So I poked around some more and I think my issue may be with the way the
switch is configured.

I'm monitoring the following log */usr/local/pf/logs/packetfence.log*

When I unplug and plug back in my device, it sends the MAC address right
away:

*Apr  4 18:21:21 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2057)
INFO: [mac:a8:60:b6:09:77:45] handling radius autz request: from switch_ip
=> (10.100.64.67), connection_type => Ethernet-NoEAP,switch_mac =>
(88:f0:77:d9:b2:48), mac => [a8:60:b6:09:77:45], port => 49, username =>
"a860b6097745" (pf::radius::authorize)*

This then puts that switchport into the Registration VLAN:

*Apr  4 18:21:21 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2057)
INFO: [mac:a8:60:b6:09:77:45] is of status unreg; belongs into registration
VLAN (pf::role::getRegistrationRole)*

This causes the device to just sit there in that VLAN without the 802.1x
prompt coming up - which is the prompt I want.

I believe the Cisco SG300 switch that I'm using, with a dumbed down version
of Cisco IOS, doesn't fully support MAC authentication as the fallback (at
least all my Googling around isn't bringing anything up).

Ideally I would plug the device into the switchport, and if it's deemed not
able to do 802.1x authentication, it then falls back to MAC address
authentication. This may not be possible with my current setup...

Is there something on the PacketFence side that will wait a bit before
sending the request to put the switchport in the registration VLAN?

On Thu, Apr 4, 2019 at 2:18 PM Fabrice Durand via PacketFence-users <
[email protected]> wrote:

> Hello Stuart,
>
>
> On 19-04-04 at 13:38, Stuart Gendron via PacketFence-users wrote:
>
> Just getting started with PacketFence and am struggling with something.
>
> So I'm using a Cisco SG300 as my test switch, and it does both 802.1x and
> MAC address authentication (MAB).
>
> I'm finding that once I get authenticated using 802.1x credentials I can
> then pop around to other switch ports and get through without needing to
> provide credentials again (I assume because the MAC address is
> authenticated?).
>
> You need to check whether, when you unplug/plug, PacketFence receives a new
> RADIUS request.
>
> If it's not the case then it's not normal.
>
> Also you need to see what kind of authentication is made each time: is it
> 802.1x or MAC auth?
>
>
> This is fine, however when I set the device to unauthorized, I don't
> receive a prompt for username/password again. I believe what happens is the
> MAC gets sent first, PacketFence then sets the request as Accept, but
> unregistered so sends it to the appropriate VLAN, and on the switch the
> state is Authenticated (as PacketFence technically authenticated it?).
>
> It depends on how you configured PacketFence; if you enable autoregistration
> for 802.1x then your device probably keeps the credentials and retries with
> them to authenticate.
>
> In fact you need to provide more information about your pf config, like: do
> you register on a portal / do you autoregister, do you have a connection
> profile per connection type?
>
> If you can summarize your config it will help to understand what happens
> exactly.
>
> Thanks
>
> Regards
>
> Fabrice
>
>
> Not sure if this makes sense.
>
> Ideally a device would do 802.1x by default, then fall back to MAB if
> needed.
>
> --
>
> *Stuart Gendron*
> IT Support Specialist
>
>
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
> --
> Fabrice [email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
> (http://packetfence.org)
>


-- 

*Stuart Gendron*
IT Support Specialist

*You.i Labs*
307 Legget Drive, Kanata, ON, K2K 3C8
t (613) 228-9107 x258 | c (613) 697-6853
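
The check Fabrice asks for (which authentication type PacketFence sees on each replug) can be read out of `packetfence.log`. The following is an added example, not part of the original messages and not PacketFence code: it parses the "handling radius autz request" line format quoted above and lists ports where only MAC authentication was ever seen. The sample lines, host name, MAC and IP values are constructed, and treating `Ethernet-EAP` as the 802.1X counterpart of `Ethernet-NoEAP` is an assumption.

```python
import re
from collections import defaultdict

# Line format taken from the "handling radius autz request" entry quoted above.
AUTZ_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?"
    r"\[mac:(?P<mac>[0-9a-f:]{17})\] handling radius autz request: "
    r"from switch_ip => \((?P<switch_ip>[^)]+)\), "
    r"connection_type => (?P<ctype>[\w.-]+),"
    r".*?port => (?P<port>\d+)",
    re.IGNORECASE,
)

# Constructed sample lines (documentation MAC/IP ranges, hypothetical host name).
SAMPLE = [
    'Apr  4 18:21:21 pf-host packetfence_httpd.aaa: httpd.aaa(2057) INFO: '
    '[mac:00:00:5e:00:53:01] handling radius autz request: from switch_ip => '
    '(192.0.2.10), connection_type => Ethernet-NoEAP,switch_mac => '
    '(00:00:5e:00:53:ff), mac => [00:00:5e:00:53:01], port => 49, username => '
    '"00005e005301" (pf::radius::authorize)',
    'Apr  4 18:21:21 pf-host packetfence_httpd.aaa: httpd.aaa(2057) INFO: '
    '[mac:00:00:5e:00:53:01] is of status unreg; belongs into registration '
    'VLAN (pf::role::getRegistrationRole)',
    'Apr  4 18:25:02 pf-host packetfence_httpd.aaa: httpd.aaa(2057) INFO: '
    '[mac:00:00:5e:00:53:02] handling radius autz request: from switch_ip => '
    '(192.0.2.10), connection_type => Ethernet-EAP,switch_mac => '
    '(00:00:5e:00:53:ff), mac => [00:00:5e:00:53:02], port => 12, username => '
    '"alice" (pf::radius::authorize)',
]

def auth_methods_by_port(lines):
    """Map (mac, switch_ip, port) -> ordered list of (timestamp, method)."""
    seen = defaultdict(list)
    for line in lines:
        m = AUTZ_RE.search(line)
        if not m:
            continue  # not a RADIUS authorize request line
        # Assumption: a "NoEAP" connection type is MAC auth, otherwise 802.1X.
        method = "MAB" if m["ctype"].endswith("NoEAP") else "802.1X"
        key = (m["mac"].lower(), m["switch_ip"], m["port"])
        seen[key].append((m["ts"], method))
    return dict(seen)

def mab_only(lines):
    """Keys for which no 802.1X request was ever logged."""
    return [k for k, v in auth_methods_by_port(lines).items()
            if all(method == "MAB" for _, method in v)]

if __name__ == "__main__":
    for key in mab_only(SAMPLE):
        print("MAC auth only:", key)
```

On a real log, pass the lines of `/usr/local/pf/logs/packetfence.log` in place of `SAMPLE`.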