Greetings,

I troubleshot some more and found out that I receive the following message in packetfence.log:

    Dec 2 10:19:42 packetfence httpd.aaa-docker-wrapper[110944]: httpd.aaa(1855) INFO: [mac:a0:51:0b:6a:47:b2] handling radius autz request: from switch_ip => (10.255.20.19), connection_type => CLI-Access,switch_mac => (d4:76:a0:d2:b9:50), mac => [a0:51:0b:6a:47:b2], port => external, username => "group\matthieh" (pf::radius::authorize)
    Dec 2 10:19:42 packetfence httpd.aaa-docker-wrapper[110944]: httpd.aaa(1855) WARN: [mac:a0:51:0b:6a:47:b2] (10.255.20.19) Sending REJECT since switch is unsupported (pf::radius::_switchUnsupportedReply)
I then checked the code in /usr/local/pf/lib/pf/radius.pm and found the following lines:

    sub _isSwitchSupported {
        my ($self, $args) = @_;
        my $logger = $self->logger;

        if ($args->{'connection_type'} == $WIRED_MAC_AUTH) {
            return $args->{'switch'}->supportsWiredMacAuth();
        } elsif ($args->{'connection_type'} == $WIRED_802_1X) {
            return $args->{'switch'}->supportsWiredDot1x();
        } elsif ($args->{'connection_type'} == $WIRELESS_MAC_AUTH) {
            # TODO implement supportsWirelessMacAuth (or supportsWireless)
            $logger->trace("Wireless doesn't have a supports...() call for now, always say it's supported");
            return $TRUE;
        } elsif ($args->{'connection_type'} == $WIRELESS_802_1X) {
            # TODO implement supportsWirelessMacAuth (or supportsWireless)
            $logger->trace("Wireless doesn't have a supports...() call for now, always say it's supported");
            return $TRUE;
        }
        # no branch for any other connection type: the sub ends here and returns undef (false)
    }

    =item * _switchUnsupportedReply - what is sent to RADIUS when a switch is unsupported

    =cut

    sub _switchUnsupportedReply {
        my ($self, $args) = @_;
        my $logger = $self->logger;
        $logger->warn("(" . $args->{'switch'}->{_id} . ") Sending REJECT since switch is unsupported");
        $args->{'switch'}->disconnectRead();
        $args->{'switch'}->disconnectWrite();
        return [$RADIUS::RLM_MODULE_FAIL, ('Reply-Message' => "Network device does not support this mode of operation")];
    }

If I read this correctly, the FortiAP sends CLI-Access as connection type, but as it seems, this is not supported in radius.pm. Is this a bug?

Kind Regards,
Heiko Matthies

ASAP Engineering GmbH
Sachsstraße 1A | 85080 Gaimersheim
Tel. +49 8458 3389 252 | Fax. +49 (8458) 3389 399 | heiko.matth...@asap.de | www.asap.de
Managing Directors: Michael Neisen, Robert Werner, Christian Schweiger | Registered office: Gaimersheim | Local court: Ingolstadt HRB 5408
Data protection: Detailed information on how ASAP handles your personal data is available on our website at www.asap.de\datenschutz.

From: Matthies, Heiko via PacketFence-users <packetfence-users@lists.sourceforge.net>
Sent: Thursday, 1 December 2022 17:42
To: packetfence-users@lists.sourceforge.net
Cc: Matthies, Heiko <heiko.matth...@asap.de>
Subject: [PacketFence-users] Issues doing captive-portal auth with FortiGate and FortiAPs

Greetings,

we are currently testing out packetfence captive-portal auth in connection with FortiGate and FortiAPs. I followed the instructions from the following mailing list post: https://sourceforge.net/p/packetfence/mailman/packetfence-users/thread/0b65c462-4c0c-24fe-5e10-405102e8de36%40inverse.ca/#msg36349338

The redirection from the access-point to the captive portal works just fine and I successfully log in and get my role. Afterwards (as described in the post above), the FortiGate/FortiAP is trying to authenticate against PacketFence but fails with the following log message:

    User-Name = "a0:51:0b:6a:47:b2"
    User-Password = "******"
    NAS-IP-Address = 10.255.20.19
    Service-Type = Login-User
    Framed-IP-Address = 10.23.87.5
    Called-Station-Id = "d4:76:a0:d2:b9:50:ASAP-Gast (Testing)"
    Calling-Station-Id = "a0:51:0b:6a:47:b2"
    NAS-Identifier = "IN19FW-0015"
    NAS-Port-Type = Virtual
    Acct-Session-Id = "7676961b"
    Event-Timestamp = "Dec 1 2022 17:29:05 CET"
    Connect-Info = "web-auth"
    Fortinet-Vdom-Name = "root"
    Fortinet-SSID = "ASAP-Gast (Testing)"
    Fortinet-AP-Name = "PU221ETF21002253"
    Stripped-User-Name = "a0:51:0b:6a:47:b2"
    Realm = "null"
    FreeRADIUS-Client-IP-Address = 10.255.20.19
    Called-Station-SSID = "ASAP-Gast (Testing)"
    PacketFence-KeyBalanced = "82ca871f42fbfecb44407d06a8699cd7"
    PacketFence-Radius-Ip = "10.20.10.55"
    Module-Failure-Message = "rest: Server returned:"
    Module-Failure-Message = "rest: {\"control:PacketFence-Request-Time\":1669912145,\"control:PacketFence-IfIndex\":\"external\",\"control:PacketFence-Connection-Type\":\"CLI-Access\",\"control:PacketFence-Switch-Id\":\"10.255.20.19\",\"control:PacketFence-Authorization-Status\":\"allow\",\"control:PacketFence-Switch-Mac\":\"d4:76:a0:d2:b9:50\",\"control:PacketFence-Switch-Ip-Address\":\"10.255.20.19\",\"Reply-Message\":\"Network device does not support this mode of operation\",\"control:PacketFence-Eap-Type\":0,\"control:PacketFence-UserName\":\"a0:51:0b:6a:47:b2\",\"control:PacketFence-Mac\":\"a0:51:0b:6a:47:b2\"}"
    SQL-User-Name = "a0:51:0b:6a:47:b2"

I first thought that this has something to do with CLI-Access not being enabled on the corresponding switch, but I double-checked: both flags (for External Portal Enforcement and CLI/VPN Access) are enabled. Is there something I'm missing? The debug log from radiusd didn't yield any results either.

Thank you in advance!

Kind Regards,
Heiko Matthies

ASAP Engineering GmbH
Sachsstraße 1A | 85080 Gaimersheim
Tel. +49 8458 3389 252 | Fax. +49 (8458) 3389 399 | mailto:heiko.matth...@asap.de | http://www.asap.de
Managing Directors: Michael Neisen, Robert Werner, Christian Schweiger | Registered office: Gaimersheim | Local court: Ingolstadt HRB 5408
Data protection: Detailed information on how ASAP handles your personal data is available on our website at http://www.asap.de/datenschutz/

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
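The dispatch the thread quotes from radius.pm, modelled as an added, stand-alone example (this is not PacketFence's own code): it shows why a connection type with no branch in `_isSwitchSupported()` ends in the "switch is unsupported" REJECT, and pairs it with a fail-closed wrapper that names the unhandled type in the log. The constant values, the `$CLI_ACCESS` stand-in and the `MockSwitch` object are assumptions for illustration, not PacketFence's real pf::config values.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed stand-ins for the pf::config connection-type constants; the real
# values in PacketFence differ, only the dispatch shape matters here.
my $WIRED_MAC_AUTH    = 1;
my $WIRED_802_1X      = 2;
my $WIRELESS_MAC_AUTH = 3;
my $WIRELESS_802_1X   = 4;
my $CLI_ACCESS        = 5;   # assumed value for the FortiGate's CLI-Access requests

# Mock switch exposing the two supports*() calls the original dispatch uses.
package MockSwitch {
    sub new { my ($class, %caps) = @_; return bless {%caps}, $class; }
    sub supportsWiredMacAuth { return $_[0]{wired_mac_auth}; }
    sub supportsWiredDot1x   { return $_[0]{wired_dot1x}; }
}

# Same control flow as _isSwitchSupported(): every branch is an == test
# against one constant and there is no else, so any other connection type
# falls off the end of the sub and yields undef (false).
sub is_switch_supported {
    my ($args) = @_;
    my $type = $args->{connection_type};
    return $args->{switch}->supportsWiredMacAuth() if $type == $WIRED_MAC_AUTH;
    return $args->{switch}->supportsWiredDot1x()   if $type == $WIRED_802_1X;
    return 1 if $type == $WIRELESS_MAC_AUTH || $type == $WIRELESS_802_1X;
    return;   # undef: the caller treats the switch as unsupported -> REJECT
}

# Fail-closed wrapper: same decision, but an unhandled type is logged by
# value instead of disappearing into a silent undef.
sub is_switch_supported_explicit {
    my ($args) = @_;
    my $supported = is_switch_supported($args);
    return $supported if defined $supported;
    warn "connection_type $args->{connection_type} has no supports...() check; treating as unsupported\n";
    return 0;
}

my $switch = MockSwitch->new(wired_mac_auth => 1, wired_dot1x => 1);
for my $type ($WIRED_MAC_AUTH, $WIRELESS_802_1X, $CLI_ACCESS) {
    my $ok = is_switch_supported_explicit({ switch => $switch, connection_type => $type });
    printf "connection_type=%d -> %s\n", $type, $ok ? 'continue authorization' : 'REJECT (switch unsupported)';
}
```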