Thanks Peter, again very helpful. What I have managed to do is get the SmartZone controller to work as the RADIUS proxy. This is now set up and working. What I am seeing is a Disconnect-NAK packet being returned from the SmartZone controller to PF.
"Unable to perform RADIUS Disconnect-Request. Disconnect-NAK received with Error-Cause: Missing-Attribute."

A tcpdump on the PF server on the CoA port (3799) shows the packets:

[root@A3 ~]# tcpdump udp port 3799 -vvv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:01:15.018790 IP (tos 0x0, ttl 64, id 28503, offset 0, flags [DF], proto UDP (17), length 73)
    A3.65122 > ec2-3-9-193-153.eu-west-2.compute.amazonaws.com.radius-dynauth: [bad udp cksum 0xfb41 -> 0xeb34!] RADIUS, length: 45
        Disconnect-Request (40), id: 0x15, Authenticator: 0e8903ad95ae41766f4614d83978b9b0
          Calling-Station-Id Attribute (31), length: 19, Value: 60-70-C0-4C-6C-F6
            0x0000:  3630 2d37 302d 4330 2d34 432d 3643 2d46
            0x0010:  36
          NAS-IP-Address Attribute (4), length: 6, Value: 10.5.100.120
            0x0000:  0a05 6478
17:01:15.021186 IP (tos 0x0, ttl 55, id 49424, offset 0, flags [none], proto UDP (17), length 54)
    ec2-3-9-193-153.eu-west-2.compute.amazonaws.com.radius-dynauth > A3.65122: [udp sum ok] RADIUS, length: 26
        Disconnect-NAK (42), id: 0x15, Authenticator: b72de2c780f2b5d240e0786f148e1a9e
          Unknown Attribute (101), length: 6, Value:
            0x0000:  0000 0192

I am now trying to investigate what attributes are missing from the Disconnect-Request which are leading to the Disconnect-NAK message being returned. I'm struggling to interpret this but I will keep sleuthing!

Kind regards,
Jonathan

On Thu, Mar 5, 2020 at 4:30 PM Truax, Peter <ptr...@stmartin.edu> wrote:
>
> Ruckus gear supports COA. Maybe that would help? Not sure.
>
> Also, the way we have our Ruckus Virtual Smartzone connected, each AP is
> configured as a switch in PF, but I think you can use the controller as a
> proxy. There's settings for that in Wireless LANs - WLAN - Configure -
> Authentication Server or Accounting Server - Use Controller as Proxy in
> Ruckus Virtual Smartzone. I've never tested that, but it looks like it might
> work.
>
> We have each AP configured as its own switch so that it is easier to
> track locations. When someone connects to the network, Packetfence then
> records which AP the user connected to. With it configured as proxy, you would
> still get MAC address info for each AP, but in Packetfence it would show the
> location as just the controller address. You'd have to keep track of
> locations outside of Packetfence.
>
> Would it be possible to set up a static VPN to the Ruckus APs' management
> addresses through the NAT and firewall? Or maybe set a 1 to 1 NAT for each
> AP? The other possibility, besides using the controller as a proxy, is to put
> a Packetfence server behind the firewall to serve the wireless users.
>
> Regards,
>
> Peter Truax
> Network Administrator
> Saint Martin’s University
> 5000 Abbey Way E
> Lacey, WA 98503
>
> -----Original Message-----
> From: Jonathan Nathanson <jmhnathan...@gmail.com>
> Sent: Thursday, March 5, 2020 7:22 AM
> To: packetfence-users@lists.sourceforge.net
> Cc: Truax, Peter <ptr...@stmartin.edu>
> Subject: Re: [PacketFence-users] [External] Re-assigning network via DHCP
> across routed network
>
> Hi all,
>
> Many thanks for your responses, really helpful.
>
> We are using Ruckus APs, with a Virtual SmartZone controller hosted in AWS.
>
> What I have found is the following:
>
> My device configuration is set up to process requests from the Ruckus
> wireless access points, identifying them by their local IP address CIDR (/24
> subnet). Between the APs and PacketFence, there is a firewall, so the APs'
> local IP addresses are not locally routable from PacketFence.
>
> [10.5.100.0/24]
> RoleMap=Y
> VlanMap=N
> description=Ruckus APs
> Widget-CompanyRole=widget-company
> group=Ruckus-APs
> isolationRole=isolation
> defaultRole=default
> deauthMethod=RADIUS
> registrationRole=registration
> type=Ruckus::SmartZone
> radiusSecret=[**asecret**]
> guestRole=guest
> VoIPDHCPDetect=N
> ExcellSalesRole=excellsales
> ExcellEngineeringRole=excellengineering
> OpenRole=open
> useCoA=N
>
> So when I check packetfence.log I see this:
>
> Mar 5 15:13:29 A3 packetfence_httpd.portal: httpd.portal(22727) INFO: [mac:c0:a6:00:e6:57:c1] User default has authenticated on the portal. (Class::MOP::Class:::after)
> Mar 5 15:13:29 A3 packetfence_httpd.portal: httpd.portal(22727) INFO: [mac:c0:a6:00:e6:57:c1] Reevaluating access of device. (captiveportal::PacketFence::DynamicRouting::Module::Root::unknown_state)
> Mar 5 15:13:29 A3 packetfence_httpd.portal: httpd.portal(22727) INFO: [mac:c0:a6:00:e6:57:c1] re-evaluating access (manage_register called) (pf::enforcement::reevaluate_access)
> Mar 5 15:13:29 A3 packetfence_httpd.portal: httpd.portal(22727) INFO: [mac:c0:a6:00:e6:57:c1] VLAN reassignment is forced. (pf::enforcement::_should_we_reassign_vlan)
> Mar 5 15:13:29 A3 packetfence_httpd.portal: httpd.portal(22727) INFO: [mac:c0:a6:00:e6:57:c1] switch port is (10.5.100.120) ifIndex unknown connection type: WiFi MAC Auth (pf::enforcement::_vlan_reevaluation)
> Mar 5 15:13:30 A3 packetfence_httpd.portal: httpd.portal(30941) INFO: [mac:c0:a6:00:e6:57:c1] Instantiate profile hana-test (pf::Connection::ProfileFactory::_from_profile)
> Mar 5 15:13:30 A3 pfqueue: pfqueue(31120) WARN: [mac:c0:a6:00:e6:57:c1] Unable to perform RADIUS Disconnect-Request: Timeout waiting for a reply from 10.5.100.120 on port 3799 at /usr/local/pf/lib/pf/util/radius.pm line 166. (pf::Switch::Ruckus::SmartZone::catch {...} )
> Mar 5 15:13:30 A3 pfqueue: pfqueue(31120) ERROR: [mac:c0:a6:00:e6:57:c1] Wrong RADIUS secret or unreachable network device... (pf::Switch::Ruckus::SmartZone::catch {...} )
>
> It looks like it's trying to send the RADIUS Disconnect-Request to
> 10.5.100.120, which is just an arbitrary IP address as I'm trying to just
> allow APs within the /24 CIDR (10.5.10.120/24) to communicate with PF.
>
> So I guess my question is, do I need to provide a statically assigned IP
> address to each Ruckus AP which is routable from PF and then in PF create
> device configurations for each individual AP? If that's the case, I will
> probably be pretty stuck as it doesn't really fit with the network design
> that I have in place (PF is hosted centrally in our DC, and is intended to
> provide NAC services to APs which are NAT'd behind a firewall - we've
> deployed PF to enforce captive portal via DNS on the registration VLAN, doing
> the routing via DHCP Relays).
>
> Is there an alternative? I have looked at using the Ruckus Virtual SmartZone
> controller as an AAA proxy instead and I am still testing to see if I can get
> this working. I wonder if anyone has any experience with this?
>
> Thanks again for any input, it's all greatly appreciated.
>
> Jonathan
>
> On Thu, Mar 5, 2020 at 6:14 AM Truax, Peter via PacketFence-users
> <packetfence-users@lists.sourceforge.net> wrote:
> >
> > Hi Jonathan,
> >
> > It all depends on how you have deauthentication set up and what your
> > switching gear supports. Here, we use snmp as a deauthentication method for
> > our switches. But, you can choose from a few different methods.
> >
> > Look in here to see what your switch or wireless supports:
> >
> > https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html
> >
> > Regards,
> >
> > Peter Truax
> > Network Administrator
> > Saint Martin’s University
> > 5000 Abbey Way E
> > Lacey, WA 98503
> >
> > -----Original Message-----
> > From: Jonathan Nathanson via PacketFence-users
> > <packetfence-users@lists.sourceforge.net>
> > Sent: Tuesday, March 3, 2020 3:02 AM
> > To: packetfence-users@lists.sourceforge.net
> > Cc: Jonathan Nathanson <jmhnathan...@gmail.com>
> > Subject: [External] [PacketFence-users] Re-assigning network via DHCP
> > across routed network
> >
> > Hi there,
> >
> > I am using PacketFence configured to provide services over a routed
> > network. The issue I am seeing is the client device connects to an SSID,
> > they are presented with the captive portal, the client authenticates and is
> > presented with the “Your network access is being set up” screen.
> >
> > However, at this point I would expect PacketFence to use DHCP to move
> > the client from the registration VLAN into whatever VLAN has been
> > provided via radius-filter-id. However, this isn’t happening; instead
> > the screen just says in red text “Your network access should be
> > enabled within the next couple of minutes”…
> >
> > The only way to get the client device to pick up the new VLAN/IP address is
> > to turn Wi-Fi off and on again, forcing the client to make a DHCP request.
> >
> > Has anyone seen this before, and can provide advice on how to enable the
> > correct behaviour post-authentication?
> >
> > Many thanks
> > Jonathan
> >
> > _______________________________________________
> > PacketFence-users mailing list
> > PacketFence-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/packetfence-users
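Editor's note on the capture quoted above. tcpdump prints the NAK's attribute 101 as "Unknown Attribute" only because its decoder has no name for it: attribute 101 is Error-Cause (RFC 5176), and its value 0x00000192 is decimal 402, "Missing Attribute". Two things follow from that. First, the earlier failure mode ("Timeout waiting for a reply ... Wrong RADIUS secret or unreachable network device") is gone: RFC 5176 has a NAS silently discard a Disconnect-Request whose Request Authenticator does not validate, so a NAK means the controller is reachable, shares the secret, and rejected the request on its content. Second, the request carries only Calling-Station-Id as a session identifier plus NAS-IP-Address; the NAK does not say which additional attribute the controller wants, and RFC 5176 leaves that to the NAS, so the vendor's CoA/Disconnect documentation is the place to look. The script below is an added example written for this thread, not PacketFence, FreeRADIUS or Ruckus code. It parses the two packets (bytes reconstructed from the tcpdump output above), names the Error-Cause, lists which RFC 5176 session-identification attributes the request carried, and shows the Request/Response Authenticator computation so a captured ACK/NAK can be verified against its request when the secret is known; the secrets used in the round-trip demo are placeholders.

```python
"""Decode RFC 5176 (RADIUS Dynamic Authorization) packets and check their authenticators.
Added example for this thread, not PacketFence, FreeRADIUS or Ruckus code. The two packets
below are reconstructed from the tcpdump output quoted above; the secrets are placeholders."""
import hashlib
import struct

CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ATTRS = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 8: "Framed-IP-Address",
         30: "Called-Station-Id", 31: "Calling-Station-Id", 32: "NAS-Identifier",
         44: "Acct-Session-Id", 50: "Acct-Multi-Session-Id", 87: "NAS-Port-Id",
         89: "Chargeable-User-Identity", 101: "Error-Cause"}
SESSION_ID_ATTRS = (1, 5, 8, 30, 31, 44, 50, 87, 89)   # RFC 5176 s.3 session identification
ERROR_CAUSES = {                                        # RFC 5176 s.3.5
    201: "Residual Session Context Removed", 202: "Invalid EAP Packet",
    401: "Unsupported Attribute", 402: "Missing Attribute", 403: "NAS Identification Mismatch",
    404: "Invalid Request", 405: "Unsupported Service", 406: "Unsupported Extension",
    407: "Invalid Attribute Value", 501: "Administratively Prohibited",
    502: "Request Not Routable (Proxy)", 503: "Session Context Not Found",
    504: "Session Context Not Removable", 505: "Other Proxy Processing Error",
    506: "Resources Unavailable", 507: "Request Initiated",
    508: "Multiple Session Selection Unsupported"}

def avp(atype: int, value: bytes) -> bytes:
    """Encode one attribute as type, length, value."""
    return bytes([atype, 2 + len(value)]) + value

def parse(pkt: bytes) -> dict:
    """Split a RADIUS datagram into header fields and a list of (type, value) AVPs."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("RADIUS length field is inconsistent with the datagram")
    avps, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute {atype} at offset {pos}")
        avps.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "name": CODES.get(code, f"Code-{code}"), "id": ident,
            "length": length, "authenticator": pkt[4:20], "avps": avps}

def describe(atype: int, value: bytes) -> str:
    """Render one attribute the way an operator reading a capture wants to see it."""
    name = ATTRS.get(atype, f"Attr-{atype}")
    if atype == 101 and len(value) == 4:        # Error-Cause is a 32-bit integer
        cause = struct.unpack("!I", value)[0]
        return f"{name}={cause} ({ERROR_CAUSES.get(cause, 'unknown')})"
    if atype in (4, 8) and len(value) == 4:     # IPv4 address attributes
        return name + "=" + ".".join(str(b) for b in value)
    return name + "=" + value.decode("ascii", "replace")

def session_identifiers(avps) -> list:
    """Names of the RFC 5176 session-identification attributes a request carries."""
    return [ATTRS[t] for t, _ in avps if t in SESSION_ID_ATTRS]

def build_request(ident: int, avps: bytes, secret: bytes, code: int = 40) -> bytes:
    """Request Authenticator (RFC 5176 s.2.3): MD5(Code+ID+Length+16 zero octets+Attrs+Secret)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(avps))
    return hdr + hashlib.md5(hdr + bytes(16) + avps + secret).digest() + avps

def build_response(code: int, request: bytes, avps: bytes, secret: bytes) -> bytes:
    """Response Authenticator: MD5(Code+ID+Length+RequestAuthenticator+Attrs+Secret)."""
    hdr = struct.pack("!BBH", code, request[1], 20 + len(avps))
    return hdr + hashlib.md5(hdr + request[4:20] + avps + secret).digest() + avps

def response_ok(response: bytes, request: bytes, secret: bytes) -> bool:
    """True only if the ACK/NAK was built for `request` by a peer holding `secret`."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return expected == response[4:20]

# Reconstructed from the Disconnect-Request / Disconnect-NAK pair in the thread's tcpdump.
DISCONNECT_REQUEST = (bytes.fromhex("28 15 002d 0e8903ad95ae41766f4614d83978b9b0")
                      + avp(31, b"60-70-C0-4C-6C-F6")         # Calling-Station-Id
                      + avp(4, bytes([10, 5, 100, 120])))     # NAS-IP-Address
DISCONNECT_NAK = (bytes.fromhex("2a 15 001a b72de2c780f2b5d240e0786f148e1a9e")
                  + avp(101, bytes.fromhex("00000192")))      # Error-Cause, tcpdump's "Unknown Attribute (101)"

def explain(request: bytes, response: bytes) -> list:
    """One readable line per packet of a CoA/DM exchange."""
    out = []
    for p in (parse(request), parse(response)):
        out.append(f"{p['name']} id={p['id']} len={p['length']}: "
                   + ", ".join(describe(t, v) for t, v in p["avps"]))
    return out

if __name__ == "__main__":
    print("\n".join(explain(DISCONNECT_REQUEST, DISCONNECT_NAK)))
    print("session identifiers sent:", session_identifiers(parse(DISCONNECT_REQUEST)["avps"]))
    # Round trip with a placeholder secret: only a peer holding the same secret can produce a
    # NAK that verifies, which distinguishes "wrong secret" from "NAS rejected the request".
    req = build_request(0x15, avp(31, b"60-70-C0-4C-6C-F6") + avp(44, b"abc123"), b"placeholder")
    nak = build_response(42, req, avp(101, struct.pack("!I", 402)), b"placeholder")
    print("NAK authenticator verifies:", response_ok(nak, req, b"placeholder"))
```

To apply it to another capture, take the raw packet hex from tcpdump -x (or a pcap) and feed it to parse(); the NAK's Error-Cause is then decoded by name rather than left as "Unknown Attribute". response_ok() needs the real shared secret and the matching request, so it is for verifying ACK/NAK pairs in a capture you took, not for diagnosing a remote NAS.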