Hi everyone, I also found the following in packetfence.log, corresponding to the failed login attempt:

Jun 6 08:40:05 pktf01 packetfence_httpd.aaa: httpd.aaa(2887) WARN: [mac:unknown] Trying to match IP address with an invalid MAC address 'undef' (pf::ip4log::mac2ip)
Jun 6 08:40:05 pktf01 packetfence_httpd.aaa: httpd.aaa(2887) INFO: [mac:unknown] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Jun 6 08:40:05 pktf01 packetfence_httpd.aaa: httpd.aaa(2887) INFO: [mac:unknown] Found authentication source(s) : 'local,file1' for realm 'null' (pf::config::util::filter_authentication_sources)
Jun 6 08:40:05 pktf01 packetfence_httpd.aaa: httpd.aaa(2887) INFO: [mac:unknown] Using sources local, file1 for matching (pf::authentication::match2)
Jun 6 08:40:05 pktf01 packetfence_httpd.aaa: httpd.aaa(2887) INFO: [mac:unknown] User userid1 has no role (Switches CLI - Read or Switches CLI - Write) to permit to login in A.B.C.D (pf::radius::switch_access)

Where would I set up this role and these values to enable this access??

thanks

On Mon, Jun 6, 2022 at 11:48 AM Christian Vo <[email protected]> wrote:
> Hi everyone,
>
> ssh login into the same Cisco switch works with a locally configured user account -->
> I see "Switch enable access granted by PacketFence" (I'm not sure how/where this is configured)
> but trying to use an AD-authenticated userID is failing.
>
> I'm seeing the following errors in radius log when I try to configure a Cisco 2900 switch for basic RADIUS authentication (CLI access):
> Jun 6 08:40:05 pktf01 auth[50767]: (48) rest: ERROR: {"control:PacketFence-Authorization-Status":"allow","Reply-Message":"User has no role defined in PacketFence to allow switch login (SWITCH_LOGIN_READ or SWITCH_LOGIN_WRITE)"}
> Jun 6 08:40:05 pktf01 auth[50767]: [mac:] Rejected user: useridXXXXX
> Jun 6 08:40:05 -pktf01 auth[50767]: (48) Rejected in post-auth: [a useridXXXXX ] (from client A.B.C.D/32 port 2)
> Jun 6 08:40:05 pktf01 auth[50767]: (48) Login incorrect (rest: Server returned:): [ useridXXXXX ] (from client A.B.C.D/32 port 2)
>
> I can confirm now via pftest that the account does authenticate via LDAP and matches the authentication rule for context admin & portal:
>
> Authenticating against 'AD-IT-Network' in context 'admin'
> Authentication SUCCEEDED against AD-IT-Network (Authentication successful.)
> Matched against IT-Network for 'authentication' rule IT-Network-Admins-Authentication
> set_role : Corp-User
> set_access_duration : 3h
> Matched against AD-IT-Network for 'administration' rule IT-Network-Admins-Authorization
> set_access_level : ALL
>
> Authenticating against 'AD-IT-Network' in context 'portal'
> Authentication SUCCEEDED against AD-IT-Network (Authentication successful.)
> Matched against AD-IT-Network for 'authentication' rule IT-Network-Admins-Authentication
> set_role : Corp-User
> set_access_duration : 3h
> Matched against AD-IT-Network for 'administration' rule IT-Network-Admins-Authorization
> set_access_level : ALL
>
> pls help -- the documentation is really unclear on this, or I'm not finding the right section =(
_______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
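As an added example (not from the thread and not PacketFence's own code), a small Python parser that correlates the FreeRADIUS "rest: ERROR" reason with the matching "Login incorrect" line by request id and attaches the role names the httpd.aaa log says are missing, so rejected switch CLI logins can be reviewed in bulk. The sample lines are constructed after the ones quoted above; the user names, host and 192.0.2.x addresses are placeholders.

```python
import json
import re

# Constructed sample log, modelled on the radius and httpd.aaa lines quoted in the thread.
# Users, host and 192.0.2.x addresses are placeholders, not values from a real deployment.
SAMPLE_LOG = """\
Jun 6 08:40:05 pktf01 auth[50767]: (48) rest: ERROR: {"control:PacketFence-Authorization-Status":"allow","Reply-Message":"User has no role defined in PacketFence to allow switch login (SWITCH_LOGIN_READ or SWITCH_LOGIN_WRITE)"}
Jun 6 08:40:05 pktf01 auth[50767]: [mac:] Rejected user: userid1
Jun 6 08:40:05 pktf01 auth[50767]: (48) Login incorrect (rest: Server returned:): [ userid1 ] (from client 192.0.2.10/32 port 2)
Jun 6 08:40:05 pktf01 packetfence_httpd.aaa: httpd.aaa(2887) INFO: [mac:unknown] User userid1 has no role (Switches CLI - Read or Switches CLI - Write) to permit to login in 192.0.2.10 (pf::radius::switch_access)
Jun 6 08:41:10 pktf01 auth[50767]: (49) Login incorrect (rest: Server returned:): [ userid2 ] (from client 192.0.2.11/32 port 2)
"""

REST_ERROR = re.compile(r"\((?P<req>\d+)\) rest: ERROR: (?P<body>\{.*\})\s*$")
LOGIN_INCORRECT = re.compile(
    r"\((?P<req>\d+)\) Login incorrect .*?: \[ ?(?P<user>\S+?) ?\] "
    r"\(from client (?P<client>[0-9a-fA-F.:]+)/\d+ port (?P<port>\d+)\)"
)
NO_ROLE = re.compile(
    r"User (?P<user>\S+) has no role \((?P<roles>.+?)\) to permit to login in "
    r"(?P<switch>\S+) \(pf::radius::switch_access\)"
)


def reply_message(body: str):
    """Return the Reply-Message from the REST error JSON, or None if the JSON is truncated/invalid."""
    try:
        return json.loads(body).get("Reply-Message")
    except json.JSONDecodeError:
        return None


def switch_login_rejects(log_text: str):
    """One record per rejected CLI login: user, NAS address/port, PacketFence reason, missing roles."""
    reasons = {}        # FreeRADIUS request id -> Reply-Message text
    missing_roles = {}  # user -> role names httpd.aaa reported as missing
    rejects = []
    for line in log_text.splitlines():
        if m := REST_ERROR.search(line):
            reasons[m["req"]] = reply_message(m["body"])
        elif m := NO_ROLE.search(line):
            missing_roles[m["user"]] = m["roles"]
        elif m := LOGIN_INCORRECT.search(line):
            rejects.append({"user": m["user"], "client": m["client"], "port": int(m["port"]),
                            "reason": reasons.get(m["req"])})  # None when no REST error was logged
    for r in rejects:  # httpd.aaa detail is logged separately and keyed by user, not request id
        r["missing_roles"] = missing_roles.get(r["user"])
    return rejects
```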
