Re: [PacketFence-users] Post-Auth for RADIUS

Nathan, Josh via PacketFence-users Thu, 06 May 2021 02:21:42 -0700

Is there any way to get PacketFence to do any other debug logs?  Without
anything showing in either packetfence.log or the audit logs via the
console, I feel like I'm up a creek without a paddle.  What are my options?


With my 9.0 install, everything works fine except for Pixel devices (and I
don't want to mess with my production server too much to try and modify it).

Now with 10.2, my Pixel device connects, but I don't get any real logging
or VLAN assignments (the whole reason I want to use PF).

Joshua Nathan
*IT Supervisor*
Black Forest Academy

p: +49 (0) 7626 9161 631 m: +49 (0) 152 3452 0056
a:
w: Hammersteiner Straße 50, 79400 Kandern
bfacademy.de




On Fri, Apr 30, 2021 at 1:56 PM Nathan, Josh <josh.nat...@bfacademy.de>
wrote:

> I don't know if it helps, but I'm doing PEAP authentication with
> MSCHAPv2.  I tried using the Provisioner, but that doesn't work from my
> Pixel 3a.  So I'm just manually putting in the connection information.  I
> do have a legit certificate.  And of course, the phone is authenticating...
> it's just that the post-auth (post-proxy?) isn't assigning the VLAN.
>
> I did have this working in PF 9.0, except that now my Pixel 3a phone won't
> connect to that, even when it has a legit certificate.
>
> Joshua Nathan
> *IT Supervisor*
> Black Forest Academy
>
> p: +49 (0) 7626 9161 631 m: +49 (0) 152 3452 0056
> a:
> w: Hammersteiner Straße 50, 79400 Kandern
> bfacademy.de
>
>
>
>
> On Mon, Apr 26, 2021 at 3:51 PM Nathan, Josh <josh.nat...@bfacademy.de>
> wrote:
>
>> Hello Ludovic,
>>
>> OK, I made those changes, then did a "pfcmd service pf restart".
>>
>> No dice.  Exact same results.  Here's the end of the raddebug again in
>> case that helps.  Still nothing in packetfence.log.
>>
>> (17) Mon Apr 26 15:46:04 2021: Debug: Received Access-Request Id 93 from
>> 172.20.50.76:43555 to 172.20.104.31:1812 length 277
>> (17) Mon Apr 26 15:46:04 2021: Debug:   User-Name = "josh.nathan"
>> (17) Mon Apr 26 15:46:04 2021: Debug:   NAS-Identifier = "66d9e7f8b8a4"
>> (17) Mon Apr 26 15:46:04 2021: Debug:   Called-Station-Id =
>> "66-D9-E7-F8-B8-A4:BFA-EAP-Test"
>> (17) Mon Apr 26 15:46:04 2021: Debug:   NAS-Port-Type = Wireless-802.11
>> (17) Mon Apr 26 15:46:04 2021: Debug:   Service-Type = Framed-User
>> (17) Mon Apr 26 15:46:04 2021: Debug:   Calling-Station-Id =
>> "58-CB-52-37-5D-AB"
>> (17) Mon Apr 26 15:46:04 2021: Debug:   Connect-Info = "CONNECT 0Mbps
>> 802.11b"
>> (17) Mon Apr 26 15:46:04 2021: Debug:   Acct-Session-Id =
>> "52DAD7D4BB763411"
>> (17) Mon Apr 26 15:46:04 2021: Debug:   Acct-Multi-Session-Id =
>> "DBEED5366DD430AE"
>> (17) Mon Apr 26 15:46:04 2021: Debug:   WLAN-Pairwise-Cipher = 1027076
>> (17) Mon Apr 26 15:46:04 2021: Debug:   WLAN-Group-Cipher = 1027076
>> (17) Mon Apr 26 15:46:04 2021: Debug:   WLAN-AKM-Suite = 1027073
>> (17) Mon Apr 26 15:46:04 2021: Debug:   Framed-MTU = 1400
>> (17) Mon Apr 26 15:46:04 2021: Debug:   EAP-Message =
>> 0x02e4002e1900170303002300000000000000057749b9bde9be1ec64f7c9567e2867e5dc1d76f261821842d90f500
>> (17) Mon Apr 26 15:46:04 2021: Debug:   State =
>> 0xacaf705da54b69970120abcaacda4228
