Hello Adrian,
if the switch sends two Calling-Station-Id attributes, then it's a bug on the switch
side.
But I made a patch in order to test if there are multiple attributes and
test whether one of them is a MAC address.
So go into /usr/local/pf
patch -p1 --dry-run < ./mulpiples_attributes.diff
if there is no error:
patch -p1 < ./mulpiples_attributes.diff
Let me know if it helps.
Regards
Fabrice
On 2019-02-07 at 06:05, Adrian Dessaigne via PacketFence-users wrote:
Hello Fabrice,
In any case, I have reset my switch configuration and reconfigured it as shown in
the Network Device Configuration Guide, Part 4.8.2 2950.
Here is the running-config of my switch:
Current configuration : 2467 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
aaa new-model
aaa group server radius packetfence
server 192.168.1.112 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication dot1x default group packetfence
aaa authorization network default group packetfence
enable password ade
!
username ade privilege 15 password 0 ade
ip subnet-zero
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
dot1x system-auth-control
!
!
interface FastEthernet0/1
!
...
!
interface FastEthernet0/17
switchport mode access
dot1x port-control auto
dot1x host-mode multi-host
dot1x reauthentication
spanning-tree portfast
!
interface FastEthernet0/18
!
...
!
interface Vlan1
ip address 192.168.1.201 255.255.255.0
no ip route-cache
!
ip http server
!
radius-server host 192.168.1.112 auth-port 1812 acct-port 1812 key pf-ade
radius-server retransmit 3
radius-server vsa send authentication
!
line con 0
line vty 0 4
password ade
line vty 5 15
!
end
I've tried to edit the configuration file in sites-enabled, but all changes get
lost on the restart of the service.
To be sure my switch is working correctly, I've installed and configured
FreeRADIUS on a fresh Debian 8 system. After some changes to the switch
configuration, I get an EAP-Success:
Current configuration : 2236 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
enable password ade
!
username ade privilege 15 password 0 ade
ip subnet-zero
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
dot1x system-auth-control
!
!
...
!
interface FastEthernet0/16
!
interface FastEthernet0/17
switchport mode access
dot1x port-control auto
spanning-tree portfast
!
...
!
Interface GigabitEthernet0/2
!
interface Vlan1
ip address 192.168.1.201 255.255.255.0
no ip route-cache
!
ip http server
!
radius-server host 192.168.1.112 auth-port 1812 acct-port 1812 key pf-ade
radius-server retransmit 3
!
line con 0
line vty 0 4
password ade
line vty 5 15
!
end
So I switched back to my system with PF on it and kept this switch
configuration. I tested it: failure.
Checking the log again, I still have two Calling-Station-Id attributes. If it works on a
basic FreeRADIUS configuration, does that mean the issue is with my PF FreeRADIUS?
Best regards
Adrian
----- Original Message -----
From: "packetfence-users" <[email protected]>
To: "packetfence-users" <[email protected]>
Cc: "Durand fabrice" <[email protected]>
Sent: Thursday, 7 February 2019 00:26:02
Subject: Re: [PacketFence-users] Can't link PacketFence with AD Server.
Hello Adrian,
your issue looks to be because you have 2 Calling-Station-Id attributes in the
request.
(33) Wed Feb 6 11:08:00 2019: Debug: Calling-Station-Id = "4\227\366\024I\344"
(33) Wed Feb 6 11:08:00 2019: Debug: Service-Type = Framed-User
(33) Wed Feb 6 11:08:00 2019: Debug: Framed-MTU = 1500
(33) Wed Feb 6 11:08:00 2019: Debug: Calling-Station-Id = "34-97-f6-14-49-e4"
Check the switch config to see if there is a configuration parameter that adds it.
Also, you will be able to remove it with the FreeRADIUS configuration
(raddb/sites-enabled/packetfence).
Regards
Fabrice
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
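A detail worth spelling out from the debug lines quoted above: the first Calling-Station-Id value, "4\227\366\024I\344", is FreeRADIUS printing non-printable octets as octal escapes. Decoding it gives the bytes 34 97 f6 14 49 e4, which is exactly the address in the second value, "34-97-f6-14-49-e4". So the switch sends the same MAC twice, once as six raw octets and once formatted, and code that takes element [0] and feeds it to a MAC cleaner gets the binary form and fails. The following script is an added example, not PacketFence code and not anything from the thread's authors: it parses radiusd -X style lines (the four sample lines are re-typed from the thread, not captured), decodes the debug quoting, recognises both the binary and the usual textual MAC forms, and picks the first usable value, which is the selection the patch below is after. Function names and the exact escape handling are this example's own assumptions.

```python
import re

# Constructed sample: the four FreeRADIUS debug lines quoted in the thread,
# re-typed here (not a capture from the reporter's box).
SAMPLE_DEBUG = r'''
(33) Wed Feb 6 11:08:00 2019: Debug: Calling-Station-Id = "4\227\366\024I\344"
(33) Wed Feb 6 11:08:00 2019: Debug: Service-Type = Framed-User
(33) Wed Feb 6 11:08:00 2019: Debug: Framed-MTU = 1500
(33) Wed Feb 6 11:08:00 2019: Debug: Calling-Station-Id = "34-97-f6-14-49-e4"
'''

# "Debug: <Attribute-Name> = <value>" as printed by radiusd -X
_ATTR_LINE = re.compile(r'Debug:\s+([A-Za-z0-9-]+)\s*=\s*(.+?)\s*$')
# FreeRADIUS prints non-printable octets as \ooo and escapes \ and " with a backslash
_ESCAPE = re.compile(r'\\([0-3][0-7]{2}|.)')


def parse_debug_attributes(text):
    """Collect request attributes from radiusd -X output, keeping every
    occurrence in order: one attribute can be present more than once."""
    attrs = {}
    for line in text.splitlines():
        m = _ATTR_LINE.search(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]          # strings are quoted, numbers are not
        attrs.setdefault(name, []).append(value)
    return attrs


def unescape_debug_string(value):
    """Undo the debug quoting and return the raw octets of the attribute."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(value):
        out += value[pos:m.start()].encode('latin-1')
        esc = m.group(1)
        if len(esc) == 3:
            out.append(int(esc, 8))      # \227 -> 0x97
        else:
            out += {'n': b'\n', 'r': b'\r', 't': b'\t'}.get(esc, esc.encode('latin-1'))
        pos = m.end()
    out += value[pos:].encode('latin-1')
    return bytes(out)


def to_mac(value):
    """Normalize one Calling-Station-Id value to aa:bb:cc:dd:ee:ff.
    Returns None when the value is not a MAC address in any form we accept."""
    raw = unescape_debug_string(value)
    if len(raw) == 6:
        # Every textual MAC form needs at least 12 characters, so exactly six
        # octets can only be the binary (unformatted) address.
        return ':'.join('%02x' % b for b in raw)
    text = raw.decode('ascii', 'replace').lower()
    hexdigits = re.sub(r'[:.\-]', '', text)   # aa-bb-.., aa:bb:.., aabb.ccdd.eeff
    if re.fullmatch(r'[0-9a-f]{12}', hexdigits):
        return ':'.join(hexdigits[i:i + 2] for i in range(0, 12, 2))
    return None


def pick_client_mac(calling_station_ids):
    """Take the first value that is a usable MAC and stop there; None if none is.
    This is the selection the patch aims for, instead of blindly using [0]."""
    for value in calling_station_ids:
        mac = to_mac(value)
        if mac is not None:
            return mac
    return None


def client_mac_from_debug(text):
    attrs = parse_debug_attributes(text)
    return pick_client_mac(attrs.get('Calling-Station-Id', []))


if __name__ == '__main__':
    for value in parse_debug_attributes(SAMPLE_DEBUG)['Calling-Station-Id']:
        print('%-26r -> %s' % (value, to_mac(value)))
    print('client MAC:', client_mac_from_debug(SAMPLE_DEBUG))
```

Run against the sample, both values normalise to 34:97:f6:14:49:e4. Whether you then keep the first hit (as here) or the last one is exactly the kind of decision a fix for this needs to make explicitly, and the empty or all-invalid case should return None rather than a half-cleaned string.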
diff --git a/lib/pf/Switch.pm b/lib/pf/Switch.pm
index 8e94e5642e..ce3989f07b 100644
--- a/lib/pf/Switch.pm
+++ b/lib/pf/Switch.pm
@@ -3035,9 +3035,16 @@ User-Name
sub parseRequest {
my ( $self, $radius_request ) = @_;
- my $client_mac = ref($radius_request->{'Calling-Station-Id'}) eq 'ARRAY'
- ? clean_mac($radius_request->{'Calling-Station-Id'}[0])
- : clean_mac($radius_request->{'Calling-Station-Id'});
+ my $client_mac;
+ if (ref($radius_request->{'Calling-Station-Id'}) eq 'ARRAY') {
+ foreach my $callingStationId (@{$radius_request->{'Calling-Station-Id'}}) {
+ if (valid_mac($callingStationId)) {
+ $client_mac = clean_mac($callingStationId);
+ }
+ }
+ } else {
+ $client_mac = clean_mac($radius_request->{'Calling-Station-Id'});
+ }
my $user_name = $radius_request->{'TLS-Client-Cert-Subject-Alt-Name-Upn'} || $radius_request->{'TLS-Client-Cert-Common-Name'} || $radius_request->{'User-Name'};
my $nas_port_type = ( defined($radius_request->{'NAS-Port-Type'}) ? $radius_request->{'NAS-Port-Type'} : ( defined($radius_request->{'Called-Station-SSID'}) ? "Wireless-802.11" : undef ) );
my $port = $radius_request->{'NAS-Port'};
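Review bot: the foreach over the Calling-Station-Id array has no `last`, so when two values both pass valid_mac the loop keeps overwriting $client_mac and the last one silently wins, and when no value passes, $client_mac stays undef, which is a quiet change from the old behaviour of clean_mac on element [0]. Add `last;` right after `$client_mac = clean_mac($callingStationId);` so the first valid value is the one used, and handle the no-match case explicitly (either fall back to clean_mac($radius_request->{'Calling-Station-Id'}[0]) or log it and return undef) rather than leaving $client_mac undefined for the rest of parseRequest.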
diff --git a/lib/pf/api.pm b/lib/pf/api.pm
index 2e5686c5a1..8099ae21a7 100644
--- a/lib/pf/api.pm
+++ b/lib/pf/api.pm
@@ -1294,7 +1294,13 @@ sub radius_rest_authorize :Public :RestPath(/radius/rest/authorize) {
my $return;
- if (pf::util::valid_mac($remapped_radius_request{'Calling-Station-Id'})) {
+ if (ref($remapped_radius_request{'Calling-Station-Id'})) eq 'ARRAY') {
+ foreach my $callingStationId (@{$remapped_radius_request{'Calling-Station-Id'}}) {
+ if (pf::util::valid_mac($callingStationId)) {
+ $return = $class->radius_authorize(%remapped_radius_request);
+ }
+ }
+ } elsif (pf::util::valid_mac($remapped_radius_request{'Calling-Station-Id'})) {
$return = $class->radius_authorize(%remapped_radius_request);
} else {
$return = $class->radius_switch_access(%remapped_radius_request);
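Review bot: the new condition has unbalanced parentheses, `if (ref($remapped_radius_request{'Calling-Station-Id'})) eq 'ARRAY') {`, which will not compile; it should be `if (ref($remapped_radius_request{'Calling-Station-Id'}) eq 'ARRAY') {`. Beyond the syntax, the loop calls $class->radius_authorize once per value that passes valid_mac, so a request carrying two valid MAC strings runs authorization twice and the second result replaces the first, while a request whose values are all invalid falls through with $return unset instead of reaching radius_switch_access. Decide once whether any value is a valid MAC (for example with List::Util's `any`, or by setting a flag and breaking with `last` on the first hit), then make a single radius_authorize call and keep the else branch for the no-MAC case.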
diff --git a/lib/pf/radius/rest.pm b/lib/pf/radius/rest.pm
index a81a2e3cc5..0b6216aea3 100644
--- a/lib/pf/radius/rest.pm
+++ b/lib/pf/radius/rest.pm
@@ -67,7 +67,7 @@ sub format_request {
my ($request) = @_;
# transform the request according to what radius_authorize expects
my %remapped_radius_request = map {
- $_ => $request->{$_}->{value}->[0];
+ (@{$request->{$_}->{value}} > 1) ? ($_ => $request->{$_}->{value}) : ($_ => $request->{$_}->{value}[0]);
} keys %{$request};
return \%remapped_radius_request;
}
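Review bot: format_request now hands back a plain scalar when an attribute has one value and an array reference when it has more than one, so every reader of %remapped_radius_request has to check ref() before using a value; the patch does that only for Calling-Station-Id in parseRequest and radius_rest_authorize, and any other attribute that arrives more than once, or any code path that passes a value straight to valid_mac or clean_mac, will now see an ARRAY ref where it expects a string. Either keep the first value under the attribute name here and expose the full list under a separate key, or document the scalar-or-arrayref contract and audit the other consumers before merging. As a minor style point, `scalar(@{$request->{$_}->{value}}) > 1` states the intent of the count check more plainly than relying on the numeric comparison to force scalar context.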