Hi Ludovic

I also saw an interesting command that you were sharing with Leon in his issues, 
and I decided to run it to see if it gave any clues. As you will see in the 
highlighted section, in the context of the portal the authentication succeeds. 
However, it appears we might be hitting another source that is failing and not 
moving through to test the others. Is this a bug? If so, I am happy to raise it 
in the GitHub for the dev team to review.

Output:

/usr/local/pf/bin/pftest authentication simon.sutcli...@rhdhv.com *****************
Testing authentication for simon.sutcli...@rhdhv.com

Authenticating against 'local' in context 'admin'
  Authentication FAILED against local (Invalid login or password)
  Did not match against local for 'authentication' rules
  Did not match against local for 'administration' rules

Authenticating against 'local' in context 'portal'
  Authentication FAILED against local (Invalid login or password)
  Did not match against local for 'authentication' rules
  Did not match against local for 'administration' rules

Authenticating against 'CorporaterootAuth' in context 'admin'
  Authentication SUCCEEDED against CorporaterootAuth (Authentication successful.)
  Matched against CorporaterootAuth for 'authentication' rule catchall
    set_role : Staff
    set_access_duration : 1D
  Did not match against CorporaterootAuth for 'administration' rules

Authenticating against 'CorporaterootAuth' in context 'portal'
  Authentication SUCCEEDED against CorporaterootAuth (Authentication successful.)
  Matched against CorporaterootAuth for 'authentication' rule catchall
    set_role : Staff
    set_access_duration : 1D
  Did not match against CorporaterootAuth for 'administration' rules

Authenticating against 'RHDHV-Guest' in context 'admin'
  Authentication FAILED against RHDHV-Guest (Invalid login or password)
  Matched against RHDHV-Guest for 'authentication' rule catchall
    set_role : guest
    set_access_duration : 1h
  Did not match against RHDHV-Guest for 'administration' rules

Authenticating against 'RHDHV-Guest' in context 'portal'
  Authentication FAILED against RHDHV-Guest (Invalid login or password)
  Matched against RHDHV-Guest for 'authentication' rule catchall
    set_role : guest
    set_access_duration : 1h
  Did not match against RHDHV-Guest for 'administration' rules

Authenticating against 'corporateroot-TLS' in context 'admin'
  Authentication FAILED against corporateroot-TLS (Invalid login or password)
  Matched against corporateroot-TLS for 'authentication' rule Catchall
    set_role : User
    set_access_duration : 1D
  Did not match against corporateroot-TLS for 'administration' rules

Authenticating against 'corporateroot-TLS' in context 'portal'
  Authentication FAILED against corporateroot-TLS (Invalid login or password)
  Matched against corporateroot-TLS for 'authentication' rule Catchall
    set_role : User
    set_access_duration : 1D
  Did not match against corporateroot-TLS for 'administration' rules

Authenticating against 'file1' in context 'admin'
  Authentication FAILED against file1 (Invalid login or password)
  Did not match against file1 for 'authentication' rules
  Did not match against file1 for 'administration' rules

Authenticating against 'file1' in context 'portal'
  Authentication FAILED against file1 (Invalid login or password)
  Did not match against file1 for 'authentication' rules
  Did not match against file1 for 'administration' rules

Authenticating against 'AzureAD_Corporateroot_OpenID' in context 'admin'
  Authentication FAILED against AzureAD_Corporateroot_OpenID (Invalid login or password)
  Did not match against AzureAD_Corporateroot_OpenID for 'authentication' rules
  Did not match against AzureAD_Corporateroot_OpenID for 'administration' rules

Authenticating against 'AzureAD_Corporateroot_OpenID' in context 'portal'
  Authentication FAILED against AzureAD_Corporateroot_OpenID (Invalid login or password)
  Did not match against AzureAD_Corporateroot_OpenID for 'authentication' rules
  Did not match against AzureAD_Corporateroot_OpenID for 'administration' rules
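One way to read the pftest output above without eyeballing every block, as an added example (not PacketFence's own code): parse it and list only the sources whose credential check succeeded in a chosen context, which in the quoted run is CorporaterootAuth alone for 'portal'. The sample text is a constructed excerpt modelled on the output above.

```python
"""Summarise `pftest authentication` output: which sources would actually admit
the login in a given context, and the role/duration their matched rule applies."""
import re

# Constructed excerpt in the shape of the pftest output quoted above.
SAMPLE = """\
Authenticating against 'local' in context 'portal'
  Authentication FAILED against local (Invalid login or password)
  Did not match against local for 'authentication' rules

Authenticating against 'CorporaterootAuth' in context 'portal'
  Authentication SUCCEEDED against CorporaterootAuth (Authentication successful.)
  Matched against CorporaterootAuth for 'authentication' rule catchall
    set_role : Staff
    set_access_duration : 1D

Authenticating against 'RHDHV-Guest' in context 'portal'
  Authentication FAILED against RHDHV-Guest (Invalid login or password)
  Matched against RHDHV-Guest for 'authentication' rule catchall
    set_role : guest
    set_access_duration : 1h
"""

HEADER = re.compile(r"Authenticating against '([^']+)' in context '([^']+)'")
RESULT = re.compile(r"Authentication (SUCCEEDED|FAILED) against")
RULE = re.compile(r"Matched against \S+ for '([^']+)' rule (\S+)")  # not "Did not match"
ACTION = re.compile(r"(set_\w+) : (\S+)")


def parse_pftest(text):
    """Return {(source, context): {"ok": bool, "rules": {class: {"rule", "actions"}}}}."""
    results, cur, rule_class = {}, None, None
    for line in text.splitlines():
        if m := HEADER.search(line):          # start of one source/context block
            cur = results.setdefault((m[1], m[2]), {"ok": False, "rules": {}})
            rule_class = None
        elif m := RESULT.search(line):        # the credential check itself
            cur["ok"] = m[1] == "SUCCEEDED"
        elif m := RULE.search(line):          # rule class ('authentication', ...) and rule name
            rule_class = m[1]
            cur["rules"][rule_class] = {"rule": m[2], "actions": {}}
        elif (m := ACTION.search(line)) and rule_class:   # set_role / set_access_duration
            cur["rules"][rule_class]["actions"][m[1]] = m[2]
    return results


def admitting_sources(results, context):
    """Sources whose credential check SUCCEEDED in `context`, with their 'authentication'
    rule actions. A FAILED source with a matched catchall rule (RHDHV-Guest) admits nobody."""
    return {src: r["rules"].get("authentication", {}).get("actions", {})
            for (src, ctx), r in results.items() if ctx == context and r["ok"]}
```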



Royal HaskoningDHV - Internal Use Only
From: Simon Sutcliffe via PacketFence-users <packetfence-users@lists.sourceforge.net>
Sent: 01 February 2022 16:52
To: Zammit, Ludovic <luza...@akamai.com>; packetfence-users@lists.sourceforge.net
Cc: Simon Sutcliffe <simon.sutcli...@rhdhv.com>; Mahesh Veerappa <mahesh.veera...@rhdhv.com>; Raghuram Kuricheti <raghuram.kurich...@rhdhv.com>
Subject: Re: [PacketFence-users] Understanding Status Page Authentication Problem - First logon works, subsequent attempts fail


Thanks for the quick reply Ludovic,

However, let me quickly summarise the information below.

AD connection. Working fine.

First logon works using the UPN simon.sutcli...@rhdhv.com and we see PF query the DC.
PF created a user simon.sutcli...@rhdhv.com.
Second logon fails and PF does not query the DC.

If I then use the SamAccountName 301...@corporateroot.net of the user 
simon.sutcli...@rhdhv.com, the logon succeeds and we see PF query the DC (PF 
strips the @corporateroot.net).
PF creates the user 301...@corporateroot.net.
Second attempt to logon with 301...@corporateroot.net fails and PF does not 
query the DC.

If I then use 301571, the actual SamAccountName of the user, the logon works and 
we see PF query the DC.
PF creates a user 301571.
Second logon with 301571 fails and PF does not query the DC.

Hope that helps. All the text below just gives you the settings we have in the 
various places we feel might have an impact.

Seen the issue before, we cannot believe this is a bug but just something we 
are missing.

Kind Regards

Simon

Simon Sutcliffe
IT Architect, Workplace Solutions
T +44 1733 336600 | M +44 7775 823368 | E simon.sutcli...@rhdhv.com | W www.royalhaskoningdhv.com
HaskoningDHV UK Ltd., a company of Royal HaskoningDHV | Rightwell House, Bretton, Peterborough PE3 8DW, United Kingdom






From: Zammit, Ludovic <luza...@akamai.com>
Sent: 01 February 2022 16:32
To: packetfence-users@lists.sourceforge.net
Cc: Simon Sutcliffe <simon.sutcli...@rhdhv.com>; Mahesh Veerappa <mahesh.veera...@rhdhv.com>; Raghuram Kuricheti <raghuram.kurich...@rhdhv.com>
Subject: Re: [PacketFence-users] Understanding Status Page Authentication Problem - First logon works, subsequent attempts fail

Hello Simon,

Quickly, it looks like a mismatch on the usernames.

bob is different from b...@domain.com

My guess is that when you log in on the status page it splits your name and you 
have no device under the user “simon”.

Thanks,

Ludovic Zammit
Product Support Engineer Principal
Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

On Feb 1, 2022, at 11:06 AM, Simon Sutcliffe via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Hi PF Team

Does anyone have any ideas to the below issue please?

As much as, as a team, we are coming to love and understand PacketFence, there 
seem to be times (most days) when we just cannot understand what is happening 
and why. Today is one of those days 😊

We have got to the point of most of our use cases working with your great 
support on this mailing list, and we feel a little embarrassed to even write 
this one as we know we are just doing something stupid.

Problem – First logon works, subsequent attempts fail.

This is our setup for background.

Authentication Source - Active Directory (interesting parts)

Identifier
<image002.png>

Search Criteria
<image003.png>

No cache enabled
<image010.png>

Assigned Realms
<image015.png>

Testing Connection to AD works without issues
<image016.png>

Connection Profile – Defined so it does not fall blindly into the “default profile”
<image017.png>

Access to the connection profile controlled by this filter
<image018.png>

Authentication Sources Applied
<image019.png>

Only connection profile provided with the Self Service Policy
<image020.png>

Logon Workflow.

Logon with UPN of an account in the AD

https://nac-test.corporateroot.net/status

<image021.png>

Successful logon

<image022.png>

Packetfence Log Info

Jan 28 16:02:36 packetfence packetfence_httpd.portal[2104085]: httpd.portal(2104085) INFO: [mac:0] Realm source is part of the connection profile sources. Using it as the only auth source. (captiveportal::PacketFence::Controller::Authenticate::getSources)
Jan 28 16:02:36 packetfence packetfence_httpd.portal[2104085]: httpd.portal(2104085) INFO: [mac:0] [CorporaterootAuth] Authentication successful for simon.sutcli...@rhdhv.com (pf::Authentication::Source::LDAPSource::authenticate)
Jan 28 16:02:36 packetfence packetfence_httpd.portal[2104085]: httpd.portal(2104085) INFO: [mac:0] Authentication successful for simon.sutcli...@rhdhv.com in source CorporaterootAuth (AD) (pf::authentication::authenticate)
Jan 28 16:02:36 packetfence packetfence_httpd.portal[2104085]: httpd.portal(2104085) INFO: [mac:0] person simon.sutcli...@rhdhv.com added (pf::person::person_add)
Jan 28 16:02:36 packetfence packetfence_httpd.portal[2104085]: httpd.portal(2104085) INFO: [mac:0] Successfully authenticated simon.sutcli...@rhdhv.com/10.251.41.29/0 (captiveportal::PacketFence::Controller::Authenticate::authenticationLogin)


User account created within users

<image023.png>
Press Logout, and attempt to logon again.

<image024.png>

Logon Fails.

Packetfence log info

Jan 28 16:04:11 packetfence packetfence_httpd.portal[2103908]: httpd.portal(2103908) INFO: [mac:0] Realm source is part of the connection profile sources. Using it as the only auth source. (captiveportal::PacketFence::Controller::Authenticate::getSources)

Additional Information

If we now logon as the SamAccountName of the account above, this allows us to 
logon once, creates an account, and then never again. Hence every uniquely named 
account can access successfully once, and the account appears in the users 
list. On the domain controller we only see the first authentication request 
but never another for the account. Deleting the account in the users list 
allows the account to logon again once.

We initially thought this was because the users list was being used as an 
authentication source and the password was “Blank”. We created an account 
directly within the users list using the create button and provided a password, 
but found these accounts can also not logon to the status portal (however they 
could logon to the admin portal if we gave them the required permissions).

We have a feature request in place in GitHub to allow OpenID logon for the 
status page, as we want to remove usernames and passwords from our organisation. 
But to get through the lab for now we cannot even get this bit to work.

Help please, can you guide us to the thing we have missed or misconfigured / 
misunderstood, as this is also driving us mad. If you require more information 
then please let me know.

Kind Regards

Simon


Simon Sutcliffe
IT Architect, Workplace Solutions
T +44 1733 336600 | M +44 7775 823368 | E simon.sutcli...@rhdhv.com | W www.royalhaskoningdhv.com
HaskoningDHV UK Ltd., a company of Royal HaskoningDHV



_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