>> (17) Mon Apr 26 15:46:04 2021: Debug:   Message-Authenticator =
>> 0x0bed628cf8ff12e2250c3de6e9c1cc45
>> (17) Mon Apr 26 15:46:04 2021: Debug: Restoring &session-state
>> (17) Mon Apr 26 15:46:04 2021: Debug:
>> &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
>> (17) Mon Apr 26 15:46:04 2021: Debug:
>> &session-state:TLS-Session-Version = "TLS 1.2"
>> (17) Mon Apr 26 15:46:04 2021: Debug: # Executing section authorize from
>> file /usr/local/pf/raddb/sites-enabled/packetfence
>> (17) Mon Apr 26 15:46:04 2021: Debug:   authorize {
>> (17) Mon Apr 26 15:46:04 2021: Debug:     policy
>> packetfence-nas-ip-address {
>> (17) Mon Apr 26 15:46:04 2021: Debug:       if (!NAS-IP-Address ||
>> NAS-IP-Address == "0.0.0.0"){
>> (17) Mon Apr 26 15:46:04 2021: Debug:       if (!NAS-IP-Address ||
>> NAS-IP-Address == "0.0.0.0") -> TRUE
>> (17) Mon Apr 26 15:46:04 2021: Debug:       if (!NAS-IP-Address ||
>> NAS-IP-Address == "0.0.0.0") {
>> (17) Mon Apr 26 15:46:04 2021: Debug:         update request {
>> (17) Mon Apr 26 15:46:04 2021: Debug:           EXPAND
>> %{Packet-Src-IP-Address}
>> (17) Mon Apr 26 15:46:04 2021: Debug:              --> 172.20.50.76
>> (17) Mon Apr 26 15:46:04 2021: Debug:         } # update request = noop
>> (17) Mon Apr 26 15:46:04 2021: Debug:       } # if (!NAS-IP-Address ||
>> NAS-IP-Address == "0.0.0.0") = noop
>> (17) Mon Apr 26 15:46:04 2021: Debug:     } # policy
>> packetfence-nas-ip-address = noop
>> (17) Mon Apr 26 15:46:04 2021: Debug:     update {
>> (17) Mon Apr 26 15:46:04 2021: Debug:       EXPAND
>> %{Packet-Src-IP-Address}
>> (17) Mon Apr 26 15:46:04 2021: Debug:          --> 172.20.50.76
>> (17) Mon Apr 26 15:46:04 2021: Debug:       EXPAND
>> %{Packet-Dst-IP-Address}
>> (17) Mon Apr 26 15:46:04 2021: Debug:          --> 172.20.104.31
>> (17) Mon Apr 26 15:46:04 2021: Debug:       EXPAND %l
>> (17) Mon Apr 26 15:46:04 2021: Debug:          --> 1619444764
>> (17) Mon Apr 26 15:46:04 2021: Debug:     } # update = noop
>> (17) Mon Apr 26 15:46:04 2021: Debug:     policy
>> packetfence-set-realm-if-machine {
>> (17) Mon Apr 26 15:46:04 2021: Debug:       if (User-Name =~
>> /host\/([a-z0-9_-]*)[\.](.*)/i) {
>> (17) Mon Apr 26 15:46:04 2021: Debug:       if (User-Name =~
>> /host\/([a-z0-9_-]*)[\.](.*)/i)  -> FALSE
>> (17) Mon Apr 26 15:46:04 2021: Debug:     } # policy
>> packetfence-set-realm-if-machine = noop
>> (17) Mon Apr 26 15:46:04 2021: Debug:     policy
>> packetfence-balanced-key-policy {
>> (17) Mon Apr 26 15:46:04 2021: Debug:       if (&PacketFence-KeyBalanced
>> && (&PacketFence-KeyBalanced =~ /^(.*)(.)$/i)) {
>> (17) Mon Apr 26 15:46:04 2021: Debug:       if (&PacketFence-KeyBalanced
>> && (&PacketFence-KeyBalanced =~ /^(.*)(.)$/i))  -> FALSE
>> (17) Mon Apr 26 15:46:04 2021: Debug:       else {
>> (17) Mon Apr 26 15:46:04 2021: Debug:         update {
>> (17) Mon Apr 26 15:46:04 2021: Debug:           EXPAND
>> %{md5:%{Calling-Station-Id}%{User-Name}}
>> (17) Mon Apr 26 15:46:04 2021: Debug:              -->
>> 50bc5046614b032967fc88f562a08c92
>> (17) Mon Apr 26 15:46:04 2021: Debug:           EXPAND
>> %{md5:%{Calling-Station-Id}%{User-Name}}
>> (17) Mon Apr 26 15:46:04 2021: Debug:              -->
>> 50bc5046614b032967fc88f562a08c92
