Hello Alessandro,

Retry by removing this line:

$radius_reply_ref->{'Reply-Message'} = "Switch enable access granted by PacketFence";

and also try with this line:

$radius_reply_ref->{'Zyxel-Privilege-AVPair'} = 'shell:priv-lvl=14';

cf:
https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=011559&lang=EN

Regards
Fabrice

On 2017-11-17 at 04:39, Alessandro Canella wrote:
>
> Hi,
>
> I’ve tested with Cisco 2960, same error.
>
> I’ve found some differences in the log:
>
> correct auth credentials
>
>   1 Nov 17 10:03:37 NO authentication: SSH authentication failure [username: newuser, IP address = 153.47.30.125]
>   2 Nov 17 10:03:37 WA authentication: Invalid Service Type: USER [                       newuser]
>
> wrong auth credentials
>
>   1 Nov 17 10:04:44 NO authentication: SSH authentication failure [username: root, IP address = 153.47.30.125]
>
> I’ve found another thing: in a conf, the switch is still listed as nastype “other”; corrected, no change. I’ve also checked for typos or uppercase.
>
> *From:* Fabrice Durand [mailto:fdur...@inverse.ca]
> *Sent:* Monday, 13 November 2017 14:37
> *To:* Alessandro Canella <alessandro.cane...@itcare.it>; packetfence-users@lists.sourceforge.net
> *Subject:* Re: R: [PacketFence-users] R: R: Switch Compatibility
>
> Hello Alessandro,
>
> I saw that Cisco attributes are also compatible with the Zyxel switches.
>
> So try choosing Cisco_2960 as the switch type to make a test.
>
> Regards
>
> Fabrice
>
>
> On 2017-11-13 at 07:06, Alessandro Canella wrote:
>
>     Hello All,
>
>     I’ve created a new switch under the PF\ folder.
>
>     All seems fine, but no CLI login.
>
>     Switch log reports
>
>        1 Nov 13 12:44:23 NO authentication: SSH authentication failure [username: newuser, IP address = 153.47.30.125]
>        2 Nov 13 12:44:23 WA authentication: Invalid Service Type: USER [                       newuser]
>
>     PF GUI reports
>
>     RADIUS Request
>
>     User-Name = "newuser"
>     User-Password = "******"
>     NAS-IP-Address = 10.206.1.136
>     NAS-Identifier = "K873MUXSW1"
>     Event-Timestamp = "Nov 13 2017 11:45:37 UTC"
>     Stripped-User-Name = "newuser"
>     Realm = "null"
>     FreeRADIUS-Client-IP-Address = 10.206.1.136
>     SQL-User-Name = "newuser"
>
>     RADIUS Reply
>
>     Reply-Message = "Switch enable access granted by PacketFence"
>     Zyxel-Privilege-AVPair = "shell:priv-lvl=15"
>
>     PF log responds:
>
>     Nov 13 11:44:18 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2712) INFO: [mac:[undef]] Authentication successful for newuser in source file1 (Htpasswd) (pf::authentication::authenticate)
>     Nov 13 11:44:18 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2712) INFO: [mac:[undef]] Using sources file1 for matching (pf::authentication::match2)
>     Nov 13 11:44:18 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2712) INFO: [mac:[undef]] Matched rule (admins) in source file1, returning actions. (pf::Authentication::Source::match)
>     Nov 13 11:44:18 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2712) INFO: [mac:[undef]] User newuser logged in 10.206.1.136 with write access (pf::Switch::Zyxel::returnAuthorizeWrite)
>     Nov 13 11:44:21 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2712) INFO: [mac:[undef]] Authentication successful for newuser in source file1 (Htpasswd) (pf::authentication::authenticate)
>
>     *From:* Alessandro Canella via PacketFence-users [mailto:packetfence-users@lists.sourceforge.net]
>     *Sent:* Sunday, 12 November 2017 23:26
>     *To:* Durand fabrice <fdur...@inverse.ca>; packetfence-users@lists.sourceforge.net
>     *Cc:* Alessandro Canella <alessandro.cane...@itcare.it>
>     *Subject:* [PacketFence-users] R: R: Switch Compatibility
>
>     I will try tomorrow.
>
>     Not sure where the file is, I will check the documentation.
>
>     *From:* Durand fabrice [mailto:fdur...@inverse.ca]
>     *Sent:* Saturday, 11 November 2017 13:51
>     *To:* Alessandro Canella <alessandro.cane...@itcare.it>; packetfence-users@lists.sourceforge.net
>     *Subject:* Re: R: [PacketFence-users] Switch Compatibility
>
>
>     Hello Alessandro,
>
>     You will need to edit the switch module and add this:
>
>     =item returnAuthorizeWrite
>
>     Return radius attributes to allow write access
>
>     =cut
>
>     sub returnAuthorizeWrite {
>         my ($self, $args) = @_;
>         my $logger = $self->logger;
>         my $radius_reply_ref;
>         my $status;
>         # Privilege level returned to the switch for write access
>         $radius_reply_ref->{'Zyxel-Privilege-AVPair'} = 'shell:priv-lvl=15';
>         $radius_reply_ref->{'Reply-Message'} = "Switch enable access granted by PacketFence";
>         $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with write access");
>         # Apply any matching RADIUS filter rule to the reply
>         my $filter = pf::access_filter::radius->new;
>         my $rule = $filter->test('returnAuthorizeWrite', $args);
>         ($radius_reply_ref, $status) = $filter->handleAnswerInRule($rule,$args,$radius_reply_ref);
>         return [$status, %$radius_reply_ref];
>     }
>
>     =item returnAuthorizeRead
>
>     Return radius attributes to allow read access
>
>     =cut
>
>     sub returnAuthorizeRead {
>         my ($self, $args) = @_;
>         my $logger = $self->logger;
>         my $radius_reply_ref;
>         my $status;
>         # Privilege level returned to the switch for read access
>         $radius_reply_ref->{'Zyxel-Privilege-AVPair'} = 'shell:priv-lvl=3';
>         $radius_reply_ref->{'Reply-Message'} = "Switch read access granted by PacketFence";
>         $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with read access");
>         # Apply any matching RADIUS filter rule to the reply
>         my $filter = pf::access_filter::radius->new;
>         my $rule = $filter->test('returnAuthorizeRead', $args);
>         ($radius_reply_ref, $status) = $filter->handleAnswerInRule($rule,$args,$radius_reply_ref);
>         return [$status, %$radius_reply_ref];
>     }
>
>     Then restart PacketFence.
>
>     Let me know if it works.
>
>     Regards
>
>     Fabrice
>
>     On 2017-11-11 at 02:41, Alessandro Canella wrote:
>
>         Zyxel GS 2210.
>
>         I need only AAA for switch login (if you remember I use captive portal for wifi in inline mode)
>
>         Zyxel provides
>         https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=009451&lang=EN
>
>         I’ve done everything as written in this doc (dictionary and so on)
>
>         *From:* Fabrice Durand via PacketFence-users [mailto:packetfence-users@lists.sourceforge.net]
>         *Sent:* Friday, 10 November 2017 21:35
>         *To:* packetfence-users@lists.sourceforge.net
>         *Cc:* Fabrice Durand <fdur...@inverse.ca>
>         *Subject:* Re: [PacketFence-users] Switch Compatibility
>
>         Hello Alessandro,
>
>         What is the type of the switch?
>
>         Regards
>
>         Fabrice
>
>         On 2017-11-10 at 09:44, Alessandro Canella via PacketFence-users wrote:
>             Hello all,
>
>             I solved everything (thanks to all..) and now I’m investigating this:
>
>             Nov 10 13:37:03 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2711) INFO: [mac:[undef]] Authentication successful for newuser in source file1 (Htpasswd) (pf::authentication::authenticate)
>             Nov 10 13:37:03 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2711) INFO: [mac:[undef]] Using sources file1 for matching (pf::authentication::match2)
>             Nov 10 13:37:03 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2711) INFO: [mac:[undef]] Matched rule (admins) in source file1, returning actions. (pf::Authentication::Source::match)
>             Nov 10 13:37:03 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2711) INFO: [mac:[undef]] PacketFence does not support this switch for read/write access login (pf::Switch::returnAuthorizeWrite)
>
>             I’ve configured the switch according to brand guidelines (based on freeradius) and I’m trying to enable PF Radius for CLI / HTTPS login.
>
>             Switch is configured in PF Switch webpage, I’ve configured SNMP and SSH too
>
>             *Alessandro Canella*
>
>
>         -- 
>         Fabrice Durand
>         fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
>         Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
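
The two switch log excerpts quoted in this thread differ in one line: with correct credentials the SSH failure is followed by "Invalid Service Type", with wrong credentials it is not. The following is an added example, not part of the original thread or of PacketFence, that separates the two cases when triaging such logs; the line layout is taken from the quoted excerpts re-joined onto single lines, and the labels `reply_rejected` and `login_failed` are hypothetical names.

```python
import re

# Constructed sample: the switch log lines quoted in the thread, re-joined onto single lines.
SAMPLE_LOG = """\
  1 Nov 17 10:03:37 NO authentication: SSH authentication failure [username: newuser, IP address = 153.47.30.125]
  2 Nov 17 10:03:37 WA authentication: Invalid Service Type: USER [                       newuser]
  1 Nov 17 10:04:44 NO authentication: SSH authentication failure [username: root, IP address = 153.47.30.125]
"""

# Layout assumed from the excerpts: "<seq> <Mon DD HH:MM:SS> <severity> authentication: <message>"
LINE_RE = re.compile(r"^\s*\d+\s+(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\w{2}\s+authentication:\s+(?P<msg>.+)$")
FAIL_RE = re.compile(r"SSH authentication failure\s+\[username:\s*(?P<user>[^,\]]+),"
                     r"\s*IP address\s*=\s*(?P<ip>[^\]\s]+)\]")
SVC_RE = re.compile(r"Invalid Service Type:\s*\S+\s*\[\s*(?P<user>[^\]\s]+)\s*\]")


def classify(log_text):
    """Label each SSH failure by whether the switch also logged
    'Invalid Service Type' for the same user at the same timestamp."""
    failures, svc_rejects = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authentication log line
        fail = FAIL_RE.search(m["msg"])
        svc = SVC_RE.search(m["msg"])
        if fail:
            failures.append((m["ts"], fail["user"].strip(), fail["ip"]))
        elif svc:
            svc_rejects.add((m["ts"], svc["user"]))
    results = []
    for ts, user, ip in failures:
        # Both lines present: the pattern the thread shows for correct credentials.
        # Failure line alone: the pattern the thread shows for wrong credentials.
        kind = "reply_rejected" if (ts, user) in svc_rejects else "login_failed"
        results.append({"time": ts, "user": user, "ip": ip, "kind": kind})
    return results


if __name__ == "__main__":
    for event in classify(SAMPLE_LOG):
        print(event)
```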
