Hi Fabrice,
Now I got it. Many thanks for your best effort.

One last thing: I have a question about PacketFence integrated with a
firewall (Fortinet) for SSL VPN authentication.
Scenario:
I would like to create 2 user groups.
- Vendor group from the PacketFence local user source.
- Employees group from a Windows AD user group.

Is it possible?
If possible, can you please share the concept for this solution?

Thank you,
Sarayuth

On Wednesday, 28 September 2016, Fabrice Durand <fdur...@inverse.ca> wrote:

> Hi Sarayuth,
>
> This is exactly what you expected: your device matches wiredmacauth and,
> because it's unreg, it is forwarded to VLAN 2 (the reg VLAN, I suppose).
>
> So now if you correctly configure PacketFence on VLAN 2, the
> device will hit the portal.
>
> The next step is to be sure that in your null authentication source you
> define the catch_all rule that assigns the Guest role and an access duration.
>
> Regards
>
> Fabrice
>
>
>
> On 2016-09-27 at 23:39, Sarayuth Sarayuth wrote:
>
> Hi Fabrice,
>
> Yes. So I tried unchecking Automatically register device, and the client shows
> unreg status and obtains the registration role; it does not get the Guest role
> from the NULL source. The packetfence.log is below.
>
> Sep 28 10:21:40 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] Memory
> configuration is not valid anymore for key config::Switch in local
> cached_hash (pfconfig::cached::is_valid)
> Sep 28 10:21:40 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] handling
> radius autz request: from switch_ip => (192.168.1.254), connection_type =>
> WIRED_MAC_AUTH,switch_mac => (24:01:c7:3e:61:85), mac =>
> [70:5a:0f:85:9d:6a], port => 10005, username => "705a0f859d6a"
> (pf::radius::authorize)
> Sep 28 10:21:40 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] Memory
> configuration is not valid anymore for key FilterEngine::Profile in local
> cached_hash (pfconfig::cached::is_valid)
> Sep 28 10:21:40 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] Memory
> configuration is not valid anymore for key config::Profiles in local
> cached_hash (pfconfig::cached::is_valid)
> Sep 28 10:21:40 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] Instantiate
> profile wiredmacauth (pf::Portal::ProfileFactory::_from_profile)
> Sep 28 10:21:40 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] Memory
> configuration is not valid anymore for key resource::authentication_sources
> in local cached_hash (pfconfig::cached::is_valid)
> Sep 28 10:21:40 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] Memory
> configuration is not valid anymore for key config::Pf in local cached_hash
> (pfconfig::cached::is_valid)
> Sep 28 10:21:40 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] is of status
> unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
> Sep 28 10:21:40 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a]
> (192.168.1.254) Added VLAN 2 to the returned RADIUS Access-Accept
> (pf::Switch::returnRadiusAccessAccept)
> Sep 28 10:21:40 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a]
> (192.168.1.254) Added role registration to the returned RADIUS
> Access-Accept (pf::Switch::returnRadiusAccessAccept)
>
> Best Regards,
> Sarayuth
>
> On Wed, Sep 28, 2016 at 6:57 AM, Durand fabrice <fdur...@inverse.ca>
> wrote:
>
> Hi Sarayuth,
>
> Did you check Automatically register device on the wiremacauth portal?
> (If yes, uncheck it.)
>
> Regards
>
> Fabrice
>
>
>
> On 2016-09-27 at 16:24, Sarayuth Sarayuth wrote:
>
> Hi Fabrice,
> Please see the log result as below.
> Sep 28 02:38:14 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] Connection
> type is WIRED_MAC_AUTH. Getting role from node_info
> (pf::role::getRegisteredRole)
> Sep 28 02:38:14 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] Username was
> NOT defined or unable to match a role - returning node based role ''
> (pf::role::getRegisteredRole)
> Sep 28 02:38:14 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] PID:
> "default", Status: reg Returned VLAN: (undefined), Role:
>  (pf::role::fetchRoleForNode)
> Sep 28 02:38:14 httpd.aaa(6031) WARN: [mac:70:5a:0f:85:9d:6a] No parameter
> Vlan found in conf/switches.conf for the switch 192.168.1.254
> (pf::Switch::getVlanByName)
> Sep 28 02:38:15 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] Updating
> locationlog from accounting request (pf::api::handle_accounting_metadata)
> Sep 28 02:42:49 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] Memory
> configuration is not valid anymore for key config::Pf in local cached_hash
> (pfconfig::cached::is_valid)
> Sep 28 02:42:49 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] Memory
> configuration is not valid anymore for key resource::stats_levels in local
> cached_hash (pfconfig::cached::is_valid)
> Sep 28 02:42:49 packetfence.pm(7715) INFO: Memory configuration is not
> valid anymore for key resource::stats_levels in local cached_hash
> (pfconfig::cached::is_valid)
> Sep 28 02:47:30 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] Memory
> configuration is not valid anymore for key resource::stats_levels in local
> cached_hash (pfconfig::cached::is_valid)
> Sep 28 02:47:30 packetfence.pm(7715) INFO: Memory configuration is not
> valid anymore for key resource::stats_levels in local cached_hash
> (pfconfig::cached::is_valid)
> Sep 28 02:52:15 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] Memory
> configuration is not valid anymore for key config::Pf in local cached_hash
> (pfconfig::cached::is_valid)
> Sep 28 02:52:15 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] Memory
> configuration is not valid anymore for key resource::stats_levels in local
> cached_hash (pfconfig::cached::is_valid)
> Sep 28 02:52:15 packetfence.pm(7715) INFO: Memory configuration is not
> valid anymore for key resource::stats_levels in local cached_hash
> (pfconfig::cached::is_valid)
> Sep 28 02:53:16 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] Memory
> configuration is not valid anymore for key resource::stats_levels in local
> cached_hash (pfconfig::cached::is_valid)
> Sep 28 02:53:16 packetfence.pm(7715) INFO: Memory configuration is not
> valid anymore for key resource::stats_levels in local cached_hash
> (pfconfig::cached::is_valid)
> Sep 28 02:53:49 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] Memory
> configuration is not valid anymore for key resource::stats_levels in local
> cached_hash (pfconfig::cached::is_valid)
> Sep 28 02:53:49 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] handling
> radius autz request: from switch_ip => (192.168.1.254), connection_type =>
> WIRED_MAC_AUTH,switch_mac => (24:01:c7:3e:61:83), mac =>
> [70:5a:0f:85:9d:6a], port => 10003, username => "705a0f859d6a"
> (pf::radius::authorize)
> Sep 28 02:53:49 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] Memory
> configuration is not valid anymore for key FilterEngine::Profile in local
> cached_hash (pfconfig::cached::is_valid)
> Sep 28 02:53:49 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] Memory
> configuration is not valid anymore for key config::Profiles in local
> cached_hash (pfconfig::cached::is_valid)
> Sep 28 02:53:49 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] Instantiate
> profile wiredmacauth (pf::Portal::ProfileFactory::_from_profile)
> Sep 28 02:53:49 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] autoregister
> a node that is already registered, do nothing. (pf::node::node_register)
> Sep 28 02:53:49 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] Memory
> configuration is not valid anymore for key config::Pf in local cached_hash
> (pfconfig::cached::is_valid)
> Sep 28 02:53:49 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] Connection
> type is WIRED_MAC_AUTH. Getting role from node_info
> (pf::role::getRegisteredRole)
> Sep 28 02:53:49 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] Username was
> NOT defined or unable to match a role - returning node based role ''
> (pf::role::getRegisteredRole)
> Sep 28 02:53:49 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] PID:
> "default", Status: reg Returned VLAN: (undefined), Role:
>  (pf::role::fetchRoleForNode)
> Sep 28 02:53:49 httpd.aaa(6031) WARN: [mac:70:5a:0f:85:9d:6a] No parameter
> Vlan found in conf/switches.conf for the switch 192.168.1.254
> (pf::Switch::getVlanByName)
> Sep 28 02:53:49 packetfence.pm(7732) INFO: Memory configuration is not
> valid anymore for key resource::stats_levels in local cached_hash
> (pfconfig::cached::is_valid)
> Sep 28 02:53:50 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] Updating
> locationlog from accounting request (pf::api::handle_accounting_metadata)
> Sep 28 02:53:50 packetfence.pm(7715) INFO: Memory configuration is not
> valid anymore for key resource::stats_levels in local cached_hash
> (pfconfig::cached::is_valid)
> Sep 28 02:53:50 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] Memory
> configuration is not valid anymore for key resource::stats_levels in local
> cached_hash (pfconfig::cached::is_valid)
> Sep 28 03:03:10 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] Memory
> configuration is not valid anymore for key resource::stats_levels in local
> cached_hash (pfconfig::cached::is_valid)
> Sep 28 03:09:36 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] Memory
> configuration is not valid anymore for key resource::stats_levels in local
> cached_hash (pfconfig::cached::is_valid)
> Sep 28 03:09:36 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] handling
> radius autz request: from switch_ip => (192.168.1.254), connection_type =>
> WIRED_MAC_AUTH,switch_mac => (24:01:c7:3e:61:83), mac =>
> [70:5a:0f:85:9d:6a], port => 10003, username => "705a0f859d6a"
> (pf::radius::authorize)
> Sep 28 03:09:36 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] Instantiate
> profile wiredmacauth (pf::Portal::ProfileFactory::_from_profile)
> Sep 28 03:09:36 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] autoregister
> a node that is already registered, do nothing. (pf::node::node_register)
> Sep 28 03:09:36 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] Connection
> type is WIRED_MAC_AUTH. Getting role from node_info
> (pf::role::getRegisteredRole)
> Sep 28 03:09:36 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] Username was
> NOT defined or unable to match a role - returning node based role ''
> (pf::role::getRegisteredRole)
> Sep 28 03:09:36 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] PID:
> "default", Status: reg Returned VLAN: (undefined), Role:
>  (pf::role::fetchRoleForNode)
> Sep 28 03:09:36 httpd.aaa(6031) WARN: [mac:70:5a:0f:85:9d:6a] No parameter
> Vlan found in conf/switches.conf for the switch 192.168.1.254
> (pf::Switch::getVlanByName)
> Sep 28 03:09:36 packetfence.pm(7732) INFO: Memory configuration is not
> valid anymore for key resource::stats_levels in local cached_hash
> (pfconfig::cached::is_valid)
> Sep 28 03:09:37 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] Updating
> locationlog from accounting request (pf::api::handle_accounting_metadata)
> Sep 28 03:09:37 httpd.aaa(6031) INFO: [mac:70:5a:0f:85:9d:6a] Memory
> configuration is not valid anymore for key resource::stats_levels in local
> cached_hash (pfconfig::cached::is_valid)
>
>
> Thank you,
> Sarayuth
>
> On Wed, Sep 28, 2016 at 3:06 AM, Fabrice Durand <fdur...@inverse.ca>
> wrote:
>
> Hi Sarayuth,
>
> Can you paste the log when you try to connect? (packetfence.log)
>
> Regards
>
> Fabrice
>
>
>
> On 2016-09-27 at 15:58, Sarayuth Sarayuth wrote:
>
> Dear Fabrice,
>
> Your advice solved the 802.1X issue with AD user auth. The
> machine can obtain the proper VLAN by user group, but for MAB I have tried to
> configure it as you suggested with no luck.
> The auth log shows Profile, Role and Source as N/A. Btw, I also changed the
> connection type to wired_mac_auth but the result is the same.
> Do you have any idea?
>
> Thank you,
> Sarayuth
>
> On Tuesday, 27 September 2016, Fabrice Durand <fdur...@inverse.ca> wrote:
>
> Hello Sarayuth,
>
> In your AD source configuration, make sure that you check "use stripped
> username".
>
> Also, what you can do is create 2 portal profiles, one for 802.1x
> and the other for MAB.
>
> So first create a profile (wiresecure), add a filter connection type =
> Ethernet-EAP, add the AD source and check Automatically register device.
>
> Then create another one (wiremacauth), add a filter connection type =
> Ethernet-NoEAP and add the null source.
>
> So when you connect with 802.1x, your device will match the wiresecure
> portal and use the AD source to compute the role.
>
> When your device uses MAB, it will match the wiremacauth portal
> and you will see the null authentication.
>
> Btw, in the null source create a catch-all and assign the role guest and an
> access duration (1d).
>
>
> Regards
>
> Fabrice
>
>
>
> On 2016-09-27 at 00:08, Sarayuth Sarayuth wrote:
>
> Hi Fabrice,
>
> Thank you for your prompt reply.
> I have added the other realm that you suggested and can log in with both the
> Domain/user and user formats.
> But I am facing a new issue: the user cannot obtain the role. I have
> configured Portal Profiles->default: checked the box Automatically register
> device. The device shows registered status but does not change to the VLAN that
> I applied in the Role (AD source, with a rule created by groupmember on AD).
> And I need the MAB device to obtain the guest VLAN. Is it possible?
>
> Best Regards,
> Sarayuth Saetung
>
> On Mon, Sep 26, 2016 at 10:34 AM, Sarayuth Sarayuth <sarayut...@zeabix.com
> > wrote:
>
> Hi All,
>
> I am facing an issue where wired 802.1X with PEAP authentication fails. I
> joined pf to the Windows 2012R2 Active Directory by command line successfully and
> can see it in the domain computers, but the join on the GUI fails with "Test join fail". The
> PF is able to ping the server's FQDN. The user on AD can authenticate via the
> registration portal.
> The reason for the authentication failure shows "Reading winbind reply failed".
> I made sure that the winbindd service has started and I have changed the privilege
> to wbpriv.
>
> The radius debug output is shown below.
>
> (9) Mon Sep 26 01:01:27 2016: Debug: Received Access-Request Id 84 from
> 192.168.1.254:1645 to 192.168.1.101:1812 length 203
> (9) Mon Sep 26 01:01:27 2016: Debug:   User-Name = "sarayuth.s"
> (9) Mon Sep 26 01:01:27 2016: Debug:   Service-Type = Framed-User
> (9) Mon Sep 26 01:01:27 2016: Debug:   Framed-MTU = 1500
> (9) Mon Sep 26 01:01:27 2016: Debug:   Called-Station-Id =
> "24-01-C7-3E-61-83"
> (9) Mon Sep 26 01:01:27 2016: Debug:   Calling-Station-Id =
> "70-5A-0F-85-9D-6A"
> (9) Mon Sep 26 01:01:27 2016: Debug:   EAP-Message =
> 0x0201000f0173617261797574682e73
> (9) Mon Sep 26 01:01:27 2016: Debug:   Message-Authenticator =
> 0x5e96766ef742153ba7a50fc9667c8686
> (9) Mon Sep 26 01:01:27 2016: Debug:   Cisco-AVPair = "audit-session-id=
> C0A801FE0000005306A59C51"
> (9) Mon Sep 26 01:01:27 2016: Debug:   NAS-Port-Type = Ethernet
> (9) Mon Sep 26 01:01:27 2016: Debug:   NAS-Port = 50003
> (9) Mon Sep 26 01:01:27 2016: Debug:   NAS-Port-Id = "FastEthernet0/3"
> (9) Mon Sep 26 01:01:27 2016: Debug:   NAS-IP-Address = 192.168.1.254
> (9) Mon Sep 26 01:01:27 2016: Debug: # Executing section authorize from
> file raddb//sites-enabled/packetfence
> (9) Mon Sep 26 01:01:27 2016: Debug:   authorize {
> (9) Mon Sep 26 01:01:27 2016: Debug:     update {
> (9) Mon Sep 26 01:01:27 2016: Debug:       EXPAND %{Packet-Src-IP-Address}
> (9) Mon Sep 26 01:01:27 2016: Debug:          --> 192.168.1.254
> (9) Mon Sep 26 01:01:27 2016: Debug:       EXPAND %l
> (9) Mon Sep 26 01:01:27 2016: Debug:          --> 1474826487
> (9) Mon Sep 26 01:01:27 2016: Debug:     } # update = noop
> (9) Mon Sep 26 01:01:27 2016: Debug:     policy rewrite_calling_station_id
> {
> (9) Mon Sep 26 01:01:27 2016: Debug:       if (&Calling-Station-Id &&
> (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-
> 9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-
> 9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
> (9) Mon Sep 26 01:01:27 2016: Debug:       if (&Calling-Station-Id &&
> (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-
> 9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-
> 9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
> (9) Mon Sep 26 01:01:27 2016: Debug:       if (&Calling-Station-Id &&
> (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-
> 9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-
> 9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
> (9) Mon Sep 26 01:01:27 2016: Debug:         update request {
> (9) Mon Sep 26 01:01:27 2016: Debug:           EXPAND
> %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
> (9) Mon Sep 26 01:01:27 2016: Debug:              --> 70:5a:0f:85:9d:6a
> (9) Mon Sep 26 01:01:27 2016: Debug:         } # update request = noop
> (9) Mon Sep 26 01:01:27 2016: Debug:         [updated] = updated
> (9) Mon Sep 26 01:01:27 2016: Debug:       } # if (&Calling-Station-Id &&
> (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-
> 9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-
> 9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
> (9) Mon Sep 26 01:01:27 2016: Debug:       ... skipping else for request
> 9: Preceding "if" was taken
> (9) Mon Sep 26 01:01:27 2016: Debug:     } # policy
> rewrite_calling_station_id = updated
> (9) Mon Sep 26 01:01:27 2016: Debug:     policy rewrite_called_station_id {
> (9) Mon Sep 26 01:01:27 2016: Debug:       if ((&Called-Station-Id) &&
> (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-
> 9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-
> 9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) {
> (9) Mon Sep 26 01:01:27 2016: Debug:       if ((&Called-Station-Id) &&
> (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-
> 9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-
> 9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))  -> TRUE
> (9) Mon Sep 26 01:01:27 2016: Debug:       if ((&Called-Station-Id) &&
> (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-
> 9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-
> 9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))  {
> (9) Mon Sep 26 01:01:27 2016: Debug:         update request {
> (9) Mon Sep 26 01:01:27 2016: Debug:           EXPAND
> %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
> (9) Mon Sep 26 01:01:27 2016: Debug:              --> 24:01:c7:3e:61:83
> (9) Mon Sep 26 01:01:27 2016: Debug:         } # update request = noop
> (9) Mon Sep 26 01:01:27 2016: Debug:         if ("%{8}") {
> (9) Mon Sep 26 01:01:27 2016: Debug:         EXPAND %{8}
> (9) Mon Sep 26 01:01:27 2016: Debug:            -->
> (9) Mon Sep 26 01:01:27 2016: Debug:         if ("%{8}")  -> FALSE
> (9) Mon Sep 26 01:01:27 2016: Debug:         elsif ( (Colubris-AVPair) &&
> "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) {
> (9) Mon Sep 26 01:01:27 2016: Debug:         elsif ( (Colubris-AVPair) &&
> "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i)  -> FALSE
> (9) Mon Sep 26 01:01:27 2016: Debug:         elsif (Aruba-Essid-Name) {
> (9) Mon Sep 26 01:01:27 2016: Debug:         elsif (Aruba-Essid-Name)  ->
> FALSE
> (9) Mon Sep 26 01:01:27 2016: Debug:         elsif ( (Cisco-AVPair)  &&
> "%{Cisco-AVPair}" =~ /^ssid=(.*)$/i) {
> (9) Mon Sep 26 01:01:27 2016: Debug:         EXPAND %{Cisco-AVPair}
> (9) Mon Sep 26 01:01:27 2016: Debug:            --> audit-session-id=
> C0A801FE0000005306A59C51
> (9) Mon Sep 26 01:01:27 2016: Debug:         elsif ( (Cisco-AVPair)  &&
> "%{Cisco-AVPair}" =~ /^ssid=(.*)$/i)  -> FALSE
> (9) Mon Sep 26 01:01:27 2016: Debug:         [updated] = updated
> (9) Mon Sep 26 01:01:27 2016: Debug:       } # if ((&Called-Station-Id) &&
> (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-
> 9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-
> 9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))  = updated
> (9) Mon Sep 26 01:01:27 2016: Debug:       ... skipping else for request
> 9: Preceding "if" was taken
> (9) Mon Sep 26 01:01:27 2016: Debug:     } # policy
> rewrite_called_station_id = updated
> (9) Mon Sep 26 01:01:27 2016: Debug:     policy filter_username {
> (9) Mon Sep 26 01:01:27 2016: Debug:       if (&User-Name) {
> (9) Mon Sep 26 01:01:27 2016: Debug:       if (&User-Name)  -> TRUE
> (9) Mon Sep 26 01:01:27 2016: Debug:       if (&User-Name)  {
> (9) Mon Sep 26 01:01:27 2016: Debug:         if (&User-Name =~ / /) {
> (9) Mon Sep 26 01:01:27 2016: Debug:         if (&User-Name =~ / /)  ->
> FALSE
> (9) Mon Sep 26 01:01:27 2016: Debug:         if (&User-Name =~ /@[^@]*@/ )
> {
> (9) Mon Sep 26 01:01:27 2016: Debug:         if (&User-Name =~ /@[^@]*@/ )
>  -> FALSE
> (9) Mon Sep 26 01:01:27 2016: Debug:         if (&User-Name =~ /\.\./ ) {
> (9) Mon Sep 26 01:01:27 2016: Debug:         if (&User-Name =~ /\.\./ )
>  -> FALSE
> (9) Mon Sep 26 01:01:27 2016: Debug:         if ((&User-Name =~ /@/) &&
> (&User-Name !~ /@(.+)\.(.+)$/))  {
> (9) Mon Sep 26 01:01:27 2016: Debug:         if ((&User-Name =~ /@/) &&
> (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (9) Mon Sep 26 01:01:27 2016: Debug:         if (&User-Name =~ /\.$/)  {
> (9) Mon Sep 26 01:01:27 2016: Debug:         if (&User-Name =~ /\.$/)   ->
> FALSE
> (9) Mon Sep 26 01:01:27 2016: Debug:         if (&User-Name =~ /@\./)  {
> (9) Mon Sep 26 01:01:27 2016: Debug:         if (&User-Name =~ /@\./)   ->
> FALSE
> (9) Mon Sep 26 01:01:27 2016: Debug:       } # if (&User-Name)  = updated
> (9) Mon Sep 26 01:01:27 2016: Debug:     } # policy filter_username =
> updated
> (9) Mon Sep 26 01:01:27 2016: Debug:     policy filter_password {
> (9) Mon Sep 26 01:01:27 2016: Debug:       if (&User-Password &&
> (&User-Password != "%{string:User-Password}")) {
> (9) Mon Sep 26 01:01:27 2016: Debug:       if (&User-Password &&
> (&User-Password != "%{string:User-Password}"))  -> FALSE
> (9) Mon Sep 26 01:01:27 2016: Debug:     } # policy filter_password =
> updated
> (9) Mon Sep 26 01:01:27 2016: Debug:     [preprocess] = ok
> (9) Mon Sep 26 01:01:27 2016: Debug: suffix: Checking for suffix after "@"
> (9) Mon Sep 26 01:01:27 2016: Debug: suffix: No '@' in User-Name =
> "sarayuth.s", skipping NULL due to config.
> (9) Mon Sep 26 01:01:27 2016: Debug:     [suffix] = noop
> (9) Mon Sep 26 01:01:27 2016: Debug: ntdomain: Checking for prefix before
> "\"
> (9) Mon Sep 26 01:01:27 2016: Debug: ntdomain: No '\' in User-Name =
> "sarayuth.s", looking up realm NULL
> (9) Mon Sep 26 01:01:27 2016: Debug: ntdomain: No such realm "NULL"
> (9) Mon Sep 26 01:01:27 2016: Debug:     [ntdomain] = noop
> (9) Mon Sep 26 01:01:27 2016: Debug: eap: Peer sent EAP Response (code 2)
> ID 1 length 15
> (9) Mon Sep 26 01:01:27 2016: Debug: eap: EAP-Identity reply, returning
> 'ok' so we can short-circuit the rest of authorize
> (9) Mon Sep 26 01:01:27 2016: Debug:     [eap] = ok
> (9) Mon Sep 26 01:01:27 2016: Debug:   } # authorize = ok
> (9) Mon Sep 26 01:01:27 2016: Debug: Found Auth-Type = eap
> (9) Mon Sep 26 01:01:27 2016: Debug: # Executing group from file
> raddb//sites-enabled/packetfence
> (9) Mon Sep 26 01:01:27 2016: Debug:   authenticate {
> (9) Mon Sep 26 01:01:27 2016: Debug: eap: Peer sent packet with method EAP
> Identity (1)
> (9) Mon Sep 26 01:01:27 2016: Debug: eap: Calling submodule eap_peap to
> process data
> (9) Mon Sep 26 01:01:27 2016: Debug: eap_peap: Initiating new EAP-TLS
> session
> (9) Mon Sep 26 01:01:27 2016: Debug: eap_peap: [eaptls start] = request
> (9) Mon Sep 26 01:01:27 2016: Debug: eap: Sending EAP Request (code 1) ID
> 2 length 6
> (9) Mon Sep 26 01:01:27 2016: Debug: eap: EAP session adding &reply:State
> = 0x5c98901d5c9a89d4
> (9) Mon Sep 26 01:01:27 2016: Debug:     [eap] = handled
> (9) Mon Sep 26 01:01:27 2016: Debug:   } # authenticate = handled
> (9) Mon Sep 26 01:01:27 2016: Debug: Using Post-Auth-Type Challenge
> (9) Mon Sep 26 01:01:27 2016: Debug: Post-Auth-Type sub-section not
> found.  Ignoring.
> (9) Mon Sep 26 01:01:27 2016: Debug: # Executing group from file
> raddb//sites-enabled/packetfence
> (9) Mon Sep 26 01:01:27 2016: Debug: Sent Access-Challenge Id 84 from
> 192.168.1.101:1812 to 192.168.1.254:1645 length 0
> (9) Mon Sep 26 01:01:27 2016: Debug:   EAP-Message = 0x010200061920
> (9) Mon Sep 26 01:01:27 2016: Debug:   Message-Authenticator =
> 0x00000000000000000000000000000000
> (9) Mon Sep 26 01:01:27 2016: Debug:   State =
> 0x5c98901d5c9a89d4f51f3748fbc97797
> (9) Mon Sep 26 01:01:27 2016: Debug: Finished request
> (10) Mon Sep 26 01:01:27 2016: Debug: Received Access-Request Id 85 from
> 192.168.1.254:1645 to 192.168.1.101:1812 length 325
> (10) Mon Sep 26 01:01:27 2016: Debug:   User-Name = "sarayuth.s"
> (10) Mon Sep 26 01:01:27 2016: Debug:   Service-Type = Framed-User
> (10) Mon Sep 26 01:01:27 2016: Debug:   Framed-MTU = 1500
> (10) Mon Sep 26 01:01:27 2016: Debug:   Called-Station-Id =
> "24-01-C7-3E-61-83"
> (10) Mon Sep 26 01:01:27 2016: Debug:   Calling-Station-Id =
> "70-5A-0F-85-9D-6A"
> (10) Mon Sep 26 01:01:27 2016: Debug:   EAP-Message =
> 0x0202007719800000006d160301006801000064030157e810ea73468be2
> 0e807da08b631f759f01c87217e018ac2b7bef8201cf2877000018002f00
> 350005000ac013c014c009c00a0032003800130004010000230000000f00
> 0d00000a73617261797574682e73000a0006000400170018000b00020100
> (10) Mon Sep 26 01:01:27 2016: Debug:   Message-Authenticator =
> 0x8ffddd2e3586a0e0e764ea2a72965d64
> (10) Mon Sep 26 01:01:27 2016: Debug:   Cisco-AVPair = "audit-session-id=
> C0A801FE0000005306A59C51"
> (10) Mon Sep 26 01:01:27 2016: Debug:   NAS-Port-Type = Ethernet
> (10) Mon Sep 26 01:01:27 2016: Debug:   NAS-Port = 50003
> (10) Mon Sep 26 01:01:27 2016: Debug:   NAS-Port-Id = "FastEthernet0/3"
> (10) Mon Sep 26 01:01:27 2016: Debug:   State =
> 0x5c98901d5c9a89d4f51f3748fbc97797
> (10) Mon Sep 26 01:01:27 2016: Debug:   NAS-IP-Address = 192.168.1.254
> (10) Mon Sep 26 01:01:27 2016: Debug: session-state: No cached attributes
> (10) Mon Sep 26 01:01:27 2016: Debug: # Executing section authorize from
> file raddb//sites-enabled/packetfence
> (10) Mon Sep 26 01:01:27 2016: Debug:   authorize {
> (10) Mon Sep 26 01:01:27 2016: Debug:     update {
> (10) Mon Sep 26 01:01:27 2016: Debug:       EXPAND %{Packet-Src-IP-Address}
> (10) Mon Sep 26 01:01:27 2016: Debug:          --> 192.168.1.254
> (10) Mon Sep 26 01:01:27 2016: Debug:       EXPAND %l
> (10) Mon Sep 26 01:01:27 2016: Debug:          --> 1474826487
> (10) Mon Sep 26 01:01:27 2016: Debug:     } # update = noop
> (10) Mon Sep 26 01:01:27 2016: Debug:     policy
> rewrite_calling_station_id {
> (10) Mon Sep 26 01:01:27 2016: Debug:       if (&Calling-Station-Id &&
> (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-
> 9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-
> 9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
> (10) Mon Sep 26 01:01:27 2016: Debug:       if (&Calling-Station-Id &&
> (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-
> 9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-
> 9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
> (10) Mon Sep 26 01:01:27 2016: Debug:       if (&Calling-Station-Id &&
> (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-
> 9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-
> 9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
> (10) Mon Sep 26 01:01:27 2016: Debug:         update request {
> (10) Mon Sep 26 01:01:27 2016: Debug:           EXPAND
> %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
> (10) Mon Sep 26 01:01:27 2016: Debug:              --> 70:5a:0f:85:9d:6a
> (10) Mon Sep 26 01:01:27 2016: Debug:         } # update request = noop
> (10) Mon Sep 26 01:01:27 2016: Debug:         [updated] = updated
> (10) Mon Sep 26 01:01:27 2016: Debug:       } # if (&Calling-Station-Id &&
> (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-
> 9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-
> 9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
> (10) Mon Sep 26 01:01:27 2016: Debug:       ... skipping else for request
> 10: Preceding "if" was taken
> (10) Mon Sep 26 01:01:27 2016: Debug:     } # policy
> rewrite_calling_station_id = updated
> (10) Mon Sep 26 01:01:27 2016: Debug:     policy rewrite_called_station_id
> {
> (10) Mon Sep 26 01:01:27 2016: Debug:       if ((&Called-Station-Id) &&
> (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-
> 9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-
> 9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) {
> (10) Mon Sep 26 01:01:27 2016: Debug:       if ((&Called-Station-Id) &&
> (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-
> 9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-
> 9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))  -> TRUE
> (10) Mon Sep 26 01:01:27 2016: Debug:       if ((&Called-Station-Id) &&
> (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-
> 9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-
> 9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))  {
> (10) Mon Sep 26 01:01:27 2016: Debug:         update request {
> (10) Mon Sep 26 01:01:27 2016: Debug:           EXPAND
> %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
> (10) Mon Sep 26 01:01:27 2016: Debug:              --> 24:01:c7:3e:61:83
> (10) Mon Sep 26 01:01:27 2016: Debug:         } # update request = noop
> (10) Mon Sep 26 01:01:27 2016: Debug:         if ("%{8}") {
> (10) Mon Sep 26 01:01:27 2016: Debug:         EXPAND %{8}
> (10) Mon Sep 26 01:01:27 2016: Debug:            -->
> (10) Mon Sep 26 01:01:27 2016: Debug:         if ("%{8}")  -> FALSE
> (10) Mon Sep 26 01:01:27 2016: Debug:         elsif ( (Colubris-AVPair) &&
> "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) {
> (10) Mon Sep 26 01:01:27 2016: Debug:         elsif ( (Colubris-AVPair) &&
> "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i)  -> FALSE
> (10) Mon Sep 26 01:01:27 2016: Debug:         elsif (Aruba-Essid-Name) {
> (10) Mon Sep 26 01:01:27 2016: Debug:         elsif (Aruba-Essid-Name)  ->
> FALSE
> (10) Mon Sep 26 01:01:27 2016: Debug:         elsif ( (Cisco-AVPair)  &&
> "%{Cisco-AVPair}" =~ /^ssid=(.*)$/i) {
> (10) Mon Sep 26 01:01:27 2016: Debug:         EXPAND %{Cisco-AVPair}
> (10) Mon Sep 26 01:01:27 2016: Debug:            --> audit-session-id=
> C0A801FE0000005306A59C51
> (10) Mon Sep 26 01:01:27 2016: Debug:         elsif ( (Cisco-AVPair)  &&
> "%{Cisco-AVPair}" =~ /^ssid=(.*)$/i)  -> FALSE
> (10) Mon Sep 26 01:01:27 2016: Debug:         [updated] = updated
> (10) Mon Sep 26 01:01:27 2016: Debug:       } # if ((&Called-Station-Id)
> && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-
> 9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-
> 9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))  = updated
> (10) Mon Sep 26 01:01:27 2016: Debug:       ... skipping else for request
> 10: Preceding "if" was taken
> (10) Mon Sep 26 01:01:27 2016: Debug:     } # policy
> rewrite_called_station_id = updated
> (10) Mon Sep 26 01:01:27 2016: Debug:     policy filter_username {
> (10) Mon Sep 26 01:01:27 2016: Debug:       if (&User-Name) {
> (10) Mon Sep 26 01:01:27 2016: Debug:       if (&User-Name)  -> TRUE
> (10) Mon Sep 26 01:01:27 2016: Debug:       if (&User-Name)  {
> (10) Mon Sep 26 01:01:27 2016: Debug:         if (&User-Name =~ / /) {
> (10) Mon Sep 26 01:01:27 2016: Debug:         if (&User-Name =~ / /)  ->
> FALSE
> (10) Mon Sep 26 01:01:27 2016: Debug:         if (&User-Name =~ /@[^@]*@/
> ) {
> (10) Mon Sep 26 01:01:27 2016: Debug:         if (&User-Name =~ /@[^@]*@/
> )  -> FALSE
> (10) Mon Sep 26 01:01:27 2016: Debug:         if (&User-Name =~ /\.\./ ) {
> (10) Mon Sep 26 01:01:27 2016: Debug:         if (&User-Name =~ /\.\./ )
>  -> FALSE
> (10) Mon Sep 26 01:01:27 2016: Debug:         if ((&User-Name =~ /@/) &&
> (&User-Name !~ /@(.+)\.(.+)$/))  {
> (10) Mon Sep 26 01:01:27 2016: Debug:         if ((&User-Name =~ /@/) &&
> (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (10) Mon Sep 26 01:01:27 2016: Debug:         if (&User-Name =~ /\.$/)  {
> (10) Mon Sep 26 01:01:27 2016: Debug:         if (&User-Name =~ /\.$/)
> -> FALSE
> (10) Mon Sep 26 01:01:27 2016: Debug:         if (&User-Name =~ /@\./)  {
> (10) Mon Sep 26 01:01:27 2016: Debug:         if (&User-Name =~ /@\./)
> -> FALSE
> (10) Mon Sep 26 01:01:27 2016: Debug:       } # if (&User-Name)  = updated
> (10) Mon Sep 26 01:01:27 2016: Debug:     } # policy filter_username =
> updated
> (10) Mon Sep 26 01:01:27 2016: Debug:     policy filter_password {
> (10) Mon Sep 26 01:01:27 2016: Debug:       if (&User-Password &&
>  (&User-Password != "%{string:User-Password}")) {
> (10) Mon Sep 26 01:01:27 2016: Debug:       if (&User-Password &&
>  (&User-Password != "%{string:User-Password}"))  -> FALSE
> (10) Mon Sep 26 01:01:27 2016: Debug:     } # policy filter_password =
> updated
> (10) Mon Sep 26 01:01:27 2016: Debug:     [preprocess] = ok
> (10) Mon Sep 26 01:01:27 2016: Debug: suffix: Checking for suffix after "@"
> (10) Mon Sep 26 01:01:27 2016: Debug: suffix: No '@' in User-Name =
> "sarayuth.s", skipping NULL due to config.
> (10) Mon Sep 26 01:01:27 2016: Debug:     [suffix] = noop
> (10) Mon Sep 26 01:01:27 2016: Debug: ntdomain: Checking for prefix before
> "\"
> (10) Mon Sep 26 01:01:27 2016: Debug: ntdomain: No '\' in User-Name =
> "sarayuth.s", looking up realm NULL
> (10) Mon Sep 26 01:01:27 2016: Debug: ntdomain: No such realm "NULL"
> (10) Mon Sep 26 01:01:27 2016: Debug:     [ntdomain] = noop
> (10) Mon Sep 26 01:01:27 2016: Debug: eap: Peer sent EAP Response (code 2)
> ID 2 length 119
> (10) Mon Sep 26 01:01:27 2016: Debug: eap: Continuing tunnel setup
> (10) Mon Sep 26 01:01:27 2016: Debug:     [eap] = ok
> (10) Mon Sep 26 01:01:27 2016: Debug:   } # authorize = ok
> (10) Mon Sep 26 01:01:27 2016: Debug: Found Auth-Type = eap
> (10) Mon Sep 26 01:01:27 2016: Debug: # Executing group from file
> raddb//sites-enabled/packetfence
> (10) Mon Sep 26 01:01:27 2016: Debug:   authenticate {
> (10) Mon Sep 26 01:01:27 2016: Debug: eap: Expiring EAP session with state
> 0x5c98901d5c9a89d4
> (10) Mon Sep 26 01:01:27 2016: Debug: eap: Finished EAP session with state
> 0x5c98901d5c9a89d4
> (10) Mon Sep 26 01:01:27 2016: Debug: eap: Previous EAP request found for
> state 0x5c98901d5c9a89d4, released from the list
> (10) Mon Sep 26 01:01:27 2016: Debug: eap: Peer sent packet
>
>

-- 
Best Regards,
Sarayuth Saetung
------------------------------------------------------------------------------
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
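
The packetfence.log excerpts quoted in this thread record, per RADIUS authorization request, which profile was instantiated, the node status, and the VLAN and role returned. The following is an added example (not part of the thread and not PacketFence code): a Python script that condenses such lines into one decision per request and flags the "registered but no role / no VLAN" case seen above. It assumes one log entry per line (unwrapped, unlike the e-mail quotes); the sample lines are constructed, using documentation addresses.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Layout taken from the log lines quoted in the thread:
# "<ts> <proc>(<pid>) <LEVEL>: [mac:<mac>] <message> (<perl::function>)"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+(?P<proc>[\w.]+)\(\d+\)\s+"
    r"(?P<level>[A-Z]+):\s+(?:\[mac:(?P<mac>[0-9a-f:]{17})\]\s+)?"
    r"(?P<msg>.*?)\s*\((?P<func>[\w:]+)\)$"
)

# Message fragments that carry one field of the authorization decision.
FIELD_PATTERNS = [
    ("connection_type", re.compile(r"connection_type => (\w+)")),
    ("profile", re.compile(r"Instantiate profile (\S+)")),
    ("status", re.compile(r"is of status (\w+);")),
    ("status", re.compile(r"Status: (\w+) Returned VLAN")),
    ("vlan", re.compile(r"Added VLAN (\S+) to the returned RADIUS Access-Accept")),
    ("role", re.compile(r"Added role (\S+) to the returned RADIUS Access-Accept")),
]


@dataclass
class Decision:
    ts: str
    mac: str
    connection_type: Optional[str] = None
    profile: Optional[str] = None
    status: Optional[str] = None
    vlan: Optional[str] = None
    role: Optional[str] = None
    warnings: List[str] = field(default_factory=list)

    def findings(self) -> List[str]:
        """Conditions worth a second look when reviewing access decisions."""
        out = []
        if self.status == "reg" and not self.role:
            out.append("registered node matched no role")
        if self.vlan is None:
            out.append("no VLAN in Access-Accept")
        return out + self.warnings


def parse_decisions(lines) -> List[Decision]:
    """Group log lines into one Decision per 'handling radius autz request'."""
    open_by_mac = {}
    decisions = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m or not m["mac"]:
            continue  # not a per-node line (e.g. packetfence.pm cache notices)
        msg = m["msg"]
        if msg.startswith("handling radius autz request"):
            open_by_mac[m["mac"]] = Decision(ts=m["ts"], mac=m["mac"])
            decisions.append(open_by_mac[m["mac"]])
        d = open_by_mac.get(m["mac"])
        if d is None:
            continue  # request started before this excerpt
        if m["level"] == "WARN":
            d.warnings.append(msg)
        for name, pat in FIELD_PATTERNS:
            hit = pat.search(msg)
            if hit:
                setattr(d, name, hit.group(1))
    return decisions


# Constructed sample: same message shapes as the thread, documentation
# MAC/IP values instead of the poster's.
SAMPLE_LOG = """\
Sep 28 02:53:49 httpd.aaa(6031) INFO: [mac:00:00:5e:00:53:01] handling radius autz request: from switch_ip => (192.0.2.10), connection_type => WIRED_MAC_AUTH,switch_mac => (00:00:5e:00:53:aa), mac => [00:00:5e:00:53:01], port => 10003, username => "00005e005301" (pf::radius::authorize)
Sep 28 02:53:49 httpd.aaa(6031) INFO: [mac:00:00:5e:00:53:01] Instantiate profile wiredmacauth (pf::Portal::ProfileFactory::_from_profile)
Sep 28 02:53:49 httpd.aaa(6031) INFO: [mac:00:00:5e:00:53:01] autoregister a node that is already registered, do nothing. (pf::node::node_register)
Sep 28 02:53:49 httpd.aaa(6031) INFO: [mac:00:00:5e:00:53:01] PID: "default", Status: reg Returned VLAN: (undefined), Role:  (pf::role::fetchRoleForNode)
Sep 28 02:53:49 httpd.aaa(6031) WARN: [mac:00:00:5e:00:53:01] No parameter Vlan found in conf/switches.conf for the switch 192.0.2.10 (pf::Switch::getVlanByName)
Sep 28 10:21:40 httpd.aaa(6031) INFO: [mac:00:00:5e:00:53:01] handling radius autz request: from switch_ip => (192.0.2.10), connection_type => WIRED_MAC_AUTH,switch_mac => (00:00:5e:00:53:aa), mac => [00:00:5e:00:53:01], port => 10005, username => "00005e005301" (pf::radius::authorize)
Sep 28 10:21:40 httpd.aaa(6031) INFO: [mac:00:00:5e:00:53:01] Instantiate profile wiredmacauth (pf::Portal::ProfileFactory::_from_profile)
Sep 28 10:21:40 httpd.aaa(6031) INFO: [mac:00:00:5e:00:53:01] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Sep 28 10:21:40 httpd.aaa(6031) INFO: [mac:00:00:5e:00:53:01] (192.0.2.10) Added VLAN 2 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Sep 28 10:21:40 httpd.aaa(6031) INFO: [mac:00:00:5e:00:53:01] (192.0.2.10) Added role registration to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
"""

if __name__ == "__main__":
    for d in parse_decisions(SAMPLE_LOG.splitlines()):
        print(d.ts, d.mac, d.connection_type, d.profile, d.status,
              "vlan=%s role=%s" % (d.vlan, d.role), d.findings())
```
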
