Hi all, we are using pf 5.7 here and dot1x authentication. We enabled SoH and found out that, if a Windows PC does not have NAP enabled, then dot1x authentication does not proceed as usual; in packetfence.log it shows that nothing happens after this line:

Mar 17 11:38:01 httpd.aaa(6536) ERROR: [mac:2c:41:38:0a:56:03] No operating system vendor specified at /usr/local/pf/lib/pf/soh.pm line 574. (pf::soh::__ANON__)

while, if SoH is disabled (through conf/radiusd/eap.conf), it works as usual, e.g. in packetfence.log we get:

Mar 17 12:17:01 httpd.aaa(8452) INFO: [mac:2c:41:38:0a:56:03] handling radius autz request: from switch_ip => (10.18.101.16), connection_type => Ethernet-EAP,switch_mac => (Unknown), mac => [2c:41:38:0a:56:03], port => 1001, username => "host/NB75144.pc.istat.it" (pf::radius::authorize)
Mar 17 12:17:01 httpd.aaa(8452) INFO: [mac:2c:41:38:0a:56:03] is doing machine auth with account 'host/NB75144.pc.istat.it'. (pf::radius::authorize)
Mar 17 12:17:01 httpd.aaa(8452) INFO: [mac:2c:41:38:0a:56:03] Match rule 1:EthernetEAP (pf::access_filter::test)
Mar 17 12:17:01 httpd.aaa(8452) WARN: [mac:2c:41:38:0a:56:03] No parameter noroleVlan found in conf/switches.conf for the switch 10.18.101.16 (pf::Switch::getVlanByName)
Mar 17 12:17:01 httpd.aaa(8452) INFO: [mac:2c:41:38:0a:56:03] violation 1500000 force-closed for 2c:41:38:0a:56:03 (pf::violation::violation_force_close)
Mar 17 12:17:01 httpd.aaa(8452) INFO: [mac:2c:41:38:0a:56:03] Instantiate profile dot1x (pf::Portal::ProfileFactory::_from_profile)
Mar 17 12:17:01 httpd.aaa(8452) WARN: [mac:2c:41:38:0a:56:03] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
Mar 17 12:17:01 httpd.aaa(8452) INFO: [mac:2c:41:38:0a:56:03] Matched rule (AccessoRete) in source MachineAuth, returning actions. (pf::Authentication::Source::match)
Mar 17 12:17:01 httpd.aaa(8452) INFO: [mac:2c:41:38:0a:56:03] Matched rule (AccessoRete) in source MachineAuth, returning actions. (pf::Authentication::Source::match)
Mar 17 12:17:01 httpd.aaa(8452) INFO: [mac:2c:41:38:0a:56:03] Instantiate profile captive-portal (pf::Portal::ProfileFactory::_from_profile)
Mar 17 12:17:01 httpd.aaa(8452) INFO: [mac:2c:41:38:0a:56:03] Instantiate profile dot1x (pf::Portal::ProfileFactory::_from_profile)
Mar 17 12:17:02 httpd.aaa(8452) INFO: [mac:2c:41:38:0a:56:03] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
Mar 17 12:17:02 httpd.aaa(8452) INFO: [mac:2c:41:38:0a:56:03] Username was defined "host/NB75144.pc.istat.it" - returning role 'dominio' (pf::role::getRegisteredRole)
Mar 17 12:17:02 httpd.aaa(8452) INFO: [mac:2c:41:38:0a:56:03] PID: "host/NB75144.pc.istat.it", Status: reg Returned VLAN: (undefined), Role: dominio (pf::role::fetchRoleForNode)
Mar 17 12:17:02 httpd.aaa(8452) INFO: [mac:2c:41:38:0a:56:03] (10.18.101.16) Added VLAN 20 to the returned RADIUS reply (pf::Switch::returnRadiusAccessAccept)
Mar 17 12:17:02 httpd.aaa(8452) INFO: [mac:2c:41:38:0a:56:03] (10.18.101.16) Returning ACCEPT with VLAN 20 (pf::Switch::returnRadiusAccessAccept)

so the question is: is this the right behavior? If that's the case, it could be a problem because, since Windows 10, NAP is no longer supported and we cannot enforce NAP configuration on all of our clients.

Diego

--
Dr. Diego Bonfigli
tel: 366 5898323
email: [email protected]
Laboratori Guglielmo Marconi - www.labs.it

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
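As an added example (not code from the post above and not part of PacketFence), the following Python script parses packetfence.log lines of the shape quoted in the message and flags 802.1X attempts that stop at the SoH error without a later RADIUS ACCEPT for the same MAC. It lets an operator count how many clients are being stalled by the SoH step before deciding whether to keep it enabled. The 120-second window, the function names and the embedded sample (copied from the log lines in the post, so it runs offline) are assumptions of this example.

```python
"""
Triage packetfence.log for 802.1X attempts that stall in the SoH step.
Added example, not PacketFence code: it only knows the line shapes quoted
in the mailing-list post. Window length and sample data are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Line shape as quoted in the post:
#   Mon DD HH:MM:SS process(pid) LEVEL: [mac:xx:xx:xx:xx:xx:xx] message (pf::Module::sub)
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<proc>[\w.]+)\((?P<pid>\d+)\) "
    r"(?P<level>[A-Z]+): "
    r"\[mac:(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\] "
    r"(?P<msg>.*?)"
    r"(?: \((?P<module>pf::[\w:]+)\))?$"
)

SOH_ERROR_TEXT = "No operating system vendor specified"  # message emitted by pf::soh
ACCEPT_MODULE = "pf::Switch::returnRadiusAccessAccept"   # module that logs "Returning ACCEPT"
WINDOW_SECONDS = 120  # assumption: no ACCEPT within 2 minutes of the error => stalled


def parse_line(line):
    """Return a dict of fields for one log line, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Syslog-style timestamps carry no year; pin a leap year so 'Feb 29' still parses.
    rec["time"] = datetime.strptime(rec["ts"] + " 2000", "%b %d %H:%M:%S %Y")
    return rec


def triage(lines, window=WINDOW_SECONDS):
    """
    Classify, per MAC and in time order:
      stalled   - SoH error with no RADIUS ACCEPT for that MAC within `window` seconds
      recovered - SoH error followed by an ACCEPT inside the window
      accepted  - ACCEPT not tied to a preceding SoH error (a normal attempt)
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            events[rec["mac"]].append(rec)

    findings = []
    for mac, recs in events.items():
        recs.sort(key=lambda r: r["time"])
        open_error = None  # most recent SoH error not yet resolved for this MAC
        for r in recs:
            is_soh_error = r["level"] == "ERROR" and SOH_ERROR_TEXT in r["msg"]
            is_accept = r["module"] == ACCEPT_MODULE and "Returning ACCEPT" in r["msg"]
            if is_soh_error:
                if open_error is not None:  # two errors in a row: the first never recovered
                    findings.append({"mac": mac, "error_ts": open_error["ts"], "status": "stalled"})
                open_error = r
            elif is_accept:
                if open_error is not None:
                    gap = (r["time"] - open_error["time"]).total_seconds()
                    if gap <= window:
                        findings.append({"mac": mac, "error_ts": open_error["ts"], "status": "recovered"})
                        open_error = None
                        continue
                    # ACCEPT too far from the error to belong to the same attempt
                    findings.append({"mac": mac, "error_ts": open_error["ts"], "status": "stalled"})
                    open_error = None
                findings.append({"mac": mac, "error_ts": None, "status": "accepted", "accept_ts": r["ts"]})
        if open_error is not None:
            findings.append({"mac": mac, "error_ts": open_error["ts"], "status": "stalled"})
    return findings


# Constructed test data: a subset of the log lines quoted in the post.
SAMPLE_LOG = [
    "Mar 17 11:38:01 httpd.aaa(6536) ERROR: [mac:2c:41:38:0a:56:03] No operating system vendor specified at /usr/local/pf/lib/pf/soh.pm line 574. (pf::soh::__ANON__)",
    'Mar 17 12:17:01 httpd.aaa(8452) INFO: [mac:2c:41:38:0a:56:03] handling radius autz request: from switch_ip => (10.18.101.16), connection_type => Ethernet-EAP,switch_mac => (Unknown), mac => [2c:41:38:0a:56:03], port => 1001, username => "host/NB75144.pc.istat.it" (pf::radius::authorize)',
    "Mar 17 12:17:01 httpd.aaa(8452) INFO: [mac:2c:41:38:0a:56:03] is doing machine auth with account 'host/NB75144.pc.istat.it'. (pf::radius::authorize)",
    "Mar 17 12:17:02 httpd.aaa(8452) INFO: [mac:2c:41:38:0a:56:03] Username was defined \"host/NB75144.pc.istat.it\" - returning role 'dominio' (pf::role::getRegisteredRole)",
    "Mar 17 12:17:02 httpd.aaa(8452) INFO: [mac:2c:41:38:0a:56:03] (10.18.101.16) Added VLAN 20 to the returned RADIUS reply (pf::Switch::returnRadiusAccessAccept)",
    "Mar 17 12:17:02 httpd.aaa(8452) INFO: [mac:2c:41:38:0a:56:03] (10.18.101.16) Returning ACCEPT with VLAN 20 (pf::Switch::returnRadiusAccessAccept)",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

On the sample, the 11:38:01 SoH error is reported as stalled (the ACCEPT 39 minutes later belongs to the second attempt, after SoH was disabled) and the 12:17:02 ACCEPT as a normal attempt; feeding a full day of packetfence.log through `triage` gives a per-MAC count of clients affected by the SoH step.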
