Hello all,

I have set up PacketFence to authenticate some devices using MAB. My connection profile is configured not to register the devices and to match on Ethernet-NoEAP, without any source specified. The registration VLAN on my switch group is set to -1. I added the node to my node list, set the Status to registered, and selected a role that is mapped to VLAN 60 on my switch group.

The device is properly authenticated on the network; however, PacketFence is not sending the Tunnel-Private-Group-Id = "60", Tunnel-Medium-Type = IEEE-802, Tunnel-Type = VLAN in the RADIUS reply, as shown in the following snippet:

Request Time 0

RADIUS Request
    User-Name = "64167f1b9d17"
    User-Password = "******"
    NAS-IP-Address = 10.4.67.9
    NAS-Port = 50112
    Service-Type = Call-Check
    Framed-MTU = 1468
    Called-Station-Id = "3c:57:31:fb:1f:0c"
    Calling-Station-Id = "64:16:7f:1b:9d:17"
    NAS-Port-Type = Ethernet
    Event-Timestamp = "Mar 26 2024 18:23:01 CET"
    Message-Authenticator = 0x319cf0e4ac07427813b76eb7be99b60e
    NAS-Port-Id = "GigabitEthernet1/0/12"
    Cisco-AVPair = "service-type=Call Check"
    Cisco-AVPair = "audit-session-id=000000000000007A7BE39091"
    Cisco-AVPair = "method=mab"
    Cisco-AVPair = "client-iif-id=423379479"
    Stripped-User-Name = "64167f1b9d17"
    Realm = "null"
    FreeRADIUS-Client-IP-Address = 10.4.67.9
    PacketFence-KeyBalanced = "01fabe77f4b53ee984f13bde7760720f"
    PacketFence-Radius-Ip = "10.30.2.26"
    SQL-User-Name = "64167f1b9d17"

RADIUS Reply
    REST-HTTP-Status-Code = 200
    Reply-Message = "Request processed by PacketFence"

In addition, the live logs indicate otherwise:

Mar 26 18:23:01 vpacketfence httpd.aaa-docker-wrapper[852530]: httpd.aaa(7) INFO: [mac:64:16:7f:1b:9d:17] handling radius autz request: from switch_ip => (10.4.67.9), connection_type => Ethernet-NoEAP,switch_mac => (3c:57:31:fb:1f:0c), mac => [64:16:7f:1b:9d:17], port => 50112, username => "64167f1b9d17" (pf::radius::authorize)
Mar 26 18:23:01 vpacketfence httpd.aaa-docker-wrapper[852530]: httpd.aaa(7) INFO: [mac:64:16:7f:1b:9d:17] Match rule cli-reject (pf::access_filter::radius::test)
Mar 26 18:23:01 vpacketfence httpd.aaa-docker-wrapper[852530]: httpd.aaa(7) INFO: [mac:64:16:7f:1b:9d:17] Instantiate profile Wired-MAB (pf::Connection::ProfileFactory::_from_profile)
Mar 26 18:23:01 vpacketfence httpd.aaa-docker-wrapper[852530]: httpd.aaa(7) INFO: [mac:64:16:7f:1b:9d:17] Found authentication source(s) : 'local' for realm 'null' (pf::config::util::filter_authentication_sources)
Mar 26 18:23:01 vpacketfence httpd.aaa-docker-wrapper[852530]: httpd.aaa(7) INFO: [mac:64:16:7f:1b:9d:17] Connection type is MAC-AUTH. Getting role from Authorization source (pf::role::getRegisteredRole)
Mar 26 18:23:01 vpacketfence httpd.aaa-docker-wrapper[852530]: httpd.aaa(7) INFO: [mac:64:16:7f:1b:9d:17] Username was defined "64167f1b9d17" - returning role 'voice' (pf::role::getRegisteredRole)
Mar 26 18:23:01 vpacketfence httpd.aaa-docker-wrapper[852530]: httpd.aaa(7) INFO: [mac:64:16:7f:1b:9d:17] PID: "default", Status: reg Returned VLAN: (undefined), Role: voice (pf::role::fetchRoleForNode)
Mar 26 18:23:01 vpacketfence httpd.aaa-docker-wrapper[852530]: httpd.aaa(7) INFO: [mac:64:16:7f:1b:9d:17] (10.4.67.9) Added VLAN 60 to the returned RADIUS Access-Accept (pf::Switch::Template::returnRadiusAccessAccept)
Mar 26 18:23:01 vpacketfence httpd.aaa-docker-wrapper[852530]: httpd.aaa(7) INFO: [mac:64:16:7f:1b:9d:17] Match rule cli-reject (pf::access_filter::radius::test)

Could you please help to identify what I am missing?

Regards,
Goncalo Contente
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users