[PacketFence-users] R: R: R: R: Switch Compatibility

2017-11-17 Thread Alessandro Canella via PacketFence-users
Hi,


I've tested with Cisco 2960, same error.

I've found some differences in the log:

correct auth credentials
1 Nov 17 10:03:37 NO authentication: SSH authentication failure [username: newuser, IP address = 153.47.30.125]
2 Nov 17 10:03:37 WA authentication: Invalid Service Type: USER [ newuser]


wrong auth credentials
1 Nov 17 10:04:44 NO authentication: SSH authentication failure [username: root, IP address = 153.47.30.125]


I've found another thing: in a conf, the switch is still listed as nastype "other"; corrected, no change. I've also checked for typos or uppercase.




From: Fabrice Durand [mailto:fdur...@inverse.ca]
Sent: Monday 13 November 2017 14:37
To: Alessandro Canella; packetfence-users@lists.sourceforge.net
Subject: Re: R: [PacketFence-users] R: R: Switch Compatibility


Hello Alessandro,

I saw that Cisco attributes are also compatible with the Zyxel switches.

So you could choose Cisco_2960 as the switch type to make a test.

Regards

Fabrice



On 2017-11-13 at 07:06, Alessandro Canella wrote:
Hello All,

I've created a new switch under the PF\ folder.

All seems fine, but no CLI login.

Switch log reports:

1 Nov 13 12:44:23 NO authentication: SSH authentication failure [username: newuser, IP address = 153.47.30.125]
2 Nov 13 12:44:23 WA authentication: Invalid Service Type: USER [ newuser]

PF GUI Reports


RADIUS Request

User-Name = "newuser"
User-Password = "**"
NAS-IP-Address = 10.206.1.136
NAS-Identifier = "K873MUXSW1"
Event-Timestamp = "Nov 13 2017 11:45:37 UTC"
Stripped-User-Name = "newuser"
Realm = "null"
FreeRADIUS-Client-IP-Address = 10.206.1.136
SQL-User-Name = "newuser"

RADIUS Reply

Reply-Message = "Switch enable access granted by PacketFence"
Zyxel-Privilege-AVPair = "shell:priv-lvl=15"


PF log responds:

Nov 13 11:44:18 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2712) INFO: [mac:[undef]] Authentication successful for newuser in source file1 (Htpasswd) (pf::authentication::authenticate)
Nov 13 11:44:18 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2712) INFO: [mac:[undef]] Using sources file1 for matching (pf::authentication::match2)
Nov 13 11:44:18 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2712) INFO: [mac:[undef]] Matched rule (admins) in source file1, returning actions. (pf::Authentication::Source::match)
Nov 13 11:44:18 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2712) INFO: [mac:[undef]] User newuser logged in 10.206.1.136 with write access (pf::Switch::Zyxel::returnAuthorizeWrite)
Nov 13 11:44:21 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(2712) INFO: [mac:[undef]] Authentication successful for newuser in source file1 (Htpasswd) (pf::authentication::authenticate)

From: Alessandro Canella via PacketFence-users [mailto:packetfence-users@lists.sourceforge.net]
Sent: Sunday 12 November 2017 23:26
To: Durand fabrice; packetfence-users@lists.sourceforge.net
Cc: Alessandro Canella
Subject: [PacketFence-users] R: R: Switch Compatibility

I will try tomorrow.

Not sure where the file is, I will check the documentation.


From: Durand fabrice [mailto:fdur...@inverse.ca]
Sent: Saturday 11 November 2017 13:51
To: Alessandro Canella; packetfence-users@lists.sourceforge.net
Subject: Re: R: [PacketFence-users] Switch Compatibility


Hello Alessandro,



You will need to edit the switch module and add this:

=item returnAuthorizeWrite

Return radius attributes to allow write access

=cut

sub returnAuthorizeWrite {
    my ($self, $args) = @_;
    my $logger = $self->logger;
    my $radius_reply_ref;
    my $status;
    # Reply attributes sent back to the switch for an enable/write session
    $radius_reply_ref->{'Zyxel-Privilege-AVPair'} = 'shell:priv-lvl=15';
    $radius_reply_ref->{'Reply-Message'} = "Switch enable access granted by PacketFence";
    $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with write access");
    # Let the RADIUS access filters (radius_filters.conf) adjust the reply
    my $filter = pf::access_filter::radius->new;
    my $rule = $filter->test('returnAuthorizeWrite', $args);
    ($radius_reply_ref, $status) = $filter->handleAnswerInRule($rule, $args, $radius_reply_ref);
    return [$status, %$radius_reply_ref];
}

=item returnAuthorizeRead

Return radius attributes to allow read access

=cut

sub returnAuthorizeRead {
    my ($self, $args) = @_;
    my $logger = $self->logger;
    my $radius_reply_ref;
    my $status;
    # Reply attributes sent back to the switch for a read-only session
    $radius_reply_ref->{'Zyxel-Privilege-AVPair'} = 'shell:priv-lvl=3';
    $radius_reply_ref->{'Reply-Message'} = "Switch read access granted by PacketFence";
    $logger->info("User $args->{'user_name'} logged in $args->{'switch'}{'_id'} with read access");
    my $filter = pf::access_filter::radius->new;
    my $rule = $filter->test('returnAuthorizeRead', $args);
    # The archived message is cut off here; the remaining lines mirror returnAuthorizeWrite above
    ($radius_reply_ref, $status) = $filter->handleAnswerInRule($rule, $args, $radius_reply_ref);
    return [$status, %$radius_reply_ref];
}
Re: [PacketFence-users] R: R: R: R: Switch Compatibility

2017-11-17 Thread Fabrice Durand via PacketFence-users
Hello Alessandro,

retry by removing this line:

$radius_reply_ref->{'Reply-Message'} = "Switch enable access granted by PacketFence";

and also try with this line:

$radius_reply_ref->{'Zyxel-Privilege-AVPair'} = 'shell:priv-lvl=14';

cf:
https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=011559=EN

Regards
Fabrice

On 2017-11-17 at 04:39, Alessandro Canella wrote: