Re: [PacketFence-users] SSH not passing interface enable/disable commands

2016-05-13 Thread Dustin Berube
Good morning, patch 1472 worked and successfully deauthenticated the port on
my switch. Later today I hope to test this patch against the following
Junos versions and report back: Junos 12.3, 13.2 (working), and 14.1.
Thanks for the help.
-dustin

On Thu, May 12, 2016 at 5:03 PM, Louis Munro  wrote:

PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] SSH not passing interface enable/disable commands

2016-05-12 Thread Louis Munro


> On May 12, 2016, at 11:50 , Dustin Berube  wrote:
> 
> I downloaded the patch and applied the EX4200 module to the switch after 
> restarting the services. After logging into the captive portal it is still 
> failing to disconnect. 

Please try the following patch which addresses an issue with the session lookup 
in radacct:

https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/1472.diff

Let us know if it fixes the disconnect problem.

Regards,
--
Louis Munro
lmu...@inverse.ca  ::  www.inverse.ca 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)


Re: [PacketFence-users] SSH not passing interface enable/disable commands

2016-05-12 Thread Louis Munro


> On May 12, 2016, at 11:50 , Dustin Berube  wrote:
> 
> I downloaded the patch and applied the EX4200 module to the switch after 
> restarting the services. After logging into the captive portal it is still 
> failing to disconnect. Here's the output from radsniff

It looks like the error may be that we don't correctly look up the sessionid in
the radacct table.

Give me a few hours to come up with a fix for that.

Regards,
--
Louis Munro
lmu...@inverse.ca  ::  www.inverse.ca 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)


Re: [PacketFence-users] SSH not passing interface enable/disable commands

2016-05-12 Thread Dustin Berube
I downloaded the patch and applied the EX4200 module to the switch after
restarting the services. After logging into the captive portal it is still
failing to disconnect. Here's the output from radsniff:

2016-05-12 11:25:19.932865 (5) Disconnect-Request Id 149 eth0:172.30.40.10:60670 -> 172.22.0.201:3799 +823.260
Authenticator-Field = 0xbe8ecea40c13feee52394a61c0df5236
2016-05-12 11:25:19.934181 (6) Disconnect-NAK Id 149 eth0:172.30.40.10:60670 <- 172.22.0.201:3799 +823.262 +0.001
Error-Cause = Missing-Attribute
Authenticator-Field = 0x18a30256c1e27ec723d00645bb00a98a
2016-05-12 11:25:25.134181 (5) Cleaning up request packet ID 149


Successful request (manually sent through radclient):

2016-05-12 10:41:08.831102 (3) Disconnect-Request Id 67 eth0:172.30.40.10:41123 -> 172.22.0.201:3799 +153.383
Acct-Session-Id = "8O2.1x819e0127000343a2"
Authenticator-Field = 0x13d5b6cd6b7bd756bab4e476327b0ebf
2016-05-12 10:41:08.848685 (4) Disconnect-ACK Id 67 eth0:172.30.40.10:41123 <- 172.22.0.201:3799 +153.401 +0.017
Authenticator-Field = 0x630aa3c2cd8f60842772b630a8bd3a5a
2016-05-12 10:41:14.486850 (3) Cleaning up request packet ID 67


On Thu, May 12, 2016 at 11:00 AM, Louis Munro  wrote:



Re: [PacketFence-users] SSH not passing interface enable/disable commands

2016-05-12 Thread Louis Munro



Dustin Berube wrote:


Sending just the acctsessionid worked.


Please try the following patch then.

https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/1469.diff

Download it using wget (or whatever you prefer), and apply it like this:

# cd /usr/local/pf;  patch -p1 < $PATH_TO_PATCHFILE

It will create a new EX4200 module under lib/pf/Switch/Juniper/.

You will have to restart httpd.aaa and httpd.admin and then reconfigure 
the switch to use that type.


It may not be perfect.
I am not at the office and don't have access to my test system at the 
moment.


Regards,

--
Louis Munro
lmu...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)




Re: [PacketFence-users] SSH not passing interface enable/disable commands

2016-05-12 Thread Dustin Berube
On Thu, May 12, 2016 at 10:15 AM, Louis Munro  wrote:

>
> Could you try and see if the same works when providing only the
> acctsessionid?
>

Sending just the acctsessionid worked.


Re: [PacketFence-users] SSH not passing interface enable/disable commands

2016-05-12 Thread Louis Munro


Dustin Berube wrote:
> Using the value of the acctsessionid column in the radacct table worked.

Could you try and see if the same works when providing only the
acctsessionid?


The patch would be simpler if I didn't need to handle both User-Name and 
session id.

The session id should be unique anyway.

Regards,

--
Louis Munro
lmu...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)




Re: [PacketFence-users] SSH not passing interface enable/disable commands

2016-05-11 Thread Dustin Berube
Hi Fabrice

We tried the EX2200 module this afternoon which finally gave me a
Disconnect-NAK during the radius disconnect. After working back and forth
with Louis this afternoon it looks like a patch might be required to fully
support the EX4200.

I have an EX2200 in the lab I am going to test tomorrow as well.

Robin - what version of Junos are you running on the EX3300? I don't have a
3300 available to me but I can match versions and test against the base
software.

-dustin

On Wed, May 11, 2016 at 8:05 PM Durand fabrice <fdur...@inverse.ca> wrote:


Re: [PacketFence-users] SSH not passing interface enable/disable commands

2016-05-11 Thread Durand fabrice
Quick question: did you try with this module (Juniper EX 2200 Series),
because the CoA is there:


https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Juniper/EX2200.pm#L137

Regards
Fabrice


On 2016-05-11 18:09, Kundert, Robin wrote:


I’ve been watching this as we are starting to use Juniper EX series 
switches and I hope this will also solve the same issues I’ve 
encountered with EX3300 switches on 5.3.1.


-- Robin Kundert
   Sr. Network Analyst/Administrator
   Seattle Pacific University

From: Dustin Berube [mailto:dustin.ber...@gmail.com]
Sent: Wednesday, May 11, 2016 14:06
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] SSH not passing interface enable/disable commands


Using the value of the acctsessionid column in the radacct table worked.

Here are the attributes I used.

User-Name=0021ccbea13f

Acct-Session-ID=8O2.1x819e0122000d26f7

Output of radclient:

[root@PacketFence-ZEN-6-0-0 ~]# cat radcl | radclient -c1 -r1 -x 172.22.0.201:3799 disconnect
Sent Disconnect-Request Id 236 from 0.0.0.0:35766 to 172.22.0.201:3799 length 58
User-Name = "0021ccbea13f"
Acct-Session-Id = "8O2.1x819e0122000d26f7"
Received Disconnect-ACK Id 236 from 172.22.0.201:3799 to 0.0.0.0:0 length 20


Output of radsniff:

[root@PacketFence-ZEN-6-0-0 ~]# radsniff -x -f 'host 172.22.0.201 and port 3799'
Logging all events
Defaulting to capture on all interfaces
Sniffing on (eth0 eth0.97 eth0.98 fcc-radius-b lo)
2016-05-11 16:55:16.415405 (1) Disconnect-Request Id 94 eth0:172.30.40.10:47301 -> 172.22.0.201:3799 +0.000
User-Name = "0021ccbea13f"
Acct-Session-Id = "8O2.1x819e011f000f153a"
Authenticator-Field = 0x406c6d6f4cf316df00401cce3f728990
2016-05-11 16:55:16.454810 (2) Disconnect-ACK Id 94 eth0:172.30.40.10:47301 <- 172.22.0.201:3799 +0.039 +0.039
Authenticator-Field = 0xfc1ca69d92808dd0ac29bb28cd303799
2016-05-11 16:55:21.654810 (1) Cleaning up request packet ID 94

Successfully removed the port from the vlan and reset the auth status 
on the switch.


root# run show dot1x interface ge-0/0/2.0
802.1X Information:
Interface     Role           State        MAC address    User
ge-0/0/2.0    Authenticator  Connecting

Thanks for the help Louis. Let me know if you need any more information
to create the patch.


-dustin

On Wed, May 11, 2016 at 4:33 PM, Louis Munro <lmu...@inverse.ca> wrote:

On May 11, 2016, at 16:10 , Dustin Berube <dustin.ber...@gmail.com> wrote:

[root@PacketFence-ZEN-6-0-0 ~]# radsniff -x -f 'host 172.22.0.201 and port 3799'
Logging all events
Defaulting to capture on all interfaces
Sniffing on (eth0 eth0.97 eth0.98 fcc-radius-b lo)
2016-05-11 16:03:58.379930 (1) Disconnect-Request Id 78 eth0:172.30.40.10:34211 -> 172.22.0.201:3799 +0.000
  NAS-IP-Address = 172.22.0.201
  Calling-Station-Id = "00:21:cc:be:a1:3f"
  Authenticator-Field = 0xff41af5cfacbac548dfd8b5455700340
2016-05-11 16:03:58.396590 (2) Disconnect-NAK Id 78 eth0:172.30.40.10:34211 <- 172.22.0.201:3799 +0.001 +0.001
  Error-Cause = Missing-Attribute
  Authenticator-Field = 0x372a2a7088936bad8ace3669bc09cbcc
2016-05-11 16:04:03.239659 (1) Cleaning up request packet ID 78

So the switch rejects (NAKs) our disconnect request.

We need to find which attribute to send it to ask it to disconnect
you.

This is where it gets “fun”.

Each vendor seems to have its own idea about that.

If I read this correctly, we need the session id:


http://www.juniper.net/documentation/en_US/junos13.3/topics/concept/aaa-radius-coa-overview.html

You would find that in the accounting tables of the database.

Look in the “radacct” table, under acctsessionid using the mac
address of the device (lowercase and without any delimiter).

Then what you can do as a proof of concept is to manually send a
disconnect request using radclient.

Save the attributes and values to send into a file, like this:

User-Name=$USER-NAME

Acct-Session-ID=$sessionid

and then pipe the file into radclient:

# cat file | radclient -c1 -r1 -x 172.22.0.201 disconnect $RADIUS_SHARED_SECRET

If you can get it to disconnect, 
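
The proof of concept Louis describes above (find the device's session in radacct by its MAC, put the attributes in a file, pipe that into radclient), as an added Python example that is not part of this thread or of PacketFence. The radacct rows are constructed (session ids reuse values seen in the thread), the secret-file path is a placeholder, and sending only Acct-Session-Id follows Dustin's later finding that the session id alone is accepted by the EX4200.

```python
import re
import sqlite3
from typing import List, Optional, Tuple


def normalize_mac(mac: str) -> str:
    """Lowercase hex with no delimiters, the form Louis says to search radacct with:
    '00:21:CC:BE:A1:3F', '00-21-cc-be-a1-3f' and '0021.ccbe.a13f' all -> '0021ccbea13f'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


# Constructed sample rows shaped like the FreeRADIUS radacct table PacketFence writes
# (only the columns this lookup needs). The 00-11-22-33-44-55 row is invented to show
# a second, unrelated open session that must not be picked up.
SAMPLE_RADACCT: List[Tuple[str, str, str, str, Optional[str]]] = [
    # acctsessionid, username, callingstationid, acctstarttime, acctstoptime
    ("8O2.1x819e011f000f153a", "0021ccbea13f", "00-21-CC-BE-A1-3F", "2016-05-11 14:00:00", "2016-05-11 16:40:00"),
    ("8O2.1x819e0122000d26f7", "0021ccbea13f", "00-21-CC-BE-A1-3F", "2016-05-11 16:45:00", None),
    ("8O2.1x819e0127000343a2", "FCC\\jdoe", "00-11-22-33-44-55", "2016-05-12 10:30:00", None),
]


def load_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the MySQL radacct table so the lookup runs offline."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radacct (acctsessionid TEXT, username TEXT, callingstationid TEXT, "
        "acctstarttime TEXT, acctstoptime TEXT)"
    )
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?, ?)", SAMPLE_RADACCT)
    return db


def find_open_session(db: sqlite3.Connection, mac: str) -> Optional[str]:
    """Newest still-open acctsessionid for this MAC, or None.

    Matches Calling-Station-Id whatever delimiter style the NAS used, and also
    User-Name for the case in the thread where the switch reports the MAC as the
    user. Closed sessions (acctstoptime set) are skipped: the switch no longer
    knows them and would NAK the disconnect.
    """
    want = normalize_mac(mac)
    rows = db.execute(
        "SELECT acctsessionid, username, callingstationid FROM radacct "
        "WHERE acctstoptime IS NULL ORDER BY acctstarttime DESC"
    ).fetchall()
    for sessionid, username, csid in rows:
        try:
            csid_norm = normalize_mac(csid) if csid else None
        except ValueError:
            csid_norm = None  # callingstationid is free text from the NAS; tolerate junk
        if csid_norm == want or (username or "").lower() == want:
            return sessionid
    return None


def disconnect_attributes(sessionid: str) -> str:
    """The attribute file piped into radclient; only Acct-Session-Id is needed."""
    return f'Acct-Session-Id = "{sessionid}"\n'


def radclient_command(switch_ip: str, secret_file: str, port: int = 3799) -> List[str]:
    """argv for radclient. -S reads the shared secret from a file rather than the
    command line (where the thread's example puts it), keeping it out of `ps` output."""
    return ["radclient", "-c1", "-r1", "-x", "-S", secret_file, f"{switch_ip}:{port}", "disconnect"]


def prepare_disconnect(db, mac, switch_ip, secret_file="/path/to/radius-secret.txt"):
    """Dry run: return (argv, stdin_text), or None when there is no open session.
    The secret file path is a placeholder, not a PacketFence path."""
    sessionid = find_open_session(db, mac)
    if sessionid is None:
        return None
    return radclient_command(switch_ip, secret_file), disconnect_attributes(sessionid)


if __name__ == "__main__":
    plan = prepare_disconnect(load_sample_db(), "00:21:cc:be:a1:3f", "172.22.0.201")
    if plan:
        argv, attrs = plan
        print(" ".join(argv))
        print(attrs, end="")
        # On a PacketFence host: subprocess.run(argv, input=attrs, text=True)
```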

Re: [PacketFence-users] SSH not passing interface enable/disable commands

2016-05-11 Thread Louis Munro


> On May 11, 2016, at 14:23 , Dustin Berube  wrote:
> 
> Hi Louis,
> 
> After changing the type to Juniper::EX2200 I get the following in 
> packetfence.log

Ok, so that indicates that radius itself is working properly now but you need 
to find a way to deauthenticate the device from the switch.

Since you have configured PacketFence to try radius disconnect there should be 
a radius request sent from your server to the switch.
Start by making sure that is really the case.

Try unregistering and reregistering on the portal while running 

radsniff -x -f 'host $IP_OF_YOUR_SWITCH and port 3799'

You should see if there are disconnection requests and replies going between 
the two.

Regards,
--
Louis Munro
lmu...@inverse.ca  ::  www.inverse.ca 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] SSH not passing interface enable/disable commands

2016-05-11 Thread Dustin Berube
Hi Louis,

After changing the type to Juniper::EX2200 I get the following in
packetfence.log

May 11 13:59:45 httpd.aaa(2637) INFO: [mac:00:21:cc:be:a1:3f] Found method
CODE(0x7f1f30c207d8) for REST path /radius/rest/authorize
(pf::WebAPI::REST::handler)
May 11 13:59:45 httpd.aaa(2637) INFO: [mac:00:21:cc:be:a1:3f] handling
radius autz request: from switch_ip => (172.22.0.201), connection_type =>
Ethernet-EAP,switch_mac => (54:e0:32:9c:1d:80), mac => [00:21:cc:be:a1:3f],
port => ge-0/0/2.0, username => "FCC\dberube" (pf::radius::authorize)
May 11 13:59:45 httpd.aaa(2637) INFO: [mac:00:21:cc:be:a1:3f] Could not
find any IP phones through discovery protocols for ifIndex ge-0/0/2.0
(pf::Switch::getPhonesDPAtIfIndex)
May 11 13:59:45 httpd.aaa(2637) INFO: [mac:00:21:cc:be:a1:3f] is of status
unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
May 11 13:59:45 httpd.aaa(2637) INFO: [mac:00:21:cc:be:a1:3f]
(172.22.0.201) Added VLAN 98 to the returned RADIUS Access-Accept
(pf::Switch::returnRadiusAccessAccept)
May 11 13:59:45 httpd.aaa(2637) INFO: [mac:00:21:cc:be:a1:3f] Updating
locationlog from accounting request (pf::api::handle_accounting_metadata)
May 11 13:59:45 httpd.portal(2871) INFO: [mac:00:21:cc:be:a1:3f] Dealing
with a endpoint / browser with captive-portal detection capabilities while
having a self-signed SSL certificate. Using HTTP instead of HTTPS
(pf::web::dispatcher::handler)
May 11 13:59:45 httpd.portal(2871) INFO: [mac:00:21:cc:be:a1:3f]
Instantiate a new iptables modification method. pf::ipset
(pf::inline::get_technique)
May 11 13:59:46 httpd.portal(2992) INFO: [mac:00:21:cc:be:a1:3f] Dealing
with a endpoint / browser with captive-portal detection capabilities while
having a self-signed SSL certificate. Using HTTP instead of HTTPS
(pf::web::dispatcher::handler)
May 11 13:59:46 httpd.portal(2992) INFO: [mac:00:21:cc:be:a1:3f]
Instantiate a new iptables modification method. pf::ipset
(pf::inline::get_technique)

Here's the output from raddebug:
https://gist.github.com/dberube1/25f9959fa769171e49bae5cacfe68b6e

Just for the sake of being thorough I have tried authenticating through the
captive portal and the port never gets moved out of the registration vlan
until you physically unplug and replug the cable or disable/enable the port
on the cli.

Here's the contents of packetfence.log after trying the captive portal.

May 11 14:00:40 httpd.portal(2874) INFO: [mac:00:21:cc:be:a1:3f] Dealing
with a endpoint / browser with captive-portal detection capabilities while
having a self-signed SSL certificate. Using HTTP instead of HTTPS
(pf::web::dispatcher::handler)
May 11 14:00:40 httpd.portal(2874) INFO: [mac:00:21:cc:be:a1:3f]
Instantiate a new iptables modification method. pf::ipset
(pf::inline::get_technique)
May 11 14:00:44 httpd.portal(2992) INFO: [mac:00:21:cc:be:a1:3f]
Instantiate a new iptables modification method. pf::ipset
(pf::inline::get_technique)
May 11 14:00:44 httpd.portal(2992) INFO: [mac:00:21:cc:be:a1:3f]
Instantiate a new iptables modification method. pf::ipset
(pf::inline::get_technique)
May 11 14:00:47 httpd.portal(2871) INFO: [mac:00:21:cc:be:a1:3f]
Instantiate a new iptables modification method. pf::ipset
(pf::inline::get_technique)
May 11 14:00:47 httpd.portal(2872) INFO: [mac:unknown] Instantiate profile
default (pf::Portal::ProfileFactory::_from_profile)
May 11 14:00:47 httpd.portal(2872) INFO: [mac:00:21:cc:be:a1:3f]
Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
May 11 14:00:47 httpd.portal(2872) INFO: [mac:00:21:cc:be:a1:3f]
Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
May 11 14:00:47 httpd.portal(2872) INFO: [mac:00:21:cc:be:a1:3f] Updating
node user_agent with useragent: 'Mozilla/5.0 (Windows NT 10.0; WOW64;
Trident/7.0; rv:11.0) like Gecko'
(captiveportal::PacketFence::DynamicRouting::Application::process_user_agent)
May 11 14:00:49 httpd.portal(2874) INFO: [mac:unknown] Instantiate profile
default (pf::Portal::ProfileFactory::_from_profile)
May 11 14:00:49 httpd.portal(2874) INFO: [mac:00:21:cc:be:a1:3f]
Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
May 11 14:00:49 httpd.portal(2874) INFO: [mac:00:21:cc:be:a1:3f]
Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
May 11 14:00:49 httpd.portal(2874) INFO: [mac:00:21:cc:be:a1:3f] Updating
node user_agent with useragent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows
NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET
CLR 3.0.30729; .NET CLR 3.5.30729)'
(captiveportal::PacketFence::DynamicRouting::Application::process_user_agent)
May 11 14:00:49 httpd.portal(2872) INFO: [mac:unknown] Instantiate profile
default (pf::Portal::ProfileFactory::_from_profile)
May 11 14:00:49 httpd.portal(2872) INFO: [mac:00:21:cc:be:a1:3f]
Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
May 11 14:00:49 httpd.portal(2872) INFO: [mac:00:21:cc:be:a1:3f]
Instantiate profile default 

Re: [PacketFence-users] SSH not passing interface enable/disable commands

2016-05-11 Thread Dustin Berube
Hi Holger,

Can you share which version of Junos you are running? Also if possible can
I see a sanitized copy of the config for the access stanza and the
protocols dot1x stanza?

Thanks,
Dustin

On Wed, May 11, 2016 at 2:12 PM, <holger.patz...@t-systems.com> wrote:



Re: [PacketFence-users] SSH not passing interface enable/disable commands

2016-05-11 Thread Holger.Patzelt
Hi,

this might not really help you, but we actually have 802.1x User Auth running via 
radius on Juniper ex3200 with the Type set to “Juniper::EX2200”.
With the EX Type it never worked here.

bye
Holger



From: Louis Munro [mailto:lmu...@inverse.ca]
Sent: Wednesday, 11 May 2016 19:28
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] SSH not passing interface enable/disable 
commands

Hi Dustin,
Try setting the type to “Juniper::EX2200”.

The generic code for the EX module is very old.
It may be time for us to revisit it.

Regards,
--
Louis Munro
lmu...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

On May 11, 2016, at 13:14 , Dustin Berube <dustin.ber...@gmail.com> wrote:

Hi Louis,

I'm testing this against a Juniper EX4200-48PX running Junos 13.2X51-D35.3 
(latest branch of 13.2).




Here's the config from switches.conf

[172.22.0.201]
mode=production
Technology ServicesVlan=51
VoIPCDPDetect=N
VoIPDHCPDetect=N
AccessListMap=N
description=EX 4200
SNMPVersionTrap=2c
cliPwd=
cliTransport=SSH
UrlMap=N
registrationVlan=98
Technology ServicesRole=techsvcs_51
cliUser=packetfence
deauthMethod=RADIUS
type=Juniper::EX
VoIPLLDPDetect=N
isolationVlan=97
radiusSecret=
SNMPVersion=2c
cliEnablePwd=
voiceVlan=99




Re: [PacketFence-users] SSH not passing interface enable/disable commands

2016-05-11 Thread Louis Munro
Hi Dustin,
Try setting the type to “Juniper::EX2200”.

The generic code for the EX module is very old.
It may be time for us to revisit it.

Regards,
--
Louis Munro
lmu...@inverse.ca  ::  www.inverse.ca 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)

> On May 11, 2016, at 13:14 , Dustin Berube  wrote:
> 
> Hi Louis,
> 
> I'm testing this against a Juniper EX4200-48PX running Junos 13.2X51-D35.3 
> (latest branch of 13.2).
> 
> 
> 
> 
> Here's the config from switches.conf
> 
> [172.22.0.201]
> mode=production
> Technology ServicesVlan=51
> VoIPCDPDetect=N
> VoIPDHCPDetect=N
> AccessListMap=N
> description=EX 4200
> SNMPVersionTrap=2c
> cliPwd=
> cliTransport=SSH
> UrlMap=N
> registrationVlan=98
> Technology ServicesRole=techsvcs_51
> cliUser=packetfence
> deauthMethod=RADIUS
> type=Juniper::EX
> VoIPLLDPDetect=N
> isolationVlan=97
> radiusSecret=
> SNMPVersion=2c
> cliEnablePwd=
> voiceVlan=99
> 

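Louis' advice above is a one-line change in switches.conf, but the posted block also has empty credential fields next to cliTransport=SSH and deauthMethod=RADIUS. The following is an added example, not PacketFence code or anything from the thread's participants: it parses a switches.conf section and reports the settings this thread identified as problematic. The "weak" sample is modelled on Dustin's posted block (its empty passwords were presumably redacted before posting); the "fixed" sample applies the type change and fills the secrets with labelled placeholders. The rule that Juniper::EX should be replaced by Juniper::EX2200 is taken only from this thread, not from a PacketFence support matrix.

```python
"""Lint a PacketFence switches.conf block for the problems discussed in this thread.

Added example, not PacketFence code. The sample below is modelled on the config
posted in the thread; the advice encoded in SUPERSEDED_TYPES comes from Louis' reply.
"""
import configparser
from typing import Dict, List

# Constructed sample modelled on the posted config; the empty credential values
# are kept exactly as posted (they were presumably redacted before posting).
WEAK_SWITCHES_CONF = """\
[172.22.0.201]
mode=production
Technology ServicesVlan=51
VoIPCDPDetect=N
VoIPDHCPDetect=N
AccessListMap=N
description=EX 4200
SNMPVersionTrap=2c
cliPwd=
cliTransport=SSH
UrlMap=N
registrationVlan=98
Technology ServicesRole=techsvcs_51
cliUser=packetfence
deauthMethod=RADIUS
type=Juniper::EX
VoIPLLDPDetect=N
isolationVlan=97
radiusSecret=
SNMPVersion=2c
cliEnablePwd=
voiceVlan=99
"""

# Same block with the thread's fix applied and placeholder secrets filled in.
FIXED_SWITCHES_CONF = (
    WEAK_SWITCHES_CONF.replace("type=Juniper::EX\n", "type=Juniper::EX2200\n")
    .replace("cliPwd=\n", "cliPwd=<CLI-PASSWORD-PLACEHOLDER>\n")
    .replace("radiusSecret=\n", "radiusSecret=<RADIUS-SECRET-PLACEHOLDER>\n")
)

# Thread-derived advice (assumption: only what this thread reports, not a support matrix).
SUPERSEDED_TYPES = {"Juniper::EX": "Juniper::EX2200"}


def parse_switches_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-style switches.conf; keys keep their case (cliPwd, not clipwd)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str
    parser.read_string(text)
    return {section: dict(parser[section]) for section in parser.sections()}


def lint_switch(name: str, sw: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one [switch] section."""
    findings: List[str] = []
    sw_type = sw.get("type", "")
    if sw_type in SUPERSEDED_TYPES:
        findings.append(
            f"{name}: type={sw_type}; the thread reports {SUPERSEDED_TYPES[sw_type]} as the working module"
        )
    # An SSH port bounce logs in with CLI credentials; an empty password cannot authenticate.
    if sw.get("cliTransport", "").upper() == "SSH":
        for key in ("cliUser", "cliPwd"):
            if not sw.get(key):
                findings.append(f"{name}: cliTransport=SSH but {key} is empty")
    # RADIUS disconnect messages are authenticated with the shared secret.
    if sw.get("deauthMethod", "").upper() == "RADIUS" and not sw.get("radiusSecret"):
        findings.append(f"{name}: deauthMethod=RADIUS but radiusSecret is empty")
    return findings


def lint_switches_conf(text: str) -> List[str]:
    """Lint every switch section in a switches.conf text."""
    return [f for name, sw in parse_switches_conf(text).items() for f in lint_switch(name, sw)]


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SWITCHES_CONF), ("fixed", FIXED_SWITCHES_CONF)):
        print(label, lint_switches_conf(conf) or ["no findings"])
```

Running it prints three findings for the weak block (the superseded type and the two empty secrets) and none for the fixed one. The optionxform override matters: configparser lowercases keys by default, which would make cliPwd and radiusSecret invisible to the checks.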


Re: [PacketFence-users] SSH not passing interface enable/disable commands

2016-05-11 Thread Dustin Berube
Hi Louis,

I'm testing this against a Juniper EX4200-48PX running Junos 13.2X51-D35.3
(latest branch of 13.2).


Here's the relevant part of packetfence.log

May 11 13:07:06 httpd.aaa(1693) INFO: [mac:00:21:cc:be:a1:3f] Found method
CODE(0x7f89ee7ba2c8) for REST path /radius/rest/authorize
(pf::WebAPI::REST::handler)
May 11 13:07:07 httpd.aaa(1693) WARN: [mac:00:21:cc:be:a1:3f] Couldn't
match interface name for NAS-Port. VLAN re-assignment and switch/port
accounting will be affected. (pf::Switch::Juniper::NasPortToIfIndex)
May 11 13:07:07 httpd.aaa(1693) INFO: [mac:00:21:cc:be:a1:3f] handling
radius autz request: from switch_ip => (172.22.0.201), connection_type =>
Ethernet-EAP,switch_mac => (54:e0:32:9c:1d:80), mac => [00:21:cc:be:a1:3f],
port => 94, username => "FCC\dberube" (pf::radius::authorize)
May 11 13:07:07 httpd.aaa(1693) WARN: [mac:00:21:cc:be:a1:3f]
(172.22.0.201) Sending REJECT since switch is unsupported
(pf::radius::_switchUnsupportedReply)
May 11 13:07:08 httpd.aaa(1693) WARN: [mac:00:21:cc:be:a1:3f] Couldn't
match interface name for NAS-Port. VLAN re-assignment and switch/port
accounting will be affected. (pf::Switch::Juniper::NasPortToIfIndex)
May 11 13:09:41 httpd.aaa(1693) WARN: [mac:00:21:cc:be:a1:3f] Couldn't
match interface name for NAS-Port. VLAN re-assignment and switch/port
accounting will be affected. (pf::Switch::Juniper::NasPortToIfIndex)
May 11 13:09:41 httpd.aaa(1693) INFO: [mac:00:21:cc:be:a1:3f] handling
radius autz request: from switch_ip => (172.22.0.201), connection_type =>
WIRED_MAC_AUTH,switch_mac => (54:e0:32:9c:1d:80), mac =>
[00:21:cc:be:a1:3f], port => 94, username => "0021ccbea13f"
(pf::radius::authorize)
May 11 13:09:41 httpd.aaa(1693) INFO: [mac:00:21:cc:be:a1:3f] is of status
unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
May 11 13:09:41 httpd.aaa(1693) INFO: [mac:00:21:cc:be:a1:3f]
(172.22.0.201) Added VLAN 98 to the returned RADIUS Access-Accept
(pf::Switch::returnRadiusAccessAccept)
May 11 13:09:41 httpd.aaa(1693) INFO: [mac:00:21:cc:be:a1:3f] Updating
locationlog from accounting request (pf::api::handle_accounting_metadata)


Here's the config from switches.conf

[172.22.0.201]
mode=production
Technology ServicesVlan=51
VoIPCDPDetect=N
VoIPDHCPDetect=N
AccessListMap=N
description=EX 4200
SNMPVersionTrap=2c
cliPwd=
cliTransport=SSH
UrlMap=N
registrationVlan=98
Technology ServicesRole=techsvcs_51
cliUser=packetfence
deauthMethod=RADIUS
type=Juniper::EX
VoIPLLDPDetect=N
isolationVlan=97
radiusSecret=
SNMPVersion=2c
cliEnablePwd=
voiceVlan=99

Thanks,
Dustin

On Wed, May 11, 2016 at 12:35 PM, Louis Munro  wrote:

> Hi Dustin,
>
> This looks like a potential connection type mismatch.
>
> Can you provide relevant parts of packetfence.log and the configuration of
> that switch as defined in conf/switches.conf?
>
> Regards,
> --
> Louis Munro
> lmu...@inverse.ca  ::  www.inverse.ca
> +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
> www.packetfence.org)
>
> On May 11, 2016, at 11:59 , Dustin Berube  wrote:
>
>
> (18) Wed May 11 11:25:31 2016: ERROR: rest: {"Reply-Message":"Network
> device does not support this mode of
> operation","control:PacketFence-Eap-Type":26,"control:PacketFence-Mac":"00:21:cc:be:a1:3f","control:PacketFence-Switch-Ip-Address":"172.22.0.201","control:PacketFence-Request-Time":1462980331,"control:PacketFence-IfIndex":94,"control:PacketFence-UserName":"FCC\\dberube","control:PacketFence-Connection-Type":"Ethernet-EAP","control:PacketFence-Switch-Mac":"54:e0:32:9c:1d:80","control:PacketFence-Switch-Id":"172.22.0.201"}
>
> Here's a link to the full radius debug:
> https://gist.github.com/dberube1/47a087fa894379d87f7c4324b70b1c4c
>
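
The packetfence.log excerpt above shows the mismatch Louis suspected: the same MAC on the same port is rejected when the connection type is Ethernet-EAP and accepted when it is WIRED_MAC_AUTH. The script below is an added example, not PacketFence code and not from any participant; it reads the httpd.aaa lines (a constructed copy of the posted excerpt, unwrapped to one event per line) and pairs each "handling radius autz request" line with the Access-Accept or REJECT that follows for that MAC, while counting the NAS-Port mapping warnings separately. The regular expressions are written against the line shapes visible in the thread and are assumptions about the log format beyond those lines.

```python
"""Correlate PacketFence httpd.aaa log lines into per-request outcomes.

Added example, not PacketFence code. It pairs each RADIUS authorize request with
the reply logged for the same MAC so a connection-type mismatch stands out.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample: the log excerpt posted in the thread, unwrapped so each event is one line.
SAMPLE_LOG = r"""
May 11 13:07:06 httpd.aaa(1693) INFO: [mac:00:21:cc:be:a1:3f] Found method CODE(0x7f89ee7ba2c8) for REST path /radius/rest/authorize (pf::WebAPI::REST::handler)
May 11 13:07:07 httpd.aaa(1693) WARN: [mac:00:21:cc:be:a1:3f] Couldn't match interface name for NAS-Port. VLAN re-assignment and switch/port accounting will be affected. (pf::Switch::Juniper::NasPortToIfIndex)
May 11 13:07:07 httpd.aaa(1693) INFO: [mac:00:21:cc:be:a1:3f] handling radius autz request: from switch_ip => (172.22.0.201), connection_type => Ethernet-EAP,switch_mac => (54:e0:32:9c:1d:80), mac => [00:21:cc:be:a1:3f], port => 94, username => "FCC\dberube" (pf::radius::authorize)
May 11 13:07:07 httpd.aaa(1693) WARN: [mac:00:21:cc:be:a1:3f] (172.22.0.201) Sending REJECT since switch is unsupported (pf::radius::_switchUnsupportedReply)
May 11 13:07:08 httpd.aaa(1693) WARN: [mac:00:21:cc:be:a1:3f] Couldn't match interface name for NAS-Port. VLAN re-assignment and switch/port accounting will be affected. (pf::Switch::Juniper::NasPortToIfIndex)
May 11 13:09:41 httpd.aaa(1693) WARN: [mac:00:21:cc:be:a1:3f] Couldn't match interface name for NAS-Port. VLAN re-assignment and switch/port accounting will be affected. (pf::Switch::Juniper::NasPortToIfIndex)
May 11 13:09:41 httpd.aaa(1693) INFO: [mac:00:21:cc:be:a1:3f] handling radius autz request: from switch_ip => (172.22.0.201), connection_type => WIRED_MAC_AUTH,switch_mac => (54:e0:32:9c:1d:80), mac => [00:21:cc:be:a1:3f], port => 94, username => "0021ccbea13f" (pf::radius::authorize)
May 11 13:09:41 httpd.aaa(1693) INFO: [mac:00:21:cc:be:a1:3f] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
May 11 13:09:41 httpd.aaa(1693) INFO: [mac:00:21:cc:be:a1:3f] (172.22.0.201) Added VLAN 98 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
May 11 13:09:41 httpd.aaa(1693) INFO: [mac:00:21:cc:be:a1:3f] Updating locationlog from accounting request (pf::api::handle_accounting_metadata)
"""

# Line shapes taken from the excerpt above (assumption: other log lines may differ).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<proc>\S+) (?P<level>[A-Z]+): "
    r"\[mac:(?P<mac>[0-9a-f:]{17})\] (?P<msg>.*)$"
)
AUTZ_RE = re.compile(
    r'switch_ip => \((?P<switch_ip>[^)]*)\), connection_type => (?P<ctype>[^,]+),'
    r'switch_mac => \((?P<switch_mac>[^)]*)\), mac => \[[^\]]*\], port => (?P<port>\d+), '
    r'username => "(?P<user>[^"]*)"'
)
REJECT_RE = re.compile(r"Sending REJECT since switch is unsupported")
ACCEPT_RE = re.compile(r"Added VLAN (?P<vlan>\d+) to the returned RADIUS Access-Accept")
NASPORT_WARNING = "Couldn't match interface name for NAS-Port"


def triage(log_text: str) -> Tuple[List[Dict[str, object]], Dict[str, int]]:
    """Pair every authorize request with the outcome logged for the same MAC.

    Returns (outcomes in log order, NAS-Port warning count per MAC)."""
    outcomes: List[Dict[str, object]] = []
    pending: Dict[str, Dict[str, object]] = {}  # mac -> request still waiting for a reply
    nasport_warnings: Counter = Counter()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        mac, msg = m["mac"], m["msg"]
        if NASPORT_WARNING in msg:
            nasport_warnings[mac] += 1
            continue
        a = AUTZ_RE.search(msg)
        if a:
            pending[mac] = {
                "time": m["ts"], "mac": mac, "switch_ip": a["switch_ip"],
                "connection_type": a["ctype"], "port": int(a["port"]),
                "username": a["user"], "outcome": None,
            }
            continue
        if mac not in pending:
            continue
        if REJECT_RE.search(msg):
            pending[mac]["outcome"] = "REJECT (switch unsupported)"
            outcomes.append(pending.pop(mac))
        else:
            c = ACCEPT_RE.search(msg)
            if c:
                pending[mac]["outcome"] = f"ACCEPT VLAN {c['vlan']}"
                outcomes.append(pending.pop(mac))
    return outcomes, dict(nasport_warnings)


def outcome_by_connection_type(outcomes: List[Dict[str, object]]) -> Dict[str, set]:
    """Collapse outcomes to {connection_type: {outcomes}} so an unsupported mode stands out."""
    table: Dict[str, set] = {}
    for o in outcomes:
        table.setdefault(str(o["connection_type"]), set()).add(str(o["outcome"]))
    return table


if __name__ == "__main__":
    sessions, warnings = triage(SAMPLE_LOG)
    for s in sessions:
        print(s["time"], s["mac"], s["connection_type"], s["username"], "->", s["outcome"])
    print("NAS-Port mapping warnings per MAC:", warnings)
    print(outcome_by_connection_type(sessions))
```

On the sample this yields two paired requests: Ethernet-EAP rejected as unsupported, WIRED_MAC_AUTH accepted into VLAN 98, plus three NAS-Port warnings for the one MAC, which is the shape of the problem in one screen rather than spread over the raw log.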

Re: [PacketFence-users] SSH not passing interface enable/disable commands

2016-05-11 Thread Louis Munro
Hi Dustin,

This looks like a potential connection type mismatch.

Can you provide relevant parts of packetfence.log and the configuration of that 
switch as defined in conf/switches.conf? 

Regards,
--
Louis Munro
lmu...@inverse.ca  ::  www.inverse.ca 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)

> On May 11, 2016, at 11:59 , Dustin Berube  wrote:
> 
> 
> (18) Wed May 11 11:25:31 2016: ERROR: rest: {"Reply-Message":"Network device 
> does not support this mode of 
> operation","control:PacketFence-Eap-Type":26,"control:PacketFence-Mac":"00:21:cc:be:a1:3f","control:PacketFence-Switch-Ip-Address":"172.22.0.201","control:PacketFence-Request-Time":1462980331,"control:PacketFence-IfIndex":94,"control:PacketFence-UserName":"FCC\\dberube","control:PacketFence-Connection-Type":"Ethernet-EAP","control:PacketFence-Switch-Mac":"54:e0:32:9c:1d:80","control:PacketFence-Switch-Id":"172.22.0.201"}
> 
> Here's a link to the full radius debug: 
> https://gist.github.com/dberube1/47a087fa894379d87f7c4324b70b1c4c 
> 
> 
> 



Re: [PacketFence-users] SSH not passing interface enable/disable commands

2016-05-11 Thread Dustin Berube
Tim,

I thought from my previous testing with Packetfence (approximately a year
ago) these switches worked with radius. However, when I try to enable
802.1x on a Windows 10 client, I receive this error after the
authentication succeeds. The error below appears on line 1543.

(18) Wed May 11 11:25:31 2016: ERROR: rest: {"Reply-Message":"Network
device does not support this mode of
operation","control:PacketFence-Eap-Type":26,"control:PacketFence-Mac":"00:21:cc:be:a1:3f","control:PacketFence-Switch-Ip-Address":"172.22.0.201","control:PacketFence-Request-Time":1462980331,"control:PacketFence-IfIndex":94,"control:PacketFence-UserName":"FCC\\dberube","control:PacketFence-Connection-Type":"Ethernet-EAP","control:PacketFence-Switch-Mac":"54:e0:32:9c:1d:80","control:PacketFence-Switch-Id":"172.22.0.201"}

Here's a link to the full radius debug:
https://gist.github.com/dberube1/47a087fa894379d87f7c4324b70b1c4c


I appreciate any thoughts you may have as to a solution.
Thanks,
Dustin

On Tue, May 10, 2016 at 3:34 PM, Tim DeNike  wrote:

> I don't run juniper switches but did evaluate them with packetfence.  they
> worked fine with radius.  Don't recall if they did coa or SNMP port
> bounce.  Didn't use the cli, though.
>
> Sent from my iPhone
>
> On May 10, 2016, at 3:25 PM, Dustin Berube 
> wrote:
>
> Hello,
>
> I'm having an issue with Packetfence 6.0.1 Zen not being able to bounce
> the ports on my Juniper switches using SSH. From the Juniper side I see the
> login was successful and all commands are processed, however the commands
> to disable/enable the interface are never sent. Below is the output of a
> trace on the Juniper side and the corresponding packetfence.log
>
> Notice the commit is sent immediately after entering configuration mode.
>
> I have tested this on a Juniper EX4200-48PX running Junos v14.1X53-D35.3
>
> Any suggestions would be appreciated. Let me know if you have any
> questions or if I can provide further information.
>
> Juniper cli-commands Debug
> ==
> May 10 18:16:30   sshd[4241]: Accepted keyboard-interactive/pam for
> packetfence from 172.30.40.10 port 54996 ssh2
> May 10 18:16:30   mgd[4246]: UI_AUTH_EVENT: Authenticated user
> 'packetfence' at permission level 'j-super-user'
> May 10 18:16:30   mgd[4246]: UI_LOGIN_EVENT: User 'packetfence' login,
> class 'j-super-user' [4246], ssh-connection '172.30.40.10 54996
> 172.22.0.201 22', client-mode 'cli'
> May 10 18:16:31   mgd[4246]: UI_CMDLINE_READ_LINE: User 'packetfence',
> command 'set cli screen-length 0 '
> May 10 18:16:31   mgd[4246]: UI_CMDLINE_READ_LINE: User 'packetfence',
> command 'configure '
> May 10 18:16:31   mgd[4246]: UI_DBASE_LOGIN_EVENT: User 'packetfence'
> entering configuration mode
> May 10 18:16:31   mgd[4246]: UI_CMDLINE_READ_LINE: User 'packetfence',
> command 'commit comment "admin link status change by PacketFence" '
> May 10 18:16:31   mgd[4246]: UI_COMMIT: User 'packetfence' requested
> 'commit' operation (comment: admin link status change by PacketFence)
> May 10 18:16:31   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: updating commit revision
> May 10 18:16:31   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: start loading commit script changes
> May 10 18:16:31   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: no commit script changes
> May 10 18:16:31   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: no transient commit script changes
> May 10 18:16:31   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: finished loading commit script changes
> May 10 18:16:31   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: copying juniper.db to juniper.data+
> May 10 18:16:31   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: finished copying juniper.db to juniper.data+
> May 10 18:16:31   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: exporting juniper.conf
> May 10 18:16:31   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: expanding interface-ranges
> May 10 18:16:31   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: finished expanding interface-ranges
> May 10 18:16:31   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: expanding groups
> May 10 18:16:31   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: finished expanding groups
> May 10 18:16:31   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: setup foreign files
> May 10 18:16:31   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: update license counters
> May 10 18:16:31   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: finish license counters
> May 10 18:16:31   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: propagating foreign files
> May 10 18:16:31   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: complete foreign files
> May 10 

Re: [PacketFence-users] SSH not passing interface enable/disable commands

2016-05-10 Thread Fabrice DURAND
Hello Dustin,

what happens if you do it directly from the switch?:
set interfaces $port disable
delete interfaces $port disable


Regards
Fabrice

On 2016-05-10 15:07, Dustin Berube wrote:
> Hello,
>
> I'm having an issue with Packetfence 6.0.1 Zen not being able to
> bounce the ports on my Juniper switches using SSH. From the Juniper
> side I see the login was successful and all commands are processed,
> however the commands to disable/enable the interface are never sent.
> Below is the output of a trace on the Juniper side and the
> corresponding packetfence.log 
>
> Notice the commit is sent immediately after entering configuration mode. 
>
> I have tested this on a Juniper EX4200-48PX running Junos v14.1X53-D35.3
>
> Any suggestions would be appreciated. Let me know if you have any
> questions or if I can provide further information.
>
> Juniper cli-commands Debug
> ==
> May 10 18:16:30   sshd[4241]: Accepted keyboard-interactive/pam for
> packetfence from 172.30.40.10 port 54996 ssh2
> May 10 18:16:30   mgd[4246]: UI_AUTH_EVENT: Authenticated user
> 'packetfence' at permission level 'j-super-user'
> May 10 18:16:30   mgd[4246]: UI_LOGIN_EVENT: User 'packetfence' login,
> class 'j-super-user' [4246], ssh-connection '172.30.40.10 54996
> 172.22.0.201 22', client-mode 'cli'
> May 10 18:16:31   mgd[4246]: UI_CMDLINE_READ_LINE: User 'packetfence',
> command 'set cli screen-length 0 '
> May 10 18:16:31   mgd[4246]: UI_CMDLINE_READ_LINE: User 'packetfence',
> command 'configure '
> May 10 18:16:31   mgd[4246]: UI_DBASE_LOGIN_EVENT: User 'packetfence'
> entering configuration mode
> May 10 18:16:31   mgd[4246]: UI_CMDLINE_READ_LINE: User 'packetfence',
> command 'commit comment "admin link status change by PacketFence" '
> May 10 18:16:31   mgd[4246]: UI_COMMIT: User 'packetfence' requested
> 'commit' operation (comment: admin link status change by PacketFence)
> May 10 18:16:31   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: updating commit revision
> May 10 18:16:31   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: start loading commit script changes
> May 10 18:16:31   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: no commit script changes
> May 10 18:16:31   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: no transient commit script changes
> May 10 18:16:31   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: finished loading commit script changes
> May 10 18:16:31   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: copying juniper.db to juniper.data+
> May 10 18:16:31   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: finished copying juniper.db to juniper.data+
> May 10 18:16:31   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: exporting juniper.conf
> May 10 18:16:31   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: expanding interface-ranges
> May 10 18:16:31   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: finished expanding interface-ranges
> May 10 18:16:31   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: expanding groups
> May 10 18:16:31   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: finished expanding groups
> May 10 18:16:31   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: setup foreign files
> May 10 18:16:31   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: update license counters
> May 10 18:16:31   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: finish license counters
> May 10 18:16:31   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: propagating foreign files
> May 10 18:16:31   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: complete foreign files
> May 10 18:16:31   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: dropping unchanged foreign files
> May 10 18:16:31   mgd[4246]: UI_CHILD_START: Starting child
> '/usr/sbin/ffp'
> May 10 18:16:31   mgd[4246]: UI_CHILD_STATUS: Cleanup child
> '/usr/sbin/ffp', PID 4250, status 0
> May 10 18:16:31   mgd[4246]: UI_CHILD_STATUS: Cleanup child
> '/usr/sbin/ffp', PID 4250, status 0
> May 10 18:16:31   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: daemons checking new configuration
> May 10 18:16:31   mgd[4246]: UI_CHILD_START: Starting child
> '/usr/sbin/ffp'
> May 10 18:16:32   mgd[4246]: UI_CHILD_STATUS: Cleanup child
> '/usr/sbin/ffp', PID 4261, status 0
> May 10 18:16:32   mgd[4246]: UI_CHILD_STATUS: Cleanup child
> '/usr/sbin/ffp', PID 4261, status 0
> May 10 18:16:32   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: commit wrapup...
> May 10 18:16:32   mgd[4246]: UI_COMMIT_PROGRESS: Commit operation in
> progress: start ffp activate
> May 10 18:16:32   mgd[4246]: UI_CHILD_START: Starting child
> '/usr/sbin/ffp'
> May 10 18:16:32   mgd[4246]: UI_CHILD_STATUS: Cleanup child
> '/usr/sbin/ffp', PID 4262, status 0
>
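
The Junos trace quoted above records every line mgd read (UI_CMDLINE_READ_LINE), which is what makes the symptom visible: `configure` is followed straight by `commit` with no `set` or `delete` in between. The following is an added example, not from the thread's participants and not PacketFence or Juniper code: it groups the UI_CMDLINE_READ_LINE events by mgd PID and flags any commit issued without a configuration change since entering configuration mode. SAMPLE_JUNOS_LOG is a constructed copy of the posted trace with each event on one line; HEALTHY_SESSION is a constructed session built from the two statements Fabrice asked about, with a placeholder port name.

```python
"""Spot Junos commits that carried no configuration change.

Added example, not PacketFence or Juniper code. It reads the mgd audit trail
(UI_CMDLINE_READ_LINE events) and flags a 'commit' issued without any
set/delete statement since 'configure'.
"""
import re
from typing import Dict, List

# Constructed sample: the trace posted in the thread, one event per line.
SAMPLE_JUNOS_LOG = """\
May 10 18:16:30   sshd[4241]: Accepted keyboard-interactive/pam for packetfence from 172.30.40.10 port 54996 ssh2
May 10 18:16:30   mgd[4246]: UI_AUTH_EVENT: Authenticated user 'packetfence' at permission level 'j-super-user'
May 10 18:16:30   mgd[4246]: UI_LOGIN_EVENT: User 'packetfence' login, class 'j-super-user' [4246], ssh-connection '172.30.40.10 54996 172.22.0.201 22', client-mode 'cli'
May 10 18:16:31   mgd[4246]: UI_CMDLINE_READ_LINE: User 'packetfence', command 'set cli screen-length 0 '
May 10 18:16:31   mgd[4246]: UI_CMDLINE_READ_LINE: User 'packetfence', command 'configure '
May 10 18:16:31   mgd[4246]: UI_DBASE_LOGIN_EVENT: User 'packetfence' entering configuration mode
May 10 18:16:31   mgd[4246]: UI_CMDLINE_READ_LINE: User 'packetfence', command 'commit comment "admin link status change by PacketFence" '
May 10 18:16:31   mgd[4246]: UI_COMMIT: User 'packetfence' requested 'commit' operation (comment: admin link status change by PacketFence)
"""

# Constructed healthy session: what a port bounce should look like in the audit trail,
# using the two statements Fabrice mentioned (ge-0/0/1 is a placeholder port).
HEALTHY_SESSION = [
    "configure",
    "set interfaces ge-0/0/1 disable",
    "commit",
    "delete interfaces ge-0/0/1 disable",
    "commit",
    "exit",
]

# Event shape taken from the trace above (assumption: other Junos releases may format it differently).
CMD_RE = re.compile(
    r"mgd\[(?P<pid>\d+)\]: UI_CMDLINE_READ_LINE: User '(?P<user>[^']+)', command '(?P<cmd>.*)'$"
)
# Configuration-mode statements that modify the candidate configuration.
CHANGE_VERBS = ("set ", "delete ", "deactivate ", "activate ", "load ", "rename ", "insert ", "replace ", "copy ")


def commands_per_session(log_text: str) -> Dict[str, List[str]]:
    """Group UI_CMDLINE_READ_LINE events by mgd PID (one PID per CLI session)."""
    sessions: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        m = CMD_RE.search(line)
        if m:
            sessions.setdefault(m["pid"], []).append(m["cmd"].strip())
    return sessions


def empty_commits(commands: List[str]) -> List[int]:
    """Indexes of 'commit' commands issued with nothing changed since entering configuration mode.

    Operational-mode 'set cli ...' is not a change; only statements typed after 'configure' count."""
    flagged: List[int] = []
    in_config = False
    changed = False
    for idx, cmd in enumerate(commands):
        if not in_config:
            if cmd.startswith("configure"):
                in_config, changed = True, False
            continue
        if cmd.startswith(CHANGE_VERBS):
            changed = True
        elif cmd.startswith("commit"):
            if not changed:
                flagged.append(idx)
            changed = False
        elif cmd in ("exit", "quit", "exit configuration-mode"):
            in_config = False
    return flagged


if __name__ == "__main__":
    for pid, cmds in commands_per_session(SAMPLE_JUNOS_LOG).items():
        for idx in empty_commits(cmds):
            print(f"mgd[{pid}]: commit without a preceding change: {cmds[idx]!r}")
    print("healthy session:", empty_commits(HEALTHY_SESSION))
```

On the posted trace the commit at index 2 of session 4246 is flagged; the healthy session produces nothing. The same check is useful as a detection on the switch side generally: a management account that commits without changing anything is either broken automation, as here, or a session worth a closer look.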