View Issue Details

ID | Project | Category | View Status | Date Submitted | Last Update
0001677 | PacketFence | 802.1x | public | 2013-08-01 18:24 | 2015-02-18 11:03
Reporter | victor
Assigned To | lmunro
Priority | normal | Severity | major | Reproducibility | always
Status | closed | Resolution | won't fix
Product Version | 4.0.1
Summary | 0001677: No VLAN name can be found when doing EAP
Description | Version 4.0.3: PacketFence can't find the VLAN number for a node after successful EAP-PEAP authentication.

Aug 01 15:55:48 pf::WebAPI(10383) INFO: handling radius autz request: from switch_ip => 10.8.254.18, connection_type => Wireless-802.11-EAP mac => 64:80:99:6e:68:c0, port => 650, username => victor.shustov (pf::radius::authorize)
Aug 01 15:55:48 pf::WebAPI(10383) WARN: Unable to extract SSID for module pf::SNMP::Cisco::Aironet_1130. SSID-based VLAN assignments won't work. Make sure you enable Vendor Specific Attributes (VSA) on the AP if you want them to work. (pf::SNMP::Cisco::Aironet::extractSsid)
Aug 01 15:55:48 pf::WebAPI(10383) WARN: No parameter Vlan found in conf/switches.conf for the switch 10.8.254.18 (pf::SNMP::getVlanByName)
Aug 01 15:55:48 pf::WebAPI(10383) WARN: Resolved VLAN for node is not properly defined: Replacing with macDetectionVlan (pf::vlan::fetchVlanForNode)
Aug 01 15:55:48 pf::WebAPI(10383) INFO: MAC: 64:80:99:6e:68:c0, PID: victor.shustov@comtech.ca, Status: reg. Returned VLAN: 1 (pf::vlan::fetchVlanForNode)
Aug 01 15:55:48 pf::WebAPI(10383) WARN: Role-based Network Access Control is not supported on network device type pf::SNMP::Cisco::Aironet_1130. (pf::SNMP::supportsRoleBasedEnforcement)

But for the same node it pulls the correct VLAN when the authentication type is NoEAP (MAC-based):

Aug 01 16:02:31 pf::WebAPI(10382) INFO: handling radius autz request: from switch_ip => 10.8.254.18, connection_type => Wireless-802.11-NoEAP mac => 64:80:99:6e:68:c0, port => 683, username => 6480996e68c0 (pf::radius::authorize)
Aug 01 16:02:31 pf::WebAPI(10382) WARN: Unable to extract SSID for module pf::SNMP::Cisco::Aironet_1130. SSID-based VLAN assignments won't work. Make sure you enable Vendor Specific Attributes (VSA) on the AP if you want them to work. (pf::SNMP::Cisco::Aironet::extractSsid)
Aug 01 16:02:31 pf::WebAPI(10382) INFO: MAC: 64:80:99:6e:68:c0, PID: victor.shustov@comtech.ca, Status: reg. Returned VLAN: 84 (pf::vlan::fetchVlanForNode)
Aug 01 16:02:31 pf::WebAPI(10382) WARN: Role-based Network Access Control is not supported on network device type pf::SNMP::Cisco::Aironet_1130. (pf::SNMP::supportsRoleBasedEnforcement)
Notes
(0003372) fdurand (administrator) 2013-08-01 21:05 |
Hello Victor, it's normal and I will explain why. In PacketFence you probably set an Active Directory authentication source with the user attribute cn. When you do MAC authentication the username is victor.shustov@comtech.ca and matches with an LDAP search. But when you do dot1x the user attribute is victor.shustov, so it misses @comtech.ca and doesn't match the cn. What you have to do is change the post-auth section in the packetfence-tunnel file with something like that:

    post-auth {
        exec
        if ( User-Name =~ /^[^\\]+[\\]+([^\\]+)/ ) {
            update request {
                User-Name := "%{1}";
            }
        }
        update request {
            User-Name := "%{User-Name}@comtech.ca";
        }
        packetfence
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }

Fabrice
(0003379) victor (reporter) 2013-08-02 11:41 |
Gotcha! Thanks Fabrice. I added username victor.shustov with the appropriate role to the Users list to test, and it works now.

Aug 02 09:19:16 pf::WebAPI(10390) INFO: MAC: 64:80:99:6e:68:c0, PID: asd@test.com, Status: reg. Returned VLAN: 84 (pf::vlan::fetchVlanForNode)

But that brings me to another problem I planned to deal with later: broken LDAP username lookup.

Aug 01 11:48:44 register.cgi(0) WARN: Unexpected number of entries found (Net::LDAP::Search=HASH(0xba7ec694)->count) with filter (sAMAccountName=victor.shustov) from ou=Comtech,dc=comtech on 10.X.X.X:389 (pf::Authentication::Source::LDAPSource::authenticate)

I will keep digging into it, but if you know a solution off the top of your head please tell me ;-)
(0003381) fdurand (administrator) 2013-08-02 12:21 |
But should it be sAMAccountName=victor.shustov@comtech.ca?
(0003382) victor (reporter) 2013-08-02 12:26 |
No:

    ldapsearch -h X.X.X.X -p 389 -D "CN=***,OU=***,OU=Comtech,DC=comtech" -b "OU=Comtech,DC=comtech" -w *** -x sAMAccountName=victor.shustov sAMAccountName

    # extended LDIF
    #
    # LDAPv3
    # base <OU=Comtech,DC=comtech> with scope subtree
    # filter: sAMAccountName=victor.shustov
    # requesting: sAMAccountName
    #

    # Victor Shustov, IT, Comtech, comtech
    dn: CN=Victor Shustov,OU=IT,OU=Comtech,DC=comtech
    sAMAccountName: victor.shustov

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1
(0003383) victor (reporter) 2013-08-02 14:03 |
Never mind. My bad. Should have set LDAP scope to subtree. Now it's all good.
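As an added example (not code from this thread or from PacketFence itself), the two failure modes discussed above modelled in Python: the User-Name normalization from Fabrice's post-auth snippet (note 0003372), and a scope-aware LDAP lookup over a constructed directory showing why a one-level search below OU=Comtech,DC=comtech finds no entry for a user in OU=IT, while a subtree search finds exactly one (note 0003383). The realm comtech.ca, the DNs and the assumption that only the 802.1X inner-tunnel name passes through the post-auth rule are taken from the thread's log and ldapsearch excerpts.

```python
import re

# Regex copied from the post-auth snippet in the thread: capture the part after "DOMAIN\".
DOMAIN_PREFIX = re.compile(r"^[^\\]+[\\]+([^\\]+)")
REALM = "comtech.ca"  # realm appended by the snippet (site-specific value from the thread)

def normalize_username(user_name: str, realm: str = REALM) -> str:
    """Mirror the packetfence-tunnel post-auth logic: strip DOMAIN\\, append @realm.
    Assumed to see only the 802.1X inner-tunnel name (MAC auth already carries @realm)."""
    m = DOMAIN_PREFIX.match(user_name)
    if m:
        user_name = m.group(1)
    return f"{user_name}@{realm}"

# Constructed directory mirroring the ldapsearch output in the thread (not real data).
DIRECTORY = {
    "OU=Comtech,DC=comtech": {},
    "OU=IT,OU=Comtech,DC=comtech": {},
    "CN=Victor Shustov,OU=IT,OU=Comtech,DC=comtech": {"sAMAccountName": "victor.shustov"},
}

def _parent(dn: str) -> str:
    """Container DN: everything after the first RDN."""
    return dn.split(",", 1)[1] if "," in dn else ""

def ldap_search(base: str, scope: str, attr: str, value: str) -> list:
    """Return DNs whose attr equals value, restricted by LDAP scope base|one|sub.
    DN matching is simplified (case-sensitive, no whitespace normalisation)."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        if scope == "base":
            in_scope = dn == base
        elif scope == "one":
            in_scope = _parent(dn) == base
        elif scope == "sub":
            in_scope = dn == base or dn.endswith("," + base)
        else:
            raise ValueError(f"unknown scope {scope!r}")
        if in_scope and attrs.get(attr) == value:
            hits.append(dn)
    return hits

def lookup_user(user_name: str, base: str, scope: str):
    """Authenticate-style lookup: the thread's filter is the bare account name
    (sAMAccountName=victor.shustov), so the realm is dropped first. Exactly one
    entry must match; any other count is the 'Unexpected number of entries' case."""
    account = user_name.split("@", 1)[0]
    entries = ldap_search(base, scope, "sAMAccountName", account)
    return entries[0] if len(entries) == 1 else None
```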
(0003953) lmunro (administrator) 2015-02-18 11:03 |
Not a bug. |
Issue History

Date Modified | Username | Field | Change
2013-08-01 18:24 | victor | New Issue |
2013-08-01 21:05 | fdurand | Note Added: 0003372 |
2013-08-02 11:41 | victor | Note Added: 0003379 |
2013-08-02 12:21 | fdurand | Note Added: 0003381 |
2013-08-02 12:26 | victor | Note Added: 0003382 |
2013-08-02 14:03 | victor | Note Added: 0003383 |
2015-02-18 11:03 | lmunro | Note Added: 0003953 |
2015-02-18 11:03 | lmunro | Status | new => closed
2015-02-18 11:03 | lmunro | Assigned To | => lmunro
2015-02-18 11:03 | lmunro | Resolution | open => won't fix