Re: [PacketFence-users] Unknown Switch - Rejected User
Do you have a complete RADIUS request? Because this one is just to test if the RADIUS server is still alive.

Regards
Fabrice

On 2018-03-07 at 11:42, ebrar via PacketFence-users wrote:
>
> Hi Fabrice,
>
> But it doesn't. I have been trying to solve the problem for hours but could not find anything.
>
> I read the Administrator Guide and ran raddebug to find any clue. Still trying to find it. I'm sending the output to you. Maybe you can see something that I did not see.
>
> (73) Wed Mar 7 22:33:50 2018: Debug: Received Access-Request Id 133 from 192.168.56.100:1645 to 192.168.56.101:1812 length 51
> (73) Wed Mar 7 22:33:50 2018: Debug:   User-Password = "cisco"
> (73) Wed Mar 7 22:33:50 2018: Debug:   User-Name = "dummy"
> (73) Wed Mar 7 22:33:50 2018: Debug:   NAS-IP-Address = 192.168.56.100
> (73) Wed Mar 7 22:33:50 2018: Debug: # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence
> (73) Wed Mar 7 22:33:50 2018: Debug:   authorize {
> (73) Wed Mar 7 22:33:50 2018: Debug:     update {
> (73) Wed Mar 7 22:33:50 2018: Debug:       EXPAND %{Packet-Src-IP-Address}
> (73) Wed Mar 7 22:33:50 2018: Debug:          --> 192.168.56.100
> (73) Wed Mar 7 22:33:50 2018: Debug:       EXPAND %l
> (73) Wed Mar 7 22:33:50 2018: Debug:          --> 1520451230
> (73) Wed Mar 7 22:33:50 2018: Debug:     } # update = noop
> (73) Wed Mar 7 22:33:50 2018: Debug:     policy rewrite_calling_station_id {
> (73) Wed Mar 7 22:33:50 2018: Debug:       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
> (73) Wed Mar 7 22:33:50 2018: Debug:       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> FALSE
> (73) Wed Mar 7 22:33:50 2018: Debug:       else {
> (73) Wed Mar 7 22:33:50 2018: Debug:         [noop] = noop
> (73) Wed Mar 7 22:33:50 2018: Debug:       } # else = noop
> (73) Wed Mar 7 22:33:50 2018: Debug:     } # policy rewrite_calling_station_id = noop
> (73) Wed Mar 7 22:33:50 2018: Debug:     policy rewrite_called_station_id {
> (73) Wed Mar 7 22:33:50 2018: Debug:       if ((&Called-Station-Id) && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) {
> (73) Wed Mar 7 22:33:50 2018: Debug:       if ((&Called-Station-Id) && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))  -> FALSE
> (73) Wed Mar 7 22:33:50 2018: Debug:       else {
> (73) Wed Mar 7 22:33:50 2018: Debug:         [noop] = noop
> (73) Wed Mar 7 22:33:50 2018: Debug:       } # else = noop
> (73) Wed Mar 7 22:33:50 2018: Debug:     } # policy rewrite_called_station_id = noop
> (73) Wed Mar 7 22:33:50 2018: Debug:     policy filter_username {
> (73) Wed Mar 7 22:33:50 2018: Debug:       if (&User-Name) {
> (73) Wed Mar 7 22:33:50 2018: Debug:       if (&User-Name)  -> TRUE
> (73) Wed Mar 7 22:33:50 2018: Debug:       if (&User-Name)  {
> (73) Wed Mar 7 22:33:50 2018: Debug:         if (&User-Name =~ / /) {
> (73) Wed Mar 7 22:33:50 2018: Debug:         if (&User-Name =~ / /)  -> FALSE
> (73) Wed Mar 7 22:33:50 2018: Debug:         if (&User-Name =~ /@[^@]*@/ ) {
> (73) Wed Mar 7 22:33:50 2018: Debug:         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (73) Wed Mar 7 22:33:50 2018: Debug:         if (&User-Name =~ /\.\./ ) {
> (73) Wed Mar 7 22:33:50 2018: Debug:         if (&User-Name =~ /\.\./ )  -> FALSE
> (73) Wed Mar 7 22:33:50 2018: Debug:         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (73) Wed Mar 7 22:33:50 2018: Debug:         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  -> FALSE
> (73) Wed Mar 7 22:33:50 2018: Debug:         if (&User-Name =~ /\.$/) {
> (73) Wed Mar 7 22:33:50 2018: Debug:         if (&User-Name =~ /\.$/)  -> FALSE
> (73) Wed Mar 7 22:33:50 2018: Debug:         if (&User-Name =~ /@\./) {
> (73) Wed Mar 7 22:33:50 2018: Debug:         if (&User-Name =~ /@\./)  -> FALSE
> (73) Wed Mar 7 22:33:50 2018: Debug:       } # if (&User-Name) = noop
> (73) Wed Mar 7 22:33:50 2018: Debug:     } # policy filter_username = noop
> (73) Wed Mar 7 22:33:50 2018: Debug:     policy filter_password {
> (73) Wed Mar 7 22:33:50 2018: Debug:       if (&User-Password && (&User-Password != "%{string:User-Password}")) {
> (73) Wed Mar 7 22:33:50 2018: Debug:       EXPAND %{string:User-Password}
> (73) Wed Mar 7 22:33:50 2018: Debug:          --> cisco
> (73) Wed Mar 7 22:33:50 2018: Debug:       if (&User-Password && (&User-Password != "%{string:User-Password}"))
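The request in the quoted raddebug output carries only User-Name, User-Password and NAS-IP-Address and no Calling-Station-Id, which is the signature of the switch's automate-tester keepalive rather than of an endpoint being authenticated. The script below is an added example, not code from the thread or from PacketFence: it groups raddebug lines by request number, collects each request's attributes, and separates such liveness probes from MAB requests (Service-Type = Call-Check plus a Calling-Station-Id) and 802.1X requests (an EAP-Message). Request 73 in the sample is the one from the thread; request 74 is constructed to show what a MAB request from a client on Ethernet0/1 would look like.

```python
import re
from collections import OrderedDict

# Constructed sample. Request 73 is copied from the thread (the NAS liveness
# probe); request 74 is made up: a MAB request for a client MAC on port 50102.
SAMPLE_RADDEBUG = """\
(73) Wed Mar 7 22:33:50 2018: Debug: Received Access-Request Id 133 from 192.168.56.100:1645 to 192.168.56.101:1812 length 51
(73) Wed Mar 7 22:33:50 2018: Debug:   User-Password = "cisco"
(73) Wed Mar 7 22:33:50 2018: Debug:   User-Name = "dummy"
(73) Wed Mar 7 22:33:50 2018: Debug:   NAS-IP-Address = 192.168.56.100
(73) Wed Mar 7 22:33:50 2018: Debug: # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence
(74) Wed Mar 7 22:34:01 2018: Debug: Received Access-Request Id 134 from 192.168.56.100:1645 to 192.168.56.101:1812 length 142
(74) Wed Mar 7 22:34:01 2018: Debug:   User-Name = "0050569a1b2c"
(74) Wed Mar 7 22:34:01 2018: Debug:   User-Password = "0050569a1b2c"
(74) Wed Mar 7 22:34:01 2018: Debug:   Service-Type = Call-Check
(74) Wed Mar 7 22:34:01 2018: Debug:   Calling-Station-Id = "00-50-56-9A-1B-2C"
(74) Wed Mar 7 22:34:01 2018: Debug:   NAS-IP-Address = 192.168.56.100
(74) Wed Mar 7 22:34:01 2018: Debug:   NAS-Port = 50102
"""

# "(N) <timestamp>: Debug: Received Access-Request Id <id> from <src> to <dst>"
RECV_RE = re.compile(r'^\((\d+)\) .*?: Debug: Received Access-Request Id (\d+) from (\S+) to (\S+)')
# "(N) <timestamp>: Debug:   Attribute-Name = value"
ATTR_RE = re.compile(r'^\((\d+)\) .*?: Debug:\s+([A-Za-z0-9-]+) = (.+)$')


def parse_requests(text):
    """Group raddebug lines by request number.

    Returns an ordered dict {num: {"id", "from", "to", "attrs"}} where attrs
    maps attribute names to their (unquoted) values.
    """
    reqs = OrderedDict()
    for line in text.splitlines():
        m = RECV_RE.match(line)
        if m:
            num, pid, src, dst = m.groups()
            reqs[num] = {"id": int(pid), "from": src, "to": dst, "attrs": {}}
            continue
        m = ATTR_RE.match(line)
        if m and m.group(1) in reqs:
            name, value = m.group(2), m.group(3).strip().strip('"')
            reqs[m.group(1)]["attrs"][name] = value
    return reqs


def classify(req):
    """Tell a NAS liveness probe apart from real endpoint authentication."""
    attrs = req["attrs"]
    if "Calling-Station-Id" not in attrs:
        return "probe"     # no client MAC: the switch testing the server, not a client
    if "EAP-Message" in attrs:
        return "dot1x"     # EAP carried in RADIUS: 802.1X
    if attrs.get("Service-Type") == "Call-Check":
        return "mab"       # MAC authentication bypass as Cisco IOS sends it
    return "other"


def normalize_mac(value):
    """Reduce 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff' etc. to 12 lowercase hex digits."""
    digits = re.sub(r'[^0-9a-fA-F]', '', value).lower()
    return digits if len(digits) == 12 else None


def summarize(text):
    """(request number, NAS IP, kind, normalized client MAC or None) per request."""
    rows = []
    for num, req in parse_requests(text).items():
        nas_ip = req["from"].split(":")[0]
        mac = normalize_mac(req["attrs"].get("Calling-Station-Id", ""))
        rows.append((num, nas_ip, classify(req), mac))
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_RADDEBUG):
        print("request %s from %s: %s mac=%s" % row)
```

Run it over the output of `raddebug` (or `radiusd -X`) saved to a file: a run that shows nothing but "probe" rows means the client on the access port never produced a RADIUS request at all, which points at the switch side rather than at PacketFence's authorize policy.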
Re: [PacketFence-users] Unknown Switch - Rejected User
Hi Fabrice,

But it doesn't. I have been trying to solve the problem for hours but could not find anything.

I read the Administrator Guide and ran raddebug to find any clue. Still trying to find it. I'm sending the output to you. Maybe you can see something that I did not see.

(73) Wed Mar 7 22:33:50 2018: Debug: Received Access-Request Id 133 from 192.168.56.100:1645 to 192.168.56.101:1812 length 51
(73) Wed Mar 7 22:33:50 2018: Debug:   User-Password = "cisco"
(73) Wed Mar 7 22:33:50 2018: Debug:   User-Name = "dummy"
(73) Wed Mar 7 22:33:50 2018: Debug:   NAS-IP-Address = 192.168.56.100
(73) Wed Mar 7 22:33:50 2018: Debug: # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence
(73) Wed Mar 7 22:33:50 2018: Debug:   authorize {
(73) Wed Mar 7 22:33:50 2018: Debug:     update {
(73) Wed Mar 7 22:33:50 2018: Debug:       EXPAND %{Packet-Src-IP-Address}
(73) Wed Mar 7 22:33:50 2018: Debug:          --> 192.168.56.100
(73) Wed Mar 7 22:33:50 2018: Debug:       EXPAND %l
(73) Wed Mar 7 22:33:50 2018: Debug:          --> 1520451230
(73) Wed Mar 7 22:33:50 2018: Debug:     } # update = noop
(73) Wed Mar 7 22:33:50 2018: Debug:     policy rewrite_calling_station_id {
(73) Wed Mar 7 22:33:50 2018: Debug:       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(73) Wed Mar 7 22:33:50 2018: Debug:       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> FALSE
(73) Wed Mar 7 22:33:50 2018: Debug:       else {
(73) Wed Mar 7 22:33:50 2018: Debug:         [noop] = noop
(73) Wed Mar 7 22:33:50 2018: Debug:       } # else = noop
(73) Wed Mar 7 22:33:50 2018: Debug:     } # policy rewrite_calling_station_id = noop
(73) Wed Mar 7 22:33:50 2018: Debug:     policy rewrite_called_station_id {
(73) Wed Mar 7 22:33:50 2018: Debug:       if ((&Called-Station-Id) && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) {
(73) Wed Mar 7 22:33:50 2018: Debug:       if ((&Called-Station-Id) && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))  -> FALSE
(73) Wed Mar 7 22:33:50 2018: Debug:       else {
(73) Wed Mar 7 22:33:50 2018: Debug:         [noop] = noop
(73) Wed Mar 7 22:33:50 2018: Debug:       } # else = noop
(73) Wed Mar 7 22:33:50 2018: Debug:     } # policy rewrite_called_station_id = noop
(73) Wed Mar 7 22:33:50 2018: Debug:     policy filter_username {
(73) Wed Mar 7 22:33:50 2018: Debug:       if (&User-Name) {
(73) Wed Mar 7 22:33:50 2018: Debug:       if (&User-Name)  -> TRUE
(73) Wed Mar 7 22:33:50 2018: Debug:       if (&User-Name)  {
(73) Wed Mar 7 22:33:50 2018: Debug:         if (&User-Name =~ / /) {
(73) Wed Mar 7 22:33:50 2018: Debug:         if (&User-Name =~ / /)  -> FALSE
(73) Wed Mar 7 22:33:50 2018: Debug:         if (&User-Name =~ /@[^@]*@/ ) {
(73) Wed Mar 7 22:33:50 2018: Debug:         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(73) Wed Mar 7 22:33:50 2018: Debug:         if (&User-Name =~ /\.\./ ) {
(73) Wed Mar 7 22:33:50 2018: Debug:         if (&User-Name =~ /\.\./ )  -> FALSE
(73) Wed Mar 7 22:33:50 2018: Debug:         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(73) Wed Mar 7 22:33:50 2018: Debug:         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  -> FALSE
(73) Wed Mar 7 22:33:50 2018: Debug:         if (&User-Name =~ /\.$/) {
(73) Wed Mar 7 22:33:50 2018: Debug:         if (&User-Name =~ /\.$/)  -> FALSE
(73) Wed Mar 7 22:33:50 2018: Debug:         if (&User-Name =~ /@\./) {
(73) Wed Mar 7 22:33:50 2018: Debug:         if (&User-Name =~ /@\./)  -> FALSE
(73) Wed Mar 7 22:33:50 2018: Debug:       } # if (&User-Name) = noop
(73) Wed Mar 7 22:33:50 2018: Debug:     } # policy filter_username = noop
(73) Wed Mar 7 22:33:50 2018: Debug:     policy filter_password {
(73) Wed Mar 7 22:33:50 2018: Debug:       if (&User-Password && (&User-Password != "%{string:User-Password}")) {
(73) Wed Mar 7 22:33:50 2018: Debug:       EXPAND %{string:User-Password}
(73) Wed Mar 7 22:33:50 2018: Debug:          --> cisco
(73) Wed Mar 7 22:33:50 2018: Debug:       if (&User-Password && (&User-Password != "%{string:User-Password}"))  -> FALSE
(73) Wed Mar 7 22:33:50 2018: Debug:     } # policy filter_password = noop
(73) Wed Mar 7 22:33:50 2018: Debug:     [preprocess] = ok
(73) Wed Mar 7 22:33:50 2018: Debug:     suffix: Checking for suffix after "@"
(73) Wed Mar 7 22:33:50 2018: Debug:     suffix: No '@' in User-Name = "dummy", skipping NULL due to config.
(7
Re: [PacketFence-users] Unknown Switch - Rejected User
Hello Ebrar,

This should work:

[192.168.56.100]
description=IOUvL2
type=Cisco::Catalyst_2960
radiusSecret=useStrongerSecret
deauthMethod=RADIUS

Regards
Fabrice

On 2018-03-06 at 08:49, ebrar via PacketFence-users wrote:

Hi All,

I have set up PF on a virtual machine whose OS is CentOS, and I have set up a switch on GNS3 using the image below:

i86bi-linux-l2-adventerprisek9-15.1a

This SW lets me do all the configurations mentioned in the PacketFence Out-of-Band Deployment Quick Guide. You can see the related configurations on the SW below:

username ebrar privilege 0 password 0 eleb
aaa new-model
!
!
aaa group server radius packetfence
 server name pfnac
!
aaa authentication login default local
aaa authentication dot1x default group packetfence
aaa authorization network default group packetfence
!
!
!
!
aaa server radius dynamic-author
 client 192.168.56.101 server-key useStrongerSecret
 port 3799
!
aaa session-id common
no ip icmp rate-limit unreachable
!
ip cef
!
!
no ip domain-lookup
no ipv6 cef
ipv6 multicast rpf use-bgp
!
!
dot1x system-auth-control
interface Ethernet0/0
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2,3,10
 switchport mode trunk
 duplex auto
!
interface Ethernet0/1
 switchport access vlan 10
 switchport mode access
 duplex auto
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 authentication periodic
 authentication timer restart 10800
 authentication timer reauthenticate 10800
 authentication violation replace
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout quiet-period 2
 dot1x timeout tx-period 3
!
interface Ethernet0/2
 switchport access vlan 20
 switchport mode access
 duplex auto
snmp-server community public RO
snmp-server community private RW
snmp-server host 192.168.56.101 version 2c public
!
radius-server vsa send authentication
!
radius server pfnac
 address ipv4 192.168.56.101 auth-port 1812 acct-port 1813
 automate-tester username ebrar ignore-acct-port idle-time 3
 key useStrongerSecret

When I connect a client to Ethernet0/1 and try to reach the internet (www.google.com), it responds "Page Not Found" and nothing changes on the SW. You can see the errors in the log files below:

packetfence.log:

[root@localhost logs]# tail -f packetfence.log
Mar 6 19:26:03 localhost packetfence_httpd.aaa: httpd.aaa(2123) ERROR: [mac:[undef]] WARNING ! Unknown switch(es) 192.168.56.100 (pf::SwitchFactory::instantiate)
Mar 6 19:26:03 localhost packetfence_httpd.aaa: httpd.aaa(2123) WARN: [mac:[undef]] Unknown switch (192.168.56.100). This request will be failed. (pf::radius::switch_access)
Mar 6 19:29:02 localhost packetfence_httpd.aaa: httpd.aaa(2123) ERROR: [mac:[undef]] WARNING ! Unknown switch(es) 192.168.56.100 (pf::SwitchFactory::instantiate)
Mar 6 19:29:02 localhost packetfence_httpd.aaa: httpd.aaa(2123) WARN: [mac:[undef]] Unknown switch (192.168.56.100). This request will be failed. (pf::radius::switch_access)
Mar 6 19:31:51 localhost packetfence_httpd.aaa: httpd.aaa(2123) ERROR: [mac:[undef]] WARNING ! Unknown switch(es) 192.168.56.100 (pf::SwitchFactory::instantiate)
Mar 6 19:31:51 localhost packetfence_httpd.aaa: httpd.aaa(2123) WARN: [mac:[undef]] Unknown switch (192.168.56.100). This request will be failed. (pf::radius::switch_access)
Mar 6 19:34:49 localhost packetfence_httpd.aaa: httpd.aaa(2123) ERROR: [mac:[undef]] WARNING ! Unknown switch(es) 192.168.56.100 (pf::SwitchFactory::instantiate)
Mar 6 19:34:49 localhost packetfence_httpd.aaa: httpd.aaa(2123) WARN: [mac:[undef]] Unknown switch (192.168.56.100). This request will be failed. (pf::radius::switch_access)
Mar 6 19:37:37 localhost packetfence_httpd.aaa: httpd.aaa(2123) ERROR: [mac:[undef]] WARNING ! Unknown switch(es) 192.168.56.100 (pf::SwitchFactory::instantiate)
Mar 6 19:37:37 localhost packetfence_httpd.aaa: httpd.aaa(2123) WARN: [mac:[undef]] Unknown switch (192.168.56.100). This request will be failed. (pf::radius::switch_access)

radius.log:

Mar 6 19:37:37 localhost auth[2284]: (552) rest: ERROR: {"control:PacketFence-Authorization-Status":"allow","Reply-Message":"Switch is not managed by PacketFence"}
Mar 6 19:37:37 localhost auth[2284]: Need 2 more connections to reach min connections (3)
Mar 6 19:37:37 localhost auth[2284]: rlm_rest (rest): Opening additional connection (1099), 1 of 63 pending slots used
Mar 6 19:37:37 localhost auth[2284]: rlm_sql (sql): Closing connection (1097): Hit idle_timeout, was idle for 168 seconds
Mar 6 19:37:37 localhost auth[2284]: rlm_sql (sql): Closing connection (1098): Hit idle_timeout, was idle for 168 seconds
Mar 6 19:37:37 localhost auth[2284]: rlm_sql (sql): Opening additional connection (1099), 1 of 64 pending slots used
Mar 6 19:37:37 localhost auth[2284]: Need 2 more connections to reach min connections (3)
Mar 6 19:37:37 localhost auth[2284]: rlm_sql (sql): Opening additional connection
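The packetfence.log lines name the actual failure: pf::SwitchFactory has no entry for NAS IP 192.168.56.100, so pf::radius::switch_access fails the request and FreeRADIUS's rest module relays "Switch is not managed by PacketFence". The stanza Fabrice gives fixes that for one switch; the script below, an added example that is neither the thread's nor PacketFence's code, does the same check systematically: it pulls every NAS IP reported as "Unknown switch" out of the log, compares them with the sections of a switches.conf-style file, and emits a stanza for each missing one with a freshly generated shared secret instead of the quick guide's placeholder useStrongerSecret (a placeholder string known to anyone who has read the guide, so it should never survive past the lab). It assumes plain IP-address section names and ignores the ranges and group sections PacketFence also accepts; the config and log excerpt are constructed, with the first two log lines taken from the thread.

```python
import configparser
import re
import secrets

# Constructed switches.conf, modelled on the stanza suggested in the thread.
SWITCHES_CONF = """\
[default]
radiusSecret=useStrongerSecret

[192.168.56.100]
description=IOUvL2
type=Cisco::Catalyst_2960
radiusSecret=useStrongerSecret
deauthMethod=RADIUS
"""

# Constructed packetfence.log excerpt: lines 1-2 are from the thread, line 3
# (a second, unconfigured NAS at 192.168.56.200) is made up.
PF_LOG = """\
Mar 6 19:26:03 localhost packetfence_httpd.aaa: httpd.aaa(2123) ERROR: [mac:[undef]] WARNING ! Unknown switch(es) 192.168.56.100 (pf::SwitchFactory::instantiate)
Mar 6 19:26:03 localhost packetfence_httpd.aaa: httpd.aaa(2123) WARN: [mac:[undef]] Unknown switch (192.168.56.100). This request will be failed. (pf::radius::switch_access)
Mar 6 19:40:12 localhost packetfence_httpd.aaa: httpd.aaa(2123) WARN: [mac:[undef]] Unknown switch (192.168.56.200). This request will be failed. (pf::radius::switch_access)
"""

# Matches the pf::radius::switch_access warning, which carries the NAS IP in parentheses.
UNKNOWN_RE = re.compile(r'Unknown switch \((\d+\.\d+\.\d+\.\d+)\)')
# Secrets copied verbatim from documentation; treat them as no secret at all.
PLACEHOLDER_SECRETS = {"useStrongerSecret"}


def load_switches(conf_text):
    """Parse an INI-style switches.conf; section names are the switch IPs."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp


def unknown_switch_ips(log_text):
    """Distinct NAS IPs PacketFence refused as unknown, in first-seen order."""
    seen = []
    for line in log_text.splitlines():
        m = UNKNOWN_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def suggest_stanza(ip, switch_type="Cisco::Catalyst_2960", description="unconfigured NAS"):
    """A switches.conf stanza for one NAS with a random per-switch shared secret.

    The secret must also be set on the switch ('key ...' under 'radius server' and
    'server-key ...' under 'aaa server radius dynamic-author').
    """
    secret = secrets.token_urlsafe(24)
    return (f"[{ip}]\ndescription={description}\ntype={switch_type}\n"
            f"radiusSecret={secret}\ndeauthMethod=RADIUS\n")


def audit(conf_text, log_text):
    """Report NAS IPs missing from the config and stanzas still on a placeholder secret."""
    cp = load_switches(conf_text)
    known = {s for s in cp.sections() if s != "default"}
    missing = [ip for ip in unknown_switch_ips(log_text) if ip not in known]
    weak = [s for s in cp.sections()
            if cp.get(s, "radiusSecret", fallback="") in PLACEHOLDER_SECRETS]
    return {"missing": missing, "weak_secret": weak}


if __name__ == "__main__":
    report = audit(SWITCHES_CONF, PF_LOG)
    for ip in report["missing"]:
        print(f"# NAS {ip} is not in switches.conf; suggested stanza:\n{suggest_stanza(ip)}")
    for section in report["weak_secret"]:
        print(f"# [{section}] still uses a placeholder radiusSecret; rotate it")
```

On a real system point it at /usr/local/pf/conf/switches.conf and /usr/local/pf/logs/packetfence.log, then reload PacketFence's configuration as the administration guide for your version describes. The "missing" list catches the problem in this thread (a NAS that can reach the RADIUS port but has no switch definition); the "weak_secret" list catches the one that usually follows a copy-and-paste deployment.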