Re: [PacketFence-users] 802.1x role error
Hello José,

IMO you should create 2 connection profiles, one for MAB (filter connection_type = Ethernet-NoEAP) and another one for 802.1x (filter connection_type = Ethernet-EAP).

Once done, assign the correct authentication source to the MAB profile (sources you will see on the portal). On the other profile (802.1x) enable autoregistration and assign the AD-users source on it.

So now you should be able to see in the logs:

INFO: [mac:00:0c:29:f6:0e:ac] Instantiate profile 802.1x (pf::Connection::ProfileFactory::_from_profile)

The next thing to verify is if the user account administrator returns a role when you try to authenticate. To verify that, use the CLI with "pftest authentication ..." and check the result; it should be an issue with the authentication rule or maybe because the realm (DOMAIN) is not stripped in radius.

Regards
Fabrice

On Sun, May 22, 2022 at 11:32, José Ramos via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

> I don't need help anymore on that !
>
> On Sat, May 21, 2022 at 2:22 PM José Ramos wrote:
>
>> Hello ! I have configured 802.1x and mab. When I use mab and authenticate
>> with an AD user on the portal I'm put in the right VLAN of my
>> authentication source.
>>
>> 802.1x works as well but always puts me in VLAN 1 and does not assign
>> roles. I tried to enable stripped username in the DEFAULT realm but it does
>> not change anything. I also tried to strip from the switch but then the
>> authentication is refused.
>>
>> Can I get some help pls ? Thank you !
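The log check suggested in the reply above (which profile was instantiated, whether a role came back, whether the realm prefix is still on the username) can be run over `httpd.aaa` output. This is an added example, not part of the original thread or of PacketFence itself: the function names are hypothetical, and the sample lines are constructed from the message shapes quoted in the thread, with the second node, its username and the role `employees` invented for contrast.

```python
import re

# Constructed sample: same message shapes as the httpd.aaa lines in this thread.
SAMPLE_LOG = r"""
httpd.aaa(1558) INFO: [mac:00:0c:29:f6:0e:ac] handling radius autz request: from switch_ip => (10.0.0.10), connection_type => Ethernet-EAP,switch_mac => (aa:bb:cc:00:02:20), mac => [00:0c:29:f6:0e:ac], port => 3, username => "DOMAIN\Administrator" (pf::radius::authorize)
httpd.aaa(1558) INFO: [mac:00:0c:29:f6:0e:ac] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
httpd.aaa(1558) INFO: [mac:00:0c:29:f6:0e:ac] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
httpd.aaa(1560) INFO: [mac:00:0c:29:aa:bb:cc] handling radius autz request: from switch_ip => (10.0.0.10), connection_type => Ethernet-EAP,switch_mac => (aa:bb:cc:00:02:20), mac => [00:0c:29:aa:bb:cc], port => 4, username => "jdoe" (pf::radius::authorize)
httpd.aaa(1560) INFO: [mac:00:0c:29:aa:bb:cc] Instantiate profile 802.1x (pf::Connection::ProfileFactory::_from_profile)
httpd.aaa(1560) INFO: [mac:00:0c:29:aa:bb:cc] PID: "jdoe", Status: reg Returned VLAN: (undefined), Role: employees (pf::role::fetchRoleForNode)
"""

MAC = re.compile(r"\[mac:([0-9a-f:]{17})\]")
FIELDS = {
    "connection_type": re.compile(r"connection_type => ([\w-]+)"),
    "username": re.compile(r'username => "([^"]*)"'),
    "profile": re.compile(r"Instantiate profile (.+?) \(pf::"),
    "role": re.compile(r"Role: (.+?) \(pf::role::fetchRoleForNode\)"),
}

def collect(log_text):
    """Gather the last seen value of each field, keyed by MAC address."""
    nodes = {}
    for line in log_text.splitlines():
        mac = MAC.search(line)
        if not mac:
            continue
        for name, rx in FIELDS.items():
            m = rx.search(line)
            if m:
                nodes.setdefault(mac.group(1), {})[name] = m.group(1)
    return nodes

def audit(log_text):
    """Return {mac: [findings]} for nodes whose request shows a known symptom."""
    report = {}
    for mac, n in collect(log_text).items():
        findings = []
        if n.get("connection_type") == "Ethernet-EAP" and n.get("profile") == "default":
            findings.append("802.1x request fell through to the default profile")
        if "\\" in n.get("username", ""):
            findings.append("username still carries a DOMAIN\\ prefix")
        if n.get("role") == "(undefined)":
            findings.append("no role returned")
        if findings:
            report[mac] = findings
    return report
```

Calling `audit(SAMPLE_LOG)` reports only the first node, with all three findings; the second node matched the 802.1x profile and received a role, so it is not listed.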
Re: [PacketFence-users] 802.1x role error
I don't need help anymore on that !

On Sat, May 21, 2022 at 2:22 PM José Ramos wrote:

> Hello ! I have configured 802.1x and mab. When I use mab and authenticate
> with an AD user on the portal I'm put in the right VLAN of my
> authentication source.
>
> 802.1x works as well but always puts me in VLAN 1 and does not assign roles.
> I tried to enable stripped username in the DEFAULT realm but it does not
> change anything. I also tried to strip from the switch but then the
> authentication is refused.
>
> Can I get some help pls ? Thank you !

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
[PacketFence-users] 802.1x role error
Hello ! I have configured 802.1x and mab. When I use mab and authenticate with an AD user on the portal I'm put in the right VLAN of my authentication source.

802.1x works as well but always puts me in VLAN 1 and does not assign roles. I tried to enable stripped username in the DEFAULT realm but it does not change anything. I also tried to strip from the switch but then the authentication is refused.

Can I get some help pls ? Thank you !

Here are the logs :

2022-05-21T14:09:39Zpftestpacketfence_httpd.aaahttpd.aaainfo httpd.aaa(1558) INFO: [mac:00:0c:29:f6:0e:ac] handling radius autz request: from switch_ip => (10.0.0.10), connection_type => Ethernet-EAP,switch_mac => (aa:bb:cc:00:02:20), mac => [00:0c:29:f6:0e:ac], port => 3, username => "DOMAIN\Administrator" (pf::radius::authorize)
2022-05-21T14:09:39Zpftestpacketfence_httpd.aaahttpd.aaainfo httpd.aaa(1558) INFO: [mac:00:0c:29:f6:0e:ac] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
2022-05-21T14:09:39Zpftestpacketfence_httpd.aaahttpd.aaainfo httpd.aaa(1558) INFO: [mac:00:0c:29:f6:0e:ac] Found authentication source(s) : 'AD-users' for realm 'default' (pf::config::util::filter_authentication_sources)
2022-05-21T14:09:39Zpftestpacketfence_httpd.aaahttpd.aaainfo httpd.aaa(1558) INFO: [mac:00:0c:29:f6:0e:ac] Role has already been computed and we don't want to recompute it. (pf::role::getNodeInfoForAutoReg)
2022-05-21T14:09:39Zpftestpacketfence_httpd.aaahttpd.aaawarn httpd.aaa(1558) WARN: [mac:00:0c:29:f6:0e:ac] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
2022-05-21T14:09:39Zpftestpacketfence_httpd.aaahttpd.aaainfo httpd.aaa(1558) INFO: [mac:00:0c:29:f6:0e:ac] Found authentication source(s) : 'AD-users' for realm 'default' (pf::config::util::filter_authentication_sources)
2022-05-21T14:09:39Zpftestpacketfence_httpd.aaahttpd.aaainfo httpd.aaa(1558) INFO: [mac:00:0c:29:f6:0e:ac] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
2022-05-21T14:09:39Zpftestpacketfence_httpd.aaahttpd.aaawarn httpd.aaa(1558) WARN: [mac:00:0c:29:f6:0e:ac] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489.
0001-01-01T00:00:00Z
2022-05-21T14:09:39Zpftestpacketfence_httpd.aaahttpd.aaainfo httpd.aaa(1558) INFO: [mac:00:0c:29:f6:0e:ac] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
2022-05-21T14:09:39Zpftestpacketfence_httpd.aaahttpd.aaainfo httpd.aaa(1558) INFO: [mac:00:0c:29:f6:0e:ac] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
2022-05-21T14:09:39Zpftestpacketfence_httpd.aaahttpd.aaawarn httpd.aaa(1558) WARN: [mac:00:0c:29:f6:0e:ac] Use of uninitialized value $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 633.
0001-01-01T00:00:00Z
2022-05-21T14:09:39Zpftestpacketfence_httpd.aaahttpd.aaawarn httpd.aaa(1558) WARN: [mac:00:0c:29:f6:0e:ac] Use of uninitialized value $name in exists at /usr/local/pf/lib/pf/Switch.pm line 667.
0001-01-01T00:00:00Z
2022-05-21T14:09:39Zpftestpacketfence_httpd.aaahttpd.aaawarn httpd.aaa(1558) WARN: [mac:00:0c:29:f6:0e:ac] Use of uninitialized value $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 640.
0001-01-01T00:00:00Z
2022-05-21T14:09:39Zpftestpacketfence_httpd.aaahttpd.aaawarn httpd.aaa(1558) WARN: [mac:00:0c:29:f6:0e:ac] No parameter Vlan found in conf/switches.conf for the switch 10.0.0.10 (pf::Switch::getVlanByName)
2022-05-21T14:09:39Zpftestpacketfence_httpd.aaahttpd.aaawarn httpd.aaa(1558) WARN: [mac:00:0c:29:f6:0e:ac] Use of uninitialized value $roleName in hash element at /usr/local/pf/lib/pf/Switch.pm line 590.
0001-01-01T00:00:00Z
2022-05-21T14:09:39Zpftestpacketfence_httpd.aaahttpd.aaawarn httpd.aaa(1558) WARN: [mac:00:0c:29:f6:0e:ac] Use of uninitialized value $name in exists at /usr/local/pf/lib/pf/Switch.pm line 611.
0001-01-01T00:00:00Z
2022-05-21T14:09:39Zpftestpacketfence_httpd.aaahttpd.aaawarn httpd.aaa(1558) WARN: [mac:00:0c:29:f6:0e:ac] Use of uninitialized value $roleName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 597.
0001-01-01T00:00:00Z
2022-05-21T14:09:39Zpftestpacketfence_httpd.aaahttpd.aaawarn httpd.aaa(1558) WARN: [mac:00:0c:29:f6:0e:ac] No parameter Role found in conf/switches.conf for the switch 10.0.0.10 (pf::Switch::getRoleByName)