Hi, here are the logs:
Mar 10 12:10:21 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO:
[mac:02:de:ad:04:be:ef] handling radius autz request: from switch_ip =>
(10.71.100.63), connection_type => Wireless-802.11-EAP,switch_mac =>
(b8:3a:5a:c1:8d:aa), mac => [02:de:ad:04:be:ef], port => 0, username =>
"Testy", ssid => htl-ar-ad (pf::radius::authorize)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO:
[mac:02:de:ad:04:be:ef] Instantiate profile 802.1x
(pf::Connection::ProfileFactory::_from_profile)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO:
[mac:02:de:ad:04:be:ef] Found authentication source(s) : '' for realm
'null' (pf::config::util::filter_authentication_sources)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN:
[mac:02:de:ad:04:be:ef] No category computed for autoreg
(pf::role::getNodeInfoForAutoReg)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN:
[mac:02:de:ad:04:be:ef] Switch type 'pf::Switch::Aruba' does not support
MABFloatingDevices (pf::SwitchSupports::__ANON__)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO:
[mac:02:de:ad:04:be:ef] Found authentication source(s) : '' for realm
'null' (pf::config::util::filter_authentication_sources)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO:
[mac:02:de:ad:04:be:ef] Role has already been computed and we don't want
to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN:
[mac:02:de:ad:04:be:ef] Use of uninitialized value $role in
concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 483.
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO:
[mac:02:de:ad:04:be:ef] Username was NOT defined or unable to match a
role - returning node based role '' (pf::role::getRegisteredRole)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO:
[mac:02:de:ad:04:be:ef] PID: "default", Status: reg Returned VLAN:
(undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO:
[mac:02:de:ad:04:be:ef] security_event 1300003 force-closed for
02:de:ad:04:be:ef (pf::security_event::security_event_force_close)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO:
[mac:02:de:ad:04:be:ef] Instantiate profile 802.1x
(pf::Connection::ProfileFactory::_from_profile)
Mar 10 12:10:21 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO:
[mac:02:de:ad:04:be:ef] handling radius autz request: from switch_ip =>
(10.71.100.63), connection_type => Wireless-802.11-EAP,switch_mac =>
(b8:3a:5a:c1:8d:aa), mac => [02:de:ad:04:be:ef], port => 0, username =>
"Testy", ssid => htl-ar-ad (pf::radius::authorize)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO:
[mac:02:de:ad:04:be:ef] Instantiate profile 802.1x
(pf::Connection::ProfileFactory::_from_profile)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO:
[mac:02:de:ad:04:be:ef] Found authentication source(s) : '' for realm
'null' (pf::config::util::filter_authentication_sources)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN:
[mac:02:de:ad:04:be:ef] No category computed for autoreg
(pf::role::getNodeInfoForAutoReg)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN:
[mac:02:de:ad:04:be:ef] Switch type 'pf::Switch::Aruba' does not support
MABFloatingDevices (pf::SwitchSupports::__ANON__)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO:
[mac:02:de:ad:04:be:ef] Found authentication source(s) : '' for realm
'null' (pf::config::util::filter_authentication_sources)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO:
[mac:02:de:ad:04:be:ef] Role has already been computed and we don't want
to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN:
[mac:02:de:ad:04:be:ef] Use of uninitialized value $role in
concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 483.
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO:
[mac:02:de:ad:04:be:ef] Username was NOT defined or unable to match a
role - returning node based role '' (pf::role::getRegisteredRole)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO:
[mac:02:de:ad:04:be:ef] PID: "default", Status: reg Returned VLAN:
(undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO:
[mac:02:de:ad:04:be:ef] security_event 1300003 force-closed for
02:de:ad:04:be:ef (pf::security_event::security_event_force_close)
Mar 10 12:10:22 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO:
[mac:02:de:ad:04:be:ef] Instantiate profile 802.1x
(pf::Connection::ProfileFactory::_from_profile)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO:
[mac:02:de:ad:04:be:ef] handling radius autz request: from switch_ip =>
(10.71.100.63), connection_type => Wireless-802.11-EAP,switch_mac =>
(b8:3a:5a:c1:8d:aa), mac => [02:de:ad:04:be:ef], port => 0, username =>
"Testy", ssid => htl-ar-ad (pf::radius::authorize)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO:
[mac:02:de:ad:04:be:ef] Instantiate profile 802.1x
(pf::Connection::ProfileFactory::_from_profile)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO:
[mac:02:de:ad:04:be:ef] Found authentication source(s) : '' for realm
'null' (pf::config::util::filter_authentication_sources)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN:
[mac:02:de:ad:04:be:ef] No category computed for autoreg
(pf::role::getNodeInfoForAutoReg)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN:
[mac:02:de:ad:04:be:ef] Switch type 'pf::Switch::Aruba' does not support
MABFloatingDevices (pf::SwitchSupports::__ANON__)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO:
[mac:02:de:ad:04:be:ef] handling radius autz request: from switch_ip =>
(10.71.100.63), connection_type => Wireless-802.11-EAP,switch_mac =>
(b8:3a:5a:c1:8d:aa), mac => [02:de:ad:04:be:ef], port => 0, username =>
"Testy", ssid => htl-ar-ad (pf::radius::authorize)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO:
[mac:02:de:ad:04:be:ef] Instantiate profile 802.1x
(pf::Connection::ProfileFactory::_from_profile)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO:
[mac:02:de:ad:04:be:ef] Found authentication source(s) : '' for realm
'null' (pf::config::util::filter_authentication_sources)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN:
[mac:02:de:ad:04:be:ef] No category computed for autoreg
(pf::role::getNodeInfoForAutoReg)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN:
[mac:02:de:ad:04:be:ef] Switch type 'pf::Switch::Aruba' does not support
MABFloatingDevices (pf::SwitchSupports::__ANON__)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO:
[mac:02:de:ad:04:be:ef] Found authentication source(s) : '' for realm
'null' (pf::config::util::filter_authentication_sources)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO:
[mac:02:de:ad:04:be:ef] Role has already been computed and we don't want
to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN:
[mac:02:de:ad:04:be:ef] Use of uninitialized value $role in
concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 483.
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO:
[mac:02:de:ad:04:be:ef] Username was NOT defined or unable to match a
role - returning node based role '' (pf::role::getRegisteredRole)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO:
[mac:02:de:ad:04:be:ef] PID: "default", Status: reg Returned VLAN:
(undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN:
[mac:02:de:ad:04:be:ef] Use of uninitialized value $vlanName in hash
element at /usr/local/pf/lib/pf/Switch.pm line 608.
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN:
[mac:02:de:ad:04:be:ef] Use of uninitialized value $vlanName in
concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 611.
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN:
[mac:02:de:ad:04:be:ef] No parameter Vlan found in conf/switches.conf
for the switch 10.71.100.63 (pf::Switch::getVlanByName)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO:
[mac:02:de:ad:04:be:ef] security_event 1300003 force-closed for
02:de:ad:04:be:ef (pf::security_event::security_event_force_close)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO:
[mac:02:de:ad:04:be:ef] Instantiate profile 802.1x
(pf::Connection::ProfileFactory::_from_profile)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO:
[mac:02:de:ad:04:be:ef] Found authentication source(s) : '' for realm
'null' (pf::config::util::filter_authentication_sources)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO:
[mac:02:de:ad:04:be:ef] Role has already been computed and we don't want
to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN:
[mac:02:de:ad:04:be:ef] Use of uninitialized value $role in
concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 483.
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO:
[mac:02:de:ad:04:be:ef] Username was NOT defined or unable to match a
role - returning node based role '' (pf::role::getRegisteredRole)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO:
[mac:02:de:ad:04:be:ef] PID: "default", Status: reg Returned VLAN:
(undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN:
[mac:02:de:ad:04:be:ef] Use of uninitialized value $vlanName in hash
element at /usr/local/pf/lib/pf/Switch.pm line 608.
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN:
[mac:02:de:ad:04:be:ef] Use of uninitialized value $vlanName in
concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 611.
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN:
[mac:02:de:ad:04:be:ef] No parameter Vlan found in conf/switches.conf
for the switch 10.71.100.63 (pf::Switch::getVlanByName)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO:
[mac:02:de:ad:04:be:ef] security_event 1300003 force-closed for
02:de:ad:04:be:ef (pf::security_event::security_event_force_close)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO:
[mac:02:de:ad:04:be:ef] Instantiate profile 802.1x
(pf::Connection::ProfileFactory::_from_profile)
So, it looks like I don't get a role. I use the condition "memberOf
equals CN=SpecificGroup, OU=Groups,CN=OURDOMAIN" in the authentication
rules. How can I debug Active Directory group membership evaluation on
PacketFence?
Kind regards
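A small log triage script, added here as an example (not PacketFence's own tooling), that reads httpd.aaa lines like the ones above, groups them per RADIUS authorization request and reports why no role or VLAN came back. The sample entries are constructed to mirror the failing request, one entry per line as in the real logs/packetfence.log.

```python
import re
# Constructed sample in the httpd.aaa format pasted above (one entry per line,
# as in the real packetfence.log); it reproduces the failing request's symptoms.
SAMPLE_LOG = """\
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] handling radius autz request: from switch_ip => (10.71.100.63), connection_type => Wireless-802.11-EAP,switch_mac => (b8:3a:5a:c1:8d:aa), mac => [02:de:ad:04:be:ef], port => 0, username => "Testy", ssid => htl-ar-ad (pf::radius::authorize)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] Found authentication source(s) : '' for realm 'null' (pf::config::util::filter_authentication_sources)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) INFO: [mac:02:de:ad:04:be:ef] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Mar 10 12:46:06 ippf packetfence_httpd.aaa: httpd.aaa(848) WARN: [mac:02:de:ad:04:be:ef] No parameter Vlan found in conf/switches.conf for the switch 10.71.100.63 (pf::Switch::getVlanByName)
"""
MAC_RE = re.compile(r"\[mac:([0-9a-f:]{17})\]")
PATTERNS = {  # one named-group regex per log message we care about
    "start": re.compile(r'handling radius autz request:.*username => "(?P<username>[^"]*)"'),
    "sources": re.compile(r"Found authentication source\(s\) : '(?P<sources>[^']*)' for realm '(?P<realm>[^']*)'"),
    "result": re.compile(r"Returned VLAN: \((?P<vlan>[^)]*)\), Role: \((?P<role>[^)]*)\)"),
    "novlan": re.compile(r"No parameter (?P<vlan_name>\S+) found in conf/switches\.conf for the switch (?P<switch>\S+)"),
}

def parse_requests(log_text):
    """Group httpd.aaa lines into one dict per 'handling radius autz request'."""
    requests, cur = [], None
    for line in log_text.splitlines():
        mac = MAC_RE.search(line)
        if not mac:
            continue
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if name == "start":  # a new authorization request begins here
                cur = {"mac": mac.group(1)}
                requests.append(cur)
            if cur is not None:
                cur.update(m.groupdict())
    return requests

def diagnose(req):
    """Return the reasons a request ended with no role/VLAN, in evaluation order."""
    findings = []
    if req.get("sources") == "":
        findings.append(f"no authentication source selected for realm '{req.get('realm')}': "
                        "the AD source is not attached to this connection profile/realm, "
                        "so the memberOf rule is never evaluated")
    if req.get("role") in (None, "undefined"):
        findings.append(f"role undefined for user '{req.get('username')}': no authentication "
                        "rule matched, so the node keeps its node-based (empty) role")
    if "vlan_name" in req:
        findings.append(f"switch {req['switch']} has no '{req['vlan_name']}' entry in "
                        "conf/switches.conf: no Tunnel-Private-Group-ID can be returned")
    return findings
```

Feed it the output of `grep <mac> /usr/local/pf/logs/packetfence.log`; a non-empty sources value with a still-undefined role points at the memberOf condition itself rather than at source selection.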
On 10.03.2020 16:09, Ludovic Zammit wrote:
Ok, so if you are doing 802.1x then most of the time you do
auto-registration where you don’t display the captive portal.
In that case, your access would be computed on the fly. Do that and
remove device info:
grep MAC_ADDRESS /usr/local/pf/logs/packetfence.log
My guess is that you don’t match or get the VLAN for the proper role.
Check for the auto register option on the connection profile.
Thanks,
Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
On Mar 10, 2020, at 11:04 AM, Christian Sudec <c.su...@htlwrn.ac.at> wrote:
Hello Ludovic!
On 10.03.2020 14:42, Ludovic Zammit wrote:
Hello Christian,
Are you doing VLAN enforcement or Role enforcement ?
We're doing only 'RADIUS Enforcement' as this is the requirement for
802.1x (both wireless and wired).
On Aruba you have to do one of them, not both at the same time.
What do you mean? When doing 802.1x PacketFence uses the username and
password with its authentication rules to determine the role (e.g.
teacher/pupil), which is used in the switch profile with "Role mapping
by VLAN ID" to provide the correct VLAN (772/773).
How are you redirected on the captive portal ? By a radius request ?
There is no captive portal, because no guests are allowed.
Once you get authenticated PF sends a RADIUS disconnect message to
the AP to kick your MAC address out for the client to reconnect
immediately and get the production VLAN/role.
That's my question: there is no Tunnel-Private-Group-ID and no
disconnect message. How and where do I set/debug these?
Check logs/packetfence.log for your MAC address's activity and
see if you can find any error.
Nothing useful (at least for me) in there:
Mar 10 12:10:22 ippf auth[1659]: (14606) Login OK: [Testy] (from
client 10.71.100.63/32 port 0 cli bc:d1:d3:31:13:78 via TLS tunnel)
Mar 10 12:10:22 ippf auth[1659]: [mac:bc:d1:d3:31:13:78] Accepted
user: Testy and returned VLAN
Mar 10 12:10:22 ippf auth[1659]: (14607) Login OK: [Testy] (from
client 10.71.100.63/32 port 0 cli bc:d1:d3:31:13:78)
As you can see: returned VLAN - but I don't get one...
Kind regards
On Mar 10, 2020, at 8:00 AM, Christian Sudec via PacketFence-users
<packetfence-users@lists.sourceforge.net> wrote:
Hi everybody!
First the current situation so far:
We installed a test network, where the PacketFence server is reachable
with the IP 10.5.1.4 (type management), and set 'RADIUS enforcement' as
the chosen method.
Next we installed a MikroTik switch (PoE) with 4 VLANs (771-774) and
attached an Aruba AP to a trunk port with the mentioned VLANs. The
default VLAN is 771 and the AP gets an IP and can connect to the PF
server.
Now we created an authentication source to our AD and created a switch
template for the AP. There are two roles based on AD group membership:
teachers (VID 772) and pupils (VID 773), set in the switch profile under
'Role mapping by VLAN ID'.
As far as it was possible, we set up the AP according to the PacketFence
device configuration guide, because the guide refers to ArubaOS 5.x, but
we are already at 8.6.0.2.
Now we are stuck: everybody can log in with an AD username (and
password), but the user doesn't get transferred to the correct VLAN and
stays in the default. In 'Auditing' I can see at 'Node Information' the
Role N/A and there is no Tunnel-Private-Group-ID in the RADIUS Reply.
Can somebody enlighten me on what to check or what to set / how to
debug?
Kind regards
Chris
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users