but your authorization does not.
>
> It looks like that you are not matching any rules in TCCAD.
>
> First click the test button on the source, make sure it’s green and working,
> then try to see if your username matches the rules:
>
> /usr/local/pf/bin/pftest authentication maile.halatuituia "" TCCAD
>
> The AD source is looking for a [email protected] and I doubt that's your
> samaccountname, more like maile.halatuituia so, on the default realm, check
> strip on portal. If you don't want to do it on the default realm, create
> tcc.to and strip it.
>
> Thanks,
>
> Ludovic Zammit
> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>
>
>
>
>
> On Oct 4, 2020, at 6:36 PM, Maile Halatuituia via PacketFence-users
> <[email protected]> wrote:
>
> More info
>
> Appreciate it if someone can help
>
> Oct 5 11:12:26 pfence-cen httpd_aaa_err: Use of uninitialized value $role in
> concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489.
> Oct 5 11:12:26 pfence-cen httpd_aaa_err: Use of uninitialized value
> $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 608.
> Oct 5 11:12:26 pfence-cen httpd_aaa_err: Use of uninitialized value
> $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm
> line 611.
> Oct 5 11:13:00 pfence-cen httpd_aaa_err: Use of uninitialized value $role in
> concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489.
> Oct 5 11:13:00 pfence-cen httpd_aaa_err: Use of uninitialized value
> $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 608.
> Oct 5 11:13:00 pfence-cen httpd_aaa_err: Use of uninitialized value
> $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm
> line 611.
> Oct 5 11:13:40 pfence-cen httpd_aaa_err: Use of uninitialized value $role in
> concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489.
> Oct 5 11:13:40 pfence-cen httpd_aaa_err: Use of uninitialized value
> $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 608.
> Oct 5 11:13:40 pfence-cen httpd_aaa_err: Use of uninitialized value
> $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm
> line 611.
> Oct 5 11:35:18 pfence-cen httpd_aaa_err: Use of uninitialized value $role in
> concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489.
> Oct 5 11:35:18 pfence-cen httpd_aaa_err: Use of uninitialized value
> $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 608.
> Oct 5 11:35:18 pfence-cen httpd_aaa_err: Use of uninitialized value
> $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm
> line 611.
>
> I might have more config to add but not sure what it is. Hopefully someone
> who has had this issue before can help out.
> Thanks.
>
> From: Maile Halatuituia via PacketFence-users <[email protected]>
> Sent: Sunday, 4 October 2020 4:14 PM
> To: [email protected]
> Cc: Maile Halatuituia <[email protected]>
> Subject: Re: [PacketFence-users] Authentication Failed.
>
> resend
>
> From: Maile Halatuituia via PacketFence-users <[email protected]>
> Sent: Friday, 2 October 2020 2:21 PM
> To: [email protected]
> Cc: Maile Halatuituia <[email protected]>
> Subject: [PacketFence-users] Authentication Failed.
>
> This is what I have.
>
> Logs
> (/usr/local/pf/logs/packetfence.log)
>
> Oct 2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) INFO:
> [mac:c8:f7:50:7f:18:4c] handling radius autz request: from switch_ip =>
> (10.0.1.18), connection_type => Ethernet-NoEAP,switch_mac => (Unknown), mac
> => [c8:f7:50:7f:18:4c], port => 8204, username => "[email protected]"
> (pf::radius::authorize)
> Oct 2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) INFO:
> [mac:c8:f7:50:7f:18:4c] Instantiate profile default
> (pf::Connection::ProfileFactory::_from_profile)
> Oct 2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) INFO:
> [mac:c8:f7:50:7f:18:4c] Found authentication source(s) : 'local,TCCAD' for
> realm 'default' (pf::config::util::filter_authentication_sources)
> Oct 2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) INFO:
> [mac:c8:f7:50:7f:18:4c] Connection type is MAC-AUTH. Getting role from
> node_info (pf::role::getRegisteredRole)
> Oct 2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) WARN:
> [mac:c8:f7:50:7f:18:4c] Use of uninitialized value $role in concatenation (.)
