The switch still fails to get the VLAN. Authentication works, but no VLAN.

To add more info: pftest works as expected.

root@packetfence-14:/usr/local/pf/bin# ./pftest authentication "test01" "xxxxxxxx" "mydomain-Users"
Testing authentication for "test01"
Authenticating against 'mydomain-Users' in context 'admin'
Authentication SUCCEEDED against mydomain-Users (Authentication successful.)
Matched against mydomain-Users for 'authentication' rule VLAN_111
set_role : VLAN_111
set_access_duration : 1h
Did not match against mydomain-Users for 'administration' rules
Authenticating against 'mydomain-Users' in context 'portal'
Authentication SUCCEEDED against mydomain-Users (Authentication successful.)
Matched against mydomain-Users for 'authentication' rule VLAN_111
set_role : VLAN_111
set_access_duration : 1h
Did not match against mydomain-Users for 'administration' rules

On 16/09/2024 20.12, Rein van ‘t Veer via PacketFence-users wrote:
A few things: check if snmp traffic is working from packetfence to the switch.

Also check the RADIUS return logs to see if the VLAN is returned. This is easy in the web interface: under Auditing, RADIUS logs, you can see the full return strings from PacketFence.

Example:

RADIUS Request
Airespace-Wlan-Id = "1", Called-Station-Id = "d4:6d:50:e3:ae:e0:Samvaerket-guests", Called-Station-SSID = "Samvaerket-guests", Calling-Station-Id = "e6:63:3c:fb:8a:dc", Cisco-AVPair = "service-type=Call Check", Cisco-AVPair = "audit-session-id=1400330A0004884BFC03D52A", Cisco-AVPair = "method=mab", Cisco-AVPair = "client-iif-id=1073747193", Cisco-AVPair = "vlan-id=498", Cisco-AVPair = "cisco-wlan-ssid=Samvaerket-guests", Cisco-AVPair = "wlan-profile-name=Samvaerket-guests", Event-Timestamp = "Sep 16 2024 20:06:35 CEST", Framed-MTU = "1485", FreeRADIUS-Client-IP-Address = "10.51.0.20", Message-Authenticator = "0xaf1468be12d6bb5e7c6a432fa81225ef", NAS-IP-Address = "10.51.0.20", NAS-Identifier = "WLC", NAS-Port = "51012", NAS-Port-Id = "capwap_90000006", NAS-Port-Type = "Wireless-802.11", PacketFence-KeyBalanced = "c2acf8e4cbb314039e027c04672c5bd4", PacketFence-Radius-Ip = "10.51.0.11", Realm = "null", Service-Type = "Call-Check", Stripped-User-Name = "e6633cfb8adc", User-Name = "e6633cfb8adc", User-Password = "******"

RADIUS Reply
REST-HTTP-Status-Code = "200", Tunnel-Medium-Type = "IEEE-802", Tunnel-Private-Group-Id = "500", Tunnel-Type = "VLAN"

Once you have verified the vlan is returned you can see what the switch is doing with the request.

On 16 Sep 2024, at 16.43, Peter Jensen via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:



Hello,

I’m currently working on a PacketFence setup and having trouble with the dynamic VLAN assignment. Authentication is functioning correctly (verified via logs), and the switch confirms that 802.1X authentication is successful. However, VLAN assignment is not working as expected.

Here’s a summary of my setup and the steps I’ve taken:

    •    I have added the switch and enabled Role Mapping by VLAN ID, assigning the correct VLAN ID.
    •    I created an Authentication Source with Authentication Rules using the memberof condition and the full DN of the LDAP group. This has been tested with and without any conditions, with the same result.
    •    The issue persists where no VLAN is assigned after successful authentication.

Logs

Below are some logs that may help diagnose the issue:

*packetfence.log*

2024-09-16T15:57:44.791790+02:00 packetfence-14 httpd.aaa-docker-wrapper[3036]: httpd.aaa(7) INFO: [mac:00:e0:4c:68:08:27] Instantiate profile 8021x (pf::Connection::ProfileFactory::_from_profile)
2024-09-16T15:57:44.809341+02:00 packetfence-14 httpd.aaa-docker-wrapper[3036]: httpd.aaa(7) INFO: [mac:00:e0:4c:68:08:27] Found authentication source(s) : '' for realm 'null' (pf::config::util::filter_authentication_sources)
2024-09-16T15:57:44.809463+02:00 packetfence-14 httpd.aaa-docker-wrapper[3036]: httpd.aaa(7) INFO: [mac:00:e0:4c:68:08:27] No rules matches or no category defined for the node, set it as unreg. (pf::role::getNodeInfoForAutoReg)
2024-09-16T15:57:44.809463+02:00 packetfence-14 httpd.aaa-docker-wrapper[3036]: httpd.aaa(7) WARN: [mac:00:e0:4c:68:08:27] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
2024-09-16T15:57:44.814522+02:00 packetfence-14 httpd.aaa-docker-wrapper[3036]: httpd.aaa(7) INFO: [mac:00:e0:4c:68:08:27] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
2024-09-16T15:57:44.814864+02:00 packetfence-14 httpd.aaa-docker-wrapper[3036]: httpd.aaa(7) WARN: [mac:00:e0:4c:68:08:27] No parameter Vlan found in conf/switches.conf for the switch 192.168.188.212 (pf::Switch::getVlanByName)


*radius.log*

2024-09-16T15:57:44.258471+02:00 packetfence-14 auth[91590]: Adding client 192.168.188.212/32
2024-09-16T15:57:44.827353+02:00 packetfence-14 auth[91590]: (42) Login OK: [test01] (from client 192.168.188.212/32 port 50004 cli 00:e0:4c:68:08:27 via TLS tunnel)
2024-09-16T15:57:44.837698+02:00 packetfence-14 auth[91590]: (43) Login OK: [test01] (from client 192.168.188.212/32 port 50004 cli 00:e0:4c:68:08:27)


What I’ve Tried:

    •    Confirmed that the authentication source is correctly configured, using an LDAP group with the full DN in the rule.
    •    Verified that the switch is properly configured for 802.1X and dynamic VLAN assignment.
    •    Examined the PacketFence configuration for role mapping and VLAN settings, but the VLAN remains undefined after authentication.

Environment:

    •    PacketFence version: 14
    •    Switch model and firmware:
vios_l2-ADVENTERPRISEK9-M), Experimental Version 15.2(20200924:215240
                                C3560 Software (C3560-IPBASE-M), Version 12.2(35)SE5
    •    Authentication source: Active Directory
    •    OS of PacketFence server: Debian 12

Any help or direction on how to resolve this VLAN assignment issue would be appreciated! Has anyone encountered something similar?

Thanks in advance.

Best regards,
[Your Name]

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
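
An added example, not part of the thread and not PacketFence code: a small Python check that automates the two steps suggested above, confirming that a RADIUS reply string from the audit log carries the VLAN tunnel attributes, and flagging the packetfence.log messages quoted in this thread that explain an empty role or VLAN. The sample reply and log text are copied from the thread (log prefixes trimmed); REPLY_NO_VLAN is constructed, and reading the text before "Vlan" in the switches.conf warning as the role name is an assumption.

```python
import re

# Attribute pairs as printed in the RADIUS audit log: Name = "value"
PAIR_RE = re.compile(r'([A-Za-z0-9-]+) = "([^"]*)"')

# packetfence.log messages seen in this thread, mapped to a short explanation
LOG_HINTS = [
    (re.compile(r"Found authentication source\(s\) : '' for realm '([^']*)'"),
     "no authentication source selected for realm '{0}'"),
    (re.compile(r"No category computed for autoreg"),
     "no role (category) computed for the node"),
    # Assumption: the text before "Vlan" is the role name (empty in the thread)
    (re.compile(r"No parameter (\S*)Vlan found in conf/switches\.conf for the switch (\S+)"),
     "role '{0}' has no VLAN mapping on switch {1}"),
]

def vlan_from_reply(reply):
    """Return the VLAN ID if the reply has the full tunnel triple, else None."""
    attrs = dict(PAIR_RE.findall(reply))
    if attrs.get("Tunnel-Type") != "VLAN":
        return None
    if attrs.get("Tunnel-Medium-Type") != "IEEE-802":
        return None
    return attrs.get("Tunnel-Private-Group-Id") or None

def explain_log(lines):
    """Return one explanation per known diagnostic message found in the lines."""
    findings = []
    for line in lines:
        for rx, msg in LOG_HINTS:
            m = rx.search(line)
            if m:
                findings.append(msg.format(*m.groups()))
    return findings

# RADIUS reply copied from the example in the thread
REPLY_OK = ('REST-HTTP-Status-Code = "200", Tunnel-Medium-Type = "IEEE-802", '
            'Tunnel-Private-Group-Id = "500", Tunnel-Type = "VLAN"')
# Constructed sample: an accept that carries no VLAN attributes
REPLY_NO_VLAN = 'REST-HTTP-Status-Code = "200"'
# Message text copied from the packetfence.log excerpt (syslog prefix trimmed)
LOG_SAMPLE = [
    "httpd.aaa(7) INFO: [mac:00:e0:4c:68:08:27] Found authentication source(s) : '' for realm 'null' (pf::config::util::filter_authentication_sources)",
    "httpd.aaa(7) WARN: [mac:00:e0:4c:68:08:27] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)",
    "httpd.aaa(7) WARN: [mac:00:e0:4c:68:08:27] No parameter Vlan found in conf/switches.conf for the switch 192.168.188.212 (pf::Switch::getVlanByName)",
]

if __name__ == "__main__":
    print("VLAN in reply:", vlan_from_reply(REPLY_OK))
    for finding in explain_log(LOG_SAMPLE):
        print("log:", finding)
```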

