Hello,

I am trying to get MAC auth working on packetfence-8.3.0-1.el7.noarch to
replicate a legacy system we currently have going. (We may use more
advanced features later.)

I have exported some systems from the old system via MySQL CSV and
imported them into PF; they show up as registered in the web UI and via
"pfcmd node view <mac>".

I have added a 'switch' to PF:

        [10.0.0.22]
        description=Nagios
        useCoA=N
        radiusSecret=rads3cret
        group=Desktops
        inlineTrigger=

        [group Desktops]
        inlineTrigger=always::1
        description=Desktops
        VLAN_101Vlan=101
        VLAN_100Vlan=100
        [...]
        VLAN_544Vlan=544
        VLAN_125Vlan=125
        VLAN_562Vlan=562
        cliAccess=Y

I have also added the following to "pf/raddb/users" so that we can monitor
via Nagios (which is what we're doing with the legacy system):

        nagios  Cleartext-Password := "nagPass"

However, when I try to test MACauth:

        $ echo "User-Name=08:00:29:d2:51:91,User-Password=08:00:29:d2:51:91" | /usr/bin/radclient -s pf1.net auth rads3cret
        Received response ID 189, code 3, length = 20

           Total approved auths:  0
             Total denied auths:  1
               Total lost auths:  0

I get the following in "pf/logs/packetfence.log":

        May  6 12:58:23 net-pf1 packetfence_httpd.aaa: httpd.aaa(6385) ERROR: [mac:[undef]] unable to read password file '/usr/local/pf/conf/admin.conf' (pf::Authentication::Source::HtpasswdSource::authenticate)
        May  6 12:58:23 net-pf1 packetfence_httpd.aaa: httpd.aaa(6385) INFO: [mac:[undef]] User 08:00:27:d2:51:90 tried to login in 10.0.0.22 but authentication failed (pf::radius::switch_access)


And the following in "pf/logs/radius.log":

        May  6 12:59:01 pf1 auth[8108]: Need 7 more connections to reach 10 spares
        May  6 12:59:01 pf1 auth[8108]: rlm_sql (sql): Opening additional connection (9), 1 of 61 pending slots used
        May  6 12:59:01 pf1 auth[8108]: rlm_rest (rest): Closing connection (6): Hit idle_timeout, was idle for 85 seconds
        May  6 12:59:01 pf1 auth[8108]: (5) rest: ERROR: Server returned:
        May  6 12:59:01 pf1 auth[8108]: (5) rest: ERROR: {"control:PacketFence-Authorization-Status":"allow","Reply-Message":"Authentication failed on PacketFence"}
        May  6 12:59:01 pf1 auth[8108]: Need 1 more connections to reach min connections (3)
        May  6 12:59:01 pf1 auth[8108]: rlm_rest (rest): Opening additional connection (8), 1 of 62 pending slots used
        May  6 12:59:01 pf1 auth[8108]: [mac:] Rejected user: 08:00:29:d2:51:91
        May  6 12:59:01 pf1 auth[8108]: (5) Rejected in post-auth: [08:00:29:d2:51:91] (from client 10.0.0.22 port 0)
        May  6 12:59:01 pf1 auth[8108]: (5) Login incorrect (rest: Server returned:): [08:00:29:d2:51:91] (from client 10.0.0.22 port 0)

The file "pf/conf/authentication.conf" is basically the default:

        [local]
        description=Local Users
        type=SQL
        dynamic_routing_module=AuthModule

        [file1]
        description=Legacy Source
        path=/usr/local/pf/conf/admin.conf
        type=Htpasswd
        realms=null
        dynamic_routing_module=AuthModule
        [...]

Pointing it at the current setup:

        $ echo "User-Name=08:00:29:d2:51:91,User-Password=08:00:29:d2:51:91" | /usr/bin/radclient radius1.net auth rads3cret
        Received response ID 218, code 2, length = 37
                Tunnel-Type:0 = VLAN
                Tunnel-Medium-Type:0 = IEEE-802
                Tunnel-Private-Group-Id:0 = "100"

Similar results if I use 'echo "User-Name=nagios,User-Password=nagPass"':
works on the legacy systems where the nagios account is in
/etc/freeradius/users, does not work with PF.


How do I get MACauth working? radiusd(8) does not seem to be talking to
MySQL to look up the MAC addresses.


Thanks for any info.
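When chasing a rejection like the one above, it helps to pull the "Rejected in post-auth" lines out of radius.log and join each one to the JSON body that rlm_rest logged for the same request id, so the PacketFence authorization status and Reply-Message sit next to the rejected User-Name and the client that sent it. The following is an added example, not part of the original post and not PacketFence or FreeRADIUS code; the sample log text is constructed to match the line shapes quoted above, and the function names are this example's own.

```python
"""Parse FreeRADIUS-style radius.log lines and summarise MAC-auth rejections
together with the PacketFence REST reply logged for the same request.

Added example: SAMPLE_LOG is constructed from the line formats in the post,
and parse_rejections/rejections_per_client/looks_like_mac are names chosen
here, not PacketFence or FreeRADIUS APIs.
"""
import json
import re
from collections import Counter

# Syslog-style prefix: "<Mon> <day> <HH:MM:SS> <host> auth[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"auth\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# "(5) Rejected in post-auth: [user] (from client 10.0.0.22 port 0)"
REJECT_RE = re.compile(
    r"^\((?P<req>\d+)\) Rejected in post-auth: \[(?P<user>[^\]]+)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)\)$"
)
# "(5) rest: ERROR: {...json reply from PacketFence...}"
REST_BODY_RE = re.compile(r"^\((?P<req>\d+)\) rest: ERROR: (?P<body>\{.*\})$")

# Constructed sample modelled on the excerpt in the post (second request added).
SAMPLE_LOG = """\
May  6 12:59:01 pf1 auth[8108]: rlm_rest (rest): Closing connection (6): Hit idle_timeout, was idle for 85 seconds
May  6 12:59:01 pf1 auth[8108]: (5) rest: ERROR: Server returned:
May  6 12:59:01 pf1 auth[8108]: (5) rest: ERROR: {"control:PacketFence-Authorization-Status":"allow","Reply-Message":"Authentication failed on PacketFence"}
May  6 12:59:01 pf1 auth[8108]: [mac:] Rejected user: 08:00:29:d2:51:91
May  6 12:59:01 pf1 auth[8108]: (5) Rejected in post-auth: [08:00:29:d2:51:91] (from client 10.0.0.22 port 0)
May  6 12:59:01 pf1 auth[8108]: (5) Login incorrect (rest: Server returned:): [08:00:29:d2:51:91] (from client 10.0.0.22 port 0)
May  6 12:59:05 pf1 auth[8108]: (6) rest: ERROR: {"control:PacketFence-Authorization-Status":"deny","Reply-Message":"Node not registered"}
May  6 12:59:05 pf1 auth[8108]: (6) Rejected in post-auth: [aa:bb:cc:dd:ee:ff] (from client 10.0.0.23 port 0)
"""


def parse_rejections(text):
    """Return one record per 'Rejected in post-auth' line, joined to the JSON
    body rlm_rest logged for the same (pid, request id), when there is one."""
    rest_bodies = {}   # (pid, req) -> parsed JSON reply from PacketFence
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue   # not an auth[] message; ignore
        pid, msg = m["pid"], m["msg"]
        b = REST_BODY_RE.match(msg)
        if b:
            try:
                rest_bodies[(pid, b["req"])] = json.loads(b["body"])
            except json.JSONDecodeError:
                pass   # wrapped or truncated body: do not guess its contents
            continue
        r = REJECT_RE.match(msg)
        if r:
            body = rest_bodies.get((pid, r["req"]), {})
            records.append({
                "time": m["ts"],
                "request": int(r["req"]),
                "user": r["user"],
                "client": r["client"],
                "pf_status": body.get("control:PacketFence-Authorization-Status"),
                "reply_message": body.get("Reply-Message"),
            })
    return records


def rejections_per_client(records):
    """Count rejections by the NAS / client IP that sent the request."""
    return Counter(rec["client"] for rec in records)


def looks_like_mac(user):
    """True when the RADIUS User-Name is a MAC address, i.e. a MAC-auth request."""
    return re.fullmatch(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", user, re.I) is not None


if __name__ == "__main__":
    recs = parse_rejections(SAMPLE_LOG)
    for rec in recs:
        kind = "mac-auth" if looks_like_mac(rec["user"]) else "user"
        print(f"{rec['time']} client={rec['client']} {kind}={rec['user']} "
              f"pf_status={rec['pf_status']} reason={rec['reply_message']!r}")
    print(rejections_per_client(recs))
```

Run it against a real radius.log by replacing SAMPLE_LOG with the file contents. Keying the REST body on both the worker pid and the bracketed request id matters because FreeRADIUS reuses request numbers across workers; with the two fields side by side you can see at a glance, as in the excerpt above, that PacketFence answered with an authorization status of "allow" while its Reply-Message still said authentication failed.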




_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
