inverse-inc / packetfence

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) solution. It boasts an impressive feature set, including a captive portal for registration and remediation, centralized wired and wireless management, powerful BYOD management options, 802.1X support, and layer-2 isolation of problematic devices. PacketFence can be used to effectively secure networks, from small to very large heterogeneous networks.
https://packetfence.org
GNU General Public License v2.0

Error auto register packetfence 9.3 Zen #5202

Open wagnerhitss opened 4 years ago

wagnerhitss commented 4 years ago

Good afternoon dear,

I have the following problem: In my organization we have deployed PacketFence version 8 and we want to upgrade to version 9.3 Zen. However, we are unable to approve it due to a BUG in the self registration of the computers' MAC address. Below is a part of the log:

No role specified or found for pid ANA \ pereira (MAC d0: 94: 66: db: ee: 7d); assumes maximum number of registered nodes is reached (pf :: node :: is_max_reg_nodes_reached)

plpcktfpdin01 packetfence_httpd.aaa: httpd.aaa (9837) ERROR: [mac: d0: 94: 66: db: ee: 7d] max nodes per pid met or exceeded - registration of d0: 94: 66: db: ae: 7d to ANA \ pereira failed (pf :: registration :: setup_node_for_registration)

plpcktfpdin01 packetfence_httpd.aaa: httpd.aaa (9837) ERROR: [mac: d0: 94: 66: db: ee: 7d] auto-registration of node failed max nodes per pid met or exceeded (pf :: radius :: authorize)

plpcktfpdin01 packetfence_httpd.aaa: httpd.aaa (9837) ERROR: [mac: d0: 94: 66: db: ee: 7d] Database query failed with non retryable error: Cannot add or update a child row: a foreign key constraint fails (pf.node, CONSTRAINT0_57 FOREIGN KEY (tenant_id,pid) REFERENCES person (tenant_id, pid) ON DELETE CASCADE ON UPDATE CASCADE) (errno: 1452) [ INSERT INTO node (autoreg,bandwidth_balance, bypass_role_id,bypass_vlan, category_id,computername, detect_date,device_class, device_manufacturer,device_score, device_type,  device_version,dhcp6_enterprise, dhcp6_fingerprint,dhcp_fingerprint, dhcp_vendor,last_arp, last_dhcp,last_seen, lastskip,mac, machine_account,notes ,  regdate, sessionid,status, tenant_id,time_balance, unregdate,user_agent, voip) VALUES (?,?,?,?,?,?,?,?, ?,?,?,?,?,?,?,?,?,?, NOW (),?,?,?,?,?,?,?,?,?,?,?,?,?)  ON DUPLICATE KEY UPDATEautoreg=?, Last_seen= NOW (),pid=?, Status=?,Tenant_id` =?] {Yes, NULL, NULL, NULL, NULL, NULL, 2020 -03-13 19:08:50, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,  0000-00-00 00:00:00, 0000-00-00 00:00:00, 0000-00-00 00:00:00, d0: 94: 66: db: ae: 7d, NULL, NULL, ANA \ pereira, 0000-00-00 00:00:00, NULL, reg, 1, NULL, 0000-00-00 00:00:00, NULL, no, yes, ANATEL \ pereira, reg, 1}  (pf :: dal :: db_execute)

Note: Authentication is aimed at the AD server. We have a rule, and function for the VLANs of each switch, and even so it is not possible to register automatically by 802.1X.

Sincerely,

Wagner Morais Network analyst

julsemaan commented 4 years ago

Good morning dear,

This is happening because the authentication rule isn't matching so no role is being assigned to the node.

This isn't a bug in PacketFence but the fact that it shows a scary SQL error isn't good since it gives a false impression of a bug.

@jrouzierinverse, could you check to get this caught because it spits out this error and provide a better logging statement (like 'no role has been found for the device')?

@wagnerhitss, please use the mailing list to get your actual issue fixed, as this is a configuration issue and not an actual bug.

Dearest regards

wagnerhitss commented 4 years ago

Ok Julien,

Thanks for the feedback, I will use the mailing list.

graciously

nqb commented 4 years ago

Solution: Try to make person_add before we create node in DB. Need to check if it works in read-only mode.
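The failure and the two remedies discussed in this thread (a clear "no role" message, and creating the person row before the node), as an added example that is not PacketFence code. It models only the `(tenant_id, pid)` foreign key named in the log, using SQLite instead of MariaDB; the function names, the role value and the sample MAC and pid are constructed for illustration.

```python
import sqlite3

# Simplified stand-in for the two tables named in the logged constraint (assumption:
# only the key columns are modelled; SQLite's ON CONFLICT replaces ON DUPLICATE KEY UPDATE).
SCHEMA = """
CREATE TABLE person (tenant_id INTEGER, pid TEXT, PRIMARY KEY (tenant_id, pid));
CREATE TABLE node (
    tenant_id INTEGER, mac TEXT, pid TEXT, status TEXT,
    PRIMARY KEY (tenant_id, mac),
    FOREIGN KEY (tenant_id, pid) REFERENCES person (tenant_id, pid)
        ON DELETE CASCADE ON UPDATE CASCADE
);
"""
UPSERT = """INSERT INTO node (tenant_id, mac, pid, status) VALUES (?, ?, ?, 'reg')
ON CONFLICT (tenant_id, mac) DO UPDATE SET pid = excluded.pid, status = 'reg'"""

MAC = "00:00:5e:00:53:01"   # constructed sample value
PID = "EXAMPLE\\user"       # constructed sample value

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite enforces foreign keys only when enabled
    db.executescript(SCHEMA)
    return db

def register_naive(db, tenant_id, mac, pid):
    """Write the node without checking that its owner exists in person."""
    try:
        db.execute(UPSERT, (tenant_id, mac, pid))
        return "registered"
    except sqlite3.IntegrityError as exc:
        return f"error: {exc}"  # the raw constraint error, as in the reported log

def register_checked(db, tenant_id, mac, pid, role):
    """Stop early with a readable message when no role matched; otherwise
    create the person row first so the node's foreign key is satisfied."""
    if role is None:
        return f"no role has been found for the device {mac}"
    db.execute("INSERT OR IGNORE INTO person (tenant_id, pid) VALUES (?, ?)",
               (tenant_id, pid))
    db.execute(UPSERT, (tenant_id, mac, pid))
    return "registered"

if __name__ == "__main__":
    db = open_db()
    print(register_naive(db, 1, MAC, PID))
    print(register_checked(db, 1, MAC, PID, None))
    print(register_checked(db, 1, MAC, PID, "employee"))
```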