Hello all, i hope you can give me a hint of what im doing wrong.
We are evaluating to use PacketFence 7.3.0 Zen to authenticate users connecting
to our lan and wifi infrastructure and to assign them the right vlans. (Guest /
Productive ....)
For Wifi we use a Cisco Wlc and everything works fine.
For LAN Access we use different HP / ARUBA Switches.
One Switch (Aruba 2530-24g) Works fine with SNMP (Link Up Down) unknown users
will be redirected to the portal and after login the right vlan is assigned tot
he switch port.
Now i try to do the same with a HP 5130 Series Switch which is a rebranded H3C
Switch using Comware OS.
I followed the H3C section of the Network Device Configuration Guide to
configure my Switch but i´m not able to get it to work.
If i plug in Network Device i receive the following log Messages:
Switch Console:
%Jan 25 11:23:33:305 2018 Testswitch MACA/6/MACA_LOGIN_FAILURE:
-IfName=GigabitEthernet1/0/1-MACAddr=98e7-f48e-3c2f-VLANId=200-UserName=98e7f48e3c2f-UserNameFormat=MAC
address; The user failed the MAC address authentication.
Packetfence.log:
PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(3450) INFO: [mac:[undef]] User
98e7f48e3c2f tried to login in 172.20.14.66 but authentication failed
(pf::radius::switch_access)
Radius.log:
Jan 25 10:26:18 PacketFence-ZEN auth[23436]: rlm_rest (rest): Closing
connection (320): Hit idle_timeout, was idle for 68 seconds
Jan 25 10:26:18 PacketFence-ZEN auth[23436]: (316) rest: ERROR: Server returned:
Jan 25 10:26:18 PacketFence-ZEN auth[23436]: (316) rest: ERROR:
{"control:PacketFence-Authorization-Status":"allow","Reply-Message":"Authentication
failed on PacketFence"}
Jan 25 10:26:18 PacketFence-ZEN auth[23436]: Need 4 more connections to reach
10 spares
Jan 25 10:26:18 PacketFence-ZEN auth[23436]: rlm_rest (rest): Opening
additional connection (324), 1 of 58 pending slots used
Jan 25 10:26:18 PacketFence-ZEN auth[23436]: rlm_sql (sql): Closing connection
(322): Hit idle_timeout, was idle for 68 seconds
Jan 25 10:26:18 PacketFence-ZEN auth[23436]: Need 4 more connections to reach
10 spares
Jan 25 10:26:18 PacketFence-ZEN auth[23436]: rlm_sql (sql): Opening additional
connection (326), 1 of 58 pending slots used
Jan 25 10:26:18 PacketFence-ZEN auth[23436]: [mac:98-E7-F4-8E-3C-2F] Rejected
user: 98e7f48e3c2f
Jan 25 10:26:18 PacketFence-ZEN auth[23436]: (316) Rejected in post-auth:
[98e7f48e3c2f] (from client 172.20.14.66 port 16781512 cli 98-E7-F4-8E-3C-2F)
Radius Debug Log: (There is an Error 500 inside regarding REST)
[root@PacketFence-ZEN radius]# raddebug -f /usr/local/pf/var/run/radiusd.sock
-t 300
(76) Thu Jan 25 08:28:15 2018: Debug: Received Access-Request Id 160 from
172.20.14.66:39936 to 172.20.1.230:1812 length 166
(76) Thu Jan 25 08:28:15 2018: Debug: User-Name = "98e7f48e3c2f"
(76) Thu Jan 25 08:28:15 2018: Debug: User-Password = "98e7f48e3c2f"
(76) Thu Jan 25 08:28:15 2018: Debug: Service-Type = Call-Check
(76) Thu Jan 25 08:28:15 2018: Debug: NAS-Identifier = "Testswitch"
(76) Thu Jan 25 08:28:15 2018: Debug: NAS-Port = 16781512
(76) Thu Jan 25 08:28:15 2018: Debug: NAS-Port-Type = Ethernet
(76) Thu Jan 25 08:28:15 2018: Debug: Calling-Station-Id = "98-E7-F4-8E-3C-2F"
(76) Thu Jan 25 08:28:15 2018: Debug: Called-Station-Id = "5C-8A-38-D8-B7-45"
(76) Thu Jan 25 08:28:15 2018: Debug: NAS-Port-Id =
"slot=1;subslot=0;port=1;vlanid=200"
(76) Thu Jan 25 08:28:15 2018: Debug: NAS-IP-Address = 172.20.14.66
(76) Thu Jan 25 08:28:15 2018: Debug: # Executing section authorize from file
