Hi,
I'm testing PacketFence 9.0.1 on Debian 9.
When I try to authenticate from an Ubuntu client with PEAP and MSCHAPv2,
without a certificate, I get an error on the switch (Cisco Catalyst
2960-S):
%DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: Attempt to assign non-existent or shutdown VLAN 14.0 to 802.1x
In the RADIUS audit log I see that the VLAN ID in
Tunnel-Private-Group-Id has a decimal point and a trailing zero, but I
don't know why.
For instance, if I set VLAN 14 as the default VLAN in the role mapping in
PacketFence, then the field Tunnel-Private-Group-Id is set to
"14.0". So the switch cannot understand that it has to assign VLAN
ID 14 to this port.
I have sniffed the traffic between the PacketFence server and the
switch, and I have checked that in the field Tunnel-Private-Group-Id
there is a decimal point and a final zero character ("14.0" for VLAN
ID 14).
On PacketFence the switch is set to type "Cisco Catalyst 2960", mode
"Production", deauthentication method "RADIUS", "Use CoA" is checked,
and "role mapping by VLAN ID" is checked, with VLAN IDs as numbers
(without decimals).
On the switch I have checked that VLAN 14 is created:
Switch#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4, Gi1/0/5, Gi1/0/6, Gi1/0/7,
                                                Gi1/0/8, Gi1/0/9, Gi1/0/10, Gi1/0/11, Gi1/0/12, Gi1/0/13, Gi1/0/14,
                                                Gi1/0/15, Gi1/0/16, Gi1/0/17, Gi1/0/18, Gi1/0/19, Gi1/0/20, Gi1/0/21,
                                                Gi1/0/22, Gi1/0/23, Gi1/0/24, Gi1/0/25, Gi1/0/26, Gi1/0/27, Gi1/0/28,
                                                Gi1/0/29, Gi1/0/30, Gi1/0/31, Gi1/0/32, Gi1/0/33, Gi1/0/34, Gi1/0/35,
                                                Gi1/0/36, Gi1/0/37, Gi1/0/38, Gi1/0/39, Gi1/0/40, Gi1/0/41, Gi1/0/42,
                                                Gi1/0/43, Gi1/0/44, Gi1/0/45, Gi1/0/46, Gi1/0/47, Gi1/0/48, Gi1/0/49,
                                                Gi1/0/50, Gi1/0/51, Gi1/0/52
14   ResearchSecurity                 active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
14   enet  100014     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0
This is the RADIUS audit log on PacketFence:
RADIUS Request
User-Name = "test01"
NAS-IP-Address = 10.0.2.1
NAS-Port = 50113
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x0e4fc0ce0f46da4725a1e2d11530c979
Called-Station-Id = "c0:25:5c:9f:9d:0d"
Calling-Station-Id = "50:7b:9d:34:bf:4b"
NAS-Port-Type = Ethernet
Event-Timestamp = "jun 28 2019 10:24:34 CEST"
EAP-Message = 0x020900061a03
NAS-Port-Id = "GigabitEthernet1/0/13"
Cisco-AVPair = "audit-session-id=0A000201000001830FCBCADF"
FreeRADIUS-Proxied-To = 127.0.0.1
EAP-Type = MSCHAPv2
Stripped-User-Name = "test01"
Realm = "null"
PacketFence-Domain = "testdomain"
User-Password = "******"
SQL-User-Name = "test01"
RADIUS Reply
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "test01"
Tunnel-Type = VLAN
Filter-Id = "ResearchSecurity.in"
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-Id = "14.0"
This is the log on the switch:
*Mar 4 01:36:42.275: %AUTHMGR-5-START: Starting 'dot1x' for client (507b.9d34.bf4b) on Interface Gi1/0/13 AuditSessionID 0A000201000001820FCB6963
*Mar 4 01:36:42.505: %DOT1X-5-SUCCESS: Authentication successful for client (507b.9d34.bf4b) on Interface Gi1/0/13 AuditSessionID
*Mar 4 01:36:42.505: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (507b.9d34.bf4b) on Interface Gi1/0/13 AuditSessionID 0A000201000001820FCB6963
*Mar 4 01:36:42.510: %DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: Attempt to assign non-existent or shutdown VLAN 14.0 to 802.1x port GigabitEthernet1/0/13 AuditSessionID 0A000201000001820FCB6963
*Mar 4 01:36:42.510: %AUTHMGR-5-FAIL: Authorization failed for client (507b.9d34.bf4b) on Interface Gi1/0/13 AuditSessionID 0A000201000001820FCB6963
*Mar 4 01:36:42.510: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (507b.9d34.bf4b) on Interface Gi1/0/13 AuditSessionID 0A000201000001820FCB6963
*Mar 4 01:36:42.516: %AUTHMGR-5-FAIL: Authorization failed for client (507b.9d34.bf4b) on Interface Gi1/0/13 AuditSessionID 0A000201000001820FCB6963
*Mar 4 01:36:53.777: %DOT1X-5-FAIL: Authentication failed for client (507b.9d34.bf4b) on Interface Gi1/0/13 AuditSessionID
*Mar 4 01:36:53.777: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (507b.9d34.bf4b) on Interface Gi1/0/13 AuditSessionID 0A000201000001820FCB6963
*Mar 4 01:37:03.241: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Gi1/0/13 AuditSessionID ^A
*Mar 4 01:37:03.241: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Gi1/0/13 AuditSessionID 0A000201000001830FCBCADF
*Mar 4 01:37:03.241: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Gi1/0/13 AuditSessionID 0A000201000001830FCBCADF
*Mar 4 01:37:07.262: %AUTHMGR-5-START: Starting 'mab' for client (507b.9d34.bf4b) on Interface Gi1/0/13 AuditSessionID 0A000201000001830FCBCADF
*Mar 4 01:37:07.262: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (507b.9d34.bf4b) on Interface Gi1/0/13 AuditSessionID 0A000201000001830FCBCADF
*Mar 4 01:37:07.262: %AUTHMGR-5-START: Starting 'dot1x' for client (507b.9d34.bf4b) on Interface Gi1/0/13 AuditSessionID 0A000201000001830FCBCADF
*Mar 4 01:37:07.535: %DOT1X-5-SUCCESS: Authentication successful for client (507b.9d34.bf4b) on Interface Gi1/0/13 AuditSessionID
*Mar 4 01:37:07.535: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (507b.9d34.bf4b) on Interface Gi1/0/13 AuditSessionID 0A000201000001830FCBCADF
*Mar 4 01:37:07.535: %DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: Attempt to assign non-existent or shutdown VLAN 14.0 to 802.1x port GigabitEthernet1/0/13 AuditSessionID 0A000201000001830FCBCADF
*Mar 4 01:37:07.535: %AUTHMGR-5-FAIL: Authorization failed for client (507b.9d34.bf4b) on Interface Gi1/0/13 AuditSessionID 0A000201000001830FCBCADF
*Mar 4 01:37:07.540: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (507b.9d34.bf4b) on Interface Gi1/0/13 AuditSessionID 0A000201000001830FCBCADF
*Mar 4 01:37:07.550: %AUTHMGR-5-FAIL: Authorization failed for client (507b.9d34.bf4b) on Interface Gi1/0/13 AuditSessionID 0A000201000001830FCBCADF
Thank you,
Jordi
_______________________________________________
PacketFence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users
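Added example (not part of Jordi's post, and not PacketFence or Cisco code): a small Python checker that parses the "RADIUS Reply" block of a PacketFence audit-log excerpt and the first table of the switch's `show vlan` output, then reports whether a Cisco IOS switch would accept the dynamic-VLAN assignment. It encodes the RFC 2868 values (Tunnel-Type VLAN = 13, Tunnel-Medium-Type IEEE-802 = 6) and the IOS requirement that Tunnel-Private-Group-Id carry either a bare VLAN ID (1..4094) or the name of an existing VLAN. The sample inputs are constructed from the post above; the function names and the "rendered as a float" hint are my own and are only a diagnostic, the script does not explain why PacketFence emits "14.0".

```python
import re
from typing import Dict, List

# Constructed sample: the reply attributes as they appear in the
# PacketFence RADIUS audit log quoted in the post.
SAMPLE_RADIUS_REPLY = """\
RADIUS Reply
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "test01"
Tunnel-Type = VLAN
Filter-Id = "ResearchSecurity.in"
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-Id = "14.0"
"""

# Constructed sample: the first table of the switch's "show vlan" output,
# with the port list shortened.
SAMPLE_SHOW_VLAN = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1, Gi1/0/2
14   ResearchSecurity                 active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
"""

ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*(.*?)\s*$')
VLAN_ROW_RE = re.compile(r'^(\d{1,4})\s+(\S+)\s+(\S+)')


def parse_reply(text: str) -> Dict[str, str]:
    """Return the reply attributes as a dict, with surrounding quotes stripped."""
    attrs: Dict[str, str] = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if not m:
            continue  # "RADIUS Reply" header and blank lines carry no '='
        name, value = m.groups()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        attrs[name] = value
    return attrs


def parse_show_vlan(text: str) -> Dict[str, Dict[str, str]]:
    """Map VLAN ID (decimal string) -> {'name', 'status'} from 'show vlan'.

    Only the first table (ID / Name / Status / Ports) is read; parsing stops
    at the 'VLAN Type' table so its SAID column is not mistaken for a status.
    """
    vlans: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        if line.startswith("VLAN Type"):
            break
        m = VLAN_ROW_RE.match(line)
        if m:
            vid, name, status = m.groups()
            vlans[vid] = {"name": name, "status": status}
    return vlans


def check_vlan_assignment(reply: Dict[str, str],
                          vlans: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the problems an IOS switch would have with this reply (empty = OK)."""
    problems: List[str] = []
    # RFC 2868: Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802
    if reply.get("Tunnel-Type") not in ("VLAN", "13"):
        problems.append(f"Tunnel-Type is {reply.get('Tunnel-Type')!r}, expected VLAN")
    if reply.get("Tunnel-Medium-Type") not in ("IEEE-802", "6"):
        problems.append(f"Tunnel-Medium-Type is {reply.get('Tunnel-Medium-Type')!r}, expected IEEE-802")
    gid = reply.get("Tunnel-Private-Group-Id")
    if gid is None:
        problems.append("Tunnel-Private-Group-Id missing")
        return problems
    if gid.isdigit():
        # Numeric form: must be a valid, configured, active VLAN ID
        if not 1 <= int(gid) <= 4094:
            problems.append(f"VLAN ID {gid} out of range 1..4094")
        elif gid not in vlans:
            problems.append(f"VLAN {gid} not configured on switch")
        elif vlans[gid]["status"] != "active":
            problems.append(f"VLAN {gid} is {vlans[gid]['status']}, not active")
    else:
        # Non-numeric form: IOS also accepts the name of an existing VLAN
        names = {v["name"] for v in vlans.values()}
        if gid not in names:
            hint = ""
            if re.fullmatch(r"\d+\.0+", gid):  # hypothetical hint for the "14.0" case
                hint = f" (looks like VLAN {gid.split('.')[0]} rendered as a float)"
            problems.append(f"Tunnel-Private-Group-Id {gid!r} is neither a VLAN ID nor a VLAN name{hint}")
    return problems


def run_sample() -> List[str]:
    """Evaluate the constructed sample reply against the constructed VLAN table."""
    return check_vlan_assignment(parse_reply(SAMPLE_RADIUS_REPLY),
                                 parse_show_vlan(SAMPLE_SHOW_VLAN))


if __name__ == "__main__":
    for p in run_sample() or ["OK: switch should accept this VLAN assignment"]:
        print(p)
```

To use it on a real case, paste the "RADIUS Reply" block from the PacketFence audit log and the output of `show vlan` into the two sample strings. A clean result means the attribute values themselves are acceptable; the remaining checks (VLAN not shut down, port configured for dynamic VLAN assignment) still have to be done on the switch.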