Hi,

I was reading the installation guide to find a solution for you; maybe the section below is the key to solving your problem:

27.2.3. Interface in every VLAN

Maybe you can check this please?

Best regards
Farbod

On Friday, March 14, 2025 at 07:41:21 PM GMT+1, Enrico Becchetti <enrico.becche...@pg.infn.it> wrote:

Dear Farbod, dear all,

I've checked the service daemon and the UDP port. As you can see, the service was started and the daemons are running, but I don't see any UDP port listening on 67 for my VLANs. Can the DHCP listener work with VLANs?

Thank you
Enrico

1) root@pfsrv:/home/enrico# systemctl status packetfence-pfdhcplistener.service
● packetfence-pfdhcplistener.service - PacketFence DHCP Listener Service
     Loaded: loaded (/lib/systemd/system/packetfence-pfdhcplistener.service; enabled; preset: enabled)
     Active: active (running) since Fri 2025-03-14 10:32:54 CET; 9h ago
   Main PID: 3058 (pfdhcplistener)
     Status: "Ready"
      Tasks: 9 (limit: 19134)
     Memory: 198.3M
        CPU: 7.455s
     CGroup: /packetfence.slice/packetfence-pfdhcplistener.service
             ├─3058 pfdhcplistener
             ├─3161 "pfdhcplistener - eth1.27"
             ├─3162 "pfdhcplistener - eth1.28"
             ├─3163 "pfdhcplistener - eth1.29"
             ├─3164 "pfdhcplistener - eth1.30"
             ├─3165 "pfdhcplistener - eth0"
             ├─3166 "pfdhcplistener - eth1.25"
             ├─3167 "pfdhcplistener - eth1.26"
             └─3168 "pfdhcplistener - eth1"

2) root@pfsrv:/home/enrico# ps -axf | grep dhcp
 257357 pts/3    S+     0:00  \_ grep dhcp
   3072 ?        S      0:00  \_ pfqueue - Queue:pfdhcplistener
   3076 ?        S      0:00  \_ pfqueue - Queue:pfdhcplistener_external
   3058 ?        Ss     0:05 pfdhcplistener
   3161 ?        S      0:00  \_ pfdhcplistener - eth1.27
   3162 ?        S      0:00  \_ pfdhcplistener - eth1.28
   3163 ?        S      0:00  \_ pfdhcplistener - eth1.29
   3164 ?        S      0:00  \_ pfdhcplistener - eth1.30
   3165 ?        S      0:01  \_ pfdhcplistener - eth0
   3166 ?        S      0:00  \_ pfdhcplistener - eth1.25
   3167 ?        S      0:00  \_ pfdhcplistener - eth1.26
   3168 ?        S      0:00  \_ pfdhcplistener - eth1

3) root@pfsrv:/home/enrico# netstat -apn | grep 67
tcp        0      0 127.0.0.1:7070          0.0.0.0:*               LISTEN      2467/docker-proxy
tcp        0      0 0.0.0.0:1443            0.0.0.0:*               LISTEN      3673/docker-proxy
tcp6       0      0 :::1443                 :::*                    LISTEN      3679/docker-proxy
udp        0      0 127.0.0.1:35334         127.0.0.1:8125          ESTABLISHED 3167/pfdhcplistener

4) root@pfsrv:/home/enrico# netstat -apn | grep dhcp
tcp        0      0 100.64.0.1:48482        100.64.0.1:6380         ESTABLISHED 3166/pfdhcplistener
udp        0      0 127.0.0.1:54116         127.0.0.1:8125          ESTABLISHED 3168/pfdhcplistener
udp        0      0 127.0.0.1:39095         127.0.0.1:8125          ESTABLISHED 3163/pfdhcplistener
udp        0      0 127.0.0.1:55657         127.0.0.1:8125          ESTABLISHED 3162/pfdhcplistener
udp        0      0 127.0.0.1:56824         127.0.0.1:8125          ESTABLISHED 3164/pfdhcplistener
udp        0      0 127.0.0.1:49297         127.0.0.1:8125          ESTABLISHED 3058/pfdhcplistener
udp        0      0 127.0.0.1:57578         127.0.0.1:8125          ESTABLISHED 3165/pfdhcplistener
udp        0      0 127.0.0.1:35334         127.0.0.1:8125          ESTABLISHED 3167/pfdhcplistener
udp        0      0 127.0.0.1:52514         127.0.0.1:8125          ESTABLISHED 3161/pfdhcplistener
udp        0      0 127.0.0.1:52561         127.0.0.1:8125          ESTABLISHED 3166/pfdhcplistener

On 14/03/25 18:22, jafarsalehi.far...@outlook.de wrote:

Hi Enrico,

I see; I saw via tcpdump that you also get the DHCP traffic. If PacketFence is listening on the interface:

netstat -anu | grep :67

and similar output comes out:

udp        0      0 10.25.0.1:67            0.0.0.0:*               LISTEN

then you might be facing a bug. Sorry, I can't think of anything else and can't help further. Hope someone in the community comes up with a solution.

Best regards
Farbod

On Friday, March 14, 2025 at 08:17:42 AM GMT+1, Enrico Becchetti <enrico.becche...@pg.infn.it> wrote:

Hi Farbod,

No, because my network profile is enforcement and the PF server and DHCP server are on the same VLAN.

[INFN-WIRED]
filter_match_style=all
sources=RADIUS-AAI
locale=
advanced_filter=
autoregister=enabled
filter=connection_type:Ethernet-EAP
scans=OpenVAS-WIRED

So PF would see all DHCP sessions. Is that true?

Best regards
Enrico

On 14/03/2025 01:42, jafarsalehi.far...@outlook.de wrote:
> Hi Enrico,
> Have you configured DHCP relay to forward the DHCP messages to PacketFence too?
>
> Best regards
> Farbod
>
> On Thu., March 13, 2025 at 21:43 Enrico Becchetti via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
> Dear all,
> my new Network Access Control project based on PacketFence has started really badly.
>
> First I installed PF 14.1 on AlmaLinux 8 and now I am using the ZEN version as a last attempt.
>
> In both cases I made a very simple configuration; the most important details are as follows:
>
> I have two network cards, eth0 (management) and eth1 with some VLANs: registration, isolation, production etc.;
>
> I defined a RADIUS authentication backend, I configured a switch and a network profile.
> This network profile is "other" type because PF only performs authentication; gateway (NAT) and DHCP server functions are performed by another server (10.25.0.254).
>
> With this setup I'd like to manage access to the wired network via 802.1X. While the client connects, PF is unable to read the IP address assigned by the DHCP server. This is a big problem that I have to solve, otherwise I can't follow up with this project.
>
> If you have some time for me I'll send you the following information: the PacketFence configuration file, the active DHCP processes, the configuration of the network cards, the tcpdump session with which you can see that the server receives information via VLAN 25 on DHCP sessions, and finally the packetfence.log file.
>
> Do you think there is a bug in PF 14.1 or is it a mistake in my configuration?
>
> Thanks for your attention.
>
> Enrico
>
> 1) pf.conf
>
> # general.dhcpservers
> #
> # Comma-delimited list of DHCP servers. Passthroughs are created to allow DHCP transactions from even "trapped" nodes.
> dhcpservers=127.0.0.1,10.25.0.254
>
> [interface eth1.25]
> type=dhcp-listener,portal
> ip=10.25.0.1
> mask=255.255.0.0
>
> # ps axf | grep -i dhc
>  11044 pts/0    S+     0:00  \_ grep -i dhc
>   3057 ?        S      0:00  \_ pfqueue - Queue:pfdhcplistener_external
>   3088 ?        S      0:00  \_ pfqueue - Queue:pfdhcplistener
>
> # ip link
> 5: eth1.25@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
>     link/ether 52:54:00:ad:60:dc brd ff:ff:ff:ff:ff:ff
> 6: eth1.26@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
>
> 5: eth1.25@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
>     link/ether 52:54:00:ad:60:dc brd ff:ff:ff:ff:ff:ff
>     inet 10.25.0.1/16 brd 10.25.255.255 scope global eth1.25
>        valid_lft forever preferred_lft forever
>     inet6 fe80::5054:ff:fead:60dc/64 scope link
>        valid_lft forever preferred_lft forever
>
> # tcpdump -i eth1.25 -n -vv port 67 or port 68
> tcpdump: listening on eth1.25, link-type EN10MB (Ethernet), snapshot length 262144 bytes
> 15:27:26.576206 IP (tos 0x0, ttl 255, id 10108, offset 0, flags [none], proto UDP (17), length 328)
>     0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from ac:87:a3:12:81:47, length 300, xid 0x9370cc2c, secs 4, Flags [none] (0x0000)
>       Client-Ethernet-Address ac:87:a3:12:81:47
>       Vendor-rfc1048 Extensions
>         Magic Cookie 0x63825363
>         DHCP-Message (53), length 1: Request
>         Parameter-Request (55), length 12:
>           Subnet-Mask (1), Classless-Static-Route (121), Default-Gateway (3), Domain-Name-Server (6)
>           Domain-Name (15), Unknown (108), URL (114), Unknown (119)
>           Unknown (252), LDAP (95), Netbios-Name-Server (44), Netbios-Node (46)
>         MSZ (57), length 2: 1500
>         Client-ID (61), length 7: ether ac:87:a3:12:81:47
>         Requested-IP (50), length 4: 10.25.1.1
>         Lease-Time (51), length 4: 7776000
>         Hostname (12), length 12: "becchetti-nb"
>
> 1 packet captured
> 1 packet received by filter
> 0 packets dropped by kernel
>
> # tail packetfence.log
>
> 2025-03-13T15:27:22.145042+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] handling radius autz request: from switch_ip => (10.0.0.111), connection_type => Ethernet-EAP, switch_mac => (6c:c2:17:af:31:20), mac => [ac:87:a3:12:81:47], port => 3, username => "becch...@pg.infn.it" (pf::radius::authorize)
> 2025-03-13T15:27:22.214895+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] Instantiate profile INFN-WIRED (pf::Connection::ProfileFactory::_from_profile)
> 2025-03-13T15:27:22.299418+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] Found authentication source(s) : 'RADIUS-AAI' for realm 'default' (pf::config::util::filter_authentication_sources)
> 2025-03-13T15:27:22.336171+01:00 pfsrv pfqueue-backend[3072]: pfqueue(2158) INFO: [mac:[undef]] Running task person_lookup (main::process_data)
> 2025-03-13T15:27:22.305635+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] Using sources RADIUS-AAI for matching (pf::authentication::match2)
> 2025-03-13T15:27:22.310250+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] Matched rule (catchall) in source RADIUS-AAI, returning actions. (pf::Authentication::Source::match_rule)
> 2025-03-13T15:27:22.310250+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] Matched rule (catchall) in source RADIUS-AAI, returning actions. (pf::Authentication::Source::match)
> 2025-03-13T15:27:22.355955+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] Found authentication source(s) : 'RADIUS-AAI' for realm 'default' (pf::config::util::filter_authentication_sources)
> 2025-03-13T15:27:22.355955+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
> 2025-03-13T15:27:22.355955+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] Username was defined "becch...@pg.infn.it" - returning role 'default' (pf::role::getRegisteredRole)
> 2025-03-13T15:27:22.355955+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] PID: "becch...@pg.infn.it", Status: reg Returned VLAN: (undefined), Role: default (pf::role::fetchRoleForNode)
> 2025-03-13T15:27:22.370303+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] (10.0.0.111) Added VLAN 25 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
> 2025-03-13T15:27:22.384950+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] security_event 1300003 force-closed for ac:87:a3:12:81:47 (pf::security_event::security_event_force_close)
> 2025-03-13T15:27:22.385595+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] Instantiate profile INFN-WIRED (pf::Connection::ProfileFactory::_from_profile)
> 2025-03-13T15:27:22.401686+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] grace expired on security event 1200004 for node ac:87:a3:12:81:47 (pf::security_event::security_event_add)
> 2025-03-13T15:27:22.409662+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) ERROR: [mac:ac:87:a3:12:81:47] Database query failed with non retryable error: Cannot add or update a child row: a foreign key constraint fails (`pf`.`security_event`, CONSTRAINT `security_event_id_fkey_class` FOREIGN KEY (`security_event_id`) REFERENCES `class` (`security_event_id`) ON DELETE CASCADE ON UPDATE CASCADE) (errno: 1452) [INSERT INTO `security_event` ( `mac`, `notes`, `release_date`, `security_event_id`, `start_date`, `status`, `ticket_ref`) VALUES ( ?, ?, ?, ?, ?, ?, ? )]{ac:87:a3:12:81:47, , 0000-00-00 00:00:00, 1200004, 2025-03-13 15:27:22, open, } (pf::dal::db_execute)
> 2025-03-13T15:27:22.410532+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) ERROR: [mac:ac:87:a3:12:81:47] unknown error adding security event 1200004 for ac:87:a3:12:81:47 (pf::security_event::security_event_add)
>
> Enrico
>
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
-- 
__________________________________________________________________________
Enrico Becchetti
Servizio di Calcolo e Reti
Istituto Nazionale di Fisica Nucleare - Sezione di Perugia
Via Pascoli, c/o Dipartimento di Fisica
06123 Perugia (ITALY)
Phone: +39 075 5852777   Mobile: +39 075 9696225   FAX: +39 075 5847296
Microsoft Teams: becch...@infn.it
Mail: Enrico.Becchetti<at>pg.infn.it
Skype: enrico_becchetti
Personal web page: https://www.pg.infn.it/home/enrico-becchetti
_________________________________________________________________________
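The check Farbod proposes (a UDP socket on port 67 per VLAN interface) is easy to get wrong by eye across many interfaces, so here is an added example, not code from the thread or from PacketFence, that automates it: it reads the `[interface ...]` sections of a pf.conf, keeps those of type `dhcp-listener`, and matches each interface IP against the local addresses of UDP/67 sockets in `netstat -apn` output. The pf.conf fragment and netstat lines are constructed to mirror the ones quoted above (PID 3170 is made up), and a listener that captures via a raw socket rather than binding UDP/67 would not show up here, so a "NOT bound" result is a prompt to confirm with tcpdump as Enrico did, not proof of a fault.

```python
import configparser
import re

# Constructed pf.conf fragment modelled on the one quoted in the thread (not the poster's
# full file): one management interface and one VLAN interface of type dhcp-listener.
PF_CONF = """
[interface eth0]
type=management
ip=10.0.0.10
mask=255.255.255.0
[interface eth1.25]
type=dhcp-listener,portal
ip=10.25.0.1
mask=255.255.0.0
"""
# Constructed `netstat -apn` line in the shape seen in the thread: a loopback statsd
# connection from pfdhcplistener, nothing bound to :67.
NETSTAT_NO_67 = """
udp        0      0 127.0.0.1:35334         127.0.0.1:8125          ESTABLISHED 3167/pfdhcplistener
"""
# The same output plus the kind of line Farbod said to look for (PID is made up).
NETSTAT_WITH_67 = NETSTAT_NO_67 + "udp        0      0 10.25.0.1:67            0.0.0.0:*                           3170/pfdhcplistener\n"

# proto, recv-q, send-q, then local address:port; "::" is left in group 1 for ":::67".
UDP_LINE = re.compile(r"^udp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s")

def dhcp_listener_interfaces(conf_text):
    """{interface: ip} for every [interface X] whose type list contains dhcp-listener."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    found = {}
    for section in cp.sections():
        if section.startswith("interface "):
            types = [t.strip() for t in cp.get(section, "type", fallback="").split(",")]
            if "dhcp-listener" in types:
                found[section.split(" ", 1)[1]] = cp.get(section, "ip", fallback=None)
    return found

def udp67_bindings(netstat_text):
    """Local addresses of UDP sockets bound to port 67 in `netstat -n` output."""
    return {m.group(1) for m in map(UDP_LINE.match, netstat_text.splitlines())
            if m and m.group(2) == "67"}

def check_listeners(conf_text, netstat_text):
    """True per dhcp-listener interface when a UDP/67 socket covers its IP (or is a wildcard bind)."""
    bound = udp67_bindings(netstat_text)
    wildcard = bool(bound & {"0.0.0.0", "::"})
    return {iface: wildcard or ip in bound
            for iface, ip in dhcp_listener_interfaces(conf_text).items()}

if __name__ == "__main__":
    for label, text in (("as posted", NETSTAT_NO_67), ("expected", NETSTAT_WITH_67)):
        for iface, ok in check_listeners(PF_CONF, text).items():
            print(f"{label}: {iface} udp/67 {'bound' if ok else 'NOT bound'}")
```

Run against a real box, feed it the contents of /usr/local/pf/conf/pf.conf and the output of `netstat -apn` instead of the constructed strings.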