/usr/local/pf/raddb/sites-enabled/packetfence
(76) Thu Jan 25 08:28:15 2018: Debug: authorize {
(76) Thu Jan 25 08:28:15 2018: Debug: update {
(76) Thu Jan 25 08:28:15 2018: Debug: EXPAND %{Packet-Src-IP-Address}
(76) Thu Jan 25 08:28:15 2018: Debug: --> 172.20.14.66
(76) Thu Jan 25 08:28:15 2018: Debug: EXPAND %l
(76) Thu Jan 25 08:28:15 2018: Debug: --> 1516868895
(76) Thu Jan 25 08:28:15 2018: Debug: } # update = noop
(76) Thu Jan 25 08:28:15 2018: Debug: policy rewrite_calling_station_id {
(76) Thu Jan 25 08:28:15 2018: Debug: if (&Calling-Station-Id &&
(&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(76) Thu Jan 25 08:28:15 2018: Debug: if (&Calling-Station-Id &&
(&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> FALSE
(76) Thu Jan 25 08:28:15 2018: Debug: else {
(76) Thu Jan 25 08:28:15 2018: Debug: [noop] = noop
(76) Thu Jan 25 08:28:15 2018: Debug: } # else = noop
(76) Thu Jan 25 08:28:15 2018: Debug: } # policy rewrite_calling_station_id
= noop
(76) Thu Jan 25 08:28:15 2018: Debug: policy rewrite_called_station_id {
(76) Thu Jan 25 08:28:15 2018: Debug: if ((&Called-Station-Id) &&
(&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
{
(76) Thu Jan 25 08:28:15 2018: Debug: if ((&Called-Station-Id) &&
(&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
-> FALSE
(76) Thu Jan 25 08:28:15 2018: Debug: else {
(76) Thu Jan 25 08:28:15 2018: Debug: [noop] = noop
(76) Thu Jan 25 08:28:15 2018: Debug: } # else = noop
(76) Thu Jan 25 08:28:15 2018: Debug: } # policy rewrite_called_station_id
= noop
(76) Thu Jan 25 08:28:15 2018: Debug: policy filter_username {
(76) Thu Jan 25 08:28:15 2018: Debug: if (&User-Name) {
(76) Thu Jan 25 08:28:15 2018: Debug: if (&User-Name) -> TRUE
(76) Thu Jan 25 08:28:15 2018: Debug: if (&User-Name) {
(76) Thu Jan 25 08:28:15 2018: Debug: if (&User-Name =~ / /) {
(76) Thu Jan 25 08:28:15 2018: Debug: if (&User-Name =~ / /) -> FALSE
(76) Thu Jan 25 08:28:15 2018: Debug: if (&User-Name =~ /@[^@]*@/ ) {
(76) Thu Jan 25 08:28:15 2018: Debug: if (&User-Name =~ /@[^@]*@/ ) ->
FALSE
(76) Thu Jan 25 08:28:15 2018: Debug: if (&User-Name =~ /\.\./ ) {
(76) Thu Jan 25 08:28:15 2018: Debug: if (&User-Name =~ /\.\./ ) ->
FALSE
(76) Thu Jan 25 08:28:15 2018: Debug: if ((&User-Name =~ /@/) &&
(&User-Name !~ /@(.+)\.(.+)$/)) {
(76) Thu Jan 25 08:28:15 2018: Debug: if ((&User-Name =~ /@/) &&
(&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(76) Thu Jan 25 08:28:15 2018: Debug: if (&User-Name =~ /\.$/) {
(76) Thu Jan 25 08:28:15 2018: Debug: if (&User-Name =~ /\.$/) ->
FALSE
(76) Thu Jan 25 08:28:15 2018: Debug: if (&User-Name =~ /@\./) {
(76) Thu Jan 25 08:28:15 2018: Debug: if (&User-Name =~ /@\./) ->
FALSE
(76) Thu Jan 25 08:28:15 2018: Debug: } # if (&User-Name) = noop
(76) Thu Jan 25 08:28:15 2018: Debug: } # policy filter_username = noop
(76) Thu Jan 25 08:28:15 2018: Debug: policy filter_password {
(76) Thu Jan 25 08:28:15 2018: Debug: if (&User-Password &&
(&User-Password != "%{string:User-Password}")) {
(76) Thu Jan 25 08:28:15 2018: Debug: EXPAND %{string:User-Password}
(76) Thu Jan 25 08:28:15 2018: Debug: --> 98e7f48e3c2f
(76) Thu Jan 25 08:28:15 2018: Debug: if (&User-Password &&
(&User-Password != "%{string:User-Password}")) -> FALSE
(76) Thu Jan 25 08:28:15 2018: Debug: } # policy filter_password = noop
(76) Thu Jan 25 08:28:15 2018: Debug: [preprocess] = ok
(76) Thu Jan 25 08:28:15 2018: Debug: suffix: Checking for suffix after "@"
(76) Thu Jan 25 08:28:15 2018: Debug: suffix: No '@' in User-Name =
"98e7f48e3c2f", skipping NULL due to config.
