Hello Umberto,

Did you configure NAC State: Radius NAC?


Regards
Fabrice

On 2015-12-10 07:32, Umberto Ciocca wrote:
> Hi Antoine,
> I created two ACLs:
> - Pre-Auth-For-WebRedirect, as from the guide
> - Pre-Auth_For_WebRedirect, a 'deny all' ACL (just for testing)
> To avoid misconfiguration, now I have only the first ACL. Radius
> authentication server is defined with support for RFC 3576 and WLAN
> has the option "Allow AAA override" enabled. I successfully ping WLC
> from packetfence server and vice versa.
>
> Here is the output of raddebug:
> # raddebug  -f /usr/local/pf/var/run/radiusd.sock -t 3600
> Debug: Received Access-Request packet from host 10.1.0.10 port 32770,
> id=76, length=176
> Debug:       User-Name = "b0c5591cbc05"
> Called-Station-Id = "00-1b-2b-68-be-70:OnlyForTest"
> Debug:       Calling-Station-Id = "b0-c5-59-1c-bc-05"
> Debug:       NAS-Port = 1
> Debug:       NAS-IP-Address = 10.1.0.10
> Debug:       NAS-Identifier = "WLC1-RETTORATO"
> Debug:       Airespace-Wlan-Id = 6
> Debug:       User-Password = "b0c5591cbc05"
> Debug:       Service-Type = Call-Check
> Debug:       Framed-MTU = 1300
> Debug:       NAS-Port-Type = Wireless-802.11
> Debug:       Tunnel-Type:0 = VLAN
> Debug:       Tunnel-Medium-Type:0 = IEEE-802
> Debug:       Tunnel-Private-Group-Id:0 = "33"
> Debug: server packetfence {
> Debug: # Executing section authorize from file
> /usr/local/pf/raddb//sites-enabled/packetfence
> Debug: +group authorize {
> Debug: [suffix] No '@' in User-Name = "b0c5591cbc05", skipping NULL
> due to config.
> Debug: ++[suffix] = noop
> Debug: [ntdomain] No '\' in User-Name = "b0c5591cbc05", looking up
> realm NULL
> Debug: [ntdomain] No such realm "NULL"
> Debug: ++[ntdomain] = noop
> Debug: ++[preprocess] = ok
> Debug: [eap] No EAP-Message, not doing EAP
> Debug: ++[eap] = noop
> Debug: [files] users: Matched entry DEFAULT at line 5
> Debug: ++[files] = ok
> Debug: ++[expiration] = noop
> Debug: ++[logintime] = noop
> Debug: ++update request {
> Debug:       expand: %{Packet-Src-IP-Address} -> 10.1.0.10
> Debug: ++} # update request = noop
> Debug: ++update control {
> Debug: ++} # update control = noop
> Debug: ++[packetfence] = noop
> Debug: +} # group authorize = ok
> Debug: Found Auth-Type = Accept
> Debug: Auth-Type = Accept, accepting the user
> Debug: } # server packetfence
> Debug: # Executing section post-auth from file
> /usr/local/pf/raddb//sites-enabled/packetfence
> Debug: +group post-auth {
> Debug: ++[exec] = noop
> Debug: ++? if (!EAP-Type || (EAP-Type != EAP-TTLS  && EAP-Type != PEAP))
> Debug: ? Evaluating !(EAP-Type ) -> TRUE
> Debug: ?? Skipping (EAP-Type != EAP-TTLS  )
> Debug: ?? Skipping (EAP-Type != PEAP)
> Debug: ++? if (!EAP-Type || (EAP-Type != EAP-TTLS  && EAP-Type !=
> PEAP)) -> TRUE
> Debug: ++if (!EAP-Type || (EAP-Type != EAP-TTLS  && EAP-Type != PEAP)) {
> Debug: +++update control {
> Debug: +++} # update control = noop
> Debug: +++[packetfence] = ok
> Debug: ++} # if (!EAP-Type || (EAP-Type != EAP-TTLS  && EAP-Type !=
> PEAP)) = ok
> Debug: +} # group post-auth = ok
> Debug: Sending Access-Accept packet to host 10.1.0.10 port 32770,
> id=76, length=0
> Debug:       Cisco-AVPair += "url-redirect-acl=Pre-Auth-For-WebRedirect"
> Debug:       Cisco-AVPair += "url-redirect=http://10.1.212.2/cepc129f3";
> Debug: Finished request 65.
> Debug: Cleaning up request 65 ID 76 with timestamp +258443
>
> Here is the output of show client detail:
> (Cisco Controller) >show client detail b0-c5-59-1c-bc-05
> Client MAC Address............................... b0:c5:59:1c:bc:05
> Client Username ................................. N/A
> AP MAC Address................................... 00:1b:2b:68:be:70
> Client State..................................... Associated
> Wireless LAN Id.................................. 6
> BSSID............................................ 00:1b:2b:68:be:75
> Channel.......................................... 11
> IP Address....................................... 10.1.212.29
> Association Id................................... 21
> Authentication Algorithm......................... Open System
> Reason Code...................................... 0
> Status Code...................................... 0
> Session Timeout.................................. 1800
> Client CCX version............................... 4
> Client E2E version............................... No E2E support
> Mirroring........................................ Disabled
> QoS Level........................................ Silver
> Diff Serv Code Point (DSCP)...................... disabled
> 802.1P Priority Tag.............................. disabled
> WMM Support...................................... Enabled
> U-APSD Support................................... Disabled
> Mobility State................................... Local
> Mobility Move Count.............................. 0
> Security Policy Completed........................ Yes
> Policy Manager State............................. RUN
> Policy Manager Rule Created...................... Yes
> NPU Fast Fast Notified........................... Yes
> Policy Type...................................... N/A
> Encryption Cipher................................ None
> Management Frame Protection...................... No
> EAP Type......................................... Unknown
> Interface........................................ packetfence
> VLAN............................................. 33
> Client Capabilities:
>       CF Pollable................................ Not implemented
>       CF Poll Request............................ Not implemented
>       Short Preamble............................. Implemented
>       PBCC....................................... Not implemented
>       Channel Agility............................ Not implemented
>       Listen Interval............................ 0
> Client Statistics:
>       Number of Bytes Received................... 42634
>       Number of Bytes Sent....................... 202930
>       Number of Packets Received................. 297
>       Number of Packets Sent..................... 220
>       Number of Policy Errors.................... 0
>       Radio Signal Strength Indicator............ -76 dBm
>       Signal to Noise Ratio...................... 16 dB
> Thanks,
> Umberto
>> Hello Umberto,
>>
>> You need to track down the device you are testing on the WLC; we can see 
>> that PacketFence sends the ACL for the URL redirect 
>> "Pre-Auth_For_WebRedirect".
>> Does the device you are testing with have the ACL applied on the 
>> WLC (client list)?
>> Is the ACL "Pre-Auth_For_WebRedirect" written exactly the same way 
>> on the WLC?
>>
>> Note: When you are using the WLC 4400 module, your ACL has - instead of _
>>
>> The answers to those questions should help you reach the solution.
>>
>> If they don't, start by running "raddebug -f 
>> /usr/local/pf/var/run/radiusd.sock -t 3600" on your terminal and watch 
>> the RADIUS exchange between the WLC and PF; you should see "Cisco-AVPair 
>> = url-redirect="http://PacketFence_Portal_IP/cepXXXXXX"" in the RADIUS 
>> answer.
>>
>> Thank you.
>
>
>
> ------------------------------------------------------------------------------
>
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users


-- 
Fabrice Durand
[email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
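An added example, not code from the thread or from PacketFence: it parses the Cisco-AVPair lines of a raddebug Access-Accept and compares the ACL name PacketFence sends with the ACL names defined on the WLC, flagging the "-" versus "_" mismatch Antoine describes. The sample output is constructed in the thread's format with a placeholder URL token, the WLC ACL set is an assumed input, and the function names are the example's own.

```python
import re

# Constructed sample: the Access-Accept tail as printed by raddebug in the thread
# (URL token replaced by a placeholder).
RADDEBUG_SAMPLE = """\
Debug: Sending Access-Accept packet to host 10.1.0.10 port 32770,
id=76, length=0
Debug:       Cisco-AVPair += "url-redirect-acl=Pre-Auth-For-WebRedirect"
Debug:       Cisco-AVPair += "url-redirect=http://10.1.212.2/cepXXXXXX"
Debug: Finished request 65.
"""

# Matches 'Cisco-AVPair += "name=value"' (also plain '=' as in Antoine's mail)
AVPAIR_RE = re.compile(r'Cisco-AVPair\s*\+?=\s*"([^=]+)=([^"]*)"')


def parse_avpairs(text):
    """Return {attribute: value} for every Cisco-AVPair in the RADIUS answer."""
    return {k: v for k, v in AVPAIR_RE.findall(text)}


def check_redirect(avpairs, wlc_acls):
    """Compare the ACL name PacketFence sent with the ACL names on the WLC.
    wlc_acls is an assumed input (e.g. names copied from 'show acl summary').
    Returns a list of findings; an empty list means the redirect should apply."""
    findings = []
    acl = avpairs.get("url-redirect-acl")
    if acl is None:
        findings.append("no url-redirect-acl in Access-Accept: WLC applies no redirect ACL")
    elif acl not in wlc_acls:
        # The WLC matches the name exactly, so '-' and '_' are different ACLs
        near = [n for n in wlc_acls if n.replace("_", "-") == acl.replace("_", "-")]
        if near:
            findings.append(f"ACL {acl!r} not on WLC, but {near[0]!r} is: '-' vs '_' mismatch")
        else:
            findings.append(f"ACL {acl!r} is not defined on the WLC")
    if "url-redirect" not in avpairs:
        findings.append("no url-redirect URL in Access-Accept: portal redirect cannot happen")
    return findings


if __name__ == "__main__":
    pairs = parse_avpairs(RADDEBUG_SAMPLE)
    # Assumed WLC ACL set with the underscore spelling from the thread
    for finding in check_redirect(pairs, {"Pre-Auth_For_WebRedirect"}):
        print("WARN:", finding)
```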
