Hi everyone,

I'm using multiple Juniper switches and wanted to implement PacketFence with
802.1X and MAC Auth fallback. VLAN assignment is working as intended, but I'm
having issues with the CoA.

These are the models I have in-house:
EX2200 - Junos OS 12.3R12.4
EX2300 - Junos OS 15.1X53-D59.3
EX3400 - Junos OS 15.1X53-D59.3
EX4300 - Junos OS 14.1X53.D42.3

With the EX2200 and using the EX2200 PacketFence module it works fine, but
I'm having errors using that module on all other models. These are the logs
when the error occurs:

 ============ CoA/Disconnect Callback =================

Sep 17 17:25:13.306097 dyn_req_disconnect_cb attributes
remote_addr:(10.110.0.200) remote_port:(56208), rtbl_idx:(0)
Sep 17 17:25:13.306150 authd_extract_identifier_avps received AVP type:44
val:8O2.1x816300140002e872 len:22
Sep 17 17:25:13.306194 authd_extract_identifier_avps:
Acct-Session-Id=8O2.1x816300140002e872
Sep 17 17:25:13.306228 authd_extract_identifier_avps received AVP type:31
val:30:9c:23:45:73:77 len:17
Sep 17 17:25:13.306363 authd_extract_identifier_avps received AVP type:4
val:
nÿô len:4
Sep 17 17:25:13.306472 findSession: AST-Table couldn't find the session-id:8
Sep 17 17:25:13.306527 authd_lookup_session_entry: No session entry found
for acct-session-id:8O2.1x816300140002e872
Sep 17 17:25:13.307308 received in AVP disconnect req type:44
val:8O2.1x816300140002e872 len:22
Sep 17 17:25:13.307401 Parsing AVPs: session-id:0
Acct-Session-Id=8O2.1x816300140002e872
Sep 17 17:25:13.307454 received in AVP disconnect req type:31
val:30:9c:23:45:73:77 len:17
Sep 17 17:25:13.307493 received in AVP disconnect req type:4 val:
nÿô len:4
Sep 17 17:25:13.307573 SEQ SendClientMsg: session-id:0 reply-code=0
(UNKNOWN), result-subopcode=49 (AUTHD_LITE_DISCONNECRT_REQ), cookie=23,
rply_len=3976, num_tlv_blocks=3
Sep 17 17:25:13.307642 authd_auth_send_answer,tlv_begin:13f3dd0
tot_tlv_buf_len:55 num_tlv_blocks:3
Sep 17 17:25:13.307685 authd_auth_send_answer, rply_len:4031
Sep 17 17:25:13.307723 authd_auth_send_answer: conn is 2f31000 response is
2041000 result is 0, cookie = 23 rply_len:4031 num_tlv_block = 3
Sep 17 17:25:13.307893 authd_auth_aaa_msg_destroy
Sep 17 17:25:13.307956 authd_auth_get_conn: Bad connection ID .
Sep 17 17:25:13.308023 authd_auth_aaa_msg_destructauth_aaa_msg: 0x106c074
Sep 17 17:25:13.308066 authd_write_conn: response is 0x2f3105c, total len
is 4031 and sent is 0
Sep 17 17:25:13.308141 authd_write_conn: response is 0x2f3105c, wrote 4031
bytes
Sep 17 17:25:13.310823 authd_read_msg: Fresh msg arrival. fd=51,
hdr_read=0, hdr_remnant=0, payload_read=0 payload_remnant=0
Sep 17 17:25:13.310942 fresh message conn=0x2f31000
Sep 17 17:25:13.311005 read fresh message conn=0x2f31000 hdr_remnant=0
hdr_read=32
Sep 17 17:25:13.311049 Read payload for new message. fd=51, rqst_len=40
Sep 17 17:25:13.311083 Read payload for new message. fd=51, payload_len=8,
rqst_len=40, cookie=23
Sep 17 17:25:13.311143 Process/Dispatch Client Message
Sep 17 17:25:13.311185 New Process/Dispatch Client Message
Sep 17 17:25:48.874677 jnp_radius_disconnect_udp_callback parse AVP in
disconnect req datagram_len 44 req_attributes_len 24 current_offset 0

Notice the yellow-marked comment; something goes wrong there.

In the meantime I had some fun with the radclient command with the
acct-session-id and I found a way which works for all models,
including the EX2200. The command I'm sending:

[root@packetfence tmp]# echo Packet-Type="Disconnect-Request",
Acct-Session-Id="8O2.1x81630017000c3016" | radclient -c1 -r1 -sx
10.110.255.244 coa *xxxxxxxx*
Sent Disconnect-Request Id 54 from 0.0.0.0:43083 to 10.110.255.244:3799
length 44
        Packet-Type = Disconnect-Request
        Acct-Session-Id = "8O2.1x81630017000c3016"
Received Disconnect-ACK Id 54 from 10.110.255.244:3799 to 0.0.0.0:0 length
44
        EAP-Message = 0x03010004
        Message-Authenticator = 0x1ccbc5e31f0ef82b3d0090e67d092b60
Packet summary:
        Accepted      : 1
        Rejected      : 0
        Lost          : 0
        Passed filter : 1
        Failed filter : 0

The "disconnect" option in radclient doesn't work; I can only make it work
with "coa" and with the "Packet-Type" included in it. I noticed that the
session-id is enough, but it is still possible to add username and
calling-station-id as well in this format.

Any chance we can adapt the module or create a new one based on this? That
would allow me to adapt it to all Juniper switches in-house.

Thanks!


-- 
José Duarte, *Senior IT-Event Specialist*

phone. +49 221 880449-336 | mobile. +49 1520 3407463
http://www.eslgaming.com


*Turtle eSports Technology GmbH*
Schanzenstraße 41a, 51063 Cologne, Germany
Managing Directors: Marcel Menge, David Neichel
Register Court: Local Court Cologne, HRB 63288
http://www.esl-tech.com

Time Zone: Central European Time (UTC+1)

PGP Key: https://keys.mailvelope.com/pks/lookup?op=get&search=0xFF9C59AA4391228A
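As an added illustration (not from the original post or from PacketFence), this is the Disconnect-Request that the radclient run above sends, built and checked by hand in Python per RFC 5176 and RFC 3579: attribute types 44, 31 and 4 are the ones the switch log shows, the shared secret and identifier are constructed values, and a Message-Authenticator is included (radclient's 44-byte packet above carried only Acct-Session-Id).

```python
import hashlib, hmac, struct
# Attribute types from the switch log and radclient run; code 40 = Disconnect-Request
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID, ACCT_SESSION_ID, MSG_AUTH = 1, 4, 31, 44, 80
DISCONNECT_REQUEST = 40

def encode_avp(atype, value):
    """One Type-Length-Value attribute; the length byte includes the 2-byte header."""
    return bytes([atype, len(value) + 2]) + value

def build_disconnect_request(secret, identifier, acct_session_id,
                             username=None, calling_station_id=None):
    """Disconnect-Request per RFC 5176. Acct-Session-Id alone identified the session
    on the EX switches; User-Name / Calling-Station-Id are optional extra keys."""
    attrs = encode_avp(ACCT_SESSION_ID, acct_session_id.encode())
    if username:
        attrs += encode_avp(USER_NAME, username.encode())
    if calling_station_id:
        attrs += encode_avp(CALLING_STATION_ID, calling_station_id.encode())
    attrs += encode_avp(MSG_AUTH, bytes(16))  # placeholder, filled in below
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    # Request Authenticator = MD5(Code+ID+Length + 16 zero octets + Attributes + Secret)
    req_auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    pkt = header + req_auth + attrs
    # Message-Authenticator = HMAC-MD5(secret, whole packet with its own value zeroed)
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def iter_avps(pkt):
    """Yield (offset, type, value) for each TLV after the 20-byte RADIUS header."""
    off = 20
    while off < len(pkt):
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > len(pkt):
            raise ValueError("malformed attribute at offset %d" % off)
        yield off, atype, pkt[off + 2:off + alen]
        off += alen

def decode_avps(pkt):
    """NAS-IP-Address (type 4) is 4 raw octets (the log's unprintable 'nÿô'); show it dotted."""
    out = {}
    for _, atype, val in iter_avps(pkt):
        out[atype] = ".".join(map(str, val)) if atype == NAS_IP_ADDRESS else val.decode("latin-1")
    return out

def verify_message_authenticator(pkt, secret):
    """What the NAS checks on receipt: recompute the HMAC with the value zeroed."""
    for off, atype, val in iter_avps(pkt):
        if atype == MSG_AUTH:
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            return hmac.compare_digest(val, hmac.new(secret, zeroed, hashlib.md5).digest())
    return False
```

The octets 0x0a 0x6e 0xff 0xf4 decode to 10.110.255.244, the switch radclient was talking to, which is what the "val: / nÿô" lines in the log were showing.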