(76) Thu Jan 25 08:28:15 2018: Debug: [suffix] = noop
(76) Thu Jan 25 08:28:15 2018: Debug: ntdomain: Checking for prefix before "\"
(76) Thu Jan 25 08:28:15 2018: Debug: ntdomain: No '\' in User-Name =
"98e7f48e3c2f", looking up realm NULL
(76) Thu Jan 25 08:28:15 2018: Debug: ntdomain: Found realm "null"
(76) Thu Jan 25 08:28:15 2018: Debug: ntdomain: Adding Stripped-User-Name =
"98e7f48e3c2f"
(76) Thu Jan 25 08:28:15 2018: Debug: ntdomain: Adding Realm = "null"
(76) Thu Jan 25 08:28:15 2018: Debug: ntdomain: Authentication realm is LOCAL
(76) Thu Jan 25 08:28:15 2018: Debug: [ntdomain] = ok
(76) Thu Jan 25 08:28:15 2018: Debug: eap: No EAP-Message, not doing EAP
(76) Thu Jan 25 08:28:15 2018: Debug: [eap] = noop
(76) Thu Jan 25 08:28:15 2018: Debug: if ( !EAP-Message ) {
(76) Thu Jan 25 08:28:15 2018: Debug: if ( !EAP-Message ) -> TRUE
(76) Thu Jan 25 08:28:15 2018: Debug: if ( !EAP-Message ) {
(76) Thu Jan 25 08:28:15 2018: Debug: update {
(76) Thu Jan 25 08:28:15 2018: Debug: } # update = noop
(76) Thu Jan 25 08:28:15 2018: Debug: } # if ( !EAP-Message ) = noop
(76) Thu Jan 25 08:28:15 2018: Debug: policy packetfence-eap-mac-policy {
(76) Thu Jan 25 08:28:15 2018: Debug: if ( &EAP-Type ) {
(76) Thu Jan 25 08:28:15 2018: Debug: if ( &EAP-Type ) -> FALSE
(76) Thu Jan 25 08:28:15 2018: Debug: [noop] = noop
(76) Thu Jan 25 08:28:15 2018: Debug: } # policy packetfence-eap-mac-policy
= noop
(76) Thu Jan 25 08:28:15 2018: WARNING: pap:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(76) Thu Jan 25 08:28:15 2018: WARNING: pap: !!! Ignoring
control:User-Password. Update your !!!
(76) Thu Jan 25 08:28:15 2018: WARNING: pap: !!! configuration so that the
"known good" clear text !!!
(76) Thu Jan 25 08:28:15 2018: WARNING: pap: !!! password is in
Cleartext-Password and NOT in !!!
(76) Thu Jan 25 08:28:15 2018: WARNING: pap: !!! User-Password.
!!!
