Re: [PacketFence-users] Performance problems with PF 8.0

2018-05-02 Thread Ludovic Marcotte via PacketFence-users

On 2018-04-30 5:48 PM, Truax, Peter via PacketFence-users wrote:

2. We experienced massive performance issues. We doubled our test 
server's vm allocation of memory and processor up to 8 processors and 
32 GB of RAM. Even with this much horsepower, it still bogged down 
unlike 7.4. We moved back to 7.4 and every screen and function is 
snappy and quick.


What was consuming resources? v8 went through all the load testing performed 
prior to release and was as fast as, if not faster than, v7.4.


3. Having to do with the performance issues above, we noticed when we 
did get the server settled down, that the Nodes tab was unbelievably 
slow. It took 30 seconds to 1 minute to bring up the screen.



There's a patch for this in the maintenance.

Thanks,

--
Ludovic Marcotte
lmarco...@inverse.ca  ::  +1.514.755.3630  ::  http://inverse.ca
Inverse inc. :: Leaders behind SOGo (http://sogo.nu), PacketFence 
(http://packetfence.org) and Fingerbank (http://fingerbank.org)

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Bug PacketFence 8

2018-05-02 Thread Fabrice Durand via PacketFence-users

Can you share authentication.conf (remove sensitive information)


On 2018-05-02 at 12:52, Jeimerson C. Chaves via PacketFence-users wrote:

Hello,

I installed PacketFence 8 in my lab, and I cannot access the VLANs.
The logs and screenshots follow.

Thank you.

May  2 16:40:43 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
INFO: [mac:00:0c:29:75:9d:61] handling radius autz request: from
switch_ip => (10.190.90.24), connection_type =>
Ethernet-EAP,switch_mac => (00:16:47:53:3e:0c), mac =>
[00:0c:29:75:9d:61], port => 12, username => "administra...@samba.nac"
(pf::radius::authorize)
May  2 16:40:43 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
INFO: [mac:00:0c:29:75:9d:61] Instantiate profile default
(pf::Connection::ProfileFactory::_from_profile)
May  2 16:40:43 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
INFO: [mac:00:0c:29:75:9d:61] Found authentication source(s) :
'SAMBA.NAC' for realm 'samba.nac'
(pf::config::util::filter_authentication_sources)
May  2 16:40:43 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
WARN: [mac:00:0c:29:75:9d:61] Calling match with empty/invalid rule
class. Defaulting to 'authentication' (pf::authentication::match2)
May  2 16:40:43 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
INFO: [mac:00:0c:29:75:9d:61] Using sources SAMBA.NAC for matching
(pf::authentication::match2)
May  2 16:40:43 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
WARN: [mac:00:0c:29:75:9d:61] Use of uninitialized value in string eq
at /usr/local/pf/lib/pf/role.pm line 731.
  (pf::role::_check_bypass)
May  2 16:40:43 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
INFO: [mac:00:0c:29:75:9d:61] Found authentication source(s) :
'SAMBA.NAC' for realm 'samba.nac'
(pf::config::util::filter_authentication_sources)
May  2 16:40:43 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
INFO: [mac:00:0c:29:75:9d:61] Using sources SAMBA.NAC for matching
(pf::authentication::match2)
May  2 16:40:43 PacketFence-ZEN pfqueue: pfqueue(6064) INFO:
[mac:unknown] undefined source id provided
(pf::lookup::person::lookup_person)
May  2 16:40:43 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
WARN: [mac:00:0c:29:75:9d:61] Use of uninitialized value $role in
concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 478.
  (pf::role::getRegisteredRole)
May  2 16:40:43 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
INFO: [mac:00:0c:29:75:9d:61] Username was NOT defined or unable to
match a role - returning node based role ''
(pf::role::getRegisteredRole)
May  2 16:40:43 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
INFO: [mac:00:0c:29:75:9d:61] PID: "administra...@samba.nac", Status:
reg Returned VLAN: (undefined), Role: (undefined)
(pf::role::fetchRoleForNode)
May  2 16:40:43 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
WARN: [mac:00:0c:29:75:9d:61] Use of uninitialized value $vlanName in
hash element at /usr/local/pf/lib/pf/Switch.pm line 768.
  (pf::Switch::getVlanByName)
May  2 16:40:43 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
WARN: [mac:00:0c:29:75:9d:61] Use of uninitialized value $vlanName in
concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line
771.
  (pf::Switch::getVlanByName)
May  2 16:40:43 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
WARN: [mac:00:0c:29:75:9d:61] No parameter Vlan found in
conf/switches.conf for the switch 10.190.90.24
(pf::Switch::getVlanByName)
May  2 16:40:43 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
INFO: [mac:00:0c:29:75:9d:61] Switch doesn't support Dynamic VLAN
assignment. Setting VLAN with SNMP on (10.190.90.24) ifIndex 12 to 0
(pf::radius::authorize)
May  2 16:40:43 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
INFO: [mac:00:0c:29:75:9d:61] violation 133 force-closed for
00:0c:29:75:9d:61 (pf::violation::violation_force_close)
May  2 16:40:43 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
INFO: [mac:00:0c:29:75:9d:61] Instantiate profile default
(pf::Connection::ProfileFactory::_from_profile)


Best regards.

Jeimerson Chaves

Confidentiality Warning: This e-mail and any files transmitted with it
are confidential and may be privileged and are intended solely for the
use of the individual or entity to whom they are addressed. Their
contents may not be altered. If you are not the intended recipient of
this communication please notify the sender and delete and destroy all
copies immediately.



Re: [PacketFence-users] Portal fqdn resolution from isolation and registration vlan

2018-05-02 Thread Fabrice Durand via PacketFence-users

Hello Cristian,

you don't have to allow the portal ip for the registration and isolation 
vlan.


Can you share your pf.conf and networks.conf and 
/usr/local/pf/var/conf/pfdns.conf


Regards
Fabrice

On 2018-05-02 at 12:25, Cristian Mammoli via PacketFence-users wrote:

Ok, then I have a problem:

I created a dns record for nac.apra.it on my corporate dns server that 
points to the portal interface (nac.apra.it is 
general.hostname+general.domain in pf.conf)


But even from an unregistered device pfdns resolves with this ip 
address instead of replying with its own ip in the registration or 
isolation vlan


I had to add an iptables rule to allow reaching the portal interface 
ip address from the isolation and registration vlan.


Of course the dns server passed to the clients in those vlan is 
packetfence (default configuration)



I tried deleting the portal interface and removing the A record from my 
corporate DNS server but then pfdns answers with NXDOMAIN when queried 
from an unregistered device.


In 7.4 this configuration worked (I erroneously thought that the 
portal interface was required but probably it wasn't used at all)


This is my pfdns.conf:

[root@srvpf addons]# cat /usr/local/pf/conf/pfdns.conf
.:54 {
[% domain %]

proxy . /etc/resolv.conf
}

# all other domains are subject to interception
:53 {
    pfdns {
    }
    # Anything not handled by pfdns will be resolved normally
[% domain %]
[% inline %]

    # Default to system resolv.conf file
    proxy . /etc/resolv.conf
    log stdout
    errors
}

resolv.conf contains my corp dns servers

Regards

C.


On 30/04/2018 14:59, Fabrice Durand via PacketFence-users wrote:

Hello Cristian,

pfdns is supposed to resolve the portal fqdn if the device is unreg or if
there is a violation.

Also if there is a passthrough that matches the portal fqdn name then it
will forward the request to another server.

Portal interface is just an interface with the portal on it, it is
generally used for web auth.
Regards
Fabrice


On 2018-04-27 at 09:34, Cristian Mammoli via PacketFence-users wrote:

Hi, isn't pfdns supposed to resolve the portal FQDN from isolation and
registration vlan? I'm using 8.0

ATM it isn't working for me:

My pf.conf is:

[general]
#
# general.domain
#
# Domain name of PacketFence system.
domain=apra.it
#
# general.hostname
#
# Hostname of PacketFence system.  This is concatenated with the
domain in Apache rewriting rules and therefore must be resolvable by
clients.
hostname=nac

But the requests for "nac.apra.it" are forwarded upstream.

Btw, what's the network interface type "portal" for? Are the clients
supposed to reach this interface for the portal? Is it mandatory?

Thanks

C.



--

*Cristian Mammoli*
System Administrator

T.  +39 0731 719822
www.apra.it 


ApraSpa


*Notice on the protection of confidential information.* This message was 
sent by Apra spa or by one of the Group's companies. It and any 
attachments may contain highly restricted and confidential 
information. If you are not the intended recipients, please inform us 
immediately by the same means and delete the message and any 
attachments, without retaining a copy.








[PacketFence-users] admin interface - 3 groups of AD users with different access?

2018-05-02 Thread Auger, Ivan (ITS) via PacketFence-users

I have one group of AD users that need full admin access (source is 
h1adnetwork), one group that needs Node Manager and Violation Manager (source 
is h1ad), and the rest of AD users should get no access.  I am running pf 8, 
same issue in pf 7.4.
 
Issue is that this works only for the first group, when evaluating a user in 
2nd group, I get access denied.  I want it to continue evaluating until it 
matches rules for authentication/administration  - here is the relevant section 
from pftest (somehow, I need to test for group membership in the 
“Authentication” step below so that it fails?):
 
Authenticating against 'h1adnetwork' in context 'admin'
  Authentication SUCCEEDED against h1adnetwork (Authentication successful.)
  Did not match against h1adnetwork for 'authentication' rules
  Did not match against h1adnetwork for 'administration' rules
 
Authenticating against 'h1adnetwork' in context 'portal'
  Authentication SUCCEEDED against h1adnetwork (Authentication successful.)
  Did not match against h1adnetwork for 'authentication' rules
  Did not match against h1adnetwork for 'administration' rules
 
Authenticating against 'h1ad' in context 'admin'
  Authentication SUCCEEDED against h1ad (Authentication successful.)
  Matched against h1ad for 'authentication' rules
    set_role : eusadmin
    set_unreg_date : 2020-12-31
  Matched against h1ad for 'administration' rules
    set_access_level : Violation Manager,Node Manager
 
 
 
Ivan Auger
 
 

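The two rule classes that pftest reports above ('authentication' and 'administration'), plus the role-and-access-duration rule Fabrice recommends in the "PacketFence 8" threads on this page, written out as an added authentication.conf example. It is not either poster's configuration: the source name, host, DNs, group names and the access level "ALL" are assumptions, and the condition/action key layout follows PacketFence's authentication.conf syntax as I know it, so compare it against a section the admin UI wrote before copying it.

```ini
# Added example of PacketFence authentication.conf syntax; not taken from
# either poster's configuration. Source name, host, DNs and group names
# are placeholders (assumptions); the key names are PacketFence's.
[corp_ad]
description=Corporate Active Directory
type=AD
host=192.0.2.10
port=389
encryption=none
basedn=DC=example,DC=com
scope=sub
usernameattribute=sAMAccountName
binddn=CN=pf-bind,CN=Users,DC=example,DC=com
password=change-me

# 'authentication' class: what a device gets on the network. A source with
# no matching rule returns no role, which is what the
# "Returned VLAN: (undefined), Role: (undefined)" log lines above show.
[corp_ad rule staff_network]
description=Staff devices
class=authentication
match=all
condition0=memberOf,equals,CN=Staff,OU=Groups,DC=example,DC=com
action0=set_role=staff
action1=set_access_duration=1D

# 'administration' class: what a person may do in the admin web UI.
# A successful bind that matches no administration rule grants no access
# level, which is the "Did not match ... for 'administration' rules"
# outcome in the pftest output above; that is what keeps "the rest of the
# AD users" out.
[corp_ad rule full_admins]
description=Network team gets everything
class=administration
match=all
condition0=memberOf,equals,CN=Network-Admins,OU=Groups,DC=example,DC=com
action0=set_access_level=ALL

[corp_ad rule helpdesk_admins]
description=Helpdesk gets node and violation management only
class=administration
match=all
condition0=memberOf,equals,CN=Helpdesk,OU=Groups,DC=example,DC=com
action0=set_access_level=Node Manager,Violation Manager
```

Evaluate a change with /usr/local/pf/bin/pftest authentication <user> <password>, the tool whose output Ivan pasted, and read both the 'authentication' and 'administration' lines it prints for each source. Comments in the file are for the reader; the admin UI may drop them when it rewrites the section.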


[PacketFence-users] Performance problems with PF 8.0

2018-05-02 Thread Truax, Peter via PacketFence-users
We tested both an upgrade and a full install of PacketFence 8.0. Here are our 
thoughts:


1. The dashboard is very nice and gives good data. I do wish it were more 
customizable, (moving dashboard widgets would be nice) but it is a lot better 
than 7.4's dashboard.

2. We experienced massive performance issues. We doubled our test 
server's vm allocation of memory and processor up to 8 processors and 32 GB of 
RAM. Even with this much horsepower, it still bogged down unlike 7.4. We moved 
back to 7.4 and every screen and function is snappy and quick.

3. Having to do with the performance issues above, we noticed when we did 
get the server settled down, that the Nodes tab was unbelievably slow. It took 
30 seconds to 1 minute to bring up the screen.

4. Looking at the log files, we noticed that the mariadb service was 
crashing about once every hour. This happened on both the upgrade and the full 
install.

5. The new FingerBank is great! It accurately and automatically describes 
the devices.

Our environment is fairly small with 2000 devices. PF 7.4 performs exceptionally 
well. PF 8.0 may be more of a wait and see what 8.1 is like.

Regards

Peter Truax
Network Administrator
St. Martin's University




[PacketFence-users] (no subject)

2018-05-02 Thread Pistaccio Giovanni via PacketFence-users
HELP IN REGISTRATION

I can't seem to get past the email link sent during this process. After the
ten minutes access is granted.

Regards,

P


Re: [PacketFence-users] PacketFence 8

2018-05-02 Thread Fabrice Durand via PacketFence-users

Hello Jeimerson,

it looks like your authentication source doesn't return any role.

Create a rule and assign a role and an access duration in your 
authentication source.


Regards

Fabrice



On 2018-05-02 at 11:59, Jeimerson C. Chaves via PacketFence-users wrote:

Hi, all.


In tests with PacketFence 8, I could not log in successfully.

Log


May  2 15:48:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
WARN: [mac:[undef]] CLI Access is not permit on this switch
10.190.90.25 (pf::radius::switch_access)
May  2 15:48:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
INFO: [mac:00:0c:29:75:9d:61] handling radius autz request: from
switch_ip => (10.190.90.25), connection_type =>
Ethernet-EAP,switch_mac => (00:26:98:96:21:8a), mac =>
[00:0c:29:75:9d:61], port => 10010, username =>
"administra...@samba.nac" (pf::radius::authorize)
May  2 15:48:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
INFO: [mac:00:0c:29:75:9d:61] Could not find any IP phones through
discovery protocols for ifIndex 10010
(pf::Switch::getPhonesDPAtIfIndex)
May  2 15:48:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
INFO: [mac:00:0c:29:75:9d:61] Instantiate profile default
(pf::Connection::ProfileFactory::_from_profile)
May  2 15:48:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
INFO: [mac:00:0c:29:75:9d:61] Found authentication source(s) :
'SAMBA.NAC' for realm 'samba.nac'
(pf::config::util::filter_authentication_sources)
May  2 15:48:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
WARN: [mac:00:0c:29:75:9d:61] Calling match with empty/invalid rule
class. Defaulting to 'authentication' (pf::authentication::match2)
May  2 15:48:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
INFO: [mac:00:0c:29:75:9d:61] Using sources SAMBA.NAC for matching
(pf::authentication::match2)
May  2 15:48:48 PacketFence-ZEN pfqueue: pfqueue(4059) INFO:
[mac:unknown] undefined source id provided
(pf::lookup::person::lookup_person)
May  2 15:48:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
WARN: [mac:00:0c:29:75:9d:61] Use of uninitialized value in string eq
at /usr/local/pf/lib/pf/role.pm line 731.
  (pf::role::_check_bypass)
May  2 15:48:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
INFO: [mac:00:0c:29:75:9d:61] Found authentication source(s) :
'SAMBA.NAC' for realm 'samba.nac'
(pf::config::util::filter_authentication_sources)
May  2 15:48:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
INFO: [mac:00:0c:29:75:9d:61] Using sources SAMBA.NAC for matching
(pf::authentication::match2)
May  2 15:48:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
WARN: [mac:00:0c:29:75:9d:61] Use of uninitialized value $role in
concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 478.
  (pf::role::getRegisteredRole)
May  2 15:48:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
INFO: [mac:00:0c:29:75:9d:61] Username was NOT defined or unable to
match a role - returning node based role ''
(pf::role::getRegisteredRole)
May  2 15:48:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
INFO: [mac:00:0c:29:75:9d:61] PID: "administra...@samba.nac", Status:
reg Returned VLAN: (undefined), Role: (undefined)
(pf::role::fetchRoleForNode)
May  2 15:48:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
WARN: [mac:00:0c:29:75:9d:61] Use of uninitialized value $vlanName in
hash element at /usr/local/pf/lib/pf/Switch.pm line 768.
  (pf::Switch::getVlanByName)
May  2 15:48:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
WARN: [mac:00:0c:29:75:9d:61] Use of uninitialized value $vlanName in
concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line
771.
  (pf::Switch::getVlanByName)
May  2 15:48:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
WARN: [mac:00:0c:29:75:9d:61] No parameter Vlan found in
conf/switches.conf for the switch 10.190.90.25
(pf::Switch::getVlanByName)
May  2 15:48:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
WARN: [mac:00:0c:29:75:9d:61] Use of uninitialized value $roleName in
hash element at /usr/local/pf/lib/pf/Switch.pm line 751.
  (pf::Switch::getRoleByName)
May  2 15:48:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
WARN: [mac:00:0c:29:75:9d:61] Use of uninitialized value $roleName in
concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line
754.
  (pf::Switch::getRoleByName)
May  2 15:48:49 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
INFO: [mac:00:0c:29:75:9d:61] violation 133 force-closed for
00:0c:29:75:9d:61 (pf::violation::violation_force_close)
May  2 15:48:49 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
INFO: [mac:00:0c:29:75:9d:61] Instantiate profile default
(pf::Connection::ProfileFactory::_from_profile)
May  2 15:51:41 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
INFO: [mac:00:0c:29:75:9d:61] handling radius autz request: from
switch_ip => (10.190.90.25), connection_type =>
Ethernet-EAP,switch_mac => (00:26:98:96:21:8a), mac =>

Re: [PacketFence-users] Portal fqdn resolution from isolation and registration vlan

2018-05-02 Thread Cristian Mammoli via PacketFence-users

Ok, then I have a problem:

I created a dns record for nac.apra.it on my corporate dns server that 
points to the portal interface (nac.apra.it is 
general.hostname+general.domain in pf.conf)


But even from an unregistered device pfdns resolves with this ip address 
instead of replying with its own ip in the registration or isolation vlan


I had to add an iptables rule to allow reaching the portal interface ip 
address from the isolation and registration vlan.


Of course the dns server passed to the clients in those vlan is 
packetfence (default configuration)



I tried deleting the portal interface and removing the A record from my 
corporate DNS server but then pfdns answers with NXDOMAIN when queried 
from an unregistered device.


In 7.4 this configuration worked (I erroneously thought that the portal 
interface was required but probably it wasn't used at all)


This is my pfdns.conf:

[root@srvpf addons]# cat /usr/local/pf/conf/pfdns.conf
.:54 {
[% domain %]

proxy . /etc/resolv.conf
}

# all other domains are subject to interception
:53 {
    pfdns {
    }
    # Anything not handled by pfdns will be resolved normally
[% domain %]
[% inline %]

    # Default to system resolv.conf file
    proxy . /etc/resolv.conf
    log stdout
    errors
}

resolv.conf contains my corp dns servers

Regards

C.


On 30/04/2018 14:59, Fabrice Durand via PacketFence-users wrote:

Hello Cristian,

pfdns is supposed to resolve the portal fqdn if the device is unreg or if
there is a violation.

Also if there is a passthrough that matches the portal fqdn name then it
will forward the request to another server.

Portal interface is just an interface with the portal on it, it is
generally used for web auth.
Regards
Fabrice


On 2018-04-27 at 09:34, Cristian Mammoli via PacketFence-users wrote:

Hi, isn't pfdns supposed to resolve the portal FQDN from isolation and
registration vlan? I'm using 8.0

ATM it isn't working for me:

My pf.conf is:

[general]
#
# general.domain
#
# Domain name of PacketFence system.
domain=apra.it
#
# general.hostname
#
# Hostname of PacketFence system.  This is concatenated with the
domain in Apache rewriting rules and therefore must be resolvable by
clients.
hostname=nac

But the requests for "nac.apra.it" are forwarded upstream.

Btw, what's the network interface type "portal" for? Are the clients
supposed to reach this interface for the portal? Is it mandatory?

Thanks

C.



--

*Cristian Mammoli*
System Administrator

T.  +39 0731 719822
www.apra.it 


ApraSpa


*Notice on the protection of confidential information.* This message was 
sent by Apra spa or by one of the Group's companies. It and any 
attachments may contain highly restricted and confidential information. 
If you are not the intended recipients, please inform us immediately by 
the same means and delete the message and any attachments, without 
retaining a copy.




Re: [PacketFence-users] Cant' Start FreeRadius on PacketFence

2018-05-02 Thread Fabrice Durand via PacketFence-users
Hello Xavier,

you are dealing with the wrong radiusd service, the correct one is
packetfence-radiusd-auth.

Also what you can try is the following (in /usr/local/pf/)

radiusd -d raddb/ -n auth -fxx -l stdout

And paste me the result.

Regards

Fabrice



On 2018-04-26 at 05:00, Xav Tauran via PacketFence-users wrote:
>
> Hello everyone !
> I'm deploying a NAC solution for a customer with PacketFence. I use
> freeradius (freeradius is automatically installed with PacketFence).
> However, I have a problem with FreeRadius. FreeRadius doesn't want to
> start on my virtual machine. (I use Centos 7).
> I have this issue when I want to start radiusd with the radiusd -X
> command :
>
> Debugger not attached
> Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb 2013
> 0x1000105f (1.0.1e release) (in range 1.0.1 release - 1.0.1t rele)
> Security advisory CVE-2016-6304 (OCSP status request extension)
> For more information
> see https://www.openssl.org/news/secadv/20160922.txt
> 
> Once you have verified libssl has been correctly patched, set
> security.allow_vulnerable_openssl = 'CVE-2016-6304'
> Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb 2013
> 0x1000105f (1.0.1e release) (in range 1.0.1 dev - 1.0.1f release)
> Security advisory CVE-2014-0160 (Heartbleed)
> For more information see http://heartbleed.com 
>
> When I check the status of radiusd with systemctl status radiusd, I
> have this result :
>
> [root@localhost raddb]# systemctl status radiusd
> ● radiusd.service - FreeRADIUS multi-protocol policy server
> Loaded: loaded (/usr/lib/systemd/system/radiusd.service; disabled;
> vendor preset: disabled)
> Active: inactive (dead)
> Docs: man:radiusd(8)
> man:radiusd.conf(5)
> http://wiki.freeradius.org/
> http://networkradius.com/doc/
>
> Can you help me ?
>
> Thank you very much in advance !
>
> Kind regards,
>
> Xavier TAURAN
>
>
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 

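What the refusal in Xavier's output is actually testing, as an added example that is not FreeRADIUS or PacketFence code. FreeRADIUS compares the linked libssl's numeric version against per-advisory ranges and refuses to start when it falls inside one. On RHEL/CentOS the version string stays 1.0.1e while fixes are backported into the package, so the number alone cannot tell you whether the library is patched; the evidence to check before setting security.allow_vulnerable_openssl is the package changelog (rpm -q --changelog openssl). The block decodes OpenSSL's 0xMNNFFPPS encoding, applies the two ranges as the posted message prints them, and checks a changelog text for the CVE ids; the changelog lines are constructed for the example, not copied from a real package. None of this replaces Fabrice's answer (the PacketFence service to start is packetfence-radiusd-auth).

```python
"""Decode the OpenSSL version number FreeRADIUS prints (0x1000105f above)
and check it against the advisory ranges from the posted refusal message.

Added example, not FreeRADIUS or PacketFence code. OpenSSL 1.0.x encodes
its version as 0xMNNFFPPS: major, minor, fix, patch (a=1, b=2, ...) and
status (0 = dev, 1..e = beta, f = release). The advisory ranges below are
transcribed from the text of the message, not from FreeRADIUS sources."""

STATUS_NAMES = {0x0: "dev", 0xF: "release"}


def decode_version(num: int) -> str:
    """0x1000105f -> '1.0.1e release'."""
    major = (num >> 28) & 0xF
    minor = (num >> 20) & 0xFF
    fix = (num >> 12) & 0xFF
    patch = (num >> 4) & 0xFF
    status = num & 0xF
    letter = chr(ord("a") + patch - 1) if patch else ""
    status_name = STATUS_NAMES.get(status, f"beta{status}")
    return f"{major}.{minor}.{fix}{letter} {status_name}"


def encode_version(major: int, minor: int, fix: int, patch: int, status: int) -> int:
    """Inverse of decode_version; used to write the range bounds readably."""
    return (major << 28) | (minor << 20) | (fix << 12) | (patch << 4) | status


# (CVE, description, first affected, last affected), inclusive, as printed
# by FreeRADIUS in the posted output.
ADVISORIES = [
    ("CVE-2014-0160", "Heartbleed",
     encode_version(1, 0, 1, 0, 0x0),     # 1.0.1 dev
     encode_version(1, 0, 1, 6, 0xF)),    # 1.0.1f release
    ("CVE-2016-6304", "OCSP status request extension",
     encode_version(1, 0, 1, 0, 0xF),     # 1.0.1 release
     encode_version(1, 0, 1, 20, 0xF)),   # 1.0.1t release
]


def flagged_advisories(num: int) -> list:
    """CVE ids whose affected range contains this version number."""
    return [cve for cve, _desc, lo, hi in ADVISORIES if lo <= num <= hi]


def backported_fixes(changelog: str, cves) -> dict:
    """For each CVE id, whether the distro package changelog mentions it.

    Feed this the output of `rpm -q --changelog openssl`. A backported fix
    keeps the 1.0.1e version string, so this, not the number, is the basis
    for deciding whether allow_vulnerable_openssl is safe to set."""
    return {cve: cve in changelog for cve in cves}


# Constructed sample in the shape `rpm -q --changelog openssl` prints;
# not taken from a real package.
SAMPLE_CHANGELOG = """\
* Tue Apr 08 2014 Example Maintainer <maint@example.invalid> 1.0.1e-99.example
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
"""

if __name__ == "__main__":
    num = 0x1000105F  # the value in the posted FreeRADIUS output
    cves = flagged_advisories(num)
    print(decode_version(num), cves)
    print(backported_fixes(SAMPLE_CHANGELOG, cves))
```

For the posted value both advisories are flagged, and the constructed changelog only evidences the Heartbleed backport; a real changelog that names neither CVE means the library should be updated rather than the check disabled.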


Re: [PacketFence-users] eduroam

2018-05-02 Thread Fabrice Durand via PacketFence-users
Hello Will,



On 2018-04-28 at 18:09, Will Halsall via PacketFence-users wrote:
>
> Hi Folks
>
> Having a problem getting packetfence 7.4 to work with .ac.uk radius
> servers
>
> 1. Server 1 and server 2 have different secrets and I cannot see
> a way of configuring this
>
>
It's supposed to be the same for both servers.
Btw it's not really complicated to add it in PacketFence.
>
> 2. Tests even from one of the servers with the correct secret
> configured will not work. The radius-eduroam log gives the following
>
> Apr 28 22:55:02 packetfence eduroam[2397]: (64) Login incorrect (Home
> Server says so): [0...@farn-ct.ac.uk] (from client 194.82.174.185
> port 0 cli 02:00:00:00:00:01)
> Apr 28 22:55:02 packetfence eduroam[2397]: rlm_sql (sql): Closing
> connection (5): Hit idle_timeout, was idle for 200 seconds
> Apr 28 22:55:02 packetfence eduroam[2397]: rlm_sql (sql): Closing
> connection (6): Hit idle_timeout, was idle for 200 seconds
> Apr 28 22:55:02 packetfence eduroam[2397]: rlm_sql (sql): Opening
> additional connection (7), 1 of 64 pending slots used
> Apr 28 22:55:02 packetfence eduroam[2397]: Need 2 more connections to
> reach min connections (3)
> Apr 28 22:55:02 packetfence eduroam[2397]: rlm_sql (sql): Opening
> additional connection (8), 1 of 63 pending slots used
> Apr 28 22:55:02 packetfence eduroam[2397]: [mac:02:00:00:00:00:01]
> Rejected user: 0...@farn-ct.ac.uk
>
> The radius logs from edurome.uk says the following:
>
> reject_acc  2018-04-28 21:55:04  roaming0  INFO  Access rejected for 0...@farn-ct.ac.uk: Loop detected
>
> Any help would be appreciated
>
>
Is 0...@farn-ct.ac.uk a local user? If that is the case then you need to
define farn-ct.ac.uk as a local realm in the eduroam source.
Regards
Fabrice


>
> Thanks
>
> Will
>
>
> 
>
> This message is intended only for the use of the person(s) to
> whom it is addressed, and may contain privileged and confidential
> information.
> If it has come to you in error, please contact the sender as soon as
> possible,
> and note that you must take no action based on the content, nor must
> you copy,
> distribute, or show the content to any other person.
>
>
> In accordance with its legal obligations, Farnborough College of
> Technology reserves the right to monitor the content of e-mails sent and
> received, but will not do so routinely.
>
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 

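Will's two questions at the FreeRADIUS layer underneath PacketFence's eduroam source, as an added example that is not PacketFence's generated configuration: a FreeRADIUS 3 proxy.conf fragment in which each national proxy (home_server) carries its own shared secret, and the institution's own realm has no home-server pool, so it is authenticated locally instead of being proxied. IP addresses, names and secrets are placeholders. The "Loop detected" reject in the log above reads as the national proxy receiving back a request it had just forwarded to this site because the site proxied everything out; marking farn-ct.ac.uk local, as Fabrice advises, is what stops that.

```conf
# Added example (FreeRADIUS 3 proxy.conf shape), not PacketFence's generated
# file. Addresses, names and secrets are placeholders.
home_server eduroam_nrps1 {
    type         = auth
    ipaddr       = 192.0.2.1          # national RADIUS proxy 1 (placeholder)
    port         = 1812
    secret       = secret-for-nrps1   # each home server has its own secret
    status_check = status-server
}

home_server eduroam_nrps2 {
    type         = auth
    ipaddr       = 192.0.2.2          # national RADIUS proxy 2 (placeholder)
    port         = 1812
    secret       = secret-for-nrps2
    status_check = status-server
}

home_server_pool eduroam_auth {
    type        = fail-over
    home_server = eduroam_nrps1
    home_server = eduroam_nrps2
}

# This institution's own users: no auth_pool, so the request is handled
# locally and never sent back to the federation (which would otherwise
# see its own request return and answer "Loop detected").
realm farn-ct.ac.uk {
}

# Visitors from any other realm: proxy to the national servers, keeping
# the full user@realm so the home institution can route it.
realm DEFAULT {
    auth_pool = eduroam_auth
    nostrip
}
```

A request for the local realm that still shows up as "Login incorrect (Home Server says so)" means it was proxied rather than authenticated locally, which is the symptom to look for after changing the realm setting.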


Re: [PacketFence-users] Portal fqdn resolution from isolation and registration vlan

2018-05-02 Thread Fabrice Durand via PacketFence-users
Hello Cristian,

pfdns is supposed to resolve the portal fqdn if the device is unreg or if
there is a violation.

Also if there is a passthrough that matches the portal fqdn name then it
will forward the request to another server.

Portal interface is just an interface with the portal on it, it is
generally used for web auth.
Regards
Fabrice


On 2018-04-27 at 09:34, Cristian Mammoli via PacketFence-users wrote:
> Hi, isn't pfdns supposed to resolve the portal FQDN from isolation and
> registration vlan? I'm using 8.0
>
> ATM it isn't working for me:
>
> My pf.conf is:
>
> [general]
> #
> # general.domain
> #
> # Domain name of PacketFence system.
> domain=apra.it
> #
> # general.hostname
> #
> # Hostname of PacketFence system.  This is concatenated with the
> domain in Apache rewriting rules and therefore must be resolvable by
> clients.
> hostname=nac
>
> But the requests for "nac.apra.it" are forwarded upstream.
>
> Btw, what's the network interface type "portal" for? Are the clients
> supposed to reach this interface for the portal? Is it mandatory?
>
> Thanks
>
> C.
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 





[PacketFence-users] admin interface - 3 groups of AD users with different access?

2018-05-02 Thread Auger, Ivan (ITS) via PacketFence-users
I have one group of AD users that need full admin access (source is 
h1adnetwork), one group that needs Node Manager and Violation Manager (source 
is h1ad), and the rest of AD users should get no access.  I am running pf 8, 
same issue in pf 7.4.

The issue is that this works only for the first group; when evaluating a user in 
the 2nd group, I get access denied.  I want it to continue evaluating until it 
matches rules for authentication/administration.  Here is the relevant section 
from pftest (somehow, I need to test for group membership in the 
"Authentication" step below so that it fails?):

Authenticating against 'h1adnetwork' in context 'admin'
  Authentication SUCCEEDED against h1adnetwork (Authentication successful.)
  Did not match against h1adnetwork for 'authentication' rules
  Did not match against h1adnetwork for 'administration' rules

Authenticating against 'h1adnetwork' in context 'portal'
  Authentication SUCCEEDED against h1adnetwork (Authentication successful.)
  Did not match against h1adnetwork for 'authentication' rules
  Did not match against h1adnetwork for 'administration' rules

Authenticating against 'h1ad' in context 'admin'
  Authentication SUCCEEDED against h1ad (Authentication successful.)
  Matched against h1ad for 'authentication' rules
set_role : eusadmin
set_unreg_date : 2020-12-31
  Matched against h1ad for 'administration' rules
set_access_level : Violation Manager,Node Manager



Ivan Auger
Asst Dir Inf Tech Serv 1

Office of Information Technology Services
Biggs Lab, D280, Albany NY 12201
p: (518) 473-0773  |  c: (518) 300-0439 | 
ivan.au...@its.ny.gov




[PacketFence-users] PacketFence 8

2018-05-02 Thread Jeimerson C. Chaves via PacketFence-users
Hi, all.


In tests with PacketFence 8, I cannot log in successfully.

Log


May  2 15:48:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
WARN: [mac:[undef]] CLI Access is not permit on this switch
10.190.90.25 (pf::radius::switch_access)
May  2 15:48:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
INFO: [mac:00:0c:29:75:9d:61] handling radius autz request: from
switch_ip => (10.190.90.25), connection_type =>
Ethernet-EAP,switch_mac => (00:26:98:96:21:8a), mac =>
[00:0c:29:75:9d:61], port => 10010, username =>
"administra...@samba.nac" (pf::radius::authorize)
May  2 15:48:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
INFO: [mac:00:0c:29:75:9d:61] Could not find any IP phones through
discovery protocols for ifIndex 10010
(pf::Switch::getPhonesDPAtIfIndex)
May  2 15:48:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
INFO: [mac:00:0c:29:75:9d:61] Instantiate profile default
(pf::Connection::ProfileFactory::_from_profile)
May  2 15:48:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
INFO: [mac:00:0c:29:75:9d:61] Found authentication source(s) :
'SAMBA.NAC' for realm 'samba.nac'
(pf::config::util::filter_authentication_sources)
May  2 15:48:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
WARN: [mac:00:0c:29:75:9d:61] Calling match with empty/invalid rule
class. Defaulting to 'authentication' (pf::authentication::match2)
May  2 15:48:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
INFO: [mac:00:0c:29:75:9d:61] Using sources SAMBA.NAC for matching
(pf::authentication::match2)
May  2 15:48:48 PacketFence-ZEN pfqueue: pfqueue(4059) INFO:
[mac:unknown] undefined source id provided
(pf::lookup::person::lookup_person)
May  2 15:48:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
WARN: [mac:00:0c:29:75:9d:61] Use of uninitialized value in string eq
at /usr/local/pf/lib/pf/role.pm line 731.
 (pf::role::_check_bypass)
May  2 15:48:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
INFO: [mac:00:0c:29:75:9d:61] Found authentication source(s) :
'SAMBA.NAC' for realm 'samba.nac'
(pf::config::util::filter_authentication_sources)
May  2 15:48:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
INFO: [mac:00:0c:29:75:9d:61] Using sources SAMBA.NAC for matching
(pf::authentication::match2)
May  2 15:48:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
WARN: [mac:00:0c:29:75:9d:61] Use of uninitialized value $role in
concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 478.
 (pf::role::getRegisteredRole)
May  2 15:48:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
INFO: [mac:00:0c:29:75:9d:61] Username was NOT defined or unable to
match a role - returning node based role ''
(pf::role::getRegisteredRole)
May  2 15:48:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
INFO: [mac:00:0c:29:75:9d:61] PID: "administra...@samba.nac", Status:
reg Returned VLAN: (undefined), Role: (undefined)
(pf::role::fetchRoleForNode)
May  2 15:48:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
WARN: [mac:00:0c:29:75:9d:61] Use of uninitialized value $vlanName in
hash element at /usr/local/pf/lib/pf/Switch.pm line 768.
 (pf::Switch::getVlanByName)
May  2 15:48:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
WARN: [mac:00:0c:29:75:9d:61] Use of uninitialized value $vlanName in
concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line
771.
 (pf::Switch::getVlanByName)
May  2 15:48:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
WARN: [mac:00:0c:29:75:9d:61] No parameter Vlan found in
conf/switches.conf for the switch 10.190.90.25
(pf::Switch::getVlanByName)
May  2 15:48:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
WARN: [mac:00:0c:29:75:9d:61] Use of uninitialized value $roleName in
hash element at /usr/local/pf/lib/pf/Switch.pm line 751.
 (pf::Switch::getRoleByName)
May  2 15:48:48 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
WARN: [mac:00:0c:29:75:9d:61] Use of uninitialized value $roleName in
concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line
754.
 (pf::Switch::getRoleByName)
May  2 15:48:49 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
INFO: [mac:00:0c:29:75:9d:61] violation 133 force-closed for
00:0c:29:75:9d:61 (pf::violation::violation_force_close)
May  2 15:48:49 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
INFO: [mac:00:0c:29:75:9d:61] Instantiate profile default
(pf::Connection::ProfileFactory::_from_profile)
May  2 15:51:41 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
INFO: [mac:00:0c:29:75:9d:61] handling radius autz request: from
switch_ip => (10.190.90.25), connection_type =>
Ethernet-EAP,switch_mac => (00:26:98:96:21:8a), mac =>
[00:0c:29:75:9d:61], port => 10010, username =>
"administra...@samba.nac" (pf::radius::authorize)
May  2 15:51:41 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2227)
INFO: [mac:00:0c:29:75:9d:61] Could not find any IP phones through
discovery protocols for ifIndex 10010

Re: [PacketFence-users] eduroam authentication

2018-05-02 Thread Fabrice Durand via PacketFence-users

Hello Will,

It looks like the authentication fails in the chroot.

What you can try is the following:

chroot /chroots/RadiusAD

wbinfo -u

ntlm_auth --username=helpdesk --password=...

And let me know the result.

Regards

Fabrice



On 2018-05-02 03:39, Will Halsall via PacketFence-users wrote:


Hi Folks

I am still having problems with the eduroam authentication to our AD 
domain. I am now getting rejected although the username and password 
are correct


Below are the radius logs for the test and was wondering if anyone 
could shed some light on my problem


Thanks

Will Halsall

ap: Finished EAP session with state 0xdecad538decdcfad
(7) eap: Previous EAP request found for state 0xdecad538decdcfad, released from the list
(7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence-tunnel
(7) eap_mschapv2: Auth-Type MS-CHAP {
(7) packetfence: $RAD_REQUEST{'User-Name'} = :User-Name -> 'helpd...@farn-ct.ac.uk'
(7) packetfence: $RAD_REQUEST{'NAS-IP-Address'} = :NAS-IP-Address -> '127.0.0.1'
(7) packetfence: $RAD_REQUEST{'Service-Type'} = :Service-Type -> 'Authenticate-Only'
(7) packetfence: $RAD_REQUEST{'Framed-MTU'} = :Framed-MTU -> '1400'
(7) packetfence: $RAD_REQUEST{'State'} = :State -> '0xdecad538decdcfad2cf97d0726a24922'
(7) packetfence: $RAD_REQUEST{'Calling-Station-Id'} = :Calling-Station-Id -> '02:00:00:00:00:01'
(7) packetfence: $RAD_REQUEST{'NAS-Identifier'} = :NAS-Identifier -> 'eduroamUK-test'
(7) packetfence: $RAD_REQUEST{'NAS-Port-Type'} = :NAS-Port-Type -> 'Wireless-802.11'
(7) packetfence: $RAD_REQUEST{'Event-Timestamp'} = :Event-Timestamp -> 'May  2 2018 00:06:23 BST'
(7) packetfence: $RAD_REQUEST{'Connect-Info'} = :Connect-Info -> 'eduroam UK test'
(7) packetfence: $RAD_REQUEST{'EAP-Message'} = :EAP-Message -> '0x020700511a0207004c319f14a65ad77f1546d8aca5f2196626dbff9d32e6c1679c7f27c071374f109360595818fb0202de960068656c706465736b406661726e2d63742e61632e756b'
(7) packetfence: $RAD_REQUEST{'Operator-Name'} = :Operator-Name -> '1eduroam.uk'
(7) packetfence: $RAD_REQUEST{'FreeRADIUS-Proxied-To'} = :FreeRADIUS-Proxied-To -> '127.0.0.1'
(7) packetfence: $RAD_REQUEST{'MS-CHAP-Challenge'} = :MS-CHAP-Challenge -> '0xc7f5b2bc7fe7c7b528641a052426ae7a'
(7) packetfence: $RAD_REQUEST{'MS-CHAP2-Response'} = :MS-CHAP2-Response -> '0x07659f14a65ad77f1546d8aca5f2196626dbff9d32e6c1679c7f27c071374f109360595818fb0202de96'
(7) packetfence: $RAD_REQUEST{'EAP-Type'} = :EAP-Type -> 'MSCHAPv2'
(7) packetfence: $RAD_REQUEST{'Realm'} = :Realm -> 'farn-ct.ac.uk'
(7) packetfence: $RAD_REQUEST{'MS-CHAP-User-Name'} = :MS-CHAP-User-Name -> 'helpd...@farn-ct.ac.uk'
(7) packetfence: $RAD_REQUEST{'PacketFence-Domain'} = :PacketFence-Domain -> 'RadiusAD'
(7) packetfence: $RAD_CHECK{'Auth-Type'} = :Auth-Type -> 'eap'
(7) packetfence: $RAD_CHECK{'Proxy-To-Realm'} = :Proxy-To-Realm -> 'LOCAL'
(7) packetfence: $RAD_CHECK{'Tmp-Integer-2'} = :Tmp-Integer-2 -> '0'
(7) packetfence: $RAD_CONFIG{'Auth-Type'} = :Auth-Type -> 'eap'
(7) packetfence: $RAD_CONFIG{'Proxy-To-Realm'} = :Proxy-To-Realm -> 'LOCAL'
(7) packetfence: $RAD_CONFIG{'Tmp-Integer-2'} = :Tmp-Integer-2 -> '0'
(7) packetfence: :NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 'Wireless-802.11'
(7) packetfence: :Service-Type = $RAD_REQUEST{'Service-Type'} -> 'Authenticate-Only'
(7) packetfence: :Operator-Name = $RAD_REQUEST{'Operator-Name'} -> '1eduroam.uk'
(7) packetfence: :State = $RAD_REQUEST{'State'} -> '0xdecad538decdcfad2cf97d0726a24922'
(7) packetfence: :FreeRADIUS-Proxied-To = $RAD_REQUEST{'FreeRADIUS-Proxied-To'} -> '127.0.0.1'
(7) packetfence: :Connect-Info = $RAD_REQUEST{'Connect-Info'} -> 'eduroam UK test'
(7) packetfence: :Realm = $RAD_REQUEST{'Realm'} -> 'farn-ct.ac.uk'
(7) packetfence: :EAP-Type = $RAD_REQUEST{'EAP-Type'} -> 'MSCHAPv2'
(7) packetfence: :NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '127.0.0.1'
(7) packetfence: :Calling-Station-Id = $RAD_REQUEST{'Calling-Station-Id'} -> '02:00:00:00:00:01'
(7) packetfence: :MS-CHAP-User-Name = $RAD_REQUEST{'MS-CHAP-User-Name'} -> 'helpd...@farn-ct.ac.uk'
(7) packetfence: :MS-CHAP-Challenge = $RAD_REQUEST{'MS-CHAP-Challenge'} -> '0xc7f5b2bc7fe7c7b528641a052426ae7a'
(7) packetfence: :PacketFence-Domain = $RAD_REQUEST{'PacketFence-Domain'} -> 'RadiusAD'
(7) packetfence: :User-Name = $RAD_REQUEST{'User-Name'} -> 'helpd...@farn-ct.ac.uk'
(7) packetfence: :NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} -> 'eduroamUK-test'
(7) packetfence: :Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'May  2 2018 00:06:23 BST'
(7) packetfence: :EAP-Message = $RAD_REQUEST{'EAP-Message'} -> 
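As an added example (not code from this thread or from PacketFence), a small Python parser for the FreeRADIUS debug lines quoted above: it re-joins mail-wrapped lines, collects the $RAD_REQUEST/$RAD_CHECK attributes, and derives from PacketFence-Domain and MS-CHAP-User-Name the chroot and bare user name for the wbinfo / ntlm_auth check suggested in the reply. The /chroots/<domain> layout and the sample log lines are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the FreeRADIUS debug output quoted in the
# thread (not the real capture); the User-Name line is mail-wrapped on purpose.
SAMPLE_LOG = """\
(7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(7) packetfence:   $RAD_REQUEST{'User-Name'} = :User-Name ->
'helpdesk@example.ac.uk'
(7) packetfence:   $RAD_REQUEST{'MS-CHAP-User-Name'} = :MS-CHAP-User-Name -> 'helpdesk@example.ac.uk'
(7) packetfence:   $RAD_REQUEST{'PacketFence-Domain'} = :PacketFence-Domain -> 'RadiusAD'
(7) packetfence:   $RAD_CHECK{'Proxy-To-Realm'} = :Proxy-To-Realm -> 'LOCAL'
"""

# One attribute line written by the "packetfence" rlm_perl module.
ATTR_RE = re.compile(
    r"^\(\d+\) packetfence:\s+\$(?P<list>RAD_REQUEST|RAD_CHECK|RAD_CONFIG)"
    r"\{'(?P<name>[^']+)'\}\s*=\s*:\S+\s*->\s*'(?P<value>[^']*)'\s*$"
)

def unwrap(text: str) -> List[str]:
    # Re-join lines a mail client wrapped: a line without a leading "(n)"
    # request marker is a continuation of the previous one.
    lines: List[str] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if re.match(r"^\(\d+\) ", line) or not lines:
            lines.append(line)
        else:
            lines[-1] += " " + line.lstrip()
    return lines

def parse_attrs(text: str) -> Dict[str, Dict[str, str]]:
    # Collect attributes per list: RAD_REQUEST, RAD_CHECK, RAD_CONFIG.
    out: Dict[str, Dict[str, str]] = {"RAD_REQUEST": {}, "RAD_CHECK": {}, "RAD_CONFIG": {}}
    for line in unwrap(text):
        m = ATTR_RE.match(line)
        if m:
            out[m.group("list")][m.group("name")] = m.group("value")
    return out

def chroot_check(attrs: Dict[str, Dict[str, str]]) -> Optional[Tuple[str, str]]:
    # Which chroot and bare user to test with "wbinfo -u" / "ntlm_auth --username=".
    # None when Proxy-To-Realm != LOCAL: the inner auth was proxied, not handled here.
    req, chk = attrs["RAD_REQUEST"], attrs["RAD_CHECK"]
    if chk.get("Proxy-To-Realm", "LOCAL") != "LOCAL":
        return None
    domain = req.get("PacketFence-Domain")
    user = req.get("MS-CHAP-User-Name") or req.get("User-Name")
    if not domain or not user:
        return None
    bare = user.split("@", 1)[0].split("\\")[-1]  # user@realm or DOMAIN\user
    return f"/chroots/{domain}", bare  # assumption: /chroots/<domain> layout as in the reply
```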

[PacketFence-users] eduroam authentication

2018-05-02 Thread Will Halsall via PacketFence-users
Hi Folks

I am still having problems with the eduroam authentication to our AD domain. I 
am now getting rejected although the username and password are correct

Below are the radius logs for the test and was wondering if anyone could shed 
some light on my problem


Thanks

Will Halsall

ap: Finished EAP session with state 0xdecad538decdcfad
(7) eap: Previous EAP request found for state 0xdecad538decdcfad, released from 
the list
(7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: # Executing group from file 
/usr/local/pf/raddb/sites-enabled/packetfence-tunnel
(7) eap_mschapv2:   Auth-Type MS-CHAP {
(7) packetfence:   $RAD_REQUEST{'User-Name'} = :User-Name -> 
'helpd...@farn-ct.ac.uk'
(7) packetfence:   $RAD_REQUEST{'NAS-IP-Address'} = :NAS-IP-Address -> 
'127.0.0.1'
(7) packetfence:   $RAD_REQUEST{'Service-Type'} = :Service-Type -> 
'Authenticate-Only'
(7) packetfence:   $RAD_REQUEST{'Framed-MTU'} = :Framed-MTU -> '1400'
(7) packetfence:   $RAD_REQUEST{'State'} = :State -> 
'0xdecad538decdcfad2cf97d0726a24922'
(7) packetfence:   $RAD_REQUEST{'Calling-Station-Id'} = 
:Calling-Station-Id -> '02:00:00:00:00:01'
(7) packetfence:   $RAD_REQUEST{'NAS-Identifier'} = :NAS-Identifier -> 
'eduroamUK-test'
(7) packetfence:   $RAD_REQUEST{'NAS-Port-Type'} = :NAS-Port-Type -> 
'Wireless-802.11'
(7) packetfence:   $RAD_REQUEST{'Event-Timestamp'} = :Event-Timestamp 
-> 'May  2 2018 00:06:23 BST'
(7) packetfence:   $RAD_REQUEST{'Connect-Info'} = :Connect-Info -> 
'eduroam UK test'
(7) packetfence:   $RAD_REQUEST{'EAP-Message'} = :EAP-Message -> 
'0x020700511a0207004c319f14a65ad77f1546d8aca5f2196626dbff9d32e6c1679c7f27c071374f109360595818fb0202de960068656c706465736b406661726e2d63742e61632e756b'
(7) packetfence:   $RAD_REQUEST{'Operator-Name'} = :Operator-Name -> 
'1eduroam.uk'
(7) packetfence:   $RAD_REQUEST{'FreeRADIUS-Proxied-To'} = 
:FreeRADIUS-Proxied-To -> '127.0.0.1'
(7) packetfence:   $RAD_REQUEST{'MS-CHAP-Challenge'} = 
:MS-CHAP-Challenge -> '0xc7f5b2bc7fe7c7b528641a052426ae7a'
(7) packetfence:   $RAD_REQUEST{'MS-CHAP2-Response'} = 
:MS-CHAP2-Response -> 
'0x07659f14a65ad77f1546d8aca5f2196626dbff9d32e6c1679c7f27c071374f109360595818fb0202de96'
(7) packetfence:   $RAD_REQUEST{'EAP-Type'} = :EAP-Type -> 'MSCHAPv2'
(7) packetfence:   $RAD_REQUEST{'Realm'} = :Realm -> 'farn-ct.ac.uk'
(7) packetfence:   $RAD_REQUEST{'MS-CHAP-User-Name'} = 
:MS-CHAP-User-Name -> 'helpd...@farn-ct.ac.uk'
(7) packetfence:   $RAD_REQUEST{'PacketFence-Domain'} = 
:PacketFence-Domain -> 'RadiusAD'
(7) packetfence:   $RAD_CHECK{'Auth-Type'} = :Auth-Type -> 'eap'
(7) packetfence:   $RAD_CHECK{'Proxy-To-Realm'} = :Proxy-To-Realm -> 
'LOCAL'
(7) packetfence:   $RAD_CHECK{'Tmp-Integer-2'} = :Tmp-Integer-2 -> '0'
(7) packetfence:   $RAD_CONFIG{'Auth-Type'} = :Auth-Type -> 'eap'
(7) packetfence:   $RAD_CONFIG{'Proxy-To-Realm'} = :Proxy-To-Realm -> 
'LOCAL'
(7) packetfence:   $RAD_CONFIG{'Tmp-Integer-2'} = :Tmp-Integer-2 -> '0'
(7) packetfence: :NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 
'Wireless-802.11'
(7) packetfence: :Service-Type = $RAD_REQUEST{'Service-Type'} -> 
'Authenticate-Only'
(7) packetfence: :Operator-Name = $RAD_REQUEST{'Operator-Name'} -> 
'1eduroam.uk'
(7) packetfence: :State = $RAD_REQUEST{'State'} -> 
'0xdecad538decdcfad2cf97d0726a24922'
(7) packetfence: :FreeRADIUS-Proxied-To = 
$RAD_REQUEST{'FreeRADIUS-Proxied-To'} -> '127.0.0.1'
(7) packetfence: :Connect-Info = $RAD_REQUEST{'Connect-Info'} -> 
'eduroam UK test'
(7) packetfence: :Realm = $RAD_REQUEST{'Realm'} -> 'farn-ct.ac.uk'
(7) packetfence: :EAP-Type = $RAD_REQUEST{'EAP-Type'} -> 'MSCHAPv2'
(7) packetfence: :NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> 
'127.0.0.1'
(7) packetfence: :Calling-Station-Id = 
$RAD_REQUEST{'Calling-Station-Id'} -> '02:00:00:00:00:01'
(7) packetfence: :MS-CHAP-User-Name = $RAD_REQUEST{'MS-CHAP-User-Name'} 
-> 'helpd...@farn-ct.ac.uk'
(7) packetfence: :MS-CHAP-Challenge = $RAD_REQUEST{'MS-CHAP-Challenge'} 
-> '0xc7f5b2bc7fe7c7b528641a052426ae7a'
(7) packetfence: :PacketFence-Domain = 
$RAD_REQUEST{'PacketFence-Domain'} -> 'RadiusAD'
(7) packetfence: :User-Name = $RAD_REQUEST{'User-Name'} -> 
'helpd...@farn-ct.ac.uk'
(7) packetfence: :NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} -> 
'eduroamUK-test'
(7) packetfence: :Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 
'May  2 2018 00:06:23 BST'
(7) packetfence: :EAP-Message = $RAD_REQUEST{'EAP-Message'} -> 
'0x020700511a0207004c319f14a65ad77f1546d8aca5f2196626dbff9d32e6c1679c7f27c071374f109360595818fb0202de960068656c706465736b406661726e2d63742e61632e756b'
(7) packetfence: :MS-CHAP2-Response = $RAD_REQUEST{'MS-CHAP2-Response'} 
-> 
'0x07659f14a65ad77f1546d8aca5f2196626dbff9d32e6c1679c7f27c071374f109360595818fb0202de96'
(7) packetfence: :Framed-MTU = $RAD_REQUEST{'Framed-MTU'} -> '1400'
(7) packetfence: :Auth-Type = $RAD_CHECK{'Auth-Type'} ->