Hello Cristian, thanks for the report. On my side I was able to replicate the issue and I pushed a fix in the maintenance branch. So you can run /usr/local/pf/addons/pf-main.pl and restart the httpd.aaa service.
Regards
Fabrice

On Tue, 27 Apr 2021 at 11:00, Cristian Mammoli via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
> Hi, I noticed that after the upgrade to 10.3 I can authenticate to the devices' CLI with any password (!!!!)
> I reverted to 10.2 and it works correctly:
>
> auth.conf:
> [apra-user-auth-dc01]
> cache_match=0
> realms=apra,apra.it,default,null
> basedn=dc=apra,dc=it
> password=xxxxxxxxxxxxxxxxxxxx
> set_access_level_action=
> scope=sub
> email_attribute=mail
> usernameattribute=sAMAccountName
> connection_timeout=5
> binddn=cn=packetfence,cn=Users,dc=apra,dc=it
> encryption=starttls
> port=389
> description=Apra User authentication
> host=192.168.0.7,192.168.0.76
> type=AD
> read_timeout=10
> write_timeout=5
> monitor=1
> dynamic_routing_module=AuthModule
> shuffle=1
> searchattributes=
> set_access_durations_action=
>
> [apra-user-auth-dc01 rule Administrator]
> action0=set_access_level=ALL
> condition0=memberOf,equals,CN=Apra Admins,OU=Admins,OU=Utenti,DC=apra,DC=it
> status=enabled
> match=any
> condition1=sAMAccountName,equals,nms
> class=administration
> action1=mark_as_sponsor=1
>
> [group switch_jesi_accesso]
> description=Switch Jesi Accesso
> VoIPEnabled=Y
> registrationVlan=112
> SNMPCommunityWrite=xxxxxxxxxxxxxxxx
> guestVlan=99
> deauthMethod=RADIUS
> type=Cisco::Catalyst_2960
> employeesVlan=24
> isolationVlan=113
> radiusSecret=xxxxxxxxxxxxxxxxxxxx
> SNMPVersion=2c
> consultantsVlan=24
> voiceVlan=14
> machineauthVlan=24
> defaultVlan=1
> staff_itVlan=24
> printersVlan=1
> ap_managementVlan=-1
> videosorveglianzaVlan=21
> always_trigger=1
> cliAccess=Y
> adiacentVlan=17
> uplink_dynamic=0
>
> As long as a user is a member of "CN=Apra Admins,OU=Admins,OU=Utenti,DC=apra,DC=it", any password is accepted, on any type of switch.
>
> This is a log from 10.3 (with wrong password):
> Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) WARN: [mac:58:03:fb:51:bc:35] Trying to match IP address with an invalid MAC address 'undef' (pf::ip4log::mac2ip)
> Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO: [mac:58:03:fb:51:bc:35] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
> Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO: [mac:58:03:fb:51:bc:35] Found authentication source(s) : 'local,apra-machine-auth-dc01,apra-user-auth-dc01' for realm 'null' (pf::config::util::filter_authentication_sources)
> Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO: [mac:58:03:fb:51:bc:35] Using sources local, apra-machine-auth-dc01, apra-user-auth-dc01 for matching (pf::authentication::match2)
> Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) WARN: [mac:58:03:fb:51:bc:35] [apra-user-auth-dc01 Administrator] Searching for (&(sAMAccountName=c.mammoli.adm)(|(memberOf=CN=Apra Admins,OU=Admins,OU=Utenti,DC=apra,DC=it)(sAMAccountName=nms))), from dc=apra,dc=it, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
> Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO: [mac:58:03:fb:51:bc:35] LDAP testing connection (pf::LDAP::expire_if)
> Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO: [mac:58:03:fb:51:bc:35] Matched rule (Administrator) in source apra-user-auth-dc01, returning actions. (pf::Authentication::Source::match_rule)
> Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO: [mac:58:03:fb:51:bc:35] Matched rule (Administrator) in source apra-user-auth-dc01, returning actions. (pf::Authentication::Source::match)
> Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO: [mac:58:03:fb:51:bc:35] User c.mammoli.adm logged in 192.168.16.48 with write access (pf::Switch::Cisco::returnAuthorizeWrite)
>
> 10.2 (wrong password):
> Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) WARN: [mac:d0:22:be:5f:2c:35] Trying to match IP address with an invalid MAC address 'undef' (pf::ip4log::mac2ip)
> Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO: [mac:d0:22:be:5f:2c:35] Found authentication source(s) : 'local,apra-machine-auth-dc01,apra-user-auth-dc01' for realm 'null' (pf::config::util::filter_authentication_sources)
> Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) WARN: [mac:d0:22:be:5f:2c:35] Use of uninitialized value in numeric ne (!=) at /usr/local/pf/lib/pf/radius.pm line 921.
> Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) WARN: [mac:d0:22:be:5f:2c:35] Use of uninitialized value in numeric ne (!=) at /usr/local/pf/lib/pf/radius.pm line 921.
> Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO: [mac:d0:22:be:5f:2c:35] LDAP testing connection (pf::LDAP::expire_if)
> Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) WARN: [mac:d0:22:be:5f:2c:35] [apra-machine-auth-dc01] No entries found (0) with filter (servicePrincipalName=c.mammoli.adm) from dc=apra,dc=it on 192.168.0.7:389 (pf::Authentication::Source::LDAPSource::authenticate)
> Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO: [mac:d0:22:be:5f:2c:35] LDAP testing connection (pf::LDAP::expire_if)
> Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) WARN: [mac:d0:22:be:5f:2c:35] [apra-user-auth-dc01] User CN=Cristian Mammoli Adm,OU=Admins,OU=Utenti,DC=apra,DC=it cannot bind from dc=apra,dc=it on 192.168.0.7:389 (pf::Authentication::Source::LDAPSource::authenticate)
> Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO: [mac:d0:22:be:5f:2c:35] User c.mammoli.adm tried to login in 192.168.16.48 but authentication failed (pf::radius::switch_access)
>
> 10.3 (correct password):
> Apr 27 16:53:48 srvpf packetfence_httpd.aaa: httpd.aaa(2555) WARN: [mac:f4:60:e2:c9:03:ec] Trying to match IP address with an invalid MAC address 'undef' (pf::ip4log::mac2ip)
> Apr 27 16:53:48 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO: [mac:f4:60:e2:c9:03:ec] Found authentication source(s) : 'local,apra-machine-auth-dc01,apra-user-auth-dc01' for realm 'null' (pf::config::util::filter_authentication_sources)
> Apr 27 16:53:48 srvpf packetfence_httpd.aaa: httpd.aaa(2555) WARN: [mac:f4:60:e2:c9:03:ec] Use of uninitialized value in numeric ne (!=) at /usr/local/pf/lib/pf/radius.pm line 921.
> Apr 27 16:53:48 srvpf packetfence_httpd.aaa: httpd.aaa(2555) WARN: [mac:f4:60:e2:c9:03:ec] Use of uninitialized value in numeric ne (!=) at /usr/local/pf/lib/pf/radius.pm line 921.
> Apr 27 16:53:48 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO: [mac:f4:60:e2:c9:03:ec] LDAP testing connection (pf::LDAP::expire_if)
> Apr 27 16:53:48 srvpf packetfence_httpd.aaa: httpd.aaa(2555) WARN: [mac:f4:60:e2:c9:03:ec] [apra-machine-auth-dc01] No entries found (0) with filter (servicePrincipalName=c.mammoli.adm) from dc=apra,dc=it on 192.168.0.7:389 (pf::Authentication::Source::LDAPSource::authenticate)
> Apr 27 16:53:48 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO: [mac:f4:60:e2:c9:03:ec] LDAP testing connection (pf::LDAP::expire_if)
> Apr 27 16:53:48 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO: [mac:f4:60:e2:c9:03:ec] [apra-user-auth-dc01] Authentication successful for c.mammoli.adm (pf::Authentication::Source::LDAPSource::authenticate)
> Apr 27 16:53:48 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO: [mac:f4:60:e2:c9:03:ec] Authentication successful for c.mammoli.adm in source apra-user-auth-dc01 (AD) (pf::authentication::authenticate)
> Apr 27 16:53:48 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO: [mac:f4:60:e2:c9:03:ec] Using sources apra-user-auth-dc01 for matching (pf::authentication::match2)
> Apr 27 16:53:48 srvpf packetfence_httpd.aaa: httpd.aaa(2555) WARN: [mac:f4:60:e2:c9:03:ec] [apra-user-auth-dc01 Administrator] Searching for (&(sAMAccountName=c.mammoli.adm)(|(memberOf=CN=Apra Admins,OU=Admins,OU=Utenti,DC=apra,DC=it)(sAMAccountName=nms))), from dc=apra,dc=it, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
> Apr 27 16:53:48 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO: [mac:f4:60:e2:c9:03:ec] LDAP testing connection (pf::LDAP::expire_if)
> Apr 27 16:53:48 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO: [mac:f4:60:e2:c9:03:ec] Matched rule (Administrator) in source apra-user-auth-dc01, returning actions. (pf::Authentication::Source::match_rule)
> Apr 27 16:53:48 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO: [mac:f4:60:e2:c9:03:ec] Matched rule (Administrator) in source apra-user-auth-dc01, returning actions. (pf::Authentication::Source::match)
> Apr 27 16:53:48 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO: [mac:f4:60:e2:c9:03:ec] User c.mammoli.adm logged in 192.168.16.48 with write access (pf::Switch::Cisco::returnAuthorizeWrite)
> Apr 27 16:53:48 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO: [mac:f4:60:e2:c9:03:ec] Match rule set_enable_perm_in_radius_reponse (pf::access_filter::radius::test)
>
> Dumping LDAP traffic on 10.3 I only see a search request for my username, no binds...
>
> --
>
> *Cristian Mammoli*
> Network and Computer Systems Administrator
>
> T. +39 0731719822
> www.apra.it
>
> *Notice on the protection of confidential information.* This message was sent by Apra spa or by one of the companies of the Group. It and any attachments may contain highly confidential information. If you are not the intended recipients, please inform us immediately by the same means and delete the message and any attachments without retaining a copy.
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
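The failure mode in the report is that the 10.3 source only searches for the user and evaluates the memberOf rule, whereas the 10.2 trace shows a bind as the found DN ("cannot bind" with a wrong password). The following is an added example, not PacketFence code and not from anyone in the thread: it models the two flows against a small in-memory directory (a hypothetical `FakeLdapServer`; all DNs, passwords and names in it are constructed) so the difference is visible. It also covers the classic adjacent trap, an LDAP simple bind with an empty password, which RFC 4513 treats as an unauthenticated bind and which the correct flow must reject.

```python
"""Search-only vs search-then-bind LDAP authentication (added example).

A hypothetical in-memory directory stands in for the AD server. The
behaviour modelled is the one the thread describes: a source that only
searches for the user and matches a memberOf rule accepts any password,
while a source that binds as the found DN with the supplied password
does not. Nothing here talks to a real LDAP server.
"""

# Constructed sample directory: DN -> attributes. The "_password" field is
# an artefact of the simulation; a real directory never exposes it.
DIRECTORY = {
    "CN=Cristian Mammoli Adm,OU=Admins,OU=Utenti,DC=apra,DC=it": {
        "sAMAccountName": "c.mammoli.adm",
        "memberOf": ["CN=Apra Admins,OU=Admins,OU=Utenti,DC=apra,DC=it"],
        "_password": "correct-horse",  # constructed
    },
    "CN=Some User,OU=Utenti,DC=apra,DC=it": {
        "sAMAccountName": "someuser",
        "memberOf": [],
        "_password": "another-password",  # constructed
    },
}

ADMIN_GROUP = "CN=Apra Admins,OU=Admins,OU=Utenti,DC=apra,DC=it"


class FakeLdapServer:
    """Minimal stand-in for an LDAP server offering search and simple bind."""

    def __init__(self, directory):
        self.directory = directory

    def search(self, username_attr, username):
        """Return (dn, attrs) for the entry whose attribute equals username,
        or None. This is all the 10.3 trace shows being sent to the server."""
        for dn, attrs in self.directory.items():
            if attrs.get(username_attr) == username:
                return dn, attrs
        return None

    def bind(self, dn, password):
        """Simple bind. A DN with an empty password is an unauthenticated
        bind (RFC 4513 section 5.1.2): many servers accept it, so the caller
        must never treat it as proof of identity."""
        if password == "":
            return "unauthenticated"
        entry = self.directory.get(dn)
        if entry is None or entry["_password"] != password:
            return "invalidCredentials"
        return "success"


def search_only_auth(server, username, password):
    """Broken flow: find the user, check group membership, never bind with
    the user's password. The password argument is ignored, which is the
    defect the thread reports."""
    found = server.search("sAMAccountName", username)
    if found is None:
        return False
    _, attrs = found
    return ADMIN_GROUP in attrs["memberOf"]


def search_then_bind_auth(server, username, password):
    """Correct flow: find the DN, bind as that DN with the supplied password
    (only "success" counts), and only then evaluate the admin rule."""
    found = server.search("sAMAccountName", username)
    if found is None:
        return False
    dn, attrs = found
    if server.bind(dn, password) != "success":
        return False
    return ADMIN_GROUP in attrs["memberOf"]


if __name__ == "__main__":
    server = FakeLdapServer(DIRECTORY)
    for flow in (search_only_auth, search_then_bind_auth):
        print(flow.__name__, "wrong password ->",
              flow(server, "c.mammoli.adm", "not-the-password"))
```

The useful check when reviewing any LDAP-backed login path is the one Cristian did at the wire: a packet capture of a failed login must show a BindRequest for the user's DN followed by an invalidCredentials BindResponse. A trace that contains only a SearchRequest means the password was never evaluated, regardless of what the application log says about matched rules.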
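The three traces above also give a detection signal: in the 10.3 wrong-password trace the "User ... logged in ... with write access" line appears without any "Authentication successful for ... in source ..." line for the same request, whereas the correct-password trace has both. The following added example (not part of the thread, and not a PacketFence tool) runs that check over constructed log lines modelled on the httpd.aaa output, correlating records by the bracketed `[mac:...]` tag that the traces show on every line of one request; the assumption that this tag is stable for the lifetime of a request, and the regexes, are the example's own.

```python
import re

# Constructed log lines modelled on the thread's httpd.aaa output (the
# first MAC's request grants write access with no authentication line;
# the second has both; the third is a plain failure).
SAMPLE_LOG = """\
Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO: [mac:58:03:fb:51:bc:35] Matched rule (Administrator) in source apra-user-auth-dc01, returning actions. (pf::Authentication::Source::match)
Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO: [mac:58:03:fb:51:bc:35] User c.mammoli.adm logged in 192.168.16.48 with write access (pf::Switch::Cisco::returnAuthorizeWrite)
Apr 27 16:53:48 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO: [mac:f4:60:e2:c9:03:ec] Authentication successful for c.mammoli.adm in source apra-user-auth-dc01 (AD) (pf::authentication::authenticate)
Apr 27 16:53:48 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO: [mac:f4:60:e2:c9:03:ec] User c.mammoli.adm logged in 192.168.16.48 with write access (pf::Switch::Cisco::returnAuthorizeWrite)
Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO: [mac:d0:22:be:5f:2c:35] User c.mammoli.adm tried to login in 192.168.16.48 but authentication failed (pf::radius::switch_access)
"""

# One httpd.aaa record: timestamp, host, program, pid, level, request tag, message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ \S+ httpd\.aaa\((?P<pid>\d+)\) "
    r"(?P<level>\w+): \[mac:(?P<mac>[0-9a-f:]{17})\] (?P<msg>.*)$"
)
# The line pf::authentication::authenticate emits after a successful bind.
SUCCESS_RE = re.compile(r"^Authentication successful for (?P<user>\S+) in source (?P<source>\S+)")
# The line the switch module emits when CLI access is granted.
LOGIN_RE = re.compile(r"^User (?P<user>\S+) logged in (?P<device>\S+) with (?P<access>read|write) access")


def find_unauthenticated_logins(log_text):
    """Return (mac, user, device, access) for each granted CLI login that was
    not preceded by an 'Authentication successful' record carrying the same
    request tag and user. A non-empty result is the pattern of the 10.3
    wrong-password trace."""
    authenticated = set()  # (mac, user) pairs that passed authentication
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an httpd.aaa record; skip
        mac, msg = m["mac"], m["msg"]
        ok = SUCCESS_RE.match(msg)
        if ok:
            authenticated.add((mac, ok["user"]))
            continue
        login = LOGIN_RE.match(msg)
        if login and (mac, login["user"]) not in authenticated:
            findings.append((mac, login["user"], login["device"], login["access"]))
    return findings


if __name__ == "__main__":
    for finding in find_unauthenticated_logins(SAMPLE_LOG):
        print("CLI access granted without authentication:", finding)
```

Run against the real packetfence.log this is a cheap regression check for the fix Fabrice pushed: after the maintenance-branch update every write-access login in the log should be paired with its authentication line, and a wrong-password attempt should again produce the "tried to login ... but authentication failed" record seen in the 10.2 trace.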