Re: [PacketFence-users] VLAN Assignment for MAB clients

Fri, 07 Dec 2018 19:07:05 -0800 

Hello Anton,
as i can see both are doing 802.1x (Ethernet-EAP) but i suspect that the phone is doing eap-md5 and not pap. 


Can you try to add that in the switch interface config:

default mab pap



Also i did some change with a client to have a better support with VoIP 
on the Dell switches (you need to configure snmp to allow PacketFence to 
do some requests):


https://github.com/inverse-inc/packetfence/compare/feature/DELL_lldp.diff


If you want to try you just have to do the following:

cd /usr/local/pf


curl 
https://github.com/inverse-inc/packetfence/compare/feature/DELL_lldp.diff| 
patch -p1 --dry-run


If there is no error:


curl 
https://github.com/inverse-inc/packetfence/compare/feature/DELL_lldp.diff| 
patch -p1



Then restart packetfence.

Regards

Fabrice



Le 18-12-07 à 09 h 29, Anton Castelli via PacketFence-users a écrit :


Fabrice,



I've attached the relevant part of the packetfence.log. Some of the 
information has been masked. The MAC "35:aa" is a laptop with the 
802.1x supplicant configured with a username and password from our 
Active Directory. The MAC "39:46" is a VoIP phone with no 802.1x 
capability that is falling back to MAB authentication.




Ludovic,


In this case it is a Dell N2024P and I'm using the "Dell::N1500" type 
when I added it to Packetfence. I also have a Cisco 2960 that I can 
test with.


Thanks,


--
ANTON CASTELLI
Network Engineer IV

INFORMATION TECHNOLOGY
MAIL CODE 4622
SOUTHERN ILLINOIS UNIVERSITY
625 WHAM DRIVE
CARBONDALE, ILLINOIS 62901

anton.caste...@siu.edu <mailto:ac14...@siu.edu>
P: 618/453-6424
OIT.SIU.EDU <http://oit.siu.edu/networkengineering>
------------------------------------------------------------------------
*From:* Ludovic Zammit <lzam...@inverse.ca>
*Sent:* Friday, December 7, 2018 6:46:07 AM
*To:* Anton Castelli
*Cc:* packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] VLAN Assignment for MAB clients
Hello Anton,


Which kind of switch / network equipment are you using for the 
authentication ?


Thanks,
Ludovic Zammit
lzam...@inverse.ca  <mailto:lzam...@inverse.ca>  ::  +1.514.447.4918 (x145) ::www.inverse.ca  
<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.inverse.ca&d=DwMFAg&c=jrLYy3FV6j9HoN3FfGW-SLJoSRpiMyAzztY4B1tagEk&r=1NeIC5lqzfQOl-pBhJnTLGgpT5VX6v10JHbD4O5t4oY&m=xHktulKr1ttJHdHBNDsii_Xnel1xaPJq8m6kbEu7JZw&s=AfwUE_8XXB6ecZ9iBn_O8K-QsYjZT_qKmorQrFs66es&e=>
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu  
<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.sogo.nu&d=DwMFAg&c=jrLYy3FV6j9HoN3FfGW-SLJoSRpiMyAzztY4B1tagEk&r=1NeIC5lqzfQOl-pBhJnTLGgpT5VX6v10JHbD4O5t4oY&m=xHktulKr1ttJHdHBNDsii_Xnel1xaPJq8m6kbEu7JZw&s=jP7WC-EZZMrcqkttkFA7Ah8rQlEVsN-7N5AveGbDi4M&e=>)
 and PacketFence (http://packetfence.org  
<https://urldefense.proofpoint.com/v2/url?u=http-3A__packetfence.org&d=DwMFAg&c=jrLYy3FV6j9HoN3FfGW-SLJoSRpiMyAzztY4B1tagEk&r=1NeIC5lqzfQOl-pBhJnTLGgpT5VX6v10JHbD4O5t4oY&m=xHktulKr1ttJHdHBNDsii_Xnel1xaPJq8m6kbEu7JZw&s=0m-A3HXqeSvKmPaXjs16BrLSp4Y4BuX-5x-SXLrrbx4&e=>)





On Dec 6, 2018, at 3:03 PM, Anton Castelli via PacketFence-users 
<packetfence-users@lists.sourceforge.net 
<mailto:packetfence-users@lists.sourceforge.net>> wrote:



I'm pretty new to Packetfence. I have a demo server set up and 
working. It authenticates 802.1x clients against our Active 
Directory, can assign them a role based on their LDAP group, and can 
assign them a VLAN based on their role.



Non-802.1x devices that fall back to MAB can also authenticate 
once I've manually registered the device. I can also set a role 
manually for the device. However, the VLAN assignment for that role 
is not passed back to the switch.



I've confirmed that the VLAN assignment for that role is working. I 
put a 802.1x client in that role and the VLAN assignment works. A MAB 
client in the same role on the same switch will not have a VLAN 
assignment passed back to the switch.


RADIUS response for 802.1x client:

<8021x.png>

RADIUS response for MAB client:

<mab.png>


Is there a way to configure Packetfence to assign a VLAN on the 
switch for a MAB client?


Thanks,

--
ANTON CASTELLI
Network Engineer IV

INFORMATION TECHNOLOGY
MAIL CODE 4622
SOUTHERN ILLINOIS UNIVERSITY
625 WHAM DRIVE
CARBONDALE, ILLINOIS 62901

anton.caste...@siu.edu <mailto:ac14...@siu.edu>
P:618/453-6424 <tel:618/453-6424>
OIT.SIU.EDU <http://oit.siu.edu/networkengineering>
_______________________________________________
PacketFence-users mailing list

PacketFence-users@lists.sourceforge.net 
<mailto:PacketFence-users@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/packetfence-users 
<https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.sourceforge.net_lists_listinfo_packetfence-2Dusers&d=DwMFAg&c=jrLYy3FV6j9HoN3FfGW-SLJoSRpiMyAzztY4B1tagEk&r=1NeIC5lqzfQOl-pBhJnTLGgpT5VX6v10JHbD4O5t4oY&m=xHktulKr1ttJHdHBNDsii_Xnel1xaPJq8m6kbEu7JZw&s=-Lxn4fDJcg2E5fI_p0-u65wEMBwbrTMiQRgV05Hqr2E&e=>




_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users






















					Reply via email to