Do that command:

/usr/local/bin/pftest authentication SCTL-2D2SS0-G00-COCU02-INT-005 ""

Show me the result.

Thanks,

Ludovic Zammit
Product Support Engineer Principal

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142
Connect with Us:         <https://community.akamai.com/>  
<http://blogs.akamai.com/>  <https://twitter.com/akamai>  
<http://www.facebook.com/AkamaiTechnologies>  
<http://www.linkedin.com/company/akamai-technologies>  
<http://www.youtube.com/user/akamaitechnologies?feature=results_main>

> On Feb 1, 2022, at 8:50 AM, Leon Pinto <leon.pi...@ilanzme.com> wrote:
> 
> Hello,
>  
> Thanks for all your responses…  Now, after a power failure, I can see that 
> none of the devices are getting the correct role… I suspect that the pf is 
> not able to understand the Username of the device, though the username is to 
> be resolved from the CN of the EAP-TLS certificate, which matches the 
> account in AD… My authentication source is Microsoft AD… The switch is an 
> Alcatel 6450…
>  
> The possible attributes for the username in my AD, as shown in the 
> Authentication sources, are as below:
>  
> <image004.jpg>
>  
> I am going in circles with what could be the reason why the system is not 
> able to understand the username to assign it the correct role…
>  
> The logs are as below and I see some warnings…  I can't understand what it means 
> by uninitialized values in $Role, etc…
>  
> Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) 
> INFO: [mac:00:0c:ab:63:30:86] handling radius autz request: from switch_ip => 
> (10.153.1.249), connection_type => Ethernet-EAP,switch_mac => 
> (e8:e7:32:a6:fd:5e), mac => [00:0c:ab:63:30:86], port => 77, username => 
> "SCTL-2D2SS0-G00-COCU02-INT-005" (pf::radius::authorize)
> Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) 
> INFO: [mac:00:0c:ab:63:30:86] Instantiate profile cp_vlan_4_2g4 
> (pf::Connection::ProfileFactory::_from_profile)
> Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) 
> INFO: [mac:00:0c:ab:63:30:86] Found authentication source(s) : '' for realm 
> 'null' (pf::config::util::filter_authentication_sources)
> Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) 
> INFO: [mac:00:0c:ab:63:30:86] No rules matches or no category defined for the 
> node, set it as unreg. (pf::role::getNodeInfoForAutoReg)
> Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) 
> WARN: [mac:00:0c:ab:63:30:86] No category computed for autoreg 
> (pf::role::getNodeInfoForAutoReg)
> Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) 
> INFO: [mac:00:0c:ab:63:30:86] Found authentication source(s) : '' for realm 
> 'null' (pf::config::util::filter_authentication_sources)
> Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) 
> INFO: [mac:00:0c:ab:63:30:86] Role has already been computed and we don't 
> want to recompute it. Getting role from node_info 
> (pf::role::getRegisteredRole)
> Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) 
> WARN: [mac:00:0c:ab:63:30:86] Use of uninitialized value $role in 
> concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489.
> Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) 
> INFO: [mac:00:0c:ab:63:30:86] Username was NOT defined or unable to match a 
> role - returning node based role '' (pf::role::getRegisteredRole)
> Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) 
> INFO: [mac:00:0c:ab:63:30:86] PID: "default", Status: reg Returned VLAN: 
> (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
> Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) 
> WARN: [mac:00:0c:ab:63:30:86] Use of uninitialized value $vlanName in hash 
> element at /usr/local/pf/lib/pf/Switch.pm line 633.
> Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) 
> WARN: [mac:00:0c:ab:63:30:86] Use of uninitialized value $name in exists at 
> /usr/local/pf/lib/pf/Switch.pm line 667.
> Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) 
> WARN: [mac:00:0c:ab:63:30:86] Use of uninitialized value $vlanName in 
> concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 640.
> Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) 
> WARN: [mac:00:0c:ab:63:30:86] No parameter Vlan found in conf/switches.conf 
> for the switch 10.153.1.249 (pf::Switch::getVlanByName)
> Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) 
> INFO: [mac:00:0c:ab:63:30:86] security_event 1300003 force-closed for 
> 00:0c:ab:63:30:86 (pf::security_event::security_event_force_close)
> Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) 
> INFO: [mac:00:0c:ab:63:30:86] Instantiate profile cp_vlan_4_2g4 
> (pf::Connection::ProfileFactory::_from_profile)
>  
> As far as I can see, the role is correctly configured and so is the switch…
>  
> Roles
>  
> <image018.jpg>
>  
> <image020.jpg>
>  
> Authentication Rule
>  
> <image021.jpg>
> Radius response shows the correct user name as far as I can see…
>  
> <image022.jpg>
>  
> <image024.jpg>
>  
> User definition in AD
>  
> <image025.jpg>               <image026.jpg>
>  
> “switches.conf” too seems to have the correct entries of vlans… 
>  
> <image031.jpg>
> I would sincerely appreciate it if someone can help with where I could be going wrong with 
> this… At this moment, I am lost as to what I might be missing…
>  
> Thanks for all your support…
>  
> <image036.png>
>  
> From: Leon Pinto via PacketFence-users <packetfence-users@lists.sourceforge.net>
> Sent: Monday, January 31, 2022 11:21 PM
> To: 'Zammit, Ludovic' <luza...@akamai.com>; packetfence-users@lists.sourceforge.net
> Cc: Leon Pinto <leon.pi...@ilanzme.com>
> Subject: Re: [PacketFence-users] Roles not assigned to certain types of users - EAP TLS
>  
> Hello,
>  
> Thanks a lot for your response…
>  
> All our screenshots are in attached docs… logs etc… 
>  
> Also, as below…
>  
> SCTL-2D2SS0-P02-HVR-OS15-026 → The case for which no vlan/role is assigned.
>  
> SCTL-2D2SS0-G00-COCU02-INT-005 → The case for which the correct vlan/role is 
> assigned.
>  
> <image037.png>
>  
>  
> SCTL-2D2SS0-P02-HVR-OS15-026 → The case for which no vlan/role is assigned 
> (Radius Response)
>  
> <image038.png>
>  
> <image039.jpg>
>  
> SCTL-2D2SS0-G00-COCU02-INT-005 → The case for which the correct vlan/role is 
> assigned  (Radius Response)
>  
> <image043.png>
> <image044.png>
>  
> <image045.png>
>  
> From: Zammit, Ludovic <luza...@akamai.com>
> Sent: Monday, January 31, 2022 10:45 PM
> To: packetfence-users@lists.sourceforge.net
> Cc: Leon Pinto <leon.pi...@ilanzme.com>
> Subject: Re: [PacketFence-users] Roles not assigned to certain types of users - EAP TLS
>  
> Hello Leon,
>  
> What’s the RADIUS reply in the Auditing tab of the PacketFence web page for those 
> two authentications?
>  
> Thanks,
>  
> Ludovic Zammit
> Product Support Engineer Principal
> 
>> On Jan 31, 2022, at 10:33 AM, Leon Pinto via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>>  
>> Hello community,
>>  
>> We have a PacketFence installation where the authentication source is an 
>> Active Directory set up for telephony 802.1X authentication based on EAP-TLS… 
>>  
>> The version is 11.1, with an Alcatel 6450 switch for 802.1X…
>>  
>> Problem description
>> In our scenario, PacketFence is used to assign the proper VLAN to 
>> authenticated/registered phones, and this works fine for one type of device 
>> with certificates from the local PKI…  Another type of device from the same 
>> PKI is authenticated and registered but does not get the correct Role as 
>> expected… 
>>  
>> Refer to the end result below:
>>  
>> <image002.png>
>>  
>> The 01/26 gets the correct VLAN (vlan 4) as configured in the Role.
>> The 01/28 does not get the correct VLAN (vlan 4) as configured in the Role.
>>  
>> <image004.png>
>>  
>> I tried using other attributes like SPN, UPN, etc., but we still have the same 
>> issue as above…
>>  
>> All configuration screenshots, logs, RADIUS responses, etc. are in the 
>> attached file…  Any help is welcome…   
>>  
>> <image005.png>
>>  
>> <Packet Fence - Problem scenario.docx>
>> _______________________________________________
>> PacketFence-users mailing list
>> PacketFence-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
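An added triage helper for the httpd.aaa lines quoted in the thread (example code written for this page, not part of PacketFence or of any message above): it parses each line, groups the events by MAC, and pulls out the facts that decide whether a role and VLAN are returned, namely the username seen in the authorize request, the authentication sources matched for the realm, the computed role/VLAN, the missing switches.conf parameter, and the Perl "uninitialized value" warnings. The sample lines are the thread's quoted log re-joined onto single lines (a constructed sample), and the line layout the regular expressions assume is taken from those lines only.

```python
import re

# One PacketFence httpd.aaa syslog line. The field layout is an assumption taken
# from the lines quoted in the thread (every line we care about carries a [mac:..] tag).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<comp>\S+) (?P<level>[A-Z]+): "
    r"\[mac:(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\] (?P<msg>.*?)"
    r"(?: \((?P<func>pf::[\w:]+)\))?$"
)

# Message-specific patterns for the events that decide role assignment.
AUTHZ_RE = re.compile(r'switch_ip => \((?P<switch_ip>[\d.]+)\).*?username => "(?P<username>[^"]*)"')
SOURCES_RE = re.compile(r"Found authentication source\(s\) : '(?P<sources>[^']*)' for realm '(?P<realm>[^']*)'")
ROLE_RE = re.compile(r"Returned VLAN: \((?P<vlan>[^)]*)\), Role: \((?P<role>[^)]*)\)")
NOVLAN_RE = re.compile(r"No parameter (?P<param>\S+) found in conf/switches\.conf for the switch (?P<switch>[\d.]+)")
PERLWARN_RE = re.compile(r"Use of uninitialized value \$(?P<var>\w+) .* at (?P<file>\S+) line (?P<lineno>\d+)\.")

# Constructed sample: the lines quoted in the thread, re-joined onto single lines.
SAMPLE_LOG = """\
Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) INFO: [mac:00:0c:ab:63:30:86] handling radius autz request: from switch_ip => (10.153.1.249), connection_type => Ethernet-EAP,switch_mac => (e8:e7:32:a6:fd:5e), mac => [00:0c:ab:63:30:86], port => 77, username => "SCTL-2D2SS0-G00-COCU02-INT-005" (pf::radius::authorize)
Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) INFO: [mac:00:0c:ab:63:30:86] Found authentication source(s) : '' for realm 'null' (pf::config::util::filter_authentication_sources)
Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) INFO: [mac:00:0c:ab:63:30:86] No rules matches or no category defined for the node, set it as unreg. (pf::role::getNodeInfoForAutoReg)
Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) WARN: [mac:00:0c:ab:63:30:86] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489.
Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) INFO: [mac:00:0c:ab:63:30:86] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) WARN: [mac:00:0c:ab:63:30:86] Use of uninitialized value $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 633.
Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) WARN: [mac:00:0c:ab:63:30:86] No parameter Vlan found in conf/switches.conf for the switch 10.153.1.249 (pf::Switch::getVlanByName)
"""


def parse_line(line):
    """Return the parsed fields of one httpd.aaa line, or None if it is not one."""
    m = LINE_RE.match(line.rstrip())
    return m.groupdict() if m else None


def _note(node, finding):
    """Record a finding once per node (several log lines repeat the same event)."""
    if finding not in node["findings"]:
        node["findings"].append(finding)


def triage(lines):
    """Group httpd.aaa lines by MAC and explain why no role/VLAN was returned."""
    nodes = {}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        node = nodes.setdefault(rec["mac"], {
            "username": None, "switch_ip": None, "sources": None, "realm": None,
            "role": None, "vlan": None, "uninitialized": [], "findings": [],
        })
        msg = rec["msg"]
        m = AUTHZ_RE.search(msg)
        if m:  # the username PacketFence received for this session
            node["username"], node["switch_ip"] = m["username"], m["switch_ip"]
            continue
        m = SOURCES_RE.search(msg)
        if m:  # empty source list means no authentication source could be consulted
            node["sources"] = [s for s in m["sources"].split(",") if s]
            node["realm"] = m["realm"]
            if not node["sources"]:
                _note(node, f"no authentication source matched realm '{m['realm']}'")
            continue
        m = ROLE_RE.search(msg)
        if m:  # final answer of pf::role::fetchRoleForNode
            node["role"] = None if m["role"] == "undefined" else m["role"]
            node["vlan"] = None if m["vlan"] == "undefined" else m["vlan"]
            if node["role"] is None:
                _note(node, "no role computed for the node (role and VLAN both undefined)")
            continue
        m = NOVLAN_RE.search(msg)
        if m:  # VLAN lookup in switches.conf failed for the computed role name
            _note(node, f"switches.conf has no '{m['param']}' parameter for switch {m['switch']}")
            continue
        m = PERLWARN_RE.search(msg)
        if m and rec["level"] == "WARN":  # symptoms of an empty role, kept for context
            node["uninitialized"].append(m["var"])
    return nodes


def summarize(nodes):
    """Render the triage result as one text block per MAC."""
    out = []
    for mac, n in sorted(nodes.items()):
        out.append(f"{mac}: user={n['username']!r} switch={n['switch_ip']} realm={n['realm']!r} "
                   f"sources={n['sources']} role={n['role']} vlan={n['vlan']}")
        out.extend(f"  - {f}" for f in n["findings"])
        if n["uninitialized"]:
            out.append(f"  - Perl 'uninitialized value' warnings for: {', '.join(n['uninitialized'])}")
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(triage(SAMPLE_LOG.splitlines())))
```

Read in order, the findings for the sample tell the story the thread is chasing: the username was received, no authentication source matched realm 'null', so no rule could compute a role, and the later "$vlanName" warning and "No parameter Vlan found" line are consistent with an empty role name being looked up (the parameter name that fails is just "Vlan"), rather than with a missing VLAN entry in switches.conf.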
