Untick Role by Switch Role and it should work.


On 2017-02-01 at 13:43, Philip Damian-Grint wrote:
> Thanks for the speedy response Fabrice....
>
> In my role tab for the switch I have Role by VLAN ID ticked and Role
> by Switch Role ticked (was on by default)
> The ACL and Web Auth Roles are not ticked.
>
> Regards
> Philip
>
> On 1 February 2017 at 18:33, Fabrice Durand <[email protected]> wrote:
>
>     Hello Philip,
>
>     It's probably your ACL that is the issue.
>
>     Remove in the switch config (pf side -> config -> switch -> role
>     tab and in role by role) registration
>
>     Regards
>     Fabrice
>
>     On 2017-02-01 at 13:29, Philip Damian-Grint wrote:
>>     Hello mailing list,
>>
>>     I have installed a fresh PacketFence 6.4.0-1 on CentOS 7.3.1611
>>     for testing
>>
>>     Test switch is a Cisco 2960 running 15.0(1)SE3
>>
>>     PF is configured for registration vlan 820
>>
>>     When I manually configure a port on the test switch to vlan 820 I
>>     can access the portal from PF
>>
>>     I configured the switchport for MAB from PacketFence and Cisco
>>     documentation
>>
>>     With aaa and radius debug enabled, I can see radius
>>     authentication starting, the port being set to vlan 820, then
>>     immediately failing authorization and starting again. This loops
>>     forever until the port is shut, or until I register the mac
>>     address in the PF Administration console, at which point a
>>     production  VLAN is allocated as expected.
>>
>>     While the looping is going on, the Registration VLAN never stays
>>     configured on the port long enough for the workstation to get an
>>     IP and reach the guest portal
>>
>>     When radiusd -X is run, an access-accept message is sent, and the
>>     process loops every time the switch loops.
>>
>>     otherwise, I can never get the guest portal, and the logs fill up
>>     incredibly quickly just from one port.
>>
>>     Does anyone have any suggestions? I primarily suspect my switch
>>     config is faulty or missing some key element...
>>
>>     SWITCH CONFIG:
>>
>>     aaa new-model
>>
>>     aaa group server radius pf
>>      server name SVVNMS03
>>      ip radius source-interface Vlan100
>>
>>     aaa authentication dot1x default group pf
>>     aaa authorization network default group pf
>>
>>     aaa server radius dynamic-author
>>      client 10.216.9.72 server-key 7 XXXXXXXXXXXXXXXXXXXXXXXX
>>      port 3799
>>
>>     interface FastEthernet0/2
>>      description MAB-NO-VOIP
>>      switchport mode access
>>      logging event link-status
>>      authentication order mab
>>      authentication priority mab
>>      authentication port-control auto
>>      authentication periodic
>>      authentication timer restart 10800
>>      authentication timer reauthenticate 10800
>>      mab
>>      no snmp trap link-status
>>      dot1x pae authenticator
>>      dot1x timeout quiet-period 2
>>      dot1x timeout tx-period 3
>>      spanning-tree portfast
>>      spanning-tree bpduguard enable
>>
>>     radius-server retransmit 1
>>     radius-server timeout 2
>>     radius-server vsa send authentication
>>
>>     radius server SVVNMS03
>>      address ipv4 10.216.9.72 auth-port 1812 acct-port 1813
>>      timeout 2
>>      retransmit 1
>>      key 7 XXXXXXXXXXXXXXXXXXXXXXXX
>>     =====================================
>>
>>     SWITCH DEBUG:
>>
>>     Feb  1 18:05:39.072 GMT: AAA/BIND(0000004B): Bind i/f 
>>     Feb  1 18:05:39.072 GMT: AAA/ACCT/HC(0000004B): Register
>>     Dot1X/5400003F 64 bit counter support not configured
>>     Feb  1 18:05:39.072 GMT: AAA/ACCT/HC(0000004B): Update
>>     Dot1X/5400003F
>>     Feb  1 18:05:39.072 GMT: AAA/ACCT/HC(0000004B): no HC Dot1X/5400003F
>>     Feb  1 18:05:39.072 GMT: AAA/ACCT/EVENT/(0000004B): CALL START
>>     Feb  1 18:05:39.072 GMT: Getting session id for NET(0000004B) :
>>     db=39078C4
>>     Feb  1 18:05:39.072 GMT: AAA/ACCT(00000000): add node, session 65
>>     Feb  1 18:05:39.072 GMT: AAA/ACCT/NET(0000004B): add, count 1
>>     Feb  1 18:05:39.072 GMT: Getting session id for NET(0000004B) :
>>     db=39078C4
>>     Feb  1 18:05:39.400 GMT: %AUTHMGR-5-START: Starting 'mab' for
>>     client (40a8.f0a9.e051) on Interface Fa0/2 AuditSessionID
>>     0AD800A70000003E00125D6B
>>     Feb  1 18:05:39.400 GMT: AAA/AUTHEN/8021X (0000004B): Pick method
>>     list 'default'
>>     Feb  1 18:05:39.400 GMT: RADIUS/ENCODE(0000004B):Orig. component
>>     type = Dot1X
>>     Feb  1 18:05:39.400 GMT: RADIUS/ENCODE(0000004B): Unsupported AAA
>>     attribute hwidb
>>     Feb  1 18:05:39.400 GMT: RADIUS/ENCODE(0000004B): Unsupported AAA
>>     attribute auth-profile
>>     Feb  1 18:05:39.400 GMT: RADIUS(0000004B): Config NAS IP:
>>     10.216.0.167
>>     Feb  1 18:05:39.400 GMT: RADIUS(0000004B): Config NAS IPv6: ::
>>     Feb  1 18:05:39.400 GMT: Getting session id for DOT1X(0000004B) :
>>     db=39078C4
>>     Feb  1 18:05:39.400 GMT: RADIUS/ENCODE(0000004B): acct_session_id: 65
>>     Feb  1 18:05:39.400 GMT: RADIUS(0000004B): sending
>>     Feb  1 18:05:39.400 GMT: RADIUS(0000004B): Send Access-Request to
>>     10.216.9.72:1812 id 1645/60, len 237
>>     Feb  1 18:05:39.400 GMT: RADIUS:  authenticator B4 28 20 EC F8 7C
>>     B8 2A - 47 C0 78 E6 3B 63 CB E1
>>     Feb  1 18:05:39.400 GMT: RADIUS:  User-Name           [1]   14 
>>     "40a8f0a9e051"
>>     Feb  1 18:05:39.400 GMT: RADIUS:  User-Password       [2]   18  *
>>     Feb  1 18:05:39.400 GMT: RADIUS:  Service-Type        [6]   6  
>>     Call Check                [10]
>>     Feb  1 18:05:39.400 GMT: RADIUS:  Vendor, Cisco       [26]  31 
>>     Feb  1 18:05:39.400 GMT: RADIUS:   Cisco AVpair       [1]   25 
>>     "service-type=Call Check"
>>     Feb  1 18:05:39.400 GMT: RADIUS:  Framed-MTU          [12]  6  
>>     1500                     
>>     Feb  1 18:05:39.400 GMT: RADIUS:  Called-Station-Id   [30]  19 
>>     "30-37-A6-7E-82-82"
>>     Feb  1 18:05:39.400 GMT: RADIUS:  Calling-Station-Id  [31]  19 
>>     "40-A8-F0-A9-E0-51"
>>     Feb  1 18:05:39.408 GMT: RADIUS:  Message-Authenticato[80]  18 
>>     Feb  1 18:05:39.408 GMT: RADIUS:   59 05 27 15 EB D2 EF 21 00 97
>>     C8 79 9B 29 2E DE            [ Y'!y).]
>>     Feb  1 18:05:39.408 GMT: RADIUS:  EAP-Key-Name        [102] 2   *
>>     Feb  1 18:05:39.408 GMT: RADIUS:  Vendor, Cisco       [26]  49 
>>     Feb  1 18:05:39.408 GMT: RADIUS:   Cisco AVpair       [1]   43 
>>     "audit-session-id=0AD800A70000003E00125D6B"
>>     Feb  1 18:05:39.408 GMT: RADIUS:  NAS-Port-Type       [61]  6  
>>     Ethernet                  [15]
>>     Feb  1 18:05:39.408 GMT: RADIUS:  NAS-Port            [5]   6  
>>     50002                    
>>     Feb  1 18:05:39.408 GMT: RADIUS:  NAS-Port-Id         [87]  17 
>>     "FastEthernet0/2"
>>     Feb  1 18:05:39.408 GMT: RADIUS:  NAS-IP-Address      [4]   6  
>>     10.216.0.167             
>>     Feb  1 18:05:39.408 GMT: RADIUS(0000004B): Sending a IPv4 Radius
>>     Packet
>>     Feb  1 18:05:39.408 GMT: RADIUS(0000004B): Started 2 sec timeout
>>     Feb  1 18:05:39.433 GMT: RADIUS: Received from id 1645/60
>>     10.216.9.72:1812, Access-Accept, len 67
>>     Feb  1 18:05:39.433 GMT: RADIUS:  authenticator 20 58 F8 39 9F 12
>>     BD A9 - E1 E5 BE 66 EE 73 CE F9
>>     Feb  1 18:05:39.433 GMT: RADIUS:  Tunnel-Type         [64]  6  
>>     00:VLAN                   [13]
>>     Feb  1 18:05:39.433 GMT: RADIUS:  Tunnel-Private-Group[81]  5   "820"
>>     Feb  1 18:05:39.433 GMT: RADIUS:  Filter-Id           [11]  17 
>>     Feb  1 18:05:39.433 GMT: RADIUS:   72 65 67 69 73 74 72 61 74 69
>>     6F 6E 2E 69 6E   [ registration.in]
>>     Feb  1 18:05:39.433 GMT: RADIUS:  Tunnel-Medium-Type  [65]  6  
>>     00:ALL_802                [6]
>>     Feb  1 18:05:39.433 GMT: RADIUS:  Vendor, Unknown     [26]  13 
>>     Feb  1 18:05:39.433 GMT: RADIUS:  Session-Timeout     [27]  7  
>>     Feb  1 18:05:39.433 GMT: RADIUS:   61 6C 6C 6F 77             [
>>     allow]
>>     Feb  1 18:05:39.433 GMT: RADIUS(0000004B): Received from id 1645/60
>>     Feb  1 18:05:39.433 GMT: %MAB-5-SUCCESS: Authentication
>>     successful for client (40a8.f0a9.e051) on Interface Fa0/2
>>     AuditSessionID 0AD800A70000003E00125D6B
>>     Feb  1 18:05:39.433 GMT: %AUTHMGR-7-RESULT: Authentication result
>>     'success' from 'mab' for client (40a8.f0a9.e051) on Interface
>>     Fa0/2 AuditSessionID 0AD800A70000003E00125D6B
>>     Feb  1 18:05:39.433 GMT: %AUTHMGR-5-VLANASSIGN: VLAN 820 assigned
>>     to Interface Fa0/2 AuditSessionID 0AD800A70000003E00125D6B
>>     Feb  1 18:05:39.467 GMT: %AUTHMGR-5-FAIL: Authorization failed
>>     for client (40a8.f0a9.e051) on Interface Fa0/2 AuditSessionID
>>     0AD800A70000003E00125D6B
>>     Feb  1 18:05:39.467 GMT: AUTH-SYNC (Fa0/2) Syncing update for
>>     context (40a8.f0a9.e051)
>>     Feb  1 18:05:39.509 GMT: AUTH-SYNC (Fa0/2) Syncing delete for
>>     context (40a8.f0a9.e051)
>>     Feb  1 18:05:39.509 GMT: AAA/ACCT/HC(0000004B): Update
>>     Dot1X/5400003F
>>     Feb  1 18:05:39.509 GMT: AAA/ACCT/HC(0000004B): no HC Dot1X/5400003F
>>     Feb  1 18:05:39.509 GMT: AAA/ACCT/HC(0000004B): Update
>>     Dot1X/5400003F
>>     Feb  1 18:05:39.509 GMT: AAA/ACCT/HC(0000004B): no HC Dot1X/5400003F
>>     Feb  1 18:05:39.517 GMT: AAA/ACCT/EVENT/(0000004B): CALL STOP
>>     Feb  1 18:05:39.517 GMT: AAA/ACCT/CALL STOP(0000004B): Sending
>>     stop requests
>>     Feb  1 18:05:39.517 GMT: AAA/ACCT(0000004B): Send all stops
>>     Feb  1 18:05:39.517 GMT: AAA/ACCT/NET(0000004B): STOP
>>     Feb  1 18:05:39.517 GMT: AAA/ACCT/NET(0000004B): Method list not
>>     found
>>     Feb  1 18:05:39.517 GMT: AAA/ACCT(0000004B): del node, session 65
>>     Feb  1 18:05:39.517 GMT: AAA/ACCT/NET(0000004B): free_rec, count 0
>>     Feb  1 18:05:39.517 GMT: /AAA/ACCTNET(0000004B) reccnt 0, csr
>>     TRUE, osr 0
>>     Feb  1 18:05:39.517 GMT: AAA/ACCT/NET(0000004B): Last rec in db,
>>     intf not enqueued
>>     Feb  1 18:05:39.718 GMT: AAA/BIND(0000004C): Bind i/f 
>>     ***this continues to loop as above
>>
>>     ======================================
>>
>>     RADIUSD DEBUG
>>
>>     Listening on auth address 127.0.0.1 port 1812 bound to server
>>     packetfence
>>     Listening on auth address 10.216.9.72 port 1812 bound to server
>>     packetfence
>>     Listening on command file /usr/local/pf/var/run/radiusd.sock
>>     Listening on proxy address * port 39363
>>     Ready to process requests
>>     (0) Received Access-Request Id 35 from 10.216.0.167:1645 to
>>     10.216.9.72:1812 length 237
>>     (0)   User-Name = "40a8f0a9e051"
>>     (0)   User-Password = "40a8f0a9e051"
>>     (0)   Service-Type = Call-Check
>>     (0)   Cisco-AVPair = "service-type=Call Check"
>>     (0)   Framed-MTU = 1500
>>     (0)   Called-Station-Id = "30-37-A6-7E-82-82"
>>     (0)   Calling-Station-Id = "40-A8-F0-A9-E0-51"
>>     (0)   Message-Authenticator = 0x2f390957e15d061946d59dd43a49016c
>>     (0)   Cisco-AVPair = "audit-session-id=0AD800A700000023000A2070"
>>     (0)   NAS-Port-Type = Ethernet
>>     (0)   NAS-Port = 50002
>>     (0)   NAS-Port-Id = "FastEthernet0/2"
>>     (0)   NAS-IP-Address = 10.216.0.167
>>     (0) # Executing section authorize from file
>>     raddb//sites-enabled/packetfence
>>     (0)   authorize {
>>     (0)     update {
>>     (0)       EXPAND %{Packet-Src-IP-Address}
>>     (0)          --> 10.216.0.167
>>     (0)       &request:FreeRADIUS-Client-IP-Address := 10.216.0.167
>>     (0)       &control:PacketFence-RPC-Server = 127.0.0.1
>>     (0)       &control:PacketFence-RPC-Port = 7070
>>     (0)       &control:PacketFence-RPC-User =
>>     (0)       &control:PacketFence-RPC-Pass =
>>     (0)       &control:PacketFence-RPC-Proto = http
>>     (0)       EXPAND %l
>>     (0)          --> 1485971799
>>     (0)       &control:Tmp-Integer-0 := 1485971799
>>     (0)       &control:PacketFence-Request-Time := 0
>>     (0)     } # update = noop
>>     (0)     policy rewrite_calling_station_id {
>>     (0)       if (&Calling-Station-Id && (&Calling-Station-Id =~
>>     
>> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
>>     {
>>     (0)       if (&Calling-Station-Id && (&Calling-Station-Id =~
>>     
>> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
>>  
>>     -> TRUE
>>     (0)       if (&Calling-Station-Id && (&Calling-Station-Id =~
>>     
>> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
>>  
>>     {
>>     (0)         update request {
>>     (0)           EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
>>     (0)              --> 40:a8:f0:a9:e0:51
>>     (0)           &Calling-Station-Id := 40:a8:f0:a9:e0:51
>>     (0)         } # update request = noop
>>     (0)         [updated] = updated
>>     (0)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~
>>     
>> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
>>  
>>     = updated
>>     (0)       ... skipping else: Preceding "if" was taken
>>     (0)     } # policy rewrite_calling_station_id = updated
>>     (0)     policy rewrite_called_station_id {
>>     (0)       if ((&Called-Station-Id) && (&Called-Station-Id =~
>>     
>> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
>>     {
>>     (0)       if ((&Called-Station-Id) && (&Called-Station-Id =~
>>     
>> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
>>  
>>     -> TRUE
>>     (0)       if ((&Called-Station-Id) && (&Called-Station-Id =~
>>     
>> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
>>  
>>     {
>>     (0)         update request {
>>     (0)           &Called-Station-Id !* ANY
>>     (0)           EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
>>     (0)              --> 30:37:a6:7e:82:82
>>     (0)           &Called-Station-Id := 30:37:a6:7e:82:82
>>     (0)         } # update request = noop
>>     (0)         if ("%{8}") {
>>     (0)         EXPAND %{8}
>>     (0)            -->
>>     (0)         if ("%{8}")  -> FALSE
>>     (0)         elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~
>>     /^ssid=(.*)$/i) {
>>     (0)         elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~
>>     /^ssid=(.*)$/i)  -> FALSE
>>     (0)         elsif (Aruba-Essid-Name) {
>>     (0)         elsif (Aruba-Essid-Name)  -> FALSE
>>     (0)         elsif ( (Cisco-AVPair)  && "%{Cisco-AVPair}" =~
>>     /^ssid=(.*)$/i) {
>>     (0)         EXPAND %{Cisco-AVPair}
>>     (0)            --> service-type=Call Check
>>     (0)         elsif ( (Cisco-AVPair)  && "%{Cisco-AVPair}" =~
>>     /^ssid=(.*)$/i)  -> FALSE
>>     (0)         [updated] = updated
>>     (0)       } # if ((&Called-Station-Id) && (&Called-Station-Id =~
>>     
>> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
>>  
>>     = updated
>>     (0)       ... skipping else: Preceding "if" was taken
>>     (0)     } # policy rewrite_called_station_id = updated
>>     (0)     policy filter_username {
>>     (0)       if (&User-Name) {
>>     (0)       if (&User-Name)  -> TRUE
>>     (0)       if (&User-Name)  {
>>     (0)         if (&User-Name =~ / /) {
>>     (0)         if (&User-Name =~ / /)  -> FALSE
>>     (0)         if (&User-Name =~ /@[^@]*@/ ) {
>>     (0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
>>     (0)         if (&User-Name =~ /\.\./ ) {
>>     (0)         if (&User-Name =~ /\.\./ )  -> FALSE
>>     (0)         if ((&User-Name =~ /@/) && (&User-Name !~
>>     /@(.+)\.(.+)$/))  {
>>     (0)         if ((&User-Name =~ /@/) && (&User-Name !~
>>     /@(.+)\.(.+)$/))   -> FALSE
>>     (0)         if (&User-Name =~ /\.$/)  {
>>     (0)         if (&User-Name =~ /\.$/)   -> FALSE
>>     (0)         if (&User-Name =~ /@\./)  {
>>     (0)         if (&User-Name =~ /@\./)   -> FALSE
>>     (0)       } # if (&User-Name)  = updated
>>     (0)     } # policy filter_username = updated
>>     (0)     policy filter_password {
>>     (0)       if (&User-Password &&    (&User-Password !=
>>     "%{string:User-Password}")) {
>>     (0)       EXPAND %{string:User-Password}
>>     (0)          --> 40a8f0a9e051
>>     (0)       if (&User-Password &&    (&User-Password !=
>>     "%{string:User-Password}"))  -> FALSE
>>     (0)     } # policy filter_password = updated
>>     (0)     [preprocess] = ok
>>     (0) suffix: Checking for suffix after "@"
>>     (0) suffix: No '@' in User-Name = "40a8f0a9e051", skipping NULL
>>     due to config.
>>     (0)     [suffix] = noop
>>     (0) ntdomain: Checking for prefix before "\"
>>     (0) ntdomain: No '\' in User-Name = "40a8f0a9e051", looking up
>>     realm NULL
>>     (0) ntdomain: Found realm "null"
>>     (0) ntdomain: Adding Stripped-User-Name = "40a8f0a9e051"
>>     (0) ntdomain: Adding Realm = "null"
>>     (0) ntdomain: Authentication realm is LOCAL
>>     (0)     [ntdomain] = ok
>>     (0) eap: No EAP-Message, not doing EAP
>>     (0)     [eap] = noop
>>     (0)     if ( !EAP-Message ) {
>>     (0)     if ( !EAP-Message )  -> TRUE
>>     (0)     if ( !EAP-Message )  {
>>     (0)       update {
>>     (0)         &control:Auth-Type := Accept
>>     (0)       } # update = noop
>>     (0)     } # if ( !EAP-Message )  = noop
>>     (0)     policy packetfence-eap-mac-policy {
>>     (0)       if ( &EAP-Type ) {
>>     (0)       if ( &EAP-Type )  -> FALSE
>>     (0)       [noop] = noop
>>     (0)     } # policy packetfence-eap-mac-policy = noop
>>     (0) pap: WARNING:
>>     !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>>     (0) pap: WARNING: !!! Ignoring control:User-Password.  Update
>>     your        !!!
>>     (0) pap: WARNING: !!! configuration so that the "known good"
>>     clear text !!!
>>     (0) pap: WARNING: !!! password is in Cleartext-Password and NOT
>>     in        !!!
>>     (0) pap: WARNING: !!!
>>     User-Password.                                      !!!
>>     (0) pap: WARNING:
>>     !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>>     (0) pap: WARNING: Auth-Type already set.  Not setting to PAP
>>     (0)     [pap] = noop
>>     (0)   } # authorize = updated
>>     (0) Found Auth-Type = Accept
>>     (0) Auth-Type = Accept, accepting the user
>>     (0) # Executing section post-auth from file
>>     raddb//sites-enabled/packetfence
>>     (0)   post-auth {
>>     (0)     update {
>>     (0)       EXPAND %{Packet-Src-IP-Address}
>>     (0)          --> 10.216.0.167
>>     (0)       &request:FreeRADIUS-Client-IP-Address := 10.216.0.167
>>     (0)       &control:PacketFence-RPC-Server = 127.0.0.1
>>     (0)       &control:PacketFence-RPC-Port = 7070
>>     (0)       &control:PacketFence-RPC-User =
>>     (0)       &control:PacketFence-RPC-Pass =
>>     (0)       &control:PacketFence-RPC-Proto = http
>>     (0)     } # update = noop
>>     (0)     if (! EAP-Type || (EAP-Type != TTLS  && EAP-Type != PEAP) ) {
>>     (0)     if (! EAP-Type || (EAP-Type != TTLS  && EAP-Type != PEAP)
>>     )  -> TRUE
>>     (0)     if (! EAP-Type || (EAP-Type != TTLS  && EAP-Type != PEAP)
>>     )  {
>>     rlm_rest (rest): Reserved connection (0)
>>     (0) rest: Expanding URI components
>>     (0) rest: EXPAND http://127.0.0.1:7070
>>     (0) rest:    --> http://127.0.0.1:7070
>>     (0) rest: EXPAND //radius/rest/authorize
>>     (0) rest:    --> //radius/rest/authorize
>>     (0) rest: Sending HTTP POST to
>>     "http://127.0.0.1:7070//radius/rest/authorize"
>>     (0) rest: Encoding attribute "User-Name"
>>     (0) rest: Encoding attribute "User-Password"
>>     (0) rest: Encoding attribute "NAS-IP-Address"
>>     (0) rest: Encoding attribute "NAS-Port"
>>     (0) rest: Encoding attribute "Service-Type"
>>     (0) rest: Encoding attribute "Framed-MTU"
>>     (0) rest: Encoding attribute "Called-Station-Id"
>>     (0) rest: Encoding attribute "Calling-Station-Id"
>>     (0) rest: Encoding attribute "NAS-Port-Type"
>>     (0) rest: Encoding attribute "Event-Timestamp"
>>     (0) rest: Encoding attribute "Message-Authenticator"
>>     (0) rest: Encoding attribute "NAS-Port-Id"
>>     (0) rest: Encoding attribute "Cisco-AVPair"
>>     (0) rest: Encoding attribute "Stripped-User-Name"
>>     (0) rest: Encoding attribute "Realm"
>>     (0) rest: Encoding attribute "FreeRADIUS-Client-IP-Address"
>>     (0) rest: Processing response header
>>     (0) rest:   Status : 200 (OK)
>>     (0) rest:   Type   : json (application/json)
>>     (0) rest: Parsing attribute "control:PacketFence-Role"
>>     (0) rest: EXPAND registration
>>     (0) rest:    --> registration
>>     (0) rest: PacketFence-Role := "registration"
>>     (0) rest: Parsing attribute "control:PacketFence-Eap-Type"
>>     (0) rest: EXPAND 0
>>     (0) rest:    --> 0
>>     (0) rest: PacketFence-Eap-Type := "0"
>>     (0) rest: Parsing attribute "Tunnel-Type"
>>     (0) rest: EXPAND 13
>>     (0) rest:    --> 13
>>     (0) rest: Tunnel-Type := VLAN
>>     (0) rest: Parsing attribute "control:PacketFence-AutoReg"
>>     (0) rest: EXPAND 0
>>     (0) rest:    --> 0
>>     (0) rest: PacketFence-AutoReg := "0"
>>     (0) rest: Parsing attribute "Tunnel-Private-Group-ID"
>>     (0) rest: EXPAND 820
>>     (0) rest:    --> 820
>>     (0) rest: Tunnel-Private-Group-Id := "820"
>>     (0) rest: Parsing attribute "control:PacketFence-Request-Time"
>>     (0) rest: EXPAND 1485971799
>>     (0) rest:    --> 1485971799
>>     (0) rest: PacketFence-Request-Time := 1485971799
>>     (0) rest: Parsing attribute "control:PacketFence-Switch-Ip-Address"
>>     (0) rest: EXPAND 10.216.0.167
>>     (0) rest:    --> 10.216.0.167
>>     (0) rest: PacketFence-Switch-Ip-Address := "10.216.0.167"
>>     (0) rest: Parsing attribute "control:PacketFence-UserName"
>>     (0) rest: EXPAND 40a8f0a9e051
>>     (0) rest:    --> 40a8f0a9e051
>>     (0) rest: PacketFence-UserName := "40a8f0a9e051"
>>     (0) rest: Parsing attribute "control:PacketFence-IsPhone"
>>     (0) rest: PacketFence-IsPhone := ""
>>     (0) rest: Parsing attribute "control:PacketFence-Switch-Mac"
>>     (0) rest: EXPAND 30:37:a6:7e:82:82
>>     (0) rest:    --> 30:37:a6:7e:82:82
>>     (0) rest: PacketFence-Switch-Mac := "30:37:a6:7e:82:82"
>>     (0) rest: Parsing attribute "control:PacketFence-Switch-Id"
>>     (0) rest: EXPAND 10.216.0.167
>>     (0) rest:    --> 10.216.0.167
>>     (0) rest: PacketFence-Switch-Id := "10.216.0.167"
>>     (0) rest: Parsing attribute "Filter-Id"
>>     (0) rest: EXPAND registration.in
>>     (0) rest:    --> registration.in
>>     (0) rest: Filter-Id := "registration.in"
>>     (0) rest: Parsing attribute "Tunnel-Medium-Type"
>>     (0) rest: EXPAND 6
>>     (0) rest:    --> 6
>>     (0) rest: Tunnel-Medium-Type := IEEE-802
>>     (0) rest: Parsing attribute "control:PacketFence-Computer-Name"
>>     (0) rest: EXPAND RXHD03099
>>     (0) rest:    --> RXHD03099
>>     (0) rest: PacketFence-Computer-Name := "RXHD03099"
>>     (0) rest: Parsing attribute "Cisco-AVPair"
>>     (0) rest: WARNING: Zero length value array, skipping...
>>     (0) rest: Parsing attribute "control:PacketFence-Mac"
>>     (0) rest: EXPAND 40:a8:f0:a9:e0:51
>>     (0) rest:    --> 40:a8:f0:a9:e0:51
>>     (0) rest: PacketFence-Mac := "40:a8:f0:a9:e0:51"
>>     (0) rest: Parsing attribute "control:PacketFence-IfIndex"
>>     (0) rest: EXPAND 10002
>>     (0) rest:    --> 10002
>>     (0) rest: PacketFence-IfIndex := "10002"
>>     (0) rest: Parsing attribute "reply:PacketFence-Authorization-Status"
>>     (0) rest: EXPAND allow
>>     (0) rest:    --> allow
>>     (0) rest: PacketFence-Authorization-Status := "allow"
>>     (0) rest: Parsing attribute "control:PacketFence-Connection-Type"
>>     (0) rest: EXPAND WIRED_MAC_AUTH
>>     (0) rest:    --> WIRED_MAC_AUTH
>>     (0) rest: PacketFence-Connection-Type := "WIRED_MAC_AUTH"
>>     (0) rest: Parsing attribute "control:PacketFence-Status"
>>     (0) rest: EXPAND unreg
>>     (0) rest:    --> unreg
>>     (0) rest: PacketFence-Status := "unreg"
>>     rlm_rest (rest): Released connection (0)
>>     rlm_rest (rest): Need 5 more connections to reach 10 spares
>>     rlm_rest (rest): Opening additional connection (5), 1 of 59
>>     pending slots used
>>     rlm_rest (rest): Connecting to "http://127.0.0.1:7070/"
>>     (0)       [rest] = updated
>>     (0)       if (&reply:PacketFence-Authorization-Status == "deny") {
>>     (0)       if (&reply:PacketFence-Authorization-Status == "deny") 
>>     -> FALSE
>>     (0)       else {
>>     (0)         policy packetfence-audit-log-accept {
>>     (0)           if (&User-Name != "dummy") {
>>     (0)           if (&User-Name != "dummy")  -> TRUE
>>     (0)           if (&User-Name != "dummy")  {
>>     (0)             policy request-timing {
>>     (0)               if (control:PacketFence-Request-Time != 0) {
>>     (0)               if (control:PacketFence-Request-Time != 0)  -> TRUE
>>     (0)               if (control:PacketFence-Request-Time != 0)  {
>>     (0)                 update control {
>>     (0)                   EXPAND %{expr:
>>     %{control:PacketFence-Request-Time} - %{control:Tmp-Integer-0}}
>>     (0)                      --> 0
>>     (0)                   &PacketFence-Request-Time := 0
>>     (0)                 } # update control = noop
>>     (0)               } # if (control:PacketFence-Request-Time != 0) 
>>     = noop
>>     (0)             } # policy request-timing = noop
>>     (0) sql: EXPAND type.accept.query
>>     (0) sql:    --> type.accept.query
>>     (0) sql: Using query template 'query'
>>     rlm_sql (sql): Reserved connection (1)
>>     (0) sql: EXPAND %{User-Name}
>>     (0) sql:    --> 40a8f0a9e051
>>     (0) sql: SQL-User-Name set to '40a8f0a9e051'
>>     (0) sql: EXPAND INSERT INTO radius_audit_log               ( mac,
>>     ip, computer_name, user_name,                stripped_user_name, 
>>     realm, event_type,                switch_id, switch_mac,
>>     switch_ip_address,                radius_source_ip_address,
>>     called_station_id, calling_station_id,               
>>     nas_port_type, ssid, nas_port_id,                ifindex,
>>     nas_port, connection_type,                nas_ip_address,
>>     nas_identifier, auth_status,                reason, auth_type,
>>     eap_type,                role, node_status,
>>     profile,                source, auto_reg,
>>     is_phone,                pf_domain, uuid,
>>     radius_request,                radius_reply,
>>     request_time)              VALUES               (
>>     '%{request:Calling-Station-Id}', '%{request:Framed-IP-Address}',
>>     '%{%{control:PacketFence-Computer-Name}:-N/A}',
>>     '%{request:User-Name}',               
>>     '%{request:Stripped-User-Name}', '%{request:Realm}',
>>     'Radius-Access-Request',               
>>     '%{%{control:PacketFence-Switch-Id}:-N/A}',
>>     '%{%{control:PacketFence-Switch-Mac}:-N/A}',
>>     '%{%{control:PacketFence-Switch-Ip-Address}:-N/A}',               
>>     '%{Packet-Src-IP-Address}', '%{request:Called-Station-Id}',
>>     '%{request:Calling-Station-Id}',               
>>     '%{request:NAS-Port-Type}', '%{request:Called-Station-SSID}',
>>     '%{request:NAS-Port-Id}',               
>>     '%{%{control:PacketFence-IfIndex}:-N/A}', '%{request:NAS-Port}',
>>     '%{%{control:PacketFence-Connection-Type}:-N/A}',               
>>     '%{request:NAS-IP-Address}', '%{request:NAS-Identifier}',
>>     'Accept',                '%{request:Module-Failure-Message}',
>>     '%{control:Auth-Type}', '%{request:EAP-Type}',               
>>     '%{%{control:PacketFence-Role}:-N/A}',
>>     '%{%{control:PacketFence-Status}:-N/A}',
>>     '%{%{control:PacketFence-Profile}:-N/A}',               
>>     '%{%{control:PacketFence-Source}:-N/A}',
>>     '%{%{control:PacketFence-AutoReg}:-N/A}',
>>     '%{%{control:PacketFence-IsPhone}:-N/A}',               
>>     '%{request:PacketFence-Domain}', '',
>>     '%{pairs:&request:[*]}','%{pairs:&reply:[*]}',
>>     '%{control:PacketFence-Request-Time}')
>>     (0) sql:    --> INSERT INTO radius_audit_log               ( mac,
>>     ip, computer_name, user_name,                stripped_user_name, 
>>     realm, event_type,                switch_id, switch_mac,
>>     switch_ip_address,                radius_source_ip_address,
>>     called_station_id, calling_station_id,               
>>     nas_port_type, ssid, nas_port_id,                ifindex,
>>     nas_port, connection_type,                nas_ip_address,
>>     nas_identifier, auth_status,                reason, auth_type,
>>     eap_type,                role, node_status,
>>     profile,                source, auto_reg,
>>     is_phone,                pf_domain, uuid,
>>     radius_request,                radius_reply,
>>     request_time)              VALUES               (
>>     '40:a8:f0:a9:e0:51', '', 'RXHD03099',
>>     '40a8f0a9e051',                '40a8f0a9e051', 'null',
>>     'Radius-Access-Request',                '10.216.0.167',
>>     '30:37:a6:7e:82:82', '10.216.0.167',               
>>     '10.216.0.167', '30:37:a6:7e:82:82',
>>     '40:a8:f0:a9:e0:51',                'Ethernet', '',
>>     'FastEthernet0/2',                '10002', '50002',
>>     'WIRED_MAC_AUTH',                '10.216.0.167', '',
>>     'Accept',                '', 'Accept', '',               
>>     'registration', 'unreg', 'N/A',                'N/A', '0',
>>     'N/A',                '', '', 'User-Name =3D
>>     =2240a8f0a9e051=22=2C User-Password =3D =2240a8f0a9e051=22=2C
>>     NAS-IP-Address =3D 10.216.0.167=2C NAS-Port =3D 50002=2C
>>     Service-Type =3D Call-Check=2C Framed-MTU =3D 1500=2C
>>     Called-Station-Id =3D =2230:37:a6:7e:82:82=22=2C
>>     Calling-Station-Id =3D =2240:a8:f0:a9:e0:51=22=2C NAS-Port-Type
>>     =3D Ethernet=2C Event-Timestamp =3D =22Feb  1 2017 17:56:39
>>     GMT=22=2C Message-Authenticator =3D
>>     0x2f390957e15d061946d59dd43a49016c=2C NAS-Port-Id =3D
>>     =22FastEthernet0/2=22=2C Cisco-AVPair =3D =22service-type=3DCall
>>     Check=22=2C Cisco-AVPair =3D
>>     =22audit-session-id=3D0AD800A700000023000A2070=22=2C
>>     Stripped-User-Name =3D =2240a8f0a9e051=22=2C Realm =3D
>>     =22null=22=2C FreeRADIUS-Client-IP-Address =3D 10.216.0.167=2C
>>     SQL-User-Name =3D =2240a8f0a9e051=22','Tunnel-Type =3D VLAN=2C
>>     Tunnel-Private-Group-Id =3D =22820=22=2C Filter-Id =3D
>>     =22registration.in=22=2C
>>     Tunnel-Medium-Type =3D IEEE-802=2C
>>     PacketFence-Authorization-Status =3D =22allow=22', '0')
>>     (0) sql: Executing query: INSERT INTO
>>     radius_audit_log               ( mac, ip, computer_name,
>>     user_name,                stripped_user_name,  realm,
>>     event_type,                switch_id, switch_mac,
>>     switch_ip_address,                radius_source_ip_address,
>>     called_station_id, calling_station_id,               
>>     nas_port_type, ssid, nas_port_id,                ifindex,
>>     nas_port, connection_type,                nas_ip_address,
>>     nas_identifier, auth_status,                reason, auth_type,
>>     eap_type,                role, node_status,
>>     profile,                source, auto_reg,
>>     is_phone,                pf_domain, uuid,
>>     radius_request,                radius_reply,
>>     request_time)              VALUES               (
>>     '40:a8:f0:a9:e0:51', '', 'RXHD03099',
>>     '40a8f0a9e051',                '40a8f0a9e051', 'null',
>>     'Radius-Access-Request',                '10.216.0.167',
>>     '30:37:a6:7e:82:82', '10.216.0.167',               
>>     '10.216.0.167', '30:37:a6:7e:82:82',
>>     '40:a8:f0:a9:e0:51',                'Ethernet', '',
>>     'FastEthernet0/2',                '10002', '50002',
>>     'WIRED_MAC_AUTH',                '10.216.0.167', '',
>>     'Accept',                '', 'Accept', '',               
>>     'registration', 'unreg', 'N/A',                'N/A', '0',
>>     'N/A',                '', '', 'User-Name =3D
>>     =2240a8f0a9e051=22=2C User-Password =3D =2240a8f0a9e051=22=2C
>>     NAS-IP-Address =3D 10.216.0.167=2C NAS-Port =3D 50002=2C
>>     Service-Type =3D Call-Check=2C Framed-MTU =3D 1500=2C
>>     Called-Station-Id =3D =2230:37:a6:7e:82:82=22=2C
>>     Calling-Station-Id =3D =2240:a8:f0:a9:e0:51=22=2C NAS-Port-Type
>>     =3D Ethernet=2C Event-Timestamp =3D =22Feb  1 2017 17:56:39
>>     GMT=22=2C Message-Authenticator =3D
>>     0x2f390957e15d061946d59dd43a49016c=2C NAS-Port-Id =3D
>>     =22FastEthernet0/2=22=2C Cisco-AVPair =3D =22service-type=3DCall
>>     Check=22=2C Cisco-AVPair =3D
>>     =22audit-session-id=3D0AD800A700000023000A2070=22=2C
>>     Stripped-User-Name =3D =2240a8f0a9e051=22=2C Realm =3D
>>     =22null=22=2C FreeRADIUS-Client-IP-Address =3D 10.216.0.167=2C
>>     SQL-User-Name =3D =2240a8f0a9e051=22','Tunnel-Type =3D VLAN=2C
>>     Tunnel-Private-Group-Id =3D =22820=22=2C Filter-Id =3D
>>     =22registration.in=22=2C
>>     Tunnel-Medium-Type =3D IEEE-802=2C
>>     PacketFence-Authorization-Status =3D =22allow=22', '0')
>>     (0) sql: SQL query returned: success
>>     (0) sql: 1 record(s) updated
>>     rlm_sql (sql): Released connection (1)
>>     rlm_sql (sql): Need 4 more connections to reach 10 spares
>>     rlm_sql (sql): Opening additional connection (6), 1 of 58 pending
>>     slots used
>>     rlm_sql_mysql: Starting connect to MySQL server
>>     rlm_sql_mysql: Connected to database 'pf' on Localhost via UNIX
>>     socket, server version 5.5.52-MariaDB, protocol version 10
>>     (0)             [sql] = ok
>>     (0)           } # if (&User-Name != "dummy")  = ok
>>     (0)         } # policy packetfence-audit-log-accept = ok
>>     (0)       } # else = ok
>>     (0)     } # if (! EAP-Type || (EAP-Type != TTLS  && EAP-Type !=
>>     PEAP) )  = updated
>>     (0) attr_filter.packetfence_post_auth: EXPAND %{User-Name}
>>     (0) attr_filter.packetfence_post_auth:    --> 40a8f0a9e051
>>     (0) attr_filter.packetfence_post_auth: Matched entry DEFAULT at
>>     line 10
>>     (0)     [attr_filter.packetfence_post_auth] = updated
>>     (0) linelog: EXPAND messages.%{%{reply:Packet-Type}:-default}
>>     (0) linelog:    --> messages.Access-Accept
>>     (0) linelog: EXPAND %t : [mac:%{Calling-Station-Id}] Accepted
>>     user: %{reply:User-Name} and returned VLAN
>>     %{reply:Tunnel-Private-Group-ID}
>>     (0) linelog:    --> Wed Feb  1 17:56:39 2017 :
>>     [mac:40:a8:f0:a9:e0:51] Accepted user:  and returned VLAN 820
>>     (0) linelog: EXPAND /usr/local/pf/logs/radius.log
>>     (0) linelog:    --> /usr/local/pf/logs/radius.log
>>     (0)     [linelog] = ok
>>     (0)   } # post-auth = updated
>>     (0) Login OK: [40a8f0a9e051] (from client 10.216.0.167 port 50002
>>     cli 40:a8:f0:a9:e0:51)
>>     (0) Sent Access-Accept Id 35 from 10.216.9.72:1812 to
>>     10.216.0.167:1645 length 0
>>     (0)   Tunnel-Type = VLAN
>>     (0)   Tunnel-Private-Group-Id = "820"
>>     (0)   Filter-Id = "registration.in"
>>     (0)   Tunnel-Medium-Type = IEEE-802
>>     (0)   PacketFence-Authorization-Status = "allow"
>>     (0) Finished request
>>     Waking up in 4.9 seconds.
>>
>>     ***This continues to loop as above
>>
>> ------------------------------------------------------------------------------
>>     Check out the vibrant tech community on one of the world's most
>>     engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>>
>>     _______________________________________________
>>     PacketFence-users mailing list
>>     [email protected]
>>     <mailto:[email protected]>
>>     https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>     <https://lists.sourceforge.net/lists/listinfo/packetfence-users>
>
>     -- 
>     Fabrice Durand
>     [email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
>     Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>     (http://packetfence.org)
-- 
Fabrice Durand
[email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
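An added example, not part of the thread: a small diagnostic for the symptom in the quoted debug output. It decodes the `=XX`-escaped `radius_reply` value from the `radius_audit_log` insert to show which VLAN and Filter-Id the switch is asked to apply, and flags MACs that are accepted into the same VLAN repeatedly in `radius.log`. The function names, the 60-second window, the threshold of 3 and all but the first sample log line are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

def decode_sql_escaped(text):
    """Undo the =XX hex escaping used in the logged radius_request/radius_reply."""
    return re.sub(r"=([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)

def reply_summary(escaped_reply):
    """Return the VLAN and Filter-Id the Access-Accept asks the switch to apply."""
    pairs = re.findall(r'([\w-]+) = ("[^"]*"|[^,]+)', decode_sql_escaped(escaped_reply))
    attrs = {name: value.strip().strip('"') for name, value in pairs}
    return {"vlan": attrs.get("Tunnel-Private-Group-Id"), "filter_id": attrs.get("Filter-Id")}

# radius.log line format, taken from the linelog expansion in the debug output.
ACCEPT = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}) : \[mac:(?P<mac>[0-9a-f:]{17})\] "
    r"Accepted user: .* and returned VLAN (?P<vlan>\S+)$")

def reauth_loops(lines, window=timedelta(seconds=60), threshold=3):
    """Map (mac, vlan) -> accept count where `threshold` accepts fit in `window`."""
    seen = defaultdict(list)
    for line in lines:
        m = ACCEPT.match(line.strip())
        if m:
            ts = " ".join(m["ts"].split())  # collapse the padded day of month
            seen[(m["mac"], m["vlan"])].append(
                datetime.strptime(ts, "%a %b %d %H:%M:%S %Y"))
    # Slide over the sorted timestamps: compare each accept with the one threshold-1 later.
    return {key: len(s) for key, s in seen.items()
            if any(b - a <= window for a, b in zip(sorted(s), sorted(s)[threshold - 1:]))}

# radius_reply value as logged in the thread (mail client link residue removed).
REPLY = ("Tunnel-Type =3D VLAN=2C Tunnel-Private-Group-Id =3D =22820=22=2C "
         "Filter-Id =3D =22registration.in=22=2C Tunnel-Medium-Type =3D IEEE-802=2C "
         "PacketFence-Authorization-Status =3D =22allow=22")
# First line is from the thread; the others are constructed to mimic the loop.
SAMPLE_LOG = [
    "Wed Feb  1 17:56:39 2017 : [mac:40:a8:f0:a9:e0:51] Accepted user:  and returned VLAN 820",
    "Wed Feb  1 17:56:44 2017 : [mac:40:a8:f0:a9:e0:51] Accepted user:  and returned VLAN 820",
    "Wed Feb  1 17:56:49 2017 : [mac:40:a8:f0:a9:e0:51] Accepted user:  and returned VLAN 820",
    "Wed Feb  1 17:57:02 2017 : [mac:00:11:22:33:44:55] Accepted user:  and returned VLAN 820",
]

if __name__ == "__main__":
    print(reply_summary(REPLY))
    print(reauth_loops(SAMPLE_LOG))
```

A MAC reported by `reauth_loops` whose reply also carries a `filter_id` is a candidate for the ACL problem suggested in the reply above: the server accepts, but the switch cannot complete authorization.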