Re: [PacketFence-users] Windows client automatically login using hostname and hit non-exist realm
Hello Fabrice, Thank you for your explanation. Regards, Irvan. On Fri, Nov 4, 2022 at 7:37 PM Fabrice Durand wrote: > Hello Irvan, > > yes it's normal, we did some unlang to mimic the way the realm is set when > packetfence receives a machine authentication. > > > https://github.com/inverse-inc/packetfence/blob/devel/raddb/policy.d/packetfence#L36 > > Regards > Fabrice > > > Le ven. 4 nov. 2022 à 08:34, Irvan via PacketFence-users < > packetfence-users@lists.sourceforge.net> a écrit : > >> Hello Ludovic, >> >> Thank you for your explanation. >> How about the realm? According to log, when windows sends computer >> account as login, Packetfence put it on Realm = "binus.local". But we never >> stup that realm. >> Is it normal to? >> >> >> >> Regards, >> Irvan. >> >> On Thu, Nov 3, 2022 at 12:16 AM Zammit, Ludovic >> wrote: >> >>> Hello Irvan, >>> >>> It looks pretty normal that the windows sends the computer account >>> because it’s the default behavior. >>> >>> What is not normal, is that if you have at least one successful >>> authentication on the wifi with a username password, it should keep that >>> one and not re-ask again. >>> >>> All that can be configured on the SSID profile on windows. >>> >>> Thanks, >>> >>> >>> *Ludovic Zammit* >>> *Product Support Engineer Principal Lead* >>> *Cell:* +1.613.670.8432 >>> Akamai Technologies - Inverse >>> 145 Broadway >>> Cambridge, MA 02142 >>> Connect with Us: <https://community.akamai.com> >>> <http://blogs.akamai.com> <https://twitter.com/akamai> >>> <http://www.facebook.com/AkamaiTechnologies> >>> <http://www.linkedin.com/company/akamai-technologies> >>> <http://www.youtube.com/user/akamaitechnologies?feature=results_main> >>> >>> On Nov 2, 2022, at 1:45 AM, Irvan via PacketFence-users < >>> packetfence-users@lists.sourceforge.net> wrote: >>> >>> Hello Everyone, >>> >>> >>> We have strange behaviour with Windows Client connecting to dot1x WiFi >>> on Packetfence using AD Authentication source. >>> >>> The symptoms are : >>> >>> - When the first time Windows client connect to SSID, it was asked for >>> username and password for login. >>> - But if client forget the SSID and try to reconnect, Windows never >>> asked username and password, it was automatically send hostname as login to >>> packetfence, and accepted by packetfence. >>> - The same thing happened when user comeback in the next day, Windows >>> send hostname as login instead of username and it also accepted by >>> packetfence >>> >>> We don't setup any machine auth, only user auth. Drill down to radius >>> log, we saw that hostname login hit a non-existe realm. Using username and >>> password client hit null realm. But when windows send hostname it hit >>> binus.local realm, which is never exist. >>> >>> Bellow are radius log and realm.conf >>> >>> 1. Using user auth >>> === >>> Request Time >>> 0 >>> >>> RADIUS Request >>> User-Name = "loudy.owen" >>> NAS-IP-Address = 10.21.36.41 >>> NAS-Port = 4 >>> Service-Type = Framed-User >>> State = 0x6067228e61c0382594e9daec37da5a60 >>> Called-Station-Id = "90:3a:72:03:18:90:BinusWifi-Staff.1x" >>> Calling-Station-Id = "70:66:55:34:28:f3" >>> NAS-Identifier = "90-3A-72-03-18-90" >>> NAS-Port-Type = Wireless-802.11 >>> Acct-Session-Id = "6361F1F4-03189001" >>> Acct-Multi-Session-Id = "88DA8FBC70CEC821" >>> Event-Timestamp = "Nov 2 2022 11:28:41 WIB" >>> Connect-Info = "CONNECT 802.11" >>> EAP-Message = 0x02a700061a03 >>> Chargeable-User-Identity = 0x00 >>> Location-Data = 0x31304944170d42696e7573205379616864616e >>> WLAN-Pairwise-Cipher = 1027076 >>> WLAN-Group-Cipher = 1027076 >>> WLAN-AKM-Suite = 1027073 >>> FreeRADIUS-Proxied-To = 127.0.0.1 >>> Ruckus-SSID = "BinusWifi-Staff.1x" >>> Ruckus-Wlan-Id = 508 >>> Ruckus-Location = "Binus Syahdan" >>> Ruckus-SCG-CBlade-IP = 180933220 >>> Ruckus-VLAN-ID = 1220 >>> Ruckus-BSSID = 0x903a7243189d >>> Ruckus-Zone-Name = "AP-Zone-Syahdan"
