PacketFence - BTS - PacketFence
View Issue Details
IDProjectCategoryView StatusDate SubmittedLast Update
0001656PacketFencecaptive portalpublic2013-06-27 06:012015-02-18 11:07
Reportermuhlig 
Assigned Tolmunro 
PrioritynormalSeveritymajorReproducibilityalways
StatusclosedResolutionfixed 
PlatformOSOS Version
Product Versiondevel 
Target VersionFixed in Version 
fixed in git revision
fixed in mtn revision
Summary0001656: node doesn't get registered (Unable to perform RADIUS authentication)
DescriptionSnapshot packetfence-4.0.2-0.20130627.el6.noarch.rpm. After clicking "Login", captive portal writes: "Invalid username/password for all authentication sources".

Steps To Reproduce
Additional InformationHowever user gets 802.1x authentication ok. See radius.log:

Thu Jun 27 11:40:37 2013 : Auth: Login OK: [user@dom.ain] (from client packetfence port 0)

Nevertheless user node isn't registered. See packetfence.log:

Jun 27 11:40:37 register.cgi(0) ERROR: Unable to perform RADIUS authentication on any server: EBADAUTH (pf::Authentication::Source::RADIUSSource::authenticate)

Additionally, there is portal error. See portal_error_log (2 kinds of error message):

Use of uninitialized value in subroutine entry at /usr/local/pf/lib/pf/web/dispatcher.pm line 56.
[Thu Jun 27 11:41:59 2013] -e: Use of uninitialized value in subroutine entry at /usr/local/pf/lib/pf/web/dispatcher.pm line 56.
Use of uninitialized value in subroutine entry at /usr/local/pf/lib/pf/web/dispatcher.pm line 56.

 
TagsNo tags attached.
Relationships
Attached Fileslog radius.log (2,500) 2013-08-07 06:55
https://www.packetfence.org/bugs/file_download.php?file_id=182&type=bug
Issue History
Date ModifiedUsernameFieldChange
2013-06-27 06:01muhligNew Issue
2013-07-31 20:06fdurandNote Added: 0003357
2013-08-01 02:03muhligNote Added: 0003361
2013-08-01 08:21fdurandNote Added: 0003366
2013-08-07 06:55muhligFile Added: radius.log
2013-08-07 07:00muhligNote Added: 0003389
2013-08-07 07:24muhligNote Edited: 0003389
2015-02-18 11:07lmunroNote Added: 0003954
2015-02-18 11:07lmunroStatusnew => closed
2015-02-18 11:07lmunroAssigned To => lmunro
2015-02-18 11:07lmunroResolutionopen => fixed

Notes
(0003357)
fdurand   
2013-07-31 20:06   
Hello,
did you try tcmdump to see radius traffic ?
Also the error Use of uninitialized value in subroutine entry at /usr/local/pf/lib/pf/web/dispatcher.pm line 56 is just a warning that mean there is no referer in the http headers.

Regards
Fabrice
(0003361)
muhlig   
2013-08-01 02:03   
It seems to me radius.log entry "Auth: Login OK" says radius server was found and responded correctly - while register.cgi doesn't see any radius server. And this was inconsistent, wasn't it?

Warning, you say? I found it in portal_error.log and there was no indication of "warning" so I assumed this is an error :-)

However this is rather old issue and the snapshot is outdated already. I'm going to try this once more after 4.0.4 is released.
(0003366)
fdurand   
2013-08-01 08:21   
I think in your setup you added a radius authentication source.
First you receive a radius request from your switch/access point and after on the captive portal packetfence try to check your username and password on your authentication source EBADAUTH.
So the problem is between packetfence and EBADAUTH it why i told you to sniff the radius traffic packetfence end EBADAUTH.

Fabrice
(0003389)
muhlig   
2013-08-07 07:00   
(edited on: 2013-08-07 07:24)
Radius authentication source is there indeed. Communication between packetfence and radius server also is correct. Real problem is packetfence rejecting otherwise previously correctly authenticated user. See attached log excerpt (in Attached Files).

+++[packetfence] returns reject
++- if (!EAP-Type || (EAP-Type != 21 && EAP-Type != 25)) returns reject

Looks like not-EAP message is invalid here. Any hint?

Best regards,
MU
(0003954)
lmunro   
2015-02-18 11:07   
Not a bug.
Don't use unsuported versions.