Module may have not been built at all. I'd open an issue ticket just to get
it on the list. Might have been something either overlooked, or that
someone tested and it didn't work. Either way you'll get an answer faster.

On Fri, Mar 13, 2020 at 1:53 PM Nicholas Pier <[email protected]> wrote:

> Some updates...
>
> Packetfence version is 9.3.
> packetfence-9.3.0-20200113144930.108928498.0007.el7.x86_64
>
> So for Radius DeAuth/CoA I get the following errors with different
> templates in packetfence.log:
>
> Juniper EX2200v15:
> Mar 13 20:27:32 packetfence packetfence: INFO pfperl-api(2998):
> re-evaluating access (admin_modify called)
> (pf::enforcement::reevaluate_access)
> Mar 13 20:27:32 packetfence packetfence: INFO pfperl-api(2998):
> Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
> Mar 13 20:27:32 packetfence packetfence: INFO pfperl-api(2998): VLAN
> reassignment is forced. (pf::enforcement::_should_we_reassign_vlan)
> Mar 13 20:27:32 packetfence packetfence: INFO pfperl-api(2998): switch
> port is (10.2.0.140) ifIndex 580connection type: Wired MAC Auth
> (pf::enforcement::_vlan_reevaluation)
> Mar 13 20:27:33 packetfence pfqueue: pfqueue(21379) ERROR:
> [mac:28:d2:44:b1:86:9b] Error handling ReAssignVlan : Can't locate object
> method "wiredeauthTechniques" via package "pf::Switch::Juniper::EX2200_v15"
> at /usr/local/pf/lib/pf/api.pm line 360.
>  (pf::api::can_fork::notify)
>
> Juniper EX2200:
> Mar 13 20:30:07 packetfence packetfence: INFO pfperl-api(2998):
> re-evaluating access (admin_modify called)
> (pf::enforcement::reevaluate_access)
> Mar 13 20:30:07 packetfence packetfence: INFO pfperl-api(2998):
> Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
> Mar 13 20:30:07 packetfence packetfence: INFO pfperl-api(2998): VLAN
> reassignment is forced. (pf::enforcement::_should_we_reassign_vlan)
> Mar 13 20:30:07 packetfence packetfence: INFO pfperl-api(2998): switch
> port is (10.2.0.140) ifIndex 580connection type: Wired MAC Auth
> (pf::enforcement::_vlan_reevaluation)
> Mar 13 20:30:08 packetfence pfqueue: pfqueue(21666) ERROR:
> [mac:28:d2:44:b1:86:9b] Error handling ReAssignVlan : Can't locate object
> method "wiredeauthTechniques" via package "pf::Switch::Juniper::EX2200" at
> /usr/local/pf/lib/pf/api.pm line 360.
>
> I also don't see the method/function it's looking for inside the perl
> files. This returns nothing:
> root@packetfence Switch]# grep wiredauthTechniques
> /usr/local/pf/lib/pf/Switch/Juniper/*.pm
> /usr/local/pf/lib/pf/Switch/Juniper.pm
>
>
> SSH, which is the prescribed solution for the older firmwares in the
> Network Device Configuration Guide, doesn't work. I get the following error
> in packetfence.log:
>
> Juniper (base profile)
> Mar 13 20:32:42 packetfence packetfence: ERROR pfperl-api(2998): Unable to
> connect to 10.2.0.140 using SSH. Failed with Login failed to remote host at
> /usr/local/pf/lib/pf/Switch/Juniper.pm line 135.
>  (pf::Switch::Juniper::setAdminStatus)
>
> Credentials are correct and I can ssh from the packetfence server to the
> switch without issue. I don't know how to test the specific perl ssh module
> that's being used though. Of course, I would prefer to not do this for
> phones, and other cases where multiple devices may be behind a port. So,
> I'd prefer to see if there's something behind why the 2200 and 2200v15
> profiles don't work.
>
> Anyone else think it might be time for a ticket on the github page? I'm
> reluctant to immediately assume my issues are code related.
>
> *Nicholas P. Pier*
> Network Architect
> CCNP R&S, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10
>
>
> On Fri, Mar 13, 2020 at 2:16 PM Zacharry Williams <[email protected]>
> wrote:
>
>> Not a problem. No change Friday has me a little bored this week.  As for
>> the restart port feature it works. I use it all the time. Not sure what
>> snmp version you're using but I'm using v3 and haven't had an issue. It may
>> be a mib that's not loaded.
>>
>> I have some old ex's laying around somewhere. If I get some time I'll add
>> em and see what I can figure out.
>>
>> What you might try is the filter engines and sending a custom answer in
>> the radius message. Good luck!
>>
>> On Fri, Mar 13, 2020, 11:04 AM Nicholas Pier <[email protected]> wrote:
>>
>>> Hey Zacharry,
>>>
>>> Thanks for making time for the back and forth.
>>>
>>> I've used all templates (EX, EX2200, EX2200 v15, EX2300) and a mix of
>>> auth methods with each. I've tried to be pretty thorough without luck. If
>>> someone who's using Juniper switches chimes in and tells me a combo that's
>>> working it would really help me to narrow my troubleshooting.
>>>
>>> *Nicholas P. Pier*
>>> Network Architect
>>> CCNP R&S, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10
>>>
>>>
>>> On Fri, Mar 13, 2020 at 1:47 PM Zacharry Williams <[email protected]>
>>> wrote:
>>>
>>>> I wonder if it's like the Aruba 2930s where it supports half of 3576
>>>> (COA) only.  For device type are you using EX series? Or one of the others?
>>>> You may have to change the device type and play with it a bit
>>>>
>>>> On Fri, Mar 13, 2020, 10:40 AM Nicholas Pier <[email protected]> wrote:
>>>>
>>>>> I'm seeing conflicting information there. The switch lets me configure
>>>>> an alternate CoA port. It's clearly an option in the CLI.
>>>>>
>>>>> However, the official documentation doesn't list the EX4200s as
>>>>> supporting changes to authorization.  They're an end of support device.
>>>>> So, it could just be that the documentation doesn't cover legacy devices.
>>>>>
>>>>> https://www.juniper.net/documentation/en_US/junos/topics/topic-map/802-1x-authentication-switching-devices.html
>>>>>
>>>>> Also, I never see packetfence send a deauth message in a packet
>>>>> capture. So, I don't know if this is a compatibility issue with hardware
>>>>> or server side configuration issue.
>>>>>
>>>>> My hope was to find someone in this user group who's successfully
>>>>> using them - which profile - which deauth method - etc...
>>>>>
>>>>>
>>>>> *Nicholas P. Pier*
>>>>> Network Architect
>>>>> CCNP R&S, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10
>>>>>
>>>>>
>>>>> On Fri, Mar 13, 2020 at 1:27 PM Zacharry Williams <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> Lol whoops! I was working on a couple firewalls and totally mixed up
>>>>>> my rfcs! 3576 is the one I meant.
>>>>>>
>>>>>> On Fri, Mar 13, 2020, 8:49 AM Nicholas Pier <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> **accidentally sent too soon***
>>>>>>>
>>>>>>>
>>>>>>> https://www.juniper.net/documentation/en_US/junos/topics/reference/standards/ospf.html
>>>>>>> Click on "Platform and Release Support" for details.
>>>>>>>
>>>>>>>
>>>>>>> *Nicholas P. Pier*
>>>>>>> Network Architect
>>>>>>> CCNP R&S, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Mar 13, 2020 at 11:48 AM Nicholas Pier <[email protected]>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi Zachary,
>>>>>>>>
>>>>>>>> How does OSPF help in the scenario? Is that the right RFC?
>>>>>>>>
>>>>>>>> To answer your question, the OSPF VPN feature is not supported
>>>>>>>> until later hardware (according to the following link).
>>>>>>>>
>>>>>>>> *Nicholas P. Pier*
>>>>>>>> Network Architect
>>>>>>>> CCNP R&S, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10
>>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, Mar 13, 2020 at 11:21 AM Zacharry Williams <
>>>>>>>> [email protected]> wrote:
>>>>>>>>
>>>>>>>>> Do those switches support rfc 4576?
>>>>>>>>>
>>>>>>>>> On Thu, Mar 12, 2020, 5:42 PM Nicholas Pier via PacketFence-users <
>>>>>>>>> [email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> The Juniper switches are properly placing nodes on vlans based on
>>>>>>>>>> roles if there's an up/down port event. The problem is that, I can't
>>>>>>>>>> seem to get de-authentication devices to change their VLAN without an
>>>>>>>>>> up/down event. We have an important workflow where a user changes role
>>>>>>>>>> after logging into a captive portal page. But, the role won't change
>>>>>>>>>> unless they disconnect/connect or reboot. I also did a packet capture
>>>>>>>>>> using tcpdump on the packetfence server and never see it send a
>>>>>>>>>> CoA/Radius message to the switch to deauth the port when a role changes.
>>>>>>>>>>
>>>>>>>>>> Also, packetfence's feature to restart the port doesn't seem to
>>>>>>>>>> be working.
>>>>>>>>>>
>>>>>>>>>> I have an existing Packetfence environment with Cisco switches
>>>>>>>>>> and am trying to introduce some older Juniper switches (EX4200s with
>>>>>>>>>> 15.1 firmware). Cisco devices transition VLANs without the need to
>>>>>>>>>> restart the port manually.
>>>>>>>>>>
>>>>>>>>>> Can anyone offer some guidance?
>>>>>>>>>>
>>>>>>>>>> Packetfence version is 9.3.
>>>>>>>>>> packetfence-9.3.0-20200113144930.108928498.0007.el7.x86_64
>>>>>>>>>> CentOS 7.7 - 3.10.0-1062.12.1.el7.x86_64
>>>>>>>>>> I'm using the  Juniper::EX2200_v15 template.
>>>>>>>>>> Switches affected are EX4200s with JUNOS 15.1R7.9 firmware
>>>>>>>>>>
>>>>>>>>>> I can provide switch configurations if need-be.
>>>>>>>>>>
>>>>>>>>>> *Nicholas P. Pier*
>>>>>>>>>> Network Architect
>>>>>>>>>> CCNP R&S, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10
>>>>>>>>>> _______________________________________________
>>>>>>>>>> PacketFence-users mailing list
>>>>>>>>>> [email protected]
>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>>>>>>>
>>>>>>>>>
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
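
Added example (not part of the thread and not PacketFence code): a shell check that takes the method and package names from the "Can't locate object method" log line itself and walks the package's "use base" chain looking for a matching "sub". The log line (joined from the wrapped lines above) and the three-file module tree are constructed samples; single inheritance through a quoted "use base" line is an assumption.

```shell
#!/bin/sh
# Added example; the log line and module tree are constructed samples.
sample_log() {
cat <<'EOF'
Mar 13 20:27:33 packetfence pfqueue: pfqueue(21379) ERROR: [mac:28:d2:44:b1:86:9b] Error handling ReAssignVlan : Can't locate object method "wiredeauthTechniques" via package "pf::Switch::Juniper::EX2200_v15" at /usr/local/pf/lib/pf/api.pm line 360.
EOF
}

# Print "method package" for each "Can't locate object method" error on stdin.
missing_methods() {
    sed -n "s/.*Can't locate object method \"\([^\"]*\)\" via package \"\([^\"]*\)\".*/\1 \2/p" | sort -u
}

# pf::Switch::Juniper -> pf/Switch/Juniper.pm
package_path() { printf '%s.pm\n' "$(printf '%s' "$1" | sed 's|::|/|g')"; }

# First quoted package on a "use base"/"use parent" line of file $1.
parent_of() {
    sed -nE "s/^[[:space:]]*use[[:space:]]+(base|parent)[^'\"]*['\"]([A-Za-z0-9_:]+).*/\2/p" "$1" | head -n 1
}

# $1=method $2=package $3=lib root: print the package in the chain that
# defines the method, or MISSING (static check; AUTOLOAD is not seen).
resolve_method() {
    method=$1 pkg=$2 root=$3
    while [ -n "$pkg" ]; do
        file="$root/$(package_path "$pkg")"
        [ -f "$file" ] || break
        if grep -Eq "^[[:space:]]*sub[[:space:]]+$method([^A-Za-z0-9_]|\$)" "$file"; then
            printf '%s\n' "$pkg"; return 0
        fi
        pkg=$(parent_of "$file")
    done
    printf 'MISSING\n'
}

# Constructed three-level tree; only setAdminStatus is defined (in pf::Switch).
make_sample_tree() {
    root=$(mktemp -d) && mkdir -p "$root/pf/Switch/Juniper" || return 1
    printf 'package pf::Switch;\nsub setAdminStatus { }\n1;\n' > "$root/pf/Switch.pm"
    printf "package pf::Switch::Juniper;\nuse base ('pf::Switch');\n1;\n" > "$root/pf/Switch/Juniper.pm"
    printf "package pf::Switch::Juniper::EX2200_v15;\nuse base ('pf::Switch::Juniper');\n1;\n" > "$root/pf/Switch/Juniper/EX2200_v15.pm"
    printf '%s\n' "$root"
}
tree=$(make_sample_tree)
sample_log | missing_methods | while read -r m p; do
    printf '%s via %s -> %s\n' "$m" "$p" "$(resolve_method "$m" "$p" "$tree")"
done
rm -rf "$tree"
```

On a real install, pipe packetfence.log into missing_methods and pass /usr/local/pf/lib as the root to resolve_method.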