Hello James,
cool it works, i will add the support of 802.1x for the Mserie in the
main code.
Regards
Fabrice
Le 2017-11-02 à 09:15, James Garcellano via PacketFence-users a écrit :
> Hello Fabrice,
>
> Adding the line "sub supportsWiredDot1x { return $TRUE; }" to
> /usr/local/pf/lib/pf/Switch/Netgear/MSeries.pm and then rebooting PacketFence
> has worked.
>
> Here are the latest entries from the /usr/local/pf/logs/packetfence.log file:
>
> Nov 2 12:46:30 packetfence-zen packetfence_httpd.aaa: httpd.aaa(2908) INFO:
> [mac:00:21:70:d8:ac:45] handling radius autz request: from switch_ip =>
> (192.168.1.12), connection_type => Ethernet-EAP,switch_mac =>
> (b0:b9:8a:46:3d:0e), mac => [00:21:70:d8:ac:45], port => 1, username =>
> "PFDOMAIN\testme" (pf::radius::authorize)
> Nov 2 12:46:30 packetfence-zen packetfence_httpd.aaa: httpd.aaa(2908) INFO:
> [mac:00:21:70:d8:ac:45] Instantiate profile default
> (pf::Connection::ProfileFactory::_from_profile)
> Nov 2 12:46:30 packetfence-zen packetfence_httpd.aaa: httpd.aaa(2908) INFO:
> [mac:00:21:70:d8:ac:45] is of status unreg; belongs into registration VLAN
> (pf::role::getRegistrationRole)
> Nov 2 12:46:30 packetfence-zen packetfence_httpd.aaa: httpd.aaa(2908) INFO:
> [mac:00:21:70:d8:ac:45] (192.168.1.12) Added VLAN 20 to the returned RADIUS
> Access-Accept (pf::Switch::returnRadiusAccessAccept)
> Nov 2 12:46:30 packetfence-zen packetfence_httpd.aaa: httpd.aaa(2908) INFO:
> [mac:[undef]] Updating locationlog from accounting request
> (pf::api::handle_accounting_metadata)
>
>
> Thank you, Fabrice, for your time and assistance in helping to troubleshoot
> my issue!
>
> James Garcellano
>
>> Ok so you need to add support of 802.1x in the switch module.
>>
>> In this file,
>> https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Netgear/MSeries.pm#L19
>>
>> add that:
>>
>> sub supportsWiredDot1x { return $TRUE; }
>>
>> Then restart packetfence.
>>
>> Paste me the packetfence.log after that.
>> Regards
>> Fabrice
>>
>> Le 2017-11-01 à 18:04, James Garcellano via PacketFence-users a écrit :
>>> Hello Fabrice,
>>>
>>> Here is the last few entries from the /usr/local/pf/logs/packetfence.log
>>> file:
>>>
>>> Nov 1 22:03:06 packetfence-zen packetfence_httpd.aaa: httpd.aaa(2852)
>>> INFO: [mac:00:21:70:d8:ac:45] handling radius autz request: from switch_ip
>>> => (192.168.1.12), connection_type => Ethernet-EAP,switch_mac =>
>>> (b0:b9:8a:46:3d:0e), mac => [00:21:70:d8:ac:45], port => 1, username =>
>>> "PFDOMAIN\testme" (pf::radius::authorize)
>>> Nov 1 22:03:06 packetfence-zen packetfence_httpd.aaa: httpd.aaa(2852)
>>> ERROR: [mac:00:21:70:d8:ac:45] Wired 802.1X is not supported on switch type
>>> pf::Switch::Netgear::MSeries. Please let us know what hardware you are
>>> using. (pf::Switch::supportsWiredDot1x)
>>> Nov 1 22:03:06 packetfence-zen packetfence_httpd.aaa: httpd.aaa(2852)
>>> WARN: [mac:00:21:70:d8:ac:45] (192.168.1.12) Sending REJECT since switch is
>>> unsupported (pf::radius::_switchUnsupportedReply)
>>> Nov 1 22:03:07 packetfence-zen packetfence_httpd.aaa: httpd.aaa(3730)
>>> INFO: [mac:00:21:70:d8:ac:45] Updating locationlog from accounting request
>>> (pf::api::handle_accounting_metadata)
>>>
>>>
>>>> Ok it's better now.
