Fabrice,

Thank you for your quick response. I disabled md5 authentication, and that did 
not work. The switch did not communicate at all with the radius server. 
Raddebug did not capture anything at all and no entries appeared in the radius 
log file. Anything else I can try?

Regards,

Peter

From: Durand fabrice via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net]
Sent: Tuesday, January 9, 2018 4:44 PM
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice <fdur...@inverse.ca>
Subject: Re: [PacketFence-users] Help with Dell 3500 and PacketFence


Hello Peter,

Try to remove md5 in 
https://pf_mgmt:1443/admin/configuration#configuration/radius_authentication_methods
as I remember the Dell switch tries to negotiate md5 first.

Regards

Fabrice



On 2018-01-09 at 19:19, Truax, Peter via PacketFence-users wrote:

Hello,



First, I want to say that I love PacketFence! All the things it can do are 
wonderful and make my life so much easier. I am having trouble trying to get a 
Dell 3500 Switch to work with PacketFence. It is capable of performing mac auth 
bypass and dynamic VLAN assignment. Half of our wired network uses these 
devices, and we cannot upgrade to newer equipment yet.



These switches will successfully do mac-auth-bypass and dynamic vlan 
assignment with a vanilla install of FreeRadius. They should be able to work 
with PacketFence.



Using the Dell N1500 series Switch Module, it works up to a point. I also tried 
the Dell Force 10 Switch Module as well, but with no difference.

Below are various log file snippets of relevant information.



From Raddebug:

Jan  9 13:12:22 netreg auth[2276]: Adding client 10.10.0.130/32 with shared secret "xxxxxx"

Jan  9 13:12:22 netreg auth[2276]: (277) eap: ERROR: Response appears to match a previous request, but the EAP type is wrong

Jan  9 13:12:22 netreg auth[2276]: (277) eap: ERROR: We expected EAP type PEAP, but received type MD5

Jan  9 13:12:22 netreg auth[2276]: (277) eap: ERROR: Your Supplicant or NAS is probably broken

Jan  9 13:12:22 netreg auth[2276]: (277) Login incorrect (eap: Response appears to match a previous request, but the EAP type is wrong): [782bcbe1350b] (from client 10.10.0.130 port 1 cli 78:2b:cb:e1:35:0b)

Jan  9 13:12:22 netreg auth[2276]: (277) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x281b6642281a7f83

Jan  9 13:12:22 netreg auth[2276]: [mac:78:2b:cb:e1:35:0b] Rejected user: 782bcbe1350b





From Radius.Log:

(268) Mon Jan  8 14:04:01 2018: ERROR: eap: Response appears to match a previous request, but the EAP type is wrong

(268) Mon Jan  8 14:04:01 2018: ERROR: eap: We expected EAP type PEAP, but received type MD5

(268) Mon Jan  8 14:04:01 2018: ERROR: eap: Your Supplicant or NAS is probably broken

(268) Mon Jan  8 14:04:01 2018: Debug: eap: Failed in handler

(268) Mon Jan  8 14:04:01 2018: Debug:     [eap] = invalid


I found the source code for this error in FreeRadius:


        /*
         * Even more paranoia. Without this, some weird
         * clients could do crazy things.
         *
         * It's ok to send EAP sub-type NAK in response
         * to a request for a particular type, but it's NOT
         * OK to blindly return data for another type.
         */
        if ((eap_packet->data[0] != PW_EAP_NAK) &&
            (eap_packet->data[0] != eap_session->type)) {
                RERROR("Response appears to match a previous request, but the EAP type is wrong");
                RERROR("We expected EAP type %s, but received type %s",
                       eap_type2name(eap_session->type),
                       eap_type2name(eap_packet->data[0]));
                RERROR("Your Supplicant or NAS is probably broken");
                goto error;
        }



It appears this error is produced by FreeRadius but that doesn't make sense, as 
I have a working instance of FreeRadius. Any help or guidance would be 
appreciated.







Peter Truax

Network Administrator

(360) 688-2240

St. Martin's University

5000 Abbey Way E

Lacey, WA 98503










------------------------------------------------------------------------------

Check out the vibrant tech community on one of the world's most

engaging tech sites, Slashdot.org! http://sdm.link/slashdot




_______________________________________________

PacketFence-users mailing list

PacketFence-users@lists.sourceforge.net

https://lists.sourceforge.net/lists/listinfo/packetfence-users
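
The type check in the FreeRADIUS excerpt quoted in this thread, restated as a stand-alone C function. This is an added example, not FreeRADIUS or PacketFence code: the function, result names and sample packets are hypothetical, and the EAP numbers are those of RFC 3748 (PEAP is type 25). It separates a NAK that proposes MD5, which the server tolerates, from MD5 data sent in answer to a PEAP request, which produces the logged error.

```c
#include <stddef.h>
#include <stdint.h>

/* EAP constants from RFC 3748; PEAP uses type number 25. */
enum { EAP_CODE_RESPONSE = 2 };
enum { EAP_TYPE_NAK = 3, EAP_TYPE_MD5 = 4, EAP_TYPE_PEAP = 25 };

/* Hypothetical result codes for this example. */
typedef enum {
    EAP_CHECK_OK,          /* response carries the type the server asked for */
    EAP_CHECK_NAK,         /* peer declined and proposed another type        */
    EAP_CHECK_WRONG_TYPE,  /* data for a different type: the logged error    */
    EAP_CHECK_MALFORMED    /* too short, bad length field, or not a Response */
} eap_check_t;

/*
 * Classify an EAP Response against the type the session last requested.
 * On NAK, *proposed receives the first type the peer asked for instead
 * (it stays 0 when the NAK lists none).
 */
eap_check_t eap_check_response(const uint8_t *pkt, size_t len,
                               uint8_t expected_type, uint8_t *proposed)
{
    if (proposed) *proposed = 0;
    /* Header: code(1) id(1) length(2, big-endian), then type(1). */
    if (pkt == NULL || len < 5) return EAP_CHECK_MALFORMED;
    size_t eap_len = ((size_t)pkt[2] << 8) | pkt[3];
    if (eap_len < 5 || eap_len > len) return EAP_CHECK_MALFORMED;
    if (pkt[0] != EAP_CODE_RESPONSE) return EAP_CHECK_MALFORMED;

    uint8_t type = pkt[4];
    if (type == EAP_TYPE_NAK) {
        if (proposed && eap_len >= 6) *proposed = pkt[5];
        return EAP_CHECK_NAK;
    }
    if (type != expected_type) return EAP_CHECK_WRONG_TYPE;
    return EAP_CHECK_OK;
}

/* Constructed sample packets (not captured from the switch in the thread). */
static const uint8_t sample_nak_md5[]  = { 2, 7, 0, 6, EAP_TYPE_NAK, EAP_TYPE_MD5 };
static const uint8_t sample_md5_data[] = { 2, 7, 0, 8, EAP_TYPE_MD5, 2, 0xaa, 0xbb };
static const uint8_t sample_peap[]     = { 2, 7, 0, 6, EAP_TYPE_PEAP, 0x00 };
```
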
