Greetings,
I’m currently integrating PacketFence into our company network. Last week I created a cluster consisting of 3 nodes (one node per site). While my test device works at every switch I connect it to, every new device gets rejected with the following radius.log message:

Jun 14 15:46:14 packetfence auth[3093]: (177) rest: ERROR: Server returned no data
Jun 14 15:46:14 packetfence auth[3093]: (177) Rejected in post-auth: [host/*******] (from client pf port 50113 cli f8:ca:b8:32:c7:fe via TLS tunnel)
Jun 14 15:46:14 packetfence auth[3093]: (177) Login incorrect (rest: Request failed: 28 - Timeout was reached): [host/********** (from client pf port 50113 cli f8:ca:b8:32:c7:fe via TLS tunnel)
Jun 14 15:46:14 packetfence auth[3093]: [mac:f8:ca:b8:32:c7:fe] Rejected user: host/anonymous
Jun 14 15:46:14 packetfence auth[3093]: (177) Login incorrect (eap: Failed continuing EAP TTLS (21) session. EAP sub-module failed): [host/anonymous] (from client pf port 50113 cli f8:ca:b8:32:c7:fe)

The log output from packetfence.log is like this:

Jun 14 15:40:07 packetfence packetfence_httpd.aaa: httpd.aaa(2311) ERROR: [mac:f8:ca:b8:32:c7:fe] error creating SNMP v2c read connection to ********: No response from remote host "********" (pf::Switch::connectRead)
Jun 14 15:40:07 packetfence packetfence_httpd.aaa: httpd.aaa(2311) INFO: [mac:f8:ca:b8:32:c7:fe] handling radius autz request: from switch_ip => (********), connection_type => Ethernet-EAP,switch_mac => (4c:5d:3c:0e:ab:0d), mac => [f8:ca:b8:32:c7:fe], port => 10113, username => "host/********" (pf::radius::authorize)
Jun 14 15:40:07 packetfence packetfence_httpd.aaa: httpd.aaa(2311) INFO: [mac:f8:ca:b8:32:c7:fe] is doing machine auth with account 'host/********'. (pf::radius::authorize)
Jun 14 15:40:07 packetfence packetfence_httpd.aaa: httpd.aaa(2311) INFO: [mac:f8:ca:b8:32:c7:fe] Instantiate profile 802.1x (pf::Connection::ProfileFactory::_from_profile)
Jun 14 15:40:07 packetfence packetfence_httpd.aaa: httpd.aaa(2311) INFO: [mac:f8:ca:b8:32:c7:fe] Found authentication source(s) : 'EAP' for realm '*******' (pf::config::util::filter_authentication_sources)
Jun 14 15:40:07 packetfence packetfence_httpd.aaa: httpd.aaa(2311) INFO: [mac:f8:ca:b8:32:c7:fe] Role has already been computed and we don't want to recompute it. (pf::role::getNodeInfoForAutoReg)
Jun 14 15:40:07 packetfence packetfence_httpd.aaa: httpd.aaa(2311) WARN: [mac:f8:ca:b8:32:c7:fe] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
Jun 14 15:40:07 packetfence packetfence_httpd.aaa: httpd.aaa(2311) INFO: [mac:f8:ca:b8:32:c7:fe] Found authentication source(s) : 'EAP' for realm '*******' (pf::config::util::filter_authentication_sources)
Jun 14 15:40:07 packetfence packetfence_httpd.aaa: httpd.aaa(2311) INFO: [mac:f8:ca:b8:32:c7:fe] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
Jun 14 15:40:07 packetfence packetfence_httpd.aaa: httpd.aaa(2311) INFO: [mac:f8:ca:b8:32:c7:fe] Username was defined "host/********" - returning role 'Clients' (pf::role::getRegisteredRole)
Jun 14 15:40:07 packetfence packetfence_httpd.aaa: httpd.aaa(2311) INFO: [mac:f8:ca:b8:32:c7:fe] PID: "host/********", Status: reg Returned VLAN: (undefined), Role: Clients (pf::role::fetchRoleForNode)
Jun 14 15:40:07 packetfence packetfence_httpd.aaa: httpd.aaa(2311) INFO: [mac:f8:ca:b8:32:c7:fe] (********) Added VLAN 10 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jun 14 15:40:07 packetfence packetfence_httpd.aaa: httpd.aaa(2311) WARN: [mac:f8:ca:b8:32:c7:fe] No parameter ClientsRole found in conf/switches.conf for the switch ******** (pf::Switch::getRoleByName)
Jun 14 15:40:07 packetfence packetfence_httpd.aaa: httpd.aaa(2311) INFO: [mac:f8:ca:b8:32:c7:fe] security_event 1300003 force-closed for f8:ca:b8:32:c7:fe (pf::security_event::security_event_force_close)
Jun 14 15:40:07 packetfence packetfence_httpd.aaa: httpd.aaa(2311) INFO: [mac:f8:ca:b8:32:c7:fe] Instantiate profile 802.1x (pf::Connection::ProfileFactory::_from_profile)

It’s strange that the authentication itself is successful, but the request gets rejected anyway. I tried to increase the API-timeout value but it didn’t seem to produce any improvement. My api-frontend.log is full of errors like this one:

Jun 14 15:53:13 packetfence api-frontend[2134]: t=2021-06-14T15:53:13+0200 lvl=warn msg="Couldn't acquire lock for pfconfig pool" pid=2134 request-uuid=e46ade44-cd13-11eb-bcc8-005056967019

Unfortunately, the only posts regarding this topic are from 2018 and state that the error should be fixed by now. I’m running the latest version and just applied the patches through pf-maint. I am using the Cluster-Addresses for the RADIUS-Config, I just assumed this was the right approach.
It doesn’t matter if I just configure one RADIUS Server or all three, the result is the same. If there is any other information I can provide, please don’t hesitate to ask.

Thank you in advance.

Heiko Matthies
ASAP Engineering GmbH
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
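
Added example (not part of the original post, and not PacketFence code): a small Python triage of radius.log lines in the format quoted in the post above, grouping them by FreeRADIUS request number and separating rejects that follow a failed rest module call from rejects with no such error. The sample lines, host names and MAC addresses are constructed, and the verdict labels are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the radius.log format quoted in the post; hosts and MACs are made up.
SAMPLE = """\
Jun 14 15:46:14 packetfence auth[3093]: (177) rest: ERROR: Server returned no data
Jun 14 15:46:14 packetfence auth[3093]: (177) Rejected in post-auth: [host/pc01] (from client pf port 50113 cli 02:00:00:aa:bb:01 via TLS tunnel)
Jun 14 15:46:14 packetfence auth[3093]: (177) Login incorrect (rest: Request failed: 28 - Timeout was reached): [host/pc01] (from client pf port 50113 cli 02:00:00:aa:bb:01 via TLS tunnel)
Jun 14 15:46:14 packetfence auth[3093]: [mac:02:00:00:aa:bb:01] Rejected user: host/anonymous
Jun 14 15:47:02 packetfence auth[3093]: (181) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [alice] (from client pf port 50120 cli 02:00:00:aa:bb:02 via TLS tunnel)
Jun 14 15:47:30 packetfence auth[3093]: (185) Login OK: [host/pc03] (from client pf port 50121 cli 02:00:00:aa:bb:03 via TLS tunnel)
"""

LINE = re.compile(r"auth\[\d+\]: \((?P<req>\d+)\) (?P<msg>.*)$")
REST = re.compile(r"rest: (?:ERROR: (?P<err>[^)]+)|Request failed: (?P<code>\d+) - (?P<text>[^)]+))")
CLI = re.compile(r"\bcli ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)


def triage(log_text):
    """Return {request_no: (mac, verdict, rest_errors)} for each request in the log."""
    reqs = defaultdict(lambda: {"mac": None, "rejected": False, "rest": []})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:                      # lines without a "(N)" request number are skipped
            continue
        entry, msg = reqs[int(m["req"])], m["msg"]
        if (c := CLI.search(msg)):
            entry["mac"] = c[1].lower()
        if msg.startswith(("Login incorrect", "Rejected")):
            entry["rejected"] = True
        if (r := REST.search(msg)):
            # libcurl error number when present (28 is CURLE_OPERATION_TIMEDOUT)
            entry["rest"].append(f"curl {r['code']}: {r['text']}" if r["code"] else r["err"])
    out = {}
    for req, e in sorted(reqs.items()):
        if not e["rejected"]:
            verdict = "not-rejected"
        elif e["rest"]:
            verdict = "backend-failure"   # reject caused by the REST call, not by the credentials
        else:
            verdict = "credential-failure"
        out[req] = (e["mac"], verdict, e["rest"])
    return out


if __name__ == "__main__":
    for req, (mac, verdict, rest) in triage(SAMPLE).items():
        print(req, mac, verdict, "; ".join(rest))
```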