Hello Maile,

That’s your error there, fix it and fix your error.

Authentication.conf

[TCCAD]
cache_match=0
read_timeout=10
realms=default
basedn=CN=Administrator,CN=Users,DC=tcc,DC=to
monitor=1
shuffle=0
searchattributes=
set_access_durations_action=
scope=sub
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=1
encryption=none
description=Domain Controller
port=389
host=10.0.1.10
write_timeout=5
type=AD

The “basedn” is missing. Remove your realm default also.

Does that source show a green check if you click test next to the password?

Thanks,

Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

> On Oct 6, 2020, at 3:31 PM, Maile Halatuituia <[email protected]> wrote:
>
> Hi Ludovic
> In addition to what I have is this error now
>
> packetfence: pftest(9147) ERROR: [TCCAD] Unable to execute search (sAMAccountName=maile.halatuituia) from CN=Administrator,CN=Users,DC=tcc,DC=to on 10.0.1.10:389, we skip the rule. (pf::Authentication::Source::LDAPSource::_match_in_subclass)
>
> From: Maile Halatuituia
> Sent: Wednesday, 7 October 2020 8:07 AM
> To: 'Ludovic Zammit' <[email protected]>
> Cc: [email protected]
> Subject: RE: [PacketFence-users] Authentication Failed.
>
> Hi Ludovic
> Is it possible that you can share your authentication source config so I can compare it to mine?
>
> From: Ludovic Zammit <[email protected]>
> Sent: Wednesday, 7 October 2020 1:14 AM
> To: Maile Halatuituia <[email protected]>
> Cc: [email protected]
> Subject: Re: [PacketFence-users] Authentication Failed.
>
> Hello,
>
> You get something like this for the portal section:
>
> [root@pf-testing pf]# bin/pftest authentication lzammit "" ZAMMIT-AD
> Testing authentication for "lzammit"
>
> Authenticating against 'ZAMMIT-AD' in context 'admin'
> Authentication FAILED against ZAMMIT-AD (Invalid login or password)
> Matched against ZAMMIT-AD for 'authentication' rule staff
> set_role : staff
> set_access_duration : 2Y
> Matched against ZAMMIT-AD for 'administration' rule catchall
> set_access_level : ALL
>
> Authenticating against 'ZAMMIT-AD' in context 'portal'
> Authentication FAILED against ZAMMIT-AD (Invalid login or password)
> Matched against ZAMMIT-AD for 'authentication' rule staff
> set_role : staff
> set_access_duration : 2Y
> Matched against ZAMMIT-AD for 'administration' rule catchall
> set_access_level : ALL
>
> If you don’t have that, your AD source is not configured properly.
>
> Then you have "Rejected in post-auth:”; it means that the reject’s reason would be in the logs/packetfence.log.
>
> Thanks,
>
> Ludovic Zammit
> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>
> > On Oct 5, 2020, at 4:11 PM, Maile Halatuituia <[email protected]> wrote:
> >
> > Hi Ludovic
> > Thanks for your reply.
> >
> > > It looks like that you are not matching any rules in TCCAD.
> > I have attached what I configure on my rules for reference.
> >
> > > First click the test button on the source, make sure it’s green and working, then try to see if your username matches the rules:
> > I also attached the username I use on the authentication source using the administrator account. I am not sure if I use it correctly or not.
> >
> > > /usr/local/pf/bin/pftest authentication maile.halatuituia “” TCCAD
> >
> > Here is the result, not sure why the error but the domain I joined OK.
> >
> > [root@pfence-cen bin]# ./pftest authentication maile.halatuituia "" TCCAD
> > Testing authentication for "maile.halatuituia"
> >
> > Authenticating against 'TCCAD' in context 'admin'
> > Authentication FAILED against TCCAD (Unable to validate credentials at the moment)
> > Did not match against TCCAD for 'authentication' rules
> > Did not match against TCCAD for 'administration' rules
> >
> > Authenticating against 'TCCAD' in context 'portal'
> > Authentication FAILED against TCCAD (Unable to validate credentials at the moment)
> > Did not match against TCCAD for 'authentication' rules
> > Did not match against TCCAD for 'administration' rules
> >
> > Lastly I have also recreated another realm tcc.to below
> >
> > [1 tcc.to]
> > permit_custom_attributes=disabled
> > radius_auth_proxy_type=keyed-balance
> > radius_auth_compute_in_pf=enabled
> > admin_strip_username=enabled
> > eduroam_radius_auth=
> > domain=tccto
> > radius_strip_username=enabled
> > eduroam_radius_auth_proxy_type=keyed-balance
> > eduroam_radius_acct=
> > portal_strip_username=enabled
> > eap=default
> > radius_acct_proxy_type=load-balance
> > radius_auth=
> > ldap_source=TCCAD
> > eduroam_radius_auth_compute_in_pf=enabled
> > eduroam_radius_acct_proxy_type=load-balance
> > radius_acct=
> >
> > but I still have the same error
> >
> > In addition to this I tried to test from a Huawei Switch with a test command and here is what I see in /usr/local/pf/logs/radius.log
> >
> > Oct 6 09:09:33 pfence-cen auth[2421]: (5406) rest: ERROR: Server returned:
> > Oct 6 09:09:33 pfence-cen auth[2421]: (5406) rest: ERROR: {"control:PacketFence-Authorization-Status":"allow","Reply-Message":"Authentication failed on PacketFence"}
> > Oct 6 09:09:33 pfence-cen auth[2421]: [mac:] Rejected user: [email protected]
> > Oct 6 09:09:33 pfence-cen auth[2421]: (5406) Rejected in post-auth: [[email protected]] (from client 10.0.1.18/32 port 0)
> > Oct 6 09:09:33 pfence-cen auth[2421]: (5406) Login incorrect (rest: Server returned:): [[email protected]] (from client 10.0.1.18/32 port 0)
> >
> > From: Ludovic Zammit <[email protected]>
> > Sent: Tuesday, 6 October 2020 1:00 AM
> > To: [email protected]
> > Cc: Maile Halatuituia <[email protected]>
> > Subject: Re: [PacketFence-users] Authentication Failed.
> >
> > Hello,
> >
> > That authentication looks ok but your authorization does not.
> >
> > It looks like that you are not matching any rules in TCCAD.
> >
> > First click the test button on the source, make sure it’s green and working, then try to see if your username matches the rules:
> >
> > /usr/local/pf/bin/pftest authentication maile.halatuituia “” TCCAD
> >
> > The AD source is looking for a [email protected] and I doubt that’s your samaccountname, more like maile.halatuituia so, on the default realm, check strip on portal. If you don’t want to do it on the default realm, create tcc.to and strip it.
> >
> > Thanks,
> >
> > Ludovic Zammit
> > [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
> > Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
> >
> > > On Oct 4, 2020, at 6:36 PM, Maile Halatuituia via PacketFence-users <[email protected]> wrote:
> > >
> > > More info
> > >
> > > Appreciate it if someone helps
> > >
> > > Oct 5 11:12:26 pfence-cen httpd_aaa_err: Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489.
> > > Oct 5 11:12:26 pfence-cen httpd_aaa_err: Use of uninitialized value $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 608.
> > > Oct 5 11:12:26 pfence-cen httpd_aaa_err: Use of uninitialized value $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 611.
> > > Oct 5 11:13:00 pfence-cen httpd_aaa_err: Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489.
> > > Oct 5 11:13:00 pfence-cen httpd_aaa_err: Use of uninitialized value $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 608.
> > > Oct 5 11:13:00 pfence-cen httpd_aaa_err: Use of uninitialized value $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 611.
> > > Oct 5 11:13:40 pfence-cen httpd_aaa_err: Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489.
> > > Oct 5 11:13:40 pfence-cen httpd_aaa_err: Use of uninitialized value $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 608.
> > > Oct 5 11:13:40 pfence-cen httpd_aaa_err: Use of uninitialized value $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 611.
> > > Oct 5 11:35:18 pfence-cen httpd_aaa_err: Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489.
> > > Oct 5 11:35:18 pfence-cen httpd_aaa_err: Use of uninitialized value $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 608.
> > > Oct 5 11:35:18 pfence-cen httpd_aaa_err: Use of uninitialized value $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 611.
> > >
> > > I might have more config to add but not sure what it is. Hopefully someone who had this issue before can help out.
> > > Thanks.
> > >
> > > From: Maile Halatuituia via PacketFence-users <[email protected]>
> > > Sent: Sunday, 4 October 2020 4:14 PM
> > > To: [email protected]
> > > Cc: Maile Halatuituia <[email protected]>
> > > Subject: Re: [PacketFence-users] Authentication Failed.
> > >
> > > resend
> > >
> > > From: Maile Halatuituia via PacketFence-users <[email protected]>
> > > Sent: Friday, 2 October 2020 2:21 PM
> > > To: [email protected]
> > > Cc: Maile Halatuituia <[email protected]>
> > > Subject: [PacketFence-users] Authentication Failed.
> > >
> > > This is what I have.
> > >
> > > Logs
> > > (/usr/local/pf/logs/packetfence.log)
> > >
> > > Oct 2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) INFO: [mac:c8:f7:50:7f:18:4c] handling radius autz request: from switch_ip => (10.0.1.18), connection_type => Ethernet-NoEAP,switch_mac => (Unknown), mac => [c8:f7:50:7f:18:4c], port => 8204, username => "[email protected]" (pf::radius::authorize)
> > > Oct 2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) INFO: [mac:c8:f7:50:7f:18:4c] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
> > > Oct 2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) INFO: [mac:c8:f7:50:7f:18:4c] Found authentication source(s) : 'local,TCCAD' for realm 'default' (pf::config::util::filter_authentication_sources)
> > > Oct 2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) INFO: [mac:c8:f7:50:7f:18:4c] Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole)
> > > Oct 2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) WARN: [mac:c8:f7:50:7f:18:4c] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489. (pf::role::getRegisteredRole)
> > > Oct 2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) INFO: [mac:c8:f7:50:7f:18:4c] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
> > > Oct 2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) INFO: [mac:c8:f7:50:7f:18:4c] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
> > > Oct 2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) WARN: [mac:c8:f7:50:7f:18:4c] Use of uninitialized value $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 608. (pf::Switch::getVlanByName)
> > > Oct 2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) WARN: [mac:c8:f7:50:7f:18:4c] Use of uninitialized value $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 611. (pf::Switch::getVlanByName)
> > > Oct 2 14:16:00 pfence-cen packetfence_httpd.aaa: httpd.aaa(2345) WARN: [mac:c8:f7:50:7f:18:4c] No parameter Vlan found in conf/switches.conf for the switch 10.0.1.18 (pf::Switch::getVlanByName)
> > >
> > > (/usr/local/pf/logs/radius.log)
> > > Oct 2 14:16:00 pfence-cen auth[80961]: Adding client 10.0.1.18/32
> > > Oct 2 14:16:00 pfence-cen auth[80961]: [mac:c8:f7:50:7f:18:4c] Accepted user: and returned VLAN
> > > Oct 2 14:16:00 pfence-cen auth[80961]: (1612) Login OK: [[email protected]] (from client 10.0.1.18/32 port 8204 cli c8:f7:50:7f:18:4c)
> > >
> > > Config File
> > >
> > > Authentication.conf
> > > [TCCAD]
> > > cache_match=0
> > > read_timeout=10
> > > realms=default
> > > basedn=CN=Administrator,CN=Users,DC=tcc,DC=to
> > > monitor=1
> > > shuffle=0
> > > searchattributes=
> > > set_access_durations_action=
> > > scope=sub
> > > email_attribute=mail
> > > usernameattribute=sAMAccountName
> > > connection_timeout=1
> > > encryption=none
> > > description=Domain Controller
> > > port=389
> > > host=10.0.1.10
> > > write_timeout=5
> > > type=AD
> > >
> > > [TCCAD rule employee]
> > > action0=set_role=default
> > > status=enabled
> > > match=all
> > > class=authentication
> > > action1=set_unreg_date=2021-01-01 00:00:00
> > > description=For all Wires Employee
> > >
> > > Domain.conf
> > >
> > > [tccto]
> > > status=enabled
> > > ntlm_cache_filter=(&(samAccountName=*)(!(|(lockoutTime=>0)(userAccountControl:1.2.840.113556.1.4.803:=2))))
> > > registration=0
> > > ntlm_cache_expiry=3600
> > > dns_name=TCC.TO
> > > dns_servers=10.0.1.8,10.0.1.10
> > > ou=Computers
> > > ntlm_cache_on_connection=disabled
> > > #workgroup=TCC.TO
> > > ntlm_cache_batch_one_at_a_time=disabled
> > > ad_server=10.0.1.10
> > > sticky_dc=10.0.1.10
> > > ntlm_cache_batch=disabled
> > > server_name=%h
> > > ntlmv2_only=0
> > > workgroup=TCC-NETWORK
> > > # Copyright (C) Inverse inc.
> > >
> > > Strangely the radius log above says but still I have authentication failed on the status, not only that but if I use any username or password it just keeps saying login OK. Looks like the authentication is correctly forwarded to the DC or something else. Would appreciate any help on this.
> > >
> > > FYI
> > > The domain is joined just fine with no problem
> > >
> > > Confidentiality Notice:
> > > This email (including any attachment) is intended for internal use only. Any unauthorized use, dissemination or copying of the content is prohibited. If you are not the intended recipient and have received this e-mail in error, please notify the sender by email and delete this email and any attachment.
> > <rule.png><administrator_accout.png>
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
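The two things Ludovic keeps pointing at are the AD source's basedn (the DN of the Administrator account rather than a container to search under) and the realm strip that decides whether the full user@tcc.to login or the bare sAMAccountName reaches the LDAP search. The script below is an added example, not PacketFence code and not anything posted in the thread: it parses a constructed copy of the [TCCAD] block plus a realm section shaped like the tcc.to realm, flags what a reviewer would check (a search base that names an object, no bind DN, cleartext LDAP on 389), and shows how stripping changes the value that lands in the search filter, with RFC 4515 escaping so the login name cannot alter the filter. The container heuristic, the `binddn` key name, the simplified realm-resolution rule and the sample login `jdoe@tcc.to` are assumptions.

```python
"""Added example (not PacketFence code): review an AD/LDAP authentication
source the way this thread does, and show what realm stripping feeds into
the LDAP search filter.

Assumptions: key names basedn/binddn/encryption follow the posted
authentication.conf; the realm-resolution and strip rules are a simplified
stand-in for PacketFence's own logic; the login jdoe@tcc.to is constructed.
"""
import configparser

# Constructed sample: the [TCCAD] source as posted in the thread (trimmed),
# plus a realm section shaped like the tcc.to realm created later on.
SAMPLE_CONF = """
[TCCAD]
type=AD
host=10.0.1.10
port=389
encryption=none
basedn=CN=Administrator,CN=Users,DC=tcc,DC=to
usernameattribute=sAMAccountName
scope=sub
realms=default

[tcc.to]
ldap_source=TCCAD
portal_strip_username=enabled
radius_strip_username=enabled
"""


def load_conf(text):
    """Parse INI-style config; interpolation is off so '%h'-style values survive."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def dn_rdns(dn):
    """Split a DN into (attribute, value) pairs, left to right (no escape handling)."""
    return [tuple(part.strip().split("=", 1)) for part in dn.split(",")]


def is_container_dn(dn):
    """Heuristic (assumption): a search base should name a container, i.e. a DC
    root, an OU, or a CN directly under the domain such as CN=Users, not an
    object inside one. CN=Administrator,CN=Users,DC=... therefore fails."""
    rdns = dn_rdns(dn)
    attr = rdns[0][0].upper()
    if attr in ("DC", "OU"):
        return True
    return attr == "CN" and len(rdns) > 1 and rdns[1][0].upper() == "DC"


def check_source(cp, name):
    """Return findings (strings) for one LDAP/AD source section."""
    s = cp[name]
    findings = []
    basedn = s.get("basedn", "").strip()
    if not basedn:
        findings.append("basedn: empty; searches have no base")
    elif not is_container_dn(basedn):
        findings.append(f"basedn: {basedn} names a single object, not a container; "
                        "a search for any other account under it finds nothing")
    if not s.get("binddn", "").strip():  # assumed key name
        findings.append("binddn: not set; AD refuses unauthenticated searches by default")
    if s.get("encryption", "none").lower() == "none":
        findings.append(f"encryption: none on port {s.get('port', '389')}; the bind "
                        "password and directory data cross the network in cleartext")
    return findings


def resolve_username(cp, username):
    """Simplified realm handling (assumption): split user@realm, use that realm's
    section if it exists (else 'default'), and strip the realm only when the
    section enables portal_strip_username. Without a strip, the full login is
    what gets searched as sAMAccountName, which is the mismatch in the thread."""
    if "@" in username:
        user, realm = username.rsplit("@", 1)
    else:
        user, realm = username, "default"
    section = realm if cp.has_section(realm) else "default"
    strip = cp.has_section(section) and cp[section].get("portal_strip_username") == "enabled"
    return (user if strip else username), section


def ldap_filter(attr, value):
    """Build (attr=value) with RFC 4515 escaping so a user-supplied value cannot
    change the filter's structure (no wildcard or parenthesis injection)."""
    escaped = (value.replace("\\", "\\5c").replace("*", "\\2a")
               .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))
    return f"({attr}={escaped})"


if __name__ == "__main__":
    conf = load_conf(SAMPLE_CONF)
    for finding in check_source(conf, "TCCAD"):
        print("FINDING", finding)
    for login in ("jdoe@tcc.to", "jdoe", "jdoe@other.example"):
        value, realm = resolve_username(conf, login)
        print(login, "-> realm", realm, "-> filter", ldap_filter("sAMAccountName", value))
```

Run it as-is and the three findings match Ludovic's advice (fix the base DN, set a bind account, and, as a caveat the thread does not raise, move off cleartext LDAP); the realm loop shows that only a login whose realm has stripping enabled is reduced to the bare account name the AD source can actually find.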
