Hello David,
Can you check in /usr/local/pf/raddb that there is no file with rpmnew?
Regards
Fabrice
On 2014-07-20 14:40, David wrote:
I can see the difference between the initial successful request and
the failing re-authentication. There is a duplicate value passed in
the RADIUS request which must be tripping up PacketFence.
Failed:
rad_recv: Access-Request packet from host 192.168.8.76 port 1645,
id=221, length=250
User-Name = "888717fe5e33"
User-Password = "888717fe5e33"
Service-Type = Call-Check
Framed-MTU = 1500
Called-Station-Id = "00-1F-CA-87-B9-2F"
Calling-Station-Id = "88-87-17-FE-5E-33"
Message-Authenticator = 0x576988befca242c99efca217dd9f1d9d
Cisco-AVPair = "audit-session-id=AC1F084C000001590236E1F7"
NAS-Port-Type = Ethernet
NAS-Port = 50247
NAS-Port-Id = "GigabitEthernet2/0/47"
Called-Station-Id = "00-1F-CA-87-B9-2F"
Calling-Station-Id = "88-87-17-FE-5E-33"
NAS-IP-Address = 192.168.8.76
Success:
rad_recv: Access-Request packet from host 192.168.8.76 port 1645,
id=89, length=212
User-Name = "888717fe5e33"
User-Password = "888717fe5e33"
Service-Type = Call-Check
Framed-MTU = 1500
Called-Station-Id = "00-1F-CA-87-B9-2F"
Calling-Station-Id = "88-87-17-FE-5E-33"
Message-Authenticator = 0x3c2a07147f5884f32d3f0ebc5c708c40
Cisco-AVPair = "audit-session-id=AC1F084C0000015B023E8A61"
NAS-Port-Type = Ethernet
NAS-Port = 50247
NAS-Port-Id = "GigabitEthernet2/0/47"
NAS-IP-Address = 192.168.8.76
On Sun, Jul 20, 2014 at 7:05 PM, David <[email protected]> wrote:
Hey Guys,
So we have recently upgraded our Cisco IOS to Version 12.2(55)SE9
and we are using stacked Catalyst 3750E. This config was working
before, so something in this version is causing the issue. I have
also upgraded to the latest PacketFence version, 4.0.3.
It seems that when MAB kicks in for non-802.1X clients, it
authenticates fine the first time and gets the correct VLAN. The
re-authentication does not work. It seems that it can't get the
MAC address from the RADIUS attempt even though you can see the
MAC in the request.
*PacketFence.log*
Jul 20 18:59:03 httpd.webservices(9665) INFO: Unable to extract
MAC from Called-Station-Id: ARRAY(0x7f1e8c5ffab0)
(pf::radius::extractApMacFromRadiusRequest)
Jul 20 18:59:03 httpd.webservices(9665) INFO: handling radius autz
request: from switch_ip => 192.168.8.76, connection_type =>
WIRED_MAC_AUTH,switch_mac => , mac => 0, port => 10647, username
=> 888717fe5e33 (pf::radius::authorize)
Jul 20 18:59:03 httpd.webservices(9665) INFO: node 0 does not yet
exist in database. Adding it now (pf::radius::authorize)
Jul 20 18:59:04 httpd.webservices(9665) INFO: Could not find any
IP phones through discovery protocols for ifIndex 10647
(pf::Switch::getPhonesDPAtIfIndex)
Jul 20 18:59:04 httpd.webservices(9665) INFO: MAC: 0 doesn't have
a node entry; belongs into registration VLAN
(pf::vlan::getRegistrationVlan)
Jul 20 18:59:04 httpd.webservices(9665) WARN: Role-based Network
Access Control is not supported on network device type
pf::Switch::Cisco::Catalyst_3750.
(pf::Switch::supportsRoleBasedEnforcement)
Jul 20 18:59:04 httpd.webservices(9665) INFO: [192.168.8.76]
Returning ACCEPT with VLAN 900 and role
(pf::Switch::returnRadiusAccessAccept)
*Radiusd.log*
Sun Jul 20 19:03:11 2014 : Auth: Login OK: [888717fe5e33] (from
client 172.31.8.76 port 50247 cli 88-87-17-FE-5E-33)
Sun Jul 20 19:03:11 2014 : Auth: rlm_perl: Returning vlan 900 to
request from 88:87:17:fe:5e:33 port 50247
*Port Config:*
interface GigabitEthernet2/0/48
description PacketFence NAC
switchport access vlan 80
switchport mode access
switchport voice vlan 10
authentication host-mode multi-host
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer restart 10800
authentication timer reauthenticate 10800
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 3
spanning-tree portfast
end
Any help would be great.
Thanks
David
------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
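The "ARRAY(0x...)" in the PacketFence log is what a Perl hash value looks like when a RADIUS attribute arrives twice in one request and the multi-valued attribute is stored as an array reference rather than a string, which is exactly the difference between the two rad_recv dumps above. The following Python is an added illustration, not PacketFence or FreeRADIUS code: it parses attribute lines constructed from those two dumps into such a hash, lists the attributes that were duplicated (a useful thing to log before any MAC extraction), and shows an extractor that tolerates a repeated Called-Station-Id or Calling-Station-Id as long as every copy carries the same MAC. Function names are assumptions.

```python
import re

# Attribute lines constructed from the two rad_recv dumps quoted in the thread.
FAILED_REQUEST = """\
User-Name = "888717fe5e33"
Called-Station-Id = "00-1F-CA-87-B9-2F"
Calling-Station-Id = "88-87-17-FE-5E-33"
Called-Station-Id = "00-1F-CA-87-B9-2F"
Calling-Station-Id = "88-87-17-FE-5E-33"
NAS-IP-Address = 192.168.8.76
"""
GOOD_REQUEST = """\
User-Name = "888717fe5e33"
Called-Station-Id = "00-1F-CA-87-B9-2F"
Calling-Station-Id = "88-87-17-FE-5E-33"
NAS-IP-Address = 192.168.8.76
"""
ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^"]*)"?\s*$')

def parse_request(dump):
    """Attribute hash the way rlm_perl hands it over: one occurrence stays a
    string, a repeated attribute becomes a list (the ARRAY(0x...) in the log)."""
    attrs = {}
    for m in filter(None, map(ATTR_RE.match, dump.splitlines())):
        name, value = m.groups()
        if name not in attrs:
            attrs[name] = value
        elif isinstance(attrs[name], list):
            attrs[name].append(value)
        else:
            attrs[name] = [attrs[name], value]
    return attrs

def duplicated_attributes(attrs):
    """Attribute names that arrived more than once; log these before anything else."""
    return sorted(k for k, v in attrs.items() if isinstance(v, list))

def extract_mac(attrs, name):
    """MAC carried by attribute `name`, normalised to aa:bb:cc:dd:ee:ff, or None.
    A repeated attribute is accepted only if every copy holds the same MAC."""
    value = attrs.get(name)
    if value is None:
        return None
    macs = set()
    for v in value if isinstance(value, list) else [value]:
        digits = re.sub(r'[^0-9a-f]', '', v.lower())
        if len(digits) != 12:
            return None
        macs.add(':'.join(digits[i:i + 2] for i in range(0, 12, 2)))
    return macs.pop() if len(macs) == 1 else None
```

Run against the failing dump, `duplicated_attributes` names both station-id attributes while `extract_mac` still recovers the client MAC, so the switch-side duplication can be reported rather than silently turned into "mac => 0".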