Hello Josh,

In authentication.conf remove all realm configuration related to all sources, leave the automatic selection to happen.

I'm assuming you are using that connection profile "BFA-WiFi". Add the "JumpCloud-RADIUS" source.

Try again and let me know.

Thanks,

Ludovic Zammit
Product Support Engineer Principal

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142
Connect with Us: <https://community.akamai.com/> <http://blogs.akamai.com/> <https://twitter.com/akamai> <http://www.facebook.com/AkamaiTechnologies> <http://www.linkedin.com/company/akamai-technologies> <http://www.youtube.com/user/akamaitechnologies?feature=results_main>

> On Apr 26, 2021, at 6:21 AM, Nathan, Josh <josh.nat...@bfacademy.de> wrote:
>
> Hello Ludovic,
>
> OK, here are those files. I'll mention as a "side"... while I do have a "bfacademy.de" realm configured, that one doesn't seem to work. I'm thinking that's because our authentication provider doesn't use the domain name with the username. Whenever I include the domain name in my authentication process, I get invalid username/password. But if I authenticate without the domain name, it works. Anyway, just including that info as an FYI. In our 9.0 instance that's been quite happily working, we've not been using the domain name either. Anyway...
>
> realms.conf:
> [1 DEFAULT]
> permit_custom_attributes=disabled
> radius_auth_proxy_type=keyed-balance
> radius_auth_compute_in_pf=enabled
> eduroam_radius_auth=
> eduroam_radius_auth_proxy_type=keyed-balance
> eduroam_radius_acct=
> radius_acct_proxy_type=load-balance
> radius_auth=JumpCloud-RADIUS
> eduroam_radius_auth_compute_in_pf=enabled
> eduroam_radius_acct_proxy_type=load-balance
> radius_acct=
>
> [1 LOCAL]
> permit_custom_attributes=disabled
> radius_auth_proxy_type=keyed-balance
> radius_auth_compute_in_pf=enabled
> eduroam_radius_auth=
> eduroam_radius_auth_proxy_type=keyed-balance
> eduroam_radius_acct=
> radius_acct_proxy_type=load-balance
> radius_auth=JumpCloud-RADIUS
> eduroam_radius_auth_compute_in_pf=enabled
> eduroam_radius_acct_proxy_type=load-balance
> radius_acct=
>
> [1 bfacademy.de]
> permit_custom_attributes=disabled
> radius_auth_proxy_type=keyed-balance
> radius_auth_compute_in_pf=disabled
> admin_strip_username=enabled
> eduroam_radius_auth=
> radius_strip_username=enabled
> eduroam_radius_auth_proxy_type=keyed-balance
> eduroam_radius_acct=
> portal_strip_username=enabled
> eap=default
> radius_acct_proxy_type=load-balance
> radius_auth=JumpCloud-RADIUS
> eduroam_radius_auth_compute_in_pf=disabled
> eduroam_radius_acct_proxy_type=load-balance
> regex=bfacademy.de
> radius_acct=
>
>
> profiles.conf:
> [default]
> reuse_dot1x_credentials=disabled
> sources=JumpCloud-RADIUS
> provisioners=android-TLS-test,windows-tls,ios,accept
>
> [BFA-WiFi]
> locale=
> advanced_filter=
> provisioners=
> filter=ssid:BFA-EAP-Test
> autoregister=enabled
>
> authentication.conf:
> [JumpCloud-RADIUS]
> realms=bfacademy.de,local,default,null
> options=type = auth
> monitor=1
> secret=[redacted]
> port=1812
> description=RADIUS source for authentication against JumpCloud
> host=18.194.159.20
> timeout=5
> type=RADIUS
> set_access_durations_action=
>
> [JumpCloud-RADIUS rule IsStaffDevice]
> action0=set_role=staff
> condition0=username,matches regexp,^[a-zA-Z]+\.[a-zA-Z0-9]+
> status=enabled
> match=any
> class=authentication
> action1=set_access_duration=2W
> description=Check if the login belongs to a staff member
>
>
> Joshua Nathan
> IT Supervisor
> Black Forest Academy
>
> p: +49 (0) 7626 9161 631 m: +49 (0) 152 3452 0056
> a:
> w: Hammersteiner Straße 50, 79400 Kandern
> bfacademy.de
>
>
> On Fri, Apr 23, 2021 at 5:30 PM Zammit, Ludovic <luza...@akamai.com> wrote:
> Hello Nathan,
>
> Show me the content of your:
>
> - conf/realms.conf
> - conf/profiles.conf
> - conf/authentication.conf (JumpCloud-RADIUS section if that's the source you try to match)
>
> >>> RADIUS request contains more than one realm. Keeping the first one 'null'
>
> It's definitely the source of the issue I think.
