Do the pftest again. It does not match the rule.
Send me the conf/authentication.conf, conf/profiles.conf and conf/realm.conf.

Thanks,

> On Mar 26, 2021, at 6:25 PM, Joel Rodriguez <[email protected]> wrote:
>
> Hi Ludovic,
>
> Tested after making that change.
>
> Here is the new authentication rule:
> <image.png>
>
> It is still not sending back the VLAN (aaa override is enabled on the WLC), and client devices are getting authenticated into the wireless even if my authentication rule does not match. It seems that no matter what I do nothing seems to make it work. We are trying to test this in a lab environment and the plan is to roll it out to our customers, with the appropriate support plan from PacketFence.
>
> Why is the file1 source matched below? Is that normal? Any other ideas or suggestions? At the end all we want is to authenticate against Active Directory and based on group membership assign a specific VLAN. Does that make sense? Thanks Ludovic for your help.
>
> This is the output of grep -i 56:59:f8:36:e1:55 /usr/local/pf/logs/packetfence.log
>
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] Unable to extract audit-session-id of Cisco-AVPair: service-type=Framed (pf::Switch::getCiscoAvPairAttribute)
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] handling radius autz request: from switch_ip => (172.16.99.99), connection_type => Wireless-802.11-EAP,switch_mac => (2c:f8:9b:9d:5f:60), mac => [56:59:f8:36:e1:55], port => 5, username => "test", ssid => Rodriguez-EWC (pf::radius::authorize)
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] Found authentication source(s) : 'file1' for realm 'null' (pf::config::util::filter_authentication_sources)
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] Using sources file1 for matching (pf::authentication::match2)
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] No rules matches or no category defined for the node, set it as unreg. (pf::role::getNodeInfoForAutoReg)
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) WARN: [mac:56:59:f8:36:e1:55] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] Found authentication source(s) : 'file1' for realm 'null' (pf::config::util::filter_authentication_sources)
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) WARN: [mac:56:59:f8:36:e1:55] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489.
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] PID: "test", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) WARN: [mac:56:59:f8:36:e1:55] Use of uninitialized value $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 609.
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) WARN: [mac:56:59:f8:36:e1:55] Use of uninitialized value $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 612.
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) WARN: [mac:56:59:f8:36:e1:55] No parameter Vlan found in conf/switches.conf for the switch 172.16.99.99 (pf::Switch::getVlanByName)
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) WARN: [mac:56:59:f8:36:e1:55] Use of uninitialized value $roleName in hash element at /usr/local/pf/lib/pf/Switch.pm line 592.
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) WARN: [mac:56:59:f8:36:e1:55] Use of uninitialized value $roleName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 595.
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] security_event 1300003 force-closed for 56:59:f8:36:e1:55 (pf::security_event::security_event_force_close)
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
>
>> On Fri, Mar 26, 2021 at 3:30 PM Ludovic Zammit <[email protected]> wrote:
>> Hello Joel,
>>
>> The rule is wrong, it’s not the attribute distinguishedName but memberof.
>>
>> Do: memberof equals CN=vlan100…...
>>
>> Change it and re-test, it should work.
>>
>> Thanks,
>>
>> Ludovic Zammit
>> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>>
>>> On Mar 25, 2021, at 8:14 AM, Joel Rodriguez <[email protected]> wrote:
>>>
>>> Ludovic,
>>>
>>> test user is an Active Directory user that is in the vlan100 AD group. I want to authenticate against AD.
>>> This is the authentication rule.
>>> <image.png>
>>>
>>> and output
>>>
>>> <image.png>
>>>
>>>> On Thu, Mar 25, 2021 at 8:09 AM Ludovic Zammit <[email protected]> wrote:
>>>> Where do you want to authenticate your test user?
>>>>
>>>> Where did you create it?
>>>>
>>>> Thanks,
>>>>
>>>> Ludovic Zammit
>>>> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
>>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>>>>
>>>>> On Mar 24, 2021, at 4:19 PM, Joel Rodriguez <[email protected]> wrote:
>>>>>
>>>>> Hi Ludovic,
>>>>>
>>>>> This is the output.
>>>>>
>>>>> <image.png>
>>>>>
>>>>>> On Tue, Mar 23, 2021 at 1:40 PM Ludovic Zammit <[email protected]> wrote:
>>>>>> Hello Joel,
>>>>>>
>>>>>> That output tells me that your node / username did not match any rule in any source.
>>>>>>
>>>>>> Do that and show me the result:
>>>>>>
>>>>>> grep -i MAC_ADDRESS /usr/local/pf/logs/packetfence.log
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Ludovic Zammit
>>>>>> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
>>>>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>>>>>>
>>>>>>> On Mar 23, 2021, at 1:33 PM, Joel Rodriguez <[email protected]> wrote:
>>>>>>>
>>>>>>> Ludovic, can you help with my question below. Also, this is the entire output; as you can see in the RADIUS reply, I do not see where PacketFence is sending back the VLAN.
>>>>>>>
>>>>>>> I am having an issue where I have a rule that successfully matches and is based on AD Group; however, even if the account used on the device is not on the correct AD Group it still successfully authenticates. I believe this is more of an AAA override issue. Is there anywhere on Packetfence where I can see if Packetfence is sending back the vlan assignment? All I see in the log is successful authentication, nothing indicating it sent back a vlan override. Thank you in advance for your help.
>>>>>>>
>>>>>>> Request Time
>>>>>>> 0
>>>>>>> RADIUS Request
>>>>>>> User-Name = "test"
>>>>>>> NAS-IP-Address = 172.16.99.99
>>>>>>> NAS-Port = 5
>>>>>>> Service-Type = Framed-User
>>>>>>> Framed-IP-Address = 172.16.100.174
>>>>>>> Framed-MTU = 1485
>>>>>>> State = 0x5ce103c05de81912a6fe102bc6c3d43e
>>>>>>> Called-Station-Id = "2c:21:21:9d:5f:60:Rdz-EWC
>>>>>>> Calling-Station-Id = "56:59:f8:36:e1:55"
>>>>>>> NAS-Identifier = "WLC2CF8.9B15.6E14"
>>>>>>> NAS-Port-Type = Wireless-802.11
>>>>>>> Event-Timestamp = "Mar 16 2021 08:59:38 EDT"
>>>>>>> EAP-Message = 0x020900061a03
>>>>>>> NAS-Port-Id = "capwap_90000004"
>>>>>>> Airespace-Wlan-Id = 1
>>>>>>> Cisco-AVPair = "service-type=Framed"
>>>>>>> Cisco-AVPair = "audit-session-id=636310AC0000004094F18357"
>>>>>>> Cisco-AVPair = "method=dot1x"
>>>>>>> Cisco-AVPair = "addrv6=fe80::1ca6:189c:65f4:5770"
>>>>>>> Cisco-AVPair = "client-iif-id=469767067"
>>>>>>> Cisco-AVPair = "vlan-id=100"
>>>>>>> Cisco-AVPair = "cisco-wlan-ssid=Rdz-EWC"
>>>>>>> Cisco-AVPair = "wlan-profile-name=Rdz-EWC"
>>>>>>> FreeRADIUS-Proxied-To = 127.0.0.1
>>>>>>> EAP-Type = MSCHAPv2
>>>>>>> Stripped-User-Name = "test"
>>>>>>> Realm = "null"
>>>>>>> Called-Station-SSID = "Rdz-EWC"
>>>>>>> PacketFence-Domain = "NNGDomain"
>>>>>>> PacketFence-KeyBalanced = "6d5099cbb3bd042f6788696b2f8e2bfc"
>>>>>>> PacketFence-Radius-Ip = "172.16.100.95"
>>>>>>> PacketFence-NTLMv2-Only = ""
>>>>>>> PacketFence-Outer-User = "test"
>>>>>>> User-Password = "******"
>>>>>>> SQL-User-Name = "test"
>>>>>>> RADIUS Reply
>>>>>>> EAP-Message = 0x03090004
>>>>>>> Message-Authenticator = 0x00000000000000000000000000000000
>>>>>>> User-Name = "test"
>>>>>>>
>>>>>>> ---------- Forwarded message ---------
>>>>>>> From: Joel Rodriguez <[email protected]>
>>>>>>> Date: Tue, Mar 16, 2021 at 10:13 AM
>>>>>>> Subject: VLAN Override Issue
>>>>>>> To: <[email protected]>
_______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
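An added check, not from the thread and not PacketFence's own code, that parses the RADIUS reply and the grep'd packetfence.log lines quoted above and answers the two questions raised in the thread: did the reply carry a VLAN at all, and which source, rule outcome and role/VLAN did PacketFence compute for the MAC. It assumes the WLC's AAA override acts on the RFC 3580 Tunnel-* attributes, which the thread never names.

```python
import re

# Constructed samples, copied from the RADIUS reply and grep output quoted in the thread.
SAMPLE_REPLY = """EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "test"
"""
SAMPLE_LOG = """Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] Found authentication source(s) : 'file1' for realm 'null' (pf::config::util::filter_authentication_sources)
Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] No rules matches or no category defined for the node, set it as unreg. (pf::role::getNodeInfoForAutoReg)
Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] PID: "test", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
"""

# Assumption: the WLC's AAA override acts on the RFC 3580 tunnel attributes; the thread
# never names them, it only shows a reply that carries none of them.
VLAN_ATTRS = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id")

def parse_reply(text):
    """Turn 'Attr = value' lines (optionally tagged, e.g. 'Attr:0') into a dict of value lists."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r'\s*([\w-]+)(?::\d+)?\s*=\s*(.*)$', line)
        if m:
            attrs.setdefault(m.group(1), []).append(m.group(2).strip().strip('"'))
    return attrs

def vlan_in_reply(reply_text):
    """Return the VLAN the reply assigns, or None when the tunnel attributes are absent."""
    attrs = parse_reply(reply_text)
    if all(a in attrs for a in VLAN_ATTRS):
        return attrs["Tunnel-Private-Group-Id"][0]
    return None

LOG_RE = re.compile(r'\[mac:([0-9a-f:]{17})\] (.*?) \((pf::[\w:]+)\)$')
ROLE_RE = re.compile(r'Returned VLAN: \((.*?)\), Role: \((.*?)\)')

def diagnose_log(log_text, mac):
    """Pull the source selection, rule outcome and computed role/VLAN for one MAC."""
    f = {"sources": None, "realm": None, "rule_matched": True, "vlan": None, "role": None}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group(1) != mac:
            continue
        msg, func = m.group(2), m.group(3)
        if func.endswith("::filter_authentication_sources"):
            s = re.search(r"source\(s\) : '(.*?)' for realm '(.*?)'", msg)
            f["sources"], f["realm"] = s.group(1), s.group(2)
        elif msg.startswith("No rules matches"):
            f["rule_matched"] = False  # no source rule hit, so no role and no VLAN follow
        elif func.endswith("::fetchRoleForNode"):
            r = ROLE_RE.search(msg)
            f["vlan"], f["role"] = r.group(1), r.group(2)
    return f
```

Run against the thread's own output, `vlan_in_reply` returns None and `diagnose_log` shows only `file1` being selected for realm `null` with no rule match, which is the chain behind the "(undefined)" VLAN.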