Re: [PacketFence-users] Windows client automatically login using hostname and hit non-exist realm
Hello Ludovic, Thank you for your explanation. How about the realm? According to log, when windows sends computer account as login, Packetfence put it on Realm = "binus.local". But we never stup that realm. Is it normal to? Regards, Irvan. On Thu, Nov 3, 2022 at 12:16 AM Zammit, Ludovic wrote: > Hello Irvan, > > It looks pretty normal that the windows sends the computer account because > it’s the default behavior. > > What is not normal, is that if you have at least one successful > authentication on the wifi with a username password, it should keep that > one and not re-ask again. > > All that can be configured on the SSID profile on windows. > > Thanks, > > > *Ludovic Zammit* > *Product Support Engineer Principal Lead* > *Cell:* +1.613.670.8432 > Akamai Technologies - Inverse > 145 Broadway > Cambridge, MA 02142 > Connect with Us: <https://community.akamai.com> <http://blogs.akamai.com> > <https://twitter.com/akamai> <http://www.facebook.com/AkamaiTechnologies> > <http://www.linkedin.com/company/akamai-technologies> > <http://www.youtube.com/user/akamaitechnologies?feature=results_main> > > On Nov 2, 2022, at 1:45 AM, Irvan via PacketFence-users < > packetfence-users@lists.sourceforge.net> wrote: > > Hello Everyone, > > > We have strange behaviour with Windows Client connecting to dot1x WiFi on > Packetfence using AD Authentication source. > > The symptoms are : > > - When the first time Windows client connect to SSID, it was asked for > username and password for login. > - But if client forget the SSID and try to reconnect, Windows never asked > username and password, it was automatically send hostname as login to > packetfence, and accepted by packetfence. > - The same thing happened when user comeback in the next day, Windows send > hostname as login instead of username and it also accepted by packetfence > > We don't setup any machine auth, only user auth. Drill down to radius log, > we saw that hostname login hit a non-existe realm. Using username and > password client hit null realm. But when windows send hostname it hit > binus.local realm, which is never exist. > > Bellow are radius log and realm.conf > > 1. Using user auth > === > Request Time > 0 > > RADIUS Request > User-Name = "loudy.owen" > NAS-IP-Address = 10.21.36.41 > NAS-Port = 4 > Service-Type = Framed-User > State = 0x6067228e61c0382594e9daec37da5a60 > Called-Station-Id = "90:3a:72:03:18:90:BinusWifi-Staff.1x" > Calling-Station-Id = "70:66:55:34:28:f3" > NAS-Identifier = "90-3A-72-03-18-90" > NAS-Port-Type = Wireless-802.11 > Acct-Session-Id = "6361F1F4-03189001" > Acct-Multi-Session-Id = "88DA8FBC70CEC821" > Event-Timestamp = "Nov 2 2022 11:28:41 WIB" > Connect-Info = "CONNECT 802.11" > EAP-Message = 0x02a700061a03 > Chargeable-User-Identity = 0x00 > Location-Data = 0x31304944170d42696e7573205379616864616e > WLAN-Pairwise-Cipher = 1027076 > WLAN-Group-Cipher = 1027076 > WLAN-AKM-Suite = 1027073 > FreeRADIUS-Proxied-To = 127.0.0.1 > Ruckus-SSID = "BinusWifi-Staff.1x" > Ruckus-Wlan-Id = 508 > Ruckus-Location = "Binus Syahdan" > Ruckus-SCG-CBlade-IP = 180933220 > Ruckus-VLAN-ID = 1220 > Ruckus-BSSID = 0x903a7243189d > Ruckus-Zone-Name = "AP-Zone-Syahdan" > Ruckus-Wlan-Name = "VlanPool2" > EAP-Type = MSCHAPv2 > Stripped-User-Name = "loudy.owen" > Realm = "null" > Called-Station-SSID = "BinusWifi-Staff.1x" > PacketFence-Domain = "binus" > PacketFence-KeyBalanced = "10a6d36fd6ec338584a72fcbe75f86ba" > PacketFence-Radius-Ip = "10.200.210.87" > PacketFence-NTLMv2-Only = "" > PacketFence-Outer-User = "loudy.owen" > Attr-26.25053.155 = 0x5379616864616e2043616d707573 > User-Password = "**" > SQL-User-Name = "loudy.owen" > > RADIUS Reply > EAP-Message = 0x03a70004 > Message-Authenticator = 0x > User-Name = "loudy.owen" > REST-HTTP-Status-Code = 200 > > == > > 2. Using hostname > === > Request Time > 0 > > RADIUS Request > User-Name = "host/NB202007000166.binus.local" > NAS-IP-Address = 10.21.36.41 > NAS-Port = 4 > Service-Type = Framed-User > State = 0xb4483109b5402b5768b5cf1f24ad1e9e > Called-Station-Id = "90:3a:72:03:18:90:BinusWifi-Staff.1x" > Calling-Station-Id = "70:66:55:34:28:f3" > NAS-Identifier = "90-3A-72-03-18-90" > NAS-Port-Type = Wireless-802.11
[PacketFence-users] Windows client automatically login using hostname and hit non-exist realm
Hello Everyone, We have strange behaviour with Windows Client connecting to dot1x WiFi on Packetfence using AD Authentication source. The symptoms are : - When the first time Windows client connect to SSID, it was asked for username and password for login. - But if client forget the SSID and try to reconnect, Windows never asked username and password, it was automatically send hostname as login to packetfence, and accepted by packetfence. - The same thing happened when user comeback in the next day, Windows send hostname as login instead of username and it also accepted by packetfence We don't setup any machine auth, only user auth. Drill down to radius log, we saw that hostname login hit a non-existe realm. Using username and password client hit null realm. But when windows send hostname it hit binus.local realm, which is never exist. Bellow are radius log and realm.conf 1. Using user auth === Request Time 0 RADIUS Request User-Name = "loudy.owen" NAS-IP-Address = 10.21.36.41 NAS-Port = 4 Service-Type = Framed-User State = 0x6067228e61c0382594e9daec37da5a60 Called-Station-Id = "90:3a:72:03:18:90:BinusWifi-Staff.1x" Calling-Station-Id = "70:66:55:34:28:f3" NAS-Identifier = "90-3A-72-03-18-90" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "6361F1F4-03189001" Acct-Multi-Session-Id = "88DA8FBC70CEC821" Event-Timestamp = "Nov 2 2022 11:28:41 WIB" Connect-Info = "CONNECT 802.11" EAP-Message = 0x02a700061a03 Chargeable-User-Identity = 0x00 Location-Data = 0x31304944170d42696e7573205379616864616e WLAN-Pairwise-Cipher = 1027076 WLAN-Group-Cipher = 1027076 WLAN-AKM-Suite = 1027073 FreeRADIUS-Proxied-To = 127.0.0.1 Ruckus-SSID = "BinusWifi-Staff.1x" Ruckus-Wlan-Id = 508 Ruckus-Location = "Binus Syahdan" Ruckus-SCG-CBlade-IP = 180933220 Ruckus-VLAN-ID = 1220 Ruckus-BSSID = 0x903a7243189d Ruckus-Zone-Name = "AP-Zone-Syahdan" Ruckus-Wlan-Name = "VlanPool2" EAP-Type = MSCHAPv2 Stripped-User-Name = "loudy.owen" Realm = "null" Called-Station-SSID = "BinusWifi-Staff.1x" PacketFence-Domain = "binus" PacketFence-KeyBalanced = "10a6d36fd6ec338584a72fcbe75f86ba" PacketFence-Radius-Ip = "10.200.210.87" PacketFence-NTLMv2-Only = "" PacketFence-Outer-User = "loudy.owen" Attr-26.25053.155 = 0x5379616864616e2043616d707573 User-Password = "**" SQL-User-Name = "loudy.owen" RADIUS Reply EAP-Message = 0x03a70004 Message-Authenticator = 0x User-Name = "loudy.owen" REST-HTTP-Status-Code = 200 == 2. Using hostname === Request Time 0 RADIUS Request User-Name = "host/NB202007000166.binus.local" NAS-IP-Address = 10.21.36.41 NAS-Port = 4 