Hello Simon, You are probably correct, it looks like a bug because the correct source is selected but it does not match, please raise a bug into our GitHub and we will check it out.
Thanks, Ludovic Zammit Product Support Engineer Principal Cell: +1.613.670.8432 Akamai Technologies - Inverse 145 Broadway Cambridge, MA 02142 Connect with Us: <https://community.akamai.com/> <http://blogs.akamai.com/> <https://twitter.com/akamai> <http://www.facebook.com/AkamaiTechnologies> <http://www.linkedin.com/company/akamai-technologies> <http://www.youtube.com/user/akamaitechnologies?feature=results_main> > On Feb 2, 2022, at 2:25 AM, Simon Sutcliffe <simon.sutcli...@rhdhv.com> wrote: > > Hi Ludovic > > I also saw an interesting command that you was sharing with Leon in his > issues and I decided to run that to see if it gave any clues. As you will > see in the highlighted section in the context of the portal the > authentication succeeds. However it appears we might be hitting another > source it failing and not moving through to test the others. Is this a bug. > If so I am happy to raise it within the Github for the dev team to review? > > Output. > > /usr/local/pf/bin/pftest authentication simon.sutcli...@rhdhv.com > <mailto:simon.sutcli...@rhdhv.com> ***************** > Testing authentication for simon.sutcli...@rhdhv.com > <mailto:simon.sutcli...@rhdhv.com> > > Authenticating against 'local' in context 'admin' > Authentication FAILED against local (Invalid login or password) > Did not match against local for 'authentication' rules > Did not match against local for 'administration' rules > > Authenticating against 'local' in context 'portal' > Authentication FAILED against local (Invalid login or password) > Did not match against local for 'authentication' rules > Did not match against local for 'administration' rules > > Authenticating against 'CorporaterootAuth' in context 'admin' > Authentication SUCCEEDED against CorporaterootAuth (Authentication > successful.) > Matched against CorporaterootAuth for 'authentication' rule catchall > set_role : Staff > set_access_duration : 1D > Did not match against CorporaterootAuth for 'administration' rules > > Authenticating against 'CorporaterootAuth' in context 'portal' > Authentication SUCCEEDED against CorporaterootAuth (Authentication > successful.) > Matched against CorporaterootAuth for 'authentication' rule catchall > set_role : Staff > set_access_duration : 1D > Did not match against CorporaterootAuth for 'administration' rules > > Authenticating against 'RHDHV-Guest' in context 'admin' > Authentication FAILED against RHDHV-Guest (Invalid login or password) > Matched against RHDHV-Guest for 'authentication' rule catchall > set_role : guest > set_access_duration : 1h > Did not match against RHDHV-Guest for 'administration' rules > > Authenticating against 'RHDHV-Guest' in context 'portal' > Authentication FAILED against RHDHV-Guest (Invalid login or password) > Matched against RHDHV-Guest for 'authentication' rule catchall > set_role : guest > set_access_duration : 1h > Did not match against RHDHV-Guest for 'administration' rules > > Authenticating against 'corporateroot-TLS' in context 'admin' > Authentication FAILED against corporateroot-TLS (Invalid login or password) > Matched against corporateroot-TLS for 'authentication' rule Catchall > set_role : User > set_access_duration : 1D > Did not match against corporateroot-TLS for 'administration' rules > > Authenticating against 'corporateroot-TLS' in context 'portal' > Authentication FAILED against corporateroot-TLS (Invalid login or password) > Matched against corporateroot-TLS for 'authentication' rule Catchall > set_role : User > set_access_duration : 1D > Did not match against corporateroot-TLS for 'administration' rules > > Authenticating against 'file1' in context 'admin' > Authentication FAILED against file1 (Invalid login or password) > Did not match against file1 for 'authentication' rules > Did not match against file1 for 'administration' rules > > Authenticating against 'file1' in context 'portal' > Authentication FAILED against file1 (Invalid