Hello,
I've been trying to test PacketFence on our corporate network, but I keep running into roadblocks. I've tried to follow the PacketFence installation guide but am not able to do so because we do not use Microsoft Active Directory. The installation guide is good but unfortunately written sequentially -- it presupposes you have access to an AD environment, and in order to do the steps in later chapters (say, Chapter 11), you had to have set up everything successfully in Chapter 4/5...
Our corporate environment contains little to no Microsoft products (only supporting the odd legacy workstation or laptop). Everything else is macOS, Linux or BSD.
All we're looking to do is simply have the Radius server set the VLAN on the port based on authentication. If you authenticate, you get network access. Otherwise, nothing. The most basic and simple use case of this software (which is why I'm sure the install guide starts there).
I am using the following setup:
- PacketFence 8.1 installed on CentOS 7.5 (IP: 10.111.111.1)
- Cisco 2960X 48 port switch (IP: 10.111.111.2)
- Test LDAP server (OpenDJ 2.5.2) which has been configured the same as our corporate LDAP server.
I managed to get everything installed nicely but run into issues at section 5.2 (Titled: Connecting PacketFence to a Microsoft Active Directory). Having no AD, I couldn't complete step 5.2 in its entirety (I have no Domain to define or REALM to join) but instead went to Authentication Sources and added my internal LDAP server. I receive the "Sucess !" message when trying the test button. I then configured the switch as in sections 5.3, 5.4 and 5.5. I even got out a Windows 10 Laptop to do step 5.6. However, it has never worked. I can never move beyond step 5.7.
Symptoms:
When I connect the ethernet cable to the laptop, I am immediately prompted for a Username/Password which I provide. However it says "Authentication Failed".
I've captured the output from the Radius debug using the following command run as root (Section 12.3): raddebug -t 300 -f /usr/local/pf/var/run/radiusd.sock
##### raddebug #####
(13) Mon Oct 1 12:06:01 2018: Debug: mschap: Creating challenge hash with username: testuser
(13) Mon Oct 1 12:06:01 2018: Debug: mschap: Client is using MS-CHAPv2
(13) Mon Oct 1 12:06:01 2018: Debug: mschap: Executing: /usr/local/pf/bin/ntlm_auth_wrapper -- --request-nt-key --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
(13) Mon Oct 1 12:06:01 2018: Debug: mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}
(13) Mon Oct 1 12:06:01 2018: Debug: mschap: --> --username=testuser
(13) Mon Oct 1 12:06:01 2018: Debug: mschap: Creating challenge hash with username: testuser
(13) Mon Oct 1 12:06:01 2018: Debug: mschap: EXPAND --challenge=%{mschap:Challenge:-00}
(13) Mon Oct 1 12:06:01 2018: Debug: mschap: --> --challenge=8881e30a07b259b3
(13) Mon Oct 1 12:06:01 2018: Debug: mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
(13) Mon Oct 1 12:06:01 2018: Debug: mschap: --> --nt-response=10a441d370fdb1c7723ca301f3885e45ca2bcd6ca6f61dd9
(13) Mon Oct 1 12:06:01 2018: ERROR: mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'
(13) Mon Oct 1 12:06:01 2018: Debug: mschap: External script failed
(13) Mon Oct 1 12:06:01 2018: ERROR: mschap: External script says: Reading winbind reply failed! (0xc0000001)
(13) Mon Oct 1 12:06:01 2018: ERROR: mschap: MS-CHAP2-Response is incorrect
(13) Mon Oct 1 12:06:01 2018: Debug: [mschap] = reject
(13) Mon Oct 1 12:06:01 2018: Debug: } # else = reject
(13) Mon Oct 1 12:06:01 2018: Debug: } # else = reject
(13) Mon Oct 1 12:06:01 2018: Debug: } # policy packetfence-mschap-authenticate = reject
(13) Mon Oct 1 12:06:01 2018: Debug: } # else = reject
(13) Mon Oct 1 12:06:01 2018: Debug: } # Auth-Type MS-CHAP = reject
(13) Mon Oct 1 12:06:01 2018: Debug: eap: Sending EAP Failure (code 4) ID 8 length 4
##################
Or, an example of the issue from radius.log:
#### radius.log ####
Oct 1 13:55:43 packetfence8-1 auth[35178]: rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for 96 seconds
Oct 1 13:55:43 packetfence8-1 auth[35178]: rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 96 seconds
Oct 1 13:55:43 packetfence8-1 auth[35178]: rlm_sql (sql): Opening additional connection (2), 1 of 64 pending slots used
Oct 1 13:55:43 packetfence8-1 auth[35178]: Need 2 more connections to reach min connections (3)
Oct 1 13:55:43 packetfence8-1 auth[35178]: rlm_sql (sql): Opening additional connection (3), 1 of 63 pending slots used
Oct 1 13:55:43 packetfence8-1 auth[35178]: (13) mschap: ERROR: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'
Oct 1 13:55:43 packetfence8-1 auth[35178]: (13) Login incorrect (mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'): [testuser] (from client 10.111.111.2 port 50121 cli a0:ce:c8:09:9a:b4 via TLS tunnel)
Oct 1 13:55:43 packetfence8-1 auth[35178]: (14) eap_peap: This means you need to read the PREVIOUS messages in the debug output
Oct 1 13:55:43 packetfence8-1 auth[35178]: (14) eap_peap: to find out the reason why the user was rejected
Oct 1 13:55:43 packetfence8-1 auth[35178]: (14) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you
Oct 1 13:55:43 packetfence8-1 auth[35178]: (14) eap_peap: what went wrong, and how to fix the problem
Oct 1 13:55:43 packetfence8-1 auth[35178]: (14) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [testuser] (from client 10.111.111.2 port 50121 cli a0:ce:c8:09:9a:b4)
Oct 1 13:55:43 packetfence8-1 auth[35178]: [mac:a0:ce:c8:09:9a:b4] Rejected user: testuser
###############
I've seen the "winbind reply failed" error posted on the message board here previously, but for a different use case: https://www.mail-archive.com/[email protected]/msg15094.html
I tried adding the required portions to the packetfence-tunnel template file:
##########
    # The ldap module reads passwords from the LDAP database.
    ldap
    if (ok) {
        update control {
            &MS-CHAP-Use-NTLM-Auth := No
        }
    }
##########

But now my RADIUS server won't start up. It's saying there's no LDAP module installed. Here is the output from 'journalctl -xe':

##########
Oct 01 14:56:41 packetfence8-1.testdomain.local radiusd[43004]: /usr/local/pf/raddb/sites-enabled/packetfence-tunnel[122]: Failed to find "ldap" as a module or policy.
Oct 01 14:56:41 packetfence8-1.testdomain.local radiusd[43004]: /usr/local/pf/raddb/sites-enabled/packetfence-tunnel[122]: Please verify that the configuration exists in /usr/local/pf/raddb/mods-enabled/ldap.
Oct 01 14:56:41 packetfence8-1.testdomain.local radiusd[43004]: /usr/local/pf/raddb/sites-enabled/packetfence-tunnel[25]: Errors parsing authorize section.
##########

I don't want to start hacking around with the FreeRADIUS instance in PacketFence blindly. I don't know FreeRADIUS (and was hoping PacketFence would buffer me from having to hack together config files), but it appears this is where my issues are.

So! Could anybody recommend a way to move forward?

I don't want to believe that PacketFence has AD as a requirement for usage, but it seems like every guide or tutorial about PacketFence involves it. Every error code or issue I look up has something to do with AD. It even appears to be an integral part of the PacketFence GUI.

I hope in the future the developers would take into consideration that not everybody uses Microsoft products.

-J
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
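The two ntlm_auth arguments visible in the raddebug output above (--challenge= and --nt-response=) are the MS-CHAPv2 values defined in RFC 2759, and computing them is what any RADIUS server has to do to validate a PEAP/MS-CHAPv2 login. The Go program below is an added example written for this page; it is not PacketFence or FreeRADIUS code. It implements NtPasswordHash, ChallengeHash and ChallengeResponse from RFC 2759 (with a small MD4, since Go's standard library has none) and checks them against the test vectors in RFC 2759 section 9.2; the function names ntPasswordHash, challengeHash, ntResponse and verifyMSCHAPv2 are this example's own. The point it makes for the LDAP case: the verifier takes the user's NT hash as input. An LDAP simple bind never hands the RADIUS server that value, so replacing winbind with a bind-only LDAP source cannot make MS-CHAPv2 succeed. Either the directory exposes the hash or cleartext password as a readable attribute (FreeRADIUS rlm_mschap computes the response itself from control:NT-Password or Cleartext-Password when MS-CHAP-Use-NTLM-Auth is no, which is what the quoted snippet is aiming at), or the supplicants use an inner method such as EAP-TTLS/PAP that carries the password inside the TLS tunnel.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"unicode/utf16"
)

// md4 implements RFC 1320 (Go's standard library has no MD4; the NT hash is MD4).
func md4(msg []byte) [16]byte {
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	// Pad: 0x80, zeros up to 56 mod 64, then the 64-bit little-endian bit length.
	p := append(append([]byte{}, msg...), 0x80)
	p = append(p, make([]byte, (56-len(p)%64+64)%64)...)
	var l [8]byte
	binary.LittleEndian.PutUint64(l[:], uint64(len(msg))*8)
	p = append(p, l[:]...)
	s1, s2, s3 := [4]int{3, 7, 11, 19}, [4]int{3, 5, 9, 13}, [4]int{3, 9, 11, 15}
	o3 := [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
	for off := 0; off < len(p); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(p[off+4*i:])
		}
		aa, bb, cc, dd := a, b, c, d
		for i := 0; i < 16; i++ { // round 1: F(B,C,D) = (B and C) or (not B and D)
			a = bits.RotateLeft32(a+((b&c)|(^b&d))+x[i], s1[i%4])
			a, b, c, d = d, a, b, c
		}
		for i := 0; i < 16; i++ { // round 2: G(B,C,D) = majority(B,C,D)
			a = bits.RotateLeft32(a+((b&c)|(b&d)|(c&d))+x[(i%4)*4+i/4]+0x5a827999, s2[i%4])
			a, b, c, d = d, a, b, c
		}
		for i := 0; i < 16; i++ { // round 3: H(B,C,D) = B xor C xor D
			a = bits.RotateLeft32(a+(b^c^d)+x[o3[i]]+0x6ed9eba1, s3[i%4])
			a, b, c, d = d, a, b, c
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	var out [16]byte
	for i, v := range []uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// ntPasswordHash is NtPasswordHash() of RFC 2759: MD4 over the UTF-16LE password.
func ntPasswordHash(password string) [16]byte {
	var b []byte
	for _, u := range utf16.Encode([]rune(password)) {
		b = append(b, byte(u), byte(u>>8))
	}
	return md4(b)
}

// challengeHash is ChallengeHash() of RFC 2759; its 8 bytes are what FreeRADIUS
// hands to ntlm_auth as --challenge= (8881e30a07b259b3 in the log above).
func challengeHash(peer, auth [16]byte, username string) (out [8]byte) {
	s := sha1.Sum(append(append(peer[:], auth[:]...), username...))
	copy(out[:], s[:8])
	return
}

// desKey spreads 56 key bits over the high 7 bits of 8 key bytes (bit 0 is DES parity, ignored).
func desKey(k7 []byte) []byte {
	k := make([]byte, 8)
	for i := 0; i < 56; i++ {
		k[i/7] |= ((k7[i/8] >> (7 - i%8)) & 1) << (7 - i%7)
	}
	return k
}

// ntResponse is ChallengeResponse() of RFC 2759 (the --nt-response= value): the NT hash
// zero-padded to 21 bytes gives three 7-byte DES keys, each encrypting the 8-byte challenge.
func ntResponse(challenge [8]byte, ntHash [16]byte) (out [24]byte) {
	var z [21]byte
	copy(z[:], ntHash[:])
	for i := 0; i < 3; i++ {
		c, _ := des.NewCipher(desKey(z[7*i : 7*i+7])) // key is always 8 bytes, so no error
		c.Encrypt(out[8*i:], challenge[:])
	}
	return
}

// verifyMSCHAPv2 is the server-side check ntlm_auth/rlm_mschap performs. Its input is the
// user's NT hash from the backend; a backend that can only answer "did this bind succeed?"
// (an LDAP simple bind) cannot supply it, so there is nothing to compare the response with.
func verifyMSCHAPv2(user string, peer, auth [16]byte, resp [24]byte, ntHash [16]byte) bool {
	want := ntResponse(challengeHash(peer, auth, user), ntHash)
	return subtle.ConstantTimeCompare(want[:], resp[:]) == 1
}

func main() { // RFC 2759 section 9.2 test vectors: user "User", password "clientPass"
	var auth, peer [16]byte
	hex.Decode(auth[:], []byte("5B5D7C7D7B3F2F3E3C2C602132262628"))
	hex.Decode(peer[:], []byte("21402324255E262A28295F2B3A337C7E"))
	hash := ntPasswordHash("clientPass")
	resp := ntResponse(challengeHash(peer, auth, "User"), hash)
	fmt.Printf("NT-Response=%X verified=%v\n", resp, verifyMSCHAPv2("User", peer, auth, resp, hash))
}
```

With an NT hash attribute readable from the directory (or a cleartext password the server can hash itself), verifyMSCHAPv2 is the whole check. Without one there is nothing to compare the supplicant's response against, which is the practical reason the PacketFence guide leans on an AD join and winbind for PEAP/MS-CHAPv2.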