>> (17) Mon Apr 26 15:46:04 2021: Debug:         } # update = noop
>> (17) Mon Apr 26 15:46:04 2021: Debug:       } # else = noop
>> (17) Mon Apr 26 15:46:04 2021: Debug:     } # policy
>> packetfence-balanced-key-policy = noop
>> (17) Mon Apr 26 15:46:04 2021: Debug:     policy
>> packetfence-set-tenant-id {
>> (17) Mon Apr 26 15:46:04 2021: Debug:       if (!NAS-IP-Address ||
>> NAS-IP-Address == "0.0.0.0"){
>> (17) Mon Apr 26 15:46:04 2021: Debug:       if (!NAS-IP-Address ||
>> NAS-IP-Address == "0.0.0.0") -> FALSE
>> (17) Mon Apr 26 15:46:04 2021: Debug:       if (
>> "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
>> (17) Mon Apr 26 15:46:04 2021: Debug:       EXPAND
>> %{%{control:PacketFence-Tenant-Id}:-0}
>> (17) Mon Apr 26 15:46:04 2021: Debug:          --> 0
>> (17) Mon Apr 26 15:46:04 2021: Debug:       if (
>> "%{%{control:PacketFence-Tenant-Id}:-0}" == "0")  -> TRUE
>> (17) Mon Apr 26 15:46:04 2021: Debug:       if (
>> "%{%{control:PacketFence-Tenant-Id}:-0}" == "0")  {
>> (17) Mon Apr 26 15:46:04 2021: Debug:         update control {
>> (17) Mon Apr 26 15:46:04 2021: Debug:           EXPAND %{User-Name}
>> (17) Mon Apr 26 15:46:04 2021: Debug:              --> josh.nathan
>> (17) Mon Apr 26 15:46:04 2021: Debug:           SQL-User-Name set to
>> 'josh.nathan'
>> (17) Mon Apr 26 15:46:04 2021: Debug:           Executing select query:
>>  SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname =
>> '172.20.50.76'), 0)
>> (17) Mon Apr 26 15:46:04 2021: Debug:           EXPAND %{sql: SELECT
>> IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname =
>> '%{NAS-IP-Address}'), 0)}
>> (17) Mon Apr 26 15:46:04 2021: Debug:              --> 0
>> (17) Mon Apr 26 15:46:04 2021: Debug:         } # update control = noop
>> (17) Mon Apr 26 15:46:04 2021: Debug:       } # if (
>> "%{%{control:PacketFence-Tenant-Id}:-0}" == "0")  = noop
>> (17) Mon Apr 26 15:46:04 2021: Debug:       if (
>> &control:PacketFence-Tenant-Id == 0 ) {
>> (17) Mon Apr 26 15:46:04 2021: Debug:       if (
>> &control:PacketFence-Tenant-Id == 0 )  -> TRUE
>> (17) Mon Apr 26 15:46:04 2021: Debug:       if (
>> &control:PacketFence-Tenant-Id == 0 )  {
>> (17) Mon Apr 26 15:46:04 2021: Debug:         update control {
>> (17) Mon Apr 26 15:46:04 2021: Debug:           EXPAND %{User-Name}
>> (17) Mon Apr 26 15:46:04 2021: Debug:              --> josh.nathan
>> (17) Mon Apr 26 15:46:04 2021: Debug:           SQL-User-Name set to
>> 'josh.nathan'
>> (17) Mon Apr 26 15:46:04 2021: Debug:           Executing select query:
>>  SELECT IFNULL((SELECT tenant_id from radius_nas WHERE start_ip <=
>> INET_ATON('172.20.50.76') and INET_ATON('172.20.50.76') <= end_ip order by
>> range_length limit 1), 1)
>> (17) Mon Apr 26 15:46:04 2021: Debug:           EXPAND %{sql: SELECT
>> IFNULL((SELECT tenant_id from radius_nas WHERE start_ip <=
>> INET_ATON('%{NAS-IP-Address}') and INET_ATON('%{NAS-IP-Address}') <= end_ip
>> order by range_length limit 1), 1)}
>> (17) Mon Apr 26 15:46:04 2021: Debug:              --> 1
>> (17) Mon Apr 26 15:46:04 2021: Debug:         } # update control = noop
>> (17) Mon Apr 26 15:46:04 2021: Debug:       } # if (
>> &control:PacketFence-Tenant-Id == 0 )  = noop
>> (17) Mon Apr 26 15:46:04 2021: Debug:     } # policy
