Re: [PacketFence-users] why is my radius working? :-)

2017-07-10 Thread Durand fabrice via PacketFence-users

Hello Mj,


On 2017-07-10 at 09:38, mj via PacketFence-users wrote:

ghehe :-)

Happy that after some fiddling with REALMS config, our 802.1x radius 
auth is working now, but I am seeing behaviour that I don't understand.


I have _only_ configured the "DEFAULT" realm and left LOCAL and NULL 
empty. (also created no new ones)


DEFAULT is configured with strip, OURDOMAIN and OUR-AD-COMPUTERS as 
user-source. Radius has been restarted.


Puzzling behaviour:
Why is packetfence also authenticating USERS for our active directory 
during win7 clients logons? Win7 configured to use User or Computer 
authentication. Confirmed by tailing the radius logs during logons: 
first as computer, and after user logon the change to user.
When you start your computer, before login with your user account the 
device authenticates with the machine account (this is what you 
configured on the device).





How can this work with the configured usersource??

The source OUR-AD-COMPUTERS goes to 
CN=Computers,DC=ad,DC=company,DC=com with servicePrincipalName is 
username attribute. Scope: one-level.


With that usersource, I would expect only machine account 
authentications to work. But machines AND users (are in CN=Users,...) 
both work.
It probably works because the machine auth worked the first time (I 
need logs to verify that).



How can that be? Radiusd/radiusd-auth/radius-acct have been restarted 
from the packetfence GUI.


So, in my case things appear to work TOO well..? Can anyone explain? 
Do I need to restart more services?



I need to check the config you did. (profiles.conf, authentication.conf)
Regards
Fabrice


MJ

-- 


Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users





Re: [PacketFence-users] Machine authentication

2017-07-10 Thread Durand fabrice via PacketFence-users

Hello Mj,


On 2017-07-10 at 09:54, mj via PacketFence-users wrote:

Hi,

I noticed two ERROR lines in your packetfence.log:
Jul 10 15:21:30 pfnac01 packetfence_httpd.aaa: httpd.aaa(23293) 
ERROR: [mac:00:9c:02:92:ea:b0] error creating SNMP v1 read connection 
to 10.10.10.4: No response from remote host "10.10.10.4" 
(pf::Switch::connectRead)



You probably configured the switch to do SNMP v1 (PF side).


and
Jul 10 15:21:30 pfnac01 packetfence_httpd.aaa: httpd.aaa(23293) 
ERROR: [mac:00:9c:02:92:ea:b0] Error binding 'Connection reset by 
peer' (pf::LDAP::bind)


It happens after a time you didn't use the LDAP connection (it's more a 
warning).
Are you sure your config is valid? Perhaps try to get rid of those 
errors first.


But I'm no packetfence expert, and your dialogue is with Fabrice, so 
perhaps this advice can be disregarded :-)


MJ






Re: [PacketFence-users] Machine authentication

2017-07-10 Thread Durand fabrice via PacketFence-users

Hello Luca,


You need to test this source with a machine account (UserPrincipalName), 
not a user account (sAMAccountName); this is why it failed.



Try that:
/usr/local/pf/bin/pftest authentication host/LAB3-NB.dm.loc reallystrongpassword DM_Machine_Auth_PDC


Also capture the LDAP traffic from the packetfence server (something 
like that: tshark -i eth0 -f "port 389" -w /tmp/ldap.pcap) and analyse 
the ldap.pcap file under wireshark.

Regards
Fabrice

On 2017-07-10 at 09:50, luca comes wrote:


It's really strange Fabrice,

because if I try it from the gui it tells me success but if I try from 
pftest doesn't work (perhaps I'm wrong with the command):



[root@pfnac01 ~]#/usr/local/pf/bin/pftest authentication ldapuser 
// DM_Machine_Auth_PDC


Testing authentication for "ldapuser"

Authenticating against DM_Machine_Auth_PDC
  Authentication FAILED against DM_Machine_Auth_PDC (Invalid login or 
password)

  Did not match against DM_Machine_Auth_PDC for 'authentication' rules
  Did not match against DM_Machine_Auth_PDC for 'administration' rules


But both the rules and the roles are defined:


_authentication.conf_:


[DM_Machine_Auth_PDC]
description=Domain Machine Authentication
password=
scope=sub
binddn=CN=ldapuser,OU=DMGROUP,DC=dm,DC=loc
basedn=OU=DMGROUP,DC=dm,DC=loc
email_attribute=mail
usernameattribute=ServicePrincipalName
connection_timeout=5
stripped_user_name=yes
encryption=none
dynamic_routing_module=AuthModule
port=389
type=AD
host=dc2dm.dm.loc

[DM_Machine_Auth_PDC rule prova]
description=
class=authentication
match=all
action0=set_access_duration=1h
action1=set_role=Dipendenti

_roles.conf_

[Dipendenti]
notes=Accesso VLAN 167
max_nodes_per_pid=2

[Dipendenti_2]
notes=Accesso VLAN 251
max_nodes_per_pid=2

[Test]
notes=Accesso VLAN 20
max_nodes_per_pid=1

[MAR]
notes=Machine Auth
max_nodes_per_pid=1



Sent from Outlook




*From:* Fabrice Durand
*Sent:* Monday, 10 July 2017 15:30
*To:* luca comes; packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] Machine authentication

Your issue is with the DM_Machine_Auth_PDC source.

Verify that you are able to bind with this source.

Also you can use pftest.



On 2017-07-10 at 09:24, luca comes wrote:


Hi Fabrice,

yes I was checking the debug and I saw it. In the attached 
packetfence.log I can see ERROR: [mac:00:9c:02:92:ea:b0] Error 
binding 'Connection reset by peer' (pf::LDAP::bind) but the domain 
join is still working with wbinfo -u for example.



Luca


Sent from Outlook




*From:* Fabrice Durand
*Sent:* Monday, 10 July 2017 15:06
*To:* luca comes; packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] Machine authentication

The machine authentication is ok this time.

Do you have the packetfence.log for this device ?



On 2017-07-10 at 08:58, luca comes wrote:


Hello Fabrice,

attached you can find radius debug file of the transaction.


Thanks


Luca


Sent from Outlook




*From:* Fabrice Durand
*Sent:* Monday, 10 July 2017 14:48
*To:* luca comes; packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] Machine authentication

Hello Luca,

you need to have the realm to use the correct domain join.


Also what i need is the complete radius debug when you try machine 
authentication.


Regards

Fabrice



On 2017-07-10 at 08:45, luca comes wrote:


Hi Fabrice,

in this manner the error is not shown in radius.log but machine 
authentication is still not working. Also, as in the preceding email, 
the domain (DM) is correctly joined and tested with wbinfo. But if 
I try a radtest against my domain I obtain an Access-Reject. Any 
suggestion on how to troubleshoot this problem? I would like to go 
in production but with those results I have to leave.



Thanks


Luca


Sent from Outlook




*From:* Fabrice Durand via PacketFence-users
*Sent:* Monday, 10 July 2017 14:23
*To:* packetfence-users@lists.sourceforge.net
*Cc:* Fabrice Durand
*Subject:* Re: [PacketFence-users] Machine authentication

Hello Luca,

add a realm dm.loc and assign it to your domain and restart radius.

Regards

Fabrice



On 2017-07-10 at 05:58, luca comes via PacketFence-users wrote:


I've found this error in radius.log


ERROR: mschap_machine: Program returned code (1) and output 
'Reading winbind reply failed! (0xc00

1)'


But the domain is working fine, how can I solve this?


Luca


Sent from Outlook
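To make the machine-versus-user distinction in this thread concrete, here is an added example (my code, not PacketFence's and not Fabrice's): it parses 802.1X identities such as the host/LAB3-NB.dm.loc above and shows which username attribute a source must use to match each kind, which also answers MJ's puzzle in the other thread about computers and users both authenticating under one realm. The source list, the `DOMAIN\user` and `user@realm` user forms and the `HOST/<name>` plus `HOST/<fqdn>` SPN pair are assumptions constructed from the threads.

```python
"""Classify 802.1X identities and check which PacketFence-style AD source
could match them. Added example, not PacketFence code or code from the
thread.

Assumptions: Windows machine authentication presents `host/<fqdn>` (as in
the pftest line in the thread); user authentication presents `DOMAIN\\user`
or `user@realm`; an AD computer object carries both `HOST/<name>` and
`HOST/<fqdn>` as servicePrincipalName values (its sAMAccountName is
`<name>$`, which a host/ identity never equals); the source list below is
constructed from the two threads' settings."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Identity:
    kind: str             # "machine" or "user"
    account: str          # name with the realm/domain part removed
    realm: Optional[str]  # domain or realm carried in the User-Name, if any


def parse_identity(user_name: str) -> Identity:
    """Split a RADIUS User-Name into account kind, stripped name and realm."""
    if user_name.lower().startswith("host/"):
        short, _, suffix = user_name[len("host/"):].partition(".")
        return Identity("machine", f"host/{short}", suffix.lower() or None)
    if "\\" in user_name:                      # NetBIOS form DOMAIN\user
        domain, _, user = user_name.partition("\\")
        return Identity("user", user, domain.lower())
    if "@" in user_name:                       # UPN form user@realm
        user, _, realm = user_name.rpartition("@")
        return Identity("user", user, realm.lower())
    return Identity("user", user_name, None)   # bare name, no realm


def lookup_values(identity: Identity) -> Dict[str, List[str]]:
    """Attribute values an AD source would have to match for this identity.
    Keys are lowercased because LDAP attribute names are case-insensitive."""
    if identity.kind == "machine":
        short = identity.account[len("host/"):]
        spns = [f"HOST/{short}"]
        if identity.realm:
            spns.append(f"HOST/{short}.{identity.realm}")
        return {"serviceprincipalname": spns}
    return {"samaccountname": [identity.account]}


@dataclass(frozen=True)
class AdSource:
    name: str
    usernameattribute: str  # the authentication.conf key, as pasted in the thread


# Constructed from the sources named in the two threads (assumption).
SOURCES = [
    AdSource("OURDOMAIN", "sAMAccountName"),
    AdSource("OUR-AD-COMPUTERS", "servicePrincipalName"),
    AdSource("DM_Machine_Auth_PDC", "ServicePrincipalName"),
]


def matching_sources(user_name: str, sources: List[AdSource]) -> List[str]:
    """Sources whose username attribute can carry this identity at all.
    A servicePrincipalName source cannot match a plain user name, and a
    sAMAccountName source cannot match a host/ identity."""
    wanted = lookup_values(parse_identity(user_name))
    return [s.name for s in sources if s.usernameattribute.lower() in wanted]


if __name__ == "__main__":
    for name in ("host/LAB3-NB.dm.loc", "DM\\luca", "ldapuser"):
        print(f"{name:22} -> {matching_sources(name, SOURCES)}")
```

Testing `ldapuser` against DM_Machine_Auth_PDC therefore cannot succeed whatever the password, while `host/LAB3-NB.dm.loc` can.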




[PacketFence-users] radius secret lost if master role moves

2017-07-10 Thread Sokolowski, Darryl via PacketFence-users
Hi,
I have a 3-server packetfence 7.1 cluster.
It seems when the master role moves to another member, the radius 
authentication for mab begins failing and I get the 'server dead' message in 
the switch logs.
I found that if I retype the secret in the switch group gui, it begins working 
again.

I checked the switches.conf on each server and all have the correct radius 
secret.
I reloaded the config (pfcmd configreload hard) and restarted the services, and 
it works until the master moves again.

Any suggestions?

Thanks







[PacketFence-users] email registration always remains status "incomplete"

2017-07-10 Thread mj via PacketFence-users

Hi,

We're using pf-7.1 with the captive portal with email registration. 
While everything appears to work (confirmation mails are sent, the links 
are working, users get "mail activation code has been verified. Access 
granted for a month" in their browsers).


Yet: under Reports / All authentications, the httpd.portal items remain 
marked "incomplete" (and some "invalidated").


Under Reports / Email registrations they show up as "verified".

It seems strange: one screen says "verified" and the other screen says 
"incomplete" or "invalidated".


Any ideas?

MJ



Re: [PacketFence-users] Machine authentication

2017-07-10 Thread luca comes via PacketFence-users
Hi MJ,

Any help is really appreciated; I'm also not a packetfence expert. The first 
error I think is not relevant because I'm not using SNMP; I will check it after 
the basic config runs fine. The other one is strange: as I was writing to 
Fabrice, my source is apparently correctly configured but the role/VLAN is not 
returned.


Luca


Sent from Outlook



From: mj via PacketFence-users
Sent: Monday, 10 July 2017 15:54
To: packetfence-users@lists.sourceforge.net
Cc: mj
Subject: Re: [PacketFence-users] Machine authentication

Hi,

I noticed two ERROR lines in your packetfence.log:
> Jul 10 15:21:30 pfnac01 packetfence_httpd.aaa: httpd.aaa(23293) ERROR: 
> [mac:00:9c:02:92:ea:b0] error creating SNMP v1 read connection to 10.10.10.4: 
> No response from remote host "10.10.10.4" (pf::Switch::connectRead)


and
> Jul 10 15:21:30 pfnac01 packetfence_httpd.aaa: httpd.aaa(23293) ERROR: 
> [mac:00:9c:02:92:ea:b0] Error binding 'Connection reset by peer' 
> (pf::LDAP::bind)

Are you sure your config is valid? Perhaps try to get rid of those
errors first.

But I'm no packetfence expert, and your dialogue is with Fabrice, so
perhaps this advice can be disregarded :-)

MJ



Re: [PacketFence-users] Unable to view the web configuration page after installation

2017-07-10 Thread Antoine Amacher via PacketFence-users

Hello,

The httpd and haproxy processes are not running.

Try this:

/usr/local/pf/bin/pfcmd service httpd.admin start

Thanks


On 07/10/2017 01:13 AM, Muralidhar Bg via PacketFence-users wrote:

Hi,

I installed packetfence following the instructions on 
https://packetfence.org/doc/PacketFence_Administration_Guide.html 



After installation I tried opening the 
https://@ip_of_packetfence:1443/configurator page on my server


I get "unable to connect" error on the browser.

Also find the status of packetfence as given below
$ /usr/local/pf/bin/pfcmd service pf status
carbon-cache|1|0
carbon-relay|1|0
collectd|1|0
dhcpd|0|0
haproxy|1|0
httpd.aaa|1|0
httpd.admin|1|0
httpd.collector|0|0
httpd.dispatcher|1|0
httpd.graphite|1|0
httpd.parking|1|0
httpd.portal|1|0
httpd.proxy|0|0
httpd.webservices|1|0
iptables|1|0
keepalived|0|0
p0f|1|0
pfbandwidthd|0|0
pfdetect||0
pfdhcplistener|1|0
pfdns|0|0
pffilter|1|0
pfmon|1|0
pfqueue|1|0
pfsetvlan|0|0
pfsso|1|0
radiusd-acct|1|0
radiusd-auth|1|0
radsniff|1|0
redis_ntlm_cache|0|0
redis_queue|1|0
routes|0|-1
snmptrapd|0|0
statsd|1|0
winbindd|0|0

On further investigation I found out that mysql is not working as well 
(error as given below):


$ ERROR 2002 (HY000): Can't connect to local MySQL server through 
socket '/var/lib/mysql/mysql.sock' (2 "No such file or directory")


mysql and the rest of the dependencies were installed by running the 
packetfence installation command. I am running centOS 7 on my server. 
Please help!






--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)

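A small triage script for that status table, added here as an example and not part of PacketFence or of Antoine's answer: it assumes the columns are service, should-be-started flag and pid, lists the enabled services that have no pid, and singles out the two that front the admin page. The sample table is a constructed excerpt of the output pasted above.

```python
"""Triage helper for `pfcmd service pf status` output.

Added example, not PacketFence code. Assumption: every row is
`service|shouldBeStarted|pid`, and a pid of 0 (or -1) means the service
is not running. SAMPLE is a constructed excerpt of the table pasted in
the thread."""
from dataclasses import dataclass
from typing import List, Optional

SAMPLE = """\
dhcpd|0|0
haproxy|1|0
httpd.aaa|1|0
httpd.admin|1|0
httpd.portal|1|0
iptables|1|0
pfdetect||0
radiusd-auth|1|0
routes|0|-1
winbindd|0|0
"""

# The two services Antoine points at for the admin/configurator page on
# port 1443 (assumption drawn from the thread, not from PacketFence docs).
ADMIN_UI_SERVICES = ("haproxy", "httpd.admin")


@dataclass(frozen=True)
class ServiceStatus:
    name: str
    should_run: Optional[bool]  # None when the flag column is empty (pfdetect||0)
    pid: int


def parse_status(text: str) -> List[ServiceStatus]:
    """Parse the pipe-separated table, skipping blank lines and a header row."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("service|"):
            continue
        parts = line.split("|")
        if len(parts) != 3:
            raise ValueError(f"unexpected status row: {line!r}")
        name, flag, pid = parts
        should_run = None if flag == "" else flag == "1"
        rows.append(ServiceStatus(name, should_run, int(pid)))
    return rows


def enabled_but_down(rows: List[ServiceStatus]) -> List[str]:
    """Services that are supposed to start but have no live pid."""
    return [r.name for r in rows if r.should_run and r.pid <= 0]


def admin_ui_blockers(rows: List[ServiceStatus]) -> List[str]:
    """Subset of the down services that front the admin UI."""
    down = set(enabled_but_down(rows))
    return [name for name in ADMIN_UI_SERVICES if name in down]


def start_commands(names: List[str]) -> List[str]:
    """The pfcmd invocation from the thread, one per service to bring up."""
    return [f"/usr/local/pf/bin/pfcmd service {name} start" for name in names]


if __name__ == "__main__":
    status = parse_status(SAMPLE)
    print("enabled but not running:", ", ".join(enabled_but_down(status)))
    for cmd in start_commands(admin_ui_blockers(status)):
        print("try:", cmd)
```

When every enabled service shows pid 0, as in the pasted table, the database error below the table is the more likely root cause than any single service.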


Re: [PacketFence-users] Machine authentication

2017-07-10 Thread mj via PacketFence-users

Hi,

I noticed two ERROR lines in your packetfence.log:

Jul 10 15:21:30 pfnac01 packetfence_httpd.aaa: httpd.aaa(23293) ERROR: 
[mac:00:9c:02:92:ea:b0] error creating SNMP v1 read connection to 10.10.10.4: No response 
from remote host "10.10.10.4" (pf::Switch::connectRead)



and

Jul 10 15:21:30 pfnac01 packetfence_httpd.aaa: httpd.aaa(23293) ERROR: 
[mac:00:9c:02:92:ea:b0] Error binding 'Connection reset by peer' 
(pf::LDAP::bind)


Are you sure your config is valid? Perhaps try to get rid of those 
errors first.


But I'm no packetfence expert, and your dialogue is with Fabrice, so 
perhaps this advice can be disregarded :-)


MJ



Re: [PacketFence-users] Machine authentication

2017-07-10 Thread luca comes via PacketFence-users
It's really strange Fabrice,

because if I try it from the gui it tells me success but if I try from pftest 
doesn't work (perhaps I'm wrong with the command):


[root@pfnac01 ~]#/usr/local/pf/bin/pftest authentication ldapuser  
DM_Machine_Auth_PDC

Testing authentication for "ldapuser"

Authenticating against DM_Machine_Auth_PDC
  Authentication FAILED against DM_Machine_Auth_PDC (Invalid login or password)
  Did not match against DM_Machine_Auth_PDC for 'authentication' rules
  Did not match against DM_Machine_Auth_PDC for 'administration' rules


But both the rules and the roles are defined:


authentication.conf:


[DM_Machine_Auth_PDC]
description=Domain Machine Authentication
password=
scope=sub
binddn=CN=ldapuser,OU=DMGROUP,DC=dm,DC=loc
basedn=OU=DMGROUP,DC=dm,DC=loc
email_attribute=mail
usernameattribute=ServicePrincipalName
connection_timeout=5
stripped_user_name=yes
encryption=none
dynamic_routing_module=AuthModule
port=389
type=AD
host=dc2dm.dm.loc

[DM_Machine_Auth_PDC rule prova]
description=
class=authentication
match=all
action0=set_access_duration=1h
action1=set_role=Dipendenti

roles.conf

[Dipendenti]
notes=Accesso VLAN 167
max_nodes_per_pid=2

[Dipendenti_2]
notes=Accesso VLAN 251
max_nodes_per_pid=2

[Test]
notes=Accesso VLAN 20
max_nodes_per_pid=1

[MAR]
notes=Machine Auth
max_nodes_per_pid=1




Sent from Outlook



From: Fabrice Durand
Sent: Monday, 10 July 2017 15:30
To: luca comes; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Machine authentication


Your issue is with the DM_Machine_Auth_PDC source.

Verify that you are able to bind with this source.

Also you can use pftest.


On 2017-07-10 at 09:24, luca comes wrote:

Hi Fabrice,

yes I was checking the debug and I saw it. In the attached packetfence.log I 
can see ERROR: [mac:00:9c:02:92:ea:b0] Error binding 'Connection reset by peer' 
(pf::LDAP::bind) but the domain join is still working with wbinfo -u for example.


Luca


Sent from Outlook



From: Fabrice Durand
Sent: Monday, 10 July 2017 15:06
To: luca comes; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Machine authentication


The machine authentication is ok this time.

Do you have the packetfence.log for this device ?


On 2017-07-10 at 08:58, luca comes wrote:

Hello Fabrice,

attached you can find radius debug file of the transaction.


Thanks


Luca


Sent from Outlook



From: Fabrice Durand
Sent: Monday, 10 July 2017 14:48
To: luca comes; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Machine authentication


Hello Luca,

you need to have the realm to use the correct domain join.


Also what i need is the complete radius debug when you try machine 
authentication.

Regards

Fabrice


On 2017-07-10 at 08:45, luca comes wrote:

Hi Fabrice,

in this manner the error is not shown in radius.log but machine authentication 
is still not working. Also, as in the preceding email, the domain (DM) is correctly 
joined and tested with wbinfo. But if I try a radtest against my domain I obtain an 
Access-Reject. Any suggestion on how to troubleshoot this problem? I would like 
to go in production but with those results I have to leave.


Thanks


Luca


Sent from Outlook



From: Fabrice Durand via PacketFence-users
Sent: Monday, 10 July 2017 14:23
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand
Subject: Re: [PacketFence-users] Machine authentication


Hello Luca,

add a realm dm.loc and assign it to your domain and restart radius.

Regards

Fabrice


On 2017-07-10 at 05:58, luca comes via PacketFence-users wrote:

I've found this error in radius.log


ERROR: mschap_machine: Program returned code (1) and output 'Reading winbind 
reply failed! (0xc00
1)'


But the domain is working fine, how can I solve this?


Luca


Sent from Outlook



From: luca comes via PacketFence-users
Sent: Monday, 10 July 2017 11:42
To: packetfence-users@lists.sourceforge.net
Cc: luca comes
Subject: Re: [PacketFence-users] Machine authentication


Hi all,

Any suggestion? I don't know what to check; the domain is correctly configured and the 
tests are fine (wbinfo -u etc.). I added my domain to the LOCAL realm as per 
Antoine's mail but is 

[PacketFence-users] Unable to view the web configuration page after installation

2017-07-10 Thread Muralidhar Bg via PacketFence-users
Hi,

I installed packetfence following the instructions on
https://packetfence.org/doc/PacketFence_Administration_Guide.html

After installation I tried opening the https://@ip_of_packetfence:1443/configurator 
page on my server

I get "unable to connect" error on the browser.

Also find the status of packetfence as given below
$ /usr/local/pf/bin/pfcmd service pf status
carbon-cache|1|0
carbon-relay|1|0
collectd|1|0
dhcpd|0|0
haproxy|1|0
httpd.aaa|1|0
httpd.admin|1|0
httpd.collector|0|0
httpd.dispatcher|1|0
httpd.graphite|1|0
httpd.parking|1|0
httpd.portal|1|0
httpd.proxy|0|0
httpd.webservices|1|0
iptables|1|0
keepalived|0|0
p0f|1|0
pfbandwidthd|0|0
pfdetect||0
pfdhcplistener|1|0
pfdns|0|0
pffilter|1|0
pfmon|1|0
pfqueue|1|0
pfsetvlan|0|0
pfsso|1|0
radiusd-acct|1|0
radiusd-auth|1|0
radsniff|1|0
redis_ntlm_cache|0|0
redis_queue|1|0
routes|0|-1
snmptrapd|0|0
statsd|1|0
winbindd|0|0

On further investigation I found out that mysql is not working as well
(error as given below):

$ ERROR 2002 (HY000): Can't connect to local MySQL server through socket
'/var/lib/mysql/mysql.sock' (2 "No such file or directory")

mysql and the rest of the dependencies were installed by running the
packetfence installation command. I am running centOS 7 on my server.
Please help!


[PacketFence-users] Re: The switch(sg300) does not immediately respond to a pf client state change

2017-07-10 Thread ???????? via PacketFence-users
Hello Ludovic,
Now I have changed the switch config, but it still does not immediately respond from 
pf:
[192.168.1.4]
description=sg300-2f
isolationVlan=60
registrationVlan=50
SNMPVersionTrap=3
SNMPUserNameTrap=private
SNMPAuthProtocolWrite=MD5
SNMPUserNameWrite=private
SNMPUserNameRead=private
SNMPAuthPasswordWrite=password
SNMPAuthPasswordRead=password
SNMPAuthProtocolTrap=MD5
SNMPEngineID=80090300af1f6efe59
SNMPPrivProtocolWrite=DES
SNMPPrivPasswordWrite=password
SNMPAuthPasswordTrap=password
SNMPPrivProtocolTrap=DES
SNMPPrivPasswordTrap=password
SNMPAuthProtocolRead=MD5
guestVlan=3
deauthMethod=SNMP
cliAccess=Y
ExternalPortalEnforcement=Y
qkm-si-labVlan=13
qkm-engVlan=11
qkm-siVlan=11
qkm-swVlan=12
qkm-finVlan=14
QKM-itVlan=16
qkm-2fVlan=15
radiusSecret=useStrongerSecret
mode=production
type=Cisco::SG300
cliPwd=admin123456@
cliUser=admin
cliEnablePwd=admin123456@
useCoA=N



------------------ Original message ------------------
From: "Ludovic Zammit";
Sent: 2017-07-07 (Fri) 8:59
To: "packetfence-users";
Cc: "";
Subject: Re: [PacketFence-users] The switch(sg300) does not immediately respond to a pf client state change



Hello,

You have to put the deauth method to SNMP, you have set it to radius:


deauthMethod=RADIUS


CoA is not supported on that switch model. PF will try to bounce the 
port with an SNMP request (shut / no shut).
 
Thanks,
Ludovic Zammit lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca 
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



 
 
On Jul 7, 2017, at 3:40 AM, via PacketFence-users wrote:

Hello,
I configured sg300 switches and pf, but I found it is not immediately possible 
to update the client status change of pf. For example:
I never registered the status of computer A as registered, and computer A needs 
to wait half an hour before the status is changed to registered. This half hour is 
the time when the switch is revalidated ("dot1x timeout reauth-period 
1800"). How do you make pf's client status change effective immediately?
I have connected the computer to the gi20 port.
sg300 config as below:


switch6efe59#sh run
config-file-header
switch6efe59
v1.3.7.18 / R750_NIK_1_35_647_358
CLI v1.0
set system mode switch


file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
vlan 3-4,11,14-16,50,60
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone
voice vlan oui-table add 00036b Cisco_phone_
voice vlan oui-table add 00096e Avaya___
voice vlan oui-table add 000fe2 H3C_Aolynk__
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone__
dot1x system-auth-control
hostname switch6efe59
encrypted radius-server key W5K9BRLcbxfj5NDlu3nHTlw0kOXjaL3ElMEFpkCXTsT1iuchvICQaRjE9EKiEa+3
encrypted radius-server host 192.168.1.30 key W5K9BRLcbxfj5NDlu3nHTlw0kOXjaL3ElMEFpkCXTsT1iuchvICQaRjE9EKiEa+3 priority 3
aaa authentication login telnet local
aaa authentication login Console local radius
aaa authentication enable Console enable radius
aaa authentication dot1x default radius none
aaa accounting dot1x start-stop group radius
aaa accounting login start-stop group radius
line console
login authentication Console
enable authentication Console
password da39a3ee5e6b4b0d3255bfef95601890afd80709 encrypted
exit
username admin password encrypted 79a12a55b5d56faaef1a5a9ebccdf82fb637ae30 privilege 15
snmp-server engineID local 80090300af1f6efe59
snmp-server community useStrongerSecret rw 192.168.1.30 view Default
snmp-server host 192.168.1.30 traps version 2c useStrongerSecret
snmp-server host 192.168.1.30 version 3 auth private
snmp-server group readgroup v3 auth notify Default read Default
snmp-server group readgroup v3 priv notify Default read Default
snmp-server group writegroup v3 auth notify Default read Default write Default
snmp-server group writegroup v3 priv notify Default read Default write Default
encrypted snmp-server user public readgroup v3 auth md5 RTfVftohWzkj+bRMkALik3t+Q4iVSEEJ1VUolT4eOXk=
encrypted snmp-server user private writegroup v3 auth md5 RTfVftohWzkj+bRMkALik3t+Q4iVSEEJ1VUolT4eOXk= priv RTfVftohWzkj+bRMkALik3t+Q4iVSEEJ1VUolT4eOXk=
clock timezone " " 8
sntp unicast client enable
sntp unicast client poll
sntp server 192.168.2.242
ip telnet server
!
interface vlan 1
 ip address 192.168.1.4 255.255.255.0
!
interface vlan 3
 name Guest
 dot1x guest-vlan
!
interface vlan 4
 name kaoqin
!
interface vlan 11
 name si
!
interface vlan 16
 name IT
!
interface vlan 50
 name Registration
!
interface vlan 60
 name 

[PacketFence-users] Re: The switch(sg300) does not immediately respond to a pf client state change

2017-07-10 Thread ???????? via PacketFence-users
Hello Ludovic,
thank you for your help. Now the switch can change the response status immediately.
Security - TCP/UDP Services - SNMP Service needs to be selected.




------------------ Original message ------------------
From: "";
Sent: 2017-07-10 (Mon) 4:03
To: "Ludovic Zammit"; "packetfence-users";
Subject: Re: [PacketFence-users] The switch(sg300) does not immediately respond to a pf client state change



Hello Ludovic,
Now I have changed the switch config, but it still does not immediately respond from 
pf:
[192.168.1.4]
description=sg300-2f
isolationVlan=60
registrationVlan=50
SNMPVersionTrap=3
SNMPUserNameTrap=private
SNMPAuthProtocolWrite=MD5
SNMPUserNameWrite=private
SNMPUserNameRead=private
SNMPAuthPasswordWrite=password
SNMPAuthPasswordRead=password
SNMPAuthProtocolTrap=MD5
SNMPEngineID=80090300af1f6efe59
SNMPPrivProtocolWrite=DES
SNMPPrivPasswordWrite=password
SNMPAuthPasswordTrap=password
SNMPPrivProtocolTrap=DES
SNMPPrivPasswordTrap=password
SNMPAuthProtocolRead=MD5
guestVlan=3
deauthMethod=SNMP
cliAccess=Y
ExternalPortalEnforcement=Y
qkm-si-labVlan=13
qkm-engVlan=11
qkm-siVlan=11
qkm-swVlan=12
qkm-finVlan=14
QKM-itVlan=16
qkm-2fVlan=15
radiusSecret=useStrongerSecret
mode=production
type=Cisco::SG300
cliPwd=admin123456@
cliUser=admin
cliEnablePwd=admin123456@
useCoA=N



------------------ Original message ------------------
From: "Ludovic Zammit";
Sent: 2017-07-07 (Fri) 8:59
To: "packetfence-users";
Cc: "";
Subject: Re: [PacketFence-users] The switch(sg300) does not immediately respond to a pf client state change



Hello,

You have to put the deauth method to SNMP, you have set it to radius:


deauthMethod=RADIUS


CoA is not supported on that switch model. PF will try to bounce the 
port with an SNMP request (shut / no shut).
 
Thanks,
Ludovic Zammit lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca 
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



 
 
On Jul 7, 2017, at 3:40 AM, via PacketFence-users wrote:

Hello,
I configured sg300 switches and pf, but I found it is not immediately possible 
to update the client status change of pf. For example:
I never registered the status of computer A as registered, and computer A needs 
to wait half an hour before the status is changed to registered. This half hour is 
the time when the switch is revalidated ("dot1x timeout reauth-period 
1800"). How do you make pf's client status change effective immediately?
I have connected the computer to the gi20 port.
sg300 config as below:


switch6efe59#sh run
config-file-header
switch6efe59
v1.3.7.18 / R750_NIK_1_35_647_358
CLI v1.0
set system mode switch


file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
vlan 3-4,11,14-16,50,60
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone
voice vlan oui-table add 00036b Cisco_phone_
voice vlan oui-table add 00096e Avaya___
voice vlan oui-table add 000fe2 H3C_Aolynk__
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone__
dot1x system-auth-control
hostname switch6efe59
encrypted radius-server key W5K9BRLcbxfj5NDlu3nHTlw0kOXjaL3ElMEFpkCXTsT1iuchvICQaRjE9EKiEa+3
encrypted radius-server host 192.168.1.30 key W5K9BRLcbxfj5NDlu3nHTlw0kOXjaL3ElMEFpkCXTsT1iuchvICQaRjE9EKiEa+3 priority 3
aaa authentication login telnet local
aaa authentication login Console local radius
aaa authentication enable Console enable radius
aaa authentication dot1x default radius none
aaa accounting dot1x start-stop group radius
aaa accounting login start-stop group radius
line console
login authentication Console
enable authentication Console
password da39a3ee5e6b4b0d3255bfef95601890afd80709 encrypted
exit
username admin password encrypted 79a12a55b5d56faaef1a5a9ebccdf82fb637ae30 privilege 15
snmp-server engineID local 80090300af1f6efe59
snmp-server community useStrongerSecret rw 192.168.1.30 view Default
snmp-server host 192.168.1.30 traps version 2c useStrongerSecret
snmp-server host 192.168.1.30 version 3 auth private
snmp-server group readgroup v3 auth notify Default read Default
snmp-server group readgroup v3 priv notify Default read Default
snmp-server group writegroup v3 auth notify Default read Default write Default
snmp-server group writegroup v3 priv notify Default read Default write Default
encrypted snmp-server user public readgroup v3 auth md5 RTfVftohWzkj+bRMkALik3t+Q4iVSEEJ1VUolT4eOXk=
encrypted snmp-server user 

[PacketFence-users] why is my radius working? :-)

2017-07-10 Thread mj via PacketFence-users

ghehe :-)

Happy that after some fiddling with REALMS config, our 802.1x radius 
auth is working now, but I am seeing behaviour that I don't understand.


I have _only_ configured the "DEFAULT" realm and left LOCAL and NULL 
empty. (also created no new ones)


DEFAULT is configured with strip, OURDOMAIN and OUR-AD-COMPUTERS as 
user-source. Radius has been restarted.


Puzzling behaviour:
Why is packetfence also authenticating USERS for our active directory 
during Win7 client logons? Win7 is configured to use User or Computer 
authentication. Confirmed by tailing the radius logs during logons: 
first as computer, and after user logon the change to user.


How can this work with the configured usersource??

The source OUR-AD-COMPUTERS goes to CN=Computers,DC=ad,DC=company,DC=com 
with servicePrincipalName as username attribute. Scope: one-level.


With that usersource, I would expect only machine account 
authentications to work. But machines AND users (are in CN=Users,...) 
both work.


How can that be? Radiusd/radiusd-auth/radius-acct have been restarted 
from the packetfence GUI.


So, in my case things appear to work TOO well..? Can anyone explain? Do 
I need to restart more services?


MJ

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Machine authentication

2017-07-10 Thread Fabrice Durand via PacketFence-users
Your issue is with the DM_Machine_Auth_PDC source.

Verify that you are able to bind with this source.

Also you can use pftest.



On 2017-07-10 at 09:24, luca comes wrote:
>
> Hi Fabrice,
>
> yes I was checking the debug and I saw it. In the attached
> packetfence.log I can see ERROR: [mac:00:9c:02:92:ea:b0] Error binding
> 'Connection reset by peer' (pf::LDAP::bind) but the domain join is
> still working with wbinfo -u for example.
>
>
> Luca
>
>
> Sent from Outlook
>
>
>
>
> *From:* Fabrice Durand
> *Sent:* Monday 10 July 2017 15:06
> *To:* luca comes; packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] Machine authentication
>
>
> The machine authentication is ok this time.
>
> Do you have the packetfence.log for this device ?
>
>
>
> On 2017-07-10 at 08:58, luca comes wrote:
>>
>> Hello Fabrice,
>>
>> attached you can find radius debug file of the transaction.
>>
>>
>> Thanks
>>
>>
>> Luca
>>
>>
>> Sent from Outlook
>>
>>
>>
>>
>> *From:* Fabrice Durand
>> *Sent:* Monday 10 July 2017 14:48
>> *To:* luca comes; packetfence-users@lists.sourceforge.net
>> *Subject:* Re: [PacketFence-users] Machine authentication
>>
>>
>> Hello Luca,
>>
>> you need to have the realm to use the correct domain join.
>>
>>
>> Also what i need is the complete radius debug when you try machine
>> authentication.
>>
>> Regards
>>
>> Fabrice
>>
>>
>>
>> On 2017-07-10 at 08:45, luca comes wrote:
>>>
>>> Hi Fabrice,
>>>
>>> in this manner the error is not shown in radius.log but machine
>>> authentication is still not working. Also as in the preceding email the
>>> domain (DM) is correctly joined and tested with wbinfo. But if I try
>>> a radtest vs my domain I obtain an Access-Reject. Any suggestion on
>>> how to troubleshoot this problem? I would like to go in production
>>> but with those results I have to leave.
>>>
>>>
>>> Thanks
>>>
>>>
>>> Luca
>>>
>>>
>>> Sent from Outlook
>>>
>>>
>>>
>>>
>>> *From:* Fabrice Durand via PacketFence-users
>>>
>>> *Sent:* Monday 10 July 2017 14:23
>>> *To:* packetfence-users@lists.sourceforge.net
>>> *Cc:* Fabrice Durand
>>> *Subject:* Re: [PacketFence-users] Machine authentication
>>>
>>>
>>> Hello Luca,
>>>
>>> add a realm dm.loc and assign it to your domain and restart radius.
>>>
>>> Regards
>>>
>>> Fabrice
>>>
>>>
>>>
>>> On 2017-07-10 at 05:58, luca comes via PacketFence-users wrote:

 I've found this error in radius.log


 ERROR: mschap_machine: Program returned code (1) and output
 'Reading winbind reply failed! (0xc00
 1)'


 But the domain is working fine, how can I solve this?


 Luca


 Sent from Outlook



 
 *From:* luca comes via PacketFence-users
 
 *Sent:* Monday 10 July 2017 11:42
 *To:* packetfence-users@lists.sourceforge.net
 *Cc:* luca comes
 *Subject:* Re: [PacketFence-users] Machine authentication
  

 Hi all,

 any suggestion? I don't know what to check; the domain is correctly
 configured and the tests are fine (wbinfo -u etc.). I added my domain to
 the LOCAL realm as per Antoine's mail but it still doesn't work.


 Thanks for your help


 Luca


 Sent from Outlook



 
 *From:* luca comes via PacketFence-users
 
 *Sent:* Friday 7 July 2017 17:40
 *To:* packetfence-users@lists.sourceforge.net
 *Cc:* luca comes
 *Subject:* Re: [PacketFence-users] Machine authentication
  

 Hi Antoine,

 thank you for your answer, unfortunately it doesn't work. Same
 behavior as before, any other suggestion?


 Luca


 Sent from Outlook



 
 *From:* Antoine Amacher via PacketFence-users
 
 *Sent:* Friday 7 July 2017 17:20
 *To:* packetfence-users@lists.sourceforge.net
 *Cc:* Antoine Amacher
 *Subject:* Re: [PacketFence-users] Machine authentication
  

 Lucas,


 Map the domain on which they should authenticate with the REALM LOCAL.


 In configuration -> policies and access control -> realms


 Thanks



Re: [PacketFence-users] Machine authentication

2017-07-10 Thread luca comes via PacketFence-users
Hi Fabrice,

yes I was checking the debug and I saw it. In the attached packetfence.log I 
can see ERROR: [mac:00:9c:02:92:ea:b0] Error binding 'Connection reset by peer' 
(pf::LDAP::bind) but the domain join is still working with wbinfo -u for example.


Luca


Sent from Outlook



From: Fabrice Durand 
Sent: Monday 10 July 2017 15:06
To: luca comes; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Machine authentication


The machine authentication is ok this time.

Do you have the packetfence.log for this device ?


On 2017-07-10 at 08:58, luca comes wrote:

Hello Fabrice,

attached you can find radius debug file of the transaction.


Thanks


Luca


Sent from Outlook



From: Fabrice Durand 
Sent: Monday 10 July 2017 14:48
To: luca comes; 
packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Machine authentication


Hello Luca,

you need to have the realm to use the correct domain join.


Also what i need is the complete radius debug when you try machine 
authentication.

Regards

Fabrice


On 2017-07-10 at 08:45, luca comes wrote:

Hi Fabrice,

in this manner the error is not shown in radius.log but machine authentication 
is still not working. Also as in the preceding email the domain (DM) is correctly 
joined and tested with wbinfo. But if I try a radtest vs my domain I obtain an 
Access-Reject. Any suggestion on how to troubleshoot this problem? I would like 
to go in production but with those results I have to leave.


Thanks


Luca


Sent from Outlook



From: Fabrice Durand via PacketFence-users 

Sent: Monday 10 July 2017 14:23
To: 
packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand
Subject: Re: [PacketFence-users] Machine authentication


Hello Luca,

add a realm dm.loc and assign it to your domain and restart radius.

Regards

Fabrice


On 2017-07-10 at 05:58, luca comes via PacketFence-users wrote:

I've found this error in radius.log


ERROR: mschap_machine: Program returned code (1) and output 'Reading winbind 
reply failed! (0xc00
1)'


But the domain is working fine, how can I solve this?


Luca


Sent from Outlook



From: luca comes via PacketFence-users 

Sent: Monday 10 July 2017 11:42
To: 
packetfence-users@lists.sourceforge.net
Cc: luca comes
Subject: Re: [PacketFence-users] Machine authentication


Hi all,

any suggestion? I don't know what to check; the domain is correctly configured and the 
tests are fine (wbinfo -u etc.). I added my domain to the LOCAL realm as per 
Antoine's mail but it still doesn't work.


Thanks for your help


Luca


Sent from Outlook



From: luca comes via PacketFence-users 

Sent: Friday 7 July 2017 17:40
To: 
packetfence-users@lists.sourceforge.net
Cc: luca comes
Subject: Re: [PacketFence-users] Machine authentication


Hi Antoine,

thank you for your answer, unfortunately it doesn't work. Same behavior as 
before, any other suggestion?


Luca


Sent from Outlook



From: Antoine Amacher via PacketFence-users 

Sent: Friday 7 July 2017 17:20
To: 
packetfence-users@lists.sourceforge.net
Cc: Antoine Amacher
Subject: Re: [PacketFence-users] Machine authentication


Lucas,


Map the domain on which they should authenticate with the REALM LOCAL.


In configuration -> policies and access control -> realms


Thanks

On 07/07/2017 11:15 AM, luca comes via PacketFence-users wrote:

Hi all,

I'm trying to do machine authentication vs Windows AD but it doesn't work. I've 
created the domain and the realm but in the radius debug log I can see that it 
is not catching the correct realm:



(20) Fri Jul  7 16:29:45 2017: Debug: Received Access-Request Id 103 from 
10.10.10.4:1645 to 172.27.17.5:1812 length 226
(20) Fri Jul  7 16:29:45 2017: Debug:   User-Name = "host/LAB3-NB.dm.loc"
(20) Fri Jul  7 16:29:45 2017: Debug:   Service-Type = Framed-User
(20) Fri Jul  7 16:29:45 2017: Debug:   Framed-MTU = 1500
(20) Fri Jul  7 16:29:45 2017: Debug:   Called-Station-Id = "00-22-91-6F-B8-81"
(20) Fri Jul  7 16:29:45 

Re: [PacketFence-users] Machine authentication

2017-07-10 Thread Fabrice Durand via PacketFence-users
The machine authentication is ok this time.

Do you have the packetfence.log for this device ?



On 2017-07-10 at 08:58, luca comes wrote:
>
> Hello Fabrice,
>
> attached you can find radius debug file of the transaction.
>
>
> Thanks
>
>
> Luca
>
>
> Sent from Outlook
>
>
>
>
> *From:* Fabrice Durand
> *Sent:* Monday 10 July 2017 14:48
> *To:* luca comes; packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] Machine authentication
>
>
> Hello Luca,
>
> you need to have the realm to use the correct domain join.
>
>
> Also what i need is the complete radius debug when you try machine
> authentication.
>
> Regards
>
> Fabrice
>
>
>
> On 2017-07-10 at 08:45, luca comes wrote:
>>
>> Hi Fabrice,
>>
>> in this manner the error is not shown in radius.log but machine
>> authentication is still not working. Also as in the preceding email the
>> domain (DM) is correctly joined and tested with wbinfo. But if I try
>> a radtest vs my domain I obtain an Access-Reject. Any suggestion on
>> how to troubleshoot this problem? I would like to go in production
>> but with those results I have to leave.
>>
>>
>> Thanks
>>
>>
>> Luca
>>
>>
>> Sent from Outlook
>>
>>
>>
>>
>> *From:* Fabrice Durand via PacketFence-users
>>
>> *Sent:* Monday 10 July 2017 14:23
>> *To:* packetfence-users@lists.sourceforge.net
>> *Cc:* Fabrice Durand
>> *Subject:* Re: [PacketFence-users] Machine authentication
>>
>>
>> Hello Luca,
>>
>> add a realm dm.loc and assign it to your domain and restart radius.
>>
>> Regards
>>
>> Fabrice
>>
>>
>>
>> On 2017-07-10 at 05:58, luca comes via PacketFence-users wrote:
>>>
>>> I've found this error in radius.log
>>>
>>>
>>> ERROR: mschap_machine: Program returned code (1) and output 'Reading
>>> winbind reply failed! (0xc00
>>> 1)'
>>>
>>>
>>> But the domain is working fine, how can I solve this?
>>>
>>>
>>> Luca
>>>
>>>
>>> Sent from Outlook
>>>
>>>
>>>
>>>
>>> *From:* luca comes via PacketFence-users
>>>
>>> *Sent:* Monday 10 July 2017 11:42
>>> *To:* packetfence-users@lists.sourceforge.net
>>> *Cc:* luca comes
>>> *Subject:* Re: [PacketFence-users] Machine authentication
>>>
>>>
>>> Hi all,
>>>
>>> any suggestion? I don't know what to check; the domain is correctly
>>> configured and the tests are fine (wbinfo -u etc.). I added my domain to
>>> the LOCAL realm as per Antoine's mail but it still doesn't work.
>>>
>>>
>>> Thanks for your help
>>>
>>>
>>> Luca
>>>
>>>
>>> Sent from Outlook
>>>
>>>
>>>
>>>
>>> *From:* luca comes via PacketFence-users
>>>
>>> *Sent:* Friday 7 July 2017 17:40
>>> *To:* packetfence-users@lists.sourceforge.net
>>> *Cc:* luca comes
>>> *Subject:* Re: [PacketFence-users] Machine authentication
>>>
>>>
>>> Hi Antoine,
>>>
>>> thank you for your answer, unfortunately it doesn't work. Same
>>> behavior as before, any other suggestion?
>>>
>>>
>>> Luca
>>>
>>>
>>> Sent from Outlook
>>>
>>>
>>>
>>>
>>> *From:* Antoine Amacher via PacketFence-users
>>>
>>> *Sent:* Friday 7 July 2017 17:20
>>> *To:* packetfence-users@lists.sourceforge.net
>>> *Cc:* Antoine Amacher
>>> *Subject:* Re: [PacketFence-users] Machine authentication
>>>
>>>
>>> Lucas,
>>>
>>>
>>> Map the domain on which they should authenticate with the REALM LOCAL.
>>>
>>>
>>> In configuration -> policies and access control -> realms
>>>
>>>
>>> Thanks
>>>
>>>
>>> On 07/07/2017 11:15 AM, luca comes via PacketFence-users wrote:

 Hi all,

 I'm trying to do machine authentication vs Windows AD but it
 doesn't work. I've created the domain and the realm but in the
 radius debug log I can see that it is not catching the correct realm:



 (20) Fri Jul  7 16:29:45 2017: Debug: Received Access-Request Id
 103 from 10.10.10.4:1645 to 172.27.17.5:1812 length 226
 (20) Fri Jul  7 16:29:45 2017: Debug:   User-Name =
 "host/LAB3-NB.dm.loc"
 (20) Fri Jul  7 16:29:45 2017: Debug:   Service-Type = Framed-User
 (20) Fri Jul  7 16:29:45 2017: Debug:   Framed-MTU = 1500
 (20) Fri Jul  7 16:29:45 2017: Debug:   Called-Station-Id =
 "00-22-91-6F-B8-81"
 (20) Fri Jul  7 16:29:45 2017: Debug:   Calling-Station-Id =
 "00-9C-02-92-EA-B0"
 (20) Fri Jul  7 16:29:45 2017: Debug:   EAP-Message =
 0x0201001801686f73742f4c4142332d4e422e646d2e6c6f63
 (20) 

Re: [PacketFence-users] Machine authentication

2017-07-10 Thread Fabrice Durand via PacketFence-users
Hello Luca,

you need to have the realm to use the correct domain join.


Also what i need is the complete radius debug when you try machine
authentication.

Regards

Fabrice



On 2017-07-10 at 08:45, luca comes wrote:
>
> Hi Fabrice,
>
> in this manner the error is not shown in radius.log but machine
> authentication is still not working. Also as in the preceding email the
> domain (DM) is correctly joined and tested with wbinfo. But if I try a
> radtest vs my domain I obtain an Access-Reject. Any suggestion on how
> to troubleshoot this problem? I would like to go in production but
> with those results I have to leave.
>
>
> Thanks
>
>
> Luca
>
>
> Sent from Outlook
>
>
>
>
> *From:* Fabrice Durand via PacketFence-users
>
> *Sent:* Monday 10 July 2017 14:23
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Fabrice Durand
> *Subject:* Re: [PacketFence-users] Machine authentication
>
>
> Hello Luca,
>
> add a realm dm.loc and assign it to your domain and restart radius.
>
> Regards
>
> Fabrice
>
>
>
> On 2017-07-10 at 05:58, luca comes via PacketFence-users wrote:
>>
>> I've found this error in radius.log
>>
>>
>> ERROR: mschap_machine: Program returned code (1) and output 'Reading
>> winbind reply failed! (0xc00
>> 1)'
>>
>>
>> But the domain is working fine, how can I solve this?
>>
>>
>> Luca
>>
>>
>> Sent from Outlook
>>
>>
>>
>>
>> *From:* luca comes via PacketFence-users
>>
>> *Sent:* Monday 10 July 2017 11:42
>> *To:* packetfence-users@lists.sourceforge.net
>> *Cc:* luca comes
>> *Subject:* Re: [PacketFence-users] Machine authentication
>>
>>
>> Hi all,
>>
>> any suggestion? I don't know what to check; the domain is correctly
>> configured and the tests are fine (wbinfo -u etc.). I added my domain to
>> the LOCAL realm as per Antoine's mail but it still doesn't work.
>>
>>
>> Thanks for your help
>>
>>
>> Luca
>>
>>
>> Sent from Outlook
>>
>>
>>
>>
>> *From:* luca comes via PacketFence-users
>>
>> *Sent:* Friday 7 July 2017 17:40
>> *To:* packetfence-users@lists.sourceforge.net
>> *Cc:* luca comes
>> *Subject:* Re: [PacketFence-users] Machine authentication
>>
>>
>> Hi Antoine,
>>
>> thank you for your answer, unfortunately it doesn't work. Same
>> behavior as before, any other suggestion?
>>
>>
>> Luca
>>
>>
>> Sent from Outlook
>>
>>
>>
>>
>> *From:* Antoine Amacher via PacketFence-users
>>
>> *Sent:* Friday 7 July 2017 17:20
>> *To:* packetfence-users@lists.sourceforge.net
>> *Cc:* Antoine Amacher
>> *Subject:* Re: [PacketFence-users] Machine authentication
>>
>>
>> Lucas,
>>
>>
>> Map the domain on which they should authenticate with the REALM LOCAL.
>>
>>
>> In configuration -> policies and access control -> realms
>>
>>
>> Thanks
>>
>>
>> On 07/07/2017 11:15 AM, luca comes via PacketFence-users wrote:
>>>
>>> Hi all,
>>>
>>> I'm trying to do machine authentication vs Windows AD but it doesn't
>>> work. I've created the domain and the realm but in the radius debug
>>> log I can see that it is not catching the correct realm:
>>>
>>>
>>>
>>> (20) Fri Jul  7 16:29:45 2017: Debug: Received Access-Request Id 103
>>> from 10.10.10.4:1645 to 172.27.17.5:1812 length 226
>>> (20) Fri Jul  7 16:29:45 2017: Debug:   User-Name =
>>> "host/LAB3-NB.dm.loc"
>>> (20) Fri Jul  7 16:29:45 2017: Debug:   Service-Type = Framed-User
>>> (20) Fri Jul  7 16:29:45 2017: Debug:   Framed-MTU = 1500
>>> (20) Fri Jul  7 16:29:45 2017: Debug:   Called-Station-Id =
>>> "00-22-91-6F-B8-81"
>>> (20) Fri Jul  7 16:29:45 2017: Debug:   Calling-Station-Id =
>>> "00-9C-02-92-EA-B0"
>>> (20) Fri Jul  7 16:29:45 2017: Debug:   EAP-Message =
>>> 0x0201001801686f73742f4c4142332d4e422e646d2e6c6f63
>>> (20) Fri Jul  7 16:29:45 2017: Debug:   Message-Authenticator =
>>> 0xcf9553149f5c843907b87d3758e0b7d8
>>> (20) Fri Jul  7 16:29:45 2017: Debug:   Cisco-AVPair =
>>> "audit-session-id=0A0A0A0400DEBBDF4BBE"
>>> (20) Fri Jul  7 16:29:45 2017: Debug:   NAS-Port-Type = Ethernet
>>> (20) Fri Jul  7 16:29:45 2017: Debug:   NAS-Port = 50101
>>> (20) Fri Jul  7 16:29:45 2017: Debug:   NAS-Port-Id =
>>> "GigabitEthernet1/0/1"
>>> (20) Fri Jul  7 16:29:45 2017: Debug:   NAS-IP-Address = 10.10.10.4
>>> 
>>>
>>> 
>>>
>>> (20) Fri Jul  7 16:29:46 2017: Debug: suffix: Checking for suffix
>>> after "@"
>>> (20) Fri Jul  7 16:29:46 2017: Debug: suffix: No '@' in User-Name =
>>> "host/LAB3-NB.dm.loc", skipping NULL due to config.
>>> (20) Fri Jul  7 16:29:46 2017: 

Re: [PacketFence-users] Machine authentication

2017-07-10 Thread luca comes via PacketFence-users
Hi Fabrice,

in this manner the error is not shown in radius.log but machine authentication 
is still not working. Also as in the preceding email the domain (DM) is correctly 
joined and tested with wbinfo. But if I try a radtest vs my domain I obtain an 
Access-Reject. Any suggestion on how to troubleshoot this problem? I would like 
to go in production but with those results I have to leave.


Thanks


Luca


Sent from Outlook



From: Fabrice Durand via PacketFence-users 

Sent: Monday 10 July 2017 14:23
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand
Subject: Re: [PacketFence-users] Machine authentication


Hello Luca,

add a realm dm.loc and assign it to your domain and restart radius.

Regards

Fabrice


On 2017-07-10 at 05:58, luca comes via PacketFence-users wrote:

I've found this error in radius.log


ERROR: mschap_machine: Program returned code (1) and output 'Reading winbind 
reply failed! (0xc00
1)'


But the domain is working fine, how can I solve this?


Luca


Sent from Outlook



From: luca comes via PacketFence-users 

Sent: Monday 10 July 2017 11:42
To: 
packetfence-users@lists.sourceforge.net
Cc: luca comes
Subject: Re: [PacketFence-users] Machine authentication


Hi all,

any suggestion? I don't know what to check; the domain is correctly configured and the 
tests are fine (wbinfo -u etc.). I added my domain to the LOCAL realm as per 
Antoine's mail but it still doesn't work.


Thanks for your help


Luca


Sent from Outlook



From: luca comes via PacketFence-users 

Sent: Friday 7 July 2017 17:40
To: 
packetfence-users@lists.sourceforge.net
Cc: luca comes
Subject: Re: [PacketFence-users] Machine authentication


Hi Antoine,

thank you for your answer, unfortunately it doesn't work. Same behavior as 
before, any other suggestion?


Luca


Sent from Outlook



From: Antoine Amacher via PacketFence-users 

Sent: Friday 7 July 2017 17:20
To: 
packetfence-users@lists.sourceforge.net
Cc: Antoine Amacher
Subject: Re: [PacketFence-users] Machine authentication


Lucas,


Map the domain on which they should authenticate with the REALM LOCAL.


In configuration -> policies and access control -> realms


Thanks

On 07/07/2017 11:15 AM, luca comes via PacketFence-users wrote:

Hi all,

I'm trying to do machine authentication vs Windows AD but it doesn't work. I've 
created the domain and the realm but in the radius debug log I can see that it 
is not catching the correct realm:



(20) Fri Jul  7 16:29:45 2017: Debug: Received Access-Request Id 103 from 
10.10.10.4:1645 to 172.27.17.5:1812 length 226
(20) Fri Jul  7 16:29:45 2017: Debug:   User-Name = "host/LAB3-NB.dm.loc"
(20) Fri Jul  7 16:29:45 2017: Debug:   Service-Type = Framed-User
(20) Fri Jul  7 16:29:45 2017: Debug:   Framed-MTU = 1500
(20) Fri Jul  7 16:29:45 2017: Debug:   Called-Station-Id = "00-22-91-6F-B8-81"
(20) Fri Jul  7 16:29:45 2017: Debug:   Calling-Station-Id = "00-9C-02-92-EA-B0"
(20) Fri Jul  7 16:29:45 2017: Debug:   EAP-Message = 
0x0201001801686f73742f4c4142332d4e422e646d2e6c6f63
(20) Fri Jul  7 16:29:45 2017: Debug:   Message-Authenticator = 
0xcf9553149f5c843907b87d3758e0b7d8
(20) Fri Jul  7 16:29:45 2017: Debug:   Cisco-AVPair = 
"audit-session-id=0A0A0A0400DEBBDF4BBE"
(20) Fri Jul  7 16:29:45 2017: Debug:   NAS-Port-Type = Ethernet
(20) Fri Jul  7 16:29:45 2017: Debug:   NAS-Port = 50101
(20) Fri Jul  7 16:29:45 2017: Debug:   NAS-Port-Id = "GigabitEthernet1/0/1"
(20) Fri Jul  7 16:29:45 2017: Debug:   NAS-IP-Address = 10.10.10.4




(20) Fri Jul  7 16:29:46 2017: Debug: suffix: Checking for suffix after "@"
(20) Fri Jul  7 16:29:46 2017: Debug: suffix: No '@' in User-Name = 
"host/LAB3-NB.dm.loc", skipping NULL due to config.
(20) Fri Jul  7 16:29:46 2017: Debug: [suffix] = noop
(20) Fri Jul  7 16:29:46 2017: Debug: ntdomain: Checking for prefix before "\"
(20) Fri Jul  7 16:29:46 2017: Debug: ntdomain: No '\' in User-Name = 
"host/LAB3-NB.dm.loc", looking up realm NULL
(20) Fri Jul  7 16:29:46 2017: Debug: ntdomain: Found realm "null"
(20) Fri Jul  7 16:29:46 2017: Debug: ntdomain: Adding Stripped-User-Name = 
"host/LAB3-NB.dm.loc"
(20) Fri Jul  7 16:29:46 2017: Debug: ntdomain: Adding Realm = "null"
(20) Fri Jul  7 16:29:46 2017: Debug: ntdomain: Authentication realm is LOCAL
(20) Fri Jul  7 16:29:46 2017: 
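The suffix and ntdomain lines in the debug above are the whole story of why the machine account lands in LOCAL: the name "host/LAB3-NB.dm.loc" contains neither an "@" nor a "\", so the suffix instance skips it ("skipping NULL due to config") and the ntdomain instance falls back to the NULL realm, which PacketFence authenticates locally. The Python model below is added here as an illustration and is not code from PacketFence or FreeRADIUS; it reproduces that decision for the quoted User-Name and for two other name forms (user@realm and DOMAIN\user) that would have matched a dm.loc realm. The realm table, the "dm" alias and the extra sample names are constructed for the example.

```python
"""Model of FreeRADIUS realm detection for the User-Name in the debug above.

Added example, not code from PacketFence or FreeRADIUS.  It mimics what the
'suffix' and 'ntdomain' instances of rlm_realm log in the quoted debug output:
suffix looks for '@', ntdomain looks for '\\', and a name with neither falls
into realm NULL, which PacketFence handles as LOCAL.  The realm table below is
constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class RealmResult:
    module: str         # 'suffix', 'ntdomain' or 'none' (no module matched)
    realm: str          # realm name that was found ('null' when no delimiter)
    stripped_user: str  # Stripped-User-Name the module would add
    auth_realm: str     # authentication target of that realm


# Constructed realm table: keys are lower-cased realm names, values the auth
# target.  'dm.loc' and 'dm' model the realm Fabrice tells Luca to add for the
# dm.loc domain; 'null' is the built-in realm that authenticates LOCALly.
REALMS: Dict[str, str] = {
    "null": "LOCAL",
    "dm.loc": "dm.loc",
    "dm": "dm.loc",
}


def _lookup(realm: str, user: str, module: str, realms) -> Optional[RealmResult]:
    target = realms.get(realm.lower())
    if target is None:
        return None   # unknown realm: the module returns noop, User-Name untouched
    return RealmResult(module, realm.lower(), user, target)


def suffix_module(user_name: str, realms=REALMS, ignore_null=True) -> Optional[RealmResult]:
    """rlm_realm 'suffix' instance: the realm is the text after the last '@'.

    With ignore_null (what the debug reports as 'skipping NULL due to
    config'), a name without '@' is left for the next module.
    """
    if "@" not in user_name:
        if ignore_null:
            return None
        return _lookup("null", user_name, "suffix", realms)
    user, realm = user_name.rsplit("@", 1)
    return _lookup(realm, user, "suffix", realms)


def ntdomain_module(user_name: str, realms=REALMS) -> Optional[RealmResult]:
    """rlm_realm 'ntdomain' instance: the realm is the text before the first '\\'.

    A name without '\\' looks up realm NULL, which is how the machine account
    'host/LAB3-NB.dm.loc' ended up with Realm = "null" and auth realm LOCAL.
    """
    if "\\" not in user_name:
        return _lookup("null", user_name, "ntdomain", realms)
    realm, user = user_name.split("\\", 1)
    return _lookup(realm, user, "ntdomain", realms)


def detect_realm(user_name: str, realms=REALMS) -> RealmResult:
    """Run the modules in the order the debug shows: suffix, then ntdomain."""
    for module in (suffix_module, ntdomain_module):
        result = module(user_name, realms)
        if result is not None:
            return result
    return RealmResult("none", "", user_name, "")


USER_NAME_RE = re.compile(r'User-Name = "([^"]*)"')


def parse_user_name(debug_text: str) -> Optional[str]:
    """Pull the first User-Name attribute out of a radiusd -X style dump."""
    m = USER_NAME_RE.search(debug_text)
    return m.group(1) if m else None


# Two lines of the debug from the thread, embedded so the example runs offline.
SAMPLE_DEBUG = """\
(20) Fri Jul  7 16:29:45 2017: Debug: Received Access-Request Id 103 from 10.10.10.4:1645 to 172.27.17.5:1812 length 226
(20) Fri Jul  7 16:29:45 2017: Debug:   User-Name = "host/LAB3-NB.dm.loc"
"""

if __name__ == "__main__":
    name = parse_user_name(SAMPLE_DEBUG)
    # The last two names are constructed; they show the forms that would match.
    for candidate in (name, "LAB3-NB$@dm.loc", "DM\\LAB3-NB$"):
        r = detect_realm(candidate)
        print(f"{candidate!r:28} -> module={r.module:8} realm={r.realm!r:10} "
              f"stripped={r.stripped_user!r} auth={r.auth_realm}")
```

The model deliberately keeps the NULL realm in the table: as in the debug, an unknown "@" suffix still ends up in NULL/LOCAL through ntdomain, so a realm that is missing from the configuration is not rejected but silently authenticated locally, which is why the advice in this thread is to add the realm for the domain explicitly.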

Re: [PacketFence-users] Machine authentication

2017-07-10 Thread luca comes via PacketFence-users
Hi MJ,

yes the same as you, and I can't find a solution. I don't know if the messages 
are related to the host authentication not working.


Luca


Sent from Outlook



From: mj via PacketFence-users 
Sent: Monday 10 July 2017 14:22
To: packetfence-users@lists.sourceforge.net
Cc: mj
Subject: Re: [PacketFence-users] Machine authentication

Just to say that I am following this thread with interest, as I
currently have the same issue on my (debian8) install.

GUI says: domain join OK

Also, in CLI, I can do:
root@pf:/chroots/DOMAIN/etc/samba# chroot /chroots/DOMAIN ntlm_auth
--username=testuser
Password:
NT_STATUS_OK: Success (0x0)

But doing radtest in cli/chroot gives:
root@pf:/chroots/DOMAIN/etc/samba# chroot /chroots/DOMAIN radtest -t
mschap -x testuser testpasswd localhost:18120 12 testing123
Sent Access-Request Id 55 from 0.0.0.0:55804 to 127.0.0.1:18120 length 133
User-Name = "testuser"
MS-CHAP-Password = "testpasswd"
NAS-IP-Address = 192.x.y.z (=packetfence ip)
NAS-Port = 12
Message-Authenticator = 0x00
Cleartext-Password = "testpasswd"
MS-CHAP-Challenge = 0x91acda8016
MS-CHAP-Response =
0x0001b8b70be9c9dee2a5298cd8cf1b3
Received Access-Reject Id 55 from 127.0.0.1:18120 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject

and during radtest the following is logged in radius.log:
Jul 10 14:13:31 pf auth[15670]: (283) Rejected in post-auth: [testuser]
(from client localhost port 12)
Jul 10 14:14:06 pf auth[15670]: (284) rest: ERROR: Server returned:
Jul 10 14:14:06 pf auth[15670]: (284) rest: ERROR: {"Reply-Message":"CLI
Access is not allowed by PacketFence on this
switch","control:PacketFence-Authorization-Status":"allow"}

Are you seeing this same message about CLI access?

MJ

On 07/10/2017 11:58 AM, luca comes via PacketFence-users wrote:
> I've found this error in radius.log
>
>
> ERROR: mschap_machine: Program returned code (1) and output 'Reading
> winbind reply failed! (0xc00
> 1)'
>
>
> But the domain is working fine, how can I solve this?
>
>
> Luca
>
>
> Sent from Outlook
>
>
>
>
> *From:* luca comes via PacketFence-users
>
> *Sent:* Monday 10 July 2017 11:42
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* luca comes
> *Subject:* Re: [PacketFence-users] Machine authentication
>
> Hi all,
>
> any suggestion? I don't know what to check; the domain is correctly configured
> and the tests are fine (wbinfo -u etc.). I added my domain to the LOCAL realm
> as per Antoine's mail but it still doesn't work.
>
>
> Thanks for your help
>
>
> Luca
>
>
> Sent from Outlook
>
>
>
>
> *From:* luca comes via PacketFence-users
>
> *Sent:* Friday 7 July 2017 17:40
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* luca comes
> *Subject:* Re: [PacketFence-users] Machine authentication
>
> Hi Antoine,
>
> thank you for your answer, unfortunately it doesn't work. Same behavior
> as before, any other suggestion?
>
>
> Luca
>
>
> Sent from Outlook
>
>
>
>
> *From:* Antoine Amacher via PacketFence-users
>
> *Sent:* Friday 7 July 2017 17:20
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Antoine Amacher
> *Subject:* Re: [PacketFence-users] Machine authentication
>
> Lucas,
>
>
> Map the domain on which they should authenticate with the REALM LOCAL.
>
>
> In configuration -> policies and access control -> realms
>
>
> Thanks
>
>
> On 07/07/2017 11:15 AM, luca comes via PacketFence-users wrote:
>>
>> Hi all,
>>
>> I'm trying to do machine authentication vs Windows AD but it doesn't
>> work. I've created the domain and the realm but in the radius debug
>> log I can see that it is not catching the correct realm:
>>
>>
>>
>> (20) Fri Jul  7 16:29:45 2017: Debug: Received Access-Request Id 103
>> from 10.10.10.4:1645 to 172.27.17.5:1812 length 226
>> (20) Fri Jul  7 16:29:45 2017: Debug:   User-Name = "host/LAB3-NB.dm.loc"
>> (20) Fri Jul  7 16:29:45 2017: Debug:   Service-Type = Framed-User
>> (20) Fri Jul  7 16:29:45 2017: Debug:   Framed-MTU = 1500
>> (20) Fri Jul  7 16:29:45 2017: Debug:   Called-Station-Id =
>> "00-22-91-6F-B8-81"
>> (20) Fri Jul  7 16:29:45 2017: Debug:   Calling-Station-Id =
>> "00-9C-02-92-EA-B0"
>> (20) Fri Jul  7 16:29:45 2017: Debug:   EAP-Message =
>> 0x0201001801686f73742f4c4142332d4e422e646d2e6c6f63
>> (20) Fri Jul  7 16:29:45 2017: Debug:   Message-Authenticator =
>> 0xcf9553149f5c843907b87d3758e0b7d8
>> (20) Fri 
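MJ's radius.log excerpt, quoted in the message above, carries two separate facts per FreeRADIUS request id: a post-auth reject for (283), and for (284) the JSON body that PacketFence's REST endpoint returned, whose Reply-Message says the request was handled as a CLI login to the switch even though the authorization status is "allow". The script below is an added example, not PacketFence code; it parses lines of that shape by request id and decodes the REST body so the two facts can be read side by side. The sample lines are the ones from the post, with the JSON that the mail client wrapped rejoined onto one line as it appears in the real file.

```python
"""Triage of radius.log lines of the shape MJ posted (added example).

Not PacketFence code.  Groups radius.log lines by FreeRADIUS request id,
records post-auth rejects, and decodes the JSON body that the 'rest' module
logged when PacketFence answered the request.
"""
import json
import re
from collections import defaultdict
from typing import Dict, List

# Sample lines copied from the post above; the JSON reply was wrapped by the
# mail client and is rejoined here onto one line, as it is in a real log.
SAMPLE_LOG = """\
Jul 10 14:13:31 pf auth[15670]: (283) Rejected in post-auth: [testuser] (from client localhost port 12)
Jul 10 14:14:06 pf auth[15670]: (284) rest: ERROR: Server returned:
Jul 10 14:14:06 pf auth[15670]: (284) rest: ERROR: {"Reply-Message":"CLI Access is not allowed by PacketFence on this switch","control:PacketFence-Authorization-Status":"allow"}
"""

# syslog prefix, process[pid], then the "(N)" request id FreeRADIUS prepends
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: \((?P<req>\d+)\) (?P<msg>.*)$"
)
REJECT_RE = re.compile(
    r"^Rejected in post-auth: \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)\)$"
)
REST_RE = re.compile(r"^rest: ERROR: (?P<body>.*)$")


def _new_entry() -> dict:
    return {"rejected": False, "user": None, "client": None, "port": None,
            "rest_reply": None}


def parse_radius_log(text: str) -> Dict[int, dict]:
    """Return one record per request id with what the log said about it."""
    requests: Dict[int, dict] = defaultdict(_new_entry)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue          # not a radiusd line, or a shape we do not model
        entry = requests[int(m["req"])]
        msg = m["msg"]
        r = REJECT_RE.match(msg)
        if r:
            entry.update(rejected=True, user=r["user"],
                         client=r["client"], port=int(r["port"]))
            continue
        r = REST_RE.match(msg)
        if r and r["body"].lstrip().startswith("{"):
            try:
                entry["rest_reply"] = json.loads(r["body"])
            except json.JSONDecodeError:
                pass          # truncated or still-wrapped body: keep going
    return dict(requests)


def triage(text: str) -> List[str]:
    """One finding string per fact, in request-id order."""
    findings: List[str] = []
    for req, e in sorted(parse_radius_log(text).items()):
        if e["rejected"]:
            findings.append(f"({req}) rejected in post-auth for {e['user']!r} "
                            f"from {e['client']} port {e['port']}")
        reply = e["rest_reply"]
        if reply:
            status = reply.get("control:PacketFence-Authorization-Status")
            message = reply.get("Reply-Message", "")
            note = ""
            if status == "allow" and message.startswith("CLI Access"):
                note = " (PacketFence evaluated this as a CLI login to the switch)"
            findings.append(f"({req}) PacketFence status={status!r} "
                            f"reply={message!r}{note}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the sample it yields one line for (283) and one for (284). The second is the one worth noticing in MJ's situation: a plain radtest with MS-CHAP to port 18120 is not an EAP request from a NAS, so PacketFence answering it through its CLI-access logic is consistent with the Reply-Message, and it explains why the reply text talks about switch CLI access rather than about the domain.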

Re: [PacketFence-users] Machine authentication

2017-07-10 Thread Fabrice Durand via PacketFence-users
Hello Luca,

add a realm dm.loc and assign it to your domain and restart radius.

Regards

Fabrice



On 2017-07-10 at 05:58, luca comes via PacketFence-users wrote:
>
> I've found this error in radius.log
>
>
> ERROR: mschap_machine: Program returned code (1) and output 'Reading
> winbind reply failed! (0xc00
> 1)'
>
>
> But the domain is working fine, how can I solve this?
>
>
> Luca
>
>
> Sent from Outlook
>
>
>
>
> *From:* luca comes via PacketFence-users
>
> *Sent:* Monday 10 July 2017 11:42
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* luca comes
> *Subject:* Re: [PacketFence-users] Machine authentication
>
>
> Hi all,
>
> any suggestion? I don't know what to check; the domain is correctly
> configured and the tests are fine (wbinfo -u etc.). I added my domain to
> the LOCAL realm as per Antoine's mail but it still doesn't work.
>
>
> Thanks for your help
>
>
> Luca
>
>
> Sent from Outlook
>
>
>
>
> *From:* luca comes via PacketFence-users
>
> *Sent:* Friday 7 July 2017 17:40
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* luca comes
> *Subject:* Re: [PacketFence-users] Machine authentication
>
>
> Hi Antoine,
>
> thank you for your answer, unfortunately it doesn't work. Same
> behavior as before, any other suggestion?
>
>
> Luca
>
>
> Sent from Outlook
>
>
>
>
> *From:* Antoine Amacher via PacketFence-users
>
> *Sent:* Friday 7 July 2017 17:20
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Antoine Amacher
> *Subject:* Re: [PacketFence-users] Machine authentication
>
>
> Lucas,
>
>
> Map the domain on which they should authenticate with the REALM LOCAL.
>
>
> In configuration -> policies and access control -> realms
>
>
> Thanks
>
>
> On 07/07/2017 11:15 AM, luca comes via PacketFence-users wrote:
>>
>> Hi all,
>>
>> I'm trying to do machine authentication vs Windows AD but it doesn't
>> work. I've created the domain and the realm but in the radius debug
>> log I can see that it is not catching the correct realm:
>>
>>
>>
>> (20) Fri Jul  7 16:29:45 2017: Debug: Received Access-Request Id 103
>> from 10.10.10.4:1645 to 172.27.17.5:1812 length 226
>> (20) Fri Jul  7 16:29:45 2017: Debug:   User-Name = "host/LAB3-NB.dm.loc"
>> (20) Fri Jul  7 16:29:45 2017: Debug:   Service-Type = Framed-User
>> (20) Fri Jul  7 16:29:45 2017: Debug:   Framed-MTU = 1500
>> (20) Fri Jul  7 16:29:45 2017: Debug:   Called-Station-Id =
>> "00-22-91-6F-B8-81"
>> (20) Fri Jul  7 16:29:45 2017: Debug:   Calling-Station-Id =
>> "00-9C-02-92-EA-B0"
>> (20) Fri Jul  7 16:29:45 2017: Debug:   EAP-Message =
>> 0x0201001801686f73742f4c4142332d4e422e646d2e6c6f63
>> (20) Fri Jul  7 16:29:45 2017: Debug:   Message-Authenticator =
>> 0xcf9553149f5c843907b87d3758e0b7d8
>> (20) Fri Jul  7 16:29:45 2017: Debug:   Cisco-AVPair =
>> "audit-session-id=0A0A0A0400DEBBDF4BBE"
>> (20) Fri Jul  7 16:29:45 2017: Debug:   NAS-Port-Type = Ethernet
>> (20) Fri Jul  7 16:29:45 2017: Debug:   NAS-Port = 50101
>> (20) Fri Jul  7 16:29:45 2017: Debug:   NAS-Port-Id =
>> "GigabitEthernet1/0/1"
>> (20) Fri Jul  7 16:29:45 2017: Debug:   NAS-IP-Address = 10.10.10.4
>> 
>>
>> 
>>
>> (20) Fri Jul  7 16:29:46 2017: Debug: suffix: Checking for suffix
>> after "@"
>> (20) Fri Jul  7 16:29:46 2017: Debug: suffix: No '@' in User-Name =
>> "host/LAB3-NB.dm.loc", skipping NULL due to config.
>> (20) Fri Jul  7 16:29:46 2017: Debug: [suffix] = noop
>> (20) Fri Jul  7 16:29:46 2017: Debug: ntdomain: Checking for prefix
>> before "\"
>> (20) Fri Jul  7 16:29:46 2017: Debug: ntdomain: No '\' in User-Name =
>> "host/LAB3-NB.dm.loc", looking up realm NULL
>> (20) Fri Jul  7 16:29:46 2017: Debug: ntdomain: Found realm "null"
>> (20) Fri Jul  7 16:29:46 2017: Debug: ntdomain: Adding
>> Stripped-User-Name = "host/LAB3-NB.dm.loc"
>> (20) Fri Jul  7 16:29:46 2017: Debug: ntdomain: Adding Realm = "null"
>> (20) Fri Jul  7 16:29:46 2017: Debug: ntdomain: Authentication realm
>> is LOCAL
>> (20) Fri Jul  7 16:29:46 2017: Debug: [ntdomain] = ok
>>
>>
>> How can I solve this? Obviously the machine is correctly joined to
>> the domain; below are the associated servicePrincipalName values:
>>
>>
>> TERMSRV/LAB3-NB.dm.loc
>> TERMSRV/LAB3-NB
>> RestrictedKrbHost/LAB3-NB
>> HOST/LAB3-NB
>> RestrictedKrbHost/LAB3-NB.dm.loc
>> HOST/LAB3-NB.dm.loc
>>
>>
>> Anyone that can suggest me what to check?
>>
>>
>> Thank you in advance.
>>
>>
>> Luca
>>
>>
>> Sent from Outlook
>>
>>
>>

Re: [PacketFence-users] Machine authentication

2017-07-10 Thread mj via PacketFence-users
Just to say that I am following this thread with interest, as I 
currently have the same issue on my (debian8) install.


GUI says: domain join OK

Also, in CLI, I can do:
root@pf:/chroots/DOMAIN/etc/samba# chroot /chroots/DOMAIN ntlm_auth --username=testuser

Password:
NT_STATUS_OK: Success (0x0)

But doing radtest in cli/chroot gives:
root@pf:/chroots/DOMAIN/etc/samba# chroot /chroots/DOMAIN radtest -t mschap -x testuser testpasswd localhost:18120 12 testing123

Sent Access-Request Id 55 from 0.0.0.0:55804 to 127.0.0.1:18120 length 133
User-Name = "testuser"
MS-CHAP-Password = "testpasswd"
NAS-IP-Address = 192.x.y.z (=packetfence ip)
NAS-Port = 12
Message-Authenticator = 0x00
Cleartext-Password = "testpasswd"
MS-CHAP-Challenge = 0x91acda8016
MS-CHAP-Response = 0x0001b8b70be9c9dee2a5298cd8cf1b3

Received Access-Reject Id 55 from 127.0.0.1:18120 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject

and during radtest the following is logged in radius.log:
Jul 10 14:13:31 pf auth[15670]: (283) Rejected in post-auth: [testuser] (from client localhost port 12)

Jul 10 14:14:06 pf auth[15670]: (284) rest: ERROR: Server returned:
Jul 10 14:14:06 pf auth[15670]: (284) rest: ERROR: {"Reply-Message":"CLI Access is not allowed by PacketFence on this switch","control:PacketFence-Authorization-Status":"allow"}


Are you seeing this same message about CLI access?

MJ

On 07/10/2017 11:58 AM, luca comes via PacketFence-users wrote:

I've found this error in radius.log


ERROR: mschap_machine: Program returned code (1) and output 'Reading 
winbind reply failed! (0xc00

1)'


But the domain is working fine, how can I solve this?


Luca


Sent from Outlook




*From:* luca comes via PacketFence-users
*Sent:* Monday 10 July 2017 11:42
*To:* packetfence-users@lists.sourceforge.net
*Cc:* luca comes
*Subject:* Re: [PacketFence-users] Machine authentication

Hi all,

any suggestion? I don't know what to check; the domain is correctly configured 
and the tests are fine (wbinfo -u etc.). I added my domain to the LOCAL realm 
as per Antoine's mail but it still doesn't work.



Thanks for your help


Luca


Sent from Outlook




*From:* luca comes via PacketFence-users
*Sent:* Friday 7 July 2017 17:40
*To:* packetfence-users@lists.sourceforge.net
*Cc:* luca comes
*Subject:* Re: [PacketFence-users] Machine authentication

Hi Antoine,

thank you for your answer, unfortunately it doesn't work. Same behavior 
as before, any other suggestion?



Luca


Sent from Outlook




*From:* Antoine Amacher via PacketFence-users
*Sent:* Friday 7 July 2017 17:20
*To:* packetfence-users@lists.sourceforge.net
*Cc:* Antoine Amacher
*Subject:* Re: [PacketFence-users] Machine authentication

Lucas,


Map the domain on which they should authenticate with the REALM LOCAL.


In configuration -> policies and access control -> realms


Thanks


On 07/07/2017 11:15 AM, luca comes via PacketFence-users wrote:


Hi all,

I'm trying to do machine authentication vs Windows AD but it doesn't 
work. I've created the domain and the realm but in the radius debug 
log I can see that it is not catching the correct realm:




(20) Fri Jul  7 16:29:45 2017: Debug: Received Access-Request Id 103 from 10.10.10.4:1645 to 172.27.17.5:1812 length 226
(20) Fri Jul  7 16:29:45 2017: Debug:   User-Name = "host/LAB3-NB.dm.loc"
(20) Fri Jul  7 16:29:45 2017: Debug:   Service-Type = Framed-User
(20) Fri Jul  7 16:29:45 2017: Debug:   Framed-MTU = 1500
(20) Fri Jul  7 16:29:45 2017: Debug:   Called-Station-Id = "00-22-91-6F-B8-81"
(20) Fri Jul  7 16:29:45 2017: Debug:   Calling-Station-Id = "00-9C-02-92-EA-B0"
(20) Fri Jul  7 16:29:45 2017: Debug:   EAP-Message = 0x0201001801686f73742f4c4142332d4e422e646d2e6c6f63
(20) Fri Jul  7 16:29:45 2017: Debug:   Message-Authenticator = 0xcf9553149f5c843907b87d3758e0b7d8
(20) Fri Jul  7 16:29:45 2017: Debug:   Cisco-AVPair = "audit-session-id=0A0A0A0400DEBBDF4BBE"
(20) Fri Jul  7 16:29:45 2017: Debug:   NAS-Port-Type = Ethernet
(20) Fri Jul  7 16:29:45 2017: Debug:   NAS-Port = 50101
(20) Fri Jul  7 16:29:45 2017: Debug:   NAS-Port-Id = "GigabitEthernet1/0/1"
(20) Fri Jul  7 16:29:45 2017: Debug:   NAS-IP-Address = 10.10.10.4

(20) Fri Jul  7 16:29:46 2017: Debug: suffix: Checking for suffix after "@"
(20) Fri Jul  7 16:29:46 2017: Debug: suffix: No '@' in User-Name = "host/LAB3-NB.dm.loc", skipping NULL due to config.
(20) Fri Jul  7 16:29:46 2017: Debug: 

Re: [PacketFence-users] Machine authentication

2017-07-10 Thread luca comes via PacketFence-users
I've found this error in radius.log


ERROR: mschap_machine: Program returned code (1) and output 'Reading winbind 
reply failed! (0xc00
1)'


But the domain is working fine, how can I solve this?


Luca


Sent from Outlook



From: luca comes via PacketFence-users
Sent: Monday 10 July 2017 11:42
To: packetfence-users@lists.sourceforge.net
Cc: luca comes
Subject: Re: [PacketFence-users] Machine authentication


Hi all,

any suggestion? I don't know what to check; the domain is correctly configured and the 
tests are fine (wbinfo -u etc.). I added my domain to the LOCAL realm as per 
Antoine's mail but it still doesn't work.


Thanks for your help


Luca


Sent from Outlook



From: luca comes via PacketFence-users
Sent: Friday 7 July 2017 17:40
To: packetfence-users@lists.sourceforge.net
Cc: luca comes
Subject: Re: [PacketFence-users] Machine authentication


Hi Antoine,

thank you for your answer, unfortunately it doesn't work. Same behavior as 
before, any other suggestion?


Luca


Sent from Outlook



From: Antoine Amacher via PacketFence-users
Sent: Friday 7 July 2017 17:20
To: packetfence-users@lists.sourceforge.net
Cc: Antoine Amacher
Subject: Re: [PacketFence-users] Machine authentication


Lucas,


Map the domain on which they should authenticate with the REALM LOCAL.


In configuration -> policies and access control -> realms


Thanks

On 07/07/2017 11:15 AM, luca comes via PacketFence-users wrote:

Hi all,

I'm trying to do machine authentication vs Windows AD but it doesn't work. I've 
created the domain and the realm but in the radius debug log I can see that it 
is not catching the correct realm:



(20) Fri Jul  7 16:29:45 2017: Debug: Received Access-Request Id 103 from 10.10.10.4:1645 to 172.27.17.5:1812 length 226
(20) Fri Jul  7 16:29:45 2017: Debug:   User-Name = "host/LAB3-NB.dm.loc"
(20) Fri Jul  7 16:29:45 2017: Debug:   Service-Type = Framed-User
(20) Fri Jul  7 16:29:45 2017: Debug:   Framed-MTU = 1500
(20) Fri Jul  7 16:29:45 2017: Debug:   Called-Station-Id = "00-22-91-6F-B8-81"
(20) Fri Jul  7 16:29:45 2017: Debug:   Calling-Station-Id = "00-9C-02-92-EA-B0"
(20) Fri Jul  7 16:29:45 2017: Debug:   EAP-Message = 0x0201001801686f73742f4c4142332d4e422e646d2e6c6f63
(20) Fri Jul  7 16:29:45 2017: Debug:   Message-Authenticator = 0xcf9553149f5c843907b87d3758e0b7d8
(20) Fri Jul  7 16:29:45 2017: Debug:   Cisco-AVPair = "audit-session-id=0A0A0A0400DEBBDF4BBE"
(20) Fri Jul  7 16:29:45 2017: Debug:   NAS-Port-Type = Ethernet
(20) Fri Jul  7 16:29:45 2017: Debug:   NAS-Port = 50101
(20) Fri Jul  7 16:29:45 2017: Debug:   NAS-Port-Id = "GigabitEthernet1/0/1"
(20) Fri Jul  7 16:29:45 2017: Debug:   NAS-IP-Address = 10.10.10.4




(20) Fri Jul  7 16:29:46 2017: Debug: suffix: Checking for suffix after "@"
(20) Fri Jul  7 16:29:46 2017: Debug: suffix: No '@' in User-Name = "host/LAB3-NB.dm.loc", skipping NULL due to config.
(20) Fri Jul  7 16:29:46 2017: Debug: [suffix] = noop
(20) Fri Jul  7 16:29:46 2017: Debug: ntdomain: Checking for prefix before "\"
(20) Fri Jul  7 16:29:46 2017: Debug: ntdomain: No '\' in User-Name = "host/LAB3-NB.dm.loc", looking up realm NULL
(20) Fri Jul  7 16:29:46 2017: Debug: ntdomain: Found realm "null"
(20) Fri Jul  7 16:29:46 2017: Debug: ntdomain: Adding Stripped-User-Name = "host/LAB3-NB.dm.loc"
(20) Fri Jul  7 16:29:46 2017: Debug: ntdomain: Adding Realm = "null"
(20) Fri Jul  7 16:29:46 2017: Debug: ntdomain: Authentication realm is LOCAL
(20) Fri Jul  7 16:29:46 2017: Debug: [ntdomain] = ok


How can I solve this? Obviously the machine is correctly joined to the domain; 
below are the associated servicePrincipalName values:


TERMSRV/LAB3-NB.dm.loc
TERMSRV/LAB3-NB
RestrictedKrbHost/LAB3-NB
HOST/LAB3-NB
RestrictedKrbHost/LAB3-NB.dm.loc
HOST/LAB3-NB.dm.loc


Anyone that can suggest me what to check?


Thank you in advance.


Luca


Sent from Outlook






--
Antoine Amacher
aamac...@inverse.ca :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

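The realm lines in Luca's debug output are the whole story of why the machine account lands where it does: `suffix` looks for an "@" and finds none, `ntdomain` looks for a "\" and finds none, so it falls back to the NULL realm, which has no home server and is therefore handled as LOCAL. A `host/...` User-Name never matches a domain realm by name alone. The following is an added example, mine rather than code from PacketFence or FreeRADIUS, that models that two-module pass and runs it over a log excerpt constructed from this thread; the `REALMS` table and the module settings are assumptions standing in for a site's realm configuration.

```python
"""Model of FreeRADIUS's 'suffix' and 'ntdomain' realm modules, applied to
the radiusd -X output quoted in this thread.

Added example, not code from PacketFence or FreeRADIUS. REALMS is an assumed
realm table; SAMPLE_DEBUG is constructed from the thread's excerpt.
"""
import re

# Assumed realm table. 'proxy' marks a realm with a home server; a realm
# without one is handled locally (FreeRADIUS logs "Authentication realm is
# LOCAL"). The name "NULL" is what the modules look up when the delimiter is
# absent and ignore_null is not set for that module.
REALMS = {
    "dm.loc":       {"proxy": False},
    "DM":           {"proxy": False},
    "NULL":         {"proxy": False},
    "corp.example": {"proxy": True},   # assumed proxied realm, for contrast
}

# Module settings matching the thread's log: suffix skips the NULL lookup
# ("skipping NULL due to config"), ntdomain does not.
SUFFIX = {"delimiter": "@", "format": "suffix", "ignore_null": True}
NTDOMAIN = {"delimiter": "\\", "format": "prefix", "ignore_null": False}


def _realm_module(user_name, cfg, realms):
    """One realm-module pass. Returns (rcode, realm, stripped_user_name);
    rcode is 'ok' when a realm was attached, 'noop' otherwise."""
    delim = cfg["delimiter"]
    if delim not in user_name:
        if cfg["ignore_null"] or "NULL" not in realms:
            return "noop", None, None
        return "ok", "NULL", user_name          # whole name kept, realm NULL
    if cfg["format"] == "suffix":               # user@realm
        stripped, realm = user_name.rsplit(delim, 1)
    else:                                       # REALM\user
        realm, stripped = user_name.split(delim, 1)
    if realm not in realms:
        return "noop", None, None               # "No such realm"
    return "ok", realm, stripped


def resolve_realm(user_name, realms=REALMS):
    """Run suffix then ntdomain, in the order the default authorize section
    calls them; the first module returning 'ok' sets Realm and
    Stripped-User-Name, and a realm with no home server is LOCAL."""
    for name, cfg in (("suffix", SUFFIX), ("ntdomain", NTDOMAIN)):
        rcode, realm, stripped = _realm_module(user_name, cfg, realms)
        if rcode == "ok":
            auth = realm if realms[realm]["proxy"] else "LOCAL"
            return {"module": name, "realm": realm,
                    "stripped_user_name": stripped, "auth_realm": auth}
    return {"module": None, "realm": None,
            "stripped_user_name": user_name, "auth_realm": "LOCAL"}


# Match the request attribute, not the later "Stripped-User-Name = ..." line.
USER_NAME_RE = re.compile(r'(?<!-)User-Name = "([^"]*)"')


def user_name_from_debug(debug_text):
    """Pull the first User-Name attribute out of radiusd -X output."""
    m = USER_NAME_RE.search(debug_text)
    return m.group(1) if m else None


# Constructed sample, reduced from the thread's radiusd -X excerpt.
SAMPLE_DEBUG = '''(20) Fri Jul  7 16:29:45 2017: Debug:   User-Name = "host/LAB3-NB.dm.loc"
(20) Fri Jul  7 16:29:45 2017: Debug:   NAS-IP-Address = 10.10.10.4
'''


def explain(debug_text, realms=REALMS):
    """Classify the User-Name found in a debug excerpt, or None if absent."""
    name = user_name_from_debug(debug_text)
    return resolve_realm(name, realms) if name else None


if __name__ == "__main__":
    for n in ("host/LAB3-NB.dm.loc", "jdoe@dm.loc", "DM\\jdoe",
              "jdoe@other.example", "jdoe@corp.example"):
        print(n, "->", resolve_realm(n))
    print("from log ->", explain(SAMPLE_DEBUG))
```

Running it shows the four shapes side by side: `jdoe@dm.loc` and `DM\jdoe` are attached to their named realm by `suffix` and `ntdomain` respectively, while `host/LAB3-NB.dm.loc` (and any `user@unknown-realm`) ends up in NULL, which is why the machine request can only be handled by whatever the LOCAL realm is configured to do.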
Re: [PacketFence-users] Machine authentication

2017-07-10 Thread luca comes via PacketFence-users
Hi all,

any suggestion? I don't know what to check; the domain is correctly configured and the 
tests are fine (wbinfo -u etc.). I added my domain to the LOCAL realm as per 
Antoine's mail but it still doesn't work.


Thanks for your help


Luca


Sent from Outlook



From: luca comes via PacketFence-users
Sent: Friday 7 July 2017 17:40
To: packetfence-users@lists.sourceforge.net
Cc: luca comes
Subject: Re: [PacketFence-users] Machine authentication


Hi Antoine,

thank you for your answer, unfortunately it doesn't work. Same behavior as 
before, any other suggestion?


Luca


Sent from Outlook



From: Antoine Amacher via PacketFence-users
Sent: Friday 7 July 2017 17:20
To: packetfence-users@lists.sourceforge.net
Cc: Antoine Amacher
Subject: Re: [PacketFence-users] Machine authentication


Lucas,


Map the domain on which they should authenticate with the REALM LOCAL.


In configuration -> policies and access control -> realms


Thanks

On 07/07/2017 11:15 AM, luca comes via PacketFence-users wrote:

Hi all,

I'm trying to do machine authentication vs Windows AD but it doesn't work. I've 
created the domain and the realm but in the radius debug log I can see that it 
is not catching the correct realm:



(20) Fri Jul  7 16:29:45 2017: Debug: Received Access-Request Id 103 from 10.10.10.4:1645 to 172.27.17.5:1812 length 226
(20) Fri Jul  7 16:29:45 2017: Debug:   User-Name = "host/LAB3-NB.dm.loc"
(20) Fri Jul  7 16:29:45 2017: Debug:   Service-Type = Framed-User
(20) Fri Jul  7 16:29:45 2017: Debug:   Framed-MTU = 1500
(20) Fri Jul  7 16:29:45 2017: Debug:   Called-Station-Id = "00-22-91-6F-B8-81"
(20) Fri Jul  7 16:29:45 2017: Debug:   Calling-Station-Id = "00-9C-02-92-EA-B0"
(20) Fri Jul  7 16:29:45 2017: Debug:   EAP-Message = 0x0201001801686f73742f4c4142332d4e422e646d2e6c6f63
(20) Fri Jul  7 16:29:45 2017: Debug:   Message-Authenticator = 0xcf9553149f5c843907b87d3758e0b7d8
(20) Fri Jul  7 16:29:45 2017: Debug:   Cisco-AVPair = "audit-session-id=0A0A0A0400DEBBDF4BBE"
(20) Fri Jul  7 16:29:45 2017: Debug:   NAS-Port-Type = Ethernet
(20) Fri Jul  7 16:29:45 2017: Debug:   NAS-Port = 50101
(20) Fri Jul  7 16:29:45 2017: Debug:   NAS-Port-Id = "GigabitEthernet1/0/1"
(20) Fri Jul  7 16:29:45 2017: Debug:   NAS-IP-Address = 10.10.10.4




(20) Fri Jul  7 16:29:46 2017: Debug: suffix: Checking for suffix after "@"
(20) Fri Jul  7 16:29:46 2017: Debug: suffix: No '@' in User-Name = "host/LAB3-NB.dm.loc", skipping NULL due to config.
(20) Fri Jul  7 16:29:46 2017: Debug: [suffix] = noop
(20) Fri Jul  7 16:29:46 2017: Debug: ntdomain: Checking for prefix before "\"
(20) Fri Jul  7 16:29:46 2017: Debug: ntdomain: No '\' in User-Name = "host/LAB3-NB.dm.loc", looking up realm NULL
(20) Fri Jul  7 16:29:46 2017: Debug: ntdomain: Found realm "null"
(20) Fri Jul  7 16:29:46 2017: Debug: ntdomain: Adding Stripped-User-Name = "host/LAB3-NB.dm.loc"
(20) Fri Jul  7 16:29:46 2017: Debug: ntdomain: Adding Realm = "null"
(20) Fri Jul  7 16:29:46 2017: Debug: ntdomain: Authentication realm is LOCAL
(20) Fri Jul  7 16:29:46 2017: Debug: [ntdomain] = ok


How can I solve this? Obviously the machine is correctly joined to the domain; 
below are the associated servicePrincipalName values:


TERMSRV/LAB3-NB.dm.loc
TERMSRV/LAB3-NB
RestrictedKrbHost/LAB3-NB
HOST/LAB3-NB
RestrictedKrbHost/LAB3-NB.dm.loc
HOST/LAB3-NB.dm.loc


Anyone that can suggest me what to check?


Thank you in advance.


Luca


Sent from Outlook






--
Antoine Amacher
aamac...@inverse.ca :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users