From: Helen C. <Hel...@re...> - 2017-03-30 07:35:52
Hi Fabrice,
How are you?
I checked the log in pfqueue.log and noticed the reason I cannot achieve reassignment is that I was not in production mode, so pf cannot perform deauthentication. Please see the log below:
Mar 29 21:16:44 pfqueue(2711) INFO: [mac:7c:01:91:25:f9:eb] not in production mode... we won't perform deauthentication (pf::Switch::Cisco::WLC::deauthenticateMacDefault)
Mar 29 21:17:18 pfqueue(2716) INFO: [mac:7c:01:91:25:f9:eb] [7c:01:91:25:f9:eb] DesAssociating mac on switch (10.1.5.50) (pf::api::desAssociate)
Mar 29 21:17:18 pfqueue(2716) INFO: [mac:7c:01:91:25:f9:eb] not in production mode... we won't perform deauthentication (pf::Switch::Cisco::WLC::deauthenticateMacDefault)
So I changed the switch mode to production. However, the captive portal page won't open up saying "hotspot login could not open the page because the server stopped responding". I checked the log info:
Pfqueue.log:
Mar 30 02:30:26 pfqueue(2656) INFO: [mac:7c:01:91:25:f9:eb] deauthenticating (pf::Switch::Cisco::WLC::radiusDisconnect)
Mar 30 02:30:26 pfqueue(2656) INFO: [mac:7c:01:91:25:f9:eb] controllerIp is set, we will use controller 10.1.5.50 to perform deauth (pf::Switch::Cisco::WLC::radiusDisconnect)
Mar 30 02:39:26 pfqueue(2379) ERROR: [mac:7c:01:91:25:f9:eb] Timeout sending on OMAPI socket at /usr/local/pf/lib/pf/OMAPI.pm line 252.
Mar 30 02:39:26 pfqueue(2379) INFO: [mac:7c:01:91:25:f9:eb] Memory configuration is not valid anymore for key interfaces::management_network in local cached_hash (pfconfig::cached::is_valid)
Mar 30 02:39:26 pfqueue(2379) ERROR: [mac:7c:01:91:25:f9:eb] Timeout sending on OMAPI socket at /usr/local/pf/lib/pf/OMAPI.pm line 252.
Mar 30 02:39:26 pfqueue(2379) WARN: [mac:7c:01:91:25:f9:eb] Unable to match MAC address to IP '172.17.0.10' (pf::iplog::ip2mac)
Mar 30 02:48:24 pfqueue(2378) INFO: [mac:7c:01:91:25:f9:eb] Memory configuration is not valid anymore for key config::Pf in local cached_hash (pfconfig::cached::is_valid)
Mar 30 02:48:24 pfqueue(2378) INFO: [mac:7c:01:91:25:f9:eb] Memory configuration is not valid anymore for key interfaces::management_network in local cached_hash (pfconfig::cached::is_valid)
Mar 30 02:48:24 pfqueue(2378) WARN: [mac:7c:01:91:25:f9:eb] Unable to match MAC address to IP '172.17.0.10' (pf::iplog::ip2mac)
Mar 30 02:48:24 pfqueue(2379) INFO: [mac:7c:01:91:25:f9:eb] Memory configuration is not valid anymore for key interfaces::internal_nets in local cached_hash (pfconfig::cached::is_valid)
Mar 30 02:48:24 pfqueue(2380) INFO: [mac:7c:01:91:25:f9:eb] Memory configuration is not valid anymore for key interfaces::internal_nets in local cached_hash (pfconfig::cached::is_valid)
Pf.log:
Mar 30 02:48:20 httpd.aaa(1884) INFO: [mac:7c:01:91:25:f9:eb] handling radius autz request: from switch_ip => (10.1.5.50), connection_type => Wireless-802.11-NoEAP,switch_mac => (5c:83:8f:9f:1b:90), mac => [7c:01:91:25:f9:eb], port => 1, username => "7c:01:91:25:f9:eb", ssid => Guest (pf::radius::authorize)
Mar 30 02:48:20 httpd.aaa(1884) INFO: [mac:7c:01:91:25:f9:eb] Instantiate profile RSP (pf::Portal::ProfileFactory::_from_profile)
Mar 30 02:48:20 httpd.aaa(1884) INFO: [mac:7c:01:91:25:f9:eb] Memory configuration is not valid anymore for key config::Pf in local cached_hash (pfconfig::cached::is_valid)
Mar 30 02:48:20 httpd.aaa(1884) INFO: [mac:7c:01:91:25:f9:eb] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Mar 30 02:48:20 httpd.aaa(1884) INFO: [mac:7c:01:91:25:f9:eb] (10.1.5.50) Added role Pre-Auth-For-WebRedirect to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Mar 30 02:48:20 httpd.aaa(1884) INFO: [mac:7c:01:91:25:f9:eb] Adding web authentication redirection to reply using role: 'Pre-Auth-For-WebRedirect' and URL: 'http://10.1.254.126/Cisco::WLC/sid05f7a1' (pf::Switch::Cisco::WLC::returnRadiusAccessAccept)
Mar 30 02:59:19 httpd.aaa(1884) INFO: [mac:7c:01:91:25:f9:eb] Updating locationlog from accounting request (pf::api::handle_accounting_metadata)
So to sum it up, I'm able to have the captive portal redirection work and I'm able to pass the authentication after inputting my credentials when I'm in registration mode. However, a blank captive portal page without anything showing will pop up and within 1 minute, it will say the hotspot login could not open the page because the server stopped responding. Per your previous instruction, I disabled role by VLAN, so after the end user passes the authentication, my device will never change VLAN ID but only the ACL associated with my device will change (in our case, from "Pre-Auth-For-WebRedirect" to "Authorize_any"), am I understanding it right?
Would you please shed some light on what I did wrong? I tried to search the internet but didn't get any useful information.
Thank you so much for your help. I really appreciate your continuous support.
---
Helen
From: Helen Chen [mailto:Hel...@re...]
Sent: Tuesday, March 28, 2017 10:49 AM
To: pac...@li...
Subject: Re: [PacketFence-users] help with you do not have permission to register a device with this username
Hi Fabrice,
Thank you for the suggestion. I removed the rule and just left the rule catch_all to test. I'm able to pass the permission to register. However, after I pass it, I get the error "Your network should be enabled within a minute or two. If it is not reboot your computer". I checked the pf.log, and it said reassignment is required. I only enabled the registration VLAN here as we do want clients to have limited access (not able to access production). Do I have to create a normal VLAN, or is there something I can do to avoid the VLAN change?
In addition, I kept my switch mode to registration instead of production.
Mar 27 22:41:55 httpd.portal(2419) INFO: [mac:unknown] Instantiate profile RSP (pf::Portal::ProfileFactory::_from_profile)
Mar 27 22:41:55 httpd.portal(2419) INFO: [mac:7c:01:91:25:f9:eb] Instantiate profile RSP (pf::Portal::ProfileFactory::_from_profile)
Mar 27 22:41:55 httpd.portal(2419) INFO: [mac:7c:01:91:25:f9:eb] Instantiate profile RSP (pf::Portal::ProfileFactory::_from_profile)
Mar 27 22:41:55 httpd.portal(2419) INFO: [mac:7c:01:91:25:f9:eb] Updating node user_agent with useragent: 'WeChat/6.5.6.37 CFNetwork/808.3 Darwin/16.3.0' (captiveportal::PacketFence::DynamicRouting::Application::process_user_agent)
Mar 27 22:41:55 httpd.portal(2419) INFO: [mac:7c:01:91:25:f9:eb] Static User-Agent lookup data initialized (pf::useragent::_init)
Mar 27 22:41:55 httpd.portal(2419) INFO: [mac:7c:01:91:25:f9:eb] User default has authenticated on the portal. (Class::MOP::Class:::after)
Mar 27 22:41:55 httpd.portal(2419) INFO: [mac:7c:01:91:25:f9:eb] Instantiate profile RSP (pf::Portal::ProfileFactory::_from_profile)
Mar 27 22:41:55 httpd.portal(2419) INFO: [mac:7c:01:91:25:f9:eb] Reevaluating access of device. (captiveportal::PacketFence::DynamicRouting::Module::Root::unknown_state)
Mar 27 22:41:55 httpd.portal(2419) INFO: [mac:7c:01:91:25:f9:eb] re-evaluating access (manage_register called) (pf::enforcement::reevaluate_access)
Mar 27 22:41:55 httpd.portal(2419) INFO: [mac:7c:01:91:25:f9:eb] is currentlog connected at (10.1.5.50) ifIndex 1 registration (pf::enforcement::_should_we_reassign_vlan)
Mar 27 22:41:56 httpd.portal(2419) INFO: [mac:7c:01:91:25:f9:eb] Instantiate profile RSP (pf::Portal::ProfileFactory::_from_profile)
Mar 27 22:41:56 httpd.portal(2419) INFO: [mac:7c:01:91:25:f9:eb] Connection type is WIRELESS_MAC_AUTH. Getting role from node_info (pf::role::getRegisteredRole)
Mar 27 22:41:56 httpd.portal(2419) INFO: [mac:7c:01:91:25:f9:eb] Username was defined "7c:01:91:25:f9:eb" - returning role 'RSPEmployee' (pf::role::getRegisteredRole)
Mar 27 22:41:56 httpd.portal(2419) INFO: [mac:7c:01:91:25:f9:eb] PID: "helen_chen", Status: reg Returned VLAN: (undefined), Role: RSPEmployee (pf::role::fetchRoleForNode)
Mar 27 22:41:56 httpd.portal(2419) WARN: [mac:7c:01:91:25:f9:eb] No parameter RSPEmployeeVlan found in conf/switches.conf for the switch 10.1.5.50 (pf::Switch::getVlanByName)
Mar 27 22:41:56 httpd.portal(2419) INFO: [mac:7c:01:91:25:f9:eb] Reassignment required (current Role = registration but should be in Role RSPEmployee) (pf::enforcement::_should_we_reassign_vlan)
Mar 27 22:41:56 httpd.portal(2419) INFO: [mac:7c:01:91:25:f9:eb] switch port is (10.1.5.50) ifIndex 1 connection type: WiFi MAC Auth (pf::enforcement::_vlan_reevaluation)
Thank you for your help,
---
Helen
From: Durand fabrice [mailto:fd...@in...]
Sent: Tuesday, March 28, 2017 7:18 AM
To: pac...@li...<mailto:pac...@li...>
Subject: Re: [PacketFence-users] help with you do not have permission to register a device with this username
Hello Helen,
There is only one rule:
[RSPEmployee rule RSPEmployee]
description=RSPEmployees
class=authentication
match=all
action0=set_role=RSPEmployee
action1=set_access_duration=5D
condition0=memberOf,equals,CN=wirelessauth,OU=System Function Account,OU=Special Account,DC=DDDDDDD,DC=DDDDDDDD,DC=com
So if the user is not memberOf the group specified then it will have no role.
What you can do first, if the user is supposed to match the group, is to use the pftest cli tool to check if the rule matches.
You can also use adsiedit.mmc to check if the user account contains the correct group oid.
The last thing, you can create a catch_all rule as last resort. (if no rule match before then use the last one as catch all).
Regards
Fabrice
Le 2017-03-27 à 03:57, Helen Chen a écrit :
Hi Fabrice,
How did your weekend go?
Please see attached for rules that I set for RSPEmployee source.
In addition, please see the authen.conf file below:
[root@PFZen ~]# cat /usr/local/pf/conf/authentication.conf
[local]
description=Local Users
dynamic_routing_module=AuthModule
type=SQL
[file1]
description=Legacy Source
stripped_user_name=yes
path=/usr/local/pf/conf/admin.conf
dynamic_routing_module=AuthModule
type=Htpasswd
[file1 rule admins]
description=All admins
class=administration
match=all
action0=set_access_level=ALL
[sms]
description=SMS-based registration
sms_carriers=100056,100057,100061,100058,100059,100060,100062,100063,100071,100064,100116,100066,100117,100112,100067,100065,100068,100069,100070,100118,100115,100072,100073,100074,100075,100076,100077,100085,100086,100080,100079,100081,100083,100082,100084,100087,100088,100111,100089,100090,100091,100092,100093,100094,100095,100096,100098,100097,100099,100100,100101,100113,100102,100103,100104,100106,100105,100107,100108,100109,100114,100110,100078,100122
dynamic_routing_module=AuthModule
type=SMS
create_local_account=no
[sms rule catchall]
description=
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D
[email]
description=Email-based registration
dynamic_routing_module=AuthModule
email_activation_timeout=10m
type=Email
create_local_account=no
allow_localdomain=yes
[email rule catchall]
description=
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D
[sponsor]
description=Sponsor-based registration
dynamic_routing_module=AuthModule
email_activation_timeout=30m
type=SponsorEmail
create_local_account=no
allow_localdomain=yes
[sponsor rule catchall]
description=
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D
[null]
description=Null Source
dynamic_routing_module=AuthModule
type=Null
email_required=no
[null rule catchall]
description=catchall
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D
[RSPEmployee]
description=Employee
password=DDDDDD
scope=sub
binddn=CN=wirelessauth,OU=System Function Account,OU=Special Account,DC=DDDDDD,DC=DDDDDDD,DC=com
basedn=dc=DDDDDD,dc=DDDDDDD,dc=com
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=5
stripped_user_name=no
encryption=none
dynamic_routing_module=AuthModule
port=389
type=AD
host=DDDDDDDD
[RSPEmployee rule RSPEmployee]
description=RSPEmployees
class=authentication
match=all
action0=set_role=RSPEmployee
action1=set_access_duration=5D
condition0=memberOf,equals,CN=wirelessauth,OU=System Function Account,OU=Special Account,DC=DDDDDDD,DC=DDDDDDDD,DC=com
[AdminIT]
description=AdminIT
password=DDDDD!
scope=sub
binddn=CN=wirelessauth,OU=System Function Account,OU=Special Account,DC=DDDDDDDDD,DC=DDDDDDD,DC=com
basedn=OU=IT,OU=Special Account,DC=resourcepro0,DC=resourcepro,DC=com
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=5
stripped_user_name=no
encryption=none
dynamic_routing_module=AuthModule
port=389
type=AD
host=1DDDDDD
[AdminIT rule AdminLogin]
description=
class=administration
match=all
action0=mark_as_sponsor=1
condition0=memberOf,equals,CN=wirelessauth,OU=System Function Account,OU=Special Account,DC=DDDDDDDDD,DC=DDDDDDDDD,DC=com
[RSPVisitors]
description=RSPVisitors
dynamic_routing_module=AuthModule
sponsorship_cc=helen_chen@XXXXXXX
email_activation_timeout=30m
type=SponsorEmail
create_local_account=yes
allow_localdomain=yes
[RSPVisitors rule RSPVisitors]
description=Visitors
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D
---
Helen
From: Durand fabrice [mailto:fd...@in...]
Sent: Saturday, March 25, 2017 9:17 AM
To: pac...@li...<mailto:pac...@li...>
Subject: Re: [PacketFence-users] help with you do not have permission to register a device with this username
Hi Helen,
Sorry for the late reply.
Did you define any rules in the RSPEmployee source?
Also, can you post your authentication.conf file (without sensitive info)?
Regards
Fabrice
Le 2017-03-24 à 05:59, Helen Chen a écrit :
Hi Fabrice,
Just an update.
WLC: I enabled MAC filter and I did change the NAC to ISE NAC.
PF: I changed the radius secret to PF default value, of course I did the change on WLC side accordingly as well.
I set the switch rule from production to registration.
Then I get the captive portal up. However, I still get the "You do not have permission to register a device with this username" error. PF.log please see below:
Mar 24 05:50:28 httpd.portal(2435) INFO: [mac:unknown] Instantiate profile RSP (pf::Portal::ProfileFactory::_from_profile)
Mar 24 05:50:28 httpd.portal(2435) INFO: [mac:7c:01:91:25:f9:eb] Instantiate profile RSP (pf::Portal::ProfileFactory::_from_profile)
Mar 24 05:50:28 httpd.portal(2435) INFO: [mac:7c:01:91:25:f9:eb] Instantiate profile RSP (pf::Portal::ProfileFactory::_from_profile)
Mar 24 05:50:29 httpd.portal(2435) INFO: [mac:7c:01:91:25:f9:eb] Authenticating user using sources : RSPEmployee,AdminIT (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
Mar 24 05:50:30 httpd.portal(2435) INFO: [mac:7c:01:91:25:f9:eb] [RSPEmployee] Authentication successful for helen_chen (pf::Authentication::Source::LDAPSource::authenticate)
Mar 24 05:50:30 httpd.portal(2435) INFO: [mac:7c:01:91:25:f9:eb] Authentication successful for 'helen_chen' in source RSPEmployee (AD) (pf::authentication::authenticate)
Mar 24 05:50:30 httpd.portal(2435) INFO: [mac:7c:01:91:25:f9:eb] User helen_chen has authenticated on the portal. (Class::MOP::Class:::after)
Mar 24 05:50:30 httpd.portal(2435) INFO: [mac:7c:01:91:25:f9:eb] Found source RSPEmployee in session. (Class::MOP::Class:::around)
Mar 24 05:50:30 httpd.portal(2435) INFO: [mac:7c:01:91:25:f9:eb] Found source RSPEmployee in session. (Class::MOP::Class:::around)
Mar 24 05:50:30 httpd.portal(2435) INFO: [mac:7c:01:91:25:f9:eb] Successfully authenticated helen_chen (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
Mar 24 05:50:30 httpd.portal(2435) INFO: [mac:7c:01:91:25:f9:eb] Found source RSPEmployee in session. (Class::MOP::Class:::around)
Mar 24 05:50:30 httpd.portal(2435) INFO: [mac:7c:01:91:25:f9:eb] Found source RSPEmployee in session. (Class::MOP::Class:::around)
Mar 24 05:50:31 httpd.portal(2435) INFO: [mac:7c:01:91:25:f9:eb] Found source RSPEmployee in session. (Class::MOP::Class:::around)
Mar 24 05:50:31 httpd.portal(2435) INFO: [mac:7c:01:91:25:f9:eb] User helen_chen has authenticated on the portal. (Class::MOP::Class:::after)
Mar 24 05:50:31 httpd.portal(2435) WARN: [mac:7c:01:91:25:f9:eb] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
Mar 24 05:50:31 httpd.portal(2435) INFO: [mac:7c:01:91:25:f9:eb] Using sources RSPEmployee for matching (pf::authentication::match)
Mar 24 05:50:31 httpd.portal(2435) INFO: [mac:7c:01:91:25:f9:eb] Found source RSPEmployee in session. (Class::MOP::Class:::around)
Mar 24 05:50:31 httpd.portal(2435) INFO: [mac:7c:01:91:25:f9:eb] User helen_chen has authenticated on the portal. (Class::MOP::Class:::after)
Mar 24 05:50:31 httpd.portal(2435) WARN: [mac:7c:01:91:25:f9:eb] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
Mar 24 05:50:31 httpd.portal(2435) INFO: [mac:7c:01:91:25:f9:eb] Using sources RSPEmployee for matching (pf::authentication::match)
Mar 24 05:50:31 httpd.portal(2435) WARN: [mac:7c:01:91:25:f9:eb] Use of uninitialized value in concatenation (.) or string at /usr/local/pf/html/captive-portal/lib/captiveportal/PacketFence/DynamicRouting/Module/Authentication.pm line 139.
(captiveportal::PacketFence::DynamicRouting::Module::Authentication::execute_actions)
Mar 24 05:50:31 httpd.portal(2435) WARN: [mac:7c:01:91:25:f9:eb] Use of uninitialized value in concatenation (.) or string at /usr/local/pf/html/captive-portal/lib/captiveportal/PacketFence/DynamicRouting/Module/Authentication.pm line 139.
(captiveportal::PacketFence::DynamicRouting::Module::Authentication::execute_actions)
Mar 24 05:50:31 httpd.portal(2435) WARN: [mac:7c:01:91:25:f9:eb] Cannot find unregdate () or role() for user. (captiveportal::PacketFence::DynamicRouting::Module::Authentication::execute_actions)
Mar 24 05:50:31 httpd.portal(2435) WARN: [mac:7c:01:91:25:f9:eb] Execute actions of module default_policy+default_registration_policy+default_login_policy did not succeed. (captiveportal::PacketFence::DynamicRouting::Module::done)
Mar 24 05:50:34 httpd.portal(2437) INFO: [mac:unknown] Instantiate profile RSP (pf::Portal::ProfileFactory::_from_profile)
Mar 24 05:50:34 httpd.portal(2437) INFO: [mac:7c:01:91:25:f9:eb] Instantiate profile RSP (pf::Portal::ProfileFactory::_from_profile)
Mar 24 05:50:34 httpd.portal(2437) INFO: [mac:7c:01:91:25:f9:eb] Instantiate profile RSP (pf::Portal::ProfileFactory::_from_profile)
If I don't keep the mode production, then the WLC will show the client status as "WEBAUTH_REQ", and I get the captive.apple.com page popping up automatically but without anything showing, and then it will display some kind of error.
Would you please shed some light on what I need to check next?
Wish you a happy weekend. Thank you so much for the help.
---
Helen
From: Helen Chen [mailto:Hel...@re...]
Sent: Wednesday, March 22, 2017 3:38 PM
To: pac...@li...<mailto:pac...@li...>
Subject: Re: [PacketFence-users] help with you do not have permission to register a device with this username
Hi Fabrice,
I'd like to share more information with you.
I tried to add one local MAC filter on the WLC side and then I'm able to get the IP address and have the captive portal show up. So, that means the controller MAC filter function should be fine. Can you shed some light on whether there's anything I can check on PF MAC authen?
Thank you for your help.
---
Helen
From: Helen Chen
Sent: Wednesday, March 22, 2017 10:25 AM
To: pac...@li...<mailto:pac...@li...>
Subject: RE: [PacketFence-users] help with you do not have permission to register a device with this username
Hi Fabrice,
Sorry, just found out all your questions. Please see my answers below.
Are you using flexconnect in your setup ? if it's the case then you have to define the acl as a flex connect acl. - We didn't use flexconnect on our current test AP.
Also can you take a capture of the advance tab off your ssid ?
From the vlan 51 are you able to reach the portal ip ? - I put the VLAN 51 gateway on our layer 3 switch (172.17.0.1). While my PF management /portal IP is in VLAN 254, which is our production VLAN. I'm able to ping portal IP.
Why don't you have a dhcp server defined in the interface guest ? - I use the ip-helper on the layer 3 switch to point the DHCP to 172.17.254.254(PF registration interface). Do I still need to do this?
Do you have another choice in Nac State like radius NAC ? - SNMP NAC\ISE NAC\None
What happen if you remove the radius config for this ssid and try to connect - Do you mean I disable the AAA Server and try? I can try that and get back to you. But I did try to disable MAC filter, then I'm able to get the IP address and captive portal redirection.
---
Helen Chen
From: Durand fabrice [mailto:fd...@in...]
Sent: Wednesday, March 22, 2017 9:35 AM
To: pac...@li...<mailto:pac...@li...>
Subject: Re: [PacketFence-users] help with you do not have permission to register a device with this username
Hello Helen,
I asked you some questions multiple times about your issue but you never answered, so first answer the questions.
Also you need mac filter.
Fabrice
Le 2017-03-21 à 04:34, Helen Chen a écrit :
Hi,
I disabled MAC filter on the WLC2500 and finally had my endpoint gain an IP address from PF and get redirected to the registration page. Can we do user authentication? I added AD in the source. However, it showed "You do not have permission to register a device with this username" after I input my domain credentials. Please see the pf.log, profile.conf and authentication.conf below.
PF Log:
Mar 21 03:54:53 httpd.portal(3466) INFO: [mac:unknown] Instantiate profile RSP (pf::Portal::ProfileFactory::_from_profile)
Mar 21 03:54:53 httpd.portal(3466) INFO: [mac:7c:01:91:25:f9:eb] Instantiate profile RSP (pf::Portal::ProfileFactory::_from_profile)
Mar 21 03:54:53 httpd.portal(3466) INFO: [mac:7c:01:91:25:f9:eb] Instantiate profile RSP (pf::Portal::ProfileFactory::_from_profile)
Mar 21 03:54:53 httpd.portal(3466) INFO: [mac:7c:01:91:25:f9:eb] Authenticating user using sources : RSPEmployee,AdminIT (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
Mar 21 03:54:53 httpd.portal(3466) INFO: [mac:7c:01:91:25:f9:eb] [RSPEmployee] Authentication successful for helen_chen (pf::Authentication::Source::LDAPSource::authenticate)
Mar 21 03:54:53 httpd.portal(3466) INFO: [mac:7c:01:91:25:f9:eb] Authentication successful for 'helen_chen' in source RSPEmployee (AD) (pf::authentication::authenticate)
Mar 21 03:54:53 httpd.portal(3466) INFO: [mac:7c:01:91:25:f9:eb] User helen_chen has authenticated on the portal. (Class::MOP::Class:::after)
Mar 21 03:54:53 httpd.portal(3466) INFO: [mac:7c:01:91:25:f9:eb] Found source RSPEmployee in session. (Class::MOP::Class:::around)
Mar 21 03:54:53 httpd.portal(3466) INFO: [mac:7c:01:91:25:f9:eb] Found source RSPEmployee in session. (Class::MOP::Class:::around)
Mar 21 03:54:53 httpd.portal(3466) INFO: [mac:7c:01:91:25:f9:eb] Successfully authenticated helen_chen (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
Mar 21 03:54:53 httpd.portal(3466) INFO: [mac:7c:01:91:25:f9:eb] Found source RSPEmployee in session. (Class::MOP::Class:::around)
Mar 21 03:54:53 httpd.portal(3466) INFO: [mac:7c:01:91:25:f9:eb] Found source RSPEmployee in session. (Class::MOP::Class:::around)
Mar 21 03:54:53 httpd.portal(3466) INFO: [mac:7c:01:91:25:f9:eb] Found source RSPEmployee in session. (Class::MOP::Class:::around)
Mar 21 03:54:53 httpd.portal(3466) INFO: [mac:7c:01:91:25:f9:eb] User helen_chen has authenticated on the portal. (Class::MOP::Class:::after)
Mar 21 03:54:53 httpd.portal(3466) WARN: [mac:7c:01:91:25:f9:eb] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
Mar 21 03:54:53 httpd.portal(3466) INFO: [mac:7c:01:91:25:f9:eb] Using sources RSPEmployee for matching (pf::authentication::match)
Mar 21 03:54:53 httpd.portal(3466) INFO: [mac:7c:01:91:25:f9:eb] Found source RSPEmployee in session. (Class::MOP::Class:::around)
Mar 21 03:54:53 httpd.portal(3466) INFO: [mac:7c:01:91:25:f9:eb] User helen_chen has authenticated on the portal. (Class::MOP::Class:::after)
Mar 21 03:54:53 httpd.portal(3466) WARN: [mac:7c:01:91:25:f9:eb] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
Mar 21 03:54:53 httpd.portal(3466) INFO: [mac:7c:01:91:25:f9:eb] Using sources RSPEmployee for matching (pf::authentication::match)
Mar 21 03:54:53 httpd.portal(3466) WARN: [mac:7c:01:91:25:f9:eb] Use of uninitialized value in concatenation (.) or string at /usr/local/pf/html/captive-portal/lib/captiveportal/PacketFence/DynamicRouting/Module/Authentication.pm line 139.
(captiveportal::PacketFence::DynamicRouting::Module::Authentication::execute_actions)
Mar 21 03:54:53 httpd.portal(3466) WARN: [mac:7c:01:91:25:f9:eb] Use of uninitialized value in concatenation (.) or string at /usr/local/pf/html/captive-portal/lib/captiveportal/PacketFence/DynamicRouting/Module/Authentication.pm line 139.
(captiveportal::PacketFence::DynamicRouting::Module::Authentication::execute_actions)
Mar 21 03:54:53 httpd.portal(3466) WARN: [mac:7c:01:91:25:f9:eb] Cannot find unregdate () or role() for user. (captiveportal::PacketFence::DynamicRouting::Module::Authentication::execute_actions)
Mar 21 03:54:53 httpd.portal(3466) WARN: [mac:7c:01:91:25:f9:eb] Execute actions of module default_policy+default_registration_policy+default_login_policy did not succeed. (captiveportal::PacketFence::DynamicRouting::Module::done)
Mar 21 03:54:53 httpd.portal(3444) INFO: [mac:unknown] Instantiate profile RSP (pf::Portal::ProfileFactory::_from_profile)
Mar 21 03:54:53 httpd.portal(3444) INFO: [mac:7c:01:91:25:f9:eb] Instantiate profile RSP (pf::Portal::ProfileFactory::_from_profile)
Mar 21 03:54:53 httpd.portal(3444) INFO: [mac:7c:01:91:25:f9:eb] Instantiate profile RSP (pf::Portal::ProfileFactory::_from_profile)
Authentication role:
[Employee]
description=Employee
password=XXXX
scope=sub
binddn=CN=wirelessauth,OU=System Function Account,OU=Special Account,DC=xxxxx0,DC=xxxxx,DC=com
basedn=dc=xxxx0,dc=xxxx,dc=com
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=5
stripped_user_name=no
encryption=none
dynamic_routing_module=AuthModule
port=389
type=AD
host=x.x.x.x
[Employee rule Employee]
description=RSPEmployees
class=authentication
match=all
action0=set_role=Employee
action1=set_access_duration=5D
condition0=memberOf,equals,CN=wirelessauth,OU=System Function Account,OU=Special Account,DC=xxxxxxxx,DC=xxxxxxxx,DC=com
[AdminIT]
description=AdminIT
password=xxxxx
scope=sub
binddn=CN=wirelessauth,OU=System Function Account,OU= Special Account,DC=xxxxxxxx,DC=xxxxxxxx,DC=com
basedn=OU=IT,OU=Special Account,DC=xxxxx0,DC=xxxxxx,DC=com
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=5
stripped_user_name=no
encryption=none
dynamic_routing_module=AuthModule
port=389
type=AD
host=x.x.x.x
[AdminIT rule AdminLogin]
description=
class=administration
match=all
action0=mark_as_sponsor=1
[Visitors]
description=Visitors
dynamic_routing_module=AuthModule
spo...@xx...<mailto:spo...@xx...>
email_activation_timeout=30m
type=SponsorEmail
create_local_account=yes
allow_localdomain=yes
[Visitors rule Visitors]
description=Visitors
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D
Profile.conf
[RSP]
dot1x_recompute_role_from_portal=0
filter=connection_type:Wireless-802.11-NoEAP,connection_type:Wireless-802.11-EAP
description=RSP_Global
sources=Employee,AdminIT,Visitors
#
# Copyright (C) 2005-2017 Inverse inc.
#
# See the enclosed file COPYING for license information (GPL).
# If you did not receive this file, see
# http://www.fsf.org/licensing/licenses/gpl.html
Would you please help with this?
Thank you,
---
Helen
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
Pac...@li...<mailto:Pac...@li...>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
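Added example, not part of the thread and not PacketFence code: a small Python audit of an authentication.conf laid out like the one posted above, tied to Fabrice's point that a user who matches no rule gets no role. The sample config, its hosts and domains, and the finding names are constructed; treating a memberOf value equal to the source's binddn as a mistake is a heuristic assumption (a bind DN names an account, while memberOf holds group DNs).

```python
import configparser
import re

# Constructed sample in the layout of the authentication.conf from the thread.
SAMPLE_CONF = """
[RSPEmployee]
description=Employee
password=REDACTED
binddn=CN=wirelessauth,OU=System Function Account,OU=Special Account,DC=corp,DC=example,DC=com
basedn=dc=corp,dc=example,dc=com
usernameattribute=sAMAccountName
encryption=none
port=389
type=AD
host=192.0.2.10

[RSPEmployee rule RSPEmployee]
description=RSPEmployees
class=authentication
match=all
action0=set_role=RSPEmployee
action1=set_access_duration=5D
condition0=memberOf,equals,CN=wirelessauth,OU=System Function Account,OU=Special Account,DC=corp,DC=example,DC=com

[RSPVisitors]
description=RSPVisitors
type=SponsorEmail

[RSPVisitors rule RSPVisitors]
description=Visitors
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D
"""

RULE_SECTION = re.compile(r"^(\S+) rule (.+)$")  # "[<source> rule <name>]"


def normalize_dn(dn):
    """Lower-case a DN and trim spaces around each RDN (naive: no escaped commas)."""
    rdns = []
    for rdn in dn.split(","):
        key, _, value = rdn.partition("=")
        rdns.append(f"{key.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def audit(conf_text):
    """Return a sorted list of (section, finding_code) tuples."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    findings = set()
    auth_rules = {}  # source name -> [rule has conditions?, ...]
    for section in cp.sections():
        opts = cp[section]
        m = RULE_SECTION.match(section)
        if not m:
            # Source section: an LDAP/AD bind without TLS puts the bind password
            # and each portal user's password on the wire in clear text.
            if opts.get("type") in ("AD", "LDAP") and opts.get("encryption") == "none":
                findings.add((section, "PLAINTEXT_BIND"))
            continue
        source = m.group(1)
        conditions = [v for k, v in opts.items() if k.startswith("condition")]
        actions = [v for k, v in opts.items() if k.startswith("action")]
        if opts.get("class") == "authentication":
            auth_rules.setdefault(source, []).append(bool(conditions))
            # An unconditional rule hands its role to everyone who authenticates.
            if not conditions and any(a.startswith("set_role=") for a in actions):
                findings.add((section, "CATCH_ALL_ROLE"))
        binddn = cp.get(source, "binddn", fallback=None)
        for cond in conditions:
            parts = cond.split(",", 2)  # attribute, operator, value
            if len(parts) != 3 or not binddn:
                continue
            attr, _op, value = parts
            # Heuristic (assumption): a group test against the bind account's own DN.
            if attr.lower() == "memberof" and normalize_dn(value) == normalize_dn(binddn):
                findings.add((section, "MEMBEROF_IS_BINDDN"))
    # Every authentication rule is conditional: a user who authenticates but
    # matches none gets no role, which is the portal error in this thread.
    for source, has_conditions in auth_rules.items():
        if all(has_conditions):
            findings.add((source, "NO_AUTH_FALLBACK"))
    return sorted(findings)


if __name__ == "__main__":
    for section, code in audit(SAMPLE_CONF):
        print(f"{code:20} [{section}]")
```

Run it on a copy of the real file with audit(open(path).read()), then confirm how an individual rule evaluates with the pftest tool mentioned in the thread.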