>
> Thanks,
>
> Ludovic Zammit
>
>> On Apr 23, 2021, at 9:05 AM, Nathan, Josh <josh.nat...@bfacademy.de> wrote:
>>
>> Well that was interesting... I made some quick tweaks as I saw the results of the command you had me run. Apparently neither "StrippedUser Name" nor "radius_request.User-Name" register. When I finally switched it to just "username", the pftest authentication command finally registered the rule. That being said, I'm still getting the same result, so I'm still including the information you asked for. Just to be thorough, I'm also including a fresh set of logs from packetfence.log and attaching the full raddebug from a connection test. As before, my phone does connect, but it's not being assigned the VLAN as it should. And from what I can see, the issue doesn't seem to be related to my configuration of the Ubiquiti equipment since it doesn't look like RADIUS is registering a target VLAN and PF isn't even including it in the RADIUS audit logs...
>>
>> /usr/local/pf/bin/pftest authentication josh.nathan "[password redacted]"
>> Testing authentication for "josh.nathan"
>>
>> Authenticating against 'local' in context 'admin'
>>   Authentication FAILED against local (Invalid login or password)
>>   Did not match against local for 'authentication' rules
>>   Did not match against local for 'administration' rules
>>
>> Authenticating against 'local' in context 'portal'
>>   Authentication FAILED against local (Invalid login or password)
>>   Did not match against local for 'authentication' rules
>>   Did not match against local for 'administration' rules
>>
>> Authenticating against 'file1' in context 'admin'
>>   Authentication FAILED against file1 (Invalid login or password)
>>   Did not match against file1 for 'authentication' rules
>>   Did not match against file1 for 'administration' rules
>>
>> Authenticating against 'file1' in context 'portal'
>>   Authentication FAILED against file1 (Invalid login or password)
>>   Did not match against file1 for 'authentication' rules
>>   Did not match against file1 for 'administration' rules
>>
>> Authenticating against 'sms' in context 'admin'
>>   Authentication FAILED against sms (Invalid login or password)
>>   Matched against sms for 'authentication' rule catchall
>>     set_role : guest
>>     set_access_duration : 1D
>>   Did not match against sms for 'administration' rules
>>
>> Authenticating against 'sms' in context 'portal'
>>   Authentication FAILED against sms (Invalid login or password)
>>   Matched against sms for 'authentication' rule catchall
>>     set_role : guest
>>     set_access_duration : 1D
>>   Did not match against sms for 'administration' rules
>>
>> Authenticating against 'email' in context 'admin'
>>   Authentication SUCCEEDED against email ()
>>   Matched against email for 'authentication' rule catchall
>>     set_role : guest
>>     set_access_duration : 1D
>>   Did not match against email for 'administration' rules
>>
>> Authenticating against 'email' in context 'portal'
>>   Authentication SUCCEEDED against email ()
>>   Matched against email for 'authentication' rule catchall
>>     set_role : guest
>>     set_access_duration : 1D
>>   Did not match against email for 'administration' rules
>>
>> Authenticating against 'sponsor' in context 'admin'
>>   Authentication SUCCEEDED against sponsor ()
>>   Matched against sponsor for 'authentication' rule catchall
>>     set_role : guest
>>     set_access_duration : 1D
>>   Did not match against sponsor for 'administration' rules
>>
>> Authenticating against 'sponsor' in context 'portal'
>>   Authentication SUCCEEDED against sponsor ()
>>   Matched against sponsor for 'authentication' rule catchall
>>     set_role : guest
>>     set_access_duration : 1D
>>   Did not match against sponsor for 'administration' rules
>>
>> Authenticating against 'null' in context 'admin'
>>   Authentication SUCCEEDED against null ()
>>   Matched against null for 'authentication' rule catchall
>>     set_role : guest
>>     set_access_duration : 1D
>>   Did not match against null for 'administration' rules
>>
>> Authenticating against 'null' in context 'portal'
>>   Authentication SUCCEEDED against null ()
>>   Matched against null for 'authentication' rule catchall
>>     set_role : guest
>>     set_access_duration : 1D
>>   Did not match against null for 'administration' rules
>>
>> Authenticating against 'JumpCloud-RADIUS' in context 'admin'
>>   Authentication SUCCEEDED against JumpCloud-RADIUS (Authentication successful.)
