Hello Fabrice,

Many thanks for your reply. I changed the radius filter accordingly but it
doesn't seem to be sent to the switch yet.

The reason to send back Framed-MTU to the switch is because we can see the
following messages on the PacketFence Server:

in PacketFence.log:

Feb 15 08:30:12 srv2064 auth[27852]: Need 1 more connections to reach min
connections (3)
Feb 15 08:30:12 srv2064 auth[27852]: rlm_sql (sql): Opening additional
connection (13), 1 of 62 pending slots used
Feb 15 08:30:12 srv2064 auth[27852]: (42) rest: ERROR: Server returned:
Feb 15 08:30:12 srv2064 auth[27852]: (42) rest: ERROR:
{"error":{"detail":"malformed JSON string, neither tag, array, object,
number, string or atom, at character offset 704 (before \"(end of
string)\") at /usr/local/pf/lib/pf/WebAPI/REST.pm line
43.\n","message":"Cannot parse request"}}
Feb 15 08:30:12 srv2064 auth[27852]: Need 1 more connections to reach min
connections (3)
Feb 15 08:30:12 srv2064 auth[27852]: rlm_rest (rest): Opening additional
connection (12), 1 of 62 pending slots used
Feb 15 08:30:12 srv2064 auth[27852]: (42) Invalid user (rest: AVP exceeds
buffer length or chunk): [host/M-18-155.ad.cwe.local] (from client
172.29.180.68 port 50101 cli 80:ce:62:a1:2e:75)
Feb 15 08:30:12 srv2064 auth[27852]: [mac:80:ce:62:a1:2e:75] Rejected user:
host/M-18-155.ad.cwe.local
Feb 15 08:30:12 srv2064 auth[27852]: (42) Login incorrect (rest: AVP
exceeds buffer length or chunk): [host/M-18-155.ad.cwe.local] (from client
172.29.180.68 port 50101 cli 80:ce:62:a1:2e:75)

in tcpdump:

     EAP-Message Attribute (79), length: 229 (bogus, goes past end of
packet)


We had the issue on our first test server and as we couldn't fix it, we
decided to install a brand new PF 8.3.0 on RHEL. We joined the newly
configured server to the domain and did basic configuration. At that stage
I could authenticate a PC based on the machine certificate. I was then
trying to authenticate the machine against the AD, which was not working
successfully. As the authentication based on the machine certificate was
working fine but not the AD authentication, we decided to restart all the
services from the web admin GUI. After the restart of the services, the
machine authentication was not working any longer and we could see the same
message in tcpdump and packetfence.log on the new PF server.

Are you aware of this kind of issue? Is this a known issue?

Many thanks in advance for your support.
Regards,
carlos
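As an added worked example (not code from this thread, nor from PacketFence or FreeRADIUS), here is a small RADIUS attribute walker in Python that makes the two conditions in the logs above concrete: a strict decode that refuses a datagram whose header Length exceeds the bytes actually received, and a lenient walk, the way tcpdump decodes a lone first IP fragment, that reports the EAP-Message attribute whose Length "goes past end of packet". It also reassembles the EAP-Message attributes into the EAP packet and checks the EAP header's own Length field. The Access-Request, its identity, MAC address and Message-Authenticator value are constructed placeholders; the 1472-byte cut assumes a 1500-byte link MTU with no IP options.

```python
import struct

RADIUS_HDR_LEN = 20
USER_NAME, FRAMED_MTU, CALLING_STATION_ID = 1, 12, 31
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
EAP_MESSAGE_MAX = 253                         # 255-byte AVP minus the 2-byte type/length header
FIRST_FRAGMENT_RADIUS_BYTES = 1500 - 20 - 8   # assumption: 1500-byte link MTU, 20-byte IP header, 8-byte UDP header


class RadiusParseError(Exception):
    pass


def build_radius(code, ident, authenticator, avps):
    """Serialize a RADIUS datagram (RFC 2865 header + TLV attributes); used for sample data only."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in avps)
    return struct.pack("!BBH", code, ident, RADIUS_HDR_LEN + len(body)) + authenticator + body


def walk_avps(buf, end):
    """Walk attributes from the end of the header up to `end`.  Returns (avps, overrun):
    overrun is None, or (offset, type, length) of the first attribute whose declared
    Length runs past `end` (the condition tcpdump prints as 'goes past end of packet')."""
    avps, off = [], RADIUS_HDR_LEN
    while off + 2 <= end:
        t, l = buf[off], buf[off + 1]
        if l < 2:
            raise RadiusParseError(f"attribute {t} at offset {off} has Length {l} < 2")
        if off + l > end:
            return avps, (off, t, l)
        avps.append((t, bytes(buf[off + 2:off + l])))
        off += l
    if off != end:
        raise RadiusParseError(f"dangling byte at offset {off}")
    return avps, None


def parse_radius(buf):
    """Strict decode: the whole header Length must have arrived and every attribute must fit."""
    if len(buf) < RADIUS_HDR_LEN:
        raise RadiusParseError(f"short header: {len(buf)} bytes")
    code, ident, length = struct.unpack("!BBH", buf[:4])
    if not RADIUS_HDR_LEN <= length <= 4096:
        raise RadiusParseError(f"invalid header Length {length}")
    if length > len(buf):
        raise RadiusParseError(f"truncated datagram: header Length {length}, received {len(buf)}")
    avps, overrun = walk_avps(buf, length)
    if overrun:
        off, t, l = overrun
        raise RadiusParseError(f"attribute {t} Length {l} at offset {off} goes past end of packet")
    return code, ident, avps


def diagnose(buf):
    """Lenient decode of a possibly incomplete datagram (what tcpdump shows for a lone
    first IP fragment): walk only the bytes present and report the first overrun."""
    _, _, length = struct.unpack("!BBH", buf[:4])
    avps, overrun = walk_avps(buf, min(length, len(buf)))
    return {"declared": length, "received": len(buf), "complete_avps": len(avps), "overrun": overrun}


def reassemble_eap(avps):
    """Concatenate EAP-Message values in order (RFC 3579 section 3.1) and check the EAP Length."""
    eap = b"".join(v for t, v in avps if t == EAP_MESSAGE)
    if len(eap) < 4:
        raise RadiusParseError("no usable EAP payload")
    declared = struct.unpack("!H", eap[2:4])[0]
    if declared != len(eap):
        raise RadiusParseError(f"EAP Length {declared} but {len(eap)} bytes carried")
    return eap


def sample_access_request(eap_len=1700):
    """Constructed Access-Request: one EAP-Response/EAP-TLS packet of eap_len bytes, split
    into 253-byte EAP-Message attributes the way a NAS does.  Identity, MAC address and
    the Message-Authenticator value are placeholders, not real data."""
    tls_data = (bytes(range(256)) * (eap_len // 256 + 1))[:eap_len - 6]
    eap = struct.pack("!BBHBB", 2, 7, eap_len, 13, 0x00) + tls_data   # Response, id 7, type 13 = EAP-TLS
    avps = [(USER_NAME, b"host/test-pc.example"),
            (CALLING_STATION_ID, b"00-11-22-33-44-55"),
            (FRAMED_MTU, struct.pack("!I", 1500))]
    avps += [(EAP_MESSAGE, eap[i:i + EAP_MESSAGE_MAX]) for i in range(0, len(eap), EAP_MESSAGE_MAX)]
    avps.append((MESSAGE_AUTHENTICATOR, bytes(16)))   # placeholder, not a real HMAC-MD5
    return build_radius(1, 42, bytes(16), avps)


if __name__ == "__main__":
    full = sample_access_request()
    code, ident, avps = parse_radius(full)
    print(f"full packet: {len(full)} bytes, {len(avps)} attributes, EAP payload {len(reassemble_eap(avps))} bytes")
    first_fragment = full[:FIRST_FRAGMENT_RADIUS_BYTES]
    print("first IP fragment alone:", diagnose(first_fragment))
    try:
        parse_radius(first_fragment)
    except RadiusParseError as e:
        print("strict parse:", e)
```

Running the script decodes the complete 1799-byte datagram first and then the 1472-byte slice that would travel in the first IP fragment, where the sixth EAP-Message attribute starts at offset 1342 and overruns the bytes present. Per RFC 3579 a single EAP packet is carried whole inside one RADIUS packet, as consecutive EAP-Message attributes, so a NAS that needs to send a large EAP fragment must either produce a RADIUS datagram the path can carry or rely on IP fragmentation being passed and reassembled end to end.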

On Thu, 14 Feb 2019 at 03:18, Durand fabrice via
PacketFence-users <[email protected]> wrote:

> Hello Carlos,
>
> sorry for the late reply.
>
> So yes you can add Framed-MTU in the radius reply.
>
> Use the radius filter for that , something like that should work:
>
> [eap]
> filter = connection_type
> operator = is
> value = Ethernet-EAP
>
>
> [1:eap]
> scope = returnRadiusAccessAccept
> merge_answer = yes
> answer1 = Framed-MTU => 1500
>
>
> Regards
>
> Fabrice
>
>
>
> On 2019-02-10 at 04:26, Carlos Wetli via PacketFence-users wrote:
>
> Hello,
>
> We are currently configuring dot1x on our older cisco devices which might
> be replaced this year or early next year. We are running PacketFence 8.3 as
> authentication server and windows 10 clients. A PKI is available and the
> certificates have been deployed on the clients and servers.
>
> We have the issue that the Cisco 2960 is fragmenting the EAP Packet
> correctly but not adding them correctly within the Radius packets, which
> means that a large Radius Packet (1750 Bytes)  is then fragmented when put
> on the wire and therefore put an EAP fragment on two different UDP
> Frames. This means that only a part of the 255 bytes EAP fragment is on the
> first UDP frame while the rest of the EAP fragment is then sent by the next
> fragmented UDP frame. My understanding is that this should not occur as an
> EAP fragment should not be further fragmented over two different Radius
> packets.
>
> I can also see that the Switch is sending Framed-MTU 1500, while
> PacketFence has an EAP fragment-size of 1024 configured but is not sending
> out Framed-MTU. Would it help to send a Framed-MTU smaller than 1500 from
> PacketFence ? How/where can that be done ?
>
> As an alternative, is there a possibility to configure the Windows Client to
> send smaller EAP packets ?
>
> Thanks in advance,
> Regards,
> Carlos
>
>
>
>
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
