Hello Helen,

First you need to configure the WLC to send mac:ssid in the
Called-Station-Id (Security -> Radius -> Authentication : Call Station
ID Type).

Next your redirection url is wrong, set this instead:

http://10.1.254.126/Cisco::WLC

Next untick Role by Vlan id in PacketFence switch config, you don't need
that, (just be sure that the ssid is linked on the vlan 51).


Do that and it should work

Regards

Fabrice



On 2017-03-13 at 05:07, Helen Chen wrote:
>
> Hi All,
>
>  
>
> I’m totally new to PacketFence, especially to out-of-band. We are now
> using WLC 2504 + AIR2702i to achieve guest wireless authentication
> through PacketFence. However, our problem is that the endpoint will say
> “unable to join network SSID” and there’s no redirection to the captive
> portal.
>
>  
>
> Packetfence management IP address and captive portal  10.1.254.126/24.
> Registration IP is 172.17.0.0/16 while isolation IP is 172.18.0.0/16.
> We want to use PF packetfence to enable DHCP.
>
>  
>
> Please review the packetfence.log:
>
> Mar 13 04:55:46 httpd.aaa(1857) INFO: [mac:7c:01:91:25:f9:eb] Unable
> to extract MAC from Called-Station-Id: 10.1.5.50
> (pf::radius::extractApMacFromRadiusRequest)
>
> Mar 13 04:55:46 httpd.aaa(1857) INFO: [mac:7c:01:91:25:f9:eb] Memory
> configuration is not valid anymore for key config::Switch in local
> cached_hash (pfconfig::cached::is_valid)
>
> Mar 13 04:55:46 httpd.aaa(1857) INFO: [mac:7c:01:91:25:f9:eb] Memory
> configuration is not valid anymore for key resource::stats_levels in
> local cached_hash (pfconfig::cached::is_valid)
>
> Mar 13 04:55:46 httpd.aaa(1857) INFO: [mac:7c:01:91:25:f9:eb] Unable
> to extract SSID of Called-Station-Id: 10.1.5.50 (pf::Switch::extractSsid)
>
> Mar 13 04:55:46 httpd.aaa(1857) WARN: [mac:7c:01:91:25:f9:eb] Unable
> to extract SSID for module pf::Switch::Cisco::WLC_2500. SSID-based
> VLAN assignments won't work. Please let us know so we can add support
> for it. (pf::Switch::extractSsid)
>
> Mar 13 04:55:46 httpd.aaa(1857) INFO: [mac:7c:01:91:25:f9:eb] handling
> radius autz request: from switch_ip => (10.1.5.50), connection_type =>
> Wireless-802.11-NoEAP,switch_mac => (Unknown), mac =>
> [7c:01:91:25:f9:eb], port => 1, username => "7c019125f9eb"
> (pf::radius::authorize)
>
> Mar 13 04:55:46 httpd.aaa(1857) INFO: [mac:7c:01:91:25:f9:eb]
> Instantiate profile RSP (pf::Portal::ProfileFactory::_from_profile)
>
> Mar 13 04:55:46 httpd.aaa(1857) INFO: [mac:7c:01:91:25:f9:eb] Memory
> configuration is not valid anymore for key config::Pf in local
> cached_hash (pfconfig::cached::is_valid)
>
> Mar 13 04:55:46 httpd.aaa(1857) INFO: [mac:7c:01:91:25:f9:eb] is of
> status unreg; belongs into registration VLAN
> (pf::role::getRegistrationRole)
>
> Mar 13 04:55:46 httpd.aaa(1857) INFO: [mac:7c:01:91:25:f9:eb]
> (10.1.5.50) Added VLAN 51 to the returned RADIUS Access-Accept
> (pf::Switch::returnRadiusAccessAccept)
>
> Mar 13 04:55:46 httpd.aaa(1857) INFO: [mac:7c:01:91:25:f9:eb]
> (10.1.5.50) Added role Pre-Auth-For-WebRedirect to the returned RADIUS
> Access-Accept (pf::Switch::returnRadiusAccessAccept)
>
> Mar 13 04:55:46 httpd.aaa(1857) INFO: [mac:7c:01:91:25:f9:eb] Adding
> web authentication redirection to reply using role:
> 'Pre-Auth-For-WebRedirect' and URL:
> 'https://10.1.254.126/$session_id/sida4e83b'  
> (pf::Switch::Cisco::WLC::returnRadiusAccessAccept)
>
>  
>
>  
>
> Radius debug:
>
> (0) Received Access-Request Id 53 from 10.1.5.50:32771 to
> 10.1.254.126:1812 length 241
>
> (0)   User-Name = "7c019125f9eb"
>
> (0)   Called-Station-Id = "10.1.5.50"
>
> (0)   Calling-Station-Id = "7c-01-91-25-f9-eb"
>
> (0)   NAS-Port = 1
>
> (0)   NAS-IP-Address = 10.1.5.50
>
> (0)   NAS-Identifier = "QD-G5-2504-3F-1"
>
> (0)   Airespace-Wlan-Id = 4
>
> (0)   User-Password = "žo\310P-Sh\234\234>\276\210Lw\271"
>
> (0)   Service-Type = Call-Check
>
> (0)   Framed-MTU = 1300
>
> (0)   NAS-Port-Type = Wireless-802.11
>
> (0)   Tunnel-Type:0 = VLAN
>
> (0)   Tunnel-Medium-Type:0 = IEEE-802
>
> (0)   Tunnel-Private-Group-Id:0 = "51"
>
> (0)   Cisco-AVPair = "audit-session-id=0a0105320001bf5958c65e96"
>
> (0)   Acct-Session-Id = "58c65e96/7c:01:91:25:f9:eb/161430"
>
> (0) # Executing section authorize from file
> /usr/local/pf/raddb/sites-enabled/packetfence
>
> (0)   authorize {
>
> (0)     update {
>
> (0)       EXPAND %{Packet-Src-IP-Address}
>
> (0)          --> 10.1.5.50
>
> (0)       &request:FreeRADIUS-Client-IP-Address := 10.1.5.50
>
> (0)       &control:PacketFence-RPC-Server = 127.0.0.1
>
> (0)       &control:PacketFence-RPC-Port = 7070
>
> (0)       &control:PacketFence-RPC-User =
>
> (0)       &control:PacketFence-RPC-Pass =
>
> (0)       &control:PacketFence-RPC-Proto = http
>
> (0)       EXPAND %l
>
> (0)          --> 1489395346
>
> (0)       &control:Tmp-Integer-0 := 1489395346
>
> (0)       &control:PacketFence-Request-Time := 0
>
> (0)     } # update = noop
>
> (0)     policy rewrite_calling_station_id {
>
> (0)       if (&Calling-Station-Id && (&Calling-Station-Id =~
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
> {
>
> (0)       if (&Calling-Station-Id && (&Calling-Station-Id =~
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
>  
> ->                                     TRUE
>
> (0)       if (&Calling-Station-Id && (&Calling-Station-Id =~
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
>  
> {
>
> (0)         update request {
>
> (0)           EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
>
> (0)              --> 7c:01:91:25:f9:eb
>
> (0)           &Calling-Station-Id := 7c:01:91:25:f9:eb
>
> (0)         } # update request = noop
>
> (0)         [updated] = updated
>
> (0)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
>                                      
> = updated
>
> (0)       ... skipping else: Preceding "if" was taken
>
> (0)     } # policy rewrite_calling_station_id = updated
>
> (0)     policy rewrite_called_station_id {
>
> (0)       if ((&Called-Station-Id) && (&Called-Station-Id =~
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/
>                                    
> i)) {
>
> (0)       if ((&Called-Station-Id) && (&Called-Station-Id =~
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/
>                                    
> i))  -> FALSE
>
> (0)       else {
>
> (0)         [noop] = noop
>
> (0)       } # else = noop
>
> (0)     } # policy rewrite_called_station_id = noop
>
> (0)     policy filter_username {
>
> (0)       if (&User-Name) {
>
> (0)       if (&User-Name)  -> TRUE
>
> (0)       if (&User-Name)  {
>
> (0)         if (&User-Name =~ / /) {
>
> (0)         if (&User-Name =~ / /)  -> FALSE
>
> (0)         if (&User-Name =~ /@[^@]*@/ ) {
>
> (0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
>
> (0)         if (&User-Name =~ /\.\./ ) {
>
> (0)         if (&User-Name =~ /\.\./ )  -> FALSE
>
> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
>
> (0)         if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/))   -> FALSE
>
> (0)         if (&User-Name =~ /\.$/)  {
>
> (0)         if (&User-Name =~ /\.$/)   -> FALSE
>
> (0)         if (&User-Name =~ /@\./)  {
>
> (0)         if (&User-Name =~ /@\./)   -> FALSE
>
> (0)       } # if (&User-Name)  = updated
>
> (0)     } # policy filter_username = updated
>
> (0)     policy filter_password {
>
> (0)       if (&User-Password &&            (&User-Password !=
> "%{string:User-Password}")) {
>
> (0)       EXPAND %{string:User-Password}
>
> (0)          --> žo?P-Sh??>??Lw?
>
> (0)       if (&User-Password &&            (&User-Password !=
> "%{string:User-Password}"))  -> FALSE
>
> (0)     } # policy filter_password = updated
>
> (0)     [preprocess] = ok
>
> (0) suffix: Checking for suffix after "@"
>
> (0) suffix: No '@' in User-Name = "7c019125f9eb", skipping NULL due to
> config.
>
> (0)     [suffix] = noop
>
> (0) ntdomain: Checking for prefix before "\"
>
> (0) ntdomain: No '\' in User-Name = "7c019125f9eb", looking up realm NULL
>
> (0) ntdomain: Found realm "null"
>
> (0) ntdomain: Adding Stripped-User-Name = "7c019125f9eb"
>
> (0) ntdomain: Adding Realm = "null"
>
> (0) ntdomain: Authentication realm is LOCAL
>
> (0)     [ntdomain] = ok
>
> (0) eap: No EAP-Message, not doing EAP
>
> (0)     [eap] = noop
>
> (0)     if ( !EAP-Message ) {
>
> (0)     if ( !EAP-Message )  -> TRUE
>
> (0)     if ( !EAP-Message )  {
>
> (0)       update {
>
> (0)         &control:Auth-Type := Accept
>
> (0)       } # update = noop
>
> (0)     } # if ( !EAP-Message )  = noop
>
> (0)     policy packetfence-eap-mac-policy {
>
> (0)       if ( &EAP-Type ) {
>
> (0)       if ( &EAP-Type )  -> FALSE
>
> (0)       [noop] = noop
>
> (0)     } # policy packetfence-eap-mac-policy = noop
>
> (0) pap: WARNING:
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
> (0) pap: WARNING: !!! Ignoring control:User-Password.  Update
> your        !!!
>
> (0) pap: WARNING: !!! configuration so that the "known good" clear
> text !!!
>
> (0) pap: WARNING: !!! password is in Cleartext-Password and NOT
> in        !!!
>
> (0) pap: WARNING: !!!
> User-Password.                                      !!!
>
> (0) pap: WARNING:
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
> (0) pap: WARNING: Auth-Type already set.  Not setting to PAP
>
> (0)     [pap] = noop
>
> (0)   } # authorize = updated
>
> (0) Found Auth-Type = Accept
>
> (0) Auth-Type = Accept, accepting the user
>
> (0) # Executing section post-auth from file
> /usr/local/pf/raddb/sites-enabled/packetfence
>
> (0)   post-auth {
>
> (0)     update {
>
> (0)       EXPAND %{Packet-Src-IP-Address}
>
> (0)          --> 10.1.5.50
>
> (0)       &request:FreeRADIUS-Client-IP-Address := 10.1.5.50
>
> (0)       &control:PacketFence-RPC-Server = 127.0.0.1
>
> (0)       &control:PacketFence-RPC-Port = 7070
>
> (0)       &control:PacketFence-RPC-User =
>
> (0)       &control:PacketFence-RPC-Pass =
>
> (0)       &control:PacketFence-RPC-Proto = http
>
> (0)     } # update = noop
>
> (0)     if (! EAP-Type || (EAP-Type != TTLS  && EAP-Type != PEAP) ) {
>
> (0)     if (! EAP-Type || (EAP-Type != TTLS  && EAP-Type != PEAP) ) 
> -> TRUE
>
> (0)     if (! EAP-Type || (EAP-Type != TTLS  && EAP-Type != PEAP) )  {
>
> rlm_rest (rest): Reserved connection (0)
>
> (0) rest: Expanding URI components
>
> (0) rest: EXPAND http://127.0.0.1:7070
>
> (0) rest:    --> http://127.0.0.1:7070
>
> (0) rest: EXPAND //radius/rest/authorize
>
> (0) rest:    --> //radius/rest/authorize
>
> (0) rest: Sending HTTP POST to
> "http://127.0.0.1:7070//radius/rest/authorize"
>
> (0) rest: Encoding attribute "User-Name"
>
> (0) rest: Encoding attribute "User-Password"
>
> (0) rest: Encoding attribute "NAS-IP-Address"
>
> (0) rest: Encoding attribute "NAS-Port"
>
> (0) rest: Encoding attribute "Service-Type"
>
> (0) rest: Encoding attribute "Framed-MTU"
>
> (0) rest: Encoding attribute "Called-Station-Id"
>
> (0) rest: Encoding attribute "Calling-Station-Id"
>
> (0) rest: Encoding attribute "NAS-Identifier"
>
> (0) rest: Encoding attribute "NAS-Port-Type"
>
> (0) rest: Encoding attribute "Acct-Session-Id"
>
> (0) rest: Encoding attribute "Tunnel-Type"
>
> (0) rest: Encoding attribute "Tunnel-Medium-Type"
>
> (0) rest: Encoding attribute "Tunnel-Private-Group-Id"
>
> (0) rest: Encoding attribute "Event-Timestamp"
>
> (0) rest: Encoding attribute "Airespace-Wlan-Id"
>
> (0) rest: Encoding attribute "Cisco-AVPair"
>
> (0) rest: Returning 1000 bytes of JSON data (buffer full or chunk
> exceeded)
>
> (0) rest: Encoding attribute "Cisco-AVPair"
>
> (0) rest: Encoding attribute "Stripped-User-Name"
>
> (0) rest: Encoding attribute "Realm"
>
> (0) rest: Encoding attribute "FreeRADIUS-Client-IP-Address"
>
> (0) rest: Processing response header
>
> (0) rest:   Status : 100 (Continue)
>
> (0) rest: Continuing...
>
> (0) rest: Processing response header
>
> (0) rest:   Status : 200 (OK)
>
> (0) rest:   Type   : json (application/json)
>
> (0) rest: Parsing attribute "control:PacketFence-Role"
>
> (0) rest: EXPAND registration
>
> (0) rest:    --> registration
>
> (0) rest: PacketFence-Role := "registration"
>
> (0) rest: Parsing attribute "control:PacketFence-Eap-Type"
>
> (0) rest: EXPAND 0
>
> (0) rest:    --> 0
>
> (0) rest: PacketFence-Eap-Type := "0"
>
> (0) rest: Parsing attribute "Tunnel-Type"
>
> (0) rest: EXPAND 13
>
> (0) rest:    --> 13
>
> (0) rest: Tunnel-Type := VLAN
>
> (0) rest: Parsing attribute "control:PacketFence-AutoReg"
>
> (0) rest: EXPAND 0
>
> (0) rest:    --> 0
>
> (0) rest: PacketFence-AutoReg := "0"
>
> (0) rest: Parsing attribute "Tunnel-Private-Group-ID"
>
> (0) rest: EXPAND 51
>
> (0) rest:    --> 51
>
> (0) rest: Tunnel-Private-Group-Id := "51"
>
> (0) rest: Parsing attribute "control:PacketFence-Request-Time"
>
> (0) rest: EXPAND 1489395346
>
> (0) rest:    --> 1489395346
>
> (0) rest: PacketFence-Request-Time := 1489395346
>
> (0) rest: Parsing attribute "control:PacketFence-Switch-Ip-Address"
>
> (0) rest: EXPAND 10.1.5.50
>
> (0) rest:    --> 10.1.5.50
>
> (0) rest: PacketFence-Switch-Ip-Address := "10.1.5.50"
>
> (0) rest: Parsing attribute "control:PacketFence-UserName"
>
> (0) rest: EXPAND 7c019125f9eb
>
> (0) rest:    --> 7c019125f9eb
>
> (0) rest: PacketFence-UserName := "7c019125f9eb"
>
> (0) rest: Parsing attribute "control:PacketFence-IsPhone"
>
> (0) rest: EXPAND 0
>
> (0) rest:    --> 0
>
> (0) rest: PacketFence-IsPhone := "0"
>
> (0) rest: Parsing attribute "control:PacketFence-Switch-Id"
>
> (0) rest: EXPAND 10.1.5.50
>
> (0) rest:    --> 10.1.5.50
>
> (0) rest: PacketFence-Switch-Id := "10.1.5.50"
>
> (0) rest: Parsing attribute "Tunnel-Medium-Type"
>
> (0) rest: EXPAND 6
>
> (0) rest:    --> 6
>
> (0) rest: Tunnel-Medium-Type := IEEE-802
>
> (0) rest: Parsing attribute "control:PacketFence-Computer-Name"
>
> (0) rest: PacketFence-Computer-Name := ""
>
> (0) rest: Parsing attribute "Cisco-AVPair"
>
> (0) rest: EXPAND url-redirect-acl=Pre-Auth-For-WebRedirect
>
> (0) rest:    --> url-redirect-acl=Pre-Auth-For-WebRedirect
>
> (0) rest: Cisco-AVPair := "url-redirect-acl=Pre-Auth-For-WebRedirect"
>
> (0) rest: EXPAND url-redirect=https://10.1.254.126/$session_id/sida4e83b
>
> (0) rest:    --> url-redirect=https://10.1.254.126/$session_id/sida4e83b
>
> (0) rest: Cisco-AVPair +=
> "url-redirect=https://10.1.254.126/$session_id/sida4e83b"
>
> (0) rest: Parsing attribute "control:PacketFence-Mac"
>
> (0) rest: EXPAND 7c:01:91:25:f9:eb
>
> (0) rest:    --> 7c:01:91:25:f9:eb
>
> (0) rest: PacketFence-Mac := "7c:01:91:25:f9:eb"
>
> (0) rest: Parsing attribute "control:PacketFence-IfIndex"
>
> (0) rest: EXPAND 1
>
> (0) rest:    --> 1
>
> (0) rest: PacketFence-IfIndex := "1"
>
> (0) rest: Parsing attribute "reply:PacketFence-Authorization-Status"
>
> (0) rest: EXPAND allow
>
> (0) rest:    --> allow
>
> (0) rest: PacketFence-Authorization-Status := "allow"
>
> (0) rest: Parsing attribute "control:PacketFence-Connection-Type"
>
> (0) rest: EXPAND Wireless-802.11-NoEAP
>
> (0) rest:    --> Wireless-802.11-NoEAP
>
> (0) rest: PacketFence-Connection-Type := "Wireless-802.11-NoEAP"
>
> (0) rest: Parsing attribute "control:PacketFence-Status"
>
> (0) rest: EXPAND unreg
>
> (0) rest:    --> unreg
>
> (0) rest: PacketFence-Status := "unreg"
>
> rlm_rest (rest): Released connection (0)
>
> rlm_rest (rest): Need 5 more connections to reach 10 spares
>
> rlm_rest (rest): Opening additional connection (5), 1 of 59 pending
> slots used
>
> rlm_rest (rest): Connecting to "http://127.0.0.1:7070/"
>
> (0)       [rest] = updated
>
> (0)       update {
>
> (0)         &request:User-Password := "******"
>
> (0)       } # update = noop
>
> (0)       if (&reply:PacketFence-Authorization-Status == "deny") {
>
> (0)       if (&reply:PacketFence-Authorization-Status == "deny")  -> FALSE
>
> (0)       else {
>
> (0)         policy packetfence-audit-log-accept {
>
> (0)           if (&User-Name != "dummy") {
>
> (0)           if (&User-Name != "dummy")  -> TRUE
>
> (0)           if (&User-Name != "dummy")  {
>
> (0)             policy request-timing {
>
> (0)               if (control:PacketFence-Request-Time != 0) {
>
> (0)               if (control:PacketFence-Request-Time != 0)  -> TRUE
>
> (0)               if (control:PacketFence-Request-Time != 0)  {
>
> (0)                 update control {
>
> (0)                   EXPAND %{expr:
> %{control:PacketFence-Request-Time} - %{control:Tmp-Integer-0}}
>
> (0)                      --> 0
>
> (0)                   &PacketFence-Request-Time := 0
>
> (0)                 } # update control = noop
>
> (0)               } # if (control:PacketFence-Request-Time != 0)  = noop
>
> (0)             } # policy request-timing = noop
>
> (0) sql: EXPAND type.accept.query
>
> (0) sql:    --> type.accept.query
>
> (0) sql: Using query template 'query'
>
> rlm_sql (sql): Reserved connection (1)
>
> (0) sql: EXPAND %{User-Name}
>
> (0) sql:    --> 7c019125f9eb
>
> (0) sql: SQL-User-Name set to '7c019125f9eb'
>
> (0) sql: SQL query returned: success
>
> (0) sql: 1 record(s) updated
>
> rlm_sql (sql): Released connection (1)
>
> rlm_sql (sql): Need 4 more connections to reach 10 spares
>
> rlm_sql (sql): Opening additional connection (6), 1 of 58 pending
> slots used
>
> rlm_sql_mysql: Starting connect to MySQL server
>
> rlm_sql_mysql: Connected to database 'pf' on Localhost via UNIX
> socket, server version 5.5.5-10.0.29-MariaDB, protocol version 10
>
> (0)             [sql] = ok
>
> (0)           } # if (&User-Name != "dummy")  = ok
>
> (0)         } # policy packetfence-audit-log-accept = ok
>
> (0)       } # else = ok
>
> (0)     } # if (! EAP-Type || (EAP-Type != TTLS  && EAP-Type != PEAP)
> )  = updated
>
> (0) attr_filter.packetfence_post_auth: EXPAND %{User-Name}
>
> (0) attr_filter.packetfence_post_auth:    --> 7c019125f9eb
>
> (0) attr_filter.packetfence_post_auth: Matched entry DEFAULT at line 10
>
> (0)     [attr_filter.packetfence_post_auth] = updated
>
> (0) linelog: EXPAND messages.%{%{reply:Packet-Type}:-default}
>
> (0) linelog:    --> messages.Access-Accept
>
> (0) linelog: EXPAND %t : [mac:%{Calling-Station-Id}] Accepted user:
> %{reply:User-Name} and returned VLAN %{reply:Tunnel-Private-Group-ID}
>
> (0) linelog:    --> Mon Mar 13 04:55:46 2017 : [mac:7c:01:91:25:f9:eb]
> Accepted user:  and returned VLAN 51
>
> (0) linelog: EXPAND /usr/local/pf/logs/radius.log
>
> (0) linelog:    --> /usr/local/pf/logs/radius.log
>
> (0)     [linelog] = ok
>
> (0)   } # post-auth = updated
>
> (0) Login OK: [7c019125f9eb] (from client 10.1.5.50 port 1 cli
> 7c:01:91:25:f9:eb)
>
> (0) Sent Access-Accept Id 53 from 10.1.254.126:1812 to 10.1.5.50:32771
> length 0
>
> (0)   Tunnel-Type = VLAN
>
> (0)   Tunnel-Private-Group-Id = "51"
>
> (0)   Tunnel-Medium-Type = IEEE-802
>
> (0)   Cisco-AVPair = "url-redirect-acl=Pre-Auth-For-WebRedirect"
>
> (0)   Cisco-AVPair =
> "url-redirect=https://10.1.254.126/$session_id/sida4e83b"
>
> (0)   PacketFence-Authorization-Status = "allow"
>
> (0) Finished request
>
> Waking up in 4.9 seconds.
>
> (0) Cleaning up request packet ID 53 with timestamp +8
>
>  
>
> WLC configuration please refer to the attachment.
>
>  
>
>  
>
> Thank you so so much for the help.
>
>  
>
> *Helen*
>
>
>
> ------------------------------------------------------------------------------
> Announcing the Oxford Dictionaries API! The API offers world-renowned
> dictionary content that is easy and intuitive to access. Sign up for an
> account today to start using our lexical data to power your apps and
> projects. Get started today and enter our developer competition.
> http://sdm.link/oxford
>
>
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
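
Added example (not part of the original messages and not PacketFence code): a Python check that applies the regular expression from the `rewrite_called_station_id` policy in the debug output to the Called-Station-Id the WLC sent, showing why "10.1.5.50" fails and what a mac:ssid value yields. The function names and the second sample value are assumptions constructed for the illustration.

```python
import ipaddress
import re

# Pattern copied from the rewrite_called_station_id policy in the debug output:
# six hex octets with optional one-character separators, then optional ":<ssid>".
CALLED_STATION_RE = re.compile(
    r"^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})"
    r"[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})"
    r"(:(.+))?$",
    re.IGNORECASE,
)

# Attribute lines of radiusd debug output, e.g.
#   (0)   Called-Station-Id = "10.1.5.50"
ATTR_LINE_RE = re.compile(
    r'^\(\d+\)\s+([A-Za-z0-9-]+)(?::\d+)?\s+=\s+"?(.*?)"?\s*$'
)

# Request attributes taken from the debug output quoted in this thread.
SAMPLE_DEBUG = '''\
(0)   User-Name = "7c019125f9eb"
(0)   Called-Station-Id = "10.1.5.50"
(0)   Calling-Station-Id = "7c-01-91-25-f9-eb"
(0)   NAS-IP-Address = 10.1.5.50
(0)   Airespace-Wlan-Id = 4
'''

# Constructed value in the mac:ssid form the reply asks the WLC to send.
CONSTRUCTED_GOOD = "00-11-22-aa-bb-cc:Guest-WiFi"


def parse_request_attrs(debug_text):
    """Collect attribute name/value pairs from radiusd debug lines."""
    attrs = {}
    for raw in debug_text.splitlines():
        line = raw.lstrip("> ").rstrip()  # tolerate mail quoting
        m = ATTR_LINE_RE.match(line)
        if m:
            attrs.setdefault(m.group(1), m.group(2))  # keep first occurrence
    return attrs


def check_called_station_id(value):
    """Classify a Called-Station-Id and extract AP MAC and SSID when present."""
    m = CALLED_STATION_RE.match(value)
    if m:
        mac = ":".join(m.group(i).lower() for i in range(1, 7))
        ssid = m.group(8)
        if ssid:
            return {"ok": True, "ap_mac": mac, "ssid": ssid,
                    "diagnosis": "mac:ssid"}
        # MAC parses, but SSID-based assignment has nothing to work with.
        return {"ok": False, "ap_mac": mac, "ssid": None,
                "diagnosis": "AP MAC only, no SSID suffix"}
    try:
        ipaddress.ip_address(value)
        diagnosis = "IP address"
    except ValueError:
        diagnosis = "unrecognised format"
    return {"ok": False, "ap_mac": None, "ssid": None, "diagnosis": diagnosis}


if __name__ == "__main__":
    sent = parse_request_attrs(SAMPLE_DEBUG)["Called-Station-Id"]
    for value in (sent, CONSTRUCTED_GOOD):
        print(value, "->", check_called_station_id(value))
```
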