>> packetfence-set-tenant-id = noop
>> (17) Mon Apr 26 15:46:04 2021: Debug:     policy
>> rewrite_calling_station_id {
>> (17) Mon Apr 26 15:46:04 2021: Debug:       if (&Calling-Station-Id &&
>> (&Calling-Station-Id =~
>> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
>> {
>> (17) Mon Apr 26 15:46:04 2021: Debug:       if (&Calling-Station-Id &&
>> (&Calling-Station-Id =~
>> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
>>  -> TRUE
>> (17) Mon Apr 26 15:46:04 2021: Debug:       if (&Calling-Station-Id &&
>> (&Calling-Station-Id =~
>> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
>>  {
>> (17) Mon Apr 26 15:46:04 2021: Debug:         update request {
>> (17) Mon Apr 26 15:46:04 2021: Debug:           EXPAND
>> %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
>> (17) Mon Apr 26 15:46:04 2021: Debug:              --> 58:cb:52:37:5d:ab
>> (17) Mon Apr 26 15:46:04 2021: Debug:         } # update request = noop
>> (17) Mon Apr 26 15:46:04 2021: Debug:         [updated] = updated
>> (17) Mon Apr 26 15:46:04 2021: Debug:       } # if (&Calling-Station-Id
>> && (&Calling-Station-Id =~
>> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
>>  = updated
>> (17) Mon Apr 26 15:46:04 2021: Debug:       ... skipping else: Preceding
>> "if" was taken
>> (17) Mon Apr 26 15:46:04 2021: Debug:     } # policy
>> rewrite_calling_station_id = updated
>> (17) Mon Apr 26 15:46:04 2021: Debug:     policy
>> rewrite_called_station_id {
>> (17) Mon Apr 26 15:46:04 2021: Debug:       if ((&Called-Station-Id) &&
>> (&Called-Station-Id =~
>> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
>> {
>> (17) Mon Apr 26 15:46:04 2021: Debug:       if ((&Called-Station-Id) &&
>> (&Called-Station-Id =~
>> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
>>  -> TRUE
>> (17) Mon Apr 26 15:46:04 2021: Debug:       if ((&Called-Station-Id) &&
>> (&Called-Station-Id =~
>> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
>>  {
>> (17) Mon Apr 26 15:46:04 2021: Debug:         update request {
>> (17) Mon Apr 26 15:46:04 2021: Debug:           EXPAND
>> %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
>> (17) Mon Apr 26 15:46:04 2021: Debug:              --> 66:d9:e7:f8:b8:a4
>> (17) Mon Apr 26 15:46:04 2021: Debug:         } # update request = noop
>> (17) Mon Apr 26 15:46:04 2021: Debug:         if ("%{8}") {
>> (17) Mon Apr 26 15:46:04 2021: Debug:         EXPAND %{8}
>> (17) Mon Apr 26 15:46:04 2021: Debug:            --> BFA-EAP-Test
>> (17) Mon Apr 26 15:46:04 2021: Debug:         if ("%{8}")  -> TRUE
>> (17) Mon Apr 26 15:46:04 2021: Debug:         if ("%{8}")  {
>> (17) Mon Apr 26 15:46:04 2021: Debug:           update request {
>> (17) Mon Apr 26 15:46:04 2021: Debug:             EXPAND
>> %{Called-Station-Id}:%{8}
>> (17) Mon Apr 26 15:46:04 2021: Debug:                -->
>> 66:d9:e7:f8:b8:a4:BFA-EAP-Test
>> (17) Mon Apr 26 15:46:04 2021: Debug:             EXPAND %{8}
>> (17) Mon Apr 26 15:46:04 2021: Debug:                --> BFA-EAP-Test
>> (17) Mon Apr 26 15:46:04 2021: Debug:           } # update request = noop
>> (17) Mon Apr 26 15:46:04 2021: Debug:         } # if ("%{8}")  = noop
>> (17) Mon Apr 26 15:46:04 2021: Debug:         ... skipping elsif:
