<snip>
Sending Access-Accept of id 212 to 10.11.251.199 port 1645
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "700"
User-Name = "fhms250288"
Tunnel-Private-Group-Id:0 = "dvz-user-11"
MS-MPPE-Recv-Key =
0xc51a61abd244b11b786e44ce28da6873249f78c428013ddaa49141a1b8200cb3
MS-MPPE-Send-Key =
0x67e0b005a8a668a0d04b9b00abf8a71b389a7268836d36b733db16bda718d1b1
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 17.
</snip>

Yes, I used this setup - with assigning VLAN by name - before. I used the "radius-server send authentication" command on my Cisco and added these reply items in /raddb/ldap.attrmap:

<snip>
replyItem Tunnel-Type radiusTunnelType
replyItem Tunnel-Medium-Type radiusTunnelMediumType
replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId
</snip>

Manfred

On 21.08.2013 15:49, Derek Wuelfrath wrote:
First: Putting back the list in CC. Please keep answering the list, not my personal email.

Second: The device is put in VLAN 700 on the controller side? Did you already have this setup (assigning VLAN by name to your Cisco) in the past? If so, what was the VSA used to pass the dvz-user-11 parameter?

Derek

--
Derek Wuelfrath
[email protected] :: +1.514.447.4918 (x110) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

On 2013-08-21, at 4:01 AM, Manfred Kruse <[email protected]> wrote:

I'm sorry for the missing information...

As far as I can see, the problem is that the radius offers "Tunnel-Private-Group-Id:0" two times. First with VLAN 700 and the second with "dvz-user-11".

My radius authenticates users through ldap and assigns the VLAN by name. In this case "dvz-user-11" will assign VLAN 120. Here are some configs and logs.
If you need other information, please tell me which one.

*Interface config:*

interface GigabitEthernet2/1
 description Test_packetfence1
 switchport access vlan 2
 switchport mode access
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer restart 10800
 authentication timer reauthenticate 10800
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout quiet-period 2
 dot1x timeout tx-period 3

*switches.conf:*

[10.11.251.199]
mode=production
guestVlan=
triggerInline=
deauthMethod=RADIUS
type=Cisco::Catalyst_4500
macDetectionVlan=2
isolationVlan=701
radiusSecret=password
uplink=dynamic
registrationVlan=700
inlineVlan=703

*packetfence-tunnel:*

server packetfence-tunnel {
    authorize {
        ldap
        suffix
        ntdomain
        eap {
            ok = return
        }
        files
        expiration
        logintime
        packetfence
    }
    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
    session {
        radutmp
    }
    post-auth {
        exec
        packetfence
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
    pre-proxy {
    }
    post-proxy {
        eap
    }
} # packetfence-tunnel server block

*Cisco Switch:*

Aug 21 10:12:06 CEST: %AUTHMGR-5-START: Starting 'dot1x' for client (0023.ae85.cce8) on Interface Gi2/1 AuditSessionID 0A0BFBC700000B8EE255179A
Aug 21 10:12:07 CEST: %DOT1X-5-SUCCESS: Authentication successful for client (0023.ae85.cce8) on Interface Gi2/1 AuditSessionID 0A0BFBC700000B8EE255179A
Aug 21 10:12:07 CEST: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0023.ae85.cce8) on Interface Gi2/1 AuditSessionID 0A0BFBC700000B8EE255179A
Aug 21 10:12:07 CEST: %AUTHMGR-5-VLANASSIGN: VLAN 120 assigned to Interface Gi2/1 AuditSessionID 0A0BFBC700000B8EE255179A
Aug 21 10:12:08 CEST: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0023.ae85.cce8) on Interface Gi2/1 AuditSessionID 0A0BFBC700000B8EE255179A
Aug 21 10:12:08 CEST: %LINK-3-UPDOWN: Interface GigabitEthernet2/1, changed state to up
Aug 21 10:12:09 CEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/1, changed state to up

*packetfence.log:*

Aug 21 09:12:07 pf::WebAPI(11569) INFO: handling radius autz request: from switch_ip => 10.11.251.199, connection_type => Ethernet-EAP mac => 00:23:ae:85:cc:e8, port => 50201, username => fhms250288 (pf::radius::authorize)
Aug 21 09:12:07 pf::WebAPI(11569) INFO: MAC: 00:23:ae:85:cc:e8 is of status unreg; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
Aug 21 09:12:07 pf::WebAPI(11569) WARN: Role-based Network Access Control is not supported on network device type pf::SNMP::Cisco::Catalyst_4500. (pf::SNMP::supportsRoleBasedEnforcement)

*Radius log:*

rlm_perl: Returning vlan 700 to request from 00:23:ae:85:cc:e8 port 50201
rlm_perl: PacketFence RESULT RESPONSE CODE: 2 (2 means OK)
rlm_perl: Added pair NAS-Port-Type = Ethernet
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair State = 0x25b4bf4424bca58d40aa891c80b9057d
rlm_perl: Added pair Called-Station-Id = E8-B7-48-6D-77-40
rlm_perl: Added pair Calling-Station-Id = 00-23-AE-85-CC-E8
rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
rlm_perl: Added pair Cisco-AVPair = audit-session-id=0A0BFBC700000B8EE255179A
rlm_perl: Added pair User-Name = fhms250288
rlm_perl: Added pair EAP-Message = 0x020800061a03
rlm_perl: Added pair NAS-Port = 50201
rlm_perl: Added pair NAS-IP-Address = 10.11.251.199
rlm_perl: Added pair EAP-Type = MS-CHAP-V2
rlm_perl: Added pair Framed-MTU = 1500
rlm_perl: Added pair NAS-Port-Id = GigabitEthernet2/1
rlm_perl: Added pair MS-MPPE-Send-Key = 0x8e62b829d4be00146a4c4e81aad73271
rlm_perl: Added pair MS-MPPE-Encryption-Types = 0x00000006
rlm_perl: Added pair Tunnel-Type = 13
rlm_perl: Added pair Tunnel-Medium-Type = 6
rlm_perl: Added pair MS-MPPE-Encryption-Policy = 0x00000001
rlm_perl: Added pair Message-Authenticator = 0x00000000000000000000000000000000
rlm_perl: Added pair Tunnel-Private-Group-ID = 700
rlm_perl: Added pair User-Name = fhms250288
rlm_perl: Added pair MS-MPPE-Recv-Key = 0x17a462a2f0aff05b03c2b03032fcd564
rlm_perl: Added pair EAP-Message = 0x03080004
rlm_perl: Added pair Tunnel-Private-Group-Id = dvz-user-11
rlm_perl: Added pair NT-Password = 0x4245434543414342453043313544374143343643303538354132393444373230
rlm_perl: Added pair LM-Password = 0x4233344345353232433345344338373734313745414635304346414332394333
rlm_perl: Added pair Password-With-Header = {SSHA}E36341idst8rYvurwLO3G3guGAl47tlB
rlm_perl: Added pair Ldap-UserDn = uid=fhms250288,ou=people,dc=fh-muenster,dc=de
rlm_perl: Added pair Auth-Type = EAP
++[packetfence] returns ok
} # server packetfence-tunnel
[peap] Got tunneled reply code 2
MS-MPPE-Send-Key = 0x8e62b829d4be00146a4c4e81aad73271
MS-MPPE-Encryption-Types = 0x00000006
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
MS-MPPE-Encryption-Policy = 0x00000001
Message-Authenticator = 0x00000000000000000000000000000000
Tunnel-Private-Group-Id:0 = "700"
User-Name = "fhms250288"
MS-MPPE-Recv-Key = 0x17a462a2f0aff05b03c2b03032fcd564
EAP-Message = 0x03080004
Tunnel-Private-Group-Id:0 = "dvz-user-11"
[peap] Got tunneled reply RADIUS code 2
MS-MPPE-Send-Key = 0x8e62b829d4be00146a4c4e81aad73271
MS-MPPE-Encryption-Types = 0x00000006
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
MS-MPPE-Encryption-Policy = 0x00000001
Message-Authenticator = 0x00000000000000000000000000000000
Tunnel-Private-Group-Id:0 = "700"
User-Name = "fhms250288"
MS-MPPE-Recv-Key = 0x17a462a2f0aff05b03c2b03032fcd564
EAP-Message = 0x03080004
Tunnel-Private-Group-Id:0 = "dvz-user-11"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] returns handled
} # server packetfence
Sending Access-Challenge of id 211 to 10.11.251.199 port 1645
EAP-Message = 0x0109002b19001703010020d7ead58cadb36c1522054afcf75f9fdf2aea742625ac3ad7ef65521e8310a13c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x400b87c947029ed7a3d8631e2047bbf1
Finished request 16.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 10.11.251.199 port 1645, id=212, length=252
User-Name = "fhms250288"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "E8-B7-48-6D-77-40"
Calling-Station-Id = "00-23-AE-85-CC-E8"
EAP-Message = 0x0209002b190017030100206cd1de9ebd4e2268d0973c653e05fe89f1e022fe3a155399dc3510b9390ef53b
Message-Authenticator = 0x5e29cb7c3146bebddc8a7ddfa1007779
Cisco-AVPair = "audit-session-id=0A0BFBC700000B8EE255179A"
NAS-Port-Type = Ethernet
NAS-Port = 50201
NAS-Port-Id = "GigabitEthernet2/1"
State = 0x400b87c947029ed7a3d8631e2047bbf1
NAS-IP-Address = 10.11.251.199
server packetfence {
# Executing section authorize from file /usr/local/pf/raddb//sites-enabled/packetfence
+- entering group authorize {...}
[suffix] No '@' in User-Name = "fhms250288", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[preprocess] returns ok
[eap] EAP packet type response id 9 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "700"
User-Name = "fhms250288"
Tunnel-Private-Group-Id:0 = "dvz-user-11"
[eap] Freeing handler
++[eap] returns ok
Login OK: [fhms250288] (from client 10.11.251.199 port 50201 cli 00-23-AE-85-CC-E8)
# Executing section post-auth from file /usr/local/pf/raddb//sites-enabled/packetfence
+- entering group post-auth {...}
++[exec] returns noop
++? if (!EAP-Type || (EAP-Type != 21 && EAP-Type != 25))
? Evaluating !(EAP-Type ) -> FALSE
?? Evaluating (EAP-Type != 21 ) -> TRUE
?? Evaluating (EAP-Type != 25) -> FALSE
++? if (!EAP-Type || (EAP-Type != 21 && EAP-Type != 25)) -> FALSE
} # server packetfence
Sending Access-Accept of id 212 to 10.11.251.199 port 1645
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "700"
User-Name = "fhms250288"
Tunnel-Private-Group-Id:0 = "dvz-user-11"
MS-MPPE-Recv-Key = 0xc51a61abd244b11b786e44ce28da6873249f78c428013ddaa49141a1b8200cb3
MS-MPPE-Send-Key = 0x67e0b005a8a668a0d04b9b00abf8a71b389a7268836d36b733db16bda718d1b1
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 17.

Greetings!

Manfred Kruse

--
Herr Manfred Kruse
Netzwerkadministrator
Datenverarbeitungszentrale
Netzwerk-Infrastruktur, Netzwerkdienste
Fachhochschule Münster – University of Applied Sciences –
Corrensstr. 25
D-48149 Münster
Fon: (49)0251 / 83 - 64942
Fax: (49)0251 / 83 - 64910
mail: [email protected]
www.fh-muenster.de/dvz/index.php
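The symptom Manfred describes is visible in the final Access-Accept above: PacketFence's registration VLAN ("700") and the LDAP-mapped VLAN name ("dvz-user-11") both leave FreeRADIUS as Tunnel-Private-Group-Id:0, and the Catalyst applied VLAN 120 rather than 700. The following Python is an added example, not code from the list, from PacketFence or from FreeRADIUS: it scans FreeRADIUS debug output (the `-X` format quoted in the thread) and flags any Access-Accept that carries more than one distinct Tunnel-Private-Group-Id value under the same tag, which is exactly the ambiguous reply a NAS resolves on its own. The sample input is constructed from the request-id-212 reply in the post; the regexes and the untagged-equals-tag-0 grouping are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed test input modelled on the Access-Accept for request id 212 in
# the thread (attribute lines are tab-indented, as freeradius -X prints them).
SAMPLE_DEBUG = """\
Sending Access-Accept of id 212 to 10.11.251.199 port 1645
\tTunnel-Type:0 = VLAN
\tTunnel-Medium-Type:0 = IEEE-802
\tTunnel-Private-Group-Id:0 = "700"
\tUser-Name = "fhms250288"
\tTunnel-Private-Group-Id:0 = "dvz-user-11"
\tEAP-Message = 0x03090004
\tMessage-Authenticator = 0x00000000000000000000000000000000
Finished request 17.
"""

# "Sending Access-Accept of id 212 to 10.11.251.199 port 1645"
ACCEPT_RE = re.compile(r"^Sending Access-Accept of id (\d+) to (\S+) port (\d+)")
# 'Tunnel-Private-Group-Id:0 = "700"'  ->  name, optional tag, raw value
ATTR_RE = re.compile(r"^\s*([A-Za-z0-9-]+)(?::(\d+))? = (.*)$")


def parse_access_accepts(text):
    """Collect each Access-Accept in debug output together with its reply attributes.

    Returns a list of dicts {"id": int, "nas": str, "attrs": [(name, tag, value), ...]}.
    The attribute list ends at the first line that is not "Name[:tag] = value".
    """
    accepts = []
    current = None
    for line in text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            current = {"id": int(m.group(1)), "nas": m.group(2), "attrs": []}
            accepts.append(current)
            continue
        if current is None:
            continue
        a = ATTR_RE.match(line)
        if not a:
            current = None          # e.g. "Finished request 17." closes the reply
            continue
        name, tag, value = a.group(1), a.group(2), a.group(3).strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]     # drop the quotes FreeRADIUS prints around strings
        current["attrs"].append((name, tag, value))
    return accepts


def tunnel_groups(accept):
    """Map each Tunnel-Private-Group-Id tag to the values sent under it, in order.

    Dictionaries spell the attribute both ...-Id and ...-ID, so names are compared
    case-insensitively. An untagged attribute is grouped with tag 0 (assumption:
    FreeRADIUS prints untagged tunnel attributes as ":0", as seen in the thread).
    """
    groups = defaultdict(list)
    for name, tag, value in accept["attrs"]:
        if name.lower() == "tunnel-private-group-id":
            groups[tag or "0"].append(value)
    return dict(groups)


def vlan_conflicts(accept):
    """Tags under which the accept carries more than one distinct group value."""
    return {tag: vals for tag, vals in tunnel_groups(accept).items()
            if len(set(vals)) > 1}


def report(text):
    """One finding per Access-Accept whose VLAN assignment is ambiguous."""
    findings = []
    for acc in parse_access_accepts(text):
        for tag, vals in vlan_conflicts(acc).items():
            findings.append(
                f"Access-Accept id {acc['id']} to {acc['nas']}: "
                f"Tunnel-Private-Group-Id:{tag} carries {len(vals)} values {vals}; "
                "the switch will apply only one of them")
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_DEBUG):
        print(finding)
```

Run it against a saved `radiusd -X` log instead of `SAMPLE_DEBUG` to see which Access-Accepts carry competing VLAN values; the fix on the server side is to stop one of the two sources (here the ldap.attrmap reply items and the PacketFence rlm_perl reply) from adding the attribute, which is what the rest of the thread is working out.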
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
