Hi Abdelghafour, you have to define your switch in PacketFence under the switch's own IP address. In your switches.conf the entry is [192.168.0.1], which is the address of the PacketFence server itself (eth0 in pf.conf), while the switch's management interface (Vlan1) is 192.168.0.254. So in Configuration -> Switches -> add a new switch with the IP address 192.168.0.254.
It should be something like this in switches.conf:
....
[192.168.0.254]
# Section name = the switch's own management address (interface Vlan1 on the 2960),
# not the PacketFence server address 192.168.0.1 used in the earlier [192.168.0.1] entry.
description=Cisco 2960
type=Cisco::Catalyst_2960
mode=production
deauthMethod=RADIUS
AccessListMap=N
VoIPEnabled=N
defaultRole=normal
# VLAN 10 exists on the switch (interface Vlan10).
defaultVlan=10
# Must match the switch's "radius-server key" and the dynamic-author "server-key".
radiusSecret=testing123
# Must match the "snmp-server community" strings configured on the switch.
SNMPCommunityRead=ciscoRead
SNMPCommunityWrite=ciscoWrite
SNMPVersion=2c
....
Regards
Fabrice
Le 2015-06-15 12:05, Abdelghafour Rakhma a écrit :
> Thank you for your quick response!
> I'm using the latest version of PF (5.1.0), I'll provide here the
> configuration files:
> And that's what I thought too: there is no RADIUS communication
> between the server and the switch, but I still don't know how to fix that!
>
> Switch configuration (cisco 2960):
> !
> username admin privilege 15 secret 5 $1$OhO3$Ab2iIMl8Bsou6feNobkvK.
> !
> !
> aaa new-model
> !
> !
> aaa group server radius packetfence
> server 192.168.0.1 auth-port 1812 acct-port 1813
> !
> aaa authentication login default local
> aaa authentication dot1x default group packetfence
> aaa authorization network default group packetfence
> !
> !
> aaa server radius dynamic-author
> client 192.168.0.1 server-key testing123
> port 3799
> !
> aaa session-id common
> system mtu routing 1500
> !
> !
> !
> !
> !
> dot1x system-auth-control
> !
> !
> !
> spanning-tree mode pvst
> spanning-tree extend system-id
> !
> !
>
> interface FastEthernet0/1
> switchport mode trunk
>
> !
> !
> interface FastEthernet0/12
> !
> interface FastEthernet0/13
> description NAC_controlled
> switchport mode access
> switchport port-security maximum 2
> switchport port-security maximum 1 vlan access
> switchport port-security
> authentication order mab dot1x
> authentication priority mab dot1x
> authentication port-control auto
> authentication periodic
> authentication timer restart 10800
> authentication timer reauthenticate 10800
> mab
> mls qos trust cos
> no snmp trap link-status
> dot1x pae authenticator
> dot1x timeout quiet-period 2
> dot1x timeout tx-period 3
> spanning-tree portfast
> spanning-tree bpdufilter enable
> spanning-tree bpduguard enable
> spanning-tree guard loop
> !
> !
> !
>
> interface FastEthernet0/14
> description NAC_controlled
> switchport mode access
> switchport port-security maximum 2
> switchport port-security maximum 1 vlan access
> switchport port-security
> authentication order mab
> authentication port-control auto
> mab
> mls qos trust cos
> spanning-tree portfast
> spanning-tree bpdufilter enable
> spanning-tree bpduguard enable
> spanning-tree guard loop
> !
> !
> !
> interface Vlan1
> ip address 192.168.0.254 255.255.255.0
> ip helper-address 192.168.0.1
> !
> interface Vlan2
> ip address 192.168.2.254 255.255.255.0
> ip helper-address 192.168.0.1
> !
> interface Vlan3
> ip address 192.168.3.254 255.255.255.0
> ip helper-address 192.168.0.1
> !
> interface Vlan10
> ip address 192.168.1.254 255.255.255.0
> ip helper-address 192.168.0.1
> !
> ip http server
> ip http secure-server
> snmp-server community ciscoWrite RW
> snmp-server community ciscoRead RO
> radius-server host 192.168.0.1 auth-port 1812 acct-port 1813 timeout 2 key
> testing123
> radius-server key testing123
> radius-server vsa send authentication
> !
> line con 0
> password root
> line vty 5 15
> !
> end
> !