>>   Matched against JumpCloud-RADIUS for 'authentication' rule IsStaffDevice
>>     set_role : staff
>>     set_access_duration : 2W
>>   Did not match against JumpCloud-RADIUS for 'administration' rules
>>
>> Authenticating against 'JumpCloud-RADIUS' in context 'portal'
>>   Authentication SUCCEEDED against JumpCloud-RADIUS (Authentication successful.)
>>   Matched against JumpCloud-RADIUS for 'authentication' rule IsStaffDevice
>>     set_role : staff
>>     set_access_duration : 2W
>>   Did not match against JumpCloud-RADIUS for 'administration' rules
>>
>>
>> Fresh packetfence.log query:
>>
>> # grep 58:cb:52:37:5d:ab /usr/local/pf/logs/packetfence.log
>> Apr 23 14:49:58 gatekeeper packetfence_httpd.aaa: httpd.aaa(10390) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>> Apr 23 14:49:58 gatekeeper packetfence_httpd.aaa: httpd.aaa(10390) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>> Apr 23 14:49:58 gatekeeper packetfence_httpd.aaa: httpd.aaa(10390) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>> Apr 23 14:49:58 gatekeeper packetfence_httpd.aaa: httpd.aaa(10390) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>> Apr 23 14:49:58 gatekeeper packetfence_httpd.aaa: httpd.aaa(10390) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>> Apr 23 14:49:58 gatekeeper packetfence_httpd.aaa: httpd.aaa(10390) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>> Apr 23 14:49:59 gatekeeper packetfence_httpd.aaa: httpd.aaa(10390) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>> Apr 23 14:49:59 gatekeeper pfqueue: pfqueue(10475) INFO: [mac:58:cb:52:37:5d:ab] Removing parking actions for 1a:03:00:cd:70:36 (pf::parking::remove_parking_actions)
>> Apr 23 14:50:00 gatekeeper pfqueue: pfqueue(10475) WARN: [mac:58:cb:52:37:5d:ab] Unable to pull accounting history for device 58:cb:52:37:5d:ab. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
>> Apr 23 14:50:00 gatekeeper pfqueue: pfqueue(10475) WARN: [mac:58:cb:52:37:5d:ab] Unable to pull accounting history for device 58:cb:52:37:5d:ab. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
>> Apr 23 14:50:00 gatekeeper pfqueue: pfqueue(10492) WARN: [mac:58:cb:52:37:5d:ab] Unable to match MAC address to IP '172.20.104.21' (pf::ip4log::ip2mac)
>> Apr 23 14:50:00 gatekeeper pfqueue: pfqueue(10492) INFO: [mac:58:cb:52:37:5d:ab] oldip (172.20.104.32) and newip (172.20.104.21) are different for 58:cb:52:37:5d:ab - closing ip4log entry (pf::api::update_ip4log)
>> Apr 23 14:50:01 gatekeeper packetfence_httpd.aaa: httpd.aaa(10390) INFO: [mac:58:cb:52:37:5d:ab] Updating locationlog from accounting request (pf::api::handle_accounting_metadata)
>>
>> Thank you!
