Hi Ludovic

I do have a realm for the FQDN and for the short name of the domain: both KABI 
and KABI.ADS.FRESENIUS.COM.

The servicePrincipalName and the machine account are OK. As indicated before, 
I have this issue only when the authentication is proxied to the member named 
pf9-1 of a cluster of 3; on the two other members, the authentication works as 
expected.

And yesterday I found the cause of the problem, which seems to lie in the 
authorization part of PacketFence, in the multi-domain module. It seems to be 
some sort of JSON "serialization?" issue:

    (253) Thu Feb 20 17:21:38 2020: Debug: packetfence-multi-domain: perl_embed:: module = /usr/local/pf/raddb/mods-config/perl/packetfence-multi-domain.pm , func = authorize exit status= hash- or arrayref expected (not a simple scalar, use allow_nonref to allow this) at /usr/local/pf/lib/pfconfig/cached.pm line 182.

With my minimal Debian 9 installation and the PacketFence package, 
libjson-xs-perl doesn't seem to be sufficient, or is it buggy?

When I added this lib, libcpanel-json-xs-perl, it corrected my problem.

I created a bug ticket in the PacketFence GitHub to report this dependency 
issue.


Best regards
Franck
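Added example (editor's note, not part of Franck's message and not PacketFence's 
own code): the croak quoted above is the JSON::XS encoder refusing a top-level 
scalar while allow_nonref is off, which is the default in the 3.x JSON::XS that 
Debian 9 ships (JSON::XS 4.0 turned it on by default). The script below 
reproduces that croak, shows the same values passing once allow_nonref is 
enabled, and reports which JSON backends are installed. The probe_backends and 
try_encode helpers and the sample values are constructed for this example; that 
the cache layer selects its backend through JSON::MaybeXS (Cpanel::JSON::XS 
first, then JSON::XS, then JSON::PP) is an assumption to verify against 
/usr/local/pf/lib/pfconfig/cached.pm, not something the thread states.

```perl
#!/usr/bin/perl
# Added example, not PacketFence code: reproduce the encoder croak seen in the
# multi-domain log and show what allow_nonref changes.
use strict;
use warnings;
use JSON::XS ();

# Report which JSON backends are installed and at which version.  Assumption:
# the cache layer loads its backend through JSON::MaybeXS, which prefers
# Cpanel::JSON::XS, then JSON::XS, then JSON::PP; confirm that in
# /usr/local/pf/lib/pfconfig/cached.pm before relying on it.
sub probe_backends {
    my %found;
    for my $mod (qw(Cpanel::JSON::XS JSON::XS JSON::PP)) {
        (my $file = "$mod.pm") =~ s{::}{/}g;
        $found{$mod} = eval { require $file; $mod->VERSION } // 'not installed';
    }
    return \%found;
}

# Encode one value with the given codec; return the JSON text on success or
# the croak message (trailing newline stripped) on failure.
sub try_encode {
    my ($codec, $value) = @_;
    my $json = eval { $codec->encode($value) };
    return "ok   $json" if defined $json;
    (my $err = $@) =~ s/\s+\z//;
    return "died $err";
}

# Constructed sample of what a config cache might hold: plain scalars as well
# as hash and array references.  Only the references satisfy a strict encoder.
my @values = (
    "KABI",
    1,
    { realm => "KABI.ADS.FRESENIUS.COM" },
    [ "pf9-1", "pf9-2", "pf9-3" ],
);

# Set allow_nonref explicitly on both codecs so the demonstration does not
# depend on which JSON::XS release is installed (3.x: off, 4.x: on).
my $strict  = JSON::XS->new->utf8->canonical->allow_nonref(0);
my $lenient = JSON::XS->new->utf8->canonical->allow_nonref(1);

my $backends = probe_backends();
printf "%-17s %s\n", $_, $backends->{$_} for sort keys %$backends;
print "\n";

# The strict codec dies on "KABI" and 1 with exactly the message from the log:
# "hash- or arrayref expected (not a simple scalar, use allow_nonref ...)".
for my $v (@values) {
    print "strict : ", try_encode($strict,  $v), "\n";
    print "lenient: ", try_encode($lenient, $v), "\n";
}
```

Run it on the failing member and on a working one; if the backend versions 
differ between pf9-1 and the other two nodes, that difference, rather than the 
RADIUS or realm configuration, is the first thing to reconcile.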

From: EXTERN Ludovic Zammit <lzam...@inverse.ca>
Sent: Tuesday, February 25, 2020 2:48 PM
To: Franck Rakotonindrainy <franck.rakotonindra...@fresenius-kabi.com>
Cc: packetfence-users@lists.sourceforge.net <packetfence-users@lists.sourceforge.net>
Subject: Re: [PacketFence-users] Packetfence Cluster, one member not authenticating clients

Hello Franck,

Do you have a realm for kabi.ads.fresenius.com? Do you use the default realm? 
Make sure to split it on the RADIUS side; it could help in some cases.

That error message means that it's PacketFence that rejects the authentication, 
so check logs/packetfence.log for that MAC address. It would be more likely that 
it could not authenticate the servicePrincipalName 
host/FV004837.kabi.ads.fresenius.com.

Make sure you do match the correct source/rule for your device. The 
authentication part in RADIUS looks good, but the authorization in PacketFence 
is failing.

Thanks,

Ludovic Zammit
lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 

On Feb 20, 2020, at 8:03 AM, Franck Rakotonindrainy via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:

Hello,

If anybody could explain to me the meaning of this error: "the user session was 
previously rejected: returning reject again"

Feb 19 15:34:49 nac9-1 auth[14910]: rlm_sql (sql): Opening additional connection (3), 1 of 63 pending slots used
Feb 19 15:34:49 nac9-1 auth[14910]: (31)   Invalid user: [host/FV004837.kabi.ads.fresenius.com] (from client pf port 20 cli a4:bb:6d:11:1f:cf via TLS tunnel)
Feb 19 15:34:49 nac9-1 auth[14910]: (31)   Login incorrect: [host/FV004837.kabi.ads.fresenius.com] (from client pf port 20 cli a4:bb:6d:11:1f:cf via TLS tunnel)
Feb 19 15:34:49 nac9-1 auth[14910]: [mac:a4:bb:6d:11:1f:cf] Rejected user: host/FV004837.kabi.ads.fresenius.com
Feb 19 15:34:49 nac9-1 auth[14910]: (32) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [host/FV004837.kabi.ads.fresenius.com] (from client pf port 20 cli a4:bb:6d:11:1f:cf)
Feb 19 15:34:49 nac9-1 auth[14910]: (31)   Invalid user: [host/FV004837.kabi.ads.fresenius.com] (from client pf port 20 cli a4:bb:6d:11:1f:cf via TLS tunnel)
Feb 19 15:34:49 nac9-1 auth[14910]: (31)   Login incorrect: [host/FV004837.kabi.ads.fresenius.com] (from client pf port 20 cli a4:bb:6d:11:1f:cf via TLS tunnel)
Feb 19 15:34:49 nac9-1 auth[14910]: [mac:a4:bb:6d:11:1f:cf] Rejected user: host/FV004837.kabi.ads.fresenius.com
Feb 19 15:34:49 nac9-1 auth[14910]: (32) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [host/FV004837.kabi.ads.fresenius.com] (from client pf port 20 cli a4:bb:6d:11:1f:cf)
Feb 19 15:35:19 nac9-1 auth[14910]: Signalled to terminate

One hour before, it was OK on another member of the cluster:

Feb 19 14:35:08 nac9-3 auth[2946]: rlm_sql (sql): Opening additional connection (3600), 1 of 62 pending slots used
Feb 19 14:35:08 nac9-3 auth[2946]: (93512)   Login OK: [host/FV004837.kabi.ads.fresenius.com] (from client pf port 20 cli a4:bb:6d:11:1f:cf via TLS tunnel)
Feb 19 14:35:08 nac9-3 auth[2946]: [mac:a4:bb:6d:11:1f:cf] Accepted user: host/FV004837.kabi.ads.fresenius.com and returned VLAN 1136
Feb 19 14:35:08 nac9-3 auth[2946]: (93513) Login OK: [host/FV004837.kabi.ads.fresenius.com] (from client pf port 20 cli a4:bb:6d:11:1f:cf)

Test with ntlm_auth is OK:

root@nac9-1:~# chroot /chroots/KABI/ ntlm_auth --domain KABI --username rakoto --password "*****"
NT_STATUS_OK: Success (0x0)

I have no idea how to test a machine account with ntlm_auth.

Can anyone help me with testing the RADIUS authentication part?

And to help debugging, would it be possible to redirect authentication requests 
to a specific member of the cluster?

Best regards,

Franck

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users