Hi all, I am trying to configure switch CLI access using packetfence local users and for some reason I cannot seem to understand how it works.
I have a connection profile to match on "connection type=CLI-Access" and source set to local. Then, on the user, regardless of which access level I assign, PacketFence always allows CLI access. The following logs show that the user is found in the local SQL database but has no switch role assigned, therefore to my understanding access should not be allowed:

Oct 18 10:31:44 vpacketfence httpd.aaa-docker-wrapper[7673]: httpd.aaa(8) INFO: [mac:[undef]] handling radius autz request: from switch_ip => (10.4.73.24), connection_type => CLI-Access,switch_mac => (Unknown), mac => [0], port => (2), username => "test_adm" (pf::radius::switch_access)
Oct 18 10:31:45 vpacketfence httpd.aaa-docker-wrapper[7673]: httpd.aaa(8) WARN: [mac:[undef]] Trying to match IP address with an invalid MAC address 'undef' (pf::ip4log::mac2ip)
Oct 18 10:31:45 vpacketfence httpd.aaa-docker-wrapper[7673]: httpd.aaa(8) INFO: [mac:[undef]] Instantiate profile NoEAP (pf::Connection::ProfileFactory::_from_profile)
Oct 18 10:31:45 vpacketfence httpd.aaa-docker-wrapper[7673]: httpd.aaa(8) INFO: [mac:[undef]] Found authentication source(s) : 'local' for realm 'null' (pf::config::util::filter_authentication_sources)
Oct 18 10:31:45 vpacketfence httpd.aaa-docker-wrapper[7673]: httpd.aaa(8) INFO: [mac:[undef]] MFA Pre Authentication (pf::radius::mfa_pre_auth)
Oct 18 10:31:45 vpacketfence httpd.aaa-docker-wrapper[7673]: httpd.aaa(8) INFO: [mac:[undef]] Instantiate profile NoEAP (pf::Connection::ProfileFactory::_from_profile)
Oct 18 10:31:45 vpacketfence httpd.aaa-docker-wrapper[7673]: httpd.aaa(8) INFO: [mac:[undef]] Found authentication source(s) : 'local' for realm 'null' (pf::config::util::filter_authentication_sources)
Oct 18 10:31:45 vpacketfence httpd.aaa-docker-wrapper[7673]: httpd.aaa(8) INFO: [mac:[undef]] Using sources local for matching (pf::authentication::match2)
Oct 18 10:31:45 vpacketfence httpd.aaa-docker-wrapper[7673]: httpd.aaa(8) INFO: [mac:[undef]] Authentication successful for test_adm in source local (SQL) (pf::authentication::authenticate)
Oct 18 10:31:45 vpacketfence httpd.aaa-docker-wrapper[7673]: httpd.aaa(8) INFO: [mac:[undef]] MFA Post Authentication (pf::radius::mfa_post_auth)
Oct 18 10:31:45 vpacketfence httpd.aaa-docker-wrapper[7673]: httpd.aaa(8) INFO: [mac:[undef]] Using sources local for matching (pf::authentication::match2)
Oct 18 10:31:45 vpacketfence httpd.aaa-docker-wrapper[7673]: httpd.aaa(8) INFO: [mac:[undef]] Using sources local for matching (pf::authentication::match2)
Oct 18 10:31:45 vpacketfence httpd.aaa-docker-wrapper[7673]: httpd.aaa(8) INFO: [mac:[undef]] Using sources local for matching (pf::authentication::match2)
Oct 18 10:31:45 vpacketfence httpd.aaa-docker-wrapper[7673]: httpd.aaa(8) INFO: [mac:[undef]] User test_adm has no role (Switches CLI - Read or Switches CLI - Write or Switches Probe) to permit to login in 10.4.73.24 (pf::radius::returnRadiusCli)

In the RADIUS audit logs I can see the same message, but with an HTTP code 200:

RADIUS Reply
REST-HTTP-Status-Code = 200
Reply-Message = "User has no role defined in PacketFence to allow switch login (SWITCH_LOGIN_READ or SWITCH_LOGIN_WRITE or SWITCH_PROBE)"

And on the switch, access is allowed, again with the same message:

Using username "test_adm".
Keyboard-interactive authentication prompts from server:
| User has no role defined in PacketFence to allow switch login (SWITCH_LOGIN_R
> EAD or SWITCH_LOGIN_WRITE or SWITCH_PROBE)
End of keyboard-interactive prompts from server
LAB>

Has anyone been able to make this work with PacketFence?

Regards
Gonçalo Contente
Senior Network & Security engineer
Devoteam
goncalo.conte...@devoteam.com
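The failure mode in the post (a user authenticates against the local source, PacketFence logs "has no role", yet the switch still grants a session) is worth auditing for across all switches before the configuration issue is resolved. The script below is an added example, not PacketFence code: it parses httpd.aaa log lines in the format quoted above, correlates each CLI-Access authorization request with the later "Authentication successful" and "has no role" messages from the same worker, and reports the user and switch IP so the corresponding switch sessions can be reviewed. The correlation key (process id plus httpd.aaa worker number) and the sample log lines are assumptions built from the post, not a documented PacketFence log contract.

```python
import re

# Log line format quoted in the post (assumed from the examples, not a documented format):
# "<date> <host> <prog>[pid]: httpd.aaa(<worker>) <LEVEL>: [mac:<mac>] <message> (<module>)"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<prog>\S+)\[(?P<pid>\d+)\]: "
    r"httpd\.aaa\((?P<worker>\d+)\) (?P<level>\w+): \[mac:(?P<mac>.*?)\] "
    r"(?P<msg>.*) \((?P<module>[\w:]+)\)$"
)
REQ_RE = re.compile(r'switch_ip => \((?P<switch>[\d.]+)\).*username => "(?P<user>[^"]+)"')
AUTH_OK_RE = re.compile(r"Authentication successful for (?P<user>\S+) in source (?P<source>\S+)")
NO_ROLE_RE = re.compile(r"User (?P<user>\S+) has no role .* to permit to login in (?P<switch>[\d.]+)")

def parse_line(line):
    """Split one httpd.aaa line into its fields, or return None for anything else."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def audit_cli_access(lines):
    """Return one finding per CLI-Access request where the user authenticated but had no switch role."""
    state = {}     # (pid, worker) -> request being processed by that worker
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key, msg = (rec["pid"], rec["worker"]), rec["msg"]
        req = REQ_RE.search(msg)
        if req and "CLI-Access" in msg:        # a new authorization request starts on this worker
            state[key] = {"ts": rec["ts"], "user": req["user"], "switch": req["switch"], "authenticated": False}
            continue
        cur = state.get(key)
        if cur is None:
            continue
        if AUTH_OK_RE.search(msg):
            cur["authenticated"] = True
        if NO_ROLE_RE.search(msg) and cur["authenticated"]:
            findings.append(dict(cur, no_role=True))  # credentials accepted, no role: review this session on the switch
            del state[key]
    return findings

# Constructed sample: a subset of the lines from the post, same format.
SAMPLE_LOG = [
    'Oct 18 10:31:44 vpacketfence httpd.aaa-docker-wrapper[7673]: httpd.aaa(8) INFO: [mac:[undef]] handling radius autz request: from switch_ip => (10.4.73.24), connection_type => CLI-Access,switch_mac => (Unknown), mac => [0], port => (2), username => "test_adm" (pf::radius::switch_access)',
    "Oct 18 10:31:45 vpacketfence httpd.aaa-docker-wrapper[7673]: httpd.aaa(8) WARN: [mac:[undef]] Trying to match IP address with an invalid MAC address 'undef' (pf::ip4log::mac2ip)",
    "Oct 18 10:31:45 vpacketfence httpd.aaa-docker-wrapper[7673]: httpd.aaa(8) INFO: [mac:[undef]] Authentication successful for test_adm in source local (SQL) (pf::authentication::authenticate)",
    "Oct 18 10:31:45 vpacketfence httpd.aaa-docker-wrapper[7673]: httpd.aaa(8) INFO: [mac:[undef]] User test_adm has no role (Switches CLI - Read or Switches CLI - Write or Switches Probe) to permit to login in 10.4.73.24 (pf::radius::returnRadiusCli)",
]

if __name__ == "__main__":
    for f in audit_cli_access(SAMPLE_LOG):
        print(f"{f['ts']}: {f['user']} authenticated for {f['switch']} with no switch role")
```

Feed it the real packetfence.log (or the docker wrapper's stdout) with `audit_cli_access(open(path))`; the request line and the "has no role" line must come from the same worker for a finding to be reported.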
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users