Hello, Can you tell me one use case that you want to achieve with EAP TLS authentication ?
Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead
Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

Connect with Us: <https://community.akamai.com/> <http://blogs.akamai.com/> <https://twitter.com/akamai> <http://www.facebook.com/AkamaiTechnologies> <http://www.linkedin.com/company/akamai-technologies> <http://www.youtube.com/user/akamaitechnologies?feature=results_main>

> On Mar 12, 2024, at 10:33 AM, Jochen Ackermann <jochen.ackerm...@igd.fraunhofer.de> wrote:
>
> On 06.03.2024 17:22, Zammit, Ludovic wrote:
>> Correct, I'm referring to the computer authentication mode on the Windows supplicant setup.
>> All authentication interaction would be logged into /usr/local/pf/logs/packetfence.log; you do the following:
>> grep MAC-ADDRESS /usr/local/pf/logs/packetfence.log
>
> Hello Ludovic,
>
> thank you for pointing out the logfile, but unfortunately I don't know what to look for (although I could be missing the obvious here). AFAIK the hostname has to follow the form host/hostname or hostname$ to signify a machine name to AD, but I don't know why PacketFence would treat it as a username or how to identify the mismatch in the logfile. To me the lines "modify of non-existent person host\myhost..." and "Already did a person lookup for host/myhost..." in the packetfence.log look suspicious, but I can't see a reason for switching to person/user.
>
> I also include excerpts from the raddebug log and would be glad if you (or someone) could tell me where to look for clues (or if maybe the relevant part is missing).
>
> I also tried to employ EXAMPLE_eap-tls-preProcess to set the name to myhost$, but while the rule is matched (according to packetfence.log), I can see no changes and moreover I'm not sure which parameter exactly to set. TLS-Stripped-Username, as well as some others, didn't seem to have any effect; the log output at least stays the same.
>
> Radius filter:
> [eap-tls-preProcess-MachineAuth]
> status=disabled
> top_op=and
> description=Preprocess attribute for EAP-TLS
> merge_answer=no
> condition=connection_type =~ "Ethernet-EAP" && (contains(radius_request.User-Name, "host/") || contains(radius_request.username, "host/") || contains(username, "host/"))
> scopes=preProcess
> answer.0=TLS-Stripped-UserName = ${BuildFromMatch($radius_request.TLS-Client-Cert-Subject-Alt-Name,"^[^.]+","$0"."$")}
>
> from packetfence.log:
> is doing machine auth with account 'host/myhost.my.domain'. (pf::radius::_machine_auth_detection)
> Instantiate profile cProfile-8021x-machine-auth (pf::Connection::ProfileFactory::_from_profile)
> Found authentication source(s) : 'AuthSource-machine' for realm 'my.domain' (pf::config::util::filter_authentication_sources)
> Using sources AuthSource-machine for matching (pf::authentication::match2)
> Matched rule (rule-vlan5) in source AuthSource-machine, returning actions. (pf::Authentication::Source::match)
> modify of non-existent person host/myhost.my.domain attempted - person added (pf::person::person_modify)
> Found authentication source(s) : 'AuthSource-machine' for realm 'my.domain' (pf::config::util::filter_authentication_sources)
> Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
> Username was defined "host/myhost.my.domain" - returning role 'role-vlan5' (pf::role::getRegisteredRole)
> PID: "host/myhost.my.domain", Status: reg Returned VLAN: (undefined), Role: role-vlan5 (pf::role::fetchRoleForNode)
> Already did a person lookup for host/myhost.my.domain (pf::lookup::person::lookup_person)
> (10.1.1.1) Added VLAN 5 to the returned RADIUS Access-Accept (pf::Switch::Template::returnRadiusAccessAccept)
>
> from raddebug -f
> (222) Debug: Received Access-Request Id 198 from 10.1.1.1:1645 to 10.1.1.10:1812 length 264
> (222) Debug: User-Name = "host/myhost.my.domain"
> (222) Debug: authorize {
> (222) Debug: policy packetfence-set-realm-if-machine {
> (222) Debug: if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) {
> (222) Debug: if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) -> TRUE
> (222) Debug: if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) {
> (222) Debug: update {
> (222) Debug: EXPAND %{2}
> (222) Debug: --> my.domain
> (222) Debug: } # update = noop
> (222) Debug: } # if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) = noop
> (222) Debug: } # policy packetfence-set-realm-if-machine = noop
> ...
> (222) Debug: policy filter_username {
> (222) Debug: if (&User-Name) {
> (222) Debug: if (&User-Name) -> TRUE
> (222) Debug: if (&User-Name) {
> (222) Debug: if (&User-Name =~ / /) {
> (222) Debug: if (&User-Name =~ / /) -> FALSE
> (222) Debug: if (&User-Name =~ /@[^@]*@/ ) {
> (222) Debug: if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (222) Debug: if (&User-Name =~ /\.\./ ) {
> (222) Debug: if (&User-Name =~ /\.\./ ) -> FALSE
> (222) Debug: if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (222) Debug: if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
> (222) Debug: if (&User-Name =~ /\.$/) {
> (222) Debug: if (&User-Name =~ /\.$/) -> FALSE
> (222) Debug: if (&User-Name =~ /@\./) {
> (222) Debug: if (&User-Name =~ /@\./) -> FALSE
> (222) Debug: } # if (&User-Name) = updated
> (222) Debug: } # policy filter_username = updated
> ...
> (222) Debug: if (Realm =~ /my.domain$/) {
> (222) Debug: if (Realm =~ /my.domain$/) -> TRUE
> (222) Debug: if (Realm =~ /my.domain$/) {
> (222) Debug: default-EAP-TLS: Peer sent EAP Response (code 2) ID 3 length 6
> (222) Debug: default-EAP-TLS: No EAP Start, assuming it's an on-going EAP conversation
> (222) Debug: [default-EAP-TLS] = updated
> (222) Debug: } # if (Realm =~ /my.domain$/) = updated
> (222) Debug: ... skipping elsif: Preceding "if" was taken
> (222) Debug: ... skipping else: Preceding "if" was taken
> (222) Debug: if ( !EAP-Message && "%{%{Control:Auth-type}:-No-MS_CHAP}" != "MS-CHAP") {
> (222) Debug: if ( !EAP-Message && "%{%{Control:Auth-type}:-No-MS_CHAP}" != "MS-CHAP") -> FALSE
> (222) Debug: if ("%{%{Control:Auth-type}:-No-MS_CHAP}" == "MS-CHAP") {
> (222) Debug: EXPAND %{%{Control:Auth-type}:-No-MS_CHAP}
> (222) Debug: --> default-EAP-TLS
> (222) Debug: if ("%{%{Control:Auth-type}:-No-MS_CHAP}" == "MS-CHAP") -> FALSE
> ...
> ...
> (228) Debug: # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence
> (228) Debug: authorize {
> (228) Debug: policy packetfence-set-realm-if-machine {
> (228) Debug: if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) {
> (228) Debug: if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) -> TRUE
> (228) Debug: if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) {
> (228) Debug: update {
> (228) Debug: EXPAND %{2}
> (228) Debug: --> my.domain
> (228) Debug: } # update = noop
> (228) Debug: } # if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) = noop
> (228) Debug: } # policy packetfence-set-realm-if-machine = noop
> ...
> (228) Debug: default-EAP-TLS: Calling submodule eap_tls to process data
> ...
> (228) Debug: eap_tls: (TLS) Creating attributes from client certificate
> ...
> (228) Debug: eap_tls: TLS-Client-Cert-Common-Name := "myhost.my.domain"
> (228) Debug: eap_tls: TLS-Client-Cert-Subject-Alt-Name-Upn := "myhost$@my.domain"
> (228) Debug: eap_tls: TLS-Client-Cert-Subject-Alt-Name-Dns := "myhost.my.domain"
> ...
> (229) Debug: Received Access-Request Id 205 from 10.1.1.1:1645 to 10.1.1.10:1812 length 264
> (229) Debug: User-Name = "host/myhost.my.domain"
>
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
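The thread above hinges on three small pieces of text processing: the `host\/([a-z0-9_-]*)[\.](.*)` regex in the `packetfence-set-realm-if-machine` policy, the sequence of sanity checks in `filter_username`, and the `BuildFromMatch(..., "^[^.]+", "$0"."$")` expression in the radius filter. The following is an added example, written for this page and not PacketFence or FreeRADIUS code, that re-implements those three pieces in plain Python so their effect on a given User-Name or certificate SAN can be checked offline before a filter is changed. The host and realm names are the placeholders from the thread; `build_from_match` is an assumed emulation of the filter helper based only on how the thread uses it, and `machine_account` (preferring the certificate SAN over the supplicant's User-Name) is a hypothetical helper whose preference order is this example's choice. One thing the example makes visible is that the same `^[^.]+` match produces `myhost$` from the `...-Dns` SAN value but `myhost$@my$` from the `...-Upn` value, so which SAN attribute the expression is fed matters; the raddebug excerpt shows the certificate SANs as `TLS-Client-Cert-Subject-Alt-Name-Upn` and `-Dns`, while the filter references `TLS-Client-Cert-Subject-Alt-Name` without a suffix.

```python
"""Offline model of the User-Name / SAN handling seen in the thread.

Added example, not PacketFence or FreeRADIUS code. Regexes are copied from
the raddebug excerpt; BuildFromMatch's behaviour is an assumption.
"""
import re

# Regex shown in policy packetfence-set-realm-if-machine (unanchored, case-insensitive)
MACHINE_USER_NAME_RE = re.compile(r"host/([a-z0-9_-]*)\.(.*)", re.IGNORECASE)


def realm_if_machine(user_name: str):
    """Realm the policy would derive (%{2}) from a host/<name>.<realm> User-Name,
    or None when the User-Name is not in machine form."""
    m = MACHINE_USER_NAME_RE.search(user_name)
    return m.group(2) if m else None


def filter_username(user_name: str):
    """Mirror the checks of policy filter_username, in the order the excerpt shows.
    Returns None when the User-Name passes, else the reason it would be rejected."""
    if re.search(r" ", user_name):
        return "contains whitespace"
    if re.search(r"@[^@]*@", user_name):
        return "more than one @"
    if re.search(r"\.\.", user_name):
        return "contains '..'"
    if "@" in user_name and not re.search(r"@(.+)\.(.+)$", user_name):
        return "realm after @ has no dot"
    if re.search(r"\.$", user_name):
        return "trailing dot"
    if re.search(r"@\.", user_name):
        return "'@' followed by '.'"
    return None


def build_from_match(value: str, pattern: str, template: str):
    """Assumed emulation of the radius-filter BuildFromMatch helper: apply
    `pattern` to `value` and substitute $0, $1, ... into `template`.
    Returns None when the pattern does not match."""
    m = re.search(pattern, value)
    if m is None:
        return None
    out = template
    # Highest group index first so "$1" never eats the prefix of "$10".
    for i in range(len(m.groups()), -1, -1):
        out = out.replace(f"${i}", m.group(i) or "")
    return out


def machine_account(user_name=None, san_upn=None, san_dns=None):
    """Hypothetical helper: derive (sAMAccountName, realm) for a machine
    authentication, preferring the client certificate over the User-Name."""
    if san_upn and "@" in san_upn:
        name, realm = san_upn.split("@", 1)
        return (name if name.endswith("$") else name + "$"), realm
    if san_dns and "." in san_dns:
        host, realm = san_dns.split(".", 1)
        return host + "$", realm
    if user_name:
        m = MACHINE_USER_NAME_RE.search(user_name)
        if m:
            return m.group(1) + "$", m.group(2)
    return None


# Constructed request modelled on the attributes in the raddebug excerpt (placeholder names)
SAMPLE_REQUEST = {
    "User-Name": "host/myhost.my.domain",
    "TLS-Client-Cert-Common-Name": "myhost.my.domain",
    "TLS-Client-Cert-Subject-Alt-Name-Upn": "myhost$@my.domain",
    "TLS-Client-Cert-Subject-Alt-Name-Dns": "myhost.my.domain",
}


def evaluate(request: dict) -> dict:
    """Run one request through all three pieces and collect the outcome."""
    user_name = request["User-Name"]
    upn = request.get("TLS-Client-Cert-Subject-Alt-Name-Upn", "")
    dns = request.get("TLS-Client-Cert-Subject-Alt-Name-Dns", "")
    return {
        "rejected_by_filter_username": filter_username(user_name),
        "realm": realm_if_machine(user_name),
        # The filter's "$0"."$" template, fed each SAN flavour in turn
        "stripped_from_dns_san": build_from_match(dns, r"^[^.]+", "$0$"),
        "stripped_from_upn_san": build_from_match(upn, r"^[^.]+", "$0$"),
        "machine_account": machine_account(user_name, upn, dns),
    }


if __name__ == "__main__":
    for key, value in evaluate(SAMPLE_REQUEST).items():
        print(f"{key}: {value}")
```

Running the block prints the outcome for the constructed request; to try a different supplicant or certificate, edit `SAMPLE_REQUEST` or call `evaluate()` with another dictionary. Any User-Name that `filter_username` rejects is one FreeRADIUS would have refused before PacketFence's own matching ran, which is the first thing to rule out when a request behaves unexpectedly.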