Service-Type = Framed-User State = 0xb4483109b5402b5768b5cf1f24ad1e9e Called-Station-Id = "90:3a:72:03:18:90:BinusWifi-Staff.1x" Calling-Station-Id = "70:66:55:34:28:f3" NAS-Identifier = "90-3A-72-03-18-90" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "6361F350-03189001" Acct-Multi-Session-Id = "3DD47C3ED408529E" Event-Timestamp = "Nov 2 2022 11:34:26 WIB" Connect-Info = "CONNECT 802.11" EAP-Message = 0x020800061a03 Chargeable-User-Identity = 0x00 Location-Data = 0x31304944170d42696e7573205379616864616e WLAN-Pairwise-Cipher = 1027076 WLAN-Group-Cipher = 1027076 WLAN-AKM-Suite = 1027073 FreeRADIUS-Proxied-To = 127.0.0.1 Ruckus-SSID = "BinusWifi-Staff.1x" Ruckus-Wlan-Id = 508 Ruckus-Location = "Binus Syahdan" Ruckus-SCG-CBlade-IP = 180933220 Ruckus-VLAN-ID = 1220 Ruckus-BSSID = 0x903a7243189d Ruckus-Zone-Name = "AP-Zone-Syahdan" Ruckus-Wlan-Name = "VlanPool2" EAP-Type = MSCHAPv2 Realm = "binus.local" Called-Station-SSID = "BinusWifi-Staff.1x" PacketFence-Domain = "binus" PacketFence-KeyBalanced = "e080ae33e5dd7f64d0155f1a8dc95245" PacketFence-Radius-Ip = "10.200.210.87" PacketFence-NTLMv2-Only = "" PacketFence-Outer-User = "host/NB202007000166.binus.local" Attr-26.25053.155 = 0x5379616864616e2043616d707573 User-Password = "**" SQL-User-Name = "host/NB202007000166.binus.local" RADIUS Reply MS-MPPE-Encryption-Policy = Encryption-Required MS-MPPE-Encryption-Types = 4 MS-MPPE-Send-Key = 0xb45a79e25b9f5bda45259afc13d0dc5c MS-MPPE-Recv-Key = 0xe52d30f3e2977a2c1219c4200bc44678 EAP-Message = 0x03080004 Message-Authenticator = 0x User-Name = "host/NB202007000166.binus.local" REST-HTTP-Status-Code = 200 3. realm.conf == # Copyright (C) Inverse inc. [1 DEFAULT] radius_auth_compute_in_pf=enabled radius_acct= eduroam_radius_auth= radius_auth= eduroam_radius_acct= radius_auth_proxy_type=keyed-balance eduroam_radius_acct_proxy_type=load-balance eduroam_radius_auth_proxy_type=keyed-balance permit_custom_attributes=disabled radius_acct_proxy_type=load-balance eduroam_radius_auth_compute_in_pf=enabled domain=binus [1 LOCAL] eduroam_radius_acct= radius_auth= radius_acct= eduroam_radius_acct_proxy_type=load-balance radius_acct_proxy_type=load-balance eduroam_radius_auth= radius_auth_compute_in_pf=enabled radius_auth_proxy_type=keyed-balance
Re: [PacketFence-users] 802.1x EAP-TTLS PAP with Azure AD not working
Hi, Thanks for the respon. First, I apologize for masking the domain name using domain.edu. From now on I'll use the real domain name. I run the eapol_test again, open the /us/local/pf/logs/packetfence.log and /usr/local/pf/logs/radius.log. Here's what I got. /usr/local/pf/logs/packetfence.log: Apr 11 10:06:29 packetfence packetfence[483956]: pfperl-api(432247) INFO: Using 300 resolution threshold (pf::pfcron::task::cluster_check::run) Apr 11 10:06:29 packetfence packetfence[483956]: pfperl-api(432247) INFO: All cluster members are running the same configuration version (pf::pfcron::task::cluster_check::run) Apr 11 10:06:29 packetfence packetfence[483957]: pfperl-api(432247) INFO: getting security_events triggers for accounting cleanup (pf::accounting::acct_maintenance) Apr 11 10:06:29 packetfence packetfence[483960]: pfperl-api(405077) INFO: processed 0 security_events during security_event maintenance (1649646389.11398 1649646389.12184) (pf::security_event::security_event_maintenance) Apr 11 10:06:29 packetfence packetfence[483960]: pfperl-api(405077) INFO: processed 0 security_events during security_event maintenance (1649646389.12392 1649646389.12672) (pf::security_event::security_event_maintenance) Apr 11 10:07:29 packetfence packetfence[484024]: pfperl-api(432247) INFO: processed 0 