Hi, I'm attempting to set up the FortiGate + 802.1x scenario but I'm running into issues getting the 802.1x to work. This is on a fresh install of PacketFence 9.1 on CentOS 7.5. I think this is because I'm doing this in a way on the FortiGate that is different from the typical WiFi or switch port methods, but rather per-MAC-address authentication of multiple clients connected to a single routed firewall interface. This seems to result in a "Network device does not support this mode of operation" message in the radius log when the FortiGate tries to do 802.1x. Other mailing list messages seem to indicate that this message is related to the NAS-Port-Type missing in the request or PacketFence not liking the value of the NAS-Port-Type for a particular switch. I verified through packet capture that NAS-Port-Type is included in the radius request, but it does have a value of 5 (Virtual) that looks uncommon to me. The text of the packet capture that Wireshark generated and the radius log messages are below.
Can this NAS-Port-Type/EAP Type be added for the FortiGate switch type?
Thanks,
Jason Tally
Frame 1: 217 bytes on wire (1736 bits), 217 bytes captured (1736 bits)
Ethernet II, Src: Fortinet_09:12:12 (00:09:0f:09:12:12), Dst: Cisco_ff:fc:c4 (00:08:e3:ff:fc:c4)
Internet Protocol Version 4, Src: 10.53.196.1, Dst: 10.11.252.7
User Datagram Protocol, Src Port: 24556, Dst Port: 1812
RADIUS Protocol
    Code: Access-Request (1)
    Packet identifier: 0xcb (203)
    Length: 175
    Authenticator: 1d7c34b6e674f770b93d943cd95bedad
    [The response to this request is in frame 2]
    Attribute Value Pairs
        AVP: t=NAS-Identifier(32) l=20 val=US-Holland-3rd-MIT
        AVP: t=User-Name(1) l=19 val=70:ef:00:36:b1:7a
        AVP: t=User-Password(2) l=34 val=Encrypted
        AVP: t=NAS-IP-Address(4) l=6 val=10.53.196.1
        AVP: t=NAS-Port(5) l=6 val=12
        AVP: t=NAS-Port-Type(61) l=6 val=Virtual(5)
        AVP: t=Called-Station-Id(30) l=13 val=10.53.196.1
        AVP: t=Calling-Station-Id(31) l=19 val=70-EF-00-36-B1-7A
        AVP: t=Acct-Session-Id(44) l=10 val=7dd6aab0
        AVP: t=Connect-Info(77) l=10 val=web-auth
        AVP: t=Vendor-Specific(26) l=12 vnd=Fortinet, Inc.(12356)

Frame 2: 62 bytes on wire (496 bits), 62 bytes captured (496 bits)
Ethernet II, Src: Cisco_ff:fc:c4 (00:08:e3:ff:fc:c4), Dst: Fortinet_09:12:12 (00:09:0f:09:12:12)
Internet Protocol Version 4, Src: 10.11.252.7, Dst: 10.53.196.1
User Datagram Protocol, Src Port: 1812, Dst Port: 24556
RADIUS Protocol
    Code: Access-Reject (3)
    Packet identifier: 0xcb (203)
    Length: 20
    Authenticator: a8bd1884f67413f1cc6dbfa08db543b4
    [This is a response to a request in frame 1]
    [Time from request: 1.060000000 seconds]
Oct 3 21:00:06 mitlxnspacketfence auth[1663]: Adding client 10.53.196.1/32
Oct 3 21:00:06 mitlxnspacketfence auth[1663]: rlm_rest (rest): Closing connection (27): Hit idle_timeout, was idle for 721 seconds
Oct 3 21:00:06 mitlxnspacketfence auth[1663]: rlm_rest (rest): Closing connection (29): Hit idle_timeout, was idle for 721 seconds
Oct 3 21:00:06 mitlxnspacketfence auth[1663]: rlm_rest (rest): Closing connection (28): Hit idle_timeout, was idle for 720 seconds
Oct 3 21:00:06 mitlxnspacketfence auth[1663]: rlm_rest (rest): Closing connection (30): Hit idle_timeout, was idle for 720 seconds
Oct 3 21:00:06 mitlxnspacketfence auth[1663]: rlm_rest (rest): Opening additional connection (31), 1 of 64 pending slots used
Oct 3 21:00:06 mitlxnspacketfence auth[1663]: (1415) rest: ERROR: Server returned:
Oct 3 21:00:06 mitlxnspacketfence auth[1663]: (1415) rest: ERROR: {"Reply-Message":"Network device does not support this mode of operation","control:PacketFence-Eap-Type":0,"control:PacketFence-Authorization-Status":"allow","control:PacketFence-Mac":"70:ef:00:36:b1:7a","control:PacketFence-Request-Time":1570136406,"control:PacketFence-Switch-Ip-Address":"10.53.196.1","control:PacketFence-IfIndex":"external","control:PacketFence-UserName":"70:ef:00:36:b1:7a","control:PacketFence-Switch-Id":"10.53.196.1"}
Oct 3 21:00:06 mitlxnspacketfence auth[1663]: Need 2 more connections to reach min connections (3)
Oct 3 21:00:06 mitlxnspacketfence auth[1663]: rlm_rest (rest): Opening additional connection (32), 1 of 63 pending slots used
Oct 3 21:00:06 mitlxnspacketfence auth[1663]: [mac:70:ef:00:36:b1:7a] Rejected user: 70:ef:00:36:b1:7a
Oct 3 21:00:06 mitlxnspacketfence auth[1663]: (1415) Rejected in post-auth: [70:ef:00:36:b1:7a] (from client 10.53.196.1/32 port 12 cli 70:ef:00:36:b1:7a)
Oct 3 21:00:06 mitlxnspacketfence auth[1663]: (1415) Login incorrect (rest: Server returned:): [70:ef:00:36:b1:7a] (from client 10.53.196.1/32 port 12 cli 70:ef:00:36:b1:7a)
Attachment: PacketFenceFortiGateRadius.log.pcap
PacketFence-users mailing list: https://lists.sourceforge.net/lists/listinfo/packetfence-users
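The first thing an engineer triaging a reject like the one above checks is what kind of authentication the NAS is actually asking for: an 802.1x request carries an EAP-Message attribute, while a MAC-based request carries the client MAC as User-Name (with a User-Password) and no EAP at all, and NAS-Port-Type tells the NAC whether to treat the port as wired (Ethernet, 15) or wireless (Wireless-802.11, 19). The script below is an added example and not PacketFence or Fortinet code; it parses the Wireshark AVP summary from the post (embedded as constructed text) plus a constructed wired 802.1x request for contrast, and classifies each using the RFC 2865/3580 attribute semantics rather than PacketFence's own decision logic. Run against the post's capture it reports a MAC-authentication request on a NAS-Port-Type (Virtual, 5) that maps to neither wired nor wireless, which is consistent with the `PacketFence-Eap-Type: 0` in the logged reply.

```python
"""Classify a RADIUS Access-Request from its attributes (added example)."""
import re

# NAS-Port-Type values from RFC 2865 section 5.41 (the subset that matters here).
NAS_PORT_TYPES = {0: "Async", 5: "Virtual", 15: "Ethernet", 19: "Wireless-802.11"}
# Port types a NAC commonly maps to a wired or wireless access medium (RFC 3580).
MEDIUM_BY_PORT_TYPE = {15: "wired", 19: "wireless"}

USER_NAME, CALLING_STATION_ID, NAS_PORT_TYPE, EAP_MESSAGE = 1, 31, 61, 79

# Matches Wireshark's one-line AVP summary, e.g. "AVP: t=NAS-Port(5) l=6 val=12".
AVP_RE = re.compile(
    r"AVP: t=(?P<name>[\w-]+)\((?P<type>\d+)\) l=(?P<len>\d+)(?: val=(?P<val>.*))?"
)
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$", re.IGNORECASE)

# Constructed from the Wireshark summary of frame 1 in the post.
FORTIGATE_REQUEST = """\
AVP: t=NAS-Identifier(32) l=20 val=US-Holland-3rd-MIT
AVP: t=User-Name(1) l=19 val=70:ef:00:36:b1:7a
AVP: t=User-Password(2) l=34 val=Encrypted
AVP: t=NAS-IP-Address(4) l=6 val=10.53.196.1
AVP: t=NAS-Port(5) l=6 val=12
AVP: t=NAS-Port-Type(61) l=6 val=Virtual(5)
AVP: t=Called-Station-Id(30) l=13 val=10.53.196.1
AVP: t=Calling-Station-Id(31) l=19 val=70-EF-00-36-B1-7A
AVP: t=Acct-Session-Id(44) l=10 val=7dd6aab0
AVP: t=Connect-Info(77) l=10 val=web-auth
AVP: t=Vendor-Specific(26) l=12 vnd=Fortinet, Inc.(12356)
"""

# Constructed contrast case (illustrative values, not from the post): what a
# wired 802.1x request from a switch port typically carries.
WIRED_DOT1X_REQUEST = """\
AVP: t=User-Name(1) l=14 val=jdoe@example
AVP: t=NAS-Port-Type(61) l=6 val=Ethernet(15)
AVP: t=Calling-Station-Id(31) l=19 val=AA-BB-CC-11-22-33
AVP: t=EAP-Message(79) l=16 val=02010012016a646f65406578616d706c65
AVP: t=Message-Authenticator(80) l=18 val=00000000000000000000000000000000
"""


def parse_avps(text):
    """Turn Wireshark AVP summary lines into {attribute type: (name, value)}."""
    avps = {}
    for line in text.splitlines():
        m = AVP_RE.search(line)
        if m:
            avps[int(m.group("type"))] = (m.group("name"), m.group("val") or "")
    return avps


def _norm_mac(s):
    """Strip separators and case so '70-EF-..' and '70:ef:..' compare equal."""
    return re.sub(r"[^0-9a-f]", "", s.lower())


def classify(avps):
    """Decide what the NAS is asking for and which medium its port type implies.

    - EAP-Message present                -> 802.1X (the supplicant speaks EAP)
    - no EAP and User-Name == client MAC -> MAC authentication (MAB / mac-auth)
    - otherwise                          -> plain user/password (PAP/CHAP)
    """
    port_code = None
    m = re.search(r"\((\d+)\)\s*$", avps.get(NAS_PORT_TYPE, ("", ""))[1])
    if m:
        port_code = int(m.group(1))
    user = avps.get(USER_NAME, ("", ""))[1]
    calling = avps.get(CALLING_STATION_ID, ("", ""))[1]
    if EAP_MESSAGE in avps:
        method = "802.1X"
    elif MAC_RE.match(user) and _norm_mac(user) == _norm_mac(calling):
        method = "mac-auth"
    else:
        method = "user-password"
    return {
        "method": method,
        "nas_port_type": port_code,
        "nas_port_type_name": NAS_PORT_TYPES.get(port_code, "other"),
        "medium": MEDIUM_BY_PORT_TYPE.get(port_code, "unknown"),
    }


if __name__ == "__main__":
    for label, text in (("FortiGate", FORTIGATE_REQUEST), ("wired 802.1X", WIRED_DOT1X_REQUEST)):
        print(label, classify(parse_avps(text)))
```

The `medium` field is the useful output when a NAC rejects with a "mode of operation" style message: a port type it cannot map to wired or wireless, combined with a MAC-as-username login, means the request is being evaluated as a MAC-authentication flow on an unrecognised port type, which is a different question from whether 802.1x itself is configured.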
