Hi Ludovic
In addition to what I have, there is this error now:

packetfence: pftest(9147) ERROR: [TCCAD] Unable to execute search 
(sAMAccountName=maile.halatuituia) from CN=Administrator,CN=Users,DC=tcc,DC=to 
on 10.0.1.10:389, we skip the rule. 
(pf::Authentication::Source::LDAPSource::_match_in_subclass)

From: Maile Halatuituia
Sent: Wednesday, 7 October 2020 8:07 AM
To: 'Ludovic Zammit' <[email protected]>
Cc: [email protected]
Subject: RE: [PacketFence-users] Authentication Failed.

Hi Ludovic
Is it possible that you can share your authentication source config, so I can 
compare it to mine?

From: Ludovic Zammit <[email protected]>
Sent: Wednesday, 7 October 2020 1:14 AM
To: Maile Halatuituia <[email protected]>
Cc: [email protected]
Subject: Re: [PacketFence-users] Authentication Failed.

Hello,

You get something like this for the portal section:

[root@pf-testing pf]# bin/pftest authentication lzammit "" ZAMMIT-AD
Testing authentication for "lzammit"

Authenticating against 'ZAMMIT-AD' in context 'admin'
  Authentication FAILED against ZAMMIT-AD (Invalid login or password)
  Matched against ZAMMIT-AD for 'authentication' rule staff
    set_role : staff
    set_access_duration : 2Y
  Matched against ZAMMIT-AD for 'administration' rule catchall
    set_access_level : ALL

Authenticating against 'ZAMMIT-AD' in context 'portal'
  Authentication FAILED against ZAMMIT-AD (Invalid login or password)
  Matched against ZAMMIT-AD for 'authentication' rule staff
    set_role : staff
    set_access_duration : 2Y
  Matched against ZAMMIT-AD for 'administration' rule catchall
    set_access_level : ALL

If you don’t have that, your AD source is not configured properly.

Then, if you have "Rejected in post-auth:", it means that the reject's reason 
would be in the logs/packetfence.log.

Thanks,

Ludovic Zammit

[email protected] ::  +1.514.447.4918 (x145) ::  www.inverse.ca

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)



On Oct 5, 2020, at 4:11 PM, Maile Halatuituia <[email protected]> wrote:

Hi Ludovic
Thanks for your reply.

>> It looks like that you are not matching any rules in TCCAD.
I have attached what I configured for my rules, for reference.

>> First click the test button on the source, make sure it’s green and working, 
>> then try to see if your username matches the rules:
I also attached the username I use on the authentication source, using the 
administrator account. I am not sure if I am using it correctly or not.

>> /usr/local/pf/bin/pftest authentication maile.halatuituia "" TCCAD

Here is the result. I am not sure why there is an error, but I joined the domain OK.

[root@pfence-cen bin]# ./pftest authentication maile.halatuituia "" TCCAD
Testing authentication for "maile.halatuituia"

Authenticating against 'TCCAD' in context 'admin'
  Authentication FAILED against TCCAD (Unable to validate credentials at the moment)
  Did not match against TCCAD for 'authentication' rules
  Did not match against TCCAD for 'administration' rules

Authenticating against 'TCCAD' in context 'portal'
  Authentication FAILED against TCCAD (Unable to validate credentials at the moment)
  Did not match against TCCAD for 'authentication' rules
  Did not match against TCCAD for 'administration' rules

Lastly, I have also recreated another realm, tcc.to, below:

[1 tcc.to]
permit_custom_attributes=disabled
radius_auth_proxy_type=keyed-balance
radius_auth_compute_in_pf=enabled
admin_strip_username=enabled
eduroam_radius_auth=
domain=tccto
radius_strip_username=enabled
eduroam_radius_auth_proxy_type=keyed-balance
eduroam_radius_acct=
portal_strip_username=enabled
eap=default
radius_acct_proxy_type=load-balance
radius_auth=
ldap_source=TCCAD
eduroam_radius_auth_compute_in_pf=enabled
eduroam_radius_acct_proxy_type=load-balance
radius_acct=

but I still have the same error

In addition to this, I tried to test from a Huawei switch with a test command, 
and here is what I see in /usr/local/pf/logs/radius.log:

Oct  6 09:09:33 pfence-cen auth[2421]: (5406) rest: ERROR: Server returned:
Oct  6 09:09:33 pfence-cen auth[2421]: (5406) rest: ERROR: {"control:PacketFence-Authorization-Status":"allow","Reply-Message":"Authentication failed on PacketFence"}
Oct  6 09:09:33 pfence-cen auth[2421]: [mac:] Rejected user: [email protected]
Oct  6 09:09:33 pfence-cen auth[2421]: (5406) Rejected in post-auth: [[email protected]] (from client 10.0.1.18/32 port 0)
Oct  6 09:09:33 pfence-cen auth[2421]: (5406) Login incorrect (rest: Server returned:): [[email protected]] (from client 10.0.1.18/32 port 0)


From: Ludovic Zammit <[email protected]>
Sent: Tuesday, 6 October 2020 1:00 AM
To: [email protected]
Cc: Maile Halatuituia <[email protected]>
Subject: Re: [PacketFence-users] Authentication Failed.

Hello,

That authentication looks ok but your authorization does not.

It looks like that you are not matching any rules in TCCAD.

First click the test button on the source, make sure it’s green and working, 
then try to see if your username matches the rules:

/usr/local/pf/bin/pftest authentication maile.halatuituia "" TCCAD

The AD source is looking for a [email protected], and I doubt that's your 
samaccountname; it is more likely maile.halatuituia. So, on the default realm, 
check strip on portal. If you don't want to do it on the default realm, create 
tcc.to and strip it.

Thanks,

Ludovic Zammit

[email protected] ::  +1.514.447.4918 (x145) ::  www.inverse.ca

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)





On Oct 4, 2020, at 6:36 PM, Maile Halatuituia via PacketFence-users 
<[email protected]> wrote:

More info

I would appreciate it if someone could help.

Oct  5 11:12:26 pfence-cen httpd_aaa_err: Use of uninitialized value $role in 
concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489.
Oct  5 11:12:26 pfence-cen httpd_aaa_err: Use of uninitialized value $vlanName 
in hash element at /usr/local/pf/lib/pf/Switch.pm line 608.
Oct  5 11:12:26 pfence-cen httpd_aaa_err: Use of uninitialized value $vlanName 
in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 611.
Oct  5 11:13:00 pfence-cen httpd_aaa_err: Use of uninitialized value $role in 
concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489.
Oct  5 11:13:00 pfence-cen httpd_aaa_err: Use of uninitialized value $vlanName 
in hash element at /usr/local/pf/lib/pf/Switch.pm line 608.
Oct  5 11:13:00 pfence-cen httpd_aaa_err: Use of uninitialized value $vlanName 
in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 611.
Oct  5 11:13:40 pfence-cen httpd_aaa_err: Use of uninitialized value $role in 
concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489.
Oct  5 11:13:40 pfence-cen httpd_aaa_err: Use of uninitialized value $vlanName 
in hash element at /usr/local/pf/lib/pf/Switch.pm line 608.
Oct  5 11:13:40 pfence-cen httpd_aaa_err: Use of uninitialized value $vlanName 
in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 611.
Oct  5 11:35:18 pfence-cen httpd_aaa_err: Use of uninitialized value $role in 
concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489.
Oct  5 11:35:18 pfence-cen httpd_aaa_err: Use of uninitialized value $vlanName 
in hash element at /usr/local/pf/lib/pf/Switch.pm line 608.
Oct  5 11:35:18 pfence-cen httpd_aaa_err: Use of uninitialized value $vlanName 
in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 611.

I might have more config to add, but I am not sure what it is. Hopefully someone 
who has had this issue before can help out.
Thanks.

From: Maile Halatuituia via PacketFence-users <[email protected]>
Sent: Sunday, 4 October 2020 4:14 PM
To: [email protected]
Cc: Maile Halatuituia <[email protected]>
Subject: Re: [PacketFence-users] Authentication Failed.

resend

From: Maile Halatuituia via PacketFence-users <[email protected]>
Sent: Friday, 2 October 2020 2:21 PM
To: [email protected]
Cc: Maile Halatuituia <[email protected]>
Subject: [PacketFence-users] Authentication Failed.

This is what I have.

Logs

  1.  /usr/local/pf/logs/packetfence.log
Oct  2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) INFO: 
[mac:c8:f7:50:7f:18:4c] handling radius autz request: from switch_ip => 
(10.0.1.18), connection_type => Ethernet-NoEAP,switch_mac => (Unknown), mac => 
[c8:f7:50:7f:18:4c], port => 8204, username => "[email protected]" 
(pf::radius::authorize)
Oct  2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) INFO: 
[mac:c8:f7:50:7f:18:4c] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Oct  2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) INFO: 
[mac:c8:f7:50:7f:18:4c] Found authentication source(s) : 'local,TCCAD' for 
realm 'default' (pf::config::util::filter_authentication_sources)
Oct  2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) INFO: 
[mac:c8:f7:50:7f:18:4c] Connection type is MAC-AUTH. Getting role from 
node_info (pf::role::getRegisteredRole)
Oct  2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) WARN: 
[mac:c8:f7:50:7f:18:4c] Use of uninitialized value $role in concatenation (.) 
or string at /usr/local/pf/lib/pf/role.pm line 489.
(pf::role::getRegisteredRole)
Oct  2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) INFO: 
[mac:c8:f7:50:7f:18:4c] Username was NOT defined or unable to match a role - 
returning node based role '' (pf::role::getRegisteredRole)
Oct  2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) INFO: 
[mac:c8:f7:50:7f:18:4c] PID: "default", Status: reg Returned VLAN: (undefined), 
Role: (undefined) (pf::role::fetchRoleForNode)
Oct  2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) WARN: 
[mac:c8:f7:50:7f:18:4c] Use of uninitialized value $vlanName in hash element at 
/usr/local/pf/lib/pf/Switch.pm line 608.
(pf::Switch::getVlanByName)
Oct  2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) WARN: 
[mac:c8:f7:50:7f:18:4c] Use of uninitialized value $vlanName in concatenation 
(.) or string at /usr/local/pf/lib/pf/Switch.pm line 611.
(pf::Switch::getVlanByName)
Oct  2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) WARN: 
[mac:c8:f7:50:7f:18:4c] No parameter Vlan found in conf/switches.conf for the 
switch 10.0.1.18 (pf::Switch::getVlanByName)


  2.  /usr/local/pf/logs/radius.log
Oct  2 14:16:00 pfence-cen auth[80961]: Adding client 10.0.1.18/32
Oct  2 14:16:00 pfence-cen auth[80961]: [mac:c8:f7:50:7f:18:4c] Accepted user:  
and returned VLAN
Oct  2 14:16:00 pfence-cen auth[80961]: (1612) Login OK: [[email protected]] 
(from client 10.0.1.18/32 port 8204 cli c8:f7:50:7f:18:4c)

Config File


  1.  Authentication.conf
[TCCAD]
cache_match=0
read_timeout=10
realms=default
basedn=CN=Administrator,CN=Users,DC=tcc,DC=to
monitor=1
shuffle=0
searchattributes=
set_access_durations_action=
scope=sub
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=1
encryption=none
description=Domain Controller
port=389
host=10.0.1.10
write_timeout=5
type=AD

[TCCAD rule employee]
action0=set_role=default
status=enabled
match=all
class=authentication
action1=set_unreg_date=2021-01-01 00:00:00
description=For all Wires Employee


  2.  Domain.conf

[tccto]
status=enabled
ntlm_cache_filter=(&(samAccountName=*)(!(|(lockoutTime=>0)(userAccountControl:1.2.840.113556.1.4.803:=2))))
registration=0
ntlm_cache_expiry=3600
dns_name=TCC.TO
dns_servers=10.0.1.8,10.0.1.10
ou=Computers
ntlm_cache_on_connection=disabled
#workgroup=TCC.TO
ntlm_cache_batch_one_at_a_time=disabled
ad_server=10.0.1.10
sticky_dc=10.0.1.10
ntlm_cache_batch=disabled
server_name=%h
ntlmv2_only=0
workgroup=TCC-NETWORK
# Copyright (C) Inverse inc.
Strangely, the radius log above says but I still have authentication failed on 
the status. Not only that, but if I use any username or password it just keeps 
saying login OK. It looks like the authentication is correctly forwarded to the 
DC, or something else. I would appreciate any help on this.

FYI
The domain is joined just fine with no problem
[TCC]
Confidentiality Notice:
This email (including any attachment) is intended for internal use only. Any 
unauthorized use, dissemination or copying of the content is prohibited. If you 
are not the intended recipient and have received this e-mail in error, please 
notify the sender by email and delete this email and any attachment.
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users

<rule.png><administrator_accout.png>


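The two points raised in this thread, stripping the realm from the RADIUS username before the AD lookup and the "Unable to execute search (sAMAccountName=...) from CN=Administrator,CN=Users,DC=tcc,DC=to" error, both come down to what PacketFence's AD source does when a rule is matched: build a filter on the configured username attribute and run a subtree search from the configured basedn. The following is an added example, not PacketFence's own code and not from anyone in the thread. It models that lookup over a small in-memory directory so it runs offline; the directory entries, the user's DN and the user@realm string are constructed assumptions built from the username and domain names that appear above. It shows that with the realm suffix left on, the filter asks for a sAMAccountName containing "@" and matches nothing, and that a subtree search rooted at a single user's DN (a search base that is itself an entry under CN=Users) can only ever see that one entry, so a lookup for any other account returns nothing either.

```python
"""Added example (not PacketFence code): model the username handling and the
LDAP lookup behind 'Unable to execute search (sAMAccountName=...) from <basedn>'
over a constructed in-memory directory, so it runs offline."""


def strip_realm(username: str, strip: bool = True) -> str:
    """Mirror the realm 'strip username' options: drop a trailing '@realm'
    (or a leading 'DOMAIN\\') so the filter compares against sAMAccountName."""
    if not strip:
        return username
    if "@" in username:
        return username.rsplit("@", 1)[0]
    if "\\" in username:
        return username.split("\\", 1)[1]
    return username


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a username cannot alter the filter structure."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def build_filter(username_attribute: str, username: str) -> str:
    """The search filter PacketFence logs, e.g. (sAMAccountName=maile.halatuituia)."""
    return "(%s=%s)" % (username_attribute, escape_filter_value(username))


def _rdns(dn: str) -> list:
    # Simplified DN parsing: assumes no escaped commas inside RDN values.
    return [part.strip().lower() for part in dn.split(",")]


def in_subtree(entry_dn: str, base_dn: str) -> bool:
    """True when entry_dn is base_dn itself or lies beneath it (scope=sub)."""
    entry, base = _rdns(entry_dn), _rdns(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base


# Constructed sample directory; the DNs and attribute values are assumptions
# built from the username and domain names that appear in the thread.
DIRECTORY = {
    "CN=Administrator,CN=Users,DC=tcc,DC=to": {"sAMAccountName": "Administrator"},
    "CN=Maile Halatuituia,CN=Users,DC=tcc,DC=to": {"sAMAccountName": "maile.halatuituia"},
}


def search(base_dn: str, username_attribute: str, username: str) -> list:
    """Subtree search for (username_attribute=username) under base_dn.
    AD compares sAMAccountName case-insensitively, so lower-case both sides."""
    wanted = username.lower()
    return [
        dn for dn, attrs in DIRECTORY.items()
        if in_subtree(dn, base_dn)
        and attrs.get(username_attribute, "").lower() == wanted
    ]


def check_source(basedn: str, username_attribute: str, raw_username: str, strip: bool) -> dict:
    """Run the lookup the way a rule match would and report what happened."""
    username = strip_realm(raw_username, strip)
    ldap_filter = build_filter(username_attribute, username)
    matches = search(basedn, username_attribute, username)
    return {"username": username, "filter": ldap_filter, "matches": matches}


if __name__ == "__main__":
    raw = "maile.halatuituia@tcc.to"  # constructed: username + realm from the thread
    # Search base set to a single user's DN, as in the thread's [TCCAD] section:
    # a subtree search rooted there can only ever see that one entry.
    print(check_source("CN=Administrator,CN=Users,DC=tcc,DC=to", "sAMAccountName", raw, True))
    # Search base covering the whole domain, with the realm stripped: one match.
    print(check_source("DC=tcc,DC=to", "sAMAccountName", raw, True))
    # Realm not stripped: the filter asks for a sAMAccountName containing '@'.
    print(check_source("DC=tcc,DC=to", "sAMAccountName", raw, False))
```

The same three cases can be reproduced against a real domain controller with `ldapsearch`, binding with the account PacketFence uses and varying only the `-b` search base and the filter value; the pftest output in the thread then changes from "Did not match against TCCAD" to a matched rule only when both the stripped username and a base that contains the user entries are in place.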