>>
>> Joshua Nathan
>>
>> On Thu, Apr 22, 2021 at 3:37 PM Zammit, Ludovic <luza...@akamai.com> wrote:
>> Can you show me the output of:
>>
>> /usr/local/pf/bin/pftest authentication josh.nathan ""
>>
>> Thanks,
>>
>> Ludovic Zammit
>>
>>> On Apr 22, 2021, at 9:29 AM, Nathan, Josh <josh.nat...@bfacademy.de> wrote:
>>>
>>> I did. That last email is seriously all that's there.
>>>
>>> [root@gatekeeper ~]# grep 58:cb:52:37:5d:ab /usr/local/pf/logs/packetfence.log
>>> Apr 16 09:13:51 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>> Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>> Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>> Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>> Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>> Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>> Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>> Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>> Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] Updating locationlog from accounting request (pf::api::handle_accounting_metadata)
>>>
>>> That second entry from Apr 15 15:40:15 to Apr 15 15:41:04 is completely unfiltered. Absolutely everything logged between those times is there, and in that time frame I got a fairly sizable radius debug log (the end of which I included in my first email).
>>>
>>> I'm gathering from your email, though, that somehow my installation is broken?
>>>
>>> Joshua Nathan
>>>
>>> On Thu, Apr 22, 2021 at 3:17 PM Zammit, Ludovic <luza...@akamai.com> wrote:
>>> Hello Nathan,
>>>
>>> Show me the output of:
>>>
>>> grep 58:cb:52:37:5d:ab /usr/local/pf/logs/packetfence.log
>>>
>>> Thanks,
>>>
>>> Ludovic Zammit
>>>
>>>> On Apr 22, 2021, at 2:35 AM, Nathan, Josh <josh.nat...@bfacademy.de> wrote:
>>>>
>>>> Any further insights regarding what I could try or where I should look? I've not had any luck this week at figuring anything out, either. :-/
>>>>
>>>> Joshua Nathan
>>>>
>>>> On Fri, Apr 16, 2021 at 9:39 AM Nathan, Josh <josh.nat...@bfacademy.de> wrote:
>>>> Hello Ludovic,
>>>>
>>>> OK, here's from this morning:
>>>>
>>>> [root@gatekeeper ~]# grep 58:cb:52:37:5d:ab /usr/local/pf/logs/packetfence.log
>>>> Apr 16 09:13:51 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>>> Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>>> Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>>> Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>>> Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>>> Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>>> Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>>> Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>>> Apr 16 09:13:52 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] Updating locationlog from accounting request (pf::api::handle_accounting_metadata)
>>>>
>>>> And here's from yesterday during that 15:40 timeframe if that helps:
>>>>
>>>> Apr 15 15:40:15 gatekeeper packetfence: pfperl-api(2161) INFO: Using 300 resolution threshold (pf::pfcron::task::cluster_check::run)
>>>> Apr 15 15:40:15 gatekeeper packetfence: pfperl-api(2161) INFO: All cluster members are running the same configuration version (pf::pfcron::task::cluster_check::run)
>>>> Apr 15 15:40:15 gatekeeper packetfence: pfperl-api(2162) INFO: getting security_events triggers for accounting cleanup (pf::accounting::acct_maintenance)
>>>> Apr 15 15:40:42 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>>> Apr 15 15:40:43 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>>> Apr 15 15:40:43 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>>> Apr 15 15:40:43 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>>> Apr 15 15:40:43 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>>> Apr 15 15:40:43 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>>> Apr 15 15:40:43 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>>> Apr 15 15:40:43 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] RADIUS request contains more than one realm. Keeping the first one 'null' (pf::radius::_parseRequest)
>>>> Apr 15 15:40:43 gatekeeper packetfence_httpd.aaa: httpd.aaa(2054) INFO: [mac:58:cb:52:37:5d:ab] Updating locationlog from accounting request (pf::api::handle_accounting_metadata)
>>>> Apr 15 15:41:04 gatekeeper pfqueue: pfqueue(17589) WARN: [mac:00:25:90:87:e9:50] Unable to pull accounting history for device 00:25:90:87:e9:50. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
>>>>
>>>> Joshua Nathan
>>>>
>>>> On Thu, Apr 15, 2021 at 3:52 PM Ludovic Zammit <lzam...@inverse.ca> wrote:
>>>> Hello Nathan,
>>>>
>>>> Show me the output of:
>>>>
>>>> grep 58:cb:52:37:5d:ab /usr/local/pf/logs/packetfence.log
>>>>
>>>> Thanks,
>>>>
>>>> Ludovic Zammit
>>>> lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
>>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>>>>
>>>>> On Apr 15, 2021, at 9:48 AM, Nathan, Josh via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>>>>>
>>>>> Hello,
>>>>>
>>>>> So, I'm trying to configure a 10.2 Zen version of PF. Our user authentication happens via RADIUS. So I configured our RADIUS server under the "Internal Sources" section, and everything is now "mostly" working. My devices authenticate, but the Authentication Rules don't seem to be taking effect.
