Hey Ben,

you're right... after re-checking everything on our side, looks like 
there's an error in the Catalyst_3750.pm module... ( file: 
/usr/local/pf/lib/pf/SNMP/Cisco/Catalyst_3750.pm )

here's a quick fix that you can try, keep me posted... ( at line 26... 
after the use Net::SNMP declaration... add the lines between START / 
END... )

M-A

(...)

use Log::Log4perl;
use Net::SNMP;

### PATCH START HERE... ###

# importing switch constants - marcus test - may 06, 2011
use pf::SNMP::constants;
use pf::util;
use pf::config;

# CAPABILITIES
# access technology supported - marcus test - may 06, 2011
sub supportsWiredMacAuth { return $TRUE; }
sub supportsWiredDot1x { return $TRUE; }

### PATCH END HERE... ###

use base ('pf::SNMP::Cisco::Catalyst_2950');

=head1 AUTHOR

(...)
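
Review bot: the two capability subs (supportsWiredMacAuth, supportsWiredDot1x) return $TRUE, which nothing in the visible lines declares, so the patch depends on one of the three added imports (pf::SNMP::constants, pf::util, pf::config) exporting it; import only the module that actually provides $TRUE and name it in the comment. The subs also sit above use base ('pf::SNMP::Cisco::Catalyst_2950'); this works because use runs at compile time, but placing the overrides after the inheritance line makes it clearer that they replace inherited defaults, and the "marcus test" markers should be dropped before this is committed.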

M-A

On 11-05-05 18:35, Marc-André Jutras wrote:
> Config are ok... it should work...
> IOS version maybe ? can you try to update your switch ??
>
> M-A
>
>
> On 11-05-05 14:39, Willis, Ben wrote:
>> Is anyone out there using Cisco 3750's with mac authentication? They are 
>> listed in the table on the website as being supported....
>>
>> Thanks,
>> Ben
>>
>> ________________________________________
>> From: Willis, Ben [[email protected]]
>> Sent: Tuesday, May 03, 2011 2:22 PM
>> To: '[email protected]'
>> Subject: Re: [Packetfence-users] Radius Problems
>>
>> I got it "working" by changing my switch config to this instead of what is 
>> detailed in the network device config guide. It actually isn't working 
>> because I get the message:
>>
>>
>> pf::WebAPI(3433) ERROR: Wired MAC Authentication (Wired Access Authorization 
>> through RADIUS) is not supported on switch type 
>> pf::SNMP::Cisco::Catalyst_3750. Please let us know what hardware you are 
>> using. (pf::SNMP::supportsWiredMacAuth)
>>
>>
>>
>> I thought that I could use this config with Cisco 3750's? Am I only able to 
>> use port security?
>>
>>
>>
>>
>> ---Cisco 3750 radius config-
>> aaa authentication login default local
>> aaa authentication dot1x default group radius
>> aaa authorization network default group radius
>>
>> radius-server host 10.10.80.203 auth-port 1812 acct-port 1813 key ######
>>
>>
>> ---Cisco 3750 port config (802.1x with MAC Authentication bypass 
>> (Multi-Domain) )-
>> interface FastEthernet1/0/38
>>    switchport access vlan 100
>>    switchport mode access
>>    switchport voice vlan 15
>>    authentication host-mode multi-domain
>>    authentication order dot1x mab
>>    authentication priority dot1x mab
>>    authentication port-control auto
>>    authentication periodic
>>    authentication timer restart 10800
>>    authentication timer reauthenticate 10800
>>    mab
>>    no snmp trap link-status
>>    dot1x pae authenticator
>>    dot1x timeout quiet-period 2
>>    dot1x timeout tx-period 3
>> end
>>
>>
>> Thanks,
>> Ben
>> _______________________
>> There is no place like 127.0.0.1
>>
>> http://lmgtfy.com/?q=Anderson+School+District+Five
>>
>>
>> -----Original Message-----
>> From: Marc-André Jutras [mailto:[email protected]]
>> Sent: Tuesday, May 03, 2011 2:01 PM
>> To: [email protected]
>> Subject: Re: [Packetfence-users] Radius Problems
>>
>> Ben,
>>
>> your radiusd.conf file seems to be ok...
>>
>> - Any access-list on your switch that can block these requests ?
>> - try to re-enter your radius password in your switch... make sure this one 
>> is matching your radiusd.conf...
>> - what's the ip address of your switch ?  IOS version ? send me your switch 
>> config, I'll validate it...
>>
>> M-A
>> On 11-05-03 13:38, Willis, Ben wrote:
>>> Marc,
>>>
>>> I disabled iptables and I still don't get a connection from my switch. I 
>>> have my switches configured in clients.conf and since radius works locally 
>>> I don't know what else to confirm.
>>>
>>>
>>>
>>> client localhost {
>>>            ipaddr = 127.0.0.1
>>>            secret          = testing123
>>>            require_message_authenticator = no
>>>            nastype     = other     # localhost isn't usually a NAS...
>>> }
>>>
>>> client Cisco3750x {
>>>            secret          = cisco
>>>            ipaddr       = 10.85.10.1
>>> }
>>>
>>> client RAMS.MC.SW01 {
>>>            secret          = cisco
>>>            ipaddr       = 172.20.85.1
>>> }
>>>
>>> client 172.20.95.1 {
>>>            secret          = cisco
>>>            ipaddr       = 172.20.95.1
>>>            nastype         = cisco
>>> }
>>>
>>> client 10.95.0.0/16 {
>>>            secret          = cisco
>>>            shortname       = GVMS
>>> }
>>>
>>>
>>>
>>> Thanks,
>>> Ben
>>> _______________________
>>> There is no place like 127.0.0.1
>>>
>>> http://lmgtfy.com/?q=Anderson+School+District+Five
>>>
>>>
>>> -----Original Message-----
>>> From: Marc-André Jutras [mailto:[email protected]]
>>> Sent: Tuesday, May 03, 2011 1:11 PM
>>> To: [email protected]
>>> Subject: Re: [Packetfence-users] Radius Problems
>>>
>>> Hi again ! :)
>>>
>>> 1- to test your radius setup, de-activate your iptables ( iptables -F ) and 
>>> try to authenticate... if this is not working, validate your radius 
>>> config...
>>>
>>> 2- if your radius server is working, reload iptables and try to activate 
>>> some log for your traffic... ( example :
>>> http://www.techbytes.ca/techbyte136.html )
>>>
>>> 3- radiusd[3363]: segfault at 0000000000000000 rip 00002b4adba035db
>>> rsp
>>> 00007ffffa992bb0 error 4
>>> no issue there : this is what's happening every time you restart PF...
>>> ( PF will kill -9 radiusd at every restart ... )
>>>
>>> M-A
>>> On 11-05-03 12:49, Willis, Ben wrote:
>>>> Me again...
>>>>
>>>> I have PF working now with port security but my switches refuse to
>>>> work (Cisco 3750 (V2 and X's) with any 802.1x mac auth configurations.
>>>> The switch states:
>>>>
>>>> %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for
>>>> client (Unknown MAC) on Interface Fa1/0/46
>>>>
>>>> %AUTHMGR-5-FAIL: Authorization failed for client (Unknown MAC) on
>>>> Interface Fa1/0/46
>>>>
>>>> %AUTHMGR-5-START: Starting 'mab' for client (0025.6444.6aaa) on
>>>> Interface Fa1/0/46
>>>>
>>>> It seems like radius is not answering but radius does work for the
>>>> registration portal. I have verified iptables:
>>>>
>>>> -A RH-Firewall-1-INPUT -p udp -m udp --dport 1812 -d 10.10.80.203 -i
>>>> eth0.10 -j ACCEPT
>>>>
>>>> -A RH-Firewall-1-INPUT -p udp -m udp --dport 1813 -d 10.10.80.203 -i
>>>> eth0.10 -j ACCEPT
>>>>
>>>> This is the radius server config on my switches (straight out of the
>>>> guides):
>>>>
>>>> aaa new-model
>>>>
>>>> aaa group server radius packtfence
>>>>
>>>> server 10.10.80.203 auth-port 1812 acct-port 1813
>>>>
>>>> aaa authentication login default local
>>>>
>>>> aaa authentication dot1x default group packetfence
>>>>
>>>> aaa authorization network default group packetfence
>>>>
>>>> radius-server host 10.10.80.203 auth-port 1812 acct-port 1813 timeout
>>>> 2 key ######
>>>>
>>>> radius-server vsa send authentication
>>>>
>>>> I did notice this error while monitoring /var/log/messages:
>>>>
>>>> A5DO-NAC kernel: radiusd[3363]: segfault at 0000000000000000 rip
>>>> 00002b4adba035db rsp 00007ffffa992bb0 error 4
>>>>
>>>> Hoping that someone can point me in the right direction......
>>>>
>>>> Thanks for the help so far,
>>>>
>>>> Ben in SC
>>>>
>> ANDERSON SCHOOL DISTRICT FIVE NOTICE: This email may contain business 
>> related information that is
>> PERSONAL AND CONFIDENTIAL. If you have received this email in error, this 
>> does not
>> constitute permission to examine, copy or distribute the accompanying 
>> material.
>> If you receive this message in error, please notify the sender immediately 
>> or call 864-260-5000.
>>
>> ------------------------------------------------------------------------------
>> WhatsUp Gold - Download Free Network Management Software
>> The most intuitive, comprehensive, and cost-effective network
>> management toolset available today.  Delivers lowest initial
>> acquisition cost and overall TCO of any competing solution.
>> http://p.sf.net/sfu/whatsupgold-sd
>> _______________________________________________
>> Packetfence-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>


-- 
Marc-Andre Jutras, Project manager - Inverse inc.
[email protected] :: +1.514.447.4918 (x110) :: http://www.inverse.ca
Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
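
A consistency check for the kind of IOS AAA configuration quoted in this thread, as an added example that is not part of the original messages or of PacketFence: it reports method lists that reference a server group never declared with `aaa group server`. The sample configuration is constructed (modeled on the thread, with a documentation IP address), and the function names and the set of built-in group names are assumptions of this sketch.

```python
import re

# Group names usable without an "aaa group server" stanza
# (assumption of this sketch: only the two classic built-ins).
BUILTIN_GROUPS = {"radius", "tacacs+"}

DEFINE_RE = re.compile(r"^aaa group server (?:radius|tacacs\+) (\S+)", re.I)
METHOD_RE = re.compile(r"^aaa (?:authentication|authorization|accounting) (.+)$", re.I)

# Constructed sample: the group is declared under one name and
# referenced under another.
SAMPLE = """\
aaa new-model
aaa group server radius packtfence
 server 192.0.2.10 auth-port 1812 acct-port 1813
aaa authentication login default local
aaa authentication dot1x default group packetfence
aaa authorization network default group packetfence
"""


def defined_groups(config):
    """Names declared with 'aaa group server radius|tacacs+ NAME'."""
    found = (DEFINE_RE.match(line.strip()) for line in config.splitlines())
    return {m.group(1) for m in found if m}


def referenced_groups(config):
    """(line number, line, group name) for each 'group NAME' in a method list."""
    refs = []
    for lineno, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        m = METHOD_RE.match(line)
        if not m:
            continue
        tokens = m.group(1).split()
        for i, tok in enumerate(tokens[:-1]):
            if tok.lower() == "group":
                refs.append((lineno, line, tokens[i + 1]))
    return refs


def undefined_group_refs(config):
    """Method-list references to groups that are neither declared nor built in."""
    known = defined_groups(config) | BUILTIN_GROUPS
    return [ref for ref in referenced_groups(config) if ref[2] not in known]


if __name__ == "__main__":
    for lineno, line, name in undefined_group_refs(SAMPLE):
        print(f"line {lineno}: group '{name}' is not defined: {line}")
```
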

