From: E.P. <yp...@gm...> - 2018-03-07 03:53:49
There's another challenge in the endless string of them. My PEAP connection from a Windows-based supplicant lands on the connection profile and the wheels start rotating, i.e. the profile uses the authentication source. The connection and authentication complete, but there's no role assignment, and I see that my conditions are not matched.

Here's an extract from packetfence.log

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Mar 5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) INFO: [mac:70:1a:04:2c:52:ff] handling radius autz request: from switch_ip => (172.19.254.2), connection_type => Wireless-802.11-EAP,switch_mac => ( 24:a4:3c:5e:c1:00), mac => [70:1a:04:2c:52:ff], port => 0, username => "OPTIONS\test", ssid => SecStaff (pf::radius::authorize)
Mar 5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) ERROR: [mac:70:1a:04:2c:52:ff] Can't bind : IO::Socket::INET: connect: Connection refused (pf::ip4log::_get_lease_from_omapi)
Mar 5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) INFO: [mac:70:1a:04:2c:52:ff] Instantiate profile Staff-connection-profile (pf::Connection::ProfileFactory::_from_profile)
Mar 5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) INFO: [mac:70:1a:04:2c:52:ff] Found authentication source(s) : 'OPTIONS-AD-SOURCE' for realm 'default' (pf::config::util::filter_authentication_sources)
Mar 5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) WARN: [mac:70:1a:04:2c:52:ff] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match2)
Mar 5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) INFO: [mac:70:1a:04:2c:52:ff] Using sources OPTIONS-AD-SOURCE for matching (pf::authentication::match2)
Mar 5 07:43:32 PacketFence-ZEN pfqueue: pfqueue(16161) INFO: [mac:unknown] undefined source id provided (pf::lookup::person::lookup_person)
Mar 5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) WARN: [mac:70:1a:04:2c:52:ff] Can't find provisioner for 70:1a:04:2c:52:ff since we don't have it's OS (pf::Connection::Profile::findProvisioner)
Mar 5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) WARN: [mac:70:1a:04:2c:52:ff] Use of uninitialized value in string eq at /usr/local/pf/lib/pf/role.pm line 728. (pf::role::_check_bypass)
Mar 5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) INFO: [mac:70:1a:04:2c:52:ff] Connection type is WIRELESS_MAC_AUTH. Getting role from node_info (pf::role::getRegisteredRole)
Mar 5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) WARN: [mac:70:1a:04:2c:52:ff] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 476. (pf::role::getRegisteredRole)
Mar 5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) INFO: [mac:70:1a:04:2c:52:ff] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
Mar 5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) INFO: [mac:70:1a:04:2c:52:ff] PID: "OPTIONS\test", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Mar 5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) INFO: [mac:70:1a:04:2c:52:ff] violation 1300003 force-closed for 70:1a:04:2c:52:ff (pf::violation::violation_force_close)
Mar 5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) ERROR: [mac:70:1a:04:2c:52:ff] Can't bind : IO::Socket::INET: connect: Connection refused (pf::ip4log::_get_lease_from_omapi)
Mar 5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) INFO: [mac:70:1a:04:2c:52:ff] Instantiate profile Staff-connection-profile (pf::Connection::ProfileFactory::_from_profile)
Mar 5 07:43:33 PacketFence-ZEN pfqueue: pfqueue(16150) ERROR: [mac:34:17:eb:de:f0:b4] Can't bind : IO::Socket::INET: connect: Connection refused
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Why do I see all those errors?

Why do I see that the connection is refused, e.g. "Can't bind : IO::Socket::INET: connect: Connection refused"?

Why is there no matching, e.g. "Calling match with empty/invalid rule class"?

Here's an extract from the authentication.conf file

[OPTIONS-AD-SOURCE]
cache_match=0
read_timeout=10
realms=default
password=IloveU#007
scope=base
binddn=CN=ADintegrator,CN=Users,DC=options,DC=bc,DC=ca
port=389
description=Options-AD-Source
write_timeout=5
type=AD
basedn=CN=Users,DC=options,DC=bc,DC=ca
set_access_level_action=
usernameattribute=sAMAccountName
connection_timeout=5
stripped_user_name=no
encryption=none
host=adserver.options.bc.ca
email_attribute=mail

[OPTIONS-AD-SOURCE rule Staff-WiFi]
action0=set_role=Staff
condition0=memberOf,equals,CN=Staff-WiFi,CN=Users,DC=options,DC=bc,DC=ca
match=any
class=authentication
action1=set_unreg_date=2019-12-31
description=Evaluates Staff-WiFi AD group membership

Eugene
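An added example for triaging an extract like the one above; it is not from the post and not PacketFence code. It parses packetfence.log lines (the line layout is inferred from the quoted lines; the flag names and the sample, a verbatim subset of the post's lines, are this example's own) into a per-MAC summary of what one authorization pass saw and decided: the connection type and username in the autz request, the profile and sources chosen, the connection type pf::role reports when it computes the role, the returned role and VLAN, and the errors and warnings emitted on the way. It flags the three things the post asks about (the refused connection, the empty rule class, a result with neither role nor VLAN) and also the combination visible in the extract: an autz request tagged Wireless-802.11-EAP followed by a role lookup that reports WIRELESS_MAC_AUTH.

```python
"""Triage one RADIUS authorization pass from packetfence.log lines (example code).

Line layout, inferred from the lines quoted in the post:
  <ts> <host> <proc>: <src>(<pid>) <LEVEL>: [mac:<mac>] <msg> (<pf::fn>)
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w.]+): (?P<src>[\w.]+)\((?P<pid>\d+)\) (?P<level>[A-Z]+): "
    r"\[mac:(?P<mac>[^\]]+)\] (?P<msg>.*?)(?: \((?P<fn>pf::[\w:]+)\))?$"
)
# Extractors for the messages the summary keys on (patterns taken from the quoted lines).
AUTZ_RE = re.compile(r'connection_type => (?P<ct>[^,]+),.*username => "(?P<user>[^"]*)".*ssid => (?P<ssid>\S+)')
PROFILE_RE = re.compile(r"Instantiate profile (?P<profile>\S+)")
SOURCES_RE = re.compile(r"Found authentication source\(s\) : '(?P<sources>[^']+)' for realm '(?P<realm>[^']+)'")
ROLE_CT_RE = re.compile(r"Connection type is (?P<ct>\S+)\.")
RESULT_RE = re.compile(r'PID: "(?P<pid>[^"]*)", Status: (?P<status>\w+) Returned VLAN: (?P<vlan>\S+), Role: (?P<role>\S+)')


def parse_line(line):
    """Split one log line into its fields; None if it is not a packetfence.log line."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def _undef(value):
    """Map PacketFence's '(undefined)' / '' rendering of a missing value to None."""
    value = value.strip("(),")
    return None if value in ("", "undefined") else value


def _new_summary():
    return {"username": None, "ssid": None, "autz_connection_type": None,
            "profile": None, "sources": [], "realm": None,
            "role_connection_type": None, "status": None, "vlan": None, "role": None,
            "errors": [], "warnings": [], "flags": set()}


def summarize(lines):
    """Per-MAC summary of what the authorization pass saw and decided."""
    per_mac = defaultdict(_new_summary)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s, msg, fn = per_mac[rec["mac"]], rec["msg"], rec["fn"]
        if rec["level"] == "ERROR":
            s["errors"].append((fn, msg))          # keep the pf:: function for tracing
        elif rec["level"] == "WARN":
            s["warnings"].append((fn, msg))
        if "Connection refused" in msg:
            s["flags"].add("connection_refused")
        if "empty/invalid rule class" in msg:
            s["flags"].add("empty_rule_class")
        if (m := AUTZ_RE.search(msg)):
            s["autz_connection_type"], s["username"], s["ssid"] = m["ct"], m["user"], m["ssid"]
        elif (m := PROFILE_RE.search(msg)):
            s["profile"] = m["profile"]
        elif (m := SOURCES_RE.search(msg)):
            s["sources"] = [x.strip(" '") for x in m["sources"].split(",")]
            s["realm"] = m["realm"]
        elif (m := ROLE_CT_RE.search(msg)):
            s["role_connection_type"] = m["ct"]
        elif (m := RESULT_RE.search(msg)):
            s["status"], s["vlan"], s["role"] = m["status"], _undef(m["vlan"]), _undef(m["role"])
    for s in per_mac.values():
        # A result line was logged but neither a role nor a VLAN came back.
        if s["status"] is not None and s["role"] is None and s["vlan"] is None:
            s["flags"].add("no_role_assigned")
        # The request arrived as EAP but the role was computed for a MAC-auth connection.
        if (s["autz_connection_type"] or "").endswith("EAP") and \
                (s["role_connection_type"] or "").endswith("MAC_AUTH"):
            s["flags"].add("eap_autz_but_mac_auth_role")
    return dict(per_mac)


# Constructed sample: a verbatim subset of the lines quoted in the post.
_H = "Mar 5 07:43:32 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(1653) "
_M = "[mac:70:1a:04:2c:52:ff] "
SAMPLE_LOG = [
    _H + "INFO: " + _M + r'handling radius autz request: from switch_ip => (172.19.254.2), connection_type => Wireless-802.11-EAP,switch_mac => ( 24:a4:3c:5e:c1:00), mac => [70:1a:04:2c:52:ff], port => 0, username => "OPTIONS\test", ssid => SecStaff (pf::radius::authorize)',
    _H + "ERROR: " + _M + "Can't bind : IO::Socket::INET: connect: Connection refused (pf::ip4log::_get_lease_from_omapi)",
    _H + "INFO: " + _M + "Instantiate profile Staff-connection-profile (pf::Connection::ProfileFactory::_from_profile)",
    _H + "INFO: " + _M + "Found authentication source(s) : 'OPTIONS-AD-SOURCE' for realm 'default' (pf::config::util::filter_authentication_sources)",
    _H + "WARN: " + _M + "Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match2)",
    "Mar 5 07:43:32 PacketFence-ZEN pfqueue: pfqueue(16161) INFO: [mac:unknown] undefined source id provided (pf::lookup::person::lookup_person)",
    _H + "WARN: " + _M + "Can't find provisioner for 70:1a:04:2c:52:ff since we don't have it's OS (pf::Connection::Profile::findProvisioner)",
    _H + "WARN: " + _M + "Use of uninitialized value in string eq at /usr/local/pf/lib/pf/role.pm line 728. (pf::role::_check_bypass)",
    _H + "INFO: " + _M + "Connection type is WIRELESS_MAC_AUTH. Getting role from node_info (pf::role::getRegisteredRole)",
    _H + "WARN: " + _M + "Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 476. (pf::role::getRegisteredRole)",
    _H + "INFO: " + _M + r'PID: "OPTIONS\test", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)',
    "Mar 5 07:43:33 PacketFence-ZEN pfqueue: pfqueue(16150) ERROR: [mac:34:17:eb:de:f0:b4] Can't bind : IO::Socket::INET: connect: Connection refused",
]

if __name__ == "__main__":
    for mac, s in summarize(SAMPLE_LOG).items():
        print(mac, sorted(s["flags"]), "role=", s["role"], "vlan=", s["vlan"])
```

To run it on a real file, replace SAMPLE_LOG with the lines of packetfence.log. The flags are the quick read; the errors and warnings lists keep the originating pf:: function so each message can be traced back to its module.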