From: <nsp...@ly...> - 2016-12-08 14:40:16

Physical is TP-Link TL-SG5428
Packetfence is Cisco 2960 object (per our conversation last week)

On December 8, 2016 9:24:18 AM EST, Fabrice Durand <fd...@in...> wrote:
>Quick question, on which type of switch are you trying to achieve that?
>
>On 2016-12-07 at 21:54, nsp...@ly... wrote:
>> Thanks Fabrice. Using the newly created user with the new access
>> level I get the same results as before with same log entries.
>>
>> On 12/07/2016 08:04 PM, Durand fabrice wrote:
>>> Hello,
>>>
>>> On 2016-12-06 at 22:45, nsp...@ly... wrote:
>>>> Thanks Fabrice.
>>>>
>>>> I configured per instruction (see below) but had no better luck.
>>>> Any further thoughts?
>>>>
>>>> 1. I created a new admin role via:
>>>>    /admin/configuration#config/adminroles
>>>> 2. set the action to "Switches CLI - Write"
>>>> 3. Saved the new role
>>>> 4. Created a new source (internal radius) via:
>>>>    admin/configuration#config/authentication
>>>
>>> Hum not sure it will work like that, let's create instead a user in
>>> packetfence (user tab) assign a password and assign the access level
>>> to the one you created before.
>>>
>>>> 1. Added a new set the ip to 127.0.0.1 and port 18120
>>>> 2. set secret to packet
>>>> 3. added rule
>>>> 4. set class to administration
>>>> 5. add action to access level and selected the radius role I
>>>>    created in step 1-3
>>>> 6. created another source (same as 4-9) with ip set to management
>>>>    interface and port 1812
>>>> 7. verified that cliAccess=Y
>>>> 8. restart all services
>>>>
>>>> radtest on localhost fails auth with:
>>>>
>>>> radtest -t mschap -x test2 packet localhost:18120 12 testing123
>>>> Sent Access-Request Id 107 from 0.0.0.0:58720 to 127.0.0.1:18120 length 131
>>>>     User-Name = "test2"
>>>>     MS-CHAP-Password = "packet"
>>>>     NAS-IP-Address = 192.168.14.60
>>>>     NAS-Port = 12
>>>>     Message-Authenticator = 0x00
>>>>     Cleartext-Password = "packet"
>>>>     MS-CHAP-Challenge = 0xd9fdad2e36fdd618
>>>>     MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000007678409312f6c2d67f0671bf77b643cf60d6e7cc5583e533
>>>> Received Access-Reject Id 107 from 127.0.0.1:18120 to 0.0.0.0:0 length 20
>>>> (0) -: Expected Access-Accept got Access-Reject
>>>>
>>>> packetfence.log
>>>>
>>>> Dec 06 22:34:04 httpd.aaa(3965) WARN: [mac:[undef]] CLI Access is not permit on this switch 192.168.14.60 (pf::radius::switch_access)
>>>>
>>>> radtest on management interface times/retry out
>>>>
>>>> radtest on management interface times/retry out from remote client.
>>>>
>>>> On 12/06/2016 07:25 PM, Durand fabrice wrote:
>>>>> Hello,
>>>>>
>>>>> Can you check in packetfence.log to see what is wrong?
>>>>>
>>>>> Also, here is what you have to do:
>>>>>
>>>>> In Configuration -> Admin access, create a new admin access with
>>>>> Switch CLI - Write
>>>>>
>>>>> In Configuration source -> A internal source -> assign an
>>>>> administration rule and set access level (the admin access you
>>>>> created before).
>>>>>
>>>>> Then enable cli access on the switch (cliAccess=Y).
>>>>>
>>>>> Now when PacketFence receives a radius request for cli access,
>>>>> it will test the username and password on the internal source and
>>>>> if it succeeds and if it matches the rule then the access will be
>>>>> allowed.
>>>>>
>>>>> Regards
>>>>>
>>>>> Fabrice
>>>>>
>>>>> On 2016-12-06 at 12:13, nsp...@ly... wrote:
>>>>>> When I attempt to test FreeRadius with a test user in
>>>>>> /usr/local/pf/raddb/users I get a failure that states "CLI Access
>>>>>> is not permit on this switch". I have "cliAccess=Y" in
>>>>>> switches.conf. Is there somewhere else I need to enable CLI access?
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> packetfence.log:
>>>>>> Dec 06 12:04:36 httpd.aaa(24559) WARN: [mac:[undef]] CLI Access is not permit on this switch 192.168.14.60 (pf::radius::switch_access)
>>>>>>
>>>>>> This occurs as a response to:
>>>>>>
>>>>>> radtest -t mschap -x test2 packet localhost:18120 12 testing123
>>>>>>
>>>>>> radtest responds with:
>>>>>>
>>>>>> Sent Access-Request Id 224 from 0.0.0.0:50101 to 127.0.0.1:18120 length 131
>>>>>>     User-Name = "test2"
>>>>>>     MS-CHAP-Password = "packet"
>>>>>>     NAS-IP-Address = 192.168.14.60
>>>>>>     NAS-Port = 12
>>>>>>     Message-Authenticator = 0x00
>>>>>>     Cleartext-Password = "packet"
>>>>>>     MS-CHAP-Challenge = 0x7d970590bf9b3c20
>>>>>>     MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000001d61ecc9a3fc6222a13bccde625540a3048270707271bf1c
>>>>>> Received Access-Reject Id 224 from 127.0.0.1:18120 to 0.0.0.0:0 length 20
>>>>>> (0) -: Expected Access-Accept got Access-Reject
>>>>>>
>>>>>> I have the following entry in /usr/local/pf/raddb/users
>>>>>>
>>>>>> test2 Cleartext-Password := "packet"
>>>>>>
>>>>>> ------------------------------------------------------------------------------
>>>>>> Developer Access Program for Intel Xeon Phi Processors
>>>>>> Access to Intel Xeon Phi processor-based developer platforms.
>>>>>> With one year of Intel Parallel Studio XE.
>>>>>> Training and support from Colfax.
>>>>>> Order your platform today. http://sdm.link/xeonphi
>>>>>>
>>>>>> _______________________________________________
>>>>>> PacketFence-users mailing list
>>>>>> Pac...@li...
>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>--
>Fabrice Durand
>fd...@in... :: +1.514.447.4918 (x135) :: www.inverse.ca
>Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
>PacketFence (http://packetfence.org)
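
Added example (not part of the thread, and not PacketFence code): a Python triage helper that pulls the switch IPs out of the `pf::radius::switch_access` warnings quoted above and reports which `cliAccess` value a switches.conf-style file holds for each. It assumes one INI section per switch IP with a `[default]` section supplying unset keys; the sample config and the third log line are constructed.

```python
import configparser
import re

# First two lines are the warnings quoted in the thread; the third is constructed.
SAMPLE_LOG = """\
Dec 06 12:04:36 httpd.aaa(24559) WARN: [mac:[undef]] CLI Access is not permit on this switch 192.168.14.60 (pf::radius::switch_access)
Dec 06 22:34:04 httpd.aaa(3965) WARN: [mac:[undef]] CLI Access is not permit on this switch 192.168.14.60 (pf::radius::switch_access)
Dec 06 22:40:11 httpd.aaa(3965) WARN: [mac:[undef]] CLI Access is not permit on this switch 192.168.14.61 (pf::radius::switch_access)
"""

# Constructed config; assumed layout: a section per switch IP, [default] fills unset keys.
SAMPLE_CONF = """\
[default]
cliAccess=N
[192.168.14.60]
cliAccess=Y
[192.168.14.62]
description=constructed entry without its own cliAccess
"""

DENIED = re.compile(r"CLI Access is not permit on this switch (\S+) \(pf::radius::switch_access\)")

def denied_switches(log_text):
    """Count CLI-access denials per switch IP found in the log text."""
    counts = {}
    for match in DENIED.finditer(log_text):
        counts[match.group(1)] = counts.get(match.group(1), 0) + 1
    return counts

def effective_cli_access(conf_text, ip):
    """Return (value, origin): the cliAccess value for ip and where it came from."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case: cliAccess, not cliaccess
    parser.read_string(conf_text)
    if not parser.has_section(ip):
        return None, "no section"
    for section in (ip, "default"):
        if parser.has_option(section, "cliAccess"):
            return parser.get(section, "cliAccess"), section
    return None, "unset"

def report(log_text, conf_text):
    """One row per denied switch: (ip, denial count, cliAccess value, origin)."""
    return [(ip, hits, *effective_cli_access(conf_text, ip))
            for ip, hits in sorted(denied_switches(log_text).items())]

if __name__ == "__main__":
    for row in report(SAMPLE_LOG, SAMPLE_CONF):
        print("%s denials=%d cliAccess=%s origin=%s" % row)
```
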