Thank you Johannes,

 I'd like to give a shout-out to a former member of the packetfence-users
group who also offered their configurations and thoughts, Jeremy Plumley.

The configuration commands from the GitHub site look to be for some other
platform of Aruba switches.  I don't think they work for CX-OS.

I did try the configurations that you've provided, and I still cannot get
RADIUS communication to push to PacketFence v9.0.  I enabled tracking on
the RADIUS server configuration, and you can see that the switch claims it
to be unreachable.

sw-5543-aruba-6300m(config)# show radius-server detail

******* Global RADIUS Configuration *******

Shared-Secret: None
Timeout: 5
Auth-Type: pap
Retries: 1
Initial TLS Connection Timeout: 30
TLS Timeout: 5
Tracking Time Interval (seconds): 60
Tracking Retries: 1
Tracking User-name: radius-tracking-user
Tracking Password: None
Status-Server Time Interval (seconds): 300
Number of Servers: 1
AAA Server Status Trap: Disabled

******* RADIUS Server Information *******

Server-Name                     : **************
Auth-Port                       : 1812
Accounting-Port                 : 1813
VRF                             : default
TLS Enabled                     : No
Shared-Secret                   : AQBapel/kzL87c0/Q30ElPeMbbHcRJed2vrDm1zZ68ViM0+SEgAAAP3GZAevEUCGnQWsACTGTIOOJA==
Timeout                         : 5
Retries                         : 1
Auth-Type                       : chap
Server-Group                    : packetfence
Group-Priority                  : 1
ClearPass-Username              :
ClearPass-Password              : None
Tracking                        : enabled
Tracking-Mode                   : any
Reachability-Status             : unreachable, Since Fri Dec 15 13:21:38 PST 2023
Tracking-Last-Attempted         : Fri Dec 15 14:53:44 PST 2023
Next-Tracking-Request           : 25 seconds

sw-5543-aruba-6300m(config)#


I've tried both CHAP and PAP protocols.  What's interesting is that in the
logs, I can see that the switch resolves the route to the IP address of the
PacketFence server.
2023-12-15T13:18:14.701289-08:00 sw-5543-aruba-6300m radius-srv-trkd[4423]:
Event|2306|LOG_INFO|CDTR|1|Route is "resolved" for RADIUS Server with
Address:**.**.**.**, VRF_ID:0


However, the switch fails to reach the RADIUS service on PacketFence over
the default authport 1812, which almost suggests an issue at layer 4
somewhere in the communication pipe.
2023-12-15T13:21:38.603197-08:00 sw-5543-aruba-6300m radius-srv-trkd[4423]:
Event|2304|LOG_INFO|CDTR|1|RADIUS Server with Address:**.**.**.**,
Authport:1812, VRF_ID:0 is "unreachable"

What's also curious to me is that, even though I've associated AAA
authentication for dot1x and mac-auth with the packetfence server-group,
when I execute a show aaa authentication, I only see the local group
associated.  The following are the configs I mention.

aaa authentication port-access dot1x authenticator
    radius server-group packetfence
    enable

aaa authentication port-access mac-auth
    radius server-group packetfence
    enable


Here is the output of a show aaa authentication.

sw-5543-aruba-6300m(config)# show aaa authentication
AAA Authentication:
  Fail-through                          : Enabled
  Limit Login Attempts                  : Not set
  Lockout Time                          : 300
  Console Login Attempts                : Not set
  Console Lockout Time                  : 300

Authentication for default channel:
------------------------------------------------
GROUP NAME                       | GROUP PRIORITY
------------------------------------------------
local                            | 0
------------------------------------------------
sw-5543-aruba-6300m(config)#


I've also tried using Aruba Networks and Aruba Switches in the PacketFence
switch configuration module as well.

Thank you for the suggestions Jeremy and Johannes!  My next step may be
trying to build a test environment of the latest version of PacketFence and
see if that works.


Happy Holidays!

Best,

Mark Okuno
UCSB Library, IT Operations
University of California, Santa Barbara


On Tue, Dec 12, 2023 at 11:32 PM Mudrich, J. <j.mudr...@altmark-klinikum.de>
wrote:

> Hi Again,
>
>
>
> I just had a look into the Github repository and found something:
>
> packetfence/docs/network/networkdevice/aruba_switchs.asciidoc at devel ·
> inverse-inc/packetfence · GitHub
> <https://github.com/inverse-inc/packetfence/blob/devel/docs/network/networkdevice/aruba_switchs.asciidoc>
>
> Maybe this helps. Going to test this myself.
>
>
>
> Kind regards
>
> Johannes
>
>
>
>
> Johannes Mudrich
> Staff member
> Administration, IT
>
> Altmark-Klinikum gGmbH
> Ernst-von-Bergmann-Straße 22
> 39638 Gardelegen
>
> Tel.:  03907 791229
> Fax.:  03907 791248
> Mail:  j.mudr...@altmark-klinikum.de
>
> From: Mudrich, J.
> Sent: Wednesday, 13 December 2023 08:19
> To: 'packetfence-users@lists.sourceforge.net' <packetfence-users@lists.sourceforge.net>
> Cc: Mark Okuno <mark.ok...@ucsb.edu>
> Subject: RE: [PacketFence-users] Compatibility with PacketFence v9.0.0
> and Aruba 6300M CX-OS
>
>
>
> Hi Mark,
>
>
>
> I was also testing Aruba CX switches some months ago. I used PF12 and the
> "Aruba Networks" type in my test environment. So I'm not sure if this
> applies to you.
>
> That’s what I did:
>
>
>
> (config)# radius-server host [Radius IP] key [Radius PW]
> (config)# radius dyn-authorization enable
> (config)# aaa authentication allow-fail-through
>
> ## SNMPv1 / not using traps
> (config)# snmp-server community [SNMP-Community]
> (config-community)# access-level rw
>
> ## MAC-Auth
> (config)# interface [Ports/Port-Range]
> (config-if)# aaa authentication port-access mac-auth
> (config-if-macauth)# enable
>
> (config)# aaa authentication port-access mac-auth enable
>
> ## 802.1X
> (config)# interface [Ports/Port-Range]
> (config-if)# aaa authentication port-access dot1x authenticator
> (config-if)# cached-reauth
> (config-if)# cached-reauth-period 60
> (config-if)# max-eapol-requests 1
> (config-if)# max-retries 1
> (config-if)# quiet-period 5
> (config-if)# discovery-period 10
> (config-if)# enable
>
> (config)# aaa authentication port-access dot1x authenticator enable
>
>
>
> At least authentication was working. CoA did not work, SNMP did not work.
> Meaning even manual port resetting in the GUI did not work. I had to
> physically disconnect the Port for reauthentication.
>
> I put this project on hold since I could not find any more documentation.
>
>
>
> kind regards
>
> Johannes
>
>
>
> From: Mark Okuno via PacketFence-users [mailto:packetfence-users@lists.sourceforge.net]
> Sent: Monday, 11 December 2023 22:38
> To: packetfence-users@lists.sourceforge.net
> Cc: Mark Okuno <mark.ok...@ucsb.edu>
> Subject: [PacketFence-users] Compatibility with PacketFence v9.0.0 and
> Aruba 6300M CX-OS
>
>
>
> Hello packetfence-users,
>
>
>
> I am looking to replace a fleet of HP Procurve and Cisco Catalyst switches
> with Aruba CX-OS switches.  I was wondering if anyone can confirm whether
> they have successfully configured RADIUS communication between an Aruba
> CX-OS switch and PacketFence version 9.0.0 (I'm attempting to configure MAC
> Authentication Bypass).  I do see SNMP traffic with the switch in the
> /usr/local/pf/logs logs, but I do not see any RADIUS communication
> traffic.  I know I'm on a significantly older version of PF, and there does
> not seem to be any Aruba CX-OS option to choose from when selecting the
> switch type when configuring the network switch in PF.  I've selected the
> general option of Aruba Switches.
>
>
> I also do not see any documentation for an Aruba CX-OS configuration setup
> in PacketFence documentation.  There is an Aruba section, however it looks
> like these configurations are for the older Aruba OS syntax.
>
>
>
> Network Devices Configuration Guide (packetfence.org)
> <https://www.packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html>
>
>
>
>
>
> In case anyone else is using Aruba CX-OS and can point out where I've gone
> wrong, the following are my general RADIUS and SNMP configurations.
>
>
>
> radius-server host <PacketFence IP Address> key ciphertext ***********************
>
> aaa group server radius packetfence
>     server <PacketFence IP Address>
>
> aaa accounting all-mgmt default start-stop group radius packetfence
> aaa accounting port-access start-stop group packetfence
>
> radius dyn-authorization enable
>
> aaa authentication port-access dot1x authenticator
>     radius server-group packetfence
>     enable
>
> aaa authentication port-access mac-auth
>     radius server-group packetfence
>     enable
>
> snmp-server community ****************************
>     access-level rw
>
> snmp-server community ****************
>
> snmp-server host <PacketFence IP Address> inform version v2c
> snmp-server host <PacketFence IP Address> trap version v2c
>
> The following is the interface configuration.  The access VLAN specified
> is a blackhole VLAN, and is not tagged across trunk interfaces.
>
>
>
> interface 1/1/48
>     no shutdown
>     no routing
>     vlan access 666
>     aaa authentication port-access auth-precedence mac-auth dot1x
>     aaa authentication port-access dot1x authenticator
>         reauth
>         reauth-period 14400
>         enable
>     aaa authentication port-access mac-auth
>         reauth
>         reauth-period 14400
>         enable
>
>
>
>
>
> Thank you packetfence-users!
>
>
>
>
>
> Best,
>
>
> Mark Okuno
>
> UCSB Library, IT Operations
> University of California, Santa Barbara
>
>
>
>
>
> <https://www.salusaltmarkholding.de/>
>
> Salus Altmark Holding gGmbH
> Tel.: +49 39325700
> Registered office:
> Seepark 5 | 39116 Magdeburg
> www.salusaltmarkholding.de
> <https://www.instagram.com/salusaltmarkholding/>
> <https://www.facebook.com/SalusAltmarkHolding>
> <https://de.linkedin.com/company/salus-ggmbh>
> <https://www.xing.com/pages/salusaltmarkholdingggmbh>
> <https://www.youtube.com/user/SALUSgGmbH>
> Court of registration: AG Stendal: HRB 112594
> Managing Director: Jürgen Richter
> Chairman of the Supervisory Board: Wolfgang Beck
> In accordance with Art. 13 GDPR we inform you that your data is stored
> electronically. Further information:
> www.salusaltmarkholding.de/datenschutz
>
> As of January 2022 we no longer accept e-mails with doc, xls and ppt
> attachments.
> Please use the current Office formats docx, xlsx, pptx or pdf.
> [image: Funded by the European Union]
>
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
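Editor's note, added to this thread: the "unreachable" verdict above comes from the switch's own tracking probe, and it is worth reproducing that probe from a host you control so the switch, the path and PacketFence can be tested separately. The script below is an added example and is not code from the thread, from Aruba or from PacketFence. It builds a PAP RADIUS Access-Request the way a tracking probe does (RFC 2865, plus an RFC 2869 Message-Authenticator), sends it to UDP port 1812, and validates the Response Authenticator with the shared secret. Any verified reply, Access-Reject included, proves layer-4 reachability; that is why the tracking user does not need to be a valid account. A timeout means either that nothing reached PacketFence or that PacketFence discarded the request without answering. FreeRADIUS, which PacketFence runs, does the latter when the source address is not a configured RADIUS client (so the NAS IP the switch sources from must be the one defined in PacketFence's switch configuration) and when the shared secret does not match and the request carries a Message-Authenticator, as this probe's does; from the switch's side both look identical to a firewall drop. The server address, secret and NAS IP are command-line arguments and the user name default `radius-tracking-user` is taken from the output above; the `testing123` secret in the self-check is constructed.

```python
# Minimal RADIUS PAP reachability probe (RFC 2865, RFC 2869 Message-Authenticator).
# Added example, not PacketFence or Aruba code; server, secret and NAS IP are assumed inputs.
import hashlib, hmac, os, socket, struct, sys

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3      # packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4     # attribute types
ATTR_NAS_PORT_TYPE, ATTR_MESSAGE_AUTHENTICATOR = 61, 80
NAS_PORT_TYPE_ETHERNET = 15

def attr(atype, value):
    # Type-Length-Value; the length byte counts its own two header bytes
    return struct.pack("!BB", atype, len(value) + 2) + value

def encrypt_pap_password(password, secret, authenticator):
    # RFC 2865 s5.2: NUL-pad to 16-byte blocks, XOR each with MD5(secret + previous block)
    n = max(16, (len(password) + 15) // 16 * 16)
    padded, out, prev = password.ljust(n, b"\x00"), b"", authenticator
    for i in range(0, n, 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))  # chain on ciphertext
        out += prev
    return out

def decrypt_pap_password(encrypted, secret, authenticator):
    # inverse of the above, as the server does it; trailing NUL padding stripped
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(encrypted[i:i + 16], mask))
        prev = encrypted[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(secret, username, password, nas_ip, identifier=None, authenticator=None):
    # Access-Request with User-Name, PAP User-Password, NAS-IP-Address, NAS-Port-Type and a
    # Message-Authenticator = HMAC-MD5(secret, whole packet with that value zeroed) (RFC 2869 s5.14)
    ident = os.urandom(1)[0] if identifier is None else identifier
    auth = os.urandom(16) if authenticator is None else authenticator
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, encrypt_pap_password(password.encode(), secret, auth))
             + attr(ATTR_NAS_IP, socket.inet_aton(nas_ip))
             + attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
             + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()  # it is the last attribute

def parse_packet(data):
    # returns (code, identifier, authenticator, [(type, value), ...])
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= len(data):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos + 2 <= length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, data[4:20], attrs

def verify_request_message_authenticator(data, secret):
    # the server's check; with a wrong secret it fails and the request is dropped without a reply
    pos = 20
    for atype, value in parse_packet(data)[3]:
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed = data[:pos + 2] + b"\x00" * 16 + data[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
        pos += 2 + len(value)
    return False

def build_response(code, request, secret, attrs=b""):
    # server side, used by the offline self-check: Response Authenticator per RFC 2865 s3
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def verify_response(response, request, secret):
    # a reply is genuine only if the identifier matches and MD5(head + ReqAuth + attrs + secret) does
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def probe(server, secret, username, password, nas_ip, port=1812, timeout=5.0):
    # one Access-Request on the wire; any verified reply, Access-Reject included, proves reachability
    req = build_access_request(secret, username, password, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no reply (filtered in transit, or dropped silently by the server)", None
    if not verify_response(reply, req, secret):
        return "reply with bad Response Authenticator (shared secret mismatch?)", reply
    names = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}
    return names.get(reply[0], "code %d" % reply[0]), reply

if __name__ == "__main__":
    # usage: radius_probe.py <server> <shared-secret> <nas-ip> [user] [password]
    server, secret, nas_ip = sys.argv[1], sys.argv[2].encode(), sys.argv[3]
    user = sys.argv[4] if len(sys.argv) > 4 else "radius-tracking-user"
    verdict, _ = probe(server, secret, user, sys.argv[5] if len(sys.argv) > 5 else "probe", nas_ip)
    print("%s:1812 -> %s" % (server, verdict))
```

Run it once from the PacketFence host itself against 127.0.0.1 (a reply proves the RADIUS service is listening), then from a host on the switch's subnet with the switch's own IP as the NAS IP argument; note that the NAS-IP-Address attribute is informational and FreeRADIUS keys its client lookup on the UDP source address, so the probe host must actually source from the address PacketFence knows, or the request is dropped exactly as the switch's is. Capturing on the PacketFence side with `tcpdump -ni any udp port 1812` while probing separates "never arrived" from "arrived and was discarded".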