login or password) > Did not match against file1 for 'authentication' rules > Did not match against file1 for 'administration' rules > > Authenticating against 'AzureAD_Corporateroot_OpenID' in context 'admin' > Authentication FAILED against AzureAD_Corporateroot_OpenID (Invalid login > or password) > Did not match against AzureAD_Corporateroot_OpenID for 'authentication' > rules > Did not match against AzureAD_Corporateroot_OpenID for 'administration' > rules > > Authenticating against 'AzureAD_Corporateroot_OpenID' in context 'portal' > Authentication FAILED against AzureAD_Corporateroot_OpenID (Invalid login > or password) > Did not match against AzureAD_Corporateroot_OpenID for 'authentication' > rules > Did not match against AzureAD_Corporateroot_OpenID for 'administration' > rules > > > Royal HaskoningDHV - Internal Use Only > From: Simon Sutcliffe via PacketFence-users > <packetfence-users@lists.sourceforge.net > <mailto:packetfence-users@lists.sourceforge.net>> > Sent: 01 February 2022 16:52 > To: Zammit, Ludovic <luza...@akamai.com <mailto:luza...@akamai.com>>; > packetfence-users@lists.sourceforge.net > <mailto:packetfence-users@lists.sourceforge.net> > Cc: Simon Sutcliffe <simon.sutcli...@rhdhv.com > <mailto:simon.sutcli...@rhdhv.com>>; Mahesh Veerappa > <mahesh.veera...@rhdhv.com <mailto:mahesh.veera...@rhdhv.com>>; Raghuram > Kuricheti <raghuram.kurich...@rhdhv.com <mailto:raghuram.kurich...@rhdhv.com>> > Subject: Re: [PacketFence-users] Understanding Status Page Authentication > Problem - First logon works, subsequent attempts fail > > This message was sent from an e-mail domain unknown to Royal HaskoningDHV. > Please be cautious. > > Thanks for the quick reply Ludovic, > > However let me quickly summarises the information below. > > AD connection. Working fine. > > First logon works using the UPN simon.sutcli...@rhdhv.com > <mailto:simon.sutcli...@rhdhv.com> and we see the PF query the DC > PF created a user simon.sutcli...@rhdhv.com <mailto:simon.sutcli...@rhdhv.com> > Second logon fails and PF does not query the DC > > If I then use the SamAccountName 301...@corporateroot.net > <mailto:301...@corporateroot.net> of the usersimon.sutcli...@rhdhv.com > <mailto:simon.sutcli...@rhdhv.com> logons on successfully and we see PF query > the DC (The PF strips the @corporateroot.net) > PF creates the user 301...@corporateroot.net <mailto:301...@corporateroot.net> > Second attempt to logon with 301...@corporateroot.net > <mailto:301...@corporateroot.net> fails and PF does not query the DC. > > If I then use 301571 this actual SamAccountName of the user the logon works > and we see the PF query the DC > PF Creates a user 301571 > Second logon with 301571 fails and PF does not query the DC > > Hope that helps all the text below is just give you the settings we have in > the various places we feel might have an impact. > > Seen the issue before, we cannot believe this is a bug but just something we > are missing. > > Kind Regards > > Simon > > Simon Sutcliffe > IT Architect, Workplace Solutions > > T +44 1733 336600 | M +44 7775 823368 | E simon.sutcli...@rhdhv.com > <mailto:simon.sutcli...@rhdhv.com> | W www.royalhaskoningdhv.com > <https://urldefense.com/v3/__http://www.royalhaskoningdhv.com/__;!!GjvTz_vk!GLVQw9g5xCqjcZI9BpsAnLqOQ8CK0DZcfSfJ94hIb0V9Ejb6enqpvSeWZ6XWMQ$> > HaskoningDHV UK Ltd., a company of Royal HaskoningDHV | Rightwell House, > Bretton, Peterborough PE3 8DW, United Kingdom > > <image001.jpg> > > > > > Royal HaskoningDHV - Internal Use Only > From: Zammit, Ludovic <luza...@akamai.com <mailto:luza...@akamai.com>> > Sent: 01 February 2022 16:32 > To: packetfence-users@lists.sourceforge.net > <mailto:packetfence-users@lists.sourceforge.net> > Cc: Simon Sutcliffe <simon.sutcli...@rhdhv.com > <mailto:simon.sutcli...@rhdhv.com>>; Mahesh Veerappa > <mahesh.veera...@rhdhv.com <mailto:mahesh.veera...@rhdhv.com>>; Raghuram > Kuricheti <raghuram.kurich...@rhdhv.com <mailto:raghuram.kurich...@rhdhv.com>> > Subject: Re: [PacketFence-users] Understanding Status Page Authentication > Problem - First logon works, subsequent attempts fail > > Hello Simon, > > Quickly it looks like a mismatch on the usernames. > > bob is different from b...