Hello, I am trying to create kind of an isolation network. The authentication takes place with EAP-TLS. The idea is that I build an authentication source with a catchall rule at the end of the list. But after doing so, the phones which earlier authenticated successfully with the voice source are now falling into the catchall rule. Here are the logs:

Aug 21 07:15:27 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2059) INFO: [mac:00:1a:e8:6d:9f:82] handling radius autz request: from switch_ip => (10.86.15.58), connection_type => Ethernet-EAP,switch_mac => (6c:99:89:94:69:2d), mac => [00:1a:e8:6d:9f:82], port => 11145, username => "Telefon" (pf::radius::authorize)
Aug 21 07:15:27 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2059) INFO: [mac:00:1a:e8:6d:9f:82] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Aug 21 07:15:27 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2059) INFO: [mac:00:1a:e8:6d:9f:82] Found authentication source(s) : 'local,Printer,VoIP,Computer,Isolation' for realm 'null' (pf::config::util::filter_authentication_sources)
Aug 21 07:15:27 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2059) WARN: [mac:00:1a:e8:6d:9f:82] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match2)
Aug 21 07:15:27 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2059) INFO: [mac:00:1a:e8:6d:9f:82] Using sources local, Printer, VoIP, Computer, Isolation for matching (pf::authentication::match2)
Aug 21 07:15:27 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2059) INFO: [mac:00:1a:e8:6d:9f:82] Matched rule (catchall) in source Isolation, returning actions. (pf::Authentication::Source::match_rule)
Aug 21 07:15:27 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2059) INFO: [mac:00:1a:e8:6d:9f:82] Matched rule (catchall) in source Isolation, returning actions. (pf::Authentication::Source::match)
Aug 21 07:15:27 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2059) INFO: [mac:00:1a:e8:6d:9f:82] violation 1300003 force-closed for 00:1a:e8:6d:9f:82 (pf::violation::violation_force_close)
Aug 21 07:15:27 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2059) INFO: [mac:00:1a:e8:6d:9f:82] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)

Additionally, I removed the certificate on a client to test the isolation source, but the client is still getting the computer_role. The logs for the client:

Aug 21 07:07:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2059) INFO: [mac:98:e7:f4:35:c9:ab] handling radius autz request: from switch_ip => (10.86.15.58), connection_type => WIRED_MAC_AUTH,switch_mac => (6c:99:89:bc:4f:10), mac => [98:e7:f4:35:c9:ab], port => 10116, username => "98e7f435c9ab" (pf::radius::authorize)
Aug 21 07:07:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2059) INFO: [mac:98:e7:f4:35:c9:ab] Unable to lookup LLDP port from IfIndex. LLDP VoIP detection will not work. Is LLDP enabled? (pf::Switch::Cisco::Catalyst_2950::getPhonesLLDPAtIfIndex)
Aug 21 07:07:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2059) INFO: [mac:98:e7:f4:35:c9:ab] Could not find any IP phones through discovery protocols for ifIndex 10116 (pf::Switch::getPhonesDPAtIfIndex)
Aug 21 07:07:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2059) INFO: [mac:98:e7:f4:35:c9:ab] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Aug 21 07:07:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2059) INFO: [mac:98:e7:f4:35:c9:ab] Connection type is WIRED_MAC_AUTH. Getting role from node_info (pf::role::getRegisteredRole)
Aug 21 07:07:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2059) INFO: [mac:98:e7:f4:35:c9:ab] Username was defined "98e7f435c9ab" - returning role 'computer_role' (pf::role::getRegisteredRole)
Aug 21 07:07:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2059) INFO: [mac:98:e7:f4:35:c9:ab] PID: "default", Status: reg Returned VLAN: (undefined), Role: computer_role (pf::role::fetchRoleForNode)
Aug 21 07:07:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2059) INFO: [mac:98:e7:f4:35:c9:ab] (10.86.15.58) Added VLAN 202 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Aug 21 07:07:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2059) INFO: [mac:98:e7:f4:35:c9:ab] External portal enforcement either not supported '1' or not configured 'N' on network equipment '10.86.15.58' (pf::Switch::externalPortalEnforcement)
Aug 21 07:07:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2059) INFO: [mac:98:e7:f4:35:c9:ab] violation 1300003 force-closed for 98:e7:f4:35:c9:ab (pf::violation::violation_force_close)
Aug 21 07:07:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2059) INFO: [mac:98:e7:f4:35:c9:ab] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)

Does anyone have an idea what is going on? Thank you very much.
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
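When an authentication-source chain misbehaves the way the post describes, the first thing worth doing is collapsing the packetfence_httpd.aaa noise into one decision record per MAC: what connection type and username came in, which sources were consulted, which rule and source answered, and what role/VLAN went back to the switch. The script below is an added example written for this thread; it is not code from the poster or from PacketFence. The regular expressions only understand the message shapes that appear in the logs quoted above, and the sample lines are copied from those logs (two MACs: the phone and the client). The `fell_through` helper is an assumption about what "falling into the catchall" means operationally: the request was answered by the last source in the list that PacketFence reported for it.

```python
"""Summarize PacketFence httpd.aaa RADIUS authorization logs per client MAC.

Added example for debugging authentication-source matching; it is not part of
PacketFence.  It only understands the message formats visible in the post above.
"""
import re
from typing import Dict, List, Optional

# Framing of a packetfence_httpd.aaa line: timestamp, host, pid, level, MAC,
# free-text message, and the emitting Perl sub in trailing parentheses.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) packetfence_httpd\.aaa: "
    r"httpd\.aaa\((?P<pid>\d+)\) (?P<level>\w+): \[mac:(?P<mac>[0-9a-f:]{17})\] "
    r"(?P<msg>.*?) \((?P<sub>pf::[\w:]+)\)\s*$"
)

# Message-level patterns, each taken from a message quoted in the post.
CONN_RE = re.compile(r"connection_type => ([^,\s]+)")
USER_RE = re.compile(r'username => "([^"]*)"')
SOURCES_RE = re.compile(r"Found authentication source\(s\) : '([^']*)' for realm '([^']*)'")
MATCHED_RE = re.compile(r"Matched rule \(([^)]+)\) in source (\S+),")
ROLE_RE = re.compile(r"returning role '([^']+)'")
VLAN_RE = re.compile(r"Added VLAN (\d+) to the returned RADIUS Access-Accept")


def parse_line(line: str) -> Optional[dict]:
    """Split one httpd.aaa line into its fields; None if the line is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def new_entry() -> dict:
    return {"connection_type": None, "username": None, "sources": [], "realm": None,
            "matched": None, "role": None, "vlan": None, "warnings": []}


def summarize(lines: List[str]) -> Dict[str, dict]:
    """Fold the log into one decision record per client MAC."""
    out: Dict[str, dict] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not an httpd.aaa line; ignore
        e = out.setdefault(rec["mac"], new_entry())
        msg = rec["msg"]
        if rec["level"] == "WARN":
            e["warnings"].append(f"{msg} ({rec['sub']})")
        m = CONN_RE.search(msg)
        if m:
            e["connection_type"] = m.group(1)
        m = USER_RE.search(msg)
        if m:
            e["username"] = m.group(1)
        m = SOURCES_RE.search(msg)
        if m:
            e["sources"] = [s for s in m.group(1).split(",") if s]
            e["realm"] = m.group(2)
        m = MATCHED_RE.search(msg)
        if m and e["matched"] is None:  # match_rule and match both log it; keep the first
            e["matched"] = (m.group(1), m.group(2))
        m = ROLE_RE.search(msg)
        if m:
            e["role"] = m.group(1)
        m = VLAN_RE.search(msg)
        if m:
            e["vlan"] = int(m.group(1))
    return out


def fell_through(summary: Dict[str, dict]) -> List[str]:
    """MACs answered by the *last* source in their source list.

    Assumption (mine, not PacketFence's): with a catchall rule at the end of
    the list, this is exactly the case the post describes -- no earlier source
    (e.g. the VoIP one) claimed the request.
    """
    return sorted(mac for mac, e in summary.items()
                  if e["matched"] and e["sources"] and e["matched"][1] == e["sources"][-1])


# Sample input: lines copied from the logs in the post (abbreviated to the ones that matter).
SAMPLE_LOG = [
    'Aug 21 07:15:27 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2059) INFO: [mac:00:1a:e8:6d:9f:82] handling radius autz request: from switch_ip => (10.86.15.58), connection_type => Ethernet-EAP,switch_mac => (6c:99:89:94:69:2d), mac => [00:1a:e8:6d:9f:82], port => 11145, username => "Telefon" (pf::radius::authorize)',
    "Aug 21 07:15:27 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2059) INFO: [mac:00:1a:e8:6d:9f:82] Found authentication source(s) : 'local,Printer,VoIP,Computer,Isolation' for realm 'null' (pf::config::util::filter_authentication_sources)",
    "Aug 21 07:15:27 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2059) WARN: [mac:00:1a:e8:6d:9f:82] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match2)",
    "Aug 21 07:15:27 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2059) INFO: [mac:00:1a:e8:6d:9f:82] Matched rule (catchall) in source Isolation, returning actions. (pf::Authentication::Source::match_rule)",
    "Aug 21 07:15:27 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2059) INFO: [mac:00:1a:e8:6d:9f:82] Matched rule (catchall) in source Isolation, returning actions. (pf::Authentication::Source::match)",
    'Aug 21 07:07:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2059) INFO: [mac:98:e7:f4:35:c9:ab] handling radius autz request: from switch_ip => (10.86.15.58), connection_type => WIRED_MAC_AUTH,switch_mac => (6c:99:89:bc:4f:10), mac => [98:e7:f4:35:c9:ab], port => 10116, username => "98e7f435c9ab" (pf::radius::authorize)',
    'Aug 21 07:07:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2059) INFO: [mac:98:e7:f4:35:c9:ab] Username was defined "98e7f435c9ab" - returning role \'computer_role\' (pf::role::getRegisteredRole)',
    "Aug 21 07:07:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2059) INFO: [mac:98:e7:f4:35:c9:ab] (10.86.15.58) Added VLAN 202 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)",
]

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for mac, e in s.items():
        print(mac, e)
    print("answered by last source:", fell_through(s))
```

Run against a real packetfence.log (one line per list element), the output shows at a glance that the phone arrived as Ethernet-EAP with username "Telefon", was offered the chain local, Printer, VoIP, Computer, Isolation, and was answered by Isolation/catchall, while the client arrived as WIRED_MAC_AUTH and never touched the source chain at all (its role came from node_info). The WARN line about an empty rule class is kept per MAC so it is not lost in the noise.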