Hi Antoine, I don't have the option for the first command on my switch (Cisco 2960, 12.2(44)). But for the VLAN policy I got this:

Dot1x Info for FastEthernet0/3
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = MULTI_HOST
Violation Mode            = PROTECT
ReAuthentication          = Enabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0

Dot1x Authenticator Client List
-------------------------------
Domain                    = DATA
Supplicant                = 0040.d067.d0b1
Auth SM State             = AUTHENTICATED
Auth BEND SM State        = IDLE
Port Status               = AUTHORIZED
ReAuthPeriod              = 3600
ReAuthAction              = Reauthenticate
TimeToNextReauth          = 2801
Authentication Method     = Dot1x
Authorized By             = Authentication Server
Vlan Policy               = 100

show spanning-tree vlan 100 gives this:

VLAN0100
  Spanning tree enabled protocol ieee
  Root ID    Priority    32868
             Address     ec44.7687.f080
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32868  (priority 32768 sys-id-ext 100)
             Address     ec44.7687.f080
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/1               Desg FWD 19        128.1    P2p
Fa0/3               Desg FWD 19        128.3    P2p

And the radius debug for the client gives this:

++[ntdomain] = noop
++[preprocess] = ok
[eap] EAP packet type response id 10 length 43
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Type:0 = VLAN
        Tunnel-Private-Group-Id:0 = "100"
        User-Name = "Anisha.kindo"
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
Login OK: [Anisha.kindo] (from client 192.168.1.5 port 50003 cli 00:40:d0:67:d0:b1)
} # server packetfence
# Executing section post-auth from file /usr/local/pf/raddb//sites-enabled/packetfence
+group post-auth {
++[exec] = noop
++? if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP))
? Evaluating !(EAP-Type ) -> FALSE
?? Evaluating (EAP-Type != EAP-TTLS ) -> TRUE
?? Evaluating (EAP-Type != PEAP) -> FALSE
++? if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) -> FALSE
+} # group post-auth = noop
Sending Access-Accept of id 34 to 192.168.1.5 port 1645
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Type:0 = VLAN
        Tunnel-Private-Group-Id:0 = "100"
        User-Name = "Anisha.kindo"
        MS-MPPE-Recv-Key = 0x582295297696bc0dd0d4a396c512387285a5e54f58922e3454ae625363e8f1dd
        MS-MPPE-Send-Key = 0x34b6a3dd8221574be698bcc88ecbf658c5ccea150dafd5657618d84ec3c1e629
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x00000000000000000000000000000000
Finished request 32.
Going to the next request
Waking up in 4.6 seconds.
Cleaning up request 31 ID 33 with timestamp +590
Waking up in 0.3 seconds.
Cleaning up request 32 ID 34 with timestamp +597
Ready to process requests.

I really don't know where the problem comes from.
Thanks
Regards
Amidou
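As an added example (not from this thread or the PacketFence project), a small Python check that applies Antoine's two verifications mechanically: it parses constructed samples modelled on the dot1x, spanning-tree and RADIUS output above and reports whether the port's Vlan Policy, the port's membership in the spanning-tree for that VLAN, and the Tunnel-Private-Group-Id in the Access-Accept all agree on the expected registration VLAN. The function names and the trimmed sample outputs are my own.

```python
import re
# Constructed sample outputs modelled on those posted in the thread (trimmed,
# not verbatim copies of the switch or RADIUS output).
DOT1X_OUTPUT = """Dot1x Info for FastEthernet0/3
Supplicant = 0040.d067.d0b1
Port Status = AUTHORIZED
Vlan Policy = 100
"""
STP_OUTPUT = """VLAN0100
  Spanning tree enabled protocol ieee
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ----
Fa0/1               Desg FWD 19        128.1    P2p
Fa0/3               Desg FWD 19        128.3    P2p
"""
RADIUS_REPLY = """Sending Access-Accept of id 34 to 192.168.1.5 port 1645
        Tunnel-Type:0 = VLAN
        Tunnel-Private-Group-Id:0 = "100"
"""

def parse_dot1x(text):
    """(interface, Vlan Policy, Port Status) from 'show dot1x interface' output."""
    grab = lambda key: re.search(key + r"\s*=\s*(\S+)", text).group(1)
    iface = re.search(r"Dot1x Info for (\S+)", text).group(1)
    return iface, grab("Vlan Policy"), grab("Port Status")

def parse_stp_interfaces(text):
    """Interfaces in 'show spanning-tree vlan N': name, Role, Sts, numeric Cost, Prio.Nbr."""
    rows = re.finditer(r"^(\S+)[ \t]+\S+[ \t]+\S+[ \t]+\d+[ \t]+\d+\.\d+", text, re.M)
    return {m.group(1) for m in rows}

def parse_radius_vlan(text):
    """VLAN carried in the Access-Accept's Tunnel-Private-Group-Id, or None."""
    m = re.search(r'Tunnel-Private-Group-Id:0\s*=\s*"?(\w+)"?', text)
    return m.group(1) if m else None

def check_registration_vlan(expected, dot1x, stp, radius):
    """Return a list of findings; empty means RADIUS, Vlan Policy and spanning-tree agree."""
    iface, policy, status = parse_dot1x(dot1x)
    # spanning-tree output abbreviates interface names (FastEthernet0/3 -> Fa0/3)
    short = iface.replace("FastEthernet", "Fa").replace("GigabitEthernet", "Gi")
    findings = []
    if parse_radius_vlan(radius) != expected:
        findings.append("RADIUS reply does not carry VLAN %s" % expected)
    if policy != expected:
        findings.append("%s Vlan Policy is %s, expected %s" % (iface, policy, expected))
    if status != "AUTHORIZED":
        findings.append("%s Port Status is %s, not AUTHORIZED" % (iface, status))
    if short not in parse_stp_interfaces(stp):
        findings.append("%s is not listed in spanning-tree for VLAN %s" % (iface, expected))
    return findings
```

On the outputs posted in the thread all three checks agree on VLAN 100, which is why the next place to look is whether VLAN 100 itself reaches the PacketFence server's interface.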
On Wednesday, April 27, 2016, at 22:38, Antoine Amacher <[email protected]> wrote:
Hello Amidou,
You should look toward your switch: is your registration VLAN properly applied to the port and spanned?
What is the result of "show authentication session interface XX", where XX stands for the interface where your client is connected?
You should see "Vlan Policy: YOUR_REGISTRATION_VLAN".
Also look at "show spanning-tree vlan YOUR_REGISTRATION_VLAN".
You should see the interface where your device is plugged in.
Thank you
On 04/26/2016 03:08 PM, TOURE Amidou Florian wrote:
Hi, I have a problem running my PacketFence. I have configured it to work with a Cisco 2960 switch and the server is running on a VMware Workstation machine. When PacketFence puts the device on the registration VLAN, the client doesn't get an IP address, and a static IP address on this same client doesn't allow pinging the PacketFence server or the switch. The eth0 interface seems to be running. The output of the radius debug shows this:

[suffix] No '@' in User-Name = "Administrateur", skipping NULL due to config.
++[suffix] = noop
[ntdomain] No '\' in User-Name = "Administrateur", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] = noop
++[preprocess] = ok
[eap] EAP packet type response id 10 length 43
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Type:0 = VLAN
        Tunnel-Private-Group-Id:0 = "100"
        User-Name = "Administrateur"
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
Login OK: [Administrateur] (from client 192.168.1.5 port 50003 cli 00:40:d0:67:d0:b1)
} # server packetfence
# Executing section post-auth from file /usr/local/pf/raddb//sites-enabled/packetfence
+group post-auth {
++[exec] = noop
++? if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP))
? Evaluating !(EAP-Type ) -> FALSE
?? Evaluating (EAP-Type != EAP-TTLS ) -> TRUE
?? Evaluating (EAP-Type != PEAP) -> FALSE
++? if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) -> FALSE
+} # group post-auth = noop
Sending Access-Accept of id 42 to 192.168.1.5 port 1645
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Type:0 = VLAN
        Tunnel-Private-Group-Id:0 = "100"
        User-Name = "Administrateur"
        MS-MPPE-Recv-Key = 0xf68acbdf500d49b410cdfc7e55f80616b05cc4b2ef2ca466d212317af86838ff
        MS-MPPE-Send-Key = 0x127d4a339e47839cd271f86f062913e861408355d02e43364597daba13d2108e
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x00000000000000000000000000000000
Finished request 16.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 15 ID 41 with timestamp +45
Cleaning up request 16 ID 42 with timestamp +49
Ready to process requests.

Now the output of packetfence.log and pfdhcplistener.log:

Apr 26 11:49:51 httpd.aaa(50960) INFO: [mac:00:40:d0:67:d0:b1] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Apr 26 11:49:51 httpd.aaa(50960) INFO: [mac:00:40:d0:67:d0:b1] (192.168.1.5) Added VLAN 100 to the returned RADIUS reply (pf::Switch::returnRadiusAccessAccept)
Apr 26 11:49:51 httpd.aaa(50960) INFO: [mac:00:40:d0:67:d0:b1] (192.168.1.5) Returning ACCEPT with VLAN 100 (pf::Switch::returnRadiusAccessAccept)
Apr 26 11:49:51 httpd.aaa(50960) INFO: [mac:00:40:d0:67:d0:b1] (192.168.1.5) No access lists defined for this role registration (pf::Switch::Cisco::Catalyst_2960::returnRadiusAccessAccept)

Apr 26 11:16:26 pfdhcplistener(51054) WARN: Unable to open VLAN proc description for eth0: No such file or directory (pf::util::get_vlan_from_int)
Apr 26 11:16:26 pfdhcplistener(51054) INFO: DHCP detector on eth0 enabled (main::)
Apr 26 11:16:26 pfdhcplistener(51054) INFO: Reload configuration on eth0 with status 0 (main::reload_config)

Why can't a static IP on the host reach the server or ping the switch? All the firewalls have been stopped. Can I have some help? Thanks
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Antoine Amacher
[email protected] :: +1.514.447.4918 *130 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)