Hello everybody PacketFence users!
I know that I'm oppressive, and I apologize for that. I will quickly
summarize my problem:
I have configured the FreeRADIUS module of PacketFence for PAP
authentication against the local flat file "users", using port-security,
and it works fine with the Captive Portal. Now I want to move to 802.1X, so
I have properly configured a Cisco 3560G switch following the guide. I have
configured my Windows 8.1 laptop for 802.1X authentication, and when I
connect it to a switch port the request is sent.

This is the output from radiusd -X -d /usr/local/pf/raddb:

rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=22,
length=209
    User-Name = "e03f4937e5e4"
    User-Password = "e03f4937e5e4"
    Service-Type = Call-Check
    Framed-MTU = 1500
    Called-Station-Id = "00-19-E8-34-EE-03"
    Calling-Station-Id = "E0-3F-49-37-E5-E4"
    Message-Authenticator = 0xb662ecf7a6016cce82f7fc9279666176
    Cisco-AVPair = "audit-session-id=C0A801080000001500B93C81"
    NAS-Port-Type = Ethernet
    NAS-Port = 50003
    NAS-Port-Id = "GigabitEthernet0/3"
    NAS-IP-Address = 192.168.1.8
server packetfence {
# Executing section authorize from file
/usr/local/pf/raddb/sites-enabled/packetfence
+group authorize {
[suffix] No '@' in User-Name = "e03f4937e5e4", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++[preprocess] = ok
[eap] No EAP-Message, not doing EAP
++[eap] = noop
++[files] = noop
++[expiration] = noop
++[logintime] = noop
++update request {
    expand: %{Packet-Src-IP-Address} -> 192.168.1.8
++} # update request = noop
++update control {
++} # update control = noop
rlm_perl: Added pair NAS-Port-Type = Ethernet
rlm_perl: Added pair Service-Type = Call-Check
rlm_perl: Added pair Calling-Station-Id = E0-3F-49-37-E5-E4
rlm_perl: Added pair Called-Station-Id = 00-19-E8-34-EE-03
rlm_perl: Added pair FreeRADIUS-Client-IP-Address = 192.168.1.8
rlm_perl: Added pair Message-Authenticator =
0xb662ecf7a6016cce82f7fc9279666176
rlm_perl: Added pair Cisco-AVPair =
audit-session-id=C0A801080000001500B93C81
rlm_perl: Added pair User-Name = e03f4937e5e4
rlm_perl: Added pair User-Password = e03f4937e5e4
rlm_perl: Added pair NAS-IP-Address = 192.168.1.8
rlm_perl: Added pair NAS-Port = 50003
rlm_perl: Added pair NAS-Port-Id = GigabitEthernet0/3
rlm_perl: Added pair Framed-MTU = 1500
rlm_perl: Added pair PacketFence-RPC-Pass =
rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
rlm_perl: Added pair PacketFence-RPC-Proto = http
rlm_perl: Added pair PacketFence-RPC-User =
rlm_perl: Added pair PacketFence-RPC-Port = 7070
++[packetfence] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] = noop
+} # group authorize = ok
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.
Login incorrect: [e03f4937e5e4] (from client 192.168.1.8 port 50003 cli
E0-3F-49-37-E5-E4)
} # server packetfence
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
+group REJECT {
[attr_filter.access_reject]     expand: %{User-Name} -> e03f4937e5e4
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 22 to 192.168.1.8 port 1645
Waking up in 4.9 seconds.
Cleaning up request 0 ID 22 with timestamp +474
Ready to process requests.


And this is my /usr/local/pf/raddb/sites-enabled/packetfence:

server packetfence {

    authorize {
       suffix
       preprocess
       eap {
           ok = return
       }
        files
        expiration
        logintime

        update request {
            FreeRADIUS-Client-IP-Address := "%{Packet-Src-IP-Address}"
        }
        update control {
            PacketFence-RPC-Server = ${rpc_host}
            PacketFence-RPC-Port = ${rpc_port}
            PacketFence-RPC-User = ${rpc_user}
            PacketFence-RPC-Pass = ${rpc_pass}
            PacketFence-RPC-Proto = ${rpc_proto}
        }
       packetfence
       pap
    }

    authenticate {

     Auth-Type PAP {
                   pap
                }


     Auth-Type MS-CHAP {
               mschap
                }
        eap
    }

    preacct {

        preprocess
        acct_unique
        suffix
        files
    }

    accounting {

        sql
        attr_filter.accounting_response
            update control {
            PacketFence-RPC-Server = ${rpc_host}
            PacketFence-RPC-Port = ${rpc_port}
            PacketFence-RPC-User = ${rpc_user}
            PacketFence-RPC-Pass = ${rpc_pass}
            PacketFence-RPC-Proto = ${rpc_proto}
       }
        packetfence
    }

    session {

        radutmp

    }

    post-auth {
        exec
    # skip packetfence if we have already treated it in the inner-tunnel
         if (!EAP-Type || (EAP-Type != EAP-TTLS  && EAP-Type != PEAP)) {
            update control {
                PacketFence-RPC-Server = ${rpc_host}
                PacketFence-RPC-Port = ${rpc_port}
                PacketFence-RPC-User = ${rpc_user}
                PacketFence-RPC-Pass = ${rpc_pass}
                PacketFence-RPC-Proto = ${rpc_proto}
            }
            packetfence
         }
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }

    pre-proxy {
    }

    post-proxy {
        eap
    }

}


I am surely missing some configuration; where am I wrong?

Thanks in advance for any help,
Kind Regards,
Rosario Ippolito
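
An added example, not part of the original post: a small triage script for a `radiusd -X` trace like the one above. The request in the trace has User-Name equal to the client MAC, Service-Type = Call-Check and no EAP-Message, which is the shape of a MAC Authentication Bypass request rather than an 802.1X EAP exchange. The sample trace is constructed from the post, and the finding labels are hypothetical names.

```python
import re

# Constructed sample: trimmed, unwrapped lines from the trace quoted in the post.
SAMPLE = """\
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=22, length=209
    User-Name = "e03f4937e5e4"
    User-Password = "e03f4937e5e4"
    Service-Type = Call-Check
    Calling-Station-Id = "E0-3F-49-37-E5-E4"
    NAS-Port-Id = "GigabitEthernet0/3"
[eap] No EAP-Message, not doing EAP
++[files] = noop
[pap] WARNING! No "known good" password found for the user.
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
"""

# Request attributes are the indented `Name = value` lines under rad_recv.
ATTR = re.compile(r'^\s+([A-Za-z0-9-]+) = "?([^"]*)"?\s*$')

def parse_request(trace):
    """Return the attribute/value pairs of the received request."""
    attrs = {}
    for line in trace.splitlines():
        m = ATTR.match(line)
        if m:
            attrs.setdefault(m.group(1), m.group(2).strip())
    return attrs

def normalize_mac(value):
    """Lower-case and drop separators so MAC spellings compare equal."""
    return re.sub(r"[^0-9a-f]", "", value.lower())

def classify(trace):
    """Label what kind of request arrived and why it was rejected."""
    attrs = parse_request(trace)
    findings = []
    has_eap = "EAP-Message" in attrs
    mac = normalize_mac(attrs.get("Calling-Station-Id", ""))
    user_is_mac = len(mac) == 12 and normalize_mac(attrs.get("User-Name", "")) == mac
    if not has_eap and user_is_mac and attrs.get("Service-Type") == "Call-Check":
        findings.append("mab-request")      # switch sent the MAC, not the supplicant's EAP
    elif has_eap:
        findings.append("eap-request")      # a real 802.1X exchange reached the server
    if "++[files] = noop" in trace:
        findings.append("no-users-entry")   # files module matched nothing for this User-Name
    if "No authenticate method (Auth-Type) found" in trace:
        findings.append("no-auth-type")     # no module in authorize set Auth-Type
    return findings

if __name__ == "__main__":
    print(classify(SAMPLE))
```
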
_______________________________________________
PacketFence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users