Re: [PacketFence-users] autoregister device - pf thinks it is coming from a secure connection and unregisters it.
Wpa2-psk isn't "secure". Wpa2 802.1x is.

What it means is if a device was previously auto registered (like via dot1x), then unregister it when connecting to a Mac based ssid.

Probably better to do it with a null authentication source/portal profile. Might be other ways to do it, though.

Sent from my iPhone

> On Apr 9, 2016, at 5:04 PM, forums wrote:
>
> I have set up a clean install of pf 5.7.0. The only thing I have added is my wlc to the switches and an auto-register config I have placed in vlan_filters.conf. It is below the logfile.
>
> It appears that it is working, however pf believes that the device is coming from a secured connection and then unregisters it. I am not sure what is triggering that. I do have a wpa-psk wlan on the controller, however I have not updated the wlan config to use pf. I only have a guest ssid that is doing mac auth to the packetfence box. The device I tested with was not on the secure ssid as I have not added the wireless key to it.
>
> pf.conf is pretty bare outside of the interfaces, database password, e-mail address and hostname.
>
> Am I just missing the "unreg it if..." option somewhere?
>
> Thank you
> Sean
>
> INFO: [mac:ac:5f:3e:a8:62:67] handling radius autz request: from switch_ip => (172.18.252.50), connection_type => Wireless-802.11-NoEAP,switch_mac => (00:1c:0e:24:09:80), mac => [ac:5f:3e:a8:62:67], port => 29, username => "ac5f3ea86267", ssid => Guest (pf::radius::authorize)
> INFO: [mac:ac:5f:3e:a8:62:67] does not yet exist in database. Adding it now (pf::radius::authorize)
> INFO: [mac:ac:5f:3e:a8:62:67] Match rule 1:guestwifi (pf::access_filter::test)
> INFO: [mac:ac:5f:3e:a8:62:67] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> INFO: [mac:ac:5f:3e:a8:62:67] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> INFO: [mac:ac:5f:3e:a8:62:67] autoregister a node that is already registered, do nothing. (pf::node::node_register)
> INFO: [mac:ac:5f:3e:a8:62:67] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> INFO: [mac:ac:5f:3e:a8:62:67] Connection type is WIRELESS_MAC_AUTH. Getting role from node_info (pf::role::getRegisteredRole)
> INFO: [mac:ac:5f:3e:a8:62:67] Device is comming from a secure connection and has been auto registered, we unreg it and forward it to the portal(pf::role::getRegisteredRole)
> INFO: [mac:ac:5f:3e:a8:62:67] Username was defined "ac5f3ea86267" - returning role 'registration' (pf::role::getRegisteredRole)
> INFO: [mac:ac:5f:3e:a8:62:67] PID: "default", Status: reg Returned VLAN: (undefined), Role: registration (pf::role::fetchRoleForNode)
> INFO: [mac:ac:5f:3e:a8:62:67] (172.18.252.50) Added VLAN 100 to the returned RADIUS reply (pf::Switch::returnRadiusAccessAccept)
> INFO: [mac:ac:5f:3e:a8:62:67] (172.18.252.50) Added role registration to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
> INFO: [mac:ac:5f:3e:a8:62:67] (172.18.252.50) Returning ACCEPT with VLAN 100 and role registration (pf::Switch::returnRadiusAccessAccept)
>
> vlan_filters.conf
>
> [guestwifi]
> filter = ssid
> operator = is
> value = Guest
>
> # Must autoreg every time
> [1:guestwifi]
> scope = AutoRegister
> role = guest
> action = register_node
> action_param = mac = $mac, category = guest, pid = admin, status = registered, unregdate = 2016-11-0123:59:59
>
> [2:guestwifi]
> scope = NormalVlan
> role = guest

[PacketFence-users] autoregister device - pf thinks it is coming from a secure connection and unregisters it.
I have set up a clean install of pf 5.7.0. The only thing I have added is my wlc to the switches and an auto-register config I have placed in vlan_filters.conf. It is below the logfile.

It appears that it is working, however pf believes that the device is coming from a secured connection and then unregisters it. I am not sure what is triggering that. I do have a wpa-psk wlan on the controller, however I have not updated the wlan config to use pf. I only have a guest ssid that is doing mac auth to the packetfence box. The device I tested with was not on the secure ssid as I have not added the wireless key to it.

pf.conf is pretty bare outside of the interfaces, database password, e-mail address and hostname.

Am I just missing the "unreg it if..." option somewhere?

Thank you
Sean

INFO: [mac:ac:5f:3e:a8:62:67] handling radius autz request: from switch_ip => (172.18.252.50), connection_type => Wireless-802.11-NoEAP,switch_mac => (00:1c:0e:24:09:80), mac => [ac:5f:3e:a8:62:67], port => 29, username => "ac5f3ea86267", ssid => Guest (pf::radius::authorize)
INFO: [mac:ac:5f:3e:a8:62:67] does not yet exist in database. Adding it now (pf::radius::authorize)
INFO: [mac:ac:5f:3e:a8:62:67] Match rule 1:guestwifi (pf::access_filter::test)
INFO: [mac:ac:5f:3e:a8:62:67] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
INFO: [mac:ac:5f:3e:a8:62:67] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
INFO: [mac:ac:5f:3e:a8:62:67] autoregister a node that is already registered, do nothing. (pf::node::node_register)
INFO: [mac:ac:5f:3e:a8:62:67] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
INFO: [mac:ac:5f:3e:a8:62:67] Connection type is WIRELESS_MAC_AUTH. Getting role from node_info (pf::role::getRegisteredRole)
INFO: [mac:ac:5f:3e:a8:62:67] Device is comming from a secure connection and has been auto registered, we unreg it and forward it to the portal(pf::role::getRegisteredRole)
INFO: [mac:ac:5f:3e:a8:62:67] Username was defined "ac5f3ea86267" - returning role 'registration' (pf::role::getRegisteredRole)
INFO: [mac:ac:5f:3e:a8:62:67] PID: "default", Status: reg Returned VLAN: (undefined), Role: registration (pf::role::fetchRoleForNode)
INFO: [mac:ac:5f:3e:a8:62:67] (172.18.252.50) Added VLAN 100 to the returned RADIUS reply (pf::Switch::returnRadiusAccessAccept)
INFO: [mac:ac:5f:3e:a8:62:67] (172.18.252.50) Added role registration to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
INFO: [mac:ac:5f:3e:a8:62:67] (172.18.252.50) Returning ACCEPT with VLAN 100 and role registration (pf::Switch::returnRadiusAccessAccept)

vlan_filters.conf

[guestwifi]
filter = ssid
operator = is
value = Guest

# Must autoreg every time
[1:guestwifi]
scope = AutoRegister
role = guest
action = register_node
action_param = mac = $mac, category = guest, pid = admin, status = registered, unregdate = 2016-11-0123:59:59

[2:guestwifi]
scope = NormalVlan
role = guest

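Added example, not part of the thread and not PacketFence code: a small log triage script that groups the pf log lines shown above by MAC address and reports nodes whose auto-registration was reverted, together with the connection type, SSID, filter rule and the role finally returned. The second node in the sample and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the first node is condensed from the log in the thread,
# the second node (00:11:22:33:44:55) is invented for contrast.
SAMPLE_LOG = """\
INFO: [mac:ac:5f:3e:a8:62:67] handling radius autz request: from switch_ip => (172.18.252.50), connection_type => Wireless-802.11-NoEAP,switch_mac => (00:1c:0e:24:09:80), mac => [ac:5f:3e:a8:62:67], port => 29, username => "ac5f3ea86267", ssid => Guest (pf::radius::authorize)
INFO: [mac:ac:5f:3e:a8:62:67] Match rule 1:guestwifi (pf::access_filter::test)
INFO: [mac:ac:5f:3e:a8:62:67] Connection type is WIRELESS_MAC_AUTH. Getting role from node_info (pf::role::getRegisteredRole)
INFO: [mac:ac:5f:3e:a8:62:67] Device is comming from a secure connection and has been auto registered, we unreg it and forward it to the portal(pf::role::getRegisteredRole)
INFO: [mac:ac:5f:3e:a8:62:67] (172.18.252.50) Returning ACCEPT with VLAN 100 and role registration (pf::Switch::returnRadiusAccessAccept)
INFO: [mac:00:11:22:33:44:55] handling radius autz request: from switch_ip => (172.18.252.50), connection_type => Wireless-802.11-EAP, mac => [00:11:22:33:44:55], ssid => Corp (pf::radius::authorize)
INFO: [mac:00:11:22:33:44:55] (172.18.252.50) Returning ACCEPT with VLAN 10 and role staff (pf::Switch::returnRadiusAccessAccept)
"""

LINE = re.compile(r"\[mac:(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\]\s+(?P<msg>.*)", re.I)
FIELD = re.compile(r"\b(connection_type|ssid) => ([^,(]+)")
RULE = re.compile(r"Match rule (\S+)")
ACCEPT = re.compile(r"Returning ACCEPT with VLAN (\d+) and role (\S+)")
UNREG = "has been auto registered, we unreg it"  # message text as logged in the thread


def find_reverted_autoregistrations(log_text):
    """Return {mac: details} for nodes that pf unregistered after auto-registration."""
    nodes = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a per-node log line
        node, msg = nodes[m["mac"].lower()], m["msg"]
        for key, value in FIELD.findall(msg):
            node[key] = value.strip()
        if (r := RULE.search(msg)):
            node["rule"] = r[1]  # vlan_filters.conf rule that matched
        if UNREG in msg:
            node["unregistered"] = True
        if (a := ACCEPT.search(msg)):
            node["vlan"], node["role"] = int(a[1]), a[2]
    return {mac: n for mac, n in nodes.items() if n.get("unregistered")}


if __name__ == "__main__":
    for mac, info in find_reverted_autoregistrations(SAMPLE_LOG).items():
        print(mac, info)
```
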
Re: [PacketFence-users] Unable to authenticate the Active Directory User
Hi,

Can you try to use the same credential on the laptop? Since Administrateur works on cli check if it works with radius.

Fabrice

On 2016-04-09 10:58, TOURE Amidou Florian wrote:

> Hi all
>
> I have the same problem when trying to authenticate an AD user on PacketFence.
>
> I proceed like this:
>
> Typing this command: raddebug -f /usr/local/pf/var/run/radiusd.sock and enabled radius and aaa debug on my switch.
>
> ntlm_auth test gives me this:
>
> [root@localhost toure]# ntlm_auth --request-nt-key --domain=HEH.BE --username=Administrateur --password Amidou=_1992
> NT_STATUS_OK: Success (0x0)
> [root@localhost toure]#
>
> But on radiusd.log I have the same error:
>
> Sat Apr 9 07:49:57 2016 : Auth: Login incorrect (mschap: External script says Logon failure (0xc06d)): [Prof-PC\\$
> Sat Apr 9 07:49:57 2016 : Auth: Login incorrect: [Prof-PC\\Prof] (from client 192.168.1.5/255.255.255.0 port 50002 cl$
> Sat Apr 9 07:51:23 2016 : Info: ... adding new socket command file /usr/local/pf/var/run/radiusd.sock
> Sat Apr 9 07:51:23 2016 : Info: ... adding new socket command file /usr/local/pf/var/run/radiusd.sock
> Sat Apr 9 07:51:23 2016 : Info: ... adding new socket command file /usr/local/pf/var/run/radiusd.sock
> Sat Apr 9 07:51:23 2016 : Info: ... adding new socket command file /usr/local/pf/var/run/radiusd.sock
>
> I have also started radius in debug mode.
>
> Now I really don't know how I can resolve this.
>
> Need help
>
> Thanks

[PacketFence-users] Unable to authenticate the Active Directory User
Hi all

I have the same problem when trying to authenticate an AD user on PacketFence.

I proceed like this:

Typing this command: raddebug -f /usr/local/pf/var/run/radiusd.sock and enabled radius and aaa debug on my switch.

ntlm_auth test gives me this:

[root@localhost toure]# ntlm_auth --request-nt-key --domain=HEH.BE --username=Administrateur --password Amidou=_1992
NT_STATUS_OK: Success (0x0)
[root@localhost toure]#

But on radiusd.log I have the same error:

Sat Apr 9 07:49:57 2016 : Auth: Login incorrect (mschap: External script says Logon failure (0xc06d)): [Prof-PC\\$
Sat Apr 9 07:49:57 2016 : Auth: Login incorrect: [Prof-PC\\Prof] (from client 192.168.1.5/255.255.255.0 port 50002 cl$
Sat Apr 9 07:51:23 2016 : Info: ... adding new socket command file /usr/local/pf/var/run/radiusd.sock
Sat Apr 9 07:51:23 2016 : Info: ... adding new socket command file /usr/local/pf/var/run/radiusd.sock
Sat Apr 9 07:51:23 2016 : Info: ... adding new socket command file /usr/local/pf/var/run/radiusd.sock
Sat Apr 9 07:51:23 2016 : Info: ... adding new socket command file /usr/local/pf/var/run/radiusd.sock

I have also started radius in debug mode.

Now I really don't know how I can resolve this.

Need help

Thanks