Re: [PacketFence-users] R: R: R: Switch Compatibility

2017-11-13 Thread Fabrice Durand via PacketFence-users
Hello Alessandro,

I saw that Cisco attributes are also compatible with the Zyxel switches.

So you could choose Cisco_2960 as the switch type to make a test.

Regards

Fabrice



On 2017-11-13 at 07:06, Alessandro Canella wrote:
>
> Hello All,
>
> I’ve created a new switch under the PF\ folder.
>
> All seems fine, but no cli login.
>
> Switch Log reports
>
>    1 Nov 13 12:44:23 NO authentication: SSH authentication failure [username: newuser, IP address = 153.47.30.125]
>    2 Nov 13 12:44:23 WA authentication: Invalid Service Type: USER [   newuser]
>
> PF GUI Reports
>
> RADIUS Request
>
> User-Name = "newuser"
> User-Password = "**"
> NAS-IP-Address = 10.206.1.136
> NAS-Identifier = "K873MUXSW1"
> Event-Timestamp = "Nov 13 2017 11:45:37 UTC"
> Stripped-User-Name = "newuser"
> Realm = "null"
> FreeRADIUS-Client-IP-Address = 10.206.1.136
> SQL-User-Name = "newuser"
>
> RADIUS Reply
>
> Reply-Message = "Switch enable access granted by PacketFence"
> Zyxel-Privilege-AVPair = "shell:priv-lvl=15"
>
> PF LOG respond :
>
> Nov 13 11:44:18 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2712) INFO: [mac:[undef]] Authentication successful for newuser in source file1 (Htpasswd) (pf::authentication::authenticate)
> Nov 13 11:44:18 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2712) INFO: [mac:[undef]] Using sources file1 for matching (pf::authentication::match2)
> Nov 13 11:44:18 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2712) INFO: [mac:[undef]] Matched rule (admins) in source file1, returning actions. (pf::Authentication::Source::match)
> Nov 13 11:44:18 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2712) INFO: [mac:[undef]] User newuser logged in 10.206.1.136 with write access (pf::Switch::Zyxel::returnAuthorizeWrite)
> Nov 13 11:44:21 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2712) INFO: [mac:[undef]] Authentication successful for newuser in source file1 (Htpasswd) (pf::authentication::authenticate)
>
> *From:* Alessandro Canella via PacketFence-users [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Sunday, 12 November 2017 23:26
> *To:* Durand fabrice; packetfence-users@lists.sourceforge.net
> *Cc:* Alessandro Canella
> *Subject:* [PacketFence-users] R: R: Switch Compatibility
>
> I will try tomorrow.
>
> I’m not sure where the file is, I will check the documentation.
>
> *From:* Durand fabrice [mailto:fdur...@inverse.ca]
> *Sent:* Saturday, 11 November 2017 13:51
> *To:* Alessandro Canella; packetfence-users@lists.sourceforge.net
> *Subject:* Re: R: [PacketFence-users] Switch Compatibility
>
> Hello Alessandro,
>
> you will need to edit the switch module and add this:
>
> # Needed if the module does not already load the RADIUS filter engine
> use pf::access_filter::radius;
>
> =item returnAuthorizeWrite
>
> Return radius attributes to allow write access
>
> =cut
>
> sub returnAuthorizeWrite {
>     my ($self, $args) = @_;
>     my $logger = $self->logger;
>     my $radius_reply_ref;
>     my $status;
>     # Privilege level sent to the switch for write (enable) access
>     $radius_reply_ref->{'Zyxel-Privilege-AVPair'} = 'shell:priv-lvl=15';
>     $radius_reply_ref->{'Reply-Message'} = "Switch enable access granted by PacketFence";
>     $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with write access");
>     # Apply any matching RADIUS filter rule to the reply
>     my $filter = pf::access_filter::radius->new;
>     my $rule = $filter->test('returnAuthorizeWrite', $args);
>     ($radius_reply_ref, $status) = $filter->handleAnswerInRule($rule,$args,$radius_reply_ref);
>     return [$status, %$radius_reply_ref];
> }
>
> =item returnAuthorizeRead
>
> Return radius attributes to allow read access
>
> =cut
>
> sub returnAuthorizeRead {
>     my ($self, $args) = @_;
>     my $logger = $self->logger;
>     my $radius_reply_ref;
>     my $status;
>     # Privilege level sent to the switch for read access
>     $radius_reply_ref->{'Zyxel-Privilege-AVPair'} = 'shell:priv-lvl=3';
>     $radius_reply_ref->{'Reply-Message'} = "Switch read access granted by PacketFence";
>     $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with read access");
>     # Apply any matching RADIUS filter rule to the reply
>     my $filter = pf::access_filter::radius->new;
>     my $rule = $filter->test('returnAuthorizeRead', $args);
>     ($radius_reply_ref, $status) = $filter->handleAnswerInRule($rule,$args,$radius_reply_ref);
>     return [$status, %$radius_reply_ref];
> }
>
> Then restart PacketFence.
>
> Let me know if it works.
>
> Regards
>
> Fabrice
>
> On 2017-11-11 at 02:41, Alessandro Canella wrote:
>
> Zyxel GS 2210.
>
> I need only AAA for switch login (if you remember I use captive portal for wifi in inline mode)
>
> Zyxel provides
> https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=009451=EN
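
The RADIUS reply quoted in this thread, checked as an added example (not code from PacketFence or from either poster): the script parses the attribute dump in the form the PacketFence GUI prints it and lists what a switch may object to for CLI login. The names `audit_cli_reply`, `expected_level` and `max_level` are made up here; the highest privilege level the switch accepts, and whether it requires a Service-Type attribute, are assumptions to confirm in the switch documentation.

```python
import re

# Attribute lines as the PacketFence GUI prints them: Name = "value" or Name = value
ATTR_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*"?(.*?)"?\s*$')
PRIV_RE = re.compile(r'^shell:priv-lvl=(\d+)$')

# RADIUS Reply copied from the thread above
PAGE_REPLY = '''
Reply-Message = "Switch enable access granted by PacketFence"
Zyxel-Privilege-AVPair = "shell:priv-lvl=15"
'''

def parse_attrs(dump):
    """Parse a 'Name = value' attribute dump into a dict."""
    attrs = {}
    for line in dump.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs

def audit_cli_reply(attrs, expected_level, max_level):
    """Return findings for a switch-login Access-Accept.

    max_level is the highest privilege the NAS accepts; it is an
    assumption the caller takes from the switch documentation.
    """
    findings = []
    levels = {}
    for name, value in attrs.items():
        m = PRIV_RE.match(value)
        if name.endswith('AVPair') and m:
            levels[name] = int(m.group(1))
    if not levels:
        findings.append('no shell:priv-lvl AVPair in reply')
    for name, lvl in sorted(levels.items()):
        if lvl > max_level:
            findings.append(f'{name}: level {lvl} above NAS maximum {max_level}')
        elif lvl != expected_level:
            findings.append(f'{name}: level {lvl}, rule expects {expected_level}')
    # The switch log in the thread complains about the service type
    if 'Service-Type' not in attrs:
        findings.append('no Service-Type attribute in reply')
    return findings

if __name__ == '__main__':
    for finding in audit_cli_reply(parse_attrs(PAGE_REPLY), 15, 15):
        print(finding)
```
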

[PacketFence-users] R: R: R: Switch Compatibility

2017-11-13 Thread Alessandro Canella via PacketFence-users
Hello All,

I've created a new switch under the PF\ folder.

All seems fine, but no cli login.

Switch Log reports

   1 Nov 13 12:44:23 NO authentication: SSH authentication failure [username: newuser, IP address = 153.47.30.125]
   2 Nov 13 12:44:23 WA authentication: Invalid Service Type: USER [   newuser]

PF GUI Reports


RADIUS Request

User-Name = "newuser"
User-Password = "**"
NAS-IP-Address = 10.206.1.136
NAS-Identifier = "K873MUXSW1"
Event-Timestamp = "Nov 13 2017 11:45:37 UTC"
Stripped-User-Name = "newuser"
Realm = "null"
FreeRADIUS-Client-IP-Address = 10.206.1.136
SQL-User-Name = "newuser"

RADIUS Reply

Reply-Message = "Switch enable access granted by PacketFence"
Zyxel-Privilege-AVPair = "shell:priv-lvl=15"


PF LOG respond :

Nov 13 11:44:18 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2712) INFO: [mac:[undef]] Authentication successful for newuser in source file1 (Htpasswd) (pf::authentication::authenticate)
Nov 13 11:44:18 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2712) INFO: [mac:[undef]] Using sources file1 for matching (pf::authentication::match2)
Nov 13 11:44:18 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2712) INFO: [mac:[undef]] Matched rule (admins) in source file1, returning actions. (pf::Authentication::Source::match)
Nov 13 11:44:18 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2712) INFO: [mac:[undef]] User newuser logged in 10.206.1.136 with write access (pf::Switch::Zyxel::returnAuthorizeWrite)
Nov 13 11:44:21 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2712) INFO: [mac:[undef]] Authentication successful for newuser in source file1 (Htpasswd) (pf::authentication::authenticate)

From: Alessandro Canella via PacketFence-users [mailto:packetfence-users@lists.sourceforge.net]
Sent: Sunday, 12 November 2017 23:26
To: Durand fabrice; packetfence-users@lists.sourceforge.net
Cc: Alessandro Canella
Subject: [PacketFence-users] R: R: Switch Compatibility

I will try tomorrow.

I'm not sure where the file is, I will check the documentation.


From: Durand fabrice [mailto:fdur...@inverse.ca]
Sent: Saturday, 11 November 2017 13:51
To: Alessandro Canella; packetfence-users@lists.sourceforge.net
Subject: Re: R: [PacketFence-users] Switch Compatibility


Hello Alessandro,



you will need to edit the switch module and add this:

# Needed if the module does not already load the RADIUS filter engine
use pf::access_filter::radius;

=item returnAuthorizeWrite

Return radius attributes to allow write access

=cut

sub returnAuthorizeWrite {
    my ($self, $args) = @_;
    my $logger = $self->logger;
    my $radius_reply_ref;
    my $status;
    # Privilege level sent to the switch for write (enable) access
    $radius_reply_ref->{'Zyxel-Privilege-AVPair'} = 'shell:priv-lvl=15';
    $radius_reply_ref->{'Reply-Message'} = "Switch enable access granted by PacketFence";
    $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with write access");
    # Apply any matching RADIUS filter rule to the reply
    my $filter = pf::access_filter::radius->new;
    my $rule = $filter->test('returnAuthorizeWrite', $args);
    ($radius_reply_ref, $status) = $filter->handleAnswerInRule($rule,$args,$radius_reply_ref);
    return [$status, %$radius_reply_ref];
}

=item returnAuthorizeRead

Return radius attributes to allow read access

=cut

sub returnAuthorizeRead {
    my ($self, $args) = @_;
    my $logger = $self->logger;
    my $radius_reply_ref;
    my $status;
    # Privilege level sent to the switch for read access
    $radius_reply_ref->{'Zyxel-Privilege-AVPair'} = 'shell:priv-lvl=3';
    $radius_reply_ref->{'Reply-Message'} = "Switch read access granted by PacketFence";
    $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with read access");
    # Apply any matching RADIUS filter rule to the reply
    my $filter = pf::access_filter::radius->new;
    my $rule = $filter->test('returnAuthorizeRead', $args);
    ($radius_reply_ref, $status) = $filter->handleAnswerInRule($rule,$args,$radius_reply_ref);
    return [$status, %$radius_reply_ref];
}

Then restart PacketFence.

Let me know if it works.

Regards

Fabrice



On 2017-11-11 at 02:41, Alessandro Canella wrote:
Zyxel GS 2210.

I need only AAA for switch login (if you remember I use captive portal for wifi in inline mode)

Zyxel provides
https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=009451=EN

I've done everything as written in this doc (dictionary and so on)

From: Fabrice Durand via PacketFence-users [mailto:packetfence-users@lists.sourceforge.net]
Sent: Friday, 10 November 2017 21:35
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand
Subject: Re: [PacketFence-users] Switch Compatibility


Hello Alessandro,

what is the type of the switch ?

Regards

Fabrice



On 2017-11-10 at 09:44, Alessandro Canella via PacketFence-users wrote:
Hello all,

I solved everything (thanks to all..) and now I'm investigating about