Looks like (based on the FreeRADIUS debug output) that your switch is unable to 
communicate with the PacketFence server…

If it was, you'd see at least an entry in the debug output...

Cheers!
dw.

--
[email protected] :: +1.514.447.4918 (x110) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)

On 2013-06-20, at 11:30 AM, forbmsyn <[email protected]> wrote:

> Hi Fabrice,
> 
> I killed the old radius process and ran the following command on the PF box.
> /usr/sbin/radiusd -d /usr/local/pf/raddb/ -X
> 
> Below is the last part of the output :
> radiusd: #### Opening IP addresses and Ports ####
> listen {
>         type = "auth"
>         virtual_server = "packetfence"
>         ipaddr = 192.168.1.5
>         port = 0
> }
> listen {
>         type = "acct"
>         virtual_server = "packetfence"
>         ipaddr = 192.168.1.5
>         port = 0
> }
> listen {
>         type = "control"
>  listen {
>         socket = "/usr/local/pf/var/run/radiusd.sock"
>         mode = "rw"
>  }
> }
> listen {
>         type = "auth"
>         ipaddr = 127.0.0.1
>         port = 18120
> }
>  ... adding new socket proxy address * port 37338
> Listening on authentication address 192.168.1.5 port 1812 as server 
> packetfence
> Listening on accounting address 192.168.1.5 port 1813 as server packetfence
> Listening on command file /usr/local/pf/var/run/radiusd.sock
> Listening on authentication address 127.0.0.1 port 18120 as server 
> inner-tunnel
> Listening on proxy address 192.168.1.5 port 1814
> Ready to process requests.
> 
> Looks like radius is listening on 1812 so I changed the port to 1812 on the 
> switch. Then I unplugged/plugged the laptop and got the same output from the 
> switch as I posted before.
> 
> But on the PF box, I did not see any output any more. Looks like Radius did 
> not see any request from the switch. Why?
> 
> Regards,
> Jacky
> 
> 
> 
> On Thu, Jun 20, 2013 at 11:07 AM, Fabrice DURAND <[email protected]> wrote:
> Hi,
> Run radius in debug to see what happens.
> 
> radiusd -d /usr/local/pf/raddb/ -X
> 
> Regards
> Fabrice
> 
> On 2013-06-20 10:58, forbmsyn wrote:
>> Hi,
>> 
>> I installed PF 4.0.1 on CentOS 6.4.  I am now testing the PF with a Cisco 
>> 3560 switch. I followed the Guide "PacketFence_Administration_Guide-4.0.1" 
>> to do the configuration on the PF box and the switch.  After that I plugged 
>> a notebook into the switch port but it failed to authorize.  
>> 
>> Below is the output from the switch. 
>> *Mar  1 17:06:01.131: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed 
>> state to up
>> *Mar  1 17:06:02.138: %LINEPROTO-5-UPDOWN: Line protocol on Interface 
>> FastEthernet0/3, changed state to up
>> *Mar  1 17:06:08.304: %AUTHMGR-5-START: Starting 'dot1x' for client 
>> (dc0e.a18a.d48f) on Interface Fa0/3 AuditSessionID C0A8010C0000000503AB5161
>> *Mar  1 17:06:08.396: %DOT1X-5-FAIL: Authentication failed for client 
>> (dc0e.a18a.d48f) on Interface Fa0/3 AuditSessionID
>> *Mar  1 17:06:08.396: %AUTHMGR-7-RESULT: Authentication result 'no-response' 
>> from 'dot1x' for client (dc0e.a18a.d48f) on Interface Fa0/3 AuditSessionID 
>> C0A8010C0000000503AB5161
>> *Mar  1 17:06:08.396: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for 
>> client (dc0e.a18a.d48f) on Interface Fa0/3 AuditSessionID 
>> C0A8010C0000000503AB5161
>> *Mar  1 17:06:08.396: %AUTHMGR-5-START: Starting 'mab' for client 
>> (dc0e.a18a.d48f) on Interface Fa0/3 AuditSessionID C0A8010C0000000503AB5161
>> *Mar  1 17:06:08.396: %MAB-5-FAIL: Authentication failed for client 
>> (dc0e.a18a.d48f) on Interface Fa0/3 AuditSessionID C0A8010C0000000503AB5161
>> *Mar  1 17:06:08.396: %AUTHMGR-7-RESULT: Authentication result 'server dead' 
>> from 'mab' for client (dc0e.a18a.d48f) on Interface Fa0/3 AuditSessionID 
>> C0A8010C0000000503AB5161
>> *Mar  1 17:06:08.396: %AUTHMGR-5-FAIL: Authorization failed for client 
>> (dc0e.a18a.d48f) on Interface Fa0/3 AuditSessionID C0A8010C0000000503AB5161
>> 
>> 
>> 
>> Below is the configuration of the switch:
>> Building configuration...
>> 
>> Current configuration : 6184 bytes
>> !
>> version 12.2
>> no service pad
>> service timestamps debug datetime msec
>> service timestamps log datetime msec
>> service password-encryption
>> !
>> hostname pfsw1
>> !
>> boot-start-marker
>> boot-end-marker
>> !
>> enable secret 5 $1$C350$YhFHNRVPjyV5wfZO5wPW3/
>> !
>> username admin password 7 1218011A1B05
>> !
>> !
>> aaa new-model
>> !
>> !
>> aaa group server radius packtfence
>>  server 192.168.1.5 auth-port 18120 acct-port 1813
>> !
>> aaa authentication login default local
>> aaa authentication dot1x default group packetfence
>> aaa authorization network default group packetfence
>> !
>> !
>> !
>> aaa session-id common
>> system mtu routing 1500
>> !
>> !
>> !
>> !
>> crypto pki trustpoint TP-self-signed-2374957568
>>  enrollment selfsigned
>>  subject-name cn=IOS-Self-Signed-Certificate-2374957568
>>  revocation-check none
>>  rsakeypair TP-self-signed-2374957568
>> !
>> !
>> crypto pki certificate chain TP-self-signed-2374957568
>>  certificate self-signed 01
>>   quit
>> dot1x system-auth-control
>> !
>> !
>> !
>> spanning-tree mode pvst
>> spanning-tree extend system-id
>> !
>> vlan internal allocation policy ascending
>> !
>> !
>> !
>> interface FastEthernet0/1
>>  switchport access vlan 4
>>  switchport mode access
>>  switchport voice vlan 100
>>  switchport port-security maximum 1 vlan access
>>  switchport port-security
>>  switchport port-security violation restrict
>>  switchport port-security mac-address 0200.0001.0001 vlan access
>>  authentication host-mode multi-domain
>>  authentication order dot1x mab
>>  authentication priority dot1x mab
>>  authentication port-control auto
>>  authentication periodic
>>  authentication timer restart 10800
>>  authentication timer reauthenticate 10800
>>  mab
>>  no snmp trap link-status
>>  dot1x pae authenticator
>>  dot1x timeout quiet-period 2
>>  dot1x timeout tx-period 3
>>  spanning-tree portfast
>> !
>> interface FastEthernet0/2
>>  switchport access vlan 4
>>  switchport mode access
>>  switchport voice vlan 100
>>  switchport port-security maximum 1 vlan access
>>  switchport port-security
>>  switchport port-security violation restrict
>>  switchport port-security mac-address 0200.0001.0002 vlan access
>>  authentication host-mode multi-domain
>>  authentication order dot1x mab
>>  authentication priority dot1x mab
>>  authentication port-control auto
>>  authentication periodic
>>  authentication timer restart 10800
>>  authentication timer reauthenticate 10800
>>  mab
>>  no snmp trap link-status
>>  dot1x pae authenticator
>>  dot1x timeout quiet-period 2
>>  dot1x timeout tx-period 3
>>  spanning-tree portfast
>> !
>> interface FastEthernet0/3
>>  switchport access vlan 4
>>  switchport mode access
>>  switchport voice vlan 100
>>  switchport port-security maximum 1 vlan access
>>  switchport port-security violation restrict
>>  switchport port-security mac-address 0200.0001.0003 vlan access
>>  authentication host-mode multi-domain
>>  authentication order dot1x mab
>>  authentication priority dot1x mab
>>  authentication port-control auto
>>  authentication periodic
>>  authentication timer restart 10800
>>  authentication timer reauthenticate 10800
>>  mab
>>  no snmp trap link-status
>>  dot1x pae authenticator
>>  dot1x timeout quiet-period 2
>>  dot1x timeout tx-period 3
>>  spanning-tree portfast
>> !
>> interface FastEthernet0/4
>>  switchport access vlan 4
>>  switchport mode access
>>  switchport voice vlan 100
>>  switchport port-security maximum 1 vlan access
>>  switchport port-security
>>  switchport port-security violation restrict
>>  switchport port-security mac-address 0200.0001.0004 vlan access
>>  authentication host-mode multi-domain
>>  authentication order dot1x mab
>>  authentication priority dot1x mab
>>  authentication port-control auto
>>  authentication periodic
>>  authentication timer restart 10800
>>  authentication timer reauthenticate 10800
>>  mab
>>  no snmp trap link-status
>>  dot1x pae authenticator
>>  dot1x timeout quiet-period 2
>>  dot1x timeout tx-period 3
>>  spanning-tree portfast
>> !
>> interface FastEthernet0/5
>> !
>> interface FastEthernet0/6
>> !
>> interface FastEthernet0/7
>> !
>> interface FastEthernet0/8
>> !
>> interface FastEthernet0/9
>> !
>> interface FastEthernet0/10
>> !
>> interface FastEthernet0/11
>> !
>> interface FastEthernet0/12
>> !
>> interface FastEthernet0/13
>> !
>> interface FastEthernet0/14
>> !
>> interface FastEthernet0/15
>> !
>> interface FastEthernet0/16
>> !
>> interface FastEthernet0/17
>> !
>> interface FastEthernet0/18
>> !
>> interface FastEthernet0/19
>> !
>> interface FastEthernet0/20
>> !
>> interface FastEthernet0/21
>> !
>> interface FastEthernet0/22
>> !
>> interface FastEthernet0/23
>> !
>> interface FastEthernet0/24
>>  switchport trunk encapsulation dot1q
>>  switchport mode trunk
>> !
>> interface GigabitEthernet0/1
>> !
>> interface GigabitEthernet0/2
>> !
>> interface Vlan1
>>  ip address 192.168.1.12 255.255.255.0
>> !
>> ip classless
>> ip http server
>> ip http secure-server
>> !
>> ip sla enable reaction-alerts
>> snmp-server enable traps port-security
>> snmp-server enable traps port-security trap-rate 1
>> snmp-server host 192.168.1.5 public  port-security
>> radius-server host 192.168.1.5 auth-port 18120 acct-port 1813 timeout 2 key 
>> 7 15071809373E392B26343030200215110442
>> radius-server vsa send authentication
>> !
>> !
>> line con 0
>> line vty 5 15
>> !
>> end
>> 
>> 
>> Radius is listening on port 18120 so I configured 18120 on the switch. 
>> [root@qlpfp logs]# netstat -a | grep 1812
>> udp        0      0 localhost:18120             *:*
>> [root@qlpfp logs]#
>> 
>> 
>> 
>> I can ping the IP 192.168.1.5 of PF from the switch.  
>> 
>> Can anyone please let me know what else I need to do to get it working?  
>> Thank you!
>> 
>> Regards,
>> Jacky
>> 
>> 
>> 
>> 
>> _______________________________________________
>> PacketFence-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
> 
> 
> -- 
> Fabrice Durand
> [email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
> (http://packetfence.org) 
> 

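An added example, not part of the original thread or of PacketFence: a small Python check that compares the switch's radius-server line against the "Listening on" lines from radiusd -X and reports when the configured port is only bound to loopback, as 18120 is here. The sample input is constructed from lines quoted above (the switch line is abridged before its key), and the function names and result labels are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample input, taken from the output quoted in this thread.
RADIUSD_DEBUG = """\
Listening on authentication address 192.168.1.5 port 1812 as server packetfence
Listening on accounting address 192.168.1.5 port 1813 as server packetfence
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
"""
# Abridged: the trailing "key 7 ..." part of the line is left out.
SWITCH_LINE = "radius-server host 192.168.1.5 auth-port 18120 acct-port 1813 timeout 2"

LISTEN_RE = re.compile(r"Listening on (authentication|accounting) address (\S+) port (\d+)")
HOST_RE = re.compile(r"radius-server host (\S+) auth-port (\d+) acct-port (\d+)")


def parse_listeners(debug_text):
    """Map (kind, port) to the list of addresses radiusd bound for it."""
    listeners = {}
    for kind, addr, port in LISTEN_RE.findall(debug_text):
        listeners.setdefault((kind, int(port)), []).append(addr)
    return listeners


def check_switch(switch_line, debug_text):
    """Return (kind, port, status) for the switch's auth and acct ports."""
    m = HOST_RE.search(switch_line)
    if not m:
        raise ValueError("no radius-server host line found")
    server, auth_port, acct_port = m.group(1), int(m.group(2)), int(m.group(3))
    listeners = parse_listeners(debug_text)
    findings = []
    for kind, port in (("authentication", auth_port), ("accounting", acct_port)):
        addrs = listeners.get((kind, port), [])
        if server in addrs or "*" in addrs:
            status = "ok"  # bound on the address the switch sends to
        elif any(ipaddress.ip_address(a).is_loopback for a in addrs):
            status = "loopback-only"  # unreachable from the network
        else:
            status = "not-listening"
        findings.append((kind, port, status))
    return findings


if __name__ == "__main__":
    for kind, port, status in check_switch(SWITCH_LINE, RADIUSD_DEBUG):
        print(f"{kind} port {port}: {status}")
```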