Re: [PacketFence-users] CLI ACCESS TO SWITCH - FAILED

Ezeh Victor via PacketFence-users Tue, 08 Jun 2021 22:30:02 -0700

Hi Ludovic,

I am not sure I understand how this command is used.


Kindly find what u tried below;
[image: image.png]
[image: image.png]

Your guidance will be appreciated.

On Mon, 7 Jun 2021 at 17:09, Zammit, Ludovic <luza...@akamai.com> wrote:

> Did you re-add your switch without the /32?
>
> Give me the output of:
>
> mysql -p -upf pf -e "select nasname from radius_nas”
>
> Thanks,
>
> *Ludovic Zammit*
> *Product Support Engineer Principal*
> *Cell:* +1.613.670.8432
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
> Connect with Us: <https://community.akamai.com> <http://blogs.akamai.com>
> <https://twitter.com/akamai> <http://www.facebook.com/AkamaiTechnologies>
> <http://www.linkedin.com/company/akamai-technologies>
> <http://www.youtube.com/user/akamaitechnologies?feature=results_main>
>
> On Jun 7, 2021, at 11:08 AM, Ezeh Victor <vickeyzed...@gmail.com> wrote:
>
> Hi Ludovic,
>
> Is there something else I should check to verify what the issue might be?
>
> On Thu, 3 Jun 2021 at 23:50, Ezeh Victor <vickeyzed...@gmail.com> wrote:
>
>> Hi Ludovic,
>>
>> The switch was not added with /32 as seen below;
>> <image.png>
>> <image.png>
>>
>> Or what exactly is being referred to?
>>
>> On Thu, 3 Jun 2021 at 21:08, Zammit, Ludovic <luza...@akamai.com> wrote:
>>
>>> Don’t add your switch with /32, clone it and remove /32 and try again.
>>>
>>> Thanks,
>>>
>>> *Ludovic Zammit*
>>> *Product Support Engineer Principal*
>>> *Cell:* +1.613.670.8432
>>> Akamai Technologies - Inverse
>>> 145 Broadway
>>> Cambridge, MA 02142
>>> Connect with Us: <https://community.akamai.com/>
>>> <http://blogs.akamai.com/>
>>> <https://urldefense.com/v3/__https://twitter.com/akamai__;!!GjvTz_vk!Ab7bS5waU-yBD_81an-f5r1xInpdK81FU-On9Tk_uGVV_mSENMBXgZA4OAeoUg$>
>>> <https://urldefense.com/v3/__http://www.facebook.com/AkamaiTechnologies__;!!GjvTz_vk!Ab7bS5waU-yBD_81an-f5r1xInpdK81FU-On9Tk_uGVV_mSENMBXgZCIgejhbw$>
>>> <https://urldefense.com/v3/__http://www.linkedin.com/company/akamai-technologies__;!!GjvTz_vk!Ab7bS5waU-yBD_81an-f5r1xInpdK81FU-On9Tk_uGVV_mSENMBXgZBu520SBw$>
>>> <https://urldefense.com/v3/__http://www.youtube.com/user/akamaitechnologies?feature=results_main__;!!GjvTz_vk!Ab7bS5waU-yBD_81an-f5r1xInpdK81FU-On9Tk_uGVV_mSENMBXgZBlQ9xcPw$>
>>>
>>> On Jun 3, 2021, at 12:16 PM, Ezeh Victor <vickeyzed...@gmail.com> wrote:
>>>
>>> Hi Ludovic,
>>>
>>> That feature is now turned on as seen below;
>>> <image.png>
>>>
>>> httpd.aaa and radiusd-auth services were restarted after this
>>>
>>> But the error still persists but with a different log message:
>>>
>>>
>>> *Jun  3 17:10:55 IKJDC-PRD-PKF01 auth[12075]: [mac:] Rejected user:
>>> ciscopiJun  3 17:10:55 IKJDC-PRD-PKF01 auth[12075]: (1290157) Rejected in
>>> post-auth: [ciscopi] (from client 172.29.1.16/32
>>> <https://urldefense.com/v3/__http://172.29.1.16/32__;!!GjvTz_vk!ABP6xJ_ORORRZQcQvDk11-8j2qlOKG3QFWJKt0PrunEwkdA2J6CnVWhKfD_IBw$>
>>> port 1)Jun  3 17:10:55 IKJDC-PRD-PKF01 auth[12075]: (1290157) Login
>>> incorrect (rest: Server returned:): [ciscopi] (from client 172.29.1.16/32
