From: Fabrice D. <fd...@in...> - 2017-10-18 15:25:54

Hello Luca,

Ok so it's probably because it doesn't match with a rule. In your AD source create a rule catch_all without any filter and assign a role and an access duration.

Also don't forget to assign the vlan id in the corresponding role in the switch config (on the pf side: Vlan by role).

Last thing, check the file packetfence.log, it explains what happens.

Regards
Fabrice

On 2017-10-18 at 11:13, Luca Messori wrote:
> Hi Fabrice,
>
> this is a screenshot of a captured access accept:
>
> [image: captured Access-Accept packet]
>
> Kind regards
>
> Luca Messori
> Mead Informatica Srl
> Head office - Via G. Ferraris, 2 - 42122 Reggio Emilia
> Tel. +39 0522 265800  Admin tel. 0522265940 - Fax +39 0522 393306
> Tel. +39 049 8702540  Fax +39 049 8706249
> http://www.meadinformatica.it
>
> This message may contain information which is confidential or privileged. If you are not the intended recipient, please immediately notify us and destroy this message and any attachments without retaining a copy. Any unauthorized use of this message can expose the responsible party to civil and/or criminal penalties.
>
> From: Fabrice Durand [mailto:fd...@in...]
> Sent: Wednesday, 18 October 2017 17:08
> To: Luca Messori <l.m...@me...>; pac...@li...
> Subject: Re: R: R: R: [PacketFence-users] AD authentication issue
>
> What are the attributes returned by PacketFence?
>
> On 2017-10-18 at 10:02, Luca Messori wrote:
> Hi Fabrice,
>
> I'm sorry but now I cannot see vlan VSA attributes in access accept packets from the Radius server.
>
> Kind regards
> Luca Messori
>
> From: Fabrice Durand [mailto:fd...@in...]
> Sent: Wednesday, 18 October 2017 15:06
> To: Luca Messori <l.m...@me...>; pac...@li...
> Subject: Re: R: R: [PacketFence-users] AD authentication issue
>
> Hello Luca,
>
> my assumption is that you want to autoregister the device if the 802.1x authentication was successful.
>
> What you can do is to create a Connection Profile (WireSecure), add a filter (Connection Type: Ethernet-EAP), enable "Automatically register devices" and in Sources add your AD source.
>
> Regards
> Fabrice
>
> On 2017-10-18 at 04:07, Luca Messori wrote:
> Hi Fabrice,
>
> You are right.
>
> This morning I did some new tests using good credentials and wrong credentials (same username but wrong password) and I have the correct reply from the Radius server.
>
> So, I don't have an authentication problem but an authorization problem to investigate.
>
> The Radius server is sending to the switch a vlanid set to 442, but for me this is the registration vlan.
>
> I would like it to send vlanid=20 (my working vlan for enterprise users).
>
> Can you help me?
>
> What can I send you to resolve this issue?
>
> Have a nice day
> Luca Messori
>
> From: Fabrice Durand [mailto:fd...@in...]
> Sent: Tuesday, 17 October 2017 18:48
> To: Luca Messori <l.m...@me...>; pac...@li...
> Subject: Re: R: [PacketFence-users] AD authentication issue
>
> it worked !!
>
> On 2017-10-17 at 12:44, Luca Messori wrote:
> I have attached the log file using this command:
>
>     /usr/sbin/radiusd -d /usr/local/pf/raddb -n auth -fm -X
>
> Is this good for you?
>
> Kind regards
> Luca Messori
>
> From: Fabrice Durand via PacketFence-users [mailto:pac...@li...]
> Sent: Tuesday, 17 October 2017 18:20
> To: pac...@li...
> Cc: Fabrice Durand <fd...@in...>
> Subject: Re: [PacketFence-users] AD authentication issue
>
> Hello Luca,
>
> pftest will use ldap bind to authenticate but freeradius will use ntlm_auth.
>
> Can you do this on your server:
>
>     raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3000
>
> And try to authenticate, you will be able to see why it failed to authenticate. (you can paste the result).
>
> Regards
> Fabrice
>
> On 2017-10-17 at 11:41, Luca Messori via PacketFence-users wrote:
> Hi all,
>
> I'm trying to configure authentication against Active Directory on my company network.
>
> I have already joined the PF virtual machine to my domain.
>
> I think that I have correctly configured authentication because the pftest command returns a successful authentication:
>
>     /usr/local/pf/bin/pftest authentication l.messori <my password>
>     Testing authentication for "l.messori"
>
>     Authenticating against Mead-AD
>     Authentication SUCCEEDED against Mead-AD (Authentication successful.)
>     Matched against Mead-AD for 'authentication' rules
>     set_role : default
>     set_access_duration : 12h
>     Did not match against Mead-AD for 'administration' rules
>
> Despite that, sniffing traffic from PF, I cannot see traffic to port 389.
>
> In the following output:
>
> 10.33.33.251 is my test switch
> 10.33.33.50 is the PF virtual machine
>
>     [root@PacketFence-ZEN conf]# tcpdump -i eth0 -nn "host 10.33.33.251 or port 389"
>     tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>     listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
>     15:26:19.782510 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x82 length: 138
>     15:26:19.864640 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Accept (2), id: 0x82 length: 37
>     15:26:20.130792 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x83 length: 183
>     15:26:20.134381 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x83 length: 64
>     15:26:20.160915 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x84 length: 297
>     15:26:20.172822 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x84 length: 1090
>     15:26:20.186698 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x85 length: 177
>     15:26:20.191446 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x85 length: 1086
>     15:26:20.214413 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x86 length: 177
>     15:26:20.217368 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x86 length: 711
>     15:26:20.244856 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x87 length: 315
>     15:26:20.247276 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x87 length: 123
>     15:26:20.260349 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x88 length: 177
>     15:26:20.269760 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x88 length: 101
>     15:26:20.293628 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x89 length: 230
>     15:26:20.348960 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x89 length: 133
>     15:26:20.373341 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x8a length: 294
>     15:26:21.409974 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x8a length: 149
>     15:26:21.421321 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x8b length: 214
>     15:26:21.571988 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Challenge (11), id: 0x8b length: 101
>     15:26:21.586364 IP 10.33.33.251.32769 > 10.33.33.50.1812: RADIUS, Access Request (1), id: 0x8c length: 214
>     15:26:21.593453 IP 10.33.33.50.1812 > 10.33.33.251.32769: RADIUS, Access Accept (2), id: 0x8c length: 177
>
> And my switch log shows authentication failure:
>
>     10/17/2017 17:12:16.90 <Info:nl.ClientAuthFailure> Authentication failed for Network Login 802.1x user MEADINFORMATICA\l.messori Mac 50:3F:56:01:1C:09 port 3
>     10/17/2017 17:12:15.12 <Info:nl.ClientAuthFailure> Authentication failed for Network Login MAC user 503F56011C09 Mac 50:3F:56:01:1C:09 port 3
>     10/17/2017 17:12:14.86 <Info:vlan.msgs.portLinkStateUp> Port 3 link UP at speed 100 Mbps and full-duplex
>
> Can you help me?
>
> I think that PF never asks AD for user authentication.
>
> Kind regards
> Luca Messori
>
> _______________________________________________
> PacketFence-users mailing list
> Pac...@li...
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Fabrice Durand
fd...@in... :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
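Both Luca's question (whether the Access-Accept carries any VLAN attributes at all) and Fabrice's "Vlan by role" advice come down to which RFC 2868 tunnel attributes the RADIUS reply contains. The following decoder is an added example, not code from this thread or from PacketFence: it parses a RADIUS datagram, strips the tunnel tag byte and returns the VLAN id the reply assigns (or None when there is none), using constructed sample Accepts with a zeroed authenticator rather than real captures.

```python
import struct

# RADIUS code and attribute types (RFC 2865 / RFC 2868) used for dynamic VLAN assignment
ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6

def parse_radius(packet):
    """Return (code, identifier, [(attr_type, raw_value), ...]) for one RADIUS datagram."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS length field does not fit the datagram")
    attrs, pos = [], 20                      # skip the 16-byte authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:  # reject truncated or zero-length attributes
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs

def untag(value):
    """Strip the optional RFC 2868 tag byte (0x00-0x1F) from a tunnel attribute value."""
    return value[1:] if value and value[0] <= 0x1F else value

def assigned_vlan(packet):
    """VLAN id carried by an Access-Accept, or None when the reply assigns no VLAN."""
    code, _, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        return None
    tunnel = {t: untag(v) for t, v in attrs
              if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)}
    if len(tunnel) != 3:
        return None                          # reply carries no (complete) VLAN assignment
    if (int.from_bytes(tunnel[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN
            or int.from_bytes(tunnel[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802):
        return None                          # tunnel attributes present, but not VLAN over 802
    return int(tunnel[TUNNEL_PRIVATE_GROUP_ID].decode("ascii"))

def build_accept(ident, vlan=None):
    """Constructed sample Access-Accept with a zero authenticator (not a real server reply)."""
    attrs = []
    if vlan is not None:
        attrs = [(TUNNEL_TYPE, b"\x01" + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
                 (TUNNEL_MEDIUM_TYPE, b"\x01" + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")),
                 (TUNNEL_PRIVATE_GROUP_ID, b"\x01" + str(vlan).encode("ascii"))]
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body)) + bytes(16) + body
```

Feeding `assigned_vlan` the payload of a captured Access-Accept shows at a glance whether the switch was told the registration VLAN (442 in the thread) or the intended user VLAN (20), or nothing at all.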