Thanks for the recommendation to look in pfqueue.log. Seems like it is
failing. I’ve changed ports to 3799 and 1700 and neither works. I’ve also
tried changing the shared secret.

Feb 14 13:04:51 pfqueue(10131) INFO: [mac:28:cf:e9:14:7a:29]
[28:cf:e9:14:7a:29] DesAssociating mac on switch (10.0.12.2)
(pf::api::desAssociate)
Feb 14 13:04:51 pfqueue(10131) INFO: [mac:28:cf:e9:14:7a:29] deauthenticating
(pf::Switch::Cisco::WLC::radiusDisconnect)
Feb 14 13:04:51 pfqueue(10131) INFO: [mac:28:cf:e9:14:7a:29] controllerIp is
set, we will use controller 10.0.12.2 to perform deauth
(pf::Switch::Cisco::WLC::radiusDisconnect)
Feb 14 13:04:51 pfqueue(10131) INFO: [mac:28:cf:e9:14:7a:29] Memory
configuration is not valid anymore for key interfaces::management_network in
local cached_hash (pfconfig::cached::is_valid)
Feb 14 13:04:51 pfqueue(10131) INFO: [mac:28:cf:e9:14:7a:29] Returning ACCEPT
with Role: Authorize_any (pf::Switch::Cisco::WLC::try {...} )
Feb 14 13:05:01 pfqueue(10131) WARN: [mac:28:cf:e9:14:7a:29] Unable to perform
RADIUS CoA-Request on (10.0.12.2): Timeout waiting for a reply from 10.0.12.2
on port 1700 at /usr/local/pf/lib/pf/util/radius.pm line 162.
(pf::Switch::Cisco::WLC::catch {...} )
Feb 14 13:05:01 pfqueue(10131) ERROR: [mac:28:cf:e9:14:7a:29] Wrong RADIUS
secret or unreachable network device (10.0.12.2)... On some Cisco Wireless
Controllers you might have to set disconnectPort=1700 as some versions ignore
the CoA requests on port 3799 (pf::Switch::Cisco::WLC::catch {...} )
Feb 14 13:05:06 pfqueue(9465) ERROR: [mac:18:66:da:81:67:01] Can't bind :
IO::Socket::INET: connect: Connection refused

Eric Koons
Sr. Network Engineer | CCNA: Routing and Switching
Service Electric Cable TV and Communications | www.sectv.com
<http://www.sectv.com/>
[email protected] <mailto:[email protected]>
Office: 610-841-8355
Mobile: 610-533-6834
Fax: 610-797-2445
> On Feb 14, 2017, at 11:24 AM, [email protected]
> wrote:
>
> Message: 1
> Date: Tue, 14 Feb 2017 11:24:21 -0500
> From: Antoine Amacher <[email protected]>
> Subject: Re: [PacketFence-users] Issue with Guest network on
> Packetfence 6.5 and Cisco WLC controller
> To: [email protected]
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="windows-1252"
>
> Hello Eric,
>
> While upgrading from 6.1.2 to 6.5 there are multiple changes to
> WebAuth, did you follow the UPGRADE.asciidoc? For instance your WLC (in
> Switches) needs to have "External Portal Enforcement" checked.
>
> If everything has been applied, make sure you are still sending the CoA
> on the right port. On the WLC it should be 3799 or 1700 (depending on the
> version of the WLC).
>
> Also have a look in logs/pfqueue.log, it should tell you if the CoA has
> been received and taken into account by the WLC.
>
> Thanks
>
>
> On 02/14/2017 10:40 AM, Eric Koons wrote:
>> So, the scenario I’m about to explain worked fine on PacketFence
>> 6.1.2. The only thing that changed was I upgraded PacketFence to 6.5.
>> I have an open SSID guest wifi network. It’s authenticated with an
>> SMS pin via PacketFence. The issue is that it appears after
>> successful authentication PacketFence is not sending the CoA or RADIUS
>> notification to the Cisco WLC to change the ACL for the client. The
>> only way to get it to work is to disassociate from the wireless network
>> on the client and then re-associate, then I get full network access.
>>
>> I’ve attached the PacketFence log file. Any help is appreciated.
>>
>> Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
>> Instantiate profile SEGuestPortal
>> (pf::Portal::ProfileFactory::_from_profile)
>> Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
>> [28:cf:e9:14:7a:29] Activation code sent to email 6105336834 from
>> 6105336834 successfully verified. for activation type: sms
>> (pf::activation::validate_code)
>> Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] User
>> 6105336834 has authenticated on the portal. (Class::MOP::Class:::after)
>> Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] User
>> 6105336834 has authenticated on the portal. (Class::MOP::Class:::after)
>> Feb 13 13:31:30 httpd.portal(1301) WARN: [mac:28:cf:e9:14:7a:29]
>> Calling match with empty/invalid rule class. Defaulting to
>> 'authentication' (pf::authentication::match)
>> Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] Using
>> sources sms for matching (pf::authentication::match)
>> Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
>> Matched rule (catchall) in source sms, returning actions.
>> (pf::Authentication::Source::match)
>> Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] User
>> 6105336834 has authenticated on the portal. (Class::MOP::Class:::after)
>> Feb 13 13:31:30 httpd.portal(1301) WARN: [mac:28:cf:e9:14:7a:29]
>> Calling match with empty/invalid rule class. Defaulting to
>> 'authentication' (pf::authentication::match)
>> Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] Using
>> sources sms for matching (pf::authentication::match)
>> Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
>> Matched rule (catchall) in source sms, returning actions.
>> (pf::Authentication::Source::match)
>> Feb 13 13:31:30 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29]
>> External captive portal detected !
>> (captiveportal::PacketFence::Model::Portal::Session::_build_dispatcherSession)
>> Feb 13 13:31:30 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29]
>> Detected external portal client. Using the IP 192.168.200.26 address
>> in it's session.
>> (captiveportal::PacketFence::Model::Portal::Session::_build_clientIp)
>> Feb 13 13:31:30 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29]
>> Instantiate profile SEGuestPortal
>> (pf::Portal::ProfileFactory::_from_profile)
>> Feb 13 13:31:30 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29] User
>> 6105336834 has authenticated on the portal. (Class::MOP::Class:::after)
>> Feb 13 13:31:30 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29] No
>> provisioner found for 28:cf:e9:14:7a:29. Continuing.
>> (captiveportal::PacketFence::DynamicRouting::Module::Provisioning::execute_child)
>> Feb 13 13:31:30 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29] User
>> 6105336834 has authenticated on the portal. (Class::MOP::Class:::after)
>> Feb 13 13:31:30 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29] User
>> 6105336834 has authenticated on the portal. (Class::MOP::Class:::after)
>> Feb 13 13:31:30 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29]
>> violation 1300003 force-closed for 28:cf:e9:14:7a:29
>> (pf::violation::violation_force_close)
>> Feb 13 13:31:30 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29]
>> Instantiate profile SEGuestPortal
>> (pf::Portal::ProfileFactory::_from_profile)
>> Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29]
>> External captive portal detected !
>> (captiveportal::PacketFence::Model::Portal::Session::_build_dispatcherSession)
>> Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29]
>> Detected external portal client. Using the IP 192.168.200.26 address
>> in it's session.
>> (captiveportal::PacketFence::Model::Portal::Session::_build_clientIp)
>> Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29]
>> Instantiate profile SEGuestPortal
>> (pf::Portal::ProfileFactory::_from_profile)
>> Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29]
>> Releasing device
>> (captiveportal::PacketFence::DynamicRouting::Module::Root::release)
>> Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29] User
>> default has authenticated on the portal. (Class::MOP::Class:::after)
>> Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29]
>> Memory configuration is not valid anymore for key config::Switch in
>> local cached_hash (pfconfig::cached::is_valid)
>> Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29]
>> re-evaluating access (manage_register called)
>> (pf::enforcement::reevaluate_access)
>> Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29] is
>> currentlog connected at (10.0.12.2) ifIndex 1 registration
>> (pf::enforcement::_should_we_reassign_vlan)
>> Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29]
>> Instantiate profile SEGuestPortal
>> (pf::Portal::ProfileFactory::_from_profile)
>> Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29]
>> Connection type is WIRELESS_MAC_AUTH. Getting role from node_info
>> (pf::role::getRegisteredRole)
>> Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29]
>> Username was defined "28cfe9147a29" - returning role 'guest'
>> (pf::role::getRegisteredRole)
>> Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29] PID:
>> "6105336834", Status: reg Returned VLAN: (undefined), Role: guest
>> (pf::role::fetchRoleForNode)
>> Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29]
>> Reassignment required (current Role = registration but should be in
>> Role guest) (pf::enforcement::_should_we_reassign_vlan)
>> Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29]
>> switch port is (10.0.12.2) ifIndex 1 connection type: WiFi MAC Auth
>> (pf::enforcement::_vlan_reevaluation)
>> Feb 13 13:32:06 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] Updating
>> locationlog from accounting request (pf::api::handle_accounting_metadata)
>> Feb 13 13:32:22 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] Updating
>> locationlog from accounting request (pf::api::handle_accounting_metadata)
>> Feb 13 13:36:33 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] Updating
>> locationlog from accounting request (pf::api::handle_accounting_metadata)
>> Feb 13 13:37:00 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] Updating
>> locationlog from accounting request (pf::api::handle_accounting_metadata)
>>
>> -----Here is where I turn off the wifi on the client and then
>> re-enable it.---------------------
>>
>> Feb 13 13:37:13 httpd.portal(1306) INFO: [mac:28:cf:e9:14:7a:29] URI
>> '/Cisco::WLC/sidc7d78a' is detected as an external captive portal URI
>> (pf::web::externalportal::handle)
>> Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
>> External captive portal detected !
>> (captiveportal::PacketFence::Model::Portal::Session::_build_dispatcherSession)
>> Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
>> Detected external portal client. Using the IP 192.168.200.26 address
>> in it's session.
>> (captiveportal::PacketFence::Model::Portal::Session::_build_clientIp)
>> Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
>> Instantiate profile SEGuestPortal
>> (pf::Portal::ProfileFactory::_from_profile)
>> Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
>> Updating node user_agent with useragent: 'Mozilla/5.0 (Macintosh;
>> Intel Mac OS X 10.12; rv:35.0) Gecko/20100101 Firefox/35.0'
>> (captiveportal::PacketFence::DynamicRouting::Application::process_user_agent)
>> Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] User
>> default has authenticated on the portal. (Class::MOP::Class:::after)
>> Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
>> Memory configuration is not valid anymore for key config::Switch in
>> local cached_hash (pfconfig::cached::is_valid)
>> Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
>> Reevaluating access of device.
>> (captiveportal::PacketFence::DynamicRouting::Module::Root::unknown_state)
>> Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
>> re-evaluating access (manage_register called)
>> (pf::enforcement::reevaluate_access)
>> Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] is
>> currentlog connected at (10.0.12.2) ifIndex 1 registration
>> (pf::enforcement::_should_we_reassign_vlan)
>> Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
>> Instantiate profile SEGuestPortal
>> (pf::Portal::ProfileFactory::_from_profile)
>> Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
>> Connection type is WIRELESS_MAC_AUTH. Getting role from node_info
>> (pf::role::getRegisteredRole)
>> Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
>> Username was defined "28cfe9147a29" - returning role 'guest'
>> (pf::role::getRegisteredRole)
>> Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] PID:
>> "6105336834", Status: reg Returned VLAN: (undefined), Role: guest
>> (pf::role::fetchRoleForNode)
>> Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
>> Reassignment required (current Role = registration but should be in
>> Role guest) (pf::enforcement::_should_we_reassign_vlan)
>> Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
>> switch port is (10.0.12.2) ifIndex 1 connection type: WiFi MAC Auth
>> (pf::enforcement::_vlan_reevaluation)
>> Feb 13 13:37:14 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29]
>> External captive portal detected !
>> (captiveportal::PacketFence::Model::Portal::Session::_build_dispatcherSession)
>> Feb 13 13:37:14 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29]
>> Detected external portal client. Using the IP 192.168.200.26 address
>> in it's session.
>> (captiveportal::PacketFence::Model::Portal::Session::_build_clientIp)
>> Feb 13 13:37:14 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29]
>> Instantiate profile SEGuestPortal
>> (pf::Portal::ProfileFactory::_from_profile)
>> Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] handling
>> radius autz request: from switch_ip => (10.0.12.2), connection_type =>
>> Wireless-802.11-NoEAP,switch_mac => (2c:3f:38:f6:82:80), mac =>
>> [28:cf:e9:14:7a:29], port => 1, username => "28cfe9147a29", ssid =>
>> SEGuest (pf::radius::authorize)
>> Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29]
>> Instantiate profile SEGuestPortal
>> (pf::Portal::ProfileFactory::_from_profile)
>> Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29]
>> Connection type is WIRELESS_MAC_AUTH. Getting role from node_info
>> (pf::role::getRegisteredRole)
>> Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] Username
>> was defined "28cfe9147a29" - returning role 'guest'
>> (pf::role::getRegisteredRole)
>> Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] PID:
>> "6105336834", Status: reg Returned VLAN: (undefined), Role: guest
>> (pf::role::fetchRoleForNode)
>> Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29]
>> (10.0.12.2) Added VLAN 154 to the returned RADIUS Access-Accept
>> (pf::Switch::returnRadiusAccessAccept)
>> Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29]
>> (10.0.12.2) Added role Authorize_any to the returned RADIUS
>> Access-Accept (pf::Switch::returnRadiusAccessAccept)
>> Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] Updating
>> locationlog from accounting request (pf::api::handle_accounting_metadata)
>>
>>
>> Eric Koons
>> Sr. Network Engineer | CCNA: Routing and Switching
>> Service Electric Cable TV and Communications | www.sectv.com
>> <http://www.sectv.com>
>> [email protected] <mailto:[email protected]>
>> Office: 610-841-8355
>> Mobile: 610-533-6834
>> Fax: 610-797-2445
>
> --
> Antoine Amacher
> [email protected] :: www.inverse.ca
> +1.514.447.4918 x130 :: +1 (866) 353-6153 x130
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
> (www.packetfence.org)
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
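
The pfqueue.log error above reports "Wrong RADIUS secret or unreachable network device" as a single condition after a timeout. The sketch below is an added example, not PacketFence or Cisco code, showing why a sender cannot tell the two apart: the RFC 5176 request is signed with the shared secret, and a receiver that computes a different value typically sends no reply at all. The secrets, the `nas_handle` receiver model and the choice of Calling-Station-Id as the only attribute are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK = 40, 41   # RFC 5176 packet codes
COA_REQUEST, COA_ACK = 43, 44
CALLING_STATION_ID = 31                       # RFC 2865 attribute type
ZERO_AUTH = b"\x00" * 16


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_request(code: int, ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Build a CoA/Disconnect request signed with the shared secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    # Request Authenticator = MD5(header + 16 zero octets + attributes + secret)
    auth = hashlib.md5(header + ZERO_AUTH + attrs + secret).digest()
    return header + auth + attrs


def request_is_authentic(packet: bytes, secret: bytes) -> bool:
    """Recompute the Request Authenticator the way the receiver would."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + ZERO_AUTH + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def nas_handle(packet: bytes, secret: bytes):
    """Hypothetical receiver model: return an ACK, or None for a silent drop."""
    if (not request_is_authentic(packet, secret)
            or packet[0] not in (DISCONNECT_REQUEST, COA_REQUEST)):
        return None  # no reply at all; the sender only ever sees a timeout
    code = DISCONNECT_ACK if packet[0] == DISCONNECT_REQUEST else COA_ACK
    header = struct.pack("!BBH", code, packet[1], 20)
    # Response Authenticator = MD5(header + request authenticator + secret)
    return header + hashlib.md5(header + packet[4:20] + secret).digest()


def demo():
    """Send one request to a receiver with a matching and a mismatched secret."""
    # MAC taken from the log above; the attribute formatting is constructed.
    attrs = attribute(CALLING_STATION_ID, b"28-cf-e9-14-7a-29")
    pkt = build_request(DISCONNECT_REQUEST, 1, attrs, b"constructed-secret-A")
    return (nas_handle(pkt, b"constructed-secret-A"),
            nas_handle(pkt, b"constructed-secret-B"))


if __name__ == "__main__":
    good, bad = demo()
    print("matching secret   ->", "ACK" if good else "no reply (timeout)")
    print("mismatched secret ->", "ACK" if bad else "no reply (timeout)")
```

Because a filtered UDP port or a wrong destination port produces the same silence, a packet capture on the controller side of the path is what separates "request never arrived" from "request arrived and was discarded".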