Ludovic,

Thanks for the suggestion. Unfortunately this did not work. I also factory reset the switch to try fresh with your suggestion. When changing the settings on the NIC I get "attempting to authenticate", but never get a popup box like the install manual states. Is there anything different in Win 10 vs. Win 7 cited in the install manual?

From: Ludovic Zammit <[email protected]>
Sent: Monday, June 1, 2020 3:17 PM
To: Kosta Hontos <[email protected]>
Cc: [email protected]
Subject: Re: [PacketFence-users] PF initial setup

Hello Kosta,

I think your problem lies where you do MAC authentication only:

switch port config:

    dot1x port-control mac-based

Switch it with:

    dot1x port-control auto

Try it out and let me know. You have to have the 802.1x supplicant on the Windows but also allow it to negotiate at the port level.

Thanks,

Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

On Jun 1, 2020, at 2:43 PM, Kosta Hontos via PacketFence-users <[email protected]> wrote:

Hello PF community!

PacketFence looks like a great fit for one of my clients but I can't seem to get 802.1x working and was hoping the community could help me out. I believe in paid-for support on critical items like this, but want to make sure it's a good working fit before my client puts their money on the table. This is my first time using this mailing list so I hope I am doing this right.

Here is where I am at:

When I connect a Windows 10 computer to a downlink port, I get no prompt for credentials even though the "automatically use login credentials" option is unchecked. Authentication obviously fails and I see nothing in audit logs or unregistered nodes.

When I connect a Win 10 computer to a downlink port that does not have 802.1x configured, set to my default employee VLAN, the hostname and MAC show up under unregistered nodes.

AD testing: It seems like AD and roles are configured properly. When I test the connection profile it authenticates and assigns the right role based on the department AD attribute.

Here is my EdgeSwitch config on the latest 1.9.1 lite firmware:

PF server: 10.10.3.240 (L3 vlan pvid 3)
Switch: 10.10.3.14 (same subnet/vlan as PF management interface listed above)
Registration: vlan 2005 (L3 vlan, PacketFence DHCP, no ACLs or inter-vlan restrictions during setup)
Isolation: vlan 2006 (L3 vlan, PacketFence DHCP, no ACLs or inter-vlan restrictions during setup)
MAC detection: 2007 (L2 vlan)
Management VLAN pvid: 3

All the vlans are assigned on the switch group profile which get inherited by the switch (10.10.3.14) in the PacketFence config. Auto-VOIP works on 802.1x configured ports.

\\Global config:

    vlan database
    vlan 1
    vlan 3
    vlan 110
    vlan 115
    vlan 120
    vlan 130
    vlan 2005
    vlan 2006
    vlan 2007
    exit
    configure
    dot1x system-auth-control
    aaa authentication dot1x default radius
    authorization network radius
    dot1x dynamic-vlan enable
    voice vlan
    //note: does not let me specify pvid like it does in the documentation, but the vlan assignment works for phones. Maybe updated cli
    radius accounting mode
    radius server host auth "10.10.3.240" name "PacketFence"
    radius server key auth "10.10.3.240"
    radius server primary "10.10.3.240"
    no radius server msgauth "10.10.3.240"
    radius server attribute 4 10.10.3.14
    radius server attribute 32 "EdgeSwitch"
    radius server host acct "10.10.3.240" name PacketFence-ACCT
    radius server key acct "10.10.3.240"
    snmp-server community [censored] ro
    snmp-server community [censored] rw
    exit

\\uplink

    dot1x port-control force-authorized
    vlan participation include 1,3,110,115,120,130,2005,2006,2007
    vlan tagging 1,110,115,120,130,2005,2006,2007

\\downlink

    dot1x port-control mac-based
    dot1x re-authentication
    dot1x timeout reauth-period 1800
    dot1x timeout supp-timeout 10
    dot1x timeout guest-vlan-period 3
    dot1x timeout server-timeout 1800
    dot1x mac-auth-bypass
    dot1x unauthenticated-vlan 2007
    vlan participation include 1,3,110,115,120,130,2005,2006,2007
    voice vlan 115
    auto-voip protocol-based
    lldp transmit
    lldp receive
    lldp transmit-tlv port-desc
    lldp transmit-tlv sys-name
    lldp transmit-tlv sys-desc
    lldp transmit-tlv sys-cap
    lldp transmit-mgmt
    lldp notification
    lldp med
    lldp med confignotification
    exit

Please let me know if someone sees an error in my config, or has next troubleshooting steps.

Thanks community!

Kosta Hontos | Tier III Technical Consultant
Sondhi Solutions
47 South Pennsylvania St. Suite 400
Indianapolis, IN 46204
317.503.8951
sondhisolutions.com

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
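
The settings this thread turns on (port-control mode, MAC authentication bypass, the RADIUS msgauth line, and the VLANs a port references) can be pulled out of a config dump mechanically. The following Python check is an added example, not part of the original messages or of PacketFence; the bracketed stanza labels, function names and finding texts are assumptions, and `no radius server msgauth` is read here as disabling the Message-Authenticator attribute for that server.

```python
import re

# Constructed input: commands quoted in the thread; [labels] are an assumption.
SAMPLE = """\
[global]
no radius server msgauth "10.10.3.240"
[uplink]
dot1x port-control force-authorized
[downlink]
dot1x port-control mac-based
dot1x mac-auth-bypass
dot1x unauthenticated-vlan 2007
vlan participation include 1,3,110,115,120,130,2005,2006,2007
voice vlan 115
"""

def parse(text):
    """Split labelled config text into {stanza: [commands]}."""
    stanzas, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        label = re.fullmatch(r"\[(\w+)\]", line)
        if label:
            current = stanzas.setdefault(label.group(1), [])
        elif line and current is not None:
            current.append(line)
    return stanzas

def audit(text):
    """Return (stanza, finding) pairs for settings relevant to 802.1X."""
    findings = []
    for name, cmds in parse(text).items():
        member = set()  # VLANs this stanza's port participates in
        for c in cmds:
            m = re.fullmatch(r"vlan participation include ([\d,]+)", c)
            if m:
                member |= {int(v) for v in m.group(1).split(",") if v}
        for c in cmds:
            if c == "dot1x port-control mac-based":
                findings.append((name, "port-control mac-based (reply suggests auto)"))
            elif c == "dot1x mac-auth-bypass":
                findings.append((name, "MAC authentication bypass enabled"))
            elif c.startswith("no radius server msgauth"):
                findings.append((name, "RADIUS Message-Authenticator disabled"))
            m = re.fullmatch(r"(?:dot1x unauthenticated-vlan|voice vlan) (\d+)", c)
            if m and int(m.group(1)) not in member:
                findings.append((name, f"VLAN {m.group(1)} not in participation list"))
    return findings

for stanza, finding in audit(SAMPLE):
    print(f"{stanza}: {finding}")
```
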