>>> <https://urldefense.com/v3/__http://172.29.1.16/32__;!!GjvTz_vk!ABP6xJ_ORORRZQcQvDk11-8j2qlOKG3QFWJKt0PrunEwkdA2J6CnVWhKfD_IBw$>
>>> port 1)*
>>>
>>>
>>> On Thu, 3 Jun 2021 at 17:03, Zammit, Ludovic <luza...@akamai.com> wrote:
>>>
>>>> It says that the CLI Radius login is not permitted, did you check the
>>>> box on the switch config in PF ?
>>>>
>>>> <PastedGraphic-4.tiff>
>>>>
>>>> Thanks,
>>>>
>>>> *Ludovic Zammit*
>>>> *Product Support Engineer Principal*
>>>> *Cell:* +1.613.670.8432
>>>> Akamai Technologies - Inverse
>>>> 145 Broadway
>>>> Cambridge, MA 02142
>>>> Connect with Us: <https://community.akamai.com/>
>>>> <http://blogs.akamai.com/>
>>>> <https://urldefense.com/v3/__https://twitter.com/akamai__;!!GjvTz_vk!ABP6xJ_ORORRZQcQvDk11-8j2qlOKG3QFWJKt0PrunEwkdA2J6CnVWhRP_okcg$>
>>>> <https://urldefense.com/v3/__http://www.facebook.com/AkamaiTechnologies__;!!GjvTz_vk!ABP6xJ_ORORRZQcQvDk11-8j2qlOKG3QFWJKt0PrunEwkdA2J6CnVWgD_Sro-w$>
>>>> <https://urldefense.com/v3/__http://www.linkedin.com/company/akamai-technologies__;!!GjvTz_vk!ABP6xJ_ORORRZQcQvDk11-8j2qlOKG3QFWJKt0PrunEwkdA2J6CnVWgkxfneBA$>
>>>> <https://urldefense.com/v3/__http://www.youtube.com/user/akamaitechnologies?feature=results_main__;!!GjvTz_vk!ABP6xJ_ORORRZQcQvDk11-8j2qlOKG3QFWJKt0PrunEwkdA2J6CnVWgMOOHD4w$>
>>>>
>>>> On Jun 3, 2021, at 11:27 AM, Ezeh Victor <vickeyzed...@gmail.com>
>>>> wrote:
>>>>
>>>> Hi Ludovic,
>>>>
>>>> Kindly find errors below;
>>>>
>>>> Packetfence.log: *packetfence_httpd.aaa: httpd.aaa(10470) WARN:
>>>> [mac:a8:51:5b:c8:3f:67] CLI Access is not permit on this switch 172.29.1.16
>>>> (pf::radius::switch_access)*
>>>> <image.png>
>>>>
>>>> Radius.log:
>>>> *Jun  3 16:11:56 IKJDC-PRD-PKF01 auth[12075]: (1286075) rest: ERROR:
>>>> Server returned:*
>>>>
>>>>
>>>>
>>>> *Jun  3 16:11:56 IKJDC-PRD-PKF01 auth[12075]: (1286075) rest: ERROR:
>>>> {"control:PacketFence-Authorization-Status":"allow","Reply-Message":"CLI or
>>>> VPN Access is not allowed by PacketFence on this switch"}Jun  3 16:11:56
>>>> IKJDC-PRD-PKF01 auth[12075]: [mac:] Rejected user: ciscopiJun  3 16:11:56
>>>> IKJDC-PRD-PKF01 auth[12075]: (1286075) Rejected in post-auth: [ciscopi]
>>>> (from client 172.29.1.16/32
>>>> <https://urldefense.com/v3/__http://172.29.1.16/32__;!!GjvTz_vk!GSKYmLR2pndwTcTNvoM4939F7-2D21WD6V-lOVsf2R1oqIU8cT7Qr3fWyaHsMg$>
>>>> port 1)*
>>>> <image.png>
>>>>
>>>>
>>>> From the radius logs, it seems the switch is not accepting access via
>>>> CLI and it needs to be enabled from Packetfence.
>>>>
>>>> I have reviewed the configuration on the switch section in PacketFence
>>>> and also added the credentials for login to the CLI tab and yet I receive
>>>> the same error message.
>>>>
>>>> On Wed, 2 Jun 2021 at 19:07, Zammit, Ludovic <luza...@akamai.com>
>>>> wrote:
>>>>
>>>>> Hello Victor,
>>>>>
>>>>> It’s probably an authentication issue, check in the radius.log and
>>>>> packetfence.log for errors.
>>>>>
>>>>> The password need to be sent in clear from the switch to PF.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> *Ludovic Zammit*
>>>>> *Product Support Engineer Principal*
>>>>> *Cell:* +1.613.670.8432
>>>>> Akamai Technologies - Inverse
