Here is some additional code:

*CISCO ASA:*
ASA-LAB/pri/act(config)# sh run aaa-server PACKETFENCE
aaa-server PACKETFENCE protocol radius
aaa-server PACKETFENCE (inside) host 10.129.187.216
 key *****
 authentication-port 1812
 accounting-port 1813

*LOG CISCO ASA:*
ASA-LAB/pri/act(config)# test aaa-server authentication PACKETFENCE
USername t$
Server IP Address or name: 10.129.187.216
INFO: Attempting Authentication test to IP address <10.129.187.216>
(timeout: 12 seconds)
radius mkreq: 0x80000043
alloc_rip 0xcc683d08
    new request 0x80000043 --> 227 (0xcc683d08)
got user 'test'
got password
add_req 0xcc683d08 session 0x80000043 id 227
RADIUS_REQUEST
radius.c: rad_mkpkt

*RADIUS packet decode (authentication request)*

--------------------------------------
Raw packet data (length = 62).....
01 e3 00 3e 61 8e 8e ba f9 47 db d5 c2 ed f0 15    |  ...>a....G......
71 c2 cf b7 01 06 74 65 73 74 02 12 14 92 60 4d    |  q.....test....`M
2b 39 34 c0 33 f0 11 ed a8 ca 61 af 04 06 0a 81    |  +94.3.....a.....
bb 03 05 06 00 00 01 0a 3d 06 00 00 00 05          |  ........=.....

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 227 (0xE3)
Radius: Length = 62 (0x003E)
Radius: Vector: 618E8EBAF947DBD5C2EDF01571C2CFB7
Radius: Type = 1 (0x01) User-Name
Radius: Length = 6 (0x06)
Radius: Value (String) =
74 65 73 74                                        |  test
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
14 92 60 4d 2b 39 34 c0 33 f0 11 ed a8 ca 61 af    |  ..`M+94.3.....a.
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.129.187.3 (0x0A81BB03)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x10A
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt 10.129.187.216/1812
rip 0xcc683d08 state 7 id 227
rad_vrfy() : response message verified
rip 0xcc683d08
 : chall_state ''
 : state 0x7
 : reqauth:
     61 8e 8e ba f9 47 db d5 c2 ed f0 15 71 c2 cf b7
 : info 0xcc683e40
     session_id 0x80000043
     request_id 0xe3
     user 'test'
     response '***'
     app 0
     reason 0
     skey 'cisco'
     sip 10.129.187.216
     type 1

*RADIUS packet decode (response)*

--------------------------------------
Raw packet data (length = 20).....
03 e3 00 14 7e 58 89 e0 be 69 a1 76 6c de 19 24    |  ....~X...i.vl..$
56 bf 24 8b                                        |  V.$.

Parsed packet data.....
Radius: Code = 3 (0x03)
Radius: Identifier = 227 (0xE3)
Radius: Length = 20 (0x0014)
Radius: Vector: 7E5889E0BE69A1766CDE192456BF248B
rad_procpkt: REJECT
RADIUS_DELETE
remove_req 0xcc683d08 session 0x80000043 id 227
free_rip 0xcc683d08
radius: send queue empty
*ERROR: Authentication Rejected: AAA failure*

*PACKETFENCE:*

[10.129.187.3]
RoleMap=N
mode=production
VlanMap=N
AccessListMap=N
description=ASA
*type=Cisco::Catalyst_3560   --> invented... because Cisco ASA doesn't exist.*
VoIPEnabled=N
radiusSecret=cisco
deauthMethod=RADIUS


*LOG PACKETFENCE:*
Tue Nov 11 05:47:40 2014 : Info: Ready to process requests.
Tue Nov 11 05:48:13 2014 : Auth: Login OK: [test] (from client 10.129.187.3
port 266)
Tue Nov 11 05:48:13 2014 : Info: rlm_perl: MAC address is empty or invalid
in this request. It could be normal on certain radius calls



If you need some other information, let me know.

regards

Matteo

2014-11-10 18:31 GMT+01:00 Matteo Pidalà <matteo.pid...@gmail.com>:

> Hello everybody.
> I have used PacketFence a lot with registration and isolation VLANs (NAC,
> dot1x, etc.) in big network environments, with great satisfaction.
>
> Now, for another project, I need to install a PacketFence environment
> (the already prepared OVM image) for a "simple" scenario.
> PacketFence, in fact, should work as a "RADIUS service" with accounting for
> user authentication sent by a Cisco ASA.
>
> The summarized scenario is:
> - Cisco ASA --> Cut-Through --> with an aaa-server radius configured, pointed
> to PacketFence
> - PacketFence manages the authentication and statistics for RADIUS users
> created statically.
> - I don't want to use a project like "daloradius" or something like this...
> For me PacketFence is really better, even without the NAC implementation... ;-)
>
> Now... I don't know precisely how to build this environment, in
> particular:
> - Can I create the users directly from the static users menu, with the
> attributes for expiration date, simultaneous login limit, etc.?
> - and the most important thing, which I didn't find... In which way can I
> configure the "NAS" system to allow PacketFence to speak with my
> ASA?
>
>
> I will forward some script configuration (maybe useful also for other
> users, there is not so much on the internet for now), but for now I just need
> some feedback and information from you.
>
>
> Many regards in advance
>
> Matteo
>
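As an added example (not code from the thread, the ASA or PacketFence), the two packets dumped in the ASA debug above decoded in Python, with the Access-Reject's Response Authenticator checked against the shared secret "cisco" from the PacketFence switch entry; the raw bytes, attribute numbers and the secret are all taken from the post.

```python
import hashlib
import struct
from ipaddress import IPv4Address

# Raw bytes copied from the ASA "Raw packet data" dumps in the post.
ACCESS_REQUEST = bytes.fromhex(
    "01e3003e618e8ebaf947dbd5c2edf01571c2cfb7"
    "01067465737402121492604d2b3934c033f011eda8ca61af"
    "04060a81bb0305060000010a3d0600000005")
ACCESS_REJECT = bytes.fromhex("03e300147e5889e0be69a1766cde192456bf248b")
SECRET = b"cisco"  # radiusSecret=cisco in the PacketFence switch config

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 61: "NAS-Port-Type"}

def parse_radius(pkt):
    """Return (code name, identifier, authenticator, attrs) per RFC 2865."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("length field does not match packet size")
    authenticator = pkt[4:20]
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:  # reject truncated/overlong TLVs
            raise ValueError("malformed attribute at offset %d" % pos)
        val = pkt[pos + 2:pos + alen]
        name = ATTR_NAMES.get(atype, "Attr-%d" % atype)
        if atype == 1:
            attrs[name] = val.decode("ascii")
        elif atype == 4:
            attrs[name] = str(IPv4Address(val))
        elif atype in (5, 61):
            attrs[name] = struct.unpack("!I", val)[0]
        else:
            attrs[name] = val  # User-Password kept opaque (PAP-obfuscated)
        pos += alen
    return CODES.get(code, code), ident, authenticator, attrs

def verify_response(response, request_authenticator, secret):
    """ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    expected = hashlib.md5(response[:4] + request_authenticator +
                           response[20:] + secret).digest()
    return expected == response[4:20]

if __name__ == "__main__":
    req_code, req_id, req_auth, req_attrs = parse_radius(ACCESS_REQUEST)
    rej_code, rej_id, _, _ = parse_radius(ACCESS_REJECT)
    print(req_code, req_id, req_attrs)
    print(rej_code, rej_id, "verified:", verify_response(ACCESS_REJECT, req_auth, SECRET))
```

The decoded NAS-Port (0x10A = 266) matches "port 266" in the PacketFence log, so the request PacketFence logged as "Login OK" is the same one the ASA saw answered with an Access-Reject.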