Hi everybody!
My colleagues and I are trying to set up 802.1x (Ethernet-EAP) with our
newly purchased Mikrotik devices
(RouterOS 6.47), so that users have to type in their AD username and
domain password to obtain access.
We are currently using PacketFence 9.3.0 with a config that WORKS for
our HP, Juniper and Cisco switches.
But we are not able to set up the new devices. Here are the logs
(only the "mikrotik sections") for a first glance:
radius.log:
...
Jun 9 16:25:03 ippf auth[1644]: Adding client 10.1.99.21/32
Jun 9 16:25:03 ippf auth[1644]: rlm_rest (rest): Closing connection
(20): Hit idle_timeout, was idle for 461123 seconds
Jun 9 16:25:03 ippf auth[1644]: rlm_rest (rest): Closing connection
(21): Hit idle_timeout, was idle for 461123 seconds
Jun 9 16:25:03 ippf auth[1644]: rlm_rest (rest): Opening additional
connection (22), 1 of 64 pending slots used
Jun 9 16:25:03 ippf auth[1644]: (99880) rest: ERROR: Server returned:
Jun 9 16:25:03 ippf auth[1644]: (99880) rest: ERROR:
{"control:PacketFence-Switch-Id":"10.1.99.21","control:PacketFence-Request-Time":1591712703,"Reply-Message":"Network
device does not support this mode of
operation","control:PacketFence-Switch-Mac":"74:4d:28:b2:e4:1b","control:PacketFence-Mac":"5c:9a:d8:66:68:75","control:PacketFence-Switch-Ip-Address":"10.1.99.21","control:PacketFence-Eap-Type":26,"control:PacketFence-Authorization-Status":"allow","control:PacketFence-Connection-Type":"Ethernet-EAP","control:PacketFence-UserName":"sv"}
Jun 9 16:25:03 ippf auth[1644]: Need 2 more connections to reach min
connections (3)
Jun 9 16:25:03 ippf auth[1644]: rlm_rest (rest): Opening additional
connection (23), 1 of 63 pending slots used
Jun 9 16:25:03 ippf auth[1644]: (99880) Rejected in post-auth: [sv]
(from client 10.1.99.21/32 port 0 cli 5c:9a:d8:66:68:75 via TLS tunnel)
Jun 9 16:25:03 ippf auth[1644]: (99880) Login incorrect (rest: Server
returned:): [sv] (from client 10.1.99.21/32 port 0 cli 5c:9a:d8:66:68:75
via TLS tunnel)
Jun 9 16:25:03 ippf auth[1644]: [mac:5c:9a:d8:66:68:75] Rejected user: sv
Jun 9 16:25:03 ippf auth[1644]: (99881) Login incorrect (eap_peap: The
users session was previously rejected: returning reject (again.)): [sv]
(from client 10.1.99.21/32 port 0 cli 5c:9a:d8:66:68:75)
Jun 9 16:25:03 ippf auth[1644]: rlm_rest (rest): Closing connection
(20): Hit idle_timeout, was idle for 461123 seconds
Jun 9 16:25:03 ippf auth[1644]: rlm_rest (rest): Closing connection
(21): Hit idle_timeout, was idle for 461123 seconds
...
And packetfence.log:
...
Jun 9 16:25:03 ippf packetfence_httpd.aaa: httpd.aaa(831) WARN:
[mac:5c:9a:d8:66:68:75] Use of uninitialized value $nas_port in
concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 2375.
(pf::Switch::NasPortToIfIndex)
Jun 9 16:25:03 ippf packetfence_httpd.aaa: httpd.aaa(831) WARN:
[mac:5c:9a:d8:66:68:75] Use of uninitialized value $port in
concatenation (.) or string at /usr/local/pf/lib/pf/radius.pm line 185.
(pf::radius::authorize)
Jun 9 16:25:03 ippf packetfence_httpd.aaa: httpd.aaa(831) INFO:
[mac:5c:9a:d8:66:68:75] handling radius autz request: from switch_ip =>
(10.1.99.21), connection_type => Ethernet-EAP,switch_mac =>
(74:4d:28:b2:e4:1b), mac => [5c:9a:d8:66:68:75], port => , username =>
"sv" (pf::radius::authorize)
Jun 9 16:25:03 ippf packetfence_httpd.aaa: httpd.aaa(831) WARN:
[mac:5c:9a:d8:66:68:75] Switch type 'pf::Switch::Mikrotik' does not
support WiredDot1x (pf::SwitchSupports::__ANON__)
Jun 9 16:25:03 ippf packetfence_httpd.aaa: httpd.aaa(831) WARN:
[mac:5c:9a:d8:66:68:75] (10.1.99.21) Sending REJECT since switch is
unsupported (pf::radius::_switchUnsupportedReply)
Jun 9 16:25:03 ippf packetfence_httpd.aaa: httpd.aaa(831) WARN:
[mac:5c:9a:d8:66:68:75] Use of uninitialized value $nas_port in
concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 2375.
(pf::Switch::NasPortToIfIndex)
Jun 9 16:25:03 ippf packetfence_httpd.aaa: httpd.aaa(831) WARN:
[mac:5c:9a:d8:66:68:75] Use of uninitialized value $port in
concatenation (.) or string at /usr/local/pf/lib/pf/radius.pm line 185.
(pf::radius::authorize)
Jun 9 16:25:03 ippf packetfence_httpd.aaa: httpd.aaa(831) INFO:
[mac:5c:9a:d8:66:68:75] handling radius autz request: from switch_ip =>
(10.1.99.21), connection_type => Ethernet-EAP,switch_mac =>
(74:4d:28:b2:e4:1b), mac => [5c:9a:d8:66:68:75], port => , username =>
"sv" (pf::radius::authorize)
Jun 9 16:25:03 ippf packetfence_httpd.aaa: httpd.aaa(831) WARN:
[mac:5c:9a:d8:66:68:75] Switch type 'pf::Switch::Mikrotik' does not
support WiredDot1x (pf::SwitchSupports::__ANON__)
Jun 9 16:25:03 ippf packetfence_httpd.aaa: httpd.aaa(831) WARN:
[mac:5c:9a:d8:66:68:75] (10.1.99.21) Sending REJECT since switch is
unsupported (pf::radius::_switchUnsupportedReply)
...
Since our other switches work with PF and 802.1x it looks like Mikrotik
is the culprit, but our Mikrotik reseller has
a working 802.1x solution with their own Windows-based RADIUS server. So
my question is: has anyone got Mikrotik switches to work with
PacketFence? Or at least some hints on what to try? Our first configuration
steps
were according to PF's 'Network Devices Configuration Guide', but, as
mentioned, with no luck...
Regards
Chris
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
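As an added triage example (not part of Chris's post and not PacketFence's own code): a small Python parser that groups the packetfence.log lines quoted above by client MAC and pulls out the request details, the capability PacketFence reports the switch module as lacking, and whether a REJECT followed, so the root cause of a "Login incorrect" in radius.log can be read off in one line. The sample text is the three quoted lines with their mail wrapping rejoined; the regular expressions are assumptions derived from the log format shown in the post.

```python
import re
from collections import defaultdict

# Three packetfence.log lines from the post, mail-wrapping rejoined (constructed excerpt).
PF_LOG = (
    'Jun 9 16:25:03 ippf packetfence_httpd.aaa: httpd.aaa(831) INFO: [mac:5c:9a:d8:66:68:75] '
    'handling radius autz request: from switch_ip => (10.1.99.21), connection_type => '
    'Ethernet-EAP,switch_mac => (74:4d:28:b2:e4:1b), mac => [5c:9a:d8:66:68:75], port => , '
    'username => "sv" (pf::radius::authorize)\n'
    "Jun 9 16:25:03 ippf packetfence_httpd.aaa: httpd.aaa(831) WARN: [mac:5c:9a:d8:66:68:75] "
    "Switch type 'pf::Switch::Mikrotik' does not support WiredDot1x (pf::SwitchSupports::__ANON__)\n"
    'Jun 9 16:25:03 ippf packetfence_httpd.aaa: httpd.aaa(831) WARN: [mac:5c:9a:d8:66:68:75] '
    '(10.1.99.21) Sending REJECT since switch is unsupported (pf::radius::_switchUnsupportedReply)\n'
)

# Patterns are assumptions derived from the log format quoted in the post.
MAC_RE = re.compile(r"\[mac:([0-9a-f:]{17})\]")
AUTZ_RE = re.compile(r"switch_ip => \(([^)]*)\), connection_type => ([^,]+),"
                     r'.*?port => ([^,]*), username => "([^"]*)"')
UNSUP_RE = re.compile(r"Switch type '([^']+)' does not support (\w+)")
REJECT_RE = re.compile(r"Sending REJECT since switch is unsupported")

def triage(log_text):
    """Group lines by client MAC; collect request details, the capability the
    switch module is reported to lack, and whether a REJECT was sent."""
    per_mac = defaultdict(dict)
    for line in log_text.splitlines():
        m = MAC_RE.search(line)
        if not m:
            continue  # no client MAC on this line: not part of a request
        rec = per_mac[m.group(1)]
        a = AUTZ_RE.search(line)
        if a:  # "handling radius autz request" line; empty port becomes None
            rec.update(switch_ip=a.group(1), connection_type=a.group(2),
                       port=a.group(3).strip() or None, username=a.group(4))
        u = UNSUP_RE.search(line)
        if u:  # "Switch type '...' does not support <Capability>"
            rec.update(switch_module=u.group(1), missing_capability=u.group(2))
        if REJECT_RE.search(line):
            rec["rejected"] = True
    return dict(per_mac)

def explain(rec):
    """One-line root cause for a record produced by triage()."""
    if rec.get("rejected") and rec.get("missing_capability"):
        return (f"{rec['switch_module']} lacks {rec['missing_capability']} for "
                f"{rec['connection_type']} on {rec['switch_ip']}; user "
                f"{rec['username']} rejected (NAS-Port missing: {rec['port'] is None})")
    return "no unsupported-switch reject found"
```

Run `explain()` over each record from `triage(PF_LOG)`; the empty `port` field also surfaces the `$nas_port` warnings seen in the same log.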