Hello James,

Cool, it works. I will add support for 802.1x for the MSeries in the main code.

Regards
Fabrice

On 2017-11-02 at 09:15, James Garcellano via PacketFence-users wrote:
> Hello Fabrice,
>
> Adding the line "sub supportsWiredDot1x { return $TRUE; }" to
> /usr/local/pf/lib/pf/Switch/Netgear/MSeries.pm and then rebooting PacketFence
> has worked.
>
> Here are the latest entries from the /usr/local/pf/logs/packetfence.log file:
>
> Nov 2 12:46:30 packetfence-zen packetfence_httpd.aaa: httpd.aaa(2908) INFO:
> [mac:00:21:70:d8:ac:45] handling radius autz request: from switch_ip =>
> (192.168.1.12), connection_type => Ethernet-EAP,switch_mac =>
> (b0:b9:8a:46:3d:0e), mac => [00:21:70:d8:ac:45], port => 1, username =>
> "PFDOMAIN\testme" (pf::radius::authorize)
> Nov 2 12:46:30 packetfence-zen packetfence_httpd.aaa: httpd.aaa(2908) INFO:
> [mac:00:21:70:d8:ac:45] Instantiate profile default
> (pf::Connection::ProfileFactory::_from_profile)
> Nov 2 12:46:30 packetfence-zen packetfence_httpd.aaa: httpd.aaa(2908) INFO:
> [mac:00:21:70:d8:ac:45] is of status unreg; belongs into registration VLAN
> (pf::role::getRegistrationRole)
> Nov 2 12:46:30 packetfence-zen packetfence_httpd.aaa: httpd.aaa(2908) INFO:
> [mac:00:21:70:d8:ac:45] (192.168.1.12) Added VLAN 20 to the returned RADIUS
> Access-Accept (pf::Switch::returnRadiusAccessAccept)
> Nov 2 12:46:30 packetfence-zen packetfence_httpd.aaa: httpd.aaa(2908) INFO:
> [mac:[undef]] Updating locationlog from accounting request
> (pf::api::handle_accounting_metadata)
>
>
> Thank you, Fabrice, for your time and assistance in helping to troubleshoot
> my issue!
>
> James Garcellano
>
>> Ok so you need to add support of 802.1x in the switch module.
>>
>> In this file,
>> https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Netgear/MSeries.pm#L19
>>
>> add that:
>>
>> sub supportsWiredDot1x { return $TRUE; }
>>
>> Then restart packetfence.
>>
>> Paste me the packetfence.log after that.
>> Regards
>> Fabrice
>>
>> On 2017-11-01 at 18:04, James Garcellano via PacketFence-users wrote:
>>> Hello Fabrice,
>>>
>>> Here are the last few entries from the /usr/local/pf/logs/packetfence.log
>>> file:
>>>
>>> Nov 1 22:03:06 packetfence-zen packetfence_httpd.aaa: httpd.aaa(2852)
>>> INFO: [mac:00:21:70:d8:ac:45] handling radius autz request: from switch_ip
>>> => (192.168.1.12), connection_type => Ethernet-EAP,switch_mac =>
>>> (b0:b9:8a:46:3d:0e), mac => [00:21:70:d8:ac:45], port => 1, username =>
>>> "PFDOMAIN\testme" (pf::radius::authorize)
>>> Nov 1 22:03:06 packetfence-zen packetfence_httpd.aaa: httpd.aaa(2852)
>>> ERROR: [mac:00:21:70:d8:ac:45] Wired 802.1X is not supported on switch type
>>> pf::Switch::Netgear::MSeries. Please let us know what hardware you are
>>> using. (pf::Switch::supportsWiredDot1x)
>>> Nov 1 22:03:06 packetfence-zen packetfence_httpd.aaa: httpd.aaa(2852)
>>> WARN: [mac:00:21:70:d8:ac:45] (192.168.1.12) Sending REJECT since switch is
>>> unsupported (pf::radius::_switchUnsupportedReply)
>>> Nov 1 22:03:07 packetfence-zen packetfence_httpd.aaa: httpd.aaa(3730)
>>> INFO: [mac:00:21:70:d8:ac:45] Updating locationlog from accounting request
>>> (pf::api::handle_accounting_metadata)
>>>
>>>
>>>> Ok it's better now.
>>>>
>>>> Now can you check on the packetfence.log, you are supposed to see
>>>> different messages now.
>>>>
>>>>
>>>> On 2017-11-01 at 17:27, James Garcellano via PacketFence-users wrote:
>>>>> It looks like the other test still showed the NAS IP as 192.168.1.5.
>>>>>
>>>>> I rebooted the switch and did another test.
>>>>>
>>>>> Here is the raddebug from that...
>>>>>
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: Received Access-Request Id 201 from
>>>>> 192.168.1.12:42371 to 192.168.1.5:1812 length 158
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: User-Name = "PFDOMAIN\\testme"
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: Called-Station-Id =
>>>>> "b0-b9-8a-46-3d-0e"
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: Calling-Station-Id =
>>>>> "00:21:70:d8:ac:45"
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: NAS-Identifier =
>>>>> "b0-b9-8a-46-3d-0c"
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: NAS-IP-Address = 192.168.1.12
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: NAS-Port = 1
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: Framed-MTU = 1500
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: NAS-Port-Type = Ethernet
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: EAP-Message =
>>>>> 0x02000014015046444f4d41494e5c746573746d65
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: Message-Authenticator =
>>>>> 0x935d535299b823f31e7748c9271d6225
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: # Executing section authorize from
>>>>> file /usr/local/pf/raddb/sites-enabled/packetfence
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: authorize {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: update {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: EXPAND
>>>>> %{Packet-Src-IP-Address}
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: --> 192.168.1.12
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: EXPAND %l
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: --> 1509570793
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: } # update = noop
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: policy
>>>>> rewrite_calling_station_id {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if (&Calling-Station-Id &&
>>>>> (&Calling-Station-Id =~
>>>>> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
>>>>> {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if (&Calling-Station-Id &&
>>>>> (&Calling-Station-Id =~
>>>>> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
>>>>> -> TRUE
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if (&Calling-Station-Id &&
>>>>> (&Calling-Station-Id =~
>>>>> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
>>>>> {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: update request {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: EXPAND
>>>>> %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: --> 00:21:70:d8:ac:45
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: } # update request = noop
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: [updated] = updated
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: } # if (&Calling-Station-Id
>>>>> && (&Calling-Station-Id =~
>>>>> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
>>>>> = updated
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: ... skipping else: Preceding
>>>>> "if" was taken
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: } # policy
>>>>> rewrite_calling_station_id = updated
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: policy
>>>>> rewrite_called_station_id {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if ((&Called-Station-Id) &&
>>>>> (&Called-Station-Id =~
>>>>> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
>>>>> {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if ((&Called-Station-Id) &&
>>>>> (&Called-Station-Id =~
>>>>> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
>>>>> -> TRUE
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if ((&Called-Station-Id) &&
>>>>> (&Called-Station-Id =~
>>>>> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
>>>>> {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: update request {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: EXPAND
>>>>> %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: --> b0:b9:8a:46:3d:0e
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: } # update request = noop
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if ("%{8}") {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: EXPAND %{8}
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: -->
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if ("%{8}") -> FALSE
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: elsif ( (Colubris-AVPair)
>>>>> && "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: elsif ( (Colubris-AVPair)
>>>>> && "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) -> FALSE
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: elsif (Aruba-Essid-Name) {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: elsif (Aruba-Essid-Name)
>>>>> -> FALSE
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: elsif ( (Cisco-AVPair) &&
>>>>> "%{Cisco-AVPair}" =~ /^ssid=(.*)$/i) {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: elsif ( (Cisco-AVPair) &&
>>>>> "%{Cisco-AVPair}" =~ /^ssid=(.*)$/i) -> FALSE
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: [updated] = updated
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: } # if ((&Called-Station-Id)
>>>>> && (&Called-Station-Id =~
>>>>> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
>>>>> = updated
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: ... skipping else: Preceding
>>>>> "if" was taken
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: } # policy
>>>>> rewrite_called_station_id = updated
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: policy filter_username {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if (&User-Name) {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if (&User-Name) -> TRUE
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if (&User-Name) {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if (&User-Name =~ / /) {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if (&User-Name =~ / /) ->
>>>>> FALSE
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if (&User-Name =~ /@[^@]*@/
>>>>> ) {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if (&User-Name =~ /@[^@]*@/
>>>>> ) -> FALSE
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if (&User-Name =~ /\.\./ ) {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if (&User-Name =~ /\.\./ )
>>>>> -> FALSE
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if ((&User-Name =~ /@/) &&
>>>>> (&User-Name !~ /@(.+)\.(.+)$/)) {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if ((&User-Name =~ /@/) &&
>>>>> (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if (&User-Name =~ /\.$/) {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if (&User-Name =~ /\.$/)
>>>>> -> FALSE
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if (&User-Name =~ /@\./) {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if (&User-Name =~ /@\./)
>>>>> -> FALSE
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: } # if (&User-Name) = updated
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: } # policy filter_username =
>>>>> updated
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: policy filter_password {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if (&User-Password &&
>>>>> (&User-Password != "%{string:User-Password}")) {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: if (&User-Password &&
>>>>> (&User-Password != "%{string:User-Password}")) -> FALSE
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: } # policy filter_password =
>>>>> updated
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: [preprocess] = ok
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: suffix: Checking for suffix after
>>>>> "@"
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: suffix: No '@' in User-Name =
>>>>> "PFDOMAIN\testme", skipping NULL due to config.
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: [suffix] = noop
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: ntdomain: Checking for prefix
>>>>> before "\"
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: ntdomain: Looking up realm
>>>>> "PFDOMAIN" for User-Name = "PFDOMAIN\testme"
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: ntdomain: Found realm "pfdomain"
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: ntdomain: Adding Stripped-User-Name
>>>>> = "testme"
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: ntdomain: Adding Realm = "pfdomain"
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: ntdomain: Authentication realm is
>>>>> LOCAL
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: [ntdomain] = ok
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: eap: Peer sent EAP Response (code
>>>>> 2) ID 0 length 20
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: eap: EAP-Identity reply, returning
>>>>> 'ok' so we can short-circuit the rest of authorize
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: [eap] = ok
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: } # authorize = ok
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: Found Auth-Type = eap
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: # Executing group from file
>>>>> /usr/local/pf/raddb/sites-enabled/packetfence
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: authenticate {
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: eap: Peer sent packet with method
>>>>> EAP Identity (1)
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: eap: Calling submodule eap_peap to
>>>>> process data
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: eap_peap: Initiating new EAP-TLS
>>>>> session
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: eap_peap: [eaptls start] = request
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: eap: Sending EAP Request (code 1)
>>>>> ID 1 length 6
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: eap: EAP session adding
>>>>> &reply:State = 0x3e2077383e216e13
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: [eap] = handled
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: } # authenticate = handled
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: Using Post-Auth-Type Challenge
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: Post-Auth-Type sub-section not
>>>>> found. Ignoring.
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: # Executing group from file
>>>>> /usr/local/pf/raddb/sites-enabled/packetfence
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: Sent Access-Challenge Id 201 from
>>>>> 192.168.1.5:1812 to 192.168.1.12:42371 length 0
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: EAP-Message = 0x010100061920
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: Message-Authenticator =
>>>>> 0x00000000000000000000000000000000
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: State =
>>>>> 0x3e2077383e216e134e967a956fd013fe
>>>>> (38) Wed Nov 1 21:13:13 2017: Debug: Finished request
>>>>>
>>>>> James Garcellano
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> Check out the vibrant tech community on one of the world's most
>>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>>> _______________________________________________
>>>>> PacketFence-users mailing list
>>>>> PacketFence-users@...
>>> James Garcellano

-- 
Fabrice Durand
fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
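
A triage helper for the packetfence.log lines quoted in this thread, added here as an example (it is not part of the original messages and is not PacketFence code): it pairs the "Wired 802.1X is not supported" error with the REJECT that follows it and reports the VLAN returned on an accept. The regular expressions and the `triage` function are assumptions built only from the log lines shown above; the sample lines are those lines with the e-mail wrapping undone.

```python
import re

# Four log lines copied from the thread, with the e-mail line wrapping undone.
SAMPLE_LOG = r"""
Nov 1 22:03:06 packetfence-zen packetfence_httpd.aaa: httpd.aaa(2852) INFO: [mac:00:21:70:d8:ac:45] handling radius autz request: from switch_ip => (192.168.1.12), connection_type => Ethernet-EAP,switch_mac => (b0:b9:8a:46:3d:0e), mac => [00:21:70:d8:ac:45], port => 1, username => "PFDOMAIN\testme" (pf::radius::authorize)
Nov 1 22:03:06 packetfence-zen packetfence_httpd.aaa: httpd.aaa(2852) ERROR: [mac:00:21:70:d8:ac:45] Wired 802.1X is not supported on switch type pf::Switch::Netgear::MSeries. Please let us know what hardware you are using. (pf::Switch::supportsWiredDot1x)
Nov 1 22:03:06 packetfence-zen packetfence_httpd.aaa: httpd.aaa(2852) WARN: [mac:00:21:70:d8:ac:45] (192.168.1.12) Sending REJECT since switch is unsupported (pf::radius::_switchUnsupportedReply)
Nov 2 12:46:30 packetfence-zen packetfence_httpd.aaa: httpd.aaa(2908) INFO: [mac:00:21:70:d8:ac:45] (192.168.1.12) Added VLAN 20 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
"""

# Assumed line layout: timestamp, host, tag, process, LEVEL, [mac:...], message, (origin).
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8}) \S+ \S+ httpd\.aaa\(\d+\) (?P<level>[A-Z]+): "
    r"\[mac:(?P<mac>[^\]]+)\] (?P<msg>.*) \((?P<origin>pf::[\w:]+)\)$")
UNSUPPORTED = re.compile(r"Wired 802\.1X is not supported on switch type (?P<type>[\w:]+)\.")
REJECT = re.compile(r"\((?P<switch>[\d.]+)\) Sending REJECT since switch is unsupported")
VLAN = re.compile(r"\((?P<switch>[\d.]+)\) Added VLAN (?P<vlan>\d+) to the returned RADIUS Access-Accept")


def triage(log_text):
    """Return one (timestamp, mac, switch_ip, decision, detail) tuple per RADIUS decision."""
    pending_type = {}  # mac -> switch module last reported as lacking wired 802.1X
    outcomes = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line, or a line without a usable [mac:...] tag
        mac, msg = m["mac"], m["msg"]
        if (u := UNSUPPORTED.search(msg)):
            pending_type[mac] = u["type"]
        elif (r := REJECT.search(msg)):
            # Attribute the REJECT to the module named in the preceding error.
            outcomes.append((m["ts"], mac, r["switch"], "REJECT",
                             pending_type.pop(mac, "unknown")))
        elif (v := VLAN.search(msg)):
            outcomes.append((m["ts"], mac, v["switch"], "ACCEPT", "VLAN " + v["vlan"]))
    return outcomes


if __name__ == "__main__":
    for outcome in triage(SAMPLE_LOG):
        print(*outcome, sep=" | ")
```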