OK, the plot thickens.

When I do the same debug on a Cisco 2950 switch I see the access-accept packet 
being passed back to the switch, but I see:

RADIUS: no appropriate authorization type for user.

Could it be that my users are passing authentication, but then for some reason 
failing authorization? This would explain why I'm seeing multiple dot1x bubbles 
popping up and asking for credentials, but I'm not sure why it would suddenly 
start occurring across different switches. Perhaps it is something to do with 
Packetfence/Radius after all??

Thanks to anybody that can help.

Cheers,
Andi

-----Original Message-----
From: Morris, Andi [mailto:[email protected]] 
Sent: 04 December 2013 11:15
To: '[email protected]'
Subject: Re: [PacketFence-users] dot1x being denied on wired clients

Ah I see what you're saying now. We're not using port security, just dot1x 
(unless dot1x invokes port security somehow). However, we're seeing the issue 
on several other switches, a mix of 2950 and 2960, and it all seemed to happen 
at exactly the same time, which is why I was wondering whether there was a full 
table on the core.

Cheers,
Andi

-----Original Message-----
From: Francois Gaudreault [mailto:[email protected]]
Sent: 03 December 2013 17:10
To: [email protected]
Subject: Re: [PacketFence-users] dot1x being denied on wired clients

Not on the core, on your actual 2960. If the TCAM/MAC address table still 
has space, is it possible this MAC is a secure MAC address on another port 
using port-security on the same switch?

Francois

On 12/3/2013, 11:29 AM, Morris, Andi wrote:
> Do you mean on our core switch? Running a show counters on the tcam suggests 
> that they're fine:
>
> cyhr1#sh tcam counts
>                 Used        Free        Percent Used       Reserved
>                     ----        ----        ------------       --------
>   Labels:           4         508            0
>
> ACL_TCAM
>    Masks:      16        4080            0                     0
> Entries:       49       32719            0                     0
>
> QOS_TCAM
>    Masks:      0        4096            0                     0
> Entries:      0       32768            0                     0
>
>      LOU:      0          64            0
>    ANDOR:      0          16            0
>    ORAND:      0          16            0
>      ADJ:      0        1024            0
>
> Wouldn't this also affect wireless clients if the tcam table was full?
>
> Cheers,
> Andi
>
>
> -----Original Message-----
> From: Francois Gaudreault [mailto:[email protected]]
> Sent: 26 November 2013 15:29
> To: [email protected]
> Subject: Re: [PacketFence-users] dot1x being denied on wired clients
>
> Clear the TCAM and retry.
>
> FG
>
> On 11/22/2013, 10:36 AM, Morris, Andi wrote:
>> Hi all,
>>
>> Firstly, can I apologise in advance, I don't think this is actually a 
>> packetfence issue, however other users of packetfence may have come 
>> across this and might be able to help me resolve it.
>>
>> Since yesterday we are seeing our wired devices on our packetfence 
>> controlled network being prompted for credentials each time they are 
>> plugged in/turned on/rebooted, and often the credentials are being 
>> rejected.
>>
>> Radius debug logs show that Access-Accept is being sent to the 
>> device, but the device is not ever getting onto the network.
>>
>> Enabling debug on my Cisco 2960 test switch I can see the error below:
>>
>> %DOT1X_SWITCH-5-ERR_ADDING_ADDRESS: Unable to add address
>>
>> I'm not 100% convinced that this is the same error that we're seeing 
>> on our user switches, I'm waiting for some hits on other switches 
>> I've enabled debugging on to confirm this.
>>
>> The reason I don't think that this is a packetfence/radius issue is 
>> that we're not having any issues with wireless clients.
>>
>> I don't know yet whether it is affecting just Windows users or 
>> everyone, I'm waiting for confirmation on this.
>>
>> We are not forcing devices to validate radius certificates (yet).
>>
>> Has anyone seen this before?
>>
>> Cheers,
>>
>> Andi
>>
>> -------------------------------------
>>
>> Andi Morris
>>
>> IT Security Officer
>> Cardiff Metropolitan University
>>
>> T: 02920 205720
>> E: [email protected] <mailto:[email protected]>
>>
>> --------------------------------------
>>
>>
>>
>> _______________________________________________
>> PacketFence-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
> --
> Francois Gaudreault
> Architecte de Solution Cloud | Cloud Solutions Architect 
> [email protected]
> 514-629-6775
> - - -
> CloudOps
> 420 rue Guy
> Montréal QC  H3J 1S6
> www.cloudops.com
> @CloudOps_
>
>


--
Francois Gaudreault
Architecte de Solution Cloud | Cloud Solutions Architect 
[email protected]
514-629-6775
- - -
CloudOps
420 rue Guy
Montréal QC  H3J 1S6
www.cloudops.com
@CloudOps_

