Hello Nathan,

Show me the content of your:

- conf/realms.conf
- conf/profiles.conf
- conf/authentication.conf (JumpCloud-RADIUS section if that's the source you try to match)

>> RADIUS request contains more than one realm. Keeping the first one 'null'

It's definitely the source of the issue I think.

Thanks,

Ludovic Zammit
Product Support Engineer Principal

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142
Connect with Us: <https://community.akamai.com/> <http://blogs.akamai.com/> <https://twitter.com/akamai> <http://www.facebook.com/AkamaiTechnologies> <http://www.linkedin.com/company/akamai-technologies> <http://www.youtube.com/user/akamaitechnologies?feature=results_main>

> On Apr 23, 2021, at 9:05 AM, Nathan, Josh <josh.nat...@bfacademy.de> wrote:
>
> Well that was interesting... I made some quick tweaks as I saw the results of the command you had me run. Apparently neither "StrippedUser Name" nor "radius_request.User-Name" register. When I finally switched it to just "username", the pftest authentication command finally registered the rule. That being said, I'm still getting the same result, so I'm still including the information you asked for. Just to be thorough, I'm also including a fresh set of logs from packetfence.log and attaching the full raddebug from a connection test. As before, my phone does connect, but it's not being assigned the VLAN as it should. And from what I can see, the issue doesn't seem to be related to my configuration of the Ubiquiti equipment since it doesn't look like RADIUS is registering a target VLAN and PF isn't even including it in the RADIUS audit logs...
>
> /usr/local/pf/bin/pftest authentication josh.nathan "[password redacted]"
> Testing authentication for "josh.nathan"
>
> Authenticating against 'local' in context 'admin'
> Authentication FAILED against local (Invalid login or password)
> Did not match against local for 'authentication' rules
> Did not match against local for 'administration' rules
>
> Authenticating against 'local' in context 'portal'
> Authentication FAILED against local (Invalid login or password)
> Did not match against local for 'authentication' rules
> Did not match against local for 'administration' rules
>
> Authenticating against 'file1' in context 'admin'
> Authentication FAILED against file1 (Invalid login or password)
> Did not match against file1 for 'authentication' rules
> Did not match against file1 for 'administration' rules
>
> Authenticating against 'file1' in context 'portal'
> Authentication FAILED against file1 (Invalid login or password)
> Did not match against file1 for 'authentication' rules
> Did not match against file1 for 'administration' rules
>
> Authenticating against 'sms' in context 'admin'
> Authentication FAILED against sms (Invalid login or password)
> Matched against sms for 'authentication' rule catchall
> set_role : guest
> set_access_duration : 1D
> Did not match against sms for 'administration' rules
>
> Authenticating against 'sms' in context 'portal'
> Authentication FAILED against sms (Invalid login or password)
> Matched against sms for 'authentication' rule catchall
> set_role : guest
> set_access_duration : 1D
> Did not match against sms for 'administration' rules
>
> Authenticating against 'email' in context 'admin'
> Authentication SUCCEEDED against email ()
> Matched against email for 'authentication' rule catchall
> set_role : guest
> set_access_duration : 1D
> Did not match against email for 'administration' rules
>
> Authenticating against 'email' in context 'portal'
> Authentication SUCCEEDED against email ()
> Matched against email for 'authentication' rule catchall
> set_role : guest
> set_access_duration : 1D
> Did not match against email for 'administration' rules
>
> Authenticating against 'sponsor' in context 'admin'
> Authentication SUCCEEDED against sponsor ()
> Matched against sponsor for 'authentication' rule catchall
> set_role : guest
> set_access_duration : 1D
> Did not match against sponsor for 'administration' rules
>
> Authenticating against 'sponsor' in context 'portal'
> Authentication SUCCEEDED against sponsor ()
> Matched against sponsor for 'authentication' rule catchall
> set_role : guest
> set_access_duration : 1D
> Did not match against sponsor for 'administration' rules
>
> Authenticating against 'null' in context 'admin'
> Authentication SUCCEEDED against null ()
> Matched against null for 'authentication' rule catchall
> set_role : guest
> set_access_duration : 1D
> Did not match against null for 'administration' rules
>
> Authenticating against 'null' in context 'portal'
> Authentication SUCCEEDED against null ()
> Matched against null for 'authentication' rule catchall
> set_role : guest
> set_access_duration : 1D
> Did not match against null for 'administration' rules
>
> Authenticating against 'JumpCloud-RADIUS' in context 'admin'
> Authentication SUCCEEDED against JumpCloud-RADIUS (Authentication successful.)
> Matched against JumpCloud-RADIUS for 'authentication' rule IsStaffDevice
> set_role : staff
> set_access_duration : 2W
> Did not match against JumpCloud-RADIUS for 'administration' rules
>
> Authenticating against 'JumpCloud-RADIUS' in context 'portal'
> Authentication SUCCEEDED against JumpCloud-RADIUS (Authentication successful.)
> Matched against JumpCloud-RADIUS for 'authentication' rule IsStaffDevice
> set_role : staff
> set_access_duration : 2W
> Did not match against JumpCloud-RADIUS for 'administration' rules
>
>
> Fresh packetfence.log query:
>
> # grep 58:cb:52:37:5d:ab /usr/local/pf/logs/packetfence.log
> Apr 23 14:49:58 gatekeeper packetfence_httpd.aaa: httpd.aaa(10390) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
> Apr 23 14:49:58 gatekeeper packetfence_httpd.aaa: httpd.aaa(10390) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
> Apr 23 14:49:58 gatekeeper packetfence_httpd.aaa: httpd.aaa(10390) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
> Apr 23 14:49:58 gatekeeper packetfence_httpd.aaa: httpd.aaa(10390) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
> Apr 23 14:49:58 gatekeeper packetfence_httpd.aaa: httpd.aaa(10390) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
> Apr 23 14:49:58 gatekeeper packetfence_httpd.aaa: httpd.aaa(10390) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
> Apr 23 14:49:59 gatekeeper packetfence_httpd.aaa: httpd.aaa(10390) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
> Apr 23 14:49:59 gatekeeper pfqueue: pfqueue(10475) INFO: [mac:58:cb:52:37:5d:ab] Removing parking actions for 1a:03:00:cd:70:36 (pf::parking::remove_parking_actions)
> Apr 23 14:50:00 gatekeeper pfqueue: pfqueue(10475) WARN: [mac:58:cb:52:37:5d:ab] Unable to pull accounting history for device 58:cb:52:37:5d:ab. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
> Apr 23 14:50:00 gatekeeper pfqueue: pfqueue(10475) WARN: [mac:58:cb:52:37:5d:ab] Unable to pull accounting history for device 58:cb:52:37:5d:ab. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
> Apr 23 14:50:00 gatekeeper pfqueue: pfqueue(10492) WARN: [mac:58:cb:52:37:5d:ab] Unable to match MAC address to IP '172.20.104.21' (pf::ip4log::ip2mac)
> Apr 23 14:50:00 gatekeeper pfqueue: pfqueue(10492) INFO: [mac:58:cb:52:37:5d:ab] oldip (172.20.104.32) and newip (172.20.104.21) are different for 58:cb:52:37:5d:ab - closing ip4log entry (pf::api::update_ip4log)
> Apr 23 14:50:01 gatekeeper packetfence_httpd.aaa: httpd.aaa(10390) INFO: [mac:58:cb:52:37:5d:ab] Updating locationlog from accounting request (pf::api::handle_accounting_metadata)
>
> Thank you!
>
>
> Joshua Nathan
> IT Supervisor
> Black Forest Academy
>
> p: +49 (0) 7626 9161 631 m: +49 (0) 152 3452 0056
> a:
> w: Hammersteiner Straße 50, 79400 Kandern
> bfacademy.de <http://bfacademy.de/>
>
> On Thu, Apr 22, 2021 at 3:37 PM Zammit, Ludovic <luza...@akamai.com> wrote:
> Can you show me the output of:
>
> /usr/local/pf/bin/pftest authentication josh.nathan ""
>
> Thanks,
>
> Ludovic Zammit
> Product Support Engineer Principal
>
>> On Apr 22, 2021, at 9:29 AM, Nathan, Josh <josh.nat...@bfacademy.de> wrote:
>>
>> I did. That last email is seriously all that's there.
>>
>> [root@gatekeeper ~]# grep 58:cb:52:37:5d:ab /usr/local/pf/logs/packetfence.log
>> Apr 16 09:13:51 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>> Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>> Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>> Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>> Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>> Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>> Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>> Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>> Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] Updating locationlog from accounting request (pf::api::handle_accounting_metadata)
>>
>> That second entry from Apr 15 15:40:15 to Apr 15 15:41:04 is completely unfiltered. Absolutely everything logged between those times is there, and in that time frame I got a fairly sizable radius debug log (the end of which I included in my first email).
>>
>> I'm gathering from your email, though, that somehow my installation is broken?
>>
>>
>> Joshua Nathan
>> IT Supervisor
>> Black Forest Academy
>>
>> On Thu, Apr 22, 2021 at 3:17 PM Zammit, Ludovic <luza...@akamai.com> wrote:
>> Hello Nathan,
>>
>> Show me the output of:
>>
>> grep 58:cb:52:37:5d:ab /usr/local/pf/logs/packetfence.log
>>
>> Thanks,
>>
>> Ludovic Zammit
>> Product Support Engineer Principal
>>
>>> On Apr 22, 2021, at 2:35 AM, Nathan, Josh <josh.nat...@bfacademy.de> wrote:
>>>
>>> Any further insights regarding what I could try or where I should look? I've not had any luck this week at figuring anything out, either. :-/
>>>
>>>
>>> Joshua Nathan
>>> IT Supervisor
>>> Black Forest Academy
>>>
>>> On Fri, Apr 16, 2021 at 9:39 AM Nathan, Josh <josh.nat...@bfacademy.de> wrote:
>>> Hello Ludovic,
>>>
>>> OK, here's from this morning:
>>>
>>> [root@gatekeeper ~]# grep 58:cb:52:37:5d:ab /usr/local/pf/logs/packetfence.log
>>> Apr 16 09:13:51 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>> Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>> Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>> Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>> Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>> Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>> Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>> Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>> Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] Updating locationlog from accounting request (pf::api::handle_accounting_metadata)
>>>
>>> And here's from yesterday during that 15:40 timeframe if that helps:
>>>
>>> Apr 15 15:40:15 gatekeeper packetfence: pfperl-api(2161) INFO: Using 300 resolution threshold (pf::pfcron::task::cluster_check::run)
>>> Apr 15 15:40:15 gatekeeper packetfence: pfperl-api(2161) INFO: All cluster members are running the same configuration version (pf::pfcron::task::cluster_check::run)
>>> Apr 15 15:40:15 gatekeeper packetfence: pfperl-api(2162) INFO: getting security_events triggers for accounting cleanup (pf::accounting::acct_maintenance)
>>> Apr 15 15:40:42 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>> Apr 15 15:40:43 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>> Apr 15 15:40:43 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>> Apr 15 15:40:43 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>> Apr 15 15:40:43 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>> Apr 15 15:40:43 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>> Apr 15 15:40:43 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>> Apr 15 15:40:43 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>> Apr 15 15:40:43 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] Updating locationlog from accounting request (pf::api::handle_accounting_metadata)
>>> Apr 15 15:41:04 gatekeeper pfqueue: pfqueue(17589) WARN: [mac:00:25:90:87:e9:50] Unable to pull accounting history for device 00:25:90:87:e9:50. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
>>>
>>>
>>> Joshua Nathan
>>> IT Supervisor
>>> Black Forest Academy
>>>
>>> On Thu, Apr 15, 2021 at 3:52 PM Ludovic Zammit <lzam...@inverse.ca> wrote:
>>> Hello Nathan,
>>>
>>> Show me the output of:
>>>
>>> grep 58:cb:52:37:5d:ab /usr/local/pf/logs/packetfence.log
>>>
>>> Thanks,
>>>
>>> Ludovic Zammit
>>> lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>>>
>>>> On Apr 15, 2021, at 9:48 AM, Nathan, Josh via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>>>>
>>>> Hello,
>>>>
>>>> So, I'm trying to configure a 10.2 Zen version of PF. Our user authentication happens via RADIUS. So I configured our RADIUS server under the "Internal Sources" section, and everything is now "mostly" working. My devices authenticate, but the Authentication Rules don't seem to be taking effect.
>>>>
>>>> When I try using the debug command for RADIUS (raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3600), here's what I get. There must be a setting I'm missing somewhere. The packetfence.log file is effectively silent on the issue.
>>>>
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: rest: Processing response header
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: rest: Status : 200 (OK)
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: rest: Type : json (application/json)
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: rest: Parsing attribute "control:PacketFence-Authorization-Status"
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: rest: EXPAND allow
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: rest: --> allow
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: rest: PacketFence-Authorization-Status := "allow"
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: [rest] = updated
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap: Peer sent EAP Response (code 2) ID 56 length 46
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap: Continuing tunnel setup
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: [eap] = ok
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: } # authorize = ok
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: Found Auth-Type = eap
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: authenticate {
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap: Expiring EAP session with state 0xce6b3ab6c75323c5
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap: Finished EAP session with state 0xce6b3ab6c75323c5
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap: Previous EAP request found for state 0xce6b3ab6c75323c5, released from the list
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap: Peer sent packet with method EAP PEAP (25)
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap: Calling submodule eap_peap to process data
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap_peap: Continuing EAP-TLS
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap_peap: [eaptls verify] = ok
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap_peap: Done initial handshake
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap_peap: [eaptls process] = ok
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap_peap: Session established. Decoding tunneled attributes
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap_peap: PEAP state send tlv success
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap_peap: Received EAP-TLV response
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap_peap: Success
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap_peap: Using saved attributes from the original Access-Accept
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap_peap: User-Name = "josh.nathan"
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap: Sending EAP Success (code 3) ID 56 length 4
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap: Freeing handler
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: [eap] = ok
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: } # authenticate = ok
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: # Executing section post-auth from file /usr/local/pf/raddb/sites-enabled/packetfence
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: post-auth {
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: update {
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: EXPAND %{Packet-Src-IP-Address}
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: --> 172.20.50.76
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: EXPAND %{Packet-Dst-IP-Address}
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: --> 172.20.104.31
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: } # update = noop
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: policy packetfence-set-tenant-id {
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: EXPAND %{%{control:PacketFence-Tenant-Id}:-0}
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: --> 1
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> FALSE
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: if ( &control:PacketFence-Tenant-Id == 0 ) {
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: if ( &control:PacketFence-Tenant-Id == 0 ) -> FALSE
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: } # policy packetfence-set-tenant-id = noop
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: if ("%{%{control:PacketFence-Proxied-From}:-False}" == "True") {
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: EXPAND %{%{control:PacketFence-Proxied-From}:-False}
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: --> False
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: if ("%{%{control:PacketFence-Proxied-From}:-False}" == "True") -> FALSE
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) {
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) -> FALSE
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: attr_filter.packetfence_post_auth: EXPAND %{User-Name}
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: attr_filter.packetfence_post_auth: --> josh.nathan
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: attr_filter.packetfence_post_auth: Matched entry DEFAULT at line 10
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: [attr_filter.packetfence_post_auth] = updated
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: linelog: EXPAND messages.%{%{reply:Packet-Type}:-default}
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: linelog: --> messages.Access-Accept
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: linelog: EXPAND [mac:%{Calling-Station-Id}] Accepted user: %{reply:User-Name} and returned VLAN %{reply:Tunnel-Private-Group-ID}
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: linelog: --> [mac:58:cb:52:37:5d:ab] Accepted user: josh.nathan and returned VLAN
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: [linelog] = ok
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: } # post-auth = updated
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: Sent Access-Accept Id 229 from 172.20.104.31:1812 to 172.20.50.76:40485 length 0
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: User-Name = "josh.nathan"
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: MS-MPPE-Recv-Key = 0x600da060c2faa9fdf49eb732f5110f438b5d71f66e661345f268bf24252e85c3
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: MS-MPPE-Send-Key = 0x8d6d99afd78af3ebade3b3869adc9ceef8f9782d323d553bce8cf5c1511d05d1
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: EAP-Message = 0x03380004
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: Message-Authenticator = 0x00000000000000000000000000000000
>>>> (327) Thu Apr 15 15:40:43 2021: Debug: Finished request
>>>> (317) Thu Apr 15 15:40:44 2021: Debug: Cleaning up request packet ID 219 with timestamp +4564
>>>> (318) Thu Apr 15 15:40:44 2021: Debug: Cleaning up request packet ID 220 with timestamp +4564
>>>> (319) Thu Apr 15 15:40:44 2021: Debug: Cleaning up request packet ID 221 with timestamp +4564
>>>> (328) Thu Apr 15 15:40:45 2021: Debug: Received Status-Server Id 161 from 127.0.0.1:45116 to 127.0.0.1:18121 length 50
>>>> (328) Thu Apr 15 15:40:45 2021: Debug: Message-Authenticator = 0x0630aabb861db1ebd2a0892a5d55941e
>>>> (328) Thu Apr 15 15:40:45 2021: Debug: FreeRADIUS-Statistics-Type = 15
>>>> (328) Thu Apr 15 15:40:45 2021: Debug: # Executing group from file /usr/local/pf/raddb/sites-enabled/status
>>>> (328) Thu Apr 15 15:40:45 2021: Debug: Autz-Type Status-Server {
>>>> (328) Thu Apr 15 15:40:45 2021: Debug: [ok] = ok
>>>> (328) Thu Apr 15 15:40:45 2021: Debug: } # Autz-Type Status-Server = ok
>>>> (328) Thu Apr 15 15:40:45 2021: Debug: Sent Access-Accept Id 161 from 127.0.0.1:18121 to 127.0.0.1:45116 length 0
>>>>
>>>>
>>>> Thank you for any guidance you can give!
>>>>
>>>>
>>>> Joshua Nathan
>>>> IT Supervisor
>>>> Black Forest Academy
>>>>
>>>> _______________________________________________
>>>> PacketFence-users mailing list
>>>> PacketFence-users@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
> <radiusdebug.log><RadiusAuditLogs.png>
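
The correlation this thread performs by hand, written out as an added example (not part of the original emails and not PacketFence code): it counts the "more than one realm" messages per MAC in packetfence.log and flags raddebug linelog entries where an Access-Accept was logged with an empty VLAN. The function names are hypothetical, and the sample lines are constructed from the formats quoted above, including a second device with a made-up MAC, user and VLAN.

```python
import re
from collections import defaultdict

# Message formats as they appear in the log excerpts quoted in the thread.
REALM_RE = re.compile(
    r"\[mac:(?P<mac>[0-9A-Fa-f:]{17})\] RADIUS request contains more than one realm\.\s+"
    r"Keeping the first one '(?P<realm>[^']*)'"
)
# The VLAN is optional: the problem case in the thread ends right after "VLAN".
ACCEPT_RE = re.compile(
    r"\[mac:(?P<mac>[0-9A-Fa-f:]{17})\] Accepted user: (?P<user>.*?) "
    r"and returned VLAN(?:\s+(?P<vlan>\S+))?\s*$"
)

# Constructed sample input, modelled on the packetfence.log lines in the thread.
PF_LOG_SAMPLE = """\
Apr 23 14:49:58 gatekeeper packetfence_httpd.aaa: httpd.aaa(10390) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
Apr 23 14:49:59 gatekeeper packetfence_httpd.aaa: httpd.aaa(10390) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
Apr 23 14:50:01 gatekeeper packetfence_httpd.aaa: httpd.aaa(10390) INFO: [mac:58:cb:52:37:5d:ab] Updating locationlog from accounting request (pf::api::handle_accounting_metadata)
"""

# Constructed sample input, modelled on the raddebug linelog lines in the thread.
# The last line (MAC 02:00:00:00:00:01, VLAN 20) is invented for contrast.
RADDEBUG_SAMPLE = """\
(327) Thu Apr 15 15:40:43 2021: Debug: linelog: EXPAND [mac:%{Calling-Station-Id}] Accepted user: %{reply:User-Name} and returned VLAN %{reply:Tunnel-Private-Group-ID}
(327) Thu Apr 15 15:40:43 2021: Debug: linelog: --> [mac:58:cb:52:37:5d:ab] Accepted user: josh.nathan and returned VLAN
(401) Thu Apr 15 15:42:10 2021: Debug: linelog: --> [mac:02:00:00:00:00:01] Accepted user: constructed.user and returned VLAN 20
"""


def summarize(pf_log: str, raddebug: str) -> dict:
    """Collect, per MAC, the realm messages and the Access-Accept linelog results."""
    devices = defaultdict(
        lambda: {"realm_warnings": 0, "realms_kept": set(), "accepts": []}
    )
    for line in pf_log.splitlines():
        m = REALM_RE.search(line)
        if m:
            entry = devices[m["mac"].lower()]
            entry["realm_warnings"] += 1
            entry["realms_kept"].add(m["realm"])
    for line in raddebug.splitlines():
        # The unexpanded linelog template has no literal MAC, so it never matches.
        m = ACCEPT_RE.search(line.rstrip())
        if m:
            devices[m["mac"].lower()]["accepts"].append((m["user"], m["vlan"]))
    return dict(devices)


def accepts_without_vlan(devices: dict) -> list:
    """Return one finding per Access-Accept that carried no VLAN."""
    findings = []
    for mac, entry in sorted(devices.items()):
        for user, vlan in entry["accepts"]:
            if vlan is None:
                findings.append(
                    {
                        "mac": mac,
                        "user": user,
                        "realm_warnings": entry["realm_warnings"],
                        "realms_kept": sorted(entry["realms_kept"]),
                    }
                )
    return findings


if __name__ == "__main__":
    for f in accepts_without_vlan(summarize(PF_LOG_SAMPLE, RADDEBUG_SAMPLE)):
        print(
            f"{f['mac']} user={f['user']} accepted with no VLAN; "
            f"{f['realm_warnings']} multi-realm message(s), realm kept: {f['realms_kept']}"
        )
```
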