(76) Thu Jan 25 08:28:15 2018: WARNING: pap:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(76) Thu Jan 25 08:28:15 2018: WARNING: pap: Auth-Type already set. Not
setting to PAP
(76) Thu Jan 25 08:28:15 2018: Debug: [pap] = noop
(76) Thu Jan 25 08:28:15 2018: Debug: } # authorize = ok
(76) Thu Jan 25 08:28:15 2018: Debug: Found Auth-Type = Accept
(76) Thu Jan 25 08:28:15 2018: Debug: Auth-Type = Accept, accepting the user
(76) Thu Jan 25 08:28:15 2018: Debug: # Executing section post-auth from file
/usr/local/pf/raddb/sites-enabled/packetfence
(76) Thu Jan 25 08:28:15 2018: Debug: post-auth {
(76) Thu Jan 25 08:28:15 2018: Debug: update {
(76) Thu Jan 25 08:28:15 2018: Debug: EXPAND %{Packet-Src-IP-Address}
(76) Thu Jan 25 08:28:15 2018: Debug: --> 172.20.14.66
(76) Thu Jan 25 08:28:15 2018: Debug: } # update = noop
(76) Thu Jan 25 08:28:15 2018: Debug: if (! EAP-Type || (EAP-Type != TTLS
&& EAP-Type != PEAP) ) {
(76) Thu Jan 25 08:28:15 2018: Debug: if (! EAP-Type || (EAP-Type != TTLS
&& EAP-Type != PEAP) ) -> TRUE
(76) Thu Jan 25 08:28:15 2018: Debug: if (! EAP-Type || (EAP-Type != TTLS
&& EAP-Type != PEAP) ) {
(76) Thu Jan 25 08:28:15 2018: Debug: rest: Expanding URI components
(76) Thu Jan 25 08:28:15 2018: Debug: rest: EXPAND http://127.0.0.1:7070
(76) Thu Jan 25 08:28:15 2018: Debug: rest: --> http://127.0.0.1:7070
(76) Thu Jan 25 08:28:15 2018: Debug: rest: EXPAND //radius/rest/authorize
(76) Thu Jan 25 08:28:15 2018: Debug: rest: --> //radius/rest/authorize
(76) Thu Jan 25 08:28:15 2018: Debug: rest: Sending HTTP POST to
"http://127.0.0.1:7070//radius/rest/authorize";
(76) Thu Jan 25 08:28:15 2018: Debug: rest: Encoding attribute "User-Name"
(76) Thu Jan 25 08:28:15 2018: Debug: rest: Encoding attribute "User-Password"
(76) Thu Jan 25 08:28:15 2018: Debug: rest: Encoding attribute "NAS-IP-Address"
(76) Thu Jan 25 08:28:15 2018: Debug: rest: Encoding attribute "NAS-Port"
(76) Thu Jan 25 08:28:15 2018: Debug: rest: Encoding attribute "Service-Type"
(76) Thu Jan 25 08:28:15 2018: Debug: rest: Encoding attribute
"Called-Station-Id"
(76) Thu Jan 25 08:28:15 2018: Debug: rest: Encoding attribute
"Calling-Station-Id"
(76) Thu Jan 25 08:28:15 2018: Debug: rest: Encoding attribute "NAS-Identifier"
(76) Thu Jan 25 08:28:15 2018: Debug: rest: Encoding attribute "NAS-Port-Type"
(76) Thu Jan 25 08:28:15 2018: Debug: rest: Encoding attribute "Event-Timestamp"
(76) Thu Jan 25 08:28:15 2018: Debug: rest: Encoding attribute "NAS-Port-Id"
(76) Thu Jan 25 08:28:15 2018: Debug: rest: Encoding attribute
"Stripped-User-Name"
(76) Thu Jan 25 08:28:15 2018: Debug: rest: Encoding attribute "Realm"
(76) Thu Jan 25 08:28:15 2018: Debug: rest: Encoding attribute
"FreeRADIUS-Client-IP-Address"
(76) Thu Jan 25 08:28:15 2018: Debug: rest: Processing response header
(76) Thu Jan 25 08:28:15 2018: Debug: rest: Status : 500 (Internal Server
Error)
(76) Thu Jan 25 08:28:15 2018: Debug: rest: Type : json (application/json)
(76) Thu Jan 25 08:28:15 2018: ERROR: rest: Server returned:
(76) Thu Jan 25 08:28:15 2018: ERROR: rest:
{"error":{"detail":null,"message":"Can't use string (\"\") as an ARRAY ref
