Hi Reeyon,

With the command "raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3600" you will see what happens in the authentication process.
If you want to use -X then use this command:
/usr/sbin/radiusd -d /usr/local/pf/raddb/ -n auth -X


On 2016-01-25 20:27, Reeyon Lim wrote:
Hi Ludovic,
For the radius debug try : raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3600
*Ans: Where can I look after running the above command? If I run "radiusd -X -d /usr/local/pf/raddb", I get the error in the last two lines:*

radiusd: #### Opening IP addresses and Ports ####
The server is not configured to listen on any ports.  Cannot start.

Are you trying to do an 802.1x authentication ?
*Ans: Yes, I would like to do wired 802.1x, with captive portal login as failover. For example, if a domain PC is connected to the network, it will authenticate against AD, otherwise the captive portal page will pop up. Guests will need to input the username/password which is stored in the /usr/local/pf/raddb/users file (in this case, for example, by default it is "demouser/demouser").*
So you want to do autoreg on 802.1x and mac auth for guest access, but instead of using /usr/local/pf/raddb/users for guests, create a local user.

*_New problem arises:_*
*My wired 802.1x authentication against AD is successful, however PF will never assign the port to the default VLAN (118), but instead assigns it to the Registration VLAN (2).*
Below is my switchport configuration from Cisco
interface GigabitEthernet0/33
 switchport access vlan 118
 switchport mode access
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer restart 10800
 authentication timer reauthenticate 10800
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout quiet-period 2
 dot1x timeout tx-period 3
 spanning-tree portfast
end

*_Switch log:_*
.Jan 26 09:22:54.696 SG: %DOT1X-5-SUCCESS: Authentication successful for client (d4be.d939.37c6) on Interface Gi0/33 AuditSessionID
.Jan 26 09:22:54.696 SG: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (d4be.d939.37c6) on Interface Gi0/33 AuditSessionID 0AB876FB0000007714341E60
.Jan 26 09:22:54.705 SG: %AUTHMGR-5-VLANASSIGN: VLAN 2 assigned to Interface Gi0/33 AuditSessionID 0AB876FB0000007714341E60
.Jan 26 09:22:55.753 SG: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (d4be.d939.37c6) on Interface Gi0/33 AuditSessionID 0AB876FB0000007714341E60

Make sure that :

- Your user exists on the local/external source -- *I have included Radius for Internal, because the method I use is Radius*
Wrong, don't use packetfence itself as an authentication source.
- That you put the correct source on your portal profile (try to create one with your SSID/ Switch IP) - *Done*
- Use bin/pftest authentication username password to see which source you match - *Ans: the command I ran: pftest authenticate demouser demouser cdppl, the output is*
*Authentication FAILED against cdppl (Unable to validate credentials at the moment)*
*  Did not match against cdppl*
*  Did not match against cdppl*

Hope to hear from you, thank you !

Ok so what you will have to do:
Create 2 portal profiles:

One for wire 802.1x (name wire-secure):
Filter: Connection type => Ethernet-EAP
Authentication source => AD
...

one for mac-auth (name wire-open):
Filter: Connection Type => WIRED_MAC_AUTH
Authentication source => Local
...

So if your connection is 802.1x then it will use the wire-secure portal with AD source and if your connection is mac-auth it will use the wire-open portal with local source (Local is the person tab in packetfence).

Next you have to autoregister wire 802.1x connection, so you will use vlan filters.
Let's create vlan_filters rules:

[EthernetEAP]
filter = connection_type
operator = is
value = Ethernet-EAP

[5:EthernetEAP&EAPTLS]
scope = AutoRegister
role = default


I hope it will help.
Also update to pf 5.6.1

Regards
Fabrice

Regards,
Reeyon

On Mon, Jan 25, 2016 at 10:08 PM, Ludovic Zammit <[email protected]> wrote:

    Hi Reeyon,

    For the radius debug try :  raddebug -f
    /usr/local/pf/var/run/radiusd.sock -t 3600

    Are you trying to do an 802.1x authentication ?

    Make sure that :

    - Your user exists on the local/external source
    - That you put the correct source on your portal profile (try to
    create one with your SSID/ Switch IP)
    - Use bin/pftest authentication username password to see which
    source you match

    Thanks,

    Ludovic Zammit
    [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
    Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

    On 24 Jan 2016, at 21:05, Reeyon Lim <[email protected]> wrote:

    Hi All,

    I have successfully setup a lab using ZEN 5.5 version on ESXi.
    Everything is working fine such as VLAN enforcement and the
    captive portal page for registration.
    I followed the
    http://www.packetfence.org/downloads/PacketFence/doc/PacketFence_Out-of-Band_Deployment_Quick_Guide_ZEN-5.6.0.pdf
    manual guide; when the landing page pops up and I key in the
    default "demouser/demouser", it shows unable to validate
    credentials at the moment.

    So, going into the shell and running radiusd -X -d /usr/local/pf/raddb/
    The output at the last two lines is:

    radiusd: #### Opening IP addresses and Ports ####
    The server is not configured to listen on any ports.  Cannot start.

    I ran the radtest command and it didn't work either.
    Please help!

    Regards,
    Reeyon
    
    PacketFence-users mailing list
    [email protected]
    https://lists.sourceforge.net/lists/listinfo/packetfence-users
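
Added example (not part of the original thread, and not PacketFence or Cisco code): a Python check over the switch log quoted above that reports ports where authentication succeeded but the VLAN in %AUTHMGR-5-VLANASSIGN differs from the expected one. The EXPECTED_VLAN mapping and the function name are assumptions; the log lines are the ones posted in the thread.

```python
import re

# Log lines as posted in the thread (the first AuditSessionID is empty there too).
SAMPLE_LOG = """\
.Jan 26 09:22:54.696 SG: %DOT1X-5-SUCCESS: Authentication successful for client (d4be.d939.37c6) on Interface Gi0/33 AuditSessionID
.Jan 26 09:22:54.696 SG: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (d4be.d939.37c6) on Interface Gi0/33 AuditSessionID 0AB876FB0000007714341E60
.Jan 26 09:22:54.705 SG: %AUTHMGR-5-VLANASSIGN: VLAN 2 assigned to Interface Gi0/33 AuditSessionID 0AB876FB0000007714341E60
.Jan 26 09:22:55.753 SG: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (d4be.d939.37c6) on Interface Gi0/33 AuditSessionID 0AB876FB0000007714341E60
"""

# Assumption: expected VLAN per port, taken from "switchport access vlan 118".
EXPECTED_VLAN = {"Gi0/33": 118}

RESULT_RE = re.compile(
    r"%AUTHMGR-7-RESULT: Authentication result '(\w+)' from '(\w+)' "
    r"for client \(([0-9a-fA-F.]+)\) on Interface (\S+)")
VLAN_RE = re.compile(r"%AUTHMGR-5-VLANASSIGN: VLAN (\d+) assigned to Interface (\S+)")


def find_vlan_mismatches(log_text, expected):
    """Return ports where a successful auth was followed by an unexpected VLAN."""
    last_auth = {}  # interface -> (method, client MAC) of the latest successful auth
    findings = []
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if m:
            result, method, client, iface = m.groups()
            if result == "success":
                last_auth[iface] = (method, client)
            else:
                last_auth.pop(iface, None)  # a failed auth clears the pending state
            continue
        m = VLAN_RE.search(line)
        if m and m.group(2) in last_auth:
            vlan, iface = int(m.group(1)), m.group(2)
            want = expected.get(iface)
            if want is not None and vlan != want:
                method, client = last_auth[iface]
                findings.append({"interface": iface, "client": client,
                                 "method": method, "assigned": vlan,
                                 "expected": want})
    return findings


if __name__ == "__main__":
    for f in find_vlan_mismatches(SAMPLE_LOG, EXPECTED_VLAN):
        print("{interface}: {client} passed {method} but got VLAN "
              "{assigned}, expected {expected}".format(**f))
```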


    