Good afternoon everyone,
I'm working on a replacement PacketFence installation to replace our VERY, VERY
old PacketFence 3.5.0. In doing so, we're looking to increase our security from
MAC Based Security to EAP and NEAP.
We have a manufacturer-homogeneous environment in which we use only
Avaya/Nortel/Extreme switches of the 3500, 4800, 5500, 5600 and 5900 Series
switches. I've been able to get the 4800s and 5900s working using both EAP and
NEAP. However, I'm having a terrible time getting NEAP to work on the 5600s and
5500s.
Below is a working NEAP and EAP connection on an ERS4800 complete with RADIUS
printouts and logs from the server.
*** 4850 ***
*** NEAP ***
httpd.aaa(52738) INFO: [mac:a8:20:66:29:95:85] handling radius autz request:
from switch_ip => (172.16.75.48), connection_type => Ethernet-NoEAP,switch_mac
=> (SWITCH), mac => [a8:20:66:29:95:85], port => 29, username =>
"a8:20:66:29:95:85" (pf::radius::authorize)
httpd.aaa(52738) WARN: [mac:a8:20:66:29:95:85] Switch type
'pf::Switch::Avaya::ERS5000_6x' does not support Cdp
(pf::SwitchSupports::__ANON__)
httpd.aaa(52738) INFO: [mac:a8:20:66:29:95:85] Could not find any IP phones
through discovery protocols for ifIndex 29 (pf::Switch::getPhonesDPAtIfIndex)
httpd.aaa(52738) INFO: [mac:a8:20:66:29:95:85] Instantiate profile default
(pf::Connection::ProfileFactory::_from_profile)
httpd.aaa(52738) WARN: [mac:a8:20:66:29:95:85] Switch type
'pf::Switch::Avaya::ERS5000_6x' does not support MABFloatingDevices
(pf::SwitchSupports::__ANON__)
httpd.aaa(52738) INFO: [mac:a8:20:66:29:95:85] Found authentication source(s) :
'UNBDOMAIN' for realm 'null' (pf::config::util::filter_authentication_sources)
httpd.aaa(52738) INFO: [mac:a8:20:66:29:95:85] Connection type is MAC-AUTH.
Getting role from Authorization source (pf::role::getRegisteredRole)
httpd.aaa(52738) INFO: [mac:a8:20:66:29:95:85] Username was defined
"a8:20:66:29:95:85" - returning role 'BuildingNet' (pf::role::getRegisteredRole)
httpd.aaa(52738) INFO: [mac:a8:20:66:29:95:85] PID: "g018r", Status: reg
Returned VLAN: (undefined), Role: BuildingNet (pf::role::fetchRoleForNode)
httpd.aaa(52738) INFO: [mac:a8:20:66:29:95:85] (172.16.75.48) Added VLAN 75 to
the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
httpd.aaa(52738) INFO: [mac:a8:20:66:29:95:85] Match rule 1:all&vlan_75
(pf::access_filter::radius::test)
RADIUS Request
User-Name = "a8:20:66:29:95:85"
User-Password = "******"
NAS-IP-Address = 172.16.75.48
NAS-Port = 29
Service-Type = Login-User
Called-Station-Id = "SWITCH"
Calling-Station-Id = "a8:20:66:29:95:85"
NAS-Port-Type = Ethernet
Event-Timestamp = "Feb 18 2020 14:53:11 AST"
NAS-Port-Id = "0/29"
Stripped-User-Name = "a8:20:66:29:95:85"
Realm = "null"
FreeRADIUS-Client-IP-Address = 172.16.75.48
PacketFence-KeyBalanced = "27976f2388778312dd4908cee7499d95"
PacketFence-Radius-Ip = "10.5.13.25"
Attr-26.562.180 = 0x00000000
SQL-User-Name = "a8:20:66:29:95:85"
RADIUS Reply
Reply-Message = "Request processed by PacketFence"
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-Id = "75"
Egress-VLANID = 838860875
Tunnel-Type = VLAN
*** EAP ***
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] handling radius autz request:
from switch_ip => (172.16.75.48), connection_type => Ethernet-EAP,switch_mac =>
(SWITCH), mac => [24:b6:fd:fc:39:ed], port => 23, username =>
"host/FR-ITS-28381.ad.unb.ca" (pf::radius::authorize)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] is doing machine auth with
account 'host/FR-ITS-28381.ad.unb.ca'. (pf::radius::authorize)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Instantiate profile
DomainMachines (pf::Connection::ProfileFactory::_from_profile)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Found authentication source(s) :
'UNBDOMAIN-Machines' for realm 'ad.unb.ca'
(pf::config::util::filter_authentication_sources)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Using sources UNBDOMAIN-Machines
for matching (pf::authentication::match2)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Matched rule (Everyone) in
source UNBDOMAIN-Machines, returning actions.
(pf::Authentication::Source::match_rule)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Matched rule (Everyone) in
source UNBDOMAIN-Machines, returning actions.
(pf::Authentication::Source::match)
httpd.aaa(52738) WARN: [mac:24:b6:fd:fc:39:ed] Switch type
'pf::Switch::Avaya::ERS5000_6x' does not support MABFloatingDevices
(pf::SwitchSupports::__ANON__)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Found authentication source(s) :
'UNBDOMAIN-Machines' for realm 'ad.unb.ca'
(pf::config::util::filter_authentication_sources)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Role has already been computed
and we don't want to recompute it. Getting role from node_info
(pf::role::getRegisteredRole)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Username was defined
"host/FR-ITS-28381.ad.unb.ca" - returning role 'BuildingNet'
(pf::role::getRegisteredRole)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] PID:
"host/FR-ITS-28381.ad.unb.ca", Status: reg Returned VLAN: (undefined), Role:
BuildingNet (pf::role::fetchRoleForNode)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] (172.16.75.48) Added VLAN 75 to
the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
pfqueue(104870) INFO: [mac:unknown] Already did a person lookup for
host/FR-ITS-28381.ad.unb.ca (pf::lookup::person::lookup_person)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Match rule 1:all&vlan_75
(pf::access_filter::radius::test)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] security_event 1300003
force-closed for 24:b6:fd:fc:39:ed
(pf::security_event::security_event_force_close)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Instantiate profile
DomainMachines (pf::Connection::ProfileFactory::_from_profile)
RADIUS Request
User-Name = "host/FR-ITS-28381.ad.unb.ca"
NAS-IP-Address = 172.16.75.48
NAS-Port = 23
Service-Type = Framed-User
Framed-MTU = 1490
State = 0x25920796249b1d65694ece287ebe464c
Called-Station-Id = "SWITCH"
Calling-Station-Id = "24b6fdfc39ed"
NAS-Port-Type = Ethernet
Event-Timestamp = "Feb 18 2020 14:17:28 AST"
EAP-Message = 0x020900061a03
NAS-Port-Id = "0/23"
FreeRADIUS-Proxied-To = 127.0.0.1
EAP-Type = MSCHAPv2
Realm = "ad.unb.ca"
PacketFence-Domain = "UNBDOMAIN"
PacketFence-KeyBalanced = "911d2640025aa742fc8890e3c5a50b6e"
PacketFence-Radius-Ip = "10.5.13.25"
PacketFence-NTLMv2-Only = ""
Attr-26.562.180 = 0x00000000
Attr-26.562.183 = 0x00000000
User-Password = "******"
SQL-User-Name = "host/FR-ITS-28381.ad.unb.ca"
RADIUS Reply
MS-MPPE-Encryption-Policy = Encryption-Required
MS-MPPE-Encryption-Types = 4
MS-MPPE-Send-Key = 0x504e36e78a213b69bb8a1c570a21ee13
MS-MPPE-Recv-Key = 0x1202abbe75113721a5e78f6620d117cd
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "host/FR-ITS-28381.ad.unb.ca"
Reply-Message = "Request processed by PacketFence"
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-Id = "75"
Egress-VLANID = 838860875
Tunnel-Type = VLAN
The 4850's configuration for EAP is as follows:
eapol multihost allow-non-eap-enable
eapol multihost radius-non-eap-enable
eapol multihost use-radius-assigned-vlan
eapol multihost non-eap-use-radius-assigned-vlan
eapol multihost eap-packet-mode unicast
eapol multihost multivlan enable
eapol multihost non-eap-reauthentication-enable
interface Ethernet ALL
eapol multihost port 1-47 enable eap-mac-max 3 non-eap-mac-max 3 radius-non-eap-enable use-radius-assigned-vlan non-eap-use-radius-assigned-vlan eap-packet-mode unicast mac-max 3
exit
interface Ethernet ALL
eapol port 1-47 status auto re-authentication enable
re-authentication-period 3300
exit
eapol multihost voip-vlan 1 enable vid 2075
! eapol enable
*** 5650 ***
*** NEAP ***
httpd.aaa(52738) WARN: [mac:a8:20:66:29:95:85] Switch type
'pf::Switch::Avaya::ERS5000_6x' does not support VPN
(pf::SwitchSupports::__ANON__)
httpd.aaa(52738) WARN: [mac:a8:20:66:29:95:85] CLI Access is not permit on this
switch 172.16.75.56 (pf::radius::switch_access)
RADIUS Request
User-Name = "a82066299585"
User-Password = "******"
NAS-IP-Address = 172.16.75.56
NAS-Port = 19
Service-Type = Login-User
NAS-Port-Type = Ethernet
Event-Timestamp = "Feb 19 2020 14:57:39 AST"
Stripped-User-Name = "a82066299585"
Realm = "null"
FreeRADIUS-Client-IP-Address = 172.16.75.56
PacketFence-KeyBalanced = "e8ef48faa82ab19678f69f55f5f8a242"
PacketFence-Radius-Ip = "10.5.13.25"
Attr-26.562.180 = 0x00000000
Module-Failure-Message = "rest: Server returned:"
Module-Failure-Message = "rest:
{\"control:PacketFence-Authorization-Status\":\"allow\",\"Reply-Message\":\"CLI
or VPN Access is not allowed by PacketFence on this switch\"}"
SQL-User-Name = "a82066299585"
RADIUS Reply
NIL
*** EAP ***
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] handling radius autz request:
from switch_ip => (172.16.75.56), connection_type => Ethernet-EAP,switch_mac =>
(Unknown), mac => [24:b6:fd:fc:39:ed], port => 27, username =>
"host/FR-ITS-28381.ad.unb.ca" (pf::radius::authorize)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] is doing machine auth with
account 'host/FR-ITS-28381.ad.unb.ca'. (pf::radius::authorize)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Instantiate profile
DomainMachines (pf::Connection::ProfileFactory::_from_profile)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Found authentication source(s) :
'UNBDOMAIN-Machines' for realm 'ad.unb.ca'
(pf::config::util::filter_authentication_sources)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Using sources UNBDOMAIN-Machines
for matching (pf::authentication::match2)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Matched rule (Everyone) in
source UNBDOMAIN-Machines, returning actions.
(pf::Authentication::Source::match_rule)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Matched rule (Everyone) in
source UNBDOMAIN-Machines, returning actions.
(pf::Authentication::Source::match)
httpd.aaa(52738) WARN: [mac:24:b6:fd:fc:39:ed] Switch type
'pf::Switch::Avaya::ERS5000_6x' does not support MABFloatingDevices
(pf::SwitchSupports::__ANON__)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Found authentication source(s) :
'UNBDOMAIN-Machines' for realm 'ad.unb.ca'
(pf::config::util::filter_authentication_sources)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Role has already been computed
and we don't want to recompute it. Getting role from node_info
(pf::role::getRegisteredRole)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Username was defined
"host/FR-ITS-28381.ad.unb.ca" - returning role 'BuildingNet'
(pf::role::getRegisteredRole)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] PID:
"host/FR-ITS-28381.ad.unb.ca", Status: reg Returned VLAN: (undefined), Role:
BuildingNet (pf::role::fetchRoleForNode)
pfqueue(104870) INFO: [mac:unknown] Already did a person lookup for
host/FR-ITS-28381.ad.unb.ca (pf::lookup::person::lookup_person)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] (172.16.75.56) Added VLAN 75 to
the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Match rule 1:all&vlan_75
(pf::access_filter::radius::test)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] security_event 1300003
force-closed for 24:b6:fd:fc:39:ed
(pf::security_event::security_event_force_close)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Instantiate profile
DomainMachines (pf::Connection::ProfileFactory::_from_profile)
RADIUS Request
User-Name = "host/FR-ITS-28381.ad.unb.ca"
NAS-IP-Address = 172.16.75.56
NAS-Port = 27
Service-Type = Framed-User
Framed-MTU = 1490
State = 0x0f6e5adf0e674092fcd27d9f3dcc219d
Calling-Station-Id = "24:b6:fd:fc:39:ed"
NAS-Port-Type = Ethernet
Event-Timestamp = "Feb 19 2020 15:00:15 AST"
EAP-Message = 0x020900061a03
FreeRADIUS-Proxied-To = 127.0.0.1
EAP-Type = MSCHAPv2
Realm = "ad.unb.ca"
PacketFence-Domain = "UNBDOMAIN"
PacketFence-KeyBalanced = "911d2640025aa742fc8890e3c5a50b6e"
PacketFence-Radius-Ip = "10.5.13.25"
PacketFence-NTLMv2-Only = ""
Attr-26.562.180 = 0x00000000
User-Password = "******"
SQL-User-Name = "host/FR-ITS-28381.ad.unb.ca"
RADIUS Reply
MS-MPPE-Encryption-Policy = Encryption-Required
MS-MPPE-Encryption-Types = 4
MS-MPPE-Send-Key = 0xf22767034318ab508c8f1147408aecfd
MS-MPPE-Recv-Key = 0x6101d7aca23e0af2f49dd04a85e1aecd
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "host/FR-ITS-28381.ad.unb.ca"
Reply-Message = "Request processed by PacketFence"
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-Id = "75"
Egress-VLANID = 838860875
Tunnel-Type = VLAN
The 5698's configuration for EAP is as follows:
eapol multihost allow-non-eap-enable
eapol multihost radius-non-eap-enable
eapol multihost use-radius-assigned-vlan
eapol multihost non-eap-use-radius-assigned-vlan
eapol multihost eap-packet-mode unicast
eapol multihost multivlan enable
eapol multihost non-eap-reauthentication-enable
interface Ethernet ALL
eapol multihost port 1-47 enable eap-mac-max 3 non-eap-mac-max 3 radius-non-eap-enable use-radius-assigned-vlan non-eap-use-radius-assigned-vlan eap-packet-mode unicast mac-max 3
eapol multihost port 48-98 mac-max 2
exit
interface Ethernet ALL
eapol port 1-47 status auto re-authentication enable
re-authentication-period 3300
exit
eapol multihost voip-vlan 1 enable vid 2075
! eapol enable
If I had to guess, the 5600 series switches are not sending the
Calling-Station-Id, which they should be for both EAP and NEAP. Anyone have any
guesses where to go from here? Anyone have any ideas? A working installation
that uses both NEAP and EAP on Avaya/Nortel/Extreme 5500 and 5600 series
switches?
To make matters more interesting, I have a working switch that used the Avaya
IDE for both NEAP and EAP, and it works great. Copying the configuration from
one to the other does not work.
Any information would be helpful.
Cheers,
CHRIS CRAWFORD
Network Analyst * Information Technology Services
T 506 453-4695 C 506 260-8795
[University of New Brunswick]
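The two NEAP request dumps in the post can be compared mechanically rather than by eye. The following Python script is an added example and is not code from the post, from PacketFence or from FreeRADIUS. It parses the two NEAP request dumps (copied, abbreviated, from the post), lists the attributes the ERS5650 request lacks relative to the working ERS4850 one, normalizes the two spellings of the MAC in User-Name ("a8:20:66:29:95:85" versus "a82066299585"), and decodes the Egress-VLANID value seen in the replies according to RFC 4675 (that decoder is general and goes beyond the single value on the page). The rule in classify_request() is an assumption modelled on the log message "CLI or VPN Access is not allowed by PacketFence on this switch"; it is not PacketFence's actual pf::radius logic.

```python
"""Compare FreeRADIUS attribute dumps from a working and a failing MAC-auth
(NEAP) request.

Added example, not PacketFence or FreeRADIUS code. classify_request() is an
assumption modelled on the post's log message, not pf::radius logic. The two
sample dumps are copied (abbreviated) from the mailing-list post.
"""
import re

# Working NEAP request on the ERS4850 (abbreviated from the post).
WORKING_4850 = """\
User-Name = "a8:20:66:29:95:85"
User-Password = "******"
NAS-IP-Address = 172.16.75.48
NAS-Port = 29
Service-Type = Login-User
Called-Station-Id = "SWITCH"
Calling-Station-Id = "a8:20:66:29:95:85"
NAS-Port-Type = Ethernet
NAS-Port-Id = "0/29"
"""

# Failing NEAP request on the ERS5650 (abbreviated from the post).
FAILING_5650 = """\
User-Name = "a82066299585"
User-Password = "******"
NAS-IP-Address = 172.16.75.56
NAS-Port = 19
Service-Type = Login-User
NAS-Port-Type = Ethernet
Module-Failure-Message = "rest: Server returned:"
Module-Failure-Message = "rest: {...}"
"""


def parse_dump(text):
    """Parse 'Attribute = value' lines into a dict; repeated attributes
    (e.g. Module-Failure-Message) are collected into a list."""
    attrs = {}
    for line in text.splitlines():
        if " = " not in line:
            continue
        name, value = line.split(" = ", 1)
        name, value = name.strip(), value.strip().strip('"')
        if name in attrs:
            prev = attrs[name]
            attrs[name] = prev + [value] if isinstance(prev, list) else [prev, value]
        else:
            attrs[name] = value
    return attrs


def normalize_mac(value):
    """Return aa:bb:cc:dd:ee:ff for the MAC spellings seen in the post
    (colon-separated or bare 12 hex digits); None if value is not a MAC."""
    if re.sub(r"[0-9a-fA-F:.\-]", "", value):  # any non-MAC character present
        return None
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def classify_request(attrs):
    """Heuristic (assumption, see docstring): what the request looks like
    from its attributes alone."""
    if "EAP-Message" in attrs:
        return "eap"
    if attrs.get("NAS-Port-Type") == "Ethernet" and "Calling-Station-Id" in attrs:
        return "mac-auth"
    # No EAP payload and no client MAC in Calling-Station-Id: nothing binds
    # the request to an access port, so it looks like a switch management login.
    return "cli-login"


def missing_attributes(working, failing):
    """Attributes present in the working request but absent from the failing one."""
    return sorted(set(working) - set(failing))


def decode_egress_vlanid(value):
    """Decode an RFC 4675 Egress-VLANID integer into (tag_indicator, vlan_id):
    top octet 0x31 = tagged, 0x32 = untagged; low 12 bits = VLAN ID."""
    tag = {0x31: "tagged", 0x32: "untagged"}.get(value >> 24, "unknown")
    return tag, value & 0xFFF


if __name__ == "__main__":
    w, f = parse_dump(WORKING_4850), parse_dump(FAILING_5650)
    print("4850 classified as:", classify_request(w))
    print("5650 classified as:", classify_request(f))
    print("attributes missing on 5650:", missing_attributes(w, f))
    print("User-Name MACs match:", normalize_mac(w["User-Name"]) == normalize_mac(f["User-Name"]))
    print("Egress-VLANID 838860875 ->", decode_egress_vlanid(838860875))
```

Run stand-alone, the script reports the ERS5650 request as lacking Called-Station-Id, Calling-Station-Id and NAS-Port-Id, which is the same gap the post's author suspects. From a defender's point of view the refusal is the safe outcome: a NAS that omits the client MAC gives the NAC nothing to bind the port to, so it should not be granted an access VLAN on the strength of a MAC-looking User-Name alone. The Egress-VLANID decode (0x3200004B: untagged, VLAN 75) confirms the reply is consistent with Tunnel-Private-Group-Id = "75".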
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users