Hi Fabrice, yes, if I configure VLAN 3 directly on the port, I receive an IP address.

Yesterday I finally found the problem: it was the "mac-vlan enable" attribute on the interface. This configuration does exactly the opposite: if it is enabled, the switch does not assign the VLAN to the port. I just removed this configuration, and MAB started to work. So the correct configuration per interface is:

interface GigabitEthernet1/0/16
 port link-type hybrid
 port hybrid vlan 1 3 117 untagged
 port hybrid pvid vlan 117
 stp edged-port enable
 mac-authentication max-user 2
 mac-authentication host-mode multi-vlan
 port-security port-mode userlogin-secure-or-mac
 dot1x re-authenticate
 dot1x guest-vlan 117
 undo dot1x handshake
 undo dot1x multicast-trigger

So now I have a full 802.1x and MAC authentication failover working perfectly on HP1920 switches. I hope that my configuration will help others with the same problem.

Regards.

--
Oscar Nogales
Communications and Security Specialist
Infrastructure Management
Brújula
Tel. 971.433.909 – Fax. 971.433.910
Twitter: @brujula_talk
www.facebook.com/brujula.es
www.brujula.es

On Fri, 26 Oct 2018 at 03:27, Durand fabrice via PacketFence-users (<[email protected]>) wrote:

> Hello Oscar,
>
> What happens if you configure a switch port in VLAN 3 and you plug a device in, does it receive an IP address?
>
> Regards
>
> Fabrice
>
> On 2018-10-24 at 05:58, Oscar Nogales via PacketFence-users wrote:
>
> Hi!
>
> Anyone with this switch model that has a working 802.1x+MAB with PacketFence?
>
> I have a 5-floor building with this model and I need to make it work.
>
> Thanks.
>
> --
> Oscar Nogales
> Communications and Security Specialist
>
> On Wed, 17 Oct 2018 at 17:25, Oscar Nogales (<[email protected]>) wrote:
>
>> Hi everyone,
>>
>> I'm working on a NAC deployment with PacketFence in offline mode. I have 802.1x authentication working, but I want to do the MAC address authentication failover in case no 802.1x agent is connected to the switch.
>>
>> All my switches are HPE V1910-48G Switch with Software Version Release 1519P03 (last version on the HP website).
>>
>> Apparently everything is working: the switch sends PacketFence the MAC address as username and password, the RADIUS server authenticates it correctly and sends back the response with the correct attributes:
>> Tunnel-Type = VLAN
>> Tunnel-Private-Group-Id = "3"
>> Tunnel-Medium-Type = IEEE-802
>>
>> The switch registers in its log that the user is authenticated and the VLAN is 3. But the PC has no connection: it doesn't get any IP by DHCP (there is DHCP on VLAN 3), and if I configure a static IP address, I cannot reach any other IP on the VLAN (it is as if the switch blocks my packets).
>>
>> This is the configuration of the HP switch:
>>
>> #
>> port-security enable
>> #
>> dot1x timer tx-period 10
>> dot1x timer supp-timeout 10
>> dot1x authentication-method eap
>> #
>> #
>> mac-authentication domain macauth.local
>> mac-authentication user-name-format mac-address with-hyphen
>> #
>> domain macauth.local
>>  authentication default radius-scheme radiusnac
>>  authentication lan-access radius-scheme radiusnac
>>  authorization lan-access radius-scheme radiusnac
>>  access-limit disable
>>  state active
>>  idle-cut disable
>>  self-service-url disable
>> #
>> domain mydomain
>>  authentication lan-access radius-scheme radiusnac
>>  authorization lan-access radius-scheme radiusnac
>>  access-limit disable
>>  state active
>>  idle-cut disable
>>  self-service-url disable
>> #
>> radius scheme radiusnac
>>  primary authentication 10.0.10.220
>>  key authentication cipher $c$3$ZFDWjqDlNi7UGtNNLnrRiL+w/7MTioLgW3p0Ds1617Xc
>>  security-policy-server 10.0.10.220
>>  user-name-format keep-original
>>  nas-ip 172.18.1.19
>> #
>> #
>> interface GigabitEthernet1/0/16
>>  port link-type hybrid
>>  port hybrid vlan 1 3 117 untagged
>>  port hybrid pvid vlan 117
>>  mac-vlan enable
>>  stp edged-port enable
>>  mac-authentication max-user 2
>>  mac-authentication host-mode multi-vlan
>>  port-security port-mode userlogin-secure-or-mac
>>  dot1x re-authenticate
>>  dot1x guest-vlan 117
>>  undo dot1x handshake
>>  undo dot1x multicast-trigger
>> #
>> snmp-agent community read myreadcommunity
>> snmp-agent community write mywritecommunity mib-view All
>> snmp-agent target-host trap address udp-domain 10.0.10.220 params securityname NAC v2c
>> #
>>
>> And this is the configuration on PacketFence:
>>
>> [172.18.1.19]
>> description=sw19_test
>> group=RoverMotta-HP
>> deauthMethod=SNMP
>> GR_NAC_Rmotta_vlan20Vlan=20
>> GR_NAC_Rmotta_vlan3Vlan=3
>> type=H3C::S5120
>> cliPwd=supersecurepass
>> cliUser=admin
>> cliEnablePwd=megasecurepass
>> useCoA=N
>>
>> [group RoverMotta-HP]
>> description=1910
>> SNMPCommunityRead=myreadcommunity
>> SNMPCommunityWrite=mywritecommunity
>> isolationVlan=118
>> radiusSecret=RadiusPassword
>> SNMPVersion=2c
>> registrationVlan=117
>> defaultVlan=3
>>
>> And here are the logs that show that MAB is working:
>>
>> [radius.log]
>> Oct 17 15:54:00 censvnac auth[12460]: [mac:f0:de:f1:3c:7b:c3] Accepted user: and returned VLAN 3
>> Oct 17 15:54:00 censvnac auth[12460]: (854) Login OK: [[email protected]] (from client 172.18.1.19 port 16842869 cli f0:de:f1:3c:7b:c3)
>>
>> [packetfence.log]
>> Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262) INFO: [mac:f0:de:f1:3c:7b:c3] handling radius autz request: from switch_ip => (172.18.1.19), connection_type => WIRED_MAC_AUTH,switch_mac => (Unknown), mac => [f0:de:f1:3c:7b:c3], port => 16, username => "[email protected]" (pf::radius::authorize)
>> Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262) INFO: [mac:f0:de:f1:3c:7b:c3] Instantiate profile 802.1x (pf::Connection::ProfileFactory::_from_profile)
>> Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262) INFO: [mac:f0:de:f1:3c:7b:c3] Connection type is WIRED_MAC_AUTH. Getting role from node_info (pf::role::getRegisteredRole)
>> Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262) INFO: [mac:f0:de:f1:3c:7b:c3] Username was defined "[email protected]" - returning role 'GR_NAC_Rmotta_vlan3' (pf::role::getRegisteredRole)
>> Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262) INFO: [mac:f0:de:f1:3c:7b:c3] PID: "default", Status: reg Returned VLAN: (undefined), Role: GR_NAC_Rmotta_vlan3 (pf::role::fetchRoleForNode)
>> Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262) INFO: [mac:f0:de:f1:3c:7b:c3] (172.18.1.19) Added VLAN 3 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
>> Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262) INFO: [mac:f0:de:f1:3c:7b:c3] violation 1300003 force-closed for f0:de:f1:3c:7b:c3 (pf::violation::violation_force_close)
>> Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262) INFO: [mac:f0:de:f1:3c:7b:c3] Instantiate profile 802.1x (pf::Connection::ProfileFactory::_from_profile)
>> Oct 17 15:54:09 censvnac pfqueue: pfqueue(29881) WARN: [mac:34:e6:ad:81:f7:a4] Unable to perform a Fingerbank lookup for device with MAC address '34:e6:ad:81:f7:a4' (pf::fingerbank::process)
>>
>> [tcpdump on packetfence with the radius response]
>> Frame 6: 77 bytes on wire (616 bits), 77 bytes captured (616 bits)
>> Ethernet II, Src: Vmware_1d:6e:98 (00:0c:29:1d:6e:98), Dst: Tecnomen_11:08:e6 (00:e0:20:11:08:e6)
>> Internet Protocol Version 4, Src: 10.0.10.220, Dst: 172.18.1.19
>> User Datagram Protocol, Src Port: 1812, Dst Port: 2413
>>     Source Port: 1812
>>     Destination Port: 2413
>>     Length: 43
>>     Checksum: 0xc23d [unverified]
>>     [Checksum Status: Unverified]
>>     [Stream index: 0]
>> RADIUS Protocol
>>     Code: Access-Accept (2)
>>     Packet identifier: 0x0 (0)
>>     Length: 35
>>     Authenticator: ef9458c3f62b4a81321c148d229cfa24
>>     [This is a response to a request in frame 1]
>>     [Time from request: 0.232739000 seconds]
>>     Attribute Value Pairs
>>         AVP: t=Tunnel-Type(64) l=6 Tag=0x00 val=VLAN(13)
>>         AVP: t=Tunnel-Private-Group-Id(81) l=3 val=3
>>         AVP: t=Tunnel-Medium-Type(65) l=6 Tag=0x00 val=IEEE-802(6)
>>
>> [HP 1920 syslog]
>> Apr 26 16:01:27:374 2000 PORTSEC Information PORTSEC_MACAUTH_LOGIN_SUCC -IfName=GigabitEthernet1/0/16-MACAddr=F0:DE:F1:3C:7B:C3-VlanId=3-UserName=f0-de-f1-3c-7b-c3-UserNameFormat=MAC address; The user passed MAC address authentication and got online successfully.
>> Apr 26 16:01:25:903 2000 MSTP Information MSTP_FORWARDING Instance 0's port GigabitEthernet1/0/16 has been set to forwarding state.
>>
>> Does anybody have a working configuration with an HP1920 switch and 802.1x + MAC authentication? With the information provided above, does any of you have any clue about what is going on?
>>
>> Thanks in advance. I will continue testing and I'll update if I have any news.
>>
>> Regards.
>>
>> --
>> Oscar Nogales
>> Communications and Security Specialist
>>

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
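A small config check for the pitfall found in this thread, added here as an example and not code from the thread or from PacketFence: it parses Comware-style interface blocks, flags any MAB-enabled port that still has "mac-vlan enable" set, and verifies that the VLAN PacketFence will return (3 here) is actually permitted on the hybrid port. The sample config is constructed from the interface block in the original post; the function names are my own.

```python
import re
# Constructed sample (not a live device dump): the GigabitEthernet1/0/16 block
# from the original post, with the 'mac-vlan enable' line that broke MAB.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/16
 port link-type hybrid
 port hybrid vlan 1 3 117 untagged
 port hybrid pvid vlan 117
 mac-vlan enable
 mac-authentication max-user 2
 mac-authentication host-mode multi-vlan
 port-security port-mode userlogin-secure-or-mac
#
"""

def parse_interfaces(config):
    """Split a Comware config into {interface_name: [lines]}; '#' ends a block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line == "#":
            current = None
        elif current is not None and line:
            blocks[current].append(line)
    return blocks

def expand_vlan_list(spec):
    """Expand a Comware VLAN list such as '1 3 10 to 12' into a set of ints."""
    vlans = set()
    for part in re.findall(r"\d+(?: to \d+)?", spec):
        lo, _, hi = part.partition(" to ")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def lint_mab_port(lines, authorized_vlan):
    """Findings for one interface that should honour a RADIUS-assigned VLAN."""
    findings = []
    uses_mab = any(l.startswith("mac-authentication") for l in lines)
    if uses_mab and "mac-vlan enable" in lines:
        findings.append("mac-vlan enable set: RADIUS-assigned VLAN is not applied")
    allowed = set()  # VLANs the hybrid port is allowed to carry
    for l in lines:
        m = re.match(r"port hybrid vlan (.+) (?:un)?tagged$", l)
        if m:
            allowed |= expand_vlan_list(m.group(1))
    if uses_mab and authorized_vlan not in allowed:
        findings.append(f"VLAN {authorized_vlan} is not permitted on the hybrid port")
    return findings
```

Run it over a saved "display current-configuration" dump to catch the same misconfiguration on other ports before rolling the working template out to the whole building.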
