From: Chris C. <Chr...@un...> - 2020-02-20 12:56:02
I still am having the issues as described below. But I figured out how the Avaya IDE is authenticating NEAP and PacketFence is not. They're pulling the MAC Address from the username, and thus forcing it to NEAP as opposed to requiring a standard NEAP authentication. Can PacketFence do a similar change?

CHRIS CRAWFORD
Network Analyst • Information Technology Services
T 506 453-4695 C 506 260-8795
University of New Brunswick
Facebook: /uofnb <https://www.facebook.com/uofnb>
Twitter: @unb <https://twitter.com/UNB>
Instagram: @discoverunb <https://instagram.com/discoverunb/>
UNB.ca <http://www.unb.ca/>

Confidentiality Note: This email and the information contained in it is confidential, may be privileged and is intended for the exclusive use of the addressee(s). Any other person is strictly prohibited from using, disclosing, distributing or reproducing it. If you have received this communication in error, please reply by email to the sender and delete or destroy all copies of this message.

From: Chris Crawford via PacketFence-users <pac...@li...>
Sent: Wednesday, February 19, 2020 3:26 PM
To: pac...@li...
Cc: Chris Crawford <Chr...@un...>
Subject: [PacketFence-users] Nortel 5600 Series Switches, EAP working and NEAP is not

Good afternoon everyone,

I'm working on a replacement PacketFence installation to replace our VERY, VERY old PacketFence 3.5.0. In doing so, we're looking to increase our security from MAC Based Security to EAP and NEAP. We have a manufacturer-homogeneous environment in which we use only Avaya/Nortel/Extreme switches of the 3500, 4800, 5500, 5600 and 5900 Series switches. I've been able to get the 4800s and 5900s working using both EAP and NEAP. However, I'm having a terrible time getting NEAP to work on the 5600s and 5500s.

Below is a working NEAP and EAP connection on an ERS4800 complete with RADIUS printouts and logs from the server.
*** 4850 ***

*** NEAP ***

httpd.aaa(52738) INFO: [mac:a8:20:66:29:95:85] handling radius autz request: from switch_ip => (172.16.75.48), connection_type => Ethernet-NoEAP,switch_mac => (SWITCH), mac => [a8:20:66:29:95:85], port => 29, username => "a8:20:66:29:95:85" (pf::radius::authorize)
httpd.aaa(52738) WARN: [mac:a8:20:66:29:95:85] Switch type 'pf::Switch::Avaya::ERS5000_6x' does not support Cdp (pf::SwitchSupports::__ANON__)
httpd.aaa(52738) INFO: [mac:a8:20:66:29:95:85] Could not find any IP phones through discovery protocols for ifIndex 29 (pf::Switch::getPhonesDPAtIfIndex)
httpd.aaa(52738) INFO: [mac:a8:20:66:29:95:85] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
httpd.aaa(52738) WARN: [mac:a8:20:66:29:95:85] Switch type 'pf::Switch::Avaya::ERS5000_6x' does not support MABFloatingDevices (pf::SwitchSupports::__ANON__)
httpd.aaa(52738) INFO: [mac:a8:20:66:29:95:85] Found authentication source(s) : 'UNBDOMAIN' for realm 'null' (pf::config::util::filter_authentication_sources)
httpd.aaa(52738) INFO: [mac:a8:20:66:29:95:85] Connection type is MAC-AUTH. Getting role from Authorization source (pf::role::getRegisteredRole)
httpd.aaa(52738) INFO: [mac:a8:20:66:29:95:85] Username was defined "a8:20:66:29:95:85" - returning role 'BuildingNet' (pf::role::getRegisteredRole)
httpd.aaa(52738) INFO: [mac:a8:20:66:29:95:85] PID: "g018r", Status: reg Returned VLAN: (undefined), Role: BuildingNet (pf::role::fetchRoleForNode)
httpd.aaa(52738) INFO: [mac:a8:20:66:29:95:85] (172.16.75.48) Added VLAN 75 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
httpd.aaa(52738) INFO: [mac:a8:20:66:29:95:85] Match rule 1:all&vlan_75 (pf::access_filter::radius::test)

RADIUS Request
  User-Name = "a8:20:66:29:95:85"
  User-Password = "******"
  NAS-IP-Address = 172.16.75.48
  NAS-Port = 29
  Service-Type = Login-User
  Called-Station-Id = "SWITCH"
  Calling-Station-Id = "a8:20:66:29:95:85"
  NAS-Port-Type = Ethernet
  Event-Timestamp = "Feb 18 2020 14:53:11 AST"
  NAS-Port-Id = "0/29"
  Stripped-User-Name = "a8:20:66:29:95:85"
  Realm = "null"
  FreeRADIUS-Client-IP-Address = 172.16.75.48
  PacketFence-KeyBalanced = "27976f2388778312dd4908cee7499d95"
  PacketFence-Radius-Ip = "10.5.13.25"
  Attr-26.562.180 = 0x00000000
  SQL-User-Name = "a8:20:66:29:95:85"

RADIUS Reply
  Reply-Message = "Request processed by PacketFence"
  Tunnel-Medium-Type = IEEE-802
  Tunnel-Private-Group-Id = "75"
  Egress-VLANID = 838860875
  Tunnel-Type = VLAN

*** EAP ***

httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] handling radius autz request: from switch_ip => (172.16.75.48), connection_type => Ethernet-EAP,switch_mac => (SWITCH), mac => [24:b6:fd:fc:39:ed], port => 23, username => "host/FR-ITS-28381.ad.unb.ca" (pf::radius::authorize)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] is doing machine auth with account 'host/FR-ITS-28381.ad.unb.ca'. (pf::radius::authorize)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Instantiate profile DomainMachines (pf::Connection::ProfileFactory::_from_profile)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Found authentication source(s) : 'UNBDOMAIN-Machines' for realm 'ad.unb.ca' (pf::config::util::filter_authentication_sources)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Using sources UNBDOMAIN-Machines for matching (pf::authentication::match2)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Matched rule (Everyone) in source UNBDOMAIN-Machines, returning actions. (pf::Authentication::Source::match_rule)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Matched rule (Everyone) in source UNBDOMAIN-Machines, returning actions. (pf::Authentication::Source::match)
httpd.aaa(52738) WARN: [mac:24:b6:fd:fc:39:ed] Switch type 'pf::Switch::Avaya::ERS5000_6x' does not support MABFloatingDevices (pf::SwitchSupports::__ANON__)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Found authentication source(s) : 'UNBDOMAIN-Machines' for realm 'ad.unb.ca' (pf::config::util::filter_authentication_sources)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Username was defined "host/FR-ITS-28381.ad.unb.ca" - returning role 'BuildingNet' (pf::role::getRegisteredRole)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] PID: "host/FR-ITS-28381.ad.unb.ca", Status: reg Returned VLAN: (undefined), Role: BuildingNet (pf::role::fetchRoleForNode)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] (172.16.75.48) Added VLAN 75 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
pfqueue(104870) INFO: [mac:unknown] Already did a person lookup for host/FR-ITS-28381.ad.unb.ca (pf::lookup::person::lookup_person)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Match rule 1:all&vlan_75 (pf::access_filter::radius::test)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] security_event 1300003 force-closed for 24:b6:fd:fc:39:ed (pf::security_event::security_event_force_close)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Instantiate profile DomainMachines (pf::Connection::ProfileFactory::_from_profile)

RADIUS Request
  User-Name = "host/FR-ITS-28381.ad.unb.ca"
  NAS-IP-Address = 172.16.75.48
  NAS-Port = 23
  Service-Type = Framed-User
  Framed-MTU = 1490
  State = 0x25920796249b1d65694ece287ebe464c
  Called-Station-Id = "SWITCH"
  Calling-Station-Id = "24b6fdfc39ed"
  NAS-Port-Type = Ethernet
  Event-Timestamp = "Feb 18 2020 14:17:28 AST"
  EAP-Message = 0x020900061a03
  NAS-Port-Id = "0/23"
  FreeRADIUS-Proxied-To = 127.0.0.1
  EAP-Type = MSCHAPv2
  Realm = "ad.unb.ca"
  PacketFence-Domain = "UNBDOMAIN"
  PacketFence-KeyBalanced = "911d2640025aa742fc8890e3c5a50b6e"
  PacketFence-Radius-Ip = "10.5.13.25"
  PacketFence-NTLMv2-Only = ""
  Attr-26.562.180 = 0x00000000
  Attr-26.562.183 = 0x00000000
  User-Password = "******"
  SQL-User-Name = "host/FR-ITS-28381.ad.unb.ca"

RADIUS Reply
  MS-MPPE-Encryption-Policy = Encryption-Required
  MS-MPPE-Encryption-Types = 4
  MS-MPPE-Send-Key = 0x504e36e78a213b69bb8a1c570a21ee13
  MS-MPPE-Recv-Key = 0x1202abbe75113721a5e78f6620d117cd
  EAP-Message = 0x03090004
  Message-Authenticator = 0x00000000000000000000000000000000
  User-Name = "host/FR-ITS-28381.ad.unb.ca"
  Reply-Message = "Request processed by PacketFence"
  Tunnel-Medium-Type = IEEE-802
  Tunnel-Private-Group-Id = "75"
  Egress-VLANID = 838860875
  Tunnel-Type = VLAN

The 4850's configuration for EAP is as follows:

eapol multihost allow-non-eap-enable
eapol multihost radius-non-eap-enable
eapol multihost use-radius-assigned-vlan
eapol multihost non-eap-use-radius-assigned-vlan
eapol multihost eap-packet-mode unicast
eapol multihost multivlan enable
eapol multihost non-eap-reauthentication-enable
interface Ethernet ALL
eapol multihost port 1-47 enable eap-mac-max 3 non-eap-mac-max 3 radius-non-eap-enable use-radius-assigned-vlan non-eap-use-radius-assigned-vlan eap-packet-mode unicast mac-max 3
exit
interface Ethernet ALL
eapol port 1-47 status auto re-authentication enable re-authentication-period 3300
exit
eapol multihost voip-vlan 1 enable vid 2075
!
eapol enable

*** 5650 ***

*** NEAP ***

httpd.aaa(52738) WARN: [mac:a8:20:66:29:95:85] Switch type 'pf::Switch::Avaya::ERS5000_6x' does not support VPN (pf::SwitchSupports::__ANON__)
httpd.aaa(52738) WARN: [mac:a8:20:66:29:95:85] CLI Access is not permit on this switch 172.16.75.56 (pf::radius::switch_access)

RADIUS Request
  User-Name = "a82066299585"
  User-Password = "******"
  NAS-IP-Address = 172.16.75.56
  NAS-Port = 19
  Service-Type = Login-User
  NAS-Port-Type = Ethernet
  Event-Timestamp = "Feb 19 2020 14:57:39 AST"
  Stripped-User-Name = "a82066299585"
  Realm = "null"
  FreeRADIUS-Client-IP-Address = 172.16.75.56
  PacketFence-KeyBalanced = "e8ef48faa82ab19678f69f55f5f8a242"
  PacketFence-Radius-Ip = "10.5.13.25"
  Attr-26.562.180 = 0x00000000
  Module-Failure-Message = "rest: Server returned:"
  Module-Failure-Message = "rest: {\"control:PacketFence-Authorization-Status\":\"allow\",\"Reply-Message\":\"CLI or VPN Access is not allowed by PacketFence on this switch\"}"
  SQL-User-Name = "a82066299585"

RADIUS Reply
  NIL

*** EAP ***

httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] handling radius autz request: from switch_ip => (172.16.75.56), connection_type => Ethernet-EAP,switch_mac => (Unknown), mac => [24:b6:fd:fc:39:ed], port => 27, username => "host/FR-ITS-28381.ad.unb.ca" (pf::radius::authorize)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] is doing machine auth with account 'host/FR-ITS-28381.ad.unb.ca'. (pf::radius::authorize)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Instantiate profile DomainMachines (pf::Connection::ProfileFactory::_from_profile)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Found authentication source(s) : 'UNBDOMAIN-Machines' for realm 'ad.unb.ca' (pf::config::util::filter_authentication_sources)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Using sources UNBDOMAIN-Machines for matching (pf::authentication::match2)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Matched rule (Everyone) in source UNBDOMAIN-Machines, returning actions. (pf::Authentication::Source::match_rule)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Matched rule (Everyone) in source UNBDOMAIN-Machines, returning actions. (pf::Authentication::Source::match)
httpd.aaa(52738) WARN: [mac:24:b6:fd:fc:39:ed] Switch type 'pf::Switch::Avaya::ERS5000_6x' does not support MABFloatingDevices (pf::SwitchSupports::__ANON__)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Found authentication source(s) : 'UNBDOMAIN-Machines' for realm 'ad.unb.ca' (pf::config::util::filter_authentication_sources)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Username was defined "host/FR-ITS-28381.ad.unb.ca" - returning role 'BuildingNet' (pf::role::getRegisteredRole)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] PID: "host/FR-ITS-28381.ad.unb.ca", Status: reg Returned VLAN: (undefined), Role: BuildingNet (pf::role::fetchRoleForNode)
pfqueue(104870) INFO: [mac:unknown] Already did a person lookup for host/FR-ITS-28381.ad.unb.ca (pf::lookup::person::lookup_person)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] (172.16.75.56) Added VLAN 75 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Match rule 1:all&vlan_75 (pf::access_filter::radius::test)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] security_event 1300003 force-closed for 24:b6:fd:fc:39:ed (pf::security_event::security_event_force_close)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Instantiate profile DomainMachines (pf::Connection::ProfileFactory::_from_profile)

RADIUS Request
  User-Name = "host/FR-ITS-28381.ad.unb.ca"
  NAS-IP-Address = 172.16.75.56
  NAS-Port = 27
  Service-Type = Framed-User
  Framed-MTU = 1490
  State = 0x0f6e5adf0e674092fcd27d9f3dcc219d
  Calling-Station-Id = "24:b6:fd:fc:39:ed"
  NAS-Port-Type = Ethernet
  Event-Timestamp = "Feb 19 2020 15:00:15 AST"
  EAP-Message = 0x020900061a03
  FreeRADIUS-Proxied-To = 127.0.0.1
  EAP-Type = MSCHAPv2
  Realm = "ad.unb.ca"
  PacketFence-Domain = "UNBDOMAIN"
  PacketFence-KeyBalanced = "911d2640025aa742fc8890e3c5a50b6e"
  PacketFence-Radius-Ip = "10.5.13.25"
  PacketFence-NTLMv2-Only = ""
  Attr-26.562.180 = 0x00000000
  User-Password = "******"
  SQL-User-Name = "host/FR-ITS-28381.ad.unb.ca"

RADIUS Reply
  MS-MPPE-Encryption-Policy = Encryption-Required
  MS-MPPE-Encryption-Types = 4
  MS-MPPE-Send-Key = 0xf22767034318ab508c8f1147408aecfd
  MS-MPPE-Recv-Key = 0x6101d7aca23e0af2f49dd04a85e1aecd
  EAP-Message = 0x03090004
  Message-Authenticator = 0x00000000000000000000000000000000
  User-Name = "host/FR-ITS-28381.ad.unb.ca"
  Reply-Message = "Request processed by PacketFence"
  Tunnel-Medium-Type = IEEE-802
  Tunnel-Private-Group-Id = "75"
  Egress-VLANID = 838860875
  Tunnel-Type = VLAN

The 5698's configuration for EAP is as follows:

eapol multihost allow-non-eap-enable
eapol multihost radius-non-eap-enable
eapol multihost use-radius-assigned-vlan
eapol multihost non-eap-use-radius-assigned-vlan
eapol multihost eap-packet-mode unicast
eapol multihost multivlan enable
eapol multihost non-eap-reauthentication-enable
interface Ethernet ALL
eapol multihost port 1-47 enable eap-mac-max 3 non-eap-mac-max 3 radius-non-eap-enable use-radius-assigned-vlan non-eap-use-radius-assigned-vlan eap-packet-mode unicast mac-max 3
eapol multihost port 48-98 mac-max 2
exit
interface Ethernet ALL
eapol port 1-47 status auto re-authentication enable re-authentication-period 3300
exit
eapol multihost voip-vlan 1 enable vid 2075
!
eapol enable

If I had to guess, the 5600 series switches are either not sending the Calling-Station-ID, which they should be for both EAP and NEAP. Anyone have any guesses where to go from here? Anyone have any ideas? A working installation that uses both NEAP and EAP on Avaya/Nortel/Extreme 5500 and 5600 series switches?

To make matters more interesting, I have a working switch that used the Avaya IDE for both NEAP and EAP, and it works great. Copying the configuration from one to the other does not work.

Any information would be helpful.

Cheers,

CHRIS CRAWFORD
Network Analyst • Information Technology Services
T 506 453-4695 C 506 260-8795
University of New Brunswick
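The behaviour the top of the thread attributes to the Avaya IDE (treat a request as NEAP when the User-Name is a MAC, even though the switch sent no Calling-Station-Id) is easy to state precisely with the three requests in the dumps. The following Python is an added illustration, not PacketFence code and not something from the thread: it classifies an Access-Request the way PacketFence's logs above do (Ethernet-EAP, Ethernet-NoEAP, or a CLI/VPN login to the switch itself) and applies the User-Name fallback only for NAS addresses on an allow-list. The three request dictionaries are constructed from the attribute dumps above with passwords and PacketFence-internal attributes left out; the NEAP_FALLBACK_NAS set, the function names and the classification labels are this example's own assumptions.

```python
import re
from typing import Optional

# Sample Access-Requests, constructed from the attribute dumps in the thread
# (passwords and PacketFence-internal attributes left out).
ERS4850_NEAP = {
    "User-Name": "a8:20:66:29:95:85",
    "NAS-IP-Address": "172.16.75.48",
    "NAS-Port": 29,
    "Service-Type": "Login-User",
    "Called-Station-Id": "SWITCH",
    "Calling-Station-Id": "a8:20:66:29:95:85",
    "NAS-Port-Type": "Ethernet",
    "NAS-Port-Id": "0/29",
}
ERS5650_NEAP = {                      # no Calling-Station-Id at all
    "User-Name": "a82066299585",
    "NAS-IP-Address": "172.16.75.56",
    "NAS-Port": 19,
    "Service-Type": "Login-User",
    "NAS-Port-Type": "Ethernet",
}
ERS5650_EAP = {
    "User-Name": "host/FR-ITS-28381.ad.unb.ca",
    "NAS-IP-Address": "172.16.75.56",
    "NAS-Port": 27,
    "Service-Type": "Framed-User",
    "Calling-Station-Id": "24:b6:fd:fc:39:ed",
    "NAS-Port-Type": "Ethernet",
    "EAP-Message": "0x020900061a03",
}

# Assumption for this example: NAS addresses whose NEAP requests are known to
# arrive without Calling-Station-Id. The User-Name fallback applies only here.
NEAP_FALLBACK_NAS = frozenset({"172.16.75.56"})


def normalize_mac(value) -> Optional[str]:
    """Return aa:bb:cc:dd:ee:ff for any common MAC spelling
    (colons, dashes, Cisco dots, or bare 12 hex digits), else None."""
    if not isinstance(value, str):
        return None
    digits = re.sub(r"[:\-.\s]", "", value.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify(req: dict, fallback_nas=NEAP_FALLBACK_NAS):
    """Decide how to treat an Access-Request.

    Returns (connection_type, mac) with connection_type one of
    'Ethernet-EAP', 'Ethernet-NoEAP' or 'CLI' (login to the switch itself).
    """
    if "EAP-Message" in req:
        return "Ethernet-EAP", normalize_mac(req.get("Calling-Station-Id"))

    mac = normalize_mac(req.get("Calling-Station-Id"))
    if mac is not None:
        return "Ethernet-NoEAP", mac

    # Fallback: the NAS omitted Calling-Station-Id. Only trust a MAC-shaped
    # User-Name when it comes from a wired port on a NAS known to do this;
    # anything else without a station id is a CLI/VPN login attempt.
    if (req.get("NAS-IP-Address") in fallback_nas
            and req.get("NAS-Port-Type") == "Ethernet"):
        mac = normalize_mac(req.get("User-Name"))
        if mac is not None:
            return "Ethernet-NoEAP", mac
    return "CLI", None


def with_calling_station_id(req: dict, fallback_nas=NEAP_FALLBACK_NAS) -> dict:
    """Copy of req with Calling-Station-Id synthesised from User-Name when the
    fallback applied, so downstream MAC-auth code sees a normal NEAP request."""
    ctype, mac = classify(req, fallback_nas)
    out = dict(req)
    if ctype == "Ethernet-NoEAP" and "Calling-Station-Id" not in out:
        out["Calling-Station-Id"] = mac
    return out


if __name__ == "__main__":
    for name, req in (("ERS4850 NEAP", ERS4850_NEAP),
                      ("ERS5650 NEAP", ERS5650_NEAP),
                      ("ERS5650 EAP", ERS5650_EAP)):
        print(name, classify(req))
```

Two caveats worth keeping if this is turned into a real rule. First, without Calling-Station-Id the User-Name is the only identity in the request and nothing in it is bound to the port's actual source address, so the fallback is scoped to the switches that need it and to NAS-Port-Type = Ethernet; a twelve-hex-character administrator login over a Virtual port stays a CLI request. Second, if the switches also send something predictable in User-Password for NEAP (the dumps mask it as "******", so this is an assumption), checking that value before accepting the request as NEAP narrows the fallback further.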