Hello,
On 2016-12-06 at 22:45, [email protected] wrote:
Thanks Fabrice.
I configured per instruction (see below) but had no better luck. Any
further thoughts?
1. I created a new admin role via: /admin/configuration#config/adminroles
2. set the action to "Switches CLI - Write"
3. Saved the new role
4. Created a new source (internal radius) via:
admin/configuration#config/authentication
Hmm, not sure it will work like that. Let's instead create a user in
PacketFence (user tab), assign a password, and assign the access level to
the one you created before.
5. Added a new set the ip to 127.0.0.1 and port 18120
6. set secret to packet
7. added rule
8. set class to administration
9. add action to access level and selected the radius role I created
in step 1-3
10. created another source (same as 4-9) with ip set to management
interface and port 1812
11. verified that cliAccess=Y
12. restart all services
radtest on localhost fails auth with:
radtest -t mschap -x test2 packet localhost:18120 12 testing123
Sent Access-Request Id 107 from 0.0.0.0:58720 to 127.0.0.1:18120
length 131
User-Name = "test2"
MS-CHAP-Password = "packet"
NAS-IP-Address = 192.168.14.60
NAS-Port = 12
Message-Authenticator = 0x00
Cleartext-Password = "packet"
MS-CHAP-Challenge = 0xd9fdad2e36fdd618
MS-CHAP-Response =
0x00010000000000000000000000000000000000000000000000007678409312f6c2d67f0671bf77b643cf60d6e7cc5583e533
Received Access-Reject Id 107 from 127.0.0.1:18120 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject
packetfence.log
Dec 06 22:34:04 httpd.aaa(3965) WARN: [mac:[undef]] CLI Access is not
permit on this switch 192.168.14.60 (pf::radius::switch_access)
radtest on management interface times/retry out
radtest on management interface times/retry out from remote client.
On 12/06/2016 07:25 PM, Durand fabrice wrote:
Hello,
Can you check in packetfence.log to see what's wrong?
Also, here is what you have to do:
In Configuration -> Admin access, create a new admin access with
Switch CLI - Write.
In Configuration source -> an internal source -> assign an
administration rule and set the access level (the admin access you
created before).
Then enable CLI access on the switch (cliAccess=Y).
Now, when PacketFence receives a RADIUS request for CLI access, it
will test the username and password on the internal source, and if that
succeeds and it matches the rule, then the access will be allowed.
Regards
Fabrice
On 2016-12-06 at 12:13, [email protected] wrote:
When I attempt to test FreeRadius with a test user in
/usr/local/pf/raddb/users I get a failure that states "CLI Access is
not permit on this switch". I have "cliAccess=Y" in switches.conf.
Is there somewhere else I need to enable CLI access?
Thanks
packetfence.log:
Dec 06 12:04:36 httpd.aaa(24559) WARN: [mac:[undef]] CLI Access is not permit
on this switch 192.168.14.60 (pf::radius::switch_access)
This occurs as a response to:
radtest -t mschap -x test2 packet localhost:18120 12 testing123
radtest responds with:
Sent Access-Request Id 224 from 0.0.0.0:50101 to 127.0.0.1:18120 length 131
User-Name = "test2"
MS-CHAP-Password = "packet"
NAS-IP-Address = 192.168.14.60
NAS-Port = 12
Message-Authenticator = 0x00
Cleartext-Password = "packet"
MS-CHAP-Challenge = 0x7d970590bf9b3c20
MS-CHAP-Response =
0x00010000000000000000000000000000000000000000000000001d61ecc9a3fc6222a13bccde625540a3048270707271bf1c
Received Access-Reject Id 224 from 127.0.0.1:18120 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject
I have the following entry in /usr/local/pf/raddb/users:
test2 Cleartext-Password := "packet"
------------------------------------------------------------------------------
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today.http://sdm.link/xeonphi
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users