Hello Christian,

Try the Cisco 2960 switch module and try again.

Thanks,

Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

> On Jun 9, 2020, at 11:08 AM, Christian Sudec via PacketFence-users <[email protected]> wrote:
>
> Hi everybody!
>
> My colleagues and I are trying to set up 802.1x (Ethernet-EAP) with our newly purchased Mikrotik-Devices (Router OS 6.47), so that users have to type in AD-username and domain password to obtain access.
>
> We are currently using PacketFence 9.3.0 with a config that WORKS for our HP, Juniper and Cisco-Switches. But we are not able to set up the new devices. Here are the logs (only "mikrotik-sections") for a first glance:
>
> radius.log:
> ...
> Jun 9 16:25:03 ippf auth[1644]: Adding client 10.1.99.21/32
> Jun 9 16:25:03 ippf auth[1644]: rlm_rest (rest): Closing connection (20): Hit idle_timeout, was idle for 461123 seconds
> Jun 9 16:25:03 ippf auth[1644]: rlm_rest (rest): Closing connection (21): Hit idle_timeout, was idle for 461123 seconds
> Jun 9 16:25:03 ippf auth[1644]: rlm_rest (rest): Opening additional connection (22), 1 of 64 pending slots used
> Jun 9 16:25:03 ippf auth[1644]: (99880) rest: ERROR: Server returned:
> Jun 9 16:25:03 ippf auth[1644]: (99880) rest: ERROR: {"control:PacketFence-Switch-Id":"10.1.99.21","control:PacketFence-Request-Time":1591712703,"Reply-Message":"Network device does not support this mode of operation","control:PacketFence-Switch-Mac":"74:4d:28:b2:e4:1b","control:PacketFence-Mac":"5c:9a:d8:66:68:75","control:PacketFence-Switch-Ip-Address":"10.1.99.21","control:PacketFence-Eap-Type":26,"control:PacketFence-Authorization-Status":"allow","control:PacketFence-Connection-Type":"Ethernet-EAP","control:PacketFence-UserName":"sv"}
> Jun 9 16:25:03 ippf auth[1644]: Need 2 more connections to reach min connections (3)
> Jun 9 16:25:03 ippf auth[1644]: rlm_rest (rest): Opening additional connection (23), 1 of 63 pending slots used
> Jun 9 16:25:03 ippf auth[1644]: (99880) Rejected in post-auth: [sv] (from client 10.1.99.21/32 port 0 cli 5c:9a:d8:66:68:75 via TLS tunnel)
> Jun 9 16:25:03 ippf auth[1644]: (99880) Login incorrect (rest: Server returned:): [sv] (from client 10.1.99.21/32 port 0 cli 5c:9a:d8:66:68:75 via TLS tunnel)
> Jun 9 16:25:03 ippf auth[1644]: [mac:5c:9a:d8:66:68:75] Rejected user: sv
> Jun 9 16:25:03 ippf auth[1644]: (99881) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [sv] (from client 10.1.99.21/32 port 0 cli 5c:9a:d8:66:68:75)
> Jun 9 16:25:03 ippf auth[1644]: rlm_rest (rest): Closing connection (20): Hit idle_timeout, was idle for 461123 seconds
> Jun 9 16:25:03 ippf auth[1644]: rlm_rest (rest): Closing connection (21): Hit idle_timeout, was idle for 461123 seconds
> ...
>
> And packetfence.log:
> ...
> Jun 9 16:25:03 ippf packetfence_httpd.aaa: httpd.aaa(831) WARN: [mac:5c:9a:d8:66:68:75] Use of uninitialized value $nas_port in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 2375. (pf::Switch::NasPortToIfIndex)
> Jun 9 16:25:03 ippf packetfence_httpd.aaa: httpd.aaa(831) WARN: [mac:5c:9a:d8:66:68:75] Use of uninitialized value $port in concatenation (.) or string at /usr/local/pf/lib/pf/radius.pm line 185. (pf::radius::authorize)
> Jun 9 16:25:03 ippf packetfence_httpd.aaa: httpd.aaa(831) INFO: [mac:5c:9a:d8:66:68:75] handling radius autz request: from switch_ip => (10.1.99.21), connection_type => Ethernet-EAP,switch_mac => (74:4d:28:b2:e4:1b), mac => [5c:9a:d8:66:68:75], port => , username => "sv" (pf::radius::authorize)
> Jun 9 16:25:03 ippf packetfence_httpd.aaa: httpd.aaa(831) WARN: [mac:5c:9a:d8:66:68:75] Switch type 'pf::Switch::Mikrotik' does not support WiredDot1x (pf::SwitchSupports::__ANON__)
> Jun 9 16:25:03 ippf packetfence_httpd.aaa: httpd.aaa(831) WARN: [mac:5c:9a:d8:66:68:75] (10.1.99.21) Sending REJECT since switch is unsupported (pf::radius::_switchUnsupportedReply)
> Jun 9 16:25:03 ippf packetfence_httpd.aaa: httpd.aaa(831) WARN: [mac:5c:9a:d8:66:68:75] Use of uninitialized value $nas_port in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 2375. (pf::Switch::NasPortToIfIndex)
> Jun 9 16:25:03 ippf packetfence_httpd.aaa: httpd.aaa(831) WARN: [mac:5c:9a:d8:66:68:75] Use of uninitialized value $port in concatenation (.) or string at /usr/local/pf/lib/pf/radius.pm line 185. (pf::radius::authorize)
> Jun 9 16:25:03 ippf packetfence_httpd.aaa: httpd.aaa(831) INFO: [mac:5c:9a:d8:66:68:75] handling radius autz request: from switch_ip => (10.1.99.21), connection_type => Ethernet-EAP,switch_mac => (74:4d:28:b2:e4:1b), mac => [5c:9a:d8:66:68:75], port => , username => "sv" (pf::radius::authorize)
> Jun 9 16:25:03 ippf packetfence_httpd.aaa: httpd.aaa(831) WARN: [mac:5c:9a:d8:66:68:75] Switch type 'pf::Switch::Mikrotik' does not support WiredDot1x (pf::SwitchSupports::__ANON__)
> Jun 9 16:25:03 ippf packetfence_httpd.aaa: httpd.aaa(831) WARN: [mac:5c:9a:d8:66:68:75] (10.1.99.21) Sending REJECT since switch is unsupported (pf::radius::_switchUnsupportedReply)
> ...
>
> Since our other switches work with PF and 802.1x it looks like Mikrotik is the culprit, but our Mikrotik-reseller has a working 802.1x-solution with their own Windows-based RADIUS-server. So my question is: has anyone got Mikrotik-switches to work with PacketFence? Or at least some hints what to try? Our first configuration steps were according to PF's 'Network Devices Configuration Guide' but, as mentioned, with no luck...
>
> regards
> Chris
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
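An added example, not part of the thread and not PacketFence code: a small Python triage script that scans packetfence.log for rejects caused by the switch module lacking a capability, which radius.log in the excerpt above only reports as "Login incorrect". The regular expressions are written against the log lines quoted in the thread; the second switch and MAC in the sample are constructed.

```python
import re

LINE = re.compile(r"\[mac:(?P<mac>[0-9A-Fa-f:]{17})\] (?P<msg>.*)$")
AUTZ = re.compile(r"switch_ip => \((?P<ip>[^)]*)\), connection_type => (?P<conn>[^,]+),")
UNSUPPORTED = re.compile(r"Switch type '(?P<module>[^']+)' does not support (?P<cap>\w+)")
REJECT = re.compile(r"\((?P<ip>[^)]+)\) Sending REJECT since switch is unsupported")

# Sample input: the first three lines follow the thread's excerpt (logged twice
# there); the last line, with switch 192.0.2.10, is constructed for contrast.
P = "Jun 9 16:25:03 ippf packetfence_httpd.aaa: httpd.aaa(831) "
M = "[mac:5c:9a:d8:66:68:75] "
SAMPLE = "\n".join([
    P + "INFO: " + M + "handling radius autz request: from switch_ip => (10.1.99.21), "
        'connection_type => Ethernet-EAP,switch_mac => (74:4d:28:b2:e4:1b), '
        'mac => [5c:9a:d8:66:68:75], port => , username => "sv" (pf::radius::authorize)',
    P + "WARN: " + M + "Switch type 'pf::Switch::Mikrotik' does not support WiredDot1x "
        "(pf::SwitchSupports::__ANON__)",
    P + "WARN: " + M + "(10.1.99.21) Sending REJECT since switch is unsupported "
        "(pf::radius::_switchUnsupportedReply)",
] * 2 + [
    P + "INFO: [mac:00:11:22:33:44:55] handling radius autz request: from switch_ip => "
        "(192.0.2.10), connection_type => Ethernet-EAP,switch_mac => (00:11:22:33:44:66), "
        'mac => [00:11:22:33:44:55], port => 5, username => "alice" (pf::radius::authorize)',
])

def capability_rejects(text):
    """Map (switch_ip, module, capability) to the rejects it caused."""
    conn, pending, out = {}, {}, {}
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a per-MAC PacketFence log line
        mac, msg = m["mac"].lower(), m["msg"]
        if a := AUTZ.search(msg):
            conn[mac] = a["conn"]  # remember what the endpoint asked for
        elif u := UNSUPPORTED.search(msg):
            pending[mac] = (u["module"], u["cap"])
        elif (r := REJECT.search(msg)) and mac in pending:
            key = (r["ip"], *pending.pop(mac))
            entry = out.setdefault(
                key, {"connection_type": conn.get(mac), "macs": set(), "rejects": 0})
            entry["macs"].add(mac)
            entry["rejects"] += 1
    return out

if __name__ == "__main__":
    for (ip, module, cap), e in capability_rejects(SAMPLE).items():
        print(f"{ip}: {module} lacks {cap}; {e['rejects']} rejects "
              f"({e['connection_type']}) for {sorted(e['macs'])}")
```
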
