Re: [PacketFence-users] MAC Authentication Rejected
Hmm. Pretty sure I had it disabled but I will test it again to make sure. Thanks!

-Ryan

This e-mail message together with any attachments or reply should not be considered private or confidential because it may be archived and subject to public disclosure under certain circumstances, such as requests made pursuant to Wisconsin public records law. The message is intended solely for the use of the individual or entity to which they are addressed. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. Please note that the views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of the School District of Hartford Jt. #1. Any unauthorized use, distribution, copying or disclosure by you or to any other person is prohibited.

>>> Durand fabrice via PacketFence-users 1/5/2020 3:14 PM >>>
Hello Ryan,

it looks that you enabled autoregister on the connection profile. Disable it and retry.

Regards
Fabrice

On 19-12-25 at 10:08, Ryan Radschlag via PacketFence-users wrote:
Re: [PacketFence-users] MAC Authentication Rejected
Hello Ryan,

it looks that you enabled autoregister on the connection profile. Disable it and retry.

Regards
Fabrice

On 19-12-25 at 10:08, Ryan Radschlag via PacketFence-users wrote:
> We're trying to get down to having one open ssid, having people be dumped into the registration vlan by default, sending them to the captive portal if not yet registered, and then having packetfence put people in the correct vlans after registering their node. So I have unrouted isolation and registration vlans directly attached to packetfence/wlan controller and then the other vlans are only attached to the wlan controller. I have a mac blacklist enabled on the wlan controller to force it to do a RADIUS request to packetfence for authentication. If I disable that I'm directed to the portal (no RADIUS requests though, which is as it should be) so I know I'm on the correct vlan and the nodes can see the packetfence server.
>
> So, I connect to the wireless network, and I see the wlan controller send the radius request with the mac address of the machine as the username and the mac address as the password. But then I see packetfence send a reject message to the wlan controller. When I look in the web interface under the RADIUS audit log, all of the requests from nodes that are supposed to be mac based authentication don't have anything in the mac address field or the Calling-Station-Id field, and you see the [mac:[undef]] in the packetfence.log.
>
> My question is, should the fields be populated by the mac address when doing mac auth or am I looking in the wrong direction? Is packetfence parsing the RADIUS request incorrectly? Is there a way to do a rewrite and graft the username into the mac address/calling-station-id field if that is the case? If I do 802.1x auth, the mac address and calling-station-id fields are populated correctly. I've included the packetfence and radius logs below.
>
> RADIUS.LOG:
> Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for 383 seconds
> Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 383 seconds
> Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 383 seconds
> Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_sql (sql): Opening additional connection (3), 1 of 64 pending slots used
> Dec 24 10:37:42 hsd-pf-1 auth[12979]: Need 2 more connections to reach min connections (3)
> Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_sql (sql): Opening additional connection (4), 1 of 63 pending slots used
> Dec 24 10:37:42 hsd-pf-1 auth[12979]: Adding client *REDACTED*
> Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_rest (rest): Closing connection (0): Hit idle_timeout, was idle for 383 seconds
> Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_rest (rest): Closing connection (1): Hit idle_timeout, was idle for 383 seconds
> Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_rest (rest): Opening additional connection (2), 1 of 64 pending slots used
> Dec 24 10:37:42 hsd-pf-1 auth[12979]: (28) rest: ERROR: Server returned:
> Dec 24 10:37:42 hsd-pf-1 auth[12979]: (28) rest: ERROR: {"control:PacketFence-Authorization-Status":"allow","Reply-Message":"Authentication failed on PacketFence"}
> Dec 24 10:37:42 hsd-pf-1 auth[12979]: Need 2 more connections to reach min connections (3)
> Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_rest (rest): Opening additional connection (3), 1 of 63 pending slots used
> Dec 24 10:37:42 hsd-pf-1 auth[12979]: [mac:] Rejected user: a8:1d:16:7d:c8:11
> Dec 24 10:37:42 hsd-pf-1 auth[12979]: (28) Rejected in post-auth: [a8:1d:16:7d:c8:11] (from client *REDACTED* port 0)
> Dec 24 10:37:42 hsd-pf-1 auth[12979]: (28) Login incorrect (rest: Server returned:): [a8:1d:16:7d:c8:11] (from client *REDACTED* port 0)
>
> PACKETFENCE.LOG
> Dec 24 10:37:42 hsd-pf-1 packetfence_httpd.aaa: httpd.aaa(2339) WARN: [mac:[undef]] Trying to match IP address with an invalid MAC address 'undef' (pf::ip4log::mac2ip)
> Dec 24 10:37:42 hsd-pf-1 packetfence_httpd.aaa: httpd.aaa(2339) INFO: [mac:[undef]] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
> Dec 24 10:37:42 hsd-pf-1 packetfence_httpd.aaa: httpd.aaa(2339) INFO: [mac:[undef]] Found authentication source(s) : 'local,file1,LDAP-1' for realm 'null' (pf::config::util::filter_authentication_sources)
> Dec 24 10:37:42 hsd-pf-1 packetfence_httpd.aaa: httpd.aaa(2339) INFO: [mac:[undef]] LDAP testing connection (pf::LDAP::expire_if)
> Dec 24 10:37:42 hsd-pf-1 packetfence_httpd.aaa: httpd.aaa(2339) WARN: [mac:[undef]] [LDAP-1] No entries found (0) with filter (cn=a8:1d:16:7d:c8:11) from o=*REDACTED* on *REDACTED*:636 (pf::Authentication::Source::LDAPSource::authenticate)
> Dec 24 10:37:42 hsd-pf-1 packetfence_httpd.aaa: httpd.aaa(2339) INFO: [mac:[undef]] User a8:1d:16:7d:c8:11 tried to login in 00:50:56:8f:b0:a6 but authentication failed (pf::radius::switch_access)
>
> Any pointers would be app
Re: [PacketFence-users] MAC Authentication Rejected
Looks like my WLC isn't even sending the Calling-Station-Id. I just added this to the rewrite rule to correct the issue when no Calling-Station-Id is present:

    # MAC auth from the WLC carries the client MAC only in User-Name,
    # so copy it into Calling-Station-Id when that attribute is absent.
    if (!&Calling-Station-Id) {
        update request {
            &Calling-Station-Id := "%{User-Name}"
        }
        updated
    }

That should at least help for now.

-Ryan

>>> Ryan Radschlag via PacketFence-users >>> 12/25/2019 9:08 AM >>>
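As an added example (not code from this thread, from PacketFence or from FreeRADIUS), the fallback that Ryan's unlang rule performs, written in Python so it can be checked offline against sample requests and the packetfence.log lines quoted above: Calling-Station-Id wins when present, and User-Name is only promoted to a station MAC when it parses as a MAC in any of the common spellings and matches User-Password (an assumed heuristic for a WLC MAC-auth request), so an ordinary 802.1X username is never trusted as a station identity. The third log line in SAMPLE_LOG is constructed.

```python
import re

# MAC spellings a WLAN controller may put in User-Name / Calling-Station-Id:
# aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff, aabbccddeeff
_MAC_RE = re.compile(
    r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$|^[0-9a-f]{12}$"
)

def normalize_mac(value):
    """Return the MAC as aa:bb:cc:dd:ee:ff (the form PacketFence logs), or None if not a MAC."""
    v = value.strip().lower()
    if not _MAC_RE.match(v):
        return None
    digits = re.sub(r"[^0-9a-f]", "", v)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def station_mac(request):
    """Same fallback as the unlang rule: use Calling-Station-Id when present,
    otherwise derive the MAC from User-Name, but only when the request looks like
    MAC auth (assumed heuristic: User-Name and User-Password are the same MAC)."""
    csid = request.get("Calling-Station-Id")
    if csid:
        return normalize_mac(csid)
    mac = normalize_mac(request.get("User-Name", ""))
    if mac is None or normalize_mac(request.get("User-Password", "")) != mac:
        return None
    return mac

def undef_mac_lines(log_lines):
    """Count packetfence.log lines where PacketFence had no usable MAC for the request."""
    return sum(1 for line in log_lines if "[mac:[undef]]" in line)

# Constructed sample: the first two lines follow the packetfence.log quoted in the thread,
# the third is a made-up line for a request whose MAC was resolved.
SAMPLE_LOG = [
    "Dec 24 10:37:42 hsd-pf-1 packetfence_httpd.aaa: httpd.aaa(2339) WARN: [mac:[undef]] "
    "Trying to match IP address with an invalid MAC address 'undef' (pf::ip4log::mac2ip)",
    "Dec 24 10:37:42 hsd-pf-1 packetfence_httpd.aaa: httpd.aaa(2339) INFO: [mac:[undef]] "
    "Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)",
    "Dec 24 10:37:43 hsd-pf-1 packetfence_httpd.aaa: httpd.aaa(2339) INFO: [mac:a8:1d:16:7d:c8:11] "
    "Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)",
]

if __name__ == "__main__":  # constructed MAC-auth request: MAC as username and password, no Calling-Station-Id
    print(station_mac({"User-Name": "a8:1d:16:7d:c8:11", "User-Password": "a81d167dc811"}))  # a8:1d:16:7d:c8:11
    print(undef_mac_lines(SAMPLE_LOG))  # 2
```

A run of `undef_mac_lines` over a real packetfence.log gives a quick before/after count for the rewrite rule: once the WLC's requests carry a usable MAC, the `[mac:[undef]]` entries for MAC-auth clients should disappear.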