Re: [PacketFence-users] MikroTik dot1x (Ethernet not WiFi)

2021-05-18 Thread David Herselman via PacketFence-users
Hi again,

Enabling debugging on the router appears to reveal my problem:
22:18:30 radius,debug,packet received Access-Accept with id 128 from 
192.168.55.55:1812
22:18:30 radius,debug,packet Signature = 0x
22:18:30 radius,debug,packet User-Name = "REDACTED\davidh"
22:18:30 radius,debug,packet MT-Wireless-VLAN-ID-Type = 0
22:18:30 radius,debug,packet MT-Wireless-VLAN-ID = 666
22:18:30 radius,debug,packet MS-MPPE-Recv-Key = 
0x
22:18:30 radius,debug,packet   
22:18:30 radius,debug,packet   
22:18:30 radius,debug,packet   6abe
22:18:30 radius,debug,packet MS-MPPE-Send-Key = 
0x
22:18:30 radius,debug,packet   
22:18:30 radius,debug,packet   
22:18:30 radius,debug,packet   6cbc
22:18:30 radius,debug,packet EAP-Message = 0x030b0004
22:18:30 radius,debug,packet Message-Authenticator = 
0x
22:18:30 radius,debug received reply for 82:3e
22:18:30 dot1x,packet s ether4 tx EAPOL-Packet EAP-Success id:11
22:18:30 dot1x,debug s ether4 "REDACTED\davidh" authorized
22:18:30 dot1x,debug s ether4 UNBLOCK

I had very simply added the following to the Mikrotik.pm file in 
/usr/local/pf/lib/Switch:
[admin@packetfence2 ~]# diff -uNr Mikrotik.pm.orig 
/usr/local/pf/lib/pf/Switch/Mikrotik.pm;
--- Mikrotik.pm.orig2021-05-08 07:38:14.976719201 +0200
+++ /usr/local/pf/lib/pf/Switch/Mikrotik.pm 2021-05-18 21:57:33.528217009 
+0200
@@ -46,6 +46,8 @@
# CAPABILITIES
# access technology supported
use pf::SwitchSupports qw(
+WiredMacAuth
+WiredDot1x
 WirelessMacAuth
 ExternalPortal
 WebFormRegistration
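
Review bot: declaring WiredDot1x and WiredMacAuth in pf::SwitchSupports is only the capability flag; the packetfence_httpd.aaa log quoted further down this thread, captured with these two names added, still shows `Use of uninitialized value $nas_port ... (pf::Switch::NasPortToIfIndex)` and `port => ,` in the authorize request, so the wired path cannot yet tie the session to a port. The module should also override NasPortToIfIndex (or confirm that the RouterOS dot1x Access-Request carries NAS-Port) and import $WIRED_802_1X and $WIRED_MAC_AUTH from pf::config alongside the wireless constants, as the Pica8 module quoted in the same message does.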


According to the documentation, wired 802.1x does not use the custom attribute names, so 
I need to figure out how to send standard attributes when using wired 802.1x 
(example below) and the existing custom attributes when using wireless 802.1x:
09:51:45 radius,debug,packet received Access-Accept with id 64 from 
10.1.2.3:1812
09:51:45 radius,debug,packet Tunnel-Type = 13
09:51:45 radius,debug,packet Tunnel-Medium-Type = 6
09:51:45 radius,debug,packet Tunnel-Private-Group-ID = "666"
(..)
09:51:45 radius,debug,packet User-Name = "dot1x-user"


Regards
David Herselman

From: David Herselman
Sent: Tuesday, 18 May 2021 9:27 PM
To: Quiniou-Briand, Nicolas ; 
packetfence-users@lists.sourceforge.net
Subject: RE: MikroTik dot1x (Ethernet not WiFi)

Hi Nicolas,

MikroTik have at least 3 integration options with their products. Most people 
appear to want to integrate their centrally managed WiFi solutions called 
CAPsMAN, but most of my integration to PacketFence has been with individual 
MikroTik routers with wireless interfaces. We have RADIUS disconnect working 
well in this scenario, after making the following subtle change. VLAN 
assignment has been reliable and RADIUS accounting is working perfectly for 
single sign on to a Check Point security gateway:
--- Mikrotik.pm.orig2021-05-08 07:38:14.976719201 +0200
+++ /usr/local/pf/lib/pf/Switch/Mikrotik.pm 2021-05-16 09:39:14.703284401 
+0200
@@ -139,7 +139,8 @@
sub deauthTechniques {
 my ($self, $method, $connection_type) = @_;
 my $logger = $self->logger;
-my $default = $SNMP::SSH;
+my $default = $SNMP::RADIUS;
 my %tech = (
 $SNMP::SSH=> 'deauthenticateMacSSH',
 $SNMP::RADIUS => 'deauthenticateMacRadius',
@@ -257,8 +258,8 @@

Don't forget to fill /usr/share/freeradius/dictionary.mikrotik with the 
following attributes:

-ATTRIBUTE   Mikrotik-Wireless-VlanID26  integer
-ATTRIBUTE   Mikrotik-Wireless-VlanIDType27  integer
+ATTRIBUTE   Mikrotik-Wireless-VLANID26  integer
+ATTRIBUTE   Mikrotik-Wireless-VLANID-Type   27  integer

=cut

The attribute name changes are actually just comment corrections; the references in 
the code appear to have been changed relatively recently to match the 
FreeRADIUS defaults.


MikroTik RouterOS v6.45.1 (changelog from 2019/07) introduced dot1x (see the 
manual) as an implementation of IEEE 802.1X port-based network access control 
using EAPOL (EAP over LAN), as both supplicant (client) and authenticator 
(server). Supported EAP methods are EAP-TLS, EAP-TTLS, EAP-MSCHAPv2 and 
PEAPv0/EAP-MSCHAPv2, and it appears to support MAB fallback.
PS: RouterOS is a free upgrade on any RouterBoard device and all current 
software release channels (long term, stable, testing and development) have 
this feature.

I would essentially like to hack around with the switch module to hopefully get 
both wired and wireless 802.1X working as authenticator. Perl appears to be 
readable but I have no idea where to start looking at what variables and 
functions I need to possibly copy to support both wired 802.1x and wired MAC 
auth.

Re: [PacketFence-users] MikroTik dot1x (Ethernet not WiFi)

2021-05-18 Thread David Herselman via PacketFence-users
Hi Fabrice,

Many thanks! It appears I’ve gotten 802.1x working, but the MAC fallback doesn’t 
appear to work; that looks like a RouterOS issue, so I’ll log a query in 
their forums.

Managed to work around the VLAN assignment issue I was having, where WiFi 
requires MikroTik-specific attributes and wired uses the standard ones, by 
simply sending everything in the replies, which works for both wired and 
wireless 802.1x connections.

Works for me, will test before trying to submit a patch:
[root@packetfence2 ~]# diff -uNr Mikrotik.pm.orig 
/usr/local/pf/lib/pf/Switch/Mikrotik.pm;
--- Mikrotik.pm.orig2021-05-08 07:38:14.976719201 +0200
+++ /usr/local/pf/lib/pf/Switch/Mikrotik.pm 2021-05-18 22:42:36.465205841 
+0200
@@ -46,6 +46,8 @@
# CAPABILITIES
# access technology supported
use pf::SwitchSupports qw(
+WiredMacAuth
+WiredDot1x
 WirelessMacAuth
 ExternalPortal
 WebFormRegistration
@@ -139,7 +141,8 @@
sub deauthTechniques {
 my ($self, $method, $connection_type) = @_;
 my $logger = $self->logger;
-my $default = $SNMP::SSH;
+my $default = $SNMP::RADIUS;
 my %tech = (
 $SNMP::SSH=> 'deauthenticateMacSSH',
 $SNMP::RADIUS => 'deauthenticateMacRadius',
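
Review bot: changing `$default` from $SNMP::SSH to $SNMP::RADIUS alters the deauth method for every existing MikroTik deployment, while the `$connection_type` argument this sub receives stays unused; the PS in this same message says neither RADIUS disconnect nor CoA works for wired 802.1x yet, so choose the default per connection type (RADIUS for the wireless case where it is reported to work, SSH otherwise) instead of flipping it globally, and say so in the module's POD. Separately, the header `@@ -139,7 +141,8 @@` promises eight new lines but only seven are shown, so the patch as pasted will not apply cleanly; please resend it as an attachment.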
@@ -257,8 +260,8 @@

Don't forget to fill /usr/share/freeradius/dictionary.mikrotik with the 
following attributes:

-ATTRIBUTE   Mikrotik-Wireless-VlanID26  integer
-ATTRIBUTE   Mikrotik-Wireless-VlanIDType27  integer
+ATTRIBUTE   Mikrotik-Wireless-VLANID26  integer
+ATTRIBUTE   Mikrotik-Wireless-VLANID-Type   27  integer

=cut
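
Review bot: the POD still tells the reader to "fill" /usr/share/freeradius/dictionary.mikrotik, yet the corrected names Mikrotik-Wireless-VLANID and Mikrotik-Wireless-VLANID-Type are, as this message says, the FreeRADIUS defaults; reword it to "verify that the stock dictionary.mikrotik defines" these two attributes, so nobody appends duplicate ATTRIBUTE lines to a file FreeRADIUS already ships.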

@@ -279,6 +282,9 @@
 $radius_reply_ref = {
 'Mikrotik-Wireless-VLANID' => $args->{'vlan'} . "",
 'Mikrotik-Wireless-VLANID-Type' => "0",
+'Tunnel-Type' => "13",
+'Tunnel-Medium-Type' => "6",
+'Tunnel-Private-Group-ID' => $args->{'vlan'} . "",
 };
 }
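
Review bot: the three Tunnel-* lines are added unconditionally beside the wireless VSAs, so every reply now carries both attribute families; that matches the working log at the top of this thread, but the hunk needs a comment recording why (per the thread, RouterOS wired dot1x reads only the standard Tunnel attributes and the wireless interface only the Mikrotik-Wireless-* ones), and the bare literals "13" and "6" should be named constants or at least annotated as Tunnel-Type VLAN and Tunnel-Medium-Type IEEE-802. If deauthTechniques gains a $connection_type branch, the wired case here could return only the standard trio.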

PS: Neither RADIUS disconnect nor CoA on wired 802.1x appears to be working, but 
this may also require alterations…

Regards
David Herselman

From: Fabrice Durand 
Sent: Tuesday, 18 May 2021 2:40 PM
To: packetfence-users@lists.sourceforge.net
Cc: David Herselman 
Subject: Re: [PacketFence-users] MikroTik dot1x (Ethernet not WiFi)

Hello David,

you are on the right track.

First you need to append that:

use pf::SwitchSupports qw(
WiredMacAuth
WiredDot1x
...
);


Then retry.
Also can you provide a raddebug output when you connect ?

raddebug -f /usr/local/pf/var/run/radiusd.sock

Regards
Fabrice


On Tue, 18 May 2021 at 01:22, David Herselman via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:
Hi,

I'm hoping someone could point me at some documentation which may provide 
necessary steps to extend the MikroTik module to additionally support 802.1x 
for ethernet.

I tried adding 'WiredDot1x' and 'WiredMacAuth' to 
/usr/local/pf/lib/pf/Switch/Mikrotik.pm in the pf::SwitchSupports stanza but 
still received the following warnings:

May 16 09:19:58 packetfence2 packetfence_httpd.aaa: httpd.aaa(1992) WARN: 
[mac:38:60:77:2f:73:f5] Use of uninitialized value $nas_port in concatenation 
(.) or string at /usr/local/pf/lib/pf/Switch.pm line 2468.
 (pf::Switch::NasPortToIfIndex)
May 16 09:19:58 packetfence2 packetfence_httpd.aaa: httpd.aaa(1992) WARN: 
[mac:38:60:77:2f:73:f5] Use of uninitialized value $port in concatenation (.) 
or string at /usr/local/pf/lib/pf/radius.pm line 188.
 (pf::radius::authorize)
May 16 09:19:58 packetfence2 packetfence_httpd.aaa: httpd.aaa(1992) INFO: 
[mac:38:60:77:2f:73:f5] handling radius autz request: from switch_ip => 
(100.127.255.10), connection_type => Ethernet-EAP,switch_mac => 
(6c:3b:6b:18:bc:0b), mac => [38:60:77:2f:73:f5], port => , username => 
"DOMAIN-01\davidh" (pf::radius::authorize)
May 16 09:19:58 packetfence2 packetfence_httpd.aaa: httpd.aaa(1992) WARN: 
[mac:38:60:77:2f:73:f5] (100.127.255.10) Sending REJECT since switch is 
unsupported (pf::radius::_switchUnsupportedReply)


When I review the Pica8 module I see the following, but have no reference as to 
what they do and whether or not I'm missing something which is possibly clearly 
documented.

Pica8 switch module:
use pf::config qw(
$ROLE_API_LEVEL
$MAC
$PORT
$WIRED_802_1X
$WIRED_MAC_AUTH

MikroTik switch module:
use pf::config qw(
$MAC
$SSID
$WIRELESS_MAC_AUTH
$WEBAUTH_WIRELESS


Regards
David Herselman
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
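
The following is an added example in Python, not code from this thread or from PacketFence. It encodes the two attribute families that the patched reply hash above puts into every Access-Accept (the Mikrotik-Wireless-* vendor attributes a MikroTik wireless interface reads, and the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID trio that wired dot1x reads, as David's "Hi again" message and this one describe), decodes them from either consumer's point of view, and builds and verifies the Message-Authenticator and Response Authenticator that the RouterOS log shows on the accepted packet. Assumptions not on the page: MikroTik's IANA enterprise number 14988 for the VSA, the standard attribute numbers 64/65/81 (RFC 2868) and 80 (RFC 2869), and the shared secret and Request Authenticator used in the test, which are made up.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, VENDOR_SPECIFIC, MESSAGE_AUTHENTICATOR = 2, 26, 80      # RFC 2865 / RFC 2869
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6      # the values in the RouterOS debug log
MIKROTIK_VENDOR_ID = 14988                            # assumption: MikroTik's IANA enterprise number
MT_WIRELESS_VLANID, MT_WIRELESS_VLANID_TYPE = 26, 27  # per dictionary.mikrotik quoted in the thread

def avp(attr_type, value):
    """RFC 2865 TLV; the length octet covers the two-octet header."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def tagged_int(value, tag=0):
    """RFC 2868 tagged integer: one tag octet (0 = untagged) plus a 24-bit value."""
    return struct.pack("!I", (tag << 24) | (value & 0xFFFFFF))

def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26) carrying one vendor TLV."""
    return avp(VENDOR_SPECIFIC, struct.pack("!IBB", vendor_id, vendor_type, len(value) + 2) + value)

def vlan_reply_attributes(vlan):
    """Both attribute families at once, mirroring the patched $radius_reply_ref."""
    return b"".join([
        vsa(MIKROTIK_VENDOR_ID, MT_WIRELESS_VLANID, struct.pack("!I", vlan)),
        vsa(MIKROTIK_VENDOR_ID, MT_WIRELESS_VLANID_TYPE, struct.pack("!I", 0)),
        avp(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN)),
        avp(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE_802)),
        avp(TUNNEL_PRIVATE_GROUP_ID, str(vlan).encode()),
    ])

def parse_avps(data):
    """Return [(type, value), ...]; a length running past the buffer is an error, not a guess."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out

def wired_vlan(avps):
    """What a wired 802.1X authenticator reads: the standard Tunnel-* trio."""
    attrs = {t: v for t, v in avps if t != VENDOR_SPECIFIC}
    try:
        tunnel_type = struct.unpack("!I", attrs[TUNNEL_TYPE])[0] & 0xFFFFFF
        medium = struct.unpack("!I", attrs[TUNNEL_MEDIUM_TYPE])[0] & 0xFFFFFF
        group = attrs[TUNNEL_PRIVATE_GROUP_ID]
    except (KeyError, struct.error):
        return None
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802:
        return None
    if group and group[0] <= 0x1F:  # a leading octet <= 0x1F is a tag, not part of the string
        group = group[1:]
    return int(group) if group.isdigit() else None

def wireless_vlan(avps):
    """What a MikroTik wireless interface reads: Mikrotik-Wireless-VLANID inside the VSA."""
    for attr_type, value in avps:
        if attr_type == VENDOR_SPECIFIC and len(value) >= 6 \
                and struct.unpack("!I", value[:4])[0] == MIKROTIK_VENDOR_ID:
            for vtype, vvalue in parse_avps(value[4:]):
                if vtype == MT_WIRELESS_VLANID and len(vvalue) == 4:
                    return struct.unpack("!I", vvalue)[0]
    return None

def access_accept(identifier, request_auth, secret, attributes):
    """Access-Accept with Message-Authenticator (HMAC-MD5) and Response Authenticator (MD5)."""
    attrs = attributes + avp(MESSAGE_AUTHENTICATOR, bytes(16))  # zero placeholder while signing
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    mac = hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_access_accept(packet, request_auth, secret):
    """NAS-side check: both authenticators must hold before the VLAN or EAP-Success is trusted."""
    if len(packet) < 20 or packet[0] != ACCESS_ACCEPT or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, response_auth, attrs = packet[:4], packet[4:20], packet[20:]
    if not hmac.compare_digest(hashlib.md5(header + request_auth + attrs + secret).digest(), response_auth):
        return False
    try:
        avps = parse_avps(attrs)
    except ValueError:
        return False
    offset = 0
    for attr_type, value in avps:
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = attrs[:offset + 2] + bytes(16) + attrs[offset + 18:]
            mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, value)
        offset += 2 + len(value)
    return False  # RFC 3579: a reply carrying EAP-Message without Message-Authenticator is discarded
```

Feeding vlan_reply_attributes(666) through parse_avps and then wired_vlan and wireless_vlan returns 666 from both, which is exactly what the "send everything" workaround relies on; drop either family and the corresponding consumer gets None. verify_access_accept fails closed on a wrong secret, a wrong Request Authenticator, a tampered VLAN or a missing Message-Authenticator, the checks an authenticator has to pass before it reaches the `dot1x,debug s ether4 UNBLOCK` step in the log.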


Re: [PacketFence-users] MikroTik dot1x (Ethernet not WiFi)

2021-05-18 Thread David Herselman via PacketFence-users
Hi Nicolas,

MikroTik have at least 3 integration options with their products. Most people 
appear to want to integrate their centrally managed WiFi solutions called 
CAPsMAN, but most of my integration to PacketFence has been with individual 
MikroTik routers with wireless interfaces. We have RADIUS disconnect working 
well in this scenario, after making the following subtle change. VLAN 
assignment has been reliable and RADIUS accounting is working perfectly for 
single sign on to a Check Point security gateway:
--- Mikrotik.pm.orig2021-05-08 07:38:14.976719201 +0200
+++ /usr/local/pf/lib/pf/Switch/Mikrotik.pm 2021-05-16 09:39:14.703284401 
+0200
@@ -139,7 +139,8 @@
sub deauthTechniques {
 my ($self, $method, $connection_type) = @_;
 my $logger = $self->logger;
-my $default = $SNMP::SSH;
+my $default = $SNMP::RADIUS;
 my %tech = (
 $SNMP::SSH=> 'deauthenticateMacSSH',
 $SNMP::RADIUS => 'deauthenticateMacRadius',
@@ -257,8 +258,8 @@

Don't forget to fill /usr/share/freeradius/dictionary.mikrotik with the 
following attributes:

-ATTRIBUTE   Mikrotik-Wireless-VlanID26  integer
-ATTRIBUTE   Mikrotik-Wireless-VlanIDType27  integer
+ATTRIBUTE   Mikrotik-Wireless-VLANID26  integer
+ATTRIBUTE   Mikrotik-Wireless-VLANID-Type   27  integer

=cut
The attribute name changes are actually just comment corrections; the references in 
the code appear to have been changed relatively recently to match the 
FreeRADIUS defaults.


MikroTik RouterOS v6.45.1 (changelog from 2019/07) introduced dot1x (see the 
manual) as an implementation of IEEE 802.1X port-based network access control 
using EAPOL (EAP over LAN), as both supplicant (client) and authenticator 
(server). Supported EAP methods are EAP-TLS, EAP-TTLS, EAP-MSCHAPv2 and 
PEAPv0/EAP-MSCHAPv2, and it appears to support MAB fallback.
PS: RouterOS is a free upgrade on any RouterBoard device and all current 
software release channels (long term, stable, testing and development) have 
this feature.

I would essentially like to hack around with the switch module to hopefully get 
both wired and wireless 802.1X working as authenticator. Perl appears to be 
readable but I have no idea where to start looking at what variables and 
functions I need to possibly copy to support both wired 802.1x and wired MAC 
auth.


Regards
David Herselman


From: Quiniou-Briand, Nicolas 
Sent: Tuesday, 18 May 2021 2:24 PM
To: packetfence-users@lists.sourceforge.net
Cc: David Herselman 
Subject: RE: MikroTik dot1x (Ethernet not WiFi)

Hello David,

1. Which features do you use on the Mikrotik module: Wireless MAC Auth? Webauth 
Wireless? Or both?

If you only use Wireless MAC Auth, you can try to create your own switch 
template [1] to support the features you need ('WiredDot1x' and 'WiredMacAuth').

[1] 
https://www.packetfence.org/doc/PacketFence_Developers_Guide.html#_creating_a_new_switch_via_a_template

It looks like the current switch module returns the following attributes:
'Mikrotik-Wireless-VLANID' => $args->{'vlan'} . "",
'Mikrotik-Wireless-VLANID-Type' => "0",
};
You certainly need to adapt the switch template to return something similar for 
wired.

Nicolas Quiniou-Briand
Product Support Engineer
Office: +33156696210
Akamai Technologies
145 Broadway
Cambridge, MA 02142




Re: [PacketFence-users] MikroTik dot1x (Ethernet not WiFi)

2021-05-18 Thread Fabrice Durand via PacketFence-users
Hello David,

you are on the right track.

First you need to append that:

use pf::SwitchSupports qw(
WiredMacAuth
WiredDot1x ... );
Then retry.
Also can you provide a raddebug output when you connect ?

raddebug -f /usr/local/pf/var/run/radiusd.sock

Regards
Fabrice


On Tue, 18 May 2021 at 01:22, David Herselman via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi,
>
> I'm hoping someone could point me at some documentation which may provide
> necessary steps to extend the MikroTik module to additionally support
> 802.1x for ethernet.
>
> I tried adding 'WiredDot1x' and 'WiredMacAuth' to
> /usr/local/pf/lib/pf/Switch/Mikrotik.pm in the pf::SwitchSupports stanza
> but still received the following warnings:
>
> May 16 09:19:58 packetfence2 packetfence_httpd.aaa: httpd.aaa(1992) WARN:
> [mac:38:60:77:2f:73:f5] Use of uninitialized value $nas_port in
> concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 2468.
>  (pf::Switch::NasPortToIfIndex)
> May 16 09:19:58 packetfence2 packetfence_httpd.aaa: httpd.aaa(1992) WARN:
> [mac:38:60:77:2f:73:f5] Use of uninitialized value $port in concatenation
> (.) or string at /usr/local/pf/lib/pf/radius.pm line 188.
>  (pf::radius::authorize)
> May 16 09:19:58 packetfence2 packetfence_httpd.aaa: httpd.aaa(1992) INFO:
> [mac:38:60:77:2f:73:f5] handling radius autz request: from switch_ip =>
> (100.127.255.10), connection_type => Ethernet-EAP,switch_mac =>
> (6c:3b:6b:18:bc:0b), mac => [38:60:77:2f:73:f5], port => , username =>
> "DOMAIN-01\davidh" (pf::radius::authorize)
> May 16 09:19:58 packetfence2 packetfence_httpd.aaa: httpd.aaa(1992) WARN:
> [mac:38:60:77:2f:73:f5] (100.127.255.10) Sending REJECT since switch is
> unsupported (pf::radius::_switchUnsupportedReply)
>
>
> When I review the Pica8 module I see the following, but have no reference
> as to what they do and whether or not I'm missing something which is
> possibly clearly documented.
>
> Pica8 switch module:
> use pf::config qw(
> $ROLE_API_LEVEL
> $MAC
> $PORT
> $WIRED_802_1X
> $WIRED_MAC_AUTH
>
> MikroTik switch module:
> use pf::config qw(
> $MAC
> $SSID
> $WIRELESS_MAC_AUTH
> $WEBAUTH_WIRELESS
>
>
> Regards
> David Herselman
>


Re: [PacketFence-users] MikroTik dot1x (Ethernet not WiFi)

2021-05-18 Thread Quiniou-Briand, Nicolas via PacketFence-users
Hello David,

1. Which features do you use on the Mikrotik module: Wireless MAC Auth? Webauth 
Wireless? Or both?

If you only use Wireless MAC Auth, you can try to create your own switch 
template [1] to support the features you need ('WiredDot1x' and 'WiredMacAuth').

[1] 
https://www.packetfence.org/doc/PacketFence_Developers_Guide.html#_creating_a_new_switch_via_a_template

It looks like the current switch module returns the following attributes:
'Mikrotik-Wireless-VLANID' => $args->{'vlan'} . "",
'Mikrotik-Wireless-VLANID-Type' => "0",
};
You certainly need to adapt the switch template to return something similar for 
wired.

Nicolas Quiniou-Briand
Product Support Engineer
Office: +33156696210
Akamai Technologies
145 Broadway
Cambridge, MA 02142





Re: [PacketFence-users] Migration to new version

2021-05-18 Thread Quiniou-Briand, Nicolas via PacketFence-users
Hello Arlen,

> I'm in the process of migrating from version 4 (currently in production) to a 
> new server using version 10.

Good luck!

> I'm wondering if some switch versions are no longer supported.  I've been 
> using HP procurves on the old system, but on the new system I keep getting 
> the "Server reported: VoIP authorization over RADIUS not supported for this 
> network device".

According to the PacketFence code, you got this error message because the switch 
module used on the PacketFence side doesn’t have the ‘RadiusVoip’ capability.

HP ProCurve 2920 and 5400 series switch modules support RadiusVoip. It’s also 
the case for Aruba 5400 switch module.

Nicolas Quiniou-Briand
Product Support Engineer
Office: +33156696210
Akamai Technologies
145 Broadway
Cambridge, MA 02142