>> Preceding "if" was taken
>> (17) Mon Apr 26 15:46:04 2021: Debug:         ... skipping elsif:
>> Preceding "if" was taken
>> (17) Mon Apr 26 15:46:04 2021: Debug:         ... skipping elsif:
>> Preceding "if" was taken
>> (17) Mon Apr 26 15:46:04 2021: Debug:         [updated] = updated
>> (17) Mon Apr 26 15:46:04 2021: Debug:       } # if ((&Called-Station-Id)
>> && (&Called-Station-Id =~
>> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
>>  = updated
>> (17) Mon Apr 26 15:46:04 2021: Debug:       ... skipping else: Preceding
>> "if" was taken
>> (17) Mon Apr 26 15:46:04 2021: Debug:     } # policy
>> rewrite_called_station_id = updated
>> (17) Mon Apr 26 15:46:04 2021: Debug:     if ( "%{client:shortname}" =~
>> /eduroam_tlrs/ ) {
>> (17) Mon Apr 26 15:46:04 2021: Debug:     EXPAND %{client:shortname}
>> (17) Mon Apr 26 15:46:04 2021: Debug:        --> 172.20.50.76/32
>> (17) Mon Apr 26 15:46:04 2021: Debug:     if ( "%{client:shortname}" =~
>> /eduroam_tlrs/ )  -> FALSE
>> (17) Mon Apr 26 15:46:04 2021: Debug:     policy filter_username {
>> (17) Mon Apr 26 15:46:04 2021: Debug:       if (&User-Name) {
>> (17) Mon Apr 26 15:46:04 2021: Debug:       if (&User-Name)  -> TRUE
>> (17) Mon Apr 26 15:46:04 2021: Debug:       if (&User-Name)  {
>> (17) Mon Apr 26 15:46:04 2021: Debug:         if (&User-Name =~ / /) {
>> (17) Mon Apr 26 15:46:04 2021: Debug:         if (&User-Name =~ / /)  ->
>> FALSE
>> (17) Mon Apr 26 15:46:04 2021: Debug:         if (&User-Name =~ /@[^@]*@/
>> ) {
>> (17) Mon Apr 26 15:46:04 2021: Debug:         if (&User-Name =~ /@[^@]*@/
>> )  -> FALSE
>> (17) Mon Apr 26 15:46:04 2021: Debug:         if (&User-Name =~ /\.\./ ) {
>> (17) Mon Apr 26 15:46:04 2021: Debug:         if (&User-Name =~ /\.\./ )
>>  -> FALSE
>> (17) Mon Apr 26 15:46:04 2021: Debug:         if ((&User-Name =~ /@/) &&
>> (&User-Name !~ /@(.+)\.(.+)$/))  {
>> (17) Mon Apr 26 15:46:04 2021: Debug:         if ((&User-Name =~ /@/) &&
>> (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
>> (17) Mon Apr 26 15:46:04 2021: Debug:         if (&User-Name =~ /\.$/)  {
>> (17) Mon Apr 26 15:46:04 2021: Debug:         if (&User-Name =~ /\.$/)
>> -> FALSE
>> (17) Mon Apr 26 15:46:04 2021: Debug:         if (&User-Name =~ /@\./)  {
>> (17) Mon Apr 26 15:46:04 2021: Debug:         if (&User-Name =~ /@\./)
>> -> FALSE
>> (17) Mon Apr 26 15:46:04 2021: Debug:       } # if (&User-Name)  = updated
>> (17) Mon Apr 26 15:46:04 2021: Debug:     } # policy filter_username =
>> updated
>> (17) Mon Apr 26 15:46:04 2021: Debug:     policy filter_password {
>> (17) Mon Apr 26 15:46:04 2021: Debug:       if (&User-Password &&
>>  (&User-Password != "%{string:User-Password}")) {
>> (17) Mon Apr 26 15:46:04 2021: Debug:       if (&User-Password &&
>>  (&User-Password != "%{string:User-Password}"))  -> FALSE
>> (17) Mon Apr 26 15:46:04 2021: Debug:     } # policy filter_password =
>> updated
>> (17) Mon Apr 26 15:46:04 2021: Debug:     [preprocess] = ok
>> (17) Mon Apr 26 15:46:04 2021: Debug:     [mschap] = noop
>> (17) Mon Apr 26 15:46:04 2021: Debug: suffix: Checking for suffix after
>> "@"
>> (17) Mon Apr 26 15:46:04 2021: Debug: suffix: No '@' in User-Name =
>> "josh.nathan", skipping NULL due to config.
