Hi Mark,

just had another look at the repository. Looks like the naming of the modules is a bit misleading. The “Aruba Networks” module is only for the wireless controllers. There are some new modules in the repository which are missing, at least in my installation, even though I recently upgraded to PF13. There is now “ArubaOS_CX_10_x” and “ArubaOS_Switch_16_x”. Tried to manually add them into my installation but failed. Would be nice to know how to do that correctly.

Regarding your problem: Really seems to be some network issue. Please report how your test went.

Regards
Johannes

From: Mark Okuno [mailto:mark.ok...@ucsb.edu]
Sent: Saturday, 16 December 2023 00:13
To: Mudrich, J. <j.mudr...@altmark-klinikum.de>
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Compatibility with PacketFence v9.0.0 and Aruba 6300M CX-OS

Thank you Johannes,

I'd like to give a shout-out to a former member of the packetfence-users group who also offered their configurations and thoughts, Jeremy Plumley.

The configuration commands from the GitHub site look to be for some other platform of Aruba switches. I don't think they work for CX-OS. I did try the configurations that you've provided, and I still cannot get RADIUS communication to push to PacketFence v9.0.

I enabled tracking on the RADIUS server configuration, and you can see that the switch claims it to be unreachable.

    sw-5543-aruba-6300m(config)# show radius-server detail
    ******* Global RADIUS Configuration *******
    Shared-Secret: None
    Timeout: 5
    Auth-Type: pap
    Retries: 1
    Initial TLS Connection Timeout: 30
    TLS Timeout: 5
    Tracking Time Interval (seconds): 60
    Tracking Retries: 1
    Tracking User-name: radius-tracking-user
    Tracking Password: None
    Status-Server Time Interval (seconds): 300
    Number of Servers: 1
    AAA Server Status Trap: Disabled

    ****** RADIUS Server Information ******
    Server-Name : *************
    Auth-Port : 1812
    Accounting-Port : 1813
    VRF : default
    TLS Enabled : No
    Shared-Secret : AQBapel/kzL87c0/Q30ElPeMbbHcRJed2vrDm1zZ68ViM0+SEgAAAP3GZAevEUCGnQWsACTGTIOOJA==
    Timeout : 5
    Retries : 1
    Auth-Type : chap
    Server-Group : packetfence
    Group-Priority : 1
    ClearPass-Username :
    ClearPass-Password : None
    Tracking : enabled
    Tracking-Mode : any
    Reachability-Status : unreachable, Since Fri Dec 15 13:21:38 PST 2023
    Tracking-Last-Attempted : Fri Dec 15 14:53:44 PST 2023
    Next-Tracking-Request : 25 seconds
    sw-5543-aruba-6300m(config)#

I've tried both CHAP and PAP protocols.

What's interesting is that in the logs, I can see that the switch resolves the route to the IP address of the PacketFence server.

    2023-12-15T13:18:14.701289-08:00 sw-5543-aruba-6300m radius-srv-trkd[4423]: Event|2306|LOG_INFO|CDTR|1|Route is "resolved" for RADIUS Server with Address:**.**.**.**, VRF_ID:0

However, the switch fails to reach the RADIUS service on PacketFence over the default authport 1812, which almost suggests an issue at layer 4 somewhere in the communication pipe.

    2023-12-15T13:21:38.603197-08:00 sw-5543-aruba-6300m radius-srv-trkd[4423]: Event|2304|LOG_INFO|CDTR|1|RADIUS Server with Address:**.**.**.**, Authport:1812, VRF_ID:0 is "unreachable"

What's also curious to me is that, even though I've associated AAA authentication for dot1x and mac-auth with the packetfence server-group, when I execute a show aaa authentication, I only see the local group associated. The following are the configs I mention.

    aaa authentication port-access dot1x authenticator
        radius server-group packetfence
        enable
    aaa authentication port-access mac-auth
        radius server-group packetfence
        enable

Here is the output of a show aaa authentication.

    sw-5543-aruba-6300m(config)# show aaa authentication
    AAA Authentication:
      Fail-through : Enabled
      Limit Login Attempts : Not set
      Lockout Time : 300
      Console Login Attempts : Not set
      Console Lockout Time : 300

    Authentication for default channel:
    ----------------------------------------
    GROUP NAME | GROUP PRIORITY
    ----------------------------------------
    local | 0
    ----------------------------------------
    sw-5543-aruba-6300m(config)#

I've also tried using Aruba Networks and Aruba Switches in the PacketFence switch configuration module as well.

Thank you for the suggestions Jeremy and Johannes! My next step may be trying to build a test environment of the latest version of PacketFence and see if that works.

Happy Holidays!

Best,
Mark Okuno
UCSB Library, IT Operations
University of California, Santa Barbara

On Tue, Dec 12, 2023 at 11:32 PM Mudrich, J. <j.mudr...@altmark-klinikum.de> wrote:

Hi Again,

I just had a look into the Github repository and found something:

packetfence/docs/network/networkdevice/aruba_switchs.asciidoc at devel · inverse-inc/packetfence · GitHub
<https://github.com/inverse-inc/packetfence/blob/devel/docs/network/networkdevice/aruba_switchs.asciidoc>

Maybe this helps. Going to test this myself.

Kind regards
Johannes

Johannes Mudrich
Administration Staff, IT
Altmark-Klinikum gGmbH
Ernst-von-Bergmann-Straße 22
39638 Gardelegen
Tel.: 03907 791229
Fax.: 03907 791248
Mail: j.mudr...@altmark-klinikum.de

From: Mudrich, J.
Sent: Wednesday, 13 December 2023 08:19
To: 'packetfence-users@lists.sourceforge.net' <packetfence-users@lists.sourceforge.net>
Cc: Mark Okuno <mark.ok...@ucsb.edu>
Subject: Re: [PacketFence-users] Compatibility with PacketFence v9.0.0 and Aruba 6300M CX-OS

Hi Mark,

I was also testing Aruba CX switches some months ago. I used PF12 and the “Aruba Networks” type in my test environment. So I’m not sure if this applies to you. That’s what I did:

    (config)# radius-server host [Radius IP] key [Radius PW]
    (config)# radius dyn-authorization enable
    (config)# aaa authentication allow-fail-through

    ## SNMPV1 / not using traps
    (config)# snmp-server community [SNMP-Community]
    (config-community)# access-level rw

    ## Mac-Auth
    (config)# Interface [Ports/Port-Range]
    (config-if)# aaa authentication port-access mac-auth
    (config-if-macauth)# enable
    (config)# aaa authentication port-access mac-auth enable

    ## 802.1x
    (config)# Interface [Ports/Port-Range]
    (config-if)# aaa authentication port-access dot1x authenticator
    (config-if)# cached-reauth
    (config-if)# cached-reauth-period 60
    (config-if)# max-eapol-requests 1
    (config-if)# max-retries 1
    (config-if)# quiet-period 5
    (config-if)# discovery-period 10
    (config-if)# enable
    (config)# aaa authentication port-access dot1x authenticator enable

At least authentication was working. CoA did not work, SNMP did not work. Meaning even manual port resetting in the GUI did not work. I had to physically disconnect the port for reauthentication.

I put this project on hold since I could not find any more documentation.

Kind regards
Johannes

From: Mark Okuno via PacketFence-users [mailto:packetfence-users@lists.sourceforge.net]
Sent: Monday, 11 December 2023 22:38
To: packetfence-users@lists.sourceforge.net
Cc: Mark Okuno <mark.ok...@ucsb.edu>
Subject: [PacketFence-users] Compatibility with PacketFence v9.0.0 and Aruba 6300M CX-OS

Hello packetfence-users,

I am looking to replace a fleet of HP Procurve and Cisco Catalyst switches with Aruba CX-OS switches. I was wondering if anyone can confirm whether they have successfully configured RADIUS communication between an Aruba CX-OS switch and PacketFence version 9.0.0 (I'm attempting to configure MAC Authentication Bypass). I do see SNMP traffic with the switch in the /usr/local/pf/logs logs, but I do not see any RADIUS communication traffic.

I know I'm on a significantly older version of PF, and there does not seem to be any Aruba CX-OS option to choose from when selecting the switch type when configuring the network switch in PF. I've selected the general option of Aruba Switches.

I also do not see any documentation for an Aruba CX-OS configuration setup in PacketFence documentation. There is an Aruba section, however it looks like these configurations are for the older Aruba OS syntax.

Network Devices Configuration Guide (packetfence.org)
<https://www.packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html>

In case anyone else is using Aruba CX-OS and can point out where I've gone wrong, the following are my general RADIUS and SNMP configurations.

    radius-server host <PacketFence IP Address> key ciphertext **********************
    aaa group server radius packetfence
        server <PacketFence IP Address>
    aaa accounting all-mgmt default start-stop group radius packetfence
    aaa accounting port-access start-stop group packetfence
    radius dyn-authorization enable
    aaa authentication port-access dot1x authenticator
        radius server-group packetfence
        enable
    aaa authentication port-access mac-auth
        radius server-group packetfence
        enable
    snmp-server community ***************************
        access-level rw
    snmp-server community ***************
    snmp-server host <PacketFence IP Address> inform version v2c
    snmp-server host <PacketFence IP Address> trap version v2c

The following is the interface configuration. The access VLAN specified is a blackhole VLAN, and is not tagged across trunk interfaces.

    interface 1/1/48
        no shutdown
        no routing
        vlan access 666
        aaa authentication port-access auth-precedence mac-auth dot1x
        aaa authentication port-access dot1x authenticator
            reauth
            reauth-period 14400
            enable
        aaa authentication port-access mac-auth
            reauth
            reauth-period 14400
            enable

Thank you packetfence-users!

Best,
Mark Okuno
UCSB Library, IT Operations
University of California, Santa Barbara

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
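
Added example (not part of the original thread, and not PacketFence or Aruba code): a small parser for the two radius-srv-trkd event formats quoted above that correlates the route state with the reachability verdict per server, which is the comparison the thread makes by hand. The sample log, hostname and 192.0.2.x addresses are constructed placeholders; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, modeled on the two radius-srv-trkd events quoted in the
# thread. Hostname and 192.0.2.x addresses are placeholders (assumptions).
SAMPLE_LOG = """\
2023-12-15T13:18:14.701289-08:00 sw1 radius-srv-trkd[4423]: Event|2306|LOG_INFO|CDTR|1|Route is "resolved" for RADIUS Server with Address:192.0.2.10, VRF_ID:0
2023-12-15T13:21:38.603197-08:00 sw1 radius-srv-trkd[4423]: Event|2304|LOG_INFO|CDTR|1|RADIUS Server with Address:192.0.2.10, Authport:1812, VRF_ID:0 is "unreachable"
2023-12-15T13:22:00.000000-08:00 sw1 radius-srv-trkd[4423]: Event|2306|LOG_INFO|CDTR|1|Route is "resolved" for RADIUS Server with Address:192.0.2.20, VRF_ID:0
2023-12-15T13:22:05.000000-08:00 sw1 other-daemon[1]: unrelated line
"""

EVENT = re.compile(r'^(?P<ts>\S+) \S+ radius-srv-trkd\[\d+\]: '
                   r'Event\|\d+\|[^|]*\|[^|]*\|[^|]*\|(?P<msg>.*)$')
ROUTE = re.compile(r'Route is "(?P<state>[^"]+)" for RADIUS Server with '
                   r'Address:(?P<addr>[^,]+), VRF_ID:(?P<vrf>\d+)')
REACH = re.compile(r'RADIUS Server with Address:(?P<addr>[^,]+), '
                   r'Authport:(?P<port>\d+), VRF_ID:(?P<vrf>\d+) is "(?P<state>[^"]+)"')


def server_states(log_text):
    """Latest route and reachability state per (address, VRF) from tracking events."""
    states = defaultdict(dict)
    for line in log_text.splitlines():
        ev = EVENT.match(line)
        if not ev:
            continue  # not a radius-srv-trkd event
        if m := ROUTE.search(ev["msg"]):
            states[(m["addr"], m["vrf"])]["route"] = m["state"]
        elif m := REACH.search(ev["msg"]):
            states[(m["addr"], m["vrf"])].update(
                reach=m["state"], port=int(m["port"]), since=ev["ts"])
    return dict(states)


def diagnose(state):
    """Turn one server's state into the next thing to check."""
    reach = state.get("reach")
    if reach is None:
        return "no tracking verdict logged yet"
    if reach != "unreachable":
        return f"tracking reports {reach}"
    if state.get("route") == "resolved":
        # Layer 3 is fine, so the tracking request or its reply is being lost.
        return (f"route resolved but no RADIUS reply on UDP/{state['port']}: check "
                "filtering and the server's client entry/secret for this switch")
    return "unreachable and no resolved route logged: check routing and VRF first"


if __name__ == "__main__":
    for (addr, vrf), st in server_states(SAMPLE_LOG).items():
        print(addr, f"vrf={vrf}", "->", diagnose(st))
```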