>>>>
>>>> Now can you check on the packetfence.log, you are suppose to see
>>>> different messages now.
>>>>
>>>>
>>>> Le 2017-11-01 à 17:27, James Garcellano via PacketFence-users a écrit :
>>>>> It looks like the other test still showed the NAS IP as 192.168.1.5.
>>>>>
>>>>> I rebooted the switch and did another test.
>>>>>
>>>>> Here is the raddebug from that...
>>>>>
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: Received Access-Request Id 201 from
>>>>> 192.168.1.12:42371 to 192.168.1.5:1812 length 158
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: User-Name = "PFDOMAIN\\testme"
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: Called-Station-Id =
>>>>> "b0-b9-8a-46-3d-0e"
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: Calling-Station-Id =
>>>>> "00:21:70:d8:ac:45"
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: NAS-Identifier =
>>>>> "b0-b9-8a-46-3d-0c"
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: NAS-IP-Address = 192.168.1.12
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: NAS-Port = 1
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: Framed-MTU = 1500
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: NAS-Port-Type = Ethernet
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: EAP-Message =
>>>>> 0x02000014015046444f4d41494e5c746573746d65
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: Message-Authenticator =
>>>>> 0x935d535299b823f31e7748c9271d6225
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: # Executing section authorize from
>>>>> file /usr/local/pf/raddb/sites-enabled/packetfence
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: authorize {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: update {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: EXPAND
>>>>> %{Packet-Src-IP-Address}
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: --> 192.168.1.12
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: EXPAND %l
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: --> 1509570793
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: } # update = noop
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: policy
>>>>> rewrite_calling_station_id {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if (&Calling-Station-Id &&
>>>>> (&Calling-Station-Id =~
>>>>> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
>>>>> {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if (&Calling-Station-Id &&
>>>>> (&Calling-Station-Id =~
>>>>> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
>>>>> -> TRUE
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if (&Calling-Station-Id &&
>>>>> (&Calling-Station-Id =~
>>>>> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
>>>>> {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: update request {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: EXPAND
>>>>> %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: --> 00:21:70:d8:ac:45
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: } # update request = noop
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: [updated] = updated
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: } # if (&Calling-Station-Id
>>>>> && (&Calling-Station-Id =~
>>>>> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
>>>>> = updated
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: ... skipping else: Preceding
>>>>> "if" was taken
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: } # policy
>>>>> rewrite_calling_station_id = updated
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: policy
>>>>> rewrite_called_station_id {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if ((&Called-Station-Id) &&
>>>>> (&Called-Station-Id =~
>>>>> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
>>>>> {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if ((&Called-Station-Id) &&
>>>>> (&Called-Station-Id =~
>>>>> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
>>>>> -> TRUE
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if ((&Called-Station-Id) &&
>>>>> (&Called-Station-Id =~
>>>>> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
>>>>> {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: update request {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: EXPAND
>>>>> %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: --> b0:b9:8a:46:3d:0e
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: } # update request = noop
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if ("%{8}") {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: EXPAND %{8}
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: -->
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if ("%{8}") -> FALSE
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: elsif ( (Colubris-AVPair)
>>>>> && "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: elsif ( (Colubris-AVPair)
>>>>> && "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) -> FALSE
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: elsif (Aruba-Essid-Name) {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: elsif (Aruba-Essid-Name)
>>>>> -> FALSE
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: elsif ( (Cisco-AVPair) &&
>>>>> "%{Cisco-AVPair}" =~ /^ssid=(.*)$/i) {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: elsif ( (Cisco-AVPair) &&
>>>>> "%{Cisco-AVPair}" =~ /^ssid=(.*)$/i) -> FALSE
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: [updated] = updated
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: } # if ((&Called-Station-Id)
>>>>> && (&Called-Station-Id =~
>>>>> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
>>>>> = updated
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: ... skipping else: Preceding
>>>>> "if" was taken
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: } # policy
>>>>> rewrite_called_station_id = updated
