Hello Eric,

You should try to look for the logs on the WLC side; you might have more information on why the CoA is not accepted, or at least see if the CoA is received by the WLC.

Can you also link the 10.0.12.2 and the default section of conf/switches.conf?

Thanks


On 02/14/2017 01:06 PM, Eric Koons wrote:
Thanks for the recommendation to look in pfqueue.log. Seems like it is failing. I’ve changed ports to 3799 and 1700 and neither works. I’ve also tried changing the shared secret.


Feb 14 13:04:51 pfqueue(10131) INFO: [mac:28:cf:e9:14:7a:29] [28:cf:e9:14:7a:29] DesAssociating mac on switch (10.0.12.2) (pf::api::desAssociate)
Feb 14 13:04:51 pfqueue(10131) INFO: [mac:28:cf:e9:14:7a:29] deauthenticating (pf::Switch::Cisco::WLC::radiusDisconnect)
Feb 14 13:04:51 pfqueue(10131) INFO: [mac:28:cf:e9:14:7a:29] controllerIp is set, we will use controller 10.0.12.2 to perform deauth (pf::Switch::Cisco::WLC::radiusDisconnect)
Feb 14 13:04:51 pfqueue(10131) INFO: [mac:28:cf:e9:14:7a:29] Memory configuration is not valid anymore for key interfaces::management_network in local cached_hash (pfconfig::cached::is_valid)
Feb 14 13:04:51 pfqueue(10131) INFO: [mac:28:cf:e9:14:7a:29] Returning ACCEPT with Role: Authorize_any (pf::Switch::Cisco::WLC::try {...} )
Feb 14 13:05:01 pfqueue(10131) WARN: [mac:28:cf:e9:14:7a:29] Unable to perform RADIUS CoA-Request on (10.0.12.2): Timeout waiting for a reply from 10.0.12.2 on port 1700 at /usr/local/pf/lib/pf/util/radius.pm line 162. (pf::Switch::Cisco::WLC::catch {...} )
Feb 14 13:05:01 pfqueue(10131) ERROR: [mac:28:cf:e9:14:7a:29] Wrong RADIUS secret or unreachable network device (10.0.12.2)... On some Cisco Wireless Controllers you might have to set disconnectPort=1700 as some versions ignore the CoA requests on port 3799 (pf::Switch::Cisco::WLC::catch {...} )
Feb 14 13:05:06 pfqueue(9465) ERROR: [mac:18:66:da:81:67:01] Can't bind : IO::Socket::INET: connect: Connection refused

Eric Koons
Sr. Network Engineer | CCNA: Routing and Switching
Service Electric Cable TV and Communications | www.sectv.com <http://www.sectv.com>
[email protected] <mailto:[email protected]>
Office: 610-841-8355
Mobile: 610-533-6834
Fax: 610-797-2445






On Feb 14, 2017, at 11:24 AM, [email protected] <mailto:[email protected]> wrote:

Message: 1
Date: Tue, 14 Feb 2017 11:24:21 -0500
From: Antoine Amacher <[email protected]>
Subject: Re: [PacketFence-users] Issue with Guest network on
Packetfence 6.5 and Cisco WLC controller
To: [email protected]

Hello Eric,

While upgrading from 6.1.2 to 6.5 there are multiple changes to
WebAuth; did you follow the UPGRADE.asciidoc? For instance, your WLC (in
Switches) needs to have "External Portal Enforcement" checked.

If everything has been applied, make sure you are still sending the CoA
on the right port. On the WLC it should be 3799 or 1700 (depending on the
version of the WLC).

Also have a look in logs/pfqueue.log; it should tell you if the CoA has
been received and taken into account by the WLC.

Thanks


On 02/14/2017 10:40 AM, Eric Koons wrote:
So, the scenario I'm about to explain worked fine on PacketFence
6.1.2. The only thing that changed was I upgraded PacketFence to 6.5.
I have an open SSID guest wifi network. It's authenticated with an
SMS pin via PacketFence. The issue is that it appears after
successful authentication PacketFence is not sending the CoA or RADIUS
notification to the Cisco WLC to change the ACL for the client. The
only way to get it to work is to disassociate from the wireless network
on the client and then re-associate; then I get full network access.

I've attached the PacketFence log file. Any help is appreciated.

Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
Instantiate profile SEGuestPortal
(pf::Portal::ProfileFactory::_from_profile)
Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
[28:cf:e9:14:7a:29] Activation code sent to email 6105336834 from
6105336834 successfully verified.  for activation type: sms
(pf::activation::validate_code)
Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] User
6105336834 has authenticated on the portal. (Class::MOP::Class:::after)
Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] User
6105336834 has authenticated on the portal. (Class::MOP::Class:::after)
Feb 13 13:31:30 httpd.portal(1301) WARN: [mac:28:cf:e9:14:7a:29]
Calling match with empty/invalid rule class. Defaulting to
'authentication' (pf::authentication::match)
Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] Using
sources sms for matching (pf::authentication::match)
Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
Matched rule (catchall) in source sms, returning actions.
(pf::Authentication::Source::match)
Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] User
6105336834 has authenticated on the portal. (Class::MOP::Class:::after)
Feb 13 13:31:30 httpd.portal(1301) WARN: [mac:28:cf:e9:14:7a:29]
Calling match with empty/invalid rule class. Defaulting to
'authentication' (pf::authentication::match)
Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] Using
sources sms for matching (pf::authentication::match)
Feb 13 13:31:30 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
Matched rule (catchall) in source sms, returning actions.
(pf::Authentication::Source::match)
Feb 13 13:31:30 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29]
External captive portal detected !
(captiveportal::PacketFence::Model::Portal::Session::_build_dispatcherSession)
Feb 13 13:31:30 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29]
Detected external portal client. Using the IP 192.168.200.26 address
in it's session.
(captiveportal::PacketFence::Model::Portal::Session::_build_clientIp)
Feb 13 13:31:30 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29]
Instantiate profile SEGuestPortal
(pf::Portal::ProfileFactory::_from_profile)
Feb 13 13:31:30 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29] User
6105336834 has authenticated on the portal. (Class::MOP::Class:::after)
Feb 13 13:31:30 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29] No
provisioner found for 28:cf:e9:14:7a:29. Continuing.
(captiveportal::PacketFence::DynamicRouting::Module::Provisioning::execute_child)
Feb 13 13:31:30 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29] User
6105336834 has authenticated on the portal. (Class::MOP::Class:::after)
Feb 13 13:31:30 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29] User
6105336834 has authenticated on the portal. (Class::MOP::Class:::after)
Feb 13 13:31:30 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29]
violation 1300003 force-closed for 28:cf:e9:14:7a:29
(pf::violation::violation_force_close)
Feb 13 13:31:30 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29]
Instantiate profile SEGuestPortal
(pf::Portal::ProfileFactory::_from_profile)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29]
External captive portal detected !
(captiveportal::PacketFence::Model::Portal::Session::_build_dispatcherSession)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29]
Detected external portal client. Using the IP 192.168.200.26 address
in it's session.
(captiveportal::PacketFence::Model::Portal::Session::_build_clientIp)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29]
Instantiate profile SEGuestPortal
(pf::Portal::ProfileFactory::_from_profile)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29]
Releasing device
(captiveportal::PacketFence::DynamicRouting::Module::Root::release)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29] User
default has authenticated on the portal. (Class::MOP::Class:::after)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29]
Memory configuration is not valid anymore for key config::Switch in
local cached_hash (pfconfig::cached::is_valid)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29]
re-evaluating access (manage_register called)
(pf::enforcement::reevaluate_access)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29] is
currentlog connected at (10.0.12.2) ifIndex 1 registration
(pf::enforcement::_should_we_reassign_vlan)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29]
Instantiate profile SEGuestPortal
(pf::Portal::ProfileFactory::_from_profile)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29]
Connection type is WIRELESS_MAC_AUTH. Getting role from node_info
(pf::role::getRegisteredRole)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29]
Username was defined "28cfe9147a29" - returning role 'guest'
(pf::role::getRegisteredRole)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29] PID:
"6105336834", Status: reg Returned VLAN: (undefined), Role: guest
(pf::role::fetchRoleForNode)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29]
Reassignment required (current Role = registration but should be in
Role guest) (pf::enforcement::_should_we_reassign_vlan)
Feb 13 13:31:30 httpd.portal(1303) INFO: [mac:28:cf:e9:14:7a:29]
switch port is (10.0.12.2) ifIndex 1 connection type: WiFi MAC Auth
(pf::enforcement::_vlan_reevaluation)
Feb 13 13:32:06 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] Updating
locationlog from accounting request (pf::api::handle_accounting_metadata)
Feb 13 13:32:22 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] Updating
locationlog from accounting request (pf::api::handle_accounting_metadata)
Feb 13 13:36:33 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] Updating
locationlog from accounting request (pf::api::handle_accounting_metadata)
Feb 13 13:37:00 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] Updating
locationlog from accounting request (pf::api::handle_accounting_metadata)

----- Here is where I turn off the wifi on the client and then
re-enable it. -----

Feb 13 13:37:13 httpd.portal(1306) INFO: [mac:28:cf:e9:14:7a:29] URI
'/Cisco::WLC/sidc7d78a' is detected as an external captive portal URI
(pf::web::externalportal::handle)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
External captive portal detected !
(captiveportal::PacketFence::Model::Portal::Session::_build_dispatcherSession)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
Detected external portal client. Using the IP 192.168.200.26 address
in it's session.
(captiveportal::PacketFence::Model::Portal::Session::_build_clientIp)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
Instantiate profile SEGuestPortal
(pf::Portal::ProfileFactory::_from_profile)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
Updating node user_agent with useragent: 'Mozilla/5.0 (Macintosh;
Intel Mac OS X 10.12; rv:35.0) Gecko/20100101 Firefox/35.0'
(captiveportal::PacketFence::DynamicRouting::Application::process_user_agent)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] User
default has authenticated on the portal. (Class::MOP::Class:::after)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
Memory configuration is not valid anymore for key config::Switch in
local cached_hash (pfconfig::cached::is_valid)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
Reevaluating access of device.
(captiveportal::PacketFence::DynamicRouting::Module::Root::unknown_state)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
re-evaluating access (manage_register called)
(pf::enforcement::reevaluate_access)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] is
currentlog connected at (10.0.12.2) ifIndex 1 registration
(pf::enforcement::_should_we_reassign_vlan)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
Instantiate profile SEGuestPortal
(pf::Portal::ProfileFactory::_from_profile)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
Connection type is WIRELESS_MAC_AUTH. Getting role from node_info
(pf::role::getRegisteredRole)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
Username was defined "28cfe9147a29" - returning role 'guest'
(pf::role::getRegisteredRole)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29] PID:
"6105336834", Status: reg Returned VLAN: (undefined), Role: guest
(pf::role::fetchRoleForNode)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
Reassignment required (current Role = registration but should be in
Role guest) (pf::enforcement::_should_we_reassign_vlan)
Feb 13 13:37:13 httpd.portal(1301) INFO: [mac:28:cf:e9:14:7a:29]
switch port is (10.0.12.2) ifIndex 1 connection type: WiFi MAC Auth
(pf::enforcement::_vlan_reevaluation)
Feb 13 13:37:14 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29]
External captive portal detected !
(captiveportal::PacketFence::Model::Portal::Session::_build_dispatcherSession)
Feb 13 13:37:14 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29]
Detected external portal client. Using the IP 192.168.200.26 address
in it's session.
(captiveportal::PacketFence::Model::Portal::Session::_build_clientIp)
Feb 13 13:37:14 httpd.portal(1300) INFO: [mac:28:cf:e9:14:7a:29]
Instantiate profile SEGuestPortal
(pf::Portal::ProfileFactory::_from_profile)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] handling
radius autz request: from switch_ip => (10.0.12.2), connection_type =>
Wireless-802.11-NoEAP,switch_mac => (2c:3f:38:f6:82:80), mac =>
[28:cf:e9:14:7a:29], port => 1, username => "28cfe9147a29", ssid =>
SEGuest (pf::radius::authorize)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29]
Instantiate profile SEGuestPortal
(pf::Portal::ProfileFactory::_from_profile)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29]
Connection type is WIRELESS_MAC_AUTH. Getting role from node_info
(pf::role::getRegisteredRole)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] Username
was defined "28cfe9147a29" - returning role 'guest'
(pf::role::getRegisteredRole)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] PID:
"6105336834", Status: reg Returned VLAN: (undefined), Role: guest
(pf::role::fetchRoleForNode)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29]
(10.0.12.2) Added VLAN 154 to the returned RADIUS Access-Accept
(pf::Switch::returnRadiusAccessAccept)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29]
(10.0.12.2) Added role Authorize_any to the returned RADIUS
Access-Accept (pf::Switch::returnRadiusAccessAccept)
Feb 13 13:37:51 httpd.aaa(1100) INFO: [mac:28:cf:e9:14:7a:29] Updating
locationlog from accounting request (pf::api::handle_accounting_metadata)


Eric Koons
Sr. Network Engineer | CCNA: Routing and Switching
Service Electric Cable TV and Communications | www.sectv.com
<http://www.sectv.com>
[email protected] <mailto:[email protected]>
Office: 610-841-8355
Mobile: 610-533-6834
Fax: 610-797-2445








--
Antoine Amacher
[email protected]  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)


--
Antoine Amacher
[email protected]  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
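
The pfqueue.log error in this thread ("Wrong RADIUS secret or unreachable network device") cannot tell the two causes apart; the sketch below is an added example, not code from the thread or from PacketFence, showing why with an RFC 5176 Disconnect-Request and a simulated NAS. The function names, the secrets, and the assumption that the NAS silently discards a request whose authenticator does not verify are constructed for illustration.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK = 40, 41  # RFC 5176 packet codes
CALLING_STATION_ID = 31                      # RADIUS attribute type


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def sign(code, ident, attrs, secret, request_auth=b"\x00" * 16):
    """Build a packet with Authenticator = MD5(header + auth + attrs + secret).

    For a request the 16 authenticator bytes are zero while hashing; for a
    reply they are the Authenticator of the request being answered.
    """
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + digest + attrs


def build_disconnect(mac: str, ident: int, secret: bytes) -> bytes:
    attrs = attr(CALLING_STATION_ID, mac.encode())
    return sign(DISCONNECT_REQUEST, ident, attrs, secret)


def nas_handle(packet: bytes, nas_secret: bytes):
    """Simulated NAS (assumption): answer only if the authenticator verifies."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return None
    expected = sign(code, ident, packet[20:], nas_secret)
    if not hmac.compare_digest(expected, packet):
        return None  # silent discard: the sender only ever sees a timeout
    return sign(DISCONNECT_ACK, ident, b"", nas_secret, request_auth=packet[4:20])


def attempt(mac: str, sender_secret: bytes, nas_secret: bytes) -> str:
    """Return what the sending side observes for one Disconnect-Request."""
    request = build_disconnect(mac, 1, sender_secret)
    reply = nas_handle(request, nas_secret)
    if reply is None:
        return "timeout"
    code, ident, _ = struct.unpack("!BBH", reply[:4])
    good = sign(code, ident, reply[20:], sender_secret, request_auth=request[4:20])
    return "ack" if hmac.compare_digest(good, reply) else "bad-reply"


if __name__ == "__main__":
    mac = "28:cf:e9:14:7a:29"  # MAC from the log above; secrets are constructed
    print(attempt(mac, b"shared-secret", b"shared-secret"))
    print(attempt(mac, b"typo-secret", b"shared-secret"))
```

Because a secret mismatch and a filtered UDP port both end in the same timeout on the sending side, a packet capture or the controller's own logs are what separate them.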
