Quick question, did you try with this module (Juniper EX 2200 Series), because the CoA is there:

https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Juniper/EX2200.pm#L137

Regards
Fabrice


On 2016-05-11 18:09, Kundert, Robin wrote:

I’ve been watching this as we are starting to use Juniper EX series switches and I hope this will also solve the same issues I’ve encountered with EX3300 switches on 5.3.1.

-- Robin Kundert
   Sr. Network Analyst/Administrator
   Seattle Pacific University

From: Dustin Berube [mailto:[email protected]]
Sent: Wednesday, May 11, 2016 14:06
To: [email protected]
Subject: Re: [PacketFence-users] SSH not passing interface enable/disable commands

Using the value of the acctsessionid column in the radacct table worked.

Here are the attributes I used:

User-Name=0021ccbea13f
Acct-Session-ID=8O2.1x819e0122000d26f7

Output of radclient:

[root@PacketFence-ZEN-6-0-0 ~]# cat radcl | radclient -c1 -r1 -x 172.22.0.201:3799 disconnect <redacted>
Sent Disconnect-Request Id 236 from 0.0.0.0:35766 to 172.22.0.201:3799 length 58
        User-Name = "0021ccbea13f"
        Acct-Session-Id = "8O2.1x819e0122000d26f7"
Received Disconnect-ACK Id 236 from 172.22.0.201:3799 to 0.0.0.0:0 length 20

Output of radsniff:

[root@PacketFence-ZEN-6-0-0 ~]# radsniff -x -f 'host 172.22.0.201 and port 3799'
Logging all events
Defaulting to capture on all interfaces
Sniffing on (eth0 eth0.97 eth0.98 fcc-radius-b lo)
2016-05-11 16:55:16.415405 (1) Disconnect-Request Id 94 eth0:172.30.40.10:47301 -> 172.22.0.201:3799 +0.000
        User-Name = "0021ccbea13f"
        Acct-Session-Id = "8O2.1x819e011f000f153a"
        Authenticator-Field = 0x406c6d6f4cf316df00401cce3f728990
2016-05-11 16:55:16.454810 (2) Disconnect-ACK Id 94 eth0:172.30.40.10:47301 <- 172.22.0.201:3799 +0.039 +0.039
        Authenticator-Field = 0xfc1ca69d92808dd0ac29bb28cd303799
2016-05-11 16:55:21.654810 (1) Cleaning up request packet ID 94

Successfully removed the port from the vlan and reset the auth status on the switch.

root# run show dot1x interface ge-0/0/2.0
802.1X Information:
Interface     Role           State         MAC address          User
ge-0/0/2.0    Authenticator  Connecting

Thanks for the help Louis. Let me know if you need any more information to create the patch.

-dustin

On Wed, May 11, 2016 at 4:33 PM, Louis Munro <[email protected]> wrote:

        On May 11, 2016, at 16:10, Dustin Berube <[email protected]> wrote:

        [root@PacketFence-ZEN-6-0-0 ~]# radsniff -x -f 'host 172.22.0.201 and port 3799'
        Logging all events
        Defaulting to capture on all interfaces
        Sniffing on (eth0 eth0.97 eth0.98 fcc-radius-b lo)
        2016-05-11 16:03:58.379930 (1) Disconnect-Request Id 78 eth0:172.30.40.10:34211 -> 172.22.0.201:3799 +0.000
              NAS-IP-Address = 172.22.0.201
              Calling-Station-Id = "00:21:cc:be:a1:3f"
              Authenticator-Field = 0xff41af5cfacbac548dfd8b5455700340
        2016-05-11 16:03:58.396590 (2) Disconnect-NAK Id 78 eth0:172.30.40.10:34211 <- 172.22.0.201:3799 +0.001 +0.001
              Error-Cause = Missing-Attribute
              Authenticator-Field = 0x372a2a7088936bad8ace3669bc09cbcc
        2016-05-11 16:04:03.239659 (1) Cleaning up request packet ID 78

    So the switch rejects (NAKs) our disconnect request.

    We need to find which attribute to send it to ask it to disconnect
    you.

    This is where it gets “fun”.

    Each vendor seems to have its own idea about that.

    If I read this correctly, we need the session id:

    http://www.juniper.net/documentation/en_US/junos13.3/topics/concept/aaa-radius-coa-overview.html

    You would find that in the accounting tables of the database.

    Look in the “radacct” table, under acctsessionid using the mac
    address of the device (lowercase and without any delimiter).

    Then what you can do as a proof of concept is to manually send a
    disconnect request using radclient.

    Save the attributes and values to send into a file, like this:

    User-Name=$USER-NAME

    Acct-Session-ID=$sessionid

    and then pipe the file into radclient:

    # cat file | radclient -c1 -r1 -x 172.22.0.201 disconnect $RADIUS_SHARED_SECRET

    If you can get it to disconnect, I can get you a patch that would
    fix the EX4220, probably tomorrow.


    --
    Louis Munro
    [email protected] :: www.inverse.ca
    +1.514.447.4918 x125 :: +1 (866) 353-6153 x125
    Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
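The two radsniff exchanges in this thread (a Disconnect-NAK with Error-Cause Missing-Attribute when only Calling-Station-Id is sent, a Disconnect-ACK once Acct-Session-Id is included) as an added Python example; this is not code from the thread or from PacketFence. It builds the RFC 5176 Disconnect-Request with its Request Authenticator and verifies the reply's Response Authenticator before trusting it; nas_reply is a constructed stand-in for the EX switch's behaviour, not Juniper code, and the shared secret and packet ids are constructed.

```python
import hashlib, hmac, struct
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42  # RFC 5176 packet codes
USER_NAME, CALLING_STATION_ID, ACCT_SESSION_ID, ERROR_CAUSE, MISSING_ATTRIBUTE = 1, 31, 44, 101, 402
def encode_attrs(attrs):
    """Pack (type, value) pairs as RADIUS TLVs; ints become 4-byte big-endian."""
    out = b""
    for t, v in attrs:
        v = struct.pack("!I", v) if isinstance(v, int) else v.encode()
        out += struct.pack("!BB", t, 2 + len(v)) + v
    return out

def decode_attrs(body):
    attrs, i = {}, 0
    while i + 2 <= len(body):
        t, l = body[i], body[i + 1]
        attrs[t] = body[i + 2:i + l]
        i += max(l, 2)  # never loop forever on a malformed zero length
    return attrs

def authenticator(header, auth_in, body, secret):
    """MD5(Code+ID+Length | auth_in | attrs | secret), RFC 5176 s.2.3: auth_in is
    16 zero octets for a request and the Request Authenticator for a reply."""
    return hashlib.md5(header + auth_in + body + secret).digest()

def build_disconnect_request(secret, pkt_id, attrs):
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, pkt_id, 20 + len(body))
    return header + authenticator(header, bytes(16), body, secret) + body

def nas_reply(secret, request):
    """Constructed stand-in for the EX switch: ACK only if Acct-Session-Id is present."""
    body = request[20:struct.unpack("!H", request[2:4])[0]]
    expected = authenticator(request[:4], bytes(16), body, secret)
    if not hmac.compare_digest(expected, request[4:20]):
        return None  # wrong shared secret: a real NAS silently drops the packet
    if ACCT_SESSION_ID in decode_attrs(body):
        code, body = DISCONNECT_ACK, b""
    else:
        code, body = DISCONNECT_NAK, encode_attrs([(ERROR_CAUSE, MISSING_ATTRIBUTE)])
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + authenticator(header, request[4:20], body, secret) + body

def check_reply(secret, request, reply):
    code, pkt_id, length = struct.unpack("!BBH", reply[:4])
    expected = authenticator(reply[:4], request[4:20], reply[20:length], secret)
    if pkt_id != request[1] or not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("reply authenticator mismatch, discard")
    attrs = decode_attrs(reply[20:length])
    cause = struct.unpack("!I", attrs[ERROR_CAUSE])[0] if ERROR_CAUSE in attrs else None
    return code, cause
```

With the thread's own User-Name and Acct-Session-Id the built request is 58 bytes, the length radclient reported above.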
    _______________________________________________
    PacketFence-users mailing list
    [email protected]
    https://lists.sourceforge.net/lists/listinfo/packetfence-users