Hmm. Pretty sure I had it disabled but I will test it again to make
sure.

Thanks!
-Ryan



This e-mail message together with any attachments or reply should not be
considered private or confidential because it may be archived and
subject to public disclosure under certain circumstances, such as
requests made pursuant to Wisconsin public records law.

The message is intended solely for the use of the individual or entity
to which they are addressed.  Please notify the sender immediately by
e-mail if you have received this e-mail by mistake and delete this
e-mail from your system.  Please note that the views or opinions
presented in this e-mail are solely those of the author and do not
necessarily represent those of the School District of Hartford Jt. #1. 
Any unauthorized use, distribution, copying or disclosure by you or to
any other person is prohibited. 


>>> Durand fabrice via PacketFence-users
<packetfence-users@lists.sourceforge.net> 1/5/2020 3:14 PM >>>
Hello Ryan,

It looks like you enabled autoregister on the connection profile.
Disable it and retry.
Regards
Fabrice

On 19-12-25 at 10:08, Ryan Radschlag via PacketFence-users wrote:


We're trying to get down to having one open ssid, having people be
dumped into the registration vlan by default, sending them to the
captive portal if not yet registered, and then having packetfence put
people in the correct vlans after registering their node. So I have
unrouted isolation and registration vlans directly attached to
packetfence/wlan controller and then the other vlans are only attached
to the wlan controller. 
I have a mac blacklist enabled on the wlan controller to force it to do
a RADIUS request to packetfence for authentication. If I disable that,
I'm directed to the portal (no RADIUS requests though, which is as it
should be), so I know I'm on the correct vlan and the nodes can see the
packetfence server.

So, I connect to the wireless network. And I see the wlan controller
send the radius request with the mac address of the machine as the
username and the mac address as the password. But then I see packetfence
send a reject message to the wlan controller. When I look in the web
interface under the RADIUS audit log, all of the requests from nodes
that are supposed to be mac-based authentication don't have anything in
the mac address field or the Calling-Station-Id field, and you see the
[mac:[undef]] in the packetfence.log. My question is, should the fields
be populated by the mac address when doing mac auth or am I looking in
the wrong direction? Is packetfence parsing the RADIUS request
incorrectly? Is there a way to do a rewrite and graft the username into
the mac address/calling-station-id field if that is the case? If I do
802.1x auth, the mac address and calling-station-id fields are populated
correctly. I've included the packetfence and radius logs below.

RADIUS.LOG:
Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_sql (sql): Closing connection
(0): Hit idle_timeout, was idle for 383 seconds
Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_sql (sql): Closing connection
(2): Hit idle_timeout, was idle for 383 seconds
Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_sql (sql): Closing connection
(1): Hit idle_timeout, was idle for 383 seconds
Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_sql (sql): Opening additional
connection (3), 1 of 64 pending slots used
Dec 24 10:37:42 hsd-pf-1 auth[12979]: Need 2 more connections to reach
min connections (3)
Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_sql (sql): Opening additional
connection (4), 1 of 63 pending slots used
Dec 24 10:37:42 hsd-pf-1 auth[12979]: Adding client *REDACTED*
Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_rest (rest): Closing
connection (0): Hit idle_timeout, was idle for 383 seconds
Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_rest (rest): Closing
connection (1): Hit idle_timeout, was idle for 383 seconds
Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_rest (rest): Opening
additional connection (2), 1 of 64 pending slots used
Dec 24 10:37:42 hsd-pf-1 auth[12979]: (28) rest: ERROR: Server
returned:
Dec 24 10:37:42 hsd-pf-1 auth[12979]: (28) rest:
ERROR:{"control:PacketFence-Authorization-Status":"allow","Reply-Message":"Authentication
failed on PacketFence"}
Dec 24 10:37:42 hsd-pf-1 auth[12979]: Need 2 more connections to reach
min connections (3)
Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_rest (rest): Opening
additional connection (3), 1 of 63 pending slots used
Dec 24 10:37:42 hsd-pf-1 auth[12979]: [mac:] Rejected user:
a8:1d:16:7d:c8:11
Dec 24 10:37:42 hsd-pf-1 auth[12979]: (28) Rejected in post-auth:
[a8:1d:16:7d:c8:11] (from client *REDACTED* port 0)
Dec 24 10:37:42 hsd-pf-1 auth[12979]: (28) Login incorrect (rest:
Server returned:): [a8:1d:16:7d:c8:11] (from client *REDACTED* port 0)

PACKETFENCE.LOG
Dec 24 10:37:42 hsd-pf-1 packetfence_httpd.aaa: httpd.aaa(2339) WARN:
[mac:[undef]] Trying to match IP address with an invalid MAC address
'undef' (pf::ip4log::mac2ip)
Dec 24 10:37:42 hsd-pf-1 packetfence_httpd.aaa: httpd.aaa(2339) INFO:
[mac:[undef]] Instantiate profile default
(pf::Connection::ProfileFactory::_from_profile)
Dec 24 10:37:42 hsd-pf-1 packetfence_httpd.aaa: httpd.aaa(2339) INFO:
[mac:[undef]] Found authentication source(s) : 'local,file1,LDAP-1' for
realm 'null' (pf::config::util::filter_authentication_sources)
Dec 24 10:37:42 hsd-pf-1 packetfence_httpd.aaa: httpd.aaa(2339) INFO:
[mac:[undef]] LDAP testing connection (pf::LDAP::expire_if)
Dec 24 10:37:42 hsd-pf-1 packetfence_httpd.aaa: httpd.aaa(2339) WARN:
[mac:[undef]] [LDAP-1] No entries found (0) with filter
(cn=a8:1d:16:7d:c8:11) from o=*REDACTED* on *REDACTED*:636
(pf::Authentication::Source::LDAPSource::authenticate)
Dec 24 10:37:42 hsd-pf-1 packetfence_httpd.aaa: httpd.aaa(2339) INFO:
[mac:[undef]] User a8:1d:16:7d:c8:11 tried to login in 00:50:56:8f:b0:a6
but authentication failed (pf::radius::switch_access)

Any pointers would be appreciated!

Thanks!
-Ryan





_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
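The thread turns on whether a MAC-authentication request reaches PacketFence with a Calling-Station-Id or only with the MAC repeated as User-Name and User-Password. The Python below is an added illustration, not PacketFence or FreeRADIUS code: it normalizes the MAC formats controllers commonly send, derives the client MAC from a request with a guard so that an 802.1X identity is never grafted in as a MAC, and scans log lines of the shape posted above for rejected logins whose MAC context is empty. The attribute dicts are an assumed representation of RADIUS request attributes by name, and the lines in SAMPLE_LOG are constructed after the ones in the thread.

```python
"""Triage helpers for MAC-authentication (MAB) requests in PacketFence /
FreeRADIUS logs.  Added example, not PacketFence or FreeRADIUS code.
The attribute dicts mirror RADIUS request attributes by name (assumed
representation); the lines in SAMPLE_LOG are constructed after the ones
posted in the thread."""
import re
from typing import Optional

# MAC formats NAS vendors commonly send: aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff,
# aabb.ccdd.eeff (Cisco) and bare aabbccddeeff.
_MAC_RE = re.compile(
    r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$"
    r"|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$"
    r"|^[0-9a-f]{12}$",
    re.I,
)


def normalize_mac(value: Optional[str]) -> Optional[str]:
    """Return the MAC in PacketFence's lowercase colon-separated form, or
    None when the string is not a MAC in any of the formats above."""
    if not value or not _MAC_RE.match(value.strip()):
        return None
    digits = re.sub(r"[^0-9a-f]", "", value.strip().lower())
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mab_identity(req: dict) -> Optional[str]:
    """Pick the attribute that identifies the client MAC for a request.

    Calling-Station-Id is the NAS's own record of the client MAC and wins
    when present.  Grafting User-Name in its place (what the poster asked
    about) is only done when the request is recognisably MAB: User-Name is
    a MAC and the NAS either set Service-Type = Call-Check or repeated the
    MAC as the password, as the controller in the thread does.  For 802.1X
    the User-Name is a person or device identity and is never treated as a
    MAC.  Returns None when no MAC can be established.
    """
    mac = normalize_mac(req.get("Calling-Station-Id"))
    if mac:
        return mac
    user_mac = normalize_mac(req.get("User-Name"))
    if user_mac is None:
        return None
    looks_like_mab = (
        req.get("Service-Type") == "Call-Check"
        or normalize_mac(req.get("User-Password")) == user_mac
    )
    return user_mac if looks_like_mab else None


# radius.log:      "[mac:] Rejected user: a8:1d:16:7d:c8:11"
# packetfence.log: "[mac:[undef]] User a8:.. tried to login in 00:50:.. but authentication failed"
_MAC_CTX = r"\[mac:(?P<mac>\[undef\]|[^\]]*)\]"
_RADIUS_REJECT = re.compile(_MAC_CTX + r" Rejected user: (?P<user>\S+)")
_PF_FAIL = re.compile(
    _MAC_CTX + r" User (?P<user>\S+) tried to login in (?P<nas>\S+) "
    r"but authentication failed"
)


def undef_mac_rejects(log_lines):
    """Return rejected logins whose MAC context is empty or [undef] while the
    rejected User-Name is itself a MAC: the signature of a MAB request that
    PacketFence could not tie to a node.  802.1X rejects (User-Name not a
    MAC) and requests that did carry a MAC are left out."""
    hits = []
    for line in log_lines:
        m = _RADIUS_REJECT.search(line) or _PF_FAIL.search(line)
        if not m:
            continue
        user_mac = normalize_mac(m.group("user"))
        if m.group("mac") in ("", "[undef]") and user_mac:
            hits.append({
                "user_mac": user_mac,
                "nas": normalize_mac(m.groupdict().get("nas")),
                "line": line,
            })
    return hits


# Constructed sample, modelled on the thread's radius.log / packetfence.log.
SAMPLE_LOG = [
    "Dec 24 10:37:42 hsd-pf-1 auth[12979]: [mac:] Rejected user: a8:1d:16:7d:c8:11",
    "Dec 24 10:37:42 hsd-pf-1 packetfence_httpd.aaa: httpd.aaa(2339) INFO: "
    "[mac:[undef]] User a8:1d:16:7d:c8:11 tried to login in 00:50:56:8f:b0:a6 "
    "but authentication failed (pf::radius::switch_access)",
    # 802.1X reject: MAC context present, User-Name is a person, not flagged.
    "Dec 24 10:40:01 hsd-pf-1 auth[12979]: [mac:00:11:22:33:44:55] Rejected user: jdoe",
]

if __name__ == "__main__":
    for hit in undef_mac_rejects(SAMPLE_LOG):
        print(f"MAB request with no MAC context: {hit['user_mac']} on NAS {hit['nas']}")
```

One caveat worth keeping in mind when reading the output: both Calling-Station-Id and a MAC-as-User-Name are reported by the NAS from whatever address the client presented, so a MAB decision rests entirely on a spoofable MAC. Placing a device in a VLAN on that basis is only as strong as the registration step that follows, which is why a profile that registers nodes automatically deserves a second look on an open SSID.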
