Re: [PacketFence-users] VLAN Enforcement with MAC address authentication

2021-07-12 Thread Thapeli Matsabu via PacketFence-users
Hi Nicolas,

I will install a new certificate. I thought that when you install PF, it 
installs with a certificate.

Kind regards,

Thapeli

From: Quiniou-Briand, Nicolas  
Sent: 12 July 2021 11:22 AM
To: Thapeli Matsabu ; 
packetfence-users@lists.sourceforge.net; 'Fabrice Durand' 
Subject: RE: [PacketFence-users] VLAN Enforcement with MAC address 
authentication

 

Hello Thapeli,

According to radius.log, it looks like you have an SSL issue.

Your node needs to have the CA certificate that signed the PacketFence RADIUS 
certificate in its certificate store, or the PacketFence RADIUS certificate 
directly.

Nicolas Quiniou-Briand
Product Support Engineer






Office: +33156696210

Akamai Technologies
145 Broadway
Cambridge, MA 02142





___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] VLAN Enforcement with MAC address authentication

2021-07-12 Thread Quiniou-Briand, Nicolas via PacketFence-users
Hello Thapeli,

According to radius.log, it looks like you have an SSL issue.
Your node needs to have the CA certificate that signed the PacketFence RADIUS 
certificate in its certificate store, or the PacketFence RADIUS certificate 
directly.

Nicolas Quiniou-Briand
Product Support Engineer



Re: [PacketFence-users] VLAN Enforcement with MAC address authentication

2021-07-09 Thread Quiniou-Briand, Nicolas via PacketFence-users
Hello,

In the packetfence.log you provided, I didn’t see any RADIUS request processed.
Are you sure your PacketFence server received traffic from your switch?

Nicolas Quiniou-Briand
Product Support Engineer



Re: [PacketFence-users] VLAN Enforcement with MAC address authentication

2021-07-08 Thread Fabrice Durand via PacketFence-users
Hello Thapeli,

I can see that you have multiple issues in your config.

First, the switch config doesn't look to be correct.

If the PacketFence server is plugged into port Fa/01, only VLAN 1 is
allowed.
Next, you don't have to enable 802.1X on this port.

interface FastEthernet0/1
 switchport trunk allowed vlan 1
 switchport mode trunk
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x timeout quiet-period 2
 dot1x timeout tx-period 3
 dot1x reauthentication


The port where you plug your testing device should be like this:


switchport mode access
dot1x port-control auto
dot1x host-mode multi-host
dot1x reauthentication



Also, on the PF side it looks like you have an interface eno1636.1, which
is useless since the native VLAN looks to be 1, so eno1636 is already in
VLAN 1.

Another thing: you can't return VLAN ID 1 if the native VLAN on the
switchport is already 1; you should return nothing.


[172.16.251.2]
description=Test Switch
guestVlan=
defaultVlan=
type=Cisco::Catalyst_2950
VoIPLLDPDetect=N
uplink=23,24
radiusSecret=useStrongerSecret
MachineVlan=
UserVlan=


And verify that you are able to ping the switch IP from PacketFence:
172.16.251.2


Regards

Fabrice



On Thu, 8 Jul 2021 at 17:16, Thapeli Matsabu via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi,
>
> Find the attached. I only have one server. It is also working as radius.
>
>
>
>
>
> Kind regards,
>
>
>
>
>
> *From:* Zammit, Ludovic 
> *Sent:* 08 July 2021 09:28 PM
> *To:* Thapeli Matsabu 
> *Cc:* packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] VLAN Enforcement with MAC address
> authentication
>
>
>
> Hello there,
>
>
>
> If your Radius audit log is empty it probably means that the radius
> authentication did not work properly or you are still cached from a
> previous authentication.
>
>
>
> Can you provide the /usr/local/pf/logs/packetfence.log and the
> /usr/local/pf/logs/radius.log of the server that does the authentication ?
>
>
>
> Thanks,
>
>
>
> *Ludovic Zammit*
> *Product Support Engineer Principal*
>
> *Cell:* +1.613.670.8432
>
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
>
> On Jul 8, 2021, at 3:25 PM, Thapeli Matsabu 
> wrote:
>
>
>
> Hi Ludovic,
>
> Apologies for delayed response. Due to covid restrictions I am working
> from home and my lab was still at the office. Today I went and got the
> equipment.
>
>
>
> 1. My radius audit log is empty. What does that mean?
> 2. Radius CoA. Is this on the switch configuration?
>
>
>
>
>
>
>
> *From:* Zammit, Ludovic 
> *Sent:* 06 July 2021 02:41 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Thapeli Matsabu 
> *Subject:* Re: [PacketFence-users] VLAN Enforcement with MAC address
> authentication
>
>
>
> Hello there,
>
>
>
> Multiple things that you can verify.
>
>
>
> 1. Make sure in Auditing that the radius reply for that MAC address
> contains the Tunnel-Private-Group-Id = "1"
>
>
>
> 2. Re-check if the radius CoA is correctly configured to disconnect user
> (radius dynamic authorization)
>
>
>
> 3. Show us your configuration / logs related to that authentication.
>
>
>
> Thanks,
>
>
>
> *Ludovic Zammit*
> *Product Support Engineer Principal*
>
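
The checks from Fabrice's reply of 2021-07-08, written as a small linter (an added example, not part of the original thread and not PacketFence code). It assumes any trunk port is the uplink toward PacketFence and that the native VLAN is 1; the sample configs are constructed from the snippets in the reply, with defaultVlan=1 as a hypothetical "before" value and FastEthernet0/16 as a hypothetical access port.

```python
import configparser
import re

# Constructed sample: uplink stanza from the reply plus a hypothetical access port.
IOS_CONFIG = """\
interface FastEthernet0/1
 switchport trunk allowed vlan 1
 switchport mode trunk
 dot1x port-control auto
!
interface FastEthernet0/16
 switchport mode access
 dot1x port-control auto
"""

# Constructed "before" variant of the switches.conf entry: defaultVlan is 1.
SWITCHES_CONF = """\
[172.16.251.2]
defaultVlan=1
guestVlan=
"""

def parse_interfaces(text):
    """Map interface name -> list of its stripped sub-commands."""
    ports, current = {}, None
    for line in text.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = ports.setdefault(m.group(1), [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return ports

def lint_switch(text):
    """Flag trunk ports running 802.1X and access ports missing it."""
    findings = []
    for name, cmds in parse_interfaces(text).items():
        dot1x = "dot1x port-control auto" in cmds
        if "switchport mode trunk" in cmds and dot1x:
            findings.append((name, "802.1X enabled on trunk port"))
        if "switchport mode access" in cmds and not dot1x:
            findings.append((name, "access port without 802.1X"))
    return findings

def lint_vlans(text, native_vlan="1"):
    """Flag *Vlan keys that return the switchport's native VLAN ID."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (defaultVlan, not defaultvlan)
    cp.read_string(text)
    return [(sw, k) for sw in cp.sections() for k, v in cp[sw].items()
            if k.endswith("Vlan") and v.strip() == native_vlan]

print(lint_switch(IOS_CONFIG), lint_vlans(SWITCHES_CONF))
```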

Re: [PacketFence-users] VLAN Enforcement with MAC address authentication

2021-07-08 Thread Thapeli Matsabu via PacketFence-users
Hi Ludovic,

Apologies for delayed response. Due to covid restrictions I am working from 
home and my lab was still at the office. Today I went and got the equipment.

 

1.  My radius audit log is empty. What does that mean?
2.  Radius CoA. Is this on the switch configuration? 

 

 

 

From: Zammit, Ludovic  
Sent: 06 July 2021 02:41 PM
To: packetfence-users@lists.sourceforge.net
Cc: Thapeli Matsabu 
Subject: Re: [PacketFence-users] VLAN Enforcement with MAC address 
authentication

 

Hello there,

 

Multiple things that you can verify.

 

1. Make sure in Auditing that the radius reply for that MAC address contains 
the Tunnel-Private-Group-Id = "1"

 

2. Re-check if the radius CoA is correctly configured to disconnect user 
(radius dynamic authorization)

 

3. Show us your configuration / logs related to that authentication.

 

Thanks,

 


Ludovic Zammit
Product Support Engineer Principal













On Jul 6, 2021, at 3:51 AM, Thapeli Matsabu via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:

 

Hi all,

I have been through this mailing list trying to find if someone had this 
problem before, but I could not find anything similar.

I am trying to configure VLAN Enforcement with MAC address authentication:

*   I am using Cisco 2950 with PF 10 on CentOS 7
*   I have configured 4 networks: see network.conf attached
    *   Management and Normal – default VLAN (1)
    *   Registration – VLAN 2
    *   Isolation – VLAN 3
    *   MAC detection – VLAN 4 (not configured on PF, only on the router)
*   I have configured my router and PF can see and manage the VLANs. See 
    my router config attached
*   I have manually registered a device on PF
*   I want to manually register devices, and all registered devices should 
    go to VLAN 1 (Normal and management) and unregistered devices to just sit 
    in the registration VLAN, and in future registered devices that do not 
    meet the requirements to go to the ISOLATION VLAN.

My problem is that when I connect a device to port 16, it gets stuck in VLAN 2 
and it never gets moved to VLAN 1, which is my default VLAN, even though on PF 
the device is already registered. If I connect to any other port, it gets moved 
to VLAN 1 even if it’s not registered.

 

 

 

Regards,


Re: [PacketFence-users] VLAN Enforcement with MAC address authentication

2021-07-08 Thread Zammit, Ludovic via PacketFence-users
Hello there,

If your Radius audit log is empty it probably means that the radius 
authentication did not work properly or you are still cached from a previous 
authentication.

Can you provide the /usr/local/pf/logs/packetfence.log and the 
/usr/local/pf/logs/radius.log of the server that does the authentication ?

Thanks,

Ludovic Zammit
Product Support Engineer Principal


> On Jul 8, 2021, at 3:25 PM, Thapeli Matsabu  wrote:
> 
> Hi Ludovic,
> Apologies for delayed response. Due to covid restrictions I am working from 
> home and my lab was still at the office. Today I went and got the equipment.
>  
> My radius audit log is empty. What does that mean?
> Radius CoA. Is this on the switch configuration? 
>  
>  
>  
> From: Zammit, Ludovic <luza...@akamai.com>
> Sent: 06 July 2021 02:41 PM
> To: packetfence-users@lists.sourceforge.net
> Cc: Thapeli Matsabu <thap...@dataproof.co.za>
> Subject: Re: [PacketFence-users] VLAN Enforcement with MAC address 
> authentication
>  
> Hello there,
>  
> Multiple things that you can verify.
>  
> 1. Make sure in Auditing that the radius reply for that MAC address contains 
> the Tunnel-Private-Group-Id = "1"
>  
> 2. Re-check if the radius CoA is correctly configured to disconnect user 
> (radius dynamic authorization)
>  
> 3. Show us your configuration / logs related to that authentication.
>  
> Thanks,
>  
> Ludovic Zammit
> Product Support Engineer Principal
> 
> 
>> On Jul 6, 2021, at 3:51 AM, Thapeli Matsabu via PacketFence-users 
>> <packetfence-users@lists.sourceforge.net> wrote:
>>  
>> Hi all,
>> I have been through this mailing list trying to find if someone had this 
>> problem before, but I could not find anything similar.
>>  
>> I am trying to configure VLAN Enforcement with MAC address authentication:
>> * I am using Cisco 2950 with PF 10 on CentOS 7
>> * I have configured 4 networks: see network.conf attached
>>   * Management and Normal – default VLAN (1)
>>   * Registration – VLAN 2
>>   * Isolation – VLAN 3
>>   * MAC detection – VLAN 4 (not configured on PF, only on the router)
>> * I have configured my router and PF can see and manage the VLANs. See my 
>>   router config attached
>> * I have manually registered a device on PF
>> * I want to manually register devices, and all registered devices should 
>>   go to VLAN 1 (Normal and management) and unregistered devices to just sit 
>>   in the registration VLAN, and in future registered devices that do not 
>>   meet the requirements to go to the ISOLATION VLAN.
>>  
>> My problem is that when I connect a device to port 16, it gets stuck in VLAN 
>> 2 and it never gets moved to VLAN 1, which is my default VLAN, even though 
>> on PF the device is already registered. If I connect to any other port, it 
>> gets moved to VLAN 1 even if it’s not registered.
>>  
>>  
>>  
>> Regards,




Re: [PacketFence-users] VLAN Enforcement with MAC address authentication

2021-07-06 Thread Zammit, Ludovic via PacketFence-users
Hello there,

Multiple things that you can verify.

1. Make sure in Auditing that the radius reply for that MAC address contains 
the Tunnel-Private-Group-Id = "1"

2. Re-check if the radius CoA is correctly configured to disconnect user 
(radius dynamic authorization)

3. Show us your configuration / logs related to that authentication.

Thanks,

Ludovic Zammit
Product Support Engineer Principal



> On Jul 6, 2021, at 3:51 AM, Thapeli Matsabu via PacketFence-users wrote:
> 
> Hi all,
> I have been through this mailing list trying to find if someone had this 
> problem before, but I could not find anything similar.
>  
> I am trying to configure VLAN Enforcement with MAC address authentication:
> * I am using Cisco 2950 with PF 10 on CentOS 7
> * I have configured 4 networks: see network.conf attached
>   * Management and Normal – default VLAN (1)
>   * Registration – VLAN 2
>   * Isolation – VLAN 3
>   * MAC detection – VLAN 4 (not configured on PF, only on the router)
> * I have configured my router and PF can see and manage the VLANs. See my 
>   router config attached
> * I have manually registered a device on PF
> * I want to manually register devices, and all registered devices should 
>   go to VLAN 1 (Normal and management) and unregistered devices to just sit 
>   in the registration VLAN, and in future registered devices that do not 
>   meet the requirements to go to the ISOLATION VLAN.
>  
> My problem is that when I connect a device to port 16, it gets stuck in VLAN 2 
> and it never gets moved to VLAN 1, which is my default VLAN, even though on 
> PF the device is already registered. If I connect to any other port, it gets 
> moved to VLAN 1 even if it’s not registered.
>  
>  
>  
> Regards,

