Hello Andrey, Alright.

Have a nice weekend.

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142
Connect with Us: <https://community.akamai.com/> <http://blogs.akamai.com/> <https://twitter.com/akamai> <http://www.facebook.com/AkamaiTechnologies> <http://www.linkedin.com/company/akamai-technologies> <http://www.youtube.com/user/akamaitechnologies?feature=results_main>

> On Feb 15, 2024, at 10:26 AM, Andrey Chernyakov <[email protected]> wrote:
>
> Hello again,
>
> I’ve found the solution; after log analysis it was so obvious: enable the "Dot1x recompute role from portal" parameter in the connection profile.
>
> Thank you, Ludovic. I’m a beginner in the PacketFence world; I wasn’t aware of the packetfence.log file content. No questions anymore, I highly appreciate your help!
>
> --
> Andrey Chernyakov
> Senior Network and Security Engineer
>
> email: [email protected]
>
> NPS Consult S.A.
> L-5687, Dalheim
> Luxembourg
>
> On 15 Feb 2024 at 16:05 +0100, Andrey Chernyakov <[email protected]>, wrote:
>> Sure, here it is (at the bottom of the email; I modified the search request just to ignore outdated logs).
>>
>> According to the logs, the EAPTLS authentication source was matched, but the host wasn’t assigned to the role because it was already computed (but I have no idea when; before authentication I deleted the MAC address from the nodes list, and it’s an auto-registered host according to the relevant parameter of the connection profile).
>>
>> My goal is to assign all hosts (with known and registered MAC addresses, and with unknown, first-time-seen MAC addresses), once they’ve been authenticated via EAPTLS, into specific roles.
>>
>> root@packetfence:~# tail -f /usr/local/pf/logs/packetfence.log | grep 02:7a:87:11:54:dd
>>
>> Feb 15 15:54:06 packetfence pfperl-api-docker-wrapper[193686]: pfperl-api(10) INFO: [mac:[undef]] Request to /api/v1/dhcp/mac/02:7a:87:11:54:dd is unauthorized, will perform a login (pf::api::unifiedapiclient::call)
>> Feb 15 15:54:07 packetfence pfqueue[221285]: pfqueue(221285) INFO: [mac:02:7a:87:11:54:dd] Trying generic MIB to force 802.1x port re-authentication. Your mileage may vary. If it doesn't work open a bug report with your hardware type. (pf::Switch::_dot1xPortReauthenticate)
>> Feb 15 15:54:07 packetfence pfqueue[221285]: pfqueue(221285) ERROR: [mac:02:7a:87:11:54:dd] error creating SNMP v3 write connection to 192.168.100.2: An empty authProtocol was specified (pf::Switch::connectWriteTo)
>> Feb 15 15:54:33 packetfence pfqueue[219798]: pfqueue(219798) WARN: [mac:unknown] Warning: 1062: Duplicate entry '02:7a:87:11:54:dd' for key 'PRIMARY' (pf::dal::db_execute)
>> Feb 15 15:54:33 packetfence pfqueue[219798]: pfqueue(219798) INFO: [mac:unknown] DHCPACK from 192.168.100.254 (00:0c:29:35:5f:47) to host 02:7a:87:11:54:dd (192.168.22.102) for 691200 seconds (pf::dhcp::processor_v4::parse_dhcp_ack)
>> Feb 15 15:54:33 packetfence pfqueue[219894]: pfqueue(219894) INFO: [mac:unknown] DHCPREQUEST from 02:7a:87:11:54:dd (192.168.22.102) (pf::dhcp::processor_v4::parse_dhcp_request)
>> Feb 15 15:54:33 packetfence pfqueue[219894]: pfqueue(219894) INFO: [mac:02:7a:87:11:54:dd] Sending a firewall SSO 'Update' request for MAC '02:7a:87:11:54:dd' and IP '192.168.22.102' (pf::firewallsso::do_sso)
>> Feb 15 15:54:33 packetfence pfqueue[221313]: pfqueue(221313) INFO: [mac:02:7a:87:11:54:dd] Instantiate profile dot1x_wired_profile (pf::Connection::ProfileFactory::_from_profile)
>> Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) ERROR: [mac:02:7a:87:11:54:dd] error creating SNMP v3 read connection to 192.168.100.2: An empty privProtocol was specified (pf::Switch::connectRead)
>> Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) INFO: [mac:02:7a:87:11:54:dd] handling radius autz request: from switch_ip => (192.168.100.2), connection_type => Ethernet-EAP,switch_mac => (00:04:96:9b:0a:db), mac => [02:7a:87:11:54:dd], port => 1017, username => "[email protected]" (pf::radius::authorize)
>> Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) INFO: [mac:02:7a:87:11:54:dd] Instantiate profile dot1x_wired_profile (pf::Connection::ProfileFactory::_from_profile)
>> Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) INFO: [mac:02:7a:87:11:54:dd] Found authentication source(s) : 'Machine_auth' for realm 'ad.nps.local' (pf::config::util::filter_authentication_sources)
>> Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) INFO: [mac:02:7a:87:11:54:dd] Role has already been computed and we don't want to recompute it. (pf::role::getNodeInfoForAutoReg)
>> Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) WARN: [mac:02:7a:87:11:54:dd] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
>> Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) INFO: [mac:02:7a:87:11:54:dd] Found authentication source(s) : 'Machine_auth' for realm 'ad.nps.local' (pf::config::util::filter_authentication_sources)
>> Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) INFO: [mac:02:7a:87:11:54:dd] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
>> Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) WARN: [mac:02:7a:87:11:54:dd] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489.
>> Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) INFO: [mac:02:7a:87:11:54:dd] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
>> Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) INFO: [mac:02:7a:87:11:54:dd] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
>> Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) INFO: [mac:02:7a:87:11:54:dd] security_event 1300003 force-closed for 02:7a:87:11:54:dd (pf::security_event::security_event_force_close)
>> Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) INFO: [mac:02:7a:87:11:54:dd] Instantiate profile dot1x_wired_profile (pf::Connection::ProfileFactory::_from_profile)
>> Feb 15 15:54:43 packetfence pfqueue[219984]: pfqueue(219984) INFO: [mac:02:7a:87:11:54:dd] Database /usr/local/fingerbank/db/fingerbank_Local.db was changed or handles weren't initialized. Creating handle. (fingerbank::DB::SQLite::build_handle)
>> Feb 15 15:54:43 packetfence pfqueue[219984]: pfqueue(219984) INFO: [mac:02:7a:87:11:54:dd] Database /usr/local/fingerbank/db/fingerbank_Upstream.db was changed or handles weren't initialized. Creating handle. (fingerbank::DB::SQLite::build_handle)
>> Feb 15 15:54:43 packetfence pfqueue[219984]: pfqueue(219984) INFO: [mac:02:7a:87:11:54:dd] Searching for 'Device' entries in schema(s) returned an empty set (fingerbank::Base::CRUD::search)
>> Feb 15 15:54:43 packetfence pfqueue[219984]: pfqueue(219984) WARN: [mac:02:7a:87:11:54:dd] Unable to pull accounting history for device 02:7a:87:11:54:dd. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
>> ^C
>> root@packetfence:~#
>>
>> --
>> Andrey Chernyakov
>>
>> On 15 Feb 2024 at 15:51 +0100, Zammit, Ludovic <[email protected]>, wrote:
>>> Please do that:
>>>
>>> grep MAC-ADDRESS /usr/local/pf/logs/packetfence.log
>>>
>>> Show the output please.
>>>
>>> Thanks,
>>>
>>> Ludovic Zammit
>>>
>>>> On Feb 15, 2024, at 9:49 AM, Andrey Chernyakov <[email protected]> wrote:
>>>>
>>>> Hello Ludovic,
>>>>
>>>> Thanks for your reply.
>>>>
>>>> It’s clear; there are no connections to domain controllers, RADIUS is signed with a valid certificate from Microsoft PKI, and EAPTLS authentication works well.
>>>> But the authentication source defined to use EAPTLS is just ignored by the authentication process; machines aren’t getting the role defined in the authentication rule (even with no conditions, a catch-all rule), they always get the registration role.
>>>>
>>>> --
>>>> Andrey Chernyakov
>>>>
>>>> On 15 Feb 2024 at 15:11 +0100, Zammit, Ludovic <[email protected]>, wrote:
>>>>> Hello Andrey,
>>>>>
>>>>> For EAP TLS you don’t need to join the PF servers to your domain.
>>>>>
>>>>> You will need to add the Root CA that signed the user/computer certs under Configuration > System Configuration > SSL Certificates > RADIUS > RADIUS Certification Authority Certificate(s).
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Ludovic Zammit
>>>>>
>>>>>> On Feb 14, 2024, at 8:22 AM, Andrey Chernyakov via PacketFence-users <[email protected]> wrote:
>>>>>>
>>>>>> Hi, PacketFence community,
>>>>>>
>>>>>> Currently I’m evaluating EAPTLS authentication with machine certificates in my lab for a wired network, but the Authentication Source with EAPTLS doesn’t seem to be working.
>>>>>>
>>>>>> From my perspective, the configuration is good: the EAP profile prefers TLS authentication, and RADIUS has a valid certificate signed by the same CA as the machine certificates which I use for EAPTLS authentication. The connection profile allows auto-registration of devices. The authentication source should catch all authentication attempts and assign devices to a role (gaming, for example).
>>>>>>
>>>>>> The problem with such a configuration is: devices are authenticated and auto-registered, but they aren’t matched with the authentication source rules (the last screenshot with the log can prove it), and they are respectively registered with no role. But I need a role in order to be able to assign devices the relevant profile. Below you can find screenshots from my lab; any ideas how to fix it?
>>>>>>
>>>>>> Appreciate your help in advance!
>>>>>>
>>>>>> <Screenshot 2024-02-12 at 16.04.15.png>
>>>>>> <Screenshot 2024-02-12 at 16.04.48.png>
>>>>>> <Screenshot 2024-02-12 at 16.05.35.png>
>>>>>> <Attachment.png>
>>>>>>
>>>>>> --
>>>>>> Andrey Chernyakov
_______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
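The diagnosis in this thread came from reading packetfence.log by hand: the EAP-TLS source matched, but pf::role::getNodeInfoForAutoReg refused to recompute the role and the node ended up with no category. The following script is an added example (not part of the thread and not PacketFence code) that parses the log format shown above for one MAC and reports that pattern, plus the SNMP v3 authProtocol/privProtocol errors that also appear in the excerpt; the sample lines are constructed after the thread's excerpt, and the log line layout is assumed from it.

```python
import re

# Layout of packetfence.log as seen in the thread (assumption: every record
# carries a "[mac:...]" tag and usually ends with "(pf::module::function)").
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ [^:]+: (?P<daemon>\S+) "
    r"(?P<level>INFO|WARN|ERROR|DEBUG): \[mac:(?P<mac>[^\]]*)\] "
    r"(?P<msg>.*?)(?: \((?P<func>[\w:]+)\))?$"
)
SOURCE_RE = re.compile(r"Found authentication source\(s\) : '([^']+)'")

def parse_line(line):
    """Return the fields of one log record, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines, mac):
    """Explain why a MAC came out of 802.1X/EAP-TLS without a role."""
    mac = mac.lower()
    out = {"sources": [], "role_reuse": 0, "no_category": 0, "snmp_errors": []}
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["mac"].lower() != mac:   # skip other MACs / [mac:unknown]
            continue
        msg = rec["msg"]
        src = SOURCE_RE.search(msg)
        if src and src.group(1) not in out["sources"]:
            out["sources"].append(src.group(1))
        if rec["func"] == "pf::role::getNodeInfoForAutoReg" and msg.startswith("Role has already been computed"):
            out["role_reuse"] += 1
        if "No category computed for autoreg" in msg:
            out["no_category"] += 1
        if "error creating SNMP v3" in msg:
            out["snmp_errors"].append(msg.split(": ", 1)[1])
    hints = []
    if out["sources"] and out["role_reuse"] and out["no_category"]:
        hints.append("source matched but role not recomputed: enable 'Dot1x recompute role from portal' in the connection profile")
    if out["snmp_errors"]:
        hints.append("SNMP v3 auth/priv protocol missing on the switch definition; forced port re-authentication will fail")
    out["hints"] = hints
    return out

# Constructed sample, modelled on the excerpt in the thread.
SAMPLE_LOG = """\
Feb 15 15:54:07 packetfence pfqueue[221285]: pfqueue(221285) ERROR: [mac:02:7a:87:11:54:dd] error creating SNMP v3 write connection to 192.168.100.2: An empty authProtocol was specified (pf::Switch::connectWriteTo)
Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) INFO: [mac:02:7a:87:11:54:dd] Found authentication source(s) : 'Machine_auth' for realm 'ad.nps.local' (pf::config::util::filter_authentication_sources)
Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) INFO: [mac:02:7a:87:11:54:dd] Role has already been computed and we don't want to recompute it. (pf::role::getNodeInfoForAutoReg)
Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) WARN: [mac:02:7a:87:11:54:dd] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
Feb 15 15:54:33 packetfence httpd.aaa-docker-wrapper[171281]: httpd.aaa(9) INFO: [mac:02:7a:87:11:54:dd] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Feb 15 15:54:43 packetfence pfqueue[219984]: pfqueue(219984) INFO: [mac:unknown] DHCPREQUEST from 02:7a:87:11:54:dd (192.168.22.102) (pf::dhcp::processor_v4::parse_dhcp_request)
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOG.splitlines(), "02:7a:87:11:54:dd"))
```

Run it against a real file with `triage(open("/usr/local/pf/logs/packetfence.log"), mac)`; the DHCP lines tagged `[mac:unknown]` are ignored on purpose, since the MAC there sits in the message body rather than the tag.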
