Hello Fabrice,

Thank you for your explanation.

Regards,
Irvan.

On Fri, Nov 4, 2022 at 7:37 PM Fabrice Durand <oeufd...@gmail.com> wrote:

> Hello Irvan,
>
> Yes, it's normal; we did some unlang to mimic the way the realm is set when
> PacketFence receives a machine authentication.
>
> https://github.com/inverse-inc/packetfence/blob/devel/raddb/policy.d/packetfence#L36
>
> Regards
> Fabrice
>
> On Fri, Nov 4, 2022 at 08:34, Irvan via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Hello Ludovic,
>>
>> Thank you for your explanation.
>> How about the realm? According to the log, when Windows sends the computer
>> account as login, PacketFence puts it in Realm = "binus.local". But we never
>> set up that realm.
>> Is it normal too?
>>
>> Regards,
>> Irvan.
>>
>> On Thu, Nov 3, 2022 at 12:16 AM Zammit, Ludovic <luza...@akamai.com>
>> wrote:
>>
>>> Hello Irvan,
>>>
>>> It looks pretty normal that Windows sends the computer account
>>> because it’s the default behavior.
>>>
>>> What is not normal is that if you have at least one successful
>>> authentication on the wifi with a username and password, it should keep that
>>> one and not re-ask again.
>>>
>>> All that can be configured on the SSID profile on Windows.
>>>
>>> Thanks,
>>>
>>> *Ludovic Zammit*
>>> *Product Support Engineer Principal Lead*
>>> *Cell:* +1.613.670.8432
>>> Akamai Technologies - Inverse
>>> 145 Broadway
>>> Cambridge, MA 02142
>>>
>>> On Nov 2, 2022, at 1:45 AM, Irvan via PacketFence-users <
>>> packetfence-users@lists.sourceforge.net> wrote:
>>>
>>> Hello Everyone,
>>>
>>> We have strange behaviour with Windows clients connecting to dot1x WiFi
>>> on PacketFence using an AD authentication source.
>>>
>>> The symptoms are:
>>>
>>> - The first time the Windows client connected to the SSID, it was asked for
>>>   a username and password for login.
>>> - But if the client forgets the SSID and tries to reconnect, Windows never
>>>   asks for a username and password; it automatically sends the hostname as
>>>   login to PacketFence, and it is accepted by PacketFence.
>>> - The same thing happens when the user comes back the next day: Windows
>>>   sends the hostname as login instead of the username, and it is also
>>>   accepted by PacketFence.
>>>
>>> We don't set up any machine auth, only user auth. Drilling down into the
>>> RADIUS log, we saw that the hostname login hit a non-existent realm. Using
>>> username and password, the client hits the null realm. But when Windows
>>> sends the hostname, it hits the binus.local realm, which does not exist.
>>>
>>> Below are the RADIUS log and realm.conf.
>>>
>>> 1. Using user auth
>>> ===============
>>> Request Time
>>> 0
>>>
>>> RADIUS Request
>>> User-Name = "loudy.owen"
>>> NAS-IP-Address = 10.21.36.41
>>> NAS-Port = 4
>>> Service-Type = Framed-User
>>> State = 0x6067228e61c0382594e9daec37da5a60
>>> Called-Station-Id = "90:3a:72:03:18:90:BinusWifi-Staff.1x"
>>> Calling-Station-Id = "70:66:55:34:28:f3"
>>> NAS-Identifier = "90-3A-72-03-18-90"
>>> NAS-Port-Type = Wireless-802.11
>>> Acct-Session-Id = "6361F1F4-03189001"
>>> Acct-Multi-Session-Id = "88DA8FBC70CEC821"
>>> Event-Timestamp = "Nov 2 2022 11:28:41 WIB"
>>> Connect-Info = "CONNECT 802.11"
>>> EAP-Message = 0x02a700061a03
>>> Chargeable-User-Identity = 0x00
>>> Location-Data = 0x31304944170d42696e7573205379616864616e
>>> WLAN-Pairwise-Cipher = 1027076
>>> WLAN-Group-Cipher = 1027076
>>> WLAN-AKM-Suite = 1027073
>>> FreeRADIUS-Proxied-To = 127.0.0.1
>>> Ruckus-SSID = "BinusWifi-Staff.1x"
>>> Ruckus-Wlan-Id = 508
>>> Ruckus-Location = "Binus Syahdan"
>>> Ruckus-SCG-CBlade-IP = 180933220
>>> Ruckus-VLAN-ID = 1220
>>> Ruckus-BSSID = 0x903a7243189d
>>> Ruckus-Zone-Name = "AP-Zone-Syahdan"
>>> Ruckus-Wlan-Name = "VlanPool2"
>>> EAP-Type = MSCHAPv2
>>> Stripped-User-Name = "loudy.owen"
>>> Realm = "null"
>>> Called-Station-SSID = "BinusWifi-Staff.1x"
>>> PacketFence-Domain = "binus"
>>> PacketFence-KeyBalanced = "10a6d36fd6ec338584a72fcbe75f86ba"
>>> PacketFence-Radius-Ip = "10.200.210.87"
>>> PacketFence-NTLMv2-Only = ""
>>> PacketFence-Outer-User = "loudy.owen"
>>> Attr-26.25053.155 = 0x5379616864616e2043616d707573
>>> User-Password = "******"
>>> SQL-User-Name = "loudy.owen"
>>>
>>> RADIUS Reply
>>> EAP-Message = 0x03a70004
>>> Message-Authenticator = 0x00000000000000000000000000000000
>>> User-Name = "loudy.owen"
>>> REST-HTTP-Status-Code = 200
>>>
>>> ==============================================
>>>
>>> 2. Using hostname
>>> ===============
>>> Request Time
>>> 0
>>>
>>> RADIUS Request
>>> User-Name = "host/NB202007000166.binus.local"
>>> NAS-IP-Address = 10.21.36.41
>>> NAS-Port = 4
>>> Service-Type = Framed-User
>>> State = 0xb4483109b5402b5768b5cf1f24ad1e9e
>>> Called-Station-Id = "90:3a:72:03:18:90:BinusWifi-Staff.1x"
>>> Calling-Station-Id = "70:66:55:34:28:f3"
>>> NAS-Identifier = "90-3A-72-03-18-90"
>>> NAS-Port-Type = Wireless-802.11
>>> Acct-Session-Id = "6361F350-03189001"
>>> Acct-Multi-Session-Id = "3DD47C3ED408529E"
>>> Event-Timestamp = "Nov 2 2022 11:34:26 WIB"
>>> Connect-Info = "CONNECT 802.11"
>>> EAP-Message = 0x020800061a03
>>> Chargeable-User-Identity = 0x00
>>> Location-Data = 0x31304944170d42696e7573205379616864616e
>>> WLAN-Pairwise-Cipher = 1027076
>>> WLAN-Group-Cipher = 1027076
>>> WLAN-AKM-Suite = 1027073
>>> FreeRADIUS-Proxied-To = 127.0.0.1
>>> Ruckus-SSID = "BinusWifi-Staff.1x"
>>> Ruckus-Wlan-Id = 508
>>> Ruckus-Location = "Binus Syahdan"
>>> Ruckus-SCG-CBlade-IP = 180933220
>>> Ruckus-VLAN-ID = 1220
>>> Ruckus-BSSID = 0x903a7243189d
>>> Ruckus-Zone-Name = "AP-Zone-Syahdan"
>>> Ruckus-Wlan-Name = "VlanPool2"
>>> EAP-Type = MSCHAPv2
>>> Realm = "binus.local"
>>> Called-Station-SSID = "BinusWifi-Staff.1x"
>>> PacketFence-Domain = "binus"
>>> PacketFence-KeyBalanced = "e080ae33e5dd7f64d0155f1a8dc95245"
>>> PacketFence-Radius-Ip = "10.200.210.87"
>>> PacketFence-NTLMv2-Only = ""
>>> PacketFence-Outer-User = "host/NB202007000166.binus.local"
>>> Attr-26.25053.155 = 0x5379616864616e2043616d707573
>>> User-Password = "******"
>>> SQL-User-Name = "host/NB202007000166.binus.local"
>>>
>>> RADIUS Reply
>>> MS-MPPE-Encryption-Policy = Encryption-Required
>>> MS-MPPE-Encryption-Types = 4
>>> MS-MPPE-Send-Key = 0xb45a79e25b9f5bda45259afc13d0dc5c
>>> MS-MPPE-Recv-Key = 0xe52d30f3e2977a2c1219c4200bc44678
>>> EAP-Message = 0x03080004
>>> Message-Authenticator = 0x00000000000000000000000000000000
>>> User-Name = "host/NB202007000166.binus.local"
>>> REST-HTTP-Status-Code = 200
>>>
>>> 3. realm.conf
>>> ==========
>>> # Copyright (C) Inverse inc.
>>> [1 DEFAULT]
>>> radius_auth_compute_in_pf=enabled
>>> radius_acct=
>>> eduroam_radius_auth=
>>> radius_auth=
>>> eduroam_radius_acct=
>>> radius_auth_proxy_type=keyed-balance
>>> eduroam_radius_acct_proxy_type=load-balance
>>> eduroam_radius_auth_proxy_type=keyed-balance
>>> permit_custom_attributes=disabled
>>> radius_acct_proxy_type=load-balance
>>> eduroam_radius_auth_compute_in_pf=enabled
>>> domain=binus
>>>
>>> [1 LOCAL]
>>> eduroam_radius_acct=
>>> radius_auth=
>>> radius_acct=
>>> eduroam_radius_acct_proxy_type=load-balance
>>> radius_acct_proxy_type=load-balance
>>> eduroam_radius_auth=
>>> radius_auth_compute_in_pf=enabled
>>> radius_auth_proxy_type=keyed-balance
>>> permit_custom_attributes=disabled
>>> eduroam_radius_auth_compute_in_pf=enabled
>>> eduroam_radius_auth_proxy_type=keyed-balance
>>>
>>> [1 NULL]
>>> radius_auth_compute_in_pf=enabled
>>> radius_acct=
>>> radius_auth=
>>> eduroam_radius_auth=
>>> eduroam_radius_auth_proxy_type=keyed-balance
>>> eduroam_radius_acct=
>>> radius_auth_proxy_type=keyed-balance
>>> eduroam_radius_acct_proxy_type=load-balance
>>> permit_custom_attributes=disabled
>>> radius_acct_proxy_type=load-balance
>>> eduroam_radius_auth_compute_in_pf=enabled
>>> domain=binus
>>>
>>> =============================
>>>
>>> How could this happen? Any advice?
>>>
>>> Thanks in advance
>>>
>>> Regards,
>>> Irvan
>>> _______________________________________________
>>> PacketFence-users mailing list
>>> PacketFence-users@lists.sourceforge.net
>>> https://urldefense.com/v3/__https://lists.sourceforge.net/lists/listinfo/packetfence-users__;!!GjvTz_vk!SFNRQV2PR8ry-00A8fXYEKuTzZqZg4CQPmHkOABxoBZ8BUuBihHqubUhd6DemK1cAhf2LKJJakTGi6H5RFEO2J7YKZ2Qp9SUd0HP4Q$
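The realm behaviour discussed in this thread, as an added example that is not part of the original messages and is not PacketFence's own code: it classifies a RADIUS `User-Name` as a user or machine identity, derives the realm, and checks whether that realm has its own section in realm.conf. The `host/<name>.<domain>` rule is an assumption modelled on the logged `Realm = "binus.local"`; all function names are hypothetical.

```python
import re

# Assumed model of the rule discussed in the thread: for a Windows machine
# identity "host/<name>.<dns-domain>", the realm becomes the DNS domain part.
MACHINE_RE = re.compile(r"^host/([^.]+)\.(.+)$", re.IGNORECASE)
ATTR_RE = re.compile(r'^\s*([\w.-]+)\s*=\s*"?(.*?)"?\s*$')
CONFIGURED_REALMS = {"DEFAULT", "LOCAL", "NULL"}  # sections in the posted realm.conf

# Constructed samples, trimmed from the two requests quoted in the thread.
USER_REQUEST = '''User-Name = "loudy.owen"
Realm = "null"'''
MACHINE_REQUEST = '''User-Name = "host/NB202007000166.binus.local"
Realm = "binus.local"'''

def derive_realm(user_name):
    """Return (kind, realm) for a RADIUS User-Name."""
    m = MACHINE_RE.match(user_name)
    if m:
        return "machine", m.group(2).lower()
    if "@" in user_name:                      # user@realm suffix form
        return "user", user_name.rsplit("@", 1)[1].lower()
    if "\\" in user_name:                     # DOMAIN\user prefix form
        return "user", user_name.split("\\", 1)[0].lower()
    return "user", "null"                     # bare name falls in the NULL realm

def parse_request(text):
    """Parse 'Attribute = value' lines of one audit-log request into a dict."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs

def review(text, configured_realms=CONFIGURED_REALMS):
    """Summarise one request: identity kind, realm, and realm.conf coverage."""
    attrs = parse_request(text)
    kind, realm = derive_realm(attrs.get("User-Name", ""))
    return {
        "user": attrs.get("User-Name"),
        "kind": kind,                          # "machine" = computer account
        "realm": realm,
        "matches_logged_realm": realm == attrs.get("Realm", "").lower(),
        "has_own_section": realm.upper() in configured_realms,
    }

if __name__ == "__main__":
    for sample in (USER_REQUEST, MACHINE_REQUEST):
        print(review(sample))
```

Run over audit-log entries, a result with `kind == "machine"` marks a computer-account login, which is the case to look for when only user authentication is intended.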