Re: [PacketFence-users] MAC Authentication Bypass on Aruba CX 6300

2023-05-11 Thread Mark Okuno via PacketFence-users
Thank you Mr. Weber!

The information is much appreciated!

Best,
mark okuno
Mark Okuno
UCSB Library, IT Operations
University of California, Santa Barbara


On Thu, May 11, 2023 at 1:03 AM Michael Weber 
wrote:

> Hello,
>
>
>
> The Aruba 6300 Series can do 802.1x and MAC Authentication Bypass the same
> way as the 5400 Series.
>
> So based on packetfence features and the Switch capabilities the 6300 can
> replace the 5400 without any disadvantages.
>
>
>
> We are currently not using 6300 with packetfence but a customer is using
> 6300 with another NAC solution and I configured it with the following:
>
> - 802.1x (TLS)
> - MAB (Mac Authentication bypass)
>
>
>
> Long story short: we will replace the 5400 with 6300 and keep packetfence
> with the same features that are used on 5400.
>
>
>
> Best Regards
>
> Michael
>
> *From:* Mark Okuno via PacketFence-users <
> packetfence-users@lists.sourceforge.net>
> *Sent:* Thursday, May 11, 2023 00:19
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Mark Okuno
> *Subject:* [PacketFence-users] MAC Authentication Bypass on Aruba CX 6300
>
>
>
> Hello PacketFence users,
>
>
>
> I currently have PacketFence configured to do dynamic VLAN assignment on a
> fleet of HP/Aruba Procurve 5400s using MAC authentication bypass.  I was
> wondering if anyone could confirm that they have been able to do the same
> on the Aruba CX 6xxx switches.  Apparently the AOS Procurves are going EOL
> in June 2024, and the sales reps are suggesting the CX 6xxx switches which
> use a different OS.
>
>
>
> Thank you!
>
>
>
> Best,
>
> mark okuno
>
>
>
>
> Mark Okuno
>
> UCSB Library, IT Operations
> University of California, Santa Barbara
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] MAC Authentication Bypass on Aruba CX 6300

2023-05-11 Thread Michael Weber via PacketFence-users
Hello,

 

The Aruba 6300 Series can do 802.1x and MAC Authentication Bypass the same way
as the 5400 Series.

So based on packetfence features and the Switch capabilities the 6300 can 
replace the 5400 without any disadvantages.

 

We are currently not using 6300 with packetfence but a customer is using 6300
with another NAC solution and I configured it with the following:

*   802.1x (TLS)
*   MAB (Mac Authentication bypass)

 

Long story short: we will replace the 5400 with 6300 and keep packetfence with 
the same features that are used on 5400. 

 

Best Regards

Michael

From: Mark Okuno via PacketFence-users
Sent: Thursday, May 11, 2023 00:19
To: packetfence-users@lists.sourceforge.net
Cc: Mark Okuno
Subject: [PacketFence-users] MAC Authentication Bypass on Aruba CX 6300

 

Hello PacketFence users,

 

I currently have PacketFence configured to do dynamic VLAN assignment on a 
fleet of HP/Aruba Procurve 5400s using MAC authentication bypass.  I was 
wondering if anyone could confirm that they have been able to do the same on 
the Aruba CX 6xxx switches.  Apparently the AOS Procurves are going EOL in June 
2024, and the sales reps are suggesting the CX 6xxx switches which use a 
different OS.

 

Thank you!

 

Best,

mark okuno

 




Mark Okuno

UCSB Library, IT Operations
University of California, Santa Barbara





[PacketFence-users] MAC Authentication Bypass on Aruba CX 6300

2023-05-10 Thread Mark Okuno via PacketFence-users
Hello PacketFence users,

I currently have PacketFence configured to do dynamic VLAN assignment on a
fleet of HP/Aruba Procurve 5400s using MAC authentication bypass.  I was
wondering if anyone could confirm that they have been able to do the same
on the Aruba CX 6xxx switches.  Apparently the AOS Procurves are going EOL
in June 2024, and the sales reps are suggesting the CX 6xxx switches which
use a different OS.

Thank you!

Best,
mark okuno


Mark Okuno
UCSB Library, IT Operations
University of California, Santa Barbara


Re: [PacketFence-users] MAC Authentication

2022-07-05 Thread Schneider Lukas via PacketFence-users
I found the error myself:
I missed a setting in the switch config:

radius scheme packetfence
   primary authentication 192.168.1.5 1812 key useStrongerSecret
   primary accounting 192.168.1.5 1813 key useStrongerSecret
   user-name-format without-domain   <   this one I missed

Best,
Lukas

From: Schneider Lukas via PacketFence-users
Sent: Friday, July 1, 2022 12:36
To: packetfence-users@lists.sourceforge.net
Cc: Schneider Lukas
Subject: [PacketFence-users] MAC Authentication

Hi!
I set up PacketFence 11.2 from the ZEN according to the installation guide and 
got 802.1X authentication working on my H3C S5120 switch. But now I am 
struggling to get MAC authentication working for my non-802.1X capable devices 
like printers and phones.

I create a node with the device's MAC address, select a role and set the status 
to "Registered". Afterwards I connect the device to the network port. In the
RADIUS Audit Logs I can see a new entry coming in, but the Auth Status remains 
"Reject" and the Node Status "Unregistered". This is what the RADIUS request 
looks like according to the RADIUS Audit Logs:

User-Name = "000fd502a3f2@packetfence"
User-Password = "**"
NAS-IP-Address = 10.1.1.237
NAS-Identifier = "pf-testswitch"
NAS-Port = 33562626
NAS-Port-Id = "slot=2;subslot=0;port=2;vlanid=2"
NAS-Port-Type = Ethernet
Service-Type = Call-Check
Framed-Protocol = PPP
Calling-Station-Id = "00:0f:d5:02:a3:f2"
Acct-Session-Id = "122060110272a5020"
Attr-26.43.230 = 0x4769676162697445746865726e6574322f302f32
FreeRADIUS-Client-IP-Address = 10.1.1.237
PacketFence-Radius-Ip = "10.3.1.22"
PacketFence-KeyBalanced = "4560a08fa197220c3e77d14559e310dc"
Module-Failure-Message = "Rejected: Realm does not have at least one dot separator"
SQL-User-Name = "000fd502a3f2@packetfence"

The RADIUS reply remains empty.

Can someone help me on this?

Best,
Lukas
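
The rejected request above carries a User-Name of the form MAC@realm, which the reply traces to the missing `user-name-format without-domain` line in the switch's RADIUS scheme. As an added example (not code from PacketFence or from the posters), this Python script parses such an attribute dump and flags that condition; treating Service-Type = Call-Check as the marker of a MAC-authentication request, and all function names, are assumptions of the example.

```python
import re

# Attribute dump taken from the RADIUS Audit Log entry posted in the thread
# (trimmed to the attributes the checks use). The mail-wrapped
# Module-Failure-Message line is kept on purpose.
SAMPLE_REQUEST = """\
User-Name = "000fd502a3f2@packetfence"
NAS-IP-Address = 10.1.1.237
NAS-Port-Id = "slot=2;subslot=0;port=2;vlanid=2"
Service-Type = Call-Check
Calling-Station-Id = "00:0f:d5:02:a3:f2"
Attr-26.43.230 = 0x4769676162697445746865726e6574322f302f32
Module-Failure-Message = "Rejected: Realm does not have at least one dot
separator"
"""

ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9.\-]*)\s+=\s+(.*)$")
QUOTE_PREFIX = re.compile(r"^(?:>\s*)+")  # "> " markers from quoted mail


def _unquote(value):
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def parse_attributes(text):
    """Parse 'Name = value' lines and fold wrapped continuation lines."""
    attrs, last = {}, None
    for raw in text.splitlines():
        line = QUOTE_PREFIX.sub("", raw.strip()).strip()
        if not line:
            continue
        match = ATTR_LINE.match(line)
        if match:
            last = match.group(1)
            attrs[last] = match.group(2)
        elif last is not None:
            attrs[last] += " " + line  # continuation of a wrapped value
    return {name: _unquote(value) for name, value in attrs.items()}


def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if value is not a bare MAC."""
    compact = re.sub(r"[:.\-]", "", value.strip()).lower()
    return compact if re.fullmatch(r"[0-9a-f]{12}", compact) else None


def decode_hex_string(value):
    """Decode an undecoded 0x... attribute value when it is printable ASCII."""
    if not value.lower().startswith("0x"):
        return None
    try:
        text = bytes.fromhex(value[2:]).decode("ascii")
    except ValueError:  # malformed hex or non-ASCII bytes
        return None
    return text if text.isprintable() else None


def without_domain(user_name):
    """Model of the User-Name the switch sends once the realm is dropped."""
    return user_name.partition("@")[0]


def check_mab_request(attrs):
    """Return (code, detail) findings for a MAC-authentication request."""
    findings = []
    # Assumption of this example: Call-Check marks MAC authentication,
    # as in the request posted in the thread.
    if attrs.get("Service-Type") != "Call-Check":
        return findings
    user = attrs.get("User-Name", "")
    local, at, realm = user.partition("@")
    if at:
        findings.append(("realm-suffix",
                         f"User-Name {user!r} carries realm {realm!r}; "
                         "expected the bare MAC address"))
    user_mac = normalize_mac(local)
    station_mac = normalize_mac(attrs.get("Calling-Station-Id", ""))
    if user_mac is None:
        findings.append(("not-a-mac", f"{local!r} is not a MAC address"))
    elif station_mac is not None and user_mac != station_mac:
        findings.append(("mac-mismatch",
                         f"User-Name {user_mac} != "
                         f"Calling-Station-Id {station_mac}"))
    return findings


if __name__ == "__main__":
    request = parse_attributes(SAMPLE_REQUEST)
    print("Attr-26.43.230 decodes to:",
          decode_hex_string(request["Attr-26.43.230"]))
    for code, detail in check_mab_request(request):
        print(f"[{code}] {detail}")
    request["User-Name"] = without_domain(request["User-Name"])
    print("after dropping the realm:",
          check_mab_request(request) or "no findings")
```

The mac-mismatch check also catches a MAC-authentication request whose User-Name names a different device than the Calling-Station-Id the switch reports for the port.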




Re: [PacketFence-users] MAC Authentication

2022-07-05 Thread Zammit, Ludovic via PacketFence-users
Hello Lukas,

I’m no expert but it says:

"Module-Failure-Message = "Rejected: Realm does not have at least one dot 
separator””

For Mac authentication the username = Mac address of the device only.

Thanks,

Ludovic Zammit
Product Support Engineer Principal

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Jul 1, 2022, at 6:35 AM, Schneider Lukas via PacketFence-users 
>  wrote:
> 
> Hi!
> I set up PacketFence 11.2 from the ZEN according to the installation guide 
> and got 802.1X authentication working on my H3C S5120 switch. But now I am 
> struggling to get MAC authentication working for my non-802.1X capable 
> devices like printers and phones.
>  
> I create a node with the device’s MAC address, select a role and set the 
> status to „Registered“. Afterwards I connect the device to the network
> port. In the RADIUS Audit Logs I can see a new entry coming in, but the Auth 
> Status remains „Reject“ and the Node Status „Unregistered“. This is what the 
> RADIUS request looks like according to the RADIUS Audit Logs:
>  
> User-Name = "000fd502a3f2@packetfence"
> User-Password = "**"
> NAS-IP-Address = 10.1.1.237
> NAS-Identifier = "pf-testswitch"
> NAS-Port = 33562626
> NAS-Port-Id = "slot=2;subslot=0;port=2;vlanid=2"
> NAS-Port-Type = Ethernet
> Service-Type = Call-Check
> Framed-Protocol = PPP
> Calling-Station-Id = "00:0f:d5:02:a3:f2"
> Acct-Session-Id = "122060110272a5020"
> Attr-26.43.230 = 0x4769676162697445746865726e6574322f302f32
> FreeRADIUS-Client-IP-Address = 10.1.1.237
> PacketFence-Radius-Ip = "10.3.1.22"
> PacketFence-KeyBalanced = "4560a08fa197220c3e77d14559e310dc"
> Module-Failure-Message = "Rejected: Realm does not have at least one dot separator"
> SQL-User-Name = "000fd502a3f2@packetfence"
>  
> The RADIUS reply remains empty.
>  
> Can someone help me on this?
>  
> Best,
> Lukas


Re: [PacketFence-users] MAC Authentication

2022-07-05 Thread Schneider Lukas via PacketFence-users
Thanks!

I was able to solve the problem by sticking to the documentation. I missed 
adding „user-name-format without-domain“ to the „radius scheme packetfence“.

Now the username comes in as Mac address only.

Best,
Lukas

From: Zammit, Ludovic
Sent: Monday, July 4, 2022 18:04
To: PacketFence-users
Cc: Schneider Lukas
Subject: Re: [PacketFence-users] MAC Authentication

Hello Lukas,

I’m no expert but it says:

"Module-Failure-Message = "Rejected: Realm does not have at least one dot 
separator””

For Mac authentication the username = Mac address of the device only.

Thanks,

Ludovic Zammit
Product Support Engineer Principal



Cell: +1.613.670.8432

Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142





On Jul 1, 2022, at 6:35 AM, Schneider Lukas via PacketFence-users wrote:

Hi!
I set up PacketFence 11.2 from the ZEN according to the installation guide and 
got 802.1X authentication working on my H3C S5120 switch. But now I am 
struggling to get MAC authentication working for my non-802.1X capable devices 
like printers and phones.

I create a node with the device’s MAC address, select a role and set the status 
to „Registered“. Afterwards I connect the device to the network port. In the
RADIUS Audit Logs I can see a new entry coming in, but the Auth Status remains 
„Reject“ and the Node Status „Unregistered“. This is what the RADIUS request 
looks like according to the RADIUS Audit Logs:

User-Name = "000fd502a3f2@packetfence"
User-Password = "**"
NAS-IP-Address = 10.1.1.237
NAS-Identifier = "pf-testswitch"
NAS-Port = 33562626
NAS-Port-Id = "slot=2;subslot=0;port=2;vlanid=2"
NAS-Port-Type = Ethernet
Service-Type = Call-Check
Framed-Protocol = PPP
Calling-Station-Id = "00:0f:d5:02:a3:f2"
Acct-Session-Id = "122060110272a5020"
Attr-26.43.230 = 0x4769676162697445746865726e6574322f302f32
FreeRADIUS-Client-IP-Address = 10.1.1.237
PacketFence-Radius-Ip = "10.3.1.22"
PacketFence-KeyBalanced = "4560a08fa197220c3e77d14559e310dc"
Module-Failure-Message = "Rejected: Realm does not have at least one dot separator"
SQL-User-Name = "000fd502a3f2@packetfence"

The RADIUS reply remains empty.

Can someone help me on this?

Best,
Lukas


Re: [PacketFence-users] MAC Authentication

2022-07-05 Thread Zammit, Ludovic via PacketFence-users
Perfect!

Thanks,

Ludovic Zammit
Product Support Engineer Principal

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

> On Jul 5, 2022, at 1:44 AM, Schneider Lukas  wrote:
> 
> Thanks!
>  
> I was able to solve the problem by sticking to the documentation. I missed 
> adding „user-name-format without-domain“ to the „radius scheme packetfence“. 
>  
> Now the username comes in as Mac address only.
>  
> Best,
> Lukas
>  
> From: Zammit, Ludovic
> Sent: Monday, July 4, 2022 18:04
> To: PacketFence-users
> Cc: Schneider Lukas
> Subject: Re: [PacketFence-users] MAC Authentication
>  
> Hello Lukas,
>  
> I’m no expert but it says:
>  
> "Module-Failure-Message = "Rejected: Realm does not have at least one dot 
> separator””
>  
> For Mac authentication the username = Mac address of the device only.
>  
> Thanks,
>  
> Ludovic Zammit
> Product Support Engineer Principal
> 
> Cell: +1.613.670.8432
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
> 
> 
> On Jul 1, 2022, at 6:35 AM, Schneider Lukas via PacketFence-users wrote:
>  
> Hi!
> I set up PacketFence 11.2 from the ZEN according to the installation guide 
> and got 802.1X authentication working on my H3C S5120 switch. But now I am 
> struggling to get MAC authentication working for my non-802.1X capable 
> devices like printers and phones.
>  
> I create a node with the device’s MAC address, select a role and set the 
> status to „Registered“. Afterwards I connect the device to the network
> port. In the RADIUS Audit Logs I can see a new entry coming in, but the Auth 
> Status remains „Reject“ and the Node Status „Unregistered“. This is what the 
> RADIUS request looks like according to the RADIUS Audit Logs:
>  
> User-Name = "000fd502a3f2@packetfence"
> User-Password = "**"
> NAS-IP-Address = 10.1.1.237
> NAS-Identifier = "pf-testswitch"
> NAS-Port = 33562626
> NAS-Port-Id = "slot=2;subslot=0;port=2;vlanid=2"
> NAS-Port-Type = Ethernet
> Service-Type = Call-Check
> Framed-Protocol = PPP
> Calling-Station-Id = "00:0f:d5:02:a3:f2"
> Acct-Session-Id = "122060110272a5020"
> Attr-26.43.230 = 0x4769676162697445746865726e6574322f302f32
> FreeRADIUS-Client-IP-Address = 10.1.1.237
> PacketFence-Radius-Ip = "10.3.1.22"
> PacketFence-KeyBalanced = "4560a08fa197220c3e77d14559e310dc"
> Module-Failure-Message = "Rejected: Realm does not have at least one dot separator"
> SQL-User-Name = "000fd502a3f2@packetfence"
>  
> The RADIUS reply remains empty.
>  
> Can someone help me on this?
>  
> Best,
> Lukas


[PacketFence-users] MAC Authentication

2022-07-01 Thread Schneider Lukas via PacketFence-users
Hi!
I set up PacketFence 11.2 from the ZEN according to the installation guide and 
got 802.1X authentication working on my H3C S5120 switch. But now I am 
struggling to get MAC authentication working for my non-802.1X capable devices 
like printers and phones.

I create a node with the device's MAC address, select a role and set the status 
to "Registered". Afterwards I connect the device to the network port. In the
RADIUS Audit Logs I can see a new entry coming in, but the Auth Status remains 
"Reject" and the Node Status "Unregistered". This is what the RADIUS request 
looks like according to the RADIUS Audit Logs:

User-Name = "000fd502a3f2@packetfence"
User-Password = "**"
NAS-IP-Address = 10.1.1.237
NAS-Identifier = "pf-testswitch"
NAS-Port = 33562626
NAS-Port-Id = "slot=2;subslot=0;port=2;vlanid=2"
NAS-Port-Type = Ethernet
Service-Type = Call-Check
Framed-Protocol = PPP
Calling-Station-Id = "00:0f:d5:02:a3:f2"
Acct-Session-Id = "122060110272a5020"
Attr-26.43.230 = 0x4769676162697445746865726e6574322f302f32
FreeRADIUS-Client-IP-Address = 10.1.1.237
PacketFence-Radius-Ip = "10.3.1.22"
PacketFence-KeyBalanced = "4560a08fa197220c3e77d14559e310dc"
Module-Failure-Message = "Rejected: Realm does not have at least one dot separator"
SQL-User-Name = "000fd502a3f2@packetfence"

The RADIUS reply remains empty.

Can someone help me on this?

Best,
Lukas


Re: [PacketFence-users] MAC Authentication help pls

2022-04-26 Thread Zammit, Ludovic via PacketFence-users
Hello Jose,

I think you are correct.

Thanks,

Ludovic Zammit
Product Support Engineer Principal

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Apr 25, 2022, at 8:09 AM, José Ramos via PacketFence-users 
>  wrote:
> 
> I tried with another switch (Cisco SMB) and this worked so I think that this
> is a switch problem. Maybe this is because it is a virtualized switch.
>
>
> On Sun, Apr 24, 2022 at 7:15 PM José Ramos wrote:
> Here is the switch configuration (testing so almost empty :))
> aaa new-model
> !
> !
> aaa group server radius packetfence
>  server 192.168.1.100 auth-port 1812 acct-port 1813
> !
> aaa authentication login default local
> aaa authentication dot1x default group packetfence
> aaa authorization network default group packetfence
> !
> !
> !
> !
> aaa server radius dynamic-author
>  client 192.168.1.100 server-key x
>  port 3799
> !
> aaa session-id common
> no ip icmp rate-limit unreachable
> !
> ip cef
> !
> !
> no ip domain-lookup
> no ipv6 cef
> ipv6 multicast rpf use-bgp
> !
> !
> dot1x system-auth-control
> !
> !
> !
> !
> !
> spanning-tree mode pvst
> spanning-tree extend system-id
> !
> !
> !
> !
> vlan internal allocation policy ascending
> !
> ip tcp synwait-time 5
> !
> !
> !
> !
> !
> !
> !
> !
> !
> interface Ethernet0/0
>  switchport trunk encapsulation dot1q
>  switchport mode trunk
>  duplex auto
> !
> interface Ethernet0/1
>  duplex auto
> !
> interface Ethernet0/2
>  switchport mode access
>  duplex auto
>  authentication order mab dot1x
>  authentication priority mab dot1x
>  authentication port-control auto
>  authentication periodic
>  authentication timer restart 10800
>  authentication timer reauthenticate 10800
>  mab
>  no snmp trap link-status
>  dot1x pae authenticator
>  dot1x timeout quiet-period 10
>  dot1x timeout tx-period 10
> !
> interface Ethernet0/3
>  duplex auto
> !
> interface Ethernet1/0
>  duplex auto
> !
> interface Ethernet1/1
>  duplex auto
> !
> interface Ethernet1/2
>  duplex auto
> !
> interface Ethernet1/3
>  duplex auto
> !
> interface Ethernet2/0
>  duplex auto
> !
> interface Ethernet2/1
>  duplex auto
> !
> interface Ethernet2/2
>  duplex auto
> !
> interface Ethernet2/3
>  duplex auto
> !
> interface Ethernet3/0
>  duplex auto
> !
> interface Ethernet3/1
>  duplex auto
> !
> interface Ethernet3/2
>  duplex auto
> !
> interface Ethernet3/3
>  duplex auto
> !
> interface Vlan1
>  ip address 192.168.10.10 255.255.255.0
> !
> interface Vlan20
>  no ip address
>  ip helper-address 192.168.1.100
>  shutdown
> !
> !
> no ip http server
> !
> ip route 0.0.0.0 0.0.0.0 192.168.10.254
> !
> !
> !
> snmp-server community public RO
> snmp-server community private RW
> !
> radius-server host 192.168.1.100 auth-port 1812 acct-port 1813 timeout 2 key x
> radius-server vsa send authentication
> !
> !
> control-plane
> !
> !
> line con 0
>  exec-timeout 0 0
>  privilege level 15
>  logging synchronous
> line aux 0
>  exec-timeout 0 0
>  privilege level 15
>  logging synchronous
> line vty 0 4
> !
> end
> 
> 
> On Sun, Apr 24, 2022 at 2:11 PM rein--- via PacketFence-users wrote:
> please paste your config on the switchport and the general settings on the 
> switch. 
> 
> you can also use the log (sh log) to see what happens when you plug in 
> something in the switch.
> 
> April 21, 2022 8:30 AM, "José Ramos via PacketFence-users" wrote:
> Hello dear PacketFence users and developers !
> I have successfully configured PacketFence with 802.1x (PF directly connected
> on the switch to manage).
> But I can't figure out how to do MAC authentication. I have enabled MAB on my
> Cisco switch and registered the MAC address in the node tab. But nothing 
> happens when I connect the device. I'm not put in the registration/isolation 
> vlan and have no access to corporate network (which is logical since I 
> enabled MAB).
> Can someone help me pls ?
> Thank you in advance !
> José Ramos.
> 
> 

Re: [PacketFence-users] MAC Authentication help pls

2022-04-26 Thread José Ramos via PacketFence-users
I tried with another switch (Cisco SMB) and this worked so I think that
this is a switch problem. Maybe this is because it is a virtualized switch.


On Sun, Apr 24, 2022 at 7:15 PM José Ramos 
wrote:

> Here is the switch configuration (testing so almost empty :))
> aaa new-model
> !
> !
> aaa group server radius packetfence
>  server 192.168.1.100 auth-port 1812 acct-port 1813
> !
> aaa authentication login default local
> aaa authentication dot1x default group packetfence
> aaa authorization network default group packetfence
> !
> !
> !
> !
> aaa server radius dynamic-author
>  client 192.168.1.100 server-key x
>  port 3799
> !
> aaa session-id common
> no ip icmp rate-limit unreachable
> !
> ip cef
> !
> !
> no ip domain-lookup
> no ipv6 cef
> ipv6 multicast rpf use-bgp
> !
> !
> dot1x system-auth-control
> !
> !
> !
> !
> !
> spanning-tree mode pvst
> spanning-tree extend system-id
> !
> !
> !
> !
> vlan internal allocation policy ascending
> !
> ip tcp synwait-time 5
> !
> !
> !
> !
> !
> !
> !
> !
> !
> interface Ethernet0/0
>  switchport trunk encapsulation dot1q
>  switchport mode trunk
>  duplex auto
> !
> interface Ethernet0/1
>  duplex auto
> !
> interface Ethernet0/2
>  switchport mode access
>  duplex auto
>  authentication order mab dot1x
>  authentication priority mab dot1x
>  authentication port-control auto
>  authentication periodic
>  authentication timer restart 10800
>  authentication timer reauthenticate 10800
>  mab
>  no snmp trap link-status
>  dot1x pae authenticator
>  dot1x timeout quiet-period 10
>  dot1x timeout tx-period 10
> !
> interface Ethernet0/3
>  duplex auto
> !
> interface Ethernet1/0
>  duplex auto
> !
> interface Ethernet1/1
>  duplex auto
> !
> interface Ethernet1/2
>  duplex auto
> !
> interface Ethernet1/3
>  duplex auto
> !
> interface Ethernet2/0
>  duplex auto
> !
> interface Ethernet2/1
>  duplex auto
> !
> interface Ethernet2/2
>  duplex auto
> !
> interface Ethernet2/3
>  duplex auto
> !
> interface Ethernet3/0
>  duplex auto
> !
> interface Ethernet3/1
>  duplex auto
> !
> interface Ethernet3/2
>  duplex auto
> !
> interface Ethernet3/3
>  duplex auto
> !
> interface Vlan1
>  ip address 192.168.10.10 255.255.255.0
> !
> interface Vlan20
>  no ip address
>  ip helper-address 192.168.1.100
>  shutdown
> !
> !
> no ip http server
> !
> ip route 0.0.0.0 0.0.0.0 192.168.10.254
> !
> !
> !
> snmp-server community public RO
> snmp-server community private RW
> !
> radius-server host 192.168.1.100 auth-port 1812 acct-port 1813 timeout 2 key x
> radius-server vsa send authentication
> !
> !
> control-plane
> !
> !
> line con 0
>  exec-timeout 0 0
>  privilege level 15
>  logging synchronous
> line aux 0
>  exec-timeout 0 0
>  privilege level 15
>  logging synchronous
> line vty 0 4
> !
> end
>
>
> On Sun, Apr 24, 2022 at 2:11 PM rein--- via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> please paste your config on the switchport and the general settings on
>> the switch.
>>
>> you can also use the log (sh log) to see what happens when you plug in
>> something in the switch.
>>
>> April 21, 2022 8:30 AM, "José Ramos via PacketFence-users" <
>> packetfence-users@lists.sourceforge.net
>> >
>> wrote:
>>
>> Hello dear PacketFence users and developers !
>> I have successfully configured PacketFence with 802.1x (PF directly
>> connected on the switch to manage).
>> But I can't figure out how to do MAC authentication. I have enabled MAB
>> on my Cisco switch and registered the MAC address in the node tab. But
>> nothing happens when I connect the device. I'm not put in the
>> registration/isolation vlan and have no access to corporate network (which
>> is logical since I enabled MAB).
>> Can someone help me pls ?
>> Thank you in advance !
>> José Ramos.
>>
>>
>>


Re: [PacketFence-users] MAC Authentication help pls

2022-04-24 Thread José Ramos via PacketFence-users
Here is the switch configuration (testing so almost empty :))
aaa new-model
!
!
aaa group server radius packetfence
 server 192.168.1.100 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication dot1x default group packetfence
aaa authorization network default group packetfence
!
!
!
!
aaa server radius dynamic-author
 client 192.168.1.100 server-key x
 port 3799
!
aaa session-id common
no ip icmp rate-limit unreachable
!
ip cef
!
!
no ip domain-lookup
no ipv6 cef
ipv6 multicast rpf use-bgp
!
!
dot1x system-auth-control
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 duplex auto
!
interface Ethernet0/1
 duplex auto
!
interface Ethernet0/2
 switchport mode access
 duplex auto
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 authentication periodic
 authentication timer restart 10800
 authentication timer reauthenticate 10800
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout quiet-period 10
 dot1x timeout tx-period 10
!
interface Ethernet0/3
 duplex auto
!
interface Ethernet1/0
 duplex auto
!
interface Ethernet1/1
 duplex auto
!
interface Ethernet1/2
 duplex auto
!
interface Ethernet1/3
 duplex auto
!
interface Ethernet2/0
 duplex auto
!
interface Ethernet2/1
 duplex auto
!
interface Ethernet2/2
 duplex auto
!
interface Ethernet2/3
 duplex auto
!
interface Ethernet3/0
 duplex auto
!
interface Ethernet3/1
 duplex auto
!
interface Ethernet3/2
 duplex auto
!
interface Ethernet3/3
 duplex auto
!
interface Vlan1
 ip address 192.168.10.10 255.255.255.0
!
interface Vlan20
 no ip address
 ip helper-address 192.168.1.100
 shutdown
!
!
no ip http server
!
ip route 0.0.0.0 0.0.0.0 192.168.10.254
!
!
!
snmp-server community public RO
snmp-server community private RW
!
radius-server host 192.168.1.100 auth-port 1812 acct-port 1813 timeout 2 key x
radius-server vsa send authentication
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
!
end


On Sun, Apr 24, 2022 at 2:11 PM rein--- via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> please paste your config on the switchport and the general settings on the
> switch.
>
> you can also use the log (sh log) to see what happens when you plug in
> something in the switch.
>
> April 21, 2022 8:30 AM, "José Ramos via PacketFence-users" <
> packetfence-users@lists.sourceforge.net
> >
> wrote:
>
> Hello dear PacketFence users and developers !
> I have successfully configured PacketFence with 802.1x (PF directly
> connected on the switch to manage).
> But I can't figure out how to do MAC authentication. I have enabled MAB on
> my Cisco switch and registered the MAC address in the node tab. But nothing
> happens when I connect the device. I'm not put in the
> registration/isolation vlan and have no access to corporate network (which
> is logical since I enabled MAB).
> Can someone help me pls ?
> Thank you in advance !
> José Ramos.
>
>
>


Re: [PacketFence-users] MAC Authentication help pls

2022-04-24 Thread rein--- via PacketFence-users
please paste your config on the switchport and the general settings on the 
switch. 

you can also use the log (sh log) to see what happens when you plug in 
something in the switch.

April 21, 2022 8:30 AM, "José Ramos via PacketFence-users" wrote:
Hello dear PacketFence users and developers !
I have successfully configured PacketFence with 802.1x (PF directly connected 
on the switch to manage). 
But I can't figure out how to do MAC authentication. I have enabled MAB on my 
Cisco switch and registered the MAC address in the node tab. But nothing 
happens when I connect the device. I'm not put in the registration/isolation 
vlan and have no access to corporate network (which is logical since I enabled 
MAB). 
Can someone help me pls ? 
Thank you in advance ! 
José Ramos.


Re: [PacketFence-users] MAC Authentication help pls

2022-04-24 Thread Zammit, Ludovic via PacketFence-users
Hello Jose,

Please post here the switch port configuration.

Thanks,

Ludovic Zammit
Product Support Engineer Principal

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


> On Apr 21, 2022, at 2:30 AM, José Ramos via PacketFence-users 
>  wrote:
> 
> Hello dear PacketFence users and developers !
> I have successfully configured PacketFence with 802.1x (PF directly connected 
> on the switch to manage).
> 
> But I can't figure out how to do MAC authentication. I have enabled MAB on my 
> Cisco switch and registered the MAC address in the node tab. But nothing 
> happens when I connect the device. I'm not put in the registration/isolation 
> vlan and have no access to corporate network (which is logical since I 
> enabled MAB).
> 
> Can someone help me pls ?
> Thank you in advance !
> 
> José Ramos.





[PacketFence-users] MAC Authentication help pls

2022-04-22 Thread José Ramos via PacketFence-users
Hello dear PacketFence users and developers !
I have successfully configured PacketFence with 802.1x (PF directly
connected on the switch to manage).

But I can't figure out how to do MAC authentication. I have enabled MAB on
my Cisco switch and registered the MAC address in the node tab. But nothing
happens when I connect the device. I'm not put in the
registration/isolation vlan and have no access to corporate network (which
is logical since I enabled MAB).

Can someone help me pls ?
Thank you in advance !

José Ramos.


Re: [PacketFence-users] MAC Authentication Rejected

2020-01-07 Thread Ryan Radschlag via PacketFence-users
Hmm. Pretty sure I had it disabled but I will test it again to make
sure.

Thanks!
-Ryan





>>> Durand fabrice via PacketFence-users
 1/5/2020 3:14 PM >>>
Hello Ryan,

It looks like you enabled autoregister on the connection profile.
Disable it and retry.
Regards
Fabrice

On 19-12-25 at 10:08, Ryan Radschlag via PacketFence-users wrote:


We're trying to get down to having one open ssid, having people be
dumped into the registration vlan by default, sending them to the
captive portal if not yet registered, and then having packetfence put
people in the correct vlans after registering their node. So I have
unrouted isolation and registration vlans directly attached to
packetfence/wlan controller and then the other vlans are only attached
to the wlan controller. 
I have a mac blacklist enabled on the wlan controller to force it to do
a RADIUS request to packetfence for authentication. If I disable that
I'm directed to the portal (no RADIUS requests though, which is as it
should be) so I know I'm on the correct vlan and the nodes can see the
packetfence server.

So, I connect to the wireless network. And I see the wlan controller
send the radius request with the mac address of the machine as the
username and the mac address as the password. But then I see packetfence
send a reject message to the wlan controller. When I look in the web
interface under the RADIUS audit log. All of the requests from nodes
that are supposed to be mac based authentication don't have anything in
the mac address field or the Calling-Station-Id field and you see the
[mac:[undef]] in the packetfence.log. My question is, should the fields
be populated by the mac address when doing mac auth or am I looking in
the wrong direction? Is packetfence parsing the RADIUS request
incorrectly? Is there a way to do a rewrite and graft the username into
the mac address/calling-station-id field if that is the case? If I do
802.1x auth, the mac address and calling-station-id fields are populated
correctly. I've included the packetfence and radius logs below.

RADIUS.LOG:
Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_sql (sql): Closing connection
(0): Hit idle_timeout, was idle for 383 seconds
Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_sql (sql): Closing connection
(2): Hit idle_timeout, was idle for 383 seconds
Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_sql (sql): Closing connection
(1): Hit idle_timeout, was idle for 383 seconds
Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_sql (sql): Opening additional
connection (3), 1 of 64 pending slots used
Dec 24 10:37:42 hsd-pf-1 auth[12979]: Need 2 more connections to reach
min connections (3)
Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_sql (sql): Opening additional
connection (4), 1 of 63 pending slots used
Dec 24 10:37:42 hsd-pf-1 auth[12979]: Adding client *REDACTED*
Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_rest (rest): Closing
connection (0): Hit idle_timeout, was idle for 383 seconds
Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_rest (rest): Closing
connection (1): Hit idle_timeout, was idle for 383 seconds
Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_rest (rest): Opening
additional connection (2), 1 of 64 pending slots used
Dec 24 10:37:42 hsd-pf-1 auth[12979]: (28) rest: ERROR: Server
returned:
Dec 24 10:37:42 hsd-pf-1 auth[12979]: (28) rest:
ERROR:{"control:PacketFence-Authorization-Status":"allow","Reply-Message":"Authentication
failed on PacketFence"}
Dec 24 10:37:42 hsd-pf-1 auth[12979]: Need 2 more connections to reach
min connections (3)
Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_rest (rest): Opening
additional connection (3), 1 of 63 pending slots used
Dec 24 10:37:42 hsd-pf-1 auth[12979]: [mac:] Rejected user:
a8:1d:16:7d:c8:11
Dec 24 10:37:42 hsd-pf-1 auth[12979]: (28) Rejected in post-auth:
[a8:1d:16:7d:c8:11] (from client *REDACTED* port 0)
Dec 24 10:37:42 hsd-pf-1 auth[12979]: (28) Login incorrect (rest:
Server returned:): [a8:1d:16:7d:c8:11] (from client *REDACTED* port 0)

PACKETFENCE.LOG
Dec 24 10:37:42 hsd-pf-1 packetfence_httpd.aaa: httpd.aaa(2339) WARN:
[mac:[undef]] Trying to match IP address with an invalid MAC address
'undef' (pf::ip4log::mac2ip)
Dec 24 10:37:42 hsd-pf-1 packetfence_httpd.aaa: httpd.aaa(2339) INFO:
[mac:[undef]] 

Re: [PacketFence-users] MAC Authentication Rejected

2020-01-05 Thread Durand fabrice via PacketFence-users

Hello Ryan,


It looks like you enabled autoregister on the connection profile.

Disable it and retry.

Regards

Fabrice


On 19-12-25 at 10:08, Ryan Radschlag via PacketFence-users wrote:
We're trying to get down to having one open ssid, having people be 
dumped into the registration vlan by default, sending them to the 
captive portal if not yet registered, and then having packetfence put 
people in the correct vlans after registering their node. So I have 
unrouted isolation and registration vlans directly attached to 
packetfence/wlan controller and then the other vlans are only attached 
to the wlan controller.
I have a mac blacklist enabled on the wlan controller to force it to 
do a RADIUS request to packetfence for authentication. If I disable 
that I'm directed to the portal (no RADIUS requests though, which is 
as it should be) so I know I'm on the correct vlan and the nodes can 
see the packetfence server.


So, I connect to the wireless network. And I see the wlan controller 
send the radius request with the mac address of the machine as the 
username and the mac address as the password. But then I see 
packetfence send a reject message to the wlan controller. When I look 
in the web interface under the RADIUS audit log. All of the requests 
from nodes that are supposed to be mac based authentication don't have 
anything in the mac address field or the Calling-Station-Id field and 
you see the [mac:[undef]] in the packetfence.log. My question is, 
should the fields be populated by the mac address when doing mac auth 
or am I looking in the wrong direction? Is packetfence parsing the 
RADIUS request incorrectly? Is there a way to do a rewrite and graft 
the username into the mac address/calling-station-id field if that is 
the case? If I do 802.1x auth, the mac address and calling-station-id 
fields are populated correctly. I've included the packetfence and 
radius logs below.


RADIUS.LOG:
Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_sql (sql): Closing 
connection (0): Hit idle_timeout, was idle for 383 seconds
Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_sql (sql): Closing 
connection (2): Hit idle_timeout, was idle for 383 seconds
Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_sql (sql): Closing 
connection (1): Hit idle_timeout, was idle for 383 seconds
Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_sql (sql): Opening 
additional connection (3), 1 of 64 pending slots used
Dec 24 10:37:42 hsd-pf-1 auth[12979]: Need 2 more connections to reach 
min connections (3)
Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_sql (sql): Opening 
additional connection (4), 1 of 63 pending slots used

Dec 24 10:37:42 hsd-pf-1 auth[12979]: Adding client *REDACTED*
Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_rest (rest): Closing 
connection (0): Hit idle_timeout, was idle for 383 seconds
Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_rest (rest): Closing 
connection (1): Hit idle_timeout, was idle for 383 seconds
Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_rest (rest): Opening 
additional connection (2), 1 of 64 pending slots used

Dec 24 10:37:42 hsd-pf-1 auth[12979]: (28) rest: ERROR: Server returned:
Dec 24 10:37:42 hsd-pf-1 auth[12979]: (28) rest: ERROR: 
{"control:PacketFence-Authorization-Status":"allow","Reply-Message":"Authentication 
failed on PacketFence"}
Dec 24 10:37:42 hsd-pf-1 auth[12979]: Need 2 more connections to reach 
min connections (3)
Dec 24 10:37:42 hsd-pf-1 auth[12979]: rlm_rest (rest): Opening 
additional connection (3), 1 of 63 pending slots used
Dec 24 10:37:42 hsd-pf-1 auth[12979]: [mac:] Rejected user: 
a8:1d:16:7d:c8:11
Dec 24 10:37:42 hsd-pf-1 auth[12979]: (28) Rejected in post-auth: 
[a8:1d:16:7d:c8:11] (from client *REDACTED* port 0)
Dec 24 10:37:42 hsd-pf-1 auth[12979]: (28) Login incorrect (rest: 
Server returned:): [a8:1d:16:7d:c8:11] (from client *REDACTED* port 0)


PACKETFENCE.LOG
Dec 24 10:37:42 hsd-pf-1 packetfence_httpd.aaa: httpd.aaa(2339) WARN: 
[mac:[undef]] Trying to match IP address with an invalid MAC address 
'undef' (pf::ip4log::mac2ip)
Dec 24 10:37:42 hsd-pf-1 packetfence_httpd.aaa: httpd.aaa(2339) INFO: 
[mac:[undef]] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Dec 24 10:37:42 hsd-pf-1 packetfence_httpd.aaa: httpd.aaa(2339) INFO: 
[mac:[undef]] Found authentication source(s) : 'local,file1,LDAP-1' 
for realm 'null' (pf::config::util::filter_authentication_sources)
Dec 24 10:37:42 hsd-pf-1 packetfence_httpd.aaa: httpd.aaa(2339) INFO: 
[mac:[undef]] LDAP testing connection (pf::LDAP::expire_if)
Dec 24 10:37:42 hsd-pf-1 packetfence_httpd.aaa: httpd.aaa(2339) WARN: 
[mac:[undef]] [LDAP-1] No entries found (0) with filter 
(cn=a8:1d:16:7d:c8:11) from o=*REDACTED* on *REDACTED*:636 
(pf::Authentication::Source::LDAPSource::authenticate)
Dec 24 10:37:42 hsd-pf-1 packetfence_httpd.aaa: httpd.aaa(2339) INFO: 
[mac:[undef]] User a8:1d:16:7d:c8:11 tried to login in 
00:50:56:8f:b0:a6 but authentication failed (pf::radius::switch_access)



Any pointers would be 
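
The symptom described in this message (a MAC-shaped User-Name while PacketFence logs `[mac:[undef]]`) can be picked out of the logs mechanically. The following is an added example, not part of the original thread or of PacketFence; the function names are hypothetical and the sample lines are copied from the log excerpts quoted on this page, mail line wraps included.

```python
import re
from collections import Counter

# Lines copied from the radius.log / packetfence.log excerpts quoted in this
# thread, keeping the hard wraps the mail clients introduced.
SAMPLE_LOG = """\
Dec 24 10:37:42 hsd-pf-1 auth[12979]: [mac:] Rejected user:
a8:1d:16:7d:c8:11
Dec 24 10:37:42 hsd-pf-1 packetfence_httpd.aaa: httpd.aaa(2339) WARN:
[mac:[undef]] [LDAP-1] No entries found (0) with filter
(cn=a8:1d:16:7d:c8:11) from o=*REDACTED* on *REDACTED*:636
(pf::Authentication::Source::LDAPSource::authenticate)
Dec 24 10:37:42 hsd-pf-1 packetfence_httpd.aaa: httpd.aaa(2339) INFO:
[mac:[undef]] User a8:1d:16:7d:c8:11 tried to login in
00:50:56:8f:b0:a6 but authentication failed (pf::radius::switch_access)
Oct 17 15:54:00 censvnac auth[12460]: (854) Login OK:
[f0-de-f1-3c-7b-c3@macauth.local] (from client 172.18.1.19 port 16842869
cli f0:de:f1:3c:7b:c3)
Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262) INFO:
[mac:f0:de:f1:3c:7b:c3] handling radius autz request: from switch_ip =>
(172.18.1.19), connection_type => WIRED_MAC_AUTH,switch_mac => (Unknown),
mac => [f0:de:f1:3c:7b:c3], port => 16, username =>
"f0-de-f1-3c-7b-c3@macauth.local" (pf::radius::authorize)
"""

RECORD_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
# The per-request MAC that both logs print as a prefix: a MAC, empty, or [undef].
MAC_CONTEXT = re.compile(r"\[mac:(\[undef\]|[0-9A-Fa-f:]*)\]")
# Places where the RADIUS User-Name shows up in the quoted log lines.
USERNAME_PATTERNS = [
    re.compile(r"Rejected user:\s+(\S+)"),
    re.compile(r"User (\S+) tried to login"),
    re.compile(r'username => "([^"]+)"'),
    re.compile(r"with filter \(cn=([^)]+)\)"),
]


def unwrap(text):
    """Rejoin wrapped continuation lines onto the syslog record they belong to."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def normalize_mac(token):
    """Return aa:bb:cc:dd:ee:ff for a MAC-shaped token, else None."""
    local = token.split("@", 1)[0]          # drop a realm such as @macauth.local
    digits = re.sub(r"[-:.]", "", local).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify(record):
    """Return (verdict, user_mac) for one record, or None if it is not relevant."""
    ctx = MAC_CONTEXT.search(record)
    if ctx is None:
        return None
    user = None
    for pattern in USERNAME_PATTERNS:
        match = pattern.search(record)
        if match:
            user = normalize_mac(match.group(1))
            break
    if user is None:                         # User-Name is not MAC-shaped
        return None
    logged = normalize_mac(ctx.group(1))     # None for "" and "[undef]"
    if logged is None:
        return ("mac-missing", user)
    return ("mac-ok", user) if logged == user else ("mac-mismatch", user)


def triage(text):
    """Classify every relevant record in a block of log text."""
    return [c for c in map(classify, unwrap(text)) if c is not None]


def summary(text):
    """Count verdicts across the log text."""
    return Counter(verdict for verdict, _ in triage(text))


if __name__ == "__main__":
    for verdict, mac in triage(SAMPLE_LOG):
        print(verdict, mac)
```

A `mac-missing` verdict means the request carried a MAC as its user name but PacketFence had no MAC for the request; `mac-ok` is the pattern seen in the working HP log lines.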

Re: [PacketFence-users] MAC Authentication fails on hp 1920

2018-10-26 Thread Oscar Nogales via PacketFence-users
Hi Fabrice,

Yes, if I configure VLAN 3 directly on the port, I receive an IP address.

Yesterday I finally found the problem: it was the "mac-vlan enable"
attribute on the interface. This setting does exactly the opposite:
if it is enabled, the switch does not assign the VLAN to the port. I just
removed this setting, and MAB started to work. So the correct
configuration per interface is:

interface GigabitEthernet1/0/16
 port link-type hybrid
 port hybrid vlan 1 3 117 untagged
 port hybrid pvid vlan 117
 stp edged-port enable
 mac-authentication max-user 2
 mac-authentication host-mode multi-vlan
 port-security port-mode userlogin-secure-or-mac
 dot1x re-authenticate
 dot1x guest-vlan 117
 undo dot1x handshake
 undo dot1x multicast-trigger

So now I have a full 802.1x and MAC authentication failover working
perfectly on HP1920 switches.

I hope that my configuration will help others with the same problem.

Regards.
--
Oscar Nogales
Communications and Security Specialist
Infrastructure Management
Brújula
Tel. 971.433.909 – Fax. 971.433.910
Twitter: @brujula_talk

www.facebook.com/brujula.es
www.brujula.es



On Fri, Oct 26, 2018 at 3:27, Durand fabrice via PacketFence-users (<
packetfence-users@lists.sourceforge.net>) wrote:

> Hello Oscar,
>
> what happen if you configure a switch port in the vlan 3 and you plug a
> device in, does it receive an ip address ?
>
> Regards
>
> Fabrice
>
>
> On 18-10-24 at 05:58, Oscar Nogales via PacketFence-users wrote:
>
> Hi !
>
> anyone with this switch model that has a working 802.1x+MAB with
> packetfence ?
>
> I have a 5 floor building with this model and I need to make it work.
>
> Thanks.
>
> --
> Oscar Nogales
> Communications and Security Specialist
>
>
> On Wed, Oct 17, 2018 at 17:25, Oscar Nogales wrote:
>
>> Hi everyone,
>>
>> I'm working on a NAC deployment with Packetfence in offline mode. I have
>> working the 802.1x authentication, but I want to do the MAC address
>> authentication failover in case no 802.1x agent is connected to the switch.
>>
>> All my switches are HPE V1910-48G Switch with Software Version Release
>> 1519P03 (last version on HP website).
>>
>> Apparently all is working: the switch send to the packetfence the mac
>> address as username and password, the radius authenticates it correctly and
>> send back the response with the correct attributes:
>> Tunnel-Type = VLAN
>> Tunnel-Private-Group-Id = "3"
>> Tunnel-Medium-Type = IEEE-802
>>
>> The switch register on its log that the user is authenticated and the
>> vlan is 3. But the pc has no connection, doesn't get any IP by DHCP (there
>> is dhcp on vlan 3) or if I configure a static ip address, I cannot reach
>> any other IP on the vlan (is like if the switch blocks my packets).
>>
>> This is the configuration of the HP Switch:
>>
>> #
>>
>>  port-security enable
>>
>> #
>>
>>  dot1x timer tx-period 10
>>
>>  dot1x timer supp-timeout 10
>>
>>  dot1x authentication-method eap
>>
>> #
>>
>> #
>>
>>  mac-authentication domain macauth.local
>>
>>  mac-authentication user-name-format mac-address with-hyphen
>>
>> #
>>
>> domain macauth.local
>>
>> authentication default radius-scheme radiusnac
>>
>> authentication lan-access radius-scheme radiusnac
>>
>> authorization lan-access radius-scheme radiusnac
>>
>> access-limit disable
>>
>> state active
>>
>> idle-cut disable
>>
>> self-service-url disable
>>
>> #
>>
>> domain mydomain
>>
>>  authentication lan-access radius-scheme radiusnac
>>
>>  authorization lan-access radius-scheme radiusnac
>>
>>  access-limit disable
>>
>>  state active
>>
>>  idle-cut disable
>>
>>  self-service-url disable
>>
>> #
>>
>> radius scheme radiusnac
>>
>>  primary authentication 10.0.10.220
>>
>>  key authentication cipher
>> $c$3$ZFDWjqDlNi7UGtNNLnrRiL+w/7MTioLgW3p0Ds1617Xc
>>
>>  security-policy-server 10.0.10.220
>>
>>  user-name-format keep-original
>>
>>  nas-ip 172.18.1.19
>>
>> #
>>
>> #
>>
>> interface GigabitEthernet1/0/16
>>
>>  port link-type hybrid
>>
>>  port hybrid vlan 1 3 117 untagged
>>
>>  port hybrid pvid vlan 117
>>
>>  mac-vlan enable
>>
>>  stp edged-port enable
>>
>>  mac-authentication max-user 2
>>
>>  mac-authentication host-mode multi-vlan
>>
>>  port-security port-mode userlogin-secure-or-mac
>>
>>  dot1x re-authenticate
>>
>>  dot1x guest-vlan 117
>>
>>  undo dot1x handshake
>>
>>  undo dot1x multicast-trigger
>>
>> #
>>
>> snmp-agent community read myreadcommunity
>>
>> snmp-agent community write mywritecommunity mib-view All
>>
>> snmp-agent target-host trap address udp-domain 10.0.10.220 
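
The fix reported at the top of this message (removing `mac-vlan enable` from the port) can be confirmed by comparing the two interface stanzas posted in the thread. The following is an added example, not code from the poster or from PacketFence; the function names are hypothetical, and the rule for recognising a MAC-authentication port is an assumption based only on the commands shown here.

```python
import re

# Stanza as first posted, copied from the quoted message with its mail quote
# markers kept (most of the empty quoted lines between settings are dropped).
BEFORE = """\
>> #
>>
>> interface GigabitEthernet1/0/16
>>
>>  port link-type hybrid
>>  port hybrid vlan 1 3 117 untagged
>>  port hybrid pvid vlan 117
>>  mac-vlan enable
>>  stp edged-port enable
>>  mac-authentication max-user 2
>>  mac-authentication host-mode multi-vlan
>>  port-security port-mode userlogin-secure-or-mac
>>  dot1x re-authenticate
>>  dot1x guest-vlan 117
>>  undo dot1x handshake
>>  undo dot1x multicast-trigger
>> #
"""

# Stanza the poster reports as working, copied from the reply.
AFTER = """\
interface GigabitEthernet1/0/16
 port link-type hybrid
 port hybrid vlan 1 3 117 untagged
 port hybrid pvid vlan 117
 stp edged-port enable
 mac-authentication max-user 2
 mac-authentication host-mode multi-vlan
 port-security port-mode userlogin-secure-or-mac
 dot1x re-authenticate
 dot1x guest-vlan 117
 undo dot1x handshake
 undo dot1x multicast-trigger
"""


def parse_interfaces(text):
    """Return {interface name: [settings]} from pasted switch config text."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).rstrip()   # drop mail quote markers
        if not line.strip():
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())        # indented: belongs to stanza
        else:
            current = None                               # "#" or a top-level command
    return stanzas


def stanza_diff(before, after):
    """Per interface, the settings removed and added between two configs."""
    result = {}
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name, []), after.get(name, [])
        removed = [s for s in old if s not in new]
        added = [s for s in new if s not in old]
        if removed or added:
            result[name] = {"removed": removed, "added": added}
    return result


def uses_mac_auth(settings):
    """Assumed rule: the port has mac-authentication or a MAC port-security mode."""
    for setting in settings:
        if setting.startswith("mac-authentication"):
            return True
        if setting.startswith("port-security port-mode") and "mac" in setting:
            return True
    return False


def mac_auth_ports_with_mac_vlan(stanzas):
    """Interfaces that combine MAC authentication with 'mac-vlan enable'."""
    return [name for name, settings in sorted(stanzas.items())
            if uses_mac_auth(settings) and "mac-vlan enable" in settings]


if __name__ == "__main__":
    before, after = parse_interfaces(BEFORE), parse_interfaces(AFTER)
    print(stanza_diff(before, after))
    print(mac_auth_ports_with_mac_vlan(before))
```

Running `mac_auth_ports_with_mac_vlan` over a full pasted configuration lists every port that still carries the combination this poster found to block VLAN assignment.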

Re: [PacketFence-users] MAC Authentication fails on hp 1920

2018-10-25 Thread Durand fabrice via PacketFence-users

Hello Oscar,

what happen if you configure a switch port in the vlan 3 and you plug a 
device in, does it receive an ip address ?


Regards

Fabrice


On 18-10-24 at 05:58, Oscar Nogales via PacketFence-users wrote:

Hi !

anyone with this switch model that has a working 802.1x+MAB with 
packetfence ?


I have a 5 floor building with this model and I need to make it work.

Thanks.

--
Oscar Nogales
Communications and Security Specialist


On Wed, Oct 17, 2018 at 17:25, Oscar Nogales wrote:


Hi everyone,

I'm working on a NAC deployment with Packetfence in offline mode.
I have working the 802.1x authentication, but I want to do the MAC
address authentication failover in case no 802.1x agent is
connected to the switch.

All my switches are HPE V1910-48G Switch with Software Version
Release 1519P03 (last version on HP website).

Apparently all is working: the switch send to the packetfence the
mac address as username and password, the radius authenticates it
correctly and send back the response with the correct attributes:
Tunnel-Type = VLAN
Tunnel-Private-Group-Id = "3"
Tunnel-Medium-Type = IEEE-802

The switch register on its log that the user is authenticated and
the vlan is 3. But the pc has no connection, doesn't get any IP by
DHCP (there is dhcp on vlan 3) or if I configure a static ip
address, I cannot reach any other IP on the vlan (is like if the
switch blocks my packets).

This is the configuration of the HP Switch:

#

 port-security enable

#

 dot1x timer tx-period 10

 dot1x timer supp-timeout 10

 dot1x authentication-method eap

#

#

 mac-authentication domain macauth.local

 mac-authentication user-name-format mac-address with-hyphen

#

domain macauth.local

authentication default radius-scheme radiusnac

authentication lan-access radius-scheme radiusnac

authorization lan-access radius-scheme radiusnac

access-limit disable

state active

idle-cut disable

self-service-url disable

#

domain mydomain

 authentication lan-access radius-scheme radiusnac

 authorization lan-access radius-scheme radiusnac

 access-limit disable

 state active

 idle-cut disable

 self-service-url disable

#

radius scheme radiusnac

 primary authentication 10.0.10.220

 key authentication cipher
$c$3$ZFDWjqDlNi7UGtNNLnrRiL+w/7MTioLgW3p0Ds1617Xc

 security-policy-server 10.0.10.220

 user-name-format keep-original

 nas-ip 172.18.1.19

#

#

interface GigabitEthernet1/0/16

 port link-type hybrid

 port hybrid vlan 1 3 117 untagged

 port hybrid pvid vlan 117

 mac-vlan enable

 stp edged-port enable

 mac-authentication max-user 2

 mac-authentication host-mode multi-vlan

 port-security port-mode userlogin-secure-or-mac

 dot1x re-authenticate

 dot1x guest-vlan 117

 undo dot1x handshake

 undo dot1x multicast-trigger

#

snmp-agent community read myreadcommunity

snmp-agent community write mywritecommunity mib-view All

snmp-agent target-host trap address udp-domain 10.0.10.220 params
securityname NAC v2c

#


And this is the configuration on packetfence:


[172.18.1.19]

description=sw19_test

group=RoverMotta-HP

deauthMethod=SNMP

GR_NAC_Rmotta_vlan20Vlan=20

GR_NAC_Rmotta_vlan3Vlan=3

type=H3C::S5120

cliPwd=supersecurepass

cliUser=admin

cliEnablePwd=megasecurepass

useCoA=N


[group RoverMotta-HP]

description=1910

SNMPCommunityRead=myreadcommunity

SNMPCommunityWrite=mywritecommunity

isolationVlan=118

radiusSecret=RadiusPassword

SNMPVersion=2c

registrationVlan=117

defaultVlan=3


And I show you the logs that shows that the MAB is working:


[radius.log]

Oct 17 15:54:00 censvnac auth[12460]: [mac:f0:de:f1:3c:7b:c3]
Accepted user: and returned VLAN 3

Oct 17 15:54:00 censvnac auth[12460]: (854) Login OK:
[f0-de-f1-3c-7b-c3@macauth.local] (from client 172.18.1.19 port
16842869 cli f0:de:f1:3c:7b:c3)


[packetfence.log]

Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262)
INFO: [mac:f0:de:f1:3c:7b:c3] handling radius autz request: from
switch_ip => (172.18.1.19), connection_type =>
WIRED_MAC_AUTH,switch_mac => (Unknown), mac =>
[f0:de:f1:3c:7b:c3], port => 16, username =>
"f0-de-f1-3c-7b-c3@macauth.local" (pf::radius::authorize)

Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262)
INFO: [mac:f0:de:f1:3c:7b:c3] Instantiate profile 802.1x
(pf::Connection::ProfileFactory::_from_profile)

Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262)
INFO: [mac:f0:de:f1:3c:7b:c3] Connection type is WIRED_MAC_AUTH.
Getting role from node_info 

Re: [PacketFence-users] MAC Authentication fails on hp 1920

2018-10-24 Thread Oscar Nogales via PacketFence-users
Hi !

anyone with this switch model that has a working 802.1x+MAB with
packetfence ?

I have a 5 floor building with this model and I need to make it work.

Thanks.

--
Oscar Nogales
Communications and Security Specialist


On Wed, Oct 17, 2018 at 17:25, Oscar Nogales wrote:

> Hi everyone,
>
> I'm working on a NAC deployment with Packetfence in offline mode. I have
> working the 802.1x authentication, but I want to do the MAC address
> authentication failover in case no 802.1x agent is connected to the switch.
>
> All my switches are HPE V1910-48G Switch with Software Version Release
> 1519P03 (last version on HP website).
>
> Apparently all is working: the switch send to the packetfence the mac
> address as username and password, the radius authenticates it correctly and
> send back the response with the correct attributes:
> Tunnel-Type = VLAN
> Tunnel-Private-Group-Id = "3"
> Tunnel-Medium-Type = IEEE-802
>
> The switch register on its log that the user is authenticated and the vlan
> is 3. But the pc has no connection, doesn't get any IP by DHCP (there is
> dhcp on vlan 3) or if I configure a static ip address, I cannot reach any
> other IP on the vlan (is like if the switch blocks my packets).
>
> This is the configuration of the HP Switch:
>
> #
>
>  port-security enable
>
> #
>
>  dot1x timer tx-period 10
>
>  dot1x timer supp-timeout 10
>
>  dot1x authentication-method eap
>
> #
>
> #
>
>  mac-authentication domain macauth.local
>
>  mac-authentication user-name-format mac-address with-hyphen
>
> #
>
> domain macauth.local
>
> authentication default radius-scheme radiusnac
>
> authentication lan-access radius-scheme radiusnac
>
> authorization lan-access radius-scheme radiusnac
>
> access-limit disable
>
> state active
>
> idle-cut disable
>
> self-service-url disable
>
> #
>
> domain mydomain
>
>  authentication lan-access radius-scheme radiusnac
>
>  authorization lan-access radius-scheme radiusnac
>
>  access-limit disable
>
>  state active
>
>  idle-cut disable
>
>  self-service-url disable
>
> #
>
> radius scheme radiusnac
>
>  primary authentication 10.0.10.220
>
>  key authentication cipher
> $c$3$ZFDWjqDlNi7UGtNNLnrRiL+w/7MTioLgW3p0Ds1617Xc
>
>  security-policy-server 10.0.10.220
>
>  user-name-format keep-original
>
>  nas-ip 172.18.1.19
>
> #
>
> #
>
> interface GigabitEthernet1/0/16
>
>  port link-type hybrid
>
>  port hybrid vlan 1 3 117 untagged
>
>  port hybrid pvid vlan 117
>
>  mac-vlan enable
>
>  stp edged-port enable
>
>  mac-authentication max-user 2
>
>  mac-authentication host-mode multi-vlan
>
>  port-security port-mode userlogin-secure-or-mac
>
>  dot1x re-authenticate
>
>  dot1x guest-vlan 117
>
>  undo dot1x handshake
>
>  undo dot1x multicast-trigger
>
> #
>
> snmp-agent community read myreadcommunity
>
> snmp-agent community write mywritecommunity mib-view All
>
> snmp-agent target-host trap address udp-domain 10.0.10.220 params
> securityname NAC v2c
>
> #
>
>
> And this is the configuration on packetfence:
>
>
> [172.18.1.19]
>
> description=sw19_test
>
> group=RoverMotta-HP
>
> deauthMethod=SNMP
>
> GR_NAC_Rmotta_vlan20Vlan=20
>
> GR_NAC_Rmotta_vlan3Vlan=3
>
> type=H3C::S5120
>
> cliPwd=supersecurepass
>
> cliUser=admin
>
> cliEnablePwd=megasecurepass
>
> useCoA=N
>
>
> [group RoverMotta-HP]
>
> description=1910
>
> SNMPCommunityRead=myreadcommunity
>
> SNMPCommunityWrite=mywritecommunity
>
> isolationVlan=118
>
> radiusSecret=RadiusPassword
>
> SNMPVersion=2c
>
> registrationVlan=117
>
> defaultVlan=3
>
>
> And I show you the logs that shows that the MAB is working:
>
>
> [radius.log]
>
> Oct 17 15:54:00 censvnac auth[12460]: [mac:f0:de:f1:3c:7b:c3] Accepted
> user:  and returned VLAN 3
>
> Oct 17 15:54:00 censvnac auth[12460]: (854) Login OK:
> [f0-de-f1-3c-7b-c3@macauth.local] (from client 172.18.1.19 port 16842869
> cli f0:de:f1:3c:7b:c3)
>
>
> [packetfence.log]
>
> Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262) INFO:
> [mac:f0:de:f1:3c:7b:c3] handling radius autz request: from switch_ip =>
> (172.18.1.19), connection_type => WIRED_MAC_AUTH,switch_mac => (Unknown),
> mac => [f0:de:f1:3c:7b:c3], port => 16, username =>
> "f0-de-f1-3c-7b-c3@macauth.local" (pf::radius::authorize)
>
> Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262) INFO:
> [mac:f0:de:f1:3c:7b:c3] Instantiate profile 802.1x
> (pf::Connection::ProfileFactory::_from_profile)
>
> Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262) INFO:
> [mac:f0:de:f1:3c:7b:c3] Connection type is WIRED_MAC_AUTH. Getting role
> from node_info (pf::role::getRegisteredRole)
>
> Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262) INFO:
> [mac:f0:de:f1:3c:7b:c3] Username was defined
> "f0-de-f1-3c-7b-c3@macauth.local" - returning role 'GR_NAC_Rmotta_vlan3'
> (pf::role::getRegisteredRole)
>
> Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262) INFO:
> [mac:f0:de:f1:3c:7b:c3] PID: "default", Status: reg Returned VLAN:
> (undefined), Role: 

[PacketFence-users] MAC Authentication fails on hp 1920

2018-10-17 Thread Oscar Nogales via PacketFence-users
Hi everyone,

I'm working on a NAC deployment with Packetfence in offline mode. I have
working the 802.1x authentication, but I want to do the MAC address
authentication failover in case no 802.1x agent is connected to the switch.

All my switches are HPE V1910-48G Switch with Software Version Release
1519P03 (last version on HP website).

Apparently all is working: the switch send to the packetfence the mac
address as username and password, the radius authenticates it correctly and
send back the response with the correct attributes:
Tunnel-Type = VLAN
Tunnel-Private-Group-Id = "3"
Tunnel-Medium-Type = IEEE-802

The switch register on its log that the user is authenticated and the vlan
is 3. But the pc has no connection, doesn't get any IP by DHCP (there is
dhcp on vlan 3) or if I configure a static ip address, I cannot reach any
other IP on the vlan (is like if the switch blocks my packets).

This is the configuration of the HP Switch:

#
 port-security enable
#
 dot1x timer tx-period 10
 dot1x timer supp-timeout 10
 dot1x authentication-method eap
#
#
 mac-authentication domain macauth.local
 mac-authentication user-name-format mac-address with-hyphen
#
domain macauth.local
authentication default radius-scheme radiusnac
authentication lan-access radius-scheme radiusnac
authorization lan-access radius-scheme radiusnac
access-limit disable
state active
idle-cut disable
self-service-url disable
#
domain mydomain
 authentication lan-access radius-scheme radiusnac
 authorization lan-access radius-scheme radiusnac
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
radius scheme radiusnac
 primary authentication 10.0.10.220
 key authentication cipher $c$3$ZFDWjqDlNi7UGtNNLnrRiL+w/7MTioLgW3p0Ds1617Xc
 security-policy-server 10.0.10.220
 user-name-format keep-original
 nas-ip 172.18.1.19
#
#
interface GigabitEthernet1/0/16
 port link-type hybrid
 port hybrid vlan 1 3 117 untagged
 port hybrid pvid vlan 117
 mac-vlan enable
 stp edged-port enable
 mac-authentication max-user 2
 mac-authentication host-mode multi-vlan
 port-security port-mode userlogin-secure-or-mac
 dot1x re-authenticate
 dot1x guest-vlan 117
 undo dot1x handshake
 undo dot1x multicast-trigger
#
snmp-agent community read myreadcommunity
snmp-agent community write mywritecommunity mib-view All
snmp-agent target-host trap address udp-domain 10.0.10.220 params securityname NAC v2c
#


And this is the configuration on packetfence:


[172.18.1.19]
description=sw19_test
group=RoverMotta-HP
deauthMethod=SNMP
GR_NAC_Rmotta_vlan20Vlan=20
GR_NAC_Rmotta_vlan3Vlan=3
type=H3C::S5120
cliPwd=supersecurepass
cliUser=admin
cliEnablePwd=megasecurepass
useCoA=N

[group RoverMotta-HP]
description=1910
SNMPCommunityRead=myreadcommunity
SNMPCommunityWrite=mywritecommunity
isolationVlan=118
radiusSecret=RadiusPassword
SNMPVersion=2c
registrationVlan=117
defaultVlan=3


And I show you the logs that shows that the MAB is working:


[radius.log]

Oct 17 15:54:00 censvnac auth[12460]: [mac:f0:de:f1:3c:7b:c3] Accepted
user:  and returned VLAN 3

Oct 17 15:54:00 censvnac auth[12460]: (854) Login OK:
[f0-de-f1-3c-7b-c3@macauth.local] (from client 172.18.1.19 port 16842869
cli f0:de:f1:3c:7b:c3)


[packetfence.log]

Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262) INFO: [mac:f0:de:f1:3c:7b:c3] handling radius autz request: from switch_ip => (172.18.1.19), connection_type => WIRED_MAC_AUTH,switch_mac => (Unknown), mac => [f0:de:f1:3c:7b:c3], port => 16, username => "f0-de-f1-3c-7b-c3@macauth.local" (pf::radius::authorize)

Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262) INFO: [mac:f0:de:f1:3c:7b:c3] Instantiate profile 802.1x (pf::Connection::ProfileFactory::_from_profile)

Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262) INFO: [mac:f0:de:f1:3c:7b:c3] Connection type is WIRED_MAC_AUTH. Getting role from node_info (pf::role::getRegisteredRole)

Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262) INFO: [mac:f0:de:f1:3c:7b:c3] Username was defined "f0-de-f1-3c-7b-c3@macauth.local" - returning role 'GR_NAC_Rmotta_vlan3' (pf::role::getRegisteredRole)

Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262) INFO: [mac:f0:de:f1:3c:7b:c3] PID: "default", Status: reg Returned VLAN: (undefined), Role: GR_NAC_Rmotta_vlan3 (pf::role::fetchRoleForNode)

Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262) INFO: [mac:f0:de:f1:3c:7b:c3] (172.18.1.19) Added VLAN 3 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)

Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262) INFO: [mac:f0:de:f1:3c:7b:c3] violation 133 force-closed for f0:de:f1:3c:7b:c3 (pf::violation::violation_force_close)

Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262) INFO: [mac:f0:de:f1:3c:7b:c3] Instantiate profile 802.1x (pf::Connection::ProfileFactory::_from_profile)

Oct 17 15:54:09 

Re: [PacketFence-users] MAC authentication

2017-10-26 Thread Fabrice Durand via PacketFence-users
Hello Luca,

When you do MAC authentication, PacketFence will return access-accept,
but depending on the status of the device it will return the
registration VLAN or a prod VLAN.

When it returns the registration VLAN, the device will hit the portal
to register.

Regards

Fabrice



On 2017-10-26 at 02:33, Luca Messori via PacketFence-users wrote:
>
> Hi,
>
> I would like to configure MAC authentication via RADIUS for devices
> that are not 802.11x aware.
>
> I don't understand how to do it.
>
> I have Extreme Networks switches that send the MAC address to the RADIUS
> server to try to authenticate it.
>
> I would like PacketFence to reply with an access-accept or access-reject
> based on a MAC list.
>
> Is this possible?
>
> I haven't seen PAP in "RADIUS Authentication Methods" and I haven't
> found a place in which I can create my MAC list.
>
> Have you got a howto for this configuration?
>
> Thanks
>
> Luca Messori

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
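
The behaviour described in this reply can be read back out of packetfence.log. The following is an added example (not from the thread or from PacketFence) that summarizes, per MAC, which VLAN the Access-Accept carried, using the log format and the VLAN numbers 117 and 118 posted earlier in the thread. The sample log is constructed, the second MAC is made up, and treating every other VLAN as production is an assumption.

```python
import re
# VLAN IDs from the [group RoverMotta-HP] section quoted in the thread.
REGISTRATION_VLAN, ISOLATION_VLAN = 117, 118

# Constructed sample in the packetfence.log format shown in the thread, hard-wrapped
# like the mail. The first MAC's values follow the thread; the second MAC is made up.
SAMPLE_LOG = """
Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262) INFO:
[mac:f0:de:f1:3c:7b:c3] handling radius autz request: from switch_ip =>
(172.18.1.19), connection_type => WIRED_MAC_AUTH,switch_mac => (Unknown),
mac => [f0:de:f1:3c:7b:c3], port => 16 (pf::radius::authorize)
Oct 17 15:54:00 censvnac packetfence_httpd.aaa: httpd.aaa(11262) INFO:
[mac:f0:de:f1:3c:7b:c3] (172.18.1.19) Added VLAN 3 to the returned RADIUS
Access-Accept (pf::Switch::returnRadiusAccessAccept)
Oct 17 15:55:10 censvnac packetfence_httpd.aaa: httpd.aaa(11262) INFO:
[mac:02:00:00:00:00:01] handling radius autz request: from switch_ip =>
(172.18.1.19), connection_type => WIRED_MAC_AUTH,switch_mac => (Unknown),
mac => [02:00:00:00:00:01], port => 17 (pf::radius::authorize)
Oct 17 15:55:10 censvnac packetfence_httpd.aaa: httpd.aaa(11262) INFO:
[mac:02:00:00:00:00:01] (172.18.1.19) Added VLAN 117 to the returned RADIUS
Access-Accept (pf::Switch::returnRadiusAccessAccept)
"""

REQ = re.compile(r"\[mac:([0-9a-f:]{17})\] handling radius autz request: "
                 r"from switch_ip => \(([\d.]+)\), connection_type => (\w+)")
VLAN = re.compile(r"\[mac:([0-9a-f:]{17})\] \(([\d.]+)\) Added VLAN (\d+) "
                  r"to the returned RADIUS Access-Accept")

def classify(vlan):
    """Map the VLAN in the Access-Accept to the device state it implies."""
    names = {None: "no-vlan", REGISTRATION_VLAN: "registration", ISOLATION_VLAN: "isolation"}
    return names.get(vlan, "production")

def summarize(log_text):
    """Return {mac: {switch, connection_type, vlan, state}} for each MAC seen."""
    flat = re.sub(r"\s+", " ", log_text)  # undo mail or terminal line wrapping
    out = {}
    for mac, switch, conn in REQ.findall(flat):
        out[mac] = {"switch": switch, "connection_type": conn, "vlan": None}
    for mac, switch, vlan in VLAN.findall(flat):
        entry = out.setdefault(mac, {"switch": switch, "connection_type": None})
        entry["vlan"] = int(vlan)
    for entry in out.values():
        entry["state"] = classify(entry["vlan"])
    return out

def mab_on_production(summary):
    """MACs that reached a production VLAN on MAC authentication alone."""
    return sorted(mac for mac, e in summary.items()
                  if e["connection_type"] == "WIRED_MAC_AUTH" and e["state"] == "production")
```

The list returned by `mab_on_production` is the set of devices admitted on their MAC address alone, which is the list to compare against the inventory of devices expected to use MAB.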



[PacketFence-users] MAC authentication

2017-10-26 Thread Luca Messori via PacketFence-users
Hi,
I would like to configure MAC authentication via RADIUS for devices that are
not 802.11x aware.
I don't understand how to do it.
I have Extreme Networks switches that send the MAC address to the RADIUS server
to try to authenticate it.
I would like PacketFence to reply with an access-accept or access-reject based
on a MAC list.
Is this possible?
I haven't seen PAP in "RADIUS Authentication Methods" and I haven't found a
place in which I can create my MAC list.
Have you got a howto for this configuration?

Thanks

Luca Messori
   Mead Informatica Srl
SEDE - Via G. Ferraris, 2 - 42122 Reggio Emilia
Tel. +39 0522 265800 Tel. amm.ne 0522265940 -  Fax +39 0522 393306
Tel. +39 049 8702540   Fax +39 049 8706249

   http://www.meadinformatica.it