Hello,
I'm currently testing PF and I'm facing a problem with VLAN enforcement.
When I plug in a laptop, the captive portal is there and I can authenticate fine, and
I'm getting the right role,
but I'm not switched to the new VLAN.
I must manually disconnect and reconnect to get the right VLAN.
My registration VLAN is 1103, my role profile is VLAN 1102.
My switch is an HP5406ZL and I've enabled CoA.
When debugging RADIUS it seems that it doesn't even send the
Disconnect_Request:
----------
(0) Received Access-Request Id 3 from 192.168.30.253:1812 to 192.168.30.21:1812
length 334
(0) Framed-MTU = 1466
(0) NAS-IP-Address = 192.168.30.253
(0) NAS-Identifier = "HP-5406"
(0) User-Name = "e4115b2e7c79"
(0) Service-Type = Call-Check
(0) Framed-Protocol = PPP
(0) NAS-Port = 118
(0) NAS-Port-Type = Ethernet
(0) NAS-Port-Id = "D22"
(0) Called-Station-Id = "70-10-6f-24-bf-8a"
(0) Calling-Station-Id = "e4-11-5b-2e-7c-79"
(0) Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
(0) CHAP-Password = 0x027358ac4f6e0a87159a127331c1dfe7df
(0) Message-Authenticator = 0x63311567e3a5cbcdaee851e066810295
(0) MS-RAS-Vendor = 11
(0) HP-Capability-Advert = 0x011a0000000b28
(0) HP-Capability-Advert = 0x011a0000000b2e
(0) HP-Capability-Advert = 0x011a0000000b30
(0) HP-Capability-Advert = 0x011a0000000b3d
(0) HP-Capability-Advert = 0x0138
(0) HP-Capability-Advert = 0x013a
(0) HP-Capability-Advert = 0x0140
(0) HP-Capability-Advert = 0x0141
(0) HP-Capability-Advert = 0x0151
(0) # Executing section authorize from file
/usr/local/pf/raddb/sites-enabled/packetfence
|
|
|
(0) Sent Access-Accept Id 3 from 192.168.30.21:1812 to 192.168.30.253:1812
length 0
(0) Tunnel-Private-Group-Id = "1103"
(0) Tunnel-Medium-Type = IEEE-802
(0) PacketFence-Authorization-Status = "allow"
(0) Tunnel-Type = VLAN
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 3 with timestamp +1043
Ready to process requests
|
|
|
after manual reconnect:
(1) Sent Access-Accept Id 4 from 192.168.30.21:1812 to 192.168.30.253:1812
length 0
(1) PacketFence-Authorization-Status = "allow"
(1) Tunnel-Type = VLAN
(1) Tunnel-Medium-Type = IEEE-802
(1) Tunnel-Private-Group-Id = "1102"
(1) Finished request
--------
packetfence.log:
Mar 29 10:33:56 httpd.portal(19640) INFO: [mac:unknown] Instantiate profile
default (pf::Portal::ProfileFactory::_from_profile)
Mar 29 10:33:56 httpd.portal(19640) INFO: [mac:e4:11:5b:2e:7c:79] Instantiate
profile default (pf::Portal::ProfileFactory::_from_profile)
Mar 29 10:33:56 httpd.portal(19640) INFO: [mac:e4:11:5b:2e:7c:79] Instantiate
profile default (pf::Portal::ProfileFactory::_from_profile)
Mar 29 10:33:56 httpd.portal(19640) INFO: [mac:e4:11:5b:2e:7c:79] User default
has authenticated on the portal. (Class::MOP::Class:::after)
Mar 29 10:33:56 httpd.portal(19640) INFO: [mac:e4:11:5b:2e:7c:79] Instantiate
profile default (pf::Portal::ProfileFactory::_from_profile)
Mar 29 10:33:56 httpd.portal(19640) INFO: [mac:e4:11:5b:2e:7c:79] Reevaluating
access of device.
(captiveportal::PacketFence::DynamicRouting::Module::Root::unknown_state)
Mar 29 10:33:56 httpd.portal(19640) INFO: [mac:e4:11:5b:2e:7c:79] re-evaluating
access (manage_register called) (pf::enforcement::reevaluate_access)
Mar 29 10:33:56 httpd.portal(19640) INFO: [mac:e4:11:5b:2e:7c:79] is currentlog
connected at (192.168.30.253) ifIndex 118 registration
(pf::enforcement::_should_we_reassign_vlan)
Mar 29 10:33:56 httpd.portal(19640) INFO: [mac:e4:11:5b:2e:7c:79] Instantiate
profile default (pf::Portal::ProfileFactory::_from_profile)
Mar 29 10:33:56 httpd.portal(19640) INFO: [mac:e4:11:5b:2e:7c:79] Connection
type is WIRED_MAC_AUTH. Getting role from node_info
(pf::role::getRegisteredRole)
Mar 29 10:33:56 httpd.portal(19640) INFO: [mac:e4:11:5b:2e:7c:79] Username was
defined "e4115b2e7c79" - returning role 'Engineer'
(pf::role::getRegisteredRole)
Mar 29 10:33:56 httpd.portal(19640) INFO: [mac:e4:11:5b:2e:7c:79] PID:
"dupond1p", Status: reg Returned VLAN: (undefined), Role: Engineer
(pf::role::fetchRoleForNode)
Mar 29 10:33:56 httpd.portal(19640) INFO: [mac:e4:11:5b:2e:7c:79] VLAN
reassignment required (current VLAN = 1103 but should be in VLAN 1102)
(pf::enforcement::_should_we_reassign_vlan)
Mar 29 10:33:56 httpd.portal(19640) INFO: [mac:e4:11:5b:2e:7c:79] switch port
is (192.168.30.253) ifIndex 118 connection type: Wired MAC Auth
(pf::enforcement::_vlan_reevaluation)
Mar 29 10:33:59 httpd.portal(20249) WARN: [mac:e4:11:5b:2e:7c:79] Use of
uninitialized value in concatenation (.) or string at
/usr/local/pf/lib/pf/web/dispatcher.pm line 210.
after manual reconnect:
Mar 29 10:35:00 httpd.portal(19770) INFO: [mac:unknown] Instantiate profile
default (pf::Portal::ProfileFactory::_from_profile)
Mar 29 10:35:00 httpd.portal(19770) INFO: [mac:e4:11:5b:2e:7c:79] Instantiate
profile default (pf::Portal::ProfileFactory::_from_profile)
Mar 29 10:35:00 httpd.portal(19770) INFO: [mac:e4:11:5b:2e:7c:79] Instantiate
profile default (pf::Portal::ProfileFactory::_from_profile)
Mar 29 10:35:00 httpd.portal(19770) INFO: [mac:e4:11:5b:2e:7c:79] User default
has authenticated on the portal. (Class::MOP::Class:::after)
Mar 29 10:35:00 httpd.portal(19770) INFO: [mac:e4:11:5b:2e:7c:79] Instantiate
profile default (pf::Portal::ProfileFactory::_from_profile)
Mar 29 10:35:07 httpd.aaa(1437) INFO: [mac:e4:11:5b:2e:7c:79] Memory
configuration is not valid anymore for key config::Switch in local cached_hash
(pfconfig::cached::is_valid)
Mar 29 10:35:07 httpd.aaa(11932) INFO: [mac:e4:11:5b:2e:7c:79] handling radius
autz request: from switch_ip => (192.168.30.253), connection_type =>
WIRED_MAC_AUTH,switch_mac => (70:10:6f:24:bf:8a), mac => [e4:11:$
Mar 29 10:35:07 httpd.aaa(11932) INFO: [mac:e4:11:5b:2e:7c:79] Instantiate
profile default (pf::Portal::ProfileFactory::_from_profile)
Mar 29 10:35:07 httpd.aaa(11932) INFO: [mac:e4:11:5b:2e:7c:79] Connection type
is WIRED_MAC_AUTH. Getting role from node_info (pf::role::getRegisteredRole)
Mar 29 10:35:07 httpd.aaa(11932) INFO: [mac:e4:11:5b:2e:7c:79] Username was
defined "e4115b2e7c79" - returning role 'Engineer '
(pf::role::getRegisteredRole)
Mar 29 10:35:07 httpd.aaa(11932) INFO: [mac:e4:11:5b:2e:7c:79] PID: "dupond1p",
Status: reg Returned VLAN: (undefined), Role: Engineer
(pf::role::fetchRoleForNode)
Mar 29 10:35:07 httpd.aaa(11932) INFO: [mac:e4:11:5b:2e:7c:79] (192.168.30.253)
Added VLAN 1102 to the returned RADIUS Access-Accept
(pf::Switch::returnRadiusAccessAccept)
I've tried on another switch, an HP2920, with the same result.
Any advice?
Thank you
_______________________________________________
PacketFence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users
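
A way to spot the symptom described above from packetfence.log, as an added example that is not part of the original post or of PacketFence itself: it pairs each "VLAN reassignment required" line with the next "Added VLAN ... to the returned RADIUS Access-Accept" line for the same MAC and reports reassignments that took too long or never completed. The function names and the 30-second threshold are assumptions; the sample lines are constructed from the excerpt in the post with the mail wrapping undone.

```python
import re
from datetime import datetime

# Constructed sample: modeled on the packetfence.log excerpt in the post,
# with the mail client's line wrapping undone.
SAMPLE_LOG = """\
Mar 29 10:33:56 httpd.portal(19640) INFO: [mac:e4:11:5b:2e:7c:79] VLAN reassignment required (current VLAN = 1103 but should be in VLAN 1102) (pf::enforcement::_should_we_reassign_vlan)
Mar 29 10:33:56 httpd.portal(19640) INFO: [mac:e4:11:5b:2e:7c:79] switch port is (192.168.30.253) ifIndex 118 connection type: Wired MAC Auth (pf::enforcement::_vlan_reevaluation)
Mar 29 10:35:07 httpd.aaa(11932) INFO: [mac:e4:11:5b:2e:7c:79] (192.168.30.253) Added VLAN 1102 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \w+: \[mac:([0-9a-f:]+)\] (.*)$")
REASSIGN = re.compile(r"VLAN reassignment required \(current VLAN = (\d+) but should be in VLAN (\d+)\)")
ACCEPT = re.compile(r"Added VLAN (\d+) to the returned RADIUS Access-Accept")

def parse_ts(stamp):
    # Syslog stamps carry no year; a fixed leap year keeps the subtraction valid.
    return datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S")

def find_stalled(log_text, max_delay=30):
    """Return reassignments with no matching Access-Accept within max_delay seconds."""
    pending = {}   # mac -> (timestamp, current_vlan, target_vlan)
    stalled = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # wrapped fragments and [mac:unknown] lines are skipped
        ts, mac, msg = parse_ts(m.group(1)), m.group(2), m.group(3)
        r = REASSIGN.search(msg)
        if r:
            pending[mac] = (ts, r.group(1), r.group(2))
            continue
        a = ACCEPT.search(msg)
        if a and mac in pending and pending[mac][2] == a.group(1):
            start, old, new = pending.pop(mac)
            delay = int((ts - start).total_seconds())
            if delay > max_delay:
                stalled.append({"mac": mac, "from": old, "to": new, "delay": delay})
    # Reassignments that never produced a new Access-Accept at all.
    for mac, (start, old, new) in pending.items():
        stalled.append({"mac": mac, "from": old, "to": new, "delay": None})
    return stalled

if __name__ == "__main__":
    for hit in find_stalled(SAMPLE_LOG):
        print(hit)
```

On the sample, the 1103 to 1102 move is reported with a 71-second delay, which matches the manual reconnect in the post rather than a switch-side reauthentication.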