Hi Ludovic,

Yes, with the pf test utility I can test the right user name syntax and I have recreated the catch all rule. The radius request is accepted now!

Thanks!

Best regards,
Albert Yung

On Tue, 14 Dec 2021 at 10:17 PM, Zammit, Ludovic <[email protected]> wrote:

> Hello Albert,
>
> As the logs say:
>
> Dec 13 20:02:21 packetfence packetfence_httpd.aaa[25866]: httpd.aaa(16362) INFO: [mac:00:1c:42:59:98:e3] No rules matches or no category defined for the node, set it as unreg.
>
> It looks like your username does not match anything.
>
> I might know why. Where is your AD account located? Because you search only one level down from “etad” OU.
>
> You can test the rules with that command:
>
> /usr/local/pf/bin/pftest authentication USERNAME ""
>
> You could give me the full log as well:
>
> grep 00:1c:42:59:98:e3 /usr/local/pf/logs/packetfence.log
>
> Thanks,
>
> Ludovic Zammit
> Product Support Engineer Principal
> Akamai Technologies - Inverse
>
> On Dec 13, 2021, at 5:23 PM, Albert Yung via PacketFence-users <[email protected]> wrote:
>
> Hi All,
>
> I am using PF 11.0.0 and got an error while trying to authenticate against the AD server, the message was in the packetfence.log file:
>
> Dec 13 20:02:20 packetfence packetfence_httpd.aaa[25866]: httpd.aaa(16362) WARN: [mac:00:1c:42:59:98:e3] [etad-auth catchall] Searching for (sAMAccountName=etad\albert), from CN=Users,DC=etad,DC=tw,DC=lab, with scope base (pf::Authentication::Source::LDAPSource::match_in_subclass)
> Dec 13 20:02:21 packetfence packetfence_httpd.aaa[25866]: httpd.aaa(16362) INFO: [mac:00:1c:42:59:98:e3] No rules matches or no category defined for the node, set it as unreg. (pf::role::getNodeInfoForAutoReg)
> Dec 13 20:02:21 packetfence packetfence_httpd.aaa[25866]: httpd.aaa(16362) WARN: [mac:00:1c:42:59:98:e3] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
> Dec 13 20:02:21 packetfence packetfence_httpd.aaa[25866]: httpd.aaa(16362) WARN: [mac:00:1c:42:59:98:e3] No role specified or found for pid etad\albert (MAC 00:1c:42:59:98:e3); assume maximum number of registered nodes is reached (pf::node::is_max_reg_nodes_reached)
> Dec 13 20:02:21 packetfence packetfence_httpd.aaa[25866]: httpd.aaa(16362) ERROR: [mac:00:1c:42:59:98:e3] no role computed by any sources - registration of 00:1c:42:59:98:e3 to etad\albert failed (pf::registration::setup_node_for_registration)
> Dec 13 20:02:21 packetfence packetfence_httpd.aaa[25866]: httpd.aaa(16362) ERROR: [mac:00:1c:42:59:98:e3] auto-registration of node failed no role computed by any sources (pf::radius::authorize)
> Dec 13 20:02:21 packetfence packetfence_httpd.aaa[25866]: httpd.aaa(16362) ERROR: [mac:00:1c:42:59:98:e3] Database query failed with non retryable error: Cannot add or update a child row: a foreign key constraint fails (`pf`.`node`, CONSTRAINT `0_57` FOREIGN KEY (`tenant_id`, `pid`) REFERENCES `person` (`tenant_id`, `pid`) ON DELETE CASCADE ON UPDATE CASCADE) (errno: 1452) [INSERT INTO `node` ( `autoreg`, `bandwidth_balance`, `bypass_role_id`, `bypass_vlan`, `category_id`, `computername`, `detect_date`, `device_class`, `device_manufacturer`, `device_score`, `device_type`, `device_version`, `dhcp6_enterprise`, `dhcp6_fingerprint`, `dhcp_fingerprint`, `dhcp_vendor`, `last_arp`, `last_dhcp`, `last_seen`, `lastskip`, `mac`, `machine_account`, `notes`, `pid`, `regdate`, `sessionid`, `status`, `tenant_id`, `time_balance`, `unregdate`, `user_agent`, `voip`) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? ) ON DUPLICATE KEY UPDATE `autoreg` = ?, `last_seen` = ?, `pid` = ?, `tenant_id` = ?]{yes, NULL, NULL, , NULL, WinDev2110Eval, 2021-12-08 17:06:46, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 1,3,6,15,31,33,43,44,46,47,119,121,249,252, MSFT 5.0, 0000-00-00 00:00:00, 2021-12-11 15:06:10, 2021-12-13 20:02:20, 0000-00-00 00:00:00, 00:1c:42:59:98:e3, NULL, , etad\albert, 0000-00-00 00:00:00, , unreg, 1, NULL, 0000-00-00 00:00:00, , no, yes, 2021-12-13 20:02:20, etad\albert, 1} (pf::dal::db_execute)
> Dec 13 20:02:21 packetfence packetfence_httpd.aaa[25866]: httpd.aaa(16362) ERROR: [mac:00:1c:42:59:98:e3] Cannot save 00:1c:42:59:98:e3 error (500) (pf::radius::authorize)
> Dec 13 20:02:22 packetfence pfqueue[31315]: pfqueue(31315) INFO: [mac:unknown] Inserting 'NTHASH:etad01:albert' => '68813ac50cec72b1b0ae5c43a5beceec' (pf::api::insert_user_in_redis_cache)
> Dec 13 20:02:22 packetfence pfqueue[31323]: pfqueue(31323) INFO: [mac:unknown] Cached user albert for domain etad01 (pf::domain::ntlm_cache::cache_user)
>
> I have tried another user account such as administrator but the result is the same.
>
> Auth source configuration:
> <image.png>
>
> Bind AD Test is successful
>
> Authentication Rule:
> <image.png>
>
> Radius audit log:
> <image.png>
>
> It seems that no role can be obtained for the new user and I couldn't figure out why.
>
> Thanks!
>
> Best regards,
> Albert

_______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
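
A triage script for the log excerpt in this thread, added here as an example; it is not part of the original messages and not PacketFence code. It pairs each logged LDAP rule search with a no-role outcome for the same MAC and notes two properties of the logged search. Reading `[etad-auth catchall]` as source id and rule id, and the name `triage`, are assumptions.

```python
import re

# Three log events copied from the thread above, one per line.
SAMPLE_LOG = r"""Dec 13 20:02:20 packetfence packetfence_httpd.aaa[25866]: httpd.aaa(16362) WARN: [mac:00:1c:42:59:98:e3] [etad-auth catchall] Searching for (sAMAccountName=etad\albert), from CN=Users,DC=etad,DC=tw,DC=lab, with scope base (pf::Authentication::Source::LDAPSource::match_in_subclass)
Dec 13 20:02:21 packetfence packetfence_httpd.aaa[25866]: httpd.aaa(16362) INFO: [mac:00:1c:42:59:98:e3] No rules matches or no category defined for the node, set it as unreg. (pf::role::getNodeInfoForAutoReg)
Dec 13 20:02:21 packetfence packetfence_httpd.aaa[25866]: httpd.aaa(16362) ERROR: [mac:00:1c:42:59:98:e3] no role computed by any sources - registration of 00:1c:42:59:98:e3 to etad\albert failed (pf::registration::setup_node_for_registration)
"""

# Assumption: the bracketed pair after the MAC is "<source id> <rule id>".
SEARCH_RE = re.compile(
    r"\[mac:(?P<mac>[0-9a-f:]{17})\] \[(?P<source>\S+) (?P<rule>[^\]]+)\] "
    r"Searching for \((?P<attr>[^=()]+)=(?P<value>[^()]*)\), "
    r"from (?P<base>.+?), with scope (?P<scope>\w+)"
)
NO_ROLE_RE = re.compile(
    r"\[mac:(?P<mac>[0-9a-f:]{17})\] (?:No rules matches|no role computed)"
)


def triage(log_text):
    """Return LDAP rule searches for MACs that also logged a no-role outcome."""
    searches, failed = {}, set()
    for line in log_text.splitlines():
        m = SEARCH_RE.search(line)
        if m:
            searches.setdefault(m["mac"], []).append(m.groupdict())
        elif (m := NO_ROLE_RE.search(line)):
            failed.add(m["mac"])
    report = []
    for mac in sorted(failed):
        for s in searches.get(mac, []):
            notes = []
            if s["attr"].lower() == "samaccountname" and "\\" in s["value"]:
                notes.append("filter value carries a DOMAIN\\ prefix; "
                             "sAMAccountName stores only the bare logon name")
            if s["scope"] == "base":
                notes.append("scope 'base' compares the filter against the "
                             "base DN entry only, not the entries beneath it")
            report.append({**s, "notes": notes})
    return report


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(item["mac"], item["source"], item["rule"], item["base"])
        for note in item["notes"]:
            print("  -", note)
```
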
