Nice! Glad there was a patch ready for it.

On Fri, Mar 13, 2020 at 8:24 PM Nicholas Pier <[email protected]> wrote:

> As a follow-up, the deauth issue is resolved. The resolution required a
> patch.
>
> https://github.com/inverse-inc/packetfence/issues/5203 - My post
> https://github.com/inverse-inc/packetfence/issues/5074 - A related issue
>
> I'll open a separate email chain regarding the SSH issue.
>
> *Nicholas P. Pier*
> Network Architect
> CCNP R&S, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10
>
> On Fri, Mar 13, 2020 at 5:02 PM Zacharry Williams <[email protected]> wrote:
>
>> Module may have not been built at all. I'd open an issue ticket just to
>> get it on the list. Might have been something either overlooked, or that
>> someone tested and it didn't work. Either way you'll get an answer faster.
>>
>> On Fri, Mar 13, 2020 at 1:53 PM Nicholas Pier <[email protected]> wrote:
>>
>>> Some updates...
>>>
>>> Packetfence version is 9.3.
>>> packetfence-9.3.0-20200113144930.108928498.0007.el7.x86_64
>>>
>>> So for Radius DeAuth/CoA I get the following errors with different
>>> templates in packetfence.log:
>>>
>>> Juniper EX2200v15:
>>> Mar 13 20:27:32 packetfence packetfence: INFO pfperl-api(2998): re-evaluating access (admin_modify called) (pf::enforcement::reevaluate_access)
>>> Mar 13 20:27:32 packetfence packetfence: INFO pfperl-api(2998): Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
>>> Mar 13 20:27:32 packetfence packetfence: INFO pfperl-api(2998): VLAN reassignment is forced. (pf::enforcement::_should_we_reassign_vlan)
>>> Mar 13 20:27:32 packetfence packetfence: INFO pfperl-api(2998): switch port is (10.2.0.140) ifIndex 580connection type: Wired MAC Auth (pf::enforcement::_vlan_reevaluation)
>>> Mar 13 20:27:33 packetfence pfqueue: pfqueue(21379) ERROR: [mac:28:d2:44:b1:86:9b] Error handling ReAssignVlan : Can't locate object method "wiredeauthTechniques" via package "pf::Switch::Juniper::EX2200_v15" at /usr/local/pf/lib/pf/api.pm line 360. (pf::api::can_fork::notify)
>>>
>>> Juniper EX2200:
>>> Mar 13 20:30:07 packetfence packetfence: INFO pfperl-api(2998): re-evaluating access (admin_modify called) (pf::enforcement::reevaluate_access)
>>> Mar 13 20:30:07 packetfence packetfence: INFO pfperl-api(2998): Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
>>> Mar 13 20:30:07 packetfence packetfence: INFO pfperl-api(2998): VLAN reassignment is forced. (pf::enforcement::_should_we_reassign_vlan)
>>> Mar 13 20:30:07 packetfence packetfence: INFO pfperl-api(2998): switch port is (10.2.0.140) ifIndex 580connection type: Wired MAC Auth (pf::enforcement::_vlan_reevaluation)
>>> Mar 13 20:30:08 packetfence pfqueue: pfqueue(21666) ERROR: [mac:28:d2:44:b1:86:9b] Error handling ReAssignVlan : Can't locate object method "wiredeauthTechniques" via package "pf::Switch::Juniper::EX2200" at /usr/local/pf/lib/pf/api.pm line 360.
>>>
>>> I also don't see the method/function it's looking for inside the perl
>>> files. This returns nothing:
>>> root@packetfence Switch]# grep wiredauthTechniques /usr/local/pf/lib/pf/Switch/Juniper/*.pm /usr/local/pf/lib/pf/Switch/Juniper.pm
>>>
>>> SSH, which is the prescribed solution for the older firmwares in the
>>> Network Device Configuration Guide, doesn't work. I get the following error
>>> in packetfence.log:
>>>
>>> Juniper (base profile)
>>> Mar 13 20:32:42 packetfence packetfence: ERROR pfperl-api(2998): Unable to connect to 10.2.0.140 using SSH. Failed with Login failed to remote host at /usr/local/pf/lib/pf/Switch/Juniper.pm line 135. (pf::Switch::Juniper::setAdminStatus)
>>>
>>> Credentials are correct and I can ssh from the packetfence server to the
>>> switch without issue. I don't know how to test the specific perl ssh module
>>> that's being used though. Of course, I would prefer to not do this for
>>> phones, and other cases where multiple devices may be behind a port. So,
>>> I'd prefer to see if there's something behind why the 2200 and 2200v15
>>> profiles don't work.
>>>
>>> Anyone else think it might be time for a ticket on the github page? I'm
>>> reluctant to immediately assume my issues are code related.
>>>
>>> *Nicholas P. Pier*
>>> Network Architect
>>> CCNP R&S, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10
>>>
>>> On Fri, Mar 13, 2020 at 2:16 PM Zacharry Williams <[email protected]> wrote:
>>>
>>>> Not a problem. No change Friday has me a little bored this week. As
>>>> for the restart port feature it works. I use it all the time. Not sure what
>>>> snmp version you're using but I'm using v3 and haven't had an issue. It may
>>>> be a mib that's not loaded.
>>>>
>>>> I have some old EXs laying around somewhere. If I get some time I'll
>>>> add em and see what I can figure out.
>>>>
>>>> What you might try is the filter engines and sending a custom answer in
>>>> the radius message. Good luck!
>>>>
>>>> On Fri, Mar 13, 2020, 11:04 AM Nicholas Pier <[email protected]> wrote:
>>>>
>>>>> Hey Zacharry,
>>>>>
>>>>> Thanks for making time for the back and forth.
>>>>>
>>>>> I've used all templates (EX, EX2200, EX2200 v15, EX2300) and a mix of
>>>>> auth methods with each. I've tried to be pretty thorough without luck. If
>>>>> someone who's using Juniper switches chimes in and tells me a combo that's
>>>>> working it would really help me to narrow my troubleshooting.
>>>>>
>>>>> *Nicholas P. Pier*
>>>>> Network Architect
>>>>> CCNP R&S, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10
>>>>>
>>>>> On Fri, Mar 13, 2020 at 1:47 PM Zacharry Williams <[email protected]> wrote:
>>>>>
>>>>>> I wonder if it's like the Aruba 2930s where it supports half of 3576
>>>>>> (COA) only. For device type are you using EX series? Or one of the
>>>>>> others? You may have to change the device type and play with it a bit.
>>>>>>
>>>>>> On Fri, Mar 13, 2020, 10:40 AM Nicholas Pier <[email protected]> wrote:
>>>>>>
>>>>>>> I'm seeing conflicting information there. The switch lets me
>>>>>>> configure an alternate CoA port. It's clearly an option in the CLI.
>>>>>>>
>>>>>>> However, the official documentation doesn't list the EX4200s as
>>>>>>> supporting changes to authorization. They're an end of support device.
>>>>>>> So, it could just be that the documentation doesn't cover legacy devices.
>>>>>>>
>>>>>>> https://www.juniper.net/documentation/en_US/junos/topics/topic-map/802-1x-authentication-switching-devices.html
>>>>>>>
>>>>>>> Also, I never see packetfence send a deauth message in a packet
>>>>>>> capture. So, I don't know if this is a compatibility issue with
>>>>>>> hardware or a server side configuration issue.
>>>>>>>
>>>>>>> My hope was to find someone in this user group who's successfully
>>>>>>> using them - which profile - which deauth method - etc...
>>>>>>>
>>>>>>> *Nicholas P. Pier*
>>>>>>> Network Architect
>>>>>>> CCNP R&S, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10
>>>>>>>
>>>>>>> On Fri, Mar 13, 2020 at 1:27 PM Zacharry Williams <[email protected]> wrote:
>>>>>>>
>>>>>>>> Lol whoops! I was working on a couple firewalls and totally mixed
>>>>>>>> up my rfcs! 3576 is the one I meant.
>>>>>>>>
>>>>>>>> On Fri, Mar 13, 2020, 8:49 AM Nicholas Pier <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> *accidentally sent too soon*
>>>>>>>>>
>>>>>>>>> https://www.juniper.net/documentation/en_US/junos/topics/reference/standards/ospf.html
>>>>>>>>> Click on "Platform and Release Support" for details.
>>>>>>>>>
>>>>>>>>> *Nicholas P. Pier*
>>>>>>>>> Network Architect
>>>>>>>>> CCNP R&S, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10
>>>>>>>>>
>>>>>>>>> On Fri, Mar 13, 2020 at 11:48 AM Nicholas Pier <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Zacharry,
>>>>>>>>>>
>>>>>>>>>> How does OSPF help in the scenario? Is that the right RFC?
>>>>>>>>>>
>>>>>>>>>> To answer your question, the OSPF VPN feature is not supported
>>>>>>>>>> until later hardware (according to the following link).
>>>>>>>>>>
>>>>>>>>>> *Nicholas P. Pier*
>>>>>>>>>> Network Architect
>>>>>>>>>> CCNP R&S, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10
>>>>>>>>>>
>>>>>>>>>> On Fri, Mar 13, 2020 at 11:21 AM Zacharry Williams <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Do those switches support rfc 4576?
>>>>>>>>>>>
>>>>>>>>>>> On Thu, Mar 12, 2020, 5:42 PM Nicholas Pier via PacketFence-users <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hello,
>>>>>>>>>>>>
>>>>>>>>>>>> The Juniper switches are properly placing nodes on vlans based
>>>>>>>>>>>> on roles if there's an up/down port event. The problem is that I can't
>>>>>>>>>>>> seem to get de-authentication devices to change their VLAN without an
>>>>>>>>>>>> up/down event. We have an important workflow where a user changes role
>>>>>>>>>>>> after logging into a captive portal page. But, the role won't change unless
>>>>>>>>>>>> they disconnect/connect or reboot. I also did a packet capture using
>>>>>>>>>>>> tcpdump on the packetfence server and never see it send a CoA/Radius
>>>>>>>>>>>> message to the switch to deauth the port when a role changes.
>>>>>>>>>>>>
>>>>>>>>>>>> Also, packetfence's feature to restart the port doesn't seem to
>>>>>>>>>>>> be working.
>>>>>>>>>>>>
>>>>>>>>>>>> I have an existing Packetfence environment with Cisco switches
>>>>>>>>>>>> and am trying to introduce some older Juniper switches (EX4200s with 15.1
>>>>>>>>>>>> firmware). Cisco devices transition VLANs without the need to restart the
>>>>>>>>>>>> port manually.
>>>>>>>>>>>>
>>>>>>>>>>>> Can anyone offer some guidance?
>>>>>>>>>>>>
>>>>>>>>>>>> Packetfence version is 9.3.
>>>>>>>>>>>> packetfence-9.3.0-20200113144930.108928498.0007.el7.x86_64
>>>>>>>>>>>> CentOS 7.7 - 3.10.0-1062.12.1.el7.x86_64
>>>>>>>>>>>> I'm using the Juniper::EX2200_v15 template.
>>>>>>>>>>>> Switches affected are EX4200s with JUNOS 15.1R7.9 firmware
>>>>>>>>>>>>
>>>>>>>>>>>> I can provide switch configurations if need be.
>>>>>>>>>>>>
>>>>>>>>>>>> *Nicholas P. Pier*
>>>>>>>>>>>> Network Architect
>>>>>>>>>>>> CCNP R&S, PCNSE, VCIX6-DCV, VCIX6-NV, RHCE, CEHv10
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> PacketFence-users mailing list
>>>>>>>>>>>> [email protected]
>>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
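A small triage helper for the packetfence.log symptoms discussed in this thread, added here as an example and not part of the thread or of PacketFence itself: it pulls the "Can't locate object method" ReAssignVlan failures and the SSH login failures out of log lines, so the exact missing method name and the switch module reporting it can be checked against the Perl modules before a ticket is opened. The sample lines are constructed from the excerpts quoted above.

```python
import re
from collections import Counter

# Constructed sample, modelled on the packetfence.log excerpts quoted in the thread.
SAMPLE_LOG = """\
Mar 13 20:27:32 packetfence packetfence: INFO pfperl-api(2998): VLAN reassignment is forced. (pf::enforcement::_should_we_reassign_vlan)
Mar 13 20:27:33 packetfence pfqueue: pfqueue(21379) ERROR: [mac:28:d2:44:b1:86:9b] Error handling ReAssignVlan : Can't locate object method "wiredeauthTechniques" via package "pf::Switch::Juniper::EX2200_v15" at /usr/local/pf/lib/pf/api.pm line 360. (pf::api::can_fork::notify)
Mar 13 20:30:08 packetfence pfqueue: pfqueue(21666) ERROR: [mac:28:d2:44:b1:86:9b] Error handling ReAssignVlan : Can't locate object method "wiredeauthTechniques" via package "pf::Switch::Juniper::EX2200" at /usr/local/pf/lib/pf/api.pm line 360.
Mar 13 20:32:42 packetfence packetfence: ERROR pfperl-api(2998): Unable to connect to 10.2.0.140 using SSH. Failed with Login failed to remote host at /usr/local/pf/lib/pf/Switch/Juniper.pm line 135. (pf::Switch::Juniper::setAdminStatus)
"""

# pfqueue error: a switch module lacks the method the enforcement code calls.
MISSING_METHOD = re.compile(
    r"\[mac:(?P<mac>[0-9a-f:]{17})\] Error handling (?P<task>\w+) : "
    r"Can't locate object method \"(?P<method>\w+)\" via package \"(?P<package>[\w:]+)\""
)
# SSH fallback (setAdminStatus) could not log in to the switch.
SSH_FAILURE = re.compile(
    r"ERROR .*Unable to connect to (?P<ip>\d+\.\d+\.\d+\.\d+) using SSH\. "
    r"Failed with (?P<reason>.+?) at "
)


def parse_failures(text):
    """Return one dict per deauth/CoA failure found in packetfence.log text."""
    found = []
    for line in text.splitlines():
        m = MISSING_METHOD.search(line)
        if m:
            found.append({"kind": "missing_method", **m.groupdict()})
            continue
        m = SSH_FAILURE.search(line)
        if m:
            found.append({"kind": "ssh_failure", **m.groupdict()})
    return found


def packages_missing_method(text, method="wiredeauthTechniques"):
    """Count, per switch module, how often the named method was reported missing."""
    return Counter(f["package"] for f in parse_failures(text)
                   if f["kind"] == "missing_method" and f["method"] == method)


if __name__ == "__main__":
    for failure in parse_failures(SAMPLE_LOG):
        print(failure)
    for pkg, n in packages_missing_method(SAMPLE_LOG).items():
        # The method name printed here is the string to grep for under /usr/local/pf/lib/pf/Switch/.
        print(f"{pkg}: {n} ReAssignVlan failure(s) for wiredeauthTechniques")
```

Running it against a real packetfence.log (`parse_failures(open('/usr/local/pf/logs/packetfence.log').read())`, path assumed) separates a missing-module-method problem from a switch login problem, which in the thread needed two different follow-ups.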
_______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
