From: Peter J. <pac...@sc...> - 2024-09-18 14:04:43
Why SNMP? That should not be needed for assigning VLANs through RADIUS responses. I cannot find the log where the full RADIUS parameters are present; more on this further down in this mail. I only have the radius.log, which contains the following, which tells me that I am authenticated:

2024-09-18T15:49:35.306664+02:00 packetfence-14 auth[148051]: (132) Login OK: [test03@mydomain.local] (from client 10.249.179.179/32 port 50102 cli 50:00:00:04:00:00 via TLS tunnel)
2024-09-18T15:49:35.316789+02:00 packetfence-14 auth[148051]: (133) Login OK: [test03@mydomain.local] (from client 10.249.179.179/32 port 50102 cli 50:00:00:04:00:00)
2024-09-18T15:50:22.978230+02:00 packetfence-14 auth[148051]: (145) Login OK: [test03@mydomain.local] (from client 10.249.179.179/32 port 50102 cli 50:00:00:04:00:00 via TLS tunnel)
2024-09-18T15:50:22.987215+02:00 packetfence-14 auth[148051]: (146) Login OK: [test03@mydomain.local] (from client 10.249.179.179/32 port 50102 cli 50:00:00:04:00:00)
2024-09-18T15:51:11.071693+02:00 packetfence-14 auth[148051]: (159) Login OK: [test03@mydomain.local] (from client 10.249.179.179/32 port 50102 cli 50:00:00:04:00:00 via TLS tunnel)
2024-09-18T15:51:11.080839+02:00 packetfence-14 auth[148051]: (160) Login OK: [test03@mydomain.local] (from client 10.249.179.179/32 port 50102 cli 50:00:00:04:00:00)
2024-09-18T15:51:58.847027+02:00 packetfence-14 auth[148051]: Adding client 10.249.179.179/32
2024-09-18T15:51:58.983924+02:00 packetfence-14 auth[148051]: (172) Login OK: [test03@mydomain.local] (from client 10.249.179.179/32 port 50102 cli 50:00:00:04:00:00 via TLS tunnel)
2024-09-18T15:51:58.992849+02:00 packetfence-14 auth[148051]: (173) Login OK: [test03@mydomain.local] (from client 10.249.179.179/32 port 50102 cli 50:00:00:04:00:00)

The packetfence.log states that I am hitting realm default. In realm default I have selected the, and there are no rules, and the role has already been computed, and the returned VLAN is undefined.

So even though I have the role by VLAN ID, I have made the connection profile with the following and selected the correct authentication source under Sources. The user bind is being validated through the test button under the connection profile, and the authentication rules are simple: I am still not getting the role selected.

2024-09-18T15:51:11.039159+02:00 packetfence-14 httpd.aaa-docker-wrapper[2940]: httpd.aaa(7) INFO: [mac:50:00:00:04:00:00] Instantiate profile mydomain-Users (pf::Connection::ProfileFactory::_from_profile)
2024-09-18T15:51:11.054188+02:00 packetfence-14 httpd.aaa-docker-wrapper[2940]: httpd.aaa(7) INFO: [mac:50:00:00:04:00:00] Found authentication source(s) : '' for realm 'default' (pf::config::util::filter_authentication_sources)
2024-09-18T15:51:11.054188+02:00 packetfence-14 httpd.aaa-docker-wrapper[2940]: httpd.aaa(7) INFO: [mac:50:00:00:04:00:00] No rules matches or no category defined for the node, set it as unreg. (pf::role::getNodeInfoForAutoReg)
2024-09-18T15:51:11.054188+02:00 packetfence-14 httpd.aaa-docker-wrapper[2940]: httpd.aaa(7) WARN: [mac:50:00:00:04:00:00] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
2024-09-18T15:51:11.059552+02:00 packetfence-14 httpd.aaa-docker-wrapper[2940]: httpd.aaa(7) INFO: [mac:50:00:00:04:00:00] Found authentication source(s) : '' for realm 'default' (pf::config::util::filter_authentication_sources)
2024-09-18T15:51:11.059552+02:00 packetfence-14 httpd.aaa-docker-wrapper[2940]: httpd.aaa(7) INFO: [mac:50:00:00:04:00:00] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
2024-09-18T15:51:11.059552+02:00 packetfence-14 httpd.aaa-docker-wrapper[2940]: httpd.aaa(7) WARN: [mac:50:00:00:04:00:00] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489.
2024-09-18T15:51:11.059552+02:00 packetfence-14 httpd.aaa-docker-wrapper[2940]: httpd.aaa(7) INFO: [mac:50:00:00:04:00:00] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
2024-09-18T15:51:11.059552+02:00 packetfence-14 httpd.aaa-docker-wrapper[2940]: httpd.aaa(7) INFO: [mac:50:00:00:04:00:00] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
2024-09-18T15:51:11.060664+02:00 packetfence-14 httpd.aaa-docker-wrapper[2940]: httpd.aaa(7) WARN: [mac:50:00:00:04:00:00] Use of uninitialized value $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 683.
2024-09-18T15:51:11.060664+02:00 packetfence-14 httpd.aaa-docker-wrapper[2940]: httpd.aaa(7) WARN: [mac:50:00:00:04:00:00] Use of uninitialized value $name in exists at /usr/local/pf/lib/pf/Switch.pm line 717.
2024-09-18T15:51:11.061122+02:00 packetfence-14 httpd.aaa-docker-wrapper[2940]: httpd.aaa(7) WARN: [mac:50:00:00:04:00:00] Use of uninitialized value $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 690.
2024-09-18T15:51:11.061122+02:00 packetfence-14 httpd.aaa-docker-wrapper[2940]: httpd.aaa(7) WARN: [mac:50:00:00:04:00:00] No parameter Vlan found in conf/switches.conf for the switch 10.249.179.179 (pf::Switch::getVlanByName)
2024-09-18T15:51:11.063646+02:00 packetfence-14 httpd.aaa-docker-wrapper[2940]: httpd.aaa(7) WARN: [mac:50:00:00:04:00:00] Use of uninitialized value $roleName in hash element at /usr/local/pf/lib/pf/Switch.pm line 640.
2024-09-18T15:51:11.063646+02:00 packetfence-14 httpd.aaa-docker-wrapper[2940]: httpd.aaa(7) WARN: [mac:50:00:00:04:00:00] Use of uninitialized value $name in exists at /usr/local/pf/lib/pf/Switch.pm line 661.
2024-09-18T15:51:11.063646+02:00 packetfence-14 httpd.aaa-docker-wrapper[2940]: httpd.aaa(7) WARN: [mac:50:00:00:04:00:00] Use of uninitialized value $roleName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 647.
2024-09-18T15:51:11.063646+02:00 packetfence-14 httpd.aaa-docker-wrapper[2940]: httpd.aaa(7) WARN: [mac:50:00:00:04:00:00] No parameter Role found in conf/switches.conf for the switch 10.249.179.179 (pf::Switch::getRoleByName)
2024-09-18T15:51:11.068254+02:00 packetfence-14 httpd.aaa-docker-wrapper[2940]: httpd.aaa(7) INFO: [mac:50:00:00:04:00:00] security_event 1300003 force-closed for 50:00:00:04:00:00 (pf::security_event::security_event_force_close)
2024-09-18T15:51:11.068685+02:00 packetfence-14 httpd.aaa-docker-wrapper[2940]: httpd.aaa(7) INFO: [mac:50:00:00:04:00:00] Instantiate profile mydomain-Users (pf::Connection::ProfileFactory::_from_profile)

I cannot see where I have made a mistake, but it is not working for me on both virtual and physical switches.

Final note: I have tried to find the RADIUS request log, but without any luck. I tried to grep for the NAS-IP-Address in both the OS logs and the PF logs, and tested the grep command with the username I am testing with.

root@packetfence-14:/usr/local/pf/logs# grep -rni 'NAS-IP-Address' /usr/local/pf/logs/*
root@packetfence-14:/usr/local/pf/logs# grep -rni 'NAS-IP-Address' /var/log/*
root@packetfence-14:/usr/local/pf/logs#
root@packetfence-14:/usr/local/pf/logs# grep -rni 'test01' /usr/local/pf/logs/*
/usr/local/pf/logs/radius.log:163:2024-09-17T19:55:31.623353+02:00 packetfence-14 auth[55935]: (2) Login incorrect (eap: rlm_eap (EAP): No EAP session matching state 0xfc3b8a28fc399384): [test01@mydomain.local] (from client 10.249.179.179/32 port 50102 cli 50:00:00:04:00:00)

So any pointers would be helpful :-)

Thanks in advance
\Peter

On 16/09/2024 20.12, Rein van ‘t Veer via PacketFence-users wrote:
> A few things: check if SNMP traffic is working from PacketFence to the switch.
>
> Also check the RADIUS return logs to see if the VLAN is returned. This is easy in the web interface. Under Auditing; RADIUS logs you can see the full return strings from PacketFence.
>
> Example:
>
> RADIUS Request
> Airespace-Wlan-Id = "1", Called-Station-Id = "d4:6d:50:e3:ae:e0:Samvaerket-guests", Called-Station-SSID = "Samvaerket-guests", Calling-Station-Id = "e6:63:3c:fb:8a:dc", Cisco-AVPair = "service-type=Call Check", Cisco-AVPair = "audit-session-id=1400330A0004884BFC03D52A", Cisco-AVPair = "method=mab", Cisco-AVPair = "client-iif-id=1073747193", Cisco-AVPair = "vlan-id=498", Cisco-AVPair = "cisco-wlan-ssid=Samvaerket-guests", Cisco-AVPair = "wlan-profile-name=Samvaerket-guests", Event-Timestamp = "Sep 16 2024 20:06:35 CEST", Framed-MTU = "1485", FreeRADIUS-Client-IP-Address = "10.51.0.20", Message-Authenticator = "0xaf1468be12d6bb5e7c6a432fa81225ef", NAS-IP-Address = "10.51.0.20", NAS-Identifier = "WLC", NAS-Port = "51012", NAS-Port-Id = "capwap_90000006", NAS-Port-Type = "Wireless-802.11", PacketFence-KeyBalanced = "c2acf8e4cbb314039e027c04672c5bd4", PacketFence-Radius-Ip = "10.51.0.11", Realm = "null", Service-Type = "Call-Check", Stripped-User-Name = "e6633cfb8adc", User-Name = "e6633cfb8adc", User-Password = "******"
>
> RADIUS Reply
> REST-HTTP-Status-Code = "200", Tunnel-Medium-Type = "IEEE-802", Tunnel-Private-Group-Id = "500", Tunnel-Type = "VLAN"
>
> Once you have verified the VLAN is returned you can see what the switch is doing with the request.
> Sent from my iPhone
>
>> On 16 Sep 2024, at 16.43, Peter Jensen via PacketFence-users <pac...@li...> wrote:
>>
>> Hello,
>>
>> I’m currently working on a PacketFence setup and having trouble with the dynamic VLAN assignment. Authentication is functioning correctly (verified via logs), and the switch confirms that 802.1X authentication is successful. However, VLAN assignment is not working as expected.
>>
>> Here’s a summary of my setup and the steps I’ve taken:
>>
>> • I have added the switch and enabled Role Mapping by VLAN ID, assigning the correct VLAN ID.
>> • I created an Authentication Source with Authentication Rules using the memberof condition and the full DN of the LDAP group. This has been tested with and without any conditions, with the same result.
>> • The issue persists where no VLAN is assigned after successful authentication.
>>
>> Logs
>>
>> Below are some logs that may help diagnose the issue:
>>
>> *packetfence.log*
>>
>> 2024-09-16T15:57:44.791790+02:00 packetfence-14 httpd.aaa-docker-wrapper[3036]: httpd.aaa(7) INFO: [mac:00:e0:4c:68:08:27] Instantiate profile 8021x (pf::Connection::ProfileFactory::_from_profile)
>> 2024-09-16T15:57:44.809341+02:00 packetfence-14 httpd.aaa-docker-wrapper[3036]: httpd.aaa(7) INFO: [mac:00:e0:4c:68:08:27] Found authentication source(s) : '' for realm 'null' (pf::config::util::filter_authentication_sources)
>> 2024-09-16T15:57:44.809463+02:00 packetfence-14 httpd.aaa-docker-wrapper[3036]: httpd.aaa(7) INFO: [mac:00:e0:4c:68:08:27] No rules matches or no category defined for the node, set it as unreg. (pf::role::getNodeInfoForAutoReg)
>> 2024-09-16T15:57:44.809463+02:00 packetfence-14 httpd.aaa-docker-wrapper[3036]: httpd.aaa(7) WARN: [mac:00:e0:4c:68:08:27] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
>> 2024-09-16T15:57:44.814522+02:00 packetfence-14 httpd.aaa-docker-wrapper[3036]: httpd.aaa(7) INFO: [mac:00:e0:4c:68:08:27] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
>> 2024-09-16T15:57:44.814864+02:00 packetfence-14 httpd.aaa-docker-wrapper[3036]: httpd.aaa(7) WARN: [mac:00:e0:4c:68:08:27] No parameter Vlan found in conf/switches.conf for the switch 192.168.188.212 (pf::Switch::getVlanByName)
>>
>> *radius.log*
>>
>> 2024-09-16T15:57:44.258471+02:00 packetfence-14 auth[91590]: Adding client 192.168.188.212/32
>> 2024-09-16T15:57:44.827353+02:00 packetfence-14 auth[91590]: (42) Login OK: [test01] (from client 192.168.188.212/32 port 50004 cli 00:e0:4c:68:08:27 via TLS tunnel)
>> 2024-09-16T15:57:44.837698+02:00 packetfence-14 auth[91590]: (43) Login OK: [test01] (from client 192.168.188.212/32 port 50004 cli 00:e0:4c:68:08:27)
>>
>> What I’ve Tried:
>>
>> • Confirmed that the authentication source is correctly configured, using an LDAP group with the full DN in the rule.
>> • Verified that the switch is properly configured for 802.1X and dynamic VLAN assignment.
>> • Examined the PacketFence configuration for role mapping and VLAN settings, but the VLAN remains undefined after authentication.
>>
>> Environment:
>>
>> • PacketFence version: 14
>> • Switch model and firmware:
>>   vios_l2-ADVENTERPRISEK9-M), Experimental Version 15.2(20200924:215240
>>   C3560 Software (C3560-IPBASE-M), Version 12.2(35)SE5
>> • Authentication source: Active Directory
>> • OS of PacketFence server: Debian 12
>>
>> Any help or direction on how to resolve this VLAN assignment issue would be appreciated! Has anyone encountered something similar?
>>
>> Thanks in advance.
>>
>> Best regards,
>> [Your Name]
>>
>> _______________________________________________
>> PacketFence-users mailing list
>> Pac...@li...
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
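The thread above boils down to two checks: does packetfence.log show a role and VLAN actually being computed for the client MAC after radius.log reports "Login OK", and does the RADIUS reply (as shown under Auditing in the web interface) carry the Tunnel-* VLAN attributes. The script below is an added triage helper written for this page; it is not part of the thread and not PacketFence code. It assumes only the line formats quoted above (radius.log "Login OK" lines, httpd.aaa lines tagged with "[mac:...]", and the "Attr = "value"" reply string), and the regexes, function names and diagnosis strings are my own. The sample input is constructed from lines posted in the thread.

```python
"""Triage 'authenticated but no VLAN returned' from PacketFence logs.

Added example for this thread; not PacketFence code. Assumes the log line
formats quoted in the thread. Run it as a script to see the diagnosis, or
feed real lines from radius.log and packetfence.log to triage().
"""
import re
from collections import defaultdict

# radius.log: "(159) Login OK: [user] (from client 10.0.0.1/32 port 50102 cli aa:bb:... via TLS tunnel)"
LOGIN_OK = re.compile(
    r"Login OK: \[(?P<user>[^\]]+)\] \(from client (?P<nas>[\d.]+)/\d+ "
    r"port \d+ cli (?P<mac>[0-9a-fA-F:]{17})"
)
# packetfence.log httpd.aaa lines carry the client MAC as "[mac:aa:bb:cc:dd:ee:ff]"
PF_LINE = re.compile(r"\[mac:(?P<mac>[0-9a-fA-F:]{17})\] (?P<msg>.*)$")
SOURCES = re.compile(
    r"Found authentication source\(s\) : '(?P<sources>[^']*)' for realm '(?P<realm>[^']*)'"
)
FETCH = re.compile(r"Returned VLAN: \((?P<vlan>[^)]*)\), Role: \((?P<role>[^)]*)\)")
NO_PARAM = re.compile(
    r"No parameter (?P<param>Vlan|Role) found in conf/switches\.conf for the switch (?P<switch>[\d.]+)"
)
# Attribute pairs as shown in the Auditing > RADIUS logs view: Attr = "value"
AVP = re.compile(r'(?P<attr>[\w-]+) = "(?P<val>[^"]*)"')


def triage(lines):
    """Correlate radius.log and packetfence.log lines per client MAC."""
    state = defaultdict(lambda: {
        "auth_ok": False, "user": None, "nas": None, "realm": None,
        "sources": None, "vlan": None, "role": None, "missing_params": set(),
    })
    for line in lines:
        m = LOGIN_OK.search(line)
        if m:
            s = state[m["mac"].lower()]
            s["auth_ok"], s["user"], s["nas"] = True, m["user"], m["nas"]
            continue
        m = PF_LINE.search(line)
        if not m:
            continue
        s = state[m["mac"].lower()]
        msg = m["msg"]
        if (sm := SOURCES.search(msg)):
            s["realm"], s["sources"] = sm["realm"], sm["sources"]
        elif (fm := FETCH.search(msg)):
            s["vlan"], s["role"] = fm["vlan"], fm["role"]
        elif (nm := NO_PARAM.search(msg)):
            s["missing_params"].add((nm["param"], nm["switch"]))
    return dict(state)


def findings(state):
    """Per-MAC list of diagnosis strings; an empty list means nothing suspicious."""
    out = {}
    for mac, s in state.items():
        notes = []
        if s["auth_ok"]:
            if s["vlan"] is None:
                notes.append("authenticated but no fetchRoleForNode decision logged")
            elif s["vlan"] == "undefined":
                notes.append("authenticated but Returned VLAN is undefined")
        if s["sources"] == "":
            # Empty source list: no authentication source is attached to this realm,
            # so no rule can ever produce a role for the user.
            notes.append(f"no authentication source attached to realm '{s['realm']}'")
        for param, switch in sorted(s["missing_params"]):
            notes.append(f"switch {switch}: '{param}' lookup in switches.conf ran with no role/VLAN name")
        out[mac] = notes
    return out


def reply_vlan(reply_text):
    """VLAN id carried by a RADIUS reply string, or None if the reply assigns no VLAN."""
    avps = dict(AVP.findall(reply_text))
    if avps.get("Tunnel-Type") == "VLAN" and avps.get("Tunnel-Medium-Type") == "IEEE-802":
        return avps.get("Tunnel-Private-Group-Id")
    return None


# Constructed sample input, taken from the lines posted in the thread.
SAMPLE_LINES = [
    "2024-09-18T15:51:11.071693+02:00 packetfence-14 auth[148051]: (159) Login OK: [test03@mydomain.local] (from client 10.249.179.179/32 port 50102 cli 50:00:00:04:00:00 via TLS tunnel)",
    "2024-09-18T15:51:11.054188+02:00 packetfence-14 httpd.aaa-docker-wrapper[2940]: httpd.aaa(7) INFO: [mac:50:00:00:04:00:00] Found authentication source(s) : '' for realm 'default' (pf::config::util::filter_authentication_sources)",
    "2024-09-18T15:51:11.059552+02:00 packetfence-14 httpd.aaa-docker-wrapper[2940]: httpd.aaa(7) INFO: [mac:50:00:00:04:00:00] PID: \"default\", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)",
    "2024-09-18T15:51:11.061122+02:00 packetfence-14 httpd.aaa-docker-wrapper[2940]: httpd.aaa(7) WARN: [mac:50:00:00:04:00:00] No parameter Vlan found in conf/switches.conf for the switch 10.249.179.179 (pf::Switch::getVlanByName)",
]
SAMPLE_REPLY = 'REST-HTTP-Status-Code = "200", Tunnel-Medium-Type = "IEEE-802", Tunnel-Private-Group-Id = "500", Tunnel-Type = "VLAN"'

if __name__ == "__main__":
    for mac, notes in findings(triage(SAMPLE_LINES)).items():
        print(mac, "->", notes or ["looks fine"])
    print("reply VLAN:", reply_vlan(SAMPLE_REPLY))
```

For the lines quoted in the thread the output names the three things to look at: the user authenticated but the VLAN came back undefined, the realm had an empty source list, and the switches.conf lookup ran without a VLAN name. A reply string that does carry Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-Id is reported with its VLAN id, which is the confirmation step Rein describes before looking at what the switch does with the reply.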