Sorry for the amount of detail, but we are trying to set up 
PacketFence and wanted to include as much info as possible to help diagnose our 
issue.

We have PacketFence installed on a server (172.22.0.3).  We 
have three interfaces defined in PacketFence: Management (172.22.0.3/23), 
Isolation (12.22.2.3/23), and Registration (172.22.38.3/23).  Those interfaces 
are plugged into our core Extreme Networks Summit switch into matching VLANs: 
"Internal_Appliances" (172.22.0.1/23), "MAC_Isolation" (172.22.2.1/23), and 
"MAC_Registration" (172.22.38.1/23).

That switch is then uplinked to our desktop switch, where we have created a 
"MAC_Isolation" (172.22.2.2/23), "MAC_Registration" (172.22.38.2/23), MAC_Temp 
(no IP), and "Desktops" (172.22.34.2/23).  We want the ports to eventually end 
up in the "Desktops" VLAN after authorization.

The steps below were performed on the Extreme switch to which 
the desktops are connected, using Port 5:13 as our test.

create vlan MAC_Registration
config vlan "MAC_Registration" tag 369
create vlan MAC_Temp
enable snmp access
configure snmp add trapreceiver 172.22.0.3 community public vr VR-DEFAULT
configure vlan MAC_Registration add ports 5:13 untagged
configure ports 5:13 vlan MAC_Registration lock-learning
disable snmp traps port-up-down ports 5:13
configure radius netlogin primary server 172.22.0.3 1812 client-ip 172.22.32.2 vr VR-Default
configure radius netlogin primary shared-secret (password)
enable radius netlogin
configure netlogin vlan MAC_Temp
enable netlogin mac
configure netlogin dynamic-vlan enable
configure netlogin dynamic-vlan uplink-ports 4:45
configure netlogin mac authentication database-order radius
enable netlogin ports 5:13 mac
configure netlogin ports 5:13 mode port-based-vlans
configure netlogin ports 5:13 no-restart

Now, every 5 minutes, these messages show up in the switch log and the 
test desktop in question doesn't show up in the nodes in PacketFence.

07/30/2014 13:47:39.42 <Info:nl.ClientAuthFailure> Slot-1: Authentication failed for Network Login MAC user 3C970EADB66B Mac 3C:97:0E:AD:B6:6B port 5:13
07/30/2014 13:47:39.42 <Warn:AAA.RADIUS.noServResp> Slot-1: No response from server 172.22.0.3 trying local.
07/30/2014 13:47:39.42 <Warn:AAA.RADIUS.noServerResp> Slot-1: No servers responding
07/30/2014 13:47:36.42 <Warn:AAA.RADIUS.resendPkt> Slot-1: Resend request to Authentication Server address 172.22.0.3 current request count is 2
07/30/2014 13:47:33.41 <Warn:AAA.RADIUS.resendPkt> Slot-1: Resend request to Authentication Server address 172.22.0.3 current request count is 1

The results of "show netlogin" and "show radius" on the switch return 
the following:

Slot-1 Stack.4 # show netlogin

NetLogin Authentication Mode : web-based DISABLED;  802.1x DISABLED;  mac-based ENABLED
NetLogin VLAN                : "MAC_Temp"
NetLogin move-fail-action    : Deny
NetLogin Client Aging Time   : 5 minutes
Dynamic VLAN Creation        : Enabled
Dynamic VLAN Uplink Ports    : 4:45

------------------------------------------------
        Web-based Mode Global Configuration
------------------------------------------------
Base-URL                 : network-access.com
Default-Redirect-Page    : ENABLED; http://www.extremenetworks.com
Logout-privilege         : YES
Netlogin Session-Refresh : ENABLED; 3 minute(s) 0 second(s)
Refresh failures allowed : 0
Reauthenticate on refresh: Disabled
Authentication Database  : Radius, Local-User database
Proxy Ports              : 80(http),443(https)
------------------------------------------------

------------------------------------------------
        802.1x Mode Global Configuration
------------------------------------------------
Quiet Period                    : 60
Supplicant Response Timeout     : 30
Re-authentication period        : 3600
Max Re-authentications          : 3
RADIUS server timeout           : 30
EAPOL MPDU version to transmit  : v1
Authentication Database         : Radius
------------------------------------------------

------------------------------------------------
          MAC Mode Global Configuration
------------------------------------------------

MAC Address/Mask      Password (encrypted)            Port(s)
--------------------  ------------------------------  ------------------------
Default               <not configured>                any

Re-authentication period        : 0 (Re-authentication disabled)
Authentication Database         : Radius
------------------------------------------------

Port: 5:13,  Vlan: MAC_Registration,  State: Enabled,  Authentication: mac-based
Guest Vlan <Not Configured>: Disabled
Authentication Failure Vlan <Not Configured>: Disabled
Authentication Service-Unavailable Vlan <Not Configured>: Disabled

MAC                IP address       Authenticated     Type    ReAuth-Timer   User
3c:97:0e:ad:b6:6b  0.0.0.0          No                MAC     0
-----------------------------------------------
(B) - Client entry Blackholed in FDB


Number of Clients Authenticated  : 0

Slot-1 Stack.5 # show radius
Switch Management Radius: disabled
Switch Management Radius server connect time out: 3 seconds
Switch Management Radius Accounting: disabled
Switch Management Radius Accounting server connect time out: 3 seconds
Netlogin Radius: enabled
Netlogin Radius server connect time out: 3 seconds
Netlogin Radius Accounting: disabled
Netlogin Radius Accounting server connect time out: 3 seconds

Primary Netlogin Radius server:
    Server name   :
    IP address    :  172.22.0.3
    Server IP Port:  1812
    Client address:  172.22.38.2 (VR-Default)
    Shared secret :  2\q;sJ;@F=8Bjn
Access Requests   :  13752           Access Accepts    :  0
Access Rejects    :  0               Access Challenges :  0
Access Retransmits:  9168            Client timeouts   :  4584
Bad authenticators:  0               Unknown types     :  0
Round Trip Time   :  0






_______________________________________________
PacketFence-announce mailing list
PacketFence-announce@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-announce
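
One way to read the counters and the configuration line posted above, as an added example that is not part of the original message: it parses the `show radius` output, classifies the counter pattern, and compares the source address set on the command line with the one the switch reports. The function names and status labels are made up for this example; the sample text is copied from the post.

```python
import re

# Sample input copied from the post: part of "show radius" and the config line.
SHOW_RADIUS = """\
    IP address    :  172.22.0.3
    Server IP Port:  1812
    Client address:  172.22.38.2 (VR-Default)
Access Requests   :  13752           Access Accepts    :  0
Access Rejects    :  0               Access Challenges :  0
Access Retransmits:  9168            Client timeouts   :  4584
Bad authenticators:  0               Unknown types     :  0
"""
CONFIG_LINE = ("configure radius netlogin primary server 172.22.0.3 1812 "
               "client-ip 172.22.32.2 vr VR-Default")

def parse_show_radius(text):
    """Return {label: value}; handles two 'Label : value' pairs on one line."""
    fields = {}
    for label, value in re.findall(r"([A-Za-z][A-Za-z ]*?)\s*:\s+(\S+)", text):
        fields[label] = int(value) if value.isdigit() else value
    return fields

def classify(f):
    """Label the counter pattern (labels are this example's own)."""
    answered = f["Access Accepts"] + f["Access Rejects"] + f["Access Challenges"]
    if f["Access Requests"] == 0:
        return "no-requests-sent"
    if f["Bad authenticators"] > 0:
        # Replies arrived but failed the authenticator check (secret mismatch).
        return "replies-failed-authenticator-check"
    if answered == 0 and f["Client timeouts"] > 0:
        # Nothing ever came back. RFC 2865 requires a server to silently
        # discard requests from a client it has no shared secret for, so the
        # address the switch sends from must match a client entry on the server.
        return "server-silent"
    if f["Access Accepts"] == 0:
        return "server-rejecting"
    return "answering"

def sends_per_timeout(f):
    """Packets sent per timed-out attempt (first send plus retransmits)."""
    return f["Access Requests"] / f["Client timeouts"]

def source_addresses(config_line, f):
    """(client-ip given on the command line, client address the switch reports)."""
    configured = re.search(r"client-ip (\S+)", config_line).group(1)
    return configured, f["Client address"]

if __name__ == "__main__":
    f = parse_show_radius(SHOW_RADIUS)
    print(classify(f), sends_per_timeout(f), source_addresses(CONFIG_LINE, f))
```

The same classification applies to any later capture of `show radius`: a non-zero Access Rejects or Bad authenticators count means packets are reaching the server and being answered, which is a different state from the one shown here.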
