Hello again,

I’ve found the solution; after log analysis it was so obvious: enable the 
"Dot1x recompute role from portal" parameter in the connection profile.

Thank you, Ludovic. I’m a beginner in the PacketFence world; I wasn’t aware of 
the packetfence.log file content. No questions anymore, I highly appreciate your help!

--
Andrey Chernyakov
Senior Network and Security Engineer

email: chernya...@npsconsult.com

NPS Consult S.A.
L-5687, Dalheim
Luxembourg
On 15 Feb 2024 at 16:05 +0100, Andrey Chernyakov <chernya...@npsconsult.com>, 
wrote:
> Sure, here it is (at the bottom of the email; I modified the search request 
> just to ignore outdated logs).
>
> According to the logs, the EAPTLS authentication source was matched, but the 
> host wasn’t assigned to the role because it was already computed (but I have 
> no idea when; before authentication I deleted the MAC address from the nodes 
> list, and it’s an auto-registered host according to the relevant parameter of 
> the connection profile).
>
> My goal is to assign all hosts (with known and registered MAC addresses and 
> with unknown, first-time-seen MAC addresses), once they've been authenticated 
> via EAPTLS, to specific roles.
>
> root@packetfence:~# tail -f /usr/local/pf/logs/packetfence.log | grep 
> 02:7a:87:11:54:dd
>
> Feb 15 15:54:06 packetfence pfperl-api-docker-wrapper[193686]: pfperl-api(10) 
> INFO: [mac:[undef]] Request to /api/v1/dhcp/mac/02:7a:87:11:54:dd is 
> unauthorized, will perform a login (pf::api::unifiedapiclient::call)
> Feb 15 15:54:07 packetfence pfqueue[221285]: pfqueue(221285) INFO: 
> [mac:02:7a:87:11:54:dd] Trying generic MIB to force 802.1x port 
> re-authentication. Your mileage may vary. If it doesn't work open a bug 
> report with your hardware type. (pf::Switch::_dot1xPortReauthenticate)
> Feb 15 15:54:07 packetfence pfqueue[221285]: pfqueue(221285) ERROR: 
> [mac:02:7a:87:11:54:dd] error creating SNMP v3 write connection to 
> 192.168.100.2: An empty authProtocol was specified 
> (pf::Switch::connectWriteTo)
> Feb 15 15:54:33 packetfence pfqueue[219798]: pfqueue(219798) WARN: 
> [mac:unknown] Warning: 1062: Duplicate entry '02:7a:87:11:54:dd' for key 
> 'PRIMARY' (pf::dal::db_execute)
> Feb 15 15:54:33 packetfence pfqueue[219798]: pfqueue(219798) INFO: 
> [mac:unknown] DHCPACK from 192.168.100.254 (00:0c:29:35:5f:47) to host 
> 02:7a:87:11:54:dd (192.168.22.102) for 691200 seconds 
> (pf::dhcp::processor_v4::parse_dhcp_ack)
> Feb 15 15:54:33 packetfence pfqueue[219894]: pfqueue(219894) INFO: 
> [mac:unknown] DHCPREQUEST from 02:7a:87:11:54:dd (192.168.22.102) 
> (pf::dhcp::processor_v4::parse_dhcp_request)
> Feb 15 15:54:33 packetfence pfqueue[219894]: pfqueue(219894) INFO: 
> [mac:02:7a:87:11:54:dd] Sending a firewall SSO 'Update' request for MAC 
> '02:7a:87:11:54:dd' and IP '192.168.22.102' (pf::firewallsso::do_sso)
> Feb 15 15:54:33 packetfence pfqueue[221313]: pfqueue(221313) INFO: 
> [mac:02:7a:87:11:54:dd] Instantiate profile dot1x_wired_profile 
> (pf::Connection::ProfileFactory::_from_profile)
> Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) 
> ERROR: [mac:02:7a:87:11:54:dd] error creating SNMP v3 read connection to 
> 192.168.100.2: An empty privProtocol was specified (pf::Switch::connectRead)
> Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) 
> INFO: [mac:02:7a:87:11:54:dd] handling radius autz request: from switch_ip => 
> (192.168.100.2), connection_type => Ethernet-EAP,switch_mac => 
> (00:04:96:9b:0a:db), mac => [02:7a:87:11:54:dd], port => 1017, username => 
> "PC2-LAB$@ad.nps.local" (pf::radius::authorize)
> Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) 
> INFO: [mac:02:7a:87:11:54:dd] Instantiate profile dot1x_wired_profile 
> (pf::Connection::ProfileFactory::_from_profile)
> Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) 
> INFO: [mac:02:7a:87:11:54:dd] Found authentication source(s) : 'Machine_auth' 
> for realm 'ad.nps.local' (pf::config::util::filter_authentication_sources)
> Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) 
> INFO: [mac:02:7a:87:11:54:dd] Role has already been computed and we don't 
> want to recompute it. (pf::role::getNodeInfoForAutoReg)
> Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) 
> WARN: [mac:02:7a:87:11:54:dd] No category computed for autoreg 
> (pf::role::getNodeInfoForAutoReg)
> Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) 
> INFO: [mac:02:7a:87:11:54:dd] Found authentication source(s) : 'Machine_auth' 
> for realm 'ad.nps.local' (pf::config::util::filter_authentication_sources)
> Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) 
> INFO: [mac:02:7a:87:11:54:dd] Role has already been computed and we don't 
> want to recompute it. Getting role from node_info 
> (pf::role::getRegisteredRole)
> Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) 
> WARN: [mac:02:7a:87:11:54:dd] Use of uninitialized value $role in 
> concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489.
> Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) 
> INFO: [mac:02:7a:87:11:54:dd] Username was NOT defined or unable to match a 
> role - returning node based role '' (pf::role::getRegisteredRole)
> Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) 
> INFO: [mac:02:7a:87:11:54:dd] PID: "default", Status: reg Returned VLAN: 
> (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
> Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) 
> INFO: [mac:02:7a:87:11:54:dd] security_event 1300003 force-closed for 
> 02:7a:87:11:54:dd (pf::security_event::security_event_force_close)
> Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) 
> INFO: [mac:02:7a:87:11:54:dd] Instantiate profile dot1x_wired_profile 
> (pf::Connection::ProfileFactory::_from_profile)
> Feb 15 15:54:43 packetfence pfqueue[219984]: pfqueue(219984) INFO: 
> [mac:02:7a:87:11:54:dd] Database /usr/local/fingerbank/db/fingerbank_Local.db 
> was changed or handles weren't initialized. Creating handle. 
> (fingerbank::DB::SQLite::build_handle)
> Feb 15 15:54:43 packetfence pfqueue[219984]: pfqueue(219984) INFO: 
> [mac:02:7a:87:11:54:dd] Database 
> /usr/local/fingerbank/db/fingerbank_Upstream.db was changed or handles 
> weren't initialized. Creating handle. (fingerbank::DB::SQLite::build_handle)
> Feb 15 15:54:43 packetfence pfqueue[219984]: pfqueue(219984) INFO: 
> [mac:02:7a:87:11:54:dd] Searching for 'Device' entries in schema(s) returned 
> an empty set (fingerbank::Base::CRUD::search)
> Feb 15 15:54:43 packetfence pfqueue[219984]: pfqueue(219984) WARN: 
> [mac:02:7a:87:11:54:dd] Unable to pull accounting history for device 
> 02:7a:87:11:54:dd. The history set doesn't exist yet. 
> (pf::accounting_events_history::latest_mac_history)
> ^C
> root@packetfence:~#
>
> --
> Andrey Chernyakov
> Senior Network and Security Engineer
>
> email: chernya...@npsconsult.com
>
> NPS Consult S.A.
> L-5687, Dalheim
> Luxembourg
> On 15 Feb 2024 at 15:51 +0100, Zammit, Ludovic <luza...@akamai.com>, wrote:
> > Please do that:
> >
> > grep MAC-ADDRESS /usr/local/pf/logs/packetfence.log
> >
> > Show the output please.
> >
> > Thanks,
> >
> > Ludovic Zammit
> > Product Support Engineer Principal Lead
> > Cell: +1.613.670.8432
> > Akamai Technologies - Inverse
> > 145 Broadway
> > Cambridge, MA 02142
> >
> > > On Feb 15, 2024, at 9:49 AM, Andrey Chernyakov 
> > > <chernya...@npsconsult.com> wrote:
> > >
> > > Hello Ludovic,
> > >
> > > Thanks for your reply.
> > >
> > > It’s clear; there are no connections to domain controllers, RADIUS is 
> > > signed with a valid certificate from the Microsoft PKI, and EAPTLS 
> > > authentication works well.
> > > But the authentication source defined to use EAPTLS is just ignored by the 
> > > authentication process; machines aren’t getting the role defined in the 
> > > authentication rule (even with no conditions, a catch-all rule), they 
> > > always get the registration role.
> > >
> > > --
> > > Andrey Chernyakov
> > > Senior Network and Security Engineer
> > >
> > > email: chernya...@npsconsult.com
> > >
> > > NPS Consult S.A.
> > > L-5687, Dalheim
> > > Luxembourg
> > > On 15 Feb 2024 at 15:11 +0100, Zammit, Ludovic <luza...@akamai.com>, 
> > > wrote:
> > > > Hello Andrey,
> > > >
> > > > For EAP TLS you don’t need to join the PF servers to your domain.
> > > >
> > > > You will need to add the Root CA that signed the user/computer certs under
> > > > Configuration > System Configuration > SSL Certificates > RADIUS > RADIUS Certification Authority Certificate(s).
> > > >
> > > > Thanks,
> > > >
> > > >
> > > >
> > > > Ludovic Zammit
> > > > Product Support Engineer Principal Lead
> > > > Cell: +1.613.670.8432
> > > > Akamai Technologies - Inverse
> > > > 145 Broadway
> > > > Cambridge, MA 02142
> > > >
> > > > > On Feb 14, 2024, at 8:22 AM, Andrey Chernyakov via PacketFence-users 
> > > > > <packetfence-users@lists.sourceforge.net> wrote:
> > > > >
> > > > > Hi, PacketFence community,
> > > > >
> > > > > Currently I’m evaluating EAPTLS authentication with machine 
> > > > > certificates in my lab for the wired network, but the Authentication 
> > > > > Source with EAPTLS doesn’t seem to be working.
> > > > >
> > > > > From my perspective, the configuration is good: the EAP profile 
> > > > > prefers TLS authentication, and RADIUS has a valid certificate signed 
> > > > > by the same CA as the machine certificates which I use for EAPTLS 
> > > > > authentication. The connection profile allows auto-registration of 
> > > > > devices. The authentication source should catch all authentication 
> > > > > attempts and assign devices to a role (gaming, for example).
> > > > >
> > > > > The problem with such a configuration is that devices are 
> > > > > authenticated and auto-registered, but they aren’t matched with the 
> > > > > authentication source rules (the last screenshot with the log can 
> > > > > prove it), and they are respectively registered with no role. But I 
> > > > > need the role in order to be able to assign devices the relevant 
> > > > > profile. Below you can find screenshots from my lab; any ideas how to 
> > > > > fix it?
> > > > >
> > > > > Appreciate your help in advance!
> > > > >
> > > > > <Screenshot 2024-02-12 at 16.04.15.png>
> > > > > <Screenshot 2024-02-12 at 16.04.48.png>
> > > > > <Screenshot 2024-02-12 at 16.05.35.png>
> > > > > <Attachment.png>
> > > > >
> > > > > --
> > > > > Andrey Chernyakov
> > > > > Senior Network and Security Engineer
> > > > >
> > > > > email: chernya...@npsconsult.com
> > > > >
> > > > > NPS Consult S.A.
> > > > > L-5687, Dalheim
> > > > > Luxembourg
> > > > > _______________________________________________
> > > > > PacketFence-users mailing list
> > > > > PacketFence-users@lists.sourceforge.net
> > > > > https://lists.sourceforge.net/lists/listinfo/packetfence-users
> > > >
> >
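A small parser for the packetfence.log lines quoted in this thread, added here as an illustration and not code from the thread or from PacketFence itself: it collects the lines for one MAC and flags the sequence that explains the missing role (authentication source matched, autoreg refusing to recompute, role returned undefined). The regex for the line shape, the helper names and the "likely cause" wording are my assumptions; the sample lines are copied from the log in the thread.

```python
import re

# Shape of a packetfence.log line as it appears in the thread (this regex is an assumption, not PacketFence's own):
#   "Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) INFO: [mac:<mac>] <msg> (pf::mod::func)"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<proc>[\w.-]+)\[\d+\]: [\w.-]+\(\d+\) "
    r"(?P<level>[A-Z]+): \[mac:(?P<mac>[^\]]+)\] (?P<msg>.*?)(?: \((?P<func>[\w:]+)\))?$"
)
SOURCE_RE = re.compile(r"Found authentication source\(s\) : '([^']+)' for realm '([^']+)'")

def parse_line(line):
    """Return the fields of one log line, or None if the line is not in the expected shape."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def diagnose_role(log_text, mac):
    """Follow the RADIUS authorization trail for `mac` and report where the role was lost."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e and e["mac"] == mac]
    report = {"sources": [], "role_recompute_blocked": False,
              "no_autoreg_category": False, "final_role": None}
    for e in events:
        src = SOURCE_RE.match(e["msg"])
        if src:
            report["sources"].append((src.group(1), src.group(2)))
        elif e["func"] == "pf::role::getNodeInfoForAutoReg":
            if e["msg"].startswith("Role has already been computed"):
                report["role_recompute_blocked"] = True
            elif e["msg"].startswith("No category computed"):
                report["no_autoreg_category"] = True
        elif e["func"] == "pf::role::fetchRoleForNode":
            r = re.search(r"Role: \((.*?)\)", e["msg"])
            report["final_role"] = None if r is None or r.group(1) == "undefined" else r.group(1)
    # The sequence seen in the thread: a source matched, autoreg refused to recompute, role ends up undefined.
    if report["sources"] and report["role_recompute_blocked"] and report["final_role"] is None:
        report["likely_cause"] = ("stale computed role kept; enable 'Dot1x recompute role from portal' "
                                  "on the connection profile")
    else:
        report["likely_cause"] = "no role-recompute problem detected"
    return report

# Sample input: four lines copied from the thread's packetfence.log excerpt, plus one [mac:unknown] line.
SAMPLE_LOG = """\
Feb 15 15:54:33 packetfence pfqueue[219798]: pfqueue(219798) WARN: [mac:unknown] Warning: 1062: Duplicate entry '02:7a:87:11:54:dd' for key 'PRIMARY' (pf::dal::db_execute)
Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) INFO: [mac:02:7a:87:11:54:dd] Found authentication source(s) : 'Machine_auth' for realm 'ad.nps.local' (pf::config::util::filter_authentication_sources)
Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) INFO: [mac:02:7a:87:11:54:dd] Role has already been computed and we don't want to recompute it. (pf::role::getNodeInfoForAutoReg)
Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) WARN: [mac:02:7a:87:11:54:dd] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) INFO: [mac:02:7a:87:11:54:dd] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
"""

if __name__ == "__main__":
    print(diagnose_role(SAMPLE_LOG, "02:7a:87:11:54:dd"))
```

Run it against `grep MAC-ADDRESS /usr/local/pf/logs/packetfence.log` output to see at a glance whether a device that lands without a role hit the same recompute block as in this thread.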
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users