Hi Ludovic, *This is the pftest again. I have attached the requested files. Thanks again!!*

[image: image.png]

On Fri, Mar 26, 2021 at 6:38 PM Ludovic Zammit <[email protected]> wrote:

> Do the pftest again.
>
> It does not match the rule.
>
> Send me the conf/authentication.conf conf/profiles.conf and conf/realm.conf
>
> Thanks,
>
> On Mar 26, 2021, at 6:25 PM, Joel Rodriguez <[email protected]> wrote:
>
> Hi Ludovic,
>
> Tested after making that change.
>
> Here is the new authentication rule:
> <image.png>
>
> It is still not sending back the VLAN (aaa override is enabled on the WLC), and client devices are getting authenticated into the wireless even if my authentication rule does not match. It seems that no matter what I do nothing seems to make it work. We are trying to test this in a lab environment and the plan is to roll it out to our customers, with the appropriate support plan from PacketFence.
>
> *Why is the file1 source matched below? Is that normal? Any other ideas or suggestions? At the end all we want is to authenticate against Active Directory and based on group membership assign a specific vlan. Does that make sense? Thanks Ludovic for your help.*
>
> This is the output of grep -i 56:59:f8:36:e1:55 /usr/local/pf/logs/packetfence.log
>
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] Unable to extract audit-session-id of Cisco-AVPair: service-type=Framed (pf::Switch::getCiscoAvPairAttribute)
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] handling radius autz request: from switch_ip => (172.16.99.99), connection_type => Wireless-802.11-EAP,switch_mac => (2c:f8:9b:9d:5f:60), mac => [56:59:f8:36:e1:55], port => 5, username => "test", ssid => Rodriguez-EWC (pf::radius::authorize)
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] Found authentication source(s) : 'file1' for realm 'null' (pf::config::util::filter_authentication_sources)
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] Using sources file1 for matching (pf::authentication::match2)
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] No rules matches or no category defined for the node, set it as unreg. (pf::role::getNodeInfoForAutoReg)
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) WARN: [mac:56:59:f8:36:e1:55] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] Found authentication source(s) : 'file1' for realm 'null' (pf::config::util::filter_authentication_sources)
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) WARN: [mac:56:59:f8:36:e1:55] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489.
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] PID: "test", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) WARN: [mac:56:59:f8:36:e1:55] Use of uninitialized value $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 609.
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) WARN: [mac:56:59:f8:36:e1:55] Use of uninitialized value $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 612.
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) WARN: [mac:56:59:f8:36:e1:55] No parameter Vlan found in conf/switches.conf for the switch 172.16.99.99 (pf::Switch::getVlanByName)
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) WARN: [mac:56:59:f8:36:e1:55] Use of uninitialized value $roleName in hash element at /usr/local/pf/lib/pf/Switch.pm line 592.
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) WARN: [mac:56:59:f8:36:e1:55] Use of uninitialized value $roleName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 595.
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] security_event 1300003 force-closed for 56:59:f8:36:e1:55 (pf::security_event::security_event_force_close)
> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
>
> On Fri, Mar 26, 2021 at 3:30 PM Ludovic Zammit <[email protected]> wrote:
>
>> Hello Joel,
>>
>> The rule is wrong, it's not the attribute distinguishedName but memberof.
>>
>> Do: memberof equals CN=vlan100…...
>>
>> Change it and re-test, it should work.
>>
>> Thanks,
>>
>> Ludovic Zammit
>> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>>
>> On Mar 25, 2021, at 8:14 AM, Joel Rodriguez <[email protected]> wrote:
>>
>> Ludovic,
>>
>> test user is an Active Directory user that is in the vlan100 AD group. I want to authenticate against AD.
>> This is the authentication rule.
>> <image.png>
>>
>> and output
>> <image.png>
>>
>> On Thu, Mar 25, 2021 at 8:09 AM Ludovic Zammit <[email protected]> wrote:
>>
>>> Where do you want to authenticate your test user?
>>>
>>> Where did you create it?
>>>
>>> Thanks,
>>>
>>> Ludovic Zammit
>>>
>>> On Mar 24, 2021, at 4:19 PM, Joel Rodriguez <[email protected]> wrote:
>>>
>>> Hi Ludovic,
>>>
>>> This is the output.
>>> <image.png>
>>>
>>> On Tue, Mar 23, 2021 at 1:40 PM Ludovic Zammit <[email protected]> wrote:
>>>
>>>> Hello Joel,
>>>>
>>>> That output tells me that your node / username did not match any rule in any source.
>>>>
>>>> Do that and show me the result:
>>>>
>>>> grep -i MAC_ADDRESS /usr/local/pf/logs/packetfence.log
>>>>
>>>> Thanks,
>>>>
>>>> Ludovic Zammit
>>>>
>>>> On Mar 23, 2021, at 1:33 PM, Joel Rodriguez <[email protected]> wrote:
>>>>
>>>> Ludovic, can you help with my question below? Also, this is the entire output; as you can see in the RADIUS reply, I do not see where PacketFence is sending back the VLAN.
>>>>
>>>> I am having an issue where I have a rule that successfully matches and is based on AD group; however, even if the account used on the device is not in the correct AD group, it still successfully authenticates. I believe this is more of an AAA override issue. Is there anywhere in PacketFence where I can see if PacketFence is sending back the VLAN assignment? All I see in the log is successful authentication, nothing indicating it sent back a VLAN override. Thank you in advance for your help.
>>>>
>>>> Request Time
>>>> 0
>>>> RADIUS Request
>>>> User-Name = "test"
>>>> NAS-IP-Address = 172.16.99.99
>>>> NAS-Port = 5
>>>> Service-Type = Framed-User
>>>> Framed-IP-Address = 172.16.100.174
>>>> Framed-MTU = 1485
>>>> State = 0x5ce103c05de81912a6fe102bc6c3d43e
>>>> Called-Station-Id = "2c:21:21:9d:5f:60:Rdz-EWC"
>>>> Calling-Station-Id = "56:59:f8:36:e1:55"
>>>> NAS-Identifier = "WLC2CF8.9B15.6E14"
>>>> NAS-Port-Type = Wireless-802.11
>>>> Event-Timestamp = "Mar 16 2021 08:59:38 EDT"
>>>> EAP-Message = 0x020900061a03
>>>> NAS-Port-Id = "capwap_90000004"
>>>> Airespace-Wlan-Id = 1
>>>> Cisco-AVPair = "service-type=Framed"
>>>> Cisco-AVPair = "audit-session-id=636310AC0000004094F18357"
>>>> Cisco-AVPair = "method=dot1x"
>>>> Cisco-AVPair = "addrv6=fe80::1ca6:189c:65f4:5770"
>>>> Cisco-AVPair = "client-iif-id=469767067"
>>>> Cisco-AVPair = "vlan-id=100"
>>>> Cisco-AVPair = "cisco-wlan-ssid=Rdz-EWC"
>>>> Cisco-AVPair = "wlan-profile-name=Rdz-EWC"
>>>> FreeRADIUS-Proxied-To = 127.0.0.1
>>>> EAP-Type = MSCHAPv2
>>>> Stripped-User-Name = "test"
>>>> Realm = "null"
>>>> Called-Station-SSID = "Rdz-EWC"
>>>> PacketFence-Domain = "NNGDomain"
>>>> PacketFence-KeyBalanced = "6d5099cbb3bd042f6788696b2f8e2bfc"
>>>> PacketFence-Radius-Ip = "172.16.100.95"
>>>> PacketFence-NTLMv2-Only = ""
>>>> PacketFence-Outer-User = "test"
>>>> User-Password = "******"
>>>> SQL-User-Name = "test"
>>>> RADIUS Reply
>>>> EAP-Message = 0x03090004
>>>> Message-Authenticator = 0x00000000000000000000000000000000
>>>> User-Name = "test"
>>>>
>>>> ---------- Forwarded message ---------
>>>> From: Joel Rodriguez <[email protected]>
>>>> Date: Tue, Mar 16, 2021 at 10:13 AM
>>>> Subject: VLAN Override Issue
>>>> To: <[email protected]>
Attachments: realm.conf, profiles.conf, authentication.conf (binary data)
_______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
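The thread turns on three facts that are buried in the grep output above: which sources httpd.aaa selected for the request's realm, whether any rule in them matched, and whether a role/VLAN was computed at all (if none is, there is nothing to put in the Access-Accept and the WLC's AAA override has nothing to apply). The following is an added example, not PacketFence's own code and not something posted in the thread: a small Python triage script that parses packetfence.log lines in the format quoted above (the path prefix grep adds, the syslog timestamp, host, program, `httpd.aaa(pid)`, level, the `[mac:...]` tag, the message and the trailing `(pf::module::sub)` origin) and reduces one authorization pass for a MAC to those three facts. The `expected_sources` parameter is an assumption, since the thread never names the AD source; the sample log is constructed from the lines Joel posted.

```python
"""Triage helper for PacketFence httpd.aaa log lines (added example, not PacketFence code)."""
import re
from collections import Counter

# One packetfence.log line as it appears in `grep ... packetfence.log` output.
LINE_RE = re.compile(
    r"^(?:(?P<file>/\S+?\.log):)?"                       # path prefix added by grep (optional)
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "    # syslog timestamp
    r"(?P<host>\S+) (?P<prog>\S+): (?P<proc>\S+) "       # host, program, httpd.aaa(pid)
    r"(?P<level>[A-Z]+): \[mac:(?P<mac>[0-9a-f:]{17})\] "
    r"(?P<msg>.*?)(?: \((?P<origin>pf::[\w:]+)\))?$"      # message, optional (pf::...) origin
)
AUTZ_RE = re.compile(
    r"handling radius autz request: from switch_ip => \((?P<ip>[^)]*)\), "
    r"connection_type => (?P<ct>[^,]+),.*?username => \"(?P<user>[^\"]*)\""
)
SOURCES_RE = re.compile(r"Found authentication source\(s\) : (?P<srcs>.+?) for realm '(?P<realm>[^']*)'")
RETURNED_RE = re.compile(r"Returned VLAN: (?P<vlan>.+?), Role: (?P<role>.+)$")
NO_RULE = "No rules matches or no category defined"

# Constructed sample: a subset of the lines quoted in the thread, same prefix on each.
PREFIX = ("/usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence "
          "packetfence_httpd.aaa: httpd.aaa(14887) ")
SAMPLE_LOG = "\n".join(PREFIX + l for l in [
    'INFO: [mac:56:59:f8:36:e1:55] handling radius autz request: from switch_ip => (172.16.99.99), connection_type => Wireless-802.11-EAP,switch_mac => (2c:f8:9b:9d:5f:60), mac => [56:59:f8:36:e1:55], port => 5, username => "test", ssid => Rodriguez-EWC (pf::radius::authorize)',
    "INFO: [mac:56:59:f8:36:e1:55] Found authentication source(s) : 'file1' for realm 'null' (pf::config::util::filter_authentication_sources)",
    "INFO: [mac:56:59:f8:36:e1:55] Using sources file1 for matching (pf::authentication::match2)",
    "INFO: [mac:56:59:f8:36:e1:55] No rules matches or no category defined for the node, set it as unreg. (pf::role::getNodeInfoForAutoReg)",
    "WARN: [mac:56:59:f8:36:e1:55] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)",
    "WARN: [mac:56:59:f8:36:e1:55] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489.",
    'INFO: [mac:56:59:f8:36:e1:55] PID: "test", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)',
    "WARN: [mac:56:59:f8:36:e1:55] No parameter Vlan found in conf/switches.conf for the switch 172.16.99.99 (pf::Switch::getVlanByName)",
])


def parse_line(line):
    """Return the fields of one httpd.aaa log line as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def _defined(value):
    """PacketFence prints '(undefined)' for a missing role/VLAN; map that to None."""
    value = value.strip()
    return None if value in ("(undefined)", "") else value


def summarize_authorization(log_text, mac, expected_sources=()):
    """Summarise the authorization pass for `mac` and list what to check next.

    `expected_sources` (assumption: the caller knows the name of the AD source)
    lets the script flag a realm whose selected sources never include it.
    """
    entries = [e for e in map(parse_line, log_text.splitlines()) if e and e["mac"] == mac]
    s = {"mac": mac, "entries": len(entries), "levels": Counter(),
         "username": None, "switch_ip": None, "connection_type": None,
         "sources_by_realm": {}, "rule_matched": None,
         "returned_vlan": None, "returned_role": None,
         "warnings": [], "findings": []}
    for e in entries:
        s["levels"][e["level"]] += 1
        msg = e["msg"]
        if e["level"] == "WARN":
            s["warnings"].append(msg)
        if (m := AUTZ_RE.search(msg)):
            s["username"], s["switch_ip"], s["connection_type"] = m["user"], m["ip"], m["ct"]
        elif (m := SOURCES_RE.search(msg)):
            srcs = s["sources_by_realm"].setdefault(m["realm"], [])
            for src in re.findall(r"'([^']*)'", m["srcs"]):   # 'file1' or 'file1', 'AD', ...
                if src not in srcs:
                    srcs.append(src)
        elif NO_RULE in msg:
            s["rule_matched"] = False
        elif (m := RETURNED_RE.search(msg)):
            s["returned_vlan"], s["returned_role"] = _defined(m["vlan"]), _defined(m["role"])
    if s["rule_matched"] is None and s["returned_role"] is not None:
        s["rule_matched"] = True                     # a role was computed, so some rule matched
    if not entries:
        s["findings"].append("no httpd.aaa entries for this MAC: the request never reached authorization, or the MAC is wrong")
        return s
    for realm, srcs in s["sources_by_realm"].items():
        missing = [x for x in expected_sources if x not in srcs]
        if missing:
            s["findings"].append(f"realm '{realm}' selected sources {srcs}; expected {missing} missing, so its rules can never match (check the source lists in realm.conf / profiles.conf)")
    if s["rule_matched"] is False:
        s["findings"].append("no rule matched in the selected sources: compare the rule condition with the user's actual attributes")
    if s["returned_role"] is None and s["returned_vlan"] is None:
        s["findings"].append("no role or VLAN computed, so no VLAN attribute can go into the Access-Accept and AAA override on the WLC has nothing to apply")
    return s


if __name__ == "__main__":
    result = summarize_authorization(SAMPLE_LOG, "56:59:f8:36:e1:55", expected_sources=("AD",))
    for key in ("username", "switch_ip", "connection_type", "sources_by_realm", "rule_matched", "returned_vlan", "returned_role"):
        print(f"{key}: {result[key]}")
    for finding in result["findings"]:
        print("-", finding)
```

Feed it the output of `grep -i MAC /usr/local/pf/logs/packetfence.log` for the client in question. On the lines from this thread it reports realm 'null' selecting only file1, no rule matched, and no role or VLAN computed, which is consistent with the Access-Accept above carrying nothing but EAP-Message, Message-Authenticator and User-Name.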
