Yes I do; the radtest from the admin guide works, as does ntlm_auth against a
user in my Active Directory.
________________________________
From: Francois Gaudreault [[email protected]]
Sent: 09 December 2011 13:53
To: [email protected]
Subject: Re: [Packetfence-users] Radius server ignoring requests from known
switch
Andi,
Do you have the packetfence-freeradius2 package installed? Did you change the
db credentials in /etc/raddb/sql.conf?
On 11-12-09 8:42 AM, Morris, Andi wrote:
I have configured a Cisco 3550 to connect via dot1x to the packetfence server
as per the network config guide, which all seemed to go well. However I’m not
getting an IP address on a client plugged into the switch.
When running radius -X on the packetfence server I see the following:
Ignoring request to authentication address * port 1812 as server packetfence
from unknown client 192.168.41.53 port 1645
Ready to process requests.
This IP address is the only switch I have defined in my switches.conf so I’ve
no idea why radius would say it is an unknown client and ignore the request.
Relevant parts of the switch config are:
aaa new-model
!
!
aaa group server radius packetfence
server 192.168.52.1 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication login MyVTY line
aaa authentication login myCon none
aaa authentication dot1x default group packetfence
aaa session-id common
ip subnet-zero
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
interface FastEthernet0/1
switchport access vlan 4
switchport mode access
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer restart 10800
authentication timer reauthenticate 7200
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 3
spanning-tree portfast
snmp-server community ******** RW
snmp-server community ****** RO
snmp-server location **********
snmp-server contact *******************
snmp-server host 192.168.1.10 public-uwic config vlan-membership snmp
radius-server host 192.168.52.1 auth-port 1812 acct-port 1813 timeout 2 key 7 044F0E151B284249584B56
radius-server vsa send authentication
I think the line I have put in bold above may be significant: the IP
address specified isn't the IP address of the packetfence server; it is a
different server we have here that monitors switches via SNMP.
Switches.conf is:
#
# Copyright 2006-2008 Inverse inc.
#
# See the enclosed file COPYING for license information (GPL).
# If you did not receive this file, see
# http://www.fsf.org/licensing/licenses/gpl.html
[default]
vlans=4,301,308,309
normalVlan=301
registrationVlan=308
isolationVlan=309
macDetectionVlan=4
guestVlan=
customVlan1=
customVlan2=
customVlan3=
customVlan4=
customVlan5=
VoIPEnabled=no
voiceVlan=
mode=testing
macSearchesMaxNb=30
macSearchesSleepInterval=2
uplink=dynamic
#
# Command Line Interface
#
# cliTransport could be: Telnet, SSH or Serial
cliTransport=Telnet
cliUser=
cliPwd=
cliEnablePwd=
#
# SNMP section
#
# PacketFence -> Switch
SNMPVersion=2c
SNMPCommunityRead=*****
SNMPCommunityWrite=***********
#SNMPEngineID = 0000000000000
#SNMPUserNameRead = readUser
#SNMPAuthProtocolRead = MD5
#SNMPAuthPasswordRead = authpwdread
#SNMPPrivProtocolRead = DES
#SNMPPrivPasswordRead = privpwdread
#SNMPUserNameWrite = writeUser
#SNMPAuthProtocolWrite = MD5
#SNMPAuthPasswordWrite = authpwdwrite
#SNMPPrivProtocolWrite = DES
#SNMPPrivPasswordWrite = privpwdwrite
# Switch -> PacketFence
SNMPVersionTrap=2c
SNMPCommunityTrap=allegro
#SNMPAuthProtocolTrap = MD5
#SNMPAuthPasswordTrap = authpwdread
#SNMPPrivProtocolTrap = DES
#SNMPPrivPasswordTrap = privpwdread
#
# Web Services Interface
#
# wsTransport could be: http or https
wsTransport=http
wsUser=
wsPwd=
#
# RADIUS NAS Client config
#
# RADIUS shared secret with switch
radiusSecret=testing123
type=
controllerIp=192.168.52.1
SNMPUserNameTrap=
SNMPAuthProtocolTrap=
SNMPAuthPasswordTrap=
SNMPPrivProtocolTrap=
SNMPPrivPasswordTrap=
SNMPEngineID=
SNMPUserNameRead=
SNMPAuthProtocolRead=
SNMPAuthPasswordRead=
SNMPPrivProtocolRead=
SNMPPrivPasswordRead=
SNMPUserNameWrite=
SNMPAuthProtocolWrite=
SNMPAuthPasswordWrite=
SNMPPrivProtocolWrite=
SNMPPrivPasswordWrite=
[127.0.0.1]
type=PacketFence
mode=production
uplink=dynamic
[192.168.41.53]
type=Cisco::Catalyst_3550
radiusSecret=testing123
controllerIp=192.168.52.1
SNMPVersion=2c
#SNMPVersion = 3
#SNMPEngineID = 0000000000000
#SNMPUserNameRead = readUser
#SNMPAuthProtocolRead = MD5
#SNMPAuthPasswordRead = authpwdread
#SNMPPrivProtocolRead = DES
#SNMPPrivPasswordRead = privpwdread
#SNMPUserNameWrite = writeUser
#SNMPAuthProtocolWrite = MD5
#SNMPAuthPasswordWrite = authpwdwrite
#SNMPPrivProtocolWrite = DES
#SNMPPrivPasswordWrite = privpwdwrite
#SNMPVersionTrap = 3
#SNMPUserNameTrap = readUser
#SNMPAuthProtocolTrap = MD5
#SNMPAuthPasswordTrap = authpwdread
#SNMPPrivProtocolTrap = DES
#SNMPPrivPasswordTrap = privpwdread
Can anyone help as to why the radius requests are reaching the PF server, but
being ignored?
---------------------------------------------------------------
Andi Morris
Technical Security Analyst
Systems and Communications Services
Information Services Division
UWIC
Cardiff
Wales
CF5 2YB
02920 205720
--------------------------------------------------------------
________________________________
>From 1st November 2011 UWIC changed its title to Cardiff Metropolitan
>University. From the 6th December, as part of this change, all email addresses
>which included @uwic.ac.uk have changed to @cardiffmet.ac.uk. All emails sent
>from Cardiff Metropolitan University will now be sent from the new
>@cardiffmet.ac.uk address. Please could you ensure that all of your contact
>records and databases are updated to reflect this change. Further information
>can be found on the website
>here.<http://www3.uwic.ac.uk/English/News/Pages/UWIC-Name-Change.aspx>
_______________________________________________
Packetfence-users mailing list
[email protected]<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Francois Gaudreault, ing. jr
[email protected]<mailto:[email protected]> :: +1.514.447.4918
(x130) :: www.inverse.ca<http://www.inverse.ca>
Inverse inc. :: Leaders behind SOGo (www.sogo.nu<http://www.sogo.nu>) and
PacketFence (www.packetfence.org<http://www.packetfence.org>)
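The thread turns on one fact: FreeRADIUS drops a packet whose source IP is not in the client list it actually loaded, whatever switches.conf says, which is why the reply asks about the packetfence-freeradius2 package and the database credentials in /etc/raddb/sql.conf. The script below is an added example, not code from the thread or from PacketFence, that cross-checks the "unknown client" address in a radiusd -X log line against the switch sections of a PacketFence-style switches.conf (with [default] inheritance) and renders the clients.conf stanza FreeRADIUS would need for each switch. The log line and the abbreviated switches.conf are constructed from the values quoted in the thread; the function names and the diagnosis strings are this example's own.

```python
"""
Added example (not part of the thread, not PacketFence's own code): check
whether the NAS that FreeRADIUS reports as an "unknown client" is defined in
switches.conf, and show the equivalent FreeRADIUS clients.conf entry.
"""
import configparser
import re

# Constructed sample: the two lines from the thread's radiusd -X output.
SAMPLE_LOG = [
    "Ignoring request to authentication address * port 1812 as server packetfence "
    "from unknown client 192.168.41.53 port 1645",
    "Ready to process requests.",
]

# Constructed, abbreviated switches.conf in the format the thread shows.
SAMPLE_SWITCHES_CONF = """
[default]
radiusSecret=testing123
type=
controllerIp=192.168.52.1
[127.0.0.1]
type=PacketFence
mode=production
[192.168.41.53]
type=Cisco::Catalyst_3550
radiusSecret=testing123
controllerIp=192.168.52.1
"""

# "port N" after the IP is the source port of the NAS's packet, not the
# server port it was sent to, so 1645 here is not a port mismatch.
UNKNOWN_CLIENT_RE = re.compile(r"from unknown client (\d+\.\d+\.\d+\.\d+) port (\d+)")


def unknown_clients(log_lines):
    """Return the (ip, source_port) pairs FreeRADIUS reported as unknown clients."""
    hits = []
    for line in log_lines:
        m = UNKNOWN_CLIENT_RE.search(line)
        if m:
            hits.append((m.group(1), int(m.group(2))))
    return hits


def load_switches(text):
    """Parse switches.conf; every per-switch section inherits from [default]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case (radiusSecret, controllerIp)
    cp.read_string(text)
    defaults = dict(cp["default"]) if cp.has_section("default") else {}
    switches = {}
    for section in cp.sections():
        if section == "default":
            continue
        merged = dict(defaults)
        merged.update(cp[section])
        switches[section] = merged
    return switches


def diagnose(log_lines, switches_text):
    """For each unknown client, say whether switches.conf defines it.

    Returns a list of (ip, status) tuples. A switch that is defined in
    switches.conf but still unknown to radiusd means the client list radiusd
    loaded (clients.conf or the SQL NAS table) does not contain it, so the
    next place to look is the FreeRADIUS side, not the switch.
    """
    switches = load_switches(switches_text)
    results = []
    for ip, _port in unknown_clients(log_lines):
        if ip in switches:
            results.append((ip, "defined in switches.conf; check the client list radiusd loaded"))
        else:
            results.append((ip, "not defined in switches.conf"))
    return results


def clients_conf_stanza(ip, switch):
    """Render the FreeRADIUS clients.conf entry equivalent to one switch section."""
    secret = switch.get("radiusSecret", "")
    shortname = ip.replace(".", "_")
    return (f"client {ip} {{\n"
            f"    ipaddr = {ip}\n"
            f"    secret = {secret}\n"
            f"    shortname = {shortname}\n"
            f"    nastype = other\n"
            f"}}\n")


if __name__ == "__main__":
    for ip, status in diagnose(SAMPLE_LOG, SAMPLE_SWITCHES_CONF):
        print(f"{ip}: {status}")
    for ip, sw in load_switches(SAMPLE_SWITCHES_CONF).items():
        print(clients_conf_stanza(ip, sw))
```

Run against the thread's values the script reports 192.168.41.53 as defined in switches.conf, which is the situation in the thread: the switch is configured on the PacketFence side, so the missing piece is the client list radiusd reads at startup. The rendered stanza is what a hand-maintained clients.conf would need; if the installation relies on SQL-backed clients instead, the shared secret (radiusSecret) must agree between the switch, switches.conf and that table, or the request is silently dropped the same way.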