I tried to fix it on my own, but I have no ideas anymore.
Anyone else?

On 21.08.2013 15:49, Derek Wuelfrath wrote:
First: Putting back the list in CC. Please keep answering the list, not my personal email.

Second: The device is put in VLAN 700 on the controller side? Did you already have this setup (assigning VLAN by name to your Cisco) in the past? If so, what was the VSA used to pass the dvz-user-11 parameter?

Derek

--
Derek Wuelfrath
[email protected] :: +1.514.447.4918 (x110) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

On 2013-08-21, at 4:01 AM, Manfred Kruse <[email protected]> wrote:

I'm sorry for the missing information...

As far as I can see, the problem is that the radius offers "Tunnel-Private-Group-Id:0" two times. First with VLAN 700 and the second with "dvz-user-11".

My radius authenticates users through ldap and assigns the VLAN by name. In this case "dvz-user-11" will assign VLAN 120. Here are some configs and logs. If you need other information, please tell me which one.

*Interface config:*
interface GigabitEthernet2/1
 description Test_packetfence1
 switchport access vlan 2
 switchport mode access
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer restart 10800
 authentication timer reauthenticate 10800
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout quiet-period 2
 dot1x timeout tx-period 3

*switches.conf:*
[10.11.251.199]
mode=production
guestVlan=
triggerInline=
deauthMethod=RADIUS
type=Cisco::Catalyst_4500
macDetectionVlan=2
isolationVlan=701
radiusSecret=password
uplink=dynamic
registrationVlan=700
inlineVlan=703


*packetfence-tunnel:*
server packetfence-tunnel {

authorize {
        ldap
        suffix
        ntdomain
        eap {
                ok = return
        }
        files
        expiration
        logintime
        packetfence
}

authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
        eap
}

session {
        radutmp
}

post-auth {
        exec
        packetfence
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}

pre-proxy {
}

post-proxy {
        eap
}
} # packetfence-tunnel server block


*Cisco Switch:*
Aug 21 10:12:06 CEST: %AUTHMGR-5-START: Starting 'dot1x' for client (0023.ae85.cce8) on Interface Gi2/1 AuditSessionID 0A0BFBC700000B8EE255179A
Aug 21 10:12:07 CEST: %DOT1X-5-SUCCESS: Authentication successful for client (0023.ae85.cce8) on Interface Gi2/1 AuditSessionID 0A0BFBC700000B8EE255179A
Aug 21 10:12:07 CEST: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0023.ae85.cce8) on Interface Gi2/1 AuditSessionID 0A0BFBC700000B8EE255179A
Aug 21 10:12:07 CEST: %AUTHMGR-5-VLANASSIGN: VLAN 120 assigned to Interface Gi2/1 AuditSessionID 0A0BFBC700000B8EE255179A
Aug 21 10:12:08 CEST: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0023.ae85.cce8) on Interface Gi2/1 AuditSessionID 0A0BFBC700000B8EE255179A
Aug 21 10:12:08 CEST: %LINK-3-UPDOWN: Interface GigabitEthernet2/1, changed state to up
Aug 21 10:12:09 CEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/1, changed state to up


*packetfence.log:*
Aug 21 09:12:07 pf::WebAPI(11569) INFO: handling radius autz request: from switch_ip => 10.11.251.199, connection_type => Ethernet-EAP mac => 00:23:ae:85:cc:e8, port => 50201, username => fhms250288 (pf::radius::authorize)
Aug 21 09:12:07 pf::WebAPI(11569) INFO: MAC: 00:23:ae:85:cc:e8 is of status unreg; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
Aug 21 09:12:07 pf::WebAPI(11569) WARN: Role-based Network Access Control is not supported on network device type pf::SNMP::Cisco::Catalyst_4500. (pf::SNMP::supportsRoleBasedEnforcement)


*Radius log:*
rlm_perl: Returning vlan 700 to request from 00:23:ae:85:cc:e8 port 50201
rlm_perl: PacketFence RESULT RESPONSE CODE: 2 (2 means OK)
rlm_perl: Added pair NAS-Port-Type = Ethernet
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair State = 0x25b4bf4424bca58d40aa891c80b9057d
rlm_perl: Added pair Called-Station-Id = E8-B7-48-6D-77-40
rlm_perl: Added pair Calling-Station-Id = 00-23-AE-85-CC-E8
rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
rlm_perl: Added pair Cisco-AVPair = audit-session-id=0A0BFBC700000B8EE255179A
rlm_perl: Added pair User-Name = fhms250288
rlm_perl: Added pair EAP-Message = 0x020800061a03
rlm_perl: Added pair NAS-Port = 50201
rlm_perl: Added pair NAS-IP-Address = 10.11.251.199
rlm_perl: Added pair EAP-Type = MS-CHAP-V2
rlm_perl: Added pair Framed-MTU = 1500
rlm_perl: Added pair NAS-Port-Id = GigabitEthernet2/1
rlm_perl: Added pair MS-MPPE-Send-Key = 0x8e62b829d4be00146a4c4e81aad73271
rlm_perl: Added pair MS-MPPE-Encryption-Types = 0x00000006
rlm_perl: Added pair Tunnel-Type = 13
rlm_perl: Added pair Tunnel-Medium-Type = 6
rlm_perl: Added pair MS-MPPE-Encryption-Policy = 0x00000001
rlm_perl: Added pair Message-Authenticator = 0x00000000000000000000000000000000
rlm_perl: Added pair Tunnel-Private-Group-ID = 700
rlm_perl: Added pair User-Name = fhms250288
rlm_perl: Added pair MS-MPPE-Recv-Key = 0x17a462a2f0aff05b03c2b03032fcd564
rlm_perl: Added pair EAP-Message = 0x03080004
rlm_perl: Added pair Tunnel-Private-Group-Id = dvz-user-11
rlm_perl: Added pair NT-Password = 0x4245434543414342453043313544374143343643303538354132393444373230
rlm_perl: Added pair LM-Password = 0x4233344345353232433345344338373734313745414635304346414332394333
rlm_perl: Added pair Password-With-Header = {SSHA}E36341idst8rYvurwLO3G3guGAl47tlB
rlm_perl: Added pair Ldap-UserDn = uid=fhms250288,ou=people,dc=fh-muenster,dc=de
rlm_perl: Added pair Auth-Type = EAP
++[packetfence] returns ok
} # server packetfence-tunnel
[peap] Got tunneled reply code 2
        MS-MPPE-Send-Key = 0x8e62b829d4be00146a4c4e81aad73271
        MS-MPPE-Encryption-Types = 0x00000006
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        MS-MPPE-Encryption-Policy = 0x00000001
        Message-Authenticator = 0x00000000000000000000000000000000
        Tunnel-Private-Group-Id:0 = "700"
        User-Name = "fhms250288"
        MS-MPPE-Recv-Key = 0x17a462a2f0aff05b03c2b03032fcd564
        EAP-Message = 0x03080004
        Tunnel-Private-Group-Id:0 = "dvz-user-11"
[peap] Got tunneled reply RADIUS code 2
        MS-MPPE-Send-Key = 0x8e62b829d4be00146a4c4e81aad73271
        MS-MPPE-Encryption-Types = 0x00000006
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        MS-MPPE-Encryption-Policy = 0x00000001
        Message-Authenticator = 0x00000000000000000000000000000000
        Tunnel-Private-Group-Id:0 = "700"
        User-Name = "fhms250288"
        MS-MPPE-Recv-Key = 0x17a462a2f0aff05b03c2b03032fcd564
        EAP-Message = 0x03080004
        Tunnel-Private-Group-Id:0 = "dvz-user-11"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] returns handled
} # server packetfence
Sending Access-Challenge of id 211 to 10.11.251.199 port 1645
        EAP-Message = 0x0109002b19001703010020d7ead58cadb36c1522054afcf75f9fdf2aea742625ac3ad7ef65521e8310a13c
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x400b87c947029ed7a3d8631e2047bbf1
Finished request 16.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 10.11.251.199 port 1645, id=212, length=252
        User-Name = "fhms250288"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "E8-B7-48-6D-77-40"
        Calling-Station-Id = "00-23-AE-85-CC-E8"
        EAP-Message = 0x0209002b190017030100206cd1de9ebd4e2268d0973c653e05fe89f1e022fe3a155399dc3510b9390ef53b
        Message-Authenticator = 0x5e29cb7c3146bebddc8a7ddfa1007779
        Cisco-AVPair = "audit-session-id=0A0BFBC700000B8EE255179A"
        NAS-Port-Type = Ethernet
        NAS-Port = 50201
        NAS-Port-Id = "GigabitEthernet2/1"
        State = 0x400b87c947029ed7a3d8631e2047bbf1
        NAS-IP-Address = 10.11.251.199
server packetfence {
# Executing section authorize from file /usr/local/pf/raddb//sites-enabled/packetfence
+- entering group authorize {...}
[suffix] No '@' in User-Name = "fhms250288", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[preprocess] returns ok
[eap] EAP packet type response id 9 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "700"
        User-Name = "fhms250288"
        Tunnel-Private-Group-Id:0 = "dvz-user-11"
[eap] Freeing handler
++[eap] returns ok
Login OK: [fhms250288] (from client 10.11.251.199 port 50201 cli 00-23-AE-85-CC-E8)
# Executing section post-auth from file /usr/local/pf/raddb//sites-enabled/packetfence
+- entering group post-auth {...}
++[exec] returns noop
++? if (!EAP-Type || (EAP-Type != 21 && EAP-Type != 25))
? Evaluating !(EAP-Type ) -> FALSE
?? Evaluating (EAP-Type != 21 ) -> TRUE
?? Evaluating (EAP-Type != 25) -> FALSE
++? if (!EAP-Type || (EAP-Type != 21 && EAP-Type != 25)) -> FALSE
} # server packetfence
Sending Access-Accept of id 212 to 10.11.251.199 port 1645
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "700"
        User-Name = "fhms250288"
        Tunnel-Private-Group-Id:0 = "dvz-user-11"
        MS-MPPE-Recv-Key = 0xc51a61abd244b11b786e44ce28da6873249f78c428013ddaa49141a1b8200cb3
        MS-MPPE-Send-Key = 0x67e0b005a8a668a0d04b9b00abf8a71b389a7268836d36b733db16bda718d1b1
        EAP-Message = 0x03090004
        Message-Authenticator = 0x00000000000000000000000000000000
Finished request 17.

Greetings!
Manfred Kruse
--
Herr Manfred Kruse
Netzwerkadministrator
Datenverarbeitungszentrale
Netzwerk-Infrastruktur, Netzwerkdienste
Fachhochschule Münster
– University of Applied Sciences –
Corrensstr. 25
D-48149 Münster
Fon: (49)0251 / 83 - 64942
Fax: (49)0251 / 83 - 64910
mail:[email protected]
www.fh-muenster.de/dvz/index.php

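An added check, not from this thread or from PacketFence, that scans FreeRADIUS debug output like the excerpt above for an Access-Accept carrying more than one Tunnel-Private-Group-Id. The sample packet is constructed from the thread's reply of id 212, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the Access-Accept from the thread, trimmed to the
# attributes that matter. Two different VLAN assignments are present.
SAMPLE_DEBUG = """\
Sending Access-Accept of id 212 to 10.11.251.199 port 1645
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "700"
        User-Name = "fhms250288"
        Tunnel-Private-Group-Id:0 = "dvz-user-11"
        EAP-Message = 0x03090004
Finished request 17.
"""

SEND_RE = re.compile(r"^Sending (Access-\w+) of id (\d+) to (\S+) port \d+")
# Indented "Name[:tag] = value" line; the value may or may not be quoted.
ATTR_RE = re.compile(r'^\s+([A-Za-z0-9-]+)(?::\d+)?\s*=\s*"?([^"]*)"?\s*$')


def parse_replies(debug_text):
    """Group the attribute lines that follow each 'Sending ...' packet.
    Names are lower-cased because FreeRADIUS treats Tunnel-Private-Group-ID
    and Tunnel-Private-Group-Id as the same attribute (both appear above)."""
    replies, current = [], None
    for line in debug_text.splitlines():
        m = SEND_RE.match(line)
        if m:
            current = {"code": m.group(1), "id": int(m.group(2)),
                       "nas": m.group(3), "attrs": defaultdict(list)}
            replies.append(current)
            continue
        if current is None:
            continue
        m = ATTR_RE.match(line)
        if m:
            current["attrs"][m.group(1).lower()].append(m.group(2))
        else:
            current = None  # a non-indented line ends the attribute list
    return replies


def find_vlan_conflicts(debug_text):
    """Return (packet id, values) for every Access-Accept that carries more
    than one distinct Tunnel-Private-Group-Id; the NAS applies only one."""
    conflicts = []
    for r in parse_replies(debug_text):
        vals = r["attrs"].get("tunnel-private-group-id", [])
        if r["code"] == "Access-Accept" and len(set(vals)) > 1:
            conflicts.append((r["id"], vals))
    return conflicts
```

Run against a full `radiusd -X` capture, it reports exactly the packets where the LDAP-supplied VLAN name and the PacketFence-supplied VLAN number were both sent, which is the case the switch resolved to VLAN 120 above.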

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users