I’ve been watching this as we are starting to use Juniper EX series switches
and I hope this will also solve the same issues I’ve encountered with EX3300
switches on 5.3.1.
-- Robin Kundert
Sr. Network Analyst/Administrator
Seattle Pacific University
From: Dustin Berube [mailto:[email protected]]
Sent: Wednesday, May 11, 2016 14:06
To: [email protected]
Subject: Re: [PacketFence-users] SSH not passing interface enable/disable
commands
Using the value of the acctsessionid column in the radacct table worked.
Here's the attributes I used.
User-Name=0021ccbea13f
Acct-Session-ID=8O2.1x819e0122000d26f7
Output of radclient:
[root@PacketFence-ZEN-6-0-0 ~]# cat radcl | radclient -c1 -r1 -x
172.22.0.201:3799<http://172.22.0.201:3799> disconnect <redacted>
Sent Disconnect-Request Id 236 from 0.0.0.0:35766<http://0.0.0.0:35766> to
172.22.0.201:3799<http://172.22.0.201:3799> length 58
User-Name = "0021ccbea13f"
Acct-Session-Id = "8O2.1x819e0122000d26f7"
Received Disconnect-ACK Id 236 from 172.22.0.201:3799<http://172.22.0.201:3799>
to 0.0.0.0:0<http://0.0.0.0:0> length 20
Output of radsniff:
[root@PacketFence-ZEN-6-0-0 ~]# radsniff -x -f 'host 172.22.0.201 and port 3799'
Logging all events
Defaulting to capture on all interfaces
Sniffing on (eth0 eth0.97 eth0.98 fcc-radius-b lo)
2016-05-11 16:55:16.415405 (1) Disconnect-Request Id 94
eth0:172.30.40.10:47301<http://172.30.40.10:47301> ->
172.22.0.201:3799<http://172.22.0.201:3799> +0.000
User-Name = "0021ccbea13f"
Acct-Session-Id = "8O2.1x819e011f000f153a"
Authenticator-Field = 0x406c6d6f4cf316df00401cce3f728990
2016-05-11 16:55:16.454810 (2) Disconnect-ACK Id 94
eth0:172.30.40.10:47301<http://172.30.40.10:47301> <-
172.22.0.201:3799<http://172.22.0.201:3799> +0.039 +0.039
Authenticator-Field = 0xfc1ca69d92808dd0ac29bb28cd303799
2016-05-11 16:55:21.654810 (1) Cleaning up request packet ID 94
Successfully removed the port from the vlan and reset the auth status on the
switch.
root# run show dot1x interface ge-0/0/2.0
802.1X Information:
Interface Role State MAC address User
ge-0/0/2.0 Authenticator Connecting
Thanks for the help Louis. Let me know if you need anymore information to
create the patch.
-dustin
On Wed, May 11, 2016 at 4:33 PM, Louis Munro
<[email protected]<mailto:[email protected]>> wrote:
On May 11, 2016, at 16:10 , Dustin Berube
<[email protected]<mailto:[email protected]>> wrote:
[root@PacketFence-ZEN-6-0-0 ~]# radsniff -x -f 'host 172.22.0.201 and port 3799'
Logging all events
Defaulting to capture on all interfaces
Sniffing on (eth0 eth0.97 eth0.98 fcc-radius-b lo)
2016-05-11 16:03:58.379930 (1) Disconnect-Request Id 78
eth0:172.30.40.10:34211<http://172.30.40.10:34211/> ->
172.22.0.201:3799<http://172.22.0.201:3799/> +0.000
NAS-IP-Address = 172.22.0.201
Calling-Station-Id = "00:21:cc:be:a1:3f"
Authenticator-Field = 0xff41af5cfacbac548dfd8b5455700340
2016-05-11 16:03:58.396590 (2) Disconnect-NAK Id 78
eth0:172.30.40.10:34211<http://172.30.40.10:34211/> <-
172.22.0.201:3799<http://172.22.0.201:3799/> +0.001 +0.001
Error-Cause = Missing-Attribute
Authenticator-Field = 0x372a2a7088936bad8ace3669bc09cbcc
2016-05-11 16:04:03.239659 (1) Cleaning up request packet ID 78
So the switch rejects (NAKs) our disconnect request.
We need to find which attribute to send it to ask it to disconnect you.
This is where it gets “fun”.
Each vendor seems to have it’s own idea about that.
If I read this correctly, we need the session id:
http://www.juniper.net/documentation/en_US/junos13.3/topics/concept/aaa-radius-coa-overview.html
You would find that in the accounting tables of the database.
Look in the “radacct” table, under acctsessionid using the mac address of the
device (lowercase and without any delimiter).
Then what you can do as a proof of concept is to manually send a disconnect
request using radclient.
Save the attributes and values to send into a file, like this:
User-Name=$USER-NAME
Acct-Session-ID=$sessionid
and then pipe the file into radclient:
# cat file | radclient -c1 -r1 -x 172.22.0.201 disconnect $RADIUS_SHARED_SECRET
If you can get it to disconnect, I can get you a patch that would fix the
EX4220, probably tomorrow.
--
Louis Munro
[email protected]<mailto:[email protected]> ::
www.inverse.ca<http://www.inverse.ca>
+1.514.447.4918 x125<tel:%2B1.514.447.4918%20x125> :: +1 (866) 353-6153
x125<tel:%2B1%20%28866%29%20353-6153%20x125>
Inverse inc. :: Leaders behind SOGo (www.sogo.nu<http://www.sogo.nu>) and
PacketFence (www.packetfence.org<http://www.packetfence.org>)
------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
PacketFence-users mailing list
[email protected]<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
