Re: [PacketFence-users] Successfully passed 802.1x auth but no network access
Hello Yan,

sorry for the delay.

So why don't you join pf2 to ad2? I think it will be simpler and will probably fix your issue.

Regards
Fabrice

On 2018-01-15 at 11:17, Yan wrote:
> Yes. They have the same domain/users but on different servers. Both of
> them can authenticate all our users.
>
> -- Original --
> From: Fabrice Durand
> Date: Jan 15, 2018 22:13
> To: Yan <1136723...@qq.com>, packetfence-users
> Subject: Re: [PacketFence-users] Successfully passed 802.1x auth but
> no network access
>
> Hello Yan,
>
> are AD1 and AD2 the same? (same domain/users ...)
>
> Regards
> Fabrice
>
> On 2018-01-15 at 00:41, Yan wrote:
>> Hi Durand,
>>
>> I installed netdata on my pf server and have not found any network issue
>> yet (I'm learning to use it). But there is another case, and I'm not sure
>> if it is related to the authentication issue.
>> We have 2 PF servers: pf1 is in office A and pf2 is in office B. We
>> also have 2 domain servers (for AD and DNS): AD1 is in office A and
>> AD2 is in office B.
>> In the Configuration--Policy and access control--Domains--Active
>> Directory Domains menu of both PF servers, I added and joined the
>> same domain AD1 (domain in office A).
>> But in the Configuration--Policy and access control--Authentication
>> Sources menu, I added domain AD1 to pf1, and AD2 to pf2.
>> And for the connection profile, I chose AD1 as authentication source
>> on pf1, and chose AD2 as authentication source on pf2. I don't know
>> if I described it clearly, so I drew a picture to make it clearer.
>> Would this cause the previous strange issue?

--
Fabrice Durand
fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

--
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Successfully passed 802.1x auth but no network access
Yes. They have the same domain/users but on different servers. Both of them can authenticate all our users.

-- Original --
From: Fabrice Durand
Date: Jan 15, 2018 22:13
To: Yan <1136723...@qq.com>, packetfence-users
Subject: Re: [PacketFence-users] Successfully passed 802.1x auth but no network access

Hello Yan,

are AD1 and AD2 the same? (same domain/users ...)

Regards
Fabrice

On 2018-01-15 at 00:41, Yan wrote:
> Hi Durand,
>
> I installed netdata on my pf server and have not found any network issue yet (I'm learning to use it). But there is another case, and I'm not sure if it is related to the authentication issue.
> We have 2 PF servers: pf1 is in office A and pf2 is in office B. We also have 2 domain servers (for AD and DNS): AD1 is in office A and AD2 is in office B.
> In the Configuration--Policy and access control--Domains--Active Directory Domains menu of both PF servers, I added and joined the same domain AD1 (domain in office A).
> But in the Configuration--Policy and access control--Authentication Sources menu, I added domain AD1 to pf1, and AD2 to pf2.
> And for the connection profile, I chose AD1 as authentication source on pf1, and chose AD2 as authentication source on pf2. I don't know if I described it clearly, so I drew a picture to make it clearer.
> Would this cause the previous strange issue?

--
Fabrice Durand
fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

[PacketFence-users] Successfully passed 802.1x auth but no network access
Hi dear users,

We use PF V7.3 in our office, integrated with Aruba AC. Recently our wireless behaves very strangely. Some users can connect to wireless, pass the 802.1x auth and get the correct role and IP, but they just can't access any network. There is nothing weird in the PF logs. But when we check the Aruba AC logs, we can see many "User miss" logs. I don't know what caused this issue, but now our network team said the previous ACS didn't have this issue and asked us to check pf's problem. Has anyone ever met this issue?

Jan 10 10:49:54 172.26.2.230 Jan 10 10:49:52 2018 WHZH-7210-1 authmgr[4111]: <522050> <4111> MAC=f4:cc:89:e8:2a:d3,IP=172.26.36.202 User data downloaded to datapath, new Role=Didi-Guest-acl-prof/80, bw Contract=0/0, reason=New user IP processing, idle-timeout=300
Jan 10 10:49:54 172.26.2.230 Jan 10 10:49:52 2018 WHZH-7210-1 authmgr[4111]: <522026> <4111> MAC=f4:cc:89:e8:2a:d3 IP=172.26.36.202 User miss: ingress=0x1041e, VLAN=205 flags=0x4000c040
Jan 10 10:49:54 172.26.2.230 Jan 10 10:49:52 2018 WHZH-7210-1 authmgr[4111]: <522050> <4111> MAC=8e:85:00:80:79:ff,IP=172.26.18.2 User data downloaded to datapath, new Role=employees/78, bw Contract=0/0, reason=New user IP processing, idle-timeout=15300
Jan 10 10:49:54 172.26.2.230 Jan 10 10:49:52 2018 WHZH-7210-1 authmgr[4111]: <522026> <4111> MAC=8e:85:00:80:79:ff IP=172.26.18.2 User miss: ingress=0x1048c, VLAN=204 flags=0x4000c040
Jan 10 10:49:54 172.26.2.230 Jan 10 10:49:52 2018 WHZH-7210-1 authmgr[4111]: <522050> <4111> MAC=84:44:67:4f:57:55,IP=172.26.33.243 User data downloaded to datapath, new Role=employees/78, bw Contract=0/0, reason=New user IP processing, idle-timeout=15300
Jan 10 10:49:54 172.26.2.230 Jan 10 10:49:52 2018 WHZH-7210-1 authmgr[4111]: <522026> <4111> MAC=84:44:67:4f:57:55 IP=172.26.33.243 User miss: ingress=0x10399, VLAN=203

BTW, I commented out acct-session-id in /usr/local/pf/lib/pf/Switch/Aruba.pm since we found pf can't disconnect devices with acctsessionid. Not sure if this action caused the error.
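
Added example (not part of the original thread, and not PacketFence or Aruba code): a small parser that tallies the authmgr entries quoted in the post per client, so it is easy to see which MACs and VLANs log "User miss" while also holding a role. The function names are hypothetical; six sample lines are copied from the post and the last one is constructed.

```python
import re
from collections import defaultdict

# Six lines copied from the post; the last line is constructed (role, no miss).
SAMPLE = """\
Jan 10 10:49:54 172.26.2.230 Jan 10 10:49:52 2018 WHZH-7210-1 authmgr[4111]: <522050> <4111> MAC=f4:cc:89:e8:2a:d3,IP=172.26.36.202 User data downloaded to datapath, new Role=Didi-Guest-acl-prof/80, bw Contract=0/0, reason=New user IP processing, idle-timeout=300
Jan 10 10:49:54 172.26.2.230 Jan 10 10:49:52 2018 WHZH-7210-1 authmgr[4111]: <522026> <4111> MAC=f4:cc:89:e8:2a:d3 IP=172.26.36.202 User miss: ingress=0x1041e, VLAN=205 flags=0x4000c040
Jan 10 10:49:54 172.26.2.230 Jan 10 10:49:52 2018 WHZH-7210-1 authmgr[4111]: <522050> <4111> MAC=8e:85:00:80:79:ff,IP=172.26.18.2 User data downloaded to datapath, new Role=employees/78, bw Contract=0/0, reason=New user IP processing, idle-timeout=15300
Jan 10 10:49:54 172.26.2.230 Jan 10 10:49:52 2018 WHZH-7210-1 authmgr[4111]: <522026> <4111> MAC=8e:85:00:80:79:ff IP=172.26.18.2 User miss: ingress=0x1048c, VLAN=204 flags=0x4000c040
Jan 10 10:49:54 172.26.2.230 Jan 10 10:49:52 2018 WHZH-7210-1 authmgr[4111]: <522050> <4111> MAC=84:44:67:4f:57:55,IP=172.26.33.243 User data downloaded to datapath, new Role=employees/78, bw Contract=0/0, reason=New user IP processing, idle-timeout=15300
Jan 10 10:49:54 172.26.2.230 Jan 10 10:49:52 2018 WHZH-7210-1 authmgr[4111]: <522026> <4111> MAC=84:44:67:4f:57:55 IP=172.26.33.243 User miss: ingress=0x10399, VLAN=203
Jan 10 10:49:54 192.0.2.1 Jan 10 10:49:52 2018 EXAMPLE-CTRL authmgr[4111]: <522050> <4111> MAC=02:00:00:00:00:01,IP=192.0.2.10 User data downloaded to datapath, new Role=employees/78, bw Contract=0/0, reason=New user IP processing, idle-timeout=15300
"""

LINE = re.compile(
    r"authmgr\[\d+\]: <(?P<msgid>\d+)> <\d+>\s+MAC=(?P<mac>[0-9a-f:]{17})"
    r"[ ,]+IP=(?P<ip>[\d.]+)\s+(?P<rest>.*)$", re.IGNORECASE)
ROLE = re.compile(r"new Role=([^,]+)")
VLAN = re.compile(r"VLAN=(\d+)")

def summarize(text):
    """Return {mac: {ip, role, misses, vlans}} from authmgr syslog lines."""
    clients = defaultdict(lambda: {"ip": None, "role": None, "misses": 0, "vlans": set()})
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        c = clients[m["mac"].lower()]
        c["ip"] = m["ip"]
        if m["msgid"] == "522050":      # "User data downloaded to datapath"
            role = ROLE.search(m["rest"])
            if role:
                c["role"] = role.group(1)
        elif m["msgid"] == "522026":    # "User miss"
            c["misses"] += 1
            vlan = VLAN.search(m["rest"])
            if vlan:
                c["vlans"].add(int(vlan.group(1)))
    return dict(clients)

def role_and_miss(clients):
    """MACs that hold a role yet also logged at least one User miss."""
    return sorted(mac for mac, c in clients.items() if c["role"] and c["misses"])

if __name__ == "__main__":
    for mac in role_and_miss(summarize(SAMPLE)):
        print(mac)
```
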