Hello everybody,
can someone help or give me some suggestions about this implementation?
Many regards
Matteo
2014-11-11 12:12 GMT+01:00 Matteo Pidalà <matteo.pid...@gmail.com>:
> Here is some code in addition:
>
> *CISCO ASA:*
> ASA-LAB/pri/act(config)# sh run aaa-server PACKETFENCE
> aaa-server PACKETFENCE protocol radius
> aaa-server PACKETFENCE (inside) host 10.129.187.216
> key *****
> authentication-port 1812
> accounting-port 1813
>
> *LOG CISCO ASA:*
> ASA-LAB/pri/act(config)# test aaa-server authentication PACKETFENCE
> USername t$
> Server IP Address or name: 10.129.187.216
> INFO: Attempting Authentication test to IP address <10.129.187.216>
> (timeout: 12 seconds)
> radius mkreq: 0x80000043
> alloc_rip 0xcc683d08
> new request 0x80000043 --> 227 (0xcc683d08)
> got user 'test'
> got password
> add_req 0xcc683d08 session 0x80000043 id 227
> RADIUS_REQUEST
> radius.c: rad_mkpkt
>
> *RADIUS packet decode (authentication request)*
>
> --------------------------------------
> Raw packet data (length = 62).....
> 01 e3 00 3e 61 8e 8e ba f9 47 db d5 c2 ed f0 15 | ...>a....G......
> 71 c2 cf b7 01 06 74 65 73 74 02 12 14 92 60 4d | q.....test....`M
> 2b 39 34 c0 33 f0 11 ed a8 ca 61 af 04 06 0a 81 | +94.3.....a.....
> bb 03 05 06 00 00 01 0a 3d 06 00 00 00 05 | ........=.....
>
> Parsed packet data.....
> Radius: Code = 1 (0x01)
> Radius: Identifier = 227 (0xE3)
> Radius: Length = 62 (0x003E)
> Radius: Vector: 618E8EBAF947DBD5C2EDF01571C2CFB7
> Radius: Type = 1 (0x01) User-Name
> Radius: Length = 6 (0x06)
> Radius: Value (String) =
> 74 65 73 74 | test
> Radius: Type = 2 (0x02) User-Password
> Radius: Length = 18 (0x12)
> Radius: Value (String) =
> 14 92 60 4d 2b 39 34 c0 33 f0 11 ed a8 ca 61 af | ..`M+94.3.....a.
> Radius: Type = 4 (0x04) NAS-IP-Address
> Radius: Length = 6 (0x06)
> Radius: Value (IP Address) = 10.129.187.3 (0x0A81BB03)
> Radius: Type = 5 (0x05) NAS-Port
> Radius: Length = 6 (0x06)
> Radius: Value (Hex) = 0x10A
> Radius: Type = 61 (0x3D) NAS-Port-Type
> Radius: Length = 6 (0x06)
> Radius: Value (Hex) = 0x5
> send pkt 10.129.187.216/1812
> rip 0xcc683d08 state 7 id 227
> rad_vrfy() : response message verified
> rip 0xcc683d08
> : chall_state ''
> : state 0x7
> : reqauth:
> 61 8e 8e ba f9 47 db d5 c2 ed f0 15 71 c2 cf b7
> : info 0xcc683e40
> session_id 0x80000043
> request_id 0xe3
> user 'test'
> response '***'
> app 0
> reason 0
> skey 'cisco'
> sip 10.129.187.216
> type 1
>
> *RADIUS packet decode (response)*
>
> --------------------------------------
> Raw packet data (length = 20).....
> 03 e3 00 14 7e 58 89 e0 be 69 a1 76 6c de 19 24 | ....~X...i.vl..$
> 56 bf 24 8b | V.$.
>
> Parsed packet data.....
> Radius: Code = 3 (0x03)
> Radius: Identifier = 227 (0xE3)
> Radius: Length = 20 (0x0014)
> Radius: Vector: 7E5889E0BE69A1766CDE192456BF248B
> rad_procpkt: REJECT
> RADIUS_DELETE
> remove_req 0xcc683d08 session 0x80000043 id 227
> free_rip 0xcc683d08
> radius: send queue empty
> *ERROR: Authentication Rejected: AAA failure*
>
> *PACKETFENCE:*
>
> [10.129.187.3]
> RoleMap=N
> mode=production
> VlanMap=N
> AccessListMap=N
> description=ASA
> *type=Cisco::Catalyst_3560 --> invented... because Cisco ASA doesn't exist.*
> VoIPEnabled=N
> radiusSecret=cisco
> deauthMethod=RADIUS
>
>
> *LOG PACKETFENCE:*
> Tue Nov 11 05:47:40 2014 : Info: Ready to process requests.
> Tue Nov 11 05:48:13 2014 : Auth: Login OK: [test] (from client
> 10.129.187.3 port 266)
> Tue Nov 11 05:48:13 2014 : Info: rlm_perl: MAC address is empty or invalid
> in this request. It could be normal on certain radius calls
>
>
>
> If you need some other information, let me know.
>
> regards
>
> Matteo
>
> 2014-11-10 18:31 GMT+01:00 Matteo Pidalà <matteo.pid...@gmail.com>:
>
>> Hello everybody.
>> I have used PacketFence a lot with registration and isolation VLANs (NAC, dot1x,
>> etc.) in big network environments, with great satisfaction.
>>
>> Now, for another project, I need to install a PacketFence
>> environment (the already prepared OVM image) for a "simple" scenario.
>> PacketFence, in fact, should work as a "RADIUS service" with accounting for
>> user authentication sent by a Cisco ASA.
>>
>> The summarized scenario is:
>> - Cisco ASA --> Cut-Through --> with aaa-server radius configured pointing
>> to PacketFence
>> - PacketFence manages the authentication and statistics for statically
>> created RADIUS users.
>> - I don't want to use a project like "daloradius" or something like this...
>> For me PacketFence is really better, even without the NAC implementation... ;-)
>>
>> Now... I don't know precisely how to build this environment, in
>> particular:
>> - Can I create the users directly from the static users menu, with the
>> attributes for expiration date, simultaneous login limit, etc.?
>> - And the most important thing, which I didn't find... In which way can I
>> configure the "NAS" system to allow PacketFence to speak with my
>> ASA?
>>
>>
>> I will forward some script configuration (maybe also useful for other
>> users, as there is not much on the internet for now), but for now I just need
>> some feedback and information from you.
>>
>>
>> Many regards in advance
>>
>> Matteo
>>
>
>
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
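Editor's added example (not code from the original post, from PacketFence or from Cisco): the two raw packets in the ASA debug output above, decoded and checked against RFC 2865 in Python. The byte strings below are copied from the "Raw packet data" dumps in the post, and the shared secret is the one the ASA debug prints as skey and the PacketFence switch entry as radiusSecret; nothing else is taken from a live system. The script parses the Access-Request (code 1, id 227) and the Access-Reject (code 3, same id), recomputes the Response Authenticator with the shared secret so you can tell whether the reject really came from the PacketFence host, and lists which attributes the ASA did not send. It also decrypts the User-Password attribute, which only works because the debug output exposed the shared secret in clear: this is exactly why "debug radius" output and a radiusSecret of "cisco" should not leave the lab. The attribute decoding is generic RADIUS, not specific to the ASA, so it works on any Access-Request you capture.

```python
"""Decode the RADIUS Access-Request / Access-Reject pair from the ASA debug output
and check it against RFC 2865.  Added example, not PacketFence or Cisco code."""
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 31: "Calling-Station-Id", 61: "NAS-Port-Type"}

# Raw bytes copied from the 'Raw packet data' dumps in the ASA debug output.
ASA_ACCESS_REQUEST = bytes.fromhex(
    "01e3003e618e8ebaf947dbd5c2edf015"
    "71c2cfb701067465737402121492604d"
    "2b3934c033f011eda8ca61af04060a81"
    "bb0305060000010a3d0600000005")
ASA_ACCESS_REJECT = bytes.fromhex("03e300147e5889e0be69a1766cde192456bf248b")
# Secret shown as skey in the ASA debug and as radiusSecret in the PacketFence config.
SHARED_SECRET = b"cisco"


def parse_radius(packet: bytes) -> Dict:
    """Split a RADIUS packet into header fields and a list of (type, value) attributes."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than the 20-byte header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"Length field {length} does not match {len(packet)} bytes on the wire")
    attrs: List[Tuple[int, bytes]] = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute type {atype} at offset {pos}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "identifier": identifier, "length": length,
            "authenticator": packet[4:20], "attributes": attrs}


def encrypt_user_password(password: bytes, request_authenticator: bytes, secret: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return bytes(out)


def decrypt_user_password(ciphertext: bytes, request_authenticator: bytes, secret: bytes) -> bytes:
    """Inverse of encrypt_user_password; the chain value is the previous ciphertext block."""
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(ciphertext), 16):
        block = ciphertext[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, pad))
        prev = block
    return bytes(out).rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_authenticator: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def build_response(code: int, identifier: int, request_authenticator: bytes,
                   secret: bytes, attributes: bytes = b"") -> bytes:
    """Build a server reply (what PacketFence's FreeRADIUS would put on the wire)."""
    auth = response_authenticator(code, identifier, attributes, request_authenticator, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attributes)) + auth + attributes


def verify_response(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """True only if the reply was produced with this secret for this request (rad_vrfy)."""
    parsed = parse_radius(response)
    expected = response_authenticator(parsed["code"], parsed["identifier"], response[20:],
                                      request_authenticator, secret)
    return hmac.compare_digest(expected, parsed["authenticator"])


def analyze_exchange(request: bytes, response: bytes, secret: bytes) -> Dict:
    """Summarize what the NAS sent, what it got back, and whether the reply is genuine."""
    req, resp = parse_radius(request), parse_radius(response)
    present = {t: v for t, v in req["attributes"]}
    summary = {
        "request": CODE_NAMES.get(req["code"], str(req["code"])),
        "user": present.get(1, b"").decode(errors="replace"),
        "nas_ip": ".".join(str(b) for b in present.get(4, b"")),
        "nas_port": int.from_bytes(present.get(5, b"\x00"), "big"),
        "response": CODE_NAMES.get(resp["code"], str(resp["code"])),
        "id_match": req["identifier"] == resp["identifier"],
        "response_verified": verify_response(response, req["authenticator"], secret),
        # PacketFence's rlm_perl logged 'MAC address is empty'; Calling-Station-Id (31) is what it reads.
        "missing": [ATTR_NAMES[t] for t in (31,) if t not in present],
    }
    if 2 in present:
        summary["password"] = decrypt_user_password(present[2], req["authenticator"], secret)
    return summary


if __name__ == "__main__":
    for name, value in analyze_exchange(ASA_ACCESS_REQUEST, ASA_ACCESS_REJECT, SHARED_SECRET).items():
        print(f"{name:18} {value!r}")
```

Run it and compare "nas_port" (266) with the "port 266" in the PacketFence log line and "missing" with the rlm_perl warning: the ASA's cut-through request carries no Calling-Station-Id, so the MAC-based lookups in PacketFence have nothing to work with. If "response_verified" is False with the secret you believe is configured, the reject was built with a different secret than the one the ASA uses, which is worth checking before looking anywhere else.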