View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update
0001843 | PacketFence | 802.1x | public | 2014-11-27 06:20 | 2015-02-18 10:49
Reporter | ccaaajf
Assigned To | lmunro
Priority | high | Severity | major | Reproducibility | always
Status | closed | Resolution | won't fix
Platform | Linux | OS | RHEL / CentOS | OS Version | 6
Product Version | 4.5.0
Target Version | | Fixed in Version |
Summary | 0001843: Huawei 802.1x not changing pvid.
Description | I'm using version 4.5.1 (it's not in the drop-down menu yet). Switch: Huawei - S5700-28C-PWR-SI. The port is being enabled as expected but it's not changing the VLAN. The RADIUS log suggests it is sending the correct VLAN. Is there an extra instruction I've missed? I'm happy to produce logs etc. PVID is 9 and I was trying to switch to VLAN 1.
Steps To Reproduce | Follow instructions in description.
Additional Information |
Wed Nov 26 13:52:24 2014 : Auth: Login OK: [041e64fc3d4d] (from client 192.168.142.129 port 57348 cli 041e-64fc-3d4d)
Wed Nov 26 13:52:26 2014 : Auth: rlm_perl: Returning vlan 1 to request from 04:1e:64:fc:3d:4d port 57348
Wed Nov 26 13:52:37 2014 : Auth: Login OK: [041e64fc3d4d] (from client 192.168.142.129 port 57348 cli 041e-64fc-3d4d)
Tags | No tags attached.
fixed in git revision |
fixed in mtn revision |
Attached Files |
Notes
(0003608) ccaaajf (reporter) 2014-11-27 06:34
Forgot to mention I'm using DOT1x to do MAC authentication. RADIUS debug mode output:
rad_recv: Access-Request packet from host 192.168.142.129 port 1812, id=71, length=259
    User-Name = "041e64fc3d4d"
    User-Password = "041e64fc3d4d"
    NAS-Port = 57348
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Framed-IP-Address = 128.40.70.175
    Calling-Station-Id = "041e-64fc-3d4d"
    NAS-Identifier = "MSSL8K"
    NAS-Port-Type = Ethernet
    NAS-Port-Id = "slot=0;subslot=0;port=14;vlanid=4"
    NAS-IP-Address = 192.168.142.129
    Acct-Session-Id = "MSSL8K00014000000004f4b1ac000950"
    Huawei-Startup-Stamp = 1416936934
    Huawei-IPHost-Addr = "128.40.70.175 04:1e:64:fc:3d:4d"
    Huawei-Connect-ID = 950
    Huawei-Version = "Huawei S5700"
    Huawei-Product-ID = "S5700"
    Huawei-Attr-153 = 0x00000002
server packetfence {
# Executing section authorize from file /usr/local/pf/raddb//sites-enabled/packetfence
+group authorize {
[suffix] No '@' in User-Name = "041e64fc3d4d", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++[preprocess] = ok
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry DEFAULT at line 1
++[files] = ok
++[expiration] = noop
++[logintime] = noop
++update request {
    expand: %{Packet-Src-IP-Address} -> 192.168.142.129
++} # update request = noop
++update control {
++} # update control = noop
rlm_perl: Added pair NAS-Port-Type = Ethernet
rlm_perl: Added pair Acct-Session-Id = MSSL8K00014000000004f4b1ac000950
rlm_perl: Added pair Huawei-Attr-153 = 0x00000002
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Huawei-Product-ID = S5700
rlm_perl: Added pair NAS-IP-Address = 192.168.142.129
rlm_perl: Added pair NAS-Port-Id = slot=0;subslot=0;port=14;vlanid=4
rlm_perl: Added pair Huawei-Startup-Stamp = 1416936934
rlm_perl: Added pair Huawei-Version = Huawei S5700
rlm_perl: Added pair Calling-Station-Id = 041e-64fc-3d4d
rlm_perl: Added pair FreeRADIUS-Client-IP-Address = 192.168.142.129
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Huawei-Connect-ID = 950
rlm_perl: Added pair User-Name = 041e64fc3d4d
rlm_perl: Added pair Huawei-IPHost-Addr = 128.40.70.175 04:1e:64:fc:3d:4d
rlm_perl: Added pair NAS-Identifier = MSSL8K
rlm_perl: Added pair User-Password = 041e64fc3d4d
rlm_perl: Added pair Framed-IP-Address = 128.40.70.175
rlm_perl: Added pair NAS-Port = 57348
rlm_perl: Added pair PacketFence-RPC-Pass =
rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
rlm_perl: Added pair PacketFence-RPC-Proto = http
rlm_perl: Added pair PacketFence-RPC-User =
rlm_perl: Added pair Auth-Type = Accept
rlm_perl: Added pair PacketFence-RPC-Port = 9090
++[packetfence] = noop
+} # group authorize = ok
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Login OK: [041e64fc3d4d] (from client 192.168.142.129 port 57348 cli 041e-64fc-3d4d)
} # server packetfence
# Executing section post-auth from file /usr/local/pf/raddb//sites-enabled/packetfence
+group post-auth {
++[exec] = noop
++? if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP))
? Evaluating !(EAP-Type ) -> TRUE
?? Skipping (EAP-Type != EAP-TTLS )
?? Skipping (EAP-Type != PEAP)
++? if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) -> TRUE
++if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) {
+++update control {
+++} # update control = noop
rlm_perl: Returning vlan 1 to request from 04:1e:64:fc:3d:4d port 57348
rlm_perl: PacketFence RESULT RESPONSE CODE: 2 (2 means OK)
rlm_perl: Added pair NAS-Port-Type = Ethernet
rlm_perl: Added pair Acct-Session-Id = MSSL8K00014000000004f4b1ac000950
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Huawei-Attr-153 = 0x00000002
rlm_perl: Added pair Huawei-Product-ID = S5700
rlm_perl: Added pair NAS-IP-Address = 192.168.142.129
rlm_perl: Added pair NAS-Port-Id = slot=0;subslot=0;port=14;vlanid=4
rlm_perl: Added pair Huawei-Startup-Stamp = 1416936934
rlm_perl: Added pair Huawei-Version = Huawei S5700
rlm_perl: Added pair Calling-Station-Id = 041e-64fc-3d4d
rlm_perl: Added pair FreeRADIUS-Client-IP-Address = 192.168.142.129
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Huawei-Connect-ID = 950
rlm_perl: Added pair User-Name = 041e64fc3d4d
rlm_perl: Added pair Huawei-IPHost-Addr = 128.40.70.175 04:1e:64:fc:3d:4d
rlm_perl: Added pair NAS-Identifier = MSSL8K
rlm_perl: Added pair User-Password = 041e64fc3d4d
rlm_perl: Added pair Framed-IP-Address = 128.40.70.175
rlm_perl: Added pair NAS-Port = 57348
rlm_perl: Added pair Tunnel-Private-Group-ID = 1
rlm_perl: Added pair Tunnel-Type = 13
rlm_perl: Added pair Tunnel-Medium-Type = 6
rlm_perl: Added pair PacketFence-RPC-Pass =
rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
rlm_perl: Added pair PacketFence-RPC-User =
rlm_perl: Added pair PacketFence-RPC-Proto = http
rlm_perl: Added pair Auth-Type = Accept
rlm_perl: Added pair PacketFence-RPC-Port = 9090
+++[packetfence] = ok
++} # if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) = ok
+} # group post-auth = ok
Sending Access-Accept of id 71 to 192.168.142.129 port 1812
    Tunnel-Private-Group-Id:0 = "1"
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Accounting-Request packet from host 192.168.142.129 port 1812, id=46, length=226
    User-Name = "041e64fc3d4d"
    NAS-IP-Address = 192.168.142.129
    NAS-Port = 57348
    Framed-IP-Address = 128.40.70.175
    NAS-Identifier = "MSSL8K"
    Acct-Status-Type = Start
    Acct-Session-Id = "MSSL8K00014000000004f4b1ac000950"
    Acct-Authentic = RADIUS
    Event-Timestamp = "Nov 27 2014 11:32:39 GMT"
    NAS-Port-Type = Ethernet
    Calling-Station-Id = "041e-64fc-3d4d"
    NAS-Port-Id = "slot=0;subslot=0;port=14;vlanid=4"
    Framed-Protocol = PPP
    Huawei-IPHost-Addr = "128.40.70.175 04:1e:64:fc:3d:4d"
    Huawei-Connect-ID = 950
    Huawei-Attr-153 = 0x00000002
server packetfence {
# Executing section preacct from file /usr/local/pf/raddb//sites-enabled/packetfence
+group preacct {
++[preprocess] = ok
[acct_unique] Hashing 'NAS-Port = 57348,Client-IP-Address = 192.168.142.129,NAS-IP-Address = 192.168.142.129,Acct-Session-Id = "MSSL8K00014000000004f4b1ac000950",User-Name = "041e64fc3d4d"'
[acct_unique] Acct-Unique-Session-ID = "e138959c26d8c2e6".
++[acct_unique] = ok
[suffix] No '@' in User-Name = "041e64fc3d4d", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++[files] = noop
+} # group preacct = ok
# Executing section accounting from file /usr/local/pf/raddb//sites-enabled/packetfence
+group accounting {
[sql]   expand: %{User-Name} -> 041e64fc3d4d
[sql] sql_set_user escaped user --> '041e64fc3d4d'
[sql]   expand: %{Acct-Delay-Time} ->
[sql] ... expanding second conditional
[sql]   expand: CALL acct_start ( '%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', REPLACE(REPLACE('%{Called-Station-Id}','-',''),':',''), REPLACE(REPLACE('%{Calling-Station-Id}','-',''),':',''), '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}', '%{Acct-Status-Type}') -> CALL acct_start ( 'MSSL8K00014000000004f4b1ac000950', 'e138959c26d8c2e6', '041e64fc3d4d', '', '192.168.142.129', '57348', 'Ethernet', '2014-11-27 11:32:39', NULL, '0', 'RADIUS', '', '', '0', '0', REPLACE(REPLACE('','-',''),':',''), REPLACE(REPLACE('041e-64fc-3d4d','-',''),':',''), '', 'Framed-Us
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): Released sql socket id: 0
++[sql] = ok
[attr_filter.accounting_response]   expand: %{User-Name} -> 041e64fc3d4d
 attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] = updated
++update control {
++} # update control = noop
rlm_perl: PacketFence RESULT RESPONSE CODE: 2 (2 means OK)
rlm_perl: Added pair NAS-Port-Type = Ethernet
rlm_perl: Added pair Acct-Session-Id = MSSL8K00014000000004f4b1ac000950
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Huawei-Attr-153 = 0x00000002
rlm_perl: Added pair Acct-Unique-Session-Id = e138959c26d8c2e6
rlm_perl: Added pair Acct-Authentic = RADIUS
rlm_perl: Added pair Acct-Status-Type = Start
rlm_perl: Added pair NAS-IP-Address = 192.168.142.129
rlm_perl: Added pair NAS-Port-Id = slot=0;subslot=0;port=14;vlanid=4
rlm_perl: Added pair SQL-User-Name = 041e64fc3d4d
rlm_perl: Added pair Calling-Station-Id = 041e-64fc-3d4d
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Huawei-Connect-ID = 950
rlm_perl: Added pair User-Name = 041e64fc3d4d
rlm_perl: Added pair Huawei-IPHost-Addr = 128.40.70.175 04:1e:64:fc:3d:4d
rlm_perl: Added pair NAS-Identifier = MSSL8K
rlm_perl: Added pair Event-Timestamp = Nov 27 2014 11:32:39 GMT
rlm_perl: Added pair Framed-IP-Address = 128.40.70.175
rlm_perl: Added pair NAS-Port = 57348
rlm_perl: Added pair PacketFence-RPC-Pass =
rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
rlm_perl: Added pair PacketFence-RPC-Proto = http
rlm_perl: Added pair PacketFence-RPC-User =
rlm_perl: Added pair PacketFence-RPC-Port = 9090
++[packetfence] = ok
+} # group accounting = updated
} # server packetfence
Sending Accounting-Response of id 46 to 192.168.142.129 port 1812
Finished request 5.
Cleaning up request 5 ID 46 with timestamp +353
Going to the next request
Waking up in 4.6 seconds.
(0003609) ccaaajf (reporter) 2014-11-27 06:39
packetfence.log
Nov 27 11:32:39 httpd.webservices(3020) INFO: Can't find provisioner for 04:1e:64:fc:3d:4d (pf::vlan::getNormalVlan)
Nov 27 11:32:39 httpd.webservices(3020) INFO: [04:1e:64:fc:3d:4d] Connection type is WIRED_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
Nov 27 11:32:39 httpd.webservices(3020) INFO: [04:1e:64:fc:3d:4d] Username was defined "041e64fc3d4d" - returning user based role 'default' (pf::vlan::getNormalVlan)
Nov 27 11:32:39 httpd.webservices(3020) INFO: [04:1e:64:fc:3d:4d] PID: "admin", Status: reg. Returned VLAN: 1 (pf::vlan::fetchVlanForNode)
Nov 27 11:32:39 httpd.webservices(3020) INFO: [04:1e:64:fc:3d:4d] (192.168.142.129) Returning ACCEPT with VLAN 1 and role (pf::Switch::returnRadiusAccessAccept)
Nov 27 11:36:07 pfcmd.pl(4160) INFO: pidof -x memcached returned 2852 (pf::services::manager::pidFromFile)
Nov 27 11:36:07 pfcmd.pl(4160) INFO: verifying process 2852 (pf::services::manager::removeStalePid)
Nov 27 11:36:07 pfcmd.pl(4160) INFO: pidof -x memcached returned 2852 (pf::services::manager::pidFromFile)
Nov 27 11:36:07 pfcmd.pl(4160) INFO: pidof -x memcached returned 2852 (pf::services::manager::pidFromFile)
Nov 27 11:36:07 pfcmd.pl(4160) INFO: pidof -x httpd.admin returned 2861 (pf::services::manager::pidFromFile)
Nov 27 11:36:07 pfcmd.pl(4160) INFO: verifying process 2861 (pf::services::manager::removeStalePid)
Nov 27 11:36:07 pfcmd.pl(4160) INFO: pidof -x httpd.admin returned 2861 (pf::services::manager::pidFromFile)
Nov 27 11:36:07 pfcmd.pl(4160) INFO: pidof -x httpd.admin returned 2861 (pf::services::manager::pidFromFile)
Nov 27 11:36:09 pfcmd.pl(4160) INFO: Daemon radiusd took 0.237 seconds to start. (pf::services::manager::launchService)
Nov 27 11:37:31 httpd.webservices(3020) INFO: [04:1e:64:fc:3d:4d] handling radius autz request: from switch_ip => (192.168.142.129), connection_type => WIRED_MAC_AUTH,switch_mac => (), mac => [04:1e:64:fc:3d:4d], port => 57348, username => "041e64fc3d4d" (pf::radius::authorize)
Nov 27 11:37:31 httpd.webservices(3020) WARN: VoIP is not supported on this network module (pf::Switch::isVoIPEnabled)
Nov 27 11:37:31 httpd.webservices(3020) INFO: Can't find provisioner for 04:1e:64:fc:3d:4d (pf::vlan::getNormalVlan)
Nov 27 11:37:31 httpd.webservices(3020) INFO: [04:1e:64:fc:3d:4d] Connection type is WIRED_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
Nov 27 11:37:31 httpd.webservices(3020) INFO: [04:1e:64:fc:3d:4d] Username was defined "041e64fc3d4d" - returning user based role 'default' (pf::vlan::getNormalVlan)
Nov 27 11:37:31 httpd.webservices(3020) INFO: [04:1e:64:fc:3d:4d] PID: "admin", Status: reg. Returned VLAN: 1 (pf::vlan::fetchVlanForNode)
Nov 27 11:37:32 httpd.webservices(3020) INFO: [04:1e:64:fc:3d:4d] (192.168.142.129) Returning ACCEPT with VLAN 1 and role (pf::Switch::returnRadiusAccessAccept)
(0003614) ccaaajf (reporter) 2014-11-28 11:13
WORKING SWITCH CONFIGURATION FOUND! Using the method below of setting hybrid ports rather than access ports, this is now working on our S5700. Could this be added to the manual?

The response I got from Huawei:

To be able to assign VLANs dynamically from the RADIUS server you can use one of the following standard attributes to deliver the VLAN attribute (RFC2865, RFC2866, and RFC3576 define standard RADIUS attributes, which are supported by all mainstream vendors):

Attribute No. | Attribute Name | Description
64 | Tunnel-Type | Protocol type of the tunnel. The value is fixed as 13, indicating VLAN.
65 | Tunnel-Medium-Type | Medium type used on the tunnel. The value is fixed as 6, indicating Ethernet.
81 | Tunnel-Private-Group-ID | Tunnel private group ID, which is used to deliver user VLAN IDs.

Please check this. Have a look at the example below; this is a configuration that works fine for dynamic VLAN association.

#
interface GigabitEthernet0/0/3
 description Test-port
 port hybrid pvid vlan 710
 undo port hybrid vlan 1
 port hybrid untagged vlan 301 501 710
 dot1x enable
 dot1x max-user 10
 dot1x authentication-method eap

Communication will work on any of 301, 501 or 710. For your specific configuration, you can try to adjust the port link-type configuration to hybrid and add dynamic VLANs as above. The rest of the configuration should remain the same.

interface GigabitEthernet0/0/14
 flow-control negotiation
 port hybrid pvid vlan 710
 undo port hybrid vlan 1
 port hybrid untagged vlan 301 501 710
 dot1x mac-bypass mac-auth-first
 dot1x mac-bypass
 dot1x max-user 1
 dot1x reauthenticate
 dot1x authentication-method eap
 jumboframe enable 10224
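The three attributes in Huawei's reply are the same ones FreeRADIUS already placed in the Access-Accept in the debug output above (Tunnel-Type:0 = VLAN, Tunnel-Medium-Type:0 = IEEE-802, Tunnel-Private-Group-Id:0 = "1"), so the accept was well-formed and the missing piece was on the port. The Python below is an added example, not code from PacketFence, FreeRADIUS or Huawei: it encodes and parses those RFC 2868 attributes on the wire (tag byte included, with length checks so a malformed attribute raises rather than being read past the buffer), then compares the VLAN an accept carries with the VLANs listed under `port hybrid untagged vlan` in the interface block above. Treating that list as the set of VLANs the port can be switched to is an assumption drawn from Huawei's note; the interface block and the VLAN 1 accept are constructed sample input, and the function names are mine.

```python
import re

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868 numbers
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type value "IEEE-802"
MAX_TAG = 0x1F               # a first octet above 0x1F is data, not a tag


def _attr(attr_type, value):
    """Encode one RADIUS attribute: type, length (header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def vlan_assignment(vlan_id, tag=0):
    """Encode the three attributes FreeRADIUS put in the Access-Accept above."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag out of range")
    return (_attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii")))


def parse_attrs(data):
    """Parse an attribute list into (type, tag, value) triples; malformed
    lengths raise instead of being read past the end of the buffer."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        val, i = data[i + 2:i + alen], i + alen
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(val) != 4:
                raise ValueError("tagged integer attribute must be 4 octets")
            tag = val[0] if val[0] <= MAX_TAG else None
            out.append((atype, tag, int.from_bytes(val[1:] if tag is not None else val, "big")))
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tag = val[0] if val and val[0] <= MAX_TAG else None
            out.append((atype, tag, (val[1:] if tag is not None else val).decode("ascii")))
        else:
            out.append((atype, None, val))
    return out


def assigned_vlan(data):
    """VLAN id carried by a complete, consistently tagged assignment, else None."""
    groups = {}
    for atype, tag, val in parse_attrs(data):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            groups.setdefault(tag, {})[atype] = val
    for g in groups.values():
        if (g.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and g.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and str(g.get(TUNNEL_PRIVATE_GROUP_ID, "")).isdigit()):
            return int(g[TUNNEL_PRIVATE_GROUP_ID])
    return None


def hybrid_port_vlans(config):
    """VLAN ids listed under 'port hybrid untagged/tagged vlan' in a Huawei
    interface block; 'a to b' ranges are expanded."""
    vlans = set()
    for m in re.finditer(r"port hybrid (?:untagged|tagged) vlan ([\d to]+)", config):
        tokens = m.group(1).split()
        i = 0
        while i < len(tokens):
            if i + 2 < len(tokens) and tokens[i + 1] == "to":
                vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
                i += 3
            else:
                vlans.add(int(tokens[i]))
                i += 1
    return vlans


def check_assignment(data, port_config):
    """'ok', 'vlan-not-on-port' or 'no-vlan' for an Access-Accept against a port.
    Assumption (from Huawei's reply): the port only carries the listed VLANs."""
    vlan = assigned_vlan(data)
    if vlan is None:
        return "no-vlan"
    return "ok" if vlan in hybrid_port_vlans(port_config) else "vlan-not-on-port"


# Constructed sample: the interface block Huawei suggested, as posted above.
HUAWEI_PORT = """
interface GigabitEthernet0/0/14
 port hybrid pvid vlan 710
 undo port hybrid vlan 1
 port hybrid untagged vlan 301 501 710
 dot1x mac-bypass mac-auth-first
"""

if __name__ == "__main__":
    # VLAN 1, as in the reporter's Access-Accept, is not on this hybrid port.
    print(check_assignment(vlan_assignment(1), HUAWEI_PORT))    # vlan-not-on-port
    print(check_assignment(vlan_assignment(710), HUAWEI_PORT))  # ok
```

The tag byte matters because FreeRADIUS prints it as the `:0` suffix; `assigned_vlan` only accepts a VLAN when all three attributes share one tag, so an accept where Tunnel-Type and Tunnel-Private-Group-ID disagree is reported as carrying no VLAN rather than guessed at.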
(0003615) ccaaajf (reporter) 2014-11-28 11:14
I forgot to credit Huawei tech support for a super fast response and the right answer first time!
(0003620) lzammit (manager) 2014-12-04 17:17
Thanks for the configuration, I will implement it in our network manual, but can I have the RADIUS configuration also? Thanks a lot, we appreciate this.
(0003621) ccaaajf (reporter) 2014-12-09 05:10
system view
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
dot1x enable
dot1x dhcp-trigger
dot1x authentication-method eap
radius-server template packetfence
radius-server shared-key cipher SECRET
radius-server authentication 192.168.142.253 1812
radius-server accounting 192.168.142.253 1813
radius-server retransmit 2
aaa
authentication-scheme abc
authentication-mode radius
accounting-scheme abc
accounting-mode radius
domain pf
authentication-scheme abc
accounting-scheme abc
radius-server packetfence
q
domain pf

Happy to help :)
(0003852) lmunro (administrator) 2015-02-18 10:49
Not a bug. Please use the mailing list for support questions.
Issue History
Date Modified | Username | Field | Change
2014-11-27 06:20 | ccaaajf | New Issue | |
2014-11-27 06:34 | ccaaajf | Note Added: 0003608 | |
2014-11-27 06:39 | ccaaajf | Note Added: 0003609 | |
2014-11-28 11:13 | ccaaajf | Note Added: 0003614 | |
2014-11-28 11:14 | ccaaajf | Note Added: 0003615 | |
2014-12-04 17:17 | lzammit | Note Added: 0003620 | |
2014-12-09 05:10 | ccaaajf | Note Added: 0003621 | |
2015-02-18 10:49 | lmunro | Note Added: 0003852 | |
2015-02-18 10:49 | lmunro | Status | new => closed |
2015-02-18 10:49 | lmunro | Assigned To | => lmunro |
2015-02-18 10:49 | lmunro | Resolution | open => won't fix |