@domain.com <mailto:b...@domain.com> > > My guess is that when you login on the status page it splits your name and > you have no device under the user “simon” > > Thanks, > > Ludovic Zammit > Product Support Engineer Principal > > Cell: +1.613.670.8432 > Akamai Technologies - Inverse > 145 Broadway > Cambridge, MA 02142 > Connect with Us: > <https://community.akamai.com/> <http://blogs.akamai.com/> > <https://urldefense.com/v3/__https://twitter.com/akamai__;!!GjvTz_vk!GLVQw9g5xCqjcZI9BpsAnLqOQ8CK0DZcfSfJ94hIb0V9Ejb6enqpvScn0EasLw$> > > <https://urldefense.com/v3/__http://www.facebook.com/AkamaiTechnologies__;!!GjvTz_vk!GLVQw9g5xCqjcZI9BpsAnLqOQ8CK0DZcfSfJ94hIb0V9Ejb6enqpvSd2amfm6w$> > > <https://urldefense.com/v3/__http://www.linkedin.com/company/akamai-technologies__;!!GjvTz_vk!GLVQw9g5xCqjcZI9BpsAnLqOQ8CK0DZcfSfJ94hIb0V9Ejb6enqpvSfV96u8Jg$> > > <https://urldefense.com/v3/__http://www.youtube.com/user/akamaitechnologies?feature=results_main__;!!GjvTz_vk!GLVQw9g5xCqjcZI9BpsAnLqOQ8CK0DZcfSfJ94hIb0V9Ejb6enqpvSc6wQYHnA$> > > > > On Feb 1, 2022, at 11:06 AM, Simon Sutcliffe via PacketFence-users > <packetfence-users@lists.sourceforge.net > <mailto:packetfence-users@lists.sourceforge.net>> wrote: > > Hi PF Team > > Does anyone have any ideas to the below issue please? > > As much as a team was are becoming to love and understand PacketFence there > seems to be times (most days) when we just cannot understand what is > happening any why. Today is one of those days 😊 > > We have got to the point of most of our use cases working with your great > support on this mailing list and we feel a little embarrassed to even write > this one as we know we are just doing something stupid. > > Problem – First logon works, subsequent attempts fail. > > This is our setup for background. > > Authentication Source - Active Directory (Interesting parts) > > Identifier > > <image002.png> > > Search Criteria > <image003.png> > > No cache enabled > > <image010.png> > > Assigned Realms > <image015.png> > Testing Connection to AD works without issues > <image016.png> > > Connection Profile – Defined so it does not fall blindly into the “default > profile” > > <image017.png> > > Access to the connection profile controlled by this filter > > <image018.png> > > Authentication Sources Applied. > > <image019.png> > > Only connection profile provided with the Self Service Policy > > <image020.png> > > Logon Workflow. > > Logon with UPN of an account in the AD > > https://nac-test.corporateroot.net/status > <https://urldefense.com/v3/__https:/nac-test.corporateroot.net/status__;!!GjvTz_vk!AWS1RWAcdqOHDI8q5TRlb3Xayll1mEtIqPH1kny8qa1fnjO0MxvPEwgvD-ZjOnii$> > > <image021.png> > > Successful logon > > <image022.png> > > Packetfence Log Info > > Jan 28 16:02:36 packetfence packetfence_httpd.portal[2104085]: > httpd.portal(2104085) INFO: [mac:0] Realm source is part of the connection > profile sources. Using it as the only auth source. > (captiveportal::PacketFence::Controller::Authenticate::getSources) > Jan 28 16:02:36 packetfence packetfence_httpd.portal[2104085]: > httpd.portal(2104085) INFO: [mac:0] [CorporaterootAuth] Authentication > successful for simon.sutcli...@rhdhv.com > <mailto:simon.sutcli...@rhdhv.com>(pf::Authentication::Source::LDAPSource::authenticate) > Jan 28 16:02:36 packetfence packetfence_httpd.portal[2104085]: > httpd.portal(2104085) INFO: [mac:0] Authentication successful for > simon.sutcli...@rhdhv.com <mailto:simon.sutcli...@rhdhv.com> in source > CorporaterootAuth (AD) (pf::authentication::authenticate) > Jan 28 16:02:36 packetfence packetfence_httpd.portal[2104085]: > httpd.portal(2104085) INFO: [mac:0] person simon.sutcli...@rhdhv.com > <mailto:simon.sutcli...@rhdhv.com> added (pf::person::person_add) > Jan 28 16:02:36 packetfence packetfence_httpd.portal[2104085]: > httpd.portal(2104085) INFO: [mac:0] Successfully authenticated > simon.sutcli...@rhdhv.com/10.251.41.29/0 > <mailto:simon.sutcli...