Glad I can help. Have a good day.
Ludovic Zammit
Product Support Engineer Principal
Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142
Connect with Us: <https://community.akamai.com/> <http://blogs.akamai.com/> <https://twitter.com/akamai> <http://www.facebook.com/AkamaiTechnologies> <http://www.linkedin.com/company/akamai-technologies> <http://www.youtube.com/user/akamaitechnologies?feature=results_main>

> On Feb 1, 2022, at 3:34 PM, Leon Pinto <[email protected]> wrote:
>
> Hello,
>
> Thanks for all your help and support… The problem was indeed with the long sAMAccountName… After shortening the sAMAccountName and corresponding certificates, I finally have it working as I expected and get the correct VLAN for my users with EAP-TLS…
>
> Thanks for taking the time and the patience to walk me through this…
>
> From: Zammit, Ludovic <[email protected]>
> Sent: Tuesday, February 1, 2022 10:29 PM
> To: Leon Pinto <[email protected]>
> Cc: [email protected]
> Subject: Re: [PacketFence-users] Roles not assigned to certain types of users - EAP TLS
>
> You can see that it does not match your AD rule.
>
> I don’t know if it’s a problem because of the long sAMAccountName.
>
> Thanks,
>
> Ludovic Zammit
>
>> On Feb 1, 2022, at 11:33 AM, Leon Pinto <[email protected]> wrote:
>>
>> Hello,
>>
>> Thanks for your response… Result as below… It seems like it is authenticating as “null” source and not the AD I expected it to… Did I miss some configuration?...
>> Thanks for all your support…
>>
>> root@packetfence11:/usr/local/bin# /usr/local/pf/bin/pftest authentication SCTL-2D2SS0-G00-COCU02-INT-005
>> Testing authentication for "SCTL-2D2SS0-G00-COCU02-INT-005"
>>
>> Authenticating against 'local' in context 'admin'
>> Authentication FAILED against local (Invalid login or password)
>> Did not match against local for 'authentication' rules
>> Did not match against local for 'administration' rules
>>
>> Authenticating against 'local' in context 'portal'
>> Authentication FAILED against local (Invalid login or password)
>> Did not match against local for 'authentication' rules
>> Did not match against local for 'administration' rules
>>
>> Authenticating against 'file1' in context 'admin'
>> Authentication FAILED against file1 (Invalid login or password)
>> Did not match against file1 for 'authentication' rules
>> Did not match against file1 for 'administration' rules
>>
>> Authenticating against 'file1' in context 'portal'
>> Authentication FAILED against file1 (Invalid login or password)
>> Did not match against file1 for 'authentication' rules
>> Did not match against file1 for 'administration' rules
>>
>> Authenticating against 'sms' in context 'admin'
>> Authentication FAILED against sms (Invalid login or password)
>> Matched against sms for 'authentication' rule catchall
>> set_role : guest
>> set_access_duration : 1D
>> Did not match against sms for 'administration' rules
>>
>> Authenticating against 'sms' in context 'portal'
>> Authentication FAILED against sms (Invalid login or password)
>> Matched against sms for 'authentication' rule catchall
>> set_role : guest
>> set_access_duration : 1D
>> Did not match against sms for 'administration' rules
>>
>> Authenticating against 'email' in context 'admin'
>> Authentication SUCCEEDED against email ()
>> Matched against email for 'authentication' rule catchall
>> set_role : guest
>> set_access_duration : 1D
>> Did not match against email for 'administration' rules
>>
>> Authenticating against 'email' in context 'portal'
>> Authentication SUCCEEDED against email ()
>> Matched against email for 'authentication' rule catchall
>> set_role : guest
>> set_access_duration : 1D
>> Did not match against email for 'administration' rules
>>
>> Authenticating against 'sponsor' in context 'admin'
>> Authentication SUCCEEDED against sponsor ()
>> Matched against sponsor for 'authentication' rule catchall
>> set_role : guest
>> set_access_duration : 1D
>> Did not match against sponsor for 'administration' rules
>>
>> Authenticating against 'sponsor' in context 'portal'
>> Authentication SUCCEEDED against sponsor ()
>> Matched against sponsor for 'authentication' rule catchall
>> set_role : guest
>> set_access_duration : 1D
>> Did not match against sponsor for 'administration' rules
>>
>> Authenticating against 'null' in context 'admin'
>> Authentication SUCCEEDED against null ()
>> Matched against null for 'authentication' rule catchall
>> set_role : guest
>> set_access_duration : 1D
>> Did not match against null for 'administration' rules
>>
>> Authenticating against 'null' in context 'portal'
>> Authentication SUCCEEDED against null ()
>> Matched against null for 'authentication' rule catchall
>> set_role : guest
>> set_access_duration : 1D
>> Did not match against null for 'administration' rules
>>
>> Authenticating against 'msad_vlan_4_2g4_services' in context 'admin'
>> Authentication FAILED against msad_vlan_4_2g4_services (Invalid login or password)
>> Did not match against msad_vlan_4_2g4_services for 'authentication' rules
>> Did not match against msad_vlan_4_2g4_services for 'administration' rules
>>
>> Authenticating against 'msad_vlan_4_2g4_services' in context 'portal'
>> Authentication FAILED against msad_vlan_4_2g4_services (Invalid login or password)
>> Did not match against msad_vlan_4_2g4_services for 'authentication' rules
>> Did not match against msad_vlan_4_2g4_services for 'administration' rules
>>
>> From: Zammit, Ludovic <[email protected]>
>> Sent: Tuesday, February 1, 2022 8:15 PM
>> To: Leon Pinto <[email protected]>
>> Cc: [email protected]
>> Subject: Re: [PacketFence-users] Roles not assigned to certain types of users - EAP TLS
>>
>> Do that command:
>>
>> /usr/local/bin/pftest authentication SCTL-2D2SS0-G00-COCU02-INT-005 “”
>>
>> Show me the result.
>>
>> Thanks,
>>
>> Ludovic Zammit
>>
>>> On Feb 1, 2022, at 8:50 AM, Leon Pinto <[email protected]> wrote:
>>>
>>> Hello,
>>>
>>> Thanks for all your response… Now, after a power failure, I can see that none of the devices are getting the correct role… I suspect that the pf is not able to understand the Username of the device, though the username is to be resolved from the CN of the EAP-TLS certificate, which is matching with the account in AD… My authentication source is Microsoft AD… The switch is an Alcatel 6450…
>>>
>>> Possible attributes for the username in my AD are as below in the Authentication sources:
>>>
>>> <image004.jpg>
>>>
>>> I am going in circles with what could be the reason why the system is not able to understand the username to assign it the correct role…
>>>
>>> The logs are as below and I see some warnings… Can't understand what it means by uninitialized values in $Role, etc…
>>>
>>> Feb 1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) INFO: [mac:00:0c:ab:63:30:86] handling radius autz request: from switch_ip => (10.153.1.249), connection_type => Ethernet-EAP,switch_mac => (e8:e7:32:a6:fd:5e), mac => [00:0c:ab:63:30:86], port => 77, username => "SCTL-2D2SS0-G00-COCU02-INT-005" (pf::radius::authorize)
>>> Feb 1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) INFO: [mac:00:0c:ab:63:30:86] Instantiate profile cp_vlan_4_2g4 (pf::Connection::ProfileFactory::_from_profile)
>>> Feb 1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) INFO: [mac:00:0c:ab:63:30:86] Found authentication source(s) : '' for realm 'null' (pf::config::util::filter_authentication_sources)
>>> Feb 1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) INFO: [mac:00:0c:ab:63:30:86] No rules matches or no category defined for the node, set it as unreg. (pf::role::getNodeInfoForAutoReg)
>>> Feb 1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) WARN: [mac:00:0c:ab:63:30:86] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
>>> Feb 1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) INFO: [mac:00:0c:ab:63:30:86] Found authentication source(s) : '' for realm 'null' (pf::config::util::filter_authentication_sources)
>>> Feb 1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) INFO: [mac:00:0c:ab:63:30:86] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
>>> Feb 1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) WARN: [mac:00:0c:ab:63:30:86] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489.
>>> Feb 1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) INFO: [mac:00:0c:ab:63:30:86] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
>>> Feb 1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) INFO: [mac:00:0c:ab:63:30:86] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
>>> Feb 1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) WARN: [mac:00:0c:ab:63:30:86] Use of uninitialized value $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 633.
>>> Feb 1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) WARN: [mac:00:0c:ab:63:30:86] Use of uninitialized value $name in exists at /usr/local/pf/lib/pf/Switch.pm line 667.
>>> Feb 1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) WARN: [mac:00:0c:ab:63:30:86] Use of uninitialized value $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 640.
>>> Feb 1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) WARN: [mac:00:0c:ab:63:30:86] No parameter Vlan found in conf/switches.conf for the switch 10.153.1.249 (pf::Switch::getVlanByName)
>>> Feb 1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) INFO: [mac:00:0c:ab:63:30:86] security_event 1300003 force-closed for 00:0c:ab:63:30:86 (pf::security_event::security_event_force_close)
>>> Feb 1 17:13:52 packetfence11 packetfence_httpd.aaa[1907]: httpd.aaa(1241) INFO: [mac:00:0c:ab:63:30:86] Instantiate profile cp_vlan_4_2g4 (pf::Connection::ProfileFactory::_from_profile)
>>>
>>> As far as I can see, the role is correctly configured and so is the switch…
>>>
>>> Roles
>>>
>>> <image018.jpg> <image020.jpg>
>>>
>>> Authentication Rule
>>>
>>> <image021.jpg>
>>>
>>> Radius response shows the correct user name as far as I can see…
>>>
>>> <image022.jpg> <image024.jpg>
>>>
>>> User definition in AD
>>>
>>> <image025.jpg> <image026.jpg>
>>>
>>> “switches.conf” too seems to have the correct entries of vlans…
>>>
>>> <image031.jpg>
>>>
>>> Sincerely appreciate if someone can help in where I could be going wrong with this… At this moment, I am lost as to what I might be missing out on….
>>>
>>> Thanks for all your support…
>>>
>>> From: Leon Pinto via PacketFence-users <[email protected]>
>>> Sent: Monday, January 31, 2022 11:21 PM
>>> To: 'Zammit, Ludovic' <[email protected]>; [email protected]
>>> Cc: Leon Pinto <[email protected]>
>>> Subject: Re: [PacketFence-users] Roles not assigned to certain types of users - EAP TLS
>>>
>>> Hello,
>>>
>>> Thanks a lot for your response…
>>>
>>> All our screenshots are in attached docs… logs etc…
>>>
>>> Also, as below…
>>>
>>> SCTL-2D2SS0-P02-HVR-OS15-026 -> The case for which no vlan/role is assigned.
>>>
>>> SCTL-2D2SS0-G00-COCU02-INT-005 -> The case for which correct vlan/role is assigned.
>>>
>>> <image037.png>
>>>
>>> SCTL-2D2SS0-P02-HVR-OS15-026 -> The case for which no vlan/role is assigned (Radius Response)
>>>
>>> <image038.png> <image039.jpg>
>>>
>>> SCTL-2D2SS0-G00-COCU02-INT-005 -> The case for which correct vlan/role is assigned (Radius Response)
>>>
>>> <image043.png> <image044.png>
>>>
>>> From: Zammit, Ludovic <[email protected]>
>>> Sent: Monday, January 31, 2022 10:45 PM
>>> To: [email protected]
>>> Cc: Leon Pinto <[email protected]>
>>> Subject: Re: [PacketFence-users] Roles not assigned to certain types of users - EAP TLS
>>>
>>> Hello Leon,
>>>
>>> What’s the radius reply in the Auditing tab in the Packetfence Web page for those two authentications?
>>>
>>> Thanks,
>>>
>>> Ludovic Zammit
>>>
>>>> On Jan 31, 2022, at 10:33 AM, Leon Pinto via PacketFence-users <[email protected]> wrote:
>>>>
>>>> Hello community,
>>>>
>>>> We have a packet-fence installation where the Authentication source is an Active Directory setup for Telephony 802.1x authentication based on EAP-TLS…
>>>>
>>>> Version is 11.1 with Alcatel 6450 switch for 802.1x…
>>>>
>>>> Problem description
>>>> In our scenario, the Packet-fence is used to assign a proper VLAN to authenticated/registered phones and this works fine for one type of devices with certificates from the local PKI… Another type of devices from the same PKI are authenticated and registered but they don’t get the correct Role as expected…
>>>>
>>>> Refer to the end result below:
>>>>
>>>> <image002.png>
>>>>
>>>> The 01/26 gets the correct VLAN (vlan 4) as configured in the Role.
>>>> The 01/28 does not get the correct VLAN (vlan 4) as configured in the Role.
>>>>
>>>> <image004.png>
>>>>
>>>> I tried using other attributes like SPN, UPN etc. but we still have the same issue as above…
>>>>
>>>> All configuration screenshots, logs, radius response etc. are in the attached file… Any help is welcome…
>>>>
>>>> <Packet Fence - Problem scenario.docx>
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
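An added triage example, not from the thread or from PacketFence itself: a small Python script that reads packetfence_httpd.aaa log lines in the format quoted above, groups them by client MAC, and flags the three symptoms this thread turned on: an empty authentication-source list for the realm, an undefined role/VLAN, and a username longer than the 20-character sAMAccountName limit Active Directory enforces on user accounts (that limit is general AD behaviour, not something the thread states). The log lines are constructed for the example; the second session is a made-up passing case for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in the packetfence_httpd.aaa format quoted in the thread
# (first session mirrors the failing case; second is a constructed passing case).
SAMPLE_LOG = """\
Feb 1 17:13:52 pf packetfence_httpd.aaa[1907]: httpd.aaa(1241) INFO: [mac:00:0c:ab:63:30:86] handling radius autz request: from switch_ip => (10.153.1.249), connection_type => Ethernet-EAP, mac => [00:0c:ab:63:30:86], port => 77, username => "SCTL-2D2SS0-G00-COCU02-INT-005" (pf::radius::authorize)
Feb 1 17:13:52 pf packetfence_httpd.aaa[1907]: httpd.aaa(1241) INFO: [mac:00:0c:ab:63:30:86] Found authentication source(s) : '' for realm 'null' (pf::config::util::filter_authentication_sources)
Feb 1 17:13:52 pf packetfence_httpd.aaa[1907]: httpd.aaa(1241) INFO: [mac:00:0c:ab:63:30:86] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Feb 1 17:20:01 pf packetfence_httpd.aaa[1907]: httpd.aaa(1242) INFO: [mac:00:0c:ab:11:22:33] handling radius autz request: from switch_ip => (10.153.1.249), connection_type => Ethernet-EAP, mac => [00:0c:ab:11:22:33], port => 78, username => "PHONE-INT-026" (pf::radius::authorize)
Feb 1 17:20:01 pf packetfence_httpd.aaa[1907]: httpd.aaa(1242) INFO: [mac:00:0c:ab:11:22:33] Found authentication source(s) : 'msad_vlan_4_2g4_services' for realm 'null' (pf::config::util::filter_authentication_sources)
Feb 1 17:20:01 pf packetfence_httpd.aaa[1907]: httpd.aaa(1242) INFO: [mac:00:0c:ab:11:22:33] PID: "PHONE-INT-026", Status: reg Returned VLAN: 4, Role: vlan_4 (pf::role::fetchRoleForNode)
"""

MAC_RE = re.compile(r"\[mac:([0-9a-f:]{17})\]")
USER_RE = re.compile(r'username => "([^"]*)"')
SOURCES_RE = re.compile(r"Found authentication source\(s\) : '([^']*)' for realm '([^']*)'")
ROLE_RE = re.compile(r"Returned VLAN: \(?([^\s),]+)\)?, Role: \(?([^\s)]+)\)?")
SAM_MAX = 20  # AD limit on a user account's pre-Windows 2000 logon name (sAMAccountName)


def parse_sessions(log_text):
    """Collect username, matched sources, realm and returned role/VLAN per client MAC."""
    sessions = defaultdict(dict)
    for line in log_text.splitlines():
        mac = MAC_RE.search(line)
        if not mac:
            continue
        s = sessions[mac.group(1)]
        if (u := USER_RE.search(line)):
            s["username"] = u.group(1)
        if (src := SOURCES_RE.search(line)):
            s["sources"] = [x for x in src.group(1).split(",") if x]  # '' -> no sources
            s["realm"] = src.group(2)
        if (r := ROLE_RE.search(line)):
            s["vlan"], s["role"] = r.group(1), r.group(2)
    return dict(sessions)


def triage(log_text):
    """Return {mac: [problem, ...]}; an empty list means the session looks healthy."""
    findings = {}
    for mac, s in parse_sessions(log_text).items():
        problems = []
        if s.get("sources") == []:
            problems.append(f"no authentication source matched realm '{s.get('realm')}'")
        if s.get("role", "undefined") == "undefined":
            problems.append("no role/VLAN returned for the node")
        if len(s.get("username", "")) > SAM_MAX:
            problems.append(f"username longer than {SAM_MAX} chars; AD sAMAccountName may differ")
        findings[mac] = problems
    return findings

if __name__ == "__main__":
    for mac, problems in triage(SAMPLE_LOG).items():
        print(mac, "OK" if not problems else "; ".join(problems))
```

Run it against a real /usr/local/pf/logs/packetfence.log extract to see which sessions fell through to the null source before shortening the account names.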
