Fabrice,
I've attached the relevant part of the packetfence.log. Some of the information has been masked. The MAC "35:aa" is a laptop with the 802.1x supplicant configured with a username and password from our Active Directory. The MAC "39:46" is a VoIP phone with no 802.1x capability that is falling back to MAB authentication.

Ludovic,
In this case it is a Dell N2024P and I'm using the "Dell::N1500" type when I added it to PacketFence. I also have a Cisco 2960 that I can test with.

Thanks,
--
ANTON CASTELLI
Network Engineer IV
INFORMATION TECHNOLOGY
MAIL CODE 4622
SOUTHERN ILLINOIS UNIVERSITY
625 WHAM DRIVE
CARBONDALE, ILLINOIS 62901
[email protected]
P: 618/453-6424
OIT.SIU.EDU <http://oit.siu.edu/networkengineering>

________________________________
From: Ludovic Zammit <[email protected]>
Sent: Friday, December 7, 2018 6:46:07 AM
To: Anton Castelli
Cc: [email protected]
Subject: Re: [PacketFence-users] VLAN Assignment for MAB clients

Hello Anton,

Which kind of switch / network equipment are you using for the authentication?

Thanks,
Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

On Dec 6, 2018, at 3:03 PM, Anton Castelli via PacketFence-users <[email protected]> wrote:

I'm pretty new to PacketFence. I have a demo server set up and working. It authenticates 802.1x clients against our Active Directory, can assign them a role based on their LDAP group, and can assign them a VLAN based on their role.

Non-802.1x devices that fall back to MAB can also authenticate once I've manually registered the device. I can also set a role manually for the device. However, the VLAN assignment for that role is not passed back to the switch.

I've confirmed that the VLAN assignment for that role is working. I put an 802.1x client in that role and the VLAN assignment works. A MAB client in the same role on the same switch will not have a VLAN assignment passed back to the switch.

RADIUS response for 802.1x client:
<8021x.png>

RADIUS response for MAB client:
<mab.png>

Is there a way to configure PacketFence to assign a VLAN on the switch for a MAB client?

Thanks,
--
ANTON CASTELLI
Network Engineer IV
INFORMATION TECHNOLOGY
MAIL CODE 4622
SOUTHERN ILLINOIS UNIVERSITY
625 WHAM DRIVE
CARBONDALE, ILLINOIS 62901
[email protected]
P: 618/453-6424
OIT.SIU.EDU <http://oit.siu.edu/networkengineering>

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Dec 6 11:53:24 devpf packetfence_httpd.aaa: httpd.aaa(17323) INFO: [mac:00:00:00:00:35:aa] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Dec 6 11:53:24 devpf packetfence_httpd.aaa: httpd.aaa(21301) INFO: [mac:00:00:00:00:39:46] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Dec 6 11:54:00 devpf packetfence_httpd.aaa: httpd.aaa(17322) INFO: [mac:00:00:00:00:35:aa] handling radius autz request: from switch_ip => (X.X.X.X), connection_type => Ethernet-EAP,switch_mac => (00:00:00:00:91:d2), mac => [00:00:00:00:35:aa], port => 23, username => "AD_USER" (pf::radius::authorize)
Dec 6 11:54:00 devpf packetfence_httpd.aaa: httpd.aaa(17322) INFO: [mac:00:00:00:00:35:aa] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Dec 6 11:54:00 devpf packetfence_httpd.aaa: httpd.aaa(17322) INFO: [mac:00:00:00:00:35:aa] Found authentication source(s) : 'local,neteng-ad,default_AD' for realm 'ad' (pf::config::util::filter_authentication_sources)
Dec 6 11:54:00 devpf packetfence_httpd.aaa: httpd.aaa(17322) WARN: [mac:00:00:00:00:35:aa] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match2)
Dec 6 11:54:00 devpf packetfence_httpd.aaa: httpd.aaa(17322) INFO: [mac:00:00:00:00:35:aa] Using sources local, neteng-ad, default_AD for matching (pf::authentication::match2)
Dec 6 11:54:00 devpf packetfence_httpd.aaa: httpd.aaa(17322) INFO: [mac:00:00:00:00:35:aa] Matched rule (neteng) in source neteng-ad, returning actions. (pf::Authentication::Source::match_rule)
Dec 6 11:54:00 devpf packetfence_httpd.aaa: httpd.aaa(17322) INFO: [mac:00:00:00:00:35:aa] Matched rule (neteng) in source neteng-ad, returning actions. (pf::Authentication::Source::match)
Dec 6 11:54:00 devpf packetfence_httpd.aaa: httpd.aaa(17322) INFO: [mac:00:00:00:00:35:aa] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
Dec 6 11:54:00 devpf packetfence_httpd.aaa: httpd.aaa(17322) INFO: [mac:00:00:00:00:35:aa] Username was defined "AD_USER" - returning role 'neteng' (pf::role::getRegisteredRole)
Dec 6 11:54:00 devpf packetfence_httpd.aaa: httpd.aaa(17322) INFO: [mac:00:00:00:00:35:aa] PID: "AD_USER", Status: reg Returned VLAN: (undefined), Role: neteng (pf::role::fetchRoleForNode)
Dec 6 11:54:00 devpf packetfence_httpd.aaa: httpd.aaa(17322) INFO: [mac:00:00:00:00:35:aa] (X.X.X.X) Added VLAN 57 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Dec 6 11:54:00 devpf packetfence_httpd.aaa: httpd.aaa(17322) INFO: [mac:00:00:00:00:35:aa] violation 1300003 force-closed for 00:00:00:00:35:aa (pf::violation::violation_force_close)
Dec 6 11:54:00 devpf packetfence_httpd.aaa: httpd.aaa(17322) INFO: [mac:00:00:00:00:35:aa] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Dec 6 11:54:00 devpf pfqueue: pfqueue(11129) INFO: [mac:unknown] Already did a person lookup for AD_USER (pf::lookup::person::lookup_person)
Dec 6 11:54:00 devpf packetfence_httpd.aaa: httpd.aaa(21342) INFO: [mac:00:00:00:00:39:46] Updating locationlog from accounting request (pf::api::handle_accounting_metadata)
Dec 6 11:54:35 devpf packetfence_httpd.aaa: httpd.aaa(21301) INFO: [mac:00:00:00:00:39:46] handling radius autz request: from switch_ip => (X.X.X.X), connection_type => Ethernet-EAP,switch_mac => (00:00:00:00:91:d2), mac => [00:00:00:00:39:46], port => 23, username => "00:00:00:00:39:46" (pf::radius::authorize)
Dec 6 11:54:35 devpf packetfence_httpd.aaa: httpd.aaa(21301) INFO: [mac:00:00:00:00:39:46] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Dec 6 11:54:35 devpf packetfence_httpd.aaa: httpd.aaa(21301) INFO: [mac:00:00:00:00:39:46] Found authentication source(s) : 'local,neteng-ad,default_AD' for realm 'null' (pf::config::util::filter_authentication_sources)
Dec 6 11:54:35 devpf packetfence_httpd.aaa: httpd.aaa(21301) WARN: [mac:00:00:00:00:39:46] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match2)
Dec 6 11:54:35 devpf packetfence_httpd.aaa: httpd.aaa(21301) INFO: [mac:00:00:00:00:39:46] Using sources local, neteng-ad, default_AD for matching (pf::authentication::match2)
Dec 6 11:54:36 devpf packetfence_httpd.aaa: httpd.aaa(21301) INFO: [mac:00:00:00:00:39:46] LDAP testing connection (pf::LDAP::expire_if)
Dec 6 11:54:36 devpf packetfence_httpd.aaa: httpd.aaa(21301) INFO: [mac:00:00:00:00:39:46] violation 1300003 force-closed for 00:00:00:00:39:46 (pf::violation::violation_force_close)
Dec 6 11:54:36 devpf packetfence_httpd.aaa: httpd.aaa(21301) INFO: [mac:00:00:00:00:39:46] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Dec 6 11:54:36 devpf pfqueue: pfqueue(11036) INFO: [mac:unknown] undefined source id provided (pf::lookup::person::lookup_person)
Dec 6 11:54:36 devpf packetfence_httpd.aaa: httpd.aaa(17320) INFO: [mac:00:00:00:00:35:aa] Updating locationlog from accounting request (pf::api::handle_accounting_metadata)
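
The side-by-side comparison made in the thread above, as an added example (not part of the original messages and not PacketFence code): a Python script that reads packetfence.log lines in the format of the excerpt and reports, for each RADIUS authorization request, the connection type the server logged, whether a role was fetched, and whether a VLAN was added to the Access-Accept. The sample lines are abridged from the masked excerpt; the function names are hypothetical.

```python
import re

# Constructed sample: lines abridged from the masked packetfence.log excerpt above.
SAMPLE_LOG = '''\
Dec 6 11:54:00 devpf packetfence_httpd.aaa: httpd.aaa(17322) INFO: [mac:00:00:00:00:35:aa] handling radius autz request: from switch_ip => (X.X.X.X), connection_type => Ethernet-EAP,switch_mac => (00:00:00:00:91:d2), mac => [00:00:00:00:35:aa], port => 23, username => "AD_USER" (pf::radius::authorize)
Dec 6 11:54:00 devpf packetfence_httpd.aaa: httpd.aaa(17322) INFO: [mac:00:00:00:00:35:aa] PID: "AD_USER", Status: reg Returned VLAN: (undefined), Role: neteng (pf::role::fetchRoleForNode)
Dec 6 11:54:00 devpf packetfence_httpd.aaa: httpd.aaa(17322) INFO: [mac:00:00:00:00:35:aa] (X.X.X.X) Added VLAN 57 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Dec 6 11:54:00 devpf packetfence_httpd.aaa: httpd.aaa(21342) INFO: [mac:00:00:00:00:39:46] Updating locationlog from accounting request (pf::api::handle_accounting_metadata)
Dec 6 11:54:35 devpf packetfence_httpd.aaa: httpd.aaa(21301) INFO: [mac:00:00:00:00:39:46] handling radius autz request: from switch_ip => (X.X.X.X), connection_type => Ethernet-EAP,switch_mac => (00:00:00:00:91:d2), mac => [00:00:00:00:39:46], port => 23, username => "00:00:00:00:39:46" (pf::radius::authorize)
Dec 6 11:54:36 devpf packetfence_httpd.aaa: httpd.aaa(21301) INFO: [mac:00:00:00:00:39:46] violation 1300003 force-closed for 00:00:00:00:39:46 (pf::violation::violation_force_close)
'''

LINE = re.compile(r"httpd\.aaa\((?P<pid>\d+)\) \w+: \[mac:(?P<mac>[0-9a-f:]{17})\] (?P<msg>.*)")
AUTZ = re.compile(r'handling radius autz request: .*connection_type => (?P<ctype>[\w-]+),.*username => "(?P<user>[^"]*)"')
ROLE = re.compile(r"Role: (?P<role>\S+) \(pf::role::fetchRoleForNode\)")
VLAN = re.compile(r"Added VLAN (?P<vlan>\d+) to the returned RADIUS Access-Accept")

def summarize(log_text):
    """Return one dict per 'handling radius autz request' entry, in log order."""
    requests, current = [], {}  # current maps (pid, mac) to the request being filled in
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # pfqueue and other non-httpd.aaa lines are ignored
        key, msg = (m["pid"], m["mac"]), m["msg"]
        a = AUTZ.search(msg)
        if a:
            req = {"mac": m["mac"], "connection_type": a["ctype"],
                   "username_is_mac": a["user"].lower() == m["mac"],
                   "role": None, "vlan": None}
            current[key] = req
            requests.append(req)
        elif key in current:
            r, v = ROLE.search(msg), VLAN.search(msg)
            if r:
                current[key]["role"] = r["role"]
            if v:
                current[key]["vlan"] = int(v["vlan"])
    return requests

def missing_vlan(requests):
    """MACs of requests with no 'Added VLAN' entry logged after them."""
    return [r["mac"] for r in requests if r["vlan"] is None]

if __name__ == "__main__":
    for req in summarize(SAMPLE_LOG):
        print(req)
```

On the sample, the phone's request is the only one returned by `missing_vlan`, and its summary shows no `fetchRoleForNode` entry and the same logged `connection_type` as the laptop's request.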
