In fact it is supposed to be the switch that does that, waiting for 802.1x and
after a time doing mac-auth.
Are you sure that the switch is correctly configured for 802.1x?
On 19-04-04 at 14:29, Stuart Gendron wrote:
So I poked around some more and I think my issue may be with the way
the switch is configured.
I'm monitoring the following log */usr/local/pf/logs/packetfence.log*
When I unplug and plug back in my device, it sends the MAC address
right away:
*Apr 4 18:21:21 PacketFence-ZEN packetfence_httpd.aaa:
httpd.aaa(2057) INFO: [mac:a8:60:b6:09:77:45] handling radius autz
request: from switch_ip => (10.100.64.67), connection_type =>
Ethernet-NoEAP,switch_mac => (88:f0:77:d9:b2:48), mac =>
[a8:60:b6:09:77:45], port => 49, username => "a860b6097745"
(pf::radius::authorize)*
This then puts that switchport into the Registration VLAN
*Apr 4 18:21:21 PacketFence-ZEN packetfence_httpd.aaa:
httpd.aaa(2057) INFO: [mac:a8:60:b6:09:77:45] is of status unreg;
belongs into registration VLAN (pf::role::getRegistrationRole)*
This causes the device to just sit there in that VLAN without the
802.1x prompt coming up - which is the prompt I want.
I believe the Cisco SG300 switch that I'm using, with a dumbed down
version of Cisco IOS, doesn't fully support MAC authentication as the
fallback (at least all my Googling around isn't bringing anything up).
Ideally I would plug the device into the switchport, and if it's
deemed not able to do 802.1x authentication, it then falls back to MAC
address authentication. This may not be possible with my current setup...
Is there something on the PacketFence side that will wait a bit before
sending the request to put the switchport in the registration VLAN?
On Thu, Apr 4, 2019 at 2:18 PM Fabrice Durand via PacketFence-users
<[email protected]> wrote:
Hello Stuart,
On 19-04-04 at 13:38, Stuart Gendron via PacketFence-users wrote:
Just getting started with PacketFence and am struggling with
something.
So I'm using a Cisco SG300 as my test switch, and it does both
802.1x and MAC address authentication (MAB).
I'm finding that once I get authenticated using 802.1x
credentials I can then pop around to other switch ports and get
through without needing to provide credentials again (I assume
because the MAC address is authenticated?).
You need to check whether, when you unplug/plug, PacketFence receives a
new RADIUS request.
If that's not the case then it's not normal.
Also you need to see what kind of authentication is made each
time: is it 802.1x or mac auth?
This is fine, however when I set the device to unauthorized, I
don't receive a prompt for username/password again. I believe
what happens is the MAC gets sent first, PacketFence then sets
the request as Accept, but unregistered so sends it to the
appropriate VLAN, and on the switch the state is Authenticated
(as PacketFence technically authenticated it?).
It depends on how you configured PacketFence; if you enable
autoregistration for 802.1x then your device probably keeps the
credentials and retries with them to authenticate.
In fact you need to provide more information about your pf config,
like do you register on a portal / do you autoregister, do you
have a connection profile per connection type?
If you can summarize your config it will help to understand what
happens exactly.
Thanks
Regards
Fabrice
Not sure if this makes sense.
Ideally a device would do 802.1x by default, then fall back to
MAB if needed.
--
*Stuart Gendron*
IT Support Specialist
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
--
*Stuart Gendron*
IT Support Specialist
*You.i Labs*
307 Legget Drive, Kanata, ON, K2K 3C8
t (613) 228-9107 x258 | c (613) 697-6853
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
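
An added example, not part of the original thread and not PacketFence's own code: one way to answer the question of which authentication method each RADIUS request used, by parsing the `handling radius autz request` lines of `/usr/local/pf/logs/packetfence.log`. It assumes 802.1x requests are logged with `connection_type => Ethernet-EAP`; the function names are hypothetical, and only the first sample line comes from the thread (the others are constructed).

```python
import re
from collections import defaultdict

# Matches the "handling radius autz request" line format quoted in the thread.
AUTZ_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}).*handling radius autz request: "
    r"from switch_ip => \((?P<switch_ip>[^)]+)\),\s*"
    r"connection_type => (?P<ctype>[\w.-]+),.*?"
    r"mac => \[(?P<mac>[0-9a-f:]{17})\],\s*port => (?P<port>\d+)"
)

# Line 1 is the log line from the thread; lines 2-3 are constructed and assume
# 802.1x shows up as Ethernet-EAP; line 4 is a non-autz line that is skipped.
SAMPLE_LOG = """\
Apr 4 18:21:21 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2057) INFO: [mac:a8:60:b6:09:77:45] handling radius autz request: from switch_ip => (10.100.64.67), connection_type => Ethernet-NoEAP,switch_mac => (88:f0:77:d9:b2:48), mac => [a8:60:b6:09:77:45], port => 49, username => "a860b6097745" (pf::radius::authorize)
Apr 4 18:25:02 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2057) INFO: [mac:00:11:22:33:44:55] handling radius autz request: from switch_ip => (10.100.64.67), connection_type => Ethernet-EAP,switch_mac => (88:f0:77:d9:b2:48), mac => [00:11:22:33:44:55], port => 12, username => "jdoe" (pf::radius::authorize)
Apr 4 18:31:40 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2057) INFO: [mac:00:11:22:33:44:55] handling radius autz request: from switch_ip => (10.100.64.67), connection_type => Ethernet-NoEAP,switch_mac => (88:f0:77:d9:b2:48), mac => [00:11:22:33:44:55], port => 14, username => "001122334455" (pf::radius::authorize)
Apr 4 18:21:21 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2057) INFO: [mac:a8:60:b6:09:77:45] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
"""

def parse_autz(log_text):
    """Return one dict per RADIUS authorization request found in the log."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := AUTZ_RE.search(line))]

def summarize(events):
    """Per MAC: ordered (time, port, method) history and a MAB-only flag."""
    history = defaultdict(list)
    for e in events:
        # "...-EAP" is 802.1x; "...-NoEAP" is MAC authentication (MAB).
        method = "802.1x" if e["ctype"].endswith("-EAP") else "mac-auth"
        history[e["mac"]].append((e["ts"], int(e["port"]), method))
    return {mac: {"history": h,
                  "mab_only": all(m == "mac-auth" for _, _, m in h)}
            for mac, h in history.items()}

if __name__ == "__main__":
    for mac, info in summarize(parse_autz(SAMPLE_LOG)).items():
        note = "  <- 802.1x never attempted" if info["mab_only"] else ""
        print(mac + note)
        for ts, port, method in info["history"]:
            print(f"    {ts}  port {port:<3} {method}")
```

A MAC flagged as MAB-only, like the one in the thread, means the switch sent MAC authentication without any 802.1x request reaching PacketFence, which points at the switch port's authentication order rather than at the PacketFence side.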