I set up a test account, and that worked; however, I’d prefer to use this with
Microsoft Authenticator. When I use that, I get these pertinent entries in the
log:
Mar 22 11:30:17 cuvpfzen auth[2488]: (10) rest: ERROR: Server returned:
Mar 22 11:30:17 cuvpfzen auth[2488]: (10) rest: ERROR:
{"control:PacketFence-Authorization-Status":"allow","Reply-Message":"Multi-Factor
Authentication failed or triggered"}
Mar 22 11:30:17 cuvpfzen auth[2488]: [mac:] Rejected user: xxxxxxx
Mar 22 11:30:17 cuvpfzen auth[2488]: (10) Rejected in post-auth: [xxxxxxx]
(from client 10.200.1.201/32 port 1)
Mar 22 11:30:17 cuvpfzen auth[2488]: (10) Login incorrect (rest: Server
returned:): [xxxxxxx] (from client 10.200.1.201/32 port 1)
Mar 22 11:30:16 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) INFO:
[mac:[undef]] handling radius autz request: from switch_ip => (10.200.1.201),
connection_type => CLI-Access,switch_mac => (Unknown), mac => [0], port => 1,
username => "xxxxxxx" (pf::radius::switch_access)
Mar 22 11:30:16 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) WARN:
[mac:[undef]] Trying to match IP address with an invalid MAC address 'undef'
(pf::ip4log::mac2ip)
Mar 22 11:30:16 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) INFO:
[mac:[undef]] Instantiate profile default
(pf::Connection::ProfileFactory::_from_profile)
Mar 22 11:30:16 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) INFO:
[mac:[undef]] Found authentication source(s) : 'local,file1,CU_Employees' for
realm 'null' (pf::config::util::filter_authentication_sources)
Mar 22 11:30:16 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) INFO:
[mac:[undef]] MFA Pre Authentication (pf::radius::mfa_pre_auth)
Mar 22 11:30:16 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) INFO:
[mac:[undef]] Instantiate profile default
(pf::Connection::ProfileFactory::_from_profile)
Mar 22 11:30:16 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) INFO:
[mac:[undef]] Found authentication source(s) : 'local,file1,CU_Employees' for
realm 'null' (pf::config::util::filter_authentication_sources)
Mar 22 11:30:16 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) INFO:
[mac:[undef]] Using sources local, file1, CU_Employees for matching
(pf::authentication::match2)
Mar 22 11:30:16 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) WARN:
[mac:[undef]] [CU_Employees MFA] Searching for
(&(sAMAccountName=xxxxxxx)(memberOf=CN=<obscured group
name>,CN=Users,DC=campbellsville,DC=edu)), from dc=campbellsville,dc=edu, with
scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Mar 22 11:30:17 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) INFO:
[mac:[undef]] Matched rule (MFA) in source CU_Employees, returning actions.
(pf::Authentication::Source::match_rule)
Mar 22 11:30:17 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) INFO:
[mac:[undef]] Matched rule (MFA) in source CU_Employees, returning actions.
(pf::Authentication::Source::match)
Mar 22 11:30:17 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) ERROR:
[mac:[undef]] unable to read password file '/usr/local/pf/conf/admin.conf'
(pf::Authentication::Source::HtpasswdSource::authenticate)
Mar 22 11:30:17 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) INFO:
[mac:[undef]] [CU_Employees] Authentication successful for xxxxxxx
(pf::Authentication::Source::LDAPSource::authenticate)
Mar 22 11:30:17 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) INFO:
[mac:[undef]] Authentication successful for xxxxxxx in source CU_Employees (AD)
(pf::authentication::authenticate)
Mar 22 11:30:17 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) INFO:
[mac:[undef]] MFA Post Authentication (pf::radius::mfa_post_auth)
Mar 22 11:30:17 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) INFO:
[mac:[undef]] Using sources CU_Employees for matching
(pf::authentication::match2)
Mar 22 11:30:17 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) WARN:
[mac:[undef]] [CU_Employees MFA] Searching for
(&(sAMAccountName=xxxxxxx)(memberOf=CN=<obscured group
name>,CN=Users,DC=campbellsville,DC=edu)), from dc=campbellsville,dc=edu, with
scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Mar 22 11:30:17 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) INFO:
[mac:[undef]] Matched rule (MFA) in source CU_Employees, returning actions.
(pf::Authentication::Source::match_rule)
Mar 22 11:30:17 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) INFO:
[mac:[undef]] Matched rule (MFA) in source CU_Employees, returning actions.
(pf::Authentication::Source::match)
Mar 22 11:30:17 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) WARN:
[mac:[undef]] Use of uninitialized value $otp in pattern match (m//) at
/usr/local/pf/lib/pf/mfa/TOTP.pm line 54.
(pf::mfa::TOTP::check_user)
Mar 22 11:30:17 cuvpfzen packetfence_httpd.aaa[2919]: httpd.aaa(1353) WARN:
[mac:[undef]] Method not supported (pf::mfa::TOTP::check_user)
From: Zammit, Ludovic <[email protected]>
Sent: Tuesday, March 22, 2022 4:27 PM
To: [email protected]
Cc: Gibbs, Christopher <[email protected]>
Subject: Re: [PacketFence-users] Configuring 11.x for use with Microsoft
Authenticator
Hello Christopher,
Do you have a valid Akamai MFA account?
Thanks,
Ludovic Zammit
Product Support Engineer Principal
Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142
On Mar 22, 2022, at 10:19 AM, Gibbs, Christopher via PacketFence-users
<[email protected]> wrote:
Has anyone successfully done this? I’ve gone through the setup documentation
at https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_mfa_integration,
but I think I must be missing something. My RADIUS login works fine, but even
though I have defined the actions as specified in the documentation, the MFA
process does not appear to be triggered correctly. I’m sure I’ve missed
something. Any ideas?
Chris Gibbs
Information Technology Infrastructure Manager
Campbellsville University
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
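For triaging logs like the ones quoted in this thread, the following is an added example (not part of the original messages and not PacketFence code): it rejoins mail-wrapped httpd.aaa entries and lists the ones logged by MFA code paths, using the trailing `(pf::...)` function tag seen in the log above. The sample lines are constructed from that format; the host, user and source names are placeholders.

```python
import re

# Constructed sample, modelled on the hard-wrapped log lines quoted in the thread.
SAMPLE = """\
Mar 22 11:30:17 host packetfence_httpd.aaa[2919]: httpd.aaa(1353) INFO:
[mac:[undef]] Authentication successful for user1 in source SRC (AD)
(pf::authentication::authenticate)
Mar 22 11:30:17 host packetfence_httpd.aaa[2919]: httpd.aaa(1353) INFO:
[mac:[undef]] MFA Post Authentication (pf::radius::mfa_post_auth)
Mar 22 11:30:17 host packetfence_httpd.aaa[2919]: httpd.aaa(1353) WARN:
[mac:[undef]] Use of uninitialized value $otp in pattern match (m//) at
/usr/local/pf/lib/pf/mfa/TOTP.pm line 54.
(pf::mfa::TOTP::check_user)
Mar 22 11:30:17 host packetfence_httpd.aaa[2919]: httpd.aaa(1353) WARN:
[mac:[undef]] Method not supported (pf::mfa::TOTP::check_user)
Mar 22 11:30:17 host auth[2488]: [mac:] Rejected user: user1
"""

START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ ")
ENTRY = re.compile(
    r"packetfence_httpd\.aaa\[\d+\]: \S+ (?P<level>[A-Z]+): "
    r"(?P<msg>.*) \((?P<func>pf::[\w:]+)\)$")

def unwrap(text):
    """Join mail-wrapped continuation lines back into one record per entry."""
    records = []
    for line in text.splitlines():
        if START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def mfa_trace(text):
    """Return (level, function, message) for entries logged by MFA code paths."""
    trace = []
    for rec in unwrap(text):
        m = ENTRY.search(rec)
        if m and re.search(r"::mfa(::|_)", m["func"]):
            trace.append((m["level"], m["func"], m["msg"]))
    return trace

def mfa_problems(text):
    """Entries at WARN or ERROR level on the MFA path, in log order."""
    return [t for t in mfa_trace(text) if t[0] in ("WARN", "ERROR")]

if __name__ == "__main__":
    for level, func, msg in mfa_trace(SAMPLE):
        print(f"{level:5} {func}: {msg}")
```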