Hello Kenny,

I did open a bug for it, thanks for reporting it.

https://github.com/inverse-inc/packetfence/issues/5930

Thanks,

Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

> On Oct 20, 2020, at 9:58 AM, Kenny Wallrath <[email protected]> wrote:
>
> Here you go:
>
> [root@packetfence ~]# netstat -nlp | grep 1813
> udp 0 0 10.0.21.20:1813 0.0.0.0:* 1660/pfacct
>
> It seems that pfacct is only bound towards my management interface and
> not my "radius interface"
> If I check the udp-1812 port I can see following:
>
> [root@packetfence ~]# netstat -nlp | grep 1812
> udp 0 0 127.0.0.1:18121 0.0.0.0:* 2651/radiusd
> udp 0 0 10.0.21.20:1812 0.0.0.0:* 2651/radiusd
> udp 0 0 10.0.20.14:1812 0.0.0.0:* 2651/radiusd
>
> my radius network interface is following:
> --> pf.conf
> [interface eth1]
> ip=10.0.20.14
> type=none,radius,dhcp-listener
> mask=255.255.255.0
>
> On raddb/acct.conf
> I found a listen block for the radius interface
>
> listen {
>     ipaddr = 10.0.20.14
>     port = 0
>     type = acct
>     virtual_server = packetfence
> }
> this explains why I receive accounting-replies at my switch, when I
> enable the radiusd-acct service.
> But I couldn't find any conf files for pfacct
>
> Is my interface correctly configured?
>
> If I restart pfacct service over the GUI I can see the daemon
> listening on the right interface
> [root@packetfence raddb]# netstat -nlp | grep 1813
> udp 0 0 10.0.21.20:1813 0.0.0.0:* 4133/pfacct
> udp 4352 0 10.0.20.14:1813 0.0.0.0:* 4133/pfacct
>
> But if I power cycle my device or reevaluate switchport the netstat
> looks the same like in the beginning...
>
> Best regards
>
> On Tue, Oct 20, 2020 at 14:41, Ludovic Zammit
> <[email protected]> wrote:
>>
>> Hello,
>>
>> Can you show me the output of:
>>
>> netstat -nlp | grep 1813
>>
>> Thanks,
>>
>> Ludovic Zammit
>> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>> (http://packetfence.org)
>>
>> On Oct 18, 2020, at 5:21 AM, Kenny Wallrath <[email protected]> wrote:
>>
>> Hi Ludovic,
>>
>> I took another debug on the switch and packetfence. It seems that
>> Radius Accounting Start Packets are sent from
>> the switch to PF, anyways the online/offline state still is not
>> getting updated and PF is not sending accounting-response.
>> Also the pfacct.log remains empty
>> I attached the radsniff and my cisco debug below.
>>
>> This is what I configured on the switch side:
>>
>> aaa new-model
>> aaa group server radius PACKETFENCE
>>  server name PACKETFENCE
>> aaa authentication login default local group radius
>> aaa authentication enable default enable
>> aaa authentication dot1x default group PACKETFENCE
>> aaa authorization console
>> aaa authorization exec default local group radius if-authenticated
>> aaa authorization network default group PACKETFENCE
>> aaa accounting update newinfo
>> aaa accounting dot1x default start-stop group PACKETFENCE
>> aaa accounting network default start-stop group PACKETFENCE
>> aaa accounting connection default start-stop group PACKETFENCE
>> aaa server radius dynamic-author
>>  client 10.0.20.14 server-key xxxxxxxxxxxxxxxx
>>  port 3799
>> aaa session-id common
>> radius-server vsa send accounting
>> radius-server vsa send authentication
>>
>> Cisco "debug aaa accounting"
>> Oct 18 11:00:02.554: AAA/ACCT/DOT1X(0000005A): Pick method list 'default'
>> Oct 18 11:00:02.554: AAA/ACCT/SETMLIST(0000005A): Handle 0, mlist 05861080, Name default
>> Oct 18 11:00:02.554: Getting session id for DOT1X(0000005A) : db=55391F0
>> Oct 18 11:00:02.554: AAA/ACCT/DOT1X(0000005A): add, count 2
>> Oct 18 11:00:03.513: AAA/ACCT/EVENT/(0000005A): ATTR REPLACE
>> Oct 18 11:00:03.513: AAA/ACCT(0000005A): Accounting response status = FAILURE
>> Oct 18 11:00:03.513: AAA/ACCT(0000005A): Send NEWINFO accounting notification to EM failed
>>
>> Oct 18 11:00:03.550: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (b827.eb3f.01c8) on Interface Gi1/0/2 AuditSessionID 0A0014FD0000002ED5397B59
>> Oct 18 11:00:03.550: AAA/ACCT/EVENT/(0000005A): NET UP
>> Oct 18 11:00:03.550: AAA/ACCT/HC(0000005A): Update Dot1X/2E00002F
>> Oct 18 11:00:03.550: AAA/ACCT/HC(0000005A): no HC Dot1X/2E00002F
>> Oct 18 11:00:03.550: AAA/ACCT/DOT1X(0000005A): Queueing record is START
>> Oct 18 11:00:03.550: AAA/ACCT(0000005A): Accounting method=PACKETFENCE (RADIUS)
>> Oct 18 11:00:15.011: AAA/ACCT/EVENT/(0000005A): ATTR REPLACE
>> Oct 18 11:00:15.011: AAA/ACCT/HC(0000005A): Update Dot1X/2E00002F
>> Oct 18 11:00:15.011: AAA/ACCT/HC(0000005A): no HC Dot1X/2E00002F
>> Oct 18 11:00:15.011: AAA/ACCT/DOT1X(0000005A): Queueing record is NEWINFO
>> Oct 18 11:00:15.011: AAA/ACCT/EVENT/(0000005A): SESSION INFO
>> Oct 18 11:00:15.011: AAA/ACCT/HC(0000005A): Update Dot1X/2E00002F
>> Oct 18 11:00:15.011: AAA/ACCT/HC(0000005A): no HC Dot1X/2E00002F
>> Oct 18 11:00:15.011: AAA/ACCT/DOT1X(0000005A): Queueing record is UPDATE
>> Oct 18 11:00:15.016: AAA/ACCT(0000005A): Accounting method=PACKETFENCE (RADIUS)
>> Oct 18 11:00:15.016: AAA/ACCT(0000005A): Accounting method=PACKETFENCE (RADIUS)
>> Oct 18 11:00:23.719: AAA/ACCT/DOT1X(0000005A): START protocol reply FAIL
>> Oct 18 11:00:23.719: AAA/ACCT(0000005A): Accounting method=NOT_SET
>> Oct 18 11:00:23.719: AAA/ACCT(0000005A): Accounting response status = FAILURE
>> Oct 18 11:00:23.719: AAA/ACCT(0000005A): Send START accounting notification to EM failed
>> Oct 18 11:00:23.719: AAA/ACCT(0000005A): mlist_periodic is not set, interval 0
>> Oct 18 11:00:30.095: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.0.20.14:1812,1813 is not responding.
>> Oct 18 11:00:30.152: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.0.20.14:1812,1813 is being marked alive.
>> Oct 18 11:00:35.107: AAA/ACCT/DOT1X(0000005A): NEWINFO protocol reply FAIL
>> Oct 18 11:00:35.107: AAA/ACCT(0000005A): Accounting method=NOT_SET
>> Oct 18 11:00:35.107: AAA/ACCT(0000005A): mlist_periodic is not set, interval 0
>>
>> Packetfence radsniff:
>> 2020-10-18 11:00:32.445522 (5) Accounting-Request Id 158 eth1:10.0.20.253:1646 -> 10.0.20.14:1813 +23.614
>>     User-Name = "b8:27:eb:3f:01:c8"
>>     NAS-IP-Address = 10.0.20.253
>>     NAS-Port = 50102
>>     Service-Type = Framed-User
>>     Framed-IP-Address = 169.254.118.80
>>     Called-Station-Id = "3C-0E-23-5A-3E-02"
>>     Calling-Station-Id = "B8-27-EB-3F-01-C8"
>>     NAS-Port-Type = Ethernet
>>     Acct-Status-Type = Start
>>     Acct-Delay-Time = 0
>>     Acct-Session-Id = "00000050"
>>     Acct-Authentic = RADIUS
>>     NAS-Port-Id = "GigabitEthernet1/0/2"
>>     PMIP6-Home-HN-Prefix = 3039:4330:3842::/56
>>     Cisco-AVPair = "audit-session-id=0A0014FD0000002ED5397B59"
>>     Cisco-AVPair = "connect-progress=Call Up"
>>     Authenticator-Field = 0x603bc2274431edd546dc9c758d86191f
>> 2020-10-18 11:00:37.497158 (6) Accounting-Request Id 159 eth1:10.0.20.253:1646 -> 10.0.20.14:1813 +28.665
>>     User-Name = "b8:27:eb:3f:01:c8"
>>     NAS-IP-Address = 10.0.20.253
>>     NAS-Port = 50102
>>     Service-Type = Framed-User
>>     Framed-IP-Address = 169.254.118.80
>>     Called-Station-Id = "3C-0E-23-5A-3E-02"
>>     Calling-Station-Id = "B8-27-EB-3F-01-C8"
>>     NAS-Port-Type = Ethernet
>>     Acct-Status-Type = Start
>>     Acct-Delay-Time = 5
>>     Acct-Session-Id = "00000050"
>>     Acct-Authentic = RADIUS
>>     NAS-Port-Id = "GigabitEthernet1/0/2"
>>     PMIP6-Home-HN-Prefix = 3039:4330:3842::/56
>>     Cisco-AVPair = "audit-session-id=0A0014FD0000002ED5397B59"
>>     Cisco-AVPair = "connect-progress=Call Up"
>>     Authenticator-Field = 0xfb92fbb9cc7ef65439c9c4e49d8283c6
>> 2020-10-18 11:00:37.645522 (5) ** norsp ** Accounting-Request Id 158 eth1:10.0.20.253:1646 -> 10.0.20.14:1813
>> 2020-10-18 11:00:37.645522 (5) Cleaning up request packet ID 158
>> 2020-10-18 11:00:42.551582 (7) Accounting-Request Id 160 eth1:10.0.20.253:1646 -> 10.0.20.14:1813 +33.720
>>     User-Name = "b8:27:eb:3f:01:c8"
>>     NAS-IP-Address = 10.0.20.253
>>     NAS-Port = 50102
>>     Service-Type = Framed-User
>>     Framed-IP-Address = 169.254.118.80
>>     Called-Station-Id = "3C-0E-23-5A-3E-02"
>>     Calling-Station-Id = "B8-27-EB-3F-01-C8"
>>     NAS-Port-Type = Ethernet
>>     Acct-Status-Type = Start
>>     Acct-Delay-Time = 10
>>     Acct-Session-Id = "00000050"
>>     Acct-Authentic = RADIUS
>>     NAS-Port-Id = "GigabitEthernet1/0/2"
>>     PMIP6-Home-HN-Prefix = 3039:4330:3842::/56
>>     Cisco-AVPair = "audit-session-id=0A0014FD0000002ED5397B59"
>>     Cisco-AVPair = "connect-progress=Call Up"
>>     Authenticator-Field = 0x42233d99f083a7639d3684208165238f
>> 2020-10-18 11:00:42.697158 (6) ** norsp ** Accounting-Request Id 159 eth1:10.0.20.253:1646 -> 10.0.20.14:1813
>> 2020-10-18 11:00:42.697158 (6) Cleaning up request packet ID 159
>> 2020-10-18 11:00:43.911491 (8) Accounting-Request Id 161 eth1:10.0.20.253:1646 -> 10.0.20.14:1813 +35.080
>>     User-Name = "b8:27:eb:3f:01:c8"
>>     NAS-IP-Address = 10.0.20.253
>>     NAS-Port = 50102
>>     Service-Type = Framed-User
>>     Framed-IP-Address = 10.0.40.61
>>     Called-Station-Id = "3C-0E-23-5A-3E-02"
>>     Calling-Station-Id = "B8-27-EB-3F-01-C8"
>>     NAS-Port-Type = Ethernet
>>     Acct-Status-Type = Interim-Update
>>     Acct-Delay-Time = 0
>>     Acct-Input-Octets = 2857
>>     Acct-Output-Octets = 9508
>>     Acct-Session-Id = "00000050"
>>     Acct-Authentic = RADIUS
>>     Acct-Session-Time = 12
>>     Acct-Input-Packets = 17
>>     Acct-Output-Packets = 35
>>     NAS-Port-Id = "GigabitEthernet1/0/2"
>>     PMIP6-Home-HN-Prefix = 3039:4330:3842::/56
>>     Cisco-AVPair = "audit-session-id=0A0014FD0000002ED5397B59"
>>     Cisco-AVPair = "connect-progress=Call Up"
>>     Authenticator-Field = 0x2dbd87095bebf4a1b6ee64255131b410
>> 2020-10-18 11:00:43.912010 (9) Accounting-Request Id 162 eth1:10.0.20.253:1646 -> 10.0.20.14:1813 +35.080
>>     User-Name = "b8:27:eb:3f:01:c8"
>>     NAS-IP-Address = 10.0.20.253
>>     NAS-Port = 50102
>>     Service-Type = Framed-User
>>     Framed-IP-Address = 10.0.40.61
>>     Called-Station-Id = "3C-0E-23-5A-3E-02"
>>     Calling-Station-Id = "B8-27-EB-3F-01-C8"
>>     NAS-Port-Type = Ethernet
>>     Acct-Status-Type = Interim-Update
>>     Acct-Delay-Time = 0
>>     Acct-Input-Octets = 2857
>>     Acct-Output-Octets = 9508
>>     Acct-Session-Id = "00000050"
>>     Acct-Authentic = RADIUS
>>     Acct-Session-Time = 12
>>     Acct-Input-Packets = 17
>>     Acct-Output-Packets = 35
>>     NAS-Port-Id = "GigabitEthernet1/0/2"
>>     PMIP6-Home-HN-Prefix = 3039:4330:3842::/56
>>     Cisco-AVPair = "audit-session-id=0A0014FD0000002ED5397B59"
>>     Cisco-AVPair = "connect-progress=Call Up"
>>     Authenticator-Field = 0xb0a63e46552c8152ef507257f9e10b72
>> 2020-10-18 11:00:47.595411 (10) Accounting-Request Id 163 eth1:10.0.20.253:1646 -> 10.0.20.14:1813 +38.763
>>     User-Name = "b8:27:eb:3f:01:c8"
>>     NAS-IP-Address = 10.0.20.253
>>     NAS-Port = 50102
>>     Service-Type = Framed-User
>>     Framed-IP-Address = 169.254.118.80
>>     Called-Station-Id = "3C-0E-23-5A-3E-02"
>>     Calling-Station-Id = "B8-27-EB-3F-01-C8"
>>     NAS-Port-Type = Ethernet
>>     Acct-Status-Type = Start
>>     Acct-Delay-Time = 15
>>     Acct-Session-Id = "00000050"
>>     Acct-Authentic = RADIUS
>>     NAS-Port-Id = "GigabitEthernet1/0/2"
>>     PMIP6-Home-HN-Prefix = 3039:4330:3842::/56
>>     Cisco-AVPair = "audit-session-id=0A0014FD0000002ED5397B59"
>>     Cisco-AVPair = "connect-progress=Call Up"
>>     Authenticator-Field = 0xdc631f70c7df87de580a8d5c38561393
>> 2020-10-18 11:00:47.751582 (7) ** norsp ** Accounting-Request Id 160 eth1:10.0.20.253:1646 -> 10.0.20.14:1813
>> 2020-10-18 11:00:47.751582 (7) Cleaning up request packet ID 160
>>
>> On Fri, Oct 16, 2020 at 14:30, Ludovic Zammit
>> <[email protected]> wrote:
>>
>> Hello Kenny,
>>
>> PacketFence is looking for Accounting start / stop packet for the online
>> offline.
>>
>> It looks like the device does not send the Acct-Status-Type: Start or Stop.
>>
>> Thanks,
>>
>> Ludovic Zammit
>> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>> (http://packetfence.org)
>>
>> On Oct 15, 2020, at 5:52 AM, Kenny Wallrath via PacketFence-users
>> <[email protected]> wrote:
>>
>> Hi everyone,
>>
>> I am currently trying to get the online/offline state working. It
>> seems that the state is working if requests are coming from Wireless
>> AccessPoints (My device gets registered when online and unregistered
>> when offline)
>> But if I try the same with my Cisco 2960S switches the nodes remain
>> "unknown".
>>
>> From what I understood pfacct supersedes radiusd-acct. The service
>> pfacct is running and there is no firewall in between. Switch is
>> configured to send accounting to PF on port 1813.
>> My switch debug tells me that there is no response from Server, which
>> I also can verify on PF side. A TCPDUMP shows that Radius Accounting
>> Requests arrive at the PF but no response is being generated.
>> If I check the pfacct.log it is empty... I pasted a radsniff on port
>> 1813 below...
>>
>> Interestingly, if I disable pfacct and enable radiusd-acct an
>> Accounting-Reply is generated to the switch but the online/offline
>> state remains unknown.
>>
>> 2020-10-15 11:42:21.448660 (5) Accounting-Request Id 49 eth1:10.0.20.253:1646 -> 10.0.20.14:1813 +10.924
>>     User-Name = "b8:27:eb:3f:01:c8"
>>     NAS-IP-Address = 10.0.20.253
>>     NAS-Port = 50102
>>     Service-Type = Framed-User
>>     Framed-IP-Address = 10.0.40.61
>>     Called-Station-Id = "3C-0E-23-5A-3E-02"
>>     Calling-Station-Id = "B8-27-EB-3F-01-C8"
>>     NAS-Port-Type = Ethernet
>>     Acct-Status-Type = Interim-Update
>>     Acct-Delay-Time = 10
>>     Acct-Input-Octets = 15178
>>     Acct-Output-Octets = 1620296
>>     Acct-Session-Id = "0000004B"
>>     Acct-Authentic = RADIUS
>>     Acct-Session-Time = 6229
>>     Acct-Input-Packets = 225
>>     Acct-Output-Packets = 9530
>>     NAS-Port-Id = "GigabitEthernet1/0/2"
>>     PMIP6-Home-HN-Prefix = 3831:3437:4232::/57
>>     Cisco-AVPair = "audit-session-id=0A0014FD0000002AC57E41EC"
>>     Cisco-AVPair = "connect-progress=Auth Open"
>>     Authenticator-Field = 0xe184ba9b392f14f26741c4f7c64c815a
>> 2020-10-15 11:42:21.214706 (4) ** norsp ** Accounting-Request Id 48 eth1:10.0.20.253:1646 -> 10.0.20.14:1813
>> 2020-10-15 11:42:21.214706 (4) Cleaning up request packet ID 48
>> 2020-10-15 11:42:26.606010 (6) Accounting-Request Id 50 eth1:10.0.20.253:1646 -> 10.0.20.14:1813 +15.940
>>     User-Name = "b8:27:eb:3f:01:c8"
>>     NAS-IP-Address = 10.0.20.253
>>     NAS-Port = 50102
>>     Service-Type = Framed-User
>>     Framed-IP-Address = 10.0.40.61
>>     Called-Station-Id = "3C-0E-23-5A-3E-02"
>>     Calling-Station-Id = "B8-27-EB-3F-01-C8"
>>     NAS-Port-Type = Ethernet
>>     Acct-Status-Type = Interim-Update
>>     Acct-Delay-Time = 15
>>     Acct-Input-Octets = 15178
>>     Acct-Output-Octets = 1620296
>>     Acct-Session-Id = "0000004B"
>>     Acct-Authentic = RADIUS
>>     Acct-Session-Time = 6229
>>     Acct-Input-Packets = 225
>>     Acct-Output-Packets = 9530
>>     NAS-Port-Id = "GigabitEthernet1/0/2"
>>     PMIP6-Home-HN-Prefix = 3831:3437:4232::/57
>>     Cisco-AVPair = "audit-session-id=0A0014FD0000002AC57E41EC"
>>     Cisco-AVPair = "connect-progress=Auth Open"
>>     Authenticator-Field = 0xe77e42cc33f62dcd1164461139b59e6d
>> 2020-10-15 11:42:26.244866 (5) ** norsp ** Accounting-Request Id 49 eth1:10.0.20.253:1646 -> 10.0.20.14:1813
>> 2020-10-15 11:42:26.244866 (5) Cleaning up request packet ID 49
>> 2020-10-15 11:42:31.260601 (6) ** norsp ** Accounting-Request Id 50 eth1:10.0.20.253:1646 -> 10.0.20.14:1813
>> 2020-10-15 11:42:31.260601 (6) Cleaning up request packet ID 50
>>
>> _______________________________________________
>> PacketFence-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
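
Added example, not part of the original thread and not PacketFence code: a Python check for the symptom reported above, comparing the pf.conf interfaces whose type includes radius against the UDP 1813 sockets listed by netstat -nlp. The eth1 stanza and the netstat lines are taken from the messages above with columns normalised; the eth0 stanza and the function names are assumptions made for illustration.

```python
import configparser

ACCT_PORT = 1813  # RADIUS accounting port used throughout the thread

# Constructed sample: eth1 is the stanza quoted in the thread, eth0 is assumed.
PF_CONF = """\
[interface eth0]
ip=10.0.21.20
type=management
mask=255.255.255.0

[interface eth1]
ip=10.0.20.14
type=none,radius,dhcp-listener
mask=255.255.255.0
"""
NETSTAT_AFTER_BOOT = "udp 0 0 10.0.21.20:1813 0.0.0.0:* 1660/pfacct\n"
NETSTAT_AFTER_RESTART = ("udp 0 0 10.0.21.20:1813 0.0.0.0:* 4133/pfacct\n"
                         "udp 4352 0 10.0.20.14:1813 0.0.0.0:* 4133/pfacct\n")

def radius_interfaces(pf_conf_text):
    """Map interface name -> IP for [interface X] stanzas typed 'radius'."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(pf_conf_text)
    found = {}
    for section in cp.sections():
        if not section.startswith("interface "):
            continue
        types = [t.strip() for t in cp.get(section, "type", fallback="").split(",")]
        ip = cp.get(section, "ip", fallback=None)
        if "radius" in types and ip:
            found[section.split(None, 1)[1]] = ip
    return found

def udp_listeners(netstat_text, port=ACCT_PORT):
    """Map local IP -> program name for UDP sockets bound to `port`."""
    bound = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("udp"):
            continue
        ip, _, local_port = fields[3].rpartition(":")
        if local_port == str(port):
            bound[ip] = fields[-1].partition("/")[2]  # "1660/pfacct" -> "pfacct"
    return bound

def missing_acct_listeners(pf_conf_text, netstat_text, daemon="pfacct"):
    """List (ifname, ip) of radius interfaces where `daemon` is not bound to 1813."""
    bound = {ip for ip, prog in udp_listeners(netstat_text).items() if prog == daemon}
    if "0.0.0.0" in bound:  # a wildcard bind covers every IPv4 interface
        return []
    return sorted((n, ip) for n, ip in radius_interfaces(pf_conf_text).items()
                  if ip not in bound)

if __name__ == "__main__":
    print("after boot:   ", missing_acct_listeners(PF_CONF, NETSTAT_AFTER_BOOT))
    print("after restart:", missing_acct_listeners(PF_CONF, NETSTAT_AFTER_RESTART))
```

Run against live data by passing the contents of pf.conf and the output of netstat -nlp; a non-empty result after boot matches the state described in the thread, where accounting requests reach eth1 but nothing answers them.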
