Hi Fabrice

We tried the EX2200 module this afternoon which finally gave me a
disconnect-nak during the radius disconnect. After working back and forth
with Louis this afternoon it looks like a patch might be required to fully
support the EX4200.

I have an EX2200 in the lab I am going to test tomorrow as well.

Robin - what version of Junos are you running on the EX3300? I don't have a
3300 available to me but I can match versions and test against the base
software.

-dustin

On Wed, May 11, 2016 at 8:05 PM Durand fabrice <[email protected]> wrote:

> Quick question, did you try with this module (Juniper EX 2200 Series)
> because the CoA is there:
>
>
> https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Juniper/EX2200.pm#L137
>
> Regards
>
> Fabrice
>
>
>
> On 2016-05-11 18:09, Kundert, Robin wrote:
>
> I’ve been watching this as we are starting to use Juniper EX series
> switches and I hope this will also solve the same issues I’ve encountered
> with EX3300 switches on 5.3.1.
>
>
>
> *-- Robin Kundert*
>    Sr. Network Analyst/Administrator
>    Seattle Pacific University
>
>
>
>
>
> *From:* Dustin Berube [mailto:[email protected]
> <[email protected]>]
> *Sent:* Wednesday, May 11, 2016 14:06
> *To:* [email protected]
> *Subject:* Re: [PacketFence-users] SSH not passing interface
> enable/disable commands
>
>
>
> Using the value of the acctsessionid column in the radacct table worked.
>
>
>
> Here are the attributes I used.
>
> User-Name=0021ccbea13f
>
> Acct-Session-ID=8O2.1x819e0122000d26f7
>
>
>
> Output of radclient:
>
>
>
> [root@PacketFence-ZEN-6-0-0 ~]# cat radcl | radclient -c1 -r1 -x
> 172.22.0.201:3799 disconnect <redacted>
>
> Sent Disconnect-Request Id 236 from 0.0.0.0:35766 to 172.22.0.201:3799
> length 58
>
>         User-Name = "0021ccbea13f"
>
>         Acct-Session-Id = "8O2.1x819e0122000d26f7"
>
> Received Disconnect-ACK Id 236 from 172.22.0.201:3799 to 0.0.0.0:0 length
> 20
>
>
>
>
>
> Output of radsniff:
>
>
>
> [root@PacketFence-ZEN-6-0-0 ~]# radsniff -x -f 'host 172.22.0.201 and
> port 3799'
>
> Logging all events
>
> Defaulting to capture on all interfaces
>
> Sniffing on (eth0 eth0.97 eth0.98 fcc-radius-b lo)
>
> 2016-05-11 16:55:16.415405 (1) Disconnect-Request Id 94 eth0:
> 172.30.40.10:47301 -> 172.22.0.201:3799 +0.000
>
>         User-Name = "0021ccbea13f"
>
>         Acct-Session-Id = "8O2.1x819e011f000f153a"
>
>         Authenticator-Field = 0x406c6d6f4cf316df00401cce3f728990
>
> 2016-05-11 16:55:16.454810 (2) Disconnect-ACK Id 94 eth0:
> 172.30.40.10:47301 <- 172.22.0.201:3799 +0.039 +0.039
>
>         Authenticator-Field = 0xfc1ca69d92808dd0ac29bb28cd303799
>
> 2016-05-11 16:55:21.654810 (1) Cleaning up request packet ID 94
>
>
>
>
>
> Successfully removed the port from the vlan and reset the auth status on
> the switch.
>
>
>
> root# run show dot1x interface ge-0/0/2.0
>
> 802.1X Information:
>
> Interface     Role           State           MAC address          User
>
> ge-0/0/2.0    Authenticator  Connecting
>
>
>
> Thanks for the help Louis. Let me know if you need any more information to
> create the patch.
>
> -dustin
>
>
>
> On Wed, May 11, 2016 at 4:33 PM, Louis Munro <[email protected]> wrote:
>
>
>
>
>
> On May 11, 2016, at 16:10 , Dustin Berube <[email protected]> wrote:
>
>
>
> [root@PacketFence-ZEN-6-0-0 ~]# radsniff -x -f 'host 172.22.0.201 and
> port 3799'
>
> Logging all events
>
> Defaulting to capture on all interfaces
>
> Sniffing on (eth0 eth0.97 eth0.98 fcc-radius-b lo)
>
> 2016-05-11 16:03:58.379930 (1) Disconnect-Request Id 78 eth0:
> 172.30.40.10:34211 -> 172.22.0.201:3799 +0.000
>
>         NAS-IP-Address = 172.22.0.201
>
>         Calling-Station-Id = "00:21:cc:be:a1:3f"
>
>         Authenticator-Field = 0xff41af5cfacbac548dfd8b5455700340
>
> 2016-05-11 16:03:58.396590 (2) Disconnect-NAK Id 78 eth0:
> 172.30.40.10:34211 <- 172.22.0.201:3799 +0.001 +0.001
>
>         Error-Cause = Missing-Attribute
>
>         Authenticator-Field = 0x372a2a7088936bad8ace3669bc09cbcc
>
> 2016-05-11 16:04:03.239659 (1) Cleaning up request packet ID 78
>
>
>
> So the switch rejects (NAKs) our disconnect request.
>
>
>
> We need to find which attribute to send it to ask it to disconnect you.
>
> This is where it gets “fun”.
>
> Each vendor seems to have its own idea about that.
>
>
>
> If I read this correctly, we need the session id:
>
>
> http://www.juniper.net/documentation/en_US/junos13.3/topics/concept/aaa-radius-coa-overview.html
>
>
>
> You would find that in the accounting tables of the database.
>
> Look in the “radacct” table, under acctsessionid using the mac address of
> the device (lowercase and without any delimiter).
>
>
>
> Then what you can do as a proof of concept is to manually send a
> disconnect request using radclient.
>
>
>
> Save the attributes and values to send into a file, like this:
>
>
>
> User-Name=$USER-NAME
>
> Acct-Session-ID=$sessionid
>
>
>
> and then pipe the file into radclient:
>
>
>
> # cat file | radclient -c1 -r1 -x  172.22.0.201 disconnect
> $RADIUS_SHARED_SECRET
>
>
>
> If you can get it to disconnect, I can get you a patch that would fix the
> EX4220, probably tomorrow.
>
>
> --
> Louis Munro
> [email protected]  ::  www.inverse.ca
> +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
> www.packetfence.org)
>
>
>
------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
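As an added example, not code from this thread, from PacketFence or from Inverse: a small Python script that parses radsniff output like the captures quoted above, pairs each Disconnect-Request with the switch's Disconnect-ACK or Disconnect-NAK by packet Id, reports the Error-Cause, and builds the radclient attribute file Louis describes from a MAC address and the radacct acctsessionid. The sample capture is constructed from the lines quoted in the thread, and the function names are my own.

```python
"""Correlate RADIUS Disconnect-Request/ACK/NAK packets in radsniff output and
prepare the attribute file for radclient. Added example; names are assumptions."""
import re

# Constructed sample, modelled on the radsniff output quoted in the thread.
SAMPLE_RADSNIFF = """\
2016-05-11 16:03:58.379930 (1) Disconnect-Request Id 78 eth0: 172.30.40.10:34211 -> 172.22.0.201:3799 +0.000
        NAS-IP-Address = 172.22.0.201
        Calling-Station-Id = "00:21:cc:be:a1:3f"
        Authenticator-Field = 0xff41af5cfacbac548dfd8b5455700340
2016-05-11 16:03:58.396590 (2) Disconnect-NAK Id 78 eth0: 172.30.40.10:34211 <- 172.22.0.201:3799 +0.001 +0.001
        Error-Cause = Missing-Attribute
        Authenticator-Field = 0x372a2a7088936bad8ace3669bc09cbcc
2016-05-11 16:04:03.239659 (1) Cleaning up request packet ID 78
2016-05-11 16:55:16.415405 (1) Disconnect-Request Id 94 eth0: 172.30.40.10:47301 -> 172.22.0.201:3799 +0.000
        User-Name = "0021ccbea13f"
        Acct-Session-Id = "8O2.1x819e011f000f153a"
        Authenticator-Field = 0x406c6d6f4cf316df00401cce3f728990
2016-05-11 16:55:16.454810 (2) Disconnect-ACK Id 94 eth0: 172.30.40.10:47301 <- 172.22.0.201:3799 +0.039 +0.039
        Authenticator-Field = 0xfc1ca69d92808dd0ac29bb28cd303799
"""

# Packet header: timestamp, sequence, code, Id, interface, endpoints, direction.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) \(\d+\) "
    r"(?P<code>[A-Za-z-]+) Id (?P<id>\d+) \S+: "
    r"(?P<left>\S+) (?P<dir>->|<-) (?P<right>\S+)"
)
# Indented "Name = value" attribute lines that follow a header.
ATTR_RE = re.compile(r"^\s+(?P<name>[A-Za-z0-9-]+) = (?P<value>.+)$")


def parse_radsniff(text):
    """Return a list of {"code", "id", "attrs"} dicts, one per packet header.
    Lines such as "Cleaning up request packet ID 78" do not match and are skipped."""
    packets = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            packets.append({"code": m["code"], "id": int(m["id"]), "attrs": {}})
            continue
        a = ATTR_RE.match(line)
        if a and packets:
            value = a["value"].strip()
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1]  # radsniff quotes string attributes
            packets[-1]["attrs"][a["name"]] = value
    return packets


def correlate_disconnects(packets):
    """Pair each Disconnect-Request with the ACK/NAK carrying the same Id.
    The RADIUS Id is an 8-bit counter the client reuses, so in a long capture
    key on Id plus source port and timestamp rather than Id alone."""
    results = {}
    for p in packets:
        if p["code"] == "Disconnect-Request":
            results[p["id"]] = {"request": p["attrs"], "response": None, "error_cause": None}
        elif p["code"] in ("Disconnect-ACK", "Disconnect-NAK") and p["id"] in results:
            results[p["id"]]["response"] = p["code"]
            results[p["id"]]["error_cause"] = p["attrs"].get("Error-Cause")
    return results


def diagnose(results):
    """One human-readable line per request: outcome, and whether the request
    carried the Acct-Session-Id the Juniper switch wants."""
    lines = []
    for pkt_id, r in sorted(results.items()):
        note = "" if "Acct-Session-Id" in r["request"] else "; request lacked Acct-Session-Id"
        cause = f" ({r['error_cause']})" if r["error_cause"] else ""
        lines.append(f"Id {pkt_id}: {r['response'] or 'no reply'}{cause}{note}")
    return lines


def normalize_mac(mac):
    """Lowercase, delimiter-free form used as User-Name in radacct
    (accepts 00:21:cc:be:a1:3f, 00-21-CC-BE-A1-3F or 0021.ccbe.a13f)."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexdigits


def radclient_attributes(mac, acct_session_id):
    """Contents of the file piped into `radclient ... disconnect`."""
    return f"User-Name={normalize_mac(mac)}\nAcct-Session-ID={acct_session_id}\n"


if __name__ == "__main__":
    for line in diagnose(correlate_disconnects(parse_radsniff(SAMPLE_RADSNIFF))):
        print(line)
    print(radclient_attributes("00:21:cc:be:a1:3f", "8O2.1x819e0122000d26f7"), end="")
```

The script does not query radacct itself; the acctsessionid is passed in, having been read from the database as Louis describes. Run against the thread's own captures it flags Id 78 as a NAK with Missing-Attribute on a request that carried only NAS-IP-Address and Calling-Station-Id, and Id 94 as an ACK once Acct-Session-Id was present.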
