From: Peter J. <pac...@sc...> - 2024-09-19 20:28:20
Switch still fails with getting VLAN. Authentication works, but no VLAN. To add more info: pftest works as expected.

root@packetfence-14:/usr/local/pf/bin# ./pftest authentication "test01" "xxxxxxxx" "mydomain-Users"
Testing authentication for "test01"

Authenticating against 'mydomain-Users' in context 'admin'
  Authentication SUCCEEDED against mydomain-Users (Authentication successful.)
  Matched against mydomain-Users for 'authentication' rule VLAN_111
    set_role : VLAN_111
    set_access_duration : 1h
  Did not match against mydomain-Users for 'administration' rules

Authenticating against 'mydomain-Users' in context 'portal'
  Authentication SUCCEEDED against mydomain-Users (Authentication successful.)
  Matched against mydomain-Users for 'authentication' rule VLAN_111
    set_role : VLAN_111
    set_access_duration : 1h
  Did not match against mydomain-Users for 'administration' rules

On 16/09/2024 20.12, Rein van ‘t Veer via PacketFence-users wrote:
> A few things: check if SNMP traffic is working from PacketFence to the switch.
>
> Also check the RADIUS return logs to see if the VLAN is returned. This is easy in the web interface. Under Auditing; RADIUS logs you can see the full return strings from PacketFence.
>
> Example:
>
> RADIUS Request
> Airespace-Wlan-Id = "1", Called-Station-Id = "d4:6d:50:e3:ae:e0:Samvaerket-guests", Called-Station-SSID = "Samvaerket-guests", Calling-Station-Id = "e6:63:3c:fb:8a:dc", Cisco-AVPair = "service-type=Call Check", Cisco-AVPair = "audit-session-id=1400330A0004884BFC03D52A", Cisco-AVPair = "method=mab", Cisco-AVPair = "client-iif-id=1073747193", Cisco-AVPair = "vlan-id=498", Cisco-AVPair = "cisco-wlan-ssid=Samvaerket-guests", Cisco-AVPair = "wlan-profile-name=Samvaerket-guests", Event-Timestamp = "Sep 16 2024 20:06:35 CEST", Framed-MTU = "1485", FreeRADIUS-Client-IP-Address = "10.51.0.20", Message-Authenticator = "0xaf1468be12d6bb5e7c6a432fa81225ef", NAS-IP-Address = "10.51.0.20", NAS-Identifier = "WLC", NAS-Port = "51012", NAS-Port-Id = "capwap_90000006", NAS-Port-Type = "Wireless-802.11", PacketFence-KeyBalanced = "c2acf8e4cbb314039e027c04672c5bd4", PacketFence-Radius-Ip = "10.51.0.11", Realm = "null", Service-Type = "Call-Check", Stripped-User-Name = "e6633cfb8adc", User-Name = "e6633cfb8adc", User-Password = "******"
>
> RADIUS Reply
> REST-HTTP-Status-Code = "200", Tunnel-Medium-Type = "IEEE-802", Tunnel-Private-Group-Id = "500", Tunnel-Type = "VLAN"
>
> Once you have verified the VLAN is returned you can see what the switch is doing with the request.
>
> Sent from my iPhone
>
>> On 16 Sep 2024, at 16.43, Peter Jensen via PacketFence-users <pac...@li...> wrote:
>>
>> Hello,
>>
>> I’m currently working on a PacketFence setup and having trouble with the dynamic VLAN assignment. Authentication is functioning correctly (verified via logs), and the switch confirms that 802.1X authentication is successful. However, VLAN assignment is not working as expected.
>>
>> Here’s a summary of my setup and the steps I’ve taken:
>>
>> • I have added the switch and enabled Role Mapping by VLAN ID, assigning the correct VLAN ID.
>> • I created an Authentication Source with Authentication Rules using the memberof condition and the full DN of the LDAP group. This has been tested with and without any conditions, with the same result.
>> • The issue persists where no VLAN is assigned after successful authentication.
>>
>> Logs
>>
>> Below are some logs that may help diagnose the issue:
>>
>> *packetfence.log*
>>
>> 2024-09-16T15:57:44.791790+02:00 packetfence-14 httpd.aaa-docker-wrapper[3036]: httpd.aaa(7) INFO: [mac:00:e0:4c:68:08:27] Instantiate profile 8021x (pf::Connection::ProfileFactory::_from_profile)
>> 2024-09-16T15:57:44.809341+02:00 packetfence-14 httpd.aaa-docker-wrapper[3036]: httpd.aaa(7) INFO: [mac:00:e0:4c:68:08:27] Found authentication source(s) : '' for realm 'null' (pf::config::util::filter_authentication_sources)
>> 2024-09-16T15:57:44.809463+02:00 packetfence-14 httpd.aaa-docker-wrapper[3036]: httpd.aaa(7) INFO: [mac:00:e0:4c:68:08:27] No rules matches or no category defined for the node, set it as unreg. (pf::role::getNodeInfoForAutoReg)
>> 2024-09-16T15:57:44.809463+02:00 packetfence-14 httpd.aaa-docker-wrapper[3036]: httpd.aaa(7) WARN: [mac:00:e0:4c:68:08:27] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
>> 2024-09-16T15:57:44.814522+02:00 packetfence-14 httpd.aaa-docker-wrapper[3036]: httpd.aaa(7) INFO: [mac:00:e0:4c:68:08:27] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
>> 2024-09-16T15:57:44.814864+02:00 packetfence-14 httpd.aaa-docker-wrapper[3036]: httpd.aaa(7) WARN: [mac:00:e0:4c:68:08:27] No parameter Vlan found in conf/switches.conf for the switch 192.168.188.212 (pf::Switch::getVlanByName)
>>
>> *radius.log*
>>
>> 2024-09-16T15:57:44.258471+02:00 packetfence-14 auth[91590]: Adding client 192.168.188.212/32
>> 2024-09-16T15:57:44.827353+02:00 packetfence-14 auth[91590]: (42) Login OK: [test01] (from client 192.168.188.212/32 port 50004 cli 00:e0:4c:68:08:27 via TLS tunnel)
>> 2024-09-16T15:57:44.837698+02:00 packetfence-14 auth[91590]: (43) Login OK: [test01] (from client 192.168.188.212/32 port 50004 cli 00:e0:4c:68:08:27)
>>
>> What I’ve Tried:
>>
>> • Confirmed that the authentication source is correctly configured, using an LDAP group with the full DN in the rule.
>> • Verified that the switch is properly configured for 802.1X and dynamic VLAN assignment.
>> • Examined the PacketFence configuration for role mapping and VLAN settings, but the VLAN remains undefined after authentication.
>>
>> Environment:
>>
>> • PacketFence version: 14
>> • Switch model and firmware:
>>   vios_l2-ADVENTERPRISEK9-M), Experimental Version 15.2(20200924:215240
>>   C3560 Software (C3560-IPBASE-M), Version 12.2(35)SE5
>> • Authentication source: Active Directory
>> • OS of PacketFence server: Debian 12
>>
>> Any help or direction on how to resolve this VLAN assignment issue would be appreciated! Has anyone encountered something similar?
>>
>> Thanks in advance.
>>
>> Best regards,
>> [Your Name]
>>
>> _______________________________________________
>> PacketFence-users mailing list
>> Pac...@li...
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
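The two checks the thread turns on are (a) whether the RADIUS reply actually carries the dynamic-VLAN attribute triple that Rein's Auditing example shows, and (b) which packetfence.log messages explain why it does not. The following script is an added example written for this page; it is not part of the thread and not PacketFence's own code. It assumes the `Name = "value", Name = "value"` attribute format of the Auditing > RADIUS log entries quoted above, and the symptom patterns and sample lines are copied from the log excerpts in the thread; the one-line explanations attached to each pattern are my own reading of the message text, not PacketFence documentation.

```python
import re
from typing import Optional

# One `Name = "value"` pair, as rendered in the PacketFence RADIUS audit view
# (assumption: values are double-quoted, names use letters, digits, hyphens).
_ATTR_RE = re.compile(r'([A-Za-z0-9-]+)\s*=\s*"([^"]*)"')


def parse_radius_attrs(text: str) -> list:
    """Split an audit-log attribute string into (name, value) pairs.

    A list is returned instead of a dict because attributes such as
    Cisco-AVPair legitimately repeat within one request."""
    return _ATTR_RE.findall(text)


def returned_vlan(reply: str) -> Optional[str]:
    """Return the VLAN id a RADIUS Access-Accept assigns, or None.

    Dynamic VLAN assignment (RFC 3580) needs all three attributes:
    Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802 and a numeric
    Tunnel-Private-Group-Id. A reply missing any of them is reported as
    "no VLAN returned", which is the case Rein tells the poster to rule out."""
    attrs = dict(parse_radius_attrs(reply))
    if attrs.get("Tunnel-Type") != "VLAN":
        return None
    if attrs.get("Tunnel-Medium-Type") != "IEEE-802":
        return None
    vlan = attrs.get("Tunnel-Private-Group-Id")
    if vlan is None or not vlan.isdigit():
        return None
    return vlan


# Symptom patterns taken from the packetfence.log lines quoted in the thread.
# The explanation strings are my own summary of what each message says.
_SYMPTOMS = [
    (re.compile(r"Found authentication source\(s\) : ''"),
     "no authentication source was selected for this realm (empty source list)"),
    (re.compile(r"returning node based role ''"),
     "no role was computed for the user, so the role-to-VLAN lookup has nothing to map"),
    (re.compile(r"No parameter \w*Vlan found in conf/switches\.conf for the switch (\S+)"),
     "switch entry in switches.conf has no VLAN parameter for the computed role"),
]

_MAC_RE = re.compile(r"\[mac:([0-9a-fA-F:]+)\]")


def scan_pf_log(lines) -> list:
    """Return (mac, explanation) tuples for every log line matching a symptom."""
    findings = []
    for line in lines:
        m = _MAC_RE.search(line)
        mac = m.group(1) if m else "?"
        for pattern, why in _SYMPTOMS:
            if pattern.search(line):
                findings.append((mac, why))
    return findings


# Constructed sample input: the RADIUS Reply from Rein's example and the
# packetfence.log excerpt from the original post, both copied from the thread.
SAMPLE_REPLY = ('REST-HTTP-Status-Code = "200", Tunnel-Medium-Type = "IEEE-802", '
                'Tunnel-Private-Group-Id = "500", Tunnel-Type = "VLAN"')

SAMPLE_PF_LOG = [
    "2024-09-16T15:57:44.791790+02:00 packetfence-14 httpd.aaa-docker-wrapper[3036]: httpd.aaa(7) INFO: [mac:00:e0:4c:68:08:27] Instantiate profile 8021x (pf::Connection::ProfileFactory::_from_profile)",
    "2024-09-16T15:57:44.809341+02:00 packetfence-14 httpd.aaa-docker-wrapper[3036]: httpd.aaa(7) INFO: [mac:00:e0:4c:68:08:27] Found authentication source(s) : '' for realm 'null' (pf::config::util::filter_authentication_sources)",
    "2024-09-16T15:57:44.809463+02:00 packetfence-14 httpd.aaa-docker-wrapper[3036]: httpd.aaa(7) INFO: [mac:00:e0:4c:68:08:27] No rules matches or no category defined for the node, set it as unreg. (pf::role::getNodeInfoForAutoReg)",
    "2024-09-16T15:57:44.809463+02:00 packetfence-14 httpd.aaa-docker-wrapper[3036]: httpd.aaa(7) WARN: [mac:00:e0:4c:68:08:27] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)",
    "2024-09-16T15:57:44.814522+02:00 packetfence-14 httpd.aaa-docker-wrapper[3036]: httpd.aaa(7) INFO: [mac:00:e0:4c:68:08:27] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)",
    "2024-09-16T15:57:44.814864+02:00 packetfence-14 httpd.aaa-docker-wrapper[3036]: httpd.aaa(7) WARN: [mac:00:e0:4c:68:08:27] No parameter Vlan found in conf/switches.conf for the switch 192.168.188.212 (pf::Switch::getVlanByName)",
]

if __name__ == "__main__":
    print("VLAN in sample reply:", returned_vlan(SAMPLE_REPLY))
    for mac, why in scan_pf_log(SAMPLE_PF_LOG):
        print(f"{mac}: {why}")
```

Run against the thread's own data it reports VLAN 500 for Rein's reply and three findings for the poster's log, which is the order to work through them: first the empty authentication-source list for realm 'null', then the empty role, and only then the missing VLAN parameter for the switch.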