>> (17) Mon Apr 26 15:46:04 2021: Debug:     [suffix] = noop
>> (17) Mon Apr 26 15:46:04 2021: Debug: ntdomain: Checking for prefix
>> before "\"
>> (17) Mon Apr 26 15:46:04 2021: Debug: ntdomain: No '\' in User-Name =
>> "josh.nathan", looking up realm NULL
>> (17) Mon Apr 26 15:46:04 2021: Debug: ntdomain: Found realm "null"
>> (17) Mon Apr 26 15:46:04 2021: Debug: ntdomain: Adding Stripped-User-Name
>> = "josh.nathan"
>> (17) Mon Apr 26 15:46:04 2021: Debug: ntdomain: Adding Realm = "null"
>> (17) Mon Apr 26 15:46:04 2021: Debug: ntdomain: Authentication realm is
>> LOCAL
>> (17) Mon Apr 26 15:46:04 2021: Debug:     [ntdomain] = ok
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest: Expanding URI components
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest: EXPAND http://127.0.0.1:7070
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest:    --> http://127.0.0.1:7070
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest: EXPAND //radius/rest/filter
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest:    --> //radius/rest/filter
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest: Sending HTTP POST to "
>> http://127.0.0.1:7070//radius/rest/filter";
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest: Encoding attribute "User-Name"
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest: Encoding attribute
>> "NAS-IP-Address"
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest: Encoding attribute
>> "Service-Type"
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest: Encoding attribute
>> "Framed-MTU"
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest: Encoding attribute "State"
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest: Encoding attribute
>> "Called-Station-Id"
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest: Encoding attribute
>> "Calling-Station-Id"
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest: Encoding attribute
>> "NAS-Identifier"
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest: Encoding attribute
>> "NAS-Port-Type"
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest: Encoding attribute
>> "Acct-Session-Id"
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest: Encoding attribute
>> "Acct-Multi-Session-Id"
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest: Encoding attribute
>> "Event-Timestamp"
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest: Encoding attribute
>> "Connect-Info"
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest: Encoding attribute
>> "EAP-Message"
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest: Encoding attribute
>> "Message-Authenticator"
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest: Encoding attribute
>> "WLAN-Pairwise-Cipher"
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest: Encoding attribute
>> "WLAN-Group-Cipher"
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest: Encoding attribute
>> "WLAN-AKM-Suite"
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest: Encoding attribute
>> "Stripped-User-Name"
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest: Encoding attribute "Realm"
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest: Encoding attribute
>> "SQL-User-Name"
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest: Encoding attribute
>> "FreeRADIUS-Client-IP-Address"
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest: Encoding attribute
>> "Called-Station-SSID"
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest: Encoding attribute
>> "PacketFence-KeyBalanced"
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest: Encoding attribute
>> "PacketFence-Radius-Ip"
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest: Processing response header
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest:   Status : 100 (Continue)
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest: Continuing...
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest: Processing response header
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest:   Status : 200 (OK)
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest:   Type   : json
>> (application/json)
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest: Parsing attribute
>> "control:PacketFence-Authorization-Status"
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest: EXPAND allow
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest:    --> allow
>> (17) Mon Apr 26 15:46:04 2021: Debug: rest:
>> PacketFence-Authorization-Status := "allow"
>> (17) Mon Apr 26 15:46:04 2021: Debug:     [rest] = updated
>> (17) Mon Apr 26 15:46:04 2021: Debug: eap: Peer sent EAP Response (code
>> 2) ID 228 length 46
>> (17) Mon Apr 26 15:46:04 2021: Debug: eap: Continuing tunnel setup
>> (17) Mon Apr 26 15:46:04 2021: Debug:     [eap] = ok
>> (17) Mon Apr 26 15:46:04 2021: Debug:   } # authorize = ok
>> (17) Mon Apr 26 15:46:04 2021: Debug: Found Auth-Type = eap
>> (17) Mon Apr 26 15:46:04 2021: Debug: # Executing group from file
>> /usr/local/pf/raddb/sites-enabled/packetfence
>> (17) Mon Apr 26 15:46:04 2021: Debug:   authenticate {
>> (17) Mon Apr 26 15:46:04 2021: Debug: eap: Expiring EAP session with
>> state 0xacaf705da54b6997
>> (17) Mon Apr 26 15:46:04 2021: Debug: eap: Finished EAP session with
>> state 0xacaf705da54b6997
>> (17) Mon Apr 26 15:46:04 2021: Debug: eap: Previous EAP request found for
>> state 0xacaf705da54b6997, released from the list
>> (17) Mon Apr 26 15:46:04 2021: Debug: eap: Peer sent packet with method
>> EAP PEAP (25)
>> (17) Mon Apr 26 15:46:04 2021: Debug: eap: Calling submodule eap_peap to
>> process data
>> (17) Mon Apr 26 15:46:04 2021: Debug: eap_peap: Continuing EAP-TLS
>> (17) Mon Apr 26 15:46:04 2021: Debug: eap_peap: [eaptls verify] = ok
>> (17) Mon Apr 26 15:46:04 2021: Debug: eap_peap: Done initial handshake
>> (17) Mon Apr 26 15:46:04 2021: Debug: eap_peap: [eaptls process] = ok
>> (17) Mon Apr 26 15:46:04 2021: Debug: eap_peap: Session established.
