
List:       packetfence-users
Subject:    [PacketFence-users] Weird role assignments
From:       Christian Sudec via PacketFence-users <packetfence-users () lists ! sourceforge ! net>
Date:       2020-10-22 12:50:52
Message-ID: 7fd734b3-f6c5-3159-812a-90547c49efaa () htlwrn ! ac ! at

Hi!

I'm currently investigating problems with role assignments in 
packetfence. Here are the specs:

Packetfence 10.1.0 on Debian 9.13 attached via one ethernet interface
~20 Ubiquiti Access Points (managed by one Unifi-Controller)
The ssid uses radius assigned VLANs, from ID 771 (default) to 775

Packetfence is configured according to the documentation for 802.1x, with the 
difference that the filter in the profile (named 802.1x)
is set to 'any' with Connection Type (1) Ethernet-EAP and (2) 
Wireless-802.11-EAP to support wired and wireless auths in our network.

Also we have 2 internal sources: (1) HTL_AD (our Active Directory) and 
(2) file1 (currently unused). And the default external null Source.

Our AD Source has two authentication rules:
(1) Teachers with matches any
     member of    equals    cn=Teachers,OU=...
     member of    equals    cn=Staff,OU=...
     with Action Role = Teacher
              Access Duration 1day

(2) Pupils with matches all
     member of    equals    cn=pupils,OU=...
     with Action Role = Pupil
             Access Duration 12 hours

In our Switches-Section of Packetfence, we created an Identifier for 
every AP and set 'Role mapping by VLAN-ID',
where we entered the different VLAN-IDs. Therefore role Teacher should 
get 772 and Pupil 773. The other IDs
are not used yet. All identifiers were cloned from the first 
one, so there are no differences in configuration.

The problem: it's not working and I can't debug it. Here are the details 
so far:

If User X (member of group Teachers) logs in from his mobile device, he 
is often put in VLAN 771, sometimes in 772

If User Y (member of group pupils) logs in from his mobile device, he is 
often put in VLAN 771, sometimes in 773 and sometimes also 772.

OK, so I took a look in Auditing for both users:

When Node Information displays the Profile 802.1x the entry Role shows 
the given Rolename (Reason is empty) and the RADIUS reply is with
the correct Tunnel-Private-Group-ID (= the VLAN-ID)

When it's not working, the Profile is shown as n/a and Role is empty and 
therefore Tunnel-Private-Group-ID too.

And I can't pinpoint the source of the problem, because:
  - it seems not to be user related (1500 identical, bulk-deployed 
useraccounts, some work sometimes, some don't)
  - it's not access point related (same configuration via Unifi-controller)
  - it seems time related (User X gets the correct VLAN at 10:00, but 
not at 14:30, User Y gets correct VLAN on monday, but not the rest of  
the week)
  - debugging Packetfence is contradictory, because in Web-GUI/Auditing 
User Y gets Role Teacher, but a "pftest authentication UserY pwd" a few
    seconds later in the shell results in role pupil...

************************ The Packetfence.log of a successful user:
Oct 22 13:29:37 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: 
[mac:34:e1:2d:4b:xx:47] Instantiate profile 802.1x 
(pf::Connection::ProfileFactory::_from_profile)
Oct 22 13:29:37 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: 
[mac:34:e1:2d:4b:xx:47] handling radius autz request: from switch_ip => 
(10.71.100.144), connection_type => Wireless-802.11-EAP,switch_mac => 
(76:83:c2:c8:xx:79), mac => [34:e1:2d:4b:xx:47], port => 0, username => 
"USER_Y", ssid => htl-ui-ad (pf::radius::authorize)
Oct 22 13:29:37 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: 
[mac:34:e1:2d:4b:xx:47] Instantiate profile 802.1x 
(pf::Connection::ProfileFactory::_from_profile)
Oct 22 13:29:37 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: 
[mac:34:e1:2d:4b:xx:47] Found authentication source(s) : 'HTL_AD' for 
realm 'null' (pf::config::util::filter_authentication_sources)
Oct 22 13:29:37 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: 
[mac:34:e1:2d:4b:xx:47] Role has already been computed and we don't want 
to recompute it. (pf::role::getNodeInfoForAutoReg)
Oct 22 13:29:37 ippf packetfence_httpd.aaa: httpd.aaa(1089) WARN: 
[mac:34:e1:2d:4b:xx:47] No category computed for autoreg 
(pf::role::getNodeInfoForAutoReg)
Oct 22 13:29:37 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: 
[mac:34:e1:2d:4b:xx:47] Found authentication source(s) : 'HTL_AD' for 
realm 'null' (pf::config::util::filter_authentication_sources)
Oct 22 13:29:37 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: 
[mac:34:e1:2d:4b:xx:47] Role has already been computed and we don't want 
to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
Oct 22 13:29:37 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: 
[mac:34:e1:2d:4b:xx:47] Username was defined "USER_Y" - returning role 
'Pupil' (pf::role::getRegisteredRole)
Oct 22 13:29:37 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: 
[mac:34:e1:2d:4b:xx:47] PID: "USER_Y", Status: reg Returned VLAN: 
(undefined), Role: Pupil (pf::role::fetchRoleForNode)
Oct 22 13:29:37 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: 
[mac:34:e1:2d:4b:xx:47] (10.71.100.144) Added VLAN 773 to the returned 
RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Oct 22 13:29:37 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: 
[mac:34:e1:2d:4b:xx:47] security_event 1300003 force-closed for 
34:e1:2d:4b:xx:47 (pf::security_event::security_event_force_close)
Oct 22 13:29:37 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: 
[mac:34:e1:2d:4b:xx:47] Instantiate profile 802.1x 
(pf::Connection::ProfileFactory::_from_profile)
Oct 22 13:29:38 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: 
[mac:34:e1:2d:4b:xx:47] Updating locationlog from accounting request 
(pf::api::handle_accounting_metadata)
Oct 22 13:29:38 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: 
[mac:34:e1:2d:4b:xx:47] Updating locationlog from accounting request 
(pf::api::handle_accounting_metadata)


********************* This is, when Role-Assignment is unsuccessful:
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: 
[mac:0e:73:54:81:xx:98] handling radius autz request: from switch_ip => 
(10.71.100.112), connection_type => Wireless-802.11-EAP,switch_mac => 
(e2:63:da:65:xx:29), mac => [0e:73:54:81:xx:98], port => 0, username => 
"USER_X", ssid => htl-ui-ad (pf::radius::authorize)
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: 
[mac:0e:73:54:81:xx:98] Instantiate profile 802.1x 
(pf::Connection::ProfileFactory::_from_profile)
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: 
[mac:0e:73:54:81:xx:98] Found authentication source(s) : 'HTL_AD' for 
realm 'null' (pf::config::util::filter_authentication_sources)
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: 
[mac:0e:73:54:81:xx:98] Role has already been computed and we don't want 
to recompute it. (pf::role::getNodeInfoForAutoReg)
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) WARN: 
[mac:0e:73:54:81:xx:98] No category computed for autoreg 
(pf::role::getNodeInfoForAutoReg)
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: 
[mac:0e:73:54:81:xx:98] Found authentication source(s) : 'HTL_AD' for 
realm 'null' (pf::config::util::filter_authentication_sources)
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: 
[mac:0e:73:54:81:xx:98] Role has already been computed and we don't want 
to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) WARN: 
[mac:0e:73:54:81:xx:98] Use of uninitialized value $role in 
concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489.
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: 
[mac:0e:73:54:81:xx:98] Username was NOT defined or unable to match a 
role - returning node based role '' (pf::role::getRegisteredRole)
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: 
[mac:0e:73:54:81:xx:98] PID: "default", Status: reg Returned VLAN: 
(undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) WARN: 
[mac:0e:73:54:81:xx:98] Use of uninitialized value $vlanName in hash 
element at /usr/local/pf/lib/pf/Switch.pm line 608.
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) WARN: 
[mac:0e:73:54:81:xx:98] Use of uninitialized value $vlanName in 
concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 611.
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) WARN: 
[mac:0e:73:54:81:xx:98] No parameter Vlan found in conf/switches.conf 
for the switch 10.71.100.112 (pf::Switch::getVlanByName)
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: 
[mac:0e:73:54:81:xx:98] security_event 1300003 force-closed for 
0e:73:54:81:xx:98 (pf::security_event::security_event_force_close)
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: 
[mac:0e:73:54:81:xx:98] Instantiate profile 802.1x 
(pf::Connection::ProfileFactory::_from_profile)
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: 
[mac:0e:73:54:81:xx:98] Updating locationlog from accounting request 
(pf::api::handle_accounting_metadata)

I hope someone can help me. Just ask if you need any more logs or 
information.

regards
Chris

P.S.: MAC-addresses were obfuscated in the log!


_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
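An added triage helper for the kind of comparison Chris does by hand above. This is example code written for this page; it is not part of PacketFence and was not posted by the author. It parses packetfence.log lines in the httpd.aaa format shown in the two traces, groups them into one record per "handling radius autz request", and flags requests that ended with Role (undefined), additionally marking records whose stored PID differs from the RADIUS username (in the failing trace the PID is "default" while the username is USER_X). The sample log embedded in the block is constructed from the two posted traces, unwrapped to one line per entry and with the same obfuscated MACs; the regexes and field names are assumptions derived from those lines only, so other message variants will simply be ignored.

```python
import re

# Constructed sample: the two packetfence.log traces from the post (obfuscated
# MACs kept as posted), reduced to the lines the parser below cares about.
SAMPLE_LOG = """\
Oct 22 13:29:37 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: [mac:34:e1:2d:4b:xx:47] handling radius autz request: from switch_ip => (10.71.100.144), connection_type => Wireless-802.11-EAP,switch_mac => (76:83:c2:c8:xx:79), mac => [34:e1:2d:4b:xx:47], port => 0, username => "USER_Y", ssid => htl-ui-ad (pf::radius::authorize)
Oct 22 13:29:37 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: [mac:34:e1:2d:4b:xx:47] Username was defined "USER_Y" - returning role 'Pupil' (pf::role::getRegisteredRole)
Oct 22 13:29:37 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: [mac:34:e1:2d:4b:xx:47] PID: "USER_Y", Status: reg Returned VLAN: (undefined), Role: Pupil (pf::role::fetchRoleForNode)
Oct 22 13:29:37 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: [mac:34:e1:2d:4b:xx:47] (10.71.100.144) Added VLAN 773 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: [mac:0e:73:54:81:xx:98] handling radius autz request: from switch_ip => (10.71.100.112), connection_type => Wireless-802.11-EAP,switch_mac => (e2:63:da:65:xx:29), mac => [0e:73:54:81:xx:98], port => 0, username => "USER_X", ssid => htl-ui-ad (pf::radius::authorize)
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: [mac:0e:73:54:81:xx:98] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) INFO: [mac:0e:73:54:81:xx:98] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Oct 22 12:21:17 ippf packetfence_httpd.aaa: httpd.aaa(1089) WARN: [mac:0e:73:54:81:xx:98] No parameter Vlan found in conf/switches.conf for the switch 10.71.100.112 (pf::Switch::getVlanByName)
"""

# Line layout as seen in the post: timestamp, host, daemon, pid, level, [mac:..], message.
# These patterns are assumptions based only on the posted lines.
LINE_RE = re.compile(r'^(?P<ts>\w{3} +\d+ [\d:]+) \S+ \S+ \S+ (?P<level>\w+): '
                     r'\[mac:(?P<mac>[0-9a-fx:]+)\] (?P<msg>.*)$')
AUTZ_RE = re.compile(r'handling radius autz request: from switch_ip => \((?P<switch>[^)]+)\)'
                     r'.*?username => "(?P<user>[^"]*)"')
ROLE_RE = re.compile(r'PID: "(?P<pid>[^"]*)", Status: (?P<status>\w+) Returned VLAN: '
                     r'\((?P<vlan>[^)]*)\), Role: (?P<role>\S+) \(pf::role::fetchRoleForNode\)')
VLAN_RE = re.compile(r'Added VLAN (?P<vlan>\d+) to the returned RADIUS Access-Accept')


def parse_packetfence_log(text):
    """Group httpd.aaa lines into one record per RADIUS authorization request.

    A 'handling radius autz request' line opens a new record for its MAC; the
    fetchRoleForNode, Added VLAN and WARN lines that follow for the same MAC
    are attached to that record until the next request for the MAC starts.
    """
    records, open_by_mac = [], {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        mac, level, msg = m.group('mac'), m.group('level'), m.group('msg')
        a = AUTZ_RE.search(msg)
        if a:
            rec = {'ts': m.group('ts'), 'mac': mac, 'switch': a.group('switch'),
                   'username': a.group('user'), 'pid': None, 'role': None,
                   'vlan': None, 'warnings': []}
            records.append(rec)
            open_by_mac[mac] = rec
            continue
        rec = open_by_mac.get(mac)
        if rec is None:
            continue                       # line for a MAC we never saw a request for
        r = ROLE_RE.search(msg)
        if r:
            rec['pid'], rec['role'] = r.group('pid'), r.group('role')
            continue
        v = VLAN_RE.search(msg)
        if v:
            rec['vlan'] = int(v.group('vlan'))
            continue
        if level == 'WARN':
            rec['warnings'].append(msg)
    return records


def role_missing(rec):
    """True when fetchRoleForNode returned no usable role for the request."""
    return rec['role'] in (None, '', '(undefined)')


def failed_requests(records):
    """Requests that ended without a role and therefore without a Tunnel-Private-Group-ID."""
    return [r for r in records if role_missing(r)]


def pid_username_mismatch(rec):
    """True when the node's stored PID is not the username the RADIUS request carried."""
    return rec['pid'] is not None and rec['pid'] != rec['username']


def report(records):
    """One summary line per request, FAIL rows first column, for eyeballing a day's log."""
    lines = []
    for r in records:
        status = 'FAIL' if role_missing(r) else 'OK  '
        note = ' pid!=username' if pid_username_mismatch(r) else ''
        lines.append(f"{status} {r['ts']} {r['mac']} switch={r['switch']} "
                     f"user={r['username']} pid={r['pid']} role={r['role']} "
                     f"vlan={r['vlan']} warnings={len(r['warnings'])}{note}")
    return lines


if __name__ == '__main__':
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print('\n'.join(report(parse_packetfence_log(text))))
```

Run it against the real file (on a default install this is /usr/local/pf/logs/packetfence.log; adjust the path if the installation differs) to get one line per authorization request; sorting the FAIL rows by MAC or by username makes the "works at 10:00, not at 14:30" pattern visible across the whole day instead of one Auditing entry at a time.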
