inverse-inc / packetfence

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) solution. Boasting an impressive feature set including a captive-portal for registration and remediation, centralized wired and wireless management, powerful BYOD management options, 802.1X support, layer-2 isolation of problematic devices; PacketFence can be used to effectively secure networks small to very large heterogeneous networks.
https://packetfence.org
GNU General Public License v2.0

NTLM / EAP-PEAP-MSCHAPv2 not working anymore #7717

Closed Matze1224 closed 1 year ago

Matze1224 commented 1 year ago

Describe the bug We use Packetfence for MAB and User authentication (NTLM password hashes for EAP-PEAP-MSCHAPv2) for 802.1x. System is working on production with Packetfence 9. Now in progress for updates to Packetfence 12.2 on a test server, we encountered the problem that the User authentication isn't working anymore. MAB is working fine.

Auditing shows following reason for that failure:

mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'

... and that's all we know about the winbind* processes:

$ ps faux | grep winbind -C 1
root        2612  0.0  0.1 1393964 28484 ?       Ssl  14:42   0:00 /usr/local/pf/sbin/pfhttpd -conf /usr/local/pf/conf/caddy-services/pfipset.conf -log-name=pfipset
root        2824  0.5  1.3 241592 225512 ?       Ss   14:42   0:03 winbindd-wrapper
root        3122  0.0  0.0   6964  3340 ?        Ss   14:42   0:00 /bin/bash /usr/local/pf/sbin/haproxy-portal-docker-wrapper

$ systemctl status packetfence-winbindd.service 
● packetfence-winbindd.service - PacketFence SAMBA winbind Service
     Loaded: loaded (/lib/systemd/system/packetfence-winbindd.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2023-06-16 14:54:11 CEST; 4s ago
    Process: 13376 ExecStartPre=/usr/local/pf/bin/pfcmd service winbindd generateconfig (code=exited, status=0/SUCCESS)
   Main PID: 13382 (winbindd-wrappe)
     Status: "Ready"
      Tasks: 1 (limit: 19152)
     Memory: 204.4M
        CPU: 6.183s
     CGroup: /packetfence.slice/packetfence-winbindd.service
             └─13382 winbindd-wrapper

Jun 16 14:54:08 pft pfcmd[13376]: service|command
Jun 16 14:54:08 pft packetfence[13376]: pfcmd.pl(13376) INFO: Hard expiring resource : config::Domain() (pfconfig::manager::expire)
Jun 16 14:54:08 pft packetfence[13376]: pfcmd.pl(13376) INFO: Connecting to MySQL database (pfconfig::backend::mysql::_get_db)
Jun 16 14:54:08 pft packetfence[13376]: pfcmd.pl(13376) INFO: Expiring child resource resource::domain_dns_servers. Master resource is config::Domain() (pfconfig::manager::expire)
Jun 16 14:54:08 pft packetfence[13376]: pfcmd.pl(13376) INFO: Hard expiring resource : resource::domain_dns_servers() (pfconfig::manager::expire)
Jun 16 14:54:08 pft sudo[13380]:     root : PWD=/ ; USER=root ; COMMAND=/sbin/ip netns list
Jun 16 14:54:08 pft sudo[13380]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Jun 16 14:54:08 pft sudo[13380]: pam_unix(sudo:session): session closed for user root
Jun 16 14:54:08 pft pfcmd[13376]: winbindd|config generated
Jun 16 14:54:11 pft systemd[1]: Started PacketFence SAMBA winbind Service.

To Reproduce Steps to reproduce the behavior:

  1. use NTLM hashes
  2. setup 802.1x with EAP-PEAP-MSCHAPv2
  3. populate users
  4. setup switches
  5. try 802.1x authentication from a client
  6. view tried registration in the RADIUS Audit Logs

Screenshots: audit log (image), audit details (image)

the radius.log contains following about this try:

Jun 15 15:24:59 pft auth[5450]: Adding client 10.10.1.224/32
Jun 15 15:24:59 pft auth[5450]: (9) mschap: ERROR: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'
Jun 15 15:24:59 pft auth[5450]: (9)   Login incorrect (mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'): [U482ae32967f8] (from client 10.10.1.224/32 port 44962 cli 48:2a:e3:29:67:f8 via TLS tunnel)
Jun 15 15:24:59 pft auth[5450]: (10) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [U482ae32967f8] (from client 10.10.1.224/32 port 44962 cli 48:2a:e3:29:67:f8)

Expected behavior User authentication works with NTLM hashes and MSCHAPv2. No AD is required.

Desktop (please complete the following information):

Smartphone (please complete the following information): n/a

Additional context As winbindd is mysteriously involved, it looks like it has a connection to an AD/Samba setup or similar. We don't use an AD for NAC/no AD is involved and it worked on previous versions. In Packetfence, the configuration section of "Domains" (AD Domains and Realms) is as default.

We're using Packetfence on Debian.
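
Added here as a triage aid, not part of the original issue or of PacketFence itself: a Python parser for FreeRADIUS radius.log lines like the ones quoted above that separates the inner MSCHAPv2 winbind failure from the cascaded PEAP reject and lists the affected client MACs. The sample log is constructed from the excerpt in the issue plus one constructed "Login OK" line for contrast; the category names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample, modelled on the radius.log excerpt from the issue above.
# The last line is an added "Login OK" record for contrast.
SAMPLE_LOG = """\
Jun 15 15:24:59 pft auth[5450]: Adding client 10.10.1.224/32
Jun 15 15:24:59 pft auth[5450]: (9) mschap: ERROR: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'
Jun 15 15:24:59 pft auth[5450]: (9)   Login incorrect (mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'): [U482ae32967f8] (from client 10.10.1.224/32 port 44962 cli 48:2a:e3:29:67:f8 via TLS tunnel)
Jun 15 15:24:59 pft auth[5450]: (10) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [U482ae32967f8] (from client 10.10.1.224/32 port 44962 cli 48:2a:e3:29:67:f8)
Jun 15 15:25:03 pft auth[5450]: (11) Login OK: [U001122334455] (from client 10.10.1.224/32 port 44963 cli 00:11:22:33:44:55 via TLS tunnel)
"""

# One FreeRADIUS "Login OK" / "Login incorrect" line. The reject reason is
# optional and may itself contain parentheses, so match lazily up to "): [".
LOGIN_RE = re.compile(
    r"\((?P<req>\d+)\)\s+Login (?P<outcome>OK|incorrect)"
    r"(?: \((?P<reason>.*?)\))?: \[(?P<user>[^\]]+)\] "
    r"\(from client (?P<client>\S+) port \d+ cli (?P<mac>[0-9a-fA-F:]{17})"
)

def classify(reason):
    """Map a reject reason to a triage category (category names are assumptions)."""
    if reason is None:
        return "ok"
    if "Reading winbind reply failed" in reason:
        # ntlm_auth got no usable answer from winbindd; 0xc0000001 is
        # NT_STATUS_UNSUCCESSFUL, a generic failure, not a wrong password.
        return "winbind_failure"
    if "previously rejected" in reason:
        # The outer PEAP request only mirrors the inner MSCHAPv2 reject.
        return "cascade_reject"
    return "other"

def parse_login_events(text):
    """Return one dict per Login OK/incorrect line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["category"] = classify(ev["reason"])
        events.append(ev)
    return events

def summarize(events):
    """Count events per category and list the MACs hit by winbind failures."""
    counts = Counter(ev["category"] for ev in events)
    affected = sorted({ev["mac"] for ev in events if ev["category"] == "winbind_failure"})
    return counts, affected

if __name__ == "__main__":
    counts, affected = summarize(parse_login_events(SAMPLE_LOG))
    print(dict(counts))
    print("winbind failures seen for:", ", ".join(affected))
```

A burst of `winbind_failure` entries across many MACs right after an upgrade points at the backend configuration rather than at user credentials, which matches the resolution in this thread.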

nqb commented 1 year ago

Is it not just this:

https://www.packetfence.org/doc/PacketFence_Upgrade_Guide.html#_support_of_local_authentication_for_802_1x_in_web_admin

Please use mailing list for this kind of request.

Matze1224 commented 1 year ago

Thanks, didn't know it was just a configuration issue.