Re: [PacketFence-users] VLAN Assignment for MAB clients

2018-12-11 Thread Tobias Friede via PacketFence-users
Hi,

>
> *Just go into the Audit Log or Node Tab, select the device, set the State
> to registered and choose the desired role :) *
> *Reevaluate access or restart Switchport => You should get the specified
> rule. *
>
> I had tried this before and it was not working. Maybe because it was a
> VoIP device PacketFence did not assign the VLAN. When I tried it on another
> device that is not VoIP, it worked.
>

Correct, if a device is detected as a voice device, PacketFence only sends
the VSA and the switch puts the device in the configured voice VLAN.

Thanks for the help!
>

You are welcome :)

--
> *From:* Tobias Friede 
> *Sent:* Tuesday, December 11, 2018 12:39:20 AM
> *To:* Anton Castelli
> *Cc:* packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] VLAN Assignment for MAB clients
>
>
>
>
> Thanks for the information on the switch config. We are considering a
> support subscription, however we are still in the demo/testing/evaluation
> phase.
>
>
>  You are welcome :)
>
> Fabrice,
>
>
> Thanks for the patch.
>
>
> I think the critical part was the "getVoipVsa" function returning the
> "device-traffic-class=voice" RADIUS attribute. I had also been in contact
> with Dell support about the VoIP phone being assigned to the default (data)
> VLAN. They suggested sending this attribute. Apparently it is supported
> since the 6.5 version of DNOS. I was actually working on a pull request
> with this added to the Dell::N1500 object. Should I continue with that pull
> request or will the update be included in the next version of PacketFence?
> Also, see issue 3479
> <https://github.com/inverse-inc/packetfence/issues/3479>
> on Github. I did not submit it, but it seems relevant.
>
>
> I thought that this is already included in GitHub
> It's my post.
>
>
>
> Although this solves the issue with VoIP devices, we still would like to
> be able to assign VLANs to other non-802.1x devices. There are many types
> of devices that do not support 802.1x, but we still want to be able to
> assign a VLAN to them, even if we have to set the role manually. For
> example, printers/scanners/copiers, network TVs, game consoles, etc.
>
>
> So, the question still remains: How do we assign a VLAN to a MAB device?
>
>
> Just go into the Audit Log or Node Tab, select the device, set the State
> to registered and choose the desired role :)
> Reevaluate access or restart Switchport => You should get the specified
> rule.
>
>
> Tobias
>
>
>
> *From:* Tobias Friede via PacketFence-users <
> packetfence-users@lists.sourceforge.net>
> *Sent:* Saturday, December 8, 2018 3:47:48 AM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Tobias Friede
> *Subject:* Re: [PacketFence-users] VLAN Assignment for MAB clients
>
> I can say that the N2000 series from DELL should work pretty well with
> PacketFence.
> We had tested exactly that switch model with PacketFence and solved some
> issues together with Inverse a few months ago (Support Subscription is
> pretty useful ;) )
>
> The config written in the PacketFence documentation doesn't fit the
> actual Dell OS... especially the MAB Config.
>
> *Here is my well tested DELL Config:*
> aaa accounting dot1x default start-stop radius
> authentication enable
> dot1x system-auth-control
> aaa authentication dot1x default radius
> aaa authorization network default radius
> dot1x dynamic-vlan enable
>
> aaa server radius dynamic-author
> client  server-key 7 "XXX"
> exit
>
> radius server auth 
> name "PacketFence"
> usage 802.1x
> key 7 "XXX"
> exit
>
> radius server acct 
> name "Default-RADIUS-Server"
> key 7 "XXX"
> exit
>
> radius server vsa send authentication
> ip ssh server
>
> *AND ON ALL NAC INTERFACES *
>
> switchport mode general
> dot1x port-control mac-based
> dot1x reauthentication
> dot1x timeout guest-vlan-period 10
> dot1x unauth-vlan 931
> mab
> default mab pap
> authentication order dot1x mab
> authentication priority dot1x
> lldp tlv-select system-description system-capabilities
> lldp notification
> lldp med confignotification
> switchport voice vlan 205
>
>
>
>
> On Fri, Dec 7, 2018 at 16:50, Anton Castelli via
> PacketFence-users wrote:
>
> Fabrice,
>
>
> I've attached the relevant part of t

Re: [PacketFence-users] VLAN Assignment for MAB clients

2018-12-11 Thread Anton Castelli via PacketFence-users
Tobias,


Just go into the Audit Log or Node Tab, select the device, set the State to 
registered and choose the desired role :)
Reevaluate access or restart Switchport => You should get the specified rule.

I had tried this before and it was not working. Maybe because it was a VoIP 
device PacketFence did not assign the VLAN. When I tried it on another device 
that is not VoIP, it worked.


Thanks for the help!


--
ANTON CASTELLI
Network Engineer IV

INFORMATION TECHNOLOGY
MAIL CODE 4622
SOUTHERN ILLINOIS UNIVERSITY
625 WHAM DRIVE
CARBONDALE, ILLINOIS 62901

anton.caste...@siu.edu<mailto:ac14...@siu.edu>
P: 618/453-6424
OIT.SIU.EDU<http://oit.siu.edu/networkengineering>

From: Tobias Friede 
Sent: Tuesday, December 11, 2018 12:39:20 AM
To: Anton Castelli
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] VLAN Assignment for MAB clients





Thanks for the information on the switch config. We are considering a support 
subscription, however we are still in the demo/testing/evaluation phase.


 You are welcome :)

Fabrice,


Thanks for the patch.


I think the critical part was the "getVoipVsa" function returning the 
"device-traffic-class=voice" RADIUS attribute. I had also been in contact with 
Dell support about the VoIP phone being assigned to the default (data) VLAN. 
They suggested sending this attribute. Apparently it is supported since the 6.5 
version of DNOS. I was actually working on a pull request with this added to 
the Dell::N1500 object. Should I continue with that pull request or will the 
update be included in the next version of PacketFence? Also, see issue 
3479 <https://github.com/inverse-inc/packetfence/issues/3479>
on Github. I did not submit it, but it seems relevant.

I thought that this is already included in GitHub
It's my post.



Although this solves the issue with VoIP devices, we still would like to be 
able to assign VLANs to other non-802.1x devices. There are many types of 
devices that do not support 802.1x, but we still want to be able to assign a 
VLAN to them, even if we have to set the role manually. For example, 
printers/scanners/copiers, network TVs, game consoles, etc.


So, the question still remains: How do we assign a VLAN to a MAB device?

Just go into the Audit Log or Node Tab, select the device, set the State to 
registered and choose the desired role :)
Reevaluate access or restart Switchport => You should get the specified rule.


Tobias



From: Tobias Friede via PacketFence-users <packetfence-users@lists.sourceforge.net>
Sent: Saturday, December 8, 2018 3:47:48 AM
To: packetfence-users@lists.sourceforge.net
Cc: Tobias Friede
Subject: Re: [PacketFence-users] VLAN Assignment for MAB clients

I can say that the N2000 series from DELL should work pretty well with 
PacketFence.
We had tested exactly that switch model with PacketFence and solved some issues 
together with Inverse a few months ago (Support Subscription is pretty useful 
;) )

The config written in the PacketFence documentation doesn't fit the actual 
Dell OS... especially the MAB Config.

Here is my well tested DELL Config:
aaa accounting dot1x default start-stop radius
authentication enable
dot1x system-auth-control
aaa authentication dot1x default radius
aaa authorization network default radius
dot1x dynamic-vlan enable

aaa server radius dynamic-author
client  server-key 7 "XXX"
exit

radius server auth 
name "PacketFence"
usage 802.1x
key 7 "XXX"
exit

radius server acct 
name "Default-RADIUS-Server"
key 7 "XXX"
exit

radius server vsa send authentication
ip ssh server

AND ON ALL NAC INTERFACES

switchport mode general
dot1x port-control mac-based
dot1x reauthentication
dot1x timeout guest-vlan-period 10
dot1x unauth-vlan 931
mab
default mab pap
authentication order dot1x mab
authentication priority dot1x
lldp tlv-select system-description system-capabilities
lldp notification
lldp med confignotification
switchport voice vlan 205




On Fri, Dec 7, 2018 at 16:50, Anton Castelli via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:

Fabrice,


I've attached the relevant part of the packetfence.log. Some of the information 
has been masked. The MAC "35:aa" is a laptop with the 802.1x supplicant 
configured with a username and password from our Active Directory. The MAC 
"39:46" is a VoIP phone with no 802.1x capability that is falling back to MAB 
authentication.


Ludovic,

In this case it is a Dell N2024P and I'm using the "Dell::N1500" type when I 
added it to 

Re: [PacketFence-users] VLAN Assignment for MAB clients

2018-12-11 Thread Anton Castelli via PacketFence-users
Tobias,


Thanks for the information on the switch config. We are considering a support 
subscription, however we are still in the demo/testing/evaluation phase.



Fabrice,


Thanks for the patch.


I think the critical part was the "getVoipVsa" function returning the 
"device-traffic-class=voice" RADIUS attribute. I had also been in contact with 
Dell support about the VoIP phone being assigned to the default (data) VLAN. 
They suggested sending this attribute. Apparently it is supported since the 6.5 
version of DNOS. I was actually working on a pull request with this added to 
the Dell::N1500 object. Should I continue with that pull request or will the 
update be included in the next version of PacketFence? Also, see issue 
3479<https://github.com/inverse-inc/packetfence/issues/3479> on Github. I did 
not submit it, but it seems relevant.


Although this solves the issue with VoIP devices, we still would like to be 
able to assign VLANs to other non-802.1x devices. There are many types of 
devices that do not support 802.1x, but we still want to be able to assign a 
VLAN to them, even if we have to set the role manually. For example, 
printers/scanners/copiers, network TVs, game consoles, etc.


So, the question still remains: How do we assign a VLAN to a MAB device?


Thanks,


--
ANTON CASTELLI
Network Engineer IV

INFORMATION TECHNOLOGY
MAIL CODE 4622
SOUTHERN ILLINOIS UNIVERSITY
625 WHAM DRIVE
CARBONDALE, ILLINOIS 62901

anton.caste...@siu.edu<mailto:ac14...@siu.edu>
P: 618/453-6424
OIT.SIU.EDU<http://oit.siu.edu/networkengineering>

From: Tobias Friede via PacketFence-users 

Sent: Saturday, December 8, 2018 3:47:48 AM
To: packetfence-users@lists.sourceforge.net
Cc: Tobias Friede
Subject: Re: [PacketFence-users] VLAN Assignment for MAB clients

I can say that the N2000 series from DELL should work pretty well with 
PacketFence.
We had tested exactly that switch model with PacketFence and solved some issues 
together with Inverse a few months ago (Support Subscription is pretty useful 
;) )

The config written in the PacketFence documentation doesn't fit the actual 
Dell OS... especially the MAB Config.

Here is my well tested DELL Config:
aaa accounting dot1x default start-stop radius
authentication enable
dot1x system-auth-control
aaa authentication dot1x default radius
aaa authorization network default radius
dot1x dynamic-vlan enable

aaa server radius dynamic-author
client  server-key 7 "XXX"
exit

radius server auth 
name "PacketFence"
usage 802.1x
key 7 "XXX"
exit

radius server acct 
name "Default-RADIUS-Server"
key 7 "XXX"
exit

radius server vsa send authentication
ip ssh server

AND ON ALL NAC INTERFACES

switchport mode general
dot1x port-control mac-based
dot1x reauthentication
dot1x timeout guest-vlan-period 10
dot1x unauth-vlan 931
mab
default mab pap
authentication order dot1x mab
authentication priority dot1x
lldp tlv-select system-description system-capabilities
lldp notification
lldp med confignotification
switchport voice vlan 205




On Fri, Dec 7, 2018 at 16:50, Anton Castelli via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:

Fabrice,


I've attached the relevant part of the packetfence.log. Some of the information 
has been masked. The MAC "35:aa" is a laptop with the 802.1x supplicant 
configured with a username and password from our Active Directory. The MAC 
"39:46" is a VoIP phone with no 802.1x capability that is falling back to MAB 
authentication.


Ludovic,

In this case it is a Dell N2024P and I'm using the "Dell::N1500" type when I 
added it to Packetfence. I also have a Cisco 2960 that I can test with.

Thanks,


--
ANTON CASTELLI
Network Engineer IV

INFORMATION TECHNOLOGY
MAIL CODE 4622
SOUTHERN ILLINOIS UNIVERSITY
625 WHAM DRIVE
CARBONDALE, ILLINOIS 62901

anton.caste...@siu.edu<mailto:ac14...@siu.edu>
P: 618/453-6424
OIT.SIU.EDU<http://oit.siu.edu/networkengineering>

From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Friday, December 7, 2018 6:46:07 AM
To: Anton Castelli
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] VLAN Assignment for MAB clients

Hello Anton,

Which kind of switch / network equipment are you using for the authentication ?

Thanks,

Ludovic Zammit
lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo 
(http://www.sogo.nu

Re: [PacketFence-users] VLAN Assignment for MAB clients

2018-12-08 Thread Tobias Friede via PacketFence-users
I can say that the N2000 series from DELL should work pretty well with
PacketFence.
We had tested exactly that switch model with PacketFence and solved some
issues together with Inverse a few months ago (Support Subscription is
pretty useful ;) )

The config written in the PacketFence documentation doesn't fit the
actual Dell OS... especially the MAB Config.

*Here is my well tested DELL Config:*
aaa accounting dot1x default start-stop radius
authentication enable
dot1x system-auth-control
aaa authentication dot1x default radius
aaa authorization network default radius
dot1x dynamic-vlan enable

aaa server radius dynamic-author
client  server-key 7 "XXX"
exit

radius server auth 
name "PacketFence"
usage 802.1x
key 7 "XXX"
exit

radius server acct 
name "Default-RADIUS-Server"
key 7 "XXX"
exit

radius server vsa send authentication
ip ssh server

*AND ON ALL NAC INTERFACES *

switchport mode general
dot1x port-control mac-based
dot1x reauthentication
dot1x timeout guest-vlan-period 10
dot1x unauth-vlan 931
mab
default mab pap
authentication order dot1x mab
authentication priority dot1x
lldp tlv-select system-description system-capabilities
lldp notification
lldp med confignotification
switchport voice vlan 205




On Fri, Dec 7, 2018 at 16:50, Anton Castelli via
PacketFence-users wrote:

> Fabrice,
>
>
> I've attached the relevant part of the packetfence.log. Some of the
> information has been masked. The MAC "35:aa" is a laptop with the 802.1x
> supplicant configured with a username and password from our Active
> Directory. The MAC "39:46" is a VoIP phone with no 802.1x capability that
> is falling back to MAB authentication.
>
>
>
> Ludovic,
>
> In this case it is a Dell N2024P and I'm using the "Dell::N1500" type when
> I added it to Packetfence. I also have a Cisco 2960 that I can test with.
>
> Thanks,
>
>
> --
> ANTON CASTELLI
> Network Engineer IV
>
> INFORMATION TECHNOLOGY
> MAIL CODE 4622
> SOUTHERN ILLINOIS UNIVERSITY
> 625 WHAM DRIVE
> CARBONDALE, ILLINOIS 62901
>
> anton.caste...@siu.edu 
> P: 618/453-6424
> OIT.SIU.EDU <http://oit.siu.edu/networkengineering>
> --------------
> *From:* Ludovic Zammit 
> *Sent:* Friday, December 7, 2018 6:46:07 AM
> *To:* Anton Castelli
> *Cc:* packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] VLAN Assignment for MAB clients
>
> Hello Anton,
>
> Which kind of switch / network equipment are you using for the
> authentication ?
>
> Thanks,
>
>
> Ludovic Zammit
> lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu)
> and PacketFence (http://packetfence.org)
>
>
>
>
>
> On Dec 6, 2018, at 3:03 PM, Anton Castelli via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> I'm pretty new to Packetfence. I have a demo server set up and working. It
> authenticates 802.1x clients against our Active Directory, can assign them
> a role based on their LDAP group, and can assign them a VLAN based on their
> role.
>
> Non-802.1x devices that fall back to MAB can also authenticate once I've
> manually registered the device. I can also set a role manually for the
> device. However, the VLAN assignment for that role is not passed back to
> the switch.
>
> I've confirmed that the VLAN assignment for that role is working. I put a
> 802.1x client in that role and the VLAN assignment works. A MAB client in
> the same role on the same switch will not have a VLAN assignment passed
> back to the switch.
>
> RADIUS response for 802.1x client:
>
> <8021x.png>
>
> RADIUS response for MAB client:
>
> 
>
> Is there a way to configure Packetfence to assign a VLAN on the switch for
> a MAB client?
>
> Thanks,
>
> --
> ANTON CASTELLI
> Network Engineer IV
>
> INFORMATION TECHNOLOGY
> MAIL CODE 4622

Re: [PacketFence-users] VLAN Assignment for MAB clients

2018-12-07 Thread Durand fabrice via PacketFence-users

Hello Anton,

As I can see, both are doing 802.1x (Ethernet-EAP), but I suspect that the 
phone is doing EAP-MD5 and not PAP.



Can you try to add that in the switch interface config:

default mab pap


Also, I made some changes with a client to have better support for VoIP 
on the Dell switches (you need to configure SNMP to allow PacketFence to 
do some requests):


https://github.com/inverse-inc/packetfence/compare/feature/DELL_lldp.diff


If you want to try you just have to do the following:

cd /usr/local/pf

curl https://github.com/inverse-inc/packetfence/compare/feature/DELL_lldp.diff | patch -p1 --dry-run


If there is no error:

curl https://github.com/inverse-inc/packetfence/compare/feature/DELL_lldp.diff | patch -p1



Then restart packetfence.

Regards

Fabrice



On 18-12-07 at 09:29, Anton Castelli via PacketFence-users wrote:


Fabrice,


I've attached the relevant part of the packetfence.log. Some of the 
information has been masked. The MAC "35:aa" is a laptop with the 
802.1x supplicant configured with a username and password from our 
Active Directory. The MAC "39:46" is a VoIP phone with no 802.1x 
capability that is falling back to MAB authentication.




Ludovic,

In this case it is a Dell N2024P and I'm using the "Dell::N1500" type 
when I added it to Packetfence. I also have a Cisco 2960 that I can 
test with.


Thanks,


--
ANTON CASTELLI
Network Engineer IV

INFORMATION TECHNOLOGY
MAIL CODE 4622
SOUTHERN ILLINOIS UNIVERSITY
625 WHAM DRIVE
CARBONDALE, ILLINOIS 62901

anton.caste...@siu.edu <mailto:ac14...@siu.edu>
P: 618/453-6424
OIT.SIU.EDU <http://oit.siu.edu/networkengineering>

*From:* Ludovic Zammit 
*Sent:* Friday, December 7, 2018 6:46:07 AM
*To:* Anton Castelli
*Cc:* packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] VLAN Assignment for MAB clients
Hello Anton,

Which kind of switch / network equipment are you using for the 
authentication ?


Thanks,
Ludovic Zammit
lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu)
and PacketFence (http://packetfence.org)




On Dec 6, 2018, at 3:03 PM, Anton Castelli via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:


I'm pretty new to Packetfence. I have a demo server set up and 
working. It authenticates 802.1x clients against our Active 
Directory, can assign them a role based on their LDAP group, and can 
assign them a VLAN based on their role.


Non-802.1x devices that fall back to MAB can also authenticate 
once I've manually registered the device. I can also set a role 
manually for the device. However, the VLAN assignment for that role 
is not passed back to the switch.


I've confirmed that the VLAN assignment for that role is working. I 
put a 802.1x client in that role and the VLAN assignment works. A MAB 
client in the same role on the same switch will not have a VLAN 
assignment passed back to the switch.


RADIUS response for 802.1x client:

<8021x.png>

RADIUS response for MAB client:



Is there a way to configure Packetfence to assign a VLAN on the 
switch for a MAB client?


Thanks,

--
ANTON CASTELLI
Network Engineer IV

INFORMATION TECHNOLOGY
MAIL CODE 4622
SOUTHERN ILLINOIS UNIVERSITY
625 WHAM DRIVE
CARBONDALE, ILLINOIS 62901

anton.caste...@siu.edu <mailto:ac14...@siu.edu>
P:618/453-6424 
OIT.SIU.EDU <http://oit.siu.edu/networkengineering>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users





Re: [PacketFence-users] VLAN Assignment for MAB clients

2018-12-07 Thread Anton Castelli via PacketFence-users
Fabrice,


I've attached the relevant part of the packetfence.log. Some of the information 
has been masked. The MAC "35:aa" is a laptop with the 802.1x supplicant 
configured with a username and password from our Active Directory. The MAC 
"39:46" is a VoIP phone with no 802.1x capability that is falling back to MAB 
authentication.


Ludovic,

In this case it is a Dell N2024P and I'm using the "Dell::N1500" type when I 
added it to Packetfence. I also have a Cisco 2960 that I can test with.

Thanks,


--
ANTON CASTELLI
Network Engineer IV

INFORMATION TECHNOLOGY
MAIL CODE 4622
SOUTHERN ILLINOIS UNIVERSITY
625 WHAM DRIVE
CARBONDALE, ILLINOIS 62901

anton.caste...@siu.edu<mailto:ac14...@siu.edu>
P: 618/453-6424
OIT.SIU.EDU<http://oit.siu.edu/networkengineering>

From: Ludovic Zammit 
Sent: Friday, December 7, 2018 6:46:07 AM
To: Anton Castelli
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] VLAN Assignment for MAB clients

Hello Anton,

Which kind of switch / network equipment are you using for the authentication ?

Thanks,

Ludovic Zammit
lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu)
and PacketFence (http://packetfence.org)




On Dec 6, 2018, at 3:03 PM, Anton Castelli via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:

I'm pretty new to Packetfence. I have a demo server set up and working. It 
authenticates 802.1x clients against our Active Directory, can assign them a 
role based on their LDAP group, and can assign them a VLAN based on their role.

Non-802.1x devices that fall back to MAB can also authenticate once I've 
manually registered the device. I can also set a role manually for the device. 
However, the VLAN assignment for that role is not passed back to the switch.

I've confirmed that the VLAN assignment for that role is working. I put a 
802.1x client in that role and the VLAN assignment works. A MAB client in the 
same role on the same switch will not have a VLAN assignment passed back to the 
switch.

RADIUS response for 802.1x client:

<8021x.png>

RADIUS response for MAB client:



Is there a way to configure Packetfence to assign a VLAN on the switch for a 
MAB client?

Thanks,

--
ANTON CASTELLI
Network Engineer IV

INFORMATION TECHNOLOGY
MAIL CODE 4622
SOUTHERN ILLINOIS UNIVERSITY
625 WHAM DRIVE
CARBONDALE, ILLINOIS 62901

anton.caste...@siu.edu<mailto:ac14...@siu.edu>
P: 618/453-6424
OIT.SIU.EDU<http://oit.siu.edu/networkengineering>

Dec  6 11:53:24 devpf packetfence_httpd.aaa: httpd.aaa(17323) INFO: [mac:00:00:00:00:35:aa] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Dec  6 11:53:24 devpf packetfence_httpd.aaa: httpd.aaa(21301) INFO: [mac:00:00:00:00:39:46] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Dec  6 11:54:00 devpf packetfence_httpd.aaa: httpd.aaa(17322) INFO: [mac:00:00:00:00:35:aa] handling radius autz request: from switch_ip => (X.X.X.X), connection_type => Ethernet-EAP,switch_mac => (00:00:00:00:91:d2), mac => [00:00:00:00:35:aa], port => 23, username => "AD_USER" (pf::radius::authorize)
Dec  6 11:54:00 devpf packetfence_httpd.aaa: httpd.aaa(17322) INFO: [mac:00:00:00:00:35:aa] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Dec  6 11:54:00 devpf packetfence_httpd.aaa: httpd.aaa(17322) INFO: [mac:00:00:00:00:35:aa] Found authentication source(s) : 'local,neteng-ad,default_AD' for realm 'ad' (pf::confi
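
Fabrice's reply in this thread notes that both devices show up as 802.1x (Ethernet-EAP) and suspects the phone's MAB is being sent as EAP-MD5 instead of PAP. The Python below is an added example, not part of the thread or of PacketFence: it scans "handling radius autz request" lines in the format of the excerpt above and flags requests whose username is the device's own MAC yet whose connection_type is Ethernet-EAP. The sample lines, the phone's username and port, and the Ethernet-NoEAP value for PAP-style MAB are assumptions.

```python
import re

# One "handling radius autz request" line, as laid out in the excerpt above.
AUTZ_RE = re.compile(
    r'handling radius autz request: .*?'
    r'connection_type => (?P<ctype>[^,\s]+),.*?'
    r'mac => \[(?P<mac>[^\]]+)\],\s*'
    r'port => (?P<port>\d+),\s*'
    r'username => "(?P<user>[^"]*)"'
)
MAC_RE = re.compile(r'(?:[0-9a-f]{2}[:.-]?){5}[0-9a-f]{2}', re.I)


def norm_mac(value):
    """Return 12 lowercase hex digits if value looks like a MAC, else None."""
    if not MAC_RE.fullmatch(value):
        return None
    return re.sub(r'[^0-9a-fA-F]', '', value).lower()


def classify(ctype, mac, user):
    """Label a request by how the endpoint identified itself.

    A MAB request carries the endpoint MAC as the RADIUS User-Name. If that
    arrives as Ethernet-EAP, the switch wrapped MAB in EAP (the EAP-MD5 case
    suspected in the thread) and "default mab pap" is the setting to check.
    """
    user_mac = norm_mac(user)
    mac_identity = user_mac is not None and user_mac == norm_mac(mac)
    if mac_identity and ctype == 'Ethernet-EAP':
        return 'mab-over-eap'
    if mac_identity:
        return 'mab'      # assumption: Ethernet-NoEAP is logged for PAP-style MAB
    if ctype == 'Ethernet-EAP':
        return 'dot1x'    # real supplicant with a user or machine identity
    return 'other'


def parse_autz(log_text):
    """Extract and classify every authorization request in a log excerpt."""
    records = []
    for line in log_text.splitlines():
        m = AUTZ_RE.search(line)
        if not m:
            continue      # e.g. "Instantiate profile" lines
        rec = m.groupdict()
        rec['port'] = int(rec['port'])
        rec['kind'] = classify(rec['ctype'], rec['mac'], rec['user'])
        records.append(rec)
    return records


def mab_over_eap(log_text):
    """(mac, port) pairs whose interface config should be reviewed."""
    return [(r['mac'], r['port']) for r in parse_autz(log_text)
            if r['kind'] == 'mab-over-eap']


def _autz_line(ts, mac, ctype, port, user):
    # Builds a constructed line in the same layout as the real excerpt.
    return (f'{ts} devpf packetfence_httpd.aaa: httpd.aaa(17322) INFO: '
            f'[mac:{mac}] handling radius autz request: from switch_ip => '
            f'(X.X.X.X), connection_type => {ctype},switch_mac => '
            f'(00:00:00:00:91:d2), mac => [{mac}], port => {port}, '
            f'username => "{user}" (pf::radius::authorize)')


# Constructed sample: masked MACs reused from the thread; the usernames of the
# MAB devices, their ports and the third device are invented for the example.
SAMPLE_LOG = "\n".join([
    'Dec  6 11:53:24 devpf packetfence_httpd.aaa: httpd.aaa(21301) INFO: '
    '[mac:00:00:00:00:39:46] Instantiate profile default '
    '(pf::Connection::ProfileFactory::_from_profile)',
    _autz_line('Dec  6 11:54:00', '00:00:00:00:35:aa', 'Ethernet-EAP', 23, 'AD_USER'),
    _autz_line('Dec  6 11:54:07', '00:00:00:00:39:46', 'Ethernet-EAP', 24, '000000003946'),
    _autz_line('Dec  6 11:55:12', '00:00:00:00:aa:01', 'Ethernet-NoEAP', 12, '00-00-00-00-AA-01'),
])

if __name__ == '__main__':
    for rec in parse_autz(SAMPLE_LOG):
        print(rec['mac'], rec['port'], rec['ctype'], rec['kind'])
```
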

Re: [PacketFence-users] VLAN Assignment for MAB clients

2018-12-07 Thread Ludovic Zammit via PacketFence-users
Hello Anton,

Which kind of switch / network equipment are you using for the authentication ?

Thanks,

Ludovic Zammit
lzam...@inverse.ca  ::  +1.514.447.4918 (x145) ::  
www.inverse.ca 
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu ) 
and PacketFence (http://packetfence.org ) 




> On Dec 6, 2018, at 3:03 PM, Anton Castelli via PacketFence-users 
>  wrote:
> 
> I'm pretty new to Packetfence. I have a demo server set up and working. It 
> authenticates 802.1x clients against our Active Directory, can assign them a 
> role based on their LDAP group, and can assign them a VLAN based on their 
> role.
> 
> Non-802.1x devices that fall back to MAB can also authenticate once I've 
> manually registered the device. I can also set a role manually for the 
> device. However, the VLAN assignment for that role is not passed back to the 
> switch.
> 
> I've confirmed that the VLAN assignment for that role is working. I put a 
> 802.1x client in that role and the VLAN assignment works. A MAB client in the 
> same role on the same switch will not have a VLAN assignment passed back to 
> the switch. 
> 
> RADIUS response for 802.1x client:
> 
> <8021x.png>
> 
> RADIUS response for MAB client:
> 
> 
> 
> Is there a way to configure Packetfence to assign a VLAN on the switch for a 
> MAB client?
> 
> Thanks,
> 
> --
> ANTON CASTELLI
> Network Engineer IV
> 
> INFORMATION TECHNOLOGY 
> MAIL CODE 4622
> SOUTHERN ILLINOIS UNIVERSITY
> 625 WHAM DRIVE
> CARBONDALE, ILLINOIS 62901
> 
> anton.caste...@siu.edu 
> P: 618/453-6424 
> OIT.SIU.EDU 


Re: [PacketFence-users] VLAN Assignment for MAB clients

2018-12-06 Thread Durand fabrice via PacketFence-users

Hello Anton,


Can you share the packetfence.log file? The answer will be in it.


Regards

Fabrice


On 18-12-06 at 15:03, Anton Castelli via PacketFence-users wrote:


I'm pretty new to Packetfence. I have a demo server set up and 
working. It authenticates 802.1x clients against our Active Directory, 
can assign them a role based on their LDAP group, and can assign them 
a VLAN based on their role.



Non-802.1x devices that fall back to MAB can also authenticate 
once I've manually registered the device. I can also set a role 
manually for the device. However, the VLAN assignment for that role is 
not passed back to the switch.



I've confirmed that the VLAN assignment for that role is working. I 
put a 802.1x client in that role and the VLAN assignment works. A MAB 
client in the same role on the same switch will not have a VLAN 
assignment passed back to the switch.



RADIUS response for 802.1x client:




RADIUS response for MAB client:



Is there a way to configure Packetfence to assign a VLAN on the switch 
for a MAB client?



Thanks,


--
ANTON CASTELLI
Network Engineer IV

INFORMATION TECHNOLOGY
MAIL CODE 4622
SOUTHERN ILLINOIS UNIVERSITY
625 WHAM DRIVE
CARBONDALE, ILLINOIS 62901

anton.caste...@siu.edu 
P: 618/453-6424
OIT.SIU.EDU 

