Hello,
I've deployed PacketFence 3.6.1 with a Cisco 3560 flawlessly (dot1x and MAB
auths).
I also have set periodic authentication and all works fine.
But the problem begins when I enable accounting on the Cisco. Once the switch
tries to perform the reauth against the client machine, PacketFence says the
following:
radius.log:
Fri Dec 14 17:36:36 2012 : Auth: Login OK: [domain/I005466] (from client 192.168.72.254 port 50006 cli 54-04-A6-F4-84-A1 via TLS tunnel)
Fri Dec 14 17:36:36 2012 : Info: rlm_perl: MAC address is empty or invalid in this request. It could be normal on certain radius calls
Fri Dec 14 17:36:36 2012 : Auth: Login OK: [domain/I005466] (from client 192.168.72.254 port 50006 cli 54-04-A6-F4-84-A1)
packetfence.log:
Dec 14 17:36:30 pf::WebAPI(3493) INFO: handling radius autz request: from switch_ip => 192.168.72.254, connection_type => Ethernet-EAP mac => 54:04:a6:f4:84:a1, port => 50006, username => host/I005466.cartoons.com (pf::radius::authorize)
Dec 14 17:36:30 pf::WebAPI(3493) INFO: MAC: 54:04:a6:f4:84:a1, PID: 1, Status: reg. Returned VLAN: 800 (pf::vlan::fetchVlanForNode)
Dec 14 17:36:30 pf::WebAPI(3493) WARN: Role-based Network Access Control is not supported on network device type pf::SNMP::Cisco::Catalyst_3560. (pf::SNMP::supportsRoleBasedEnforcement)
Even though the PacketFence log says that a VLAN is returned, the Cisco doesn't get it,
and obviously the client gets disconnected because no VLAN is returned
from PacketFence to the switch.
It only happens when periodic reauthentication is enabled, because on
a "clean" authentication (computer startup) the Cisco correctly sends all
the accounting data to RADIUS and I can see it in the PF node information.
Here is some of the Cisco config:
!
!
aaa group server radius packetfence
server 192.168.72.253 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication dot1x default group packetfence
aaa authorization network default group packetfence
!
aaa session-id common
system mtu routing 1500
vtp mode transparent
authentication mac-move permit
!
!
...
!
interface FastEthernet0/6
switchport mode access
switchport voice vlan 120
ip access-group 100 in
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
priority-queue out
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 1800
mab
mls qos trust device cisco-phone
mls qos trust cos
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 3
no mdix auto
mac access-group DG in
spanning-tree portfast
service-policy input AutoQoS-Police-CiscoPhone
!
Thanks in advance!
Alex
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
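For readers following the exchange above, here is what the switch actually needs back from the RADIUS server before it will put the port into VLAN 800: an Access-Accept carrying the RFC 2868 triple Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and Tunnel-Private-Group-Id=800, with a valid Response Authenticator. This is an added example written for this page, not PacketFence or Cisco code; it encodes a constructed Access-Request mirroring the values in the logs (user host/I005466.cartoons.com, NAS-Port 50006, Calling-Station-Id 54-04-A6-F4-84-A1), builds the Accept, and shows what a decoder on the switch side would recover. The shared secret `s3cret`, the identifier 7, the all-zero-to-15 request authenticator and tag 1 on the Tunnel attributes are placeholders, and `normalize_mac` reproduces the hyphen-to-colon rewrite visible between radius.log and packetfence.log without claiming to be PacketFence's own parser.

```python
import hashlib
import re
import struct

# RADIUS codes and attribute numbers used below (RFC 2865 / RFC 2868).
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_PORT, CALLING_STATION_ID = 1, 5, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6


def normalize_mac(calling_station_id):
    """Cisco sends Calling-Station-Id as 54-04-A6-F4-84-A1; the PF log shows
    54:04:a6:f4:84:a1. Returns the colon form, or None when the value does not
    contain exactly 12 hex digits (the 'MAC address is empty or invalid' case)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", calling_station_id or "")
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def attr(attr_type, value):
    """One RADIUS attribute: Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(value)]) + value


def vlan_attributes(vlan_id, tag=1):
    """The RFC 2868 triple a Cisco switch needs for dynamic VLAN assignment.
    Tunnel-Type and Tunnel-Medium-Type carry a tag byte plus a 3-byte integer;
    Tunnel-Private-Group-Id carries a tag byte plus the VLAN ID as a string."""
    tag_byte = bytes([tag])
    return (attr(TUNNEL_TYPE, tag_byte + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + attr(TUNNEL_MEDIUM_TYPE, tag_byte + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
            + attr(TUNNEL_PRIVATE_GROUP_ID, tag_byte + str(vlan_id).encode()))


def build_access_request(ident, request_authenticator, username, nas_port, calling_station_id):
    """Minimal Access-Request as the switch (NAS) would send it."""
    attrs = (attr(USER_NAME, username.encode())
             + attr(NAS_PORT, struct.pack("!I", nas_port))
             + attr(CALLING_STATION_ID, calling_station_id.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_authenticator + attrs


def build_access_accept(request, secret, attrs):
    """Access-Accept answering `request`. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) per RFC 2865."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    response_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(request, response, secret):
    """What the switch does before trusting the reply: recompute the authenticator."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and response[4:20] == expected


def parse_attributes(packet):
    """Walk the TLV list after the 20-byte header; reject truncated attributes."""
    attrs, pos = [], 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def assigned_vlan(packet):
    """VLAN the switch would apply from an Access-Accept, or None when the
    Tunnel-* triple is missing or inconsistent (the port then gets no VLAN)."""
    found = {}
    for attr_type, value in parse_attributes(packet):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: the first byte is a tag only when it is <= 0x1F
            body = value[1:] if value and value[0] <= 0x1F else value
            found[attr_type] = body.decode(errors="replace")
    if (found.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
            or found.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE802):
        return None
    group = found.get(TUNNEL_PRIVATE_GROUP_ID, "")
    return int(group) if group.isdigit() else None


if __name__ == "__main__":
    # Constructed request mirroring the values in the logs above; the shared
    # secret and request authenticator are placeholders, not real values.
    req = build_access_request(7, bytes(range(16)), "host/I005466.cartoons.com",
                               50006, "54-04-A6-F4-84-A1")
    print(normalize_mac("54-04-A6-F4-84-A1"))                        # 54:04:a6:f4:84:a1
    good = build_access_accept(req, b"s3cret", vlan_attributes(800))
    print(verify_response(req, good, b"s3cret"), assigned_vlan(good))  # True 800
    bare = build_access_accept(req, b"s3cret", b"")  # Accept with no Tunnel-* attrs
    print(assigned_vlan(bare))                       # None
```

The `bare` case is the one to compare against a packet capture of the reauth: an Access-Accept that authenticates fine but carries no Tunnel-* triple leaves the switch with nothing to apply, so checking the reply attributes on the wire (rather than the "Returned VLAN: 800" log line) is the quickest way to tell whether the VLAN is being dropped on the PacketFence side or on the switch side.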