[PacketFence-users] Multiple LDAP Source and 802.1x Authentication

2020-09-24 Thread evren korkmaz via PacketFence-users
Hi,

I am trying to use a second ldap source on packetfence v10.01.

I think I have completed the necessary configurations completely. While
testing, web authentication worked without problems, but 802.1x did not
authenticate. While trying to fix the problem I noticed that it is asking
only AD for 802.1x authentication, not the ldap source.

Then, I just added the ldap source I just created to the connect profile.
Queries should be directed to the ldap source I created based on these
settings. But even with these settings it just uses AD. If the user is not in
AD, the request is still not being sent to LDAP.

How can I do 802.1x authentication to the ldap source I am trying to add?
I will be glad if you help.
Regards.
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


[PacketFence-users] Packetfence 10 MS-Chap does not work

2020-05-01 Thread evren korkmaz via PacketFence-users
Hi all.

If you remember, I wrote to you about this issue.
Fabrice helped me with this issue for pf v9.3.

Solution:

cd /usr/local/pf
curl https://github.com/inverse-inc/packetfence/compare/feature/vpn_mschap.diff | patch -p1

This solution does not work for packetfence 10.

When I try this solution, the radius services don't work.

Can you find a similar solution for packetfence 10?

Thanks in advance.


[PacketFence-users] Packetfence 10 Cluster - haproxy-admin.service does not start

2020-04-27 Thread evren korkmaz via PacketFence-users
Hi all.

I am trying to make a cluster for packetfence 10.
I have completed the steps in the "packetfence cluster guide".
When I rebooted the servers, all services started and mariadb synced, but
since the haproxy service does not work, I cannot access the web interface.

service packetfence-haproxy-admin status:
Apr 27 14:49:48 pfserver-a systemd[1]: packetfence-haproxy-admin.service: Main process exited, code=exited, status=1/FAILURE
Apr 27 14:49:48 pfserver-a systemd[1]: Failed to start PacketFence HAProxy Load Balancer for the Admin GUI.
Apr 27 14:49:48 pfserver-a systemd[1]: packetfence-haproxy-admin.service: Unit entered failed state.
Apr 27 14:49:48 pfserver-a systemd[1]: packetfence-haproxy-admin.service: Failed with result 'exit-code'.
Apr 27 14:49:48 pfserver-a systemd[1]: packetfence-haproxy-admin.service: Service hold-off time over, scheduling restart.
Apr 27 14:49:48 pfserver-a systemd[1]: Stopped PacketFence HAProxy Load Balancer for the Admin GUI.
Apr 27 14:49:48 pfserver-a systemd[1]: packetfence-haproxy-admin.service: Start request repeated too quickly.
Apr 27 14:49:48 pfserver-a systemd[1]: Failed to start PacketFence HAProxy Load Balancer for the Admin GUI.
Apr 27 14:49:48 pfserver-a systemd[1]: packetfence-haproxy-admin.service: Unit entered failed state.
Apr 27 14:49:48 pfserver-a systemd[1]: packetfence-haproxy-admin.service: Failed with result 'exit-code'.

I would appreciate it if you help.
Thanks.


[PacketFence-users] Ms-Chap Authentication Not Working and "Mac is Empty" issue

2020-03-17 Thread evren korkmaz via PacketFence-users
Hi,
I am trying to use packetfence for mikrotik device cli access. I want to
access with my MS Active Directory users.
Mikrotik devices use mschap for cli connections.
In my Packetfence->Radius Configuration, the mschapv2 feature is enabled but I
have some problems when I access the devices.
First I will use the default radius config for cli access; packetfence tries to
bind to the active directory server.
I tested my Active Directory connection with other devices (without mschap).
Normally these connections work, but when I try mikrotik devices, it
gives this issue in packetfence.log:

Mar 16 14:52:23 debian packetfence_httpd.aaa: httpd.aaa(3306) WARN: [mac:30:23:03:8e:50:c2] [AD-source] User CN=evren,CN=Users,DC=evrenkorkmaz,DC=xyz cannot bind from CN=Users,DC=evrenkorkmaz,DC=xyz on 192.168.56.102:389 (pf::Authentication::Source::LDAPSource::authenticate)
Mar 16 14:52:23 debian packetfence_httpd.aaa: httpd.aaa(3306) INFO: [mac:30:23:03:8e:50:c2] User evren tried to login in 192.168.30.6 but authentication failed (pf::radius::switch_access)

When I analyze the raddebug output, the user is rejected in the rest module:

(22) Mon Mar 16 14:53:21 2020: Debug: rest: Encoding attribute "FreeRADIUS-Client-IP-Address"
(22) Mon Mar 16 14:53:21 2020: Debug: rest: Encoding attribute "PacketFence-KeyBalanced"
(22) Mon Mar 16 14:53:21 2020: Debug: rest: Encoding attribute "PacketFence-Radius-Ip"
(22) Mon Mar 16 14:53:21 2020: Debug: rest: Processing response header
(22) Mon Mar 16 14:53:21 2020: Debug: rest:   Status : 401 (Unauthorized)
(22) Mon Mar 16 14:53:21 2020: Debug: rest:   Type   : json (application/json)
(22) Mon Mar 16 14:53:21 2020: ERROR: rest: Server returned:
(22) Mon Mar 16 14:53:21 2020: ERROR: rest: {"Reply-Message":"Authentication failed on PacketFence","control:PacketFence-Authorization-Status":"allow"}
(22) Mon Mar 16 14:53:21 2020: Debug:   [rest] = invalid
(22) Mon Mar 16 14:53:21 2020: Debug: } # if (! EAP-Type || (EAP-Type != TTLS  && EAP-Type != PEAP) )  = invalid
(22) Mon Mar 16 14:53:21 2020: Debug:   } # post-auth = invalid
(22) Mon Mar 16 14:53:21 2020: Debug: Using Post-Auth-Type Reject

As I understand, packetfence must use packetfence-tunnel for mschap
authentication. So I enabled
this feature in "Packetfence->System Config.->Radius Config" but nothing
changed.
Lastly, I enabled the packetfence authorize feature in "Packetfence->System
Config.->Radius Config". Now packetfence gives a "Mac is empty" error and I
can't resolve this problem.
radius.log:

Mar 16 15:05:59 debian auth[25164]: Need 7 more connections to reach 10 spares
Mar 16 15:05:59 debian auth[25164]: rlm_sql (sql): Opening additional connection (5), 1 of 61 pending slots used
Mar 16 15:05:59 debian auth[25164]: Need 1 more connections to reach min connections (3)
Mar 16 15:05:59 debian auth[25164]: rlm_rest (rest): Opening additional connection (2), 1 of 62 pending slots used
Mar 16 15:05:59 debian auth[25164]: (13) Invalid user: [evren] (from client 192.168.30.6/32 port 0 cli 192.168.30.1)
Mar 16 15:05:59 debian auth[25164]: [mac:192.168.30.1] Rejected user: evren
Mar 16 15:05:59 debian auth[25164]: (13) Login incorrect: [evren] (from client 192.168.30.6/32 port 0 cli 192.168.30.1)

packetfence.log is empty.

raddebug:

(24) Mon Mar 16 15:07:23 2020: Debug: rest: Encoding attribute "MS-CHAP2-Response"
(24) Mon Mar 16 15:07:23 2020: Debug: rest: Encoding attribute "SQL-User-Name"
(24) Mon Mar 16 15:07:23 2020: Debug: rest: Encoding attribute "FreeRADIUS-Client-IP-Address"
(24) Mon Mar 16 15:07:23 2020: Debug: rest: Encoding attribute "PacketFence-KeyBalanced"
(24) Mon Mar 16 15:07:23 2020: Debug: rest: Processing response header
(24) Mon Mar 16 15:07:23 2020: Debug: rest:   Status : 401 (Unauthorized)
(24) Mon Mar 16 15:07:23 2020: Debug: rest:   Type   : json (application/json)
(24) Mon Mar 16 15:07:23 2020: Debug: rest: Parsing attribute "control:PacketFence-Authorization-Status"
(24) Mon Mar 16 15:07:23 2020: Debug: rest: EXPAND allow
(24) Mon Mar 16 15:07:23 2020: Debug: rest:--> allow
(24) Mon Mar 16 15:07:23 2020: Debug: rest: PacketFence-Authorization-Status := "allow"
(24) Mon Mar 16 15:07:23 2020: Debug: rest: Parsing attribute "Reply-Message"
(24) Mon Mar 16 15:07:23 2020: Debug: rest: EXPAND Mac is empty
(24) Mon Mar 16 15:07:23 2020: Debug: rest:--> Mac is empty
(24) Mon Mar 16 15:07:23 2020: Debug: rest: Reply-Message := "Mac is empty"
(24) Mon Mar 16 15:07:23 2020: Debug: [rest] = reject
(24) Mon Mar 16 15:07:23 2020: Debug: } # if ( !EAP-Message )  = reject
(24) Mon Mar 16 15:07:23 2020: Debug:   } # authorize = reject
(24) Mon Mar 16 15:07:23 2020: Debug: Using Post-Auth-Type Reject

Later I realized that issue. The user is rejected before the password section.
I couldn't solve these problems. Please help me.

All logs:

(24) Mon Mar 16 15:07:23 2020: Debug: Received Access-Request Id 94 from
192.168.30.6:35889 to 
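
Added example, not part of the original post or of PacketFence: a small triage script that re-splits raddebug output wrapped together as in the excerpts above and reports, per request, the rest module's HTTP status, the Reply-Message, and the first section that failed. The sample lines are constructed from the excerpts' format, and `triage` is a hypothetical helper name.

```python
import re

# Constructed sample in the format of the raddebug excerpts above, with the
# records run together the way the mail archive wrapped them.
SAMPLE = (
    '(22) Mon Mar 16 14:53:21 2020: Debug: rest:   Status : 401 (Unauthorized)'
    '(22) Mon Mar 16 14:53:21 2020: ERROR: rest: {"Reply-Message":"Authentication '
    'failed on PacketFence","control:PacketFence-Authorization-Status":"allow"}'
    '(22) Mon Mar 16 14:53:21 2020: Debug:   } # post-auth = invalid'
    '(22) Mon Mar 16 14:53:21 2020: Debug: Using Post-Auth-Type Reject'
    '(24) Mon Mar 16 15:07:23 2020: Debug: rest:   Status : 401 (Unauthorized)'
    '(24) Mon Mar 16 15:07:23 2020: Debug: rest: Parsing attribute "Reply-Message"'
    '(24) Mon Mar 16 15:07:23 2020: Debug: rest: Reply-Message := "Mac is empty"'
    '(24) Mon Mar 16 15:07:23 2020: Debug: } # if ( !EAP-Message )  = reject'
    '(24) Mon Mar 16 15:07:23 2020: Debug:   } # authorize = reject'
    '(24) Mon Mar 16 15:07:23 2020: Debug: Using Post-Auth-Type Reject'
)

# "(N) Mon Mar 16 15:07:23 2020: Level: " starts every raddebug record.
PREFIX = re.compile(r'\((\d+)\) \w{3} \w{3} \d{1,2} \d\d:\d\d:\d\d \d{4}: [A-Za-z]+: ?')
STATUS = re.compile(r'rest: Status : (\d{3})')
# Matches both the JSON body and the parsed 'Reply-Message := "..."' form.
REPLY = re.compile(r'Reply-Message"?\s*:=?\s*"([^"]*)"')
# Closing line of a named section, e.g. "} # authorize = reject".
SECTION = re.compile(r'\} # ([\w-]+) = (\w+)')
FAILED = {'reject', 'invalid', 'fail'}

def triage(text):
    """Return {request_id: {status, reply, section, verdict}} for raddebug text."""
    flat = ' '.join(text.split())          # undo mail wrapping and padding
    parts = PREFIX.split(flat)             # ['', id, body, id, body, ...]
    result = {}
    for rid, body in zip(parts[1::2], parts[2::2]):
        rec = result.setdefault(int(rid), dict.fromkeys(
            ('status', 'reply', 'section', 'verdict')))
        if m := STATUS.search(body):
            rec['status'] = int(m.group(1))
        if m := REPLY.search(body):
            rec['reply'] = m.group(1)
        m = SECTION.search(body)
        if m and m.group(2) in FAILED and rec['section'] is None:
            rec['section'], rec['verdict'] = m.group(1), m.group(2)
    return result

if __name__ == '__main__':
    for rid, rec in triage(SAMPLE).items():
        print(rid, rec)
```

On the constructed sample, request 22 is reported as failing in post-auth with "Authentication failed on PacketFence" and request 24 as rejected in authorize with "Mac is empty".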

[PacketFence-users] Mikrotik routerboard cli/winbox access via Packetfence

2020-03-10 Thread evren korkmaz via PacketFence-users
Hi,
I am trying to use packetfence for mikrotik device cli access. I want to access
with my MS Active Directory users.
First I tried with freeradius via an ldap connection. It works, but when I
try with packetfence, it doesn't work.
To my understanding, mikrotik tries an ldap connection but packetfence
connects to Active Directory with NTLM.
(Cisco devices are working successfully)
It is possible to solve this problem.
packetfence.log:

Mar  9 18:08:12 debian packetfence_httpd.aaa: httpd.aaa(2089) WARN: [mac:[undef]] Trying to match IP address with an invalid MAC address 'undef' (pf::ip4log::mac2ip)
Mar  9 18:08:12 debian packetfence_httpd.aaa: httpd.aaa(2089) WARN: [mac:[undef]] Trying to match IP address with an invalid MAC address 'undef' (pf::ip4log::mac2ip)
Mar  9 18:08:13 debian packetfence_httpd.aaa: httpd.aaa(2089) INFO: [mac:[undef]] Instantiate profile 8021x (pf::Connection::ProfileFactory::_from_profile)
Mar  9 18:08:13 debian packetfence_httpd.aaa: httpd.aaa(2089) INFO: [mac:[undef]] Found authentication source(s) : 'AD-source' for realm 'null' (pf::config::util::filter_authentication_sources)
Mar  9 18:08:13 debian packetfence_httpd.aaa: httpd.aaa(2089) INFO: [mac:[undef]] Instantiate profile 8021x (pf::Connection::ProfileFactory::_from_profile)
Mar  9 18:08:13 debian packetfence_httpd.aaa: httpd.aaa(2089) INFO: [mac:[undef]] Found authentication source(s) : 'AD-source' for realm 'null' (pf::config::util::filter_authentication_sources)
Mar  9 18:08:13 debian packetfence_httpd.aaa: httpd.aaa(2089) WARN: [mac:[undef]] [AD-source] User CN=net-admin,CN=Users,DC=evrenkorkmaz,DC=xyz cannot bind from CN=Users,DC=evrenkorkmaz,DC=xyz on 192.168.56.102:389 (pf::Authentication::Source::LDAPSource::authenticate)
Mar  9 18:08:13 debian packetfence_httpd.aaa: httpd.aaa(2089) INFO: [mac:[undef]] User net-admin tried to login in 192.168.30.6 but authentication failed (pf::radius::switch_access)
Mar  9 18:08:13 debian packetfence_httpd.aaa: httpd.aaa(2089) WARN: [mac:[undef]] [AD-source] User CN=net-admin,CN=Users,DC=evrenkorkmaz,DC=xyz cannot bind from CN=Users,DC=evrenkorkmaz,DC=xyz on 192.168.56.102:389 (pf::Authentication::Source::LDAPSource::authenticate)
Mar  9 18:08:13 debian packetfence_httpd.aaa: httpd.aaa(2089) INFO: [mac:[undef]] User net-admin tried to login in 192.168.30.6 but authentication failed (pf::radius::switch_access)

radius.log:

Mar  9 18:05:36 debian auth[5605]: Need 6 more connections to reach 10 spares
Mar  9 18:05:36 debian auth[5605]: rlm_sql (sql): Opening additional connection (4), 1 of 60 pending slots used
Mar  9 18:05:36 debian auth[5605]: Need 6 more connections to reach 10 spares
Mar  9 18:05:36 debian auth[5605]: rlm_sql (sql): Opening additional connection (4), 1 of 60 pending slots used
Mar  9 18:05:37 debian auth[5605]: (3) Ignoring duplicate packet from client 192.168.30.6/32 port 47498 - ID: 10 due to unfinished request in component post-auth module rest
Mar  9 18:05:37 debian auth[5605]: (3) Ignoring duplicate packet from client 192.168.30.6/32 port 47498 - ID: 10 due to unfinished request in component post-auth module rest
Mar  9 18:05:37 debian auth[5605]: (3) Ignoring duplicate packet from client 192.168.30.6/32 port 47498 - ID: 10 due to unfinished request in component post-auth module rest
Mar  9 18:05:37 debian auth[5605]: (3) Ignoring duplicate packet from client 192.168.30.6/32 port 47498 - ID: 10 due to unfinished request in component post-auth module rest
Mar  9 18:05:38 debian auth[5605]: (3) rest: ERROR: Server returned:
Mar  9 18:05:38 debian auth[5605]: (3) rest: ERROR: {"control:PacketFence-Authorization-Status":"allow","Reply-Message":"Authentication failed on PacketFence"}
Mar  9 18:05:38 debian auth[5605]: Need 1 more connections to reach min connections (3)
Mar  9 18:05:38 debian auth[5605]: rlm_rest (rest): Opening additional connection (2), 1 of 62 pending slots used
Mar  9 18:05:38 debian auth[5605]: Need 5 more connections to reach 10 spares
Mar  9 18:05:38 debian auth[5605]: rlm_sql (sql): Opening additional connection (5), 1 of 59 pending slots used
Mar  9 18:05:38 debian auth[5605]: (3) rest: ERROR: Server returned:
Mar  9 18:05:38 debian auth[5605]: (3) rest: ERROR: {"control:PacketFence-Authorization-Status":"allow","Reply-Message":"Authentication failed on PacketFence"}
Mar  9 18:05:38 debian auth[5605]: Need 1 more connections to reach min connections (3)
Mar  9 18:05:38 debian auth[5605]: rlm_rest (rest): Opening additional connection (2), 1 of 62 pending slots used
Mar  9 18:05:38 debian auth[5605]: Need 5 more connections to reach 10 spares
Mar  9 18:05:38 debian auth[5605]: rlm_sql (sql): Opening additional connection (5), 1 of 59 pending slots used
Mar  9 18:05:38 debian auth[5605]: [mac:192.168.30.2] Rejected user: net-admin
Mar  9 18:05:38 debian auth[5605]: (3) Rejected in post-auth: