Hello Eric,
While upgrading from 6.1.2 to 6.5 there are multiple changes to
WebAuth, did you follow the UPGRADE.asciidoc? For instance your WLC (in
Switches) needs to have "External Portal Enforcement" checked.
If everything has been applied, make sure you are still sending the CoA
on the right port. On the WLC it should be 3799 or 1700 (depending on the
version of the WLC).
Also have a look in logs/pfqueue.log; it should tell you if the CoA has
been received and taken into account by the WLC.
Thanks
On 02/14/2017 10:40 AM, Eric Koons wrote:
So, the scenario I’m about to explain worked fine on PacketFence
6.1.2. The only thing that changed was I upgraded Packetfence to 6.5.
I have an open SSID guest wifi network. It’s authenticated with an
SMS pin via packetfence. The issue is that it appears after
successful authentication Packetfence is not sending the COA or Radius
notification to the cisco WLC to change the ACL for the client. The
only way to get it to work is to disassociate from the wireless network
on the client and then re-associate; then I get full network access.
I’ve attached the packetfence log file. Any help is appreciated.
Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
Instantiate profile SEGuestPortal
(pf::Portal::ProfileFactory::_from_profile)
Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
[28:cf:e9:14:7a:29] Activation code sent to email 6105336834 from
6105336834 successfully verified. for activation type: sms
(pf::activation::validate_code)
Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] User
6105336834 has authenticated on the portal. (Class::MOP::Class:::after)
Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] User
6105336834 has authenticated on the portal. (Class::MOP::Class:::after)
Feb 13 13:31:30 httpd.portal(1301) WARN: [mac:28:cf:e9:14:7a:29]
Calling match with empty/invalid rule class. Defaulting to
'authentication' (pf::authentication::match)
Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] Using
sources sms for matching (pf::authentication::match)
Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
Matched rule (catchall) in source sms, returning actions.
(pf::Authentication::Source::match)
Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] User
6105336834 has authenticated on the portal. (Class::MOP::Class:::after)
Feb 13 13:31:30 httpd.portal(1301) WARN: [mac:28:cf:e9:14:7a:29]
Calling match with empty/invalid rule class. Defaulting to
'authentication' (pf::authentication::match)
Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] Using
sources sms for matching (pf::authentication::match)
Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
Matched rule (catchall) in source sms, returning actions.
(pf::Authentication::Source::match)
Feb 13 13:31:30 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29]
External captive portal detected !
(captiveportal::PacketFence::Model::Portal::Session::_build_dispatcherSession)
Feb 13 13:31:30 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29]
Detected external portal client. Using the IP 192.168.200.26 address
in it's session.
(captiveportal::PacketFence::Model::Portal::Session::_build_clientIp)
Feb 13 13:31:30 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29]
Instantiate profile SEGuestPortal
(pf::Portal::ProfileFactory::_from_profile)
Feb 13 13:31:30 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29] User
6105336834 has authenticated on the portal. (Class::MOP::Class:::after)
Feb 13 13:31:30 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29] No
provisioner found for 28:cf:e9:14:7a:29. Continuing.
(captiveportal::PacketFence::DynamicRouting::Module::Provisioning::execute_child)
Feb 13 13:31:30 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29] User
6105336834 has authenticated on the portal. (Class::MOP::Class:::after)
Feb 13 13:31:30 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29] User
6105336834 has authenticated on the portal. (Class::MOP::Class:::after)
Feb 13 13:31:30 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29]
violation 1300003 force-closed for 28:cf:e9:14:7a:29
(pf::violation::violation_force_close)
Feb 13 13:31:30 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29]
Instantiate profile SEGuestPortal
(pf::Portal::ProfileFactory::_from_profile)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29]
External captive portal detected !
(captiveportal::PacketFence::Model::Portal::Session::_build_dispatcherSession)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29]
Detected external portal client. Using the IP 192.168.200.26 address
in it's session.
(captiveportal::PacketFence::Model::Portal::Session::_build_clientIp)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29]
Instantiate profile SEGuestPortal
(pf::Portal::ProfileFactory::_from_profile)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29]
Releasing device
(captiveportal::PacketFence::DynamicRouting::Module::Root::release)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29] User
default has authenticated on the portal. (Class::MOP::Class:::after)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29]
Memory configuration is not valid anymore for key config::Switch in
local cached_hash (pfconfig::cached::is_valid)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29]
re-evaluating access (manage_register called)
(pf::enforcement::reevaluate_access)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29] is
currentlog connected at (10.0.12.2) ifIndex 1 registration
(pf::enforcement::_should_we_reassign_vlan)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29]
Instantiate profile SEGuestPortal
(pf::Portal::ProfileFactory::_from_profile)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29]
Connection type is WIRELESS_MAC_AUTH. Getting role from node_info
(pf::role::getRegisteredRole)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29]
Username was defined "28cfe9147a29" - returning role 'guest'
(pf::role::getRegisteredRole)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29] PID:
"6105336834", Status: reg Returned VLAN: (undefined), Role: guest
(pf::role::fetchRoleForNode)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29]
Reassignment required (current Role = registration but should be in
Role guest) (pf::enforcement::_should_we_reassign_vlan)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29]
switch port is (10.0.12.2) ifIndex 1 connection type: WiFi MAC Auth
(pf::enforcement::_vlan_reevaluation)
Feb 13 13:32:06 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] Updating
locationlog from accounting request (pf::api::handle_accounting_metadata)
Feb 13 13:32:22 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] Updating
locationlog from accounting request (pf::api::handle_accounting_metadata)
Feb 13 13:36:33 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] Updating
locationlog from accounting request (pf::api::handle_accounting_metadata)
Feb 13 13:37:00 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] Updating
locationlog from accounting request (pf::api::handle_accounting_metadata)
----- Here is where I turn off the wifi on the client and then
re-enable it. -----
Feb 13 13:37:13 httpd.portal(1306) INFO: [mac:28:cf:e9:14:7a:29] URI
'/Cisco::WLC/sidc7d78a' is detected as an external captive portal URI
(pf::web::externalportal::handle)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
External captive portal detected !
(captiveportal::PacketFence::Model::Portal::Session::_build_dispatcherSession)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
Detected external portal client. Using the IP 192.168.200.26 address
in it's session.
(captiveportal::PacketFence::Model::Portal::Session::_build_clientIp)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
Instantiate profile SEGuestPortal
(pf::Portal::ProfileFactory::_from_profile)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
Updating node user_agent with useragent: 'Mozilla/5.0 (Macintosh;
Intel Mac OS X 10.12; rv:35.0) Gecko/20100101 Firefox/35.0'
(captiveportal::PacketFence::DynamicRouting::Application::process_user_agent)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] User
default has authenticated on the portal. (Class::MOP::Class:::after)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
Memory configuration is not valid anymore for key config::Switch in
local cached_hash (pfconfig::cached::is_valid)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
Reevaluating access of device.
(captiveportal::PacketFence::DynamicRouting::Module::Root::unknown_state)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
re-evaluating access (manage_register called)
(pf::enforcement::reevaluate_access)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] is
currentlog connected at (10.0.12.2) ifIndex 1 registration
(pf::enforcement::_should_we_reassign_vlan)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
Instantiate profile SEGuestPortal
(pf::Portal::ProfileFactory::_from_profile)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
Connection type is WIRELESS_MAC_AUTH. Getting role from node_info
(pf::role::getRegisteredRole)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
Username was defined "28cfe9147a29" - returning role 'guest'
(pf::role::getRegisteredRole)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] PID:
"6105336834", Status: reg Returned VLAN: (undefined), Role: guest
(pf::role::fetchRoleForNode)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
Reassignment required (current Role = registration but should be in
Role guest) (pf::enforcement::_should_we_reassign_vlan)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
switch port is (10.0.12.2) ifIndex 1 connection type: WiFi MAC Auth
(pf::enforcement::_vlan_reevaluation)
Feb 13 13:37:14 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29]
External captive portal detected !
(captiveportal::PacketFence::Model::Portal::Session::_build_dispatcherSession)
Feb 13 13:37:14 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29]
Detected external portal client. Using the IP 192.168.200.26 address
in it's session.
(captiveportal::PacketFence::Model::Portal::Session::_build_clientIp)
Feb 13 13:37:14 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29]
Instantiate profile SEGuestPortal
(pf::Portal::ProfileFactory::_from_profile)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] handling
radius autz request: from switch_ip => (10.0.12.2), connection_type =>
Wireless-802.11-NoEAP,switch_mac => (2c:3f:38:f6:82:80), mac =>
[28:cf:e9:14:7a:29], port => 1, username => "28cfe9147a29", ssid =>
SEGuest (pf::radius::authorize)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29]
Instantiate profile SEGuestPortal
(pf::Portal::ProfileFactory::_from_profile)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29]
Connection type is WIRELESS_MAC_AUTH. Getting role from node_info
(pf::role::getRegisteredRole)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] Username
was defined "28cfe9147a29" - returning role 'guest'
(pf::role::getRegisteredRole)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] PID:
"6105336834", Status: reg Returned VLAN: (undefined), Role: guest
(pf::role::fetchRoleForNode)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29]
(10.0.12.2) Added VLAN 154 to the returned RADIUS Access-Accept
(pf::Switch::returnRadiusAccessAccept)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29]
(10.0.12.2) Added role Authorize_any to the returned RADIUS
Access-Accept (pf::Switch::returnRadiusAccessAccept)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] Updating
locationlog from accounting request (pf::api::handle_accounting_metadata)
Eric Koons
Sr. Network Engineer | CCNA: Routing and Switching
Service Electric Cable TV and Communications | www.sectv.com
<http://www.sectv.com>
[email protected] <mailto:[email protected]>
Office: 610-841-8355
Mobile: 610-533-6834
Fax: 610-797-2445
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Antoine Amacher
[email protected] :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
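
Added example, not part of either message above: a small check over packetfence.log that flags each "Reassignment required" line not followed by a new RADIUS authorization for the same MAC within a time window, which is the symptom described in this thread. It assumes that a CoA the WLC acts on makes the controller re-authenticate the client (seen as a pf::radius::authorize line); the function names, the 60-second window and the unwrapped sample lines are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample: four entries from the log in this thread, unwrapped to one line each.
SAMPLE_LOG = """\
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29] Reassignment required (current Role = registration but should be in Role guest) (pf::enforcement::_should_we_reassign_vlan)
Feb 13 13:32:06 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] Updating locationlog from accounting request (pf::api::handle_accounting_metadata)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] Reassignment required (current Role = registration but should be in Role guest) (pf::enforcement::_should_we_reassign_vlan)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] handling radius autz request: from switch_ip => (10.0.12.2), connection_type => Wireless-802.11-NoEAP,switch_mac => (2c:3f:38:f6:82:80), mac => [28:cf:e9:14:7a:29], port => 1, username => "28cfe9147a29", ssid => SEGuest (pf::radius::authorize)
"""

# timestamp, process(pid), level, [mac:...], message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \w+: "
    r"\[mac:(?P<mac>[0-9a-f:]{17})\] (?P<msg>.*)$"
)


def parse(text, year=2017):
    """Return (datetime, mac, message) per log line; the log carries no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((when, m["mac"], m["msg"]))
    return events


def unanswered_reassignments(text, window=60, year=2017):
    """List (mac, time, gap_seconds) for reassignments with no RADIUS authorize
    for the same MAC within `window` seconds; gap is None if none follows at all."""
    events = parse(text, year)
    findings = []
    for i, (when, mac, msg) in enumerate(events):
        if not msg.startswith("Reassignment required"):
            continue
        gap = None
        for later, later_mac, later_msg in events[i + 1:]:
            if later_mac == mac and later_msg.endswith("(pf::radius::authorize)"):
                gap = int((later - when).total_seconds())
                break
        if gap is None or gap > window:
            findings.append((mac, when.strftime("%H:%M:%S"), gap))
    return findings


if __name__ == "__main__":
    for mac, at, gap in unanswered_reassignments(SAMPLE_LOG):
        print(f"{mac}: reassignment at {at}, next RADIUS authorize after {gap} s")
```

A flagged entry is a reason to look at logs/pfqueue.log and the CoA port for that switch, as suggested in the reply.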