while \"strict refs\" in use at /usr/local/pf/lib/pf/radius/rest.pm line
33.\n"}}
(76) Thu Jan 25 08:28:15 2018: Debug: [rest] = fail
(76) Thu Jan 25 08:28:15 2018: Debug: } # if (! EAP-Type || (EAP-Type !=
TTLS && EAP-Type != PEAP) ) = fail
(76) Thu Jan 25 08:28:15 2018: Debug: } # post-auth = fail
(76) Thu Jan 25 08:28:15 2018: Debug: Using Post-Auth-Type Reject
(76) Thu Jan 25 08:28:15 2018: Debug: # Executing group from file
/usr/local/pf/raddb/sites-enabled/packetfence
(76) Thu Jan 25 08:28:15 2018: Debug: Post-Auth-Type REJECT {
(76) Thu Jan 25 08:28:15 2018: Debug: update {
(76) Thu Jan 25 08:28:15 2018: Debug: } # update = noop
(76) Thu Jan 25 08:28:15 2018: Debug: if (! EAP-Type || (EAP-Type != TTLS
&& EAP-Type != PEAP) ) {
(76) Thu Jan 25 08:28:15 2018: Debug: if (! EAP-Type || (EAP-Type != TTLS
&& EAP-Type != PEAP) ) -> TRUE
(76) Thu Jan 25 08:28:15 2018: Debug: if (! EAP-Type || (EAP-Type != TTLS
&& EAP-Type != PEAP) ) {
(76) Thu Jan 25 08:28:15 2018: Debug: policy packetfence-audit-log-reject
{
(76) Thu Jan 25 08:28:15 2018: Debug: if (&User-Name != "dummy") {
(76) Thu Jan 25 08:28:15 2018: Debug: if (&User-Name != "dummy") ->
TRUE
(76) Thu Jan 25 08:28:15 2018: Debug: if (&User-Name != "dummy") {
(76) Thu Jan 25 08:28:15 2018: Debug: policy request-timing {
(76) Thu Jan 25 08:28:15 2018: Debug: if
(control:PacketFence-Request-Time != 0) {
(76) Thu Jan 25 08:28:15 2018: Debug: if
(control:PacketFence-Request-Time != 0) -> FALSE
(76) Thu Jan 25 08:28:15 2018: Debug: } # policy request-timing = noop
(76) Thu Jan 25 08:28:15 2018: Debug: sql_reject: EXPAND type.reject.query
(76) Thu Jan 25 08:28:15 2018: Debug: sql_reject: --> type.reject.query
(76) Thu Jan 25 08:28:15 2018: Debug: sql_reject: Using query template 'query'
(76) Thu Jan 25 08:28:15 2018: Debug: sql_reject: EXPAND %{User-Name}
(76) Thu Jan 25 08:28:15 2018: Debug: sql_reject: --> 98e7f48e3c2f
(76) Thu Jan 25 08:28:15 2018: Debug: sql_reject: SQL-User-Name set to
'98e7f48e3c2f'
(76) Thu Jan 25 08:28:15 2018: Debug: sql_reject: EXPAND INSERT INTO
radius_audit_log ( mac, ip, computer_name, user_name,
stripped_user_name, realm, event_type, switch_id,
switch_mac, switch_ip_address, radius_source_ip_address,
called_station_id, calling_station_id, nas_port_type, ssid,
nas_port_id, ifindex, nas_port, connection_type,
nas_ip_address, nas_identifier, auth_status, reason, auth_type,
eap_type, role, node_status, profile, source,
auto_reg, is_phone, pf_domain, uuid, radius_request,
radius_reply, request_time) VALUES (
'%{request:Calling-Station-Id}', '%{request:Framed-IP-Address}',
'%{%{control:PacketFence-Computer-Name}:-N/A}', '%{request:User-Name}',
'%{request:Stripped-User-Name}', '%{request:Realm}',
'Radius-Access-Request',
'%{%{control:PacketFence-Switch-Id}:-N/A}',
'%{%{control:PacketFence-Switch-Mac}:-N/A}',
'%{%{control:PacketFence-Switch-Ip-Address}:-N/A}',
'%{Packet-Src-IP-Address}', '%{request:Called-Station-Id}',
'%{request:Calling-Station-Id}', '%{request:NAS-Port-Type}',
'%{request:Called-Station-SSID}', '%{request:NAS-Port-Id}',
'%{%{control:PacketFence-IfIndex}:-N/A}', '%{request:NAS-Port}',
