Hello Oscar,
What happens if you configure a switch port in VLAN 3 and plug a
device in? Does it receive an IP address?
Regards
Fabrice
On 18-10-24 at 05:58, Oscar Nogales via PacketFence-users wrote:
Hi !
Does anyone with this switch model have a working 802.1x+MAB setup with
PacketFence?
I have a 5 floor building with this model and I need to make it work.
Thanks.
--
Oscar Nogales
Communications and Security Specialist
On Wed, Oct 17, 2018 at 17:25, Oscar Nogales ([email protected]) wrote:
Hi everyone,
I'm working on a NAC deployment with PacketFence in offline mode.
I have 802.1x authentication working, but I want to do the MAC
address authentication failover in case no 802.1x agent is
connected to the switch.
All my switches are HPE V1910-48G Switch with Software Version
Release 1519P03 (last version on HP website).
Apparently all is working: the switch sends PacketFence the
MAC address as username and password, the RADIUS server authenticates it
correctly and sends back the response with the correct attributes:
Tunnel-Type = VLAN
Tunnel-Private-Group-Id = "3"
Tunnel-Medium-Type = IEEE-802
The switch registers in its log that the user is authenticated and
the VLAN is 3. But the PC has no connection: it doesn't get any IP by
DHCP (there is DHCP on VLAN 3), and if I configure a static IP
address, I cannot reach any other IP on the VLAN (it is as if the
switch blocks my packets).
This is the configuration of the HP Switch:
#
port-security enable
#
dot1x timer tx-period 10
dot1x timer supp-timeout 10
dot1x authentication-method eap
#
#
mac-authentication domain macauth.local
mac-authentication user-name-format mac-address with-hyphen
#
domain macauth.local
authentication default radius-scheme radiusnac
authentication lan-access radius-scheme radiusnac
authorization lan-access radius-scheme radiusnac
access-limit disable
state active
idle-cut disable
self-service-url disable
#
domain mydomain
authentication lan-access radius-scheme radiusnac
authorization lan-access radius-scheme radiusnac
access-limit disable
state active
idle-cut disable
self-service-url disable
#
radius scheme radiusnac
primary authentication 10.0.10.220
key authentication cipher $c$3$ZFDWjqDlNi7UGtNNLnrRiL+w/7MTioLgW3p0Ds1617Xc
security-policy-server 10.0.10.220
user-name-format keep-original
nas-ip 172.18.1.19
#
#
interface GigabitEthernet1/0/16
port link-type hybrid
port hybrid vlan 1 3 117 untagged
port hybrid pvid vlan 117
mac-vlan enable
stp edged-port enable
mac-authentication max-user 2
mac-authentication host-mode multi-vlan
port-security port-mode userlogin-secure-or-mac
dot1x re-authenticate
dot1x guest-vlan 117
undo dot1x handshake
undo dot1x multicast-trigger
#
snmp-agent community read myreadcommunity
snmp-agent community write mywritecommunity mib-view All
snmp-agent target-host trap address udp-domain 10.0.10.220 params securityname NAC v2c
#
And this is the configuration in PacketFence:
[172.18.1.19]
description=sw19_test
group=RoverMotta-HP
deauthMethod=SNMP
GR_NAC_Rmotta_vlan20Vlan=20
GR_NAC_Rmotta_vlan3Vlan=3
type=H3C::S5120
cliPwd=supersecurepass
cliUser=admin
cliEnablePwd=megasecurepass
useCoA=N
[group RoverMotta-HP]
description=1910
SNMPCommunityRead=myreadcommunity
SNMPCommunityWrite=mywritecommunity
isolationVlan=118
radiusSecret=RadiusPassword
SNMPVersion=2c
registrationVlan=117
defaultVlan=3
And here are the logs showing that MAB is working:
[radius.log]
Oct 17 15:54:00 censvnac auth[12460]: [mac:f0:de:f1:3c:7b:c3]
Accepted user: and returned VLAN 3
Oct 17 15:54:00 censvnac auth[12460]: (854) Login OK:
[[email protected]] (from client 172.18.1.19 port
16842869 cli f0:de:f1:3c:7b:c3)
[packetfence.log]
Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262)
INFO: [mac:f0:de:f1:3c:7b:c3] handling radius autz request: from
switch_ip => (172.18.1.19), connection_type =>
WIRED_MAC_AUTH,switch_mac => (Unknown), mac =>
[f0:de:f1:3c:7b:c3], port => 16, username =>
"[email protected]" (pf::radius::authorize)
Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262)
INFO: [mac:f0:de:f1:3c:7b:c3] Instantiate profile 802.1x
(pf::Connection::ProfileFactory::_from_profile)
Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262)
INFO: [mac:f0:de:f1:3c:7b:c3] Connection type is WIRED_MAC_AUTH.
Getting role from node_info (pf::role::getRegisteredRole)
Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262)
INFO: [mac:f0:de:f1:3c:7b:c3] Username was defined
"[email protected]" - returning role
'GR_NAC_Rmotta_vlan3' (pf::role::getRegisteredRole)
Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262)
INFO: [mac:f0:de:f1:3c:7b:c3] PID: "default", Status: reg Returned
VLAN: (undefined), Role: GR_NAC_Rmotta_vlan3
(pf::role::fetchRoleForNode)
Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262)
INFO: [mac:f0:de:f1:3c:7b:c3] (172.18.1.19) Added VLAN 3 to the
returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262)
INFO: [mac:f0:de:f1:3c:7b:c3] violation 1300003 force-closed for
f0:de:f1:3c:7b:c3 (pf::violation::violation_force_close)
Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262)
INFO: [mac:f0:de:f1:3c:7b:c3] Instantiate profile 802.1x
(pf::Connection::ProfileFactory::_from_profile)
Oct 17 15:54:09 censvnac pfqueue: pfqueue(29881) WARN:
[mac:34:e6:ad:81:f7:a4] Unable to perform a Fingerbank lookup for
device with MAC address '34:e6:ad:81:f7:a4' (pf::fingerbank::process)
[tcpdump on packetfence with the radius response]
Frame 6: 77 bytes on wire (616 bits), 77 bytes captured (616 bits)
Ethernet II, Src: Vmware_1d:6e:98 (00:0c:29:1d:6e:98), Dst:
Tecnomen_11:08:e6 (00:e0:20:11:08:e6)
Internet Protocol Version 4, Src: 10.0.10.220, Dst: 172.18.1.19
User Datagram Protocol, Src Port: 1812, Dst Port: 2413
Source Port: 1812
Destination Port: 2413
Length: 43
Checksum: 0xc23d [unverified]
[Checksum Status: Unverified]
[Stream index: 0]
RADIUS Protocol
Code: Access-Accept (2)
Packet identifier: 0x0 (0)
Length: 35
Authenticator: ef9458c3f62b4a81321c148d229cfa24
[This is a response to a request in frame 1]
[Time from request: 0.232739000 seconds]
Attribute Value Pairs
AVP: t=Tunnel-Type(64) l=6 Tag=0x00 val=VLAN(13)
AVP: t=Tunnel-Private-Group-Id(81) l=3 val=3
AVP: t=Tunnel-Medium-Type(65) l=6 Tag=0x00 val=IEEE-802(6)
[HP 1920 syslog]
Apr 26 16:01:27:374
2000PORTSECInformationPORTSEC_MACAUTH_LOGIN_SUCC-IfName=GigabitEthernet1/0/16-MACAddr=F0:DE:F1:3C:7B:C3-VlanId=3-UserName=f0-de-f1-3c-7b-c3-UserNameFormat=MAC
address; The user passed MAC address authentication and got online
successfully.
Apr 26 16:01:25:903 2000MSTPInformationMSTP_FORWARDINGInstance 0's
port GigabitEthernet1/0/16 has been set to forwarding state.
Does anybody have a working configuration with the HP1920 switch and
802.1x + MAC authentication? With the information provided above,
does any of you have a clue about what is going on?
Thanks in advance. I will continue doing tests and I'll update if I
have any news.
Regards.
--
Oscar Nogales
Communications and Security Specialist
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
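As an added example (not code from this thread or from PacketFence), here is a small Python encoder/decoder for the Access-Accept shown in the tcpdump above: it rebuilds the 35-byte reply with the three tunnel AVPs, decodes them by the RFC 2868 tagging rules (a first octet above 0x1F in Tunnel-Private-Group-Id is data, so the "3" is untagged), and only yields a VLAN when Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id are all present, carry the same tag and have the expected values, which is the consistency check a switch applies before moving the port. The authenticator bytes are copied from the capture; the packet itself is constructed.

```python
import struct

# Constructed Access-Accept mirroring the capture in the post: code 2, id 0, length 35.
AUTHENTICATOR = bytes.fromhex("ef9458c3f62b4a81321c148d229cfa24")
ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def build_access_accept(ident: int, vlan: str, tag: int = 0) -> bytes:
    """Encode the three RFC 2868 tunnel AVPs in the order the capture shows them."""
    avps = (
        bytes([TUNNEL_TYPE, 6, tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
        + bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(vlan)]) + vlan.encode()
        + bytes([TUNNEL_MEDIUM_TYPE, 6, tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
    )
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(avps)) + AUTHENTICATOR + avps


def parse_radius(pkt: bytes):
    """Return (code, {attr_type: (tag, value)}); raise ValueError on malformed input."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("RADIUS length field does not match datagram")
    attrs, off = {}, 20
    while off < length:
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("bad AVP length")
        val = pkt[off + 2:off + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            attrs[atype] = (val[0], int.from_bytes(val[1:], "big"))  # tag + 3-byte integer
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first octet above 0x1F is data, not a tag, so "3" (0x33) is untagged
            tag, data = (val[0], val[1:]) if val and val[0] <= 0x1F else (0, val)
            attrs[atype] = (tag, data.decode())
        off += alen
    return code, attrs


def vlan_from_accept(pkt: bytes):
    """VLAN id a switch should apply, or None if the reply carries no consistent set."""
    code, attrs = parse_radius(pkt)
    if code != ACCESS_ACCEPT:
        return None
    tt, tm, tg = (attrs.get(a) for a in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID))
    if not (tt and tm and tg) or tt[1] != TUNNEL_TYPE_VLAN or tm[1] != TUNNEL_MEDIUM_IEEE_802:
        return None
    if not (tt[0] == tm[0] == tg[0]):  # all three AVPs must belong to the same tag group
        return None
    return int(tg[1]) if tg[1].isdigit() else None
```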