Removing the radiussecret didn't work, but commenting out the 127.0.0.1 client 
entry seems to have done the trick.  The radius server is no longer ignoring 
the requests either.

Cheers,
Andi

From: Francois Gaudreault [mailto:[email protected]]
Sent: 09 December 2011 14:47
To: [email protected]
Subject: Re: [Packetfence-users] Radius server ignoring requests from known 
switch

Andi,

Two options:
- You remove the general radiusSecret=testing123 in your switches.conf, put it 
blank (radiusSecret=)
- You remove the 127.0.0.1 client entry in /etc/raddb/clients.conf

I suggest option 1.

On 11-12-09 9:39 AM, Morris, Andi wrote:

Oh this is highly confusing.  I rebooted my packetfence server just now, and 
now I cannot start radius at all.  This is possibly due to me running a yum 
update last night.



The errors I get when trying to start radiusd -X now are:

rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to pf@localhost:3306/pf
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret FROM radius_nas
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Read entry nasname=127.0.0.1,shortname=127.0.0.1,secret=testing123
rlm_sql (sql): Adding client 127.0.0.1 (127.0.0.1, server=<none>) to clients list
Failed to add duplicate client 127.0.0.1
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): Failed to add client 127.0.0.1 (127.0.0.1) to clients list.  Maybe there's a duplicate?
Failed to load clients from SQL.
rlm_sql (sql): Closing sqlsocket 4
rlm_sql (sql): Closing sqlsocket 3
rlm_sql (sql): Closing sqlsocket 2
rlm_sql (sql): Closing sqlsocket 1
rlm_sql (sql): Closing sqlsocket 0
/etc/raddb/sql.conf[1]: Instantiation failed for module "sql"
/etc/raddb/sites-enabled/packetfence[32]: Failed to load module "sql".
/etc/raddb/sites-enabled/packetfence[29]: Errors parsing accounting section.



________________________________
From: Francois Gaudreault [[email protected]]
Sent: 09 December 2011 14:06
To: [email protected]
Subject: Re: [Packetfence-users] Radius server ignoring requests from known 
switch

When you start radius in debug (radiusd -X), do you see something like the 
following at the startup:

rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret FROM radius_nas
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Read entry nasname=10.0.0.10,shortname=10.0.0.10,secret=a_secret
rlm_sql (sql): Adding client 10.0.0.10 (10.0.0.10, server=<none>) to clients list

On 11-12-09 9:01 AM, Morris, Andi wrote:

Yes I do, the radtest in the admin guide works as does the ntlm_auth against a 
user in my active directory.

________________________________
From: Francois Gaudreault [[email protected]]
Sent: 09 December 2011 13:53
To: [email protected]
Subject: Re: [Packetfence-users] Radius server ignoring requests from known 
switch

Andi,

Do you have the packetfence-freeradius2 package installed?  Did you change the 
db credentials in /etc/raddb/sql.conf?

On 11-12-09 8:42 AM, Morris, Andi wrote:
I have configured a Cisco 3550 to connect via dot1x to the packetfence server 
as per the network config guide, which all seemed to go well.  However I'm not 
getting an IP address on a client plugged into the switch.

When running radius -X on the packetfence server I see the following:
Ignoring request to authentication address * port 1812 as server packetfence 
from unknown client 192.168.41.53 port 1645
Ready to process requests.

This IP address is the only switch I have defined in my switches.conf so I've 
no idea why radius would say it is an unknown client and ignore the request.

Relevant parts of the switch config are:
aaa new-model
!
!
aaa group server radius packetfence
server 192.168.52.1 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication login MyVTY line
aaa authentication login myCon none
aaa authentication dot1x default group packetfence

aaa session-id common
ip subnet-zero

dot1x system-auth-control

spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending

interface FastEthernet0/1
switchport access vlan 4
switchport mode access
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer restart 10800
authentication timer reauthenticate 7200
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 3
spanning-tree portfast

snmp-server community ******** RW
snmp-server community ****** RO
snmp-server location **********
snmp-server contact *******************
snmp-server host 192.168.1.10 public-uwic  config vlan-membership snmp
radius-server host 192.168.52.1 auth-port 1812 acct-port 1813 timeout 2 key 7 044F0E151B284249584B56
radius-server vsa send authentication

The line I have put in bold above I think may be significant possibly.  The IP 
address specified isn't the IP address of the packetfence server, it is a 
different server that we have here that monitors switches via snmp.

Switches.conf is:
#
# Copyright 2006-2008 Inverse inc.
#
# See the enclosed file COPYING for license information (GPL).
# If you did not receive this file, see
# http://www.fsf.org/licensing/licenses/gpl.html
[default]
vlans=4,301,308,309
normalVlan=301
registrationVlan=308
isolationVlan=309
macDetectionVlan=4
guestVlan=
customVlan1=
customVlan2=
customVlan3=
customVlan4=
customVlan5=
VoIPEnabled=no
voiceVlan=
mode=testing
macSearchesMaxNb=30
macSearchesSleepInterval=2
uplink=dynamic
#
# Command Line Interface
#
# cliTransport could be: Telnet, SSH or Serial
cliTransport=Telnet
cliUser=
cliPwd=
cliEnablePwd=
#
# SNMP section
#
# PacketFence -> Switch
SNMPVersion=2c
SNMPCommunityRead=*****
SNMPCommunityWrite=***********
#SNMPEngineID = 0000000000000
#SNMPUserNameRead = readUser
#SNMPAuthProtocolRead = MD5
#SNMPAuthPasswordRead = authpwdread
#SNMPPrivProtocolRead = DES
#SNMPPrivPasswordRead = privpwdread
#SNMPUserNameWrite = writeUser
#SNMPAuthProtocolWrite = MD5
#SNMPAuthPasswordWrite = authpwdwrite
#SNMPPrivProtocolWrite = DES
#SNMPPrivPasswordWrite = privpwdwrite
# Switch -> PacketFence
SNMPVersionTrap=2c
SNMPCommunityTrap=allegro
#SNMPAuthProtocolTrap = MD5
#SNMPAuthPasswordTrap = authpwdread
#SNMPPrivProtocolTrap = DES
#SNMPPrivPasswordTrap = privpwdread
#
# Web Services Interface
#
# wsTransport could be: http or https
wsTransport=http
wsUser=
wsPwd=
#
# RADIUS NAS Client config
#
# RADIUS shared secret with switch
radiusSecret=testing123
type=
controllerIp=192.168.52.1
SNMPUserNameTrap=
SNMPAuthProtocolTrap=
SNMPAuthPasswordTrap=
SNMPPrivProtocolTrap=
SNMPPrivPasswordTrap=
SNMPEngineID=
SNMPUserNameRead=
SNMPAuthProtocolRead=
SNMPAuthPasswordRead=
SNMPPrivProtocolRead=
SNMPPrivPasswordRead=
SNMPUserNameWrite=
SNMPAuthProtocolWrite=
SNMPAuthPasswordWrite=
SNMPPrivProtocolWrite=
SNMPPrivPasswordWrite=

[127.0.0.1]
type=PacketFence
mode=production
uplink=dynamic

[192.168.41.53]
type=Cisco::Catalyst_3550
radiusSecret=testing123
controllerIp=192.168.52.1
SNMPVersion=2c
#SNMPVersion = 3
#SNMPEngineID = 0000000000000
#SNMPUserNameRead = readUser
#SNMPAuthProtocolRead = MD5
#SNMPAuthPasswordRead = authpwdread
#SNMPPrivProtocolRead = DES
#SNMPPrivPasswordRead = privpwdread
#SNMPUserNameWrite = writeUser
#SNMPAuthProtocolWrite = MD5
#SNMPAuthPasswordWrite = authpwdwrite
#SNMPPrivProtocolWrite = DES
#SNMPPrivPasswordWrite = privpwdwrite
#SNMPVersionTrap = 3
#SNMPUserNameTrap = readUser
#SNMPAuthProtocolTrap = MD5
#SNMPAuthPasswordTrap = authpwdread
#SNMPPrivProtocolTrap = DES
#SNMPPrivPasswordTrap = privpwdread


Can anyone help as to why the radius requests are reaching the PF server, but 
being ignored?
---------------------------------------------------------------
Andi Morris
Technical Security Analyst
Systems and Communications Services
Information Services Division
UWIC
Cardiff
Wales
CF5 2YB

02920 205720
--------------------------------------------------------------


_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Francois Gaudreault, ing. jr
[email protected]  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)



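Added example, not part of the thread and not PacketFence or FreeRADIUS code: a pre-start check for the failure in the radiusd -X output above, where 127.0.0.1 is defined both in /etc/raddb/clients.conf and in radius_nas. It assumes that every switches.conf section with a non-empty effective radiusSecret (its own or inherited from [default]) becomes a radius_nas row; the sample inputs are constructed and the function names are hypothetical.

```python
import configparser
import re

# Constructed samples modelled on the thread, not the poster's full files.
SWITCHES_CONF = """
[default]
radiusSecret=testing123

[127.0.0.1]
type=PacketFence

[192.168.41.53]
type=Cisco::Catalyst_3550
radiusSecret=testing123
"""
CLIENTS_CONF = """
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
}
"""

def nas_from_switches(text):
    # ASSUMPTION: each non-default section whose effective radiusSecret
    # (its own value, else the one inherited from [default]) is non-empty
    # becomes a row in radius_nas.
    cp = configparser.ConfigParser(default_section="default",
                                   delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case, e.g. radiusSecret
    cp.read_string(text)
    return {s for s in cp.sections()
            if cp.get(s, "radiusSecret", fallback="").strip()}

def clients_from_file(text):
    # Addresses of client blocks in clients.conf; commented lines are skipped.
    addrs = set()
    for line in text.splitlines():
        m = re.match(r"\s*ipaddr\s*=\s*(\S+)", line.split("#", 1)[0])
        if m:
            addrs.add(m.group(1))
    return addrs

def duplicate_clients(switches_text, clients_text):
    # Defined both statically and via SQL: radiusd -X reports
    # "Failed to add duplicate client" for these and fails to start.
    return sorted(nas_from_switches(switches_text)
                  & clients_from_file(clients_text))

if __name__ == "__main__":
    print(duplicate_clients(SWITCHES_CONF, CLIENTS_CONF))
```

Under that assumption, blanking radiusSecret in [default] or commenting out the 127.0.0.1 client in clients.conf each leaves the result empty, while 192.168.41.53 keeps its own secret.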