> or string at /usr/local/pf/lib/pf/role.pm line 489.
> (pf::role::getRegisteredRole)
> Oct 2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) INFO:
> [mac:c8:f7:50:7f:18:4c] Username was NOT defined or unable to match a role -
> returning node based role '' (pf::role::getRegisteredRole)
> Oct 2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) INFO:
> [mac:c8:f7:50:7f:18:4c] PID: "default", Status: reg Returned VLAN:
> (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
> Oct 2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) WARN:
> [mac:c8:f7:50:7f:18:4c] Use of uninitialized value $vlanName in hash element
> at /usr/local/pf/lib/pf/Switch.pm line 608.
> (pf::Switch::getVlanByName)
> Oct 2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) WARN:
> [mac:c8:f7:50:7f:18:4c] Use of uninitialized value $vlanName in concatenation
> (.) or string at /usr/local/pf/lib/pf/Switch.pm line 611.
> (pf::Switch::getVlanByName)
> Oct 2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) WARN:
> [mac:c8:f7:50:7f:18:4c] No parameter Vlan found in conf/switches.conf for the
> switch 10.0.1.18 (pf::Switch::getVlanByName)
>
> (/usr/local/pf/logs/radius.log)
> Oct 2 14:16:00 pfence-cen auth[80961]: Adding client 10.0.1.18/32
> Oct 2 14:16:00 pfence-cen auth[80961]: [mac:c8:f7:50:7f:18:4c] Accepted
> user: and returned VLAN
> Oct 2 14:16:00 pfence-cen auth[80961]: (1612) Login OK: [[email protected]] (from client
> 10.0.1.18/32 port 8204 cli c8:f7:50:7f:18:4c)
>
> Config File
>
> Authentication.conf
> [TCCAD]
> cache_match=0
> read_timeout=10
> realms=default
> basedn=CN=Administrator,CN=Users,DC=tcc,DC=to
> monitor=1
> shuffle=0
> searchattributes=
> set_access_durations_action=
> scope=sub
> email_attribute=mail
> usernameattribute=sAMAccountName
> connection_timeout=1
> encryption=none
> description=Domain Controller
> port=389
> host=10.0.1.10
> write_timeout=5
> type=AD
>
> [TCCAD rule employee]
> action0=set_role=default
> status=enabled
> match=all
> class=authentication
> action1=set_unreg_date=2021-01-01 00:00:00
> description=For all Wires Employee
>
> Domain.conf
>
> [tccto]
> status=enabled
> ntlm_cache_filter=(&(samAccountName=*)(!(|(lockoutTime=>0)(userAccountControl:1.2.840.113556.1.4.803:=2))))
> registration=0
> ntlm_cache_expiry=3600
> dns_name=TCC.TO
> dns_servers=10.0.1.8,10.0.1.10
> ou=Computers
> ntlm_cache_on_connection=disabled
> #workgroup=TCC.TO
> ntlm_cache_batch_one_at_a_time=disabled
> ad_server=10.0.1.10
> sticky_dc=10.0.1.10
> ntlm_cache_batch=disabled
> server_name=%h
> ntlmv2_only=0
> workgroup=TCC-NETWORK
> # Copyright (C) Inverse inc.
> Strangely the radius log above says but still I have authentication failed on
> the status, not only that but if I use any username or password it just
> keeps saying login OK. Looks like the authentication is correctly forwarded to
> the DC or something else. Would appreciate any help on this.
>
> FYI
> The domain is joined just fine with no problem
>
> Confidentiality Notice:
> This email (including any attachment) is intended for internal use only. Any
> unauthorized use, dissemination or copying of the content is prohibited. If
> you are not the intended recipient and have received this e-mail in error,
> please notify the sender by email and delete this email and any attachment.
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
> <rule.png><administrator_accout.png>