Re: [PacketFence-users] Login incorrect for authentication process from Windows login
Hello Fabrice,

Thanks for your reply.

Indeed, the problem seems to come from the assignment of the role in the source of authentication.

When I test with eapol_test for the andenne\administrator account, it doesn't work. If I just test with the administrator account, it works.

FYI, there are no conditions defined in the authentication rules.

I feel like the problem is because the username variable contains the domain\username.

Here is an excerpt from raddebug:

(346) Thu Feb 2 11:00:46 2023: Debug: # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
(346) Thu Feb 2 11:00:46 2023: Debug: Post-Auth-Type REJECT {
(346) Thu Feb 2 11:00:46 2023: Debug: update {
(346) Thu Feb 2 11:00:46 2023: Debug: } # update = noop
(346) Thu Feb 2 11:00:46 2023: Debug: if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) {
(346) Thu Feb 2 11:00:46 2023: Debug: if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) -> FALSE
(346) Thu Feb 2 11:00:46 2023: Debug: if ("%{%{control:PacketFence-Proxied-From}:-False}" == "True") {
(346) Thu Feb 2 11:00:46 2023: Debug: EXPAND %{%{control:PacketFence-Proxied-From}:-False}
(346) Thu Feb 2 11:00:46 2023: Debug: --> False
(346) Thu Feb 2 11:00:46 2023: Debug: if ("%{%{control:PacketFence-Proxied-From}:-False}" == "True") -> FALSE
(346) Thu Feb 2 11:00:46 2023: Debug: attr_filter.access_reject: EXPAND %{User-Name}
(346) Thu Feb 2 11:00:46 2023: Debug: attr_filter.access_reject: --> andenne\\administrateur
(346) Thu Feb 2 11:00:46 2023: Debug: attr_filter.access_reject: Matched entry DEFAULT at line 11
(346) Thu Feb 2 11:00:46 2023: Debug: [attr_filter.access_reject] = updated
(346) Thu Feb 2 11:00:46 2023: Debug: attr_filter.packetfence_post_auth: EXPAND %{User-Name}
(346) Thu Feb 2 11:00:46 2023: Debug: attr_filter.packetfence_post_auth: --> andenne\\administrateur
(346) Thu Feb 2 11:00:46 2023: Debug: attr_filter.packetfence_post_auth: Matched entry DEFAULT at line 10
(346) Thu Feb 2 11:00:46 2023: Debug: [attr_filter.packetfence_post_auth] = updated
(346) Thu Feb 2 11:00:46 2023: Debug: [eap] = noop
(346) Thu Feb 2 11:00:46 2023: Debug: policy remove_reply_message_if_eap {
(346) Thu Feb 2 11:00:46 2023: Debug: if (:EAP-Message && :Reply-Message) {
(346) Thu Feb 2 11:00:46 2023: Debug: if (:EAP-Message && :Reply-Message) -> FALSE
(346) Thu Feb 2 11:00:46 2023: Debug: else {
(346) Thu Feb 2 11:00:46 2023: Debug: [noop] = noop
(346) Thu Feb 2 11:00:46 2023: Debug: } # else = noop
(346) Thu Feb 2 11:00:46 2023: Debug: } # policy remove_reply_message_if_eap = noop
(346) Thu Feb 2 11:00:46 2023: Debug: linelog: EXPAND messages.%{%{reply:Packet-Type}:-default}
(346) Thu Feb 2 11:00:46 2023: Debug: linelog: --> messages.Access-Reject
(346) Thu Feb 2 11:00:46 2023: Debug: linelog: EXPAND [mac:%{Calling-Station-Id}] Rejected user: %{User-Name}
(346) Thu Feb 2 11:00:46 2023: Debug: linelog: --> [mac:02:00:00:00:00:01] Rejected user: andenne\administrateur
(346) Thu Feb 2 11:00:46 2023: Debug: linelog: EXPAND stdout
(346) Thu Feb 2 11:00:46 2023: Debug: linelog: --> stdout
(346) Thu Feb 2 11:00:46 2023: Debug: [linelog] = ok
(346) Thu Feb 2 11:00:46 2023: Debug: } # Post-Auth-Type REJECT = updated
(346) Thu Feb 2 11:00:46 2023: Debug: Delaying response for 1.00 seconds
(346) Thu Feb 2 11:00:47 2023: Debug: Sending delayed response
(346) Thu Feb 2 11:00:47 2023: Debug: Sent Access-Reject Id 9 from 127.0.0.1:1812 to 127.0.0.1:58643 length 44

Thanks for your help,

best regards,

Didier.

Didier Walraet
IT Manager
CPAS Ville d'Andenne
GSM: 0475 800 796
didier.walr...@cpas-andenne.be

On 01-02-23 at 17:19, Fabrice Durand wrote:

> Hello Didier,
>
> Rejected in post-auth means that it has been rejected by the logic in PacketFence.
> Verify in the packetfence.log file to see what happens exactly when the device connects.
>
> Regards
> Fabrice
>
> On Wed, 1 Feb 2023 at 07:24, Didier Walraet via PacketFence-users wrote:
>
> > Hi everybody,
> >
> > We have a problem with authentication from Windows sessions.
> >
> > When I check with pftest it works:
> >
> > Authenticating against 'dcandenne' in context 'admin'
> > Authentication SUCCEEDED against dcandenne (Authentication successful.)
> > Matched against dcandenne for 'authentication' rule catchall
> > set_role : default
> > set_access_duration : 1D
> > Did not match against dcandenne for 'administration' rules
> >
> > Authenticating against 'dcandenne' in context 'portal'
> > Authentication SUCCEEDED against dcandenne (Authentication successful.)
> > Matched against dcandenne for 'authentication' rule catchall
> > set_role : default
> > set_access_duration : 1D
> >
> > When I test with eapol_test it works:
> >
> > EAPOL: SUPP_BE entering state RECEIVE
> > Received 184 bytes from
Re: [PacketFence-users] Login incorrect for authentication process from Windows login
Hello Didier,

Rejected in post-auth means that it has been rejected by the logic in PacketFence.
Verify in the packetfence.log file to see what happens exactly when the device connects.

Regards
Fabrice

On Wed, 1 Feb 2023 at 07:24, Didier Walraet via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

> Hi everybody,
>
> We have a problem with authentication from Windows sessions.
>
> When I check with pftest it works:
>
> Authenticating against 'dcandenne' in context 'admin'
> Authentication SUCCEEDED against dcandenne (Authentication successful.)
> Matched against dcandenne for 'authentication' rule catchall
> set_role : default
> set_access_duration : 1D
> Did not match against dcandenne for 'administration' rules
>
> Authenticating against 'dcandenne' in context 'portal'
> Authentication SUCCEEDED against dcandenne (Authentication successful.)
> Matched against dcandenne for 'authentication' rule catchall
> set_role : default
> set_access_duration : 1D
>
> When I test with eapol_test it works:
>
> EAPOL: SUPP_BE entering state RECEIVE
> Received 184 bytes from RADIUS server
> Received RADIUS message
> RADIUS message: code=2 (Access-Accept) identifier=9 length=184
> Attribute 1 (User-Name) length=24
> Value: 'andenne\\administrateur'
> Attribute 26 (Vendor-Specific) length=58
> Value:
> 01371134c13273280210014b8952df27af1d66ef0394150828ddd278c2f3d80b7dd3b9b73d86f83a263ac27392fa5212d77f55bb4b58
> Attribute 26 (Vendor-Specific) length=58
> Value:
> 01371034cf04b7c73dd8aae9b040a0061f528848602d0fadc4ca1fc08fec82bec34b09131f81621125e838d23812afec44aa01c6ac66
> Attribute 79 (EAP-Message) length=6
> Value: 038c0004
> Attribute 80 (Message-Authenticator) length=18
> Value: 5b9fb6bccfe5dd977dd2dcf5039787f3
> STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
> request, round trip time 0.00 sec
>
> RADIUS packet matching with station
> MS-MPPE-Send-Key (sign) - hexdump(len=32): f8 f2 d3 fb 41 8e 70 62 33 4f
> e4 b4 86 f0 82 6a 02 dc b7 e2 70 52 8f bb 1d b9 6c 63 07 6d d8 05
> MS-MPPE-Recv-Key (crypt) - hexdump(len=32): de 31 38 73 0f 11 42 a6 1a c9
> 92 c8 be a8 10 14 62 b6 26 dc 8d 85 5c 63 7a fd 41 6b a8 09 6c cb
> decapsulated EAP packet (code=3 id=140 len=4) from RADIUS server: EAP
> Success
> EAPOL: Received EAP-Packet frame
> EAPOL: SUPP_BE entering state REQUEST
> EAPOL: getSuppRsp
> EAP: EAP entering state RECEIVED
> EAP: Received EAP-Success
> EAP: Status notification: completion (param=success)
> EAP: EAP entering state SUCCESS
> CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
> EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames required
> WPA: EAPOL processing complete
> Cancelling authentication timeout
> State: DISCONNECTED -> COMPLETED
> EAPOL: SUPP_PAE entering state AUTHENTICATED
> EAPOL: SUPP_BE entering state RECEIVE
> EAPOL: SUPP_BE entering state SUCCESS
> EAPOL: SUPP_BE entering state IDLE
> eapol_sm_cb: result=1
> EAPOL: Successfully fetched key (len=32)
> PMK from EAPOL - hexdump(len=32): de 31 38 73 0f 11 42 a6 1a c9 92 c8 be
> a8 10 14 62 b6 26 dc 8d 85 5c 63 7a fd 41 6b a8 09 6c cb
> No EAP-Key-Name received from server
> WPA: Clear old PMK and PTK
> EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
> ENGINE: engine deinit
> MPPE keys OK: 1 mismatch: 0
> SUCCESS
>
> But when I try authentication from Windows, before opening of the user
> session, with user credentials domain\username, it doesn't work:
>
> Feb 1 09:00:11 packetfence auth[9916]: (3332) Rejected in post-auth:
> [ANDENNE\Administrateur] (from client 10.185.2.154/32 port 1 cli
> 04:7b:cb:43:d9:37 via TLS tunnel)
> Feb 1 09:00:11 packetfence auth[9916]: (3332) Login incorrect:
> [ANDENNE\Administrateur] (from client 10.185.2.154/32 port 1 cli
> 04:7b:cb:43:d9:37 via TLS tunnel)
> Feb 1 09:00:11 packetfence auth[9916]: () Login incorrect (eap_peap:
> The users session was previously rejected: returning reject (again.)):
> [ANDENNE\Administrateur] (from client 10.185.2.154/32 port 1 cli
> 04:7b:cb:43:d9:37)
> Feb 1 09:00:21 packetfence auth[9916]: (3343) Rejected in post-auth:
> [ANDENNE\Administrateur] (from client 10.185.2.154/32 port 1 cli
> 04:7b:cb:43:d9:37 via TLS tunnel)
> Feb 1 09:00:21 packetfence auth[9916]: (3343) Login incorrect:
> [ANDENNE\Administrateur] (from client 10.185.2.154/32 port 1 cli
> 04:7b:cb:43:d9:37 via TLS tunnel)
>
> When I test with the same username on a Linux system, it works:
>
> Feb 1 08:52:55 packetfence auth[9916]: (3293) Login OK:
> [administrateur] (from client 10.185.2.154/32 port 1 cli
> 04:0e:3c:f0:ed:5c via TLS tunnel)
> Feb 1 08:52:55 packetfence auth[9916]: (3294) Login OK: [administrateur]
> (from client 10.185.2.154/32 port 1 cli 04:0e:3c:f0:ed:5c)
> Feb 1 09:00:10 packetfence auth[9916]: Adding client 10.185.2.154/32
>
> Can anyone help me?
>
> Best regards,
>
> Didier.
> --
>
> *Didi**er
[PacketFence-users] Login incorrect for authentication process from Windows login
Hi everybody,

We have a problem with authentication from Windows sessions.

When I check with pftest it works:

Authenticating against 'dcandenne' in context 'admin'
Authentication SUCCEEDED against dcandenne (Authentication successful.)
Matched against dcandenne for 'authentication' rule catchall
set_role : default
set_access_duration : 1D
Did not match against dcandenne for 'administration' rules

Authenticating against 'dcandenne' in context 'portal'
Authentication SUCCEEDED against dcandenne (Authentication successful.)
Matched against dcandenne for 'authentication' rule catchall
set_role : default
set_access_duration : 1D

When I test with eapol_test it works:

EAPOL: SUPP_BE entering state RECEIVE
Received 184 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=2 (Access-Accept) identifier=9 length=184
Attribute 1 (User-Name) length=24
Value: 'andenne\\administrateur'
Attribute 26 (Vendor-Specific) length=58
Value: 01371134c13273280210014b8952df27af1d66ef0394150828ddd278c2f3d80b7dd3b9b73d86f83a263ac27392fa5212d77f55bb4b58
Attribute 26 (Vendor-Specific) length=58
Value: 01371034cf04b7c73dd8aae9b040a0061f528848602d0fadc4ca1fc08fec82bec34b09131f81621125e838d23812afec44aa01c6ac66
Attribute 79 (EAP-Message) length=6
Value: 038c0004
Attribute 80 (Message-Authenticator) length=18
Value: 5b9fb6bccfe5dd977dd2dcf5039787f3
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec

RADIUS packet matching with station
MS-MPPE-Send-Key (sign) - hexdump(len=32): f8 f2 d3 fb 41 8e 70 62 33 4f e4 b4 86 f0 82 6a 02 dc b7 e2 70 52 8f bb 1d b9 6c 63 07 6d d8 05
MS-MPPE-Recv-Key (crypt) - hexdump(len=32): de 31 38 73 0f 11 42 a6 1a c9 92 c8 be a8 10 14 62 b6 26 dc 8d 85 5c 63 7a fd 41 6b a8 09 6c cb
decapsulated EAP packet (code=3 id=140 len=4) from RADIUS server: EAP Success
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Success
EAP: Status notification: completion (param=success)
EAP: EAP entering state SUCCESS
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames required
WPA: EAPOL processing complete
Cancelling authentication timeout
State: DISCONNECTED -> COMPLETED
EAPOL: SUPP_PAE entering state AUTHENTICATED
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state SUCCESS
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: result=1
EAPOL: Successfully fetched key (len=32)
PMK from EAPOL - hexdump(len=32): de 31 38 73 0f 11 42 a6 1a c9 92 c8 be a8 10 14 62 b6 26 dc 8d 85 5c 63 7a fd 41 6b a8 09 6c cb
No EAP-Key-Name received from server
WPA: Clear old PMK and PTK
EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 1 mismatch: 0
SUCCESS

But when I try authentication from Windows, before opening of the user session, with user credentials domain\username, it doesn't work:

Feb 1 09:00:11 packetfence auth[9916]: (3332) Rejected in post-auth: [ANDENNE\Administrateur] (from client 10.185.2.154/32 port 1 cli 04:7b:cb:43:d9:37 via TLS tunnel)
Feb 1 09:00:11 packetfence auth[9916]: (3332) Login incorrect: [ANDENNE\Administrateur] (from client 10.185.2.154/32 port 1 cli 04:7b:cb:43:d9:37 via TLS tunnel)
Feb 1 09:00:11 packetfence auth[9916]: () Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [ANDENNE\Administrateur] (from client 10.185.2.154/32 port 1 cli 04:7b:cb:43:d9:37)
Feb 1 09:00:21 packetfence auth[9916]: (3343) Rejected in post-auth: [ANDENNE\Administrateur] (from client 10.185.2.154/32 port 1 cli 04:7b:cb:43:d9:37 via TLS tunnel)
Feb 1 09:00:21 packetfence auth[9916]: (3343) Login incorrect: [ANDENNE\Administrateur] (from client 10.185.2.154/32 port 1 cli 04:7b:cb:43:d9:37 via TLS tunnel)

When I test with the same username on a Linux system, it works:

Feb 1 08:52:55 packetfence auth[9916]: (3293) Login OK: [administrateur] (from client 10.185.2.154/32 port 1 cli 04:0e:3c:f0:ed:5c via TLS tunnel)
Feb 1 08:52:55 packetfence auth[9916]: (3294) Login OK: [administrateur] (from client 10.185.2.154/32 port 1 cli 04:0e:3c:f0:ed:5c)
Feb 1 09:00:10 packetfence auth[9916]: Adding client 10.185.2.154/32

Can anyone help me?

Best regards,

Didier.

--
Didier Walraet
IT Manager
CPAS Ville d'Andenne
GSM: 0475 800 796
didier.walr...@cpas-andenne.be

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
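
One way to test the hypothesis raised in this thread (that the outcome depends on whether User-Name carries the DOMAIN\ prefix) against the RADIUS auth log. This script is an added example, not part of the original posts or of PacketFence; the log lines are constructed in the format quoted above, and `split_user`, `summarise` and `form_dependent` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample in the thread's auth-log format; not the poster's log.
SAMPLE_LOG = r"""
Feb  1 08:52:55 pf auth[9916]: (3293) Login OK: [alice] (from client 192.0.2.10/32 port 1 cli 02:00:00:00:00:02 via TLS tunnel)
Feb  1 08:52:55 pf auth[9916]: (3294) Login OK: [alice] (from client 192.0.2.10/32 port 1 cli 02:00:00:00:00:02)
Feb  1 09:00:11 pf auth[9916]: (3332) Rejected in post-auth: [EXAMPLE\Alice] (from client 192.0.2.10/32 port 1 cli 02:00:00:00:00:01 via TLS tunnel)
Feb  1 09:00:11 pf auth[9916]: (3332) Login incorrect: [EXAMPLE\Alice] (from client 192.0.2.10/32 port 1 cli 02:00:00:00:00:01 via TLS tunnel)
Feb  1 09:00:11 pf auth[9916]: () Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [EXAMPLE\Alice] (from client 192.0.2.10/32 port 1 cli 02:00:00:00:00:01)
Feb  1 09:05:40 pf auth[9916]: (3350) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [bob] (from client 192.0.2.10/32 port 1 cli 02:00:00:00:00:03 via TLS tunnel)
"""
OUTCOME = {"Login OK": "accept", "Login incorrect": "reject",
           "Rejected in post-auth": "reject:post-auth"}
# "(id) <result>[ (module: reason)]: [User-Name]"; the id may be empty.
LINE_RE = re.compile(r"\(\d*\) (?P<result>Login OK|Login incorrect|Rejected in post-auth)"
                     r"(?: \(.*?\))?: \[(?P<user>[^\]]*)\]")

def split_user(user):
    """Return (name form, lower-cased account) for a RADIUS User-Name."""
    user = user.replace("\\\\", "\\")  # debug output doubles the backslash
    if "\\" in user:
        return "DOMAIN\\user", user.split("\\", 1)[1].lower()
    if "@" in user:
        return "user@realm", user.split("@", 1)[0].lower()
    return "bare", user.lower()

def summarise(log_text):
    """Map account -> name form -> set of outcomes seen in the log."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            form, account = split_user(m["user"])
            seen[account][form].add(OUTCOME[m["result"]])
    return seen

def form_dependent(seen):
    """Accounts accepted under one name form and only rejected under another."""
    hits = {}
    for account, forms in seen.items():
        ok = sorted(f for f, o in forms.items() if "accept" in o)
        bad = sorted(f for f, o in forms.items() if "accept" not in o)
        if ok and bad:
            hits[account] = {"accepted_as": ok, "rejected_as": bad, "post_auth":
                             any("reject:post-auth" in forms[f] for f in bad)}
    return hits

if __name__ == "__main__":
    print(form_dependent(summarise(SAMPLE_LOG)))
```

An account reported with `post_auth` set to true was rejected at the post-auth stage, which is where Fabrice's reply places the decision (the PacketFence logic, traced in packetfence.log); an account such as the constructed `bob`, rejected under every form it used, is not reported.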