PacketFence - BTS - PacketFence
View Issue Details
ID: 0001677
Project: PacketFence
Category: 802.1x
View Status: public
Date Submitted: 2013-08-01 18:24
Last Update: 2015-02-18 11:03
Reporter: victor
Assigned To: lmunro
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: won't fix
Product Version: 4.0.1
0001677: No VLAN name can be found when doing EAP
ver 4.0.3

PacketFence can't find the VLAN number for a node after successful EAP-PEAP authentication.


Aug 01 15:55:48 pf::WebAPI(10383) INFO: handling radius autz request: from switch_ip => 10.8.254.18, connection_type => Wireless-802.11-EAP mac => 64:80:99:6e:68:c0, port => 650, username => victor.shustov (pf::radius::authorize)
Aug 01 15:55:48 pf::WebAPI(10383) WARN: Unable to extract SSID for module pf::SNMP::Cisco::Aironet_1130. SSID-based VLAN assignments won't work. Make sure you enable Vendor Specific Attributes (VSA) on the AP if you want them to work. (pf::SNMP::Cisco::Aironet::extractSsid)
Aug 01 15:55:48 pf::WebAPI(10383) WARN: No parameter Vlan found in conf/switches.conf for the switch 10.8.254.18 (pf::SNMP::getVlanByName)
Aug 01 15:55:48 pf::WebAPI(10383) WARN: Resolved VLAN for node is not properly defined: Replacing with macDetectionVlan (pf::vlan::fetchVlanForNode)
Aug 01 15:55:48 pf::WebAPI(10383) INFO: MAC: 64:80:99:6e:68:c0, PID: victor.shustov@comtech.ca, Status: reg. Returned VLAN: 1 (pf::vlan::fetchVlanForNode)
Aug 01 15:55:48 pf::WebAPI(10383) WARN: Role-based Network Access Control is not supported on network device type pf::SNMP::Cisco::Aironet_1130. (pf::SNMP::supportsRoleBasedEnforcement)


But for the same node it pulls the correct VLAN when the authentication type is NoEAP (MAC-based):

Aug 01 16:02:31 pf::WebAPI(10382) INFO: handling radius autz request: from switch_ip => 10.8.254.18, connection_type => Wireless-802.11-NoEAP mac => 64:80:99:6e:68:c0, port => 683, username => 6480996e68c0 (pf::radius::authorize)
Aug 01 16:02:31 pf::WebAPI(10382) WARN: Unable to extract SSID for module pf::SNMP::Cisco::Aironet_1130. SSID-based VLAN assignments won't work. Make sure you enable Vendor Specific Attributes (VSA) on the AP if you want them to work. (pf::SNMP::Cisco::Aironet::extractSsid)
Aug 01 16:02:31 pf::WebAPI(10382) INFO: MAC: 64:80:99:6e:68:c0, PID: victor.shustov@comtech.ca, Status: reg. Returned VLAN: 84 (pf::vlan::fetchVlanForNode)
Aug 01 16:02:31 pf::WebAPI(10382) WARN: Role-based Network Access Control is not supported on network device type pf::SNMP::Cisco::Aironet_1130. (pf::SNMP::supportsRoleBasedEnforcement)
No tags attached.
Issue History
2013-08-01 18:24  victor   New Issue
2013-08-01 21:05  fdurand  Note Added: 0003372
2013-08-02 11:41  victor   Note Added: 0003379
2013-08-02 12:21  fdurand  Note Added: 0003381
2013-08-02 12:26  victor   Note Added: 0003382
2013-08-02 14:03  victor   Note Added: 0003383
2015-02-18 11:03  lmunro   Note Added: 0003953
2015-02-18 11:03  lmunro   Status: new => closed
2015-02-18 11:03  lmunro   Assigned To: => lmunro
2015-02-18 11:03  lmunro   Resolution: open => won't fix

Notes
(0003372)
fdurand   
2013-08-01 21:05   
Hello Victor,
It's normal and I will explain why.
In PacketFence you probably set an Active Directory authentication source with the user attribute cn.
When you do MAC authentication the username is victor.shustov@comtech.ca and matches with an LDAP search.
But when you do dot1x the user attribute is victor.shustov, so it misses @comtech.ca and doesn't match the cn.
What you have to do is change the post-auth section in the packetfence-tunnel file to something like this:

post-auth {
        exec
        # Strip a NetBIOS "DOMAIN\user" prefix so only the bare user name is left
        if ( User-Name =~ /^[^\\]+[\\]+([^\\]+)/ ) {
                update request {
                        User-Name := "%{1}"
                }
        }
        # Append the realm so the name matches what the Active Directory source expects
        update request {
                User-Name := "%{User-Name}@comtech.ca"
        }
        packetfence
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}
 
Fabrice
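As an added illustration that is not code from this thread or from PacketFence: the Python below models what the post-auth rewrite above does to User-Name, using the same regex for the DOMAIN\user prefix. The realm comtech.ca and the identity string the authentication source is assumed to expect (victor.shustov@comtech.ca, the PID seen in the MAC-auth log) are assumptions for the example, and the "known users" set is constructed. It also shows one caveat of the snippet as posted: the realm is appended unconditionally, so a supplicant that already sends user@comtech.ca would come out as user@comtech.ca@comtech.ca; the second function only appends when no realm is present. Python is used so it runs stand-alone; the real rewrite lives in FreeRADIUS unlang.

```python
import re

# Assumed realm for this example; the thread's deployment uses comtech.ca.
REALM = "comtech.ca"

# Same pattern as the posted unlang snippet: "DOMAIN\user" -> capture "user".
NETBIOS_PREFIX = re.compile(r"^[^\\]+[\\]+([^\\]+)")

# Constructed stand-in for what the Active Directory source matches on.
KNOWN_USERS = {"victor.shustov@comtech.ca"}


def strip_netbios_prefix(user_name: str) -> str:
    """Return the bare user name if a DOMAIN\\ prefix is present, else unchanged."""
    m = NETBIOS_PREFIX.match(user_name)
    return m.group(1) if m else user_name


def rewrite_as_posted(user_name: str, realm: str = REALM) -> str:
    """Mirror the posted post-auth block exactly: strip the prefix, always append @realm."""
    return f"{strip_netbios_prefix(user_name)}@{realm}"


def rewrite_safely(user_name: str, realm: str = REALM) -> str:
    """Same rewrite, but leave a name alone if it already carries a realm.

    This avoids the double-realm result the unconditional append produces
    for supplicants that send a UPN-style user@realm name.
    """
    bare = strip_netbios_prefix(user_name)
    return bare if "@" in bare else f"{bare}@{realm}"


def matches_source(user_name: str) -> bool:
    """True if the (rewritten) User-Name matches an identity in the constructed source."""
    return user_name in KNOWN_USERS


if __name__ == "__main__":
    # The three User-Name forms a dot1x supplicant commonly sends.
    for raw in ("victor.shustov", "COMTECH\\victor.shustov", "victor.shustov@comtech.ca"):
        print(f"{raw!r:32} posted -> {rewrite_as_posted(raw)!r:42} "
              f"safe -> {rewrite_safely(raw)!r}")
    # Without the rewrite the bare dot1x name does not match the source at all.
    print("bare name matches:", matches_source("victor.shustov"))
    print("rewritten matches:", matches_source(rewrite_as_posted("victor.shustov")))
```

Note that in the NoEAP (MAC-based) case the RADIUS User-Name is the MAC address and PacketFence takes the PID from the node's registration, which is why that path already returned the right VLAN in the original report; the rewrite only matters for the EAP path.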
(0003379)
victor   
2013-08-02 11:41   
Gotcha! Thanks Fabrice.

I added username victor.shustov with appropriate role to the Users list to test and it works now.

Aug 02 09:19:16 pf::WebAPI(10390) INFO: MAC: 64:80:99:6e:68:c0, PID: asd@test.com, Status: reg. Returned VLAN: 84 (pf::vlan::fetchVlanForNode)

But that brings me to another problem I planned to deal with later: broken LDAP username lookup

Aug 01 11:48:44 register.cgi(0) WARN: Unexpected number of entries found (Net::LDAP::Search=HASH(0xba7ec694)->count) with filter (sAMAccountName=victor.shustov) from ou=Comtech,dc=comtech on 10.X.X.X:389 (pf::Authentication::Source::LDAPSource::authenticate)

I will keep digging into it but if you know a solution off top of your head please tell me ;-)
(0003381)
fdurand   
2013-08-02 12:21   
But should it be sAMAccountName=victor.shustov@comtech.ca ?
(0003382)
victor   
2013-08-02 12:26   
No

 ldapsearch -h X.X.X.X -p 389 -D "CN=***,OU=***,OU=Comtech,DC=comtech" -b "OU=Comtech,DC=comtech" -w *** -x sAMAccountName=victor.shustov sAMAccountName


# extended LDIF
#
# LDAPv3
# base <OU=Comtech,DC=comtech> with scope subtree
# filter: sAMAccountName=victor.shustov
# requesting: sAMAccountName
#

# Victor Shustov, IT, Comtech, comtech
dn: CN=Victor Shustov,OU=IT,OU=Comtech,DC=comtech
sAMAccountName: victor.shustov

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
(0003383)
victor   
2013-08-02 14:03   
Never mind. My bad. I should have set the LDAP scope to subtree. Now it's all good.
(0003953)
lmunro   
2015-02-18 11:03   
Not a bug.