Discussion:
[PacketFence-users] Radius Server Authentication
Daniel Germann
2017-05-15 08:37:57 UTC
Hello PacketFence Users,

I've got a problem with PacketFence. I'm using the PacketFence Zero
Effort NAC v7 on a server with an HP2500 switch in Hybrid Enforcement. I
want to use bandwidth limitation and therefore I need the Radius
Accounting. I set up a new Authentication Sources Radius with the
localhost address and set the secret on both PacketFence and switch. I
created a local user in the users file from radius and want to sign in
but the radius server rejected it. The radius log says:

May 15 08:14:02 PacketFence-ZEN auth[4384]: Need 1 more connections to reach min connections (3)
May 15 08:14:02 PacketFence-ZEN auth[4384]: rlm_rest (rest): Opening additional connection (11), 1 of 62 pending slots used
May 15 08:14:02 PacketFence-ZEN auth[4384]: Need 1 more connections to reach min connections (3)
May 15 08:14:02 PacketFence-ZEN auth[4384]: rlm_sql (sql): Opening additional connection (13), 1 of 62 pending slots used
May 15 08:14:02 PacketFence-ZEN auth[4384]: (12) Rejected in post-auth: [steve] (from client localhost port 12)
May 15 08:14:16 PacketFence-ZEN auth[4384]: (13) rest: ERROR: Server returned:
May 15 08:14:16 PacketFence-ZEN auth[4384]: (13) rest: ERROR: {"control:PacketFence-Authorization-Status":"allow","Reply-Message":"CLI Access is not allowed by PacketFence on this switch"}


Regards,

Daniel
Fabrice Durand
2017-05-16 13:10:19 UTC
Hello Daniel,

You don't have to create a radius Authentication source but you need to
configure the switch in PacketFence (with a radius secret).

Next you need to configure the switch to use PacketFence as a radius
accounting server.

Regards

Fabrice
_______________________________________________
PacketFence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
***@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
Daniel Germann
2017-05-17 11:19:14 UTC
Hello Fabrice,

I configured the switch and PacketFence with the secret and the switch
with the accounting details.

Is there any possibility in PacketFence to configure radius accounting?

I also have another question: using radtest with a local user in
/raddb/users with "steve cleartext-password := testing", I get an
Access-Reject.

Sent Access-Request Id 64 from 0.0.0.0:44840 to 127.0.0.1:18120 length 75
User-Name = "steve"
User-Password = "bob"
NAS-IP-Address = 192.168.100.44
NAS-Port = 12
Message-Authenticator = 0x00
Cleartext-Password = "bob"
Received Access-Reject Id 64 from 127.0.0.1:18120 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject

Maybe the Radius server isn't configured properly?


Regards,

Daniel
Fabrice Durand
2017-05-17 13:32:40 UTC
Hello Daniel,

By default PacketFence listens for accounting on port 1813.

For the radius configuration check the documentation there:
https://packetfence.org/doc/PacketFence_Administration_Guide.html#_freeradius_configuration

Also use raddebug to have more information to know why the connection
has been refused (raddebug -f var/run/radius.sock -t 300)


Regards

Fabrice
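
Alongside raddebug, the auth log quoted at the start of this thread can be triaged per request number. The script below is an added example, not part of the original posts and not PacketFence tooling; the triage function and its regexes are assumptions fitted to the log lines shown in the thread (with the mail line wraps undone).

```python
import json
import re
from collections import defaultdict

# Log lines copied from the thread above, with the mail client's line wraps undone.
SAMPLE_LOG = """\
May 15 08:14:02 PacketFence-ZEN auth[4384]: Need 1 more connections to reach min connections (3)
May 15 08:14:02 PacketFence-ZEN auth[4384]: rlm_rest (rest): Opening additional connection (11), 1 of 62 pending slots used
May 15 08:14:02 PacketFence-ZEN auth[4384]: (12) Rejected in post-auth: [steve] (from client localhost port 12)
May 15 08:14:16 PacketFence-ZEN auth[4384]: (13) rest: ERROR: Server returned:
May 15 08:14:16 PacketFence-ZEN auth[4384]: (13) rest: ERROR: {"control:PacketFence-Authorization-Status":"allow","Reply-Message":"CLI Access is not allowed by PacketFence on this switch"}
"""

# "<timestamp> <host> auth[<pid>]: (<request>) <message>"; pool chatter has no "(<n>) " prefix.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ auth\[\d+\]: \((?P<req>\d+)\) (?P<msg>.*)$")
REJECT_RE = re.compile(r"^Rejected in (?P<stage>[\w-]+): \[(?P<user>[^\]]*)\] \(from client (?P<client>\S+) port (?P<port>\d+)")
REST_ERR_RE = re.compile(r"^rest: ERROR: (?P<body>\{.*\})\s*$")

def triage(log_text):
    """Group events by request number; return only requests with a reject or a REST error body."""
    requests = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # connection-pool noise or an unrelated line
        info, msg = requests[int(m["req"])], m["msg"]
        info.setdefault("first_seen", m["ts"])
        if (r := REJECT_RE.match(msg)):
            info.update(stage=r["stage"], user=r["user"], client=r["client"], port=int(r["port"]))
        elif (e := REST_ERR_RE.match(msg)):
            try:
                body = json.loads(e["body"])
            except json.JSONDecodeError:
                continue  # truncated or still-wrapped JSON: leave for manual review
            info["rest_status"] = body.get("control:PacketFence-Authorization-Status")
            info["rest_reason"] = body.get("Reply-Message")
    return {k: v for k, v in requests.items() if "stage" in v or "rest_reason" in v}

if __name__ == "__main__":
    for req, info in sorted(triage(SAMPLE_LOG).items()):
        print(req, info)
```

The reject and the REST error in this log carry different request numbers (12 and 13), so the output keeps them as separate entries rather than merging them.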