Hello Carlos,

When you do the request, can you capture the traffic on lo on port 7070, like this:
tshark -i lo -f "port 7070" -w /tmp/rest.pcap

And, if you can, send me the file.

Regards

Fabrice


On 2019-02-15 at 02:48, Carlos Wetli via PacketFence-users wrote:
Hello Fabrice,

Many thanks for your reply. I changed the radius filter accordingly, but it doesn't seem to be sent to the switch yet.

The reason to send back Framed-MTU to the switch is because we can see the following messages on the PacketFence Server:

in PacketFence.log:

Feb 15 08:30:12 srv2064 auth[27852]: Need 1 more connections to reach min connections (3)
Feb 15 08:30:12 srv2064 auth[27852]: rlm_sql (sql): Opening additional connection (13), 1 of 62 pending slots used
Feb 15 08:30:12 srv2064 auth[27852]: (42) rest: ERROR: Server returned:
Feb 15 08:30:12 srv2064 auth[27852]: (42) rest: ERROR: {"error":{"detail":"malformed JSON string, neither tag, array, object, number, string or atom, at character offset 704 (before \"(end of string)\") at /usr/local/pf/lib/pf/WebAPI/REST.pm line 43.\n","message":"Cannot parse request"}}
Feb 15 08:30:12 srv2064 auth[27852]: Need 1 more connections to reach min connections (3)
Feb 15 08:30:12 srv2064 auth[27852]: rlm_rest (rest): Opening additional connection (12), 1 of 62 pending slots used
Feb 15 08:30:12 srv2064 auth[27852]: (42) Invalid user (rest: AVP exceeds buffer length or chunk): [host/M-18-155.ad.cwe.local] (from client 172.29.180.68 port 50101 cli 80:ce:62:a1:2e:75)
Feb 15 08:30:12 srv2064 auth[27852]: [mac:80:ce:62:a1:2e:75] Rejected user: host/M-18-155.ad.cwe.local
Feb 15 08:30:12 srv2064 auth[27852]: (42) Login incorrect (rest: AVP exceeds buffer length or chunk): [host/M-18-155.ad.cwe.local] (from client 172.29.180.68 port 50101 cli 80:ce:62:a1:2e:75)

in tcpdump:

     EAP-Message Attribute (79), length: 229 (bogus, goes past end of packet)


We had the issue on our first test server and, as we couldn't fix it, we decided to install a brand new PF 8.3.0 on RHEL. We joined the newly configured server to the domain and did the basic configuration. At that stage I could authenticate a PC based on the machine certificate. I was then trying to authenticate the machine against the AD, which was not working successfully. As the authentication based on the machine certificate was working fine but not the AD authentication, we decided to restart all the services within the web admin GUI. After the restart of the services, the machine authentication was not working any longer and we could see the same message in tcpdump and packetfence.log on the new PF server.

Are you aware of this kind of issue? Is this a known issue?

Many thanks in advance for your support.
Regards,
Carlos
On Thu, 14 Feb 2019 at 03:18, Durand fabrice via PacketFence-users <[email protected]> wrote:

    Hello Carlos,

    sorry for the late reply.

    So yes you can add Framed-MTU in the radius reply.

    Use the radius filter for that; something like this should work:

    [eap]
    filter = connection_type
    operator = is
    value = Ethernet-EAP


    [1:eap]
    scope = returnRadiusAccessAccept
    merge_answer = yes
    answer1 = Framed-MTU => 1500


    Regards

    Fabrice



    On 2019-02-10 at 04:26, Carlos Wetli via PacketFence-users wrote:
    Hello,

    We are currently configuring dot1x on our older Cisco devices,
    which might be replaced this year or early next year. We are
    running PacketFence 8.3 as authentication server and Windows 10
    clients. A PKI is available and the certificates have been
    deployed on the clients and servers.

    We have the issue that the Cisco 2960 is fragmenting the EAP
    packet correctly but not adding the fragments correctly within the
    RADIUS packets, which means that a large RADIUS packet (1750 bytes)
    is then fragmented when put on the wire and therefore an EAP
    fragment ends up in two different UDP frames. This means that only
    a part of the 255-byte EAP fragment is in the first UDP frame,
    while the rest of the EAP fragment is then sent in the next
    fragmented UDP frame. My understanding is that this should not
    occur, as an EAP fragment should not be further fragmented across
    two different RADIUS packets.

    I can also see that the switch is sending Framed-MTU 1500, while
    PacketFence has an EAP fragment-size of 1024 configured but is not
    sending out Framed-MTU. Would it help to send a Framed-MTU smaller
    than 1500 from PacketFence? How/where can that be done?

    As an alternative, is there a possibility to configure the Windows
    client to send smaller EAP packets?

    Thanks in advance,
    Regards,
    Carlos





    _______________________________________________
    PacketFence-users mailing list
    [email protected]
    https://lists.sourceforge.net/lists/listinfo/packetfence-users



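Added example, not code from PacketFence, FreeRADIUS or anyone in this thread: a small Python diagnostic for the symptom Carlos describes (an EAP fragment split across two UDP datagrams, which tcpdump reports as an EAP-Message attribute whose length "goes past end of packet"). It walks the RADIUS attribute list of one datagram, stops at the first AVP whose declared length overruns the bytes actually present, reassembles the EAP-Message (79) AVPs, and compares the result with the EAP header's own length field. All function names are mine, the packets are constructed inline (Framed-MTU 1500, a 600-byte EAP-TLS fragment with filler TLS bytes, a truncated copy cut at 500 bytes), and the 253-byte value limit per EAP-Message AVP follows from the one-byte AVP length field.

```python
"""Check one RADIUS datagram for a cut-off AVP and an incomplete EAP fragment.

Added example; sample packets are constructed below, not captured.
"""
import struct

RADIUS_HEADER_LEN = 20            # code(1) id(1) length(2) authenticator(16)
ATTR_FRAMED_MTU = 12
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
MAX_AVP_VALUE = 253               # AVP length is one byte: 2 header + 253 value


def build_radius(code, ident, attrs):
    """Serialise (type, value) pairs into a RADIUS packet. The Request
    Authenticator is left as zeros: this is a constructed packet for the
    parser below, not something a switch would accept."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, RADIUS_HEADER_LEN + len(body))
    return header + bytes(16) + body


def walk_attributes(pkt):
    """Yield (type, value, ok) for every AVP in pkt.

    ok is False for the first AVP whose declared length overruns the bytes
    actually present (e.g. the trailing IP fragment never arrived); parsing
    stops there because later AVP boundaries cannot be trusted.
    """
    _code, _ident, declared_len = struct.unpack("!BBH", pkt[:4])
    end = min(declared_len, len(pkt))   # the header may promise more than we have
    off = RADIUS_HEADER_LEN
    while off < end:
        if off + 2 > end:               # not even a type/length header left
            yield (None, b"", False)
            return
        avp_type, avp_len = pkt[off], pkt[off + 1]
        if avp_len < 2 or off + avp_len > end:
            yield (avp_type, pkt[off + 2:end], False)
            return
        yield (avp_type, pkt[off + 2:off + avp_len], True)
        off += avp_len


def diagnose(pkt):
    """Summarise one datagram: Framed-MTU advertised by the NAS, number of
    EAP-Message AVPs, reassembled EAP length versus the EAP header's own
    length field, and the type of the AVP (if any) that was cut off."""
    eap = bytearray()
    framed_mtu = None
    eap_avps = 0
    truncated = None
    for avp_type, value, ok in walk_attributes(pkt):
        if not ok:
            truncated = avp_type
            break
        if avp_type == ATTR_EAP_MESSAGE:
            eap += value
            eap_avps += 1
        elif avp_type == ATTR_FRAMED_MTU and len(value) == 4:
            framed_mtu = struct.unpack("!I", value)[0]
    # EAP header: code(1) id(1) length(2); the length covers this fragment only
    declared_eap_len = struct.unpack("!H", eap[2:4])[0] if len(eap) >= 4 else None
    return {
        "framed_mtu": framed_mtu,
        "eap_avps": eap_avps,
        "eap_len": len(eap),
        "eap_declared_len": declared_eap_len,
        "eap_complete": truncated is None and declared_eap_len == len(eap),
        "truncated_avp": truncated,
    }


def sample_packets():
    """Constructed input: an Access-Request carrying a 600-byte EAP-TLS
    fragment split into 253-byte EAP-Message AVPs, and the same datagram
    cut at 500 bytes as if its second IP fragment had been lost."""
    eap_len = 600
    # EAP Response (2), id 5, type 13 = EAP-TLS, flags 0x40 = more fragments;
    # the TLS payload bytes are filler.
    eap = (struct.pack("!BBHBB", 2, 5, eap_len, 13, 0x40) + bytes(range(256)) * 3)[:eap_len]
    attrs = [(ATTR_FRAMED_MTU, struct.pack("!I", 1500))]
    attrs += [(ATTR_EAP_MESSAGE, eap[i:i + MAX_AVP_VALUE])
              for i in range(0, eap_len, MAX_AVP_VALUE)]
    attrs.append((ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))   # placeholder HMAC
    full = build_radius(1, 42, attrs)                         # 1 = Access-Request
    return full, full[:500]


if __name__ == "__main__":
    for label, pkt in zip(("complete", "truncated"), sample_packets()):
        print(label, diagnose(pkt))
```

On a real capture, feed each RADIUS UDP payload from the pcap to diagnose(): a result with truncated_avp set, or eap_complete False while eap_declared_len is larger than eap_len, is the same condition behind the "AVP exceeds buffer length or chunk" rejection, and the framed_mtu value shows what the switch is advertising versus what the server is configured to use.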
