Hi Fabrice,

I killed the old radius process and ran the following command on the PF box.
/usr/sbin/radiusd -d /usr/local/pf/raddb/ -X

*Below is the last part of the output :*
radiusd: #### Opening IP addresses and Ports ####
listen {
        type = "auth"
        virtual_server = "packetfence"
        ipaddr = 192.168.1.5
        port = 0
}
listen {
        type = "acct"
        virtual_server = "packetfence"
        ipaddr = 192.168.1.5
        port = 0
}
listen {
        type = "control"
 listen {
        socket = "/usr/local/pf/var/run/radiusd.sock"
        mode = "rw"
 }
}
listen {
        type = "auth"
        ipaddr = 127.0.0.1
        port = 18120
}
 ... adding new socket proxy address * port 37338
Listening on authentication address 192.168.1.5 port 1812 as server packetfence
Listening on accounting address 192.168.1.5 port 1813 as server packetfence
Listening on command file /usr/local/pf/var/run/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address 192.168.1.5 port 1814
Ready to process requests.

Looks like radius is listening on 1812 so I changed the port to 1812 on the
switch. Then I unplugged/plugged the laptop and got the same output from
the switch as I posted before.

But on the PF box, I did not see any output any more. Looks like Radius did
not see any request from the switch. Why?

Regards,
Jacky



On Thu, Jun 20, 2013 at 11:07 AM, Fabrice DURAND <[email protected]> wrote:

>  Hi,
> Run radius in debug to see what happens.
>
> radius -d /usr/local/pf/raddb/ -X
>
> Regards
> Fabrice
>
> On 2013-06-20 10:58, forbmsyn wrote:
>
>  Hi,
>
>  I installed PF 4.0.1 on CentOS 6.4.  I am now testing the PF with a
> Cisco 3560 switch. I followed the Guide
> "PacketFence_Administration_Guide-4.0.1" to do the configuration on the PF
> box and the switch.  After that I plugged a notebook into the switch port
> but it failed to authorize.
>
>  *Below is the output from the switch. *
>  *Mar  1 17:06:01.131: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed
> state to up
> *Mar  1 17:06:02.138: %LINEPROTO-5-UPDOWN: Line protocol on Interface
> FastEthernet0/3, changed state to up
> *Mar  1 17:06:08.304: %AUTHMGR-5-START: Starting 'dot1x' for client
> (dc0e.a18a.d48f) on Interface Fa0/3 AuditSessionID C0A8010C0000000503AB5161
> *Mar  1 17:06:08.396: %DOT1X-5-FAIL: Authentication failed for client
> (dc0e.a18a.d48f) on Interface Fa0/3 AuditSessionID
> *Mar  1 17:06:08.396: %AUTHMGR-7-RESULT: Authentication result
> 'no-response' from 'dot1x' for client (dc0e.a18a.d48f) on Interface Fa0/3
> AuditSessionID C0A8010C0000000503AB5161
> *Mar  1 17:06:08.396: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for
> client (dc0e.a18a.d48f) on Interface Fa0/3 AuditSessionID
> C0A8010C0000000503AB5161
> *Mar  1 17:06:08.396: %AUTHMGR-5-START: Starting 'mab' for client
> (dc0e.a18a.d48f) on Interface Fa0/3 AuditSessionID C0A8010C0000000503AB5161
> *Mar  1 17:06:08.396: %MAB-5-FAIL: Authentication failed for client
> (dc0e.a18a.d48f) on Interface Fa0/3 AuditSessionID C0A8010C0000000503AB5161
> *Mar  1 17:06:08.396: %AUTHMGR-7-RESULT: Authentication result 'server
> dead' from 'mab' for client (dc0e.a18a.d48f) on Interface Fa0/3
> AuditSessionID C0A8010C0000000503AB5161
> *Mar  1 17:06:08.396: %AUTHMGR-5-FAIL: Authorization failed for client
> (dc0e.a18a.d48f) on Interface Fa0/3 AuditSessionID C0A8010C0000000503AB5161
>
>
>
>  *Below is the configuration of the switch:*
>  Building configuration...
>
>  Current configuration : 6184 bytes
> !
> version 12.2
> no service pad
> service timestamps debug datetime msec
> service timestamps log datetime msec
> service password-encryption
> !
> hostname pfsw1
> !
> boot-start-marker
> boot-end-marker
> !
> enable secret 5 $1$C350$YhFHNRVPjyV5wfZO5wPW3/
> !
> username admin password 7 1218011A1B05
> !
> !
> aaa new-model
> !
> !
>  aaa group server radius packtfence
>  server 192.168.1.5 auth-port 18120 acct-port 1813
> !
> aaa authentication login default local
> aaa authentication dot1x default group packetfence
> aaa authorization network default group packetfence
> !
> !
> !
> aaa session-id common
> system mtu routing 1500
> !
> !
> !
> !
> crypto pki trustpoint TP-self-signed-2374957568
>  enrollment selfsigned
>  subject-name cn=IOS-Self-Signed-Certificate-2374957568
>  revocation-check none
>  rsakeypair TP-self-signed-2374957568
> !
> !
> crypto pki certificate chain TP-self-signed-2374957568
>  certificate self-signed 01
>   quit
> dot1x system-auth-control
> !
> !
> !
> spanning-tree mode pvst
> spanning-tree extend system-id
> !
> vlan internal allocation policy ascending
> !
> !
> !
> interface FastEthernet0/1
>  switchport access vlan 4
>  switchport mode access
>  switchport voice vlan 100
>  switchport port-security maximum 1 vlan access
>   switchport port-security
>  switchport port-security violation restrict
>  switchport port-security mac-address 0200.0001.0001 vlan access
>  authentication host-mode multi-domain
>  authentication order dot1x mab
>  authentication priority dot1x mab
>  authentication port-control auto
>  authentication periodic
>  authentication timer restart 10800
>  authentication timer reauthenticate 10800
>  mab
>  no snmp trap link-status
>  dot1x pae authenticator
>  dot1x timeout quiet-period 2
>  dot1x timeout tx-period 3
>  spanning-tree portfast
> !
> interface FastEthernet0/2
>  switchport access vlan 4
>  switchport mode access
>  switchport voice vlan 100
>  switchport port-security maximum 1 vlan access
>  switchport port-security
>  switchport port-security violation restrict
>  switchport port-security mac-address 0200.0001.0002 vlan access
>  authentication host-mode multi-domain
>  authentication order dot1x mab
>  authentication priority dot1x mab
>  authentication port-control auto
>  authentication periodic
>  authentication timer restart 10800
>  authentication timer reauthenticate 10800
>  mab
>  no snmp trap link-status
>  dot1x pae authenticator
>  dot1x timeout quiet-period 2
>  dot1x timeout tx-period 3
>  spanning-tree portfast
> !
> interface FastEthernet0/3
>  switchport access vlan 4
>  switchport mode access
>  switchport voice vlan 100
>  switchport port-security maximum 1 vlan access
>  switchport port-security violation restrict
>  switchport port-security mac-address 0200.0001.0003 vlan access
>  authentication host-mode multi-domain
>  authentication order dot1x mab
>  authentication priority dot1x mab
>  authentication port-control auto
>   authentication periodic
>  authentication timer restart 10800
>  authentication timer reauthenticate 10800
>   mab
>  no snmp trap link-status
>  dot1x pae authenticator
>  dot1x timeout quiet-period 2
>  dot1x timeout tx-period 3
>  spanning-tree portfast
> !
> interface FastEthernet0/4
>  switchport access vlan 4
>  switchport mode access
>  switchport voice vlan 100
>  switchport port-security maximum 1 vlan access
>  switchport port-security
>  switchport port-security violation restrict
>  switchport port-security mac-address 0200.0001.0004 vlan access
>  authentication host-mode multi-domain
>  authentication order dot1x mab
>  authentication priority dot1x mab
>  authentication port-control auto
>  authentication periodic
>  authentication timer restart 10800
>  authentication timer reauthenticate 10800
>  mab
>  no snmp trap link-status
>  dot1x pae authenticator
>  dot1x timeout quiet-period 2
>  dot1x timeout tx-period 3
>  spanning-tree portfast
> !
> interface FastEthernet0/5
> !
> interface FastEthernet0/6
> !
> interface FastEthernet0/7
> !
> interface FastEthernet0/8
> !
> interface FastEthernet0/9
> !
> interface FastEthernet0/10
> !
> interface FastEthernet0/11
> !
> interface FastEthernet0/12
> !
> interface FastEthernet0/13
> !
> interface FastEthernet0/14
> !
> interface FastEthernet0/15
> !
> interface FastEthernet0/16
> !
> interface FastEthernet0/17
> !
> interface FastEthernet0/18
> !
> interface FastEthernet0/19
> !
> interface FastEthernet0/20
> !
> interface FastEthernet0/21
> !
> interface FastEthernet0/22
> !
> interface FastEthernet0/23
> !
> interface FastEthernet0/24
>  switchport trunk encapsulation dot1q
>  switchport mode trunk
> !
> interface GigabitEthernet0/1
> !
> interface GigabitEthernet0/2
> !
> interface Vlan1
>  ip address 192.168.1.12 255.255.255.0
> !
> ip classless
> ip http server
> ip http secure-server
> !
> ip sla enable reaction-alerts
> snmp-server enable traps port-security
> snmp-server enable traps port-security trap-rate 1
> snmp-server host 192.168.1.5 public  port-security
> radius-server host 192.168.1.5 auth-port 18120 acct-port 1813 timeout 2
> key 7 15071809373E392B26343030200215110442
> radius-server vsa send authentication
> !
> !
> line con 0
> line vty 5 15
> !
> end
>
>
>  *Radius is listening on port 18120 so I configured 18120 on the switch. *
> [root@qlpfp logs]# netstat -a | grep 1812
>  udp        0      0 localhost:18120             *:*
> [root@qlpfp logs]#
>
>
>
>  *I can ping the IP 192.168.1.5 of PF from the switch.  *
>
>  Can anyone please let me know what else I need to do to get it working?
>  Thank you!
>
>  Regards,
> Jacky
>
>
>
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
>
> --
> Fabrice [email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
> (http://packetfence.org)
>
>
>
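Added example, not part of the original thread: a small cross-check of the switch's RADIUS settings against the listeners that `radiusd -X` reports, so that a port served only on loopback or an AAA method list naming an undefined server group shows up before any testing on the port. The sample inputs are constructed from lines quoted in this thread; the function names are hypothetical.

```python
import re

# Constructed sample inputs: lines taken from the radiusd -X output and the
# switch configuration quoted in this thread.
RADIUSD_DEBUG = """\
Listening on authentication address 192.168.1.5 port 1812 as server packetfence
Listening on accounting address 192.168.1.5 port 1813 as server packetfence
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
"""
SWITCH_CONFIG = """\
aaa group server radius packtfence
 server 192.168.1.5 auth-port 18120 acct-port 1813
aaa authentication dot1x default group packetfence
aaa authorization network default group packetfence
radius-server host 192.168.1.5 auth-port 18120 acct-port 1813 timeout 2
"""
BUILTIN_GROUPS = {"radius", "tacacs+"}  # IOS groups that need no definition

def parse_listeners(debug_text):
    """Return a set of (kind, ip, port) from 'Listening on' lines."""
    pat = re.compile(
        r"Listening on (authentication|accounting) address (\S+) port (\d+)")
    return {(k, ip, int(p)) for k, ip, p in pat.findall(debug_text)}

def reachable(listeners, kind, ip, port):
    """True if radiusd listens for `kind` on ip:port or on the wildcard."""
    return (kind, ip, port) in listeners or (kind, "*", port) in listeners

def check_switch(config_text, listeners):
    """Return findings for ports or group names that cannot work."""
    findings = []
    defined = set(re.findall(r"^aaa group server radius (\S+)", config_text, re.M))
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.search(r"(?:radius-server host|server) (\S+) auth-port (\d+) acct-port (\d+)", line)
        if m:
            ip = m.group(1)
            for kind, port in (("authentication", int(m.group(2))),
                               ("accounting", int(m.group(3)))):
                if not reachable(listeners, kind, ip, port):
                    findings.append(f"{line}: no {kind} listener on {ip}:{port}")
        m = re.match(r"aaa (?:authentication|authorization) .* group (\S+)", line)
        if m and m.group(1) not in defined | BUILTIN_GROUPS:
            findings.append(f"{line}: server group {m.group(1)!r} is not defined")
    return findings

if __name__ == "__main__":
    for finding in check_switch(SWITCH_CONFIG, parse_listeners(RADIUSD_DEBUG)):
        print(finding)
```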