Hi there,
I'm currently in the process of digging into Packetfence, intending
to use it as a replacement for an ancient NAC system. I'm finding,
however, that I need a bit of help. I've been poking around a bit and
I have some things working, but I'm still having trouble getting the
rest up and running. Below is, I hope, enough information for someone
to assist.
My testing environment is a fairly simple network with a single
switch (Cisco 3750G) and multiple VLANs. The packetfence box is on a
separate network, no VLANs in common. There is a firewall in between
the PF box and the switch, but I am watching logs looking for any
traffic being blocked. So far I have SNMP and RADIUS open.
I'm running Packetfence 3.6.1 on a RHEL 6.4 system, fully patched.
The deployment I'm looking for is all out-of-band, no inline 802.1x.
I have radiusd set up locally, though this may eventually be put on a
remote server. For now, I need to understand the radius configuration
to see if we can use our existing radius servers (also freeradius) or
if these should be separate. Ultimately, authentication should be
against our openLDAP servers with RADIUS merely acting as a go-between.
I've configured the 3750 according to the packetfence network devices
guide, specifically, page 19. I'm using 802.1x with MAB
(MultiDomain). Plugging a macbook into a configured port yields the
expected response of popping up the 802.1x dialog on the OS. So far,
so good. Entering a username/password, however, fails, which I
actually expected.
On the PF side, I can see the incoming transaction in the radius logs
for the username. The trouble I'm having seems to be in making
freeradius talk to openldap for the authentication. I'm not entirely
sure where to enable the ldap piece. I have modified the
raddb/modules/ldap file with the appropriate server and login
information for the ldap browser account. I've restarted radiusd and
tried to log in again. My ldap server, however, is showing no
activity from the PF box.
So I dug a bit deeper and saw the references to ldap in the
sites-enabled/default file. I uncommented those sections, restarted
radiusd, same result. No LDAP activity.
Monitoring the logs, I can see the attempts from the client, both the
802.1x user and the mac address of the client. The mac address always
results in a Login OK, which is... odd? Why is that? And the user
login always fails. Here are the relevant entries:
Tue Apr 16 14:19:45 2013 : Auth: Login incorrect: [testuser] (from
client 10.0.0.11 port 50102 cli 00-1F-F3-AB-00-CD via TLS tunnel)
Tue Apr 16 14:19:45 2013 : Auth: Login incorrect: [testuser] (from
client 10.0.0.11 port 50102 cli 00-1F-F3-AB-00-CD)
Tue Apr 16 14:20:07 2013 : Auth: Login OK: [001ff3ab00cd] (from client
10.0.0.11 port 50102 cli 00-1F-F3-AB-00-CD)
I don't see any indication in the logs that ldap is ever tried.
Can someone please fill me in on what I'm missing? I imagine I'm
missing a config option somewhere, but I'm not sure where yet. The
documentation got me this far, but it seems that LDAP is a more
advanced setup that isn't covered? Are there tutorials or other docs
somewhere that I can refer to?
Thanks,
--
---------------------------
Jason Frisvold
[email protected]
---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
-- Niven's Inverse of Clarke's Third Law
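An added triage helper, not from the original post and not part of PacketFence or FreeRADIUS: it parses "Auth:" lines of the exact shape quoted in the message above (assumed to be the FreeRADIUS 2.x log format) and separates the MAB leg, where the username is the calling station's own MAC, from the 802.1X user's inner ("via TLS tunnel") and outer legs, so a "Login OK" for the MAC is not read as a working LDAP login. The sample log is constructed from the three lines in the post.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the three "Auth:" lines quoted in the post above.
SAMPLE_LOG = """\
Tue Apr 16 14:19:45 2013 : Auth: Login incorrect: [testuser] (from client 10.0.0.11 port 50102 cli 00-1F-F3-AB-00-CD via TLS tunnel)
Tue Apr 16 14:19:45 2013 : Auth: Login incorrect: [testuser] (from client 10.0.0.11 port 50102 cli 00-1F-F3-AB-00-CD)
Tue Apr 16 14:20:07 2013 : Auth: Login OK: [001ff3ab00cd] (from client 10.0.0.11 port 50102 cli 00-1F-F3-AB-00-CD)
"""
# Assumed FreeRADIUS 2.x "Auth:" layout; the trailing "via TLS tunnel" marks the inner EAP leg.
AUTH_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect): \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+) cli (?P<cli>\S+)"
    r"(?P<tunnel> via TLS tunnel)?\)$")

@dataclass
class AuthEvent:
    ts: str
    ok: bool
    user: str
    client: str   # NAS (switch) address
    port: int     # NAS port
    cli_mac: str  # calling station MAC, normalised to 12 lowercase hex digits
    inner: bool   # True for the inner leg of a PEAP/TTLS tunnel
    is_mab: bool  # username is the calling MAC itself: a MAC-auth-bypass attempt

def norm_mac(s):
    return re.sub(r"[^0-9a-f]", "", s.lower())

def parse_auth_line(line):
    m = AUTH_RE.match(line.strip())
    if not m:
        return None
    cli = norm_mac(m["cli"])
    return AuthEvent(m["ts"], m["result"] == "OK", m["user"], m["client"], int(m["port"]),
                     cli, m["tunnel"] is not None, len(cli) == 12 and norm_mac(m["user"]) == cli)

def triage(log_text):
    """Per (NAS, port): count MAB and 802.1X outcomes separately, inner vs outer leg."""
    out = {}
    for ev in filter(None, map(parse_auth_line, log_text.splitlines())):
        c = out.setdefault((ev.client, ev.port), {"mab_ok": 0, "mab_fail": 0, "dot1x_ok": 0,
                                                  "dot1x_inner_fail": 0, "dot1x_outer_fail": 0})
        if ev.is_mab:
            c["mab_ok" if ev.ok else "mab_fail"] += 1
        elif ev.ok:
            c["dot1x_ok"] += 1
        else:
            c["dot1x_inner_fail" if ev.inner else "dot1x_outer_fail"] += 1
    return out
```

On the sample above, port 50102 shows one MAB success and an inner plus an outer 802.1X failure, which is the pattern the post describes; if the inner leg never reaches LDAP, the inner-tunnel configuration is the place to look rather than the MAB result.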
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users