On 2018-01-25 at 05:41, Schenkelberg, Martin via PacketFence-users wrote:
>
> Hello all, I hope you can give me a hint of what I'm doing wrong.
>
>  
>
> We are evaluating using PacketFence 7.3.0 ZEN to authenticate users
> connecting to our LAN and WiFi infrastructure and to assign them the
> right VLANs (Guest / Productive ...).
>
>  
>
> For WiFi we use a Cisco WLC and everything works fine.
>
>  
>
> For LAN access we use different HP / Aruba switches.
>
>  
>
> One switch (Aruba 2530-24G) works fine with SNMP (link up/down):
> unknown users are redirected to the portal and after login the
> right VLAN is assigned to the switch port.
>
You should use 802.1X/MAC auth.
>
>  
>
> Now I try to do the same with an HP 5130 Series switch, which is a
> rebranded H3C switch using Comware OS.
>
>  
>
> I followed the H3C section of the Network Device Configuration Guide
> to configure my switch but I'm not able to get it to work.
>
>  
>
> If I plug in a network device I receive the following log messages:
>
>  
>
> Switch Console:
>
> %Jan 25 11:23:33:305 2018 Testswitch MACA/6/MACA_LOGIN_FAILURE:
> -IfName=GigabitEthernet1/0/1-MACAddr=98e7-f48e-3c2f-VLANId=200-UserName=98e7f48e3c2f-UserNameFormat=MAC
> address; The user failed the MAC address authentication.
>
>  
>
> Packetfence.log:
>
> PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(3450) INFO:
> [mac:[undef]] User 98e7f48e3c2f tried to login in 172.20.14.66 but
> authentication failed (pf::radius::switch_access)
>
>  
>
>  
>
> Radius.log:
>
> Jan 25 10:26:18 PacketFence-ZEN auth[23436]: rlm_rest (rest): Closing
> connection (320): Hit idle_timeout, was idle for 68 seconds
>
> Jan 25 10:26:18 PacketFence-ZEN auth[23436]: (316) rest: ERROR: Server
> returned:
>
> Jan 25 10:26:18 PacketFence-ZEN auth[23436]: (316) rest: ERROR:
> {"control:PacketFence-Authorization-Status":"allow","Reply-Message":"Authentication
> failed on PacketFence"}
>
> Jan 25 10:26:18 PacketFence-ZEN auth[23436]: Need 4 more connections
> to reach 10 spares
>
> Jan 25 10:26:18 PacketFence-ZEN auth[23436]: rlm_rest (rest): Opening
> additional connection (324), 1 of 58 pending slots used
>
> Jan 25 10:26:18 PacketFence-ZEN auth[23436]: rlm_sql (sql): Closing
> connection (322): Hit idle_timeout, was idle for 68 seconds
>
> Jan 25 10:26:18 PacketFence-ZEN auth[23436]: Need 4 more connections
> to reach 10 spares
>
> Jan 25 10:26:18 PacketFence-ZEN auth[23436]: rlm_sql (sql): Opening
> additional connection (326), 1 of 58 pending slots used
>
> Jan 25 10:26:18 PacketFence-ZEN auth[23436]: [mac:98-E7-F4-8E-3C-2F]
> Rejected user: 98e7f48e3c2f
>
> Jan 25 10:26:18 PacketFence-ZEN auth[23436]: (316) Rejected in
> post-auth: [98e7f48e3c2f] (from client 172.20.14.66 port 16781512 cli
> 98-E7-F4-8E-3C-2F)
>
>  
>
>  
>
> Radius Debug Log: (There is an Error 500 inside regarding REST)
>
>
> [root@PacketFence-ZEN radius]# raddebug -f
> /usr/local/pf/var/run/radiusd.sock -t 300
>
> (76) Thu Jan 25 08:28:15 2018: Debug: Received Access-Request Id 160
> from 172.20.14.66:39936 to 172.20.1.230:1812 length 166
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   User-Name = "98e7f48e3c2f"
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   User-Password = "98e7f48e3c2f"
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   Service-Type = Call-Check
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   NAS-Identifier = "Testswitch"
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   NAS-Port = 16781512
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   NAS-Port-Type = Ethernet
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   Calling-Station-Id =
> "98-E7-F4-8E-3C-2F"
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   Called-Station-Id =
> "5C-8A-38-D8-B7-45"
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   NAS-Port-Id =
> "slot=1;subslot=0;port=1;vlanid=200"
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   NAS-IP-Address = 172.20.14.66
>
> (76) Thu Jan 25 08:28:15 2018: Debug: # Executing section authorize
> from file /usr/local/pf/raddb/sites-enabled/packetfence
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   authorize {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     update {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:       EXPAND
> %{Packet-Src-IP-Address}
>
> (76) Thu Jan 25 08:28:15 2018: Debug:          --> 172.20.14.66
>
> (76) Thu Jan 25 08:28:15 2018: Debug:       EXPAND %l
>
> (76) Thu Jan 25 08:28:15 2018: Debug:          --> 1516868895
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     } # update = noop
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     policy
> rewrite_calling_station_id {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:       if (&Calling-Station-Id &&
> (&Calling-Station-Id =~
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
> {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:       if (&Calling-Station-Id &&
> (&Calling-Station-Id =~
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
>  
> -> FALSE
>
This is not normal, the regexp is supposed to match!! Do you have a
pcap file of the RADIUS request?
>
> (76) Thu Jan 25 08:28:15 2018: Debug:       else {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:         [noop] = noop
>
> (76) Thu Jan 25 08:28:15 2018: Debug:       } # else = noop
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     } # policy
> rewrite_calling_station_id = noop
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     policy
> rewrite_called_station_id {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:       if ((&Called-Station-Id)
> && (&Called-Station-Id =~
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
> {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:       if ((&Called-Station-Id)
> && (&Called-Station-Id =~
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
>  
> -> FALSE
>
> (76) Thu Jan 25 08:28:15 2018: Debug:       else {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:         [noop] = noop
>
> (76) Thu Jan 25 08:28:15 2018: Debug:       } # else = noop
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     } # policy
> rewrite_called_station_id = noop
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     policy filter_username {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:       if (&User-Name) {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:       if (&User-Name)  -> TRUE
>
> (76) Thu Jan 25 08:28:15 2018: Debug:       if (&User-Name)  {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:         if (&User-Name =~ / /) {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:         if (&User-Name =~ / /) 
> -> FALSE
>
> (76) Thu Jan 25 08:28:15 2018: Debug:         if (&User-Name =~
> /@[^@]*@/ ) {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:         if (&User-Name =~
> /@[^@]*@/ )  -> FALSE
>
> (76) Thu Jan 25 08:28:15 2018: Debug:         if (&User-Name =~ /\.\./ ) {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:         if (&User-Name =~ /\.\./
> )  -> FALSE
>
> (76) Thu Jan 25 08:28:15 2018: Debug:         if ((&User-Name =~ /@/)
> && (&User-Name !~ /@(.+)\.(.+)$/))  {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:         if ((&User-Name =~ /@/)
> && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
>
> (76) Thu Jan 25 08:28:15 2018: Debug:         if (&User-Name =~ /\.$/)  {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:         if (&User-Name =~
> /\.$/)   -> FALSE
>
> (76) Thu Jan 25 08:28:15 2018: Debug:         if (&User-Name =~ /@\./)  {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:         if (&User-Name =~
> /@\./)   -> FALSE
>
> (76) Thu Jan 25 08:28:15 2018: Debug:       } # if (&User-Name)  = noop
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     } # policy filter_username =
> noop
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     policy filter_password {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:       if (&User-Password
> &&          (&User-Password != "%{string:User-Password}")) {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:       EXPAND %{string:User-Password}
>
> (76) Thu Jan 25 08:28:15 2018: Debug:          --> 98e7f48e3c2f
>
> (76) Thu Jan 25 08:28:15 2018: Debug:       if (&User-Password &&
>          (&User-Password != "%{string:User-Password}"))  -> FALSE
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     } # policy filter_password =
> noop
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     [preprocess] = ok
>
> (76) Thu Jan 25 08:28:15 2018: Debug: suffix: Checking for suffix
> after "@"
>
> (76) Thu Jan 25 08:28:15 2018: Debug: suffix: No '@' in User-Name =
> "98e7f48e3c2f", skipping NULL due to config.
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     [suffix] = noop
>
> (76) Thu Jan 25 08:28:15 2018: Debug: ntdomain: Checking for prefix
> before "\"
>
> (76) Thu Jan 25 08:28:15 2018: Debug: ntdomain: No '\' in User-Name =
> "98e7f48e3c2f", looking up realm NULL
>
> (76) Thu Jan 25 08:28:15 2018: Debug: ntdomain: Found realm "null"
>
> (76) Thu Jan 25 08:28:15 2018: Debug: ntdomain: Adding
> Stripped-User-Name = "98e7f48e3c2f"
>
> (76) Thu Jan 25 08:28:15 2018: Debug: ntdomain: Adding Realm = "null"
>
> (76) Thu Jan 25 08:28:15 2018: Debug: ntdomain: Authentication realm
> is LOCAL
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     [ntdomain] = ok
>
> (76) Thu Jan 25 08:28:15 2018: Debug: eap: No EAP-Message, not doing EAP
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     [eap] = noop
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     if ( !EAP-Message ) {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     if ( !EAP-Message )  -> TRUE
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     if ( !EAP-Message )  {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:       update {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:       } # update = noop
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     } # if ( !EAP-Message )  = noop
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     policy
> packetfence-eap-mac-policy {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:       if ( &EAP-Type ) {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:       if ( &EAP-Type )  -> FALSE
>
> (76) Thu Jan 25 08:28:15 2018: Debug:       [noop] = noop
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     } # policy
> packetfence-eap-mac-policy = noop
>
> (76) Thu Jan 25 08:28:15 2018: WARNING: pap:
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
> (76) Thu Jan 25 08:28:15 2018: WARNING: pap: !!! Ignoring
> control:User-Password.  Update your        !!!
>
> (76) Thu Jan 25 08:28:15 2018: WARNING: pap: !!! configuration so that
> the "known good" clear text !!!
>
> (76) Thu Jan 25 08:28:15 2018: WARNING: pap: !!! password is in
> Cleartext-Password and NOT in        !!!
>
> (76) Thu Jan 25 08:28:15 2018: WARNING: pap: !!!
> User-Password.                                      !!!
>
> (76) Thu Jan 25 08:28:15 2018: WARNING: pap:
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
> (76) Thu Jan 25 08:28:15 2018: WARNING: pap: Auth-Type already set. 
> Not setting to PAP
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     [pap] = noop
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   } # authorize = ok
>
> (76) Thu Jan 25 08:28:15 2018: Debug: Found Auth-Type = Accept
>
> (76) Thu Jan 25 08:28:15 2018: Debug: Auth-Type = Accept, accepting
> the user
>
> (76) Thu Jan 25 08:28:15 2018: Debug: # Executing section post-auth
> from file /usr/local/pf/raddb/sites-enabled/packetfence
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   post-auth {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     update {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:       EXPAND
> %{Packet-Src-IP-Address}
>
> (76) Thu Jan 25 08:28:15 2018: Debug:          --> 172.20.14.66
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     } # update = noop
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     if (! EAP-Type || (EAP-Type
> != TTLS  && EAP-Type != PEAP) ) {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     if (! EAP-Type || (EAP-Type
> != TTLS  && EAP-Type != PEAP) )  -> TRUE
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     if (! EAP-Type || (EAP-Type
> != TTLS  && EAP-Type != PEAP) )  {
>
> (76) Thu Jan 25 08:28:15 2018: Debug: rest: Expanding URI components
>
> (76) Thu Jan 25 08:28:15 2018: Debug: rest: EXPAND http://127.0.0.1:7070
>
> (76) Thu Jan 25 08:28:15 2018: Debug: rest:    --> http://127.0.0.1:7070
>
> (76) Thu Jan 25 08:28:15 2018: Debug: rest: EXPAND //radius/rest/authorize
>
> (76) Thu Jan 25 08:28:15 2018: Debug: rest:    --> //radius/rest/authorize
>
> (76) Thu Jan 25 08:28:15 2018: Debug: rest: Sending HTTP POST to
> "http://127.0.0.1:7070//radius/rest/authorize";
>
> (76) Thu Jan 25 08:28:15 2018: Debug: rest: Encoding attribute "User-Name"
>
> (76) Thu Jan 25 08:28:15 2018: Debug: rest: Encoding attribute
> "User-Password"
>
> (76) Thu Jan 25 08:28:15 2018: Debug: rest: Encoding attribute
> "NAS-IP-Address"
>
> (76) Thu Jan 25 08:28:15 2018: Debug: rest: Encoding attribute "NAS-Port"
>
> (76) Thu Jan 25 08:28:15 2018: Debug: rest: Encoding attribute
> "Service-Type"
>
> (76) Thu Jan 25 08:28:15 2018: Debug: rest: Encoding attribute
> "Called-Station-Id"
>
> (76) Thu Jan 25 08:28:15 2018: Debug: rest: Encoding attribute
> "Calling-Station-Id"
>
> (76) Thu Jan 25 08:28:15 2018: Debug: rest: Encoding attribute
> "NAS-Identifier"
>
> (76) Thu Jan 25 08:28:15 2018: Debug: rest: Encoding attribute
> "NAS-Port-Type"
>
> (76) Thu Jan 25 08:28:15 2018: Debug: rest: Encoding attribute
> "Event-Timestamp"
>
> (76) Thu Jan 25 08:28:15 2018: Debug: rest: Encoding attribute
> "NAS-Port-Id"
>
> (76) Thu Jan 25 08:28:15 2018: Debug: rest: Encoding attribute
> "Stripped-User-Name"
>
> (76) Thu Jan 25 08:28:15 2018: Debug: rest: Encoding attribute "Realm"
>
> (76) Thu Jan 25 08:28:15 2018: Debug: rest: Encoding attribute
> "FreeRADIUS-Client-IP-Address"
>
> (76) Thu Jan 25 08:28:15 2018: Debug: rest: Processing response header
>
> (76) Thu Jan 25 08:28:15 2018: Debug: rest:   Status : 500 (Internal
> Server Error)
>
> (76) Thu Jan 25 08:28:15 2018: Debug: rest:   Type   : json
> (application/json)
>
> (76) Thu Jan 25 08:28:15 2018: ERROR: rest: Server returned:
>
> (76) Thu Jan 25 08:28:15 2018: ERROR: rest:
> {"error":{"detail":null,"message":"Can't use string (\"\") as an ARRAY
> ref while \"strict refs\" in use at
> /usr/local/pf/lib/pf/radius/rest.pm line 33.\n"}}
>

I think it failed because the RADIUS request is a little bit bogus; a
pcap file will help.


> (76) Thu Jan 25 08:28:15 2018: Debug:       [rest] = fail
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     } # if (! EAP-Type ||
> (EAP-Type != TTLS  && EAP-Type != PEAP) )  = fail
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   } # post-auth = fail
>
> (76) Thu Jan 25 08:28:15 2018: Debug: Using Post-Auth-Type Reject
>
> (76) Thu Jan 25 08:28:15 2018: Debug: # Executing group from file
> /usr/local/pf/raddb/sites-enabled/packetfence
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   Post-Auth-Type REJECT {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     update {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     } # update = noop
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     if (! EAP-Type || (EAP-Type
> != TTLS  && EAP-Type != PEAP) ) {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     if (! EAP-Type || (EAP-Type
> != TTLS  && EAP-Type != PEAP) )  -> TRUE
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     if (! EAP-Type || (EAP-Type
> != TTLS  && EAP-Type != PEAP) )  {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:       policy
> packetfence-audit-log-reject {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:         if (&User-Name != "dummy") {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:         if (&User-Name !=
> "dummy")  -> TRUE
>
> (76) Thu Jan 25 08:28:15 2018: Debug:         if (&User-Name !=
> "dummy")  {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:           policy request-timing {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:             if
> (control:PacketFence-Request-Time != 0) {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:             if
> (control:PacketFence-Request-Time != 0)  -> FALSE
>
> (76) Thu Jan 25 08:28:15 2018: Debug:           } # policy
> request-timing = noop
>
> (76) Thu Jan 25 08:28:15 2018: Debug: sql_reject: EXPAND type.reject.query
>
> (76) Thu Jan 25 08:28:15 2018: Debug: sql_reject:    --> type.reject.query
>
> (76) Thu Jan 25 08:28:15 2018: Debug: sql_reject: Using query template
> 'query'
>
> (76) Thu Jan 25 08:28:15 2018: Debug: sql_reject: EXPAND %{User-Name}
>
> (76) Thu Jan 25 08:28:15 2018: Debug: sql_reject:    --> 98e7f48e3c2f
>
> (76) Thu Jan 25 08:28:15 2018: Debug: sql_reject: SQL-User-Name set to
> '98e7f48e3c2f'
>
> (76) Thu Jan 25 08:28:15 2018: Debug: sql_reject: EXPAND INSERT INTO
> radius_audit_log               ( mac, ip, computer_name,
> user_name,                stripped_user_name,  realm,
> event_type,                switch_id, switch_mac,
> switch_ip_address,                radius_source_ip_address,
> called_station_id, calling_station_id,                nas_port_type,
> ssid, nas_port_id,                ifindex, nas_port,
> connection_type,                nas_ip_address, nas_identifier,
> auth_status,                reason, auth_type,
> eap_type,                role, node_status, profile,               
> source, auto_reg, is_phone,                pf_domain, uuid,
> radius_request,                radius_reply,
> request_time)              VALUES               (
> '%{request:Calling-Station-Id}', '%{request:Framed-IP-Address}',
> '%{%{control:PacketFence-Computer-Name}:-N/A}',
> '%{request:User-Name}',              
>  '%{request:Stripped-User-Name}', '%{request:Realm}',
> 'Radius-Access-Request',               
> '%{%{control:PacketFence-Switch-Id}:-N/A}',
> '%{%{control:PacketFence-Switch-Mac}:-N/A}',
> '%{%{control:PacketFence-Switch-Ip-Address}:-N/A}',               
> '%{Packet-Src-IP-Address}', '%{request:Called-Station-Id}',
> '%{request:Calling-Station-Id}',               
> '%{request:NAS-Port-Type}', '%{request:Called-Station-SSID}',
> '%{request:NAS-Port-Id}',               
> '%{%{control:PacketFence-IfIndex}:-N/A}', '%{request:NAS-Port}',
> '%{%{control:PacketFence-Connection-Type}:-N/A}',               
> '%{request:NAS-IP-Address}', '%{request:NAS-Identifier}', 
> 'Reject',                 '%{request:Module-Failure-Message}',
> '%{control:Auth-Type}', '%{request:EAP-Type}',        
>        '%{%{control:PacketFence-Role}:-N/A}',
> '%{%{control:PacketFence-Status}:-N/A}',
> '%{%{control:PacketFence-Profile}:-N/A}',               
> '%{%{control:PacketFence-Source}:-N/A}',
> '%{%{control:PacketFence-AutoReg}:-N/A}',
> '%{%{control:PacketFence-IsPhone}:-N/A}',               
> '%{request:PacketFence-Domain}', '',
> '%{pairs:&request:[*]}','%{pairs:&reply:[*]}',
> '%{%{control:PacketFence-Request-Time}:-N/A}')
>
> (76) Thu Jan 25 08:28:15 2018: Debug: sql_reject:    --> INSERT INTO
> radius_audit_log               ( mac, ip, computer_name,
> user_name,                stripped_user_name,  realm,
> event_type,                switch_id, switch_mac,
> switch_ip_address,                radius_source_ip_address,
> called_station_id, calling_station_id,                nas_port_type,
> ssid, nas_port_id,                ifindex, nas_port,
> connection_type,                nas_ip_address, nas_identifier,
> auth_status,                reason, auth_type,
> eap_type,                role, node_status, profile,               
> source, auto_reg, is_phone,                pf_domain, uuid,
> radius_request,                radius_reply,
> request_time)              VALUES               ( '98-E7-F4-8E-3C-2F',
> '', 'N/A', '98e7f48e3c2f',                '98e7f48e3c2f', 'null',
> 'Radius-Access-Request',                'N/A', 'N/A',
> 'N/A',                '172.20.14.66', '5C-8A-38-D8-B7-45',
> '98-E7-F4-8E-3C-2F',                'Ethernet', '',
> 'slot=3D1=3Bsubslot=3D0=3Bport=3D1=3Bvlanid=3D200',               
> 'N/A', '16781512', 'N/A',                '172.20.14.66',
> 'Testswitch',  'Reject',                 'rest: Server returned:',
> 'Accept', '',                'N/A', 'N/A', 'N/A',               
> 'N/A', 'N/A', 'N/A',                '', '', 'User-Name =3D
> =2298e7f48e3c2f=22=2C User-Password =3D =22=2A=2A=2A=2A=2A=2A=22=2C
> NAS-IP-Address =3D 172.20.14.66=2C NAS-Port =3D 16781512=2C
> Service-Type =3D Call-Check=2C Called-Station-Id =3D
> =225C-8A-38-D8-B7-45=22=2C Calling-Station-Id =3D
> =2298-E7-F4-8E-3C-2F=22=2C NAS-Identifier =3D =22Testswitch=22=2C
> NAS-Port-Type =3D Ethernet=2C Event-Timestamp =3D =22Jan 25 2018
> 08:28:15 UTC=22=2C NAS-Port-Id =3D
> =22slot=3D1=3Bsubslot=3D0=3Bport=3D1=3Bvlanid=3D200=22=2C
> Stripped-User-Name =3D =2298e7f48e3c2f=22=2C Realm =3D =22null=22=2C
> FreeRADIUS-Client-IP-Address =3D 172.20.14.66=2C
> Module-Failure-Message =3D =22rest: Server returned:=22=2C
> Module-Failure-Message =3D =22rest:
> =7B=5C=22error=5C=22:=7B=5C=22detail=5C=22:null=2C=5C=22message=5C=22:=5C=22Can=27t
> use string =28=5C=5C=5C=22=5C=5C=5C=22=29 as an ARRAY ref while
> =5C=5C=5C=22strict refs=5C=5C=5C=22 in use at
> /usr/local/pf/lib/pf/radius/rest.pm line 33.=5C=5Cn=5C=22=7D=7D=22=2C
> SQL-User-Name =3D =2298e7f48e3c2f=22','', '0')
>
> (76) Thu Jan 25 08:28:15 2018: Debug: sql_reject: Executing query:
> INSERT INTO radius_audit_log               ( mac, ip, computer_name,
> user_name,                stripped_user_name,  realm,
> event_type,                switch_id, switch_mac,
> switch_ip_address,                radius_source_ip_address,
> called_station_id, calling_station_id,                nas_port_type,
> ssid, nas_port_id,                ifindex, nas_port,
> connection_type,                nas_ip_address, nas_identifier,
> auth_status,                reason, auth_type,
> eap_type,                role, node_status, profile,               
> source, auto_reg, is_phone,                pf_domain, uuid,
> radius_request,                radius_reply,
> request_time)              VALUES               ( '98-E7-F4-8E-3C-2F',
> '', 'N/A', '98e7f48e3c2f',                '98e7f48e3c2f', 'null',
> 'Radius-Access-Request',                'N/A', 'N/A',
> 'N/A',                '172.20.14.66', '5C-8A-38-D8-B7-45',
> '98-E7-F4-8E-3C-2F',                'Ethernet', '',
> 'slot=3D1=3Bsubslot=3D0=3Bport=3D1=3Bvlanid=3D200',               
> 'N/A', '16781512', 'N/A',                '172.20.14.66',
> 'Testswitch',  'Reject',                 'rest: Server returned:',
> 'Accept', '',                'N/A', 'N/A', 'N/A',               
> 'N/A', 'N/A', 'N/A',                '', '', 'User-Name =3D
> =2298e7f48e3c2f=22=2C User-Password =3D =22=2A=2A=2A=2A=2A=2A=22=2C
> NAS-IP-Address =3D 172.20.14.66=2C NAS-Port =3D 16781512=2C
> Service-Type =3D Call-Check=2C Called-Station-Id =3D
> =225C-8A-38-D8-B7-45=22=2C Calling-Station-Id =3D
> =2298-E7-F4-8E-3C-2F=22=2C NAS-Identifier =3D =22Testswitch=22=2C
> NAS-Port-Type =3D Ethernet=2C Event-Timestamp =3D =22Jan 25 2018
> 08:28:15 UTC=22=2C NAS-Port-Id =3D
> =22slot=3D1=3Bsubslot=3D0=3Bport=3D1=3Bvlanid=3D200=22=2C
> Stripped-User-Name =3D =2298e7f48e3c2f=22=2C Realm =3D =22null=22=2C
> FreeRADIUS-Client-IP-Address =3D 172.20.14.66=2C
> Module-Failure-Message =3D =22rest: Server returned:=22=2C
> Module-Failure-Message =3D =22rest:
> =7B=5C=22error=5C=22:=7B=5C=22detail=5C=22:null=2C=5C=22message=5C=22:=5C=22Can=27t
> use string =28=5C=5C=5C=22=5C=5C=5C=22=29 as an ARRAY ref while
> =5C=5C=5C=22strict refs=5C=5C=5C=22 in use at
> /usr/local/pf/lib/pf/radius/rest.pm line 33.=5C=5Cn=5C=22=7D=7D=22=2C
> SQL-User-Name =3D =2298e7f48e3c2f=22','', '0')
>
> (76) Thu Jan 25 08:28:15 2018: Debug: sql_reject: SQL query returned:
> success
>
> (76) Thu Jan 25 08:28:15 2018: Debug: sql_reject: 1 record(s) updated
>
> (76) Thu Jan 25 08:28:15 2018: Debug:           [sql_reject] = ok
>
> (76) Thu Jan 25 08:28:15 2018: Debug:         } # if (&User-Name !=
> "dummy")  = ok
>
> (76) Thu Jan 25 08:28:15 2018: Debug:       } # policy
> packetfence-audit-log-reject = ok
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     } # if (! EAP-Type ||
> (EAP-Type != TTLS  && EAP-Type != PEAP) )  = ok
>
> (76) Thu Jan 25 08:28:15 2018: Debug: attr_filter.access_reject:
> EXPAND %{User-Name}
>
> (76) Thu Jan 25 08:28:15 2018: Debug: attr_filter.access_reject:   
> --> 98e7f48e3c2f
>
> (76) Thu Jan 25 08:28:15 2018: Debug: attr_filter.access_reject:
> Matched entry DEFAULT at line 11
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     [attr_filter.access_reject]
> = updated
>
> (76) Thu Jan 25 08:28:15 2018: Debug:
> attr_filter.packetfence_post_auth: EXPAND %{User-Name}
>
> (76) Thu Jan 25 08:28:15 2018: Debug:
> attr_filter.packetfence_post_auth:    --> 98e7f48e3c2f
>
> (76) Thu Jan 25 08:28:15 2018: Debug:
> attr_filter.packetfence_post_auth: Matched entry DEFAULT at line 10
>
> (76) Thu Jan 25 08:28:15 2018: Debug:    
> [attr_filter.packetfence_post_auth] = updated
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     [eap] = noop
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     policy
> remove_reply_message_if_eap {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:       if (&reply:EAP-Message &&
> &reply:Reply-Message) {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:       if (&reply:EAP-Message &&
> &reply:Reply-Message)  -> FALSE
>
> (76) Thu Jan 25 08:28:15 2018: Debug:       else {
>
> (76) Thu Jan 25 08:28:15 2018: Debug:         [noop] = noop
>
> (76) Thu Jan 25 08:28:15 2018: Debug:       } # else = noop
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     } # policy
> remove_reply_message_if_eap = noop
>
> (76) Thu Jan 25 08:28:15 2018: Debug: linelog: EXPAND
> messages.%{%{reply:Packet-Type}:-default}
>
> (76) Thu Jan 25 08:28:15 2018: Debug: linelog:    -->
> messages.Access-Reject
>
> (76) Thu Jan 25 08:28:15 2018: Debug: linelog: EXPAND
> [mac:%{Calling-Station-Id}] Rejected user: %{User-Name}
>
> (76) Thu Jan 25 08:28:15 2018: Debug: linelog:    -->
> [mac:98-E7-F4-8E-3C-2F] Rejected user: 98e7f48e3c2f
>
> (76) Thu Jan 25 08:28:15 2018: Debug:     [linelog] = ok
>
> (76) Thu Jan 25 08:28:15 2018: Debug:   } # Post-Auth-Type REJECT =
> updated
>
> (76) Thu Jan 25 08:28:15 2018: Debug: Delaying response for 1.000000
> seconds
>
> (76) Thu Jan 25 08:28:16 2018: Debug: Sending delayed response
>
> (76) Thu Jan 25 08:28:16 2018: Debug: Sent Access-Reject Id 160 from
> 172.20.1.230:1812 to 172.20.14.66:39936 length 20
>
> (76) Thu Jan 25 08:28:20 2018: Debug: Cleaning up request packet ID
> 160 with timestamp +4089
>
>  
>
>  
>
> From Switches.conf:
>
>
> [172.20.14.66]
>
> description=Comware Test
>
> group=H3C_Switches
>
> useCoA=Y
>
> uplink_dynamic=0
>
> uplink=46,47,48
>
>  
>
> [group H3C_Switches]
>
> useCoA=N
>
> VoIPCDPDetect=N
>
> VoIPDHCPDetect=N
>
> deauthMethod=RADIUS
>
> description=Alle H&G H3C Switche
>
> type=H3C::S5120
>
> VoIPLLDPDetect=N
>
> cliPwd=********** (removed before mailing)
>
> cliEnablePwd=********** (removed before mailing)
>
> SNMPCommunityRead=********** (removed before mailing)
>
> SNMPCommunityWrite=********** (removed before mailing)
>
> SNMPCommunityTrap=********** (removed before mailing)
>
> cliUser=admin
>
> cliAccess=Y
>
>  
>
> From Switch Configuration:
>
>  
>
> Global:
>
>  
>
> vlan 10
>
> description Registration
>
> #
>
> vlan 11
>
> description Isolation
>
> #
>
> vlan 12
>
> description Portal
>
> #
>
> vlan 13
>
> description Mac Detect
>
> #
>
> vlan 200
>
> description Guest Network
>
> #
>
>  
>
> mac-authentication domain packetfence
>
> port-security enable
>
>  
>
> #
>
> snmp-agent
>
> snmp-agent local-engineid ********** (removed before mailing)
>
> snmp-agent community write cipher ********** (removed before mailing)
>
> snmp-agent community read cipher ********** (removed before mailing)
>
> snmp-agent sys-info version v2c v3
>
>  
>
> radius scheme packetfence
>
> primary authentication 172.20.1.230 key cipher ********** (removed
> before mailing)
>
> primary accounting 172.20.1.230 key cipher ********** (removed before
> mailing)
>
> user-name-format without-domain
>
>  
>
> domain packetfence
>
> authentication lan-access radius-scheme packetfence
>
> authorization lan-access radius-scheme packetfence
>
> authentication default radius-scheme packetfence
>
>  
>
>  
>
> Port Config:
>
>  
>
> interface GigabitEthernet1/0/1
>
> port link-type hybrid
>
> port hybrid vlan 1 200 untagged
>
> port hybrid pvid vlan 200
>
> mac-vlan enable
>
> stp edged-port
>
> mac-authentication guest-vlan 200
>
> port-security intrusion-mode blockmac
>
> port-security max-mac-count 1
>
> port-security port-mode mac-authentication
>
>  
>
>  
>
>  
>
> I hope someone can help me to find a solution because all of our
> productive switches are H3C Comware based models.
>
>  
>
>  
>
> Best regards / Mit freundlichen Grüßen
>
>  
>
> Martin Schenkelberg
>
> IT
>
>  
>
> H&G Hansen & Gieraths
>
> EDV Vertriebsgesellschaft mbH
>
> Bornheimer Straße 42-52
>
> D-53111 Bonn
>
>  
>
> Email    martin.schenkelb...@hug.de <mailto:martin.schenkelb...@hug.de>
>
> Website http://www.hug.de <http://www.hug.de/>
>
>  
>
> H&G Hansen & Gieraths EDV Vertriebsgesellschaft mbH,
>
> P.O. Box 1605, 53006 Bonn
>
> VAT ID No. DE122121252
>
> Managing Director: Dr. H. Hellmuth Hansen
>
> Registered office: Bonn, Bonn District Court HRB 4027
>
>  
>
>  
>
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>
>
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
Regards
Fabrice

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
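As an added example (not code from the thread, from Inverse or from PacketFence itself): the Calling-Station-Id regex of the rewrite_calling_station_id policy, copied from the raddebug output above, applied in Python to the MAC notations seen on this page and to a few constructed malformed values of the kind a pcap would reveal. The helper names rewrite_calling_station_id, diagnose and check_samples are mine, and the rewrite to lowercase colon-separated form is the assumed result of the policy's update block, which the debug output does not show.

```python
import re

# Regex of PacketFence's rewrite_calling_station_id FreeRADIUS policy,
# copied from the raddebug output in this thread. It accepts six hex byte
# pairs with at most one optional non-hex separator character between them,
# and nothing before or after them.
CALLING_STATION_ID_RE = re.compile(
    r"^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?"
    r"([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$",
    re.IGNORECASE,
)


def rewrite_calling_station_id(value):
    """Mimic the policy: return the MAC rewritten to lowercase colon form
    (assumed to be what the policy's update block produces), or None when
    the regex does not match and the policy falls through to 'else' (noop),
    which is what the '-> FALSE' line in the debug output reports."""
    m = CALLING_STATION_ID_RE.match(value)
    if m is None:
        return None
    return ":".join(group.lower() for group in m.groups())


def diagnose(value):
    """List reasons a Calling-Station-Id would fail the regex. An empty list
    means the value is a well-formed MAC and the policy should match it."""
    problems = []
    hex_digits = re.sub(r"[^0-9a-fA-F]", "", value)
    if len(hex_digits) != 12:
        problems.append("expected 12 hex digits, found %d" % len(hex_digits))
    non_printable = [c for c in value if not c.isprintable()]
    if non_printable:
        problems.append("non-printable bytes: "
                        + ", ".join("0x%02x" % ord(c) for c in non_printable))
    if value != value.strip():
        problems.append("leading or trailing whitespace")
    if re.search(r"[^0-9a-fA-F]{2,}", value):
        problems.append("more than one separator character in a row")
    return problems


# Constructed sample values: the first four are notations that appear on
# this page (Access-Request attribute, H3C console, User-Name) or are common
# switch notations; the last three are deliberately malformed to show what a
# "bogus" attribute looks like to the policy.
SAMPLES = {
    "98-E7-F4-8E-3C-2F": "dashes, as in the Access-Request",
    "98e7-f48e-3c2f": "H3C console notation",
    "98e7.f48e.3c2f": "Cisco dotted notation",
    "98e7f48e3c2f": "bare hex, as in User-Name",
    "98-E7-F4-8E-3C-2F\x00": "trailing NUL byte",
    "98-E7-F4-8E-3C-2F ": "trailing space",
    "98-E7-F4-8E-3C": "truncated to five bytes",
}


def check_samples():
    """Return {value: (rewritten_or_None, problems)} for every sample."""
    return {v: (rewrite_calling_station_id(v), diagnose(v)) for v in SAMPLES}


if __name__ == "__main__":
    for value, (rewritten, problems) in check_samples().items():
        print("%-28r %-18s %s" % (value, rewritten,
                                  "; ".join(problems) or "ok"))
```

A well-formed value such as the 98-E7-F4-8E-3C-2F in the debug output matches, so a "-> FALSE" on it points at bytes in the actual attribute that the text log does not show.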
