Hi! Is there anyone with this switch model who has 802.1x+MAB working with PacketFence?
I have a 5-floor building with this model and I need to make it work. Thanks.

--
Oscar Nogales
Communications and Security Specialist

On Wed, 17 Oct 2018 at 17:25, Oscar Nogales (<[email protected]>) wrote:

> Hi everyone,
>
> I'm working on a NAC deployment with PacketFence in offline mode. I have 802.1x authentication working, but I want to do the MAC address authentication failover in case no 802.1x agent is connected to the switch.
>
> All my switches are HPE V1910-48G Switch with Software Version Release 1519P03 (last version on the HP website).
>
> Apparently all is working: the switch sends PacketFence the MAC address as username and password, the RADIUS server authenticates it correctly and sends back the response with the correct attributes:
> Tunnel-Type = VLAN
> Tunnel-Private-Group-Id = "3"
> Tunnel-Medium-Type = IEEE-802
>
> The switch registers in its log that the user is authenticated and the VLAN is 3. But the PC has no connection: it doesn't get any IP by DHCP (there is DHCP on VLAN 3), or if I configure a static IP address, I cannot reach any other IP on the VLAN (it is as if the switch blocks my packets).
>
> This is the configuration of the HP switch:
>
> #
> port-security enable
> #
> dot1x timer tx-period 10
> dot1x timer supp-timeout 10
> dot1x authentication-method eap
> #
> #
> mac-authentication domain macauth.local
> mac-authentication user-name-format mac-address with-hyphen
> #
> domain macauth.local
> authentication default radius-scheme radiusnac
> authentication lan-access radius-scheme radiusnac
> authorization lan-access radius-scheme radiusnac
> access-limit disable
> state active
> idle-cut disable
> self-service-url disable
> #
> domain mydomain
> authentication lan-access radius-scheme radiusnac
> authorization lan-access radius-scheme radiusnac
> access-limit disable
> state active
> idle-cut disable
> self-service-url disable
> #
> radius scheme radiusnac
> primary authentication 10.0.10.220
> key authentication cipher $c$3$ZFDWjqDlNi7UGtNNLnrRiL+w/7MTioLgW3p0Ds1617Xc
> security-policy-server 10.0.10.220
> user-name-format keep-original
> nas-ip 172.18.1.19
> #
> #
> interface GigabitEthernet1/0/16
> port link-type hybrid
> port hybrid vlan 1 3 117 untagged
> port hybrid pvid vlan 117
> mac-vlan enable
> stp edged-port enable
> mac-authentication max-user 2
> mac-authentication host-mode multi-vlan
> port-security port-mode userlogin-secure-or-mac
> dot1x re-authenticate
> dot1x guest-vlan 117
> undo dot1x handshake
> undo dot1x multicast-trigger
> #
> snmp-agent community read myreadcommunity
> snmp-agent community write mywritecommunity mib-view All
> snmp-agent target-host trap address udp-domain 10.0.10.220 params securityname NAC v2c
> #
>
> And this is the configuration on PacketFence:
>
> [172.18.1.19]
> description=sw19_test
> group=RoverMotta-HP
> deauthMethod=SNMP
> GR_NAC_Rmotta_vlan20Vlan=20
> GR_NAC_Rmotta_vlan3Vlan=3
> type=H3C::S5120
> cliPwd=supersecurepass
> cliUser=admin
> cliEnablePwd=megasecurepass
> useCoA=N
>
> [group RoverMotta-HP]
> description=1910
> SNMPCommunityRead=myreadcommunity
> SNMPCommunityWrite=mywritecommunity
> isolationVlan=118
> radiusSecret=RadiusPassword
> SNMPVersion=2c
> registrationVlan=117
> defaultVlan=3
>
> And I'll show you the logs that show that MAB is working:
>
> [radius.log]
> Oct 17 15:54:00 censvnac auth[12460]: [mac:f0:de:f1:3c:7b:c3] Accepted user: and returned VLAN 3
> Oct 17 15:54:00 censvnac auth[12460]: (854) Login OK: [[email protected]] (from client 172.18.1.19 port 16842869 cli f0:de:f1:3c:7b:c3)
>
> [packetfence.log]
> Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262) INFO: [mac:f0:de:f1:3c:7b:c3] handling radius autz request: from switch_ip => (172.18.1.19), connection_type => WIRED_MAC_AUTH,switch_mac => (Unknown), mac => [f0:de:f1:3c:7b:c3], port => 16, username => "[email protected]" (pf::radius::authorize)
> Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262) INFO: [mac:f0:de:f1:3c:7b:c3] Instantiate profile 802.1x (pf::Connection::ProfileFactory::_from_profile)
> Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262) INFO: [mac:f0:de:f1:3c:7b:c3] Connection type is WIRED_MAC_AUTH. Getting role from node_info (pf::role::getRegisteredRole)
> Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262) INFO: [mac:f0:de:f1:3c:7b:c3] Username was defined "[email protected]" - returning role 'GR_NAC_Rmotta_vlan3' (pf::role::getRegisteredRole)
> Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262) INFO: [mac:f0:de:f1:3c:7b:c3] PID: "default", Status: reg Returned VLAN: (undefined), Role: GR_NAC_Rmotta_vlan3 (pf::role::fetchRoleForNode)
> Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262) INFO: [mac:f0:de:f1:3c:7b:c3] (172.18.1.19) Added VLAN 3 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
> Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262) INFO: [mac:f0:de:f1:3c:7b:c3] violation 1300003 force-closed for f0:de:f1:3c:7b:c3 (pf::violation::violation_force_close)
> Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262) INFO: [mac:f0:de:f1:3c:7b:c3] Instantiate profile 802.1x (pf::Connection::ProfileFactory::_from_profile)
> Oct 17 15:54:09 censvnac pfqueue: pfqueue(29881) WARN: [mac:34:e6:ad:81:f7:a4] Unable to perform a Fingerbank lookup for device with MAC address '34:e6:ad:81:f7:a4' (pf::fingerbank::process)
>
> [tcpdump on packetfence with the radius response]
> Frame 6: 77 bytes on wire (616 bits), 77 bytes captured (616 bits)
> Ethernet II, Src: Vmware_1d:6e:98 (00:0c:29:1d:6e:98), Dst: Tecnomen_11:08:e6 (00:e0:20:11:08:e6)
> Internet Protocol Version 4, Src: 10.0.10.220, Dst: 172.18.1.19
> User Datagram Protocol, Src Port: 1812, Dst Port: 2413
>     Source Port: 1812
>     Destination Port: 2413
>     Length: 43
>     Checksum: 0xc23d [unverified]
>     [Checksum Status: Unverified]
>     [Stream index: 0]
> RADIUS Protocol
>     Code: Access-Accept (2)
>     Packet identifier: 0x0 (0)
>     Length: 35
>     Authenticator: ef9458c3f62b4a81321c148d229cfa24
>     [This is a response to a request in frame 1]
>     [Time from request: 0.232739000 seconds]
>     Attribute Value Pairs
>         AVP: t=Tunnel-Type(64) l=6 Tag=0x00 val=VLAN(13)
>         AVP: t=Tunnel-Private-Group-Id(81) l=3 val=3
>         AVP: t=Tunnel-Medium-Type(65) l=6 Tag=0x00 val=IEEE-802(6)
>
> [HP 1920 syslog]
> Apr 26 16:01:27:374 2000 PORTSEC Information PORTSEC_MACAUTH_LOGIN_SUCC -IfName=GigabitEthernet1/0/16-MACAddr=F0:DE:F1:3C:7B:C3-VlanId=3-UserName=f0-de-f1-3c-7b-c3-UserNameFormat=MAC address; The user passed MAC address authentication and got online successfully.
> Apr 26 16:01:25:903 2000 MSTP Information MSTP_FORWARDING Instance 0's port GigabitEthernet1/0/16 has been set to forwarding state.
>
> Does anybody have a working configuration with an HP 1920 switch and 802.1x + MAC authentication? With the above information provided, does any of you have any clue about what is going on?
>
> Thanks in advance. I will continue doing tests and I'll update if I have any news.
>
> Regards.
>
> --
> Oscar Nogales
> Communications and Security Specialist
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
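An added example, not from the original post and not PacketFence's or HP's code, for checking what the RADIUS server actually hands the switch. It rebuilds the 35-byte Access-Accept from the AVPs in the tcpdump above (same code, identifier, length and authenticator), decodes the RFC 2868 tunnel attributes the way a NAS is expected to (tag octet always present on Tunnel-Type and Tunnel-Medium-Type, only present on Tunnel-Private-Group-Id when the first octet is 0x1F or lower), and reports whether the three attributes form one consistent VLAN assignment. It also implements the RFC 2865 Response Authenticator check, which is how a switch proves the Access-Accept came from the server that holds the shared secret; the request authenticator and secret used for that part are constructed sample values, since the post does not contain a request capture.

```python
"""Decode a RADIUS Access-Accept and check its VLAN-assignment attributes
(RFC 2865 header and Response Authenticator, RFC 2868 tunnel attributes,
RFC 3580 use of Tunnel-Private-Group-Id as a VLAN ID)."""
import hashlib
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE = 64               # tagged integer
TUNNEL_MEDIUM_TYPE = 65        # tagged integer
TUNNEL_PRIVATE_GROUP_ID = 81   # tagged string, tag octet optional
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def parse_radius(packet):
    """Split a RADIUS packet into (code, identifier, authenticator, [(type, raw_value), ...])."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field %d does not match %d bytes on the wire" % (length, len(packet)))
    avps, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad length %d for attribute %d" % (alen, atype))
        avps.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], avps


def tagged_int(value):
    """Tunnel-Type / Tunnel-Medium-Type: one tag octet followed by a 3-octet integer."""
    if len(value) != 4:
        raise ValueError("tagged integer attribute must be 4 octets")
    return value[0], int.from_bytes(value[1:], "big")


def tagged_str(value):
    """Tunnel-Private-Group-Id: the first octet is a tag only if it is <= 0x1F; otherwise it is
    part of the string. The captured value "3" (0x33) therefore has no tag octet, hence l=3."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_assignment(packet):
    """Return (vlan_id, problems). vlan_id is None unless the Access-Accept carries a consistent
    Tunnel-Type=VLAN / Tunnel-Medium-Type=IEEE-802 / Tunnel-Private-Group-Id set with one tag."""
    code, _, _, avps = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        return None, ["code %d is not Access-Accept" % code]
    found = {}
    for atype, value in avps:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[atype] = tagged_int(value)
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            found[atype] = tagged_str(value)
    problems = ["missing attribute %d" % t for t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) if t not in found]
    if problems:
        return None, problems
    if found[TUNNEL_TYPE][1] != TUNNEL_TYPE_VLAN:
        problems.append("Tunnel-Type is %d, expected VLAN(13)" % found[TUNNEL_TYPE][1])
    if found[TUNNEL_MEDIUM_TYPE][1] != TUNNEL_MEDIUM_IEEE_802:
        problems.append("Tunnel-Medium-Type is %d, expected IEEE-802(6)" % found[TUNNEL_MEDIUM_TYPE][1])
    if len({tag for tag, _ in found.values()}) != 1:
        problems.append("tunnel attributes carry different tags, so the NAS may not group them")
    group = found[TUNNEL_PRIVATE_GROUP_ID][1]
    if not group.isdigit() or not 1 <= int(group) <= 4094:
        problems.append("Tunnel-Private-Group-Id %r is not a VLAN ID" % group)
    return (int(group), []) if not problems else (None, problems)


def response_authenticator_ok(response, request_authenticator, secret):
    """RFC 2865 s3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    A NAS that skips this check would accept an Access-Accept from any host able to reach it."""
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return expected == response[4:20]


def build_access_accept(ident, authenticator, avps):
    """Assemble a packet from (type, raw_value) pairs; used here to rebuild the captured reply."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in avps)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body)) + authenticator + body


def sign_access_accept(ident, request_authenticator, secret, avps):
    """Build an Access-Accept whose authenticator is computed as the server would compute it."""
    unsigned = build_access_accept(ident, b"\x00" * 16, avps)
    auth = hashlib.md5(unsigned[:4] + request_authenticator + unsigned[20:] + secret).digest()
    return unsigned[:4] + auth + unsigned[20:]


# Rebuilt from the AVPs in the post's tcpdump: id 0, length 35, same authenticator.
CAPTURED_AVPS = [
    (TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
    (TUNNEL_PRIVATE_GROUP_ID, b"3"),
    (TUNNEL_MEDIUM_TYPE, b"\x00" + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")),
]
CAPTURED_ACCEPT = build_access_accept(0, bytes.fromhex("ef9458c3f62b4a81321c148d229cfa24"), CAPTURED_AVPS)

# Constructed sample values (no request was captured in the post); the secret is the placeholder
# string that appears in the post's PacketFence switch group, not a real secret.
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_SECRET = b"RadiusPassword"

if __name__ == "__main__":
    print(len(CAPTURED_ACCEPT), vlan_assignment(CAPTURED_ACCEPT))
    signed = sign_access_accept(0, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET, CAPTURED_AVPS)
    print(response_authenticator_ok(signed, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET))
```

Running it against the rebuilt capture confirms the reply is well formed and carries VLAN 3 with matching tags, which is the same conclusion the switch syslog reaches; that narrows the problem in the post to what the switch does with the assignment (port mode, hybrid VLAN membership, MAC-VLAN handling) rather than to the RADIUS exchange itself. The authenticator check is the piece worth keeping in any NAC lab tooling, since a reply that decodes correctly but fails it should never be trusted.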
