Hey Guys,
So we have recently upgraded our Cisco IOS to Version 12.2(55)SE9 and we
are using stacked Catalyst 3750E. This config was working before
so something in this version is causing the issue. I have also upgraded to
the latest PacketFence version, 4.0.3.
It seems that when MAB kicks in for non-802.1x clients it authenticates fine
the first time and gets the correct VLAN. The re-authentication does not
work. It seems that it can't get the MAC address from the radius attempt
even though you can see the MAC in the request.
*PacketFence.log*
Jul 20 18:59:03 httpd.webservices(9665) INFO: Unable to extract MAC from Called-Station-Id: ARRAY(0x7f1e8c5ffab0) (pf::radius::extractApMacFromRadiusRequest)
Jul 20 18:59:03 httpd.webservices(9665) INFO: handling radius autz request: from switch_ip => 192.168.8.76, connection_type => WIRED_MAC_AUTH,switch_mac => , mac => 0, port => 10647, username => 888717fe5e33 (pf::radius::authorize)
Jul 20 18:59:03 httpd.webservices(9665) INFO: node 0 does not yet exist in database. Adding it now (pf::radius::authorize)
Jul 20 18:59:04 httpd.webservices(9665) INFO: Could not find any IP phones through discovery protocols for ifIndex 10647 (pf::Switch::getPhonesDPAtIfIndex)
Jul 20 18:59:04 httpd.webservices(9665) INFO: MAC: 0 doesn't have a node entry; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
Jul 20 18:59:04 httpd.webservices(9665) WARN: Role-based Network Access Control is not supported on network device type pf::Switch::Cisco::Catalyst_3750. (pf::Switch::supportsRoleBasedEnforcement)
Jul 20 18:59:04 httpd.webservices(9665) INFO: [192.168.8.76] Returning ACCEPT with VLAN 900 and role (pf::Switch::returnRadiusAccessAccept)
*Radiusd.log*
Sun Jul 20 19:03:11 2014 : Auth: Login OK: [888717fe5e33] (from client 172.31.8.76 port 50247 cli 88-87-17-FE-5E-33)
Sun Jul 20 19:03:11 2014 : Auth: rlm_perl: Returning vlan 900 to request from 88:87:17:fe:5e:33 port 50247
*Port Config:*
interface GigabitEthernet2/0/48
 description PacketFence NAC
 switchport access vlan 80
 switchport mode access
 switchport voice vlan 10
 authentication host-mode multi-host
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer restart 10800
 authentication timer reauthenticate 10800
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout quiet-period 2
 dot1x timeout tx-period 3
 spanning-tree portfast
end
Any help would be great.
Thanks
David
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
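
Added example, not part of the original post and not PacketFence code: a triage script that scans packetfence.log for the symptom shown in the message above, MAB authorization requests whose mac field is not a valid MAC even though the username carries one. The regex and function names are assumptions derived from the log lines in the post; the last sample record is constructed for contrast.

```python
import re

# Sample input: the first three records are copied from the post (still
# mail-wrapped); the last record is CONSTRUCTED as a healthy request.
SAMPLE = """\
Jul 20 18:59:03 httpd.webservices(9665) INFO: Unable to extract MAC from
Called-Station-Id: ARRAY(0x7f1e8c5ffab0)
(pf::radius::extractApMacFromRadiusRequest)
Jul 20 18:59:03 httpd.webservices(9665) INFO: handling radius autz request:
from switch_ip => 192.168.8.76, connection_type =>
WIRED_MAC_AUTH,switch_mac => , mac => 0, port => 10647, username =>
888717fe5e33 (pf::radius::authorize)
Jul 20 18:59:03 httpd.webservices(9665) INFO: node 0 does not yet exist in
database. Adding it now (pf::radius::authorize)
Jul 20 19:10:00 httpd.webservices(9665) INFO: handling radius autz request: from switch_ip => 192.0.2.10, connection_type => WIRED_MAC_AUTH,switch_mac => , mac => 00:11:22:33:44:55, port => 10601, username => 001122334455 (pf::radius::authorize)
"""

# Assumed layout of the "autz request" line, taken from the post's log excerpt.
AUTZ_RE = re.compile(
    r"autz request: from switch_ip => (?P<switch_ip>[^,\s]+), connection_type => "
    r"(?P<conn>\w+),\s*switch_mac => (?P<switch_mac>[^,]*), mac => (?P<mac>[^,]*), "
    r"port => (?P<port>\d+), username => (?P<user>\S+)")
STAMP_RE = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")

def unwrap(text):
    """Rejoin wrapped lines: a new record starts with a 'Mon DD HH:MM:SS ' stamp."""
    records = []
    for line in text.splitlines():
        if STAMP_RE.match(line):
            records.append(line.strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def find_lost_mac(log_text):
    """Return MAB authorization requests where no valid MAC was extracted."""
    findings = []
    for rec in unwrap(log_text):
        m = AUTZ_RE.search(rec)
        if not m or m["conn"] != "WIRED_MAC_AUTH" or MAC_RE.match(m["mac"].strip().lower()):
            continue
        user = m["user"].lower()
        # In the post's logs the MAB username is the client MAC as 12 hex digits.
        expected = ":".join(re.findall("..", user)) if re.fullmatch(r"[0-9a-f]{12}", user) else None
        findings.append({"switch_ip": m["switch_ip"], "port": int(m["port"]),
                         "logged_mac": m["mac"].strip(), "expected_mac": expected})
    return findings
```

Each finding pairs the bogus node key that was logged (here "0") with the MAC recovered from the username, so the affected switch ports can be checked against radiusd.log.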