Sure, here it is (at the bottom of the email; I modified the search request just to ignore outdated logs).

According to the logs, the EAPTLS authentication source was matched, but the host wasn't assigned to the role because it was already computed (but I have no idea when; before authentication I deleted the MAC address from the nodes list, and it's an auto-registered host according to the relevant parameter of the connection profile). My goal is to assign all hosts (with known and registered MAC addresses, and with unknown, first-time-seen MAC addresses) to specific roles once they've been authenticated via EAPTLS.

root@packetfence:~# tail -f /usr/local/pf/logs/packetfence.log | grep 02:7a:87:11:54:dd
Feb 15 15:54:06 packetfence pfperl-api-docker-wrapper[193686]: pfperl-api(10) INFO: [mac:[undef]] Request to /api/v1/dhcp/mac/02:7a:87:11:54:dd is unauthorized, will perform a login (pf::api::unifiedapiclient::call)
Feb 15 15:54:07 packetfence pfqueue[221285]: pfqueue(221285) INFO: [mac:02:7a:87:11:54:dd] Trying generic MIB to force 802.1x port re-authentication. Your mileage may vary. If it doesn't work open a bug report with your hardware type. (pf::Switch::_dot1xPortReauthenticate)
Feb 15 15:54:07 packetfence pfqueue[221285]: pfqueue(221285) ERROR: [mac:02:7a:87:11:54:dd] error creating SNMP v3 write connection to 192.168.100.2: An empty authProtocol was specified (pf::Switch::connectWriteTo)
Feb 15 15:54:33 packetfence pfqueue[219798]: pfqueue(219798) WARN: [mac:unknown] Warning: 1062: Duplicate entry '02:7a:87:11:54:dd' for key 'PRIMARY' (pf::dal::db_execute)
Feb 15 15:54:33 packetfence pfqueue[219798]: pfqueue(219798) INFO: [mac:unknown] DHCPACK from 192.168.100.254 (00:0c:29:35:5f:47) to host 02:7a:87:11:54:dd (192.168.22.102) for 691200 seconds (pf::dhcp::processor_v4::parse_dhcp_ack)
Feb 15 15:54:33 packetfence pfqueue[219894]: pfqueue(219894) INFO: [mac:unknown] DHCPREQUEST from 02:7a:87:11:54:dd (192.168.22.102) (pf::dhcp::processor_v4::parse_dhcp_request)
Feb 15 15:54:33 packetfence pfqueue[219894]: pfqueue(219894) INFO: [mac:02:7a:87:11:54:dd] Sending a firewall SSO 'Update' request for MAC '02:7a:87:11:54:dd' and IP '192.168.22.102' (pf::firewallsso::do_sso)
Feb 15 15:54:33 packetfence pfqueue[221313]: pfqueue(221313) INFO: [mac:02:7a:87:11:54:dd] Instantiate profile dot1x_wired_profile (pf::Connection::ProfileFactory::_from_profile)
Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) ERROR: [mac:02:7a:87:11:54:dd] error creating SNMP v3 read connection to 192.168.100.2: An empty privProtocol was specified (pf::Switch::connectRead)
Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) INFO: [mac:02:7a:87:11:54:dd] handling radius autz request: from switch_ip => (192.168.100.2), connection_type => Ethernet-EAP,switch_mac => (00:04:96:9b:0a:db), mac => [02:7a:87:11:54:dd], port => 1017, username => "PC2-LAB$@ad.nps.local" (pf::radius::authorize)
Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) INFO: [mac:02:7a:87:11:54:dd] Instantiate profile dot1x_wired_profile (pf::Connection::ProfileFactory::_from_profile)
Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) INFO: [mac:02:7a:87:11:54:dd] Found authentication source(s) : 'Machine_auth' for realm 'ad.nps.local' (pf::config::util::filter_authentication_sources)
Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) INFO: [mac:02:7a:87:11:54:dd] Role has already been computed and we don't want to recompute it. (pf::role::getNodeInfoForAutoReg)
Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) WARN: [mac:02:7a:87:11:54:dd] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) INFO: [mac:02:7a:87:11:54:dd] Found authentication source(s) : 'Machine_auth' for realm 'ad.nps.local' (pf::config::util::filter_authentication_sources)
Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) INFO: [mac:02:7a:87:11:54:dd] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) WARN: [mac:02:7a:87:11:54:dd] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489.
Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) INFO: [mac:02:7a:87:11:54:dd] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) INFO: [mac:02:7a:87:11:54:dd] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) INFO: [mac:02:7a:87:11:54:dd] security_event 1300003 force-closed for 02:7a:87:11:54:dd (pf::security_event::security_event_force_close)
Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) INFO: [mac:02:7a:87:11:54:dd] Instantiate profile dot1x_wired_profile (pf::Connection::ProfileFactory::_from_profile)
Feb 15 15:54:43 packetfence pfqueue[219984]: pfqueue(219984) INFO: [mac:02:7a:87:11:54:dd] Database /usr/local/fingerbank/db/fingerbank_Local.db was changed or handles weren't initialized. Creating handle. (fingerbank::DB::SQLite::build_handle)
Feb 15 15:54:43 packetfence pfqueue[219984]: pfqueue(219984) INFO: [mac:02:7a:87:11:54:dd] Database /usr/local/fingerbank/db/fingerbank_Upstream.db was changed or handles weren't initialized. Creating handle. (fingerbank::DB::SQLite::build_handle)
Feb 15 15:54:43 packetfence pfqueue[219984]: pfqueue(219984) INFO: [mac:02:7a:87:11:54:dd] Searching for 'Device' entries in schema(s) returned an empty set (fingerbank::Base::CRUD::search)
Feb 15 15:54:43 packetfence pfqueue[219984]: pfqueue(219984) WARN: [mac:02:7a:87:11:54:dd] Unable to pull accounting history for device 02:7a:87:11:54:dd. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
^C
root@packetfence:~#

--
Andrey Chernyakov
Senior Network and Security Engineer
email: chernya...@npsconsult.com
NPS Consult S.A.
L-5687, Dalheim
Luxembourg

On 15 Feb 2024 at 15:51 +0100, Zammit, Ludovic <luza...@akamai.com>, wrote:
> Please do that:
>
> grep MAC-ADDRESS /usr/local/pf/logs/packetfence.log
>
> Show the output please.
>
> Thanks,
>
> Ludovic Zammit
> Product Support Engineer Principal Lead
> Cell: +1.613.670.8432
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
> Connect with Us:
>
> > On Feb 15, 2024, at 9:49 AM, Andrey Chernyakov <chernya...@npsconsult.com> wrote:
> >
> > Hello Ludovic,
> >
> > Thanks for your reply.
> >
> > It's clear, there are no connections to domain controllers; RADIUS is signed with a valid certificate from the Microsoft PKI, and EAPTLS authentication works well.
> > But the authentication source defined to use EAPTLS is just ignored by the authentication process: machines aren't getting the role defined in the authentication rule (even with no conditions, a catch-all rule); they always get the registration role.
> >
> > --
> > Andrey Chernyakov
> > Senior Network and Security Engineer
> >
> > email: chernya...@npsconsult.com
> >
> > NPS Consult S.A.
> > L-5687, Dalheim
> > Luxembourg
> >
> > On 15 Feb 2024 at 15:11 +0100, Zammit, Ludovic <luza...@akamai.com>, wrote:
> > > Hello Andrey,
> > >
> > > For EAP TLS you don't need to join the PF servers to your domain.
> > >
> > > You will need to add the Root CA that signed the user/computer certs under Configuration > System Configuration > SSL Certificates > RADIUS > RADIUS Certification Authority Certificate(s).
> > >
> > > Thanks,
> > >
> > > Ludovic Zammit
> > > Product Support Engineer Principal Lead
> > > Cell: +1.613.670.8432
> > > Akamai Technologies - Inverse
> > > 145 Broadway
> > > Cambridge, MA 02142
> > > Connect with Us:
> > >
> > > > On Feb 14, 2024, at 8:22 AM, Andrey Chernyakov via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
> > > >
> > > > Hi, PacketFence community,
> > > >
> > > > Currently I'm evaluating EAPTLS authentication with machine certificates in my lab for the wired network, but the Authentication Source with EAPTLS doesn't seem to be working.
> > > >
> > > > From my perspective, the configuration is good: the EAP profile prefers TLS authentication, RADIUS has a valid certificate signed by the same CA as the machine certificates which I use for EAPTLS authentication. The connection profile allows auto-registration of devices. The authentication source should catch all authentication attempts and assign devices to a role (gaming, for example).
> > > >
> > > > The problem with such a configuration is that devices are authenticated and auto-registered, but they aren't matched with the authentication source rules (the last screenshot with the log can prove it), and so they are registered with no role. But I need a role in order to be able to assign devices the relevant profile. Below you can find screenshots from my lab; any ideas how to fix it?
> > > >
> > > > Appreciate your help in advance!
> > > >
> > > > <Screenshot 2024-02-12 at 16.04.15.png>
> > > > <Screenshot 2024-02-12 at 16.04.48.png>
> > > > <Screenshot 2024-02-12 at 16.05.35.png>
> > > > <Attachment.png>
> > > >
> > > > --
> > > > Andrey Chernyakov
> > > > Senior Network and Security Engineer
> > > >
> > > > email: chernya...@npsconsult.com
> > > >
> > > > NPS Consult S.A.
> > > > L-5687, Dalheim
> > > > Luxembourg
> > > > _______________________________________________
> > > > PacketFence-users mailing list
> > > > PacketFence-users@lists.sourceforge.net
> > > > https://urldefense.com/v3/__https://lists.sourceforge.net/lists/listinfo/packetfence-users__;!!GjvTz_vk!V0y-cm6QtbaX3LNvCqTm9ryY2N_3aGEiu4ikb0nOrYFq0feBL78xaFufS1HdtCJqH2S1thqJ0SJep9YaqRkOwJLp6aDXvcSB4ve5CA$
> > > >

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
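An added checker (our own Python, not part of this thread or of PacketFence) that parses lines in the packetfence.log shape shown in the trace above and reports, for one MAC, whether an authentication source matched but the role was taken from node_info and came back empty, which is the pattern in this trace. The regex and the sample lines are constructed after the thread's excerpt.

```python
import re

# Shape of the packetfence.log lines in the thread (this regex is ours, not PacketFence code):
#   "Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) INFO: [mac:<mac>] <msg> (pf::mod::sub)"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<proc>[\w.-]+)\[\d+\]: \S+ "
    r"(?P<level>[A-Z]+): \[mac:(?P<mac>\[undef\]|[^\]]+)\] (?P<msg>.*?)"
    r"(?: \((?P<sub>(?:pf|fingerbank)::[\w:]+)\))?$"
)

def parse(text):
    """One dict per matching line (ts, proc, level, mac, msg, sub); other lines are skipped."""
    out = []
    for m in filter(None, (LINE_RE.match(ln.strip()) for ln in text.splitlines())):
        out.append({**m.groupdict(), "mac": m["mac"].lower(), "sub": m["sub"] or ""})
    return out

def role_decision(entries, mac):
    """What the RADIUS authorize path (httpd.aaa, pf::role::*) decided about one MAC's role."""
    mine = [e for e in entries if e["mac"] == mac.lower()]
    sources = [e["msg"] for e in mine if e["sub"].endswith("::filter_authentication_sources")]
    chain = [e for e in mine if e["sub"].startswith("pf::role::")]
    final = next((e for e in chain if e["sub"] == "pf::role::fetchRoleForNode"), None)
    m = re.search(r"Role: \(([^)]*)\)", final["msg"]) if final else None
    return {"sources": sources, "final_role": m.group(1) if m else None,
            "recompute_skipped": any("already been computed" in e["msg"] for e in chain)}

def diagnose(entries, mac):
    """Name the pattern in the thread: a source matched, but the stored (empty) role was reused."""
    d = role_decision(entries, mac)
    if d["final_role"] not in (None, "", "undefined"):
        return "role assigned: " + d["final_role"]
    if d["sources"] and d["recompute_skipped"]:
        return "source matched but role reused from node_info and is empty"
    return "no role decision found"

# Constructed sample modelled on the thread's lines (not a real capture).
SAMPLE = """\
Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) INFO: [mac:02:7a:87:11:54:dd] Found authentication source(s) : 'Machine_auth' for realm 'ad.nps.local' (pf::config::util::filter_authentication_sources)
Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) INFO: [mac:02:7a:87:11:54:dd] Role has already been computed and we don't want to recompute it. (pf::role::getNodeInfoForAutoReg)
Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) WARN: [mac:02:7a:87:11:54:dd] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489.
Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) INFO: [mac:02:7a:87:11:54:dd] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
"""

if __name__ == "__main__":
    print(diagnose(parse(SAMPLE), "02:7a:87:11:54:dd"))
```

Run it against `grep <mac> /usr/local/pf/logs/packetfence.log` output to see at a glance whether the authorize path matched a source and what fetchRoleForNode finally returned.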