Some updates... Packetfence version is 9.3: packetfence-9.3.0-20200113144930.108928498.0007.el7.x86_64

So for Radius DeAuth/CoA I get the following errors with different templates in packetfence.log:

Juniper EX2200v15:

Mar 13 20:27:32 packetfence packetfence: INFO pfperl-api(2998): re-evaluating access (admin_modify called) (pf::enforcement::reevaluate_access)
Mar 13 20:27:32 packetfence packetfence: INFO pfperl-api(2998): Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Mar 13 20:27:32 packetfence packetfence: INFO pfperl-api(2998): VLAN reassignment is forced. (pf::enforcement::_should_we_reassign_vlan)
Mar 13 20:27:32 packetfence packetfence: INFO pfperl-api(2998): switch port is (10.2.0.140) ifIndex 580connection type: Wired MAC Auth (pf::enforcement::_vlan_reevaluation)
Mar 13 20:27:33 packetfence pfqueue: pfqueue(21379) ERROR: [mac:28:d2:44:b1:86:9b] Error handling ReAssignVlan : Can't locate object method "wiredeauthTechniques" via package "pf::Switch::Juniper::EX2200_v15" at /usr/local/pf/lib/pf/api.pm line 360. (pf::api::can_fork::notify)

Juniper EX2200:

Mar 13 20:30:07 packetfence packetfence: INFO pfperl-api(2998): re-evaluating access (admin_modify called) (pf::enforcement::reevaluate_access)
Mar 13 20:30:07 packetfence packetfence: INFO pfperl-api(2998): Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Mar 13 20:30:07 packetfence packetfence: INFO pfperl-api(2998): VLAN reassignment is forced. (pf::enforcement::_should_we_reassign_vlan)
Mar 13 20:30:07 packetfence packetfence: INFO pfperl-api(2998): switch port is (10.2.0.140) ifIndex 580connection type: Wired MAC Auth (pf::enforcement::_vlan_reevaluation)
Mar 13 20:30:08 packetfence pfqueue: pfqueue(21666) ERROR: [mac:28:d2:44:b1:86:9b] Error handling ReAssignVlan : Can't locate object method "wiredeauthTechniques" via package "pf::Switch::Juniper::EX2200" at /usr/local/pf/lib/pf/api.pm line 360.

I also don't see the method/function it's looking for inside the perl files. This returns nothing:

[root@packetfence Switch]# grep wiredauthTechniques /usr/local/pf/lib/pf/Switch/Juniper/*.pm /usr/local/pf/lib/pf/Switch/Juniper.pm

SSH, which is the prescribed solution for the older firmwares in the Network Device Configuration Guide, doesn't work. I get the following error in packetfence.log:

Juniper (base profile):

Mar 13 20:32:42 packetfence packetfence: ERROR pfperl-api(2998): Unable to connect to 10.2.0.140 using SSH. Failed with Login failed to remote host at /usr/local/pf/lib/pf/Switch/Juniper.pm line 135. (pf::Switch::Juniper::setAdminStatus)

Credentials are correct and I can ssh from the packetfence server to the switch without issue. I don't know how to test the specific perl ssh module that's being used though. Of course, I would prefer to not do this for phones, and other cases where multiple devices may be behind a port. So, I'd prefer to see if there's something behind why the 2200 and 2200v15 profiles don't work.

Anyone else think it might be time for a ticket on the github page? I'm reluctant to immediately assume my issues are code related.

*Nicholas P. Pier*
Network Architect
CCNP R&S, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10

On Fri, Mar 13, 2020 at 2:16 PM Zacharry Williams <[email protected]> wrote:

> Not a problem. No change Friday has me a little bored this week. As for the restart port feature, it works. I use it all the time. Not sure what SNMP version you're using but I'm using v3 and haven't had an issue. It may be a MIB that's not loaded.
>
> I have some old EX's laying around somewhere. If I get some time I'll add 'em and see what I can figure out.
>
> What you might try is the filter engines and sending a custom answer in the radius message. Good luck!
>
> On Fri, Mar 13, 2020, 11:04 AM Nicholas Pier <[email protected]> wrote:
>
>> Hey Zacharry,
>>
>> Thanks for making time for the back and forth.
>>
>> I've used all templates (EX, EX2200, EX2200 v15, EX2300) and a mix of auth methods with each. I've tried to be pretty thorough without luck. If someone who's using Juniper switches chimes in and tells me a combo that's working it would really help me to narrow my troubleshooting.
>>
>> *Nicholas P. Pier*
>> Network Architect
>> CCNP R&S, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10
>>
>> On Fri, Mar 13, 2020 at 1:47 PM Zacharry Williams <[email protected]> wrote:
>>
>>> I wonder if it's like the Aruba 2930s where it supports half of 3576 (CoA) only. For device type are you using EX series? Or one of the others? You may have to change the device type and play with it a bit.
>>>
>>> On Fri, Mar 13, 2020, 10:40 AM Nicholas Pier <[email protected]> wrote:
>>>
>>>> I'm seeing conflicting information there. The switch lets me configure an alternate CoA port. It's clearly an option in the CLI.
>>>>
>>>> However, the official documentation doesn't list the EX4200s as supporting changes to authorization. They're an end of support device. So, it could just be that the documentation doesn't cover legacy devices.
>>>>
>>>> https://www.juniper.net/documentation/en_US/junos/topics/topic-map/802-1x-authentication-switching-devices.html
>>>>
>>>> Also, I never see packetfence send a deauth message in a packet capture. So, I don't know if this is a compatibility issue with hardware or a server side configuration issue.
>>>>
>>>> My hope was to find someone in this user group who's successfully using them - which profile - which deauth method - etc...
>>>>
>>>> *Nicholas P. Pier*
>>>> Network Architect
>>>> CCNP R&S, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10
>>>>
>>>> On Fri, Mar 13, 2020 at 1:27 PM Zacharry Williams <[email protected]> wrote:
>>>>
>>>>> Lol whoops! I was working on a couple firewalls and totally mixed up my RFCs! 3576 is the one I meant.
>>>>>
>>>>> On Fri, Mar 13, 2020, 8:49 AM Nicholas Pier <[email protected]> wrote:
>>>>>
>>>>>> **accidentally sent too soon***
>>>>>>
>>>>>> https://www.juniper.net/documentation/en_US/junos/topics/reference/standards/ospf.html
>>>>>> Click on "Platform and Release Support" for details.
>>>>>>
>>>>>> *Nicholas P. Pier*
>>>>>> Network Architect
>>>>>> CCNP R&S, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10
>>>>>>
>>>>>> On Fri, Mar 13, 2020 at 11:48 AM Nicholas Pier <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Zacharry,
>>>>>>>
>>>>>>> How does OSPF help in the scenario? Is that the right RFC?
>>>>>>>
>>>>>>> To answer your question, the OSPF VPN feature is not supported until later hardware (according to the following link).
>>>>>>>
>>>>>>> *Nicholas P. Pier*
>>>>>>> Network Architect
>>>>>>> CCNP R&S, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10
>>>>>>>
>>>>>>> On Fri, Mar 13, 2020 at 11:21 AM Zacharry Williams <[email protected]> wrote:
>>>>>>>
>>>>>>>> Do those switches support RFC 4576?
>>>>>>>>
>>>>>>>> On Thu, Mar 12, 2020, 5:42 PM Nicholas Pier via PacketFence-users <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> The Juniper switches are properly placing nodes on VLANs based on roles if there's an up/down port event. The problem is that I can't seem to get de-authentication devices to change their VLAN without an up/down event. We have an important workflow where a user changes role after logging into a captive portal page. But, the role won't change unless they disconnect/connect or reboot. I also did a packet capture using tcpdump on the packetfence server and never see it send a CoA/Radius message to the switch to deauth the port when a role changes.
>>>>>>>>>
>>>>>>>>> Also, packetfence's feature to restart the port doesn't seem to be working.
>>>>>>>>>
>>>>>>>>> I have an existing Packetfence environment with Cisco switches and am trying to introduce some older Juniper switches (EX4200s with 15.1 firmware). Cisco devices transition VLANs without the need to restart the port manually.
>>>>>>>>>
>>>>>>>>> Can anyone offer some guidance?
>>>>>>>>>
>>>>>>>>> Packetfence version is 9.3.
>>>>>>>>> packetfence-9.3.0-20200113144930.108928498.0007.el7.x86_64
>>>>>>>>> CentOS 7.7 - 3.10.0-1062.12.1.el7.x86_64
>>>>>>>>> I'm using the Juniper::EX2200_v15 template.
>>>>>>>>> Switches affected are EX4200s with JUNOS 15.1R7.9 firmware
>>>>>>>>>
>>>>>>>>> I can provide switch configurations if need-be.
>>>>>>>>>
>>>>>>>>> *Nicholas P. Pier*
>>>>>>>>> Network Architect
>>>>>>>>> CCNP R&S, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10
>>>>>>>>> _______________________________________________
>>>>>>>>> PacketFence-users mailing list
>>>>>>>>> [email protected]
>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>>>>>>
>>>>>>>>

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
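The thread keeps coming back to RFC 3576 (Dynamic Authorization Extensions, now RFC 5176) and to two open questions: whether a Disconnect-Request ever leaves the PacketFence server, and whether the switch answers it correctly. The following Python is an added example written for this page; it is not PacketFence code and not code from anyone in the thread. It builds a Disconnect-Request for the session the logs name (Calling-Station-Id 28:d2:44:b1:86:9b, NAS-IP-Address 10.2.0.140), computes the Request Authenticator the way RFC 3576 specifies, and checks the Response Authenticator of a Disconnect-ACK or Disconnect-NAK against the request. The shared secret, the packet identifier and the simulated switch reply in `demo()` are constructed; `send_disconnect()` is what you would point at your own NAS, with its configured CoA port, when confirming in a packet capture that a message goes out and a verifiable answer comes back.

```python
"""RFC 3576 / RFC 5176 Disconnect-Request builder and ACK/NAK verifier.

Added example for this thread; not PacketFence code. Standard library only.
The shared secret and the identifier used below are constructed placeholders.
"""
import hashlib
import hmac
import ipaddress
import socket
import struct

# Packet codes from RFC 3576 / RFC 5176 (Dynamic Authorization Extensions)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
DYNAUTH_PORT = 3799  # default UDP port for Disconnect/CoA (RFC 5176)

# Attribute types from RFC 2865 / RFC 2866
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44

# Code(1) Identifier(1) Length(2) Authenticator(16): the 20-byte RADIUS header
HEADER = struct.Struct("!BBH16s")


def encode_attribute(attr_type, value):
    """Type-Length-Value; Length counts the two header bytes, so Value is 1..253 bytes."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def session_attributes(mac, nas_ip):
    """Session-identification attributes the NAS uses to find the port to tear down."""
    return encode_attribute(ATTR_CALLING_STATION_ID, mac.encode()) + encode_attribute(
        ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)


def build_disconnect_request(secret, identifier, attributes):
    """Disconnect-Request with the RFC 3576 Request Authenticator:
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    length = HEADER.size + len(attributes)
    zero_auth_header = HEADER.pack(DISCONNECT_REQUEST, identifier, length, bytes(16))
    authenticator = hashlib.md5(zero_auth_header + attributes + secret).digest()
    return HEADER.pack(DISCONNECT_REQUEST, identifier, length, authenticator) + attributes


def build_response(secret, request, code, attributes=b""):
    """What a conforming NAS answers; used here only to simulate the switch side."""
    _, identifier, _, request_auth = HEADER.unpack_from(request)
    length = HEADER.size + len(attributes)
    response_auth = hashlib.md5(
        HEADER.pack(code, identifier, length, request_auth) + attributes + secret).digest()
    return HEADER.pack(code, identifier, length, response_auth) + attributes


def verify_response(secret, request, response):
    """Accept a Disconnect-ACK/NAK only if its Identifier matches the request and its
    Response Authenticator equals
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    if len(response) < HEADER.size:
        return False
    code, identifier, length, response_auth = HEADER.unpack_from(response)
    _, request_id, _, request_auth = HEADER.unpack_from(request)
    if code not in (DISCONNECT_ACK, DISCONNECT_NAK):
        return False
    if identifier != request_id or length != len(response):
        return False
    expected = hashlib.md5(
        HEADER.pack(code, identifier, length, request_auth)
        + response[HEADER.size:] + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def send_disconnect(nas_ip, secret, request, port=DYNAUTH_PORT, timeout=3.0):
    """Send the request to the NAS over UDP; returns (verified, code), or (False, None)
    when nothing comes back (NAS not listening, filtered, or wrong CoA port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (nas_ip, port))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False, None
    return verify_response(secret, request, response), response[0]


def demo():
    """Offline round trip against a simulated switch; True when the ACK verifies."""
    secret = b"constructed-shared-secret"  # placeholder, not a real secret
    request = build_disconnect_request(
        secret, 7, session_attributes("28:d2:44:b1:86:9b", "10.2.0.140"))
    ack = build_response(secret, request, DISCONNECT_ACK)
    return verify_response(secret, request, ack)


if __name__ == "__main__":
    print("Disconnect-ACK verified:", demo())
```

Two caveats when using `send_disconnect()` against real hardware: the NAS looks the session up by the attributes you include, so if Calling-Station-Id alone is not enough on your platform, add Acct-Session-Id or User-Name from the accounting record; and the example omits the Message-Authenticator attribute (type 80), which some NAS implementations require before they will process a Disconnect-Request at all. A Disconnect-NAK verifies just like an ACK, so treat the returned code, not just the boolean, as the diagnostic result.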
