inverse-inc / packetfence

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) solution. Boasting an impressive feature set including a captive-portal for registration and remediation, centralized wired and wireless management, powerful BYOD management options, 802.1X support, layer-2 isolation of problematic devices; PacketFence can be used to effectively secure networks small to very large heterogeneous networks.
https://packetfence.org
GNU General Public License v2.0

AD domain user creation error (person.pid is NULL) #6361

Closed bbs2web closed 3 years ago

bbs2web commented 3 years ago

We recently upgraded from PF 10.2 to 10.3 running on Debian 9. Registered nodes work without any problems but new registrations are broken by the user account not being created.

My understanding of the following logs is that AD authentication and identity sources are correctly granting access to the RADIUS request and then placing the system in the registration network. When the user accepts the agreement, the process of creating the local reference account fails as it doesn't retrieve the uid or set the uid as sAMAccountName.

When a new user / node association is attempted:

May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) WARN: [mac:unknown] Unable to match MAC address to IP '192.168.10.53' (pf::ip4log::ip2mac)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) WARN: [mac:00:11:22:33:44:55] Unable to match MAC address to IP '192.168.10.53' (pf::ip4log::ip2mac)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) INFO: [mac:00:11:22:33:44:55] Instantiate profile Wireless_802.1x (pf::Connection::ProfileFactory::_from_profile)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) INFO: [mac:00:11:22:33:44:55] Authenticating user using sources : companyad_computers,companyad_users (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) INFO: [mac:00:11:22:33:44:55] Reusing 802.1x credentials with username 'davidh' and realm 'null' (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) INFO: [mac:00:11:22:33:44:55] Using sources companyad_users for matching (pf::authentication::match)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) WARN: [mac:00:11:22:33:44:55] [companyad_users staff] Searching for (sAMAccountName=davidh), from ou=Users,ou=Company,dc=redacted, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) INFO: [mac:00:11:22:33:44:55] Matched rule (staff) in source companyad_users, returning actions. (pf::Authentication::Source::match_rule)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) INFO: [mac:00:11:22:33:44:55] Matched rule (staff) in source companyad_users, returning actions. (pf::Authentication::Source::match)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) INFO: [mac:00:11:22:33:44:55] Found source companyad_users in session. (Class::MOP::Class:::around)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) INFO: [mac:00:11:22:33:44:55] User davidh has authenticated on the portal. (Class::MOP::Class:::after)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) INFO: [mac:00:11:22:33:44:55] Found source companyad_users in session. (Class::MOP::Class:::around)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) INFO: [mac:00:11:22:33:44:55] Found source companyad_users in session. (Class::MOP::Class:::around)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) ERROR: [mac:00:11:22:33:44:55] Trying to save a NULL value in a non nullable field person.pid (pf::dal::validate_field)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) WARN: [mac:unknown] Unable to match MAC address to IP '192.168.10.53' (pf::ip4log::ip2mac)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) WARN: [mac:00:11:22:33:44:55] Unable to match MAC address to IP '192.168.10.53' (pf::ip4log::ip2mac)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) INFO: [mac:00:11:22:33:44:55] Instantiate profile Wireless_802.1x (pf::Connection::ProfileFactory::_from_profile)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) INFO: [mac:00:11:22:33:44:55] Authenticating user using sources : companyad_computers,companyad_users (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) INFO: [mac:00:11:22:33:44:55] Reusing 802.1x credentials with username 'davidh' and realm 'null' (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) INFO: [mac:00:11:22:33:44:55] Using sources companyad_users for matching (pf::authentication::match)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) WARN: [mac:00:11:22:33:44:55] [companyad_users staff] Searching for (sAMAccountName=davidh), from ou=Users,ou=Company,dc=redacted, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) INFO: [mac:00:11:22:33:44:55] Matched rule (staff) in source companyad_users, returning actions. (pf::Authentication::Source::match_rule)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) INFO: [mac:00:11:22:33:44:55] Matched rule (staff) in source companyad_users, returning actions. (pf::Authentication::Source::match)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) INFO: [mac:00:11:22:33:44:55] Found source companyad_users in session. (Class::MOP::Class:::around)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) INFO: [mac:00:11:22:33:44:55] User davidh has authenticated on the portal. (Class::MOP::Class:::after)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) INFO: [mac:00:11:22:33:44:55] Found source companyad_users in session. (Class::MOP::Class:::around)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) INFO: [mac:00:11:22:33:44:55] Found source companyad_users in session. (Class::MOP::Class:::around)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) ERROR: [mac:00:11:22:33:44:55] Trying to save a NULL value in a non nullable field person.pid (pf::dal::validate_field)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) ERROR: [mac:00:11:22:33:44:55] Skipping invalid value (NULL) in when inserting field person.pid (pf::dal::_insert_data)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) ERROR: [mac:00:11:22:33:44:55] Trying to save a NULL value in a non nullable field person.pid (pf::dal::validate_field)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) ERROR: [mac:00:11:22:33:44:55] Skipping invalid value (NULL) in when inserting field person.pid (pf::dal::_insert_data)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) WARN: [mac:00:11:22:33:44:55] Warning: 1364: Field 'pid' doesn't have a default value (pf::dal::db_execute)
May 15 12:46:54 packetfence2 pfqueue: pfqueue(2522) INFO: [mac:unknown] Already did a person lookup for davidh (pf::lookup::person::lookup_person)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) WARN: [mac:00:11:22:33:44:55] Use of uninitialized value $pid in lc at /usr/local/pf/lib/pf/person.pm line 252.
 (pf::person::person_modify)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) WARN: [mac:00:11:22:33:44:55] Use of uninitialized value $new_pid in lc at /usr/local/pf/lib/pf/person.pm line 252.
 (pf::person::person_modify)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) ERROR: [mac:00:11:22:33:44:55] Trying to save a NULL value in a non nullable field person.pid (pf::dal::validate_field)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) ERROR: [mac:00:11:22:33:44:55] Skipping invalid value (NULL) in when inserting field person.pid (pf::dal::_insert_data)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) ERROR: [mac:00:11:22:33:44:55] Trying to save a NULL value in a non nullable field person.pid (pf::dal::validate_field)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) ERROR: [mac:00:11:22:33:44:55] Skipping invalid value (NULL) in when inserting field person.pid (pf::dal::_insert_data)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) WARN: [mac:00:11:22:33:44:55] Warning: 1364: Field 'pid' doesn't have a default value (pf::dal::db_execute)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) WARN: [mac:00:11:22:33:44:55] Use of uninitialized value $pid in string ne at /usr/local/pf/lib/pf/person.pm line 261.
 (pf::person::person_modify)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) WARN: [mac:00:11:22:33:44:55] Use of uninitialized value $new_pid in string ne at /usr/local/pf/lib/pf/person.pm line 261.
 (pf::person::person_modify)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) INFO: [mac:00:11:22:33:44:55] Found source companyad_users in session. (Class::MOP::Class:::around)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) WARN: [mac:00:11:22:33:44:55] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) INFO: [mac:00:11:22:33:44:55] Using sources companyad_users for matching (pf::authentication::match)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) INFO: [mac:00:11:22:33:44:55] Found source companyad_users in session. (Class::MOP::Class:::around)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) WARN: [mac:00:11:22:33:44:55] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) INFO: [mac:00:11:22:33:44:55] Using sources companyad_users for matching (pf::authentication::match)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) INFO: [mac:00:11:22:33:44:55] Found source companyad_users in session. (Class::MOP::Class:::around)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) WARN: [mac:00:11:22:33:44:55] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) INFO: [mac:00:11:22:33:44:55] Using sources companyad_users for matching (pf::authentication::match)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) ERROR: [mac:00:11:22:33:44:55] [companyad_users] Missing parameters to construct LDAP filter (pf::Authentication::Source::LDAPSource::match_in_subclass)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) INFO: [mac:00:11:22:33:44:55] Found source companyad_users in session. (Class::MOP::Class:::around)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) WARN: [mac:00:11:22:33:44:55] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) INFO: [mac:00:11:22:33:44:55] Using sources companyad_users for matching (pf::authentication::match)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) ERROR: [mac:00:11:22:33:44:55] [companyad_users] Missing parameters to construct LDAP filter (pf::Authentication::Source::LDAPSource::match_in_subclass)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) WARN: [mac:00:11:22:33:44:55] Execute actions of module default_policy+default_registration_policy+default_login_policy did not succeed. (captiveportal::PacketFence::DynamicRouting::Module::done)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) ERROR: [mac:00:11:22:33:44:55] Skipping invalid value (NULL) in when inserting field person.pid (pf::dal::_insert_data)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) ERROR: [mac:00:11:22:33:44:55] Trying to save a NULL value in a non nullable field person.pid (pf::dal::validate_field)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) ERROR: [mac:00:11:22:33:44:55] Skipping invalid value (NULL) in when inserting field person.pid (pf::dal::_insert_data)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) WARN: [mac:00:11:22:33:44:55] Warning: 1364: Field 'pid' doesn't have a default value (pf::dal::db_execute)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) WARN: [mac:00:11:22:33:44:55] Use of uninitialized value $pid in lc at /usr/local/pf/lib/pf/person.pm line 252.
 (pf::person::person_modify)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) WARN: [mac:00:11:22:33:44:55] Use of uninitialized value $new_pid in lc at /usr/local/pf/lib/pf/person.pm line 252.
 (pf::person::person_modify)
May 15 12:46:54 packetfence2 pfqueue: pfqueue(2522) INFO: [mac:unknown] Already did a person lookup for davidh (pf::lookup::person::lookup_person)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) ERROR: [mac:00:11:22:33:44:55] Trying to save a NULL value in a non nullable field person.pid (pf::dal::validate_field)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) ERROR: [mac:00:11:22:33:44:55] Skipping invalid value (NULL) in when inserting field person.pid (pf::dal::_insert_data)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) ERROR: [mac:00:11:22:33:44:55] Trying to save a NULL value in a non nullable field person.pid (pf::dal::validate_field)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) ERROR: [mac:00:11:22:33:44:55] Skipping invalid value (NULL) in when inserting field person.pid (pf::dal::_insert_data)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) WARN: [mac:00:11:22:33:44:55] Warning: 1364: Field 'pid' doesn't have a default value (pf::dal::db_execute)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) WARN: [mac:00:11:22:33:44:55] Use of uninitialized value $pid in string ne at /usr/local/pf/lib/pf/person.pm line 261.
 (pf::person::person_modify)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) WARN: [mac:00:11:22:33:44:55] Use of uninitialized value $new_pid in string ne at /usr/local/pf/lib/pf/person.pm line 261.
 (pf::person::person_modify)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) INFO: [mac:00:11:22:33:44:55] Found source companyad_users in session. (Class::MOP::Class:::around)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) WARN: [mac:00:11:22:33:44:55] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) INFO: [mac:00:11:22:33:44:55] Using sources companyad_users for matching (pf::authentication::match)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) INFO: [mac:00:11:22:33:44:55] Found source companyad_users in session. (Class::MOP::Class:::around)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) WARN: [mac:00:11:22:33:44:55] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) INFO: [mac:00:11:22:33:44:55] Using sources companyad_users for matching (pf::authentication::match)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) INFO: [mac:00:11:22:33:44:55] Found source companyad_users in session. (Class::MOP::Class:::around)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) WARN: [mac:00:11:22:33:44:55] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) INFO: [mac:00:11:22:33:44:55] Using sources companyad_users for matching (pf::authentication::match)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) ERROR: [mac:00:11:22:33:44:55] [companyad_users] Missing parameters to construct LDAP filter (pf::Authentication::Source::LDAPSource::match_in_subclass)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) INFO: [mac:00:11:22:33:44:55] Found source companyad_users in session. (Class::MOP::Class:::around)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) WARN: [mac:00:11:22:33:44:55] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) INFO: [mac:00:11:22:33:44:55] Using sources companyad_users for matching (pf::authentication::match)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) ERROR: [mac:00:11:22:33:44:55] [companyad_users] Missing parameters to construct LDAP filter (pf::Authentication::Source::LDAPSource::match_in_subclass)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) WARN: [mac:00:11:22:33:44:55] Execute actions of module default_policy+default_registration_policy+default_login_policy did not succeed. (captiveportal::PacketFence::DynamicRouting::Module::done)
May 15 12:46:54 packetfence2 pfqueue: pfqueue(2532) WARN: [mac:unknown] Unable to perform a Fingerbank lookup for device with MAC address '00:11:22:33:44:55' (pf::fingerbank::process)
May 15 12:46:54 packetfence2 pfqueue: pfqueue(2532) INFO: [mac:unknown] One of the two device class is empty in the transition. Not evaluating it. (pf::fingerbank::device_class_transition_allowed)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2866) WARN: [mac:unknown] Unable to match MAC address to IP '192.168.10.53' (pf::ip4log::ip2mac)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2866) WARN: [mac:00:11:22:33:44:55] Unable to match MAC address to IP '192.168.10.53' (pf::ip4log::ip2mac)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2866) INFO: [mac:00:11:22:33:44:55] Instantiate profile Wireless_802.1x (pf::Connection::ProfileFactory::_from_profile)
May 15 12:46:54 packetfence2 pfqueue: pfqueue(2532) WARN: [mac:unknown] Unable to perform a Fingerbank lookup for device with MAC address '00:11:22:33:44:55' (pf::fingerbank::process)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2866) WARN: [mac:unknown] Unable to match MAC address to IP '192.168.10.53' (pf::ip4log::ip2mac)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2866) WARN: [mac:00:11:22:33:44:55] Unable to match MAC address to IP '192.168.10.53' (pf::ip4log::ip2mac)
May 15 12:46:54 packetfence2 pfqueue: pfqueue(2532) INFO: [mac:unknown] One of the two device class is empty in the transition. Not evaluating it. (pf::fingerbank::device_class_transition_allowed)
May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2866) INFO: [mac:00:11:22:33:44:55] Instantiate profile Wireless_802.1x (pf::Connection::ProfileFactory::_from_profile)

RADIUS PEAP-MSCHAPv2 is successful: image

nqb commented 3 years ago

Hello @bbs2web,

Could you provide exact steps to replicate?

bbs2web commented 3 years ago

I have an AD domain configured: image

We have internal sources configured, one for workstation authentication prior to login and another as a user identity source: image

The user identity source has the following authentication and administration roles: image

If I then go to 'Users' and delete my 'davidh' account, then delete the node for my device and finally connect to the WiFi network I am correctly placed in the registration VLAN. I accept the agreement and then select username/password authentication after which I receive the above error.

At this point I can work around the problem by manually creating a 'davidh' user and then editing the node PF recreated to set its owner. Then I can connect...

My understanding of the above logs is that PF is unable to retrieve the PID from AD although logs show authentication for 'davidh' succeeding...

bbs2web commented 3 years ago

Just to clarify, users and devices that were created prior to us upgrading PF 10.2 to 10.3 continue to work. Guests can register without a problem (although guests generally get 'your computer was not found in the PF database. Please reboot to solve the issue' until they refresh a couple of seconds later; this is a completely different issue though).

Any new staff member since upgrading to PF 10.3 has problems registering as it can't create the user object on PF.

bbs2web commented 3 years ago

Herewith the relevant scrubbed content of the authentication.conf file:

[companyad_users]
password=**********************
write_timeout=5
description=Redacted AD - Users
scope=sub
realms=null,REDACTED,ad.redacted.local
type=AD
connection_timeout=1
binddn=auth-packetfence@ad.redacted.local
read_timeout=10
cache_match=0
host=ad.redacted.local
port=636
searchattributes=
monitor=1
shuffle=0
email_attribute=mail
encryption=ssl
basedn=ou=Users,ou=Company,dc=ad,dc=redacted,dc=local
usernameattribute=sAMAccountName
dynamic_routing_module=AuthModule
dead_duration=60
set_access_durations_action=

[companyad_users rule pf_admin]
condition0=memberOf,is member of,cn=packetfence-admin,ou=3rd Party,ou=Security Groups,ou=Company,dc=ad,dc=redacted,dc=local
status=enabled
match=all
description=Member of 'packetfence-admin' AD security group
class=administration
action0=set_access_level=ALL

[companyad_users rule pf_reviewer]
match=all
description=Member of 'packetfence_reviewer' AD security group
status=enabled
condition0=memberOf,is member of,cn=packetfence-reviewer,ou=3rd Party,ou=Security Groups,ou=Company,dc=ad,dc=redacted,dc=local
action0=set_access_level=Reviewer
class=administration

[companyad_users rule staff]
class=authentication
action0=set_role=staff
match=all
description=Member of 'Company' AD security group
status=enabled
action1=set_access_duration=1M
condition0=memberOf,is member of,cn=Company,ou=Company,ou=Security Groups,ou=Company,dc=ad,dc=redacted,dc=local

nqb commented 3 years ago

Could you provide profiles.conf ?

bbs2web commented 3 years ago

Absolutely, herewith the content of /usr/local/pf/conf/profiles.conf:

[Wireless_802.1x]
advanced_filter=
description=Wireless 802.1x
sources=companyad_computers,companyad_users
locale=
filter=connection_type:Wireless-802.11-EAP
reuse_dot1x_credentials=enabled

[Wireless_MAC]
filter=connection_type:Wireless-802.11-NoEAP
locale=
advanced_filter=
description=Wireless MAC Authentication
sources=sms,email,companyad_users

bbs2web commented 3 years ago

Just re-reading my correspondence and the following is out of context: I accept the agreement and then select username/password authentication after which I receive the above error.

Should have read something along the lines of: If I connect to the 802.1X SSID I am prompted to accept the agreement after which the error about not being able to lookup the pid appears in the diagnostic logs. If I connect to the MAC authentication SSID I accept the agreement and then select the username/password login option. When I enter valid credentials the same error about not being able to lookup the pid appears in the logs.

Applicable log entries:

INFO: Instantiate profile Wireless_802.1x (pf::Connection::ProfileFactory::_from_profile)
INFO: Authenticating user using sources : companyad_computers,companyad_users (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
INFO: Reusing 802.1x credentials with username 'davidh' and realm 'null' (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
INFO: Using sources companyad_users for matching (pf::authentication::match)
WARN: [companyad_users staff] Searching for (sAMAccountName=davidh), from ou=Users,ou=Company,dc=redacted, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
INFO: Matched rule (staff) in source companyad_users, returning actions. (pf::Authentication::Source::match_rule)
INFO: Matched rule (staff) in source companyad_users, returning actions. (pf::Authentication::Source::match)
INFO: Found source companyad_users in session. (Class::MOP::Class:::around)
INFO: User davidh has authenticated on the portal. (Class::MOP::Class:::after)
INFO: Found source companyad_users in session. (Class::MOP::Class:::around)
INFO: Found source companyad_users in session. (Class::MOP::Class:::around)
ERROR: Trying to save a NULL value in a non nullable field person.pid (pf::dal::validate_field)

nqb commented 3 years ago

Hello,

According to profiles.conf, if you have the same issue on Wireless_802.1x and Wireless_MAC when using the companyad_users source, I think the reuse_dot1x_credentials setting is not responsible.

However, I see this error in the log: May 15 12:46:54 packetfence2 packetfence_httpd.portal: httpd.portal(2865) ERROR: [mac:00:11:22:33:44:55] [companyad_users] Missing parameters to construct LDAP filter (pf::Authentication::Source::LDAPSource::match_in_subclass)

and I suspect this error is responsible for the next ones.

Could you replace your LDAP memberOf condition condition0=memberOf,is member of,cn=Company,ou=Company,ou=Security Groups,ou=Company,dc=ad,dc=redacted,dc=local with

condition0=memberOf,equals,cn=Company,ou=Company,ou=Security Groups,ou=Company,dc=ad,dc=redacted,dc=local

and check if you still see errors in packetfence.log when you are doing registration using captive portal.
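
As an added illustration (not PacketFence's own code) of what the suggested 'equals' condition turns into on the wire, the hypothetical Python builder below converts an authentication.conf condition line into the RFC 4515 search filter that later appears in the thread, rejects operators it does not know instead of emitting an incomplete filter, and escapes assertion values so a username typed into the captive portal cannot change the filter's structure. The function names escape_filter_value, parse_condition and build_filter are assumptions of this example.

```python
"""Build an RFC 4515 LDAP search filter from PacketFence-style rule conditions.

Hypothetical re-implementation for illustration only; the real
pf::Authentication::Source::LDAPSource code is not reproduced here.
"""
from __future__ import annotations

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\0": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def parse_condition(line: str) -> tuple[str, str, str]:
    """Parse a 'conditionN=attribute,operator,value' line from authentication.conf.

    The value is a DN and itself contains commas, so split only on the first two.
    """
    _, _, rhs = line.partition("=")
    attribute, operator, value = rhs.split(",", 2)
    return attribute.strip(), operator.strip(), value.strip()


def build_filter(username_attribute: str, username: str, conditions: list[str]) -> str:
    """Return the AND filter for a username plus the rule's conditions.

    Shape matches the one logged in the thread:
    (&(sAMAccountName=davidh)(memberOf=cn=Company,...)).
    Only the 'equals' operator is supported here; any other operator raises
    instead of silently dropping the condition from the filter.
    """
    terms = [f"({username_attribute}={escape_filter_value(username)})"]
    for line in conditions:
        attribute, operator, value = parse_condition(line)
        if operator != "equals":
            raise ValueError(f"unsupported operator {operator!r} in {line!r}")
        terms.append(f"({attribute}={escape_filter_value(value)})")
    if len(terms) == 1:
        return terms[0]
    return "(&" + "".join(terms) + ")"


if __name__ == "__main__":
    # Constructed input: the staff rule from the thread, with the 'equals' operator.
    staff_rule = [
        "condition0=memberOf,equals,cn=Company,ou=Company,ou=Security Groups,"
        "ou=Company,dc=ad,dc=redacted,dc=local"
    ]
    print(build_filter("sAMAccountName", "davidh", staff_rule))
    # A hostile username is neutralised rather than becoming extra filter terms.
    print(build_filter("sAMAccountName", "*)(objectClass=*", []))
```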

bbs2web commented 3 years ago

Hi Nicolas,

I changed condition0 to replace 'is member of' with 'equals':

[companyad_users rule staff]
class=authentication
action0=set_role=staff
match=all
description=Member of 'Company' AD security group
status=enabled
action1=set_access_duration=1M
condition0=memberOf,equals,cn=Company,ou=Company,ou=Security Groups,ou=Company,dc=ad,dc=redacted,dc=local

I then deleted the node and user account, issued a /usr/local/pf/bin/pfcmd configreload hard before restarting the whole system. Thereafter I attempted to connect to the Pre-Shared Key (PSK) SSID which correctly directs me to the registration portal where I enter credentials via the username/password form. The end result is unfortunately no better, although the 'Missing parameters to construct LDAP filter' reference no longer appears:

May 27 07:08:06 packetfence2 pfqueue: pfqueue(5075) WARN: [mac:00:11:22:33:44:55] Unable to match MAC address to IP '192.168.10.53' (pf::ip4log::ip2mac)
May 27 07:08:06 packetfence2 pfqueue: pfqueue(5270) WARN: [mac:00:11:22:33:44:55] Unable to match MAC address to IP '192.168.10.53' (pf::ip4log::ip2mac)
May 27 07:08:06 packetfence2 pfqueue: pfqueue(5270) INFO: [mac:00:11:22:33:44:55] oldip (192.168.10.234) and newip (192.168.10.53) are different for 00:11:22:33:44:55 - closing ip4log entry (pf::api::update_ip4log)
May 27 07:08:06 packetfence2 pfqueue: pfqueue(5075) INFO: [mac:00:11:22:33:44:55] oldip (192.168.10.234) and newip (192.168.10.53) are different for 00:11:22:33:44:55 - closing ip4log entry (pf::api::update_ip4log)
May 27 07:08:06 packetfence2 pfqueue: pfqueue(5075) WARN: [mac:00:11:22:33:44:55] Unable to match MAC address to IP '192.168.10.53' (pf::ip4log::ip2mac)
May 27 07:08:06 packetfence2 pfqueue: pfqueue(5270) WARN: [mac:00:11:22:33:44:55] Unable to match MAC address to IP '192.168.10.53' (pf::ip4log::ip2mac)
May 27 07:08:06 packetfence2 pfqueue: pfqueue(5270) INFO: [mac:00:11:22:33:44:55] oldip (192.168.10.234) and newip (192.168.10.53) are different for 00:11:22:33:44:55 - closing ip4log entry (pf::api::update_ip4log)
May 27 07:08:06 packetfence2 pfqueue: pfqueue(5075) INFO: [mac:00:11:22:33:44:55] oldip (192.168.10.234) and newip (192.168.10.53) are different for 00:11:22:33:44:55 - closing ip4log entry (pf::api::update_ip4log)
May 27 07:08:07 packetfence2 pfqueue: pfqueue(5194) WARN: [mac:unknown] Unable to perform a Fingerbank lookup for device with MAC address '00:11:22:33:44:55' (pf::fingerbank::process)
May 27 07:08:07 packetfence2 pfqueue: pfqueue(5194) WARN: [mac:unknown] Unable to perform a Fingerbank lookup for device with MAC address '00:11:22:33:44:55' (pf::fingerbank::process)
May 27 07:08:10 packetfence2 packetfence_httpd.portal: httpd.portal(2657) INFO: [mac:00:11:22:33:44:55] Instantiate profile Wireless_MAC (pf::Connection::ProfileFactory::_from_profile)
May 27 07:08:10 packetfence2 packetfence_httpd.portal: httpd.portal(2657) INFO: [mac:00:11:22:33:44:55] Instantiate profile Wireless_MAC (pf::Connection::ProfileFactory::_from_profile)
May 27 07:08:18 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] Instantiate profile Wireless_MAC (pf::Connection::ProfileFactory::_from_profile)
May 27 07:08:18 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] Instantiate profile Wireless_MAC (pf::Connection::ProfileFactory::_from_profile)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] Found authentication source(s) : 'companyad_users' for realm 'null' (pf::config::util::filter_authentication_sources)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] Authenticating user using sources : companyad_users (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] [companyad_users] Authentication successful for davidh (pf::Authentication::Source::LDAPSource::authenticate)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] Authentication successful for davidh in source companyad_users (AD) (pf::authentication::authenticate)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] User davidh has authenticated on the portal. (Class::MOP::Class:::after)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] person davidh added (pf::person::person_add)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] Found source companyad_users in session. (Class::MOP::Class:::around)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] Found source companyad_users in session. (Class::MOP::Class:::around)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] Successfully authenticated davidh (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] User davidh has authenticated on the portal. (Class::MOP::Class:::after)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] Found source companyad_users in session. (Class::MOP::Class:::around)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] Found source companyad_users in session. (Class::MOP::Class:::around)
May 27 07:08:19 packetfence2 pfqueue: pfqueue(5231) INFO: [mac:unknown] Already did a person lookup for davidh (pf::lookup::person::lookup_person)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] Found source companyad_users in session. (Class::MOP::Class:::around)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] User davidh has authenticated on the portal. (Class::MOP::Class:::after)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) WARN: [mac:00:11:22:33:44:55] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] Using sources companyad_users for matching (pf::authentication::match)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) WARN: [mac:00:11:22:33:44:55] [companyad_users staff] Searching for (&(sAMAccountName=davidh)(memberOf=cn=Company,ou=Company,ou=Security Groups,ou=Company,dc=ad,dc=redacted,dc=local)), from ou=Users,ou=Company,dc=ad,dc=redacted,dc=local, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] Found source companyad_users in session. (Class::MOP::Class:::around)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] User davidh has authenticated on the portal. (Class::MOP::Class:::after)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) WARN: [mac:00:11:22:33:44:55] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] Using sources companyad_users for matching (pf::authentication::match)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] Found source companyad_users in session. (Class::MOP::Class:::around)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] User davidh has authenticated on the portal. (Class::MOP::Class:::after)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) WARN: [mac:00:11:22:33:44:55] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] Using sources companyad_users for matching (pf::authentication::match)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) WARN: [mac:00:11:22:33:44:55] [companyad_users staff] Searching for (&(sAMAccountName=davidh)(memberOf=cn=Company,ou=Company,ou=Security Groups,ou=Company,dc=ad,dc=redacted,dc=local)), from ou=Users,ou=Company,dc=ad,dc=redacted,dc=local, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] Found source companyad_users in session. (Class::MOP::Class:::around)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] User davidh has authenticated on the portal. (Class::MOP::Class:::after)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) WARN: [mac:00:11:22:33:44:55] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] Using sources companyad_users for matching (pf::authentication::match)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) WARN: [mac:00:11:22:33:44:55] Execute actions of module default_policy+default_registration_policy+default_login_policy did not succeed. (captiveportal::PacketFence::DynamicRouting::Module::done)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2658) INFO: [mac:00:11:22:33:44:55] Instantiate profile Wireless_MAC (pf::Connection::ProfileFactory::_from_profile)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] Found authentication source(s) : 'companyad_users' for realm 'null' (pf::config::util::filter_authentication_sources)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] Authenticating user using sources : companyad_users (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] [companyad_users] Authentication successful for davidh (pf::Authentication::Source::LDAPSource::authenticate)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] Authentication successful for davidh in source companyad_users (AD) (pf::authentication::authenticate)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] User davidh has authenticated on the portal. (Class::MOP::Class:::after)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] person davidh added (pf::person::person_add)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] Found source companyad_users in session. (Class::MOP::Class:::around)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] Found source companyad_users in session. (Class::MOP::Class:::around)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] Successfully authenticated davidh (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] User davidh has authenticated on the portal. (Class::MOP::Class:::after)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] Found source companyad_users in session. (Class::MOP::Class:::around)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] Found source companyad_users in session. (Class::MOP::Class:::around)
May 27 07:08:19 packetfence2 pfqueue: pfqueue(5231) INFO: [mac:unknown] Already did a person lookup for davidh (pf::lookup::person::lookup_person)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] Found source companyad_users in session. (Class::MOP::Class:::around)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] User davidh has authenticated on the portal. (Class::MOP::Class:::after)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) WARN: [mac:00:11:22:33:44:55] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] Using sources companyad_users for matching (pf::authentication::match)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) WARN: [mac:00:11:22:33:44:55] [companyad_users staff] Searching for (&(sAMAccountName=davidh)(memberOf=cn=Company,ou=Company,ou=Security Groups,ou=Company,dc=ad,dc=redacted,dc=local)), from ou=Users,ou=Company,dc=ad,dc=redacted,dc=local, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] Found source companyad_users in session. (Class::MOP::Class:::around)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] User davidh has authenticated on the portal. (Class::MOP::Class:::after)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) WARN: [mac:00:11:22:33:44:55] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] Using sources companyad_users for matching (pf::authentication::match)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] Found source companyad_users in session. (Class::MOP::Class:::around)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] User davidh has authenticated on the portal. (Class::MOP::Class:::after)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) WARN: [mac:00:11:22:33:44:55] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] Using sources companyad_users for matching (pf::authentication::match)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) WARN: [mac:00:11:22:33:44:55] [companyad_users staff] Searching for (&(sAMAccountName=davidh)(memberOf=cn=Company,ou=Company,ou=Security Groups,ou=Company,dc=ad,dc=redacted,dc=local)), from ou=Users,ou=Company,dc=ad,dc=redacted,dc=local, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] Found source companyad_users in session. (Class::MOP::Class:::around)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] User davidh has authenticated on the portal. (Class::MOP::Class:::after)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) WARN: [mac:00:11:22:33:44:55] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] Using sources companyad_users for matching (pf::authentication::match)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) WARN: [mac:00:11:22:33:44:55] Execute actions of module default_policy+default_registration_policy+default_login_policy did not succeed. (captiveportal::PacketFence::DynamicRouting::Module::done)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2658) INFO: [mac:00:11:22:33:44:55] Instantiate profile Wireless_MAC (pf::Connection::ProfileFactory::_from_profile)
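The portal log above is dense, and the line that actually matters for this issue (`Execute actions of module ... did not succeed`) is buried among repeated session messages. The following is an added example, not PacketFence code, of a small parser that reads `packetfence_httpd.portal` lines in the format shown in this thread, correlates them per MAC address, and flags sessions where the user authenticated against the AD source and a `person` row was added, yet the portal's registration actions failed. The sample lines are constructed for the example (modeled on the ones posted here, with a second MAC and username invented to show the healthy case); the regexes are assumptions based only on the log format visible in this thread.

```python
import re
from collections import defaultdict

# Constructed sample input, modeled on the packetfence_httpd.portal lines in this issue.
# The aa:bb:cc:dd:ee:ff / alice session is invented to show a registration that did not fail.
SAMPLE_LOG = """\
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] [companyad_users] Authentication successful for davidh (pf::Authentication::Source::LDAPSource::authenticate)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) INFO: [mac:00:11:22:33:44:55] person davidh added (pf::person::person_add)
May 27 07:08:19 packetfence2 pfqueue: pfqueue(5231) INFO: [mac:unknown] Already did a person lookup for davidh (pf::lookup::person::lookup_person)
May 27 07:08:19 packetfence2 packetfence_httpd.portal: httpd.portal(2659) WARN: [mac:00:11:22:33:44:55] Execute actions of module default_policy+default_registration_policy+default_login_policy did not succeed. (captiveportal::PacketFence::DynamicRouting::Module::done)
May 27 07:09:02 packetfence2 packetfence_httpd.portal: httpd.portal(2660) INFO: [mac:aa:bb:cc:dd:ee:ff] [companyad_users] Authentication successful for alice (pf::Authentication::Source::LDAPSource::authenticate)
May 27 07:09:02 packetfence2 packetfence_httpd.portal: httpd.portal(2660) INFO: [mac:aa:bb:cc:dd:ee:ff] person alice added (pf::person::person_add)
"""

# One syslog-style portal line: timestamp, host, program, "proc(pid)", level, [mac:...], message, (perl function).
# This layout is an assumption derived from the lines posted in the issue.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\S+): (?P<proc>\S+) "
    r"(?P<level>[A-Z]+): \[mac:(?P<mac>[^\]]+)\] (?P<msg>.*) \((?P<func>[^()]+)\)$"
)

# Message patterns that mark the three steps we care about.
AUTH_OK_RE = re.compile(r"^\[(?P<source>[^\]]+)\] Authentication successful for (?P<user>\S+)$")
PERSON_ADD_RE = re.compile(r"^person (?P<user>\S+) added$")
ACTIONS_FAILED_RE = re.compile(r"^Execute actions of module (?P<module>\S+) did not succeed\.$")


def parse_line(line):
    """Split one portal log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text):
    """Build a per-MAC summary: who authenticated, from which source,
    whether a person row was added, and which portal module (if any) failed."""
    sessions = defaultdict(lambda: {"user": None, "source": None,
                                    "person_added": False, "failed_module": None})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["mac"] == "unknown":
            continue  # pfqueue lines carry no MAC and cannot be correlated
        s = sessions[rec["mac"]]
        msg = rec["msg"]
        if (m := AUTH_OK_RE.match(msg)):
            s["user"], s["source"] = m["user"], m["source"]
        elif PERSON_ADD_RE.match(msg):
            s["person_added"] = True
        elif (m := ACTIONS_FAILED_RE.match(msg)):
            s["failed_module"] = m["module"]
    return dict(sessions)


def broken_registrations(log_text):
    """MACs whose user authenticated and got a person row, yet the portal's
    registration actions did not succeed: the symptom reported in this issue."""
    return sorted(mac for mac, s in analyze(log_text).items()
                  if s["user"] and s["person_added"] and s["failed_module"])


if __name__ == "__main__":
    for mac, s in analyze(SAMPLE_LOG).items():
        status = f"FAILED in {s['failed_module']}" if s["failed_module"] else "ok"
        print(f"{mac}  user={s['user']}  source={s['source']}  person_added={s['person_added']}  {status}")
    print("broken:", broken_registrations(SAMPLE_LOG))
```

Run it against `/usr/local/pf/logs/packetfence.log` (or wherever the portal log is collected) by reading the file into `analyze()`; any MAC returned by `broken_registrations()` is a session where the user exists but never got linked to the node, which is the condition worth alerting on before users start reporting the permission message.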
nqb commented 3 years ago

Hello @bbs2web,

I don't see any error messages in your latest comment.

  1. What is your current behavior after you "enter credentials via the username/password form"?
  2. What is your expected behavior after you "enter credentials via the username/password form"?

Thanks.

bbs2web commented 3 years ago

Hi,

With PF 10.2 the configuration shown above would end up registering the device for the authenticating user. With PF 10.3 the node and user are created but not associated with each other.

The device receives the message 'Your do not have permission to register a device with this username', which appears to match the output in the logs above (Execute actions of module default_policy+default_registration_policy+default_login_policy did not succeed. (captiveportal::PacketFence::DynamicRouting::Module::done)).

PF creates an entry for the user, although required fields are empty. Herewith an example where I registered with an account called 'exam': image

Node information: image

roles.conf:

[staff]
max_nodes_per_pid=0
notes=Member of 'company' security group
inherit_web_auth_url=disabled
inherit_role=disabled
inherit_vlan=disabled
fingerbank_dynamic_access_list=disabled
nqb commented 3 years ago

Hello,

I tried to replicate your issue on Debian 9 with PF 10.3 and all maintenance patches without success.

What I did:

=> My user is correctly created in database
=> My node is correctly registered
=> Both are linked

Do you use a specific portal module? In your profiles.conf, I don't see any change, so I assume you used the default portal module on the connection profile.

Could you show us your portal_modules.conf?

bbs2web commented 3 years ago

Hi,

Many thanks for your help, I applied the latest available patches, issued a hard config reload and it's working perfectly now. I presume the issue may simply have been switching out the 'is member of' with 'equals' to overcome the LDAP filter construction error; unless something else that got fixed somewhere remediated it...

Many thanks, wishing you a good weekend!
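The LDAP filter PacketFence logs for the `staff` rule above, `(&(sAMAccountName=davidh)(memberOf=cn=Company,...))`, is assembled from the authenticated username and the configured group DN. As an added example, not PacketFence's own code, the block below builds that same filter while escaping both values per RFC 4515, so that a username or DN containing `*`, `(`, `)`, `\` or NUL cannot change the structure of the search. The function names and the `uid_attr` parameter are assumptions for the example; the group DN and username are the ones visible in the log lines in this thread.

```python
# RFC 4515 (LDAP search filter string representation) requires these characters
# inside an assertion value to be written as a backslash followed by two hex digits.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a single assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def member_filter(username: str, group_dn: str, uid_attr: str = "sAMAccountName") -> str:
    """Build the '(&(uid_attr=user)(memberOf=group))' filter with escaped values.

    uid_attr defaults to sAMAccountName, the attribute shown in this issue's logs;
    the parameter itself is an assumption of this example."""
    return (
        f"(&({uid_attr}={escape_filter_value(username)})"
        f"(memberOf={escape_filter_value(group_dn)}))"
    )


if __name__ == "__main__":
    # Group DN and username as they appear in the log lines posted in this thread.
    group = "cn=Company,ou=Company,ou=Security Groups,ou=Company,dc=ad,dc=redacted,dc=local"
    print(member_filter("davidh", group))
    # A constructed value with filter metacharacters stays a plain string match.
    print(member_filter("dav*d)(objectClass=*", group))
```

With the plain username the output is byte-for-byte the filter seen in the `match_in_subclass` log line; with the constructed second input the metacharacters are escaped rather than interpreted, which is the property to check whenever a filter is built from a value a user typed into a portal form.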

bbs2web commented 3 years ago

PS: portal_modules.conf is blank, using the defaults in portal_modules.conf.defaults