>> Decoding tunneled attributes
>> (17) Mon Apr 26 15:46:04 2021: Debug: eap_peap: PEAP state send tlv
>> success
>> (17) Mon Apr 26 15:46:04 2021: Debug: eap_peap: Received EAP-TLV response
>> (17) Mon Apr 26 15:46:04 2021: Debug: eap_peap: Success
>> (17) Mon Apr 26 15:46:04 2021: Debug: eap_peap: Using saved attributes
>> from the original Access-Accept
>> (17) Mon Apr 26 15:46:04 2021: Debug: eap_peap:   User-Name =
>> "josh.nathan"
>> (17) Mon Apr 26 15:46:04 2021: Debug: eap: Sending EAP Success (code 3)
>> ID 228 length 4
>> (17) Mon Apr 26 15:46:04 2021: Debug: eap: Freeing handler
>> (17) Mon Apr 26 15:46:04 2021: Debug:     [eap] = ok
>> (17) Mon Apr 26 15:46:04 2021: Debug:   } # authenticate = ok
>> (17) Mon Apr 26 15:46:04 2021: Debug: # Executing section post-auth from
>> file /usr/local/pf/raddb/sites-enabled/packetfence
>> (17) Mon Apr 26 15:46:04 2021: Debug:   post-auth {
>> (17) Mon Apr 26 15:46:04 2021: Debug:     update {
>> (17) Mon Apr 26 15:46:04 2021: Debug:       EXPAND
>> %{Packet-Src-IP-Address}
>> (17) Mon Apr 26 15:46:04 2021: Debug:          --> 172.20.50.76
>> (17) Mon Apr 26 15:46:04 2021: Debug:       EXPAND
>> %{Packet-Dst-IP-Address}
>> (17) Mon Apr 26 15:46:04 2021: Debug:          --> 172.20.104.31
>> (17) Mon Apr 26 15:46:04 2021: Debug:     } # update = noop
>> (17) Mon Apr 26 15:46:04 2021: Debug:     policy
>> packetfence-set-tenant-id {
>> (17) Mon Apr 26 15:46:04 2021: Debug:       if (!NAS-IP-Address ||
>> NAS-IP-Address == "0.0.0.0"){
>> (17) Mon Apr 26 15:46:04 2021: Debug:       if (!NAS-IP-Address ||
>> NAS-IP-Address == "0.0.0.0") -> FALSE
>> (17) Mon Apr 26 15:46:04 2021: Debug:       if (
>> "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
>> (17) Mon Apr 26 15:46:04 2021: Debug:       EXPAND
>> %{%{control:PacketFence-Tenant-Id}:-0}
>> (17) Mon Apr 26 15:46:04 2021: Debug:          --> 1
>> (17) Mon Apr 26 15:46:04 2021: Debug:       if (
>> "%{%{control:PacketFence-Tenant-Id}:-0}" == "0")  -> FALSE
>> (17) Mon Apr 26 15:46:04 2021: Debug:       if (
>> &control:PacketFence-Tenant-Id == 0 ) {
>> (17) Mon Apr 26 15:46:04 2021: Debug:       if (
>> &control:PacketFence-Tenant-Id == 0 )  -> FALSE
>> (17) Mon Apr 26 15:46:04 2021: Debug:     } # policy
>> packetfence-set-tenant-id = noop
>> (17) Mon Apr 26 15:46:04 2021: Debug:     if
>> ("%{%{control:PacketFence-Proxied-From}:-False}" == "True") {
>> (17) Mon Apr 26 15:46:04 2021: Debug:     EXPAND
>> %{%{control:PacketFence-Proxied-From}:-False}
>> (17) Mon Apr 26 15:46:04 2021: Debug:        --> False
>> (17) Mon Apr 26 15:46:04 2021: Debug:     if
>> ("%{%{control:PacketFence-Proxied-From}:-False}" == "True")  -> FALSE
>> (17) Mon Apr 26 15:46:04 2021: Debug:     if (! EAP-Type || (EAP-Type !=
>> TTLS  && EAP-Type != PEAP) ) {
>> (17) Mon Apr 26 15:46:04 2021: Debug:     if (! EAP-Type || (EAP-Type !=
>> TTLS  && EAP-Type != PEAP) )  -> FALSE
