PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) solution. Boasting an impressive feature set including a captive-portal for registration and remediation, centralized wired and wireless management, powerful BYOD management options, 802.1X support, layer-2 isolation of problematic devices; PacketFence can be used to effectively secure networks small to very large heterogeneous networks.
Describe the bug
We use Packetfence for MAB and user authentication (NTLM password hashes for EAP-PEAP-MSCHAPv2) for 802.1x. The system is working in production with Packetfence 9. Now, while upgrading to Packetfence 12.2 on a test server, we encountered the problem that user authentication isn't working anymore. MAB is working fine.
Auditing shows the following reason for that failure:
mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'
... and that's all we know about the winbind* processes:
$ ps faux | grep winbind -C 1
root 2612 0.0 0.1 1393964 28484 ? Ssl 14:42 0:00 /usr/local/pf/sbin/pfhttpd -conf /usr/local/pf/conf/caddy-services/pfipset.conf -log-name=pfipset
root 2824 0.5 1.3 241592 225512 ? Ss 14:42 0:03 winbindd-wrapper
root 3122 0.0 0.0 6964 3340 ? Ss 14:42 0:00 /bin/bash /usr/local/pf/sbin/haproxy-portal-docker-wrapper
$ systemctl status packetfence-winbindd.service
● packetfence-winbindd.service - PacketFence SAMBA winbind Service
Loaded: loaded (/lib/systemd/system/packetfence-winbindd.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2023-06-16 14:54:11 CEST; 4s ago
Process: 13376 ExecStartPre=/usr/local/pf/bin/pfcmd service winbindd generateconfig (code=exited, status=0/SUCCESS)
Main PID: 13382 (winbindd-wrappe)
Status: "Ready"
Tasks: 1 (limit: 19152)
Memory: 204.4M
CPU: 6.183s
CGroup: /packetfence.slice/packetfence-winbindd.service
└─13382 winbindd-wrapper
Jun 16 14:54:08 pft pfcmd[13376]: service|command
Jun 16 14:54:08 pft packetfence[13376]: pfcmd.pl(13376) INFO: Hard expiring resource : config::Domain() (pfconfig::manager::expire)
Jun 16 14:54:08 pft packetfence[13376]: pfcmd.pl(13376) INFO: Connecting to MySQL database (pfconfig::backend::mysql::_get_db)
Jun 16 14:54:08 pft packetfence[13376]: pfcmd.pl(13376) INFO: Expiring child resource resource::domain_dns_servers. Master resource is config::Domain() (pfconfig::manager::expire)
Jun 16 14:54:08 pft packetfence[13376]: pfcmd.pl(13376) INFO: Hard expiring resource : resource::domain_dns_servers() (pfconfig::manager::expire)
Jun 16 14:54:08 pft sudo[13380]: root : PWD=/ ; USER=root ; COMMAND=/sbin/ip netns list
Jun 16 14:54:08 pft sudo[13380]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Jun 16 14:54:08 pft sudo[13380]: pam_unix(sudo:session): session closed for user root
Jun 16 14:54:08 pft pfcmd[13376]: winbindd|config generated
Jun 16 14:54:11 pft systemd[1]: Started PacketFence SAMBA winbind Service.
To Reproduce
Steps to reproduce the behavior:
use NTLM hashes
setup 802.1x with EAP-PEAP-MSCHAPv2
populate users
setup switches
try 802.1x authentication from a client
view tried registration in the RADIUS Audit Logs
Screenshots
Audit:
... and:
the radius.log contains the following about this attempt:
Jun 15 15:24:59 pft auth[5450]: Adding client 10.10.1.224/32
Jun 15 15:24:59 pft auth[5450]: (9) mschap: ERROR: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'
Jun 15 15:24:59 pft auth[5450]: (9) Login incorrect (mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'): [U482ae32967f8] (from client 10.10.1.224/32 port 44962 cli 48:2a:e3:29:67:f8 via TLS tunnel)
Jun 15 15:24:59 pft auth[5450]: (10) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [U482ae32967f8] (from client 10.10.1.224/32 port 44962 cli 48:2a:e3:29:67:f8)
Expected behavior
User authentication works with NTLM hashes and MSCHAPv2. No AD is required.
Desktop (please complete the following information):
OS: Ubuntu Xfce
Browser: Firefox
Version: 102.6.0esr
Smartphone (please complete the following information):
n/a
Additional context
As winbindd is mysteriously involved, it looks like it has a connection to an AD/Samba setup or similar. We don't use an AD for NAC (no AD is involved) and it worked on previous versions. In Packetfence, the configuration section "Domains" (AD Domains and Realms) is at its default.
We're using Packetfence on Debian.
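A small triage helper for the radius.log excerpt above (an added example, not part of the issue or of PacketFence): it parses FreeRADIUS "Login OK"/"Login incorrect" lines, tags rejections whose reason carries the winbind status code, and counts them per NAS client and calling station so a backend failure (winbind not answering, as here) can be told apart from ordinary bad-password rejects and from the follow-up eap_peap re-reject of the same session. The sample lines are the reporter's four lines plus one constructed "Login OK" line for contrast; the regexes assume the stock FreeRADIUS auth log format.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the four lines quoted in the report plus one made-up MAB success (request 11).
SAMPLE_LOG = """\
Jun 15 15:24:59 pft auth[5450]: Adding client 10.10.1.224/32
Jun 15 15:24:59 pft auth[5450]: (9) mschap: ERROR: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'
Jun 15 15:24:59 pft auth[5450]: (9) Login incorrect (mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'): [U482ae32967f8] (from client 10.10.1.224/32 port 44962 cli 48:2a:e3:29:67:f8 via TLS tunnel)
Jun 15 15:24:59 pft auth[5450]: (10) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [U482ae32967f8] (from client 10.10.1.224/32 port 44962 cli 48:2a:e3:29:67:f8)
Jun 15 15:25:03 pft auth[5450]: (11) Login OK: [48:2a:e3:29:67:f8] (from client 10.10.1.224/32 port 44963 cli 48:2a:e3:29:67:f8)
"""

# FreeRADIUS verdict line: "(req) Login OK|incorrect[ (reason)]: [user] (from client X port N cli MAC ...)"
LOGIN_RE = re.compile(
    r"\((?P<req>\d+)\) Login (?P<result>OK|incorrect)"
    r"(?: \((?P<reason>.*)\))?: \[(?P<user>[^\]]+)\]"
    r" \(from client (?P<client>\S+) port \d+ cli (?P<mac>[0-9a-fA-F:]+)"
)
# NT status reported by ntlm_auth when winbindd gives no usable answer (0xc0000001 = NT_STATUS_UNSUCCESSFUL).
WINBIND_RE = re.compile(r"Reading winbind reply failed! \((?P<status>0x[0-9a-f]+)\)")


@dataclass
class AuthEvent:
    request: int
    ok: bool
    user: str
    client: str          # NAS / switch that sent the Access-Request
    mac: str             # Calling-Station-Id of the supplicant
    reason: str
    winbind_status: Optional[str]  # set only when the reject came from the winbind backend


def parse_auth_log(text: str) -> List[AuthEvent]:
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue  # "Adding client" and module ERROR lines carry no per-user verdict
        reason = m.group("reason") or ""
        w = WINBIND_RE.search(reason)
        events.append(AuthEvent(int(m.group("req")), m.group("result") == "OK",
                                m.group("user"), m.group("client"), m.group("mac"),
                                reason, w.group("status") if w else None))
    return events


def winbind_failures(events: List[AuthEvent]) -> Counter:
    """Count backend (winbind) rejections per (NAS, MAC); the eap_peap re-reject of the
    same session has no winbind status and is deliberately not counted twice."""
    return Counter((e.client, e.mac) for e in events if not e.ok and e.winbind_status)
```

A spike of winbind-tagged rejects across many MACs right after an upgrade points at the PacketFence-to-winbindd path rather than at user credentials.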