Re: [PacketFence-users] 802.1X fails authentication - No role computed by any sources - registration failed

2023-04-18 Thread Fabrice Durand via PacketFence-users
Ah ah, there is a guy who replied on Reddit:
https://www.reddit.com/r/PacketFence/comments/12pw62q/8021x_fails_authentication_no_role_computed_by/

On Tue, Apr 18, 2023 at 18:09, Dan Clancey via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello -
>
> I am currently in the process of evaluating packetfence as a NAC solution
> and am following the installation guide at
> https://www.packetfence.org/doc/PacketFence_Installation_Guide.html to
> get started.
>
> After completing the steps in "Section 5: Getting Started." I connected a
> laptop to the configured switchport and the network adapter in Windows
> states "Authentication Failed."
> I have confirmed that packetfence successfully joined the Domain and that
> the Authentication Source tests successfully. The sAMAccountName in AD
> matches DOMAIN\UserName listed below.
>
> When I check auditing I get the following information:
>
>> 04/17/2023 03:35 PM Accept 10.7.14.16 Unregistered b445065c08d7 10.248.0.5
>> 04/17/2023 03:35 PM Reject 10.7.14.16
>> Unregistered DOMAIN\UserName  10.248.0.5
>> 04/17/2023 03:35 PM Reject 10.7.14.16
>> Unregistered DOMAIN\UserName  10.248.0.5
>
>
> here is the output from packetfence.log:
>
> Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
>> INFO: [mac:b4:45:06:5c:08:d7] handling radius autz request: from switch_ip
>> => (10.248.0.5), connection_type => Ethernet-EAP,switch_mac =>
>> (28:34:a2:1a:56:b0), mac => [b4:45:06:5c:08:d7], port => 10148, username =>
>> "DOMAIN\UserName" (pf::radius::authorize)
>> Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
>> INFO: [mac:b4:45:06:5c:08:d7] Instantiate profile 8021x
>> (pf::Connection::ProfileFactory::_from_profile)
>> Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
>> INFO: [mac:b4:45:06:5c:08:d7] Found authentication source(s) : 'DC01' for
>> realm 'default' (pf::config::util::filter_authentication_sources)
>> Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
>> INFO: [mac:b4:45:06:5c:08:d7] Using sources DC01 for matching
>> (pf::authentication::match2)
>> Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
>> WARN: [mac:b4:45:06:5c:08:d7] [DC01 catchall] Searching for
>> (sAMAccountName= DOMAIN\UserName  ), from DC=domain,DC=local, with scope
>> sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
>> Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
>> INFO: [mac:b4:45:06:5c:08:d7] No rules matches or no category defined for
>> the node, set it as unreg. (pf::role::getNodeInfoForAutoReg)
>> Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
>> WARN: [mac:b4:45:06:5c:08:d7] No category computed for autoreg
>> (pf::role::getNodeInfoForAutoReg)
>> Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
>> WARN: [mac:b4:45:06:5c:08:d7] No role specified or found for pid
>> DOMAIN\UserName  (MAC b4:45:06:5c:08:d7); assume maximum number of
>> registered nodes is reached (pf::node::is_max_reg_nodes_reached)
>> Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
>> ERROR: [mac:b4:45:06:5c:08:d7] no role computed by any sources -
>> registration of b4:45:06:5c:08:d7 to  DOMAIN\UserName  failed
>> (pf::registration::setup_node_for_registration)
>> Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
>> ERROR: [mac:b4:45:06:5c:08:d7] auto-registration of node failed no role
>> computed by any sources (pf::radius::authorize)
>> Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
>> ERROR: [mac:b4:45:06:5c:08:d7] Database query failed with non retryable
>> error: Cannot add or update a child row: a foreign key constraint fails
>> (`pf`.`node`, CONSTRAINT `0_57` FOREIGN KEY (`pid`) REFERENCES `person`
>> (`pid`) ON DELETE CASCADE ON UPDATE CASCADE) (errno: 1452) [INSERT INTO
>> `node` ( `autoreg`, `bandwidth_balance`, `bypass_acls`, `bypass_role_id`,
>> `bypass_vlan`, `category_id`, `computername`, `detect_date`,
>> `device_class`, `device_manufacturer`, `device_score`, `device_type`,
>> `device_version`, `dhcp6_enterprise`, `dhcp6_fingerprint`,
>> `dhcp_fingerprint`, `dhcp_vendor`, `last_arp`, `last_dhcp`, `last_seen`,
>> `lastskip`, `mac`, `machine_account`, `notes`, `pid`, `regdate`,
>> `sessionid`, `status`, `time_balance`, `unregdate`, `user_agent`, `voip`)
>> VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?,
>> ?, ?, ?, ?, ?, ?, ?, ?, ?, ? ) ON DUPLICATE KEY UPDATE `autoreg` = ?,
>> `last_seen` = ?, `pid` = ?]{yes, NULL, NULL, NULL, NULL, NULL, NULL,
>> 2023-04-17 14:46:50, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
>> -00-00 00:00:00, -00-00 00:00:00, 2023-04-17 15:35:12, -00-00
>> 00:00:00, b4:45:06:5c:08:d7, NULL, NULL,  DOMAIN\UserName , -00-00
>> 00:00:00, NULL, unreg, NULL, -00-00 00:00:00, NULL, no, yes, 2023-04-17
>> 15:35:12,  DOMAIN\UserName } 

[PacketFence-users] 802.1X fails authentication - No role computed by any sources - registration failed

2023-04-18 Thread Dan Clancey via PacketFence-users
Hello -

I am currently in the process of evaluating packetfence as a NAC solution
and am following the installation guide at
https://www.packetfence.org/doc/PacketFence_Installation_Guide.html to get
started.

After completing the steps in "Section 5: Getting Started." I connected a
laptop to the configured switchport and the network adapter in Windows
states "Authentication Failed."
I have confirmed that packetfence successfully joined the Domain and that
the Authentication Source tests successfully. The sAMAccountName in AD
matches DOMAIN\UserName listed below.

When I check auditing I get the following information:

> 04/17/2023 03:35 PM Accept 10.7.14.16 Unregistered b445065c08d7 10.248.0.5
> 04/17/2023 03:35 PM Reject 10.7.14.16
> Unregistered DOMAIN\UserName  10.248.0.5
> 04/17/2023 03:35 PM Reject 10.7.14.16
> Unregistered DOMAIN\UserName  10.248.0.5


here is the output from packetfence.log:

Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
> INFO: [mac:b4:45:06:5c:08:d7] handling radius autz request: from switch_ip
> => (10.248.0.5), connection_type => Ethernet-EAP,switch_mac =>
> (28:34:a2:1a:56:b0), mac => [b4:45:06:5c:08:d7], port => 10148, username =>
> "DOMAIN\UserName" (pf::radius::authorize)
> Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
> INFO: [mac:b4:45:06:5c:08:d7] Instantiate profile 8021x
> (pf::Connection::ProfileFactory::_from_profile)
> Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
> INFO: [mac:b4:45:06:5c:08:d7] Found authentication source(s) : 'DC01' for
> realm 'default' (pf::config::util::filter_authentication_sources)
> Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
> INFO: [mac:b4:45:06:5c:08:d7] Using sources DC01 for matching
> (pf::authentication::match2)
> Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
> WARN: [mac:b4:45:06:5c:08:d7] [DC01 catchall] Searching for
> (sAMAccountName= DOMAIN\UserName  ), from DC=domain,DC=local, with scope
> sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
> Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
> INFO: [mac:b4:45:06:5c:08:d7] No rules matches or no category defined for
> the node, set it as unreg. (pf::role::getNodeInfoForAutoReg)
> Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
> WARN: [mac:b4:45:06:5c:08:d7] No category computed for autoreg
> (pf::role::getNodeInfoForAutoReg)
> Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
> WARN: [mac:b4:45:06:5c:08:d7] No role specified or found for pid
> DOMAIN\UserName  (MAC b4:45:06:5c:08:d7); assume maximum number of
> registered nodes is reached (pf::node::is_max_reg_nodes_reached)
> Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
> ERROR: [mac:b4:45:06:5c:08:d7] no role computed by any sources -
> registration of b4:45:06:5c:08:d7 to  DOMAIN\UserName  failed
> (pf::registration::setup_node_for_registration)
> Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
> ERROR: [mac:b4:45:06:5c:08:d7] auto-registration of node failed no role
> computed by any sources (pf::radius::authorize)
> Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
> ERROR: [mac:b4:45:06:5c:08:d7] Database query failed with non retryable
> error: Cannot add or update a child row: a foreign key constraint fails
> (`pf`.`node`, CONSTRAINT `0_57` FOREIGN KEY (`pid`) REFERENCES `person`
> (`pid`) ON DELETE CASCADE ON UPDATE CASCADE) (errno: 1452) [INSERT INTO
> `node` ( `autoreg`, `bandwidth_balance`, `bypass_acls`, `bypass_role_id`,
> `bypass_vlan`, `category_id`, `computername`, `detect_date`,
> `device_class`, `device_manufacturer`, `device_score`, `device_type`,
> `device_version`, `dhcp6_enterprise`, `dhcp6_fingerprint`,
> `dhcp_fingerprint`, `dhcp_vendor`, `last_arp`, `last_dhcp`, `last_seen`,
> `lastskip`, `mac`, `machine_account`, `notes`, `pid`, `regdate`,
> `sessionid`, `status`, `time_balance`, `unregdate`, `user_agent`, `voip`)
> VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?,
> ?, ?, ?, ?, ?, ?, ?, ?, ?, ? ) ON DUPLICATE KEY UPDATE `autoreg` = ?,
> `last_seen` = ?, `pid` = ?]{yes, NULL, NULL, NULL, NULL, NULL, NULL,
> 2023-04-17 14:46:50, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
> -00-00 00:00:00, -00-00 00:00:00, 2023-04-17 15:35:12, -00-00
> 00:00:00, b4:45:06:5c:08:d7, NULL, NULL,  DOMAIN\UserName , -00-00
> 00:00:00, NULL, unreg, NULL, -00-00 00:00:00, NULL, no, yes, 2023-04-17
> 15:35:12,  DOMAIN\UserName } (pf::dal::db_execute)
> Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
> ERROR: [mac:b4:45:06:5c:08:d7] Cannot save b4:45:06:5c:08:d7 error (500)
> (pf::radius::authorize)
> Apr 17 15:35:25 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
> INFO: [mac:b4:45:06:5c:08:d7] handling radius autz request: from switch_ip
> =>
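
Added example, not part of either post and not PacketFence code: a small triage script that unwraps the mail-wrapped packetfence.log records above and, per MAC, reports the three stages of the failure chain the log shows. The function names and finding labels are hypothetical, and the sample is constructed from the post's own log lines (abridged). The first check relies on the fact that the Active Directory sAMAccountName attribute stores the bare logon name, without a DOMAIN\ prefix.

```python
import re
from collections import defaultdict

# Constructed sample: three records from the post (last one abridged), still mail-wrapped.
SAMPLE = r"""Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
> WARN: [mac:b4:45:06:5c:08:d7] [DC01 catchall] Searching for
> (sAMAccountName= DOMAIN\UserName  ), from DC=domain,DC=local, with scope
> sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
> Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
> ERROR: [mac:b4:45:06:5c:08:d7] no role computed by any sources -
> registration of b4:45:06:5c:08:d7 to  DOMAIN\UserName  failed
> (pf::registration::setup_node_for_registration)
> Apr 17 15:35:12 packetfence httpd.aaa-docker-wrapper[3008]: httpd.aaa(7)
> ERROR: [mac:b4:45:06:5c:08:d7] Database query failed with non retryable
> error: Cannot add or update a child row: a foreign key constraint fails
> (`pf`.`node`, CONSTRAINT `0_57` FOREIGN KEY (`pid`) REFERENCES `person`
> (`pid`) ON DELETE CASCADE ON UPDATE CASCADE) (errno: 1452)
"""

STAMP = re.compile(r"(?=[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ \S+\[\d+\]: )")
RECORD = re.compile(r"(?P<level>INFO|WARN|ERROR): \[mac:(?P<mac>[0-9a-f:]{17})\] (?P<msg>.*)")
LDAP = re.compile(r"\(sAMAccountName=\s*(?P<value>[^)]*?)\s*\)")

def unwrap(text):
    """Drop mail quote markers, rejoin wrapped lines, split at each syslog stamp."""
    flat = " ".join(re.sub(r"^[>\s]+", "", ln) for ln in text.splitlines())
    return [r.strip() for r in STAMP.split(flat) if r.strip()]

def triage(text):
    """Return {mac: [finding, ...]} for the failure chain shown in the post."""
    findings = defaultdict(list)
    for rec in unwrap(text):
        m = RECORD.search(rec)
        if not m:
            continue
        msg, out = m["msg"], findings[m["mac"]]
        ldap = LDAP.search(msg)
        # The LDAP filter value still carries the NetBIOS domain prefix.
        if ldap and "\\" in ldap["value"]:
            out.append("ldap-filter-has-domain-prefix: " + ldap["value"])
        if "no role computed by any sources" in msg:
            out.append("no-role-computed")
        # node.pid references person.pid; the INSERT failed on that constraint.
        if "foreign key constraint fails" in msg and "REFERENCES `person`" in msg:
            out.append("node-pid-has-no-person-row")
    return dict(findings)
```

Calling `triage()` on the full log text from the post works the same way, since the quote markers and line wraps are removed before matching.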