From: Durand f. <fd...@in...> - 2021-02-19 01:44:11
Hello Adrian,

your issue is just because you use sAMAccountName as user attribute and it should be servicePrincipalName.

Regards
Fabrice

On 21-02-17 at 03:59, Adrian Dessaigne via PacketFence-users wrote:
> Hello Fabrice,
>
> Here is a log for one host. It does repeat with the same infos for other hosts on later authentication:
>
> Feb 17 08:34:44 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] handling radius autz request: from switch_ip => (@switchIP), connection_type => Ethernet-EAP,switch_mac => (50:06:ab:89:d0:08), mac => [f8:b4:6a:ae:4a:3d], port => 50308, username => "host/PC191102.domain.local" (pf::radius::authorize)
> Feb 17 08:34:44 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] is doing machine auth with account 'host/PC191102.domain.local'. (pf::radius::authorize)
> Feb 17 08:34:45 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] Instantiate profile 802.1X (pf::Connection::ProfileFactory::_from_profile)
> Feb 17 08:34:45 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] Found authentication source(s) : 'SourceAD1' for realm 'domain.local' (pf::config::util::filter_authentication_sources)
> Feb 17 08:34:45 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] Using sources SourceAD1 for matching (pf::authentication::match2)
> Feb 17 08:34:45 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) WARN: [mac:f8:b4:6a:ae:4a:3d] [SourceAD1 CatchAll] Searching for (sAMAccountName=host/PC191102.domain.local), from OU=BRESTAIM-Utilisateurs,DC=sopab,DC=fr, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
> Feb 17 08:34:45 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] LDAP testing connection (pf::LDAP::expire_if)
> Feb 17 08:34:45 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) ERROR: [mac:f8:b4:6a:ae:4a:3d] Error binding: 'Connexion ré-initialisée par le correspondant' (pf::LDAP::log_error_msg)
> Feb 17 08:34:45 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) WARN: [mac:f8:b4:6a:ae:4a:3d] LDAP connection expired (pf::LDAP::expire_if)
> Feb 17 08:34:46 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) ERROR: [mac:f8:b4:6a:ae:4a:3d] Error connecting to domain.local:389 using encryption none (pf::LDAP::compute_connection)
> Feb 17 08:34:46 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) WARN: [mac:f8:b4:6a:ae:4a:3d] [SourceAD1] Unable to connect to domain.local (pf::Authentication::Source::LDAPSource::_connect)
> Feb 17 08:34:46 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) ERROR: [mac:f8:b4:6a:ae:4a:3d] [SourceAD1] Unable to connect to any LDAP server (pf::Authentication::Source::LDAPSource::_connect)
> Feb 17 08:34:46 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] No rules matches or no category defined for the node, set it as unreg. (pf::role::getNodeInfoForAutoReg)
> Feb 17 08:34:46 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) WARN: [mac:f8:b4:6a:ae:4a:3d] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
>
> Feb 17 08:34:46 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] Found authentication source(s) : 'SourceAD1' for realm 'domain.local' (pf::config::util::filter_authentication_sources)
> Feb 17 08:34:46 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
> Feb 17 08:34:46 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] Username was defined "host/PC191102.domain.local" - returning role 'default' (pf::role::getRegisteredRole)
> Feb 17 08:34:46 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] PID: "host/PC191102.domain.local", Status: reg Returned VLAN: (undefined), Role: default (pf::role::fetchRoleForNode)
> Feb 17 08:34:46 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) WARN: [mac:f8:b4:6a:ae:4a:3d] No parameter defaultVlan found in conf/switches.conf for the switch @switchIP (pf::Switch::getVlanByName)
> Feb 17 08:34:46 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] security_event 1300003 force-closed for f8:b4:6a:ae:4a:3d (pf::security_event::security_event_force_close)
> Feb 17 08:34:46 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] Instantiate profile 802.1X (pf::Connection::ProfileFactory::_from_profile)
>
> Looks like I have AD issues ...
> However, when looking in the AD logs, I see the credential validation for the computer "PC191102.domain.local" and all PacketFence related queries are in "Success".
> We do have multiple DCs under the DN, should I use an IP address instead in my configuration?
>
> Regards,
> Adrian.
>
> ------------------------------------------------------------------------
> *From:* "packetfence-users" <pac...@li...>
> *To:* "packetfence-users" <pac...@li...>
> *Cc:* "Durand fabrice" <fd...@in...>
> *Sent:* Wednesday 17 February 2021 03:42:02
> *Subject:* Re: [PacketFence-users] No role computed by any sources
>
> Hello Adrian,
>
> can you share the packetfence.log file when you try to connect?
>
> Regards
>
> Fabrice
>
>
> On 21-02-16 at 11:12, Adrian Dessaigne via PacketFence-users wrote:
>
> Hi everyone,
>
> I'm slowly integrating PacketFence on a new infrastructure. I've configured everything as shown in the documentation and with my personal experience.
> However, I'm facing a small issue and it looks random.
>
> I have an authentication source pointing on the "Computer OU" to do computer auth.
> Some connect without any issues, the device gets auto registered, gets the good role etc etc.
> But some computers won't connect at all, they get rejected with the Reply-Message = "no role computed by any sources"
> I got one case, I just had to shut and no shut the port on the switch :
> Between these two frames, the host was trying to authenticate via MAB.
>
> The weird thing is, it's the same authentication source and all computers are in the same OU.
>
> Domain is joined, REALMs are configured with the only domain available.
> Connection profile filters :
> Any
> Connection type : Ethernet-EAP
> Sources : Devices Source
>
> Authentication sources config :
> Base DN : OU=Computer,DC=domain,DC=fr
> Attribute : servicePrincipalName
> Filter :
> Any
> No conditions
> Action : Role : default
> Access duration : 12h
>
> I've also tried with "Role On Not Found", I have the same issue.
>
> Any thoughts on that?
>
> Thanks for your help,
> Adrian.
>
> _______________________________________________
> PacketFence-users mailing list
> Pac...@li...
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
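
Added example, not part of the thread and not PacketFence code: a small triage pass over packetfence.log that reports, per MAC, a host/ machine identity looked up with an attribute other than servicePrincipalName (the mismatch named in the reply above, with the base DN actually searched), LDAP bind/connect failures, and the resulting missing role. The function name `triage` and the finding strings are hypothetical; the sample lines are copied from the log quoted in the thread with the syslog prefix dropped.

```python
import re

# Lines taken from the packetfence.log excerpt quoted in this thread
# (syslog timestamp/host prefix dropped to keep the sample short).
SAMPLE_LOG = """\
INFO: [mac:f8:b4:6a:ae:4a:3d] is doing machine auth with account 'host/PC191102.domain.local'. (pf::radius::authorize)
WARN: [mac:f8:b4:6a:ae:4a:3d] [SourceAD1 CatchAll] Searching for (sAMAccountName=host/PC191102.domain.local), from OU=BRESTAIM-Utilisateurs,DC=sopab,DC=fr, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
ERROR: [mac:f8:b4:6a:ae:4a:3d] Error connecting to domain.local:389 using encryption none (pf::LDAP::compute_connection)
ERROR: [mac:f8:b4:6a:ae:4a:3d] [SourceAD1] Unable to connect to any LDAP server (pf::Authentication::Source::LDAPSource::_connect)
WARN: [mac:f8:b4:6a:ae:4a:3d] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
"""

MAC = re.compile(r"\[mac:([0-9a-f:]{17})\]", re.I)
# "[<source> <rule>] Searching for (<attr>=<value>), from <base DN>, with scope ..."
SEARCH = re.compile(
    r"\[([^\]\s]+)[^\]]*\] Searching for \((\w+)=([^)]+)\), from (.+?), with scope")
LDAP_FAIL = re.compile(
    r"Error binding|Error connecting to|Unable to connect to any LDAP server")
NO_ROLE = re.compile(r"No category computed|No rules matches or no category defined")


def triage(log_text):
    """Return {mac: sorted findings} for packetfence.log text (hypothetical helper)."""
    found = {}
    for line in log_text.splitlines():
        mac = MAC.search(line)
        if not mac:
            continue
        notes = found.setdefault(mac.group(1).lower(), set())
        hit = SEARCH.search(line)
        if hit:
            source, attr, value, base = hit.groups()
            # Per the reply in this thread, a host/... machine identity has to be
            # looked up by servicePrincipalName, not by sAMAccountName.
            if value.lower().startswith("host/") and attr.lower() != "serviceprincipalname":
                notes.add(f"{source}: host/ identity searched by {attr} under {base}")
        if LDAP_FAIL.search(line):
            notes.add("LDAP bind/connect failure")
        if NO_ROLE.search(line):
            notes.add("no role computed")
    return {mac: sorted(n) for mac, n in found.items() if n}


if __name__ == "__main__":
    for mac, notes in triage(SAMPLE_LOG).items():
        print(mac, *notes, sep="\n  ")
```

The base DN is included in the finding so it can be compared with the source the connection profile was meant to use.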