From: Adrian D. <adr...@no...> - 2021-02-23 08:20:53
Hello Fabrice,

How could I miss that... It works better now. Thank you!

From: "packetfence-users" <pac...@li...>
To: "packetfence-users" <pac...@li...>
Cc: "Durand fabrice" <fd...@in...>
Sent: Friday 19 February 2021 02:43:55
Subject: Re: [PacketFence-users] No role computed by any sources

Hello Adrian,

your issue is just because you use sAMAccountName as user attribute and it should be servicePrincipalName.

Regards
Fabrice

On 21-02-17 at 03:59, Adrian Dessaigne via PacketFence-users wrote:

Hello Fabrice,

Here is a log for one host. It repeats with the same info for other hosts on later authentications:

Feb 17 08:34:44 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] handling radius autz request: from switch_ip => (@switchIP), connection_type => Ethernet-EAP,switch_mac => (50:06:ab:89:d0:08), mac => [f8:b4:6a:ae:4a:3d], port => 50308, username => "host/PC191102.domain.local" (pf::radius::authorize)
Feb 17 08:34:44 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] is doing machine auth with account 'host/PC191102.domain.local'. (pf::radius::authorize)
Feb 17 08:34:45 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] Instantiate profile 802.1X (pf::Connection::ProfileFactory::_from_profile)
Feb 17 08:34:45 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] Found authentication source(s) : 'SourceAD1' for realm 'domain.local' (pf::config::util::filter_authentication_sources)
Feb 17 08:34:45 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] Using sources SourceAD1 for matching (pf::authentication::match2)
Feb 17 08:34:45 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) WARN: [mac:f8:b4:6a:ae:4a:3d] [SourceAD1 CatchAll] Searching for (sAMAccountName=host/PC191102.domain.local), from OU=BRESTAIM-Utilisateurs,DC=sopab,DC=fr, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Feb 17 08:34:45 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] LDAP testing connection (pf::LDAP::expire_if)
Feb 17 08:34:45 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) ERROR: [mac:f8:b4:6a:ae:4a:3d] Error binding: 'Connexion ré-initialisée par le correspondant' (pf::LDAP::log_error_msg)
Feb 17 08:34:45 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) WARN: [mac:f8:b4:6a:ae:4a:3d] LDAP connection expired (pf::LDAP::expire_if)
Feb 17 08:34:46 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) ERROR: [mac:f8:b4:6a:ae:4a:3d] Error connecting to domain.local:389 using encryption none (pf::LDAP::compute_connection)
Feb 17 08:34:46 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) WARN: [mac:f8:b4:6a:ae:4a:3d] [SourceAD1] Unable to connect to domain.local (pf::Authentication::Source::LDAPSource::_connect)
Feb 17 08:34:46 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) ERROR: [mac:f8:b4:6a:ae:4a:3d] [SourceAD1] Unable to connect to any LDAP server (pf::Authentication::Source::LDAPSource::_connect)
Feb 17 08:34:46 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] No rules matches or no category defined for the node, set it as unreg. (pf::role::getNodeInfoForAutoReg)
Feb 17 08:34:46 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) WARN: [mac:f8:b4:6a:ae:4a:3d] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
Feb 17 08:34:46 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] Found authentication source(s) : 'SourceAD1' for realm 'domain.local' (pf::config::util::filter_authentication_sources)
Feb 17 08:34:46 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
Feb 17 08:34:46 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] Username was defined "host/PC191102.domain.local" - returning role 'default' (pf::role::getRegisteredRole)
Feb 17 08:34:46 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] PID: "host/PC191102.domain.local", Status: reg Returned VLAN: (undefined), Role: default (pf::role::fetchRoleForNode)
Feb 17 08:34:46 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) WARN: [mac:f8:b4:6a:ae:4a:3d] No parameter defaultVlan found in conf/switches.conf for the switch @switchIP (pf::Switch::getVlanByName)
Feb 17 08:34:46 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] security_event 1300003 force-closed for f8:b4:6a:ae:4a:3d (pf::security_event::security_event_force_close)
Feb 17 08:34:46 SVPACKETFENCE packetfence_httpd.aaa: httpd.aaa(2122) INFO: [mac:f8:b4:6a:ae:4a:3d] Instantiate profile 802.1X (pf::Connection::ProfileFactory::_from_profile)

Looks like I have AD issues... However, when looking in the AD logs, I see the credential validation for the computer "PC191102.domain.local" and all PacketFence related queries are in "Success".

We do have multiple DCs under the DN, should I use an IP address instead in my configuration?

Regards,
Adrian.

From: "packetfence-users" <pac...@li...>
To: "packetfence-users" <pac...@li...>
Cc: "Durand fabrice" <fd...@in...>
Sent: Wednesday 17 February 2021 03:42:02
Subject: Re: [PacketFence-users] No role computed by any sources

Hello Adrian,

can you share the packetfence.log file when you try to connect?

Regards
Fabrice

On 21-02-16 at 11:12, Adrian Dessaigne via PacketFence-users wrote:

Hi everyone,

I'm slowly integrating PacketFence on a new infrastructure. I've configured everything as shown in the documentation and with my personal experience. However, I'm facing a small issue and it looks random.

I have an authentication source pointing to the "Computer OU" to do computer auth. Some connect without any issues: the device gets auto-registered, gets the right role, etc. But some computers won't connect at all; they get rejected with the Reply-Message = "no role computed by any sources".

I got one case where I just had to shut and no shut the port on the switch:

Between these two frames, the host was trying to authenticate via MAB.

The weird thing is, it's the same authentication source and all computers are in the same OU. Domain is joined, REALMs are configured with the only domain available.

Connection profile filters: Any
Connection type: Ethernet-EAP
Sources: Devices Source

Authentication sources config:
Base DN: OU=Computer,DC=domain,DC=fr
Attribute: servicePrincipalName
Filter: Any
No conditions
Action:
Role: default
Access duration: 12h

I've also tried with "Role On Not Found", I have the same issue.

Any thoughts on that?

Thanks for your help,
Adrian.

_______________________________________________
PacketFence-users mailing list
Pac...@li...
https://lists.sourceforge.net/lists/listinfo/packetfence-users
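
A log triage sketch for the failure pattern in this thread, added here as an example (it is not part of the original messages and is not PacketFence code): it groups packetfence.log lines by MAC and flags a `host/` machine account searched by an attribute other than servicePrincipalName, LDAP connection failures, and the resulting missing role. The function name `triage` and the regular expressions are assumptions derived from the log lines quoted above.

```python
import re
from collections import defaultdict

# Log lines excerpted from the thread above (timestamp/host prefix dropped).
SAMPLE_LOG = """\
INFO: [mac:f8:b4:6a:ae:4a:3d] is doing machine auth with account 'host/PC191102.domain.local'. (pf::radius::authorize)
WARN: [mac:f8:b4:6a:ae:4a:3d] [SourceAD1 CatchAll] Searching for (sAMAccountName=host/PC191102.domain.local), from OU=BRESTAIM-Utilisateurs,DC=sopab,DC=fr, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
ERROR: [mac:f8:b4:6a:ae:4a:3d] Error connecting to domain.local:389 using encryption none (pf::LDAP::compute_connection)
WARN: [mac:f8:b4:6a:ae:4a:3d] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
"""

MAC = re.compile(r"\[mac:([0-9a-f:]{17})\]")
# "[<source> <rule>] Searching for (<attribute>=<value>)"
SEARCH = re.compile(r"\[([^\]\s]+) ([^\]]*)\] Searching for \((\w+)=([^)]*)\)")
CONNECT = re.compile(r"Error connecting to (\S+) using encryption (\S+)")


def triage(log_text):
    """Return {mac: [finding, ...]} for the failure patterns seen in the thread."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = MAC.search(line)
        if not m:
            continue
        mac = m.group(1)
        s = SEARCH.search(line)
        if s:
            source, _rule, attr, value = s.groups()
            # Machine auth presents host/<fqdn>; per the reply in the thread the
            # source must search servicePrincipalName for that value to match.
            if value.startswith("host/") and attr.lower() != "serviceprincipalname":
                findings[mac].append(f"{source}: machine account searched by {attr}")
        c = CONNECT.search(line)
        if c:
            findings[mac].append(
                f"LDAP connect failed: {c.group(1)} (encryption {c.group(2)})")
        if "No category computed" in line:
            findings[mac].append("no role computed")
    return dict(findings)


if __name__ == "__main__":
    for mac, items in triage(SAMPLE_LOG).items():
        print(mac, items)
```
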