I set up a test account, and that worked; however, I’d prefer to use this with Microsoft Authenticator. When I use that, I get these pertinent entries in the log:

Mar 22 11:30:17 cuvpfzen auth[2488]: (10) rest: ERROR: Server returned:
Mar 22 11:30:17 cuvpfzen auth[2488]: (10) rest: ERROR: {"control:PacketFence-Authorization-Status":"allow","Reply-Message":"Multi-Factor Authentication failed or triggered"}
Mar 22 11:30:17 cuvpfzen auth[2488]: [mac:] Rejected user: xxxxxxx
Mar 22 11:30:17 cuvpfzen auth[2488]: (10) Rejected in post-auth: [xxxxxxx] (from client 10.200.1.201/32 port 1)
Mar 22 11:30:17 cuvpfzen auth[2488]: (10) Login incorrect (rest: Server returned:): [xxxxxxx] (from client 10.200.1.201/32 port 1)
Mar 22 11:30:16 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) INFO: [mac:[undef]] handling radius autz request: from switch_ip => (10.200.1.201), connection_type => CLI-Access,switch_mac => (Unknown), mac => [0], port => 1, username => "xxxxxxx" (pf::radius::switch_access)
Mar 22 11:30:16 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) WARN: [mac:[undef]] Trying to match IP address with an invalid MAC address 'undef' (pf::ip4log::mac2ip)
Mar 22 11:30:16 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) INFO: [mac:[undef]] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Mar 22 11:30:16 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) INFO: [mac:[undef]] Found authentication source(s) : 'local,file1,CU_Employees' for realm 'null' (pf::config::util::filter_authentication_sources)
Mar 22 11:30:16 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) INFO: [mac:[undef]] MFA Pre Authentication (pf::radius::mfa_pre_auth)
Mar 22 11:30:16 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) INFO: [mac:[undef]] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Mar 22 11:30:16 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) INFO: [mac:[undef]] Found authentication source(s) : 'local,file1,CU_Employees' for realm 'null' (pf::config::util::filter_authentication_sources)
Mar 22 11:30:16 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) INFO: [mac:[undef]] Using sources local, file1, CU_Employees for matching (pf::authentication::match2)
Mar 22 11:30:16 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) WARN: [mac:[undef]] [CU_Employees MFA] Searching for (&(sAMAccountName=xxxxxxx)(memberOf=CN=<obscured group name>,CN=Users,DC=campbellsville,DC=edu)), from dc=campbellsville,dc=edu, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Mar 22 11:30:17 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) INFO: [mac:[undef]] Matched rule (MFA) in source CU_Employees, returning actions. (pf::Authentication::Source::match_rule)
Mar 22 11:30:17 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) INFO: [mac:[undef]] Matched rule (MFA) in source CU_Employees, returning actions. (pf::Authentication::Source::match)
Mar 22 11:30:17 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) ERROR: [mac:[undef]] unable to read password file '/usr/local/pf/conf/admin.conf' (pf::Authentication::Source::HtpasswdSource::authenticate)
Mar 22 11:30:17 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) INFO: [mac:[undef]] [CU_Employees] Authentication successful for xxxxxxx (pf::Authentication::Source::LDAPSource::authenticate)
Mar 22 11:30:17 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) INFO: [mac:[undef]] Authentication successful for xxxxxxx in source CU_Employees (AD) (pf::authentication::authenticate)
Mar 22 11:30:17 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) INFO: [mac:[undef]] MFA Post Authentication (pf::radius::mfa_post_auth)
Mar 22 11:30:17 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) INFO: [mac:[undef]] Using sources CU_Employees for matching (pf::authentication::match2)
Mar 22 11:30:17 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) WARN: [mac:[undef]] [CU_Employees MFA] Searching for (&(sAMAccountName=xxxxxxx)(memberOf=CN=<obscured group name>,CN=Users,DC=campbellsville,DC=edu)), from dc=campbellsville,dc=edu, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Mar 22 11:30:17 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) INFO: [mac:[undef]] Matched rule (MFA) in source CU_Employees, returning actions. (pf::Authentication::Source::match_rule)
Mar 22 11:30:17 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) INFO: [mac:[undef]] Matched rule (MFA) in source CU_Employees, returning actions. (pf::Authentication::Source::match)
Mar 22 11:30:17 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) WARN: [mac:[undef]] Use of uninitialized value $otp in pattern match (m//) at /usr/local/pf/lib/pf/mfa/TOTP.pm line 54. (pf::mfa::TOTP::check_user)
Mar 22 11:30:17 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) WARN: [mac:[undef]] Method not supported (pf::mfa::TOTP::check_user)

From: Zammit, Ludovic <luza...@akamai.com>
Sent: Tuesday, March 22, 2022 4:27 PM
To: packetfence-users@lists.sourceforge.net
Cc: Gibbs, Christopher <cmgi...@campbellsville.edu>
Subject: Re: [PacketFence-users] Configuring 11.x for use with Microsoft Authenticator

Hello Christopher,

Do you have a valid Akamai MFA account?

Thanks,

Ludovic Zammit
Product Support Engineer Principal
Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

On Mar 22, 2022, at 10:19 AM, Gibbs, Christopher via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Has anyone successfully done this? I’ve gone through the setup documentation at https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_mfa_integration, but I think I must be missing something. My RADIUS login works fine, but even though I have defined the actions as specified in the documentation, the MFA process does not appear to be triggered correctly. I’m sure I’ve missed something. Any ideas?

Chris Gibbs
Information Technology Infrastructure Manager
Campbellsville University

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users