Dear all,
My new Network Access Control project based on PacketFence has started
really badly.
First I installed PF 14.1 on AlmaLinux 8, and now I am using the ZEN
version as a last attempt.
In both cases I made a very simple configuration; the most important
details are as follows:
I have two network cards, eth0 (management) and eth1 with some VLANs:
registration, isolation, production, etc.
I defined a RADIUS authentication backend, and I configured a switch and a
network profile.
This network profile is of the “other” type because PF only performs
authentication; gateway (NAT) and DHCP server functions are performed by
another server (10.25.0.254).
With this setup I'd like to manage access to the wired network via
802.1X. While the client connects, PF is unable to read the IP address
assigned by the DHCP server. This is a big problem that I have to solve,
otherwise I can't follow up with this project.
If you have some time for me, I'll send you the following information:
the PacketFence configuration file, the active DHCP processes, the
configuration of the network cards, the tcpdump session in which you can
see that the server receives information about DHCP sessions via VLAN 25,
and finally the packetfence.log file.
Do you think there is a bug in PF 14.1 or is it a mistake in my
configuration?
Thanks for your attention.
Enrico
-----------------------------------------------------------------
1) pf.conf
# general.dhcpservers
#
# Comma-delimited list of DHCP servers. Passthroughs are created to allow DHCP transactions from even "trapped" nodes.
dhcpservers=127.0.0.1,10.25.0.254
[interface eth1.25]
type=dhcp-listener,portal
ip=10.25.0.1
mask=255.255.0.0
# ps axf | grep -i dhc
11044 pts/0 S+ 0:00 \_ grep -i dhc
3057 ? S 0:00 \_ pfqueue - Queue:pfdhcplistener_external
3088 ? S 0:00 \_ pfqueue - Queue:pfdhcplistener
# ip link
5: eth1.25@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:ad:60:dc brd ff:ff:ff:ff:ff:ff
6: eth1.26@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
5: eth1.25@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:54:00:ad:60:dc brd ff:ff:ff:ff:ff:ff
    inet 10.25.0.1/16 brd 10.25.255.255 scope global eth1.25
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fead:60dc/64 scope link
       valid_lft forever preferred_lft forever
# tcpdump -i eth1.25 -n -vv port 67 or port 68
tcpdump: listening on eth1.25, link-type EN10MB (Ethernet), snapshot length 262144 bytes
15:27:26.576206 IP (tos 0x0, ttl 255, id 10108, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from ac:87:a3:12:81:47, length 300, xid 0x9370cc2c, secs 4, Flags [none] (0x0000)
      Client-Ethernet-Address ac:87:a3:12:81:47
      Vendor-rfc1048 Extensions
        Magic Cookie 0x63825363
        DHCP-Message (53), length 1: Request
        Parameter-Request (55), length 12:
          Subnet-Mask (1), Classless-Static-Route (121), Default-Gateway (3), Domain-Name-Server (6)
          Domain-Name (15), Unknown (108), URL (114), Unknown (119)
          Unknown (252), LDAP (95), Netbios-Name-Server (44), Netbios-Node (46)
        MSZ (57), length 2: 1500
        Client-ID (61), length 7: ether ac:87:a3:12:81:47
        Requested-IP (50), length 4: 10.25.1.1
        Lease-Time (51), length 4: 7776000
        Hostname (12), length 12: "becchetti-nb"
1 packet captured
1 packet received by filter
0 packets dropped by kernel
# tail packetfence.log
2025-03-13T15:27:22.145042+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] handling radius autz request: from switch_ip => (10.0.0.111), connection_type => Ethernet-EAP, switch_mac => (6c:c2:17:af:31:20), mac => [ac:87:a3:12:81:47], port => 3, username => "becch...@pg.infn.it" (pf::radius::authorize)
2025-03-13T15:27:22.214895+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] Instantiate profile INFN-WIRED (pf::Connection::ProfileFactory::_from_profile)
2025-03-13T15:27:22.299418+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] Found authentication source(s) : 'RADIUS-AAI' for realm 'default' (pf::config::util::filter_authentication_sources)
2025-03-13T15:27:22.336171+01:00 pfsrv pfqueue-backend[3072]: pfqueue(2158) INFO: [mac:[undef]] Running task person_lookup (main::process_data)
2025-03-13T15:27:22.305635+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] Using sources RADIUS-AAI for matching (pf::authentication::match2)
2025-03-13T15:27:22.310250+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] Matched rule (catchall) in source RADIUS-AAI, returning actions. (pf::Authentication::Source::match_rule)
2025-03-13T15:27:22.310250+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] Matched rule (catchall) in source RADIUS-AAI, returning actions. (pf::Authentication::Source::match)
2025-03-13T15:27:22.355955+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] Found authentication source(s) : 'RADIUS-AAI' for realm 'default' (pf::config::util::filter_authentication_sources)
2025-03-13T15:27:22.355955+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
2025-03-13T15:27:22.355955+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] Username was defined "becch...@pg.infn.it" - returning role 'default' (pf::role::getRegisteredRole)
2025-03-13T15:27:22.355955+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] PID: "becch...@pg.infn.it", Status: reg Returned VLAN: (undefined), Role: default (pf::role::fetchRoleForNode)
2025-03-13T15:27:22.370303+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] (10.0.0.111) Added VLAN 25 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
2025-03-13T15:27:22.384950+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] security_event 1300003 force-closed for ac:87:a3:12:81:47 (pf::security_event::security_event_force_close)
2025-03-13T15:27:22.385595+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] Instantiate profile INFN-WIRED (pf::Connection::ProfileFactory::_from_profile)
2025-03-13T15:27:22.401686+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] grace expired on security event 1200004 for node ac:87:a3:12:81:47 (pf::security_event::security_event_add)
2025-03-13T15:27:22.409662+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) ERROR: [mac:ac:87:a3:12:81:47] Database query failed with non retryable error: Cannot add or update a child row: a foreign key constraint fails (`pf`.`security_event`, CONSTRAINT `security_event_id_fkey_class` FOREIGN KEY (`security_event_id`) REFERENCES `class` (`security_event_id`) ON DELETE CASCADE ON UPDATE CASCADE) (errno: 1452) [INSERT INTO `security_event` ( `mac`, `notes`, `release_date`, `security_event_id`, `start_date`, `status`, `ticket_ref`) VALUES ( ?, ?, ?, ?, ?, ?, ? )]{ac:87:a3:12:81:47, , 0000-00-00 00:00:00, 1200004, 2025-03-13 15:27:22, open, } (pf::dal::db_execute)
2025-03-13T15:27:22.410532+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) ERROR: [mac:ac:87:a3:12:81:47] unknown error adding security event 1200004 for ac:87:a3:12:81:47 (pf::security_event::security_event_add)
Enrico
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
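Added example, not part of Enrico's message or of PacketFence's own code: a small parser for the BOOTP/DHCP fields visible in the tcpdump above, run over two constructed packets that reuse the capture's MAC, xid, hostname and requested address (the ACK is invented to show the other half of the exchange). It illustrates why a listener needs the server's reply: per RFC 2131 a client REQUEST carries only option 50 (Requested-IP) with yiaddr zero, while the address actually leased appears in yiaddr of the server's OFFER/ACK, so a capture that contains only the REQUEST, like the one above, does not reveal the assigned lease.

```python
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"  # option-area magic cookie (RFC 2132)
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 8: "INFORM"}

def parse_options(data):
    """Walk the TLV option area; stop at END (255), skip PAD (0)."""
    opts, i = {}, 0
    while i < len(data) and data[i] != 255:
        if data[i] == 0:
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def parse_dhcp(payload):
    """Return what a DHCP listener can learn from one BOOTP/DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    hlen, xid = payload[2], struct.unpack("!I", payload[4:8])[0]  # hw addr len, transaction id
    yiaddr = payload[16:20]                 # 'your' address: filled in only by the server
    chaddr = payload[28:28 + hlen]          # client hardware address
    opts = parse_options(payload[240:])
    mtype = MSG_TYPES.get(opts.get(53, b"\x00")[0], "UNKNOWN")
    info = {"type": mtype, "xid": xid, "mac": ":".join(f"{b:02x}" for b in chaddr)}
    if 12 in opts:
        info["hostname"] = opts[12].decode(errors="replace")
    if 50 in opts:
        info["requested_ip"] = str(IPv4Address(opts[50]))  # what the client asks for
    # Only the server's OFFER/ACK carries the lease that was actually assigned.
    info["assigned_ip"] = str(IPv4Address(yiaddr)) if mtype in ("OFFER", "ACK") else None
    return info

def build_packet(op, xid, mac, yiaddr, options):
    """Build a minimal BOOTP/DHCP payload (constructed input for this demo)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)          # op, htype, hlen, hops, xid, secs, flags
    hdr += bytes(4) + IPv4Address(yiaddr).packed + bytes(8)        # ciaddr, yiaddr, siaddr, giaddr
    hdr += chaddr + bytes(192)                                     # chaddr, sname (64), file (128)
    body = b"".join(bytes([c, len(v)]) + v for c, v in options) + b"\xff"
    return hdr + MAGIC + body

# Constructed packets mirroring the capture: the client's REQUEST and a hypothetical matching ACK.
XID, MAC = 0x9370CC2C, "ac:87:a3:12:81:47"
REQUEST = build_packet(1, XID, MAC, "0.0.0.0",
                       [(53, b"\x03"), (50, IPv4Address("10.25.1.1").packed), (12, b"becchetti-nb")])
ACK = build_packet(2, XID, MAC, "10.25.1.1", [(53, b"\x05"), (51, struct.pack("!I", 7776000))])
```

Running `parse_dhcp` over `REQUEST` yields the requested address and hostname but no assigned lease; only `ACK` yields `assigned_ip`.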