Physical is TP-Link TL-SG5428
Packetfence is Cisco 2960 object (per our conversation last week)
On December 8, 2016 9:24:18 AM EST, Fabrice Durand <[email protected]> wrote:
>Quick question, on which type of switch are you trying to achieve that?
>
>
>
>On 2016-12-07 at 21:54, [email protected] wrote:
>> Thanks Fabrice. Using the newly created user with the new access
>> level I get the same results as before with same log entries.
>>
>> On 12/07/2016 08:04 PM, Durand fabrice wrote:
>>>
>>> Hello,
>>>
>>>
>>> On 2016-12-06 at 22:45, [email protected] wrote:
>>>> Thanks Fabrice.
>>>>
>>>> I configured per instruction (see below) but had no better luck.
>>>> Any further thoughts?
>>>>
>>>> 1. I created a new admin role via:
>>>> /admin/configuration#config/adminroles
>>>> 2. set the action to "Switches CLI - Write"
>>>> 3. Saved the new role
>>>> 4. Created a new source (internal radius) via:
>>>> admin/configuration#config/authentication
>>>>
>>> Hum not sure it will work like that, let's create instead a user in
>>> packetfence (user tab) assign a password and assign the access level
>>> to the one you created before.
>>>>
>>>> 5. Added a new set the ip to 127.0.0.1 and port 18120
>>>> 6. set secret to packet
>>>> 7. added rule
>>>> 8. set class to administration
>>>> 9. add action to access level and selected the radius role I
>>>> created in step 1-3
>>>> 10. created another source (same as 4-9) with ip set to management
>>>> interface and port 1812
>>>> 11. verified that cliAccess=Y
>>>> 12. restart all services
>>>>
>>>> radtest on localhost fails auth with:
>>>>
>>>> radtest -t mschap -x test2 packet localhost:18120 12 testing123
>>>> Sent Access-Request Id 107 from 0.0.0.0:58720 to 127.0.0.1:18120 length 131
>>>> User-Name = "test2"
>>>> MS-CHAP-Password = "packet"
>>>> NAS-IP-Address = 192.168.14.60
>>>> NAS-Port = 12
>>>> Message-Authenticator = 0x00
>>>> Cleartext-Password = "packet"
>>>> MS-CHAP-Challenge = 0xd9fdad2e36fdd618
>>>> MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000007678409312f6c2d67f0671bf77b643cf60d6e7cc5583e533
>>>> Received Access-Reject Id 107 from 127.0.0.1:18120 to 0.0.0.0:0 length 20
>>>> (0) -: Expected Access-Accept got Access-Reject
>>>>
>>>> packetfence.log
>>>>
>>>> Dec 06 22:34:04 httpd.aaa(3965) WARN: [mac:[undef]] CLI Access is not permit on this switch 192.168.14.60 (pf::radius::switch_access)
>>>>
>>>>
>>>> radtest on management interface times/retry out
>>>>
>>>> radtest on management interface times/retry out from remote client.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On 12/06/2016 07:25 PM, Durand fabrice wrote:
>>>>>
>>>>> Hello,
>>>>>
>>>>> Can you check packetfence.log to see what is wrong?
>>>>>
>>>>> Also here what you have to do:
>>>>>
>>>>> in configuration -> Admin access, create a new admin access with
>>>>> Switch CLI - Write
>>>>>
>>>>> In Configuration source -> A internal source -> assign an
>>>>> administration rule and set access level (the admin access you
>>>>> created before).
>>>>>
>>>>> Then enable cli access on the switch.(cliAccess=Y)
>>>>>
>>>>>
>>>>> Now when PacketFence receives a RADIUS request for CLI access,
>>>>> it will test the username and password on the internal source, and
>>>>> if that succeeds and it matches the rule, then the access will be
>>>>> allowed.
>>>>>
>>>>>
>>>>> Regards
>>>>>
>>>>> Fabrice
>>>>>
>>>>>
>>>>>
>>>>> On 2016-12-06 at 12:13, [email protected] wrote:
>>>>>> When I attempt to test FreeRadius with a test user in
>>>>>> /usr/local/pf/raddb/users I get a failure that states "CLI Access
>>>>>> is not permit on this switch". I have "cliAccess=Y" in
>>>>>> switches.conf. Is there somewhere else I need to enable CLI
>>>>>> access?
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>>
>>>>>>
>>>>>> packetfence.log:
>>>>>> Dec 06 12:04:36 httpd.aaa(24559) WARN: [mac:[undef]] CLI Access is not permit on this switch 192.168.14.60 (pf::radius::switch_access)
>>>>>>
>>>>>> This occurs as a response to:
>>>>>>
>>>>>> radtest -t mschap -x test2 packet localhost:18120 12 testing123
>>>>>>
>>>>>> radtest responds with:
>>>>>>
>>>>>> Sent Access-Request Id 224 from 0.0.0.0:50101 to 127.0.0.1:18120 length 131
>>>>>> User-Name = "test2"
>>>>>> MS-CHAP-Password = "packet"
>>>>>> NAS-IP-Address = 192.168.14.60
>>>>>> NAS-Port = 12
>>>>>> Message-Authenticator = 0x00
>>>>>> Cleartext-Password = "packet"
>>>>>> MS-CHAP-Challenge = 0x7d970590bf9b3c20
>>>>>> MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000001d61ecc9a3fc6222a13bccde625540a3048270707271bf1c
>>>>>> Received Access-Reject Id 224 from 127.0.0.1:18120 to 0.0.0.0:0 length 20
>>>>>> (0) -: Expected Access-Accept got Access-Reject
>>>>>>
>>>>>> I have the following entry in /usr/local/pf/raddb/users:
>>>>>>
>>>>>> test2 Cleartext-Password := "packet"
>>>>>>
>>>>>>
>>>>>>
>------------------------------------------------------------------------------
>>>>>> Developer Access Program for Intel Xeon Phi Processors
>>>>>> Access to Intel Xeon Phi processor-based developer platforms.
>>>>>> With one year of Intel Parallel Studio XE.
>>>>>> Training and support from Colfax.
>>>>>> Order your platform today.http://sdm.link/xeonphi
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> PacketFence-users mailing list
>>>>>> [email protected]
>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>
>--
>Fabrice Durand
>[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
>Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
>PacketFence (http://packetfence.org)
>
>
>
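
Added example, not part of the original thread and not PacketFence code: a small triage script that pulls the `pf::radius::switch_access` denials quoted above out of packetfence.log and compares each denied switch IP with the `cliAccess` value in switches.conf. It assumes switches.conf is an INI file with one section per switch IP; the sample log and config below are constructed, reusing the warning line and `cliAccess=Y` setting from the thread.

```python
import configparser
import re
from collections import Counter

# Matches the warning quoted in the thread and captures the switch IP.
DENY_RE = re.compile(
    r"CLI Access is not permit on this switch "
    r"(\d{1,3}(?:\.\d{1,3}){3}) \(pf::radius::switch_access\)"
)

# Constructed sample input (only 192.168.14.60 comes from the thread).
SAMPLE_LOG = """\
Dec 06 12:04:36 httpd.aaa(24559) WARN: [mac:[undef]] CLI Access is not permit on this switch 192.168.14.60 (pf::radius::switch_access)
Dec 06 22:34:04 httpd.aaa(3965) WARN: [mac:[undef]] CLI Access is not permit on this switch 192.168.14.60 (pf::radius::switch_access)
Dec 06 22:40:00 httpd.aaa(3965) WARN: [mac:[undef]] CLI Access is not permit on this switch 192.0.2.10 (pf::radius::switch_access)
Dec 06 22:41:00 httpd.aaa(3965) WARN: [mac:[undef]] CLI Access is not permit on this switch 192.0.2.20 (pf::radius::switch_access)
"""
# Assumed layout: one INI section per switch IP.
SAMPLE_SWITCHES_CONF = "[192.168.14.60]\ncliAccess=Y\n\n[192.0.2.10]\ncliAccess=N\n"

def denied_switches(log_text):
    """Count CLI-access denials per switch IP in packetfence.log text."""
    return Counter(m.group(1) for m in DENY_RE.finditer(log_text))

def cli_access_on_disk(conf_text):
    """Map each switch section to its cliAccess value (None if unset)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the key 'cliAccess' case-sensitive
    parser.read_string(conf_text)
    return {s: parser[s].get("cliAccess") for s in parser.sections()}

def triage(log_text, conf_text):
    """Classify every denied switch by what switches.conf says about it."""
    on_disk = cli_access_on_disk(conf_text)
    report = {}
    for ip, count in denied_switches(log_text).items():
        if ip not in on_disk:
            state = "no section for this IP"
        elif on_disk[ip] == "Y":
            state = "cliAccess=Y on disk, still denied"
        else:
            state = "cliAccess not enabled"
        report[ip] = (count, state)
    return report

if __name__ == "__main__":
    for ip, (count, state) in triage(SAMPLE_LOG, SAMPLE_SWITCHES_CONF).items():
        print(f"{ip}: {count} denial(s), {state}")
```

The "cliAccess=Y on disk, still denied" state is the situation reported in the thread: the file and the runtime decision disagree for the NAS-IP-Address sent in the request.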