(0001814) fgaudreault 2011-01-18 11:34 (edited on: 2011-01-18 11:36)
- 802.1X is activated and we receive a security or an up/down trap. What happens?
** PF sets the port to the MAC Detection VLAN and tries to get the MAC address on the ifIndex, but fails:
Jan 18 11:19:26 pfsetvlan(1) INFO: up trap received on 10.0.0.2 ifIndex 10004 (main::handleTrap)
Jan 18 11:19:26 pfsetvlan(1) INFO: setting 10.0.0.2 port 10004 to MAC detection VLAN (main::handleTrap)
Jan 18 11:21:33 pfsetvlan(5) WARN: couldn't get MAC at ifIndex 10004. This is a problem. (pf::SNMP::_getMacAtIfIndex)
Jan 18 11:21:33 pfsetvlan(5) WARN: Tried to grab MAC address at ifIndex 10004 on switch 10.0.0.2 30 times and failed (main::handleTrap)
Jan 18 11:21:33 pfsetvlan(5) INFO: cannot find MAC (maybe we found a VoIP, but they don't count here). Do nothing (main::handleTrap)
Jan 18 11:21:33 pfsetvlan(5) INFO: finished (main::cleanupAfterThread)
- Test the RLM_MODULE_USERLOCK return if the user must be kicked out (does this work?)
** Yes. The device is not able to log in, and doesn't retry.
On Wired (802.1X):
++[perl] returns userlock
} # server inner-tunnel
[peap] Got tunneled reply code 3
Tunnel-Private-Group-Id:0 = "10"
User-Name = "username"
EAP-Message = 0x03080004
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
Tunnel-Private-Group-Id:0 = "10"
User-Name = "username"
EAP-Message = 0x03080004
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
On Wireless:
++[perl] returns userlock
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> 00-23-6c-db-b2-81
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_re
- Switch doesn't exist in switches.conf: what happens?
** The VLAN could not be determined by the rlm_perl script, so the status returned by PF is 1:
Odd number of elements in hash assignment at /etc/raddb/packetfence.pm line 173 (0000001)
(W misc) You specified an odd number of elements to initialize a hash,
which is odd, because hashes come in key/value pairs.
Use of uninitialized value in list assignment at /etc/raddb/packetfence.pm line
173 (0000002)
(W uninitialized) An undefined value was used as if it were already
defined. It was interpreted as a "" or a 0, but maybe it was a mistake.
To suppress this warning assign a defined value to your variables.
To help you figure out what was undefined, perl tells you what operation
you used the undefined value in. Note, however, that perl optimizes your
program and the operation displayed in the warning may not necessarily
appear literally in your program. For example, "that $foo" is
usually optimized into "that " . $foo, and the warning will refer to
the concatenation (.) operator, even though there is no . in your
program.
rlm_perl: PacketFence RESULT VLAN COULD NOT BE DETERMINED
rlm_perl: PacketFence RESULT RESPONSE CODE: 1 (2 means OK)
- Switch doesn't exist in /etc/raddb/clients.conf: what happens?
** RADIUS denies the connection, and the user gets authentication failed.
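An added Perl illustration (not PacketFence's own packetfence.pm) of the "Odd number of elements in hash assignment" failure seen above when the switch is missing from switches.conf, beside a guarded variant that logs the cause and returns RLM_MODULE_FAIL deliberately. The %switches table, the lookup_vlan_unguarded and authorize_guarded subroutines, and the 10.0.0.3 address are constructed assumptions; the return-code values are the FreeRADIUS rlm_perl ones the note quotes (1 fail, 2 OK).

```perl
#!/usr/bin/perl
# Constructed example: reproduces the two Perl warnings from the note and
# shows the guarded pattern. Not PacketFence code.
use strict;
use warnings;

# rlm_perl return codes used by FreeRADIUS (2 means OK, 1 means FAIL).
use constant { RLM_MODULE_FAIL => 1, RLM_MODULE_OK => 2 };

# Constructed stand-in for switches.conf: only 10.0.0.2 is configured.
my %switches = ( '10.0.0.2' => { mac_detection_vlan => 10 } );

# Hypothetical lookup that returns (key => value) for a known switch and a
# bare undef otherwise. Assigning that single undef straight into a hash is
# what produces "Odd number of elements in hash assignment" together with
# "Use of uninitialized value in list assignment".
sub lookup_vlan_unguarded {
    my ($switch_ip) = @_;
    return undef unless exists $switches{$switch_ip};
    return ( vlan => $switches{$switch_ip}{mac_detection_vlan} );
}

# Guarded variant: an unknown switch is reported explicitly and the caller
# receives a return code instead of a half-initialised hash.
sub authorize_guarded {
    my ($switch_ip) = @_;
    my $switch = $switches{$switch_ip};
    if ( !defined $switch ) {
        warn "PacketFence RESULT VLAN COULD NOT BE DETERMINED "
           . "(switch $switch_ip not in switches.conf)\n";
        return RLM_MODULE_FAIL;
    }
    my %reply = ( vlan => $switch->{mac_detection_vlan} );
    return ( RLM_MODULE_OK, \%reply );
}

# Unguarded path for a switch that is not configured: triggers the warnings.
my %bad = lookup_vlan_unguarded('10.0.0.3');

# Guarded path for the same unknown switch, then for the configured one.
my ( $rc, $reply ) = authorize_guarded('10.0.0.3');
print "RESPONSE CODE: $rc (2 means OK)\n";
( $rc, $reply ) = authorize_guarded('10.0.0.2');
print "RESPONSE CODE: $rc vlan=$reply->{vlan}\n";
```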