inverse-inc / packetfence

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) solution. Boasting an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, powerful BYOD management options, 802.1X support, and layer-2 isolation of problematic devices, PacketFence can be used to effectively secure small to very large heterogeneous networks.
https://packetfence.org
GNU General Public License v2.0

Access Duration with Dot1X Local Auth doesn't work #6925

Closed haidl1986 closed 2 years ago

haidl1986 commented 2 years ago

Describe the bug
I deployed Dot1x Authentication with Local Source. In this case, I also configured Access Duration, but it is not applied to the user after authenticating.

To Reproduce
Steps to reproduce the behavior:

  1. Create a user with Access Duration xxx minutes
  2. Create a Connection Profile to serve Dot1x authentication traffic
  3. Adjust database password hashing to cleartext
  4. Enable Radius Authentication with local database
  5. Configure Port Access in Cisco 2960 to authenticate user with dot1x
  6. Follow this link to configure: https://docs.pica8.com/pages/viewpage.action?pageId=27264370

Expected behavior
User must be disconnected when Access Duration expires.

Images

  1. Create User (screenshot)
  2. After User Authenticated (screenshot)
  3. Profile (screenshot)
  4. Radius Log (screenshot)

haidl1986 commented 2 years ago

Could I know whether this is really a bug or a misconfiguration? If it is a misconfiguration, I will research more.

tony3142 commented 2 years ago

Hi guys, I have a similar issue after going to PF 11.2 from PF 11.1. PF 11.1 works fine.

When registering a device, the unregistration time is not set, as shown above in haidl1986's report. The unregistration date and time is not populated during the "Enabling Network access" process (see screenshot). It is all 0000s.

I use in-line layer 2 with NAT and all the trimmings, Portal Page etc. Everything uses the built-in pages with minor HTML mods for the text display. I do not use 802.1x, just local users within PF. The set-up uses "split network" (Registration and production).

I have installed PF 11.1 on Debian 11.1 and Debian 11.2; all works as expected. I have installed PF 11.2 on Debian 11.1 and Debian 11.2; the issue appears with Access Duration.

My configuration uses a number of roles, each role has one static user assigned (A room), and the password is a name. I run a registration network and a production network.

As a side note, there was another bug that affected the Access Duration. Once set, it was not possible to change it from the GUI; that has been fixed with a maintenance update.


To replicate:

  1. Install Debian 11.2 and prep it according to install instructions
  2. Install PF 11.2 and set up a VLAN with a basic Portal page with one or two roles and set up a user for each role.
  3. Set up registration and production networks (Split network)
  4. Set up a password for the user
  5. Test by "logging in" through the portal and observe the unregistration time not being set
  6. Check device settings and confirm that the unregistration time field is empty.

My thoughts

The bug where Access Duration could not be changed after being set may have some relation to this. It is also possible that it is a separate bug, or even something that fails to get initialised during installation (database?).

haidl1986 commented 2 years ago

@tony3142 Can you fix it now?

nqb commented 2 years ago

I'm able to replicate this issue on devel.

Steps:

=> user account created in DB:

*************************** 2. row ***************************
      tenant_id: 1
            pid: nqb
       password: {bcrypt}$2a$08$DhIDMXFmxkEgr4LLVvMILOCqHPI684XRbPaLAF34RiKKD3dkRt1MW
     valid_from: 2022-03-21 00:00:00
     expiration: 2022-04-21 08:48:55
access_duration: 12h
   access_level: NULL
       category: 2
        sponsor: 0
      unregdate: 0000-00-00 00:00:00
login_remaining: NULL
2 rows in set (0.001 sec)

=> Your device is registered in DB with unregdate: 0000-00-00 00:00:00

Additional context

Issue mentioned by @tony3142 is #6929

I did a test on an 11.1.0 version and I didn't notice any difference with user creation in DB: fields are identical. It seems more like an issue in the backend.

@jrouzierinverse, could you look into this?
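
A check for the symptom described in this thread (a device registered with unregdate 0000-00-00 00:00:00 although its owner has an access_duration set), as an added example that is not part of this issue or of PacketFence's own code; the sample rows, the column subset and the duration format it parses are assumptions constructed for illustration:

```python
from datetime import datetime, timedelta
import re

ZERO_DATE = "0000-00-00 00:00:00"  # the unpopulated value reported in this issue

# Constructed sample rows mirroring the columns quoted above (not real PacketFence data).
PERSONS = {
    "nqb": {"access_duration": "12h"},
    "guest": {"access_duration": None},
}
NODES = [
    {"mac": "00:11:22:33:44:55", "pid": "nqb",   "regdate": "2022-03-21 08:48:55", "unregdate": ZERO_DATE},
    {"mac": "00:11:22:33:44:66", "pid": "guest", "regdate": "2022-03-21 09:00:00", "unregdate": ZERO_DATE},
    {"mac": "00:11:22:33:44:77", "pid": "nqb",   "regdate": "2022-03-21 10:00:00", "unregdate": "2022-03-21 22:00:00"},
]

_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "D": "days", "W": "weeks"}


def parse_duration(text):
    """Parse an access duration such as '12h' or '30m' into a timedelta.
    Assumption: the format is <number><unit> with units s/m/h/D/W;
    calendar units (months, years) are deliberately not handled here."""
    m = re.fullmatch(r"\s*(\d+)([smhDW])\s*", text or "")
    if not m:
        raise ValueError(f"unsupported access_duration: {text!r}")
    return timedelta(**{_UNITS[m.group(2)]: int(m.group(1))})


def find_missing_unregdate(nodes, persons):
    """Return (mac, expected_unregdate) for every node whose owner has an
    access_duration but whose unregdate was never populated."""
    findings = []
    for node in nodes:
        duration = persons.get(node["pid"], {}).get("access_duration")
        if duration is None or node["unregdate"] != ZERO_DATE:
            continue  # no duration to enforce, or unregdate already set
        regdate = datetime.strptime(node["regdate"], "%Y-%m-%d %H:%M:%S")
        expected = regdate + parse_duration(duration)
        findings.append((node["mac"], expected.strftime("%Y-%m-%d %H:%M:%S")))
    return findings


if __name__ == "__main__":
    for mac, expected in find_missing_unregdate(NODES, PERSONS):
        print(f"{mac}: unregdate unset, expected about {expected}")
```

Against a real deployment the two dicts would be replaced by SELECTs on the person and node tables; a non-empty result after registration indicates the behaviour reported here.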

jrouzierinverse commented 2 years ago

@julsemaan This was caused by aa606f6c1bb28fcd5c58dadf5d41d4735fc47f2b.

What were you trying to accomplish with this commit?

julsemaan commented 2 years ago

That was to fix this: https://github.com/inverse-inc/packetfence/issues/6896

The portal was over-matching rules instead of hitting only the first auth rule

lzammit commented 2 years ago

Fix works.

julsemaan commented 2 years ago

Fix works, but it's not merged, so this needs to stay open until it's merged.

haidl1986 commented 2 years ago

Hi Julsemaan,

Thank you for your work. But I am quite new to GitHub; could you please give me instructions on how to manually fix this, or tell me where I can find documents to read?

Best Regards

nqb commented 2 years ago

Fix is available. You can get it by following these instructions: https://www.packetfence.org/doc/PacketFence_Upgrade_Guide.html#_upgrade_to_a_patch_version_x_y_patch