Re: [PacketFence-users] auth request from wrong switch

2017-11-17 Thread Fabrice Durand via PacketFence-users
Hum ok, really weird.

It looks like, when the device first connects on port 2/43, 802.1x
fails so it starts MAC auth, but just after that the port goes down and a
new request comes in from port 5/3.

When this happens, can you check in the mac-address-table where the
MAC address is (before and after)?

Is it a stack of switches?

Does the issue occur all the time on the same physical switch?


On 2017-11-16 at 22:52, Sokolowski, Darryl wrote:
> Hi Fabrice,
> Yes, those ports are switchports plugged directly into PCs. Not uplinks.
> Show cdp neighbors returns expected ports, but none of those in
> question here.
>
> Thanks
> Darryl
>
>
>
>  Original message 
> From: Durand fabrice via PacketFence-users
> <packetfence-users@lists.sourceforge.net>
> Date: 11/16/17 7:48 PM (GMT-05:00)
> To: packetfence-users@lists.sourceforge.net
> Cc: Durand fabrice <fdur...@inverse.ca>
> Subject: Re: [PacketFence-users] auth request from wrong switch
>
> Just to be sure, ports 5/3 and 2/43 are switch ports, not uplinks?
>
> Does "show cdp neighbors" return one of these ports?
>
>
>
> On 2017-11-16 at 17:46, Sokolowski, Darryl via PacketFence-users wrote:
>>
>> Another thing I noticed is that if I go into PF and restart the
>> switchport from the node details, it will authenticate as dot1x.
>>
>> When it fails, it seems it is trying wired mac auth. When it does
>> wired mac auth, it says it’s successful, but on a port that is
>> something other than where it is really plugged in, so no network access.
>>
>> If I unplug the nic, and plug it back in, it does not work, only when
>> I restart the port from PF does it work properly and authenticate as
>> dot1x.
>>
>> From: Sokolowski, Darryl via PacketFence-users
>> [mailto:packetfence-users@lists.sourceforge.net]
>> Sent: Thursday, November 16, 2017 10:34 AM
>> To: packetfence-users@lists.sourceforge.net; Jason Sloan
>> <jason.a.sl...@gmail.com>
>> Cc: Sokolowski, Darryl <ds...@earthcolor.com>
>> Subject: Re: [PacketFence-users] auth request from wrong switch
>>
>> Hi again,
>>
>> This is weird, I don’t know what it means.
>>
>> A machine starts up, shows up on port 2/43, then it appears for some
>> reason it gets authorized on a different port right after that. The
>> first port it appears on, 2/43 is the real port it’s plugged into.
>> Then right after that, it appears on 5/3, and that’s when I think it
>> gets kicked off the network, since now the switch thinks it’s on 5/3.
>> There are no minihubs in the way, these machines plug directly into
>> their respective ports.
>>
>> I attached a good bit of the debug log, but didn’t want to send the
>> whole thing, it’s very long. Let me know if I need to send more.
>> There is more in the attachment than I pasted below.
>>
>> I can’t figure out why these machines are getting seen on multiple ports.
>>
>> Thanks for any insight.
>>
>> Darryl
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,"350287: 350087: Nov 16 12:53:00.279: dot1x-packet:[0026.2d15.049b, Gi2/43] EAPOL canned status packet sent to client 0xAC94"
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,"350288: 350088: Nov 16 12:53:00.279: dot1x-ev:[0026.2d15.049b, Gi2/43] Deleting client 0xAC94 (0026.2d15.049b)"
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,"350289: 350089: Nov 16 12:53:00.279: dot1x-ev:[0026.2d15.049b, Gi2/43] Delete auth client (0xAC94) message"
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350290: 350090: Nov 16 12:53:00.279: dot1x-ev:Auth client ctx destroyed
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350291: 350091: Nov 16 12:53:00.279: RADIUS/ENCODE():Orig. component type = Invalid
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350292: 350092: Nov 16 12:53:00.279: RADIUS(): Config NAS IP: 172.16.0.200
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350293: 350093: Nov 16 12:53:00.279: RADIUS(): Config NAS IPv6: ::
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350294: 350094: Nov 16 12:53:00.279: RADIUS(): sending
>>
>> 2017-11-16 07:52:59,Local5.Debug,172.16.0.200,"350295: 350095: Nov 16 12:53:00.279: RADIUS(): Send Access-Request to 172.16.1.73:1812 onvrf(0) id 1645/251,

Re: [PacketFence-users] auth request from wrong switch

2017-11-16 Thread Sokolowski, Darryl via PacketFence-users



Hi Fabrice,
Yes, those ports are switchports plugged directly into PCs. Not uplinks.
Show cdp neighbors returns expected ports, but none of those in question here.


Thanks
Darryl






 Original message 
From: Durand fabrice via PacketFence-users <packetfence-users@lists.sourceforge.net>

Date: 11/16/17 7:48 PM (GMT-05:00) 
To: packetfence-users@lists.sourceforge.net 
Cc: Durand fabrice <fdur...@inverse.ca> 
Subject: Re: [PacketFence-users] auth request from wrong switch 



Just to be sure, ports 5/3 and 2/43 are switch ports, not uplinks?
Does "show cdp neighbors" return one of these ports?



On 2017-11-16 at 17:46, Sokolowski, Darryl via PacketFence-users wrote:





Another thing I noticed is that if I go into PF and restart the switchport from the node details, it will authenticate as dot1x.

When it fails, it seems it is trying wired mac auth. When it does wired mac auth, it says it’s successful, but on a port that is something other than where it is really plugged in, so no network access.
If I unplug the nic, and plug it back in, it does not work, only when I restart the port from PF does it work properly and authenticate as dot1x.


From: Sokolowski, Darryl via PacketFence-users [mailto:packetfence-users@lists.sourceforge.net]
Sent: Thursday, November 16, 2017 10:34 AM
To: packetfence-users@lists.sourceforge.net; Jason Sloan <jason.a.sl...@gmail.com>
Cc: Sokolowski, Darryl <ds...@earthcolor.com>
Subject: Re: [PacketFence-users] auth request from wrong switch


 
Hi again,
This is weird, I don’t know what it means.
A machine starts up, shows up on port 2/43, then it appears for some reason it gets authorized on a different port right after that. The first port it appears on, 2/43 is the real port it’s plugged into. Then right after that, it appears on 5/3, and that’s when I think it gets kicked off the network, since now the switch thinks it’s on 5/3. There are no minihubs in the way, these machines plug directly into their respective ports.

I attached a good bit of the debug log, but didn’t want to send the whole thing, it’s very long. Let me know if I need to send more. There is more in the attachment than I pasted below.
I can’t figure out why these machines are getting seen on multiple ports.

Thanks for any insight.
Darryl

2017-11-16 07:52:59,Local5.Debug,172.16.0.200,"350287: 350087: Nov 16 12:53:00.279: dot1x-packet:[0026.2d15.049b, Gi2/43] EAPOL canned status packet sent to client 0xAC94"
2017-11-16 07:52:59,Local5.Debug,172.16.0.200,"350288: 350088: Nov 16 12:53:00.279: dot1x-ev:[0026.2d15.049b, Gi2/43] Deleting client 0xAC94 (0026.2d15.049b)"
2017-11-16 07:52:59,Local5.Debug,172.16.0.200,"350289: 350089: Nov 16 12:53:00.279: dot1x-ev:[0026.2d15.049b, Gi2/43] Delete auth client (0xAC94) message"
2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350290: 350090: Nov 16 12:53:00.279: dot1x-ev:Auth client ctx destroyed
2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350291: 350091: Nov 16 12:53:00.279: RADIUS/ENCODE():Orig. component type = Invalid
2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350292: 350092: Nov 16 12:53:00.279: RADIUS(): Config NAS IP: 172.16.0.200
2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350293: 350093: Nov 16 12:53:00.279: RADIUS(): Config NAS IPv6: ::
2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350294: 350094: Nov 16 12:53:00.279: RADIUS(): sending
2017-11-16 07:52:59,Local5.Debug,172.16.0.200,"350295: 350095: Nov 16 12:53:00.279: RADIUS(): Send Access-Request to 172.16.1.73:1812 onvrf(0) id 1645/251, len 259"
2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350296: 350096: Nov 16 12:53:00.279: RADIUS:  authenticator 7A 07 65 33 17 CD 20 47 - 3C 6A 23 4C 46 19 31 B0
2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350297: 350097: Nov 16 12:53:00.279: RADIUS:  User-Name   [1]   14  "00262d15049b"
2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350298: 350098: Nov 16 12:53:00.279: RADIUS:  User-Password   [2]   18  *
2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350299: 350099: Nov 16 12:53:00.279: RADIUS:  Service-Type    [6]   6   Call Check    [10]
2017-11-16 07:52:59,Local5.Debug,172.16.0.200,"350300: 350100: Nov 16 12:53:00.279: RADIUS:  Vendor, Cisco   [26]  31  "
2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350301: 350101: Nov 16 12:53:00.279: RADIUS:   Cisco AVpair   [1]   25  "service-type=Call Check"
2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350302: 350102: Nov 16 12:53:00.279: RADIUS:  Framed-MTU  [12]  6   1500 

2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350303: 350103: Nov 16 12:53:00.279: RADIUS:  Called-Station-Id   [30]  19  "2C-54-2D-A5-A4-D2"
2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350304: 350104: Nov 16 12:53:00.279: RADIUS:  Calling-Station-Id  [31]  19  "00-26-2D-15-04-

Re: [PacketFence-users] auth request from wrong switch

2017-11-16 Thread Durand fabrice via PacketFence-users

Just to be sure, ports 5/3 and 2/43 are switch ports, not uplinks?

Does "show cdp neighbors" return one of these ports?



On 2017-11-16 at 17:46, Sokolowski, Darryl via PacketFence-users wrote:


Another thing I noticed is that if I go into PF and restart the 
switchport from the node details, it will authenticate as dot1x.


When it fails, it seems it is trying wired mac auth. When it does 
wired mac auth, it says it’s successful, but on a port that is 
something other than where it is really plugged in, so no network access.


If I unplug the nic, and plug it back in, it does not work, only when 
I restart the port from PF does it work properly and authenticate as 
dot1x.


From: Sokolowski, Darryl via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net]

Sent: Thursday, November 16, 2017 10:34 AM
To: packetfence-users@lists.sourceforge.net; Jason Sloan 
<jason.a.sl...@gmail.com>

Cc: Sokolowski, Darryl <ds...@earthcolor.com>
Subject: Re: [PacketFence-users] auth request from wrong switch

Hi again,

This is weird, I don’t know what it means.

A machine starts up, shows up on port 2/43, then it appears for some 
reason it gets authorized on a different port right after that. The 
first port it appears on, 2/43 is the real port it’s plugged into. 
Then right after that, it appears on 5/3, and that’s when I think it 
gets kicked off the network, since now the switch thinks it’s on 5/3. 
There are no minihubs in the way, these machines plug directly into 
their respective ports.


I attached a good bit of the debug log, but didn’t want to send the 
whole thing, it’s very long. Let me know if I need to send more. There 
is more in the attachment than I pasted below.


I can’t figure out why these machines are getting seen on multiple ports.

Thanks for any insight.

Darryl

2017-11-16 07:52:59,Local5.Debug,172.16.0.200,"350287: 350087: Nov 16 12:53:00.279: dot1x-packet:[0026.2d15.049b, Gi2/43] EAPOL canned status packet sent to client 0xAC94"

2017-11-16 07:52:59,Local5.Debug,172.16.0.200,"350288: 350088: Nov 16 12:53:00.279: dot1x-ev:[0026.2d15.049b, Gi2/43] Deleting client 0xAC94 (0026.2d15.049b)"

2017-11-16 07:52:59,Local5.Debug,172.16.0.200,"350289: 350089: Nov 16 12:53:00.279: dot1x-ev:[0026.2d15.049b, Gi2/43] Delete auth client (0xAC94) message"

2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350290: 350090: Nov 16 12:53:00.279: dot1x-ev:Auth client ctx destroyed

2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350291: 350091: Nov 16 12:53:00.279: RADIUS/ENCODE():Orig. component type = Invalid

2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350292: 350092: Nov 16 12:53:00.279: RADIUS(): Config NAS IP: 172.16.0.200

2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350293: 350093: Nov 16 12:53:00.279: RADIUS(): Config NAS IPv6: ::

2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350294: 350094: Nov 16 12:53:00.279: RADIUS(): sending

2017-11-16 07:52:59,Local5.Debug,172.16.0.200,"350295: 350095: Nov 16 12:53:00.279: RADIUS(): Send Access-Request to 172.16.1.73:1812 onvrf(0) id 1645/251, len 259"

2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350296: 350096: Nov 16 12:53:00.279: RADIUS:  authenticator 7A 07 65 33 17 CD 20 47 - 3C 6A 23 4C 46 19 31 B0

2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350297: 350097: Nov 16 12:53:00.279: RADIUS:  User-Name   [1]   14 "00262d15049b"

2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350298: 350098: Nov 16 12:53:00.279: RADIUS:  User-Password   [2]   18  *

2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350299: 350099: Nov 16 12:53:00.279: RADIUS:  Service-Type    [6]   6   Call Check    [10]

2017-11-16 07:52:59,Local5.Debug,172.16.0.200,"350300: 350100: Nov 16 12:53:00.279: RADIUS:  Vendor, Cisco   [26]  31  "

2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350301: 350101: Nov 16 12:53:00.279: RADIUS:   Cisco AVpair   [1]   25 "service-type=Call Check"

2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350302: 350102: Nov 16 12:53:00.279: RADIUS:  Framed-MTU  [12]  6 1500

2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350303: 350103: Nov 16 12:53:00.279: RADIUS:  Called-Station-Id   [30]  19 "2C-54-2D-A5-A4-D2"

2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350304: 350104: Nov 16 12:53:00.279: RADIUS:  Calling-Station-Id  [31]  19 "00-26-2D-15-04-9B"

2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350305: 350105: Nov 16 12:53:00.279: RADIUS:  Message-Authenticato[80]  18

2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350306: 350106: Nov 16 12:53:00.279: RADIUS:   2D 71 9B 1E 20 7F 88 F3 6E D2 37 C1 40 61 D7 1B   [ -q n7@a]

2017-11-16 07:52:59,Local5.Debug,172.16.0.200,350307: 350107: Nov 16 12:53:00.279: RADIUS:  EAP-Key-Name    [102] 2   *

2017-11-16 07:52:59,Local5.Debug,17

Re: [PacketFence-users] auth request from wrong switch

2017-11-14 Thread Sokolowski, Darryl via PacketFence-users
This is happening to a few ports, but not all ports, I counted 12 so far.
I got some of the debug output, and am looking through it.
I set the ip radius source-interface on the 2 switches that seem to be 
crossing each other.

Thanks
Darryl

From: Jason Sloan [mailto:jason.a.sl...@gmail.com]
Sent: Tuesday, November 14, 2017 2:11 PM
To: Sokolowski, Darryl <ds...@earthcolor.com>
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] auth request from wrong switch

Depends on how the authentication request is sent. Is this happening for one 
client/port on the switch or the entire switch?

Try setting the source interface:
conf t
ip radius source-interface X (in your case you like

Since your switches are not under heavy load you can flip on some debugs and 
take a look at the authentication and make sure it is sourced as expected.

debug dot1x all
debug authentication all
debug radius authentication



On Tue, Nov 14, 2017 at 12:32 PM, Sokolowski, Darryl 
<ds...@earthcolor.com<mailto:ds...@earthcolor.com>> wrote:
Oh, ok. Since we have a ring, all interfaces comprising the ring are forwarding 
except one.
All switches are trunked to each other over the ring. I am certain there are no 
errant extra uplinks, since we are just beginning to use the switches and 
not much is plugged into them yet.
How could the blocking cause a machine to appear on a different port?

I did forget to include one switch is a 4507 chassis. Don’t think this should 
matter.

Thanks
Darryl


From: Jason Sloan 
[mailto:jason.a.sl...@gmail.com<mailto:jason.a.sl...@gmail.com>]
Sent: Tuesday, November 14, 2017 11:05 AM
To: Sokolowski, Darryl <ds...@earthcolor.com<mailto:ds...@earthcolor.com>>
Cc: 
packetfence-users@lists.sourceforge.net<mailto:packetfence-users@lists.sourceforge.net>
Subject: Re: [PacketFence-users] auth request from wrong switch

show spanning-tree vlan X (in your case vlan 1)

Check and see if all ports are in a forwarding state, or at least the ones you 
expect to be in a forwarding state are forwarding. If left to its own devices, 
sometimes spanning tree can make the wrong decision during an election. You can 
manually set spanning tree priorities on your up-links if this is the case. If 
the switches have vlan 1 trunked to each other this may be something to look 
at, otherwise probably not an issue.

On Tue, Nov 14, 2017 at 10:10 AM, Sokolowski, Darryl 
<ds...@earthcolor.com<mailto:ds...@earthcolor.com>> wrote:
Hi thanks for the response.
Sorry, I should have offered more detail on environment.
All switches are Cisco 3560E.
172.16.0.196 is a switch, all vlans exist on all switches, all switches use 
vlan1 for management, they are trunked via 10GB ring.
I did not set radius source interface.
No NATs.

Sorry, what do you mean by reviewing spanning tree blocks?



From: Jason Sloan 
[mailto:jason.a.sl...@gmail.com<mailto:jason.a.sl...@gmail.com>]
Sent: Monday, November 13, 2017 4:23 PM
To: 
packetfence-users@lists.sourceforge.net<mailto:packetfence-users@lists.sourceforge.net>
Cc: Sokolowski, Darryl <ds...@earthcolor.com<mailto:ds...@earthcolor.com>>
Subject: Re: [PacketFence-users] auth request from wrong switch

A few questions.
172.16.0.196 - is that a switch at all? If so, is that switch on the same vlan? 
Have you reviewed your spanning-tree blocks? Are you able to set a radius 
source interface? If so, is it set to the appropriate SVI / L3 link? Any NATs 
in the topology?

On Mon, Nov 13, 2017 at 3:40 PM, Sokolowski, Darryl via PacketFence-users 
<packetfence-users@lists.sourceforge.net<mailto:packetfence-users@lists.sourceforge.net>>
 wrote:
Hi all,
I have a strange problem I can’t see the reason for.
I have machines that get “stuck”, unable to access the network, seemingly 
because the 802.1x authentication request is coming from a switch that the 
device isn’t plugged into.
In this case, I have a computer (18:66:da:1e:06:0a) plugged into switch with IP 
172.16.0.200.
In the log it shows that the request is coming from 172.16.0.196, and 
authorizes the machine and assigns the correct vlan, but it is assigned to the 
wrong switch, so the client never can access the network.
Further, there is already the correct machine (64:00:6a:7c:34:ce) authorized on 
that port because that machine really does plug in there.

Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] handling radius autz request: from switch_ip => 
(172.16.0.196), connection_type => WIRED_MAC_AUTH,switch_mac => 
(00:23:ac:d0:ca:8a), mac => [18:66:da:1e:06:0a], port => 10110, username => 
"1866da1e060a" (pf::radius::authorize)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06

Re: [PacketFence-users] auth request from wrong switch

2017-11-14 Thread Jason Sloan via PacketFence-users
Depends on how the authentication request is sent. Is this happening for
one client/port on the switch or the entire switch?

Try setting the source interface:
conf t
ip radius source-interface X (in your case you like

Since your switches are not under heavy load you can flip on some debugs
and take a look at the authentication and make sure it is sourced as
expected.

debug dot1x all
debug authentication all
debug radius authentication



On Tue, Nov 14, 2017 at 12:32 PM, Sokolowski, Darryl <ds...@earthcolor.com>
wrote:

> Oh, ok. Since we have a ring, all interfaces comprising the ring are
> forwarding except one.
>
> All switches are trunked to each other over the ring. I am certain there
> are no errant extra uplinks, since we are just beginning to use the
> switches and not much is plugged into them yet.
>
> How could the blocking cause a machine to appear on a different port?
>
>
>
> I did forget to include one switch is a 4507 chassis. Don’t think this
> should matter.
>
>
>
> Thanks
>
> Darryl
>
>
>
>
>
> From: Jason Sloan [mailto:jason.a.sl...@gmail.com]
> Sent: Tuesday, November 14, 2017 11:05 AM
> To: Sokolowski, Darryl <ds...@earthcolor.com>
> Cc: packetfence-users@lists.sourceforge.net
> Subject: Re: [PacketFence-users] auth request from wrong switch
>
>
>
> show spanning-tree vlan X (in your case vlan 1)
>
>
>
> Check and see if all ports are in a forwarding state, or at least the ones
> you expect to be in a forwarding state are forwarding. If left to its own
> devices, sometimes spanning tree can make the wrong decision during an
> election. You can manually set spanning tree priorities on your up-links if
> this is the case. If the switches have vlan 1 trunked to each other this
> may be something to look at, otherwise probably not an issue.
>
>
>
> On Tue, Nov 14, 2017 at 10:10 AM, Sokolowski, Darryl <ds...@earthcolor.com>
> wrote:
>
> Hi thanks for the response.
>
> Sorry, I should have offered more detail on environment.
>
> All switches are Cisco 3560E.
>
> 172.16.0.196 is a switch, all vlans exist on all switches, all switches
> use vlan1 for management, they are trunked via 10GB ring.
>
> I did not set radius source interface.
>
> No NATs.
>
>
>
> Sorry, what do you mean by reviewing spanning tree blocks?
>
>
>
>
>
>
>
> From: Jason Sloan [mailto:jason.a.sl...@gmail.com]
> Sent: Monday, November 13, 2017 4:23 PM
> To: packetfence-users@lists.sourceforge.net
> Cc: Sokolowski, Darryl <ds...@earthcolor.com>
> Subject: Re: [PacketFence-users] auth request from wrong switch
>
>
>
> A few questions.
>
> 172.16.0.196 - is that a switch at all? If so, is that switch on the same
> vlan? Have you reviewed your spanning-tree blocks? Are you able to set a
> radius source interface? If so, is it set to the appropriate SVI / L3 link?
> Any NATs in the topology?
>
>
>
> On Mon, Nov 13, 2017 at 3:40 PM, Sokolowski, Darryl via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> Hi all,
>
> I have a strange problem I can’t see the reason for.
>
> I have machines that get “stuck”, unable to access the network, seemingly
> because the 802.1x authentication request is coming from a switch that the
> device isn’t plugged into.
>
> In this case, I have a computer (18:66:da:1e:06:0a) plugged into switch
> with IP 172.16.0.200.
>
> In the log it shows that the request is coming from 172.16.0.196, and
> authorizes the machine and assigns the correct vlan, but it is assigned to
> the wrong switch, so the client never can access the network.
>
> Further, there is already the correct machine (64:00:6a:7c:34:ce)
> authorized on that port because that machine really does plug in there.
>
>
>
> Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:18:66:da:1e:06:0a] handling radius autz request: from switch_ip =>
> (172.16.0.196), connection_type => WIRED_MAC_AUTH,switch_mac =>
> (00:23:ac:d0:ca:8a), mac => [18:66:da:1e:06:0a], port => 10110, username =>
> "1866da1e060a" (pf::radius::authorize)
>
> Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:18:66:da:1e:06:0a] Instantiate profile default (pf::Connection::
> ProfileFactory::_from_profile)
>
> Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:18:66:da:1e:06:0a] Connection type is WIRED_MAC_AUTH. Getting role
> from node_info (pf::role::getRegisteredRole)
>
> Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:18:66:da:1e:06:0a] Username was defined "1866da1e060a" - returning
> role 'Empl

Re: [PacketFence-users] auth request from wrong switch

2017-11-14 Thread Sokolowski, Darryl via PacketFence-users
Oh, ok. Since we have a ring, all interfaces comprising the ring are forwarding 
except one.
All switches are trunked to each other over the ring. I am certain there are no 
errant extra uplinks, since we are just beginning to use the switches and 
not much is plugged into them yet.
How could the blocking cause a machine to appear on a different port?

I did forget to include one switch is a 4507 chassis. Don’t think this should 
matter.

Thanks
Darryl


From: Jason Sloan [mailto:jason.a.sl...@gmail.com]
Sent: Tuesday, November 14, 2017 11:05 AM
To: Sokolowski, Darryl <ds...@earthcolor.com>
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] auth request from wrong switch

show spanning-tree vlan X (in your case vlan 1)

Check and see if all ports are in a forwarding state, or at least the ones you 
expect to be in a forwarding state are forwarding. If left to its own devices, 
sometimes spanning tree can make the wrong decision during an election. You can 
manually set spanning tree priorities on your up-links if this is the case. If 
the switches have vlan 1 trunked to each other this may be something to look 
at, otherwise probably not an issue.

On Tue, Nov 14, 2017 at 10:10 AM, Sokolowski, Darryl 
<ds...@earthcolor.com<mailto:ds...@earthcolor.com>> wrote:
Hi thanks for the response.
Sorry, I should have offered more detail on environment.
All switches are Cisco 3560E.
172.16.0.196 is a switch, all vlans exist on all switches, all switches use 
vlan1 for management, they are trunked via 10GB ring.
I did not set radius source interface.
No NATs.

Sorry, what do you mean by reviewing spanning tree blocks?



From: Jason Sloan 
[mailto:jason.a.sl...@gmail.com<mailto:jason.a.sl...@gmail.com>]
Sent: Monday, November 13, 2017 4:23 PM
To: 
packetfence-users@lists.sourceforge.net<mailto:packetfence-users@lists.sourceforge.net>
Cc: Sokolowski, Darryl <ds...@earthcolor.com<mailto:ds...@earthcolor.com>>
Subject: Re: [PacketFence-users] auth request from wrong switch

A few questions.
172.16.0.196 - is that a switch at all? If so, is that switch on the same vlan? 
Have you reviewed your spanning-tree blocks? Are you able to set a radius 
source interface? If so, is it set to the appropriate SVI / L3 link? Any NATs 
in the topology?

On Mon, Nov 13, 2017 at 3:40 PM, Sokolowski, Darryl via PacketFence-users 
<packetfence-users@lists.sourceforge.net<mailto:packetfence-users@lists.sourceforge.net>>
 wrote:
Hi all,
I have a strange problem I can’t see the reason for.
I have machines that get “stuck”, unable to access the network, seemingly 
because the 802.1x authentication request is coming from a switch that the 
device isn’t plugged into.
In this case, I have a computer (18:66:da:1e:06:0a) plugged into switch with IP 
172.16.0.200.
In the log it shows that the request is coming from 172.16.0.196, and 
authorizes the machine and assigns the correct vlan, but it is assigned to the 
wrong switch, so the client never can access the network.
Further, there is already the correct machine (64:00:6a:7c:34:ce) authorized on 
that port because that machine really does plug in there.

Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] handling radius autz request: from switch_ip => 
(172.16.0.196), connection_type => WIRED_MAC_AUTH,switch_mac => 
(00:23:ac:d0:ca:8a), mac => [18:66:da:1e:06:0a], port => 10110, username => 
"1866da1e060a" (pf::radius::authorize)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] Connection type is WIRED_MAC_AUTH. Getting role from 
node_info (pf::role::getRegisteredRole)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] Username was defined "1866da1e060a" - returning role 
'Employee' (pf::role::getRegisteredRole)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] PID: "CORE\amblerd", Status: reg Returned VLAN: 
(undefined), Role: Employee (pf::role::fetchRoleForNode)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:18:66:da:1e:06:0a] (172.16.0.196) Added VLAN 18 to the returned RADIUS 
Access-Accept (pf::Switch::returnRadiusAccessAccept)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] handling radius autz request: from switch_ip => 
(172.16.0.196), connection_type => Ethernet-EAP,switch_mac => 
(00:23:ac:d0:ca:8a), mac => [64:00:6a:7c:34:ce], port => 10110, username => 
"host/LoboA7.CORE.LOCAL" (pf::radius::authorize)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: 
[mac:64:00:6a:7c:34:ce] is doing machine auth with account 
'host/Lob
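
The two anomalies in the log lines above (a second MAC authorised on port 10110 of 172.16.0.196 fifteen seconds after the machine that really lives there, and one MAC turning up on two different switch/port pairs within seconds) can be pulled out of the packetfence_httpd.aaa log mechanically. The script below is an added example written for this thread; it is not PacketFence code and nobody in the thread posted it. It parses the "handling radius autz request" lines in the format Darryl pasted and reports both patterns. The SAMPLE_LOG lines are constructed for the demo: the first three mirror the pasted ones, the fourth is invented (switch 172.16.0.200, port 10112, a placeholder switch_mac) to show the same MAC reappearing elsewhere. The 60-second window is an assumption; tune it to how fast a real move is plausible on your floor.

```python
"""Correlate PacketFence httpd.aaa 'handling radius autz request' lines to
flag devices that get authorised on a switch/port they are not plugged into.

Added example for the mailing-list thread, not PacketFence code.  The line
format follows the packetfence_httpd.aaa lines pasted in the thread; the
SAMPLE_LOG lines are constructed for this demo.
"""
import re
from collections import defaultdict
from datetime import datetime

# Fields the thread relies on: syslog time, client MAC, switch_ip, port.
AUTZ_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ packetfence_httpd\.aaa: .*?"
    r"\[mac:(?P<mac>[0-9a-f:]{17})\] handling radius autz request: "
    r"from switch_ip => \((?P<switch_ip>[^)]+)\), "
    r"connection_type => (?P<ctype>[^,]+),.*?port => (?P<port>\d+)"
)

# Constructed sample: lines 1-3 mirror the thread, line 4 is invented.
SAMPLE_LOG = """\
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: [mac:18:66:da:1e:06:0a] handling radius autz request: from switch_ip => (172.16.0.196), connection_type => WIRED_MAC_AUTH,switch_mac => (00:23:ac:d0:ca:8a), mac => [18:66:da:1e:06:0a], port => 10110, username => "1866da1e060a" (pf::radius::authorize)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: [mac:18:66:da:1e:06:0a] (172.16.0.196) Added VLAN 18 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: [mac:64:00:6a:7c:34:ce] handling radius autz request: from switch_ip => (172.16.0.196), connection_type => Ethernet-EAP,switch_mac => (00:23:ac:d0:ca:8a), mac => [64:00:6a:7c:34:ce], port => 10110, username => "host/LoboA7.CORE.LOCAL" (pf::radius::authorize)
Nov 13 03:13:05 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: [mac:18:66:da:1e:06:0a] handling radius autz request: from switch_ip => (172.16.0.200), connection_type => Ethernet-EAP,switch_mac => (00:00:00:00:00:01), mac => [18:66:da:1e:06:0a], port => 10112, username => "host/EXAMPLE.CORE.LOCAL" (pf::radius::authorize)
"""


def parse_autz(lines, year=2017):
    """Return authorisation events in time order (syslog lines carry no year)."""
    events = []
    for line in lines:
        m = AUTZ_RE.match(line)
        if not m:
            continue  # role/VLAN lines are not authorisation requests
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "mac": m["mac"], "switch_ip": m["switch_ip"],
                       "port": int(m["port"]), "ctype": m["ctype"].strip()})
    return sorted(events, key=lambda e: e["ts"])


def _pairs_within(evs, window_s):
    """Yield (earlier, later) pairs from one time-ordered bucket that are
    at most window_s seconds apart."""
    for i, a in enumerate(evs):
        for b in evs[i + 1:]:
            if (b["ts"] - a["ts"]).total_seconds() <= window_s:
                yield a, b


def find_port_collisions(events, window_s=60):
    """Different MACs authorised on the same (switch_ip, port) within window_s.

    On a single-host access port this is the 'second machine assigned to a
    port that already has its real host' symptom from the thread."""
    by_port = defaultdict(list)
    for e in events:
        by_port[(e["switch_ip"], e["port"])].append(e)
    return [(loc, a["mac"], b["mac"])
            for loc, evs in by_port.items()
            for a, b in _pairs_within(evs, window_s) if a["mac"] != b["mac"]]


def find_roaming_macs(events, window_s=60):
    """Same MAC authorised at two different (switch_ip, port) within window_s,
    the '2/43 then 5/3' pattern: a physical move that fast is implausible."""
    by_mac = defaultdict(list)
    for e in events:
        by_mac[e["mac"]].append(e)
    hits = []
    for mac, evs in by_mac.items():
        for a, b in _pairs_within(evs, window_s):
            loc_a = (a["switch_ip"], a["port"])
            loc_b = (b["switch_ip"], b["port"])
            if loc_a != loc_b:
                hits.append((mac, loc_a, loc_b))
    return hits


if __name__ == "__main__":
    evs = parse_autz(SAMPLE_LOG.splitlines())
    for loc, m1, m2 in find_port_collisions(evs):
        print(f"port collision on {loc[0]} NAS-Port {loc[1]}: {m1} then {m2}")
    for mac, a, b in find_roaming_macs(evs):
        print(f"{mac} authorised on {a} then {b} within the window")
```

The port value PacketFence logs is the RADIUS NAS-Port attribute, which on Cisco IOS is the interface ifIndex (10110 here), not the Gi2/43 style name; map it with `show snmp mib ifmib ifindex` on the switch before comparing it with what the debug output shows. Treat the hits as leads rather than verdicts: an access port in multi-auth mode with an IP phone in front of the PC legitimately authorises two MACs, so confirm each hit against the switch's mac-address-table as Fabrice asks, before and after the second request.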

Re: [PacketFence-users] auth request from wrong switch

2017-11-14 Thread Jason Sloan via PacketFence-users
show spanning-tree vlan X (in your case vlan 1)

Check and see if all ports are in a forwarding state, or at least the ones
you expect to be in a forwarding state are forwarding. If left to its own
devices, sometimes spanning tree can make the wrong decision during an
election. You can manually set spanning tree priorities on your up-links if
this is the case. If the switches have vlan 1 trunked to each other this
may be something to look at, otherwise probably not an issue.

On Tue, Nov 14, 2017 at 10:10 AM, Sokolowski, Darryl <ds...@earthcolor.com>
wrote:

> Hi thanks for the response.
>
> Sorry, I should have offered more detail on environment.
>
> All switches are Cisco 3560E.
>
> 172.16.0.196 is a switch, all vlans exist on all switches, all switches
> use vlan1 for management, they are trunked via 10GB ring.
>
> I did not set radius source interface.
>
> No NATs.
>
>
>
> Sorry, what do you mean by reviewing spanning tree blocks?
>
>
>
>
>
>
>
> From: Jason Sloan [mailto:jason.a.sl...@gmail.com]
> Sent: Monday, November 13, 2017 4:23 PM
> To: packetfence-users@lists.sourceforge.net
> Cc: Sokolowski, Darryl <ds...@earthcolor.com>
> Subject: Re: [PacketFence-users] auth request from wrong switch
>
>
>
> A few questions.
>
> 172.16.0.196 - is that a switch at all? If so, is that switch on the same
> vlan? Have you reviewed your spanning-tree blocks? Are you able to set a
> radius source interface? If so, is it set to the appropriate SVI / L3 link?
> Any NATs in the topology?
>
>
>
> On Mon, Nov 13, 2017 at 3:40 PM, Sokolowski, Darryl via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> Hi all,
>
> I have a strange problem I can’t see the reason for.
>
> I have machines that get “stuck”, unable to access the network, seemingly
> because the 802.1x authentication request is coming from a switch that the
> device isn’t plugged into.
>
> In this case, I have a computer (18:66:da:1e:06:0a) plugged into switch
> with IP 172.16.0.200.
>
> In the log it shows that the request is coming from 172.16.0.196, and
> authorizes the machine and assigns the correct vlan, but it is assigned to
> the wrong switch, so the client never can access the network.
>
> Further, there is already the correct machine (64:00:6a:7c:34:ce)
> authorized on that port because that machine really does plug in there.
>
>
>
> Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:18:66:da:1e:06:0a] handling radius autz request: from switch_ip =>
> (172.16.0.196), connection_type => WIRED_MAC_AUTH,switch_mac =>
> (00:23:ac:d0:ca:8a), mac => [18:66:da:1e:06:0a], port => 10110, username =>
> "1866da1e060a" (pf::radius::authorize)
>
> Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:18:66:da:1e:06:0a] Instantiate profile default (pf::Connection::
> ProfileFactory::_from_profile)
>
> Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:18:66:da:1e:06:0a] Connection type is WIRED_MAC_AUTH. Getting role
> from node_info (pf::role::getRegisteredRole)
>
> Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:18:66:da:1e:06:0a] Username was defined "1866da1e060a" - returning
> role 'Employee' (pf::role::getRegisteredRole)
>
> Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:18:66:da:1e:06:0a] PID: "CORE\amblerd", Status: reg Returned VLAN:
> (undefined), Role: Employee (pf::role::fetchRoleForNode)
>
> Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:18:66:da:1e:06:0a] (172.16.0.196) Added VLAN 18 to the returned RADIUS
> Access-Accept (pf::Switch::returnRadiusAccessAccept)
>
> Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:64:00:6a:7c:34:ce] handling radius autz request: from switch_ip =>
> (172.16.0.196), connection_type => Ethernet-EAP,switch_mac =>
> (00:23:ac:d0:ca:8a), mac => [64:00:6a:7c:34:ce], port => 10110, username =>
> "host/LoboA7.CORE.LOCAL" (pf::radius::authorize)
>
> Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:64:00:6a:7c:34:ce] is doing machine auth with account
> 'host/LoboA7.CORE.LOCAL'. (pf::radius::authorize)
>
> Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:64:00:6a:7c:34:ce] Instantiate profile Earthcolor_Owned
> (pf::Connection::ProfileFactory::_from_profile)
>
> Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:64:00:6a:7c:34:ce] Found authentication source(s) : 'AD-Auth' for
> realm 'null' (pf::config::util::filter_authentication_sources)
>
> Nov 13 0

Re: [PacketFence-users] auth request from wrong switch

2017-11-14 Thread Sokolowski, Darryl via PacketFence-users
Hi Fabrice,
Thanks for the response.
Weird, I’m not seeing the machine in raddebug.
Today, I have a similar situation with multiple machines, but all these are on 
the same switch, just reporting incorrect ports.
Port 5/2 is the correct port, which after multiple attempts to restart the 
switchport seems to finally have returned the correct assignment.
Strange thing is that other ports with the same issue began working properly 
all at the same time.
The screenshot shows it suddenly began using mab instead of dot1x, then when 
dot1x took over, it was right again.
I do have both configured on the ports, with “authentication order dot1x mab”.


The only reference I see is in packetfence.log for the mac address is:

Nov 14 14:58:41 pf1 pfqueue: pfqueue(4152) INFO: [mac:00:26:2d:17:e4:bf] deauthenticating (pf::Switch::Cisco::Catalyst_2960::radiusDisconnect)
Nov 14 14:58:41 pf1 pfqueue: pfqueue(4152) WARN: [mac:00:26:2d:17:e4:bf] Unknown vendor attribute 9/252 for unpack() (Net::Radius::Packet::unpack)
Nov 14 14:58:41 pf1 pfqueue: Unknown vendor attribute 9/252 for unpack()

I don’t see the mac in radius.log
I’m checking AD with “chroot /chroots/ wbinfo -u” and it returns the users.

Thanks


From: Durand fabrice via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net]
Sent: Monday, November 13, 2017 6:33 PM
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice <fdur...@inverse.ca>
Subject: Re: [PacketFence-users] auth request from wrong switch


Hi Darryl,

Can you also run radius in debug mode to see all the details?

Regards

Fabrice




Re: [PacketFence-users] auth request from wrong switch

2017-11-14 Thread Sokolowski, Darryl via PacketFence-users
Hi thanks for the response.
Sorry, I should have offered more detail on environment.
All switches are Cisco 3560E.
172.16.0.196 is a switch, all vlans exist on all switches, all switches use 
vlan1 for management, they are trunked via 10GB ring.
I did not set radius source interface.
No NATs.

Sorry, what do you mean by reviewing spanning tree blocks?



From: Jason Sloan [mailto:jason.a.sl...@gmail.com]
Sent: Monday, November 13, 2017 4:23 PM
To: packetfence-users@lists.sourceforge.net
Cc: Sokolowski, Darryl <ds...@earthcolor.com>
Subject: Re: [PacketFence-users] auth request from wrong switch

A few questions.
172.16.0.196 - is that a switch at all? If so, is that switch on the same vlan? 
Have you reviewed your spanning-tree blocks? Are you able to set a radius 
source interface? If so, is it set to the appropriate SVI / L3 link? Any NATs 
in the topology?


Re: [PacketFence-users] auth request from wrong switch

2017-11-13 Thread Durand fabrice via PacketFence-users

Hi Darryl,

Can you also run radius in debug mode to see all the details?

Regards

Fabrice



On 2017-11-13 at 16:22, Jason Sloan via PacketFence-users wrote:

A few questions.
172.16.0.196 - is that a switch at all? If so, is that switch on the 
same vlan? Have you reviewed your spanning-tree blocks? Are you able 
to set a radius source interface? If so, is it set to the appropriate 
SVI / L3 link? Any NATs in the topology?



Re: [PacketFence-users] auth request from wrong switch

2017-11-13 Thread Jason Sloan via PacketFence-users
A few questions.
172.16.0.196 - is that a switch at all? If so, is that switch on the same
vlan? Have you reviewed your spanning-tree blocks? Are you able to set a
radius source interface? If so, is it set to the appropriate SVI / L3 link?
Any NATs in the topology?

On Mon, Nov 13, 2017 at 3:40 PM, Sokolowski, Darryl via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi all,
>
> I have a strange problem I can’t see the reason for.
>
> I have machines that get “stuck”, unable to access the network, seemingly
> because the 802.1x authentication request is coming from a switch that the
> device isn’t plugged into.
>
> In this case, I have a computer (18:66:da:1e:06:0a) plugged into switch
> with IP 172.16.0.200.
>
> In the log it shows that the request is coming from 172.16.0.196, and
> authorizes the machine and assigns the correct vlan, but it is assigned to
> the wrong switch, so the client can never access the network.
>
> Further, there is already the correct machine (64:00:6a:7c:34:ce)
> authorized on that port because that machine really does plug in there.
>
>
>
> Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:18:66:da:1e:06:0a] handling radius autz request: from switch_ip =>
> (172.16.0.196), connection_type => WIRED_MAC_AUTH,switch_mac =>
> (00:23:ac:d0:ca:8a), mac => [18:66:da:1e:06:0a], port => 10110, username =>
> "1866da1e060a" (pf::radius::authorize)
>
> Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:18:66:da:1e:06:0a] Instantiate profile default (pf::Connection::
> ProfileFactory::_from_profile)
>
> Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:18:66:da:1e:06:0a] Connection type is WIRED_MAC_AUTH. Getting role
> from node_info (pf::role::getRegisteredRole)
>
> Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:18:66:da:1e:06:0a] Username was defined "1866da1e060a" - returning
> role 'Employee' (pf::role::getRegisteredRole)
>
> Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:18:66:da:1e:06:0a] PID: "CORE\amblerd", Status: reg Returned VLAN:
> (undefined), Role: Employee (pf::role::fetchRoleForNode)
>
> Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:18:66:da:1e:06:0a] (172.16.0.196) Added VLAN 18 to the returned RADIUS
> Access-Accept (pf::Switch::returnRadiusAccessAccept)
>
> Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:64:00:6a:7c:34:ce] handling radius autz request: from switch_ip =>
> (172.16.0.196), connection_type => Ethernet-EAP,switch_mac =>
> (00:23:ac:d0:ca:8a), mac => [64:00:6a:7c:34:ce], port => 10110, username =>
> "host/LoboA7.CORE.LOCAL" (pf::radius::authorize)
>
> Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:64:00:6a:7c:34:ce] is doing machine auth with account
> 'host/LoboA7.CORE.LOCAL'. (pf::radius::authorize)
>
> Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:64:00:6a:7c:34:ce] Instantiate profile Earthcolor_Owned
> (pf::Connection::ProfileFactory::_from_profile)
>
> Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:64:00:6a:7c:34:ce] Found authentication source(s) : 'AD-Auth' for
> realm 'null' (pf::config::util::filter_authentication_sources)
>
> Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) WARN:
> [mac:64:00:6a:7c:34:ce] Calling match with empty/invalid rule class.
> Defaulting to 'authentication' (pf::authentication::match2)
>
> Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:64:00:6a:7c:34:ce] Using sources AD-Auth for matching
> (pf::authentication::match2)
>
> Nov 13 03:12:52 pf1 pfqueue: pfqueue(9628) INFO: [mac:unknown] undefined
> source id provided (pf::lookup::person::lookup_person)
>
> Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:64:00:6a:7c:34:ce] Found authentication source(s) : 'AD-Auth' for
> realm 'null' (pf::config::util::filter_authentication_sources)
>
> Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:64:00:6a:7c:34:ce] Using sources AD-Auth for matching
> (pf::authentication::match2)
>
> Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:64:00:6a:7c:34:ce] Username was NOT defined or unable to match a role
> - returning node based role 'Employee' (pf::role::getRegisteredRole)
>
> Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:64:00:6a:7c:34:ce] PID: "host/LoboA7.CORE.LOCAL", Status: reg Returned
> VLAN: (undefined), Role: Employee (pf::role::fetchRoleForNode)
>
> Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO:
> [mac:64:00:6a:7c:34:ce] (172.16.0.196) Added VLAN 18 to the returned RADIUS
> Access-Accept (pf::Switch::returnRadiusAccessAccept)
>
>
>
> I can’t figure out what’s going on here.
>
> Anyone seen this and can you point me how to make it right?
>
>
>
> Thanks
>
> Darryl
>
>
>
>
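The two authorize lines quoted above (a WIRED_MAC_AUTH request and an Ethernet-EAP request accepted on the same switch and port fifteen seconds apart, one of them for a PC cabled to a different switch) are worth flagging automatically rather than spotting by eye. The following is an added example, not PacketFence's code and not from anyone in the thread: a parser for the httpd.aaa "handling radius autz request" lines in the format shown above, plus a check that compares each request's switch_ip against a hypothetical cabling inventory (EXPECTED_SWITCH, filled in from what the thread states) and flags two different MACs accepted on the same switch port within a short window. The sample log lines are constructed from the excerpt, reflowed to one line each.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the "handling radius autz request" lines that PacketFence's httpd.aaa
# logs, in the exact layout shown in this thread's excerpt.
AUTZ_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ packetfence_httpd\.aaa: \S+ INFO: "
    r"\[mac:(?P<mac>[0-9a-f:]{17})\] handling radius autz request: from "
    r"switch_ip => \((?P<switch_ip>[\d.]+)\), connection_type => (?P<ctype>[\w-]+),"
    r"switch_mac => \((?P<switch_mac>[0-9a-f:]{17})\), mac => \[[0-9a-f:]{17}\], "
    r'port => (?P<port>\d+), username => "(?P<username>[^"]*)"'
)

# Constructed sample: the two authorize lines and one non-authorize line from the
# thread, reflowed to one line each as they appear in the real log file.
SAMPLE_LOG = """
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: [mac:18:66:da:1e:06:0a] handling radius autz request: from switch_ip => (172.16.0.196), connection_type => WIRED_MAC_AUTH,switch_mac => (00:23:ac:d0:ca:8a), mac => [18:66:da:1e:06:0a], port => 10110, username => "1866da1e060a" (pf::radius::authorize)
Nov 13 03:12:37 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: [mac:18:66:da:1e:06:0a] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Nov 13 03:12:52 pf1 packetfence_httpd.aaa: httpd.aaa(24173) INFO: [mac:64:00:6a:7c:34:ce] handling radius autz request: from switch_ip => (172.16.0.196), connection_type => Ethernet-EAP,switch_mac => (00:23:ac:d0:ca:8a), mac => [64:00:6a:7c:34:ce], port => 10110, username => "host/LoboA7.CORE.LOCAL" (pf::radius::authorize)
""".strip().splitlines()

# Hypothetical cabling inventory (client MAC -> switch it is physically plugged
# into), filled in from what the thread states about these two machines.
EXPECTED_SWITCH = {
    "18:66:da:1e:06:0a": "172.16.0.200",
    "64:00:6a:7c:34:ce": "172.16.0.196",
}


def parse_autz(lines):
    """Yield one dict per authorize request line; all other lines are skipped."""
    for line in lines:
        m = AUTZ_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            # syslog timestamps carry no year; only differences are used below
            rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
            yield rec


def find_anomalies(lines, expected_switch, window_s=60):
    """Return (kind, detail) findings for the two conditions seen in the thread:

    wrong_switch   - the request's switch_ip differs from the switch the MAC is
                     known to be cabled to (the 18:66:... PC appearing on .196)
    port_collision - two different MACs accepted on the same switch_ip/port
                     within window_s seconds (port 10110 accepting both PCs)
    """
    findings = []
    seen_on_port = defaultdict(list)  # (switch_ip, port) -> [(ts, mac, ctype)]
    for rec in parse_autz(lines):
        mac, sw, port = rec["mac"], rec["switch_ip"], rec["port"]
        want = expected_switch.get(mac)
        if want is not None and want != sw:
            findings.append(("wrong_switch",
                             f"{mac} accepted via {sw} port {port}, expected {want}"))
        for ts, other, other_ctype in seen_on_port[(sw, port)]:
            if other != mac and abs((rec["ts"] - ts).total_seconds()) <= window_s:
                findings.append(("port_collision",
                                 f"{sw} port {port}: {other} ({other_ctype}) then "
                                 f"{mac} ({rec['ctype']}) within {window_s}s"))
        seen_on_port[(sw, port)].append((rec["ts"], mac, rec["ctype"]))
    return findings


if __name__ == "__main__":
    for kind, detail in find_anomalies(SAMPLE_LOG, EXPECTED_SWITCH):
        print(f"{kind}: {detail}")
```

Run against the real packetfence.log, a wrong_switch finding for a MAC that is not in the inventory is impossible by construction, so keep the inventory current or the check only catches port collisions.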