'%{%{control:PacketFence-Connection-Type}:-N/A}',
'%{request:NAS-IP-Address}', '%{request:NAS-Identifier}', 'Reject',
'%{request:Module-Failure-Message}', '%{control:Auth-Type}',
'%{request:EAP-Type}', '%{%{control:PacketFence-Role}:-N/A}',
'%{%{control:PacketFence-Status}:-N/A}',
'%{%{control:PacketFence-Profile}:-N/A}',
'%{%{control:PacketFence-Source}:-N/A}',
'%{%{control:PacketFence-AutoReg}:-N/A}',
'%{%{control:PacketFence-IsPhone}:-N/A}',
'%{request:PacketFence-Domain}', '',
'%{pairs:&request:[*]}','%{pairs:&reply:[*]}',
'%{%{control:PacketFence-Request-Time}:-N/A}')
(76) Thu Jan 25 08:28:15 2018: Debug: sql_reject: --> INSERT INTO
radius_audit_log ( mac, ip, computer_name, user_name,
stripped_user_name, realm, event_type, switch_id,
switch_mac, switch_ip_address, radius_source_ip_address,
called_station_id, calling_station_id, nas_port_type, ssid,
nas_port_id, ifindex, nas_port, connection_type,
nas_ip_address, nas_identifier, auth_status, reason, auth_type,
eap_type, role, node_status, profile, source,
auto_reg, is_phone, pf_domain, uuid, radius_request,
radius_reply, request_time) VALUES (
'98-E7-F4-8E-3C-2F', '', 'N/A', '98e7f48e3c2f', '98e7f48e3c2f',
'null', 'Radius-Access-Request', 'N/A', 'N/A', 'N/A',
'172.20.14.66', '5C-8A-38-D8-B7-45', '98-E7-F4-8E-3C-2F',
'Ethernet', '', 'slot=3D1=3Bsubslot=3D0=3Bport=3D1=3Bvlanid=3D200',
'N/A', '16781512', 'N/A', '172.20.14.66', 'Testswitch',
'Reject', 'rest: Server returned:', 'Accept', '',
'N/A', 'N/A', 'N/A', 'N/A', 'N/A', 'N/A', '',
'', 'User-Name =3D =2298e7f48e3c2f=22=2C User-Password =3D
=22=2A=2A=2A=2A=2A=2A=22=2C NAS-IP-Address =3D 172.20.14.66=2C NAS-Port =3D
16781512=2C Service-Type =3D Call-Check=2C Called-Station-Id =3D
=225C-8A-38-D8-B7-45=22=2C Calling-Station-Id =3D =2298-E7-F4-8E-3C-2F=22=2C
NAS-Identifier =3D =22Testswitch=22=2C NAS-Port-Type =3D Ethernet=2C
Event-Timestamp =3D =22Jan 25 2018 08:28:15 UTC=22=2C NAS-Port-Id =3D
=22slot=3D1=3Bsubslot=3D0=3Bport=3D1=3Bvlanid=3D200=22=2C Stripped-User-Name
=3D =2298e7f48e3c2f=22=2C Realm =3D =22null=22=2C FreeRADIUS-Client-IP-Address
=3D 172.20.14.66=2C Module-Failure-Message =3D =22rest: Server returned:=22=2C
Module-Failure-Message =3D =22rest:
=7B=5C=22error=5C=22:=7B=5C=22detail=5C=22:null=2C=5C=22message=5C=22:=5C=22Can=27t
use string =28=5C=5C=5C=22=5C=5C=5C=22=29 as an ARRAY ref while
=5C=5C=5C=22strict refs=5C=5C=5C=22 in use at
/usr/local/pf/lib/pf/radius/rest.pm line 33.=5C=5Cn=5C=22=7D=7D=22=2C
SQL-User-Name =3D =2298e7f48e3c2f=22','', '0')
(76) Thu Jan 25 08:28:15 2018: Debug: sql_reject: Executing query: INSERT INTO
radius_audit_log ( mac, ip, computer_name, user_name,
stripped_user_name, realm, event_type, switch_id,
switch_mac, switch_ip_address, radius_source_ip_address,
called_station_id, calling_station_id, nas_port_type, ssid,
nas_port_id, ifindex, nas_port, connection_type,
nas_ip_address, nas_identifier, auth_status, reason, auth_type,
eap_type, role, node_status, profile, source,
auto_reg, is_phone, pf_domain, uuid, radius_request,
radius_reply, request_time) VALUES (
'98-E7-F4-8E-3C-2F', '', 'N/A', '98e7f48e3c2f', '98e7f48e3c2f',
