Everything is working here now. The problem was that I hadn’t associated the *null* and *default* realms with the authentication source I created. I had only associated the *domain.local* realm.
On Wed, Sep 17, 2025 at 10:05, Alípio Luiz <[email protected]> wrote:
> I'm trying to enable user authentication in AD with 802.1x. I've
> configured the switches and PacketFence. When I restart the computer,
> before user authentication, PacketFence successfully authorizes the
> computer (machine authentication) and places it in the correct production
> VLAN. However, when the user logs into Windows, the user authentication
> fails and PacketFence moves it back to the isolation VLAN. I'm having
> issues with this RADIUS configuration.
>
> radius.log
> 2025-09-17T09:49:49.802869-04:00 nac auth[896559]: (467) mschap: ERROR:
> Program returned code (5) and output ''
> 2025-09-17T09:49:49.803507-04:00 nac auth[896559]: (467) Login incorrect
> (mschap: Program returned code (5) and output ''): [DOMAIN\username] (from
> client XXX.XXX.XXX.XXX/32 port 6 cli
> XX:XX:XX:XX:XX:XX via TLS tunnel)
> 2025-09-17T09:49:49.816518-04:00 nac auth[896559]: VERIFY returned 7
> 2025-09-17T09:49:49.816747-04:00 nac auth[896559]: (468) Login incorrect
> (eap_peap: The users session was previously rejected: returning reject
> (again.)): [DOMAIN\username] (from client XXX.XXX.XXX.XXX/32
> port 6 cli XX:XX:XX:XX:XX:XX)
>
>
> In the RADIUS audit (RADIUS Request) from PacketFence, the following
> appears (I noticed that the username is in the format DOMAINusername,
> instead of DOMAIN\username or just username):
>
> Called-Station-Id = "XX:XX:XX:XX:XX:XX",
> Calling-Station-Id = "XX:XX:XX:XX:XX:XX",
> EAP-Message =
> "0x025200471a0252004231f7f7d8548ffcee6607d4e2be50cee0d80000000000000000f8b8fe3c8265136f88d02471c1b0e88eb31bd021a1b83f3200534543454c5c616c6970696f",
> EAP-Type = "MSCHAPv2",
> Event-Timestamp = "Sep 17 2025 09:49:49 -04",
> FreeRADIUS-Proxied-To = "127.0.0.1",
> MS-CHAP-Challenge = "0xf64e8a99c5c77dfc64062816ec53a059",
> MS-CHAP-User-Name = "DOMAINusername",
> MS-CHAP2-Response =
> "0x5245f7f7d8548ffcee6607d4e2be50cee0d80000000000000000f8b8fe3c8265136f88d02471c1b0e88eb31bd021a1b83f32",
> Module-Failure-Message = "mschap: Program returned code (5) and output ''",
> Module-Failure-Message = "mschap: External script says: ",
> Module-Failure-Message = "mschap: MS-CHAP2-Response is incorrect",
> NAS-IP-Address = "XXX.XXX.XXX.XXX",
> NAS-Identifier = "SWITCHE-ARUBA-6100",
> NAS-Port = "6",
> NAS-Port-Id = "1/1/6",
> NAS-Port-Type = "Ethernet",
> PacketFence-KeyBalanced = "eb1405b1ec04752f2316b848fe4fd2ff",
> PacketFence-NTLM-Auth-Host = "",
> PacketFence-NTLM-Auth-Port = "",
> PacketFence-Outer-User = "DOMAINusername",
> PacketFence-Radius-Ip = "XXX.XXX.XXX.XXX",
> Realm = "default",
> Service-Type = "Framed-User",
> State = "0xbf89ddc3bfdbc7a4db01df45deca9adf",
> Stripped-User-Name = "username",
> User-Name = "DOMAINusername",
> User-Password = "******"
>
>
> Any tips on how to fix this?
>
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
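Added example, not part of the original thread and not PacketFence code: a small triage helper that parses a RADIUS audit attribute dump like the one quoted above and checks whether the realm the request matched is among the realms associated with the authentication source, which is the mismatch the reply describes. The function names `parse_audit` and `triage` and the `source_realms` sets are hypothetical; the operator supplies the realm list by hand from their own configuration.

```python
import re

# Constructed sample: a few attributes copied from the audit quoted above
# (the MS-CHAP2-Response value is shortened; its line wrap is kept on purpose).
SAMPLE_AUDIT = '''
EAP-Type = "MSCHAPv2",
MS-CHAP2-Response =
"0x5245f7f7",
Module-Failure-Message = "mschap: Program returned code (5) and output ''",
Module-Failure-Message = "mschap: MS-CHAP2-Response is incorrect",
Realm = "default",
Stripped-User-Name = "username",
User-Name = "DOMAINusername",
'''

# name = "value", where the value may sit on the line after the "=".
ATTR = re.compile(
    r'([A-Za-z0-9-]+)\s*=\s*"(.*?)"\s*,?\s*(?=[A-Za-z0-9-]+\s*=|\Z)', re.S)

def parse_audit(text):
    """Map each attribute name to the list of its values (names can repeat)."""
    attrs = {}
    for name, value in ATTR.findall(text):
        attrs.setdefault(name, []).append(value)
    return attrs

def triage(text, source_realms):
    """Summarise a rejected request against the realms tied to the auth source.

    source_realms is an assumption: the set of realm names the operator has
    associated with the authentication source, typed in by hand.
    """
    attrs = parse_audit(text)
    realm = attrs.get("Realm", [""])[0]
    return {
        "user": attrs.get("User-Name", [""])[0],
        "realm": realm,
        "realm_associated": realm in source_realms,
        "failures": attrs.get("Module-Failure-Message", []),
    }

if __name__ == "__main__":
    # Before the fix described in the reply: only domain.local was associated.
    print(triage(SAMPLE_AUDIT, {"domain.local"}))
    # After the fix: null and default are associated as well.
    print(triage(SAMPLE_AUDIT, {"domain.local", "default", "null"}))
```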
