Quick question: on which type of switch are you trying to achieve that?
On 2016-12-07 at 21:54, [email protected] wrote:
> Thanks Fabrice. Using the newly created user with the new access
> level I get the same results as before with same log entries.
>
> On 12/07/2016 08:04 PM, Durand fabrice wrote:
>>
>> Hello,
>>
>>
>> On 2016-12-06 at 22:45, [email protected] wrote:
>>> Thanks Fabrice.
>>>
>>> I configured per instruction (see below) but had no better luck.
>>> Any further thoughts?
>>>
>>> 1. I created a new admin role via:
>>> /admin/configuration#config/adminroles
>>> 2. set the action to "Switches CLI - Write"
>>> 3. Saved the new role
>>> 4. Created a new source (internal radius) via:
>>> admin/configuration#config/authentication
>>>
>> Hmm, not sure it will work like that. Let's instead create a user in
>> PacketFence (user tab), assign a password, and assign the access level
>> to the one you created before.
>>>
>>> 5. Added a new set the ip to 127.0.0.1 and port 18120
>>> 6. set secret to packet
>>> 7. added rule
>>> 8. set class to administration
>>> 9. add action to access level and selected the radius role I
>>> created in step 1-3
>>> 10. created another source (same as 4-9) with ip set to management
>>> interface and port 1812
>>> 11. verified that cliAccess=Y
>>> 12. restart all services
>>>
>>> radtest on localhost fails auth with:
>>>
>>> radtest -t mschap -x test2 packet localhost:18120 12 testing123
>>> Sent Access-Request Id 107 from 0.0.0.0:58720 to 127.0.0.1:18120
>>> length 131
>>> User-Name = "test2"
>>> MS-CHAP-Password = "packet"
>>> NAS-IP-Address = 192.168.14.60
>>> NAS-Port = 12
>>> Message-Authenticator = 0x00
>>> Cleartext-Password = "packet"
>>> MS-CHAP-Challenge = 0xd9fdad2e36fdd618
>>> MS-CHAP-Response =
>>> 0x00010000000000000000000000000000000000000000000000007678409312f6c2d67f0671bf77b643cf60d6e7cc5583e533
>>> Received Access-Reject Id 107 from 127.0.0.1:18120 to 0.0.0.0:0
>>> length 20
>>> (0) -: Expected Access-Accept got Access-Reject
>>>
>>> packetfence.log
>>>
>>> Dec 06 22:34:04 httpd.aaa(3965) WARN: [mac:[undef]] CLI Access is
>>> not permit on this switch 192.168.14.60 (pf::radius::switch_access)
>>>
>>>
>>> radtest on management interface times/retry out
>>>
>>> radtest on management interface times/retry out from remote client.
>>>
>>>
>>>
>>>
>>>
>>> On 12/06/2016 07:25 PM, Durand fabrice wrote:
>>>>
>>>> Hello,
>>>>
>>>> Can you check in packetfence.log to see what's wrong?
>>>>
>>>> Also, here is what you have to do:
>>>>
>>>> In configuration -> Admin access, create a new admin access with
>>>> Switch CLI - Write
>>>>
>>>> In Configuration source -> an internal source -> assign an
>>>> administration rule and set access level (the admin access you
>>>> created before).
>>>>
>>>> Then enable CLI access on the switch (cliAccess=Y).
>>>>
>>>>
>>>> Now when PacketFence receives a RADIUS request for CLI access,
>>>> it will test the username and password on the internal source, and
>>>> if that succeeds and it matches the rule, then the access will be
>>>> allowed.
>>>>
>>>>
>>>> Regards
>>>>
>>>> Fabrice
>>>>
>>>>
>>>>
>>>> On 2016-12-06 at 12:13, [email protected] wrote:
>>>>> When I attempt to test FreeRadius with a test user in
>>>>> /usr/local/pf/raddb/users I get a failure that states "CLI Access
>>>>> is not permit on this switch". I have "cliAccess=Y" in
>>>>> switches.conf. Is there somewhere else I need to enable CLI access?
>>>>>
>>>>> Thanks
>>>>>
>>>>>
>>>>>
>>>>> packetfence.log:
>>>>> Dec 06 12:04:36 httpd.aaa(24559) WARN: [mac:[undef]] CLI Access is not
>>>>> permit on this switch 192.168.14.60 (pf::radius::switch_access)
>>>>>
>>>>> This occurs as a response to:
>>>>>
>>>>> radtest -t mschap -x test2 packet localhost:18120 12 testing123
>>>>>
>>>>> radtest responds with:
>>>>>
>>>>> Sent Access-Request Id 224 from 0.0.0.0:50101 to 127.0.0.1:18120 length
>>>>> 131
>>>>> User-Name = "test2"
>>>>> MS-CHAP-Password = "packet"
>>>>> NAS-IP-Address = 192.168.14.60
>>>>> NAS-Port = 12
>>>>> Message-Authenticator = 0x00
>>>>> Cleartext-Password = "packet"
>>>>> MS-CHAP-Challenge = 0x7d970590bf9b3c20
>>>>> MS-CHAP-Response =
>>>>> 0x00010000000000000000000000000000000000000000000000001d61ecc9a3fc6222a13bccde625540a3048270707271bf1c
>>>>> Received Access-Reject Id 224 from 127.0.0.1:18120 to 0.0.0.0:0 length 20
>>>>> (0) -: Expected Access-Accept got Access-Reject
>>>>>
>>>>> I have the following entry in /usr/local/pf/raddb/users:
>>>>>
>>>>> test2 Cleartext-Password := "packet"
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> Developer Access Program for Intel Xeon Phi Processors
>>>>> Access to Intel Xeon Phi processor-based developer platforms.
>>>>> With one year of Intel Parallel Studio XE.
>>>>> Training and support from Colfax.
>>>>> Order your platform today.http://sdm.link/xeonphi
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> PacketFence-users mailing list
>>>>> [email protected]
>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)