>>>>>
>>>>> When I try using the debug command for RADIUS (raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3600), here's what I get. There must be a setting I'm missing somewhere. The packetfence.log file is effectively silent on the issue.
>>>>>
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: rest: Processing response header
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: rest: Status : 200 (OK)
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: rest: Type : json (application/json)
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: rest: Parsing attribute "control:PacketFence-Authorization-Status"
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: rest: EXPAND allow
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: rest: --> allow
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: rest: PacketFence-Authorization-Status := "allow"
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: [rest] = updated
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap: Peer sent EAP Response (code 2) ID 56 length 46
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap: Continuing tunnel setup
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: [eap] = ok
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: } # authorize = ok
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: Found Auth-Type = eap
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: authenticate {
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap: Expiring EAP session with state 0xce6b3ab6c75323c5
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap: Finished EAP session with state 0xce6b3ab6c75323c5
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap: Previous EAP request found for state 0xce6b3ab6c75323c5, released from the list
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap: Peer sent packet with method EAP PEAP (25)
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap: Calling submodule eap_peap to process data
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap_peap: Continuing EAP-TLS
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap_peap: [eaptls verify] = ok
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap_peap: Done initial handshake
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap_peap: [eaptls process] = ok
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap_peap: Session established. Decoding tunneled attributes
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap_peap: PEAP state send tlv success
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap_peap: Received EAP-TLV response
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap_peap: Success
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap_peap: Using saved attributes from the original Access-Accept
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap_peap: User-Name = "josh.nathan"
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap: Sending EAP Success (code 3) ID 56 length 4
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: eap: Freeing handler
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: [eap] = ok
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: } # authenticate = ok
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: # Executing section post-auth from file /usr/local/pf/raddb/sites-enabled/packetfence
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: post-auth {
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: update {
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: EXPAND %{Packet-Src-IP-Address}
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: --> 172.20.50.76
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: EXPAND %{Packet-Dst-IP-Address}
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: --> 172.20.104.31
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: } # update = noop
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: policy packetfence-set-tenant-id {
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: EXPAND %{%{control:PacketFence-Tenant-Id}:-0}
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: --> 1
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> FALSE
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: if ( &control:PacketFence-Tenant-Id == 0 ) {
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: if ( &control:PacketFence-Tenant-Id == 0 ) -> FALSE
