I have another thread going on, but this seems to be another issue entirely.  
It may have to do with my hacked Catalyst 4500 module, but from the logs it 
does not even seem to be getting that far.

I have two different testing workstations connected through a VOIP phone.  Here 
are the port configurations:


interface GigabitEthernet4/45
 switchport mode access
 switchport voice vlan 140
 authentication host-mode multi-domain
 authentication order mab
 authentication port-control auto
 authentication periodic
 authentication timer restart 10800
 authentication timer reauthenticate 10800
 authentication violation restrict
 mab
 no snmp trap link-status
 dot1x pae authenticator
 spanning-tree portfast

interface GigabitEthernet5/44
 switchport mode access
 switchport voice vlan 140
 authentication host-mode multi-domain
 authentication order mab
 authentication port-control auto
 authentication periodic
 authentication timer restart 10800
 authentication timer reauthenticate 10800
 authentication violation restrict
 mab
 no snmp trap link-status
 dot1x pae authenticator
 spanning-tree portfast
end

As you can see, they are identical.  The MACs for all of the devices are 
registered in PacketFence, and the MACs for the phones are identified as VOIP 
devices.  Which brings up another question.  I have the VOIP phones 
autoregistering based upon their Vendor MAC prefix.  Is it possible to 
auto-classify them as VOIP devices as well?

I will refer to the devices as Host_A, Phone_A, Host_B, Phone_B, and replace 
the MACs accordingly for the purpose of clarity and security.  Host_A is 
connected to port Gi5/44, and Host_B is connected to Gi4/45.

Host_A and Phone_A work perfectly (other than issues with forcing reauth via 
SNMP, which I am working on in another thread :)).
Phone_B is not working, and keeps bootlooping, which is affecting Host_B's 
connectivity.

The error is "Can't call method "NasPortToIfIndex" on an undefined value", as 
can be seen below.

Here is what I see in packetfence.log and RADIUS for each phone (I'll give you 
the stuff for the hosts if you like, but I don't see anything particularly 
interesting):

Phone_A (working):
Mar 24 11:24:05 pf::WebAPI(22979) INFO: handling radius autz request: from 
switch_ip => switchip, connection_type => Ethernet-NoEAP mac => phone_a_mac, 
port => 50544, username => phoneamac (pf::radius::authorize)
Mar 24 11:24:05 pf::WebAPI(22979) INFO: autoregister a node that is already 
registered, do nothing. (pf::node::node_register)
Mar 24 11:24:05 pf::WebAPI(22979) WARN: database query failed with: Column 
'port' cannot be null. (errno: 1048), will try again (pf::db::db_query_execute)
Mar 24 11:24:05 pf::WebAPI(22979) WARN: database query failed with: Column 
'port' cannot be null. (errno: 1048), will try again (pf::db::db_query_execute)
Mar 24 11:24:05 pf::WebAPI(22979) WARN: database query failed with: Column 
'port' cannot be null. (errno: 1048), will try again (pf::db::db_query_execute)
Mar 24 11:24:05 pf::WebAPI(22979) ERROR: Database issue: We tried 3 times to 
serve query locationlog_insert_start_with_mac_sql called from 
pf::locationlog::locationlog_insert_start and we failed. Is the database 
running? (pf::db::db_query_execute)
Mar 24 11:24:05 pf::WebAPI(22979) WARN: Unable to insert a locationlog entry. 
(pf::locationlog::locationlog_synchronize)

rad_recv: Access-Request packet from host SwitchIP port 1645, id=36, length=208
        User-Name = "phoneamac"
        User-Password = "phoneamac"
        Service-Type = Call-Check
        Framed-MTU = 1500
        Called-Station-Id = "xxx"
        Calling-Station-Id = "Phone_A_MAC"
        Message-Authenticator = 0x89faa8d3a86af57aa0fc6e329213d7e7
        Cisco-AVPair = "audit-session-id=0ADB0529000015F71E65F3C4"
        NAS-Port-Type = Ethernet
        NAS-Port = 50544
        NAS-Port-Id = "GigabitEthernet5/44"
        NAS-IP-Address = SwitchIP
+- entering group authorize {...}
++[preprocess] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_perl: Added pair NAS-Port-Type = Ethernet
rlm_perl: Added pair Service-Type = Call-Check
rlm_perl: Added pair Calling-Station-Id = Phone_A_MAC
rlm_perl: Added pair Called-Station-Id = xxx
rlm_perl: Added pair Message-Authenticator = 0x89faa8d3a86af57aa0fc6e329213d7e7
rlm_perl: Added pair Cisco-AVPair = audit-session-id=0ADB0529000015F71E65F3C4
rlm_perl: Added pair User-Name = phoneamac
rlm_perl: Added pair User-Password = phoneamac
rlm_perl: Added pair NAS-IP-Address = switchip
rlm_perl: Added pair NAS-Port = 50544
rlm_perl: Added pair NAS-Port-Id = GigabitEthernet5/44
rlm_perl: Added pair Framed-MTU = 1500
rlm_perl: Added pair Auth-Type = Accept
++[perl] returns noop
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
+- entering group post-auth {...}
rlm_perl: PacketFence NO RESULT VLAN
rlm_perl: PacketFence RESULT RESPONSE CODE: 2 (2 means OK)
rlm_perl: Added pair NAS-Port-Type = Ethernet
rlm_perl: Added pair Service-Type = Call-Check
rlm_perl: Added pair Called-Station-Id = xxx
rlm_perl: Added pair Calling-Station-Id = Phone_A_MAC
rlm_perl: Added pair Message-Authenticator = 0x89faa8d3a86af57aa0fc6e329213d7e7
rlm_perl: Added pair Cisco-AVPair = audit-session-id=0ADB0529000015F71E65F3C4
rlm_perl: Added pair User-Name = phoneamac
rlm_perl: Added pair User-Password = phoneamac
rlm_perl: Added pair NAS-Port = 50544
rlm_perl: Added pair NAS-IP-Address = SwitchIP
rlm_perl: Added pair Framed-MTU = 1500
rlm_perl: Added pair NAS-Port-Id = GigabitEthernet5/44
rlm_perl: Added pair Cisco-AVPair = device-traffic-class=voice
rlm_perl: Added pair Auth-Type = Accept
++[perl] returns ok
Sending Access-Accept of id 36 to SwitchIP port 1645
        Cisco-AVPair = "device-traffic-class=voice"

Phone_B (not working):

Mar 24 11:36:50 pf::WebAPI(22970) INFO: handling radius autz request: from 
switch_ip => SwitchIP, connection_type => Ethernet-NoEAP mac => Phone_B_MAC, 
port => 50445, username => phonebmac (pf::radius::authorize)
Mar 24 11:36:50 pf::WebAPI(22970) INFO: autoregister a node that is already 
registered, do nothing. (pf::node::node_register)
Mar 24 11:36:50 pf::WebAPI(22970) FATAL: radius authorize failed with error: 
Can't call method "NasPortToIfIndex" on an undefined value at 
/usr/local/pf/lib/pf/radius.pm line 395. (PFAPI::radius_authorize)

rad_recv: Access-Request packet from host SwitchIP port 1645, id=78, length=208
        User-Name = "phonebmac"
        User-Password = "phonebmac"
        Service-Type = Call-Check
        Framed-MTU = 1500
        Called-Station-Id = "xxx"
        Calling-Station-Id = "Phone_B_MAC"
        Message-Authenticator = 0x9359256e93c78bf21df81da2505bc42c
        Cisco-AVPair = "audit-session-id=0ADB0529000016211E6F2A08"
        NAS-Port-Type = Ethernet
        NAS-Port = 50445
        NAS-Port-Id = "GigabitEthernet4/45"
        NAS-IP-Address = SwitchIP
+- entering group authorize {...}
++[preprocess] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_perl: Added pair NAS-Port-Type = Ethernet
rlm_perl: Added pair Service-Type = Call-Check
rlm_perl: Added pair Calling-Station-Id = Phone_B_MAC
rlm_perl: Added pair Called-Station-Id = xxx
rlm_perl: Added pair Message-Authenticator = 0x9359256e93c78bf21df81da2505bc42c
rlm_perl: Added pair Cisco-AVPair = audit-session-id=0ADB0529000016211E6F2A08
rlm_perl: Added pair User-Name = phonebmac
rlm_perl: Added pair User-Password = phonebmac
rlm_perl: Added pair NAS-IP-Address = SwitchIP
rlm_perl: Added pair NAS-Port = 50445
rlm_perl: Added pair NAS-Port-Id = GigabitEthernet4/45
rlm_perl: Added pair Framed-MTU = 1500
rlm_perl: Added pair Auth-Type = Accept
++[perl] returns noop
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
+- entering group post-auth {...}
rlm_perl: PacketFence DENIED CONNECTION because of SOAP error see syslog for 
details.
rlm_perl: Added pair NAS-Port-Type = Ethernet
rlm_perl: Added pair Service-Type = Call-Check
rlm_perl: Added pair Called-Station-Id = xxx
rlm_perl: Added pair Calling-Station-Id = Phone_B_MAC
rlm_perl: Added pair Message-Authenticator = 0x9359256e93c78bf21df81da2505bc42c
rlm_perl: Added pair Cisco-AVPair = audit-session-id=0ADB0529000016211E6F2A08
rlm_perl: Added pair User-Name = phonebmac
rlm_perl: Added pair User-Password = phonebmac
rlm_perl: Added pair NAS-Port = 50445
rlm_perl: Added pair NAS-IP-Address = SwitchIP
rlm_perl: Added pair Framed-MTU = 1500
rlm_perl: Added pair NAS-Port-Id = GigabitEthernet4/45
rlm_perl: Added pair Auth-Type = Accept
++[perl] returns fail

Sorry if I have sent excessive information, but I am trying to be as complete 
as possible.  Let me know what else might be needed.

Thanks,
Brent
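
An added example, not part of the original post and not PacketFence code: a small triage script that re-joins hard-wrapped packetfence.log entries like the ones above and attributes each WARN/ERROR/FATAL to the MAB request that preceded it. The sample log is constructed from the shapes shown in the post; the function names are hypothetical, and treating the number after pf::WebAPI as a worker PID to correlate on is an assumption.

```python
import re

# Constructed sample: entries shaped like the post's packetfence.log excerpts,
# hard-wrapped as the mail client wrapped them, with the post's placeholders.
SAMPLE = """\
Mar 24 11:24:05 pf::WebAPI(22979) INFO: handling radius autz request: from
switch_ip => switchip, connection_type => Ethernet-NoEAP mac => phone_a_mac,
port => 50544, username => phoneamac (pf::radius::authorize)
Mar 24 11:24:05 pf::WebAPI(22979) WARN: database query failed with: Column
'port' cannot be null. (errno: 1048), will try again (pf::db::db_query_execute)
Mar 24 11:24:05 pf::WebAPI(22979) WARN: Unable to insert a locationlog entry.
(pf::locationlog::locationlog_synchronize)
Mar 24 11:36:50 pf::WebAPI(22970) INFO: handling radius autz request: from
switch_ip => SwitchIP, connection_type => Ethernet-NoEAP mac => Phone_B_MAC,
port => 50445, username => phonebmac (pf::radius::authorize)
Mar 24 11:36:50 pf::WebAPI(22970) FATAL: radius authorize failed with error:
Can't call method "NasPortToIfIndex" on an undefined value at
/usr/local/pf/lib/pf/radius.pm line 395. (PFAPI::radius_authorize)
"""

# A new entry starts with "Mon DD HH:MM:SS process(pid) LEVEL: message".
START = re.compile(r"^[A-Z][a-z]{2} +\d+ [\d:]{8} (\S+)\((\d+)\) ([A-Z]+): (.*)$")
# The authorize line carries the MAC and NAS-Port of the request.
AUTZ = re.compile(r"mac => (\S+?), port => (\d+)")

def unwrap(text):
    """Re-join wrapped continuation lines into one record per log entry."""
    records = []
    for line in text.splitlines():
        m = START.match(line)
        if m:
            records.append(list(m.groups()))
        elif records and line.strip():
            records[-1][3] = records[-1][3].rstrip() + " " + line.strip()
    return records

def triage(text):
    """Map (mac, nas_port) -> list of problem levels logged for that request."""
    in_flight = {}  # pid -> (mac, port) of the last request seen on that worker
    report = {}
    for _proc, pid, level, msg in unwrap(text):
        m = AUTZ.search(msg)
        if m:
            in_flight[pid] = (m.group(1), int(m.group(2)))
            report.setdefault(in_flight[pid], [])
        elif level in ("WARN", "ERROR", "FATAL") and pid in in_flight:
            report[in_flight[pid]].append(level)
    return report

if __name__ == "__main__":
    for (mac, port), levels in triage(SAMPLE).items():
        print(mac, port, levels or "clean")
```
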
