Hi Ludovic

Is it possible that you can share your authentication source config so I can compare to mine?

From: Ludovic Zammit <[email protected]>
Sent: Wednesday, 7 October 2020 1:14 AM
To: Maile Halatuituia <[email protected]>
Cc: [email protected]
Subject: Re: [PacketFence-users] Authentication Failed.

Hello,

You get something like this for the portal section:

[root@pf-testing pf]# bin/pftest authentication lzammit "" ZAMMIT-AD
Testing authentication for "lzammit"
Authenticating against 'ZAMMIT-AD' in context 'admin'
Authentication FAILED against ZAMMIT-AD (Invalid login or password)
Matched against ZAMMIT-AD for 'authentication' rule staff
    set_role : staff
    set_access_duration : 2Y
Matched against ZAMMIT-AD for 'administration' rule catchall
    set_access_level : ALL
Authenticating against 'ZAMMIT-AD' in context 'portal'
Authentication FAILED against ZAMMIT-AD (Invalid login or password)
Matched against ZAMMIT-AD for 'authentication' rule staff
    set_role : staff
    set_access_duration : 2Y
Matched against ZAMMIT-AD for 'administration' rule catchall
    set_access_level : ALL

If you don't have that, your AD source is not configured properly.

Then you have "Rejected in post-auth:"; it means that the reject's reason would be in the logs/packetfence.log.

Thanks,

Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

On Oct 5, 2020, at 4:11 PM, Maile Halatuituia <[email protected]> wrote:

Hi Ludovic

Thanks for your reply.

>> It looks like that you are not matching any rules in TCCAD.

I have attached what I configured on my rules for reference.

>> First click the test button on the source, make sure it's green and working,
>> then try to see if your username matches the rules:

I also attached the username I use on the authentication source, using the administrator account. I am not sure if I use it correctly or not.

>> /usr/local/pf/bin/pftest authentication maile.halatuituia "" TCCAD

Here is the result, not sure why the error but the domain I joined OK.

[root@pfence-cen bin]# ./pftest authentication maile.halatuituia "" TCCAD
Testing authentication for "maile.halatuituia"
Authenticating against 'TCCAD' in context 'admin'
Authentication FAILED against TCCAD (Unable to validate credentials at the moment)
Did not match against TCCAD for 'authentication' rules
Did not match against TCCAD for 'administration' rules
Authenticating against 'TCCAD' in context 'portal'
Authentication FAILED against TCCAD (Unable to validate credentials at the moment)
Did not match against TCCAD for 'authentication' rules
Did not match against TCCAD for 'administration' rules

Lastly I have also recreated another realm, tcc.to, below:

[tcc.to]
permit_custom_attributes=disabled
radius_auth_proxy_type=keyed-balance
radius_auth_compute_in_pf=enabled
admin_strip_username=enabled
eduroam_radius_auth=
domain=tccto
radius_strip_username=enabled
eduroam_radius_auth_proxy_type=keyed-balance
eduroam_radius_acct=
portal_strip_username=enabled
eap=default
radius_acct_proxy_type=load-balance
radius_auth=
ldap_source=TCCAD
eduroam_radius_auth_compute_in_pf=enabled
eduroam_radius_acct_proxy_type=load-balance
radius_acct=

but I still have the same error.

In addition to this I tried to test from a Huawei switch with a test command and here is what I see in /usr/local/pf/logs/radius.log:

Oct 6 09:09:33 pfence-cen auth[2421]: (5406) rest: ERROR: Server returned:
Oct 6 09:09:33 pfence-cen auth[2421]: (5406) rest: ERROR: {"control:PacketFence-Authorization-Status":"allow","Reply-Message":"Authentication failed on PacketFence"}
Oct 6 09:09:33 pfence-cen auth[2421]: [mac:] Rejected user: [email protected]
Oct 6 09:09:33 pfence-cen auth[2421]: (5406) Rejected in post-auth: [[email protected]] (from client 10.0.1.18/32 port 0)
Oct 6 09:09:33 pfence-cen auth[2421]: (5406) Login incorrect (rest: Server returned:): [[email protected]] (from client 10.0.1.18/32 port 0)

Attachments: rule.png, administrator_accout.png

From: Ludovic Zammit <[email protected]>
Sent: Tuesday, 6 October 2020 1:00 AM
To: [email protected]
Cc: Maile Halatuituia <[email protected]>
Subject: Re: [PacketFence-users] Authentication Failed.

Hello,

That authentication looks ok but your authorization does not. It looks like that you are not matching any rules in TCCAD.

First click the test button on the source, make sure it's green and working, then try to see if your username matches the rules:

/usr/local/pf/bin/pftest authentication maile.halatuituia "" TCCAD

The AD source is looking for a [email protected] and I doubt that's your samaccountname, more like maile.halatuituia, so, on the default realm, check strip on portal. If you don't want to do it on the default realm, create tcc.to and strip it.

Thanks,

Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

On Oct 4, 2020, at 6:36 PM, Maile Halatuituia via PacketFence-users <[email protected]> wrote:

More info. Appreciate if someone can help.

Oct 5 11:12:26 pfence-cen httpd_aaa_err: Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489.
Oct 5 11:12:26 pfence-cen httpd_aaa_err: Use of uninitialized value $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 608.
Oct 5 11:12:26 pfence-cen httpd_aaa_err: Use of uninitialized value $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 611.
Oct 5 11:13:00 pfence-cen httpd_aaa_err: Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489.
Oct 5 11:13:00 pfence-cen httpd_aaa_err: Use of uninitialized value $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 608.
Oct 5 11:13:00 pfence-cen httpd_aaa_err: Use of uninitialized value $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 611.
Oct 5 11:13:40 pfence-cen httpd_aaa_err: Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489.
Oct 5 11:13:40 pfence-cen httpd_aaa_err: Use of uninitialized value $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 608.
Oct 5 11:13:40 pfence-cen httpd_aaa_err: Use of uninitialized value $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 611.
Oct 5 11:35:18 pfence-cen httpd_aaa_err: Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489.
Oct 5 11:35:18 pfence-cen httpd_aaa_err: Use of uninitialized value $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 608.
Oct 5 11:35:18 pfence-cen httpd_aaa_err: Use of uninitialized value $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 611.

I might have more config to add but not sure what it is. Hopefully someone who had this issue before can help out.

Thanks.

From: Maile Halatuituia via PacketFence-users <[email protected]>
Sent: Sunday, 4 October 2020 4:14 PM
To: [email protected]
Cc: Maile Halatuituia <[email protected]>
Subject: Re: [PacketFence-users] Authentication Failed.

resend

From: Maile Halatuituia via PacketFence-users <[email protected]>
Sent: Friday, 2 October 2020 2:21 PM
To: [email protected]
Cc: Maile Halatuituia <[email protected]>
Subject: [PacketFence-users] Authentication Failed.

This is what I have.

Logs

1. /usr/local/pf/logs/packetfence.log

Oct 2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) INFO: [mac:c8:f7:50:7f:18:4c] handling radius autz request: from switch_ip => (10.0.1.18), connection_type => Ethernet-NoEAP,switch_mac => (Unknown), mac => [c8:f7:50:7f:18:4c], port => 8204, username => "[email protected]" (pf::radius::authorize)
Oct 2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) INFO: [mac:c8:f7:50:7f:18:4c] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Oct 2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) INFO: [mac:c8:f7:50:7f:18:4c] Found authentication source(s) : 'local,TCCAD' for realm 'default' (pf::config::util::filter_authentication_sources)
Oct 2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) INFO: [mac:c8:f7:50:7f:18:4c] Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole)
Oct 2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) WARN: [mac:c8:f7:50:7f:18:4c] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489. (pf::role::getRegisteredRole)
Oct 2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) INFO: [mac:c8:f7:50:7f:18:4c] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
Oct 2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) INFO: [mac:c8:f7:50:7f:18:4c] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Oct 2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) WARN: [mac:c8:f7:50:7f:18:4c] Use of uninitialized value $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 608. (pf::Switch::getVlanByName)
Oct 2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) WARN: [mac:c8:f7:50:7f:18:4c] Use of uninitialized value $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 611. (pf::Switch::getVlanByName)
Oct 2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) WARN: [mac:c8:f7:50:7f:18:4c] No parameter Vlan found in conf/switches.conf for the switch 10.0.1.18 (pf::Switch::getVlanByName)

2. /usr/local/pf/logs/radius.log

Oct 2 14:16:00 pfence-cen auth[80961]: Adding client 10.0.1.18/32
Oct 2 14:16:00 pfence-cen auth[80961]: [mac:c8:f7:50:7f:18:4c] Accepted user: and returned VLAN
Oct 2 14:16:00 pfence-cen auth[80961]: (1612) Login OK: [[email protected]] (from client 10.0.1.18/32 port 8204 cli c8:f7:50:7f:18:4c)

Config File

1. Authentication.conf

[TCCAD]
cache_match=0
read_timeout=10
realms=default
basedn=CN=Administrator,CN=Users,DC=tcc,DC=to
monitor=1
shuffle=0
searchattributes=
set_access_durations_action=
scope=sub
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=1
encryption=none
description=Domain Controller
port=389
host=10.0.1.10
write_timeout=5
type=AD

[TCCAD rule employee]
action0=set_role=default
status=enabled
match=all
class=authentication
action1=set_unreg_date=2021-01-01 00:00:00
description=For all Wires Employee

2. Domain.conf

[tccto]
status=enabled
ntlm_cache_filter=(&(samAccountName=*)(!(|(lockoutTime=>0)(userAccountControl:1.2.840.113556.1.4.803:=2))))
registration=0
ntlm_cache_expiry=3600
dns_name=TCC.TO
dns_servers=10.0.1.8,10.0.1.10
ou=Computers
ntlm_cache_on_connection=disabled
#workgroup=TCC.TO
ntlm_cache_batch_one_at_a_time=disabled
ad_server=10.0.1.10
sticky_dc=10.0.1.10
ntlm_cache_batch=disabled
server_name=%h
ntlmv2_only=0
workgroup=TCC-NETWORK
# Copyright (C) Inverse inc.

Strangely the radius log above says but still I have authentication failed on the status; not only that, but if I use any username or password it just keeps saying login OK. Looks like the authentication is correctly forwarded to the DC or something else. Would appreciate any help on this.

FYI the domain is joined just fine with no problem.

[TCC] Confidentiality Notice: This email (including any attachment) is intended for internal use only. Any unauthorized use, dissemination or copying of the content is prohibited. If you are not the intended recipient and have received this e-mail in error, please notify the sender by email and delete this email and any attachment.

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
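The two checks Ludovic walks through in the thread (run pftest and look for "Matched against ... rule" lines; then make sure the realm strips the "@realm" suffix so the AD source searches for the sAMAccountName rather than user@realm) can be scripted. The Python below is an added example written for this page, not code from the thread or from the PacketFence project. It parses a pftest transcript into per-context results and matched rules, turns them into the findings a reader of this thread would look for, and models the realm strip option. The two transcripts are reconstructed from the ones quoted above; the `source_username` model, the realm dictionaries in the usage call, and the reading of "Unable to validate credentials at the moment" as a connectivity or bind problem (consistent with the advice to get the source's Test button green first) are assumptions of this example.

```python
import re
from typing import Dict, List

# Constructed sample input (not captured by me): the two pftest transcripts quoted in
# the thread, reduced to the lines the parser reads.
PFTEST_NO_RULES = """\
Testing authentication for "maile.halatuituia"
Authenticating against 'TCCAD' in context 'admin'
Authentication FAILED against TCCAD (Unable to validate credentials at the moment)
Did not match against TCCAD for 'authentication' rules
Did not match against TCCAD for 'administration' rules
Authenticating against 'TCCAD' in context 'portal'
Authentication FAILED against TCCAD (Unable to validate credentials at the moment)
Did not match against TCCAD for 'authentication' rules
Did not match against TCCAD for 'administration' rules
"""

PFTEST_HEALTHY_SOURCE = """\
Testing authentication for "lzammit"
Authenticating against 'ZAMMIT-AD' in context 'portal'
Authentication FAILED against ZAMMIT-AD (Invalid login or password)
Matched against ZAMMIT-AD for 'authentication' rule staff
    set_role : staff
    set_access_duration : 2Y
Matched against ZAMMIT-AD for 'administration' rule catchall
    set_access_level : ALL
"""

CONTEXT_RE = re.compile(r"^Authenticating against '(?P<src>[^']+)' in context '(?P<ctx>\w+)'")
RESULT_RE = re.compile(r"^Authentication (?P<status>\w+) against (?P<src>\S+)(?: \((?P<reason>.*)\))?$")
MATCH_RE = re.compile(r"^Matched against (?P<src>\S+) for '(?P<cls>\w+)' rule (?P<rule>\S+)")
NOMATCH_RE = re.compile(r"^Did not match against (?P<src>\S+) for '(?P<cls>\w+)' rules")
ACTION_RE = re.compile(r"^\s*(?P<action>\w+)\s*:\s*(?P<value>.+?)\s*$")


def parse_pftest(output: str) -> Dict[str, dict]:
    """Turn a pftest transcript into {context: {status, reason, matched, unmatched}}."""
    report: Dict[str, dict] = {}
    ctx = None           # context currently being reported ('admin' or 'portal')
    current_rule = None  # last matched (class, rule) so its action lines attach to it
    for line in output.splitlines():
        m = CONTEXT_RE.match(line)
        if m:
            ctx = m["ctx"]
            report[ctx] = {"status": None, "reason": None, "matched": {}, "unmatched": []}
            current_rule = None
            continue
        if ctx is None:
            continue  # banner such as 'Testing authentication for ...'
        entry = report[ctx]
        m = RESULT_RE.match(line)
        if m:
            entry["status"], entry["reason"] = m["status"], m["reason"]
            continue
        m = MATCH_RE.match(line)
        if m:
            current_rule = (m["cls"], m["rule"])
            entry["matched"].setdefault(m["cls"], {})[m["rule"]] = {}
            continue
        m = NOMATCH_RE.match(line)
        if m:
            entry["unmatched"].append(m["cls"])
            current_rule = None
            continue
        m = ACTION_RE.match(line)
        if m and current_rule:
            cls, rule = current_rule
            entry["matched"][cls][rule][m["action"]] = m["value"]
    return report


def diagnose(report: Dict[str, dict], context: str = "portal") -> List[str]:
    """Map one context's result onto the checks the thread walks through."""
    entry = report.get(context)
    if entry is None:
        return [f"no '{context}' context in transcript"]
    findings: List[str] = []
    reason = entry["reason"] or ""
    if "Unable to validate credentials" in reason:
        # Assumed reading: the source could not be queried at all (host, port,
        # encryption or bind settings), so start with the source's Test button.
        findings.append("source not reachable or bind failed: fix the source until its Test button is green")
    elif "Invalid login or password" in reason:
        findings.append("source reachable; user not found or password rejected (expected with an empty test password)")
    elif entry["status"] and entry["status"] != "FAILED":
        findings.append(f"authentication {entry['status']}")
    if not entry["matched"]:
        findings.append("no rule matched: check the username the source searches for (realm stripping) and the rule conditions")
    for cls, rules in entry["matched"].items():
        for rule, actions in rules.items():
            findings.append(f"{cls} rule '{rule}' matched with actions {actions}")
    return findings


def source_username(radius_username: str, realm: Dict[str, str], context: str) -> str:
    """Username handed to the AD source for this context, after realm stripping.

    Simplified model (an assumption, not PacketFence code): the '@realm' suffix is
    removed only when the realm's <context>_strip_username option is 'enabled'.
    """
    if "@" not in radius_username:
        return radius_username
    if realm.get(f"{context}_strip_username") == "enabled":
        return radius_username.split("@", 1)[0]
    return radius_username


if __name__ == "__main__":
    for name, sample in (("no rules", PFTEST_NO_RULES), ("healthy source", PFTEST_HEALTHY_SOURCE)):
        print(name, "->", *diagnose(parse_pftest(sample)), sep="\n  ")
    # Constructed realm stanzas: strip enabled (as in the thread's tcc.to) versus disabled.
    for cfg in ({"portal_strip_username": "enabled"}, {"portal_strip_username": "disabled"}):
        print(cfg, "->", source_username("jdoe@tcc.to", cfg, "portal"))
```

Run it against a real transcript by replacing the constructed samples with the captured output of `bin/pftest authentication <user> "" <source>`; the useful signal is the combination of the failure reason and whether any "Matched against" line appears at all, which is exactly what separates the two transcripts in the thread.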