> ========================================================================================
> Switches.conf looks like this:
> [default]
> description=Switches Default Values
> vlans=1,2,3,4,5
> normalVlan=1
> registrationVlan=2
> isolationVlan=3
> macDetectionVlan=4
> voiceVlan=5
> inlineVlan=6
> inlineTrigger=
> normalRole=normal
> registrationRole=registration
> isolationRole=isolation
> macDetectionRole=macDetection
> voiceRole=voice
> inlineRole=inline
> VoIPEnabled=no
> VlanMap=Y
> RoleMap=Y
> mode=testing
> macSearchesMaxNb=30
> macSearchesSleepInterval=2
> uplink=dynamic
>
> SNMPVersion=1
> SNMPCommunityRead=public
> SNMPCommunityWrite=private
>
> SNMPVersionTrap=1
> SNMPCommunityTrap=public
> radiusSecret=testing123
>
> [192.168.0.1]
> description=Cisco 2960
> type=Cisco::Catalyst_2960
> mode=production
> deauthMethod=RADIUS
> AccessListMap=N
> VoIPEnabled=N
> defaultRole=normal
> defaultVlan=10
> radiusSecret=testing123
> SNMPCommunityRead=ciscoRead
> SNMPCommunityWrite=ciscoWrite
> SNMPVersion=2c
> ================================================================
> pf.config :
>
> [general]
> domain=fssm.local
> hostname=pf.fssm.local
>
> [database]
> pass=root
>
> [omapi]
> key_base64=Zop2OvYAwVao7hTz+kBx/w==
>
> [interface eth0.2]
> enforcement=vlan
> ip=192.168.2.1
> type=internal
> mask=255.255.255.0
>
> [interface eth0.3]
> enforcement=vlan
> ip=192.168.3.1
> type=internal
> mask=255.255.255.0
>
> [interface eth0]
> ip=192.168.0.1
> type=management,high-availability
> mask=255.255.255.0
>
> ===========================================================
> And radius.conf in /raddb/radius/radius.conf :
> prefix = /usr
> exec_prefix = /usr
> sysconfdir = /etc
> localstatedir = /usr/local/pf/var
> sbindir = /usr/sbin
> logdir = /usr/local/pf/logs
> raddbdir = /usr/local/pf/var/radiusd
> radacctdir = /usr/local/pf/logs/radacct
>
> name = radiusd
>
> confdir = ${raddbdir}
> run_dir = ${localstatedir}/run
>
> db_dir = ${raddbdir}
>
> libdir = /usr/lib/freeradius
> pidfile = ${run_dir}/${name}.pid
>
> rpc_user = ''
> rpc_pass = ''
> rpc_port = 7070
> rpc_host = 127.0.0.1
> rpc_proto = http
>
>
> user = pf
> group = pf
>
> max_request_time = 10
> cleanup_delay = 5
> max_requests = 20000
>
> listen {
> type = auth
> ipaddr = 192.168.0.1
> port = 0
> virtual_server = packetfence
> }
>
> listen {
> ipaddr = 192.168.0.1
> port = 0
> type = acct
> virtual_server = packetfence
> }
>
> hostname_lookups = no
> allow_core_dumps = no
>
> regular_expressions = yes
> extended_expressions = yes
>
> log {
> destination = files
> file = ${logdir}/radius.log
> syslog_facility = daemon
> stripped_names = no
> auth = yes
> auth_badpass = no
> auth_goodpass = no
> }
>
> checkrad = ${sbindir}/checkrad
>
> security {
> max_attributes = 200
> reject_delay = 1
> status_server = yes
> # On Centos, even if the openssl lib has been patched, freeradius refuses to start. Make sure you update openssl.
> allow_vulnerable_openssl = yes
> }
>
> proxy_requests = yes
> $INCLUDE proxy.conf
> $INCLUDE clients.conf
>
> thread pool {
> start_servers = 5
> max_servers = 64
> min_spare_servers = 3
> max_spare_servers = 10
> max_requests_per_server = 0
> }
>
> modules {
> $INCLUDE ${confdir}/modules/
> $INCLUDE eap.conf
> $INCLUDE sql.conf
> }
>
> instantiate {
> exec
> expr
> expiration
> logintime
> sql
> raw
> }
>
> $INCLUDE policy.conf
> $INCLUDE sites-enabled/
>
>
>
>
>
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