@rhdhv.com/10.251.41.29/0>(captiveportal::PacketFence::Controller::Authenticate::authenticationLogin) > > > User account created within users > > <image023.png> > > Press Logout, and attempt to logon again. > > <image024.png> > > Logon Fails. > > Packetfence log info > > Jan 28 16:04:11 packetfence packetfence_httpd.portal[2103908]: > httpd.portal(2103908) INFO: [mac:0] Realm source is part of the connection > profile sources. Using it as the only auth source. > (captiveportal::PacketFence::Controller::Authenticate::getSources) > > Additional Information > > If we now logon as the SamAccountName name of the account above this will > allow us to logon once, cerates an account and then never again. Hence every > unique named account can access successfully once, the account appears in the > users list. On the domain controller we only see the first authentication > request but never another for the account. Deleting the account in the users > list allows the account to logon again once. > > We initially thought this was because the users was being used as a > authentication source and the password was “Blank”. We create an account > directly within the users list using the create button and provide a password > but found these accounts can also not logon to the status portal (however > could logon to the admin portal if we gave them the required permissions). > > We have a feature request in place in GitHub to allow OpenID logon for the > status page as we want to remove username and passwords from our > orginisation. But to get though the lab for now we cannot even get this bit > to work. > > Help please, can you guide us to the thing we have missed our misconfigured \ > misunderstood as this is also driving us mad. If you require more > information then please let me know. > > Kind Regards > > Simon > > > Simon Sutcliffe > IT Architect, Workplace Solutions > > T +44 1733 336600 | M +44 7775 823368 | E simon.sutcli...@rhdhv.com > <mailto:simon.sutcli...@rhdhv.com> | W www.royalhaskoningdhv.com > <https://urldefense.com/v3/__http:/www.royalhaskoningdhv.com/__;!!GjvTz_vk!AWS1RWAcdqOHDI8q5TRlb3Xayll1mEtIqPH1kny8qa1fnjO0MxvPEwgvD4ixfDST$> > HaskoningDHV UK Ltd., a company of Royal HaskoningDHV > > <image025.jpg> > > > Royal HaskoningDHV - Internal Use Only > This email and any attachments are intended solely for the use of the > addressee(s); disclosure or copying by others than the intended person(s) is > strictly prohibited. If you have received this email in error, please treat > this email as confidential, notify the sender and delete all copies of the > email immediately > This email and any attachments are intended solely for the use of the > addressee(s); disclosure or copying by others than the intended person(s) is > strictly prohibited. If you have received this email in error, please treat > this email as confidential, notify the sender and delete all copies of the > email immediately _______________________________________________ > PacketFence-users mailing list > PacketFence-users@lists.sourceforge.net > <mailto:PacketFence-users@lists.sourceforge.net> > https://urldefense.com/v3/__https://lists.sourceforge.net/lists/listinfo/packetfence-users__;!!GjvTz_vk!AWS1RWAcdqOHDI8q5TRlb3Xayll1mEtIqPH1kny8qa1fnjO0MxvPEwgvD_gj2aed$ > > <https://urldefense.com/v3/__https:/lists.sourceforge.net/lists/listinfo/packetfence-users__;!!GjvTz_vk!AWS1RWAcdqOHDI8q5TRlb3Xayll1mEtIqPH1kny8qa1fnjO0MxvPEwgvD_gj2aed$> > > This email and any attachments are intended solely for the use of the > addressee(s); disclosure or copying by others than the intended person(s) is > strictly prohibited. If you have received this email in error, please treat > this email as confidential, notify the sender and delete all copies of the > email immediately > This email and any attachments are intended solely for the use of the > addressee(s); disclosure or copying by others than the intended person(s) is > strictly prohibited. If you have received this email in error, please treat > this email as confidential, notify the sender and delete all copies of the > email immediately
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users