PacketFence - BTS - PacketFence
View Issue Details
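ID: 0001649
Project: PacketFence
Category: 802.1x
View Status: public
Date Submitted: 2013-06-05 10:15
Last Update: 2013-07-31 20:06
Reporter: dgreer
Assigned To: fdurand
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed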
devel 
 
0001649: Problems returning role information from pf::authentication::match
There are actually several things going on here (I think).

First, in logging, there is a logic error in an if statement. Here's the diff:

--- authentication.pm.orig 2013-06-05 07:43:17.390616523 -0500
+++ authentication.pm 2013-06-05 07:43:34.957616501 -0500
@@ -465,7 +465,7 @@
         return undef;
     }

- if (defined $action) {
+ if (! defined $action) {
         $logger->debug("No source matches action $action");
     } else {
         $logger->debug("Returning actions ".join(', ', map { $_->type." = ".$_->value } @$actions ));
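
Review bot: In the new "! defined $action" branch the debug call still interpolates $action, which is undefined by construction there, so the message can never name an action and Perl will warn about an uninitialized value. The wording "No source matches action $action" only makes sense when a specific action was requested, which is what the original "defined $action" test expresses, with the else branch listing the collected @$actions. I would keep the original condition; if the concern is that nothing useful is logged when no rule matches, add a separate debug line for that case instead of inverting the test.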


Once that was found and fixed, I was able to see that I was getting matches but no returns. I have been staring at the code for quite a while and can't figure this out. I added a debugging logging entry in the "foreach my $condition..." in Authentication/Source.pm so I could see what was being looked at, and I can see that all my conditions are being hit, but even when I've set one specifically to match, it fails to return any actions (or, apparently, to match).

Here's the log entries:

Jun 05 08:56:07 pf::WebAPI(24234) WARN: switch = pf::SNMP::Motorola::RFS=HASH(0x7fa24f9d9340), ifIndex = 1, mac = 00:22:fb:56:9d:3c, node_info = HASH(0x7fa24f9ddb00), connection_type = Wireless-802.11-EAP, user_name = DPTLABS_NT\\dgreer, ssid = BasicEmployees (pf::vlan::getNormalVlan)
Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Trying to determine VLAN from role. (pf::vlan::getNormalVlan)
Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Match called with parameters SSID => BasicEmployees, connection_type => Wireless-802.11-EAP, username => DPTLABS_NT\\dgreer (pf::authentication::match)
Jun 05 08:56:07 pf::WebAPI(24234) WARN: Match called with parameters SSID => BasicEmployees, connection_type => Wireless-802.11-EAP, username => DPTLABS_NT\\dgreer (pf::authentication::match)
Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Matching rules for action set_role in source local (SQL) (pf::authentication::match)
Jun 05 08:56:07 pf::WebAPI(24234) WARN: Matching rules for action set_role in source local (SQL) (pf::authentication::match)
Jun 05 08:56:07 pf::WebAPI(24234) TRACE: attempt #0 to run query temporary_password_view_sql from module temporary_password (pf::db::db_query_execute)
Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Database statements not prepared, preparing... (pf::db::db_query_execute)
Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Preparing pf::temporary_password database queries (pf::temporary_password::temporary_password_db_prepare)
Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Matching rules for action set_role in source file1 (Htpasswd) (pf::authentication::match)
Jun 05 08:56:07 pf::WebAPI(24234) WARN: Matching rules for action set_role in source file1 (Htpasswd) (pf::authentication::match)
Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Checking condition username equals admin (pf::Authentication::Source::match)
Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Matching rules for action set_role in source ad1 (AD) (pf::authentication::match)
Jun 05 08:56:07 pf::WebAPI(24234) WARN: Matching rules for action set_role in source ad1 (AD) (pf::authentication::match)
Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Checking condition sAMAccountName equals DPTLABS_NT\\dgreer (pf::Authentication::Source::match)
Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Matching rules in LDAP source. (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: LDAP filter: (&(sAMAccountName=DPTLABS_NT\\dgreer)(sAMAccountName=DPTLABS_NT\\dgreer)) (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Searching for (&(sAMAccountName=DPTLABS_NT\\dgreer)(sAMAccountName=DPTLABS_NT\\dgreer)), from DC=dpt,DC=DFB,DC=NET, with scope one (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Returning actions (pf::authentication::match)
Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Username was defined (DPTLABS_NT\\dgreer) - got role ARRAY(0x7fa24f9f3bd0) (pf::vlan::getNormalVlan)
Jun 05 08:56:07 pf::WebAPI(24234) WARN: vlanName = ARRAY(0x7fa24f9f3bd0) (pf::SNMP::getVlanByName)
Jun 05 08:56:07 pf::WebAPI(24234) WARN: No parameter ARRAY(0x7fa24f9f3bd0)Vlan found in conf/switches.conf for the switch 192.168.99.3 (pf::SNMP::getVlanByName)
Jun 05 08:56:07 pf::WebAPI(24234) WARN: Resolved VLAN for node is not properly defined: Replacing with macDetectionVlan (pf::vlan::fetchVlanForNode)
Jun 05 08:56:07 pf::WebAPI(24234) WARN: vlanName = macDetection (pf::SNMP::getVlanByName)
Jun 05 08:56:07 pf::WebAPI(24234) INFO: MAC: 00:22:fb:56:9d:3c, PID: dgreer, Status: reg. Returned VLAN: 1 (pf::vlan::fetchVlanForNode)

Using CentOS 6.4 with updates.
Using packetfence-4.0.2-0.20130529.el6.noarch.rpm (and friends)
No tags attached.
Issue History
2013-06-05 10:15  dgreer   New Issue
2013-06-05 10:32  fdurand  Note Added: 0003315
2013-06-05 10:38  francis  Note Added: 0003316
2013-06-05 12:04  dgreer   Note Added: 0003317
2013-06-05 12:13  dgreer   Note Added: 0003318
2013-06-05 12:53  dgreer   Note Added: 0003319
2013-06-14 14:26  dgreer   Note Added: 0003326
2013-07-31 20:06  fdurand  Status: new => resolved
2013-07-31 20:06  fdurand  Resolution: open => fixed
2013-07-31 20:06  fdurand  Assigned To => fdurand

Notes
(0003315)
fdurand   
2013-06-05 10:32   
In fact your username doesn't match the sAMAccountName of your Active Directory (I suppose); it should be something like dgreer and not DPTLABS_NT\\dgreer.
So to fix this issue, just have a look there:
https://github.com/inverse-inc/packetfence/blob/devel/raddb/sites-available/packetfence-tunnel
In the post section we rewrite the User-Name attribute to match with AD.
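
A check for the mismatch described in note 0003315, as an added example that is not part of the original thread or of PacketFence's code: it scans "LDAP filter:" debug lines like the ones on this page and flags sAMAccountName terms that still carry a DOMAIN\ prefix, plus ANDed terms whose values differ. The names strip_domain and audit_filters are hypothetical; the two sample lines are copied from the logs in this issue.

```python
import re

# Two "LDAP filter" debug lines copied from the logs in this issue:
# before and after the User-Name rewrite was applied.
SAMPLE_LOG = r"""
Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: LDAP filter: (&(sAMAccountName=DPTLABS_NT\\dgreer)(sAMAccountName=DPTLABS_NT\\dgreer)) (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jun 05 11:06:39 pf::WebAPI(24235) DEBUG: LDAP filter: (&(sAMAccountName=DPTLABS_NT\\dgreer)(sAMAccountName=dgreer)) (pf::Authentication::Source::LDAPSource::match_in_subclass)
"""

# One (sAMAccountName=value) assertion inside a filter string.
TERM = re.compile(r"\(sAMAccountName=([^()]*)\)")


def strip_domain(user_name):
    """Reduce DOMAIN\\user or user@realm to the bare account name."""
    name = user_name.rsplit("\\", 1)[-1]  # text after the last backslash
    return name.split("@", 1)[0]          # text before a realm suffix


def audit_filters(log_text):
    """Flag filters whose sAMAccountName terms cannot match a directory entry."""
    findings = []
    for line in log_text.splitlines():
        if "LDAP filter:" not in line:
            continue
        filt = line.split("LDAP filter:", 1)[1].strip()
        values = TERM.findall(filt)
        # A backslash means the NetBIOS domain prefix is still attached.
        prefixed = sorted({v for v in values if "\\" in v})
        # sAMAccountName is single-valued, so ANDed terms that differ
        # can never be satisfied by the same entry.
        conflicting = filt.startswith("(&") and len(set(values)) > 1
        if prefixed or conflicting:
            findings.append({
                "time": line[:15],
                "prefixed": prefixed,
                "suggested": sorted({strip_domain(v) for v in prefixed}),
                "conflicting": conflicting,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_filters(SAMPLE_LOG):
        print(finding)
```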
(0003316)
francis   
2013-06-05 10:38   
@dgreer: Your patch is incorrect. There's no error in the logic to print the debugging information.
(0003317)
dgreer   
2013-06-05 12:04   
Thanks. I'll take a look at the patch (and roll back my change :^).
(0003318)
dgreer   
2013-06-05 12:13   
Ok, made those changes. I'm getting a return now, but it's returning an array where (I think) a string is required.

Jun 05 11:06:39 pf::WebAPI(24235) DEBUG: Matching rules for action set_role in source ad1 (AD) (pf::authentication::match)
Jun 05 11:06:39 pf::WebAPI(24235) WARN: Matching rules for action set_role in source ad1 (AD) (pf::authentication::match)
Jun 05 11:06:39 pf::WebAPI(24235) DEBUG: Checking condition sAMAccountName equals dgreer (pf::Authentication::Source::match)
Jun 05 11:06:39 pf::WebAPI(24235) DEBUG: Matching rules in LDAP source. (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jun 05 11:06:39 pf::WebAPI(24235) DEBUG: LDAP filter: (&(sAMAccountName=DPTLABS_NT\\dgreer)(sAMAccountName=dgreer)) (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jun 05 11:06:39 pf::WebAPI(24235) DEBUG: Searching for (&(sAMAccountName=DPTLABS_NT\\dgreer)(sAMAccountName=dgreer)), from DC=dpt,DC=DFB,DC=NET, with scope one (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jun 05 11:06:39 pf::WebAPI(24235) DEBUG: Returning actions (pf::authentication::match)
Jun 05 11:06:39 pf::WebAPI(24235) DEBUG: Username was defined (DPTLABS_NT\\dgreer) - got role ARRAY(0x7fa24f9f3b00) (pf::vlan::getNormalVlan)
Jun 05 11:06:39 pf::WebAPI(24235) WARN: vlanName = ARRAY(0x7fa24f9f3b00) (pf::SNMP::getVlanByName)
Jun 05 11:06:39 pf::WebAPI(24235) WARN: No parameter ARRAY(0x7fa24f9f3b00)Vlan found in conf/switches.conf for the switch 192.168.99.3 (pf::SNMP::getVlanByName)
Jun 05 11:06:39 pf::WebAPI(24235) WARN: Resolved VLAN for node is not properly defined: Replacing with macDetectionVlan (pf::vlan::fetchVlanForNode)
Jun 05 11:06:39 pf::WebAPI(24235) WARN: vlanName = macDetection (pf::SNMP::getVlanByName)


The actions are:
Set role : default
Set unregistration date : 2020-01-01
(0003319)
dgreer   
2013-06-05 12:53   
Ok, looks like I forgot to restart PF after undoing the change to authentication.pm.

The ARRAY thing goes away once I stop being stupid, but I'm getting "No source matches action set_role" when I have such an entry.
(0003326)
dgreer   
2013-06-14 14:26   
This was a problem with my configuration: I had an incorrect SNMP config on the device I was using to test the wireless auth stuff. Derek caught this.

You can close this ticket.