First: Putting the list back in CC. Please keep answering the list, not my
personal email.
Second: The device is put in VLAN 700 on the controller side? Did you already
have this setup (assigning VLAN by name to your Cisco) in the past? If so, what
was the VSA used to pass the dvz-user-11 parameter?
Derek
--
Derek Wuelfrath
[email protected] :: +1.514.447.4918 (x110) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
On 2013-08-21, at 4:01 AM, Manfred Kruse <[email protected]> wrote:
> I'm sorry for the missing information...
>
> As far as I can see, the problem is that the radius offers
> "Tunnel-Private-Group-Id:0" two times. First with VLAN 700 and the second
> with "dvz-user-11".
>
> My radius authenticates users through ldap and assigns the VLAN by name. In
> this case "dvz-user-11" will assign VLAN 120.
> Here are some configs and logs. If you need other information, please tell me
> which one.
>
> Interface config:
> interface GigabitEthernet2/1
> description Test_packetfence1
> switchport access vlan 2
> switchport mode access
> authentication host-mode multi-domain
> authentication order dot1x mab
> authentication priority dot1x mab
> authentication port-control auto
> authentication periodic
> authentication timer restart 10800
> authentication timer reauthenticate 10800
> mab
> no snmp trap link-status
> dot1x pae authenticator
> dot1x timeout quiet-period 2
> dot1x timeout tx-period 3
>
> switches.conf:
> [10.11.251.199]
> mode=production
> guestVlan=
> triggerInline=
> deauthMethod=RADIUS
> type=Cisco::Catalyst_4500
> macDetectionVlan=2
> isolationVlan=701
> radiusSecret=password
> uplink=dynamic
> registrationVlan=700
> inlineVlan=703
>
>
> packetfence-tunnel:
> server packetfence-tunnel {
>
> authorize {
> ldap
> suffix
> ntdomain
> eap {
> ok = return
> }
> files
> expiration
> logintime
> packetfence
> }
>
> authenticate {
> Auth-Type MS-CHAP {
> mschap
> }
> eap
> }
>
> session {
> radutmp
> }
>
> post-auth {
> exec
> packetfence
> Post-Auth-Type REJECT {
> attr_filter.access_reject
> }
> }
>
> pre-proxy {
> }
>
> post-proxy {
> eap
> }
> } # packetfence-tunnel server block
>
>
> Cisco Switch:
> Aug 21 10:12:06 CEST: %AUTHMGR-5-START: Starting 'dot1x' for client
> (0023.ae85.cce8) on Interface Gi2/1 AuditSessionID 0A0BFBC700000B8EE255179A
> Aug 21 10:12:07 CEST: %DOT1X-5-SUCCESS: Authentication successful for client
> (0023.ae85.cce8) on Interface Gi2/1 AuditSessionID 0A0BFBC700000B8EE255179A
> Aug 21 10:12:07 CEST: %AUTHMGR-7-RESULT: Authentication result 'success' from
> 'dot1x' for client (0023.ae85.cce8) on Interface Gi2/1 AuditSessionID
> 0A0BFBC700000B8EE255179A
> Aug 21 10:12:07 CEST: %AUTHMGR-5-VLANASSIGN: VLAN 120 assigned to Interface
> Gi2/1 AuditSessionID 0A0BFBC700000B8EE255179A
> Aug 21 10:12:08 CEST: %AUTHMGR-5-SUCCESS: Authorization succeeded for client
> (0023.ae85.cce8) on Interface Gi2/1 AuditSessionID 0A0BFBC700000B8EE255179A
> Aug 21 10:12:08 CEST: %LINK-3-UPDOWN: Interface GigabitEthernet2/1, changed
> state to up
> Aug 21 10:12:09 CEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface
> GigabitEthernet2/1, changed state to up
>
>
> packetfence.log:
> Aug 21 09:12:07 pf::WebAPI(11569) INFO: handling radius autz request: from
> switch_ip => 10.11.251.199, connection_type => Ethernet-EAP mac =>
> 00:23:ae:85:cc:e8, port => 50201, username => fhms250288
> (pf::radius::authorize)
> Aug 21 09:12:07 pf::WebAPI(11569) INFO: MAC: 00:23:ae:85:cc:e8 is of status
> unreg; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
> Aug 21 09:12:07 pf::WebAPI(11569) WARN: Role-based Network Access Control is
> not supported on network device type pf::SNMP::Cisco::Catalyst_4500.
> (pf::SNMP::supportsRoleBasedEnforcement)
>
>
> Radius log:
> rlm_perl: Returning vlan 700 to request from 00:23:ae:85:cc:e8 port 50201
> rlm_perl: PacketFence RESULT RESPONSE CODE: 2 (2 means OK)
> rlm_perl: Added pair NAS-Port-Type = Ethernet
> rlm_perl: Added pair Service-Type = Framed-User
> rlm_perl: Added pair State = 0x25b4bf4424bca58d40aa891c80b9057d
> rlm_perl: Added pair Called-Station-Id = E8-B7-48-6D-77-40
> rlm_perl: Added pair Calling-Station-Id = 00-23-AE-85-CC-E8
> rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
> rlm_perl: Added pair Cisco-AVPair = audit-session-id=0A0BFBC700000B8EE255179A
> rlm_perl: Added pair User-Name = fhms250288
> rlm_perl: Added pair EAP-Message = 0x020800061a03
> rlm_perl: Added pair NAS-Port = 50201
> rlm_perl: Added pair NAS-IP-Address = 10.11.251.199
> rlm_perl: Added pair EAP-Type = MS-CHAP-V2
> rlm_perl: Added pair Framed-MTU = 1500
> rlm_perl: Added pair NAS-Port-Id = GigabitEthernet2/1
> rlm_perl: Added pair MS-MPPE-Send-Key = 0x8e62b829d4be00146a4c4e81aad73271
> rlm_perl: Added pair MS-MPPE-Encryption-Types = 0x00000006
> rlm_perl: Added pair Tunnel-Type = 13
> rlm_perl: Added pair Tunnel-Medium-Type = 6
> rlm_perl: Added pair MS-MPPE-Encryption-Policy = 0x00000001
> rlm_perl: Added pair Message-Authenticator =
> 0x00000000000000000000000000000000
> rlm_perl: Added pair Tunnel-Private-Group-ID = 700
> rlm_perl: Added pair User-Name = fhms250288
> rlm_perl: Added pair MS-MPPE-Recv-Key = 0x17a462a2f0aff05b03c2b03032fcd564
> rlm_perl: Added pair EAP-Message = 0x03080004
> rlm_perl: Added pair Tunnel-Private-Group-Id = dvz-user-11
> rlm_perl: Added pair NT-Password =
> 0x4245434543414342453043313544374143343643303538354132393444373230
> rlm_perl: Added pair LM-Password =
> 0x4233344345353232433345344338373734313745414635304346414332394333
> rlm_perl: Added pair Password-With-Header =
> {SSHA}E36341idst8rYvurwLO3G3guGAl47tlB
> rlm_perl: Added pair Ldap-UserDn =
> uid=fhms250288,ou=people,dc=fh-muenster,dc=de
> rlm_perl: Added pair Auth-Type = EAP
> ++[packetfence] returns ok
> } # server packetfence-tunnel
> [peap] Got tunneled reply code 2
> MS-MPPE-Send-Key = 0x8e62b829d4be00146a4c4e81aad73271
> MS-MPPE-Encryption-Types = 0x00000006
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> MS-MPPE-Encryption-Policy = 0x00000001
> Message-Authenticator = 0x00000000000000000000000000000000
> Tunnel-Private-Group-Id:0 = "700"
> User-Name = "fhms250288"
> MS-MPPE-Recv-Key = 0x17a462a2f0aff05b03c2b03032fcd564
> EAP-Message = 0x03080004
> Tunnel-Private-Group-Id:0 = "dvz-user-11"
> [peap] Got tunneled reply RADIUS code 2
> MS-MPPE-Send-Key = 0x8e62b829d4be00146a4c4e81aad73271
> MS-MPPE-Encryption-Types = 0x00000006
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> MS-MPPE-Encryption-Policy = 0x00000001
> Message-Authenticator = 0x00000000000000000000000000000000
> Tunnel-Private-Group-Id:0 = "700"
> User-Name = "fhms250288"
> MS-MPPE-Recv-Key = 0x17a462a2f0aff05b03c2b03032fcd564
> EAP-Message = 0x03080004
> Tunnel-Private-Group-Id:0 = "dvz-user-11"
> [peap] Tunneled authentication was successful.
> [peap] SUCCESS
> [peap] Saving tunneled attributes for later
> ++[eap] returns handled
> } # server packetfence
> Sending Access-Challenge of id 211 to 10.11.251.199 port 1645
> EAP-Message =
> 0x0109002b19001703010020d7ead58cadb36c1522054afcf75f9fdf2aea742625ac3ad7ef65521e8310a13c
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x400b87c947029ed7a3d8631e2047bbf1
> Finished request 16.
> Going to the next request
> Waking up in 4.6 seconds.
> rad_recv: Access-Request packet from host 10.11.251.199 port 1645, id=212,
> length=252
> User-Name = "fhms250288"
> Service-Type = Framed-User
> Framed-MTU = 1500
> Called-Station-Id = "E8-B7-48-6D-77-40"
> Calling-Station-Id = "00-23-AE-85-CC-E8"
> EAP-Message =
> 0x0209002b190017030100206cd1de9ebd4e2268d0973c653e05fe89f1e022fe3a155399dc3510b9390ef53b
> Message-Authenticator = 0x5e29cb7c3146bebddc8a7ddfa1007779
> Cisco-AVPair = "audit-session-id=0A0BFBC700000B8EE255179A"
> NAS-Port-Type = Ethernet
> NAS-Port = 50201
> NAS-Port-Id = "GigabitEthernet2/1"
> State = 0x400b87c947029ed7a3d8631e2047bbf1
> NAS-IP-Address = 10.11.251.199
> server packetfence {
> # Executing section authorize from file
> /usr/local/pf/raddb//sites-enabled/packetfence
> +- entering group authorize {...}
> [suffix] No '@' in User-Name = "fhms250288", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> ++[preprocess] returns ok
> [eap] EAP packet type response id 9 length 43
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established. Decoding tunneled attributes.
> [peap] Peap state send tlv success
> [peap] Received EAP-TLV response.
> [peap] Success
> [peap] Using saved attributes from the original Access-Accept
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "700"
> User-Name = "fhms250288"
> Tunnel-Private-Group-Id:0 = "dvz-user-11"
> [eap] Freeing handler
> ++[eap] returns ok
> Login OK: [fhms250288] (from client 10.11.251.199 port 50201 cli
> 00-23-AE-85-CC-E8)
> # Executing section post-auth from file
> /usr/local/pf/raddb//sites-enabled/packetfence
> +- entering group post-auth {...}
> ++[exec] returns noop
> ++? if (!EAP-Type || (EAP-Type != 21 && EAP-Type != 25))
> ? Evaluating !(EAP-Type ) -> FALSE
> ?? Evaluating (EAP-Type != 21 ) -> TRUE
> ?? Evaluating (EAP-Type != 25) -> FALSE
> ++? if (!EAP-Type || (EAP-Type != 21 && EAP-Type != 25)) -> FALSE
> } # server packetfence
> Sending Access-Accept of id 212 to 10.11.251.199 port 1645
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "700"
> User-Name = "fhms250288"
> Tunnel-Private-Group-Id:0 = "dvz-user-11"
> MS-MPPE-Recv-Key =
> 0xc51a61abd244b11b786e44ce28da6873249f78c428013ddaa49141a1b8200cb3
> MS-MPPE-Send-Key =
> 0x67e0b005a8a668a0d04b9b00abf8a71b389a7268836d36b733db16bda718d1b1
> EAP-Message = 0x03090004
> Message-Authenticator = 0x00000000000000000000000000000000
> Finished request 17.
>
> Greetings!
> Manfred Kruse
> --
> Mr. Manfred Kruse
> Network Administrator
> Data Processing Centre
> Network Infrastructure, Network Services
> Fachhochschule Münster
> – University of Applied Sciences –
> Corrensstr. 25
> D-48149 Münster
> Phone: (49)0251 / 83 - 64942
> Fax: (49)0251 / 83 - 64910
> email: [email protected]
> www.fh-muenster.de/dvz/index.php
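The duplicated Tunnel-Private-Group-Id in the Access-Accept quoted above is easy to overlook in a long radiusd -X trace, and a NAS that receives two values with the same tag is free to pick either one (RFC 2868 only distinguishes tunnel attribute sets by tag, so two values under tag 0 are a conflict, not two alternatives). The script below is an added example, not code from the thread or from PacketFence or FreeRADIUS: it parses the "Sending Access-Accept" blocks of a debug log and reports every reply that assigns more than one VLAN under the same tag. The VLAN-name table and the sample log are constructed for the example, modelled on the values in the thread (the switch in the thread resolved the name dvz-user-11 to VLAN 120).

```python
"""Flag RADIUS Access-Accept replies that carry more than one VLAN assignment.

Reads FreeRADIUS debug output (radiusd -X style), groups the attribute lines
that follow each "Sending Access-Accept ..." header, and reports replies in
which Tunnel-Private-Group-Id appears more than once with the same tag.
"""
import re
from collections import defaultdict

# Assumed VLAN-name table standing in for the switch's own name-to-ID mapping;
# only "dvz-user-11" -> 120 is taken from the thread, the table is otherwise constructed.
VLAN_NAMES = {"dvz-user-11": 120}

# Constructed sample log, modelled on the debug output quoted in the thread
# (EAP-Message values shortened; request 213 is invented as a clean counterpart).
SAMPLE_LOG = """\
Sending Access-Challenge of id 211 to 10.11.251.199 port 1645
\tEAP-Message = 0x0109002b1900
\tState = 0x400b87c947029ed7a3d8631e2047bbf1
Finished request 16.
Sending Access-Accept of id 212 to 10.11.251.199 port 1645
\tTunnel-Type:0 = VLAN
\tTunnel-Medium-Type:0 = IEEE-802
\tTunnel-Private-Group-Id:0 = "700"
\tUser-Name = "fhms250288"
\tTunnel-Private-Group-Id:0 = "dvz-user-11"
\tEAP-Message = 0x03090004
\tMessage-Authenticator = 0x00000000000000000000000000000000
Finished request 17.
Sending Access-Accept of id 213 to 10.11.251.199 port 1645
\tTunnel-Type:0 = VLAN
\tTunnel-Medium-Type:0 = IEEE-802
\tTunnel-Private-Group-Id:0 = "700"
\tUser-Name = "someone"
Finished request 18.
"""

HEADER_RE = re.compile(
    r"^Sending (?P<code>Access-(?:Accept|Reject|Challenge)) of id (?P<id>\d+) "
    r"to (?P<nas>\S+) port \d+"
)
# radiusd indents attribute lines with a tab, but logs pasted into mail often
# lose it, so the indentation is optional here.
ATTR_RE = re.compile(r"^\s*(?P<name>[\w-]+)(?::(?P<tag>\d+))?\s*=\s*(?P<value>.+?)\s*$")


def parse_replies(text):
    """Return a list of replies, each with its code, id, NAS and (name, tag, value) attributes."""
    replies = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"code": m["code"], "id": int(m["id"]), "nas": m["nas"], "attrs": []}
            replies.append(current)
            continue
        if current is None:
            continue
        m = ATTR_RE.match(line)
        if m:
            tag = int(m["tag"]) if m["tag"] is not None else None
            current["attrs"].append((m["name"], tag, m["value"].strip('"')))
        else:
            current = None  # any line that is not an attribute ends the reply block
    return replies


def resolve_vlan(value):
    """Map a Tunnel-Private-Group-Id value to a VLAN number (None if the name is unknown)."""
    if value.isdigit():
        return int(value)
    return VLAN_NAMES.get(value)


def audit(text):
    """Return one finding per Access-Accept that assigns more than one VLAN under one tag."""
    findings = []
    for reply in parse_replies(text):
        if reply["code"] != "Access-Accept":
            continue
        by_tag = defaultdict(list)
        for name, tag, value in reply["attrs"]:
            if name == "Tunnel-Private-Group-Id":
                by_tag[tag].append(value)
        for tag, values in by_tag.items():
            if len(values) > 1:
                findings.append({
                    "id": reply["id"],
                    "nas": reply["nas"],
                    "tag": tag,
                    "values": values,
                    "vlans": [resolve_vlan(v) for v in values],
                })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"Access-Accept id {f['id']} to {f['nas']}: tag {f['tag']} carries "
              f"{len(f['values'])} VLAN assignments {f['values']} -> VLANs {f['vlans']}")
```

Run it against the output of `radiusd -X` (or feed it the saved trace) to find replies where two modules each added a VLAN; the finding lists both values and the VLANs they resolve to, which makes the 700-versus-120 conflict from the thread visible at a glance.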
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users