Hi Enrico,

I see, I saw via tcpdump that you also get the DHCP traffic. If PacketFence is listening on the interface:

netstat -anu | grep :67

and similar output comes out:

udp 0 0 10.25.0.1:67 0.0.0.0:* LISTEN
then you might be facing a bug. Sorry, I can't think of something else and can't help further. Hope someone in the community comes up with a solution.

Best Regards
Farbod

On Friday, March 14, 2025 at 08:17:42 AM GMT+1, Enrico Becchetti <enrico.becche...@pg.infn.it> wrote:

Hi Farbod,
no, because my network profile is enforcement and the PF server and DHCP server are on the same VLAN.

[INFN-WIRED]
filter_match_style=all
sources=RADIUS-AAI
locale=
advanced_filter=
autoregister=enabled
filter=connection_type:Ethernet-EAP
scans=OpenVAS-WIRED

So PF would see all DHCP sessions. Is it true?

Best Regards
Enrico

On 14/03/2025 01:42, jafarsalehi.far...@outlook.de wrote:
> Hi Enrico,
> Have you configured DHCP relay to forward the DHCP messages to PacketFence too?
>
> Best regards
> Farbod
>
> On Thu, March 13, 2025 at 21:43, Enrico Becchetti via PacketFence-users
> <packetfence-users@lists.sourceforge.net> wrote:
> Dear all,
> my new Network Access Control project based on PacketFence has started really badly.
>
> First I installed PF 14.1 in an Almalinux 8 and now I am using the ZEN version as a last attempt.
>
> In both cases I made a very simple configuration; the most important details are as follows:
>
> I have two network cards, eth0 (management) and eth1 with some vlans: registration, isolation, production etc;
>
> I defined a Radius authentication backend, I configured a switch and a network profile.
> This network profile is “other” type because PF only performs authentication, gateway (nat) and dhcp server
> functions are performed by another server (10.25.0.254).
>
> With this setup I'd like to manage access to the wired network via 802.1x. While the client connects, PF is unable
> to read the IP Address assigned by the DHCP server. This is a big problem that I have to solve, otherwise I can't
> follow up with this project.
>
> If you have some time for me I'll send you the following information: The Packetfence configuration file, the active
> dhcp processes, the configuration of the network cards, the tcpdump session with which you can see that the
> server receives information via vlan 25 on DHCP sessions, and finally the packetfence.log file.
>
> Do you think there is a bug in PF 14.1 or is it a mistake in my configuration?
>
> Thanks for your attention.
>
> Enrico
>
> .—————————————————————————————————
>
> 1) pf.conf
>
> # general.dhcpservers
> #
> # Comma-delimited list of DHCP servers. Passthroughs are created to allow DHCP transactions from even "trapped" nodes.
> dhcpservers=127.0.0.1,10.25.0.254
>
> [interface eth1.25]
> type=dhcp-listener,portal
> ip=10.25.0.1
> mask=255.255.0.0
>
> # ps axf | grep -i dhc
> 11044 pts/0 S+ 0:00 \_ grep -i dhc
> 3057 ? S 0:00 \_ pfqueue - Queue:pfdhcplistener_external
> 3088 ? S 0:00 \_ pfqueue - Queue:pfdhcplistener
>
> # ip link
>
> 5: eth1.25@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
>     link/ether 52:54:00:ad:60:dc brd ff:ff:ff:ff:ff:ff
> 6: eth1.26@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
>
> 5: eth1.25@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
>     link/ether 52:54:00:ad:60:dc brd ff:ff:ff:ff:ff:ff
>     inet 10.25.0.1/16 brd 10.25.255.255 scope global eth1.25
>        valid_lft forever preferred_lft forever
>     inet6 fe80::5054:ff:fead:60dc/64 scope link
>        valid_lft forever preferred_lft forever
>
> # tcpdump -i eth1.25 -n -vv port 67 or port 68
> tcpdump: listening on eth1.25, link-type EN10MB (Ethernet), snapshot length 262144 bytes
> 15:27:26.576206 IP (tos 0x0, ttl 255, id 10108, offset 0, flags [none], proto UDP (17), length 328)
>     0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from ac:87:a3:12:81:47, length 300, xid 0x9370cc2c, secs 4, Flags [none] (0x0000)
>       Client-Ethernet-Address ac:87:a3:12:81:47
>       Vendor-rfc1048 Extensions
>         Magic Cookie 0x63825363
>         DHCP-Message (53), length 1: Request
>         Parameter-Request (55), length 12:
>           Subnet-Mask (1), Classless-Static-Route (121), Default-Gateway (3), Domain-Name-Server (6)
>           Domain-Name (15), Unknown (108), URL (114), Unknown (119)
>           Unknown (252), LDAP (95), Netbios-Name-Server (44), Netbios-Node (46)
>         MSZ (57), length 2: 1500
>         Client-ID (61), length 7: ether ac:87:a3:12:81:47
>         Requested-IP (50), length 4: 10.25.1.1
>         Lease-Time (51), length 4: 7776000
>         Hostname (12), length 12: "becchetti-nb"
>
> 1 packet captured
> 1 packet received by filter
> 0 packets dropped by kernel
>
> # tail packetfence.log
>
> 2025-03-13T15:27:22.145042+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] handling radius autz request: from switch_ip => (10.0.0.111), connection_type => Ethernet-EAP, switch_mac => (6c:c2:17:af:31:20), mac => [ac:87:a3:12:81:47], port => 3, username => "becch...@pg.infn.it" (pf::radius::authorize)
> 2025-03-13T15:27:22.214895+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] Instantiate profile INFN-WIRED (pf::Connection::ProfileFactory::_from_profile)
> 2025-03-13T15:27:22.299418+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] Found authentication source(s) : 'RADIUS-AAI' for realm 'default' (pf::config::util::filter_authentication_sources)
> 2025-03-13T15:27:22.336171+01:00 pfsrv pfqueue-backend[3072]: pfqueue(2158) INFO: [mac:[undef]] Running task person_lookup (main::process_data)
> 2025-03-13T15:27:22.305635+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] Using sources RADIUS-AAI for matching (pf::authentication::match2)
> 2025-03-13T15:27:22.310250+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] Matched rule (catchall) in source RADIUS-AAI, returning actions. (pf::Authentication::Source::match_rule)
> 2025-03-13T15:27:22.310250+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] Matched rule (catchall) in source RADIUS-AAI, returning actions. (pf::Authentication::Source::match)
> 2025-03-13T15:27:22.355955+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] Found authentication source(s) : 'RADIUS-AAI' for realm 'default' (pf::config::util::filter_authentication_sources)
> 2025-03-13T15:27:22.355955+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
> 2025-03-13T15:27:22.355955+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] Username was defined "becch...@pg.infn.it" - returning role 'default' (pf::role::getRegisteredRole)
> 2025-03-13T15:27:22.355955+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] PID: "becch...@pg.infn.it", Status: reg Returned VLAN: (undefined), Role: default (pf::role::fetchRoleForNode)
> 2025-03-13T15:27:22.370303+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] (10.0.0.111) Added VLAN 25 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
> 2025-03-13T15:27:22.384950+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] security_event 1300003 force-closed for ac:87:a3:12:81:47 (pf::security_event::security_event_force_close)
> 2025-03-13T15:27:22.385595+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] Instantiate profile INFN-WIRED (pf::Connection::ProfileFactory::_from_profile)
> 2025-03-13T15:27:22.401686+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] grace expired on security event 1200004 for node ac:87:a3:12:81:47 (pf::security_event::security_event_add)
> 2025-03-13T15:27:22.409662+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) ERROR: [mac:ac:87:a3:12:81:47] Database query failed with non retryable error: Cannot add or update a child row: a foreign key constraint fails (`pf`.`security_event`, CONSTRAINT `security_event_id_fkey_class` FOREIGN KEY (`security_event_id`) REFERENCES `class` (`security_event_id`) ON DELETE CASCADE ON UPDATE CASCADE) (errno: 1452) [INSERT INTO `security_event` ( `mac`, `notes`, `release_date`, `security_event_id`, `start_date`, `status`, `ticket_ref`) VALUES ( ?, ?, ?, ?, ?, ?, ? )]{ac:87:a3:12:81:47, , 0000-00-00 00:00:00, 1200004, 2025-03-13 15:27:22, open, } (pf::dal::db_execute)
> 2025-03-13T15:27:22.410532+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) ERROR: [mac:ac:87:a3:12:81:47] unknown error adding security event 1200004 for ac:87:a3:12:81:47 (pf::security_event::security_event_add)
>
> Enrico
>
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>

--
__________________________________________________________________________
Enrico Becchetti
Servizio di Calcolo e Reti
Istituto Nazionale di Fisica Nucleare - Sezione di Perugia
Via Pascoli, c/o Dipartimento di Fisica
06123 Perugia (ITALY)
Phone: +39 075 5852777
Mobile: +39 075 9696225
FAX: +39 075 5847296
Microsoft Teams: becch...@infn.it
Mail: Enrico.Becchetti<at>pg.infn.it
Skype: enrico_becchetti
Personal web page: https://www.pg.infn.it/home/enrico-becchetti
_________________________________________________________________________
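
Added example, not part of the original thread and not PacketFence's pfdhcplistener code: a generic RFC 2131/2132 parser showing which fields of a DHCP packet like the one in the tcpdump capture carry the MAC-to-IP binding a passive listener can record. The sample payload is constructed from the values visible in that capture; the function names are hypothetical.

```python
import socket
import struct

MAGIC = bytes.fromhex("63825363")  # "Magic Cookie 0x63825363" in the capture
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def _ip(raw):
    return socket.inet_ntoa(raw) if raw and len(raw) == 4 else None

def parse_dhcp(payload: bytes) -> dict:
    """Parse the UDP payload of a BOOTP/DHCP packet (RFC 2131/2132)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    hlen = min(payload[2], 16)               # chaddr field is 16 bytes wide
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = End
        if payload[i] == 0:                  # 0 = Pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated DHCP option")
        opts[payload[i]] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    msg = opts.get(53) or b"\0"              # option 53 = DHCP message type
    return {"xid": struct.unpack("!I", payload[4:8])[0],
            "mac": payload[28:28 + hlen].hex(":"),
            "type": TYPES.get(msg[0]),
            "ciaddr": _ip(payload[12:16]), "yiaddr": _ip(payload[16:20]),
            "requested_ip": _ip(opts.get(50)),
            "hostname": opts.get(12, b"").decode("ascii", "replace")}

def learned_binding(pkt: dict):
    """(mac, ip) a passive listener can record from this packet, else None."""
    if pkt["type"] == "REQUEST":             # option 50, or ciaddr on renewal
        ip = pkt["requested_ip"] or pkt["ciaddr"]
    elif pkt["type"] == "ACK":               # server-confirmed lease
        ip = pkt["yiaddr"]
    else:
        return None
    return (pkt["mac"], ip) if ip and ip != "0.0.0.0" else None

def sample_request() -> bytes:
    """Constructed payload carrying the field values shown in the tcpdump capture."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x9370CC2C, 4, 0,
                        b"", b"", b"", b"", bytes.fromhex("ac87a3128147"), b"", b"")
    opts = (bytes([53, 1, 3]) + bytes([50, 4]) + socket.inet_aton("10.25.1.1")
            + bytes([12, 12]) + b"becchetti-nb" + bytes([255]))
    return fixed + MAGIC + opts
```

A REQUEST only shows the address the client asked for; the binding is confirmed by the server's ACK, which a listener on the client VLAN may not see if it is sent unicast.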