Hi!
I'm currently investigating problems with role assignments in
PacketFence. Here are the specs:
Packetfence 10.1.0 on Debian 9.13 attached via one ethernet interface
~20 Ubiquiti Access Points (managed by one Unifi-Controller)
The SSID uses RADIUS-assigned VLANs, from ID 771 (default) to 775.
PacketFence is configured according to the documentation for 802.1x, with the
difference that the filter in the profile (named 802.1x)
is set to 'any' with Connection Type (1) Ethernet-EAP and (2)
Wireless-802.11-EAP to support wired and wireless auths in our network.
We also have 2 internal sources: (1) HTL_AD (our Active Directory) and
(2) file1 (currently unused), plus the default external null source.
Our AD source has two authentication rules:
(1) Teachers, with "matches any":
member of equals cn=Teachers,OU=...
member of equals cn=Staff,OU=...
with Action Role = Teacher,
Access Duration 1 day
(2) Pupils, with "matches all":
member of equals cn=pupils,OU=...
with Action Role = Pupil,
Access Duration 12 hours
In the Switches section of PacketFence, we created an identifier for
every AP and set 'Role mapping by VLAN-ID',
where we entered the different VLAN-IDs. Therefore role Teacher should
get 772 and Pupil 773. The other IDs
are not used yet. All identifiers were cloned from the first
one, so there are no differences in configuration.
The problem: it's not working and I can't debug it. Here are the details
so far:
If User X (member of group Teachers) logs in from his mobile device, he
is often put in VLAN 771, sometimes in 772.
If User Y (member of group pupils) logs in from his mobile device, he is
often put in VLAN 771, sometimes in 773 and sometimes also in 772.
OK, so I took a look in Auditing for both users:
When Node Information displays the profile 802.1x, the entry Role shows
the given role name (Reason is empty) and the RADIUS reply contains
the correct Tunnel-Private-Group-ID (= the VLAN-ID).
When it's not working, the profile is shown as n/a and Role is empty, and
therefore Tunnel-Private-Group-ID too.
And I can't pinpoint the source of the problem, because:
- it seems not to be user related (1500 identical, bulk-deployed
user accounts; some work sometimes, some don't)
- it's not access point related (same configuration via Unifi controller)
- it seems time related (User X gets the correct VLAN at 10:00, but
not at 14:30; User Y gets the correct VLAN on Monday, but not the rest of
the week)
- debugging PacketFence is contradictory, because in Web-GUI/Auditing
User Y gets role Teacher, but a "pftest authentication UserY pwd" a few
seconds later in the shell results in role Pupil...
************************ The packetfence.log of a successful user:
Oct 22 13:29:37 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO:
[mac:34:e1:2d:4b:xx:47] Instantiate profile 802.1x
(pf::Connection::ProfileFactory::_from_profile)
Oct 22 13:29:37 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO:
[mac:34:e1:2d:4b:xx:47] handling radius autz request: from switch_ip =>
(10.71.100.144), connection_type => Wireless-802.11-EAP,switch_mac =>
(76:83:c2:c8:xx:79), mac => [34:e1:2d:4b:xx:47], port => 0, username =>
"USER_Y", ssid => htl-ui-ad (pf::radius::authorize)
Oct 22 13:29:37 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO:
[mac:34:e1:2d:4b:xx:47] Instantiate profile 802.1x
(pf::Connection::ProfileFactory::_from_profile)
Oct 22 13:29:37 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO:
[mac:34:e1:2d:4b:xx:47] Found authentication source(s) : 'HTL_AD' for
realm 'null' (pf::config::util::filter_authentication_sources)
Oct 22 13:29:37 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO:
[mac:34:e1:2d:4b:xx:47] Role has already been computed and we don't want
to recompute it. (pf::role::getNodeInfoForAutoReg)
Oct 22 13:29:37 ippf packetfence_httpd.aaa: httpd.aaa(1089) WARN:
[mac:34:e1:2d:4b:xx:47] No category computed for autoreg
(pf::role::getNodeInfoForAutoReg)
Oct 22 13:29:37 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO:
[mac:34:e1:2d:4b:xx:47] Found authentication source(s) : 'HTL_AD' for
realm 'null' (pf::config::util::filter_authentication_sources)
Oct 22 13:29:37 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO:
[mac:34:e1:2d:4b:xx:47] Role has already been computed and we don't want
to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
Oct 22 13:29:37 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO:
[mac:34:e1:2d:4b:xx:47] Username was defined "USER_Y" - returning role
'Pupil' (pf::role::getRegisteredRole)
Oct 22 13:29:37 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO:
[mac:34:e1:2d:4b:xx:47] PID: "USER_Y", Status: reg Returned VLAN:
(undefined), Role: Pupil (pf::role::fetchRoleForNode)
Oct 22 13:29:37 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO:
[mac:34:e1:2d:4b:xx:47] (10.71.100.144) Added VLAN 773 to the returned
RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Oct 22 13:29:37 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO:
[mac:34:e1:2d:4b:xx:47] security_event 1300003 force-closed for
34:e1:2d:4b:xx:47 (pf::security_event::security_event_force_close)
Oct 22 13:29:37 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO:
[mac:34:e1:2d:4b:xx:47] Instantiate profile 802.1x
(pf::Connection::ProfileFactory::_from_profile)
Oct 22 13:29:38 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO:
[mac:34:e1:2d:4b:xx:47] Updating locationlog from accounting request
(pf::api::handle_accounting_metadata)
Oct 22 13:29:38 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO:
[mac:34:e1:2d:4b:xx:47] Updating locationlog from accounting request
(pf::api::handle_accounting_metadata)
********************* This is when role assignment is unsuccessful:
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO:
[mac:0e:73:54:81:xx:98] handling radius autz request: from switch_ip =>
(10.71.100.112), connection_type => Wireless-802.11-EAP,switch_mac =>
(e2:63:da:65:xx:29), mac => [0e:73:54:81:xx:98], port => 0, username =>
"USER_X", ssid => htl-ui-ad (pf::radius::authorize)
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO:
[mac:0e:73:54:81:xx:98] Instantiate profile 802.1x
(pf::Connection::ProfileFactory::_from_profile)
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO:
[mac:0e:73:54:81:xx:98] Found authentication source(s) : 'HTL_AD' for
realm 'null' (pf::config::util::filter_authentication_sources)
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO:
[mac:0e:73:54:81:xx:98] Role has already been computed and we don't want
to recompute it. (pf::role::getNodeInfoForAutoReg)
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) WARN:
[mac:0e:73:54:81:xx:98] No category computed for autoreg
(pf::role::getNodeInfoForAutoReg)
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO:
[mac:0e:73:54:81:xx:98] Found authentication source(s) : 'HTL_AD' for
realm 'null' (pf::config::util::filter_authentication_sources)
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO:
[mac:0e:73:54:81:xx:98] Role has already been computed and we don't want
to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) WARN:
[mac:0e:73:54:81:xx:98] Use of uninitialized value $role in
concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489.
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO:
[mac:0e:73:54:81:xx:98] Username was NOT defined or unable to match a
role - returning node based role '' (pf::role::getRegisteredRole)
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO:
[mac:0e:73:54:81:xx:98] PID: "default", Status: reg Returned VLAN:
(undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) WARN:
[mac:0e:73:54:81:xx:98] Use of uninitialized value $vlanName in hash
element at /usr/local/pf/lib/pf/Switch.pm line 608.
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) WARN:
[mac:0e:73:54:81:xx:98] Use of uninitialized value $vlanName in
concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 611.
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) WARN:
[mac:0e:73:54:81:xx:98] No parameter Vlan found in conf/switches.conf
for the switch 10.71.100.112 (pf::Switch::getVlanByName)
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO:
[mac:0e:73:54:81:xx:98] security_event 1300003 force-closed for
0e:73:54:81:xx:98 (pf::security_event::security_event_force_close)
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO:
[mac:0e:73:54:81:xx:98] Instantiate profile 802.1x
(pf::Connection::ProfileFactory::_from_profile)
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO:
[mac:0e:73:54:81:xx:98] Updating locationlog from accounting request
(pf::api::handle_accounting_metadata)
I hope someone can help me. Just ask if you need any more logs or
information.
regards
Chris
P.S.: MAC addresses were obfuscated in the log!
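An added triage script (not from the post and not PacketFence's own tooling) that reads httpd.aaa lines like the two traces above, groups them by MAC and flags the failure signature visible in the second trace: the authorization request carried a username, but fetchRoleForNode returned PID "default" with an undefined role and no VLAN was added. The sample lines are constructed from the abridged traces above, and the regexes assume the log format shown there.

```python
import re
from collections import defaultdict

# Constructed sample, abridged from the two traces quoted in the post above.
SAMPLE_LOG = """\
Oct 22 13:29:37 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: [mac:34:e1:2d:4b:xx:47] handling radius autz request: from switch_ip => (10.71.100.144), connection_type => Wireless-802.11-EAP,switch_mac => (76:83:c2:c8:xx:79), mac => [34:e1:2d:4b:xx:47], port => 0, username => "USER_Y", ssid => htl-ui-ad (pf::radius::authorize)
Oct 22 13:29:37 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: [mac:34:e1:2d:4b:xx:47] PID: "USER_Y", Status: reg Returned VLAN: (undefined), Role: Pupil (pf::role::fetchRoleForNode)
Oct 22 13:29:37 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: [mac:34:e1:2d:4b:xx:47] (10.71.100.144) Added VLAN 773 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: [mac:0e:73:54:81:xx:98] handling radius autz request: from switch_ip => (10.71.100.112), connection_type => Wireless-802.11-EAP,switch_mac => (e2:63:da:65:xx:29), mac => [0e:73:54:81:xx:98], port => 0, username => "USER_X", ssid => htl-ui-ad (pf::radius::authorize)
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: [mac:0e:73:54:81:xx:98] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: [mac:0e:73:54:81:xx:98] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
"""

MAC_RE = re.compile(r"\[mac:([0-9a-fx:]+)\]")  # 'x' because the post obfuscates MACs
AUTHZ_RE = re.compile(r'switch_ip => \(([^)]+)\).*?username => "([^"]*)"')
ROLE_RE = re.compile(r'PID: "([^"]*)".*?Role: (\(undefined\)|\S+) \(pf::role::fetchRoleForNode\)')
VLAN_RE = re.compile(r"Added VLAN (\d+) to the returned RADIUS Access-Accept")
NO_ROLE_MARKER = "Username was NOT defined or unable to match a role"

def triage(log_text):
    """Group httpd.aaa lines by MAC and summarise each node's authorization outcome."""
    nodes = defaultdict(lambda: {"username": None, "switch_ip": None, "pid": None,
                                 "role": None, "vlan": None, "no_role_marker": False})
    for line in log_text.splitlines():
        m = MAC_RE.search(line)
        if not m:
            continue
        n = nodes[m.group(1)]
        if (a := AUTHZ_RE.search(line)):          # the incoming RADIUS authz request
            n["switch_ip"], n["username"] = a.group(1), a.group(2)
        elif (r := ROLE_RE.search(line)):         # what fetchRoleForNode decided
            n["pid"], n["role"] = r.group(1), r.group(2)
        elif (v := VLAN_RE.search(line)):         # VLAN actually put in Access-Accept
            n["vlan"] = int(v.group(1))
        elif NO_ROLE_MARKER in line:
            n["no_role_marker"] = True
    for n in nodes.values():
        if n["role"] and n["role"] != "(undefined)" and n["vlan"] is not None:
            n["outcome"] = "ok"
        elif n["username"] and n["pid"] == "default":
            n["outcome"] = "role-lost: request had a username but node PID is 'default'"
        else:
            n["outcome"] = "role-undefined"
    return dict(nodes)

if __name__ == "__main__":
    for mac, info in triage(SAMPLE_LOG).items():
        print(mac, info["username"], info["pid"], info["role"], info["vlan"], info["outcome"])
```

Run it over a full day of packetfence.log to see whether every "role-lost" node shares a time window or a switch_ip, which is the correlation the post could not establish by hand.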
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users