| Anonymous | Login | 2024-05-05 19:48 EDT |  |
| Main | My View | View Issues | Change Log | Roadmap |
| View Issue Details [ Jump to Notes ] | [ Issue History ] [ Print ] | |||||||
| ID | Project | Category | View Status | Date Submitted | Last Update | |||
| 0001128 | PacketFence | tests | public | 2010-11-25 14:16 | 2011-01-26 15:43 | |||
| Reporter | obilodeau | |||||||
| Assigned To | fgaudreault | |||||||
| Priority | high | Severity | block | Reproducibility | have not tried | |||
| Status | closed | Resolution | fixed | |||||
| Platform | OS | OS Version | ||||||
| Product Version | ||||||||
| Target Version | 2.0.1 | Fixed in Version | ||||||
| Summary | 0001128: 802.1X / MAC Authentication tests | |||||||
| Description | - 802.1X is activated and we receive a security or a up/down trap. What happens? - test the RLM_MODULE_USERLOCK return if user must be kicked out (does this work?) -- versus returning -1 VLAN (test on wired, wireless, 802.1X and MAC Auth) - Switch doesn't exist in switches.conf: what happens? - Switch doesn't exist in /etc/raddb/clients.conf: what happens? | |||||||
| Tags | No tags attached. | |||||||
| fixed in git revision | ||||||||
| fixed in mtn revision | ||||||||
| Attached Files | ||||||||
 Relationships |
|||||||||||
|
|||||||||||
 Relationships |
|
Notes |
|
|
(0001778) obilodeau (reporter) 2010-11-25 14:17 |
Reminder sent to: fgaudreault We will have to look at these eventually in the future. Maybe you'll be able to give me a hand? |
|
(0001814) fgaudreault (viewer) 2011-01-18 11:34 edited on: 2011-01-18 11:36 |
- 802.1X is activated and we receive a security or a up/down trap. What happens? ** PF is setting the port to the MAC Detection VLAN, and tries to get the MAC address on the ifIndex, but fails : Jan 18 11:19:26 pfsetvlan(1) INFO: up trap received on 10.0.0.2 ifIndex 10004 (main::handleTrap) Jan 18 11:19:26 pfsetvlan(1) INFO: setting 10.0.0.2 port 10004 to MAC detection VLAN (main::handleTrap) Jan 18 11:21:33 pfsetvlan(5) WARN: couldn't get MAC at ifIndex 10004. This is a problem. (pf::SNMP::_getMacAtIfIndex) Jan 18 11:21:33 pfsetvlan(5) WARN: Tried to grab MAC address at ifIndex 10004 on switch 10.0.0.2 30 times and failed (main::handleTrap) Jan 18 11:21:33 pfsetvlan(5) INFO: cannot find MAC (maybe we found a VoIP, but they don't count here). Do nothing (main::handleTrap) Jan 18 11:21:33 pfsetvlan(5) INFO: finished (main::cleanupAfterThread) - test the RLM_MODULE_USERLOCK return if user must be kicked out (does this work?) Yes. The device is not able to login, and doesn't retry. On Wired (802.1X) ++[perl] returns userlock } # server inner-tunnel [peap] Got tunneled reply code 3 Tunnel-Private-Group-Id:0 = "10" User-Name = "username" EAP-Message = 0x03080004 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 Tunnel-Private-Group-Id:0 = "10" User-Name = "username" EAP-Message = 0x03080004 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE On Wireless : ++[perl] returns userlock Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> 00-23-6c-db-b2-81 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_re - Switch doesn't exist in switches.conf: what happens? ** The VLAN could not be determined by the rlm_perl script, so the status returned by PF is 1 : Odd number of elements in hash assignment at /etc/raddb/packetfence.pm line 173 (0000001) (W misc) You specified an odd number of elements to initialize a hash, which is odd, because hashes come in key/value pairs. Use of uninitialized value in list assignment at /etc/raddb/packetfence.pm line 173 (0000002) (W uninitialized) An undefined value was used as if it were already defined. It was interpreted as a "" or a 0, but maybe it was a mistake. To suppress this warning assign a defined value to your variables. To help you figure out what was undefined, perl tells you what operation you used the undefined value in. Note, however, that perl optimizes your program and the operation displayed in the warning may not necessarily appear literally in your program. For example, "that $foo" is usually optimized into "that " . $foo, and the warning will refer to the concatenation (.) operator, even though there is no . in your program. rlm_perl: PacketFence RESULT VLAN COULD NOT BE DETERMINED rlm_perl: PacketFence RESULT RESPONSE CODE: 1 (2 means OK) - Switch doesn't exist in /etc/raddb/clients.conf: what happens? ** Radius denies the connection, and the user get authentication failed |
|
Notes |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 2010-11-25 14:16 | obilodeau | New Issue | |
| 2010-11-25 14:17 | obilodeau | Note Added: 0001778 | |
| 2011-01-18 09:42 | obilodeau | Status | new => assigned |
| 2011-01-18 09:42 | obilodeau | Assigned To | => fgaudreault |
| 2011-01-18 09:47 | obilodeau | Target Version | 2.0.0 => 2.0.1 |
| 2011-01-18 11:34 | fgaudreault | Note Added: 0001814 | |
| 2011-01-18 11:36 | fgaudreault | Note Edited: 0001814 | |
| 2011-01-18 11:36 | fgaudreault | Status | assigned => resolved |
| 2011-01-18 11:36 | fgaudreault | Resolution | open => fixed |
| 2011-01-26 15:43 | obilodeau | Status | resolved => closed |
| 2011-02-03 15:22 | obilodeau | Relationship added | related to 0001174 |
| 2011-02-03 15:26 | obilodeau | Relationship added | related to 0001176 |
|
Issue History |
| Copyright © 2000 - 2012 MantisBT Group |
 |