security_events during security_event maintenance (1649646449.0738 1649646449.08153) (pf::security_event::security_event_maintenance) Apr 11 10:07:29 packetfence packetfence[484024]: pfperl-api(432247) INFO: processed 0 security_events during security_event maintenance (1649646449.08332 1649646449.0853) (pf::security_event::security_event_maintenance) Apr 11 10:07:29 packetfence packetfence[484025]: pfperl-api(403770) INFO: Using 300 resolution threshold (pf::pfcron::task::cluster_check::run) Apr 11 10:07:29 packetfence packetfence[484025]: pfperl-api(403770) INFO: All cluster members are running the same configuration version (pf::pfcron::task::cluster_check::run) Apr 11 10:07:29 packetfence packetfence[484026]: pfperl-api(414007) INFO: getting security_events triggers for accounting cleanup (pf::accounting::acct_maintenance) Apr 11 10:08:29 packetfence packetfence[484109]: pfperl-api(403770) INFO: getting security_events triggers for accounting cleanup (pf::accounting::acct_maintenance) Apr 11 10:08:29 packetfence packetfence[484108]: pfperl-api(405077) INFO: Using 300 resolution threshold (pf::pfcron::task::cluster_check::run) Apr 11 10:08:29 packetfence packetfence[484108]: pfperl-api(405077) INFO: All cluster members are running the same configuration version (pf::pfcron::task::cluster_check::run) Apr 11 10:08:29 packetfence packetfence[484111]: pfperl-api(405077) INFO: processed 0 security_events during security_event maintenance (1649646509.10386 1649646509.11199) (pf::security_event::security_event_maintenance) Apr 11 10:08:29 packetfence packetfence[484111]: pfperl-api(405077) INFO: processed 0 security_events during security_event maintenance (1649646509.11402 1649646509.1159) (pf::security_event::security_event_maintenance) /usr/local/pf/logs/radius.log : Apr 11 10:04:45 packetfence auth[33321]: rlm_perl: oauth2 worker (binus.edu): sync Apr 11 10:05:07 packetfence auth[33321]: rlm_perl: oauth2 worker (binus.edu): died, sleeping for 100 seconds Apr 11 10:06:47 packetfence auth[33321]: rlm_perl: oauth2 worker (binus.edu): sync Apr 11 10:07:08 packetfence auth[33321]: rlm_perl: oauth2 worker (binus.edu): died, sleeping for 100 seconds Apr 11 10:07:56 packetfence auth[33321]: (46117) Ignoring duplicate packet from client pf port 57731 - ID: 6 due to unfinished request in component authenticate module eap_ttls Apr 11 10:08:02 packetfence auth[33321]: (46117) Ignoring duplicate packet from client pf port 57731 - ID: 6 due to unfinished request in component authenticate module eap_ttls Apr 11 10:08:04 packetfence auth[33321]: Unresponsive child for request 46117, in component authenticate module eap_ttls Apr 11 10:08:14 packetfence auth[33321]: (46119) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x04996e9c01657bf4 Apr 11 10:08:14 packetfence auth[33321]: (46119) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x04996e9c01657bf4 Apr 11 10:08:14 packetfence auth[33321]: [mac:02:00:00:00:00:01] Rejected user: testing.netw...@binus.edu Apr 11 10:08:14 packetfence auth[33321]: (46119) Login incorrect (eap: rlm_eap (EAP): No EAP session matching state 0x04996e9c01657bf4): [ testing.netw...@binus.edu] (from client pf port 0 cli 02:00:00:00:00:01) Apr 11 10:08:48 packetfence auth[33321]: rlm_perl: oauth2 worker (binus.edu): sync Apr 11 10:09:08 packetfence auth[33321]: rlm_perl: oauth2 worker (binus.edu): died, sleeping for 100 seconds Any help would be appreciated Regards, Irvan. On Sat, Apr 9, 2022 at 3:19 AM Zammit, Ludovic wrote: > Hello there, > > The reject in post auth means that it’s PF that rejects you. > > Check into the /usr/local/pf/logs/packetfence.log to see the exact