Hello Joffrey,
First, I think you need to upgrade the switch firmware to the latest
version (they fix stuff about mab/802.1x).
https://www.dell.com/support/home/en-ca/product-support/product/networking-n1500-series/drivers
Next you will need to patch packetfence to have the latest dev on the
Dell switches module, to do that, go in /usr/local/pf/ then do:
    curl https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/4968.diff | patch -p1 --dry-run
if no errors:
    curl https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/4968.diff | patch -p1
then restart packetfence.
Also it looks like you didn't set the switch in production mode, fix
that in the switch config (pf side).
Let me know if it helps.
Regards
Fabrice
On 20-05-20 at 13:23, Joffrey Bienvenue via PacketFence-users wrote:
sorry - Dell version is 6.6.0.13
On Wed, 20 May 2020 at 13:23, Joffrey Bienvenue <[email protected]> wrote:
Hello
Sorry for the output and sorry for the delay replying; we upgraded
to V10.1 after a reboot crashed our pf due to package updates.
Our switch is a Dell N2048 v.6.6.0.
raddebug fails to run
radmin: Failed connecting to /usr/local/pf/var/run/radiusd.log: No
such file or directory
packetfence.log upon authentication
May 20 13:12:37 pf packetfence_httpd.aaa: httpd.aaa(31665) INFO:
[mac:00:1d:72:e2:64:30] handling radius autz request: from
switch_ip => (10.10.224.199), connection_type =>
Ethernet-EAP,switch_mac => (e4:f0:04:ff:b2:55), mac =>
[00:1d:72:e2:64:30], port => 3, username => "SAPACC\joffrey"
(pf::radius::authorize)
May 20 13:12:37 pf packetfence_httpd.aaa: httpd.aaa(31665) INFO:
[mac:00:1d:72:e2:64:30] Instantiate profile 8021x
(pf::Connection::ProfileFactory::_from_profile)
May 20 13:12:37 pf packetfence_httpd.aaa: httpd.aaa(31665) INFO:
[mac:00:1d:72:e2:64:30] Found authentication source(s) :
'PeerlessAD' for realm 'sapacc'
(pf::config::util::filter_authentication_sources)
May 20 13:12:37 pf packetfence_httpd.aaa: httpd.aaa(31665) INFO:
[mac:00:1d:72:e2:64:30] Using sources PeerlessAD for matching
(pf::authentication::match2)
May 20 13:12:37 pf packetfence_httpd.aaa: httpd.aaa(31665) INFO:
[mac:00:1d:72:e2:64:30] LDAP testing connection (pf::LDAP::expire_if)
May 20 13:12:37 pf packetfence_httpd.aaa: httpd.aaa(31665) INFO:
[mac:00:1d:72:e2:64:30] Matched rule (admin) in source PeerlessAD,
returning actions. (pf::Authentication::Source::match_rule)
May 20 13:12:37 pf packetfence_httpd.aaa: httpd.aaa(31665) INFO:
[mac:00:1d:72:e2:64:30] Matched rule (admin) in source PeerlessAD,
returning actions. (pf::Authentication::Source::match)
May 20 13:12:37 pf packetfence_httpd.aaa: httpd.aaa(31665) WARN:
[mac:00:1d:72:e2:64:30] Should perform access control on switch
(10.10.224.199) but the switch is not in production -> Returning
ACCEPT (pf::radius::authorize)
May 20 13:12:37 pf pfqueue: pfqueue(8791) INFO: [mac:unknown]
Already did a person lookup for SAPACC\joffrey
(pf::lookup::person::lookup_person)
May 20 13:12:37 pf packetfence_httpd.aaa: httpd.aaa(31665) INFO:
[mac:00:1d:72:e2:64:30] security_event 1300003 force-closed for
00:1d:72:e2:64:30 (pf::security_event::security_event_force_close)
May 20 13:12:37 pf packetfence_httpd.aaa: httpd.aaa(31665) INFO:
[mac:00:1d:72:e2:64:30] Instantiate profile 8021x
(pf::Connection::ProfileFactory::_from_profile)
Thank you
Joffrey
On Thu, 7 May 2020 at 23:04, Durand fabrice via PacketFence-users
<[email protected]> wrote:
Hello Joffrey,
the output is a little bit messy.
What is the switch ? (Dell ?)
Can you run raddebug -f /usr/local/pf/var/run/radiusd.log -t 3000
Can you post the content of packetfence.log when you
authenticate ?
Regards
Fabrice
On 20-05-07 at 12:48, Joffrey Bienvenue via PacketFence-users
wrote:
Hello
We are able to login through radius but our switch doesn't
seem to configure the vlan on the user port:
Auditing output from packetfence
MAC Address: 00:1d:72:e2:64:30
Auth Status: Accept
Auth Status: eap
Auto Registration: 1
Calling Station Identifier: 00:1d:72:e2:64:30
Computer Name: joffreydebian
EAP Type: MSCHAPv2
Event Type: Radius-Access-Request
IP Address:
Is a Phone: 0
Node Status: reg
Domain: SAPACC
Profile: 8021x
Realm: sapacc
Reason:
Role: N/A
Source: PeerlessAD
Stripped User Name: joffrey
User Name: SAPACC\joffrey
Unique Identifier:
Created at: 2020-05-07 12:37:43
PF VLAN config for switch:
registrationVlan=164
isolationVlan=165
voiceVlan=93
inlineVlan=233
mode=testing
EmployeeVlan=98
guestVlan=19
always_trigger=1
AdminVlan=5
Our switch config:
aaa authentication login "defaultList" local
authentication enable
authentication dynamic-vlan enable
dot1x system-auth-control
aaa authentication dot1x default radius
aaa authorization network default radius
aaa server radius dynamic-author
Our port config:
show running-config interface gigabitethernet 1/0/3
switchport mode general
switchport general allowed vlan add 5,19,98,164-165
authentication event fail action authorize vlan164
authentication order dot1x mab
authentication priority dot1x mab
Are we missing anything?
--
Joffrey Bienvenue | CTO | Peerless Clothing Inc. | 8888
Boul. Pie IX Montréal, QC H1Z 4J5 | 514-723-7887
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
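The WARN entry quoted in this thread shows PacketFence returning ACCEPT without enforcing a VLAN because the switch is set to mode=testing. The following Python is an added example, not part of the original messages or of PacketFence's own code: it lists switches whose mode is not production and counts the unenforced ACCEPTs in the log. The INI layout with the switch IP as section name and the second switch (10.10.224.200) are assumptions constructed for illustration; the two log entries are taken from the thread and joined back onto one line each.

```python
import configparser
import re
from collections import Counter

# Constructed sample in the style of the switch settings quoted in the thread;
# the section names and the second switch are assumptions, not from the page.
SWITCHES_CONF = """
[10.10.224.199]
registrationVlan=164
mode=testing
EmployeeVlan=98

[10.10.224.200]
registrationVlan=164
mode=production
"""

# Two log entries from the thread, unwrapped to one line each.
LOG = """\
May 20 13:12:37 pf packetfence_httpd.aaa: httpd.aaa(31665) INFO: [mac:00:1d:72:e2:64:30] Matched rule (admin) in source PeerlessAD, returning actions. (pf::Authentication::Source::match)
May 20 13:12:37 pf packetfence_httpd.aaa: httpd.aaa(31665) WARN: [mac:00:1d:72:e2:64:30] Should perform access control on switch (10.10.224.199) but the switch is not in production -> Returning ACCEPT (pf::radius::authorize)
"""

FAIL_OPEN = re.compile(
    r"\[mac:(?P<mac>[0-9a-f:]{17})\] Should perform access control on switch "
    r"\((?P<switch>[^)]+)\) but the switch is not in production -> Returning ACCEPT"
)

def non_production_switches(conf_text):
    """Return {switch: mode} for every section whose mode is not 'production'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case such as EmployeeVlan
    cp.read_string(conf_text)
    return {s: cp[s].get("mode", "unset") for s in cp.sections()
            if cp[s].get("mode", "").strip().lower() != "production"}

def fail_open_accepts(log_text):
    """Count (switch, mac) pairs that were accepted without enforcement."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAIL_OPEN.search(line)
        if m:
            hits[(m["switch"], m["mac"])] += 1
    return hits

if __name__ == "__main__":
    print("not in production:", non_production_switches(SWITCHES_CONF))
    for (switch, mac), n in fail_open_accepts(LOG).items():
        print(f"{n} unenforced ACCEPT(s): switch {switch}, mac {mac}")
```
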