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: } # policy packetfence-set-tenant-id = noop
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: if ("%{%{control:PacketFence-Proxied-From}:-False}" == "True") {
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: EXPAND %{%{control:PacketFence-Proxied-From}:-False}
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: --> False
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: if ("%{%{control:PacketFence-Proxied-From}:-False}" == "True") -> FALSE
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) {
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) -> FALSE
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: attr_filter.packetfence_post_auth: EXPAND %{User-Name}
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: attr_filter.packetfence_post_auth: --> josh.nathan
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: attr_filter.packetfence_post_auth: Matched entry DEFAULT at line 10
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: [attr_filter.packetfence_post_auth] = updated
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: linelog: EXPAND messages.%{%{reply:Packet-Type}:-default}
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: linelog: --> messages.Access-Accept
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: linelog: EXPAND [mac:%{Calling-Station-Id}] Accepted user: %{reply:User-Name} and returned VLAN %{reply:Tunnel-Private-Group-ID}
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: linelog: --> [mac:58:cb:52:37:5d:ab] Accepted user: josh.nathan and returned VLAN
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: [linelog] = ok
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: } # post-auth = updated
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: Sent Access-Accept Id 229 from 172.20.104.31:1812 to 172.20.50.76:40485 length 0
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: User-Name = "josh.nathan"
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: MS-MPPE-Recv-Key = 0x600da060c2faa9fdf49eb732f5110f438b5d71f66e661345f268bf24252e85c3
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: MS-MPPE-Send-Key = 0x8d6d99afd78af3ebade3b3869adc9ceef8f9782d323d553bce8cf5c1511d05d1
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: EAP-Message = 0x03380004
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: Message-Authenticator = 0x00000000000000000000000000000000
>>>>> (327) Thu Apr 15 15:40:43 2021: Debug: Finished request
>>>>> (317) Thu Apr 15 15:40:44 2021: Debug: Cleaning up request packet ID 219 with timestamp +4564
>>>>> (318) Thu Apr 15 15:40:44 2021: Debug: Cleaning up request packet ID 220 with timestamp +4564
>>>>> (319) Thu Apr 15 15:40:44 2021: Debug: Cleaning up request packet ID 221 with timestamp +4564
>>>>> (328) Thu Apr 15 15:40:45 2021: Debug: Received Status-Server Id 161 from 127.0.0.1:45116 to 127.0.0.1:18121 length 50
>>>>> (328) Thu Apr 15 15:40:45 2021: Debug: Message-Authenticator = 0x0630aabb861db1ebd2a0892a5d55941e
>>>>> (328) Thu Apr 15 15:40:45 2021: Debug: FreeRADIUS-Statistics-Type = 15
>>>>> (328) Thu Apr 15 15:40:45 2021: Debug: # Executing group from file /usr/local/pf/raddb/sites-enabled/status
>>>>> (328) Thu Apr 15 15:40:45 2021: Debug: Autz-Type Status-Server {
>>>>> (328) Thu Apr 15 15:40:45 2021: Debug: [ok] = ok
>>>>> (328) Thu Apr 15 15:40:45 2021: Debug: } # Autz-Type Status-Server = ok
>>>>> (328) Thu Apr 15 15:40:45 2021: Debug: Sent Access-Accept Id 161 from 127.0.0.1:18121 to 127.0.0.1:45116 length 0
>>>>>
>>>>>
>>>>> Thank you for any guidance you can give!
>>>>> >>>>> >>>>> Joshua Nathan >>>>> IT Supervisor >>>>> Black Forest Academy >>>>> >>>>> p: +49 (0) 7626 9161 631 m: +49 (0) 152 3452 0056 >>>>> a: >>>>> w: Hammersteiner Straße 50, 79400 Kandern >>>>> bfacademy.de >>>>> <https://urldefense.com/v3/__http://bfacademy.de/__;!!GjvTz_vk!Gh7_gb4ulBDLBsfliq32776EAGf4dgeMb6C4VmGLDzKUEgQ50QhydedmISt3FAmr$> >>>>> >>>>> >>>>> _______________________________________________ >>>>> PacketFence-users mailing list >>>>> PacketFence-users@lists.sourceforge.net >>>>> <mailto:PacketFence-users@lists.sourceforge.net> >>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users >>>>> <https://urldefense.com/v3/__https://lists.sourceforge.net/lists/listinfo/packetfence-users__;!!GjvTz_vk!Gh7_gb4ulBDLBsfliq32776EAGf4dgeMb6C4VmGLDzKUEgQ50QhydedmIW82ehl3$> >>>> >>> >> >> <radiusdebug.log><RadiusAuditLogs.png> >