>>>>> 145 Broadway
>>>>> Cambridge, MA 02142
>>>>> Connect with Us: <https://community.akamai.com/>
>>>>> <http://blogs.akamai.com/>
>>>>> <https://urldefense.com/v3/__https://twitter.com/akamai__;!!GjvTz_vk!GSKYmLR2pndwTcTNvoM4939F7-2D21WD6V-lOVsf2R1oqIU8cT7Qr3cZeoA23A$>
>>>>> <https://urldefense.com/v3/__http://www.facebook.com/AkamaiTechnologies__;!!GjvTz_vk!GSKYmLR2pndwTcTNvoM4939F7-2D21WD6V-lOVsf2R1oqIU8cT7Qr3dO9Maypw$>
>>>>> <https://urldefense.com/v3/__http://www.linkedin.com/company/akamai-technologies__;!!GjvTz_vk!GSKYmLR2pndwTcTNvoM4939F7-2D21WD6V-lOVsf2R1oqIU8cT7Qr3dguSc2cg$>
>>>>> <https://urldefense.com/v3/__http://www.youtube.com/user/akamaitechnologies?feature=results_main__;!!GjvTz_vk!GSKYmLR2pndwTcTNvoM4939F7-2D21WD6V-lOVsf2R1oqIU8cT7Qr3dItV6Kog$>
>>>>>
>>>>> On Jun 2, 2021, at 11:50 AM, Ezeh Victor <vickeyzed...@gmail.com>
>>>>> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> Thank you for your email.
>>>>>
>>>>> I tried out that command and retried access but this is the error I
>>>>> received;
>>>>>
>>>>> <image.png>
>>>>>
>>>>> The ciscopi account is a locally created account on PacketFence with
>>>>> an action set to Admin Role *CLI Switches* that was created within
>>>>> Admin Access - (CLI Read and CLI Write).
>>>>>
>>>>> Does the software image running on the switch also affect this funtion?
>>>>>
>>>>> On Wed, 2 Jun 2021 at 11:46, Quiniou-Briand, Nicolas <
>>>>> nquin...@akamai.com> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>>
>>>>>>
>>>>>> Could you try to add following commands in switch configuration:
>>>>>>
>>>>>>
>>>>>>
>>>>>> #v+
>>>>>>
>>>>>> conf t
>>>>>>
>>>>>> aaa authorization exec default group packetfence local
>>>>>>
>>>>>> #v-
>>>>>>
>>>>>>
>>>>>>
>>>>>> I recently worked with Cisco IOS XE Software, Version 16.09.05 and
>>>>>> this step was mandatory.
>>>>>>
>>>>>> Without this line, it was possible to connect to switch but user get
>>>>>> privilege 1. If you try to use “enable”, it doesn’t work.
>>>>>>
>>>>>>
>>>>>>
>>>>>> *Nicolas Quiniou-Briand*
>>>>>> *Product Support Engineer*
>>>>>>
>>>>>> <image001.png>
>>>>>>
>>>>>> *Office:* +33156696210
>>>>>>
>>>>>> Akamai Technologies
>>>>>> 145 Broadway
>>>>>> Cambridge, MA 02142
>>>>>>
>>>>>> Connect with Us:
>>>>>>
>>>>>> <image002.jpg> <https://community.akamai.com/> <image003.png>
>>>>>> <http://blogs.akamai.com/> <image004.png>
>>>>>> <https://urldefense.com/v3/__https://twitter.com/akamai__;!!GjvTz_vk!Gma_IAPl6qJeAvlr8GwY3vxTjN3I4UloaBaougPxCIcekFdN-OhAMsonEWpNFQ$>
>>>>>>  <image005.png>
>>>>>> <https://urldefense.com/v3/__http://www.facebook.com/AkamaiTechnologies__;!!GjvTz_vk!Gma_IAPl6qJeAvlr8GwY3vxTjN3I4UloaBaougPxCIcekFdN-OhAMsoPTpAoDA$>
>>>>>>  <image006.png>
>>>>>> <https://urldefense.com/v3/__http://www.linkedin.com/company/akamai-technologies__;!!GjvTz_vk!Gma_IAPl6qJeAvlr8GwY3vxTjN3I4UloaBaougPxCIcekFdN-OhAMsqZZ_gRXg$>
>>>>>>  <image007.png>
>>>>>> <https://urldefense.com/v3/__http://www.youtube.com/user/akamaitechnologies?feature=results_main__;!!GjvTz_vk!Gma_IAPl6qJeAvlr8GwY3vxTjN3I4UloaBaougPxCIcekFdN-OhAMsrplQlfuA$>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] CLI ACCESS TO SWITCH - FAILED

Reply via email to