>> (17) Mon Apr 26 15:46:04 2021: Debug: attr_filter.packetfence_post_auth:
>> EXPAND %{User-Name}
>> (17) Mon Apr 26 15:46:04 2021: Debug: attr_filter.packetfence_post_auth:
>>    --> josh.nathan
>> (17) Mon Apr 26 15:46:04 2021: Debug: attr_filter.packetfence_post_auth:
>> Matched entry DEFAULT at line 10
>> (17) Mon Apr 26 15:46:04 2021: Debug:
>> [attr_filter.packetfence_post_auth] = updated
>> (17) Mon Apr 26 15:46:04 2021: Debug: linelog: EXPAND
>> messages.%{%{reply:Packet-Type}:-default}
>> (17) Mon Apr 26 15:46:04 2021: Debug: linelog:    -->
>> messages.Access-Accept
>> (17) Mon Apr 26 15:46:04 2021: Debug: linelog: EXPAND
>> [mac:%{Calling-Station-Id}] Accepted user: %{reply:User-Name} and returned
>> VLAN %{reply:Tunnel-Private-Group-ID}
>> (17) Mon Apr 26 15:46:04 2021: Debug: linelog:    -->
>> [mac:58:cb:52:37:5d:ab] Accepted user: josh.nathan and returned VLAN
>> (17) Mon Apr 26 15:46:04 2021: Debug:     [linelog] = ok
>> (17) Mon Apr 26 15:46:04 2021: Debug:   } # post-auth = updated
>> (17) Mon Apr 26 15:46:04 2021: Debug: Sent Access-Accept Id 93 from
>> 172.20.104.31:1812 to 172.20.50.76:43555 length 0
>> (17) Mon Apr 26 15:46:04 2021: Debug:   User-Name = "josh.nathan"
>> (17) Mon Apr 26 15:46:04 2021: Debug:   MS-MPPE-Recv-Key =
>> 0x7c0a1d6d086882905490447f73c59438006b8fb7a497cd446582272729ff160a
>> (17) Mon Apr 26 15:46:04 2021: Debug:   MS-MPPE-Send-Key =
>> 0xaf527d253335b877cd2073364c49c1e79a15da97037db30b95de703b20fe0aa3
>> (17) Mon Apr 26 15:46:04 2021: Debug:   EAP-Message = 0x03e40004
>> (17) Mon Apr 26 15:46:04 2021: Debug:   Message-Authenticator =
>> 0x00000000000000000000000000000000
>> (17) Mon Apr 26 15:46:04 2021: Debug: Finished request
>> (6) Mon Apr 26 15:46:05 2021: Debug: Cleaning up request packet ID 14
>> with timestamp +93
>>
>>
>> Joshua Nathan
>> *IT Supervisor*
>> Black Forest Academy
>>
>> p: +49 (0) 7626 9161 631 m: +49 (0) 152 3452 0056
>> a:
>> w: Hammersteiner Straße 50, 79400 Kandern
>> bfacademy.de
>>
>>
>>
>>
>> On Mon, Apr 26, 2021 at 3:31 PM Zammit, Ludovic <luza...@akamai.com>
>> wrote:
>>
>>> Hello Josh,
>>>
>>> In authentication.conf remove all realm configuration related to all
>>> sources, leave the automatic selection to happen.
>>>
>>> I’m assuming your are using that connection profile "BFA-WiFi”. Add the
>>> "JumpCloud-RADIUS” source.
>>>
>>> Try again and let me know.
>>>
>>> Thanks,
>>>
>>> *Ludovic Zammit*
>>> *Product Support Engineer Principal*
>>> *Cell:* +1.613.670.8432
>>> Akamai Technologies - Inverse
>>> 145 Broadway
>>> Cambridge, MA 02142
>>> Connect with Us: <https://community.akamai.com>
>>> <http://blogs.akamai.com> <https://twitter.com/akamai>
>>> <http://www.facebook.com/AkamaiTechnologies>
>>> <http://www.linkedin.com/company/akamai-technologies>
>>> <http://www.youtube.com/user/akamaitechnologies?feature=results_main>
>>>
>>>

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Post-Auth for RADIUS

Reply via email to