Thanks Peter, again very helpful.

What I have managed to do is get the SmartZone controller to work as
the RADIUS proxy. This is now set up and working. What I am seeing is
a Disconnect-NAK packet being returned from the SmartZone controller
to PF.

"Unable to perform RADIUS Disconnect-Request. Disconnect-NAK received
with Error-Cause: Missing-Attribute."

A tcpdump on the PF server on the CoA port (3799) shows the packets:

[root@A3 ~]# tcpdump udp port 3799 -vvv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:01:15.018790 IP (tos 0x0, ttl 64, id 28503, offset 0, flags [DF], proto UDP (17), length 73)
    A3.65122 > ec2-3-9-193-153.eu-west-2.compute.amazonaws.com.radius-dynauth: [bad udp cksum 0xfb41 -> 0xeb34!] RADIUS, length: 45
        Disconnect-Request (40), id: 0x15, Authenticator: 0e8903ad95ae41766f4614d83978b9b0
          Calling-Station-Id Attribute (31), length: 19, Value: 60-70-C0-4C-6C-F6
            0x0000:  3630 2d37 302d 4330 2d34 432d 3643 2d46
            0x0010:  36
          NAS-IP-Address Attribute (4), length: 6, Value: 10.5.100.120
            0x0000:  0a05 6478
17:01:15.021186 IP (tos 0x0, ttl 55, id 49424, offset 0, flags [none], proto UDP (17), length 54)
    ec2-3-9-193-153.eu-west-2.compute.amazonaws.com.radius-dynauth > A3.65122: [udp sum ok] RADIUS, length: 26
        Disconnect-NAK (42), id: 0x15, Authenticator: b72de2c780f2b5d240e0786f148e1a9e
          Unknown Attribute (101), length: 6, Value:
            0x0000:  0000 0192


I am now trying to investigate what attributes are missing from the
Disconnect-Request which are leading to the Disconnect-NAK message
being returned.

I'm struggling to interpret this but I will keep sleuthing!

Kind regards,
Jonathan
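As an added illustration (not part of the original thread), here is a small Python decoder for the two packets in the tcpdump above, rebuilt byte-for-byte from the fields the dump shows. It resolves the "Unknown Attribute (101)" to Error-Cause and its value 0x192 (402) to Missing-Attribute per RFC 5176, and lists exactly which attributes the Disconnect-Request carried; the function and constant names are my own.

```python
import struct

# Packet codes and attribute types from RFC 5176 (Dynamic Authorization) / RFC 2865
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ATTRS = {1: "User-Name", 4: "NAS-IP-Address", 31: "Calling-Station-Id",
         32: "NAS-Identifier", 44: "Acct-Session-Id", 101: "Error-Cause"}
# Error-Cause values (RFC 5176 section 3.5), a subset sufficient for this thread
ERROR_CAUSES = {401: "Unsupported-Attribute", 402: "Missing-Attribute",
                403: "NAS-Identification-Mismatch", 404: "Invalid-Request",
                503: "Session-Context-Not-Found", 506: "Resources-Unavailable"}

def parse_radius(pkt: bytes) -> dict:
    """Decode a RADIUS header plus its TLV attribute list; raises on malformed input."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"Length field {length} does not match {len(pkt)} bytes on the wire")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        raw = pkt[pos + 2:pos + alen]
        if atype == 4 and alen == 6:          # NAS-IP-Address: 4-byte IPv4
            value = ".".join(str(b) for b in raw)
        elif atype == 101 and alen == 6:      # Error-Cause: 4-byte integer
            num = struct.unpack("!I", raw)[0]
            value = ERROR_CAUSES.get(num, f"Error-Cause {num}")
        else:                                 # treat everything else as text
            value = raw.decode("ascii", "replace")
        attrs.append((ATTRS.get(atype, f"Attr-{atype}"), value))
        pos += alen
    return {"code": CODES.get(code, code), "id": ident,
            "authenticator": pkt[4:20].hex(), "attrs": attrs}

# Both packets from the tcpdump, reassembled from the dump's fields (constructed input)
DISCONNECT_REQ = (bytes([40, 0x15]) + struct.pack("!H", 45)
                  + bytes.fromhex("0e8903ad95ae41766f4614d83978b9b0")
                  + bytes([31, 19]) + b"60-70-C0-4C-6C-F6"
                  + bytes([4, 6]) + bytes.fromhex("0a056478"))
DISCONNECT_NAK = (bytes([42, 0x15]) + struct.pack("!H", 26)
                  + bytes.fromhex("b72de2c780f2b5d240e0786f148e1a9e")
                  + bytes([101, 6]) + bytes.fromhex("00000192"))

if __name__ == "__main__":
    for pkt in (DISCONNECT_REQ, DISCONNECT_NAK):
        print(parse_radius(pkt))
```

The decoded request shows only Calling-Station-Id and NAS-IP-Address, which is the attribute set the controller is judging against when it answers Missing-Attribute.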

On Thu, Mar 5, 2020 at 4:30 PM Truax, Peter <ptr...@stmartin.edu> wrote:
>
> Ruckus gear supports COA. Maybe that would help? Not sure.
>
> Also, the way we have our Ruckus Virtual Smartzone connected, each AP is 
> configured as a switch in PF, but I think you can use the controller as a 
> proxy. There's settings for that in Wireless LANs - WLAN - Configure - 
> Authentication Server or Accounting Server - Use Controller as Proxy in 
> Ruckus Virtual Smartzone. I've never tested that, but it looks like it might 
> work. We have each AP configured as its own switch so that it is easier to 
> track locations. When someone connects to the network, Packetfence then 
> records which AP the user connected. With it configured as proxy, you would 
> still get MAC address info for each AP, but in Packetfence it would show the 
> location as just the controller address. You'd have to keep track of 
> locations outside of Packetfence.
>
> Would it be possible to set up a static VPN to the Ruckus APs management 
> addresses through the NAT and firewall? Or maybe set a 1 to 1 NAT for each 
> AP? The other possibility, besides using the controller as a proxy, is to put 
> a Packetfence server behind the firewall to serve the wireless users.
>
> Regards,
>
> Peter Truax
> Network Administrator
> Saint Martin’s University
> 5000 Abbey Way E
> Lacey, WA 98503
>
>
>
>
> -----Original Message-----
> From: Jonathan Nathanson <jmhnathan...@gmail.com>
> Sent: Thursday, March 5, 2020 7:22 AM
> To: packetfence-users@lists.sourceforge.net
> Cc: Truax, Peter <ptr...@stmartin.edu>
> Subject: Re: [PacketFence-users] [External] Re-assigning network via DHCP 
> across routed network
>
> Hi all,
>
> Many thanks for your responses, really helpful.
>
> We are using Ruckus APs, with a Virtual SmartZone controller hosted in AWS.
>
> What I have found is the following:
>
> My device configuration is set up to process requests from the Ruckus 
> wireless access points, identifying them by their local IP address CIDR (/24 
> subnet). Between the APs and PacketFence, there is a firewall, so the APs 
> local IP addresses are not locally routable from PacketFence.
>
> [10.5.100.0/24]
> RoleMap=Y
> VlanMap=N
> description=Ruckus APs
> Widget-CompanyRole=widget-company
> group=Ruckus-APs
> isolationRole=isolation
> defaultRole=default
> deauthMethod=RADIUS
> registrationRole=registration
> type=Ruckus::SmartZone
> radiusSecret=[**asecret**]
> guestRole=guest
> VoIPDHCPDetect=N
> ExcellSalesRole=excellsales
> ExcellEngineeringRole=excellengineering
> OpenRole=open
> useCoA=N
>
> So when I check packetfence.log I see this:
>
> Mar  5 15:13:29 A3 packetfence_httpd.portal: httpd.portal(22727) INFO:
> [mac:c0:a6:00:e6:57:c1] User default has authenticated on the portal.
> (Class::MOP::Class:::after)
> Mar  5 15:13:29 A3 packetfence_httpd.portal: httpd.portal(22727) INFO:
> [mac:c0:a6:00:e6:57:c1] Reevaluating access of device.
> (captiveportal::PacketFence::DynamicRouting::Module::Root::unknown_state)
> Mar  5 15:13:29 A3 packetfence_httpd.portal: httpd.portal(22727) INFO:
> [mac:c0:a6:00:e6:57:c1] re-evaluating access (manage_register called)
> (pf::enforcement::reevaluate_access)
> Mar  5 15:13:29 A3 packetfence_httpd.portal: httpd.portal(22727) INFO:
> [mac:c0:a6:00:e6:57:c1] VLAN reassignment is forced.
> (pf::enforcement::_should_we_reassign_vlan)
> Mar  5 15:13:29 A3 packetfence_httpd.portal: httpd.portal(22727) INFO:
> [mac:c0:a6:00:e6:57:c1] switch port is (10.5.100.120) ifIndex unknown 
> connection type: WiFi MAC Auth (pf::enforcement::_vlan_reevaluation)
> Mar  5 15:13:30 A3 packetfence_httpd.portal: httpd.portal(30941) INFO:
> [mac:c0:a6:00:e6:57:c1] Instantiate profile hana-test
> (pf::Connection::ProfileFactory::_from_profile)
> Mar  5 15:13:30 A3 pfqueue: pfqueue(31120) WARN:
> [mac:c0:a6:00:e6:57:c1] Unable to perform RADIUS Disconnect-Request:
> Timeout waiting for a reply from 10.5.100.120 on port 3799 at 
> /usr/local/pf/lib/pf/util/radius.pm line 166.
> (pf::Switch::Ruckus::SmartZone::catch {...} )
> Mar  5 15:13:30 A3 pfqueue: pfqueue(31120) ERROR:
> [mac:c0:a6:00:e6:57:c1] Wrong RADIUS secret or unreachable network device... 
> (pf::Switch::Ruckus::SmartZone::catch {...} )
>
> It looks like it's trying to send the RADIUS Disconnect-Request to 
> 10.5.100.120, which is just an arbitrary IP address as I'm trying to just 
> allow APs within the /24 CIDR (10.5.10.120/24) to communicate with PF.
>
> So I guess my question is, do I need to provide a statically assigned IP 
> address to each Ruckus AP which is routable from PF and then in PF create 
> device configurations for each individual AP? If that's the case, I will 
> probably be pretty stuck as it doesn't really fit with the network design 
> that I have in place (PF is hosted centrally in our DC, and is intended to 
> provide NAC services to APs which are NAT'd behind a firewall - we've 
> deployed PF to enforce captive portal via DNS on the registration VLAN, doing 
> the routing via DHCP Relays).
>
> Is there an alternative? I have looked at using the Ruckus Virtual SmartZone 
> controller as an AAA proxy instead and I am still testing to see if I can get 
> this working. I wonder if anyone has any experience with this?
>
> Thanks again for any input, it's all greatly appreciated.
>
> Jonathan
>
> On Thu, Mar 5, 2020 at 6:14 AM Truax, Peter via PacketFence-users 
> <packetfence-users@lists.sourceforge.net> wrote:
> >
> > Hi Jonathan,
> >
> > It all depends on how you have deauthentication set up and what your 
> > switching gear supports. Here, we use snmp as a deauthentication method for 
> > our switches. But, you can choose from a few different methods.
> >
> > Look in here to see what your switch or wireless supports:
> >
> > https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html
> >
> > Regards,
> >
> > Peter Truax
> > Network Administrator
> > Saint Martin’s University
> > 5000 Abbey Way E
> > Lacey, WA 98503
> >
> >
> >
> >
> > -----Original Message-----
> > From: Jonathan Nathanson via PacketFence-users
> > <packetfence-users@lists.sourceforge.net>
> > Sent: Tuesday, March 3, 2020 3:02 AM
> > To: packetfence-users@lists.sourceforge.net
> > Cc: Jonathan Nathanson <jmhnathan...@gmail.com>
> > Subject: [External] [PacketFence-users] Re-assigning network via DHCP
> > across routed network
> >
> > Hi there,
> >
> > I am using PacketFence configured to provide services over a routed 
> > network. The issue I am seeing is the client device connects to an SSID, 
> > they are presented with the captive portal, the client authenticates and is 
> > presented with the “Your network access is being set up” screen.
> >
> > However, at this point I would expect PacketFence to use DHCP to move
> > the client from the registration VLAN in to whatever VLAN has been
> > provided via radius-filter-id. However, this isn’t happening, instead
> > the screen just says in red text “Your network access should be
> > enabled within the next couple of minutes”…
> >
> > The only way to get the client device to pick up the new VLAN/IP address is 
> > to turn Wi-Fi off and on again, forcing the client to make a DHCP request.
> >
> > Has anyone seen this before, and can provide advice on how to enable the 
> > correct behaviour post-authentication?
> >
> > Many thanks
> > Jonathan
> >
> >
> > _______________________________________________
> > PacketFence-users mailing list
> > PacketFence-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/packetfence-users
> >
