Alright, I found a solution: Even though my switch is an Aruba 2530, the type templates for Aruba switches didn’t work. I switched to HP Procurve as type and now it works.

Weird things I noticed:
1: CoA was enabled in PacketFence but a disconnect request was sent instead.
2: The disconnect request was noted on the switch but was dropped without any log entry.

Johannes Mudrich
Employee, Administration, IT
Altmark-Klinikum gGmbH
Ernst-von-Bergmann-Straße 22
39638 Gardelegen
Tel.: 03907 791229
Fax.: 03907 791248
Mail: j.mudr...@altmark-klinikum.de

From: Mudrich, J.
Sent: Thursday, 4 May 2023 09:31
To: packetfence-users@lists.sourceforge.net
Subject: RE: [PacketFence-users] Basic Config for Procurve Switch

Hello everyone,

I’m still having this CoA issue. I can see a Disconnect-Request in the RADIUS logs which seems to time out:

    MAC Address: 18:66:da:49:d6:81
    Auth Status:
    Auth Status:
    Auto Registration: Unknown
    Calling Station Identifier:
    Computer Name: GAIT-03
    EAP Type:
    Event Type: Disconnect-Request
    IP Address:
    Is a Phone: No
    Created at: 2023-05-04 08:52:29
    Node Status: reg
    Domain:
    Profile:
    Realm:
    Reason:
    Role:
    Source:
    Stripped User Name:
    User Name: default
    Unique Identifier:
    Request Time:

    RADIUS Request:
        Calling-Station-Id = 18-66-DA-49-D6-81
        NAS-IP-Address = 10.9.254.9

    RADIUS Reply:
        Reply-Message = Error – Timeout

There is nothing in the logs on the switch. CoA is enabled on the switch and in the PF switch config. Does anyone have an idea?

Kind regards
Johannes

From: Mudrich, J. via PacketFence-users [mailto:packetfence-users@lists.sourceforge.net]
Sent: Wednesday, 1 March 2023 10:29
To: PacketFence-users <packetfence-users@lists.sourceforge.net>
Cc: Mudrich, J. <j.mudr...@altmark-klinikum.de>
Subject: Re: [PacketFence-users] Basic Config for Procurve Switch

Hello Ludovic,

thanks for your reply. So I tried to configure MAC-auth via RADIUS. It basically works but with a flaw: I have to manually reset the switch port for the changes, i.e. registration/deregistration, to work.

What I did on the switch:

    radius-server host [PF-IP] key [password]
    aaa authentication port-access chap-radius
    aaa port-access mac-based 1-24
    aaa port-access 1-24

When connecting a new unauthed client, it’s blocked. I also tried a registration VLAN, which also worked. Then I registered the client in PF, but the switch port is still blocked or stays in the registration VLAN. When manually resetting the port on the switch or reconnecting the client, the port is configured correctly and unblocked.

When using the “Restart Switchport” function in PF, it results in an SNMP error on the switch. Looks like PF tries to do this via SNMP, which I didn’t configure.

Is there any way this works automatically?

Thanks
Johannes

From: Zammit, Ludovic [mailto:luza...@akamai.com]
Sent: Monday, 27 February 2023 13:43
To: PacketFence-users <packetfence-users@lists.sourceforge.net>
Cc: Mudrich, J. <j.mudr...@altmark-klinikum.de>
Subject: Re: [PacketFence-users] Basic Config for Procurve Switch

Hello Johannes,

You should use RADIUS and not Port-Security if the switch is capable of it.

You configure RADIUS on the switch at the general level and then the interface(s) that you want to control with PF.

The role assignation would work once you get the RADIUS request sent to PF.

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead
Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

On Feb 22, 2023, at 8:00 AM, Mudrich, J. via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Hi,

I am pretty new to the NAC stuff and I am currently evaluating PacketFence.

What I try to achieve:
Block the ports on my switch (ProCurve 2510) when an unknown MAC is detected. If the MAC is registered/known, unblock the port.

What I have done so far:
PacketFence server is running with basic configuration. That means I basically didn’t touch anything except I added a switch (ProCurve 2500 Series) and configured my SSH credentials.
On my switch I disabled Link Up/Down traps and enabled port security according to the Network Device Configuration Guide.

When connecting a test client I can see the alert SNMP traps coming in on the server and a new node is created. I tried registering the node and assigned a role (default), but the port on the switch is still blocked.

Did I miss something? How does PacketFence communicate with the switch? Is there any way I can test the communication?

Thanks
Johannes

_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
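
For the point in the thread where CoA was enabled but a Disconnect-Request showed up and timed out, here is one way to inspect such a packet once its bytes have been captured: name the RFC 5176 packet type, decode the attributes, and check the Request Authenticator against the shared secret. This is an added example, not code from the thread or from PacketFence. The sample packet and the secret are constructed; only the two attribute values come from the log quoted above.

```python
import hashlib
import hmac
import socket
import struct

# Packet codes defined by RFC 5176 (dynamic authorization, default UDP port 3799).
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ATTRS = {4: "NAS-IP-Address", 31: "Calling-Station-Id"}  # the two seen in the thread


def build_request(code, ident, attrs, secret):
    """Assemble a request so the example has input; attrs is [(type, bytes), ...]."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Request Authenticator = MD5(code + id + length + 16 zero octets + attrs + secret)
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body


def inspect(packet, secret):
    """Name the packet type, decode attributes, and check the authenticator."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match the packet")
    body, attrs, pos = packet[20:length], {}, 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute")
        atype, alen = body[pos], body[pos + 1]
        value = body[pos + 2:pos + alen]
        if atype == 4 and len(value) == 4:
            value = socket.inet_ntoa(value)
        elif atype == 31:
            value = value.decode("ascii", "replace")
        attrs[ATTRS.get(atype, f"attr-{atype}")] = value
        pos += alen
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    return {"type": CODES.get(code, f"code-{code}"), "id": ident, "attributes": attrs,
            "authenticator_ok": hmac.compare_digest(packet[4:20], expected)}

# Constructed sample: attribute values from the thread's log, placeholder secret.
SECRET = b"placeholder-secret"
SAMPLE = build_request(40, 7, [(31, b"18-66-DA-49-D6-81"),
                               (4, socket.inet_aton("10.9.254.9"))], SECRET)

if __name__ == "__main__":
    print(inspect(SAMPLE, SECRET), inspect(SAMPLE, b"wrong-secret")["authenticator_ok"])
```

A packet whose type is Disconnect-Request when CoA was expected points at the server-side switch definition; an `authenticator_ok` of False means the secret used for the check differs from the one the sender used.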