Hi David.  Thx for chiming in here.  Yes,  by default it's enabled, but I just 
went back in to double check -- it's enabled.

-----Original Message-----
From: Bulanda, Dave G [mailto:dgbula...@indianatech.edu] 
Sent: Friday, October 05, 2012 1:48 PM
To: 'packetfence-users@lists.sourceforge.net'
Subject: Re: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue - Invalid 
RADIUS message authenticator

Thomas,

Is your WLC set to use RFC 3576?  I believe when that is not enabled that is 
the message that the WLC returns when you send the COA/DeAuth.


David Bulanda
Network Services Manager
dgbula...@indianatech.edu
Indiana Tech




-----Original Message-----
From: Thomas Tsai [mailto:tt...@canyonpartners.com]
Sent: Friday, October 05, 2012 3:39 PM
To: 'packetfence-users@lists.sourceforge.net'
Subject: Re: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue - Invalid 
RADIUS message authenticator

I'm a little lost - how can this be a radius shared secret issue if the WLC can 
contact the freeradius2 server to perform the initial authentication, but then 
fail during deauth?  Are these settings separate from one another?  It does not 
seem like they would be.

-----Original Message-----
From: Francois Gaudreault [mailto:fgaudrea...@inverse.ca]
Sent: Friday, October 05, 2012 12:19 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue - Invalid 
RADIUS message authenticator

Well this is a shared secret issue, so make sure they are right... 
sometimes there is a trailing character at the end.

If you run in HA, make sure the VIP is listed in the AAA server list on your 
WLC.

On 2012-10-05 2:52 PM, Thomas Tsai wrote:
> Bump - can anyone offer any suggestions as to how to troubleshoot this 
> particular problem?
>
> *From:*Thomas Tsai [mailto:tt...@canyonpartners.com]
> *Sent:* Thursday, October 04, 2012 7:11 PM
> *To:* 'packetfence-users@lists.sourceforge.net'
> *Subject:* [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue - 
> Invalid RADIUS message authenticator
>
> When packetfence attempts to deauth/COA via radius on a WLC, the 
> following error appears on the WLC: *Invalid RADIUS message
> authenticator*
>
> A quick search yields some wisdom that Olivier provided with someone 
> with a remotely similar issue.
>
> http://comments.gmane.org/gmane.comp.networking.packetfence.user/3908
>
> I have confirmed that I am running firmware 7.2.110.0 on the WLC, so 
> this should work.  (Radius Disconnect)
>
> I spot the issue below, but I am uncertain why the message 
> authenticator is invalid. Am I doing something wrong?
>
> *_PACKETFENCE.LOG:_*
>
> Oct 04 18:37:39 register.cgi(0) INFO: 00:88:10:88:59:88 is currentlog 
> connected at <WLC IP> ifIndex 13 in VLAN REG_VLAN
> (pf::enforcement::_should_we_reassign_vlan)
>
> Oct 04 18:37:39 register.cgi(0) INFO: [CUSTOM-NOCATCH] Defined (y/n)? 
> 1
> -- value =  (pf::vlan::custom::getNormalVlan)
>
> Oct 04 18:37:39 register.cgi(0) INFO: MAC: 00:88:10:88:59:88, PID:
> username, Status: reg. Returned VLAN: NORMAL_VLAN
> (pf::vlan::fetchVlanForNode)
>
> Oct 04 18:37:39 register.cgi(0) INFO: VLAN reassignment required for
> 00:88:10:88:59:88 (current VLAN = REG_VLAN but should be in VLAN
> NORMAL_VLAN) (pf::enforcement::_should_we_reassign_vlan)
>
> Oct 04 18:37:39 register.cgi(0) INFO: switch port for
> 00:88:10:88:59:88 is <WLC IP> ifIndex 13 connection type: WiFi 802.1X
> (pf::enforcement::_vlan_reevaluation)
>
> Oct 04 18:37:39 register.cgi(0) INFO: trying to dissociate a wireless 
> 802.1x user, this might not work depending on hardware support. If its 
> your case please file a bug (pf::enforcement::_vlan_reevaluation)
>
> Oct 04 18:37:39 register.cgi(0) INFO: 10.0.0.39 - 00:88:10:88:59:88 on 
> registration page 
> (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_r
> egister_2ecgi::handler)
>
> Oct 04 18:37:40 pfdhcplistener(26773) INFO: 00:88:10:88:59:88 
> requested an IP. DHCP Fingerprint: OS::109 (Microsoft Windows 8).
> Modified node with last_dhcp = 2012-10-04 18:37:40,computername = 
> LAPTOPNAME,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,121,249,252,43
> (main::listen_dhcp)
>
> Oct 04 18:37:40 pfdhcplistener(26773) INFO: DHCPACK from 10.0.0.254
> (00:99:56:99:00:99) to host 00:88:10:88:59:88 (10.0.0.39) for 20 
> seconds
> (main::parse_dhcp_ack)
>
> Oct 04 18:37:42 pfsetvlan(21) INFO: local (127.0.0.1) trap for switch 
> <WLC IP> (main::parseTrap)
>
> Oct 04 18:37:42 pfsetvlan(1) INFO: nb of items in queue: 1; nb of 
> threads running: 0 (main::startTrapHandlers)
>
> Oct 04 18:37:42 pfsetvlan(1) INFO: desAssociate trap received on <WLC
> IP> for wireless client 00:88:10:88:59:88 (main::handleTrap)
>
> Oct 04 18:37:42 pfcmd_vlan(26918) INFO: wireless deauthentication of a 
> 802.1x MAC (main::)
>
> Oct 04 18:37:50 pfdhcplistener(26773) INFO: 00:88:10:88:59:88 
> requested an IP. DHCP Fingerprint: OS::109 (Microsoft Windows 8).
> Modified node with last_dhcp = 2012-10-04 18:37:50,computername = 
> LAPTOPNAME,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,121,249,252,43
> (main::listen_dhcp)
>
> Oct 04 18:37:50 pfdhcplistener(26773) INFO: DHCPACK from 10.0.0.254
> (00:99:56:99:00:99) to host 00:88:10:88:59:88 (10.0.0.39) for 20 
> seconds
> (main::parse_dhcp_ack)
>
> *Oct 04 18:37:52 pfcmd_vlan(26918) WARN: Unable to perform RADIUS
> Disconnect-Request: Timeout waiting for a reply from <WLC IP> on port
> 3799 at /usr/local/pf/lib/pf/util/radius.pm line 160. 
> (pf::SNMP::__ANON__)*
>
> *Oct 04 18:37:52 pfcmd_vlan(26918) ERROR: Wrong RADIUS secret or 
> unreachable network device... (pf::SNMP::__ANON__)*
>
> Oct 04 18:37:52 pfsetvlan(1) INFO: finished (main::cleanupAfterThread)
>
> *_WLC5508 radius debug log:_*
>
> *radiusTransportThread: Oct 05 02:05:02.680: ****Enter
> processIncomingMessages: response code=5
>
> *radiusTransportThread: Oct 05 02:05:02.680: ****Enter
> processRadiusResponse: response code=5
>
> *radiusTransportThread: Oct 05 02:05:02.680: 00:27:10:41:59:60 
> Accounting-Response received from RADIUS server <PACKETFENCE IP> for 
> mobile 00:88:10:88:59:88 receiveId = 0
>
> **radiusRFC3576TransportThread: Oct 05 02:05:29.134: Invalid RADIUS 
> message authenticator*
>
> **radiusRFC3576TransportThread: Oct 05 02:05:29.134: Invalid message 
> authenticator received in 'RFC-3576 Disconnect-Request' from 
> <PACKETFENCE IP>*
>
> ----------------------------------------------------------------------
> -------- Don't let slow site performance ruin your business. Deploy 
> New Relic APM Deploy New Relic app performance management and know 
> exactly what is happening inside your Ruby, Python, PHP, Java, and 
> .NET app Try New Relic at no cost today and get our sweet Data Nerd 
> shirt too!
> http://p.sf.net/sfu/newrelic-dev2dev
>
>
>
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>


--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca Inverse 
inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
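
The check discussed in this thread, as an added example that is not part of the original messages or of PacketFence: it builds a Disconnect-Request the way RFC 5176 defines the Request Authenticator and shows the receiver-side verification failing when the configured secret carries a trailing character. It assumes the field the WLC rejects is that header authenticator; the secret values, the `diagnose` helper and the Calling-Station-Id formatting are constructed for illustration.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40  # RFC 5176 packet code

def calling_station_id(mac: str) -> bytes:
    """Encode attribute 31 (Calling-Station-Id) as type, length, value."""
    value = mac.encode("ascii")
    return bytes([31, len(value) + 2]) + value

def build_disconnect_request(identifier: int, attributes: bytes, secret: bytes) -> bytes:
    """Sender side: header, Request Authenticator, then attributes."""
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attributes))
    # MD5(Code + Identifier + Length + 16 zero octets + attributes + shared secret)
    auth = hashlib.md5(header + b"\x00" * 16 + attributes + secret).digest()
    return header + auth + attributes

def verify_request_authenticator(packet: bytes, secret: bytes) -> bool:
    """Receiver side: recompute the MD5 with the locally configured secret."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False
    attributes = packet[20:length]
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + attributes + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)

def diagnose(packet: bytes, configured_secret: bytes) -> str:
    """Hypothetical helper: tell a whitespace-only difference from a real mismatch."""
    if verify_request_authenticator(packet, configured_secret):
        return "match"
    variants = {configured_secret.strip()}
    variants |= {configured_secret + t for t in (b"\n", b"\r\n", b" ")}
    if any(verify_request_authenticator(packet, v) for v in variants):
        return "whitespace-mismatch"
    return "mismatch"

# Constructed sample values, not taken from the thread's configuration.
SENDER_SECRET = b"constructed-secret"
RECEIVER_SECRET = b"constructed-secret\n"  # same secret saved with a trailing newline
SAMPLE_PACKET = build_disconnect_request(
    1, calling_station_id("00:88:10:88:59:88"), SENDER_SECRET)

if __name__ == "__main__":
    print(verify_request_authenticator(SAMPLE_PACKET, SENDER_SECRET))
    print(diagnose(SAMPLE_PACKET, RECEIVER_SECRET))
```

Running the same verification against a Disconnect-Request captured on UDP port 3799 shows whether the secret configured on the receiving side matches the one the sender used.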
