So, the scenario I’m about to explain worked fine on PacketFence 6.1.2. The
only thing that changed was I upgraded PacketFence to 6.5. I have an open
SSID guest wifi network. It’s authenticated with an SMS PIN via PacketFence.
The issue is that it appears after successful authentication PacketFence is not
sending the CoA or RADIUS notification to the Cisco WLC to change the ACL for
the client. The only way to get it to work is to disassociate from the wireless
network on the client and then re-associate; then I get full network access.
I’ve attached the PacketFence log file. Any help is appreciated.
Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] Instantiate
profile SEGuestPortal (pf::Portal::ProfileFactory::_from_profile)
Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
[28:cf:e9:14:7a:29] Activation code sent to email 6105336834 from 6105336834
successfully verified. for activation type: sms (pf::activation::validate_code)
Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] User
6105336834 has authenticated on the portal. (Class::MOP::Class:::after)
Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] User
6105336834 has authenticated on the portal. (Class::MOP::Class:::after)
Feb 13 13:31:30 httpd.portal(1301) WARN: [mac:28:cf:e9:14:7a:29] Calling match
with empty/invalid rule class. Defaulting to 'authentication'
(pf::authentication::match)
Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] Using sources
sms for matching (pf::authentication::match)
Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] Matched rule
(catchall) in source sms, returning actions. (pf::Authentication::Source::match)
Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] User
6105336834 has authenticated on the portal. (Class::MOP::Class:::after)
Feb 13 13:31:30 httpd.portal(1301) WARN: [mac:28:cf:e9:14:7a:29] Calling match
with empty/invalid rule class. Defaulting to 'authentication'
(pf::authentication::match)
Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] Using sources
sms for matching (pf::authentication::match)
Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] Matched rule
(catchall) in source sms, returning actions. (pf::Authentication::Source::match)
Feb 13 13:31:30 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29] External
captive portal detected !
(captiveportal::PacketFence::Model::Portal::Session::_build_dispatcherSession)
Feb 13 13:31:30 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29] Detected
external portal client. Using the IP 192.168.200.26 address in it's session.
(captiveportal::PacketFence::Model::Portal::Session::_build_clientIp)
Feb 13 13:31:30 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29] Instantiate
profile SEGuestPortal (pf::Portal::ProfileFactory::_from_profile)
Feb 13 13:31:30 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29] User
6105336834 has authenticated on the portal. (Class::MOP::Class:::after)
Feb 13 13:31:30 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29] No provisioner
found for 28:cf:e9:14:7a:29. Continuing.
(captiveportal::PacketFence::DynamicRouting::Module::Provisioning::execute_child)
Feb 13 13:31:30 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29] User
6105336834 has authenticated on the portal. (Class::MOP::Class:::after)
Feb 13 13:31:30 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29] User
6105336834 has authenticated on the portal. (Class::MOP::Class:::after)
Feb 13 13:31:30 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29] violation
1300003 force-closed for 28:cf:e9:14:7a:29
(pf::violation::violation_force_close)
Feb 13 13:31:30 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29] Instantiate
profile SEGuestPortal (pf::Portal::ProfileFactory::_from_profile)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29] External
captive portal detected !
(captiveportal::PacketFence::Model::Portal::Session::_build_dispatcherSession)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29] Detected
external portal client. Using the IP 192.168.200.26 address in it's session.
(captiveportal::PacketFence::Model::Portal::Session::_build_clientIp)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29] Instantiate
profile SEGuestPortal (pf::Portal::ProfileFactory::_from_profile)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29] Releasing
device (captiveportal::PacketFence::DynamicRouting::Module::Root::release)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29] User default
has authenticated on the portal. (Class::MOP::Class:::after)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29] Memory
configuration is not valid anymore for key config::Switch in local cached_hash
(pfconfig::cached::is_valid)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29] re-evaluating
access (manage_register called) (pf::enforcement::reevaluate_access)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29] is currentlog
connected at (10.0.12.2) ifIndex 1 registration
(pf::enforcement::_should_we_reassign_vlan)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29] Instantiate
profile SEGuestPortal (pf::Portal::ProfileFactory::_from_profile)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29] Connection
type is WIRELESS_MAC_AUTH. Getting role from node_info
(pf::role::getRegisteredRole)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29] Username was
defined "28cfe9147a29" - returning role 'guest' (pf::role::getRegisteredRole)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29] PID:
"6105336834", Status: reg Returned VLAN: (undefined), Role: guest
(pf::role::fetchRoleForNode)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29] Reassignment
required (current Role = registration but should be in Role guest)
(pf::enforcement::_should_we_reassign_vlan)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29] switch port is
(10.0.12.2) ifIndex 1 connection type: WiFi MAC Auth
(pf::enforcement::_vlan_reevaluation)
Feb 13 13:32:06 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] Updating
locationlog from accounting request (pf::api::handle_accounting_metadata)
Feb 13 13:32:22 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] Updating
locationlog from accounting request (pf::api::handle_accounting_metadata)
Feb 13 13:36:33 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] Updating
locationlog from accounting request (pf::api::handle_accounting_metadata)
Feb 13 13:37:00 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] Updating
locationlog from accounting request (pf::api::handle_accounting_metadata)
----- Here is where I turn off the wifi on the client and then re-enable it. -----
Feb 13 13:37:13 httpd.portal(1306) INFO: [mac:28:cf:e9:14:7a:29] URI
'/Cisco::WLC/sidc7d78a' is detected as an external captive portal URI
(pf::web::externalportal::handle)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] External
captive portal detected !
(captiveportal::PacketFence::Model::Portal::Session::_build_dispatcherSession)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] Detected
external portal client. Using the IP 192.168.200.26 address in it's session.
(captiveportal::PacketFence::Model::Portal::Session::_build_clientIp)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] Instantiate
profile SEGuestPortal (pf::Portal::ProfileFactory::_from_profile)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] Updating node
user_agent with useragent: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12;
rv:35.0) Gecko/20100101 Firefox/35.0'
(captiveportal::PacketFence::DynamicRouting::Application::process_user_agent)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] User default
has authenticated on the portal. (Class::MOP::Class:::after)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] Memory
configuration is not valid anymore for key config::Switch in local cached_hash
(pfconfig::cached::is_valid)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] Reevaluating
access of device.
(captiveportal::PacketFence::DynamicRouting::Module::Root::unknown_state)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] re-evaluating
access (manage_register called) (pf::enforcement::reevaluate_access)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] is currentlog
connected at (10.0.12.2) ifIndex 1 registration
(pf::enforcement::_should_we_reassign_vlan)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] Instantiate
profile SEGuestPortal (pf::Portal::ProfileFactory::_from_profile)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] Connection
type is WIRELESS_MAC_AUTH. Getting role from node_info
(pf::role::getRegisteredRole)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] Username was
defined "28cfe9147a29" - returning role 'guest' (pf::role::getRegisteredRole)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] PID:
"6105336834", Status: reg Returned VLAN: (undefined), Role: guest
(pf::role::fetchRoleForNode)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] Reassignment
required (current Role = registration but should be in Role guest)
(pf::enforcement::_should_we_reassign_vlan)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] switch port is
(10.0.12.2) ifIndex 1 connection type: WiFi MAC Auth
(pf::enforcement::_vlan_reevaluation)
Feb 13 13:37:14 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29] External
captive portal detected !
(captiveportal::PacketFence::Model::Portal::Session::_build_dispatcherSession)
Feb 13 13:37:14 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29] Detected
external portal client. Using the IP 192.168.200.26 address in it's session.
(captiveportal::PacketFence::Model::Portal::Session::_build_clientIp)
Feb 13 13:37:14 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29] Instantiate
profile SEGuestPortal (pf::Portal::ProfileFactory::_from_profile)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] handling radius
autz request: from switch_ip => (10.0.12.2), connection_type =>
Wireless-802.11-NoEAP,switch_mac => (2c:3f:38:f6:82:80), mac =>
[28:cf:e9:14:7a:29], port => 1, username => "28cfe9147a29", ssid => SEGuest
(pf::radius::authorize)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] Instantiate
profile SEGuestPortal (pf::Portal::ProfileFactory::_from_profile)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] Connection type
is WIRELESS_MAC_AUTH. Getting role from node_info (pf::role::getRegisteredRole)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] Username was
defined "28cfe9147a29" - returning role 'guest' (pf::role::getRegisteredRole)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] PID:
"6105336834", Status: reg Returned VLAN: (undefined), Role: guest
(pf::role::fetchRoleForNode)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] (10.0.12.2) Added
VLAN 154 to the returned RADIUS Access-Accept
(pf::Switch::returnRadiusAccessAccept)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] (10.0.12.2) Added
role Authorize_any to the returned RADIUS Access-Accept
(pf::Switch::returnRadiusAccessAccept)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] Updating
locationlog from accounting request (pf::api::handle_accounting_metadata)
Eric Koons
Sr. Network Engineer | CCNA: Routing and Switching
Service Electric Cable TV and Communications | www.sectv.com
Office: 610-841-8355
Mobile: 610-533-6834
Fax: 610-797-2445
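
A way to measure the symptom from the log, as an added example that is not part of the original post and is not PacketFence code: for each "Reassignment required" entry it reports how long it took until the next RADIUS authorization for the same MAC. The function names and the 10-second `max_gap` threshold are assumptions made for this sketch.

```python
import re
from datetime import datetime

# Constructed sample: entries copied from the log in the post, keeping the
# e-mail's hard line wrapping so the re-joining step is exercised.
SAMPLE = """\
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29] Reassignment
required (current Role = registration but should be in Role guest)
(pf::enforcement::_should_we_reassign_vlan)
Feb 13 13:32:06 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] Updating
locationlog from accounting request (pf::api::handle_accounting_metadata)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] Reassignment
required (current Role = registration but should be in Role guest)
(pf::enforcement::_should_we_reassign_vlan)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] handling radius
autz request: from switch_ip => (10.0.12.2), connection_type =>
Wireless-802.11-NoEAP,switch_mac => (2c:3f:38:f6:82:80), mac =>
[28:cf:e9:14:7a:29], port => 1, username => "28cfe9147a29", ssid => SEGuest
(pf::radius::authorize)
"""

ENTRY = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ \w+: \[mac:([0-9a-f:]{17})\] (.*)$")

def records(text):
    """Re-join wrapped lines, then return (time, mac, message) per entry."""
    entries = []
    for line in text.splitlines():
        if re.match(r"\w{3} +\d+ [\d:]{8} ", line):
            entries.append(line.strip())
        elif entries:
            entries[-1] += " " + line.strip()
    found = [m.groups() for m in map(ENTRY.match, entries) if m]
    # The log carries no year; 2000 is a placeholder, only deltas are used.
    return [(datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S"), mac, msg)
            for ts, mac, msg in found]

def reauth_gaps(text, max_gap=10):
    """Seconds from each 'Reassignment required' to the next RADIUS authorize
    for the same MAC (None if none follows); returns only gaps > max_gap."""
    recs, slow = records(text), []
    for i, (t, mac, msg) in enumerate(recs):
        if msg.startswith("Reassignment required"):
            nxt = next((t2 for t2, m2, s2 in recs[i + 1:]
                        if m2 == mac and "(pf::radius::authorize)" in s2), None)
            gap = None if nxt is None else int((nxt - t).total_seconds())
            if gap is None or gap > max_gap:
                slow.append((t.strftime("%H:%M:%S"), mac, gap))
    return slow
```

On the sample, `reauth_gaps(SAMPLE)` reports both reassignments: 381 seconds for the one at 13:31:30 and 38 seconds for the one at 13:37:13.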