Dear Farbood dear all,

I've checked the service daemon and the UDP port. As you can see, the service was started and the daemons are running, but I don't see any UDP port listening on 67 for my VLANs.
Can the DHCP listener work with VLANs?
Thank you
Enrico


1)

root@pfsrv:/home/enrico# systemctl status packetfence-pfdhcplistener.service
● packetfence-pfdhcplistener.service - PacketFence DHCP Listener Service
     Loaded: loaded (/lib/systemd/system/packetfence-pfdhcplistener.service; enabled; preset: enabled)
     Active: active (running) since Fri 2025-03-14 10:32:54 CET; 9h ago
   Main PID: 3058 (pfdhcplistener)
     Status: "Ready"
      Tasks: 9 (limit: 19134)
     Memory: 198.3M
        CPU: 7.455s
     CGroup: /packetfence.slice/packetfence-pfdhcplistener.service
             ├─3058 pfdhcplistener
             ├─3161 "pfdhcplistener - eth1.27"
             ├─3162 "pfdhcplistener - eth1.28"
             ├─3163 "pfdhcplistener - eth1.29"
             ├─3164 "pfdhcplistener - eth1.30"
             ├─3165 "pfdhcplistener - eth0"
             ├─3166 "pfdhcplistener - eth1.25"
             ├─3167 "pfdhcplistener - eth1.26"
             └─3168 "pfdhcplistener - eth1"

2)

root@pfsrv:/home/enrico# ps -axf | grep dhcp
 257357 pts/3    S+     0:00                          \_ grep dhcp
   3072 ?        S      0:00  \_ pfqueue - Queue:pfdhcplistener
   3076 ?        S      0:00  \_ pfqueue - Queue:pfdhcplistener_external
   3058 ?        Ss     0:05 pfdhcplistener
   3161 ?        S      0:00  \_ pfdhcplistener - eth1.27
   3162 ?        S      0:00  \_ pfdhcplistener - eth1.28
   3163 ?        S      0:00  \_ pfdhcplistener - eth1.29
   3164 ?        S      0:00  \_ pfdhcplistener - eth1.30
   3165 ?        S      0:01  \_ pfdhcplistener - eth0
   3166 ?        S      0:00  \_ pfdhcplistener - eth1.25
   3167 ?        S      0:00  \_ pfdhcplistener - eth1.26
   3168 ?        S      0:00  \_ pfdhcplistener - eth1


3)

root@pfsrv:/home/enrico# netstat -apn | grep 67
tcp        0      0 127.0.0.1:7070          0.0.0.0:*               LISTEN      2467/docker-proxy
tcp        0      0 0.0.0.0:1443            0.0.0.0:*               LISTEN      3673/docker-proxy
tcp6       0      0 :::1443                 :::*                    LISTEN      3679/docker-proxy
udp        0      0 127.0.0.1:35334         127.0.0.1:8125          ESTABLISHED 3167/pfdhcplistener

4)

root@pfsrv:/home/enrico# netstat -apn | grep dhcp
tcp        0      0 100.64.0.1:48482        100.64.0.1:6380         ESTABLISHED 3166/pfdhcplistener
udp        0      0 127.0.0.1:54116         127.0.0.1:8125          ESTABLISHED 3168/pfdhcplistener
udp        0      0 127.0.0.1:39095         127.0.0.1:8125          ESTABLISHED 3163/pfdhcplistener
udp        0      0 127.0.0.1:55657         127.0.0.1:8125          ESTABLISHED 3162/pfdhcplistener
udp        0      0 127.0.0.1:56824         127.0.0.1:8125          ESTABLISHED 3164/pfdhcplistener
udp        0      0 127.0.0.1:49297         127.0.0.1:8125          ESTABLISHED 3058/pfdhcplistener
udp        0      0 127.0.0.1:57578         127.0.0.1:8125          ESTABLISHED 3165/pfdhcplistener
udp        0      0 127.0.0.1:35334         127.0.0.1:8125          ESTABLISHED 3167/pfdhcplistener
udp        0      0 127.0.0.1:52514         127.0.0.1:8125          ESTABLISHED 3161/pfdhcplistener
udp        0      0 127.0.0.1:52561         127.0.0.1:8125          ESTABLISHED 3166/pfdhcplistener



On 14/03/25 18:22, jafarsalehi.far...@outlook.de wrote:
Hi Enrico,
I see, I saw via tcpdump that you also get the DHCP traffic.
If PacketFence is listening on the interface:
netstat -anu | grep :67
and similar output comes out:
udp  0  0 10.25.0.1:67   0.0.0.0:*   LISTEN

then you might be facing a bug. Sorry, I can't think of something else and can't help further. Hope someone in the community comes up with a solution.


Best Regards
Farbod



On Friday, March 14, 2025 at 08:17:42 AM GMT+1, Enrico Becchetti <enrico.becche...@pg.infn.it> wrote:


Hi Farbod,
No, because my network profile is enforcement and the PF server and DHCP server
are on the same VLAN.

[INFN-WIRED]
filter_match_style=all
sources=RADIUS-AAI
locale=
advanced_filter=
autoregister=enabled
filter=connection_type:Ethernet-EAP
scans=OpenVAS-WIRED
So PF would see all DHCP sessions. Is it true?

Best Regards
Enrico

On 14/03/2025 01:42, jafarsalehi.far...@outlook.de wrote:
> Hi Enrico,
> Have you configured DHCP relay to forward the DHCP messages to PacketFence too?
>
>
> Best regards
> Farbod

>
>    On Thu., March 13, 2025 at 21:43 Enrico Becchetti via
>    PacketFence-users
>    <packetfence-users@lists.sourceforge.net> wrote:
>    Dear all,
>    my new Network Access Control project based on PacketFence has started really badly.
>
>    First I installed PF 14.1 on AlmaLinux 8 and now I am using the ZEN version as a last attempt.
>
>    In both cases I made a very simple configuration; the most important details are as follows:
>
>    I have two network cards, eth0 (management) and eth1 with some VLANs: registration, isolation, production etc.;
>
>    I defined a RADIUS authentication backend, I configured a switch and a network profile.
>    This network profile is of the “other” type because PF only performs authentication; gateway (NAT) and DHCP server functions are performed by another server (10.25.0.254).
>
>    With this setup I'd like to manage access to the wired network via 802.1X. While the client connects, PF is unable to read the IP address assigned by the DHCP server. This is a big problem that I have to solve, otherwise I can't follow up with this project.
>
>    If you have some time for me I'll send you the following information: the PacketFence configuration file, the active DHCP processes, the configuration of the network cards, the tcpdump session with which you can see that the server receives information via VLAN 25 on DHCP sessions, and finally the packetfence.log file.
>
>    Do you think there is a bug in PF 14.1 or is it a mistake in my configuration?
>
>    Thanks for your attention.
>
>    Enrico
>
>    .—————————————————————————————————
>
>
>    1) pf.conf
>
>    # general.dhcpservers
>    #
>    # Comma-delimited list of DHCP servers. Passthroughs are created to allow DHCP transactions from even "trapped" nodes.
>    dhcpservers=127.0.0.1,10.25.0.254
>
>    [interface eth1.25]
>    type=dhcp-listener,portal
>    ip=10.25.0.1
>    mask=255.255.0.0
>
>
>    # ps axf | grep -i dhc
>      11044 pts/0    S+     0:00                      \_ grep -i dhc
>       3057 ?        S      0:00  \_ pfqueue - Queue:pfdhcplistener_external
>       3088 ?        S      0:00  \_ pfqueue - Queue:pfdhcplistener
>
>    # ip link
>
>    5: eth1.25@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
>        link/ether 52:54:00:ad:60:dc brd ff:ff:ff:ff:ff:ff
>    6: eth1.26@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
>
>    5: eth1.25@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
>        link/ether 52:54:00:ad:60:dc brd ff:ff:ff:ff:ff:ff
>        inet 10.25.0.1/16 brd 10.25.255.255 scope global eth1.25
>           valid_lft forever preferred_lft forever
>        inet6 fe80::5054:ff:fead:60dc/64 scope link
>           valid_lft forever preferred_lft forever
>
>    # tcpdump -i eth1.25 -n -vv port 67 or port 68
>    tcpdump: listening on eth1.25, link-type EN10MB (Ethernet), snapshot length 262144 bytes
>    15:27:26.576206 IP (tos 0x0, ttl 255, id 10108, offset 0, flags [none], proto UDP (17), length 328)
>        0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from ac:87:a3:12:81:47, length 300, xid 0x9370cc2c, secs 4, Flags [none] (0x0000)
>              Client-Ethernet-Address ac:87:a3:12:81:47
>              Vendor-rfc1048 Extensions
>                Magic Cookie 0x63825363
>                DHCP-Message (53), length 1: Request
>                Parameter-Request (55), length 12:
>                  Subnet-Mask (1), Classless-Static-Route (121), Default-Gateway (3), Domain-Name-Server (6)
>                  Domain-Name (15), Unknown (108), URL (114), Unknown (119)
>                  Unknown (252), LDAP (95), Netbios-Name-Server (44), Netbios-Node (46)
>                MSZ (57), length 2: 1500
>                Client-ID (61), length 7: ether ac:87:a3:12:81:47
>                Requested-IP (50), length 4: 10.25.1.1
>                Lease-Time (51), length 4: 7776000
>                Hostname (12), length 12: "becchetti-nb"
>
>    1 packet captured
>    1 packet received by filter
>    0 packets dropped by kernel
>
>    # tail packetfence.log
>
>    2025-03-13T15:27:22.145042+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] handling radius autz request: from switch_ip => (10.0.0.111), connection_type => Ethernet-EAP, switch_mac => (6c:c2:17:af:31:20), mac => [ac:87:a3:12:81:47], port => 3, username => "becch...@pg.infn.it" (pf::radius::authorize)
>    2025-03-13T15:27:22.214895+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] Instantiate profile INFN-WIRED (pf::Connection::ProfileFactory::_from_profile)
>    2025-03-13T15:27:22.299418+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] Found authentication source(s) : 'RADIUS-AAI' for realm 'default' (pf::config::util::filter_authentication_sources)
>    2025-03-13T15:27:22.336171+01:00 pfsrv pfqueue-backend[3072]: pfqueue(2158) INFO: [mac:[undef]] Running task person_lookup (main::process_data)
>    2025-03-13T15:27:22.305635+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] Using sources RADIUS-AAI for matching (pf::authentication::match2)
>    2025-03-13T15:27:22.310250+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] Matched rule (catchall) in source RADIUS-AAI, returning actions. (pf::Authentication::Source::match_rule)
>    2025-03-13T15:27:22.310250+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] Matched rule (catchall) in source RADIUS-AAI, returning actions. (pf::Authentication::Source::match)
>    2025-03-13T15:27:22.355955+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] Found authentication source(s) : 'RADIUS-AAI' for realm 'default' (pf::config::util::filter_authentication_sources)
>    2025-03-13T15:27:22.355955+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
>    2025-03-13T15:27:22.355955+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] Username was defined "becch...@pg.infn.it" - returning role 'default' (pf::role::getRegisteredRole)
>    2025-03-13T15:27:22.355955+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] PID: "becch...@pg.infn.it", Status: reg Returned VLAN: (undefined), Role: default (pf::role::fetchRoleForNode)
>    2025-03-13T15:27:22.370303+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] (10.0.0.111) Added VLAN 25 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
>    2025-03-13T15:27:22.384950+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] security_event 1300003 force-closed for ac:87:a3:12:81:47 (pf::security_event::security_event_force_close)
>    2025-03-13T15:27:22.385595+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] Instantiate profile INFN-WIRED (pf::Connection::ProfileFactory::_from_profile)
>    2025-03-13T15:27:22.401686+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) INFO: [mac:ac:87:a3:12:81:47] grace expired on security event 1200004 for node ac:87:a3:12:81:47 (pf::security_event::security_event_add)
>    2025-03-13T15:27:22.409662+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) ERROR: [mac:ac:87:a3:12:81:47] Database query failed with non retryable error: Cannot add or update a child row: a foreign key constraint fails (`pf`.`security_event`, CONSTRAINT `security_event_id_fkey_class` FOREIGN KEY (`security_event_id`) REFERENCES `class` (`security_event_id`) ON DELETE CASCADE ON UPDATE CASCADE) (errno: 1452) [INSERT INTO `security_event` ( `mac`, `notes`, `release_date`, `security_event_id`, `start_date`, `status`, `ticket_ref`) VALUES ( ?, ?, ?, ?, ?, ?, ? )]{ac:87:a3:12:81:47, , 0000-00-00 00:00:00, 1200004, 2025-03-13 15:27:22, open, } (pf::dal::db_execute)
>    2025-03-13T15:27:22.410532+01:00 pfsrv httpd.aaa-docker-wrapper[2255]: httpd.aaa(6) ERROR: [mac:ac:87:a3:12:81:47] unknown error adding security event 1200004 for ac:87:a3:12:81:47 (pf::security_event::security_event_add)
>
>    Enrico
>
>    _______________________________________________
>    PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
__________________________________________________________________________

Enrico Becchetti                        Servizio di Calcolo e Reti

Istituto Nazionale di Fisica Nucleare - Sezione di Perugia
Via Pascoli,c/o Dipartimento di Fisica  06123 Perugia (ITALY)
Phone:+39 075 5852777             Mobile: +39 075 9696225
FAX: +39 075 5847296                    Microsoft Teams: becch...@infn.it
Mail: Enrico.Becchetti<at>pg.infn.it Skype:enrico_becchetti
Personal web page: https://www.pg.infn.it/home/enrico-becchetti

_________________________________________________________________________
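
Added example (not code from this thread or from PacketFence itself): it builds constructed DHCP messages reusing the MAC and addresses quoted above, parses them the way a passive DHCP listener must, and applies the RFC 2131 delivery rule that decides whether a sniffer on the shared VLAN can see the server's ACK at all; note the tcpdump above shows Flags [none], i.e. the client's broadcast bit is clear.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"  # RFC 2132 magic cookie that starts the options field

def build_dhcp(op, msg_type, xid, client_mac, yiaddr="0.0.0.0", ciaddr="0.0.0.0",
               server_id="0.0.0.0", broadcast=False):
    """Build a minimal BOOTP/DHCP message (constructed test data, not a capture)."""
    flags = 0x8000 if broadcast else 0
    chaddr = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\0")
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, flags,
                      socket.inet_aton(ciaddr), socket.inet_aton(yiaddr),
                      socket.inet_aton(server_id), b"\0" * 4, chaddr,
                      b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, msg_type])                           # DHCP message type
    if server_id != "0.0.0.0":
        opts += bytes([54, 4]) + socket.inet_aton(server_id)  # server identifier
    return hdr + MAGIC + opts + b"\xff"

def parse_dhcp(pkt):
    """Extract what a passive listener needs: client MAC, assigned IP, delivery hints."""
    op, _htype, hlen, _hops, xid, _secs, flags = struct.unpack_from("!BBBBIHH", pkt, 0)
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message (magic cookie missing)")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:                    # 255 = end option
        if pkt[i] == 0:                                       # 0 = pad, no length byte
            i += 1
            continue
        length = pkt[i + 1]
        opts[pkt[i]] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "broadcast_flag": bool(flags & 0x8000),
            "ciaddr": socket.inet_ntoa(pkt[12:16]), "yiaddr": socket.inet_ntoa(pkt[16:20]),
            "mac": pkt[28:28 + hlen].hex(":"), "type": opts.get(53, b"\0")[0]}

def seen_on_shared_vlan(msg):
    """RFC 2131 s4.1: a client with ciaddr 0 broadcasts; the server's reply is broadcast
    only if ciaddr is 0 AND the broadcast flag is set, else it is unicast to the client."""
    if msg["op"] == 1:                                        # BOOTREQUEST (client -> server)
        return msg["ciaddr"] == "0.0.0.0"
    return msg["ciaddr"] == "0.0.0.0" and msg["broadcast_flag"]  # BOOTREPLY

def learned_binding(pkt):
    """What pfdhcplistener-style sniffing can take from one frame: (mac, ip) or None."""
    msg = parse_dhcp(pkt)
    if msg["type"] == 5 and seen_on_shared_vlan(msg):        # a DHCPACK that is actually visible
        return msg["mac"], msg["yiaddr"]
    return None
```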

