PacketFence - BTS - PacketFence
View Issue Details
ID: 0001843
Project: PacketFence
Category: 802.1x
View Status: public
Date Submitted: 2014-11-27 06:20
Last Update: 2015-02-18 10:49
Reporter: ccaaajf
Assigned To: lmunro
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: won't fix
Platform: Linux
OS: RHEL / CentOS
OS Version: 6
Product Version: 4.5.0
 
0001843: Huawei 802.1x not changing pvid.
I'm using version 4.5.1 (it's not in the drop-down menu yet)
Switch: Huawei - S5700-28C-PWR-SI

The port is being enabled as expected but it's not changing the VLAN. The RADIUS log suggests it is sending the correct VLAN.

Is there an extra instruction I've missed? I'm happy to produce logs etc.

PVID is 9 and I was trying to switch to VLAN 1.

Follow instructions in description.

Wed Nov 26 13:52:24 2014 : Auth: Login OK: [041e64fc3d4d] (from client 192.168.142.129 port 57348 cli 041e-64fc-3d4d)
Wed Nov 26 13:52:26 2014 : Auth: rlm_perl: Returning vlan 1 to request from 04:1e:64:fc:3d:4d port 57348
Wed Nov 26 13:52:37 2014 : Auth: Login OK: [041e64fc3d4d] (from client 192.168.142.129 port 57348 cli 041e-64fc-3d4d)
Issue History
2014-11-27 06:20  ccaaajf  New Issue
2014-11-27 06:34  ccaaajf  Note Added: 0003608
2014-11-27 06:39  ccaaajf  Note Added: 0003609
2014-11-28 11:13  ccaaajf  Note Added: 0003614
2014-11-28 11:14  ccaaajf  Note Added: 0003615
2014-12-04 17:17  lzammit  Note Added: 0003620
2014-12-09 05:10  ccaaajf  Note Added: 0003621
2015-02-18 10:49  lmunro   Note Added: 0003852
2015-02-18 10:49  lmunro   Status: new => closed
2015-02-18 10:49  lmunro   Assigned To: => lmunro
2015-02-18 10:49  lmunro   Resolution: open => won't fix

Notes
(0003608)
ccaaajf   
2014-11-27 06:34   
Forgot to mention: using DOT1x to do MAC authentication.


RADIUS debug mode output:

rad_recv: Access-Request packet from host 192.168.142.129 port 1812, id=71, length=259
        User-Name = "041e64fc3d4d"
        User-Password = "041e64fc3d4d"
        NAS-Port = 57348
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 128.40.70.175
        Calling-Station-Id = "041e-64fc-3d4d"
        NAS-Identifier = "MSSL8K"
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "slot=0;subslot=0;port=14;vlanid=4"
        NAS-IP-Address = 192.168.142.129
        Acct-Session-Id = "MSSL8K00014000000004f4b1ac000950"
        Huawei-Startup-Stamp = 1416936934
        Huawei-IPHost-Addr = "128.40.70.175 04:1e:64:fc:3d:4d"
        Huawei-Connect-ID = 950
        Huawei-Version = "Huawei S5700"
        Huawei-Product-ID = "S5700"
        Huawei-Attr-153 = 0x00000002
server packetfence {
# Executing section authorize from file /usr/local/pf/raddb//sites-enabled/packetfence
+group authorize {
[suffix] No '@' in User-Name = "041e64fc3d4d", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++[preprocess] = ok
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry DEFAULT at line 1
++[files] = ok
++[expiration] = noop
++[logintime] = noop
++update request {
        expand: %{Packet-Src-IP-Address} -> 192.168.142.129
++} # update request = noop
++update control {
++} # update control = noop
rlm_perl: Added pair NAS-Port-Type = Ethernet
rlm_perl: Added pair Acct-Session-Id = MSSL8K00014000000004f4b1ac000950
rlm_perl: Added pair Huawei-Attr-153 = 0x00000002
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Huawei-Product-ID = S5700
rlm_perl: Added pair NAS-IP-Address = 192.168.142.129
rlm_perl: Added pair NAS-Port-Id = slot=0;subslot=0;port=14;vlanid=4
rlm_perl: Added pair Huawei-Startup-Stamp = 1416936934
rlm_perl: Added pair Huawei-Version = Huawei S5700
rlm_perl: Added pair Calling-Station-Id = 041e-64fc-3d4d
rlm_perl: Added pair FreeRADIUS-Client-IP-Address = 192.168.142.129
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Huawei-Connect-ID = 950
rlm_perl: Added pair User-Name = 041e64fc3d4d
rlm_perl: Added pair Huawei-IPHost-Addr = 128.40.70.175 04:1e:64:fc:3d:4d
rlm_perl: Added pair NAS-Identifier = MSSL8K
rlm_perl: Added pair User-Password = 041e64fc3d4d
rlm_perl: Added pair Framed-IP-Address = 128.40.70.175
rlm_perl: Added pair NAS-Port = 57348
rlm_perl: Added pair PacketFence-RPC-Pass =
rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
rlm_perl: Added pair PacketFence-RPC-Proto = http
rlm_perl: Added pair PacketFence-RPC-User =
rlm_perl: Added pair Auth-Type = Accept
rlm_perl: Added pair PacketFence-RPC-Port = 9090
++[packetfence] = noop
+} # group authorize = ok
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Login OK: [041e64fc3d4d] (from client 192.168.142.129 port 57348 cli 041e-64fc-3d4d)
} # server packetfence
# Executing section post-auth from file /usr/local/pf/raddb//sites-enabled/packetfence
+group post-auth {
++[exec] = noop
++? if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP))
? Evaluating !(EAP-Type ) -> TRUE
?? Skipping (EAP-Type != EAP-TTLS )
?? Skipping (EAP-Type != PEAP)
++? if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) -> TRUE
++if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) {
+++update control {
+++} # update control = noop
rlm_perl: Returning vlan 1 to request from 04:1e:64:fc:3d:4d port 57348
rlm_perl: PacketFence RESULT RESPONSE CODE: 2 (2 means OK)
rlm_perl: Added pair NAS-Port-Type = Ethernet
rlm_perl: Added pair Acct-Session-Id = MSSL8K00014000000004f4b1ac000950
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Huawei-Attr-153 = 0x00000002
rlm_perl: Added pair Huawei-Product-ID = S5700
rlm_perl: Added pair NAS-IP-Address = 192.168.142.129
rlm_perl: Added pair NAS-Port-Id = slot=0;subslot=0;port=14;vlanid=4
rlm_perl: Added pair Huawei-Startup-Stamp = 1416936934
rlm_perl: Added pair Huawei-Version = Huawei S5700
rlm_perl: Added pair Calling-Station-Id = 041e-64fc-3d4d
rlm_perl: Added pair FreeRADIUS-Client-IP-Address = 192.168.142.129
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Huawei-Connect-ID = 950
rlm_perl: Added pair User-Name = 041e64fc3d4d
rlm_perl: Added pair Huawei-IPHost-Addr = 128.40.70.175 04:1e:64:fc:3d:4d
rlm_perl: Added pair NAS-Identifier = MSSL8K
rlm_perl: Added pair User-Password = 041e64fc3d4d
rlm_perl: Added pair Framed-IP-Address = 128.40.70.175
rlm_perl: Added pair NAS-Port = 57348
rlm_perl: Added pair Tunnel-Private-Group-ID = 1
rlm_perl: Added pair Tunnel-Type = 13
rlm_perl: Added pair Tunnel-Medium-Type = 6
rlm_perl: Added pair PacketFence-RPC-Pass =
rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
rlm_perl: Added pair PacketFence-RPC-User =
rlm_perl: Added pair PacketFence-RPC-Proto = http
rlm_perl: Added pair Auth-Type = Accept
rlm_perl: Added pair PacketFence-RPC-Port = 9090
+++[packetfence] = ok
++} # if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) = ok
+} # group post-auth = ok
Sending Access-Accept of id 71 to 192.168.142.129 port 1812
        Tunnel-Private-Group-Id:0 = "1"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Accounting-Request packet from host 192.168.142.129 port 1812, id=46, length=226
        User-Name = "041e64fc3d4d"
        NAS-IP-Address = 192.168.142.129
        NAS-Port = 57348
        Framed-IP-Address = 128.40.70.175
        NAS-Identifier = "MSSL8K"
        Acct-Status-Type = Start
        Acct-Session-Id = "MSSL8K00014000000004f4b1ac000950"
        Acct-Authentic = RADIUS
        Event-Timestamp = "Nov 27 2014 11:32:39 GMT"
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "041e-64fc-3d4d"
        NAS-Port-Id = "slot=0;subslot=0;port=14;vlanid=4"
        Framed-Protocol = PPP
        Huawei-IPHost-Addr = "128.40.70.175 04:1e:64:fc:3d:4d"
        Huawei-Connect-ID = 950
        Huawei-Attr-153 = 0x00000002
server packetfence {
# Executing section preacct from file /usr/local/pf/raddb//sites-enabled/packetfence
+group preacct {
++[preprocess] = ok
[acct_unique] Hashing 'NAS-Port = 57348,Client-IP-Address = 192.168.142.129,NAS-IP-Address = 192.168.142.129,Acct-Session-Id = "MSSL8K00014000000004f4b1ac000950",User-Name = "041e64fc3d4d"'
[acct_unique] Acct-Unique-Session-ID = "e138959c26d8c2e6".
++[acct_unique] = ok
[suffix] No '@' in User-Name = "041e64fc3d4d", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++[files] = noop
+} # group preacct = ok
# Executing section accounting from file /usr/local/pf/raddb//sites-enabled/packetfence
+group accounting {
[sql] expand: %{User-Name} -> 041e64fc3d4d
[sql] sql_set_user escaped user --> '041e64fc3d4d'
[sql] expand: %{Acct-Delay-Time} ->
[sql] ... expanding second conditional
[sql] expand: CALL acct_start ( '%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', REPLACE(REPLACE('%{Called-Station-Id}','-',''),':',''), REPLACE(REPLACE('%{Calling-Station-Id}','-',''),':',''), '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}', '%{Acct-Status-Type}') -> CALL acct_start ( 'MSSL8K00014000000004f4b1ac000950', 'e138959c26d8c2e6', '041e64fc3d4d', '', '192.168.142.129', '57348', 'Ethernet', '2014-11-27 11:32:39', NULL, '0', 'RADIUS', '', '', '0', '0', REPLACE(REPLACE('','-',''),':',''), REPLACE(REPLACE('041e-64fc-3d4d','-',''),':',''), '', 'Framed-Us
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): Released sql socket id: 0
++[sql] = ok
[attr_filter.accounting_response] expand: %{User-Name} -> 041e64fc3d4d
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] = updated
++update control {
++} # update control = noop
rlm_perl: PacketFence RESULT RESPONSE CODE: 2 (2 means OK)
rlm_perl: Added pair NAS-Port-Type = Ethernet
rlm_perl: Added pair Acct-Session-Id = MSSL8K00014000000004f4b1ac000950
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Huawei-Attr-153 = 0x00000002
rlm_perl: Added pair Acct-Unique-Session-Id = e138959c26d8c2e6
rlm_perl: Added pair Acct-Authentic = RADIUS
rlm_perl: Added pair Acct-Status-Type = Start
rlm_perl: Added pair NAS-IP-Address = 192.168.142.129
rlm_perl: Added pair NAS-Port-Id = slot=0;subslot=0;port=14;vlanid=4
rlm_perl: Added pair SQL-User-Name = 041e64fc3d4d
rlm_perl: Added pair Calling-Station-Id = 041e-64fc-3d4d
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Huawei-Connect-ID = 950
rlm_perl: Added pair User-Name = 041e64fc3d4d
rlm_perl: Added pair Huawei-IPHost-Addr = 128.40.70.175 04:1e:64:fc:3d:4d
rlm_perl: Added pair NAS-Identifier = MSSL8K
rlm_perl: Added pair Event-Timestamp = Nov 27 2014 11:32:39 GMT
rlm_perl: Added pair Framed-IP-Address = 128.40.70.175
rlm_perl: Added pair NAS-Port = 57348
rlm_perl: Added pair PacketFence-RPC-Pass =
rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
rlm_perl: Added pair PacketFence-RPC-Proto = http
rlm_perl: Added pair PacketFence-RPC-User =
rlm_perl: Added pair PacketFence-RPC-Port = 9090
++[packetfence] = ok
+} # group accounting = updated
} # server packetfence
Sending Accounting-Response of id 46 to 192.168.142.129 port 1812
Finished request 5.
Cleaning up request 5 ID 46 with timestamp +353
Going to the next request
Waking up in 4.6 seconds.
(0003609)
ccaaajf   
2014-11-27 06:39   
packetfence.log

Nov 27 11:32:39 httpd.webservices(3020) INFO: Can't find provisioner for 04:1e:64:fc:3d:4d (pf::vlan::getNormalVlan)
Nov 27 11:32:39 httpd.webservices(3020) INFO: [04:1e:64:fc:3d:4d] Connection type is WIRED_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
Nov 27 11:32:39 httpd.webservices(3020) INFO: [04:1e:64:fc:3d:4d] Username was defined "041e64fc3d4d" - returning user based role 'default' (pf::vlan::getNormalVlan)
Nov 27 11:32:39 httpd.webservices(3020) INFO: [04:1e:64:fc:3d:4d] PID: "admin", Status: reg. Returned VLAN: 1 (pf::vlan::fetchVlanForNode)
Nov 27 11:32:39 httpd.webservices(3020) INFO: [04:1e:64:fc:3d:4d] (192.168.142.129) Returning ACCEPT with VLAN 1 and role (pf::Switch::returnRadiusAccessAccept)
Nov 27 11:36:07 pfcmd.pl(4160) INFO: pidof -x memcached returned 2852 (pf::services::manager::pidFromFile)
Nov 27 11:36:07 pfcmd.pl(4160) INFO: verifying process 2852 (pf::services::manager::removeStalePid)
Nov 27 11:36:07 pfcmd.pl(4160) INFO: pidof -x memcached returned 2852 (pf::services::manager::pidFromFile)
Nov 27 11:36:07 pfcmd.pl(4160) INFO: pidof -x memcached returned 2852 (pf::services::manager::pidFromFile)
Nov 27 11:36:07 pfcmd.pl(4160) INFO: pidof -x httpd.admin returned 2861 (pf::services::manager::pidFromFile)
Nov 27 11:36:07 pfcmd.pl(4160) INFO: verifying process 2861 (pf::services::manager::removeStalePid)
Nov 27 11:36:07 pfcmd.pl(4160) INFO: pidof -x httpd.admin returned 2861 (pf::services::manager::pidFromFile)
Nov 27 11:36:07 pfcmd.pl(4160) INFO: pidof -x httpd.admin returned 2861 (pf::services::manager::pidFromFile)
Nov 27 11:36:09 pfcmd.pl(4160) INFO: Daemon radiusd took 0.237 seconds to start. (pf::services::manager::launchService)
Nov 27 11:37:31 httpd.webservices(3020) INFO: [04:1e:64:fc:3d:4d] handling radius autz request: from switch_ip => (192.168.142.129), connection_type => WIRED_MAC_AUTH,switch_mac => (), mac => [04:1e:64:fc:3d:4d], port => 57348, username => "041e64fc3d4d" (pf::radius::authorize)
Nov 27 11:37:31 httpd.webservices(3020) WARN: VoIP is not supported on this network module (pf::Switch::isVoIPEnabled)
Nov 27 11:37:31 httpd.webservices(3020) INFO: Can't find provisioner for 04:1e:64:fc:3d:4d (pf::vlan::getNormalVlan)
Nov 27 11:37:31 httpd.webservices(3020) INFO: [04:1e:64:fc:3d:4d] Connection type is WIRED_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
Nov 27 11:37:31 httpd.webservices(3020) INFO: [04:1e:64:fc:3d:4d] Username was defined "041e64fc3d4d" - returning user based role 'default' (pf::vlan::getNormalVlan)
Nov 27 11:37:31 httpd.webservices(3020) INFO: [04:1e:64:fc:3d:4d] PID: "admin", Status: reg. Returned VLAN: 1 (pf::vlan::fetchVlanForNode)
Nov 27 11:37:32 httpd.webservices(3020) INFO: [04:1e:64:fc:3d:4d] (192.168.142.129) Returning ACCEPT with VLAN 1 and role (pf::Switch::returnRadiusAccessAccept)
(0003614)
ccaaajf   
2014-11-28 11:13   
WORKING SWITCH CONFIGURATION FOUND!

Using the method below of setting hybrid ports rather than access ports, this is now working on our S5700. Could this be added to the manual?


The response I got from Huawei:

To be able to assign VLANs dynamically from the RADIUS server you can use one of the following standard attributes to deliver the VLAN attribute (RFC 2865, RFC 2866 and RFC 3576 define standard RADIUS attributes, which are supported by all mainstream vendors):

Attribute No.  Attribute Name           Description
64             Tunnel-Type              Protocol type of the tunnel. The value is fixed as 13, indicating VLAN.
65             Tunnel-Medium-Type       Medium type used on the tunnel. The value is fixed as 6, indicating Ethernet.
81             Tunnel-Private-Group-ID  Tunnel private group ID, which is used to deliver user VLAN IDs.
Please check this.

Have a look at the example below; this is a configuration that works fine for dynamic VLAN association.

#
interface GigabitEthernet0/0/3
  description Test-port
  port hybrid pvid vlan 710
  undo port hybrid vlan 1
  port hybrid untagged vlan 301 501 710
  dot1x enable
  dot1x max-user 10
  dot1x authentication-method eap

Communication will work on any of 301, 501 or 710.

For your specific configuration, you can try to adjust the port link-type configuration to hybrid and add the dynamic VLANs as above. The rest of the configuration should remain the same.

interface GigabitEthernet0/0/14
  flow-control negotiation
  port hybrid pvid vlan 710
  undo port hybrid vlan 1
  port hybrid untagged vlan 301 501 710
  dot1x mac-bypass mac-auth-first
  dot1x mac-bypass
  dot1x max-user 1
  dot1x reauthenticate
  dot1x authentication-method eap
  jumboframe enable 10224
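As an added example (not code from this issue, from PacketFence or from Huawei), the Python below checks a FreeRADIUS `-X` Access-Accept against the three attributes Huawei lists above (Tunnel-Type 13/VLAN, Tunnel-Medium-Type 6/IEEE-802, a numeric Tunnel-Private-Group-ID) and splits the NAS-Port-Id seen in the request so the RADIUS conversation can be matched to the switch interface; the sample reply is constructed from the debug output in note 0003608.

```python
import re

# Constructed sample, modelled on the Access-Accept shown in the RADIUS debug
# output of note 0003608 (same attribute names and values, not a new capture).
SAMPLE_REPLY = """\
Sending Access-Accept of id 71 to 192.168.142.129 port 1812
        Tunnel-Private-Group-Id:0 = "1"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
Finished request 4.
"""

# Values Huawei's reply says are fixed (RFC 2868): 13 = VLAN, 6 = IEEE-802.
# FreeRADIUS prints the dictionary names, so both forms are accepted here.
REQUIRED = {"Tunnel-Type": {"VLAN", "13"}, "Tunnel-Medium-Type": {"IEEE-802", "6"}}

# One indented "Name[:tag] = value" line; the optional ":0" is the RFC 2868 tunnel tag.
ATTR_RE = re.compile(r'^\s+([\w-]+)(?::\d+)?\s*=\s*"?(.*?)"?\s*$')

def parse_reply(text):
    """Return {attribute: value} for the first Access-Accept in a radiusd -X dump."""
    attrs, in_reply = {}, False
    for line in text.splitlines():
        if line.startswith("Sending Access-Accept"):
            in_reply = True
            continue
        if in_reply:
            m = ATTR_RE.match(line)
            if not m:            # first non-indented line ends the attribute list
                break
            attrs[m.group(1)] = m.group(2)
    return attrs

def check_vlan_assignment(attrs):
    """Explain why a reply would not move the port; an empty list means it should."""
    problems = []
    for name, accepted in REQUIRED.items():
        if attrs.get(name) not in accepted:
            problems.append(f"{name} should be one of {sorted(accepted)}, got {attrs.get(name)!r}")
    vlan = attrs.get("Tunnel-Private-Group-Id")
    if vlan is None or not vlan.isdigit() or not 1 <= int(vlan) <= 4094:
        problems.append(f"Tunnel-Private-Group-Id should carry a VLAN ID, got {vlan!r}")
    return problems

def parse_nas_port_id(value):
    """Split Huawei's 'slot=0;subslot=0;port=14;vlanid=4' into ints; port 14 is the
    GigabitEthernet0/0/14 interface shown in the switch configuration above."""
    return {k: int(v) for k, v in (part.split("=", 1) for part in value.split(";"))}
```

Running `check_vlan_assignment(parse_reply(open("radiusd-X.log").read()))` on a real debug capture returns an empty list when the reply carries everything the switch needs, which separates "PacketFence did not send the VLAN" from "the switch ignored it", the distinction this thread turned on.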
(0003615)
ccaaajf   
2014-11-28 11:14   
I forgot to credit Huawei tech support for a super fast response and the right answer first time!
(0003620)
lzammit   
2014-12-04 17:17   
Thanks for the configuration, I will implement it in our network manual, but can I have the RADIUS configuration also?

Thanks a lot, we appreciate this.
(0003621)
ccaaajf   
2014-12-09 05:10   
system view

l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002

dot1x enable
dot1x dhcp-trigger
dot1x authentication-method eap

radius-server template packetfence
radius-server shared-key cipher SECRET
radius-server authentication 192.168.142.253 1812
radius-server accounting 192.168.142.253 1813
radius-server retransmit 2

aaa
authentication-scheme abc
authentication-mode radius
accounting-scheme abc
accounting-mode radius
domain pf
authentication-scheme abc
accounting-scheme abc
radius-server packetfence
q

domain pf


Happy to help :)
(0003852)
lmunro   
2015-02-18 10:49   
Not a bug.
Please use the mailing list for support questions.