On 06.03.2024 17:22, Zammit, Ludovic wrote:
Correct, I’m referring to the computer authentication mode on the windows supplicant setup.

All authentication interactions would be logged into /usr/local/pf/logs/packetfence.log; you do the following:

grep MAC-ADDRESS /usr/local/pf/logs/packetfence.log



Hello Ludovic,

thank you for pointing out the logfile, but unfortunately I don't know what to look for (although I could be missing the obvious here). AFAIK the hostname has to follow the form host/hostname or hostname$ to signify a machine name to AD, but I don't know why packetfence would treat it as a username or how to identify the mismatch in the logfile. To me the lines "modify of non-existent person host\myhost..." and "Already did a person lookup for host/myhost..." in the packetfence.log look suspicious, but I can't see a reason for switching to person/user.

I also include excerpts from the raddebug log and would be glad if you (or someone) could tell me where to look for clues (or if maybe the relevant part is missing).

I also tried to employ EXAMPLE_eap-tls-preProcess to set the name to myhost$, but while the rule is matched (according to packetfence.log), I can see no changes and moreover I'm not sure which parameter exactly to set. TLS-Stripped-Username, as well as some others, didn't seem to have any effect; the log output at least stays the same.


Radius filter:
[eap-tls-preProcess-MachineAuth]
status=disabled
top_op=and
description=Preprocess attribute for EAP-TLS
merge_answer=no
condition=connection_type =~ "Ethernet-EAP" && (contains(radius_request.User-Name, "host/") || contains(radius_request.username, "host/") || contains(username, "host/"))
scopes=preProcess
answer.0=TLS-Stripped-UserName = ${BuildFromMatch($radius_request.TLS-Client-Cert-Subject-Alt-Name,"^[^.]+","$0"."$")}


from packetfence.log:
is doing machine auth with account 'host/myhost.my.domain'. (pf::radius::_machine_auth_detection)
Instantiate profile cProfile-8021x-machine-auth (pf::Connection::ProfileFactory::_from_profile)
Found authentication source(s) : 'AuthSource-machine' for realm 'my.domain' (pf::config::util::filter_authentication_sources)
Using sources AuthSource-machine for matching (pf::authentication::match2)
Matched rule (rule-vlan5) in source AuthSource-machine, returning actions. (pf::Authentication::Source::match)
modify of non-existent person host/myhost.my.domain attempted - person added (pf::person::person_modify)
Found authentication source(s) : 'AuthSource-machine' for realm 'my.domain' (pf::config::util::filter_authentication_sources)
Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
Username was defined "host/myhost.my.domain" - returning role 'role-vlan5' (pf::role::getRegisteredRole)
PID: "host/myhost.my.domain", Status: reg Returned VLAN: (undefined), Role: role-vlan5 (pf::role::fetchRoleForNode)
Already did a person lookup for host/myhost.my.domain (pf::lookup::person::lookup_person)
(10.1.1.1) Added VLAN 5 to the returned RADIUS Access-Accept (pf::Switch::Template::returnRadiusAccessAccept)


from raddebug -f:
(222) Debug: Received Access-Request Id 198 from 10.1.1.1:1645 to 10.1.1.10:1812 length 264
(222) Debug:   User-Name = "host/myhost.my.domain"
(222) Debug:   authorize {
(222) Debug:     policy packetfence-set-realm-if-machine {
(222) Debug:       if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) {
(222) Debug:       if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i)  -> TRUE
(222) Debug:       if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i)  {
(222) Debug:         update {
(222) Debug:           EXPAND %{2}
(222) Debug:              --> my.domain
(222) Debug:         } # update = noop
(222) Debug: } # if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) = noop
(222) Debug:     } # policy packetfence-set-realm-if-machine = noop
...
(222) Debug:     policy filter_username {
(222) Debug:       if (&User-Name) {
(222) Debug:       if (&User-Name)  -> TRUE
(222) Debug:       if (&User-Name)  {
(222) Debug:         if (&User-Name =~ / /) {
(222) Debug:         if (&User-Name =~ / /)  -> FALSE
(222) Debug:         if (&User-Name =~ /@[^@]*@/ ) {
(222) Debug:         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(222) Debug:         if (&User-Name =~ /\.\./ ) {
(222) Debug:         if (&User-Name =~ /\.\./ )  -> FALSE
(222) Debug:         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(222) Debug:         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  -> FALSE
(222) Debug:         if (&User-Name =~ /\.$/)  {
(222) Debug:         if (&User-Name =~ /\.$/)   -> FALSE
(222) Debug:         if (&User-Name =~ /@\./)  {
(222) Debug:         if (&User-Name =~ /@\./)   -> FALSE
(222) Debug:       } # if (&User-Name)  = updated
(222) Debug:     } # policy filter_username = updated
...
(222) Debug:     if (Realm =~ /my.domain$/) {
(222) Debug:     if (Realm =~ /my.domain$/)  -> TRUE
(222) Debug:     if (Realm =~ /my.domain$/)  {
(222) Debug: default-EAP-TLS: Peer sent EAP Response (code 2) ID 3 length 6
(222) Debug: default-EAP-TLS: No EAP Start, assuming it's an on-going EAP conversation
(222) Debug:       [default-EAP-TLS] = updated
(222) Debug:     } # if (Realm =~ /my.domain$/)  = updated
(222) Debug:     ... skipping elsif: Preceding "if" was taken
(222) Debug:     ... skipping else: Preceding "if" was taken
(222) Debug:     if ( !EAP-Message && "%{%{Control:Auth-type}:-No-MS_CHAP}" != "MS-CHAP") {
(222) Debug:     if ( !EAP-Message && "%{%{Control:Auth-type}:-No-MS_CHAP}" != "MS-CHAP")  -> FALSE
(222) Debug:     if ("%{%{Control:Auth-type}:-No-MS_CHAP}" == "MS-CHAP") {
(222) Debug:     EXPAND %{%{Control:Auth-type}:-No-MS_CHAP}
(222) Debug:        --> default-EAP-TLS
(222) Debug: if ("%{%{Control:Auth-type}:-No-MS_CHAP}" == "MS-CHAP") -> FALSE
...
...
(228) Debug: # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence
(228) Debug:   authorize {
(228) Debug:     policy packetfence-set-realm-if-machine {
(228) Debug:       if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) {
(228) Debug:       if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i)  -> TRUE
(228) Debug:       if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i)  {
(228) Debug:         update {
(228) Debug:           EXPAND %{2}
(228) Debug:              --> my.domain
(228) Debug:         } # update = noop
(228) Debug: } # if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) = noop
(228) Debug:     } # policy packetfence-set-realm-if-machine = noop
...
(228) Debug: default-EAP-TLS: Calling submodule eap_tls to process data
...
(228) Debug: eap_tls: (TLS) Creating attributes from client certificate
...
(228) Debug: eap_tls:   TLS-Client-Cert-Common-Name := "myhost.my.domain"
(228) Debug: eap_tls:   TLS-Client-Cert-Subject-Alt-Name-Upn := "myhost$@my.domain"
(228) Debug: eap_tls:   TLS-Client-Cert-Subject-Alt-Name-Dns := "myhost.my.domain"
...
(229) Debug: Received Access-Request Id 205 from 10.1.1.1:1645 to 10.1.1.10:1812 length 264
(229) Debug:   User-Name = "host/myhost.my.domain"
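To make visible what the packetfence-set-realm-if-machine policy regex and the posted BuildFromMatch filter each extract from this exchange, here is an added Python example; it is not PacketFence or FreeRADIUS code, the function names are hypothetical, and the sample values are constructed from the identifiers in the post.

```python
import re
from typing import Optional, Tuple

# Regex from the packetfence-set-realm-if-machine policy in the raddebug
# output: %{1} is the short host name, %{2} the realm (case-insensitive,
# unanchored, like the unlang =~ operator).
MACHINE_RE = re.compile(r"host/([a-z0-9_-]*)[.](.*)", re.IGNORECASE)

# Regex from the posted eap-tls-preProcess answer: the certificate SAN up to
# its first dot, i.e. the short host label.
SHORT_NAME_RE = re.compile(r"^[^.]+")


def split_machine_username(user_name: str) -> Optional[Tuple[str, str]]:
    """Return (short_host, realm) for a host/<fqdn> User-Name, else None."""
    m = MACHINE_RE.search(user_name)
    if not m:
        return None  # not a machine-auth style User-Name
    return m.group(1), m.group(2)


def machine_account_from_dns_san(dns_san: str) -> str:
    """Build the AD machine account form (myhost$) from the DNS SAN."""
    m = SHORT_NAME_RE.match(dns_san)
    if not m:
        raise ValueError(f"no host label in SAN {dns_san!r}")
    return m.group(0) + "$"


def machine_account_from_upn(upn: str) -> str:
    """The UPN SAN already carries the machine account name before the '@'."""
    account, sep, _realm = upn.partition("@")
    if not sep or not account.endswith("$"):
        raise ValueError(f"UPN {upn!r} is not a machine account UPN")
    return account


if __name__ == "__main__":
    # Constructed sample values, taken from the attributes shown in raddebug.
    print(split_machine_username("host/myhost.my.domain"))   # ('myhost', 'my.domain')
    print(machine_account_from_dns_san("myhost.my.domain"))  # myhost$
    print(machine_account_from_upn("myhost$@my.domain"))     # myhost$
```

Comparing the third value with the "host/..." PID that packetfence.log reports shows directly whether the preProcess rewrite took effect.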



_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
