Hi,

We have one last remaining issue (for the moment.....) in our test setup:

procurve 5400, 802.1x authentication, samba4 AD backend, packetfence 5.2.0.

I have added two user sources: ad-users (sAMAccountName) and
ad-computers (servicePrincipalName) on list number 2 and 3, below the
'default legacy source htpasswd'.

User authentication works, but machine auth does NOT work. Below is a
bit from the RADIUS debug log. Manually running the ntlm_auth command
(as root and as pf) gives the same result: "Logon failure (0xc000006d)".

Obviously the workstation in question IS joined to the domain, and on
the regular network, I can logon normally.

Could anyone tell me where to look to solve this? If more logs are
needed, just let me know.

Thanks in advance!

> # Executing section authorize from file 
> /usr/local/pf/raddb/sites-enabled/packetfence
> +group authorize {
> [suffix] No '@' in User-Name = "host/P002518.samba.company.com", skipping 
> NULL due to config.
> ++[suffix] = noop
> [ntdomain] No '\' in User-Name = "host/P002518.samba.company.com", looking up 
> realm NULL
> [ntdomain] Found realm "default"
> [ntdomain] Adding Stripped-User-Name = "host/P002518.samba.company.com"
> [ntdomain] Adding Realm = "default"
> [ntdomain] Authentication realm is LOCAL.
> ++[ntdomain] = ok
> ++[preprocess] = ok
> rlm_perl: Added pair HP-Capability-Advert = 0x011a0000000b28
> rlm_perl: Added pair HP-Capability-Advert = 0x011a0000000b2e
> rlm_perl: Added pair HP-Capability-Advert = 0x011a0000000b30
> rlm_perl: Added pair HP-Capability-Advert = 0x011a0000000b3d
> rlm_perl: Added pair HP-Capability-Advert = 0x0138
> rlm_perl: Added pair HP-Capability-Advert = 0x013a
> rlm_perl: Added pair HP-Capability-Advert = 0x0140
> rlm_perl: Added pair HP-Capability-Advert = 0x0141
> rlm_perl: Added pair HP-Capability-Advert = 0x0151
> rlm_perl: Added pair NAS-Port-Type = Ethernet
> rlm_perl: Added pair MS-RAS-Vendor = 11
> rlm_perl: Added pair Service-Type = Framed-User
> rlm_perl: Added pair Tunnel-Type = VLAN
> rlm_perl: Added pair State = 0xcc720d84c569141dda894508eb3f81d4
> rlm_perl: Added pair Called-Station-Id = 00-17-a4-b5-6e-00
> rlm_perl: Added pair Message-Authenticator = 0x42b57ae046a2e7f4ba0c6d07ad02
> rlm_perl: Added pair Connect-Info = CONNECT Ethernet 1000Mbps Full duplex
> rlm_perl: Added pair Realm = default
> rlm_perl: Added pair NAS-IP-Address = 192.87.143.248
> rlm_perl: Added pair Tunnel-Private-Group-Id = 1
> rlm_perl: Added pair NAS-Port-Id = A15
> rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802
> rlm_perl: Added pair Calling-Station-Id = 2c-41-38-8f-f1-3a
> rlm_perl: Added pair PacketFence-Domain = intech
> rlm_perl: Added pair Framed-Protocol = PPP
> rlm_perl: Added pair User-Name = host/P002518.samba.company.com
> rlm_perl: Added pair NAS-Identifier = Procurve chassis
> rlm_perl: Added pair EAP-Message = 
> 0x021b007b1900170301007024aa739cc370cd329ca0ed130474c0b1d66515e137ced852b7456ca03fa0d4d70fadb69284d59f73fdbb5358c1c0165c50ee33cc986c3efdc2221b775c5003b5dd8ea0e142d26591dd6d97fd47e612c
> rlm_perl: Added pair Stripped-User-Name = host/P002518.samba.company.com
> rlm_perl: Added pair NAS-Port = 15
> rlm_perl: Added pair Framed-MTU = 1480
> ++[packetfence-multi-domain] = updated
> [eap] EAP packet type response id 27 length 123
> [eap] Continuing tunnel setup.
> ++[eap] = ok
> +} # group authorize = ok
> Found Auth-Type = EAP
> # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
> +group authenticate {
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7 
> [peap] Done initial handshake
> [peap] eaptls_process returned 7 
> [peap] EAPTLS_OK
> [peap] Session established.  Decoding tunneled attributes.
> [peap] Peap state phase2
> [peap] EAP type mschapv2
> [peap] Got tunneled request
>       EAP-Message = 
> 0x021b005b1a021b005631bd6cee051bdb1f0eb317c91ad5ce988b0000000000000000f64841503030323531382e73616d62612e6d657269742e756e752e656475
> server packetfence {
> [peap] Setting User-Name to host/P002518.samba.company.com
> Sending tunneled request
>       EAP-Message = 
> 0x021b005b1a021b005631bd6cee051bdb1f0eb317c91ad5ce988b0000000000000000f64841ed148986f73742f503030323531382e73616d62612e6d657269742e756e752e656475
>       FreeRADIUS-Proxied-To = 127.0.0.1
>       User-Name = "host/P002518.samba.company.com"
>       State = 0xb1c5c8ddb1ded38d361204
>       HP-Capability-Advert += 0x011a0000000b28
>       HP-Capability-Advert += 0x011a0000000b2e
>       HP-Capability-Advert += 0x011a0000000b30
>       HP-Capability-Advert += 0x011a0000000b3d
>       HP-Capability-Advert += 0x0138
>       HP-Capability-Advert += 0x013a
>       HP-Capability-Advert += 0x0140
>       HP-Capability-Advert += 0x0141
>       HP-Capability-Advert += 0x0151
>       NAS-Port-Type = Ethernet
>       MS-RAS-Vendor = 11
>       Service-Type = Framed-User
>       Tunnel-Type:0 = VLAN
>       Called-Station-Id = "00-17-a4-b5-6e-00"
>       Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
>       NAS-IP-Address = 192.87.143.248
>       Tunnel-Private-Group-Id:0 = "1"
>       NAS-Port-Id = "A15"
>       Tunnel-Medium-Type:0 = IEEE-802
>       Calling-Station-Id = "2c-41-38-8f-f1-3a"
>       PacketFence-Domain = "intech"
>       Framed-Protocol = PPP
>       NAS-Identifier = "Procurve chassis"
>       NAS-Port = 15
>       Framed-MTU = 1480
> server packetfence-tunnel {
> # Executing section authorize from file 
> /usr/local/pf/raddb/sites-enabled/packetfence-tunnel
> +group authorize {
> [suffix] No '@' in User-Name = "host/P002518.samba.company.com", skipping 
> NULL due to config.
> ++[suffix] = noop
> [ntdomain] No '\' in User-Name = "host/P002518.samba.company.com", looking up 
> realm NULL
> [ntdomain] Found realm "default"
> [ntdomain] Adding Stripped-User-Name = "host/P002518.samba.company.com"
> [ntdomain] Adding Realm = "default"
> [ntdomain] Authentication realm is LOCAL.
> ++[ntdomain] = ok
> rlm_perl: Added pair NAS-Port-Type = Ethernet
> rlm_perl: Added pair HP-Capability-Advert = 0x011a0000000b28
> rlm_perl: Added pair HP-Capability-Advert = 0x011a0000000b2e
> rlm_perl: Added pair HP-Capability-Advert = 0x011a0000000b30
> rlm_perl: Added pair HP-Capability-Advert = 0x011a0000000b3d
> rlm_perl: Added pair HP-Capability-Advert = 0x0138
> rlm_perl: Added pair HP-Capability-Advert = 0x013a
> rlm_perl: Added pair HP-Capability-Advert = 0x0140
> rlm_perl: Added pair HP-Capability-Advert = 0x0141
> rlm_perl: Added pair HP-Capability-Advert = 0x0151
> rlm_perl: Added pair MS-RAS-Vendor = 11
> rlm_perl: Added pair Service-Type = Framed-User
> rlm_perl: Added pair Tunnel-Type = VLAN
> rlm_perl: Added pair Called-Station-Id = 00-17-a4-b5-6e-00
> rlm_perl: Added pair State = 0xb1c5c8ddb209eec8e7d38d361204
> rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
> rlm_perl: Added pair Connect-Info = CONNECT Ethernet 1000Mbps Full duplex
> rlm_perl: Added pair Realm = default
> rlm_perl: Added pair NAS-IP-Address = 192.87.143.248
> rlm_perl: Added pair NAS-Port-Id = A15
> rlm_perl: Added pair Tunnel-Private-Group-Id = 1
> rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802
> rlm_perl: Added pair Calling-Station-Id = 2c-41-38-8f-f1-3a
> rlm_perl: Added pair Framed-Protocol = PPP
> rlm_perl: Added pair PacketFence-Domain = intech
> rlm_perl: Added pair User-Name = host/P002518.samba.company.com
> rlm_perl: Added pair NAS-Identifier = Procurve chassis
> rlm_perl: Added pair EAP-Message = 
> 0x02151bdb1f0eb317c91ad5ce988b0000000000000000f64841ed14890d8b7193cce1a50ff2e21ca06b489593079900686f73742f503030323531382e73616d62612e6d657269742e756e752e656475
> rlm_perl: Added pair Stripped-User-Name = host/P002518.samba.company.com
> rlm_perl: Added pair NAS-Port = 15
> rlm_perl: Added pair Framed-MTU = 1480
> ++[packetfence-multi-domain] = updated
> [eap] EAP packet type response id 27 length 91
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] = updated
> ++[files] = noop
> ++[expiration] = noop
> ++[logintime] = noop
> +} # group authorize = updated
> Found Auth-Type = EAP
> # Executing group from file 
> /usr/local/pf/raddb/sites-enabled/packetfence-tunnel
> +group authenticate {
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] # Executing group from file 
> /usr/local/pf/raddb/sites-enabled/packetfence-tunnel
> [mschapv2] +group MS-CHAP {
> [mschapv2] ++? if (PacketFence-Domain)
> [mschapv2] ? Evaluating (PacketFence-Domain) -> TRUE
> [mschapv2] ++? if (PacketFence-Domain) -> TRUE
> [mschapv2] ++if (PacketFence-Domain) {
> [chrooted_mschap] Creating challenge hash with username: 
> host/P002518.samba.company.com
> [chrooted_mschap] Client is using MS-CHAPv2 for 
> host/P002518.samba.company.com, we need NT-Password
> [chrooted_mschap]     expand: /chroots/%{PacketFence-Domain} -> 
> /chroots/intech
> [chrooted_mschap]     expand: %{Stripped-User-Name} -> 
> host/P002518.samba.company.com
> [chrooted_mschap]     expand: 
> --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} -> 
> --username=host/P002518.samba.company.com
> [chrooted_mschap] Creating challenge hash with username: 
> host/P002518.samba.company.com
> [chrooted_mschap]     expand: --challenge=%{mschap:Challenge:-00} -> 
> --challenge=6cac55081ab
> [chrooted_mschap]     expand: --nt-response=%{mschap:NT-Response:-00} -> 
> --nt-response=f64841ed14890d8b7193cce1a50f930799
> Exec output: Logon failure (0xc000006d) 
> Exec plaintext: Logon failure (0xc000006d) 
> [chrooted_mschap] Exec: program returned: 1
> [chrooted_mschap] External script failed.
> [chrooted_mschap] FAILED: MS-CHAP2-Response is incorrect
> +++[chrooted_mschap] = reject
> ++} # if (PacketFence-Domain) = reject
> +} # group MS-CHAP = reject
> [eap] Freeing handler
> ++[eap] = reject
> +} # group authenticate = reject
> Failed to authenticate the user.
> Login incorrect (chrooted_mschap: External script says Logon failure 
> (0xc000006d)): [host/P002518.samba.company.com] (from client 192.87.143.248 
> port 15 cli 2c-41-38-8f-f1-3a via TLS tunnel)
> Using Post-Auth-Type REJECT
> # Executing group from file 
> /usr/local/pf/raddb/sites-enabled/packetfence-tunnel
> +group REJECT {
> [attr_filter.access_reject]   expand: %{User-Name} -> 
> host/P002518.samba.company.com
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] = updated
> +} # group REJECT = updated
> } # server packetfence-tunnel
> [peap] Got tunneled reply code 3
>       MS-CHAP-Error = "\033E=691 R=0"
>       EAP-Message = 0x041b0004
>       Message-Authenticator = 0x00000000000000000000000000000000
> [peap] Got tunneled reply RADIUS code Access-Reject
>       MS-CHAP-Error = "\033E=691 R=0"
>       EAP-Message = 0x041b0004
>       Message-Authenticator = 0x00000000000000000000000000000000
> [peap] Tunneled authentication was rejected.
> [peap] FAILURE
> ++[eap] = handled
> +} # group authenticate = handled
> } # server packetfence
> Sending Access-Challenge of id 61 to 192.87.143.248 port 1812
>       EAP-Message = 
> 0x011c002b1900170301002094a172dfdda892fe5013217d966ba603fc6f011240d8053166ee1d219f
>       Message-Authenticator = 0x00000000000000000000000000000000
>       State = 0xcc720d84c66e14a894508eb3f81d4
> Finished request 10.
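As an added example (not code from the original post, from PacketFence or from FreeRADIUS), a small Python triage helper that walks a FreeRADIUS debug log like the one quoted above, reports which module returned reject and the identity string that reached ntlm_auth, and decodes the NTSTATUS and MS-CHAP error codes it finds. The log excerpt embedded in it is a constructed abbreviation of the quoted output, and the account-form classification is this example's own heuristic.

```python
import re

# Constructed abbreviation of the FreeRADIUS debug output quoted in the post
# (only the lines the triage function looks at are kept).
SAMPLE_LOG = r"""
[chrooted_mschap]     expand: --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} -> --username=host/P002518.samba.company.com
Exec output: Logon failure (0xc000006d)
[chrooted_mschap] Exec: program returned: 1
[chrooted_mschap] FAILED: MS-CHAP2-Response is incorrect
+++[chrooted_mschap] = reject
      MS-CHAP-Error = "\033E=691 R=0"
"""

# NTSTATUS values ntlm_auth reports on failure (Windows error catalogue).
NTSTATUS = {
    "0xc000006d": "STATUS_LOGON_FAILURE: account name or password rejected by the DC",
    "0xc0000064": "STATUS_NO_SUCH_USER",
    "0xc0000072": "STATUS_ACCOUNT_DISABLED",
    "0xc0000234": "STATUS_ACCOUNT_LOCKED_OUT",
}
# MS-CHAPv2 Failure packet error codes (RFC 2759, section 6).
MSCHAP_ERROR = {
    "647": "ERROR_ACCT_DISABLED",
    "648": "ERROR_PASSWD_EXPIRED",
    "691": "ERROR_AUTHENTICATION_FAILURE",
    "709": "ERROR_CHANGING_PASSWORD",
}

def identity_form(username):
    # Classify the identity string handed to ntlm_auth --username (heuristic of this example).
    if username.startswith("host/"):
        return "service principal (host/fqdn); AD stores computer accounts as sAMAccountName NAME$"
    if username.endswith("$"):
        return "machine account (sAMAccountName)"
    return "user account"

def triage(log_text):
    # Extract the rejecting module, the identity, and both error codes from a debug log.
    result = {}
    m = re.search(r"^\++\[([\w.-]+)\] = reject", log_text, re.M)
    result["rejecting_module"] = m.group(1) if m else None
    m = re.search(r"-> --username=(\S+)", log_text)
    result["username"] = m.group(1) if m else None
    result["identity_form"] = identity_form(result["username"]) if result["username"] else None
    m = re.search(r"Exec output: .*\((0x[0-9a-fA-F]+)\)", log_text)
    code = m.group(1).lower() if m else None
    result["ntstatus"] = NTSTATUS.get(code, code)
    m = re.search(r'MS-CHAP-Error = ".*?E=(\d+)', log_text)
    result["mschap_error"] = MSCHAP_ERROR.get(m.group(1), m.group(1)) if m else None
    return result
```

Run `triage(open("radius-debug.log").read())` on a full `radiusd -X` capture to get the same summary for a real session; the identity-form field is only a hint about what ntlm_auth was asked to verify, not a verdict on why the DC rejected it.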


_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users