I can see the difference between the initial successful request and the
failing re-authentication.  There is a duplicate value passed in the RADIUS
request which must be tripping up PacketFence.

Failed:
rad_recv: Access-Request packet from host 192.168.8.76 port 1645, id=221,
length=250
User-Name = "888717fe5e33"
User-Password = "888717fe5e33"
Service-Type = Call-Check
Framed-MTU = 1500
Called-Station-Id = "00-1F-CA-87-B9-2F"
Calling-Station-Id = "88-87-17-FE-5E-33"
Message-Authenticator = 0x576988befca242c99efca217dd9f1d9d
Cisco-AVPair = "audit-session-id=AC1F084C000001590236E1F7"
NAS-Port-Type = Ethernet
NAS-Port = 50247
NAS-Port-Id = "GigabitEthernet2/0/47"
Called-Station-Id = "00-1F-CA-87-B9-2F"
Calling-Station-Id = "88-87-17-FE-5E-33"
NAS-IP-Address = 192.168.8.76


Success:
rad_recv: Access-Request packet from host 192.168.8.76 port 1645, id=89,
length=212
User-Name = "888717fe5e33"
User-Password = "888717fe5e33"
Service-Type = Call-Check
Framed-MTU = 1500
Called-Station-Id = "00-1F-CA-87-B9-2F"
Calling-Station-Id = "88-87-17-FE-5E-33"
Message-Authenticator = 0x3c2a07147f5884f32d3f0ebc5c708c40
Cisco-AVPair = "audit-session-id=AC1F084C0000015B023E8A61"
NAS-Port-Type = Ethernet
NAS-Port = 50247
NAS-Port-Id = "GigabitEthernet2/0/47"
NAS-IP-Address = 192.168.8.76
On Sun, Jul 20, 2014 at 7:05 PM, David <[email protected]> wrote:

> Hey Guys,
>
> So we have recently upgraded our Cisco IOS to Version 12.2(55)SE9 and we
> are using stacked Catalyst 3750E.  This config was working before,
> so something in this version is causing the issue.  I have also upgraded to
> the latest PacketFence version, 4.0.3.
>
> It seems that when MAB kicks in for non-802.1x clients it authenticates
> fine the first time and gets the correct VLAN.  The re-authentication
> does not work.  It seems that it can't get the MAC address from the RADIUS
> attempt even though you can see the MAC in the request.
>
> *PacketFence.log*
>
> Jul 20 18:59:03 httpd.webservices(9665) INFO: Unable to extract MAC from
> Called-Station-Id: ARRAY(0x7f1e8c5ffab0)
> (pf::radius::extractApMacFromRadiusRequest)
>
> Jul 20 18:59:03 httpd.webservices(9665) INFO: handling radius autz
> request: from switch_ip => 192.168.8.76, connection_type =>
> WIRED_MAC_AUTH,switch_mac => , mac => 0, port => 10647, username =>
> 888717fe5e33 (pf::radius::authorize)
>
> Jul 20 18:59:03 httpd.webservices(9665) INFO: node 0 does not yet exist in
> database. Adding it now (pf::radius::authorize)
>
> Jul 20 18:59:04 httpd.webservices(9665) INFO: Could not find any IP phones
> through discovery protocols for ifIndex 10647
> (pf::Switch::getPhonesDPAtIfIndex)
>
> Jul 20 18:59:04 httpd.webservices(9665) INFO: MAC: 0 doesn't have a node
> entry; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
>
> Jul 20 18:59:04 httpd.webservices(9665) WARN: Role-based Network Access
> Control is not supported on network device type
> pf::Switch::Cisco::Catalyst_3750.
> (pf::Switch::supportsRoleBasedEnforcement)
>
> Jul 20 18:59:04 httpd.webservices(9665) INFO: [192.168.8.76] Returning
> ACCEPT with VLAN 900 and role  (pf::Switch::returnRadiusAccessAccept)
>
> *Radiusd.log*
>
> Sun Jul 20 19:03:11 2014 : Auth: Login OK: [888717fe5e33] (from client
> 172.31.8.76 port 50247 cli 88-87-17-FE-5E-33)
>
> Sun Jul 20 19:03:11 2014 : Auth: rlm_perl: Returning vlan 900 to request
> from 88:87:17:fe:5e:33 port 50247
>
> *Port Config:*
>
> interface GigabitEthernet2/0/48
>  description PacketFence NAC
>  switchport access vlan 80
>  switchport mode access
>  switchport voice vlan 10
>  authentication host-mode multi-host
>  authentication order dot1x mab
>  authentication priority dot1x mab
>  authentication port-control auto
>  authentication periodic
>  authentication timer restart 10800
>  authentication timer reauthenticate 10800
>  mab
>  no snmp trap link-status
>  dot1x pae authenticator
>  dot1x timeout quiet-period 2
>  dot1x timeout tx-period 3
>  spanning-tree portfast
> end
>
>
> Any help would be great.
>
> Thanks
> David
>
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
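The two rad_recv dumps in the thread differ only in that the failing re-authentication carries Called-Station-Id and Calling-Station-Id twice. The log line "Unable to extract MAC from Called-Station-Id: ARRAY(0x7f1e8c5ffab0)" is the visible symptom: rlm_perl hands a repeated attribute to the backend as a Perl array reference rather than a string, so a regex written for the single-value form matches nothing and the MAC comes out as 0. The script below is an added example, not PacketFence or FreeRADIUS code: it parses the debug output quoted above, lists the attributes that repeat, reproduces the naive single-value lookup that fails on a repeated attribute, and shows a duplicate-tolerant lookup that collapses identical copies and refuses conflicting ones. The list-versus-string mimicry of rlm_perl and the `diagnose` helper are my own simplification.

```python
"""Parse FreeRADIUS debug (radiusd -X) Access-Request dumps, flag repeated
attributes, and extract switch/endpoint MACs the way a NAC backend has to
when an attribute may arrive once or several times.

Added example, not PacketFence code.  The two dumps are copied from the
rad_recv output quoted earlier in the thread (the post's own data).
"""
import re
from collections import defaultdict

FAILED_REQUEST = """\
rad_recv: Access-Request packet from host 192.168.8.76 port 1645, id=221, length=250
User-Name = "888717fe5e33"
User-Password = "888717fe5e33"
Service-Type = Call-Check
Framed-MTU = 1500
Called-Station-Id = "00-1F-CA-87-B9-2F"
Calling-Station-Id = "88-87-17-FE-5E-33"
Message-Authenticator = 0x576988befca242c99efca217dd9f1d9d
Cisco-AVPair = "audit-session-id=AC1F084C000001590236E1F7"
NAS-Port-Type = Ethernet
NAS-Port = 50247
NAS-Port-Id = "GigabitEthernet2/0/47"
Called-Station-Id = "00-1F-CA-87-B9-2F"
Calling-Station-Id = "88-87-17-FE-5E-33"
NAS-IP-Address = 192.168.8.76
"""

GOOD_REQUEST = """\
rad_recv: Access-Request packet from host 192.168.8.76 port 1645, id=89, length=212
User-Name = "888717fe5e33"
User-Password = "888717fe5e33"
Service-Type = Call-Check
Framed-MTU = 1500
Called-Station-Id = "00-1F-CA-87-B9-2F"
Calling-Station-Id = "88-87-17-FE-5E-33"
Message-Authenticator = 0x3c2a07147f5884f32d3f0ebc5c708c40
Cisco-AVPair = "audit-session-id=AC1F084C0000015B023E8A61"
NAS-Port-Type = Ethernet
NAS-Port = 50247
NAS-Port-Id = "GigabitEthernet2/0/47"
NAS-IP-Address = 192.168.8.76
"""

ATTR_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$')
# Leading MAC in the spellings NASes use: 00-1F-CA-87-B9-2F, 00:1f:..,
# 001f.ca87.b92f, 001fca87b92f; wireless often appends ":SSID".
MAC_RE = re.compile(r'^((?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}'
                    r'|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}|[0-9a-f]{12})', re.I)


def parse_request(dump):
    """Return {attribute: [every value seen]} for one rad_recv block."""
    attrs = defaultdict(list)
    for line in dump.splitlines():
        m = ATTR_RE.match(line)
        if m is not None:
            attrs[m.group(1)].append(m.group(2).strip('"'))
    return dict(attrs)


def normalize_mac(value):
    """Canonical aa:bb:cc:dd:ee:ff, or None if no MAC leads the string."""
    m = MAC_RE.match(value)
    if m is None:
        return None
    h = re.sub(r'[^0-9a-f]', '', m.group(1).lower())
    return ':'.join(h[i:i + 2] for i in range(0, 12, 2))


def rlm_perl_style_lookup(attrs, name):
    """Mimic the request hash rlm_perl exposes: one occurrence is a string,
    a repeated attribute becomes a list (Perl: an array reference)."""
    values = attrs.get(name, [])
    return values[0] if len(values) == 1 else values


def naive_extract_mac(attrs, name):
    """The single-value lookup: str(list) starts with '[' so no MAC matches,
    which is the 'ARRAY(0x...)' failure seen in the PacketFence log."""
    return normalize_mac(str(rlm_perl_style_lookup(attrs, name)))


def extract_mac(attrs, name):
    """Duplicate-tolerant lookup: identical copies collapse to one MAC;
    conflicting copies are refused rather than silently picking one."""
    macs = {normalize_mac(v) for v in attrs.get(name, [])} - {None}
    return macs.pop() if len(macs) == 1 else None


def diagnose(dump):
    attrs = parse_request(dump)
    return {
        "duplicates": sorted(n for n, v in attrs.items() if len(v) > 1),
        "naive_switch_mac": naive_extract_mac(attrs, "Called-Station-Id"),
        "naive_mac": naive_extract_mac(attrs, "Calling-Station-Id"),
        "switch_mac": extract_mac(attrs, "Called-Station-Id"),
        "mac": extract_mac(attrs, "Calling-Station-Id"),
    }


if __name__ == "__main__":
    for label, dump in (("failed", FAILED_REQUEST), ("success", GOOD_REQUEST)):
        print(label, diagnose(dump))
```

Run against the failing dump, `duplicates` lists both station-id attributes, the naive lookups return None (the "mac => 0" in the log) while the tolerant ones still yield 00:1f:ca:87:b9:2f and 88:87:17:fe:5e:33; against the good dump both paths agree. Whether the duplicate is tolerated in the backend or stripped before it gets there, refusing a request whose copies disagree is the safer default, since a NAS that sends two different Calling-Station-Ids is either broken or being spoofed.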
