Because it's an SG series Switch it's missing quite a bit of features that you'd expect in an enterprise grade switch.
I've opened a ticket with Cisco to see what they say. Thanks for your help :-)

On Thu, Apr 4, 2019 at 3:02 PM Fabrice Durand <[email protected]> wrote:

> In fact it is supposed to be the switch that does that, waiting for 802.1x
> and after a time doing mac-auth.
>
> Are you sure that the switch is correctly configured for 802.1x?
>
> On 19-04-04 at 14:29, Stuart Gendron wrote:
>
> So I poked around some more and I think my issue may be with the way the
> switch is configured.
>
> I'm monitoring the following log */usr/local/pf/logs/packetfence.log*
>
> When I unplug and plug back in my device, it sends the MAC address right
> away:
>
> Apr 4 18:21:21 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2057) INFO: [mac:a8:60:b6:09:77:45] handling radius autz request: from switch_ip => (10.100.64.67), connection_type => Ethernet-NoEAP,switch_mac => (88:f0:77:d9:b2:48), mac => [a8:60:b6:09:77:45], port => 49, username => "a860b6097745" (pf::radius::authorize)
>
> This then puts that switchport into the Registration VLAN
>
> Apr 4 18:21:21 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2057) INFO: [mac:a8:60:b6:09:77:45] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
>
> This causes the device to just sit there in that VLAN without the 802.1x
> prompt coming up - which is the prompt I want.
>
> I believe the Cisco SG300 switch that I'm using, with a dumbed down
> version of Cisco IOS, doesn't fully support MAC authentication as the
> fallback (at least all my Googling around isn't bringing anything up).
>
> Ideally I would plug the device into the switchport, and if it's deemed
> not able to do 802.1x authentication, it then falls back to MAC address
> authentication. This may not be possible with my current setup...
>
> Is there something on the PacketFence side that will wait a bit before
> sending the request to put the switchport in the registration VLAN?
>
> On Thu, Apr 4, 2019 at 2:18 PM Fabrice Durand via PacketFence-users <[email protected]> wrote:
>
>> Hello Stuart,
>>
>> On 19-04-04 at 13:38, Stuart Gendron via PacketFence-users wrote:
>>
>> Just getting started with PacketFence and am struggling with something.
>>
>> So I'm using a Cisco SG300 as my test switch, and it does both 802.1x and
>> MAC address authentication (MAB).
>>
>> I'm finding that once I get authenticated using 802.1x credentials I can
>> then pop around to other switch ports and get through without needing to
>> provide credentials again (I assume because the MAC address is
>> authenticated?).
>>
>> You need to check if, when you unplug/plug, packetfence receives a new
>> radius request.
>>
>> If it's not the case then it's not normal.
>>
>> Also you need to see what kind of authentication is made each time, is it
>> 802.1x or mac auth?
>>
>> This is fine, however when I set the device to unauthorized, I don't
>> receive a prompt for username/password again. I believe what happens is the
>> MAC gets sent first, PacketFence then sets the request as Accept, but
>> unregistered so sends it to the appropriate VLAN, and on the switch the
>> state is Authenticated (as PacketFence technically authenticated it?).
>>
>> It depends on how you configured packetfence; if you enable autoregistration
>> for 802.1x then probably your device keeps the credentials and retries with
>> them to authenticate.
>>
>> In fact you need to provide more information about your pf config, like
>> do you register on a portal / do you autoregister, do you have a connection
>> profile per connection type?
>>
>> If you can summarize your config it will help to understand what happens
>> exactly.
>>
>> Thanks
>>
>> Regards
>>
>> Fabrice
>>
>> Not sure if this makes sense.
>>
>> Ideally a device would do 802.1x by default, then fall back to MAB if
>> needed.
>>
>> --
>> *Stuart Gendron*
>> IT Support Specialist
>>
>> _______________________________________________
>> PacketFence-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>> --
>> Fabrice [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>> (http://packetfence.org)

--
*Stuart Gendron*
IT Support Specialist

*You.i Labs*
307 Legget Drive, Kanata, ON, K2K 3C8
t (613) 228-9107 x258 | c (613) 697-6853
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
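
Added example, not part of the original thread and not PacketFence code: a small parser for the `handling radius autz request` lines quoted above that reports, per switch port and MAC, which connection types were seen and which ports only ever did MAC authentication. The first two sample lines are the ones from the thread; the other two are constructed, and the `Ethernet-EAP` value used there for an 802.1x request is an assumption (only `Ethernet-NoEAP` appears in the thread).

```python
import re
from collections import defaultdict

# Lines 1-2 are quoted in the thread; lines 3-4 are constructed samples
# (MAC 00:11:22:33:44:55, user "testuser", "Ethernet-EAP" are assumptions).
SAMPLE_LOG = """\
Apr 4 18:21:21 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2057) INFO: [mac:a8:60:b6:09:77:45] handling radius autz request: from switch_ip => (10.100.64.67), connection_type => Ethernet-NoEAP,switch_mac => (88:f0:77:d9:b2:48), mac => [a8:60:b6:09:77:45], port => 49, username => "a860b6097745" (pf::radius::authorize)
Apr 4 18:21:21 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2057) INFO: [mac:a8:60:b6:09:77:45] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Apr 4 18:40:10 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2057) INFO: [mac:00:11:22:33:44:55] handling radius autz request: from switch_ip => (10.100.64.67), connection_type => Ethernet-NoEAP,switch_mac => (88:f0:77:d9:b2:48), mac => [00:11:22:33:44:55], port => 12, username => "001122334455" (pf::radius::authorize)
Apr 4 18:40:25 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2057) INFO: [mac:00:11:22:33:44:55] handling radius autz request: from switch_ip => (10.100.64.67), connection_type => Ethernet-EAP,switch_mac => (88:f0:77:d9:b2:48), mac => [00:11:22:33:44:55], port => 12, username => "testuser" (pf::radius::authorize)
"""

# Field order and punctuation follow the log line quoted in the thread,
# including the missing space after the connection_type value.
AUTZ_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?handling radius autz request: '
    r'from switch_ip => \((?P<switch_ip>[^)]+)\),\s*'
    r'connection_type => (?P<conn>[\w-]+),\s*'
    r'switch_mac => \([^)]*\),\s*mac => \[(?P<mac>[0-9a-f:]+)\],\s*'
    r'port => (?P<port>\d+),\s*username => "(?P<user>[^"]*)"'
)

def parse_autz(log_text):
    """Return one dict per authorization request; other log lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = AUTZ_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["port"] = int(ev["port"])
            events.append(ev)
    return events

def summarize(events):
    """Map (switch_ip, port, mac) -> connection types in the order they arrived."""
    seen = defaultdict(list)
    for ev in events:
        seen[(ev["switch_ip"], ev["port"], ev["mac"])].append(ev["conn"])
    return dict(seen)

def mab_only(summary):
    """Ports where every request was non-EAP, i.e. no 802.1x attempt reached PacketFence."""
    return sorted(k for k, conns in summary.items()
                  if all(c.endswith("-NoEAP") for c in conns))

if __name__ == "__main__":
    summary = summarize(parse_autz(SAMPLE_LOG))
    for key, conns in summary.items():
        print(key, " -> ".join(conns))
    print("MAC-auth only:", mab_only(summary))
```
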
