Hello Louis,

You are great! That debug mode helped me. Really dumb mistake, it was a RADIUS passphrase mismatch.

Now the switchport went to the registration VLAN, but I don't understand why. I defined a portal profile with the following conditions:

    1. switch - switchIp

    Source: a defined AD authentication (is user in a group)
    Provisioners: accept

It is set that any of the conditions are met. In the switch config there is role mapping by VLAN ID, and I set up registration, isolation and a production VLAN.

How do I know why that port is set to the registration VLAN? I don't understand the decision logic of PacketFence. I've read the admin guide a few times, but I just don't get the point. I really understood it with your words :)

Gábor Barócsi
Network and System Engineer

From: Louis Munro [mailto:lmu...@inverse.ca]
Sent: 24 February 2016 20:29
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] freeradius issue with 802.1x

> On Feb 24, 2016, at 10:47 , BARÓCSI Gábor <gabor.baro...@qualysoft.com> wrote:
>
> Hello,
>
> Please help me with an issue. I've just installed PacketFence and integrated it to a Windows AD domain. I can do AD queries. I use a Cisco SG300 switch which sends the EAP requests to PacketFence. I see with tcpdump that requests are coming to PacketFence, but there is no response to the switch.
>
>     RADIUS, Access Request (1), id: 0x8b length: 137

Please post the actual tcpdump output.

Run it like this:

    # tcpdump -iany -nnl port 1812

Then, and at the same time if possible, run FreeRADIUS in debug mode:

    pkill radiusd; radiusd -d /usr/local/pf/raddb -n auth -Xx

> I tried to do a query with this actual command (I don't have a user like that):
>
>     radtest dd9999 Abcd1234 localhost:18120 12 testing123
>     Sending Access-Request of id 189 to 127.0.0.1 port 18120
>             User-Name = "dd9999"
>             User-Password = "Abcd1234"
>             NAS-IP-Address = 127.0.1.1
>             NAS-Port = 12
>             Message-Authenticator = 0x00000000000000000000000000000000
>     rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=189, length=20

That does not prove much of anything.
Your switch is not sending packets to that host and port anyway.

> Anything that I can check? The problem is that the switch is not getting an EAP RADIUS Access-Challenge response message and the VLAN cannot be set.
>
> Also please confirm if I understand it correctly: the switch uses 802.1X auth with FreeRADIUS, PacketFence is checking the AD, and if the user or machine is in the AD it is setting the correct VLAN. Maybe some other checks are also made, like firewall is on, etc.

PacketFence will check whatever authorization sources you have configured based on the portal profile that matches the connection.
It will then apply the rules that you have defined and select a role based on those.
The role will correspond to a VLAN based on the configuration of the switch in PacketFence.

You did configure the switch in PacketFence, right (in the GUI)?
If the switch is not in the PacketFence configuration, FreeRADIUS will drop any packets coming from it.

Regards,
--
Louis Munro
lmu...@inverse.ca :: www.inverse.ca
+1.514.447.4918 x125 :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
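The root cause in this thread was a shared-secret mismatch between the switch and FreeRADIUS, which shows up as "requests arrive, nothing comes back". The following added example (not PacketFence or FreeRADIUS code, and not part of the thread) builds a constructed Access-Request of the same shape as the radtest packet above, plus an Access-Accept reply, and checks the two integrity values that depend on the secret: the Message-Authenticator (HMAC-MD5, RFC 3579) that a server verifies before answering an EAP request, and the Response Authenticator (RFC 2865) that the client verifies before trusting a reply. With mismatched secrets both checks fail, which is why FreeRADIUS silently discards the request (in debug mode it reports the shared secret as incorrect) and why the switch would drop any reply even if one were sent. Packet contents, secrets and the helper names are constructed for this example.

```python
"""RADIUS shared-secret check (RFC 2865 / RFC 3579), constructed example."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def _attr(atype, value):
    """Encode one attribute as Type, Length (including this 2-byte header), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def iter_attributes(packet):
    """Yield (type, offset_of_value, value) for each attribute after the header."""
    offset = HEADER_LEN
    while offset < len(packet):
        atype, alen = struct.unpack_from("!BB", packet, offset)
        if alen < 2 or offset + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % offset)
        yield atype, offset + 2, packet[offset + 2:offset + alen]
        offset += alen


def build_access_request(ident, secret, request_auth, user="dd9999",
                         nas_ip=bytes([127, 0, 1, 1]), nas_port=12):
    """Build an Access-Request like the radtest one, with a real Message-Authenticator:
    HMAC-MD5 over the whole packet with the attribute value zeroed (RFC 3579 s3.2)."""
    leading = (_attr(ATTR_USER_NAME, user.encode())
               + _attr(ATTR_NAS_IP_ADDRESS, nas_ip)
               + _attr(ATTR_NAS_PORT, struct.pack("!I", nas_port)))
    attrs = leading + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    packet = header + request_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    ma_value_offset = HEADER_LEN + len(leading) + 2
    return packet[:ma_value_offset] + mac + packet[ma_value_offset + 16:]


def verify_message_authenticator(packet, secret):
    """True if the Message-Authenticator was computed with `secret`. A server holding a
    different secret gets False and drops the request, which the switch sees as silence."""
    for atype, value_offset, value in iter_attributes(packet):
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed = packet[:value_offset] + bytes(16) + packet[value_offset + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # EAP requests must carry one (RFC 3579), so absence is a failure


def build_response(code, ident, request_auth, secret, attrs=b""):
    """Reply whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 s3)."""
    head = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    response_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + response_auth + attrs


def verify_response(response, request_auth, secret):
    """True if the reply was signed with `secret` for the request carrying request_auth."""
    _code, _ident, length = struct.unpack_from("!BBH", response, 0)
    if length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, response[4:HEADER_LEN])


def check_pair(secret_on_switch, secret_on_server):
    """Simulate switch -> server -> switch with two (possibly different) secrets."""
    request_auth = os.urandom(16)  # the 16-byte Request Authenticator is random per request
    request = build_access_request(189, secret_on_switch, request_auth)
    server_accepts_request = verify_message_authenticator(request, secret_on_server)
    reply = build_response(ACCESS_ACCEPT, 189, request_auth, secret_on_server)
    switch_accepts_reply = verify_response(reply, request_auth, secret_on_switch)
    return {
        "request_len_ok": struct.unpack_from("!H", request, 2)[0] == len(request),
        "server_accepts_request": server_accepts_request,
        "switch_accepts_reply": switch_accepts_reply,
    }


if __name__ == "__main__":
    print("matching secrets:  ", check_pair(b"testing123", b"testing123"))
    print("mismatched secrets:", check_pair(b"testing123", b"Testing123"))
```

The same check applies to a capture: feed the bytes of a request from the `tcpdump` run above to `verify_message_authenticator` with the secret configured in PacketFence for that switch, and a False result points at the secret before anything else in the authentication chain is worth investigating.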
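To make the decision chain Louis describes (matching portal profile, its authentication sources and rules, the role, and the switch's role-to-VLAN mapping) concrete, here is an added, simplified model of that chain with a trace explaining each outcome. It is illustration code, not PacketFence's implementation: the data structures, switch IPs, AD group names and VLAN ids are constructed, and the two fallbacks (a switch missing from the configuration gets no answer; a node for which no rule matched stays unregistered and gets the registration VLAN) are assumptions chosen to mirror what the thread says.

```python
"""Simplified model of profile -> source rules -> role -> VLAN (constructed example)."""
from dataclasses import dataclass


@dataclass
class Connection:
    switch_ip: str
    user: str
    ad_groups: frozenset


@dataclass
class Source:
    name: str
    rules: list  # (AD group the user must be in, role granted), evaluated in order


@dataclass
class Profile:
    name: str
    switch_ips: frozenset  # filter "switch": the profile applies when the NAS is listed
    sources: list


@dataclass
class Switch:
    ip: str
    role_to_vlan: dict  # role name -> VLAN id, configured per switch


def match_profile(conn, profiles, default_profile):
    """First profile whose filter matches the connection, else the default profile."""
    for profile in profiles:
        if conn.switch_ip in profile.switch_ips:
            return profile
    return default_profile


def select_role(conn, profile):
    """Try the profile's sources in order; the first rule whose condition holds wins."""
    for source in profile.sources:
        for group, role in source.rules:
            if group in conn.ad_groups:
                return role, "%s: user in %s -> role %s" % (source.name, group, role)
    return None, "no rule in any source matched, node stays unregistered"


def decide_vlan(conn, switches, profiles, default_profile):
    """Return (vlan_or_None, trace) for one connection, step by step."""
    switch = switches.get(conn.switch_ip)
    if switch is None:
        return None, "switch %s is not configured: request dropped" % conn.switch_ip
    profile = match_profile(conn, profiles, default_profile)
    role, why = select_role(conn, profile)
    if role is None:
        # Assumption of this model: an unregistered node lands in the registration VLAN
        vlan = switch.role_to_vlan["registration"]
        return vlan, "profile %s; %s; registration VLAN %d" % (profile.name, why, vlan)
    if role not in switch.role_to_vlan:
        return None, "profile %s; %s; but switch %s maps no VLAN to that role" % (
            profile.name, why, switch.ip)
    vlan = switch.role_to_vlan[role]
    return vlan, "profile %s; %s; VLAN %d" % (profile.name, why, vlan)


# Constructed configuration resembling the thread (IPs, group and VLAN ids are made up)
STAFF_GROUP = "CN=Staff,OU=Groups,DC=example,DC=com"
SWITCHES = {"10.0.0.2": Switch("10.0.0.2", {"registration": 2, "isolation": 3, "staff": 100})}
AD_SOURCE = Source("AD", rules=[(STAFF_GROUP, "staff")])
DEFAULT_PROFILE = Profile("default", frozenset(), sources=[])
PROFILES = [Profile("sg300", frozenset({"10.0.0.2"}), sources=[AD_SOURCE])]


def trace(switch_ip, user, groups):
    """Run the constructed configuration for one user and return (vlan, explanation)."""
    conn = Connection(switch_ip, user, frozenset(groups))
    return decide_vlan(conn, SWITCHES, PROFILES, DEFAULT_PROFILE)


if __name__ == "__main__":
    for args in [("10.0.0.2", "alice", [STAFF_GROUP]),
                 ("10.0.0.2", "bob", ["CN=Guests,OU=Groups,DC=example,DC=com"]),
                 ("10.0.0.9", "alice", [STAFF_GROUP])]:
        print(trace(*args))
```

Read against the question in the thread: a port ending up in the registration VLAN means the chain reached `select_role` and no rule matched, so the things to verify are, in order, that the switch entry exists, that the intended profile is the one matched by its filter, and that the source rule's group condition actually holds for that user.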