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: policy filter_username {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if (&User-Name) {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if (&User-Name) -> TRUE
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if (&User-Name) {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if (&User-Name =~ / /) {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if (&User-Name =~ / /) ->
>>>>> FALSE
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if (&User-Name =~ /@[^@]*@/
>>>>> ) {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if (&User-Name =~ /@[^@]*@/
>>>>> ) -> FALSE
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if (&User-Name =~ /\.\./ ) {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if (&User-Name =~ /\.\./ )
>>>>> -> FALSE
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if ((&User-Name =~ /@/) &&
>>>>> (&User-Name !~ /@(.+)\.(.+)$/)) {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if ((&User-Name =~ /@/) &&
>>>>> (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if (&User-Name =~ /\.$/) {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if (&User-Name =~ /\.$/)
>>>>> -> FALSE
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if (&User-Name =~ /@\./) {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if (&User-Name =~ /@\./)
>>>>> -> FALSE
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: } # if (&User-Name) = updated
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: } # policy filter_username =
>>>>> updated
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: policy filter_password {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if (&User-Password &&
>>>>> (&User-Password != "%{string:User-Password}")) {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if (&User-Password &&
>>>>> (&User-Password != "%{string:User-Password}")) -> FALSE
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: } # policy filter_password =
>>>>> updated
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: [preprocess] = ok
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: suffix: Checking for suffix after
>>>>> "@"
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: suffix: No '@' in User-Name =
>>>>> "PFDOMAIN\testme", skipping NULL due to config.
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: [suffix] = noop
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: ntdomain: Checking for prefix
>>>>> before "\"
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: ntdomain: Looking up realm
>>>>> "PFDOMAIN" for User-Name = "PFDOMAIN\testme"
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: ntdomain: Found realm "pfdomain"
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: ntdomain: Adding Stripped-User-Name
>>>>> = "testme"
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: ntdomain: Adding Realm = "pfdomain"
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: ntdomain: Authentication realm is
>>>>> LOCAL
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: [ntdomain] = ok
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: eap: Peer sent EAP Response (code
>>>>> 2) ID 0 length 20
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: eap: EAP-Identity reply, returning
>>>>> 'ok' so we can short-circuit the rest of authorize
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: [eap] = ok
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: } # authorize = ok
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: Found Auth-Type = eap
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: # Executing group from file
>>>>> /usr/local/pf/raddb/sites-enabled/packetfence
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: authenticate {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: eap: Peer sent packet with method
>>>>> EAP Identity (1)
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: eap: Calling submodule eap_peap to
>>>>> process data
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: eap_peap: Initiating new EAP-TLS
>>>>> session
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: eap_peap: [eaptls start] = request
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: eap: Sending EAP Request (code 1)
>>>>> ID 1 length 6
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: eap: EAP session adding
>>>>> &reply:State = 0x3e2077383e216e13
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: [eap] = handled
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: } # authenticate = handled
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: Using Post-Auth-Type Challenge
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: Post-Auth-Type sub-section not
>>>>> found. Ignoring.
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: # Executing group from file
>>>>> /usr/local/pf/raddb/sites-enabled/packetfence
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: Sent Access-Challenge Id 201 from
>>>>> 192.168.1.5:1812 to 192.168.1.12:42371 length 0
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: EAP-Message = 0x010100061920
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: Message-Authenticator =
>>>>> 0x00000000000000000000000000000000
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: State =
>>>>> 0x3e2077383e216e134e967a956fd013fe
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: Finished request
>>>>>
>>>>> James Garcellano
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> Check out the vibrant tech community on one of the world's most
>>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>>> _______________________________________________
>>>>> PacketFence-users mailing list
>>>>> PacketFence-users@...
>>> James Garcellano
>>>
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>> _______________________________________________
>>> PacketFence-users mailing list
>>> PacketFence-users@...
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
