As a follow-up, the deauth issue is resolved. The resolution required a patch.
https://github.com/inverse-inc/packetfence/issues/5203 - My post
https://github.com/inverse-inc/packetfence/issues/5074 - A related issue

I'll open a separate email chain regarding the SSH issue.

*Nicholas P. Pier*
Network Architect
CCNP R&S, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10

On Fri, Mar 13, 2020 at 5:02 PM Zacharry Williams <[email protected]> wrote:

> Module may have not been built at all. I'd open an issue ticket just to
> get it on the list. Might have been something either overlooked, or that
> someone tested and it didn't work. Either way you'll get an answer faster.
>
> On Fri, Mar 13, 2020 at 1:53 PM Nicholas Pier <[email protected]> wrote:
>
>> Some updates...
>>
>> Packetfence version is 9.3.
>> packetfence-9.3.0-20200113144930.108928498.0007.el7.x86_64
>>
>> So for Radius DeAuth/CoA I get the following errors with different
>> templates in packetfence.log:
>>
>> Juniper EX2200v15:
>> Mar 13 20:27:32 packetfence packetfence: INFO pfperl-api(2998): re-evaluating access (admin_modify called) (pf::enforcement::reevaluate_access)
>> Mar 13 20:27:32 packetfence packetfence: INFO pfperl-api(2998): Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
>> Mar 13 20:27:32 packetfence packetfence: INFO pfperl-api(2998): VLAN reassignment is forced. (pf::enforcement::_should_we_reassign_vlan)
>> Mar 13 20:27:32 packetfence packetfence: INFO pfperl-api(2998): switch port is (10.2.0.140) ifIndex 580connection type: Wired MAC Auth (pf::enforcement::_vlan_reevaluation)
>> Mar 13 20:27:33 packetfence pfqueue: pfqueue(21379) ERROR: [mac:28:d2:44:b1:86:9b] Error handling ReAssignVlan : Can't locate object method "wiredeauthTechniques" via package "pf::Switch::Juniper::EX2200_v15" at /usr/local/pf/lib/pf/api.pm line 360. (pf::api::can_fork::notify)
>>
>> Juniper EX2200:
>> Mar 13 20:30:07 packetfence packetfence: INFO pfperl-api(2998): re-evaluating access (admin_modify called) (pf::enforcement::reevaluate_access)
>> Mar 13 20:30:07 packetfence packetfence: INFO pfperl-api(2998): Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
>> Mar 13 20:30:07 packetfence packetfence: INFO pfperl-api(2998): VLAN reassignment is forced. (pf::enforcement::_should_we_reassign_vlan)
>> Mar 13 20:30:07 packetfence packetfence: INFO pfperl-api(2998): switch port is (10.2.0.140) ifIndex 580connection type: Wired MAC Auth (pf::enforcement::_vlan_reevaluation)
>> Mar 13 20:30:08 packetfence pfqueue: pfqueue(21666) ERROR: [mac:28:d2:44:b1:86:9b] Error handling ReAssignVlan : Can't locate object method "wiredeauthTechniques" via package "pf::Switch::Juniper::EX2200" at /usr/local/pf/lib/pf/api.pm line 360.
>>
>> I also don't see the method/function it's looking for inside the perl
>> files. This returns nothing:
>> root@packetfence Switch]# grep wiredauthTechniques /usr/local/pf/lib/pf/Switch/Juniper/*.pm /usr/local/pf/lib/pf/Switch/Juniper.pm
>>
>>
>> SSH, which is the prescribed solution for the older firmwares in the
>> Network Device Configuration Guide, doesn't work. I get the following error
>> in packetfence.log:
>>
>> Juniper (base profile)
>> Mar 13 20:32:42 packetfence packetfence: ERROR pfperl-api(2998): Unable to connect to 10.2.0.140 using SSH. Failed with Login failed to remote host at /usr/local/pf/lib/pf/Switch/Juniper.pm line 135. (pf::Switch::Juniper::setAdminStatus)
>>
>> Credentials are correct and I can ssh from the packetfence server to the
>> switch without issue. I don't know how to test the specific perl ssh module
>> that's being used though. Of course, I would prefer to not do this for
>> phones, and other cases where multiple devices may be behind a port. So,
>> I'd prefer to see if there's something behind why the 2200 and 2200v15
>> profiles don't work.
>>
>> Anyone else think it might be time for a ticket on the github page? I'm
>> reluctant to immediately assume my issues are code related.
>>
>> *Nicholas P. Pier*
>> Network Architect
>> CCNP R&S, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10
>>
>>
>> On Fri, Mar 13, 2020 at 2:16 PM Zacharry Williams <[email protected]> wrote:
>>
>>> Not a problem. No change Friday has me a little bored this week. As for
>>> the restart port feature it works. I use it all the time. Not sure what
>>> snmp version you're using but I'm using v3 and haven't had an issue. It may
>>> be a mib that's not loaded.
>>>
>>> I have some old ex's laying around somewhere. If I get some time I'll
>>> add em and see what I can figure out.
>>>
>>> What you might try is the filter engines and sending a custom answer in
>>> the radius message. Good luck!
>>>
>>> On Fri, Mar 13, 2020, 11:04 AM Nicholas Pier <[email protected]> wrote:
>>>
>>>> Hey Zacharry,
>>>>
>>>> Thanks for making time for the back and forth.
>>>>
>>>> I've used all templates (EX, EX2200, EX2200 v15, EX2300) and a mix of
>>>> auth methods with each. I've tried to be pretty thorough without luck. If
>>>> someone who's using Juniper switches chimes in and tells me a combo that's
>>>> working it would really help me to narrow my troubleshooting.
>>>>
>>>> *Nicholas P. Pier*
>>>> Network Architect
>>>> CCNP R&S, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10
>>>>
>>>>
>>>> On Fri, Mar 13, 2020 at 1:47 PM Zacharry Williams <[email protected]> wrote:
>>>>
>>>>> I wonder if it's like the Aruba 2930s where it supports half of 3576
>>>>> (COA) only. For device type are you using EX series? Or one of the others?
>>>>> You may have to change the device type and play with it a bit
>>>>>
>>>>> On Fri, Mar 13, 2020, 10:40 AM Nicholas Pier <[email protected]> wrote:
>>>>>
>>>>>> I'm seeing conflicting information there. The switch lets me
>>>>>> configure an alternate CoA port. It's clearly an option in the CLI.
>>>>>>
>>>>>> However, the official documentation doesn't list the EX4200s as
>>>>>> supporting changes to authorization. They're an end of support device. So,
>>>>>> it could just be that the documentation doesn't cover legacy devices.
>>>>>>
>>>>>> https://www.juniper.net/documentation/en_US/junos/topics/topic-map/802-1x-authentication-switching-devices.html
>>>>>>
>>>>>> Also, I never see packetfence send a deauth message in a packet
>>>>>> capture. So, I don't know if this is a compatibility issue with hardware or
>>>>>> server side configuration issue.
>>>>>>
>>>>>> My hope was to find someone in this user group who's successfully
>>>>>> using them - which profile - which deauth method - etc...
>>>>>>
>>>>>>
>>>>>> *Nicholas P. Pier*
>>>>>> Network Architect
>>>>>> CCNP R&S, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10
>>>>>>
>>>>>>
>>>>>> On Fri, Mar 13, 2020 at 1:27 PM Zacharry Williams <[email protected]> wrote:
>>>>>>
>>>>>>> Lol whoops! I was working on a couple firewalls and totally mixed up
>>>>>>> my rfcs! 3576 is the one I meant.
>>>>>>>
>>>>>>> On Fri, Mar 13, 2020, 8:49 AM Nicholas Pier <[email protected]> wrote:
>>>>>>>
>>>>>>>> **accidentally sent too soon***
>>>>>>>>
>>>>>>>>
>>>>>>>> https://www.juniper.net/documentation/en_US/junos/topics/reference/standards/ospf.html
>>>>>>>> Click on "Platform and Release Support" for details.
>>>>>>>>
>>>>>>>>
>>>>>>>> *Nicholas P. Pier*
>>>>>>>> Network Architect
>>>>>>>> CCNP R&S, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10
>>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, Mar 13, 2020 at 11:48 AM Nicholas Pier <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi Zachary,
>>>>>>>>>
>>>>>>>>> How does OSPF help in the scenario? Is that the right RFC?
>>>>>>>>>
>>>>>>>>> To answer your question, the OSPF VPN feature is not supported
>>>>>>>>> until later hardware (according to the following link).
>>>>>>>>>
>>>>>>>>> *Nicholas P. Pier*
>>>>>>>>> Network Architect
>>>>>>>>> CCNP R&S, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Fri, Mar 13, 2020 at 11:21 AM Zacharry Williams <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Do those switches support rfc 4576?
>>>>>>>>>>
>>>>>>>>>> On Thu, Mar 12, 2020, 5:42 PM Nicholas Pier via PacketFence-users
>>>>>>>>>> <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hello,
>>>>>>>>>>>
>>>>>>>>>>> The Juniper switches are properly placing nodes on vlans based
>>>>>>>>>>> on roles if there's an up/down port event. The problem is that, I can't
>>>>>>>>>>> seem to get de-authentication devices to change their VLAN without an
>>>>>>>>>>> up/down event. We have an important workflow where a user changes role
>>>>>>>>>>> after logging into a captive portal page. But, the role won't change unless
>>>>>>>>>>> they disconnect/connect or reboot. I also did a packet capture using
>>>>>>>>>>> tcpdump on the packetfence server and never see it send a CoA/Radius
>>>>>>>>>>> message to the switch to deauth the port when a role changes.
>>>>>>>>>>>
>>>>>>>>>>> Also, packetfence's feature to restart the port doesn't seem to
>>>>>>>>>>> be working.
>>>>>>>>>>>
>>>>>>>>>>> I have an existing Packetfence environment with Cisco switches
>>>>>>>>>>> and am trying to introduce some older Juniper switches (EX4200s with 15.1
>>>>>>>>>>> firmware). Cisco devices transition VLANs without the need to restart the
>>>>>>>>>>> port manually.
>>>>>>>>>>>
>>>>>>>>>>> Can anyone offer some guidance?
>>>>>>>>>>>
>>>>>>>>>>> Packetfence version is 9.3.
>>>>>>>>>>> packetfence-9.3.0-20200113144930.108928498.0007.el7.x86_64
>>>>>>>>>>> CentOS 7.7 - 3.10.0-1062.12.1.el7.x86_64
>>>>>>>>>>> I'm using the Juniper::EX2200_v15 template.
>>>>>>>>>>> Switches affected are EX4200s with JUNOS 15.1R7.9 firmware
>>>>>>>>>>>
>>>>>>>>>>> I can provide switch configurations if need-be.
>>>>>>>>>>>
>>>>>>>>>>> *Nicholas P. Pier*
>>>>>>>>>>> Network Architect
>>>>>>>>>>> CCNP R&S, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> PacketFence-users mailing list
>>>>>>>>>>> [email protected]
>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>>>>>>>>
>>>>>>>>>>
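
Added example, not part of any poster's message and not PacketFence's own code: a triage script for the `pfqueue` errors quoted in the thread, which extracts the unresolved method and switch module from `packetfence.log` lines and derives the module file to inspect. The function names are assumptions, the module path is derived from the package name by Perl's naming convention, and the sample lines are the thread's own with the mail wrapping removed.

```python
import re
from collections import defaultdict

# Log lines taken from the thread above (mail-client line wrapping removed).
SAMPLE_LOG = """\
Mar 13 20:27:32 packetfence packetfence: INFO pfperl-api(2998): VLAN reassignment is forced. (pf::enforcement::_should_we_reassign_vlan)
Mar 13 20:27:33 packetfence pfqueue: pfqueue(21379) ERROR: [mac:28:d2:44:b1:86:9b] Error handling ReAssignVlan : Can't locate object method "wiredeauthTechniques" via package "pf::Switch::Juniper::EX2200_v15" at /usr/local/pf/lib/pf/api.pm line 360. (pf::api::can_fork::notify)
Mar 13 20:30:08 packetfence pfqueue: pfqueue(21666) ERROR: [mac:28:d2:44:b1:86:9b] Error handling ReAssignVlan : Can't locate object method "wiredeauthTechniques" via package "pf::Switch::Juniper::EX2200" at /usr/local/pf/lib/pf/api.pm line 360.
Mar 13 20:32:42 packetfence packetfence: ERROR pfperl-api(2998): Unable to connect to 10.2.0.140 using SSH. Failed with Login failed to remote host at /usr/local/pf/lib/pf/Switch/Juniper.pm line 135. (pf::Switch::Juniper::setAdminStatus)
"""

# Matches the Perl "missing method" failure raised while a queue task runs.
MISSING = re.compile(
    r'\[mac:(?P<mac>[0-9a-f:]{17})\] Error handling (?P<task>\w+) : '
    r'Can\'t locate object method "(?P<method>\w+)" via package "(?P<pkg>[\w:]+)"'
)
LIB_ROOT = "/usr/local/pf/lib"  # library root as it appears in the thread's paths


def module_path(package, lib_root=LIB_ROOT):
    """Map a Perl package name to its .pm file (standard Perl convention)."""
    return f"{lib_root}/{package.replace('::', '/')}.pm"


def missing_methods(log_text):
    """Group failed queue tasks by the (package, method) Perl could not resolve."""
    found = defaultdict(lambda: {"macs": set(), "tasks": set(), "count": 0})
    for line in log_text.splitlines():
        m = MISSING.search(line)
        if not m:
            continue  # INFO lines and unrelated errors (e.g. the SSH failure)
        entry = found[(m["pkg"], m["method"])]
        entry["macs"].add(m["mac"])
        entry["tasks"].add(m["task"])
        entry["count"] += 1
    return dict(found)


def defines_method(perl_source, method):
    """True if the source text declares `sub <method>` itself (parents not checked)."""
    return re.search(rf"^\s*sub\s+{re.escape(method)}\b", perl_source, re.M) is not None


if __name__ == "__main__":
    for (pkg, method), info in missing_methods(SAMPLE_LOG).items():
        print(f"{method} missing in {pkg} ({info['count']}x, tasks={sorted(info['tasks'])})")
        print(f"  check: grep -n 'sub {method}' {module_path(pkg)}")
```

Taking the method name from the log line keeps the follow-up search on the exact string Perl reported.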
