You can see that it does not match your AD rule.

I don't know if it's a problem because of the long sAMAccountName.

Thanks,

Ludovic Zammit
Product Support Engineer Principal

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142
Connect with Us:         <https://community.akamai.com/>  
<http://blogs.akamai.com/>  <https://twitter.com/akamai>  
<http://www.facebook.com/AkamaiTechnologies>  
<http://www.linkedin.com/company/akamai-technologies>  
<http://www.youtube.com/user/akamaitechnologies?feature=results_main>
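The httpd.aaa log lines and the pftest output quoted further down in this thread show the failure shape being discussed: the request's realm resolves to an empty authentication-source list, so the AD source is never consulted, and the node ends up registered with an undefined role and VLAN. As an added example (not code from PacketFence, and not from anyone in this thread), the Python script below runs over constructed log lines of the same shape as those quoted, groups them per MAC, and flags three things: a realm with no sources, an undefined computed role, and a username longer than the 20-character sAMAccountName limit that Active Directory enforces for user accounts (a documented AD limit, not something stated in the thread). The second device, its username, role name and VLAN are invented for contrast.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Active Directory caps sAMAccountName for user objects at 20 characters
# (a documented AD limit). A longer username cannot be any user's
# sAMAccountName, so an AD rule keyed on that attribute will never match it.
SAM_ACCOUNT_NAME_MAX = 20

# Constructed sample log, modelled on the httpd.aaa lines quoted in the thread.
# The second device (…:99, "phone-0126", role "voice", VLAN 4) is invented.
SAMPLE_LOG = """\
Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) INFO: [mac:00:0c:ab:63:30:86] handling radius autz request: from switch_ip => (10.153.1.249), connection_type => Ethernet-EAP,switch_mac => (e8:e7:32:a6:fd:5e), mac => [00:0c:ab:63:30:86], port => 77, username => "SCTL-2D2SS0-G00-COCU02-INT-005" (pf::radius::authorize)
Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) INFO: [mac:00:0c:ab:63:30:86] Found authentication source(s) : '' for realm 'null' (pf::config::util::filter_authentication_sources)
Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) INFO: [mac:00:0c:ab:63:30:86] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Feb  1 17:14:10 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1242) INFO: [mac:00:0c:ab:63:30:99] handling radius autz request: from switch_ip => (10.153.1.249), connection_type => Ethernet-EAP,switch_mac => (e8:e7:32:a6:fd:5e), mac => [00:0c:ab:63:30:99], port => 78, username => "phone-0126" (pf::radius::authorize)
Feb  1 17:14:10 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1242) INFO: [mac:00:0c:ab:63:30:99] Found authentication source(s) : 'msad_vlan_4_2g4_services' for realm 'null' (pf::config::util::filter_authentication_sources)
Feb  1 17:14:10 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1242) INFO: [mac:00:0c:ab:63:30:99] PID: "phone-0126", Status: reg Returned VLAN: (4), Role: (voice) (pf::role::fetchRoleForNode)
"""

RE_AUTZ = re.compile(
    r'\[mac:([0-9a-f:]{17})\] handling radius autz request: .*?username => "([^"]*)"')
RE_SOURCES = re.compile(
    r"\[mac:([0-9a-f:]{17})\] Found authentication source\(s\) : '([^']*)' for realm '([^']*)'")
RE_ROLE = re.compile(
    r'\[mac:([0-9a-f:]{17})\] PID: "([^"]*)", Status: (\w+) Returned VLAN: \(([^)]*)\), Role: \(([^)]*)\)')


@dataclass
class AutzRecord:
    """What one RADIUS authorization told us about a single MAC."""
    mac: str
    username: str = ""
    realm: str = ""
    sources: List[str] = field(default_factory=list)
    status: str = ""
    vlan: str = ""
    role: str = ""


def parse_httpd_aaa(text: str) -> Dict[str, AutzRecord]:
    """Group the three interesting httpd.aaa line types by MAC address."""
    records: Dict[str, AutzRecord] = {}
    for line in text.splitlines():
        m = RE_AUTZ.search(line)
        if m:
            records.setdefault(m.group(1), AutzRecord(m.group(1))).username = m.group(2)
            continue
        m = RE_SOURCES.search(line)
        if m:
            rec = records.setdefault(m.group(1), AutzRecord(m.group(1)))
            rec.realm = m.group(3)
            # An empty quoted list ('') means no source is attached to the realm.
            rec.sources = [s.strip() for s in m.group(2).split(",") if s.strip()]
            continue
        m = RE_ROLE.search(line)
        if m:
            rec = records.setdefault(m.group(1), AutzRecord(m.group(1)))
            rec.status, rec.vlan, rec.role = m.group(3), m.group(4), m.group(5)
    return records


def findings(rec: AutzRecord) -> List[str]:
    """Explain, per MAC, why a role could not have been assigned."""
    out: List[str] = []
    if not rec.sources:
        out.append(f"realm '{rec.realm}' resolved to no authentication source; "
                   f"the AD rules were never evaluated for this request")
    if rec.role == "undefined":
        out.append("no role computed; node left registered with an undefined role and VLAN")
    if len(rec.username) > SAM_ACCOUNT_NAME_MAX:
        out.append(f"username is {len(rec.username)} characters, over the "
                   f"{SAM_ACCOUNT_NAME_MAX}-character sAMAccountName limit; an AD rule "
                   f"matching on sAMAccountName cannot hit, match on cn or userPrincipalName")
    return out


if __name__ == "__main__":
    for rec in parse_httpd_aaa(SAMPLE_LOG).values():
        print(f"{rec.mac} {rec.username!r} role={rec.role!r}")
        for f in findings(rec) or ["ok"]:
            print("  -", f)
```

Run it against a real /usr/local/pf/logs/httpd.aaa.log by replacing SAMPLE_LOG with the file contents; the first finding is the one to fix in the realm configuration before looking at the rules themselves, since no rule can match when the realm has no source.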

> On Feb 1, 2022, at 11:33 AM, Leon Pinto <leon.pi...@ilanzme.com> wrote:
> 
> Hello,
>  
> Thanks for your response. The result is below. It seems like it is authenticating 
> against the 'null' source and not the AD source I expected it to. Did I miss some 
> configuration? Thanks for all your support.
>  
> root@packetfence11:/usr/local/bin# /usr/local/pf/bin/pftest authentication SCTL-2D2SS0-G00-COCU02-INT-005
> Testing authentication for "SCTL-2D2SS0-G00-COCU02-INT-005"
>  
> Authenticating against 'local' in context 'admin'
>   Authentication FAILED against local (Invalid login or password)
>   Did not match against local for 'authentication' rules
>   Did not match against local for 'administration' rules
>  
> Authenticating against 'local' in context 'portal'
>   Authentication FAILED against local (Invalid login or password)
>   Did not match against local for 'authentication' rules
>   Did not match against local for 'administration' rules
>  
> Authenticating against 'file1' in context 'admin'
>   Authentication FAILED against file1 (Invalid login or password)
>   Did not match against file1 for 'authentication' rules
>   Did not match against file1 for 'administration' rules
>  
> Authenticating against 'file1' in context 'portal'
>   Authentication FAILED against file1 (Invalid login or password)
>   Did not match against file1 for 'authentication' rules
>   Did not match against file1 for 'administration' rules
>  
> Authenticating against 'sms' in context 'admin'
>   Authentication FAILED against sms (Invalid login or password)
>   Matched against sms for 'authentication' rule catchall
>     set_role : guest
>     set_access_duration : 1D
>   Did not match against sms for 'administration' rules
>  
> Authenticating against 'sms' in context 'portal'
>   Authentication FAILED against sms (Invalid login or password)
>   Matched against sms for 'authentication' rule catchall
>     set_role : guest
>     set_access_duration : 1D
>   Did not match against sms for 'administration' rules
>  
> Authenticating against 'email' in context 'admin'
>   Authentication SUCCEEDED against email ()
>   Matched against email for 'authentication' rule catchall
>     set_role : guest
>     set_access_duration : 1D
>   Did not match against email for 'administration' rules
>  
> Authenticating against 'email' in context 'portal'
>   Authentication SUCCEEDED against email ()
>   Matched against email for 'authentication' rule catchall
>     set_role : guest
>     set_access_duration : 1D
>   Did not match against email for 'administration' rules
>  
> Authenticating against 'sponsor' in context 'admin'
>   Authentication SUCCEEDED against sponsor ()
>   Matched against sponsor for 'authentication' rule catchall
>     set_role : guest
>     set_access_duration : 1D
>   Did not match against sponsor for 'administration' rules
>  
> Authenticating against 'sponsor' in context 'portal'
>   Authentication SUCCEEDED against sponsor ()
>   Matched against sponsor for 'authentication' rule catchall
>     set_role : guest
>     set_access_duration : 1D
>   Did not match against sponsor for 'administration' rules
>  
> Authenticating against 'null' in context 'admin'
>   Authentication SUCCEEDED against null ()
>   Matched against null for 'authentication' rule catchall
>     set_role : guest
>     set_access_duration : 1D
>   Did not match against null for 'administration' rules
>  
> Authenticating against 'null' in context 'portal'
>   Authentication SUCCEEDED against null ()
>   Matched against null for 'authentication' rule catchall
>     set_role : guest
>     set_access_duration : 1D
>   Did not match against null for 'administration' rules
>  
> Authenticating against 'msad_vlan_4_2g4_services' in context 'admin'
>   Authentication FAILED against msad_vlan_4_2g4_services (Invalid login or password)
>   Did not match against msad_vlan_4_2g4_services for 'authentication' rules
>   Did not match against msad_vlan_4_2g4_services for 'administration' rules
>  
> Authenticating against 'msad_vlan_4_2g4_services' in context 'portal'
>   Authentication FAILED against msad_vlan_4_2g4_services (Invalid login or password)
>   Did not match against msad_vlan_4_2g4_services for 'authentication' rules
>   Did not match against msad_vlan_4_2g4_services for 'administration' rules
>  
>  
>  
> <image001.png>
>  
> From: Zammit, Ludovic <luza...@akamai.com> 
> Sent: Tuesday, February 1, 2022 8:15 PM
> To: Leon Pinto <leon.pi...@ilanzme.com>
> Cc: packetfence-users@lists.sourceforge.net
> Subject: Re: [PacketFence-users] Roles not assigned to certain types of users 
> - EAP TLS
>  
> Run that command:
>  
> /usr/local/bin/pftest authentication SCTL-2D2SS0-G00-COCU02-INT-005 ""
>  
> Show me the result.
>  
> Thanks,
>  
> Ludovic Zammit
> Product Support Engineer Principal
> 
>> On Feb 1, 2022, at 8:50 AM, Leon Pinto <leon.pi...@ilanzme.com 
>> <mailto:leon.pi...@ilanzme.com>> wrote:
>>  
>> Hello,
>>  
>> Thanks for all your responses. Now, after a power failure, I can see that 
>> none of the devices are getting the correct role. I suspect that PacketFence is 
>> not able to understand the username of the device, though the username is to 
>> be resolved from the CN of the EAP-TLS certificate, which matches the 
>> account in AD. My authentication source is Microsoft AD. The switch is 
>> an Alcatel 6450.
>>  
>> The possible attributes for the username in my AD are as below in the 
>> authentication sources:
>>  
>> <image004.jpg>
>>  
>> I am going in circles with what could be the reason why the system is not 
>> able to understand the username to assign it the correct role.
>>  
>> The logs are as below and I see some warnings. I can't understand what it 
>> means by uninitialized values in $role, etc.
>>  
>> Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) 
>> INFO: [mac:00:0c:ab:63:30:86] handling radius autz request: from switch_ip 
>> => (10.153.1.249), connection_type => Ethernet-EAP,switch_mac => 
>> (e8:e7:32:a6:fd:5e), mac => [00:0c:ab:63:30:86], port => 77, username => 
>> "SCTL-2D2SS0-G00-COCU02-INT-005" (pf::radius::authorize)
>> Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) 
>> INFO: [mac:00:0c:ab:63:30:86] Instantiate profile cp_vlan_4_2g4 
>> (pf::Connection::ProfileFactory::_from_profile)
>> Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) 
>> INFO: [mac:00:0c:ab:63:30:86] Found authentication source(s) : '' for realm 
>> 'null' (pf::config::util::filter_authentication_sources)
>> Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) 
>> INFO: [mac:00:0c:ab:63:30:86] No rules matches or no category defined for 
>> the node, set it as unreg. (pf::role::getNodeInfoForAutoReg)
>> Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) 
>> WARN: [mac:00:0c:ab:63:30:86] No category computed for autoreg 
>> (pf::role::getNodeInfoForAutoReg)
>> Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) 
>> INFO: [mac:00:0c:ab:63:30:86] Found authentication source(s) : '' for realm 
>> 'null' (pf::config::util::filter_authentication_sources)
>> Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) 
>> INFO: [mac:00:0c:ab:63:30:86] Role has already been computed and we don't 
>> want to recompute it. Getting role from node_info 
>> (pf::role::getRegisteredRole)
>> Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) 
>> WARN: [mac:00:0c:ab:63:30:86] Use of uninitialized value $role in 
>> concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489.
>> Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) 
>> INFO: [mac:00:0c:ab:63:30:86] Username was NOT defined or unable to match a 
>> role - returning node based role '' (pf::role::getRegisteredRole)
>> Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) 
>> INFO: [mac:00:0c:ab:63:30:86] PID: "default", Status: reg Returned VLAN: 
>> (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
>> Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) 
>> WARN: [mac:00:0c:ab:63:30:86] Use of uninitialized value $vlanName in hash 
>> element at /usr/local/pf/lib/pf/Switch.pm line 633.
>> Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) 
>> WARN: [mac:00:0c:ab:63:30:86] Use of uninitialized value $name in exists at 
>> /usr/local/pf/lib/pf/Switch.pm line 667.
>> Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) 
>> WARN: [mac:00:0c:ab:63:30:86] Use of uninitialized value $vlanName in 
>> concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 640.
>> Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) 
>> WARN: [mac:00:0c:ab:63:30:86] No parameter Vlan found in conf/switches.conf 
>> for the switch 10.153.1.249 (pf::Switch::getVlanByName)
>> Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) 
>> INFO: [mac:00:0c:ab:63:30:86] security_event 1300003 force-closed for 
>> 00:0c:ab:63:30:86 (pf::security_event::security_event_force_close)
>> Feb  1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) 
>> INFO: [mac:00:0c:ab:63:30:86] Instantiate profile cp_vlan_4_2g4 
>> (pf::Connection::ProfileFactory::_from_profile)
>>  
>> As far as I can see, the role is correctly configured and so is the switch.
>>  
>> Roles
>>  
>> <image018.jpg>
>>  
>> <image020.jpg>
>>  
>> Authentication Rule
>>  
>> <image021.jpg>
>> The RADIUS response shows the correct username, as far as I can see.
>>  
>> <image022.jpg>
>>  
>> <image024.jpg>
>>  
>> User definition in AD
>>  
>> <image025.jpg>               <image026.jpg>
>>  
>> switches.conf also seems to have the correct VLAN entries.
>>  
>> <image031.jpg>
>> I would sincerely appreciate it if someone could help with where I could be going 
>> wrong with this. At this moment, I am lost as to what I might be missing.
>>  
>> Thanks for all your support.
>>  
>> <image036.png>
>>  
>> From: Leon Pinto via PacketFence-users 
>> <packetfence-users@lists.sourceforge.net 
>> <mailto:packetfence-users@lists.sourceforge.net>> 
>> Sent: Monday, January 31, 2022 11:21 PM
>> To: 'Zammit, Ludovic' <luza...@akamai.com <mailto:luza...@akamai.com>>; 
>> packetfence-users@lists.sourceforge.net 
>> <mailto:packetfence-users@lists.sourceforge.net>
>> Cc: Leon Pinto <leon.pi...@ilanzme.com <mailto:leon.pi...@ilanzme.com>>
>> Subject: Re: [PacketFence-users] Roles not assigned to certain types of 
>> users - EAP TLS
>>  
>> Hello,
>>  
>> Thanks a lot for your response.
>>  
>> All our screenshots, logs etc. are in the attached docs.
>>  
>> Also, as below:
>>  
>> SCTL-2D2SS0-P02-HVR-OS15-026 -> the case for which no VLAN/role is assigned.
>>  
>> SCTL-2D2SS0-G00-COCU02-INT-005 -> the case for which the correct VLAN/role is 
>> assigned.
>>  
>> <image037.png>
>>  
>>  
>> SCTL-2D2SS0-P02-HVR-OS15-026 -> the case for which no VLAN/role is assigned 
>> (RADIUS response)
>>  
>> <image038.png>
>>  
>> <image039.jpg>
>>  
>> SCTL-2D2SS0-G00-COCU02-INT-005 -> the case for which the correct VLAN/role is 
>> assigned (RADIUS response)
>>  
>> <image043.png>
>> <image044.png>
>>  
>> <image045.png>
>>  
>> From: Zammit, Ludovic <luza...@akamai.com <mailto:luza...@akamai.com>> 
>> Sent: Monday, January 31, 2022 10:45 PM
>> To: packetfence-users@lists.sourceforge.net 
>> <mailto:packetfence-users@lists.sourceforge.net>
>> Cc: Leon Pinto <leon.pi...@ilanzme.com <mailto:leon.pi...@ilanzme.com>>
>> Subject: Re: [PacketFence-users] Roles not assigned to certain types of 
>> users - EAP TLS
>>  
>> Hello Leon,
>>  
>> What's the RADIUS reply in the Auditing tab of the PacketFence web page for 
>> those two authentications?
>>  
>> Thanks,
>>  
>> Ludovic Zammit
>> Product Support Engineer Principal
>> 
>>> On Jan 31, 2022, at 10:33 AM, Leon Pinto via PacketFence-users 
>>> <packetfence-users@lists.sourceforge.net 
>>> <mailto:packetfence-users@lists.sourceforge.net>> wrote:
>>>  
>>> Hello community,
>>>  
>>> We have a PacketFence installation where the authentication source is an 
>>> Active Directory set up for telephony 802.1X authentication based on 
>>> EAP-TLS.
>>>  
>>> The version is 11.1, with an Alcatel 6450 switch for 802.1X.
>>>  
>>> Problem description
>>> In our scenario, PacketFence is used to assign the proper VLAN to 
>>> authenticated/registered phones, and this works fine for one type of device 
>>> with certificates from the local PKI. Another type of device from the 
>>> same PKI is authenticated and registered, but they don't get the correct 
>>> role as expected.
>>>  
>>> Refer to the end result below:
>>>  
>>> <image002.png>
>>>  
>>> The 01/26 gets the correct VLAN (VLAN 4) as configured in the role.
>>> The 01/28 does not get the correct VLAN (VLAN 4) as configured in the role.
>>>  
>>> <image004.png>
>>>  
>>> I tried using other attributes like SPN, UPN etc., but we still have the 
>>> same issue as above.
>>>  
>>> All configuration screenshots, logs, RADIUS response etc. are in the 
>>> attached file. Any help is welcome.
>>>  
>>> <image005.png>
>>>  
>>> <Packet Fence - Problem scenario.docx>
>>> _______________________________________________
>>> PacketFence-users mailing list
>>> PacketFence-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users

Attachment: smime.p7s
Description: S/MIME cryptographic signature
