Re: [PacketFence-users] ldap authentication failed

2022-11-23 Thread Fabrice Durand via PacketFence-users
Hello Nikunj,
You can use LDAP for PEAP only if you can grab the password in clear text
or with NT-Hash.

http://deployingradius.com/documents/protocols/compatibility.html

So how do you configure that?

Or join the PacketFence server to the domain.

Regards
Fabrice



On Wed, 23 Nov 2022 at 08:47, Nikunj Vacchani via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello
>
> I'm able to authenticate with a local user but I'm not able to authenticate
> with my LDAP server users.
>
> I'm facing an error:
>
> PacketFence-KeyBalanced = "1acc010ea4ece6928d7a7f0c37444c0f"
> PacketFence-Radius-Ip = "10.20.40.153"
> Event-Timestamp = "Nov 17 2022 12:42:35 IST"
> Acct-Session-Id = "05000132"
> NAS-Port = 53
> NAS-IP-Address = 11.11.11.240
> PacketFence-NTLMv2-Only = ""
> EAP-Message =
> 0x020800431a0208003e319e88dd03b1c260dbc55155c80f85eed0eed23b3c6bbfe523b45578ae1d11d4211d136139d7394e6a005252555c74657374
> FreeRADIUS-Proxied-To = 127.0.0.1
> EAP-Type = MSCHAPv2
> MS-CHAP2-Response =
> 0x08529e88dd03b1c260dbc55155c80f85eed0eed23b3c6bbfe523b45578ae1d11d4211d136139d7394e6a
> Calling-Station-Id = "54:05:db:0a:ae:a4"
> Stripped-User-Name = "test"
> User-Name = "RRU\\test"
> PacketFence-Outer-User = "RRU\\test"
> NAS-Port-Type = Ethernet
> PacketFence-Domain = "RRUAD01"
> MS-CHAP-Challenge = 0xa88d981c98c2e8b5e0512896662f75d3
> Realm = "default"
> MS-CHAP-User-Name = "RRU\\test"
> State = 0x0e2308c40e2b12014ce5e92689785f0a
> Module-Failure-Message = "chrooted_mschap: Program returned code (1) and
> output 'The attempted logon is invalid. This is either due to a bad
> username or authentication information. (0xc06d)'"
> Module-Failure-Message = "chrooted_mschap: External script says: The
> attempted logon is invalid. This is either due to a bad username or
> authentication information. (0xc06d)"
> Module-Failure-Message = "chrooted_mschap: MS-CHAP2-Response is incorrect"
> User-Password = "**"
> SQL-User-Name = "RRUtest"
> RADIUS Reply
> MS-CHAP-Error = "\010E=691 R=0 C=fefbe43603701f99844df4f72dfc01ac V=3
> M=Authentication rejected"
> EAP-Message = 0x04080004
> Message-Authenticator = 0x
>
> Does anyone have an idea how to resolve this error?
>
> Thanks & Regards,
> Nikunj Vachhani.
> Network Engineer.
> 99091 10490
>
> *From:* Nikunj Vacchani via PacketFence-users <
> packetfence-users@lists.sourceforge.net>
> *Sent:* 16 November 2022 07:29 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Nikunj Vacchani
> *Subject:* [PacketFence-users] ldap authentication failed
>
> Hello everyone,
>
> I'm facing an issue when I'm trying to authenticate with an LDAP user.
>
> ERROR:
>
> chrooted_mschap: Program returned code (1) and output 'The attempted logon
> is invalid. This is either due to a bad username or authentication
> information. (0xc06d)'
>
> How to resolve this issue?
>
> Thanks & Regards,
> Nikunj Vachhani.
> Network Engineer.
> 99091 10490
>
> DISCLAIMER : The content of this email is confidential and intended for
> the recipient specified in message only. It is strictly forbidden to share
> any part of this message with any third party, without a written consent of
> the sender. If you received this message by mistake, please reply to this
> message and follow with its deletion, so that we can ensure such a mistake
> does not occur in the future.
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
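
As an added illustration for the thread above (not code from PacketFence or from either poster): a small Python triage script for a RADIUS attribute dump like the one quoted in the message. It assumes one unwrapped `Name = value` pair per line; the sample values and all function names are constructed for this example.

```python
import re

# MS-CHAP-V2 failure codes listed in RFC 2759.
MSCHAP_ERRORS = {646: "restricted logon hours", 647: "account disabled",
                 648: "password expired", 649: "no dial-in permission",
                 691: "authentication failure", 709: "error changing password"}

# Constructed sample in the layout of the dump in the thread; the values are made up
# and the first EAP-Message is deliberately cut short, as pasted logs often are.
SAMPLE = r'''
EAP-Type = MSCHAPv2
EAP-Message = 0x020800431a0208003e31
Module-Failure-Message = "chrooted_mschap: MS-CHAP2-Response is incorrect"
MS-CHAP-Error = "\010E=691 R=0 C=00112233445566778899aabbccddeeff V=3 M=Authentication rejected"
EAP-Message = 0x04080004
'''

def parse_attributes(dump):
    """Collect unwrapped 'Name = value' lines into {name: [values]}."""
    attrs = {}
    for name, value in re.findall(r'^([\w-]+) = (.+)$', dump, re.M):
        attrs.setdefault(name, []).append(value.strip().strip('"'))
    return attrs

def parse_mschap_error(value):
    """Split 'E=.. R=.. C=.. V=.. M=..' (optional octal ident byte in front)."""
    m = re.match(r'(?:\\(\d{3}))?E=(\d+) R=([01]) C=[0-9A-Fa-f]+ V=\d+(?: M=.*)?$', value)
    if not m:
        raise ValueError("not an MS-CHAP-Error value: %r" % value)
    ident, code, retry = m.groups()
    return {"ident": int(ident, 8) if ident else None, "code": int(code),
            "meaning": MSCHAP_ERRORS.get(int(code), "unknown"), "retry_allowed": retry == "1"}

def eap_header(hex_value):
    """Decode the 4-byte EAP header; the type byte exists only on requests/responses."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("too short for an EAP packet")
    return {"code": raw[0], "id": raw[1], "declared_len": int.from_bytes(raw[2:4], "big"),
            "type": raw[4] if len(raw) > 4 else None, "actual_len": len(raw)}

def diagnose(dump):
    attrs, findings = parse_attributes(dump), []
    if "MSCHAPv2" in attrs.get("EAP-Type", []):
        findings.append("inner method is MSCHAPv2: needs cleartext or NT-Hash, or a domain join")
    findings += ["E=%d (%s), retry allowed: %s" % (e["code"], e["meaning"], e["retry_allowed"])
                 for e in map(parse_mschap_error, attrs.get("MS-CHAP-Error", []))]
    findings += ["EAP-Message shorter than declared %d bytes" % h["declared_len"]
                 for h in map(eap_header, attrs.get("EAP-Message", [])) if h["actual_len"] < h["declared_len"]]
    return findings
```

Calling `diagnose(SAMPLE)` returns three findings: the MSCHAPv2 backend requirement, the decoded E=691 failure, and a warning that the first EAP-Message was pasted incomplete.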


Re: [PacketFence-users] New v12.1 - RADIUS - Configure the Eduroam source

2022-11-23 Thread Fabrice Durand via PacketFence-users
Hello Thirunavukkarasu,

In the authentication source, add a new RADIUS source (like
tlrs1.eduroam.us) and afterwards create the eduroam source, where you will
select the RADIUS source you created previously.

Regards
Fabrice


On Wed, 23 Nov 2022 at 08:46, P.Thirunavukkarasu via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi Team,
> Now in the document for v12.1 the following is the new addition.
> That it is given to configure each RADIUS source for eduroam servers
>
> https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_eduroam
> *First create RADIUS sources for each Eduroam servers you want to define. To
> do that click New internal source and choose RADIUS. Fill the Name,
> Description, Host, Port, Secret and disable Monitor. (The information to
> configure that source could be found on the Eduroam platform)*
>
> I am not clear in configuring the RADIUS sources for the eduroam.
> Can anyone please explain this?
> Regards,
> Thirunavukkarasu


[PacketFence-users] New v12.1 - RADIUS - Configure the Eduroam source

2022-11-23 Thread P.Thirunavukkarasu via PacketFence-users
Hi Team,
Now in the document for v12.1 the following is the new addition.
That it is given to configure each RADIUS source for eduroam servers

https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_eduroam
*First create RADIUS sources for each Eduroam servers you want to define. To
do that click New internal source and choose RADIUS. Fill the Name,
Description, Host, Port, Secret and disable Monitor. (The information to
configure that source could be found on the Eduroam platform)*

I am not clear in configuring the RADIUS sources for the eduroam.
Can anyone please explain this?
Regards,
Thirunavukkarasu


Re: [PacketFence-users] ldap authentication failed

2022-11-23 Thread Nikunj Vacchani via PacketFence-users
Hello

I'm able to authenticate with a local user but I'm not able to authenticate with
my LDAP server users.

I'm facing an error:

PacketFence-KeyBalanced = "1acc010ea4ece6928d7a7f0c37444c0f"
PacketFence-Radius-Ip = "10.20.40.153"
Event-Timestamp = "Nov 17 2022 12:42:35 IST"
Acct-Session-Id = "05000132"
NAS-Port = 53
NAS-IP-Address = 11.11.11.240
PacketFence-NTLMv2-Only = ""
EAP-Message = 
0x020800431a0208003e319e88dd03b1c260dbc55155c80f85eed0eed23b3c6bbfe523b45578ae1d11d4211d136139d7394e6a005252555c74657374
FreeRADIUS-Proxied-To = 127.0.0.1
EAP-Type = MSCHAPv2
MS-CHAP2-Response = 
0x08529e88dd03b1c260dbc55155c80f85eed0eed23b3c6bbfe523b45578ae1d11d4211d136139d7394e6a
Calling-Station-Id = "54:05:db:0a:ae:a4"
Stripped-User-Name = "test"
User-Name = "RRU\\test"
PacketFence-Outer-User = "RRU\\test"
NAS-Port-Type = Ethernet
PacketFence-Domain = "RRUAD01"
MS-CHAP-Challenge = 0xa88d981c98c2e8b5e0512896662f75d3
Realm = "default"
MS-CHAP-User-Name = "RRU\\test"
State = 0x0e2308c40e2b12014ce5e92689785f0a
Module-Failure-Message = "chrooted_mschap: Program returned code (1) and output 
'The attempted logon is invalid. This is either due to a bad username or 
authentication information. (0xc06d)'"
Module-Failure-Message = "chrooted_mschap: External script says: The attempted 
logon is invalid. This is either due to a bad username or authentication 
information. (0xc06d)"
Module-Failure-Message = "chrooted_mschap: MS-CHAP2-Response is incorrect"
User-Password = "**"
SQL-User-Name = "RRUtest"
RADIUS Reply
MS-CHAP-Error = "\010E=691 R=0 C=fefbe43603701f99844df4f72dfc01ac V=3 
M=Authentication rejected"
EAP-Message = 0x04080004
Message-Authenticator = 0x


Does anyone have an idea how to resolve this error?

Thanks & Regards,
Nikunj Vachhani.
Network Engineer.
99091 10490

From: Nikunj Vacchani via PacketFence-users
Sent: 16 November 2022 07:29 PM
To: packetfence-users@lists.sourceforge.net
Cc: Nikunj Vacchani
Subject: [PacketFence-users] ldap authentication failed

Hello everyone,

I'm facing an issue when I'm trying to authenticate with an LDAP user.

ERROR:

chrooted_mschap: Program returned code (1) and output 'The attempted logon is
invalid. This is either due to a bad username or authentication information.
(0xc06d)'

How to resolve this issue?

Thanks & Regards,
Nikunj Vachhani.
Network Engineer.
99091 10490



[PacketFence-users] Old device help

2022-11-23 Thread Andrea Lenarduzzi via PacketFence-users
Hi, I have PF 12 and these are my switches:
MPLS master site: Cisco 9200/9300, Huawei S5735
MPLS remote sites: HP 2626 J4900B, max firmware 10_119
On my master site I can do what I want because the switches support all PF
features. On remote sites, I only need to allow known PCs to use the network and
park unknown hosts with a notification. Is it possible?


Re: [PacketFence-users] Disable default connection profile

2022-11-23 Thread James Andrewartha via PacketFence-users
Hi Fabrice,

Having nothing work if nothing matches is my goal, since I don’t want to allow 
PEAP-MSCHAPv2 authentication on some SSIDs, but need AD as an authentication 
source for admin. Although writing that I remember that admin rules are 
different to authentication rules. So what I really want is for successful auth 
that doesn’t match a connection profile to not work.

The example I have is I’m testing EAP-TLS on Windows which works when 
configured with a wifi profile from Intune, but when I joined manually, it used 
machine account (password) auth and got stuck in the registration VLAN, which 
was very confusing until I realised what happened. The only connection profile 
that matched that SSID also required Connection Sub Type EAP-TLS, so it fell 
back to the default connection profile.

Nov 15 15:06:07 kerr pfqueue[2158733]: pfqueue(2158733) INFO: 
[mac:6c:a1:00:4e:15:8b] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Nov 15 15:06:11 kerr packetfence_httpd.aaa[2066451]: httpd.aaa(1480) INFO: 
[mac:7c:b2:7d:48:c2:c7] handling radius autz request: from switch_ip => 
(10.20.0.1), connection_type => Wireless-802.11-EAP,switch_mac => 
(e8:ed:d6:1d:b6:e0), mac => [7c:b2:7d:48:c2:c7], port => external, username => 
"host/ITE22001.ad.ccgs.wa.edu.au", ssid => CCGS Students2 
(pf::radius::authorize)
Nov 15 15:06:11 kerr packetfence_httpd.aaa[2066451]: httpd.aaa(1480) INFO: 
[mac:7c:b2:7d:48:c2:c7] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Nov 15 15:06:11 kerr packetfence_httpd.aaa[2066451]: httpd.aaa(1480) INFO: 
[mac:7c:b2:7d:48:c2:c7] is of status unreg; belongs into registration VLAN 
(pf::role::getRegistrationRole)

I guess the more general question is what determines the lookup order for a 
connection attempt against the connection profiles?

Thanks,

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


From: Fabrice Durand 
Sent: Wednesday, 16 November 2022 9:47 PM
To: packetfence-users@lists.sourceforge.net
Cc: James Andrewartha 
Subject: Re: [PacketFence-users] Disable default connection profile

Hello James,

Trying to remove the default profile is not a good idea, since if no profile
matches then nothing will work.

The default is the last-resort one if no other one matches, so be sure to have one
that matches your filter (like the SSID) and keep the default one.

Regards
Fabrice

On Wed, 16 Nov 2022 at 08:30, James Andrewartha via PacketFence-users
<packetfence-users@lists.sourceforge.net> wrote:
Hi,

I'm trying to understand connection profiles, and so wanted to disable
the default so it's not matched, or at least not matched first. But I
can't disable it or reorder it. I tried this at the top of profiles.conf
but that just disabled all the other profiles instead:

[default]
status=disabled

Should I just be changing it to suit my own needs? Or could I delete
profiles.conf.defaults?

Thanks,

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


