[PacketFence-users] mac auth with ldap as source for mac addresses

2021-12-15 Thread Sebastian Gille via PacketFence-users
Hi,

I have a question regarding MAB and PacketFence.
My idea is to check allowed MAC addresses against LDAP instead of importing the
MACs by CSV into the database, because our LDAP is the only valid and complete
source of information.
My understanding is that I must configure an authentication source --> done
Also an auth rule to map a role to the client. --> done
Second, a connection profile which utilizes this auth source. --> done
So far so good, but if I understood correctly, this should also be configured in
the files at mods and sites-enabled?
This is what I understood after reading through the guide and noticing that the
profile was triggered by a RADIUS request but the auth source wasn't touched.

My questions:

Is this a valid configuration option on PacketFence and how can I accomplish
this task?
Maybe someone did it before and can push me in the right direction.

Thx,

Sebastian
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Mac auth

2018-11-08 Thread Tomasz Karczewski via PacketFence-users
Hi,

You have to create VLAN filters for that or manually assign roles that put
devices in the proper VLAN.

From: Wifi Guy via PacketFence-users
Sent: Thursday, November 8, 2018 12:01 PM
To: packetfence-users@lists.sourceforge.net
Cc: Wifi Guy
Subject: [PacketFence-users] Mac auth

Hi

Can someone tell me where I need to fill in MAC addresses of clients into PF
when I only want to do basic MAC authentication without AD integration.

So what we want to set up is a local database of MAC addresses which will be
authenticated via RADIUS with our switches and ideally get dynamically mapped
to the configured VLAN. I can't find that in the documentation.

Thanks





Re: [PacketFence-users] Mac auth

2018-11-08 Thread Ludovic Zammit via PacketFence-users
Hello Wifi Guy,

You don't need to use the bypass role/VLAN to do that.

You import your node into PacketFence with a CSV file or you create it manually.

The node has to be registered and have a proper role set. That role has a VLAN id
under the switch configuration in PacketFence.

Once the port is up or you connect to an open SSID, the equipment will
send a MAC authentication request to PF and, because the node is registered and
has a role, PacketFence will return the VLAN id for that role.

Thanks,

Ludovic Zammit
lzam...@inverse.ca  ::  +1.514.447.4918 (x145) ::  
www.inverse.ca 
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu ) 
and PacketFence (http://packetfence.org ) 




> On Nov 8, 2018, at 7:03 AM, Murilo Calegari via PacketFence-users wrote:
> 
> Hi,
> 
> I'm no PacketFence expert, but I believe you have to create a Node (this 
> function was just corrected in PF 8.2) and set its Bypass Role. If this 
> doesn't work, try to set it to Registered, with a specific role, and an 
> Unregistration date set to something before January 18th 2038.
> 
> Regards,
> 
> Murilo Calegari de Souza
> IT Intern
> Information Technology Coordination Office
> Instituto Federal do Espírito Santo – Campus Nova Venécia
> 27 3752 4311 ext. 43112
> 
> 
> On Thu, Nov 8, 2018 at 09:21, Wifi Guy via PacketFence-users wrote:
> Hi
> 
> Can someone tell me where I need to fill in MAC addresses of clients into PF 
> when I only want to do basic MAC authentication without AD integration.
> So what we want to set up is a local database of MAC addresses which will be 
> authenticated via RADIUS with our switches and ideally get dynamically mapped 
> to the configured VLAN. I can't find that in the documentation.
> 
> Thanks



Re: [PacketFence-users] Mac auth

2018-11-08 Thread Murilo Calegari via PacketFence-users
Hi,

I'm no PacketFence expert, but I believe you have to create a Node (this
function was just corrected in PF 8.2) and set its Bypass Role. If this
doesn't work, try to set it to Registered, with a specific role, and an
Unregistration date set to something before January 18th 2038.

Regards,


Murilo Calegari de Souza
IT Intern
Information Technology Coordination Office
Instituto Federal do Espírito Santo – Campus Nova Venécia
27 3752 4311 ext. 43112


On Thu, Nov 8, 2018 at 09:21, Wifi Guy via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi
>
> Can someone tell me where I need to fill in MAC addresses of clients into
> PF when I only want to do basic MAC authentication without AD integration.
>
> So what we want to set up is a local database of MAC addresses which will
> be authenticated via RADIUS with our switches and ideally get dynamically
> mapped to the configured VLAN. I can't find that in the documentation.
>
>
> Thanks


[PacketFence-users] Mac auth

2018-11-08 Thread Wifi Guy via PacketFence-users
Hi

Can someone tell me where I need to fill in MAC addresses of clients into
PF when I only want to do basic MAC authentication without AD integration.

So what we want to set up is a local database of MAC addresses which will be
authenticated via RADIUS with our switches and ideally get dynamically
mapped to the configured VLAN. I can't find that in the documentation.


Thanks


Re: [PacketFence-users] MAC Auth issues

2018-08-22 Thread Durand fabrice via PacketFence-users

Hello Ali,

Just edit the node and set a role.

It should be good.

Regards

Fabrice


On 2018-08-22 at 22:07, Amjad Ali wrote:

Fabrice,

Many thanks for your input.

I have created a RADIUS rule with mac equals this, then return role
VOICE, but it's not returning that VLAN somehow.

Can you please shed some light on these log messages.

Aug 22 09:35:55 packetfence packetfence_httpd.aaa: httpd.aaa(12659)
WARN: [mac:00:02:09:00:01:00] Use of uninitialized value $role in
concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 478.
(pf::role::getRegisteredRole)
Aug 22 09:35:55 packetfence packetfence_httpd.aaa: httpd.aaa(12659)
INFO: [mac:00:02:09:00:01:00] Username was NOT defined or unable to
match a role - returning node based role '' (pf::role::getRegisteredRole)
Aug 22 09:35:55 packetfence packetfence_httpd.aaa: httpd.aaa(12659)
INFO: [mac:00:02:09:00:01:00] PID: "default", Status: reg Returned
VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)


Thank you
Ali

On Thu, Aug 23, 2018 at 9:58 AM Durand fabrice via PacketFence-users wrote:


Hello Ali,

You don't have to create a user with the MAC address as username
and password.

Btw it looks like the MAC auth works; the only issue you have is
that the device is reg but there is no role assigned to it.

Just fix that and it should be ok.

Regards

Fabrice



On 2018-08-21 at 22:35, Amjad Ali via PacketFence-users wrote:

Hi All,

I have an unsupported switch that I want to test with PacketFence.

Earlier I was successful with authenticating dot1x Linux clients
with this switch and VLAN enforcement worked just fine. The
switch is added to PacketFence as generic type and production mode.

Now I want to try MAC AUTH to enable some printers or other such
devices that lack the supplicant. But I'm getting some strange
results.

It is a simple case where the switch sends an auth request to
PacketFence with the MAC address of the client as username and
password. I added the MAC as a user in the PF db (create user)
and configured it to return VLAN 5 (Voice VLAN).

On the web UI of PacketFence, I can see the device as registered,
but strangely the username, which is the MAC address of the device,
does not have any node registered against it. It does not return
the proper VLAN id. Also, even if I change the client MAC address
to one that is not even added to PacketFence, the result is the same
access-accept with undefined role and VLAN.

Please check the logs below and advise; I'm sure I'm missing some
configuration, thank you.
Ali


Re: [PacketFence-users] MAC Auth issues

2018-08-22 Thread Amjad Ali via PacketFence-users
Fabrice,

Many thanks for your input.

I have created a RADIUS rule with mac equals this, then return role VOICE,
but it's not returning that VLAN somehow.
Can you please shed some light on these log messages.

Aug 22 09:35:55 packetfence packetfence_httpd.aaa: httpd.aaa(12659) WARN:
[mac:00:02:09:00:01:00] Use of uninitialized value $role in concatenation
(.) or string at /usr/local/pf/lib/pf/role.pm line 478.
(pf::role::getRegisteredRole)
Aug 22 09:35:55 packetfence packetfence_httpd.aaa: httpd.aaa(12659) INFO:
[mac:00:02:09:00:01:00] Username was NOT defined or unable to match a role
- returning node based role '' (pf::role::getRegisteredRole)
Aug 22 09:35:55 packetfence packetfence_httpd.aaa: httpd.aaa(12659) INFO:
[mac:00:02:09:00:01:00] PID: "default", Status: reg Returned VLAN:
(undefined), Role: (undefined) (pf::role::fetchRoleForNode)

Thank you
Ali

On Thu, Aug 23, 2018 at 9:58 AM Durand fabrice via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello Ali,
>
> You don't have to create a user with the MAC address as username and
> password.
>
> Btw it looks like the MAC auth works; the only issue you have is that the
> device is reg but there is no role assigned to it.
>
> Just fix that and it should be ok.
>
> Regards
>
> Fabrice
>
>
>
> On 2018-08-21 at 22:35, Amjad Ali via PacketFence-users wrote:
>
> Hi All,
>
> I have an unsupported switch that I want to test with PacketFence.
>
> Earlier I was successful with authenticating dot1x Linux clients with this
> switch and VLAN enforcement worked just fine. The switch is added to
> PacketFence as generic type and production mode.
>
> Now I want to try MAC AUTH to enable some printers or other such devices
> that lack the supplicant. But I'm getting some strange results.
>
> It is a simple case where the switch sends an auth request to PacketFence
> with the MAC address of the client as username and password. I added the MAC as
> a user in the PF db (create user) and configured it to return VLAN 5 (Voice
> VLAN).
>
> On the web UI of PacketFence, I can see the device as registered, but
> strangely the username, which is the MAC address of the device, does not have
> any node registered against it. It does not return the proper VLAN id.
> Also, even if I change the client MAC address to one that is not even added to
> PacketFence, the result is the same access-accept with undefined role and
> VLAN.
>
> Please check the logs below and advise; I'm sure I'm missing some
> configuration, thank you.
> Ali
>
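Added example, not PacketFence code and not from anyone in the thread: a small Python triage script that parses the two log formats pasted in this thread, the raddebug Access-Request attributes and the packetfence_httpd.aaa role lines, and reports nodes that are registered but have no role, which is the condition behind "Status: reg Returned VLAN: (undefined), Role: (undefined)". The sample lines are constructed from the ones posted here; the extra MACs and the "mab"/"mismatch"/"other" labels are my own assumptions.

```python
"""Triage helper for the MAB symptoms discussed in this thread (added example,
not PacketFence code). Parses FreeRADIUS raddebug attribute lines and
packetfence_httpd.aaa role lines, then lists registered nodes without a role,
which is what makes PacketFence return an Access-Accept with no VLAN."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, built from the Access-Request attributes in the thread.
RADDEBUG_SAMPLE = """\
(11) Wed Aug 22 09:35:55 2018: Debug:   User-Name = "00:02:09:00:01:00"
(11) Wed Aug 22 09:35:55 2018: Debug:   User-Password = "00:02:09:00:01:00"
(11) Wed Aug 22 09:35:55 2018: Debug:   Called-Station-Id = "CC-37-AB-4F-B1-C1"
(11) Wed Aug 22 09:35:55 2018: Debug:   Calling-Station-Id = "00-02-09-00-01-00"
(11) Wed Aug 22 09:35:55 2018: Debug:   NAS-Port-Type = Ethernet
(11) Wed Aug 22 09:35:55 2018: Debug:   NAS-Port = 25
"""

# Constructed sample: the first line mirrors the thread; the other two MACs
# (one with a role, one unregistered) are made up for contrast.
AAA_SAMPLE = """\
Aug 22 09:35:55 packetfence packetfence_httpd.aaa: httpd.aaa(12659) INFO: [mac:00:02:09:00:01:00] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Aug 22 09:36:10 packetfence packetfence_httpd.aaa: httpd.aaa(12659) INFO: [mac:00:02:09:00:01:01] PID: "default", Status: reg Returned VLAN: 5, Role: VOICE (pf::role::fetchRoleForNode)
Aug 22 09:36:40 packetfence packetfence_httpd.aaa: httpd.aaa(12659) INFO: [mac:00:02:09:00:01:02] PID: "default", Status: unreg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
"""

# 'Debug:   Attr = value' or 'Debug:   Attr = "quoted value"'
ATTR_RE = re.compile(r'Debug:\s+([A-Za-z0-9-]+)\s*=\s*"?([^"]*?)"?\s*$')
AAA_RE = re.compile(
    r'\[mac:(?P<mac>[0-9A-Fa-f:]{17})\] PID: "(?P<pid>[^"]*)", '
    r'Status: (?P<status>\w+) Returned VLAN: (?P<vlan>\S+), Role: (?P<role>\S+) '
    r'\(pf::role::fetchRoleForNode\)'
)


def normalize_mac(raw: str) -> str:
    """Canonical lower-case colon form; NAS devices send several separators."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def _mac_or_none(raw: Optional[str]) -> Optional[str]:
    try:
        return normalize_mac(raw or "")
    except ValueError:
        return None


def parse_raddebug_attrs(text: str) -> Dict[str, str]:
    """Collect the RADIUS attributes of one request from raddebug output."""
    attrs: Dict[str, str] = {}
    for line in text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs


def classify_request(attrs: Dict[str, str]) -> str:
    """'mab' when User-Name is the client MAC (Calling-Station-Id) and the
    password, if present, is that same MAC, as the switch in the thread sends;
    'other' for a real username (e.g. 802.1X); 'mismatch' when a MAC-shaped
    username disagrees with the client MAC seen on the wire."""
    user = _mac_or_none(attrs.get("User-Name"))
    calling = _mac_or_none(attrs.get("Calling-Station-Id"))
    if user is None or calling is None:
        return "other"
    if user != calling:
        return "mismatch"
    pw = attrs.get("User-Password")
    if pw is not None and _mac_or_none(pw) != user:
        return "mismatch"
    return "mab"


@dataclass
class RoleDecision:
    mac: str
    pid: str
    status: str
    vlan: Optional[str]  # None when PacketFence logged "(undefined)"
    role: Optional[str]


def parse_aaa_decisions(text: str) -> List[RoleDecision]:
    """Extract the pf::role::fetchRoleForNode outcome for every MAC in the log."""
    out: List[RoleDecision] = []
    for line in text.splitlines():
        m = AAA_RE.search(line)
        if not m:
            continue
        vlan = None if m["vlan"] == "(undefined)" else m["vlan"]
        role = None if m["role"] == "(undefined)" else m["role"]
        out.append(RoleDecision(normalize_mac(m["mac"]), m["pid"], m["status"], vlan, role))
    return out


def registered_without_role(decisions: List[RoleDecision]) -> List[str]:
    """The thread's symptom: node is 'reg' but has no role, so the Access-Accept
    carries no VLAN. These are the nodes that need a role assigned."""
    return sorted(d.mac for d in decisions if d.status == "reg" and d.role is None)
```

Feed it `raddebug` output and the httpd.aaa log of a PacketFence server and it separates MAB requests from 802.1X ones and lists the MACs that need a role before VLAN enforcement can work.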

Re: [PacketFence-users] MAC Auth issues

2018-08-22 Thread Durand fabrice via PacketFence-users

Hello Ali,

You don't have to create a user with the MAC address as username and
password.


Btw it looks like the MAC auth works; the only issue you have is that
the device is reg but there is no role assigned to it.


Just fix that and it should be ok.

Regards

Fabrice



On 2018-08-21 at 22:35, Amjad Ali via PacketFence-users wrote:

Hi All,

I have an unsupported switch that I want to test with PacketFence.

Earlier I was successful with authenticating dot1x Linux clients with
this switch and VLAN enforcement worked just fine. The switch is added
to PacketFence as generic type and production mode.


Now I want to try MAC AUTH to enable some printers or other such
devices that lack the supplicant. But I'm getting some strange results.


It is a simple case where the switch sends an auth request to
PacketFence with the MAC address of the client as username and password. I
added the MAC as a user in the PF db (create user) and configured it
to return VLAN 5 (Voice VLAN).


On the web UI of PacketFence, I can see the device as registered, but
strangely the username, which is the MAC address of the device, does not
have any node registered against it. It does not return the proper
VLAN id. Also, even if I change the client MAC address to one that is not
even added to PacketFence, the result is the same access-accept with
undefined role and VLAN.


Please check the logs below and advise; I'm sure I'm missing some
configuration, thank you.

Ali


Re: [PacketFence-users] MAC Auth issues

2018-08-22 Thread Amjad Ali via PacketFence-users
Hello again,

Anyone please help with this issue; the MAC auth is giving me the above
issue in PacketFence. What's the best way to register devices that lack
802.1X support?

Thanks again.
Ali

On Wed, Aug 22, 2018 at 10:35 AM Amjad Ali wrote:

> Hi All,
>
> I have an unsupported switch that I want to test with PacketFence.
>
> Earlier I was successful with authenticating dot1x Linux clients with this
> switch and VLAN enforcement worked just fine. The switch is added to
> PacketFence as generic type and production mode.
>
> Now I want to try MAC AUTH to enable some printers or other such devices
> that lack the supplicant. But I'm getting some strange results.
>
> It is a simple case where the switch sends an auth request to PacketFence
> with the MAC address of the client as username and password. I added the MAC as
> a user in the PF db (create user) and configured it to return VLAN 5 (Voice
> VLAN).
>
> On the web UI of PacketFence, I can see the device as registered, but
> strangely the username, which is the MAC address of the device, does not have
> any node registered against it. It does not return the proper VLAN id.
> Also, even if I change the client MAC address to one that is not even added to
> PacketFence, the result is the same access-accept with undefined role and
> VLAN.
>
> Please check the logs below and advise; I'm sure I'm missing some
> configuration, thank you.
> Ali
>

[PacketFence-users] MAC Auth issues

2018-08-22 Thread Amjad Ali via PacketFence-users
Hi All,

I have an unsupported switch that I want to test with PacketFence.

Earlier I was successful with authenticating dot1x Linux clients with this
switch and VLAN enforcement worked just fine. The switch is added to
PacketFence as generic type and production mode.

Now I want to try MAC AUTH to enable some printers or other such devices
that lack the supplicant. But I'm getting some strange results.

It is a simple case where the switch sends an auth request to PacketFence
with the MAC address of the client as username and password. I added the MAC as
a user in the PF db (create user) and configured it to return VLAN 5 (Voice
VLAN).

On the web UI of PacketFence, I can see the device as registered, but
strangely the username, which is the MAC address of the device, does not have
any node registered against it. It does not return the proper VLAN id.
Also, even if I change the client MAC address to one that is not even added to
PacketFence, the result is the same access-accept with undefined role and
VLAN.

Please check the logs below and advise; I'm sure I'm missing some
configuration, thank you.
Ali

raddebug

(11) Wed Aug 22 09:35:55 2018: Debug: Received Access-Request Id 1 from
10.10.51.169:1812 to 10.10.50.204:1812 length 153
(11) Wed Aug 22 09:35:55 2018: Debug:   User-Name = "00:02:09:00:01:00"
(11) Wed Aug 22 09:35:55 2018: Debug:   User-Password = "00:02:09:00:01:00"
(11) Wed Aug 22 09:35:55 2018: Debug:   Framed-MTU = 1500
(11) Wed Aug 22 09:35:55 2018: Debug:   Called-Station-Id =
"CC-37-AB-4F-B1-C1"
(11) Wed Aug 22 09:35:55 2018: Debug:   Calling-Station-Id =
"00-02-09-00-01-00"
(11) Wed Aug 22 09:35:55 2018: Debug:   NAS-IP-Address = 0.0.0.0
(11) Wed Aug 22 09:35:55 2018: Debug:   NAS-Port-Type = Ethernet
(11) Wed Aug 22 09:35:55 2018: Debug:   NAS-Port = 25
(11) Wed Aug 22 09:35:55 2018: Debug:   Message-Authenticator =
0x175584cbbaa167dc3be140dc927b2079
(11) Wed Aug 22 09:35:55 2018: Debug: # Executing section authorize from
file /usr/local/pf/raddb/sites-enabled/packetfence
(11) Wed Aug 22 09:35:55 2018: Debug:   authorize {
(11) Wed Aug 22 09:35:55 2018: Debug: update {
(11) Wed Aug 22 09:35:55 2018: Debug:   EXPAND %{Packet-Src-IP-Address}
(11) Wed Aug 22 09:35:55 2018: Debug:  --> 10.10.51.169
(11) Wed Aug 22 09:35:55 2018: Debug:   EXPAND %l
(11) Wed Aug 22 09:35:55 2018: Debug:  --> 1534901755
(11) Wed Aug 22 09:35:55 2018: Debug: } # update = noop
(11) Wed Aug 22 09:35:55 2018: Debug: policy packetfence-set-tenant-id {
(11) Wed Aug 22 09:35:55 2018: Debug:   if (
"%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(11) Wed Aug 22 09:35:55 2018: Debug:   EXPAND
%{%{control:PacketFence-Tenant-Id}:-0}
(11) Wed Aug 22 09:35:55 2018: Debug:  --> 0
(11) Wed Aug 22 09:35:55 2018: Debug:   if (
"%{%{control:PacketFence-Tenant-Id}:-0}" == "0")  -> TRUE
(11) Wed Aug 22 09:35:55 2018: Debug:   if (
"%{%{control:PacketFence-Tenant-Id}:-0}" == "0")  {
(11) Wed Aug 22 09:35:55 2018: Debug: update control {
(11) Wed Aug 22 09:35:55 2018: Debug:   EXPAND %{User-Name}
(11) Wed Aug 22 09:35:55 2018: Debug:  --> 00:02:09:00:01:00
(11) Wed Aug 22 09:35:55 2018: Debug:   SQL-User-Name set to
'00:02:09:00:01:00'
(11) Wed Aug 22 09:35:55 2018: Debug:   Executing select query:
SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname =
'10.10.51.169'), 0)
(11) Wed Aug 22 09:35:55 2018: Debug:   EXPAND %{sql: SELECT
IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname =
'%{Packet-Src-IP-Address}'), 0)}
(11) Wed Aug 22 09:35:55 2018: Debug:  --> 0
(11) Wed Aug 22 09:35:55 2018: Debug: } # update control = noop
(11) Wed Aug 22 09:35:55 2018: Debug:   } # if (
"%{%{control:PacketFence-Tenant-Id}:-0}" == "0")  = noop
(11) Wed Aug 22 09:35:55 2018: Debug:   if (
:PacketFence-Tenant-Id == 0 ) {
(11) Wed Aug 22 09:35:55 2018: Debug:   if (
:PacketFence-Tenant-Id == 0 )  -> TRUE
(11) Wed Aug 22 09:35:55 2018: Debug:   if (
:PacketFence-Tenant-Id == 0 )  {
(11) Wed Aug 22 09:35:55 2018: Debug: update control {
(11) Wed Aug 22 09:35:55 2018: Debug:   EXPAND %{User-Name}
(11) Wed Aug 22 09:35:55 2018: Debug:  --> 00:02:09:00:01:00
(11) Wed Aug 22 09:35:55 2018: Debug:   SQL-User-Name set to
'00:02:09:00:01:00'
(11) Wed Aug 22 09:35:55 2018: Debug:   Executing select query:
SELECT IFNULL((SELECT tenant_id from radius_nas WHERE start_ip <=
INET_ATON('10.10.51.169') and INET_ATON('10.10.51.169') <= end_ip order by
range_length limit 1), 1)
(11) Wed Aug 22 09:35:55 2018: Debug:   EXPAND %{sql: SELECT
IFNULL((SELECT tenant_id from radius_nas WHERE start_ip <=
INET_ATON('%{Packet-Src-IP-Address}') and
INET_ATON('%{Packet-Src-IP-Address}') <= end_ip order by range_length limit
1), 1)}
(11) Wed Aug 22 09:35:55 2018: Debug:  --> 1
(11) Wed Aug 22 09:35:55 2018: Debug: } # update control = noop
(11) Wed Aug 22 09:35:55