When you start radius in debug (radiusd -X), do you see something like
the following at startup:
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname,
shortname, type, secret FROM radius_nas
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Read entry
nasname=10.0.0.10,shortname=10.0.0.10,secret=a_secret
rlm_sql (sql): Adding client 10.0.0.10 (10.0.0.10, server=<none>) to
clients list
On 11-12-09 9:01 AM, Morris, Andi wrote:
Yes I do, the radtest in the admin guide works as does the ntlm_auth
against a user in my active directory.
------------------------------------------------------------------------
*From:* Francois Gaudreault [[email protected]]
*Sent:* 09 December 2011 13:53
*To:* [email protected]
*Subject:* Re: [Packetfence-users] Radius server ignoring requests
from known switch
Andi,
Do you have the packetfence-freeradius2 package installed? Did you
change the db credentials in /etc/raddb/sql.conf?
On 11-12-09 8:42 AM, Morris, Andi wrote:
I have configured a Cisco 3550 to connect via dot1x to the
packetfence server as per the network config guide, which all seemed
to go well. However I’m not getting an IP address on a client
plugged into the switch.
When running radius -X on the packetfence server I see the following:
Ignoring request to authentication address * port 1812 as server
packetfence from unknown client 192.168.41.53 port 1645
Ready to process requests.
This IP address is the only switch I have defined in my switches.conf
so I’ve no idea why radius would say it is an unknown client and
ignore the request.
Relevant parts of the switch config are:
aaa new-model
!
!
aaa group server radius packetfence
server 192.168.52.1 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication login MyVTY line
aaa authentication login myCon none
aaa authentication dot1x default group packetfence
aaa session-id common
ip subnet-zero
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
interface FastEthernet0/1
switchport access vlan 4
switchport mode access
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer restart 10800
authentication timer reauthenticate 7200
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 3
spanning-tree portfast
snmp-server community ******** RW
snmp-server community ****** RO
snmp-server location **********
snmp-server contact *******************
*snmp-server host 192.168.1.10 public-uwic config vlan-membership snmp*
radius-server host 192.168.52.1 auth-port 1812 acct-port 1813 timeout
2 key 7 044F0E151B284249584B56
radius-server vsa send authentication
The line I have put in bold above I think may be significant
possibly. The IP address specified isn’t the IP address of the
packetfence server, it is a different server that we have here that
monitors switches via snmp.
Switches.conf is:
#
# Copyright 2006-2008 Inverse inc.
#
# See the enclosed file COPYING for license information (GPL).
# If you did not receive this file, see
# http://www.fsf.org/licensing/licenses/gpl.html
[default]
vlans=4,301,308,309
normalVlan=301
registrationVlan=308
isolationVlan=309
macDetectionVlan=4
guestVlan=
customVlan1=
customVlan2=
customVlan3=
customVlan4=
customVlan5=
VoIPEnabled=no
voiceVlan=
mode=testing
macSearchesMaxNb=30
macSearchesSleepInterval=2
uplink=dynamic
#
# Command Line Interface
#
# cliTransport could be: Telnet, SSH or Serial
cliTransport=Telnet
cliUser=
cliPwd=
cliEnablePwd=
#
# SNMP section
#
# PacketFence -> Switch
SNMPVersion=2c
SNMPCommunityRead=*****
SNMPCommunityWrite=***********
#SNMPEngineID = 0000000000000
#SNMPUserNameRead = readUser
#SNMPAuthProtocolRead = MD5
#SNMPAuthPasswordRead = authpwdread
#SNMPPrivProtocolRead = DES
#SNMPPrivPasswordRead = privpwdread
#SNMPUserNameWrite = writeUser
#SNMPAuthProtocolWrite = MD5
#SNMPAuthPasswordWrite = authpwdwrite
#SNMPPrivProtocolWrite = DES
#SNMPPrivPasswordWrite = privpwdwrite
# Switch -> PacketFence
SNMPVersionTrap=2c
SNMPCommunityTrap=allegro
#SNMPAuthProtocolTrap = MD5
#SNMPAuthPasswordTrap = authpwdread
#SNMPPrivProtocolTrap = DES
#SNMPPrivPasswordTrap = privpwdread
#
# Web Services Interface
#
# wsTransport could be: http or https
wsTransport=http
wsUser=
wsPwd=
#
# RADIUS NAS Client config
#
# RADIUS shared secret with switch
radiusSecret=testing123
type=
controllerIp=192.168.52.1
SNMPUserNameTrap=
SNMPAuthProtocolTrap=
SNMPAuthPasswordTrap=
SNMPPrivProtocolTrap=
SNMPPrivPasswordTrap=
SNMPEngineID=
SNMPUserNameRead=
SNMPAuthProtocolRead=
SNMPAuthPasswordRead=
SNMPPrivProtocolRead=
SNMPPrivPasswordRead=
SNMPUserNameWrite=
SNMPAuthProtocolWrite=
SNMPAuthPasswordWrite=
SNMPPrivProtocolWrite=
SNMPPrivPasswordWrite=
[127.0.0.1]
type=PacketFence
mode=production
uplink=dynamic
[192.168.41.53]
type=Cisco::Catalyst_3550
radiusSecret=testing123
controllerIp=192.168.52.1
SNMPVersion=2c
#SNMPVersion = 3
#SNMPEngineID = 0000000000000
#SNMPUserNameRead = readUser
#SNMPAuthProtocolRead = MD5
#SNMPAuthPasswordRead = authpwdread
#SNMPPrivProtocolRead = DES
#SNMPPrivPasswordRead = privpwdread
#SNMPUserNameWrite = writeUser
#SNMPAuthProtocolWrite = MD5
#SNMPAuthPasswordWrite = authpwdwrite
#SNMPPrivProtocolWrite = DES
#SNMPPrivPasswordWrite = privpwdwrite
#SNMPVersionTrap = 3
#SNMPUserNameTrap = readUser
#SNMPAuthProtocolTrap = MD5
#SNMPAuthPasswordTrap = authpwdread
#SNMPPrivProtocolTrap = DES
#SNMPPrivPasswordTrap = privpwdread
Can anyone help as to why the radius requests are reaching the PF
server, but being ignored?
---------------------------------------------------------------
Andi Morris
Technical Security Analyst
Systems and Communications Services
Information Services Division
UWIC
Cardiff
Wales
CF5 2YB
02920 205720
--------------------------------------------------------------
------------------------------------------------------------------------------
Cloud Services Checklist: Pricing and Packaging Optimization
This white paper is intended to serve as a reference, checklist and point of
discussion for anyone considering optimizing the pricing and packaging model
of a cloud services business. Read Now!
http://www.accelacomm.com/jaw/sfnl/114/51491232/
_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Francois Gaudreault, ing. jr
[email protected] :: +1.514.447.4918 (x130) ::www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
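A small diagnostic added here as an example (not from the thread and not PacketFence's own code): it parses a switches.conf in the format quoted above, applies the [default] inheritance, and matches the switch sections against the source IP in the "Ignoring request ... from unknown client" line from radiusd -X. The sample config and log line are constructed from the thread's values.

```python
import configparser
import re
from typing import Dict, List, Tuple

# Constructed sample in the switches.conf format quoted in the thread;
# per-switch sections inherit every key from [default].
SWITCHES_CONF = """\
[default]
radiusSecret=testing123
controllerIp=192.168.52.1
mode=testing

[127.0.0.1]
type=PacketFence
mode=production

[192.168.41.53]
type=Cisco::Catalyst_3550
radiusSecret=testing123
controllerIp=192.168.52.1
"""

# Constructed radiusd -X output modelled on the line quoted in the thread.
RADIUSD_LOG = """\
Ignoring request to authentication address * port 1812 as server packetfence from unknown client 192.168.41.53 port 1645
Ready to process requests.
"""

IGNORE_RE = re.compile(r"Ignoring request .* from unknown client (\S+) port (\d+)")


def load_switches(text: str) -> Dict[str, Dict[str, str]]:
    """Parse switches.conf into {section: keys}, with [default] values inherited."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case: radiusSecret, controllerIp
    parser.read_string(text)
    defaults = dict(parser["default"]) if parser.has_section("default") else {}
    return {name: {**defaults, **parser[name]}
            for name in parser.sections() if name != "default"}


def unknown_clients(log: str) -> List[Tuple[str, int]]:
    """Source IP and port of each request radiusd dropped as an unknown client."""
    return [(m.group(1), int(m.group(2))) for m in IGNORE_RE.finditer(log)]


def diagnose(switches_conf: str, log: str) -> Dict[str, str]:
    """Classify each rejected NAS: 'missing' (no section), 'no_secret', or 'defined'.
    'defined' means switches.conf is fine and the problem is downstream: FreeRADIUS
    reads its clients from the radius_nas table at startup (see the rlm_sql debug
    output above), so check that table and the DB credentials in sql.conf."""
    switches = load_switches(switches_conf)
    result = {}
    for ip, _port in unknown_clients(log):
        if ip not in switches:
            result[ip] = "missing"
        elif not switches[ip].get("radiusSecret"):
            result[ip] = "no_secret"
        else:
            result[ip] = "defined"
    return result
```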