Dear list,

I've been fighting with this all day, so excuse the brain fart.
Recently added another Cisco 3750X to my fleet. The only difference is that
it's on IOS 15.2(4), whereas the others, which work, are on 15.0.

I've cloned the config of a functioning install and cross-referenced it
against the network config guide, and also attempted re-entering my RADIUS
password into the RADIUS server section. As far as PacketFence is
concerned they use the common RADIUS values/switch defaults.

radius server pfnac
 address ipv4 10.23.5.150 auth-port 1812 acct-port 1813
 automate-tester username keepalive ignore-acct-port idle-time 3
 key 7 SOMEVALUE
!

and the AAA server section, in case the encrypted versions were mangled.

aaa server radius dynamic-author
 client 10.23.5.150 server-key 7 SOMEVALUE
 port 3799
!

I've also tried "no radius-server vsa send accounting", as it is on by
default in 15.2 (it fails either way).

Now what I'm trying to get my head around is why on the Cisco console I
get:

%DOT1X-5-FAIL: Authentication failed for client (b6c3.97fe.c2c2) on
Interface Gi1/0/17 AuditSessionID 0A1705080000002F014

But in PF it all looks sane with either MAC or 802.1X auth:

Mar 14 17:15:19 pf packetfence_httpd.aaa: httpd.aaa(1337) INFO:
[mac:b6:c3:97:fe:c2:c2] handling radius autz request: from switch_ip =>
(10.23.5.8), connection_type => WIRED_MAC_AUTH,switch_mac =>
(6c:20:56:ad:70:93), mac => [b6:c3:97:fe:c2:c2], port => 10119, username =>
"b6c397fec2c2" (pf::radius::authorize)
Mar 14 17:15:19 pf packetfence_httpd.aaa: httpd.aaa(1337) INFO:
[mac:b6:c3:97:fe:c2:c2] Instantiate profile default
(pf::Connection::ProfileFactory::_from_profile)
Mar 14 17:15:19 pf packetfence_httpd.aaa: httpd.aaa(1337) INFO:
[mac:b6:c3:97:fe:c2:c2] Connection type is WIRED_MAC_AUTH. Getting role
from node_info (pf::role::getRegisteredRole)
Mar 14 17:15:19 pf packetfence_httpd.aaa: httpd.aaa(1337) INFO:
[mac:b6:c3:97:fe:c2:c2] Username was defined "b6c397fec2c2" - returning
role 'developer' (pf::role::getRegisteredRole)
Mar 14 17:15:19 pf packetfence_httpd.aaa: httpd.aaa(1337) INFO:
[mac:b6:c3:97:fe:c2:c2] PID: "david-tm00035-laptop.thomac.net", Status: reg
Returned VLAN: (undefined), Role: developer (pf::role::fetchRoleForNode)
Mar 14 17:15:19 pf packetfence_httpd.aaa: httpd.aaa(1337) INFO:
[mac:b6:c3:97:fe:c2:c2] (10.23.5.8) Added VLAN 70 to the returned RADIUS
Access-Accept (pf::Switch::returnRadiusAccessAccept)
Mar 14 17:15:19 pf packetfence_httpd.aaa: httpd.aaa(1337) INFO:
[mac:b6:c3:97:fe:c2:c2] (10.23.5.8) Added role developer to the returned
RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Mar 14 17:15:19 pf packetfence_httpd.aaa: httpd.aaa(1337) INFO:
[mac:b6:c3:97:fe:c2:c2] (10.23.5.8) Adding access list : permit ip any any
to the RADIUS reply
(pf::Switch::Cisco::Catalyst_2960::returnRadiusAccessAccept)
Mar 14 17:15:19 pf packetfence_httpd.aaa: httpd.aaa(1337) INFO:
[mac:b6:c3:97:fe:c2:c2] (10.23.5.8) Added access lists to the RADIUS reply.
(pf::Switch::Cisco::Catalyst_2960::returnRadiusAccessAccept)

I'd love to understand some potential causes. I suspected replies not
being received by the switch, or replies being misinterpreted by the switch,
but my attempts to make sense of it have so far failed!

Any help much appreciated.

David
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
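Editor's note on the "replies being misinterpreted by switch" hypothesis above. The most common way a NAS rejects a reply that the RADIUS server logged as a clean Access-Accept is a shared-secret mismatch: per RFC 2865 section 3 the server computes the Response Authenticator as MD5(Code + Identifier + Length + Request Authenticator + Attributes + Secret), the NAS recomputes it with its own copy of the secret, and on mismatch it silently discards the packet and treats the client as failed. A mistyped or mangled `key 7` string produces exactly that symptom. The following is an added example, not PacketFence or Cisco IOS code; it builds a MAB-style Access-Request/Access-Accept pair modelled on the attributes in the log above (User-Name `b6c397fec2c2`, NAS-Port 10119, VLAN 70) and checks the Access-Accept with the server's secret and with a different switch secret. The packets, the Request Authenticator and both secrets are constructed for the example; in practice you would take the two packets from a capture of UDP/1812 on the PacketFence host and feed their raw bytes to `verify_response`.

```python
"""Check a RADIUS Access-Accept's Response Authenticator against a shared secret.

Added example, not PacketFence or Cisco IOS code. Per RFC 2865 section 3 the
server signs a reply as
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)
and the NAS recomputes it with *its* secret. If the secrets differ the NAS
drops the reply without any response, so the server logs a clean
Access-Accept while the switch reports the client as failed.
All packets and secrets below are constructed for this example.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def build_attrs(attrs):
    """Encode (type, value) pairs as RADIUS attribute TLVs (RFC 2865 section 5)."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_access_request(ident, request_auth, attrs):
    """Access-Request: the authenticator field is 16 (normally random) bytes from the NAS."""
    body = build_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body))
    return header + request_auth + body


def build_access_accept(ident, request_auth, attrs, secret):
    """Access-Accept as the server emits it, signed with the server's secret."""
    body = build_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, HEADER_LEN + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response(request, response, nas_secret):
    """Recompute the Response Authenticator the way the NAS does.

    True only if the reply belongs to this request and was signed with
    nas_secret; False is what the switch concludes when the key is wrong.
    """
    if len(request) < HEADER_LEN or len(response) < HEADER_LEN:
        return False
    if response[1] != request[1]:  # Identifier must echo the request's
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    request_auth = request[4:HEADER_LEN]
    header, response_auth, body = response[:4], response[4:HEADER_LEN], response[HEADER_LEN:]
    expected = hashlib.md5(header + request_auth + body + nas_secret).digest()
    return hmac.compare_digest(expected, response_auth)


def tunnel_attr(value, tag=0):
    """Tunnel-* integer attributes (RFC 2868) carry a 1-byte tag then a 3-byte value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def demo(server_secret=b"SERVER-SECRET", switch_secret=b"SWITCH-SECRET"):
    """Build a MAB exchange like the one in the log and verify it both ways.

    Returns (matches_with_server_secret, matches_with_switch_secret).
    """
    request_auth = bytes(range(16))  # constructed; a real NAS sends 16 random bytes
    ident = 0x2F
    request = build_access_request(ident, request_auth, [
        (1, b"b6c397fec2c2"),              # User-Name (MAC as username, as in the log)
        (5, struct.pack("!I", 10119)),     # NAS-Port
        (6, struct.pack("!I", 10)),        # Service-Type = Call-Check (MAB)
        (31, b"b6c3.97fe.c2c2"),           # Calling-Station-Id
    ])
    accept = build_access_accept(ident, request_auth, [
        (64, tunnel_attr(13)),             # Tunnel-Type = VLAN
        (65, tunnel_attr(6)),              # Tunnel-Medium-Type = IEEE-802
        (81, b"\x00" + b"70"),             # Tunnel-Private-Group-ID = "70"
    ], server_secret)
    return (verify_response(request, accept, server_secret),
            verify_response(request, accept, switch_secret))


if __name__ == "__main__":
    same, different = demo()
    print("secrets match  ->", same)       # True
    print("secrets differ ->", different)  # False: switch would drop this reply
```

Two caveats a practitioner should keep in mind. First, this covers only the Response Authenticator; for 802.1X (EAP) the reply also carries a Message-Authenticator attribute (type 80, HMAC-MD5 over the packet with the same secret), which the NAS checks as well, so a wrong key fails both paths. Second, both packets are needed because the Request Authenticator is an input to the hash; a capture that only shows the Access-Accept cannot be verified on its own.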