Cisco 3750 switch not communicating with RADIUS server

Tags: aaa, cisco, radius, switch

I have a Cisco 3750 switch and I want to make it work with PacketFence NAC. I have configured the switch according to their network configuration document here, but the switch is still not communicating with the server – I can ping the server and the keys are the same.
Here is my running-config (stripped of unrelated things):

Current configuration : 8496 bytes
!
aaa new-model
!
!
aaa group server radius packetfence
 server name pfnac
!
aaa authentication login default local
aaa authentication dot1x default group packetfence
aaa authorization exec default local 
aaa authorization network default group packetfence 
!
!
aaa server radius dynamic-author
 client 147.32.232.117 server-key 7 0311480E351B3343400E1C172417081E013E
 port 3799
!
aaa session-id common
!
!
!
dot1x system-auth-control
!
!         
!
interface GigabitEthernet1/0/1
 description 10.D16
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 1 vlan access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address 0200.0001.0101
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer restart 10800
 authentication timer reauthenticate 7200
 authentication violation replace
 mab      
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout quiet-period 2
 dot1x timeout tx-period 3
!
interface Vlan40
 ip address 172.16.40.1 255.255.255.0
 no ip proxy-arp
!
no ip http server
no ip http secure-server
!
snmp-server community lauer RW
snmp-server community public RO
snmp-server community private RW
snmp-server trap-source Vlan40
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps flowmon
snmp-server enable traps transceiver all
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps tty
snmp-server enable traps license
snmp-server enable traps auth-framework sec-violation
snmp-server enable traps cluster
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan
snmp-server enable traps energywise
snmp-server enable traps fru-ctrl
snmp-server enable traps entity
snmp-server enable traps event-manager
snmp-server enable traps power-ethernet police
snmp-server enable traps cpu threshold
snmp-server enable traps ipsla
snmp-server enable traps vstack
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps syslog
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps stackwise
snmp-server enable traps errdisable
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server host 147.32.232.117 version 2c public  port-security
snmp-server host 172.16.40.2 v2c 
snmp-server host 172.16.40.2 version 2c write 
!
radius-server vsa send authentication
!
radius server pfnac
 address ipv4 147.32.232.117 auth-port 1812 acct-port 1813
 automate-tester username myuser idle-time 2
 key 7 071A32497D1D0B0A19150E1E372F28362D27
!
!
end

Also, here are some other outputs:

show aaa servers

RADIUS: id 1, priority 1, host 147.32.232.117, auth-port 1812, acct-port 1813
     State: current UP, duration 633s, previous duration 0s
     Dead: total time 605813s, count 11
     Quarantined: No
     Authen: request 30438, timeouts 30438, failover 0, retransmission 22834
             Response: accept 0, reject 0, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 7604
             Throttled: transaction 0, timeout 0, failure 0
     Author: request 0, timeouts 0, failover 0, retransmission 0
             Response: accept 0, reject 0, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 0
             Throttled: transaction 0, timeout 0, failure 0
     Account: request 0, timeouts 0, failover 0, retransmission 0
             Request: start 0, interim 0, stop 0
             Response: start 0, interim 0, stop 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 0
             Throttled: transaction 0, timeout 0, failure 0
     Elapsed time since counters last cleared: 1w1h2m
     Estimated Outstanding Access Transactions: 0
     Estimated Outstanding Accounting Transactions: 0
     Estimated Throttled Access Transactions: 0
     Estimated Throttled Accounting Transactions: 0
     Maximum Throttled Transactions: access 0, accounting 0
     Requests per minute past 24 hours:
             high - 0 hours, 30 minutes ago: 20
             low  - 0 hours, 43 minutes ago: 0
             average: 2

show aaa command handler

AAA Command Handler Statistics:
    account-logon: 0, account-logoff: 0
    account-query: 0, pod: 0
    service-logon: 0, service-logoff: 0
    user-profile-push: 0, session-state-log: 0
    reauthenticate: 0, bounce-host-port: 0
    disable-host-port: 0, update-rbacl: 0
    update-sgt: 0, update-cts-policies: 0
    invalid commands: 0
    async message not sent: 0

show radius statistics

                                  Auth.      Acct.       Both
         Maximum inQ length:         NA         NA          1
       Maximum waitQ length:         NA         NA          5
       Maximum doneQ length:         NA         NA          2
       Total responses seen:          0          0          0
     Packets with responses:          0          0          0
  Packets without responses:       7604          0       7604
  Access Rejects           :          0
 Average response delay(ms):          0          0          0
 Maximum response delay(ms):          0          0          0
  Number of Radius timeouts:      30438          0      30438
       Duplicate ID detects:          0          0          0
 Buffer Allocation Failures:          0          0          0
Maximum Buffer Size (bytes):        260          0        260
Malformed Responses        :          0          0          0
Bad Authenticators         :          0          0          0
Unknown Responses          :          0          0          0
 Source Port Range: (2 ports only)
 1645 - 1646
 Last used Source Port/Identifier:
 1645/180
 1646/0

  Elapsed time since counters last cleared: 3w3d7h3m
Radius Latency Distribution:
<= 2ms :          0          0
3-5ms  :          0          0
5-10ms :          0          0
10-20ms:          0          0
20-50ms:          0          0
50-100m:          0          0
>100ms :          0          0

Current inQ length  : 0
Current doneQ length: 0

show radius server-group all

Server group radius
    Sharecount = 1  sg_unconfigured = FALSE
    Type = standard  Memlocks = 1
    Server(147.32.232.117:1812,1813) Transactions:
    Authen: 0   Author: 0   Acct: 0
    Server_auto_test_enabled: TRUE
     Keywrap enabled: FALSE
Server group packetfence
    Sharecount = 1  sg_unconfigured = FALSE
    Type = standard  Memlocks = 1
    Server(147.32.232.117:1812,1813) Transactions:
    Authen: 198 Author: 0   Acct: 0
    Server_auto_test_enabled: TRUE
     Keywrap enabled: FALSE
Server group  private_sg-7560
    Server(147.32.232.117:1812,1813) Successful Transactions:
    Authen: 0   Author: 0   Acct: 0
    Server_auto_test_enabled: TRUE
    Keywrap enabled: FALSE

show aaa clients

Dynamic Author Client 147.32.232.117 
    CoA: requests: 0, transactions: 0
        retransmissions: 0, active transactions: 0
        Ack responses: 0, Nak reponses: 0
        invalid requests: 0, errors: 0
    PoD: requests: 0, transactions: 0
        retransmissions: 0, active transactions: 0
        Ack responses: 0, Nak reponses: 0
        invalid requests: 0, errors: 0
    Average Ack response time: 0 msec
    Requests per minute past 24 hours:
        high - 0 hours, 50 minutes ago: 0
        low  - 0 hours, 50 minutes ago: 0
        average: 0

Dropped request packets: 0

show aaa sessions (last one)

Session Id: 2293
   Unique Id: 1864
   User Name: *not available*
   IP Address: 0.0.0.0
   Idle Time: 0
   CT Call Handle: 0

show aaa user all (last one)

--------------------------------------------------
Unique id 1865 is currently in use.
  No data for type 0
  No data for type EXEC
  No data for type CONN
  NET: Username=(n/a)
    Session Id=000008F6 Unique Id=00000749
    Start Sent=0 Stop Only=N
    stop_has_been_sent=N
    Method List=0
    Attribute list:
      07B361DC 0 00000001 session-id(408) 4 2294(8F6)
      07B36210 0 00000001 start_time(418) 4 Mar 31 2017 19:28:40
--------
  No data for type CMD
  No data for type SYSTEM
  No data for type VRRS
  No data for type RM CALL
  No data for type RM VPDN
  No data for type AUTH PROXY
  No data for type DOT1X
  No data for type CALL
  No data for type VPDN-TUNNEL
  No data for type VPDN-TUNNEL-LINK
  No data for type IPSEC-TUNNEL
  No data for type MCAST
  No data for type RESOURCE
  No data for type SSG
  No data for type IDENTITY
  No data for type ConnectedApps
Accounting:
  log=0x18001
  Events recorded :
    CALL START
    INTERIM START
    INTERIM STOP
  update method(s) :
    NONE
  update interval = 0
  Outstanding Stop Records : 0
  Dynamic attribute list:
    07B361DC 0 00000001 connect-progress(75) 4 Auth Timeout
    07B36210 0 00000001 pre-session-time(334) 4 86(56)
    07B36244 0 00000001 elapsed_time(414) 4 0(0)
    07B36278 0 00000001 bytes_in(146) 4 0(0)
    07B362AC 0 00000001 bytes_out(311) 4 0(0)
    07B39B3C 0 00000001 pre-bytes-in(330) 4 6484(1954)
    07B39B70 0 00000001 pre-bytes-out(331) 4 2012(7DC)
    07B39BA4 0 00000001 paks_in(147) 4 0(0)
    07B39BD8 0 00000001 paks_out(312) 4 0(0)
    07B39C0C 0 00000001 pre-paks-in(332) 4 25(19)
    07B33ECC 0 00000001 pre-paks-out(333) 4 18(12)
Debg: No data available
Radi: No data available
Interface:
  TTY Num = -1
  Stop Received = 0
  Byte/Packet Counts till Call Start:
    Start Bytes In = 4362869       Start Bytes Out = 8971432   
    Start Paks  In = 26485         Start Paks  Out = 25251     
  Byte/Packet Counts till Service Up:
    Pre Bytes In = 4369353       Pre Bytes Out = 8973444   
    Pre Paks  In = 26510         Pre Paks  Out = 25269     
  Cumulative Byte/Packet Counts :
    Bytes In = 4369353       Bytes Out = 8973444   
    Paks  In = 26510         Paks  Out = 25269     
  StartTime = 19:28:40 UTC Mar 31 2017
  Component = Dot1X
Authen: service=8021X type=EAP method=NONE Fallover-from= RADIUS
Kerb: No data available
Meth: No data available
Preauth: No Preauth data.
General:
  Unique Id = 00000749
  Session Id = 000008F6
  Attribute List:
    07B33ECC 0 00000001 port-type(225) 4 Ethernet
    07B33F00 0 00000081 interface(221) 20 GigabitEthernet1/0/1
PerU: No data available
Service Profile: No Service Profile data.
Unkn: No data available

Sorry for this much output, but I will be able to connect to the switch in about two days, so I have tried to get as much info as possible.

Thanks for any help

Best Answer

Finally got it - the problem was that the PacketFence iptables rules were set for RADIUS traffic from the management interface, but I had to send it from another one. So adding some iptables rules made it work! Thanks (will accept answer when possible)
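
The counters posted in the question already match the cause named in the answer: every authentication request timed out and no reply of any kind was counted. The following is an added example, not part of the original post, that parses the Authen block of `show aaa servers` and classifies it; the `parse_authen` and `diagnose` helpers and the class names are hypothetical.

```python
import re

# Authen portion of the `show aaa servers` output posted in the question.
SAMPLE = """\
RADIUS: id 1, priority 1, host 147.32.232.117, auth-port 1812, acct-port 1813
     State: current UP, duration 633s, previous duration 0s
     Authen: request 30438, timeouts 30438, failover 0, retransmission 22834
             Response: accept 0, reject 0, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 7604
             Throttled: transaction 0, timeout 0, failure 0
     Author: request 0, timeouts 0, failover 0, retransmission 0
"""

ITEM = re.compile(r"\s*([a-z ]+?)\s+(\d+)(?:ms)?\s*")
REPLY_KEYS = ("accept", "reject", "challenge",
              "unexpected", "server error", "incorrect")

def parse_authen(text):
    """Return the Authen block counters as {'<line label>.<name>': int}."""
    counters, in_authen = {}, False
    for line in text.splitlines():
        label, _, rest = line.strip().partition(":")
        if label == "Authen":
            in_authen = True
        elif label in ("RADIUS", "Author", "Account"):
            in_authen = False
        if not in_authen:
            continue
        for item in rest.split(","):
            m = ITEM.fullmatch(item)
            if m:
                counters[f"{label.lower()}.{m.group(1)}"] = int(m.group(2))
    return counters

def diagnose(c):
    """Classify the authentication counters of one server."""
    replies = sum(c.get(f"response.{k}", 0) for k in REPLY_KEYS)
    if c.get("authen.request", 0) == 0:
        return "no-requests"   # the switch never sent anything to this server
    if replies == 0:
        # Nothing came back at all: dropped on the path or by a host firewall,
        # or silently discarded by the server (RFC 2865: unknown client).
        return "no-replies"
    return "some-replies"      # server is reachable; look at reject/incorrect

if __name__ == "__main__":
    counters = parse_authen(SAMPLE)
    print(diagnose(counters), counters["authen.timeouts"], "timeouts")
```

A `no-replies` result is the case to take to the server side: check whether UDP 1812 arrives on the interface the switch actually sends to and whether the host firewall accepts it there.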