Re: [PacketFence-users] Unknown Switch - Rejected User

2018-03-07 Thread ebrar via PacketFence-users
(73) Wed Mar  7 22:33:50 2018: Debug: # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
(73) Wed Mar  7 22:33:50 2018: Debug:   Post-Auth-Type REJECT {
(73) Wed Mar  7 22:33:50 2018: Debug: update {
(73) Wed Mar  7 22:33:50 2018: Debug: } # update = noop
(73) Wed Mar  7 22:33:50 2018: Debug: if (! EAP-Type || (EAP-Type != TTLS  && EAP-Type != PEAP) ) {
(73) Wed Mar  7 22:33:50 2018: Debug: if (! EAP-Type || (EAP-Type != TTLS  && EAP-Type != PEAP) )  -> TRUE
(73) Wed Mar  7 22:33:50 2018: Debug: if (! EAP-Type || (EAP-Type != TTLS  && EAP-Type != PEAP) )  {
(73) Wed Mar  7 22:33:50 2018: Debug:   policy packetfence-audit-log-reject {
(73) Wed Mar  7 22:33:50 2018: Debug: if ( != "dummy") {
(73) Wed Mar  7 22:33:50 2018: Debug: if ( != "dummy")  -> FALSE
(73) Wed Mar  7 22:33:50 2018: Debug:   } # policy packetfence-audit-log-reject = noop
(73) Wed Mar  7 22:33:50 2018: Debug: } # if (! EAP-Type || (EAP-Type != TTLS  && EAP-Type != PEAP) )  = noop
(73) Wed Mar  7 22:33:50 2018: Debug: attr_filter.access_reject: EXPAND %{User-Name}
(73) Wed Mar  7 22:33:50 2018: Debug: attr_filter.access_reject:    --> dummy
(73) Wed Mar  7 22:33:50 2018: Debug: attr_filter.access_reject: Matched entry DEFAULT at line 11
(73) Wed Mar  7 22:33:50 2018: Debug: [attr_filter.access_reject] = updated
(73) Wed Mar  7 22:33:50 2018: Debug: attr_filter.packetfence_post_auth: EXPAND %{User-Name}
(73) Wed Mar  7 22:33:50 2018: Debug: attr_filter.packetfence_post_auth:    --> dummy
(73) Wed Mar  7 22:33:50 2018: Debug: attr_filter.packetfence_post_auth: Matched entry DEFAULT at line 10
(73) Wed Mar  7 22:33:50 2018: Debug: [attr_filter.packetfence_post_auth] = updated
(73) Wed Mar  7 22:33:50 2018: Debug: [eap] = noop
(73) Wed Mar  7 22:33:50 2018: Debug: policy remove_reply_message_if_eap {
(73) Wed Mar  7 22:33:50 2018: Debug:   if (:EAP-Message && :Reply-Message) {
(73) Wed Mar  7 22:33:50 2018: Debug:   if (:EAP-Message && :Reply-Message) -> FALSE
(73) Wed Mar  7 22:33:50 2018: Debug:   else {
(73) Wed Mar  7 22:33:50 2018: Debug: [noop] = noop
(73) Wed Mar  7 22:33:50 2018: Debug:   } # else = noop
(73) Wed Mar  7 22:33:50 2018: Debug: } # policy remove_reply_message_if_eap = noop
(73) Wed Mar  7 22:33:50 2018: Debug: linelog: EXPAND messages.%{%{reply:Packet-Type}:-default}
(73) Wed Mar  7 22:33:50 2018: Debug: linelog:    --> messages.Access-Reject
(73) Wed Mar  7 22:33:50 2018: Debug: linelog: EXPAND [mac:%{Calling-Station-Id}] Rejected user: %{User-Name}
(73) Wed Mar  7 22:33:50 2018: Debug: linelog:    --> [mac:] Rejected user: dummy
(73) Wed Mar  7 22:33:50 2018: Debug: [linelog] = ok
(73) Wed Mar  7 22:33:50 2018: Debug:   } # Post-Auth-Type REJECT = updated
(73) Wed Mar  7 22:33:50 2018: Debug: Delaying response for 1.00 seconds
(73) Wed Mar  7 22:33:51 2018: Debug: Sending delayed response
(73) Wed Mar  7 22:33:51 2018: Debug: Sent Access-Reject Id 133 from 192.168.56.101:1812 to 192.168.56.100:1645 length 20
(73) Wed Mar  7 22:33:55 2018: Debug: Cleaning up request packet ID 133 with timestamp +8995


Regards.

Ebrar.

On 07-03-2018 05:27, Durand fabrice via PacketFence-users wrote:


Hello Ebrar,

This should work:

[192.168.56.100]
description=IOUvL2
type=Cisco::Catalyst_2960
radiusSecret=useStrongerSecret
deauthMethod=RADIUS

Regards

Fabrice




On 2018-03-06 at 08:49, ebrar via PacketFence-users wrote:


Hi All,

I have set up PF on a virtual machine whose OS is CentOS and I have 
set up a switch on GNS3 by using the image below:


i86bi-linux-l2-adventerprisek9-15.1a

This SW lets me do all the configurations mentioned in the PacketFence 
Out-of-Band Deployment Quick Guide. You can see the related 
configuration on the SW below:


username ebrar privilege 0 password 0 eleb
aaa new-model
!
!
aaa group server radius packetfence
 server name pfnac
!
aaa authentication login default local
aaa authentication dot1x default group packetfence
aaa authorization network default group packetfence
!
!
!
!
aaa server radius dynamic-author
 client 192.168.56.101 server-key useStrongerSecret
 port 3799
!
aaa session-id common
no ip icmp rate-limit unreachable
!
ip cef
!
!
no ip domain-lookup
no ipv6 cef
ipv6 multicast rpf use-bgp
!
!
dot1x system-auth-control

interface Ethernet0/0
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2,3,10
 switchport mode trunk
 duplex auto
!
interface Ethernet0/1
 switchport access vlan 10
 switchport mode access
 duplex auto
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 authentication periodic
 authentication timer restart 10800
 authentication timer reauthenticate 10800
 authentication violation replace
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout quiet-period 2

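The "Unknown switch" errors in ebrar's packetfence.log and the stanza Fabrice suggests are two sides of the same check: PacketFence only answers a RADIUS client whose source IP has a section in its switches.conf (under /usr/local/pf/conf). As an added example, not from the thread or from PacketFence itself, the Python below parses a constructed switches.conf in the layout Fabrice shows and a constructed log excerpt modelled on ebrar's lines, and lists the NAS IPs that were rejected but still have no stanza; the [default] section and the 10.0.0.5 address are assumptions.

```python
import configparser
import re
from typing import Dict, List, Set

# Constructed switches.conf in the layout Fabrice shows; the [default]
# section is an assumption for this example.
SWITCHES_CONF = """\
[default]
radiusSecret=useStrongerSecret

[192.168.56.100]
description=IOUvL2
type=Cisco::Catalyst_2960
radiusSecret=useStrongerSecret
deauthMethod=RADIUS
"""

# Constructed packetfence.log excerpt modelled on the thread's lines, plus
# one extra NAS (10.0.0.5, made up) that has no stanza yet.
PACKETFENCE_LOG = """\
Mar  6 19:26:03 localhost packetfence_httpd.aaa: httpd.aaa(2123) ERROR: [mac:[undef]] WARNING ! Unknown switch(es) 192.168.56.100 (pf::SwitchFactory::instantiate)
Mar  6 19:26:03 localhost packetfence_httpd.aaa: httpd.aaa(2123) WARN: [mac:[undef]] Unknown switch (192.168.56.100). This request will be failed. (pf::radius::switch_access)
Mar  6 19:40:10 localhost packetfence_httpd.aaa: httpd.aaa(2123) WARN: [mac:[undef]] Unknown switch (10.0.0.5). This request will be failed. (pf::radius::switch_access)
"""

# Matches both forms in the log: "Unknown switch(es) 1.2.3.4 (" and
# "Unknown switch (1.2.3.4)."
UNKNOWN_SWITCH_RE = re.compile(r"Unknown switch(?:\(es\))? \(?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?")

def known_switches(conf_text: str) -> Set[str]:
    """Sections of switches.conf other than [default] name a NAS. Exact IPs
    only; CIDR-range sections are not expanded by this example."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return {s for s in parser.sections() if s != "default"}

def unknown_switch_hits(log_text: str) -> Dict[str, int]:
    """Count 'Unknown switch' log lines per NAS IP."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        m = UNKNOWN_SWITCH_RE.search(line)
        if m:
            counts[m.group("ip")] = counts.get(m.group("ip"), 0) + 1
    return counts

def missing_stanzas(conf_text: str, log_text: str) -> List[str]:
    """NAS IPs rejected as unknown that still lack a switches.conf section."""
    known = known_switches(conf_text)
    return sorted(ip for ip in unknown_switch_hits(log_text) if ip not in known)
```

Run against the real files, each IP it prints needs a section like Fabrice's before PacketFence will stop answering "Switch is not managed by PacketFence" for that NAS.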
[PacketFence-users] Unknown Switch - Rejected User

2018-03-06 Thread ebrar via PacketFence-users

Hi All,

I have set up PF on a virtual machine whose OS is CentOS and I have set 
up a switch on GNS3 by using the image below:


i86bi-linux-l2-adventerprisek9-15.1a

This SW lets me do all the configurations mentioned in the PacketFence 
Out-of-Band Deployment Quick Guide. You can see the related 
configuration on the SW below:


username ebrar privilege 0 password 0 eleb
aaa new-model
!
!
aaa group server radius packetfence
 server name pfnac
!
aaa authentication login default local
aaa authentication dot1x default group packetfence
aaa authorization network default group packetfence
!
!
!
!
aaa server radius dynamic-author
 client 192.168.56.101 server-key useStrongerSecret
 port 3799
!
aaa session-id common
no ip icmp rate-limit unreachable
!
ip cef
!
!
no ip domain-lookup
no ipv6 cef
ipv6 multicast rpf use-bgp
!
!
dot1x system-auth-control

interface Ethernet0/0
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2,3,10
 switchport mode trunk
 duplex auto
!
interface Ethernet0/1
 switchport access vlan 10
 switchport mode access
 duplex auto
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 authentication periodic
 authentication timer restart 10800
 authentication timer reauthenticate 10800
 authentication violation replace
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout quiet-period 2
 dot1x timeout tx-period 3
!
interface Ethernet0/2
 switchport access vlan 20
 switchport mode access
 duplex auto

snmp-server community public RO
snmp-server community private RW
snmp-server host 192.168.56.101 version 2c public
!
radius-server vsa send authentication
!
radius server pfnac
 address ipv4 192.168.56.101 auth-port 1812 acct-port 1813
 automate-tester username ebrar ignore-acct-port idle-time 3
 key useStrongerSecret

When I connect a client to Ethernet 0/1 and try to connect to the internet 
(www.google.com), it responds "Page Not Found" and nothing changes 
on the SW.


You can see the errors in the log files below:

packetfence.log :

[root@localhost logs]#  tail -f packetfence.log
Mar  6 19:26:03 localhost packetfence_httpd.aaa: httpd.aaa(2123) ERROR: [mac:[undef]] WARNING ! Unknown switch(es) 192.168.56.100 (pf::SwitchFactory::instantiate)
Mar  6 19:26:03 localhost packetfence_httpd.aaa: httpd.aaa(2123) WARN: [mac:[undef]] Unknown switch (192.168.56.100). This request will be failed. (pf::radius::switch_access)
Mar  6 19:29:02 localhost packetfence_httpd.aaa: httpd.aaa(2123) ERROR: [mac:[undef]] WARNING ! Unknown switch(es) 192.168.56.100 (pf::SwitchFactory::instantiate)
Mar  6 19:29:02 localhost packetfence_httpd.aaa: httpd.aaa(2123) WARN: [mac:[undef]] Unknown switch (192.168.56.100). This request will be failed. (pf::radius::switch_access)
Mar  6 19:31:51 localhost packetfence_httpd.aaa: httpd.aaa(2123) ERROR: [mac:[undef]] WARNING ! Unknown switch(es) 192.168.56.100 (pf::SwitchFactory::instantiate)
Mar  6 19:31:51 localhost packetfence_httpd.aaa: httpd.aaa(2123) WARN: [mac:[undef]] Unknown switch (192.168.56.100). This request will be failed. (pf::radius::switch_access)
Mar  6 19:34:49 localhost packetfence_httpd.aaa: httpd.aaa(2123) ERROR: [mac:[undef]] WARNING ! Unknown switch(es) 192.168.56.100 (pf::SwitchFactory::instantiate)
Mar  6 19:34:49 localhost packetfence_httpd.aaa: httpd.aaa(2123) WARN: [mac:[undef]] Unknown switch (192.168.56.100). This request will be failed. (pf::radius::switch_access)
Mar  6 19:37:37 localhost packetfence_httpd.aaa: httpd.aaa(2123) ERROR: [mac:[undef]] WARNING ! Unknown switch(es) 192.168.56.100 (pf::SwitchFactory::instantiate)
Mar  6 19:37:37 localhost packetfence_httpd.aaa: httpd.aaa(2123) WARN: [mac:[undef]] Unknown switch (192.168.56.100). This request will be failed. (pf::radius::switch_access)


radius.log :

Mar  6 19:37:37 localhost auth[2284]: (552) rest: ERROR: {"control:PacketFence-Authorization-Status":"allow","Reply-Message":"Switch is not managed by PacketFence"}
Mar  6 19:37:37 localhost auth[2284]: Need 2 more connections to reach min connections (3)
Mar  6 19:37:37 localhost auth[2284]: rlm_rest (rest): Opening additional connection (1099), 1 of 63 pending slots used
Mar  6 19:37:37 localhost auth[2284]: rlm_sql (sql): Closing connection (1097): Hit idle_timeout, was idle for 168 seconds
Mar  6 19:37:37 localhost auth[2284]: rlm_sql (sql): Closing connection (1098): Hit idle_timeout, was idle for 168 seconds
Mar  6 19:37:37 localhost auth[2284]: rlm_sql (sql): Opening additional connection (1099), 1 of 64 pending slots used
Mar  6 19:37:37 localhost auth[2284]: Need 2 more connections to reach min connections (3)
Mar  6 19:37:37 localhost auth[2284]: rlm_sql (sql): Opening additional connection (1100), 1 of 63 pending slots used
Mar  6 19:37:37 localhost auth[2284]: [mac:] Rejected user: ebrar
Mar  6 19:37:37 localhost auth[2284]: (552) Rejected in post-auth: [ebrar] (from client 192.168.56.100/32 port 0)


And