So unfortunately there is no MAC address authentication fallback with these switches.
Looking into this more, I was able to create a Connection Profile for Ethernet-NoEAP connection types (this is how the MAC address is sent). Not sure if there's anything that can be done there? Here are the logs:

Apr 4 20:35:49 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(17117) INFO: [mac:a8:60:b6:09:77:45] Instantiate profile 802.1x (pf::Connection::ProfileFactory::_from_profile)
Apr 4 20:35:55 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(17117) INFO: [mac:a8:60:b6:09:77:45] handling radius autz request: from switch_ip => (10.100.64.67), connection_type => Ethernet-NoEAP,switch_mac => (88:f0:77:d9:b2:48), mac => [a8:60:b6:09:77:45], port => 49, username => "a860b6097745" (pf::radius::authorize)
Apr 4 20:35:55 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(17117) INFO: [mac:a8:60:b6:09:77:45] Instantiate profile MAB (pf::Connection::ProfileFactory::_from_profile)
Apr 4 20:35:55 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(17117) INFO: [mac:a8:60:b6:09:77:45] Connection type is Ethernet-NoEAP. Getting role from node_info (pf::role::getRegisteredRole)
Apr 4 20:35:55 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(17117) INFO: [mac:a8:60:b6:09:77:45] Username was defined "a860b6097745" - returning role 'default' (pf::role::getRegisteredRole)
Apr 4 20:35:55 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(17117) INFO: [mac:a8:60:b6:09:77:45] PID: "testradius", Status: reg Returned VLAN: (undefined), Role: default (pf::role::fetchRoleForNode)
Apr 4 20:35:55 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(17117) INFO: [mac:a8:60:b6:09:77:45] (10.100.64.67) Added VLAN 88 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)

I added an authentication source to that connection profile (my AD server) to see if I could 'fail' the connection so it doesn't send any information to the switch, but may be going down a dead end here.
On Thu, Apr 4, 2019 at 3:07 PM Stuart Gendron <[email protected]> wrote:

> Because it's an SG series Switch it's missing quite a bit of features that you'd expect in an enterprise grade switch.
>
> I've opened a ticket with Cisco to see what they say.
>
> Thanks for your help :-)
>
> On Thu, Apr 4, 2019 at 3:02 PM Fabrice Durand <[email protected]> wrote:
>
>> In fact it's supposed to be the switch that does that, waiting for 802.1x and after a time doing mac-auth.
>>
>> Are you sure that the switch is correctly configured for 802.1x?
>>
>> On 19-04-04 at 14:29, Stuart Gendron wrote:
>>
>> So I poked around some more and I think my issue may be with the way the switch is configured.
>>
>> I'm monitoring the following log /usr/local/pf/logs/packetfence.log
>>
>> When I unplug and plug back in my device, it sends the MAC address right away:
>>
>> Apr 4 18:21:21 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2057) INFO: [mac:a8:60:b6:09:77:45] handling radius autz request: from switch_ip => (10.100.64.67), connection_type => Ethernet-NoEAP,switch_mac => (88:f0:77:d9:b2:48), mac => [a8:60:b6:09:77:45], port => 49, username => "a860b6097745" (pf::radius::authorize)
>>
>> This then puts that switchport into the Registration VLAN
>>
>> Apr 4 18:21:21 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2057) INFO: [mac:a8:60:b6:09:77:45] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
>>
>> This causes the device to just sit there in that VLAN without the 802.1x prompt coming up - which is the prompt I want.
>>
>> I believe the Cisco SG300 switch that I'm using, with a dumbed down version of Cisco IOS, doesn't fully support MAC authentication as the fallback (at least all my Googling around isn't bringing anything up).
>>
>> Ideally I would plug the device into the switchport, and if it's deemed not able to do 802.1x authentication, it then falls back to MAC address authentication.
>>
>> This may not be possible with my current setup...
>>
>> Is there something on the PacketFence side that will wait a bit before sending the request to put the switchport in the registration VLAN?
>>
>> On Thu, Apr 4, 2019 at 2:18 PM Fabrice Durand via PacketFence-users <[email protected]> wrote:
>>
>>> Hello Stuart,
>>>
>>> On 19-04-04 at 13:38, Stuart Gendron via PacketFence-users wrote:
>>>
>>> Just getting started with PacketFence and am struggling with something.
>>>
>>> So I'm using a Cisco SG300 as my test switch, and it does both 802.1x and MAC address authentication (MAB).
>>>
>>> I'm finding that once I get authenticated using 802.1x credentials I can then pop around to other switch ports and get through without needing to provide credentials again (I assume because the MAC address is authenticated?).
>>>
>>> You need to check if when you unplug/plug packetfence receives a new radius request.
>>>
>>> If it's not the case then it's not normal.
>>>
>>> Also you need to see what kind of authentication is made each time, is it 802.1x or mac auth?
>>>
>>> This is fine, however when I set the device to unauthorized, I don't receive a prompt for username/password again. I believe what happens is the MAC gets sent first, PacketFence then sets the request as Accept, but unregistered so sends it to the appropriate VLAN, and on the switch the state is Authenticated (as PacketFence technically authenticated it?).
>>>
>>> It depends on how you configured packetfence, if you enable autoregistration for 802.1x then probably your device keeps the credential and retries with them to authenticate.
>>>
>>> In fact you need to provide more information about your pf config, like do you register on a portal / do you autoregister, do you have a connection profile per connection type?
>>>
>>> If you can resume your config it will help to understand what happens exactly.
>>>
>>> Thanks
>>>
>>> Regards
>>>
>>> Fabrice
>>>
>>> Not sure if this makes sense.
>>>
>>> Ideally a device would do 802.1x by default, then fall back to MAB if needed.
>>>
>>> --
>>> Stuart Gendron
>>> IT Support Specialist
>>>
>>> _______________________________________________
>>> PacketFence-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>
>>> --
>>> Fabrice [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
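Fabrice's advice above is to check, on every unplug/replug, what kind of authentication PacketFence actually handled. As an added example (not code from the thread or from PacketFence), the script below parses the packetfence.log lines of the kind posted above into one record per RADIUS authorization, so a MAC accepted via Ethernet-NoEAP (MAB) and handed a VLAN without ever seeing an 802.1x prompt stands out. The sample input reuses the posted lines; the second MAC, the "jdoe" user and the Ethernet-EAP connection-type string are constructed assumptions.

```python
import re

# Constructed sample input: the three relevant lines from the log excerpt in the
# thread, plus one constructed Ethernet-EAP (802.1X) request for a second MAC.
SAMPLE_LOG = """\
Apr 4 20:35:55 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(17117) INFO: [mac:a8:60:b6:09:77:45] handling radius autz request: from switch_ip => (10.100.64.67), connection_type => Ethernet-NoEAP,switch_mac => (88:f0:77:d9:b2:48), mac => [a8:60:b6:09:77:45], port => 49, username => "a860b6097745" (pf::radius::authorize)
Apr 4 20:35:55 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(17117) INFO: [mac:a8:60:b6:09:77:45] PID: "testradius", Status: reg Returned VLAN: (undefined), Role: default (pf::role::fetchRoleForNode)
Apr 4 20:35:55 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(17117) INFO: [mac:a8:60:b6:09:77:45] (10.100.64.67) Added VLAN 88 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Apr 4 20:40:02 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(17117) INFO: [mac:00:11:22:33:44:55] handling radius autz request: from switch_ip => (10.100.64.67), connection_type => Ethernet-EAP,switch_mac => (88:f0:77:d9:b2:48), mac => [00:11:22:33:44:55], port => 50, username => "jdoe" (pf::radius::authorize)
Apr 4 20:40:02 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(17117) INFO: [mac:00:11:22:33:44:55] (10.100.64.67) Added VLAN 10 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
"""

MAC = r"\[mac:(?P<mac>[0-9a-f:]{17})\]"
AUTZ_RE = re.compile(MAC + r" handling radius autz request: from switch_ip => \((?P<switch_ip>[^)]+)\), "
                     r'connection_type => (?P<ctype>[^,]+),.*?port => (?P<port>\d+), username => "(?P<user>[^"]*)"')
ROLE_RE = re.compile(MAC + r' PID: "(?P<pid>[^"]*)", Status: (?P<status>\w+) .*Role: (?P<role>\S+) \(pf::role::fetchRoleForNode\)')
VLAN_RE = re.compile(MAC + r" \(\S+\) Added VLAN (?P<vlan>\d+) to the returned RADIUS Access-Accept")


def parse_authorizations(log_text):
    """One record per RADIUS authorization: the 'handling radius autz request'
    line opens a record for its MAC, and the role / returned-VLAN lines that
    follow for the same MAC are attached to that MAC's most recent record."""
    records, latest = [], {}
    for line in log_text.splitlines():
        if m := AUTZ_RE.search(line):
            rec = {"mac": m["mac"], "switch_ip": m["switch_ip"], "port": int(m["port"]),
                   "connection_type": m["ctype"], "username": m["user"],
                   "pid": None, "status": None, "role": None, "vlan": None}
            records.append(rec)
            latest[m["mac"]] = rec
        elif (m := ROLE_RE.search(line)) and m["mac"] in latest:
            latest[m["mac"]].update(pid=m["pid"], status=m["status"], role=m["role"])
        elif (m := VLAN_RE.search(line)) and m["mac"] in latest:
            latest[m["mac"]]["vlan"] = int(m["vlan"])
    return records


def mab_accepts(records):
    """Authorizations accepted on the MAC address alone (no EAP) that were
    handed a VLAN: these devices never saw an 802.1X prompt."""
    return [r for r in records if r["connection_type"].endswith("NoEAP") and r["vlan"] is not None]


if __name__ == "__main__":
    recs = parse_authorizations(SAMPLE_LOG)
    for r in recs:
        print(f"{r['mac']} port {r['port']}: {r['connection_type']} user={r['username']} role={r['role']} vlan={r['vlan']}")
    print("accepted via MAB:", [r["mac"] for r in mab_accepts(recs)])
```

Run it against a copy of /usr/local/pf/logs/packetfence.log instead of SAMPLE_LOG to see, per port, whether the switch is sending MAB or 802.1x requests and which VLAN each MAC ended up in.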
