From: Chris C. <Chr...@un...> - 2020-02-20 17:23:23
I ended up editing the RADIUS Hints file and added in this filter:
# When User-Name is not already a colon-separated MAC, synthesise both station ids
DEFAULT User-Name !~ "([0-9a-f]{2}:){5}([0-9a-f]{2})"
	Called-Station-Id := "FakeEAP",
	Calling-Station-Id := "%{User-Name}"
This adds in the Calling-Station-ID and allows the machine to EAP with success.
CHRIS CRAWFORD
Network Analyst • Information Technology Services
T 506 453-4695 C 506 260-8795
[University of New Brunswick]
[Facebook]/uofnb<https://www.facebook.com/uofnb> [Twitter] @unb<https://twitter.com/UNB> [Instagram] @discoverunb<https://instagram.com/discoverunb/> UNB.ca<http://www.unb.ca/>
Confidentiality Note: This email and the information contained in it is confidential, may be privileged and is intended for the exclusive use of the addressee(s). Any other person is strictly prohibited from using, disclosing, distributing or reproducing it. If you have received this communication in error, please reply by email to the sender and delete or destroy all copies of this message.
From: Chris Crawford via PacketFence-users <pac...@li...>
Sent: Thursday, February 20, 2020 8:56 AM
To: pac...@li...
Cc: Chris Crawford <Chr...@un...>
Subject: Re: [PacketFence-users] Nortel 5600 Series Switches, EAP working and NEAP is not
I am still having the issues described below. But I figured out how the Avaya IDE is authenticating NEAP and PacketFence is not: they're pulling the MAC address from the username, and thus forcing it to NEAP as opposed to requiring a standard NEAP authentication.
Can PacketFence do a similar change?
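The hints rule in the newest message above copies a MAC-style User-Name into Calling-Station-Id and fakes Called-Station-Id when the switch omits them, which is the same trick the Avaya IDE is described as using. The following is an added example (not code from the thread or from PacketFence) that models that rule in Python and runs it over requests constructed from the three RADIUS dumps quoted in the original post; it goes slightly beyond the posted rule by normalising separator-less MACs such as a82066299585 to colon form and by only firing on MAC-shaped usernames, so an EAP identity like host/... is never turned into a station id. The attribute dicts, function names and the "FakeEAP" placeholder are assumptions for illustration.

```python
import re

# Sample requests constructed from the RADIUS dumps quoted in the thread
# (only the attributes relevant to station-id handling are kept).
ERS4850_NEAP = {"User-Name": "a8:20:66:29:95:85", "Called-Station-Id": "SWITCH",
                "Calling-Station-Id": "a8:20:66:29:95:85"}
ERS5650_NEAP = {"User-Name": "a82066299585"}               # no station ids at all
ERS5650_EAP = {"User-Name": "host/FR-ITS-28381.ad.unb.ca",
               "Calling-Station-Id": "24:b6:fd:fc:39:ed"}  # no Called-Station-Id

PLACEHOLDER_CALLED = "FakeEAP"   # same placeholder value the hints rule in the thread uses


def mac_from_username(username):
    """Return the MAC as aa:bb:cc:dd:ee:ff if User-Name is a bare MAC
    (with or without ':', '-' or '.' separators), otherwise None."""
    digits = re.sub(r"[:.\-]", "", username.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def fill_station_ids(request):
    """Return a copy of the request with Calling-Station-Id synthesised from a
    MAC-shaped User-Name when the NAS omitted it, and Called-Station-Id set to
    the placeholder when missing. Requests that already carry both attributes
    come back unchanged; non-MAC usernames are never copied into a station id."""
    fixed = dict(request)
    mac = mac_from_username(fixed.get("User-Name", ""))
    if mac and "Calling-Station-Id" not in fixed:
        fixed["Calling-Station-Id"] = mac
    fixed.setdefault("Called-Station-Id", PLACEHOLDER_CALLED)
    return fixed


def missing_station_ids(request):
    """List the station-id attributes a NAS left out of a request; handy for
    spotting from RADIUS debug output which switch models need the workaround."""
    return [a for a in ("Called-Station-Id", "Calling-Station-Id") if a not in request]


if __name__ == "__main__":
    for name, req in (("ERS4850 NEAP", ERS4850_NEAP), ("ERS5650 NEAP", ERS5650_NEAP),
                      ("ERS5650 EAP", ERS5650_EAP)):
        print(name, "missing:", missing_station_ids(req), "->", fill_station_ids(req))
```

Because the station ids are derived from whatever the switch puts in User-Name, the result is only as trustworthy as the NAS's own MAC learning; it restores PacketFence's port-auth handling for these switches but adds no authentication of its own.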
From: Chris Crawford via PacketFence-users <pac...@li...>
Sent: Wednesday, February 19, 2020 3:26 PM
To: pac...@li...
Cc: Chris Crawford <Chr...@un...>
Subject: [PacketFence-users] Nortel 5600 Series Switches, EAP working and NEAP is not
Good afternoon everyone,
I’m working on a replacement PacketFence installation to replace our VERY, VERY old PacketFence 3.5.0. In doing so, we’re looking to increase our security from MAC Based Security to EAP and NEAP.
We have a manufacturer-homogeneous environment in which we use only Avaya/Nortel/Extreme switches of the 3500, 4800, 5500, 5600 and 5900 Series. I've been able to get the 4800s and 5900s working using both EAP and NEAP. However, I'm having a terrible time getting NEAP to work on the 5600s and 5500s.
Below is a working NEAP and EAP connection on an ERS4800 complete with RADIUS printouts and logs from the server.
*** 4850 ***
*** NEAP ***
httpd.aaa(52738) INFO: [mac:a8:20:66:29:95:85] handling radius autz request: from switch_ip => (172.16.75.48), connection_type => Ethernet-NoEAP,switch_mac => (SWITCH), mac => [a8:20:66:29:95:85], port => 29, username => "a8:20:66:29:95:85" (pf::radius::authorize)
httpd.aaa(52738) WARN: [mac:a8:20:66:29:95:85] Switch type 'pf::Switch::Avaya::ERS5000_6x' does not support Cdp (pf::SwitchSupports::__ANON__)
httpd.aaa(52738) INFO: [mac:a8:20:66:29:95:85] Could not find any IP phones through discovery protocols for ifIndex 29 (pf::Switch::getPhonesDPAtIfIndex)
httpd.aaa(52738) INFO: [mac:a8:20:66:29:95:85] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
httpd.aaa(52738) WARN: [mac:a8:20:66:29:95:85] Switch type 'pf::Switch::Avaya::ERS5000_6x' does not support MABFloatingDevices (pf::SwitchSupports::__ANON__)
httpd.aaa(52738) INFO: [mac:a8:20:66:29:95:85] Found authentication source(s) : 'UNBDOMAIN' for realm 'null' (pf::config::util::filter_authentication_sources)
httpd.aaa(52738) INFO: [mac:a8:20:66:29:95:85] Connection type is MAC-AUTH. Getting role from Authorization source (pf::role::getRegisteredRole)
httpd.aaa(52738) INFO: [mac:a8:20:66:29:95:85] Username was defined "a8:20:66:29:95:85" - returning role 'BuildingNet' (pf::role::getRegisteredRole)
httpd.aaa(52738) INFO: [mac:a8:20:66:29:95:85] PID: "g018r", Status: reg Returned VLAN: (undefined), Role: BuildingNet (pf::role::fetchRoleForNode)
httpd.aaa(52738) INFO: [mac:a8:20:66:29:95:85] (172.16.75.48) Added VLAN 75 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
httpd.aaa(52738) INFO: [mac:a8:20:66:29:95:85] Match rule 1:all&vlan_75 (pf::access_filter::radius::test)
RADIUS Request
User-Name = "a8:20:66:29:95:85"
User-Password = "******"
NAS-IP-Address = 172.16.75.48
NAS-Port = 29
Service-Type = Login-User
Called-Station-Id = "SWITCH"
Calling-Station-Id = "a8:20:66:29:95:85"
NAS-Port-Type = Ethernet
Event-Timestamp = "Feb 18 2020 14:53:11 AST"
NAS-Port-Id = "0/29"
Stripped-User-Name = "a8:20:66:29:95:85"
Realm = "null"
FreeRADIUS-Client-IP-Address = 172.16.75.48
PacketFence-KeyBalanced = "27976f2388778312dd4908cee7499d95"
PacketFence-Radius-Ip = "10.5.13.25"
Attr-26.562.180 = 0x00000000
SQL-User-Name = "a8:20:66:29:95:85"
RADIUS Reply
Reply-Message = "Request processed by PacketFence"
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-Id = "75"
Egress-VLANID = 838860875
Tunnel-Type = VLAN
*** EAP ***
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] handling radius autz request: from switch_ip => (172.16.75.48), connection_type => Ethernet-EAP,switch_mac => (SWITCH), mac => [24:b6:fd:fc:39:ed], port => 23, username => "host/FR-ITS-28381.ad.unb.ca" (pf::radius::authorize)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] is doing machine auth with account 'host/FR-ITS-28381.ad.unb.ca'. (pf::radius::authorize)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Instantiate profile DomainMachines (pf::Connection::ProfileFactory::_from_profile)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Found authentication source(s) : 'UNBDOMAIN-Machines' for realm 'ad.unb.ca' (pf::config::util::filter_authentication_sources)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Using sources UNBDOMAIN-Machines for matching (pf::authentication::match2)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Matched rule (Everyone) in source UNBDOMAIN-Machines, returning actions. (pf::Authentication::Source::match_rule)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Matched rule (Everyone) in source UNBDOMAIN-Machines, returning actions. (pf::Authentication::Source::match)
httpd.aaa(52738) WARN: [mac:24:b6:fd:fc:39:ed] Switch type 'pf::Switch::Avaya::ERS5000_6x' does not support MABFloatingDevices (pf::SwitchSupports::__ANON__)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Found authentication source(s) : 'UNBDOMAIN-Machines' for realm 'ad.unb.ca' (pf::config::util::filter_authentication_sources)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Username was defined "host/FR-ITS-28381.ad.unb.ca" - returning role 'BuildingNet' (pf::role::getRegisteredRole)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] PID: "host/FR-ITS-28381.ad.unb.ca", Status: reg Returned VLAN: (undefined), Role: BuildingNet (pf::role::fetchRoleForNode)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] (172.16.75.48) Added VLAN 75 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
pfqueue(104870) INFO: [mac:unknown] Already did a person lookup for host/FR-ITS-28381.ad.unb.ca (pf::lookup::person::lookup_person)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Match rule 1:all&vlan_75 (pf::access_filter::radius::test)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] security_event 1300003 force-closed for 24:b6:fd:fc:39:ed (pf::security_event::security_event_force_close)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Instantiate profile DomainMachines (pf::Connection::ProfileFactory::_from_profile)
RADIUS Request
User-Name = "host/FR-ITS-28381.ad.unb.ca"
NAS-IP-Address = 172.16.75.48
NAS-Port = 23
Service-Type = Framed-User
Framed-MTU = 1490
State = 0x25920796249b1d65694ece287ebe464c
Called-Station-Id = "SWITCH"
Calling-Station-Id = "24b6fdfc39ed"
NAS-Port-Type = Ethernet
Event-Timestamp = "Feb 18 2020 14:17:28 AST"
EAP-Message = 0x020900061a03
NAS-Port-Id = "0/23"
FreeRADIUS-Proxied-To = 127.0.0.1
EAP-Type = MSCHAPv2
Realm = "ad.unb.ca"
PacketFence-Domain = "UNBDOMAIN"
PacketFence-KeyBalanced = "911d2640025aa742fc8890e3c5a50b6e"
PacketFence-Radius-Ip = "10.5.13.25"
PacketFence-NTLMv2-Only = ""
Attr-26.562.180 = 0x00000000
Attr-26.562.183 = 0x00000000
User-Password = "******"
SQL-User-Name = "host/FR-ITS-28381.ad.unb.ca"
RADIUS Reply
MS-MPPE-Encryption-Policy = Encryption-Required
MS-MPPE-Encryption-Types = 4
MS-MPPE-Send-Key = 0x504e36e78a213b69bb8a1c570a21ee13
MS-MPPE-Recv-Key = 0x1202abbe75113721a5e78f6620d117cd
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "host/FR-ITS-28381.ad.unb.ca"
Reply-Message = "Request processed by PacketFence"
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-Id = "75"
Egress-VLANID = 838860875
Tunnel-Type = VLAN
The 4850's configuration for EAP is as follows:
eapol multihost allow-non-eap-enable
eapol multihost radius-non-eap-enable
eapol multihost use-radius-assigned-vlan
eapol multihost non-eap-use-radius-assigned-vlan
eapol multihost eap-packet-mode unicast
eapol multihost multivlan enable
eapol multihost non-eap-reauthentication-enable
interface Ethernet ALL
eapol multihost port 1-47 enable eap-mac-max 3 non-eap-mac-max 3 radius-non-eap-enable use-radius-assigned-vlan non-eap-use-radius-assigned-vlan eap-packet-mode unicast mac-max 3
exit
interface Ethernet ALL
eapol port 1-47 status auto re-authentication enable re-authentication-period 3300
exit
eapol multihost voip-vlan 1 enable vid 2075
! eapol enable
*** 5650 ***
*** NEAP ***
httpd.aaa(52738) WARN: [mac:a8:20:66:29:95:85] Switch type 'pf::Switch::Avaya::ERS5000_6x' does not support VPN (pf::SwitchSupports::__ANON__)
httpd.aaa(52738) WARN: [mac:a8:20:66:29:95:85] CLI Access is not permit on this switch 172.16.75.56 (pf::radius::switch_access)
RADIUS Request
User-Name = "a82066299585"
User-Password = "******"
NAS-IP-Address = 172.16.75.56
NAS-Port = 19
Service-Type = Login-User
NAS-Port-Type = Ethernet
Event-Timestamp = "Feb 19 2020 14:57:39 AST"
Stripped-User-Name = "a82066299585"
Realm = "null"
FreeRADIUS-Client-IP-Address = 172.16.75.56
PacketFence-KeyBalanced = "e8ef48faa82ab19678f69f55f5f8a242"
PacketFence-Radius-Ip = "10.5.13.25"
Attr-26.562.180 = 0x00000000
Module-Failure-Message = "rest: Server returned:"
Module-Failure-Message = "rest: {\"control:PacketFence-Authorization-Status\":\"allow\",\"Reply-Message\":\"CLI or VPN Access is not allowed by PacketFence on this switch\"}"
SQL-User-Name = "a82066299585"
RADIUS Reply
NIL
*** EAP ***
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] handling radius autz request: from switch_ip => (172.16.75.56), connection_type => Ethernet-EAP,switch_mac => (Unknown), mac => [24:b6:fd:fc:39:ed], port => 27, username => "host/FR-ITS-28381.ad.unb.ca" (pf::radius::authorize)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] is doing machine auth with account 'host/FR-ITS-28381.ad.unb.ca'. (pf::radius::authorize)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Instantiate profile DomainMachines (pf::Connection::ProfileFactory::_from_profile)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Found authentication source(s) : 'UNBDOMAIN-Machines' for realm 'ad.unb.ca' (pf::config::util::filter_authentication_sources)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Using sources UNBDOMAIN-Machines for matching (pf::authentication::match2)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Matched rule (Everyone) in source UNBDOMAIN-Machines, returning actions. (pf::Authentication::Source::match_rule)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Matched rule (Everyone) in source UNBDOMAIN-Machines, returning actions. (pf::Authentication::Source::match)
httpd.aaa(52738) WARN: [mac:24:b6:fd:fc:39:ed] Switch type 'pf::Switch::Avaya::ERS5000_6x' does not support MABFloatingDevices (pf::SwitchSupports::__ANON__)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Found authentication source(s) : 'UNBDOMAIN-Machines' for realm 'ad.unb.ca' (pf::config::util::filter_authentication_sources)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Username was defined "host/FR-ITS-28381.ad.unb.ca" - returning role 'BuildingNet' (pf::role::getRegisteredRole)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] PID: "host/FR-ITS-28381.ad.unb.ca", Status: reg Returned VLAN: (undefined), Role: BuildingNet (pf::role::fetchRoleForNode)
pfqueue(104870) INFO: [mac:unknown] Already did a person lookup for host/FR-ITS-28381.ad.unb.ca (pf::lookup::person::lookup_person)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] (172.16.75.56) Added VLAN 75 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Match rule 1:all&vlan_75 (pf::access_filter::radius::test)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] security_event 1300003 force-closed for 24:b6:fd:fc:39:ed (pf::security_event::security_event_force_close)
httpd.aaa(52738) INFO: [mac:24:b6:fd:fc:39:ed] Instantiate profile DomainMachines (pf::Connection::ProfileFactory::_from_profile)
RADIUS Request
User-Name = "host/FR-ITS-28381.ad.unb.ca"
NAS-IP-Address = 172.16.75.56
NAS-Port = 27
Service-Type = Framed-User
Framed-MTU = 1490
State = 0x0f6e5adf0e674092fcd27d9f3dcc219d
Calling-Station-Id = "24:b6:fd:fc:39:ed"
NAS-Port-Type = Ethernet
Event-Timestamp = "Feb 19 2020 15:00:15 AST"
EAP-Message = 0x020900061a03
FreeRADIUS-Proxied-To = 127.0.0.1
EAP-Type = MSCHAPv2
Realm = "ad.unb.ca"
PacketFence-Domain = "UNBDOMAIN"
PacketFence-KeyBalanced = "911d2640025aa742fc8890e3c5a50b6e"
PacketFence-Radius-Ip = "10.5.13.25"
PacketFence-NTLMv2-Only = ""
Attr-26.562.180 = 0x00000000
User-Password = "******"
SQL-User-Name = "host/FR-ITS-28381.ad.unb.ca"
RADIUS Reply
MS-MPPE-Encryption-Policy = Encryption-Required
MS-MPPE-Encryption-Types = 4
MS-MPPE-Send-Key = 0xf22767034318ab508c8f1147408aecfd
MS-MPPE-Recv-Key = 0x6101d7aca23e0af2f49dd04a85e1aecd
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "host/FR-ITS-28381.ad.unb.ca"
Reply-Message = "Request processed by PacketFence"
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-Id = "75"
Egress-VLANID = 838860875
Tunnel-Type = VLAN
The 5698's configuration for EAP is as follows:
eapol multihost allow-non-eap-enable
eapol multihost radius-non-eap-enable
eapol multihost use-radius-assigned-vlan
eapol multihost non-eap-use-radius-assigned-vlan
eapol multihost eap-packet-mode unicast
eapol multihost multivlan enable
eapol multihost non-eap-reauthentication-enable
interface Ethernet ALL
eapol multihost port 1-47 enable eap-mac-max 3 non-eap-mac-max 3 radius-non-eap-enable use-radius-assigned-vlan non-eap-use-radius-assigned-vlan eap-packet-mode unicast mac-max 3
eapol multihost port 48-98 mac-max 2
exit
interface Ethernet ALL
eapol port 1-47 status auto re-authentication enable re-authentication-period 3300
exit
eapol multihost voip-vlan 1 enable vid 2075
! eapol enable
If I had to guess, the 5600 series switches are not sending the Calling-Station-ID, which they should be for both EAP and NEAP. Does anyone have any guesses where to go from here? Any ideas? A working installation that uses both NEAP and EAP on Avaya/Nortel/Extreme 5500 and 5600 series switches?
To make matters more interesting, I have a working switch that used the Avaya IDE for both NEAP and EAP, and it works great. Copying the configuration from one to the other does not work.
Any information would be helpful.
Cheers,
CHRIS CRAWFORD