Hello,

Show me the conf/authentication.conf.

You are definitely registering that device with a source where the rule is not well configured. On each rule, you need to return an Access Duration / Unregistration date and a Role. The Role needs to be configured with the VLAN ID on the switch config.

Thanks,

Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

> On Apr 9, 2021, at 12:22 AM, Heusler Marie-Cécile <marie-cecile.heus...@divtec.ch> wrote:
>
> Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) INFO: [mac:2c:44:fd:65:ab:27] handling radius autz request: from switch_ip => (192.168.137.200), connection_type => Ethernet-NoEAP,switch_mac => (00:16:b9:0b:37:0d), mac => [2c:44:fd:65:ab:27], port => 19, username => "2c44fd65ab27" (pf::radius::authorize)
> Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) INFO: [mac:2c:44:fd:65:ab:27] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
> Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) INFO: [mac:2c:44:fd:65:ab:27] Match rule Email-on-role (pf::access_filter::test)
> Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) INFO: [mac:2c:44:fd:65:ab:27] Found authentication source(s) : 'local,file1,MonDomaine' for realm 'null' (pf::config::util::filter_authentication_sources)
> Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) WARN: [mac:2c:44:fd:65:ab:27] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
> Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) WARN: [mac:2c:44:fd:65:ab:27] No role specified or found for pid 2c44fd65ab27 (MAC 2c:44:fd:65:ab:27); assume maximum number of registered nodes is reached (pf::node::is_max_reg_nodes_reached)
> Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) ERROR: [mac:2c:44:fd:65:ab:27] no role computed by any sources - registration of 2c:44:fd:65:ab:27 to 2c44fd65ab27 failed (pf::registration::setup_node_for_registration)
> Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) ERROR: [mac:2c:44:fd:65:ab:27] auto-registration of node failed no role computed by any sources (pf::radius::authorize)
> Apr 9 06:21:21 TPI-PF1 packetfence_httpd.webservices: httpd.webservices(1907) WARN: [mac:2c:44:fd:65:ab:27] Unable to pull accounting history for device 2c:44:fd:65:ab:27. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
>
> From: Ludovic Zammit <lzam...@inverse.ca>
> Sent: Thursday, 8 April 2021 18:32
> To: Heusler Marie-Cécile
> Cc: packetfence-users@lists.sourceforge.net
> Subject: Re: VLAN for rejected machine
>
> Unregister your device and give the output of:
>
> grep 2c:44:fd:65:ab:27 /usr/local/pf/logs/packetfence.log
>
> Thanks,
>
> Ludovic Zammit
>
>> On Apr 8, 2021, at 12:03 PM, Heusler Marie-Cécile <marie-cecile.heus...@divtec.ch> wrote:
>>
>> So it's weird, because here are my logs when I connect an off-domain machine:
>>
>> Apr 8 18:02:06 TPI-PF1 auth[1993]: [mac:2c:44:fd:65:ab:27] Rejected user: 2c44fd65ab27
>> Apr 8 18:02:06 TPI-PF1 auth[1993]: (3098) Rejected in post-auth: [2c44fd65ab27] (from client 192.168.137.200/32 port 19 cli 2c:44:fd:65:ab:27)
>> Apr 8 18:02:06 TPI-PF1 auth[1993]: (3098) Incorrect login: [2c44fd65ab27] (from client 192.168.137.200/32 port 19 cli 2c:44:fd:65:ab:27)
>> Apr 8 18:02:06 TPI-PF1 auth[1993]: [mac:2c:44:fd:65:ab:27] Rejected user: 2c44fd65ab27
>> Apr 8 18:02:06 TPI-PF1 auth[1993]: (3098) Rejected in post-auth: [2c44fd65ab27] (from client 192.168.137.200/32 port 19 cli 2c:44:fd:65:ab:27)
>> Apr 8 18:02:06 TPI-PF1 auth[1993]: (3098) Incorrect login: [2c44fd65ab27] (from client 192.168.137.200/32 port 19 cli 2c:44:fd:65:ab:27)
>>
>> And I get the message 'no role computed by any source'.
>>
>> However, if I create a 'null' source and create a profile with the filter "ethernet no-eap" and my null source, it works.
>>
>> From: Ludovic Zammit <lzam...@inverse.ca>
>> Sent: Thursday, 8 April 2021 17:56
>> To: Heusler Marie-Cécile
>> Cc: packetfence-users@lists.sourceforge.net
>> Subject: Re: VLAN for rejected machine
>>
>> No, it's a default behavior, they will be put in VLAN 2 if they are unregistered.
>>
>> Thanks,
>>
>> Ludovic Zammit
>>
>>> On Apr 8, 2021, at 10:25 AM, Heusler Marie-Cécile <marie-cecile.heus...@divtec.ch> wrote:
>>>
>>> That's what I did, but do I have to create a specific source for that, and a profile?
>>>
>>> From: Ludovic Zammit <lzam...@inverse.ca>
>>> Sent: Thursday, 8 April 2021 16:11:59
>>> To: Heusler Marie-Cécile
>>> Cc: packetfence-users@lists.sourceforge.net
>>> Subject: Re: VLAN for rejected machine
>>>
>>> Ok so put VLAN 2 as the registration VLAN in your switch configuration under Configuration > Policies and Access Control > Switches > Switch IP > Roles > Registration -> 2
>>>
>>> Thanks,
>>>
>>> Ludovic Zammit
>>>
>>>> On Apr 8, 2021, at 9:48 AM, Heusler Marie-Cécile <marie-cecile.heus...@divtec.ch> wrote:
>>>>
>>>> Not really. I just want devices that don't match my AD source to go to VLAN2 and be able to do nothing.
>>>>
>>>> From: Ludovic Zammit <lzam...@inverse.ca>
>>>> Sent: Thursday, 8 April 2021 15:29
>>>> To: Heusler Marie-Cécile
>>>> Cc: packetfence-users@lists.sourceforge.net
>>>> Subject: Re: VLAN for rejected machine
>>>>
>>>> Is this the registration VLAN?
>>>>
>>>> Thanks,
>>>>
>>>> Ludovic Zammit
>>>>
>>>>> On Apr 8, 2021, at 8:12 AM, Heusler Marie-Cécile <marie-cecile.heus...@divtec.ch> wrote:
>>>>>
>>>>> For the time being, VLAN2 simply serves as an isolation VLAN. The workstations should not access anything from this VLAN.
>>>>>
>>>>> From: Ludovic Zammit <lzam...@inverse.ca>
>>>>> Sent: Thursday, 8 April 2021 13:33
>>>>> To: Heusler Marie-Cécile
>>>>> Cc: packetfence-users@lists.sourceforge.net
>>>>> Subject: Re: VLAN for rejected machine
>>>>>
>>>>> What's VLAN 2 and its purpose?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Ludovic Zammit
>>>>>
>>>>>> On Apr 8, 2021, at 1:38 AM, Heusler Marie-Cécile <marie-cecile.heus...@divtec.ch> wrote:
>>>>>>
>>>>>> The devices are, for example, laptops that are not part of the domain. I want them to enter VLAN2, but I don't know them in advance.
>>>>>>
>>>>>> Where do I specify that I want them to be in VLAN2, without their login failing with my AD source?
>>>>>>
>>>>>> What I've tried to do so far is to create a second Authorization source, and a new profile that uses that source. I don't know if this is correct.
>>>>>>
>>>>>> [pastedImage.png]
>>>>>>
>>>>>> [pastedImage.png]
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> From: Ludovic Zammit <lzam...@inverse.ca>
>>>>>> Sent: Wednesday, 7 April 2021 13:53:40
>>>>>> To: Heusler Marie-Cécile
>>>>>> Cc: packetfence-users@lists.sourceforge.net
>>>>>> Subject: Re: VLAN for rejected machine
>>>>>>
>>>>>> With MAC authentication, you will need to pre-import your MAC addresses if you know them, create a VLAN filter that acts automatically on a MAC OUI for example, or redirect them to the captive portal to give them an option to register themselves.
>>>>>>
>>>>>> In your case, if you don't know them, you return a VLAN 2 (don't forget to return VLAN 2 in the registration role in the switch configuration) and they will never get a role or be registered. They will end up having access on VLAN 2.
>>>>>>
>>>>>> What are those devices?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Ludovic Zammit
>>>>>>
>>>>>>> On Apr 7, 2021, at 1:25 AM, Heusler Marie-Cécile <marie-cecile.heus...@divtec.ch> wrote:
>>>>>>>
>>>>>>> Ok, I enabled MAC authentication, but now here are my RADIUS logs once I connect the node to the switch:
>>>>>>>
>>>>>>> Apr 7 07:19:51 TPI-PF1 auth[1944]: Adding client 192.168.137.200/32
>>>>>>> Apr 7 07:19:51 TPI-PF1 auth[1944]: [mac:98:e7:f4:14:44:f0] Accepted user: and returned VLAN
>>>>>>> Apr 7 07:19:51 TPI-PF1 auth[1944]: (3879) Login OK: [98e7f41444f0] (from client 192.168.137.200/32 port 19 cli 98:e7:f4:14:44:f0)
>>>>>>>
>>>>>>> Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] handling radius autz request: from switch_ip => (192.168.137.200), connection_type => Ethernet-NoEAP,switch_mac => (00:16:b9:0b:37:0d), mac => [98:e7:f4:14:44:f0], port => 19, username => "98e7f41444f0" (pf::radius::authorize)
>>>>>>> Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
>>>>>>> Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Match rule Email-on-role (pf::access_filter::test)
>>>>>>> Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Found authentication source(s) : 'local,file1,MonDomaine' for realm 'null' (pf::config::util::filter_authentication_sources)
>>>>>>> Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) WARN: [mac:98:e7:f4:14:44:f0] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
>>>>>>> Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Match rule Email-on-role (pf::access_filter::test)
>>>>>>> Apr 7 07:19:51 TPI-PF1 packetfence_httpd.webservices: httpd.webservices(1790) WARN: [mac:98:e7:f4:14:44:f0] Unable to pull accounting history for device 98:e7:f4:14:44:f0. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
>>>>>>> Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Found authentication source(s) : 'local,file1,MonDomaine' for realm 'null' (pf::config::util::filter_authentication_sources)
>>>>>>> Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole)
>>>>>>> Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) WARN: [mac:98:e7:f4:14:44:f0] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489. (pf::role::getRegisteredRole)
>>>>>>> Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
>>>>>>>
>>>>>>> I tried to create a new connection profile, but the result is the same.
>>>>>>>
>>>>>>> Any ideas?
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> From: Ludovic Zammit <lzam...@inverse.ca>
>>>>>>> Sent: Tuesday, 6 April 2021 19:48
>>>>>>> To: Heusler Marie-Cécile
>>>>>>> Cc: packetfence-users@lists.sourceforge.net
>>>>>>> Subject: Re: VLAN for rejected machine
>>>>>>>
>>>>>>> You can't because if those non-joined machines connect over 802.1x they will fail and stay there.
>>>>>>>
>>>>>>> What you want to do is 802.1x + MAC authentication bypass (MAB) on the switch port.
>>>>>>>
>>>>>>> A non-corporate machine should do MAB and land on the captive portal and authenticate. If you want to skip that part, you can put VLAN ID 2 in the registration role on the switch so everyone that does MAC authentication would be redirected to VLAN 2.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Ludovic Zammit
>>>>>>>
>>>>>>>> On Apr 6, 2021, at 1:33 PM, Heusler Marie-Cécile <marie-cecile.heus...@divtec.ch> wrote:
>>>>>>>>
>>>>>>>> Hello
>>>>>>>>
>>>>>>>> I have an authentication source that gives the role VLAN1 to the corporate machines.
>>>>>>>>
>>>>>>>> [pastedImage.png]
>>>>>>>>
>>>>>>>> [pastedImage.png]
>>>>>>>>
>>>>>>>> Now I want to give to the non-corporate machines the role VLAN2. However, I can't assign a role to a node that can't log in to the source.
>>>>>>>>
>>>>>>>> Adding client 10.104.92.130/32
>>>>>>>> Apr 6 19:11:06 packetfence auth[19459]: (195) chrooted_mschap_machine: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
>>>>>>>> Apr 6 19:11:06 packetfence auth[19459]: (195) Login incorrect (chrooted_mschap_machine: Program returned code (1) and output 'Logon failure (0xc000006d)'): [host/client.tpi.local] (from client 10.104.92.130/32 port 21 cli 2c:44:fd:65:ab:27 via TLS tunnel)
>>>>>>>> Apr 6 19:11:06 packetfence auth[19459]: [mac:2c:44:fd:65:ab:27] Rejected user: host/client.tpi.local
>>>>>>>> Apr 6 19:11:06 packetfence auth[19459]: (196) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [host/client.tpi.local] (from client 10.104.92.130/32 port 21 cli 2c:44:fd:65:ab:27)
>>>>>>>>
>>>>>>>> A client that is not in the domain will have an incorrect login. But how can I say that every client out of the domain will move to the VLAN2 role?
>>>>>>>>
>>>>>>>> Thank you for your reply.

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
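As an added check (my own code, not from the thread or the PacketFence project) for the point in Ludovic's last reply that every rule must return a role plus an access duration or unregistration date: the script below parses a constructed authentication.conf in the layout I understand PacketFence uses and flags rules that return neither, which is the rule shape behind the "no role computed by any sources" error in the logs above. The section and key names (`[<source> rule <name>]`, `set_role`, `set_access_duration`, `set_unreg_date`), the `memberOf` condition and the sample values are assumptions to verify against your own file; only the source name `MonDomaine` comes from the thread.

```python
import configparser
import re

# Constructed sample in the layout of PacketFence's conf/authentication.conf
# ("[<source> rule <name>]" sections, actionN=set_role=... etc.). The key names
# are my reading of the format, not taken from the thread: verify locally.
SAMPLE_CONF = """
[MonDomaine]
description=Active Directory (constructed example)
type=AD

[MonDomaine rule corporate]
description=Domain-joined machines
class=authentication
match=all
condition0=memberOf,equals,CN=Domain Computers,CN=Users,DC=example,DC=test
action0=set_role=VLAN1
action1=set_access_duration=1D

[MonDomaine rule catchall]
description=Everything else: matches, but returns neither role nor duration
class=authentication
match=all
"""

RULE_SECTION = re.compile(r"^(?P<source>\S+) rule (?P<rule>\S+)$")


def find_incomplete_rules(conf_text):
    """List (source, rule, missing) for authentication rules that return no
    role and/or no access duration / unreg date: the rule shape behind the
    "no role computed by any sources" error for auto-registered devices."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    problems = []
    for section in cp.sections():
        m = RULE_SECTION.match(section)
        if not m or cp[section].get("class", "authentication") != "authentication":
            continue  # plain source section, or a non-authentication rule
        # actionN values look like "set_role=VLAN1"; keep only the action name
        actions = {v.split("=", 1)[0] for k, v in cp[section].items()
                   if k.startswith("action")}
        missing = []
        if "set_role" not in actions:
            missing.append("set_role")
        if not actions & {"set_access_duration", "set_unreg_date"}:
            missing.append("set_access_duration or set_unreg_date")
        if missing:
            problems.append((m["source"], m["rule"], missing))
    return problems
```

Run it against the real file with `find_incomplete_rules(open("/usr/local/pf/conf/authentication.conf").read())`; any rule it reports is a candidate for the behaviour seen in the Apr 9 log.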