Hello Regimantas, alright, sorry for the delayed response.
So let's follow these steps and see what happens on the switch.

First edit this file (/usr/local/pf/raddb/mods-config/files/authorize) and add at the end (replace 02-00-00-00-00-00 by the MAC address of the device you are testing with):

    02-00-00-00-00-00 Auth-Type := Local, User-Password == 02-00-00-00-00-00
        Nas-FILTER-Rule = "permit in tcp from any to host 10.10.10.101",
        Nas-FILTER-Rule += "deny in tcp from any to any"

Then edit /usr/local/pf/conf/radiusd/packetfence and uncomment #files (line 104 on my side):

    [% authorize_eap_choice %]
    #
    # Read the 'users' file. In v3, this is located in
    # raddb/mods-config/files/authorize
    files

    # Accept any non-eap request and send it to the packetfence module for authorization
    if ( !EAP-Message && "%{%{Control:Auth-type}:-No-MS_CHAP}" != "MS-CHAP") {
        update {
            &control:Auth-Type := Accept
        }
    }

Next you have to restart radiusd:

    /usr/local/pf/bin/pfcmd service radiusd restart

Then connect your device on the switch port (MAC auth and not 802.1X) and you should be able to see the Nas-Filter-Rule attributes in the reply:

    (0) Mon Oct 24 13:20:48 2022: Debug: Sent Access-Accept Id 85 from 172.105.98.135:1812 to 172.105.98.135:45454 length 108
    (0) Mon Oct 24 13:20:48 2022: Debug:   NAS-Filter-Rule = "permit in tcp from any to host 10.10.10.101"
    (0) Mon Oct 24 13:20:48 2022: Debug:   NAS-Filter-Rule = "deny in tcp from any to any"
    (0) Mon Oct 24 13:20:48 2022: Debug:   Tunnel-Type = VLAN
    (0) Mon Oct 24 13:20:48 2022: Debug:   Tunnel-Private-Group-Id = "2"
    (0) Mon Oct 24 13:20:48 2022: Debug:   Tunnel-Medium-Type = IEEE-802
    (0) Mon Oct 24 13:20:48 2022: Debug: Finished request

And check on the switch side if they apply correctly.

Let me know if it works, because as you can see there is no difference between what PacketFence returns and what we have in the reply from the users file.

Regards
Fabrice

On Tue, Oct 18, 2022 at 08:42, Fabrice Durand <oeufd...@gmail.com> wrote:
> Let me prepare on my side the config and I will share with you what needs
> to be done in the FreeRADIUS config.
> I will be back to you shortly.
>
> On Tue, Oct 18, 2022 at 08:38, Regimantas Pabrėža <regimantas.pabr...@limedika.lt> wrote:
>> Sure, I would like to get it resolved.
>>
>> 802.1X authentication is a new thing to me and I'm currently testing it,
>> so any help setting up FreeRADIUS is more than welcome 😊
>>
>> Regards,
>>
>> Regimantas Pabrėža
>> IT Administrator
>>
>> Mob. +370 675 02148
>>
>> From: Fabrice Durand <oeufd...@gmail.com>
>> Sent: Tuesday, October 18, 2022 3:20 PM
>> To: packetfence-users@lists.sourceforge.net
>> Cc: Regimantas Pabrėža <regimantas.pabr...@limedika.lt>
>> Subject: Re: [PacketFence-users] Multiple ACLs and Aruba 6300M
>>
>> Hello Regimantas,
>>
>> I would like to see this fixed since it's an issue we have seen many times on
>> the mailing list.
>>
>> Since I don't have an Aruba switch on my side, is it possible to configure
>> FreeRADIUS to use the file to answer the RADIUS request and see the result
>> with raddebug?
>>
>> With that we will be able to compare and see exactly what happens.
>>
>> Btw, += is unlang and is a way to append values in attributes (like an
>> array) and this is what we do internally in PacketFence.
>>
>> Let me know if you need help setting up FreeRADIUS with the file.
>>
>> Regards
>> Fabrice
>>
>> On Mon, Oct 17, 2022 at 08:38, Regimantas Pabrėža via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>>
>> Hello,
>>
>> I'm trying to push multiple ACLs from PacketFence to Aruba 6300M but only
>> the first line appears on the switch side.
>>
>> Configuration on PacketFence: Configuration -> Policies and Access Control -> Switches -> Roles
>>
>> RADIUS reply on PacketFence: Auditing -> RADIUS Audit Logs -> RADIUS
>>
>> Switch configuration:
>>
>> Has anyone managed to push multiple lines to Aruba 6300M?
>>
>> Checking examples in the documentation on the HPE site I see one strange thing.
>> The first NAS-FILTER-Rule command has = (equal sign) and the other
>> NAS-FILTER-Rule commands have += (plus and equal sign).
>>
>> PacketFence RADIUS reply shows both commands with = (equal sign).
>>
>> Maybe that's the case but I don't know how to change it on PacketFence.
>>
>> Regards,
>>
>> Regimantas Pabrėža
>> IT Administrator
>> UAB „Limedika“
>> Erdvės g. 51, Ramučiai, LT-52114, Kaunas district, Lithuania
>> Mob. +370 675 02148
>>
>> CAUTION - This message and its attachments are intended for the addressee
>> named above only and contain privileged or confidential information. If you
>> are not the intended recipient of this message you must not use, print,
>> copy, distribute or disclose it to anyone other than the addressee. If you
>> have received this message in error please return the message to the sender
>> by replying to it and then delete the message from your computer.
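Added example, not part of the thread or of PacketFence: a small Python helper that renders a users-file entry with = on the first NAS-Filter-Rule and += on the rest (the form Fabrice posted), and parses raddebug output to confirm that every ACL line actually came back in the Access-Accept. The embedded debug lines are copied from Fabrice's output above; the function names are my own.

```python
import re

# Debug lines copied from Fabrice's raddebug output in the thread above.
SAMPLE_DEBUG = """\
(0) Mon Oct 24 13:20:48 2022: Debug: Sent Access-Accept Id 85 from 172.105.98.135:1812 to 172.105.98.135:45454 length 108
(0) Mon Oct 24 13:20:48 2022: Debug: NAS-Filter-Rule = "permit in tcp from any to host 10.10.10.101"
(0) Mon Oct 24 13:20:48 2022: Debug: NAS-Filter-Rule = "deny in tcp from any to any"
(0) Mon Oct 24 13:20:48 2022: Debug: Tunnel-Type = VLAN
(0) Mon Oct 24 13:20:48 2022: Debug: Tunnel-Private-Group-Id = "2"
(0) Mon Oct 24 13:20:48 2022: Debug: Tunnel-Medium-Type = IEEE-802
(0) Mon Oct 24 13:20:48 2022: Debug: Finished request
"""

LINE_RE = re.compile(r"^\((\d+)\)\s+.*?:\s+Debug:\s+(.*)$")   # (id) timestamp: Debug: body
ATTR_RE = re.compile(r"^([\w-]+)\s*(\+?=|:=)\s*(.*)$")         # Attribute op value

def users_entry(mac, rules):
    """Render one mods-config/files/authorize entry: check items on the first line,
    reply items indented below, '=' for the first ACL line and '+=' to append the rest."""
    if not rules:
        raise ValueError("at least one ACL line is required")
    lines = [f"{mac} Auth-Type := Local, User-Password == {mac}"]
    for i, rule in enumerate(rules):
        op = "=" if i == 0 else "+="
        sep = "," if i < len(rules) - 1 else ""       # no trailing comma on the last item
        lines.append(f'\tNas-FILTER-Rule {op} "{rule}"{sep}')
    return "\n".join(lines) + "\n"

def accept_attrs(debug_text):
    """Map request id -> [(attribute, value)] listed under its 'Sent Access-Accept' line."""
    replies, current = {}, None
    for line in debug_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rid, body = m.group(1), m.group(2).strip()
        if body.startswith("Sent Access-Accept"):
            current, replies[rid] = rid, []
        elif body.startswith(("Sent ", "Finished request")):
            current = None                            # reject/challenge or end of request
        elif current is not None and (a := ATTR_RE.match(body)):
            replies[current].append((a.group(1), a.group(3).strip('"')))
    return replies

def missing_rules(debug_text, expected):
    """ACL lines that never came back as NAS-Filter-Rule in any Access-Accept."""
    seen = {v for attrs in accept_attrs(debug_text).values()
            for name, v in attrs if name.lower() == "nas-filter-rule"}
    return [r for r in expected if r not in seen]
```

Run the parser over a real raddebug capture and compare against the ACL lines configured in the PacketFence role; an empty list from missing_rules means RADIUS sent everything and the remaining question is on the switch side.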
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users