Re: [PacketFence-users] Switch authentication grants access *with any password* as long as the username is correct (10.3)

2021-04-28 Thread Cristian Mammoli via PacketFence-users

Great, thanks for the quick patch

On 28/04/2021 04:25, Fabrice Durand via PacketFence-users wrote:

Hello Cristian,

thanks for the report.
On my side I was able to replicate the issue and I pushed a fix in the
maintenance branch.
So you can run /usr/local/pf/addons/pf-main.pl and
restart the httpd.aaa service.


Regards
Fabrice


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
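
A way to check, from the httpd.aaa log, whether a switch CLI login was granted without any credential check being logged, for instance to confirm the patched behaviour after running pf-main.pl and restarting httpd.aaa. This is an added example, not part of the thread and not PacketFence code: the sample records are constructed (one syslog record per line, modelled on the lines quoted later in this thread; the wording of the "authentication successful" record and the year are assumptions), and the heuristic of pairing a `returnAuthorizeWrite` record with a preceding `::authenticate` record from the same httpd.aaa worker within a short time window is mine.

```python
"""Added example: flag CLI login successes that were not preceded by an
``::authenticate`` record from the same httpd.aaa worker.

Not PacketFence code. Sample records are constructed and modelled on the
lines quoted in this thread; the success wording in the fourth record is
an assumption, not a real PacketFence message.
"""
import re
from datetime import datetime

# Syslog-style httpd.aaa record: timestamp, host, program, worker pid, level, message.
HEADER = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ packetfence_httpd\.aaa: "
    r"httpd\.aaa\((?P<pid>\d+)\) (?P<level>\w+): (?P<msg>.*)$"
)
# Successful CLI login as logged by pf::Switch::...::returnAuthorizeWrite/Read.
LOGIN = re.compile(
    r"User (?P<user>\S+) logged in (?P<switch>\S+) with (?P<access>read|write) access"
)
# Any record emitted from an authentication source's authenticate() method.
AUTHENTICATE = re.compile(r"\(pf::Authentication::Source::\w+::authenticate\)")

# Constructed sample, one record per line (real syslog does not wrap them).
SAMPLE_LOG = """\
Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO: [mac:58:03:fb:51:bc:35] Found authentication source(s) : 'local,apra-user-auth-dc01' for realm 'null' (pf::config::util::filter_authentication_sources)
Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO: [mac:58:03:fb:51:bc:35] Matched rule (Administrator) in source apra-user-auth-dc01, returning actions. (pf::Authentication::Source::match)
Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO: [mac:58:03:fb:51:bc:35] User alice.adm logged in 192.168.16.48 with write access (pf::Switch::Cisco::returnAuthorizeWrite)
Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO: [mac:d0:22:be:5f:2c:35] [apra-user-auth-dc01] Authentication successful for bob (pf::Authentication::Source::LDAPSource::authenticate)
Apr 27 16:51:56 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO: [mac:d0:22:be:5f:2c:35] User bob logged in 192.168.16.48 with write access (pf::Switch::Cisco::returnAuthorizeWrite)
"""


def parse_ts(ts, year=2021):
    """Syslog timestamps carry no year; the caller supplies it (assumption)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_unauthenticated_cli_logins(lines, window_seconds=10):
    """Return (user, switch, pid, timestamp) for each CLI login success that
    was not preceded, within window_seconds and in the same httpd.aaa worker,
    by an ``::authenticate`` record. Workers handle many requests, so the
    window keeps a stale authenticate record from vouching for a later login.
    """
    last_auth = {}  # pid -> datetime of the most recent ::authenticate record
    findings = []
    for line in lines:
        m = HEADER.match(line.strip())
        if not m:
            continue  # wrapped continuation or unrelated record
        ts, pid, msg = parse_ts(m["ts"]), m["pid"], m["msg"]
        if AUTHENTICATE.search(msg):
            last_auth[pid] = ts
            continue
        login = LOGIN.search(msg)
        if login:
            seen = last_auth.get(pid)
            if seen is None or (ts - seen).total_seconds() > window_seconds:
                findings.append((login["user"], login["switch"], pid, m["ts"]))
    return findings


if __name__ == "__main__":
    for user, switch, pid, when in find_unauthenticated_cli_logins(SAMPLE_LOG.splitlines()):
        print(f"{when} pid {pid}: {user} granted CLI access on {switch} with no authenticate record")
```

Feed it the lines of the httpd.aaa log; a hit means a login was authorized on rule matching alone, which is exactly the 10.3 sequence quoted in this thread (search, rule match, returnAuthorizeWrite, and no authenticate call in between).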


Re: [PacketFence-users] Switch authentication grants access *with any password* as long as the username is correct (10.3)

2021-04-27 Thread Fabrice Durand via PacketFence-users
Hello Cristian,

thanks for the report.
On my side I was able to replicate the issue and I pushed a fix in the
maintenance branch.
So you can run /usr/local/pf/addons/pf-main.pl and restart the httpd.aaa
service.

Regards
Fabrice


On Tue 27 Apr 2021 at 11:00, Cristian Mammoli via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi, I noticed that after the upgrade to 10.3 I can authenticate to the
> devices' CLI with any password ()
> I reverted to 10.2 and it works correctly:
>
> auth.conf:
> [apra-user-auth-dc01]
> cache_match=0
> realms=apra,apra.it,default,null
> basedn=dc=apra,dc=it
> password=
> set_access_level_action=
> scope=sub
> email_attribute=mail
> usernameattribute=sAMAccountName
> connection_timeout=5
> binddn=cn=packetfence,cn=Users,dc=apra,dc=it
> encryption=starttls
> port=389
> description=Apra User authentication
> host=192.168.0.7,192.168.0.76
> type=AD
> read_timeout=10
> write_timeout=5
> monitor=1
> dynamic_routing_module=AuthModule
> shuffle=1
> searchattributes=
> set_access_durations_action=
>
> [apra-user-auth-dc01 rule Administrator]
> action0=set_access_level=ALL
> condition0=memberOf,equals,CN=Apra Admins,OU=Admins,OU=Utenti,DC=apra,DC=it
> status=enabled
> match=any
> condition1=sAMAccountName,equals,nms
> class=administration
> action1=mark_as_sponsor=1
>
> [group switch_jesi_accesso]
> description=Switch Jesi Accesso
> VoIPEnabled=Y
> registrationVlan=112
> SNMPCommunityWrite=
> guestVlan=99
> deauthMethod=RADIUS
> type=Cisco::Catalyst_2960
> employeesVlan=24
> isolationVlan=113
> radiusSecret=
> SNMPVersion=2c
> consultantsVlan=24
> voiceVlan=14
> machineauthVlan=24
> defaultVlan=1
> staff_itVlan=24
> printersVlan=1
> ap_managementVlan=-1
> videosorveglianzaVlan=21
> always_trigger=1
> cliAccess=Y
> adiacentVlan=17
> uplink_dynamic=0
>
>
> As long as a user is a member of the "CN=Apra
> Admins,OU=Admins,OU=Utenti,DC=apra,DC=it" any password is accepted, on any
> type of switch.
>
> This is a log from 10.3 (with wrong password):
> Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) WARN:
> [mac:58:03:fb:51:bc:35] Trying to match IP address with an invalid MAC
> address 'undef' (pf::ip4log::mac2ip)
> Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO:
> [mac:58:03:fb:51:bc:35] Instantiate profile default
> (pf::Connection::ProfileFactory::_from_profile)
> Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO:
> [mac:58:03:fb:51:bc:35] Found authentication source(s) :
> 'local,apra-machine-auth-dc01,apra-user-auth-dc01' for realm 'null'
> (pf::config::util::filter_authentication_sources)
> Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO:
> [mac:58:03:fb:51:bc:35] Using sources local, apra-machine-auth-dc01,
> apra-user-auth-dc01 for matching (pf::authentication::match2)
> Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) WARN:
> [mac:58:03:fb:51:bc:35] [apra-user-auth-dc01 Administrator] Searching for
> (&(sAMAccountName=c.mammoli.adm)(|(memberOf=CN=Apra
> Admins,OU=Admins,OU=Utenti,DC=apra,DC=it)(sAMAccountName=nms))), from
> dc=apra,dc=it, with scope sub
> (pf::Authentication::Source::LDAPSource::match_in_subclass)
> Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO:
> [mac:58:03:fb:51:bc:35] LDAP testing connection (pf::LDAP::expire_if)
> Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO:
> [mac:58:03:fb:51:bc:35] Matched rule (Administrator) in source
> apra-user-auth-dc01, returning actions.
> (pf::Authentication::Source::match_rule)
> Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO:
> [mac:58:03:fb:51:bc:35] Matched rule (Administrator) in source
> apra-user-auth-dc01, returning actions. (pf::Authentication::Source::match)
> Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO:
> [mac:58:03:fb:51:bc:35] User c.mammoli.adm logged in 192.168.16.48 with
> write access (pf::Switch::Cisco::returnAuthorizeWrite)
>
> 10.2 (wrong password):
> Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) WARN:
> [mac:d0:22:be:5f:2c:35] Trying to match IP address with an invalid MAC
> address 'undef' (pf::ip4log::mac2ip)
> Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO:
> [mac:d0:22:be:5f:2c:35] Found authentication source(s) :
> 'local,apra-machine-auth-dc01,apra-user-auth-dc01' for realm 'null'
> (pf::config::util::filter_authentication_sources)
> Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) WARN:
> [mac:d0:22:be:5f:2c:35] Use of uninitialized value in numeric ne (!=) at
> /usr/local/pf/lib/pf/radius.pm line 921.
> Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) WARN:
> [mac:d0:22:be:5f:2c:35] Use of uninitialized value in numeric ne (!=) at
> /usr/local/pf/lib/pf/radius.pm line 921.
> Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO:
> [mac:d0:22:be:5f:2c:35] LDAP testing connection (pf::LDAP::expire_if)
> 
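
The behaviour in the report above, reduced to its essence as an added example (constructed Python, not PacketFence's Perl code, and not how the maintenance-branch fix is implemented): an LDAP/AD source is searched with the service account and the rule's filter, and the existence of a matching entry is taken as a successful login, so the supplied password is never checked. The second function binds as the user first and evaluates the rule only after that bind succeeds. The directory contents, usernames and passwords are made up; the group DN and the conditions of the "Administrator" rule come from the auth.conf quoted above.

```python
"""Added example: authorization lookup mistaken for authentication.

Everything here is a constructed stand-in (a dict instead of a real AD) and
not PacketFence code. Usernames and passwords are made up; the group DN and
the rule logic mirror the 'Administrator' rule in the auth.conf above.
"""

# Constructed directory: sAMAccountName -> attributes. Not real accounts.
DIRECTORY = {
    "alice.adm": {
        "password": "correct-horse",
        "memberOf": ["CN=Apra Admins,OU=Admins,OU=Utenti,DC=apra,DC=it"],
    },
    "nms": {"password": "nms-secret", "memberOf": []},
    "bob": {"password": "hunter2", "memberOf": []},
}

ADMIN_GROUP = "CN=Apra Admins,OU=Admins,OU=Utenti,DC=apra,DC=it"


def ldap_search(username):
    """Search performed with the service account (the binddn in auth.conf).

    Returns the user's entry or None. It proves that an entry exists, not
    that the caller knows that entry's password.
    """
    return DIRECTORY.get(username)


def ldap_bind(username, password):
    """Simple bind as the end user: succeeds only with that user's password."""
    entry = DIRECTORY.get(username)
    return entry is not None and entry["password"] == password


def rule_administrator(entry, username):
    """The 'Administrator' rule with match=any:
    condition0  memberOf equals ADMIN_GROUP
    condition1  sAMAccountName equals 'nms'
    """
    return ADMIN_GROUP in entry["memberOf"] or username == "nms"


def cli_login_authorize_only(username, password):
    """Flawed flow: the password is received but never verified.

    Rule matching alone decides, so anyone who knows a username that
    matches the rule gets write access. Returns the access level or None.
    """
    entry = ldap_search(username)
    if entry is not None and rule_administrator(entry, username):
        return "write"
    return None


def cli_login_bind_then_authorize(username, password):
    """Corrected flow: authenticate first, authorize second.

    A failed bind ends the request before any rule is consulted.
    """
    if not ldap_bind(username, password):
        return None
    entry = ldap_search(username)
    if entry is not None and rule_administrator(entry, username):
        return "write"
    return None


if __name__ == "__main__":
    for flow in (cli_login_authorize_only, cli_login_bind_then_authorize):
        for user, pw in (("alice.adm", "wrong"), ("alice.adm", "correct-horse"),
                         ("bob", "hunter2")):
            print(f"{flow.__name__:32} {user:10} {pw:14} -> {flow(user, pw)}")
```

The point of the split is that a search filter such as `(&(sAMAccountName=u)(memberOf=...))` only answers "does such an entry exist", which the 10.3 log shows being treated as a login; the 10.2 log, by contrast, shows the source's `authenticate` being called before any access is granted.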

[PacketFence-users] Switch authentication grants access *with any password* as long as the username is correct (10.3)

2021-04-27 Thread Cristian Mammoli via PacketFence-users
Hi, I noticed that after the upgrade to 10.3 I can authenticate to the 
devices' CLI with any password ()

I reverted to 10.2 and it works correctly:

auth.conf:
[apra-user-auth-dc01]
cache_match=0
realms=apra,apra.it,default,null
basedn=dc=apra,dc=it
password=
set_access_level_action=
scope=sub
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=5
binddn=cn=packetfence,cn=Users,dc=apra,dc=it
encryption=starttls
port=389
description=Apra User authentication
host=192.168.0.7,192.168.0.76
type=AD
read_timeout=10
write_timeout=5
monitor=1
dynamic_routing_module=AuthModule
shuffle=1
searchattributes=
set_access_durations_action=

[apra-user-auth-dc01 rule Administrator]
action0=set_access_level=ALL
condition0=memberOf,equals,CN=Apra Admins,OU=Admins,OU=Utenti,DC=apra,DC=it
status=enabled
match=any
condition1=sAMAccountName,equals,nms
class=administration
action1=mark_as_sponsor=1

[group switch_jesi_accesso]
description=Switch Jesi Accesso
VoIPEnabled=Y
registrationVlan=112
SNMPCommunityWrite=
guestVlan=99
deauthMethod=RADIUS
type=Cisco::Catalyst_2960
employeesVlan=24
isolationVlan=113
radiusSecret=
SNMPVersion=2c
consultantsVlan=24
voiceVlan=14
machineauthVlan=24
defaultVlan=1
staff_itVlan=24
printersVlan=1
ap_managementVlan=-1
videosorveglianzaVlan=21
always_trigger=1
cliAccess=Y
adiacentVlan=17
uplink_dynamic=0


As long as a user is a member of the "CN=Apra 
Admins,OU=Admins,OU=Utenti,DC=apra,DC=it" any password is accepted, on 
any type of switch.


This is a log from 10.3 (with wrong password):
Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) WARN: 
[mac:58:03:fb:51:bc:35] Trying to match IP address with an invalid MAC 
address 'undef' (pf::ip4log::mac2ip)
Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO: 
[mac:58:03:fb:51:bc:35] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO: 
[mac:58:03:fb:51:bc:35] Found authentication source(s) : 
'local,apra-machine-auth-dc01,apra-user-auth-dc01' for realm 'null' 
(pf::config::util::filter_authentication_sources)
Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO: 
[mac:58:03:fb:51:bc:35] Using sources local, apra-machine-auth-dc01, 
apra-user-auth-dc01 for matching (pf::authentication::match2)
Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) WARN: 
[mac:58:03:fb:51:bc:35] [apra-user-auth-dc01 Administrator] Searching 
for (&(sAMAccountName=c.mammoli.adm)(|(memberOf=CN=Apra 
Admins,OU=Admins,OU=Utenti,DC=apra,DC=it)(sAMAccountName=nms))), from 
dc=apra,dc=it, with scope sub 
(pf::Authentication::Source::LDAPSource::match_in_subclass)
Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO: 
[mac:58:03:fb:51:bc:35] LDAP testing connection (pf::LDAP::expire_if)
Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO: 
[mac:58:03:fb:51:bc:35] Matched rule (Administrator) in source 
apra-user-auth-dc01, returning actions. 
(pf::Authentication::Source::match_rule)
Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO: 
[mac:58:03:fb:51:bc:35] Matched rule (Administrator) in source 
apra-user-auth-dc01, returning actions. (pf::Authentication::Source::match)
Apr 27 16:44:22 srvpf packetfence_httpd.aaa: httpd.aaa(2540) INFO: 
[mac:58:03:fb:51:bc:35] User c.mammoli.adm logged in 192.168.16.48 with 
write access (pf::Switch::Cisco::returnAuthorizeWrite)


10.2 (wrong password):
Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) WARN: 
[mac:d0:22:be:5f:2c:35] Trying to match IP address with an invalid MAC 
address 'undef' (pf::ip4log::mac2ip)
Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO: 
[mac:d0:22:be:5f:2c:35] Found authentication source(s) : 
'local,apra-machine-auth-dc01,apra-user-auth-dc01' for realm 'null' 
(pf::config::util::filter_authentication_sources)
Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) WARN: 
[mac:d0:22:be:5f:2c:35] Use of uninitialized value in numeric ne (!=) at 
/usr/local/pf/lib/pf/radius.pm line 921.
Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) WARN: 
[mac:d0:22:be:5f:2c:35] Use of uninitialized value in numeric ne (!=) at 
/usr/local/pf/lib/pf/radius.pm line 921.
Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO: 
[mac:d0:22:be:5f:2c:35] LDAP testing connection (pf::LDAP::expire_if)
Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) WARN: 
[mac:d0:22:be:5f:2c:35] [apra-machine-auth-dc01] No entries found (0) 
with filter (servicePrincipalName=c.mammoli.adm) from dc=apra,dc=it on 
192.168.0.7:389 (pf::Authentication::Source::LDAPSource::authenticate)
Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) INFO: 
[mac:d0:22:be:5f:2c:35] LDAP testing connection (pf::LDAP::expire_if)
Apr 27 16:51:55 srvpf packetfence_httpd.aaa: httpd.aaa(2555) WARN: 
[mac:d0:22:be:5f:2c:35] [apra-user-auth-dc01] User