'null', 'Radius-Access-Request', 'N/A', 'N/A', 'N/A',
'172.20.14.66', '5C-8A-38-D8-B7-45', '98-E7-F4-8E-3C-2F',
'Ethernet', '', 'slot=3D1=3Bsubslot=3D0=3Bport=3D1=3Bvlanid=3D200',
'N/A', '16781512', 'N/A', '172.20.14.66', 'Testswitch',
'Reject', 'rest: Server returned:', 'Accept', '',
'N/A', 'N/A', 'N/A', 'N/A', 'N/A', 'N/A', '',
'', 'User-Name =3D =2298e7f48e3c2f=22=2C User-Password =3D
=22=2A=2A=2A=2A=2A=2A=22=2C NAS-IP-Address =3D 172.20.14.66=2C NAS-Port =3D
16781512=2C Service-Type =3D Call-Check=2C Called-Station-Id =3D
=225C-8A-38-D8-B7-45=22=2C Calling-Station-Id =3D =2298-E7-F4-8E-3C-2F=22=2C
NAS-Identifier =3D =22Testswitch=22=2C NAS-Port-Type =3D Ethernet=2C
Event-Timestamp =3D =22Jan 25 2018 08:28:15 UTC=22=2C NAS-Port-Id =3D
=22slot=3D1=3Bsubslot=3D0=3Bport=3D1=3Bvlanid=3D200=22=2C Stripped-User-Name
=3D =2298e7f48e3c2f=22=2C Realm =3D =22null=22=2C FreeRADIUS-Client-IP-Address
=3D 172.20.14.66=2C Module-Failure-Message =3D =22rest: Server returned:=22=2C
Module-Failure-Message =3D =22rest:
=7B=5C=22error=5C=22:=7B=5C=22detail=5C=22:null=2C=5C=22message=5C=22:=5C=22Can=27t
use string =28=5C=5C=5C=22=5C=5C=5C=22=29 as an ARRAY ref while
=5C=5C=5C=22strict refs=5C=5C=5C=22 in use at
/usr/local/pf/lib/pf/radius/rest.pm line 33.=5C=5Cn=5C=22=7D=7D=22=2C
SQL-User-Name =3D =2298e7f48e3c2f=22','', '0')
(76) Thu Jan 25 08:28:15 2018: Debug: sql_reject: SQL query returned: success
(76) Thu Jan 25 08:28:15 2018: Debug: sql_reject: 1 record(s) updated
(76) Thu Jan 25 08:28:15 2018: Debug: [sql_reject] = ok
(76) Thu Jan 25 08:28:15 2018: Debug: } # if (&User-Name != "dummy") =
ok
(76) Thu Jan 25 08:28:15 2018: Debug: } # policy
packetfence-audit-log-reject = ok
(76) Thu Jan 25 08:28:15 2018: Debug: } # if (! EAP-Type || (EAP-Type !=
TTLS && EAP-Type != PEAP) ) = ok
(76) Thu Jan 25 08:28:15 2018: Debug: attr_filter.access_reject: EXPAND
%{User-Name}
(76) Thu Jan 25 08:28:15 2018: Debug: attr_filter.access_reject: -->
98e7f48e3c2f
(76) Thu Jan 25 08:28:15 2018: Debug: attr_filter.access_reject: Matched entry
DEFAULT at line 11
(76) Thu Jan 25 08:28:15 2018: Debug: [attr_filter.access_reject] = updated
(76) Thu Jan 25 08:28:15 2018: Debug: attr_filter.packetfence_post_auth: EXPAND
%{User-Name}
(76) Thu Jan 25 08:28:15 2018: Debug: attr_filter.packetfence_post_auth: -->
98e7f48e3c2f
(76) Thu Jan 25 08:28:15 2018: Debug: attr_filter.packetfence_post_auth:
Matched entry DEFAULT at line 10
(76) Thu Jan 25 08:28:15 2018: Debug: [attr_filter.packetfence_post_auth] =
updated
(76) Thu Jan 25 08:28:15 2018: Debug: [eap] = noop
(76) Thu Jan 25 08:28:15 2018: Debug: policy remove_reply_message_if_eap {
(76) Thu Jan 25 08:28:15 2018: Debug: if (&reply:EAP-Message &&
&reply:Reply-Message) {
(76) Thu Jan 25 08:28:15 2018: Debug: if (&reply:EAP-Message &&
&reply:Reply-Message) -> FALSE
(76) Thu Jan 25 08:28:15 2018: Debug: else {
(76) Thu Jan 25 08:28:15 2018: Debug: [noop] = noop
(76) Thu Jan 25 08:28:15 2018: Debug: } # else = noop
(76) Thu Jan 25 08:28:15 2018: Debug: } # policy
remove_reply_message_if_eap = noop
(76) Thu Jan 25 08:28:15 2018: Debug: linelog: EXPAND
messages.%{%{reply:Packet-Type}:-default}
(76) Thu Jan 25 08:28:15 2018: Debug: linelog: --> messages.Access-Reject
(76) Thu Jan 25 08:28:15 2018: Debug: linelog: EXPAND
[mac:%{Calling-Station-Id}] Rejected user: %{User-Name}
(76) Thu Jan 25 08:28:15 2018: Debug: linelog: --> [mac:98-E7-F4-8E-3C-2F]
Rejected user: 98e7f48e3c2f
(76) Thu Jan 25 08:28:15 2018: Debug: [linelog] = ok
(76) Thu Jan 25 08:28:15 2018: Debug: } # Post-Auth-Type REJECT = updated
(76) Thu Jan 25 08:28:15 2018: Debug: Delaying response for 1.000000 seconds
(76) Thu Jan 25 08:28:16 2018: Debug: Sending delayed response
(76) Thu Jan 25 08:28:16 2018: Debug: Sent Access-Reject Id 160 from
172.20.1.230:1812 to 172.20.14.66:39936 length 20
(76) Thu Jan 25 08:28:20 2018: Debug: Cleaning up request packet ID 160 with
timestamp +4089
>From Switches.conf:
[172.20.14.66]
description=Comware Test
group=H3C_Switches
useCoA=Y
uplink_dynamic=0
uplink=46,47,48
[group H3C_Switches]
useCoA=N
VoIPCDPDetect=N
VoIPDHCPDetect=N
deauthMethod=RADIUS
description=Alle H&G H3C Switche
type=H3C::S5120
VoIPLLDPDetect=N
cliPwd=********** (removed before mailed)
cliEnablePwd=********** (removed before mailed)
SNMPCommunityRead=********** (removed before mailed)
SNMPCommunityWrite=********** (removed before mailed)
SNMPCommunityTrap=********** (removed before mailed)
cliUser=admin
cliAccess=Y
>From Switch Configuration:
Global:
vlan 10
description Registration
#
vlan 11
description Isolation
#
vlan 12
description Portal
#
vlan 13
description Mac Detect
#
vlan 200
description Guest Network
#
mac-authentication domain packetfence
port-security enable
#
snmp-agent
snmp-agent local-engineid ********** (removed before mailed)
snmp-agent community write cipher ********** (removed before mailed)
snmp-agent community read cipher ********** (removed before mailed)
snmp-agent sys-info version v2c v3
radius scheme packetfence
primary authentication 172.20.1.230 key cipher ********** (removed before
mailed)
primary accounting 172.20.1.230 key cipher ********** (removed before mailed)
user-name-format without-domain
domain packetfence
authentication lan-access radius-scheme packetfence
authorization lan-access radius-scheme packetfence
authentication default radius-scheme packetfence
Port Config:
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid vlan 1 200 untagged
port hybrid pvid vlan 200
mac-vlan enable
stp edged-port
mac-authentication guest-vlan 200
port-security intrusion-mode blockmac
port-security max-mac-count 1
port-security port-mode mac-authentication
I hope someone can help me to find a solution because all of our productive
switches are H3C Comware based models.
Best regards / Mit freundlichen Grüßen
Martin Schenkelberg
IT
H&G Hansen & Gieraths
EDV Vertriebsgesellschaft mbH
Bornheimer Straße 42-52
D-53111 Bonn
Email martin.schenkelb...@hug.de<mailto:martin.schenkelb...@hug.de>
Webseite http://www.hug.de<http://www.hug.de/>
H&G Hansen & Gieraths EDV Vertriebsgesellschaft mbH,
Postfach 1605, 53006 Bonn
USt.IdNr. DE122121252
Geschäftsführer: Dr. H. Hellmuth Hansen
Sitz der Gesellschaft: Bonn, Amtsgericht Bonn HR B 4027
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
