Hello Florian,

Do you have Auto-registration enabled on the WLAN_EAP connection profile?

Most of the time users don't want to see a captive portal after a successful EAP PEAP or TLS. If you do Provisioning of any kind, it needs to be attached to an OPEN SSID or Mac-authentication Wired connection.

Thanks,

Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

> On Dec 9, 2020, at 8:16 AM, Krug, Florian via PacketFence-users <[email protected]> wrote:
>
> Dear Community,
>
> I am seeing strange behaviour from PacketFence and cannot find the problem. I am using PacketFence 10.2.0 on a CentOS system. As wireless APs we are using Unifi Pro APs.
>
> Authentication through our MSI PKI for wireless access with client certificates is working successfully, but after some time I can see the attached problem in packetfence.log.
> The node is then set back to pending and to the registration VLAN. The only workaround is to set the nodes back to registered to get the client VLAN.
>
> Hope you can guide me in the right direction.
>
> Dec 9 08:35:09 packetfence packetfence: pfperl-api(15879) INFO: Using 300 resolution threshold (pf::pfcron::task::cluster_check::run)
> Dec 9 08:35:09 packetfence packetfence: pfperl-api(15879) INFO: All cluster members are running the same configuration version (pf::pfcron::task::cluster_check::run)
> Dec 9 08:35:09 packetfence packetfence: pfperl-api(25991) INFO: processed 0 security_events during security_event maintenance (1607499309.17937 1607499309.18552) (pf::security_event::security_event_maintenance)
> Dec 9 08:35:09 packetfence packetfence_httpd.webservices: httpd.webservices(2559) INFO: [mac:28:16:a8:56:d0:d4] processing delayed security_event : 98, 1300002 (pf::security_event::_security_event_run_delayed)
> Dec 9 08:35:09 packetfence packetfence: pfperl-api(25991) INFO: processed 1 security_events during security_event maintenance (1607499309.18683 1607499309.19435) (pf::security_event::security_event_maintenance)
> Dec 9 08:35:09 packetfence packetfence_httpd.webservices: httpd.webservices(2559) INFO: [mac:28:16:a8:56:d0:d4] security_event for mac 28:16:a8:56:d0:d4 security_event_id 1300002 modified (pf::security_event::security_event_modify)
> Dec 9 08:35:09 packetfence packetfence_httpd.webservices: httpd.webservices(2559) WARN: [mac:28:16:a8:56:d0:d4] Warning: 1265: Data truncated for column 'release_date' at row 1 (pf::dal::db_execute)
> Dec 9 08:35:09 packetfence packetfence_httpd.webservices: httpd.webservices(2559) INFO: [mac:28:16:a8:56:d0:d4] executing action 'log' on class 1300002 (pf::action::action_execute)
> Dec 9 08:35:09 packetfence packetfence_httpd.webservices: httpd.webservices(2559) INFO: [mac:28:16:a8:56:d0:d4] /usr/local/pf/logs/security_event.log 2020-12-09 08:35:09: Provisioning Enforcement (1300002) detected on node 28:16:a8:56:d0:d4 (10.11.1.157) (pf::action::action_log)
> Dec 9 08:35:09 packetfence packetfence_httpd.webservices: httpd.webservices(2559) INFO: [mac:28:16:a8:56:d0:d4] executing action 'enforce_provisioning' on class 1300002 (pf::action::action_execute)
> Dec 9 08:35:09 packetfence packetfence_httpd.webservices: httpd.webservices(2559) INFO: [mac:28:16:a8:56:d0:d4] Instantiate profile WLAN_EAP (pf::Connection::ProfileFactory::_from_profile)
> Dec 9 08:35:09 packetfence packetfence_httpd.webservices: httpd.webservices(2559) WARN: [mac:28:16:a8:56:d0:d4] 28:16:a8:56:d0:d4 is not authorized anymore with it's provisionner. Putting node as pending. (pf::action::action_enforce_provisioning)
> Dec 9 08:35:09 packetfence packetfence_httpd.webservices: httpd.webservices(2559) INFO: [mac:28:16:a8:56:d0:d4] re-evaluating access (manage_vopen called) (pf::enforcement::reevaluate_access)
> Dec 9 08:35:09 packetfence packetfence_httpd.webservices: httpd.webservices(2559) INFO: [mac:28:16:a8:56:d0:d4] Instantiate profile WLAN_EAP (pf::Connection::ProfileFactory::_from_profile)
> Dec 9 08:35:09 packetfence packetfence_httpd.webservices: httpd.webservices(2559) INFO: [mac:28:16:a8:56:d0:d4] is currentlog connected at (10.99.1.128) ifIndex 0 Client (pf::enforcement::_should_we_reassign_vlan)
> Dec 9 08:35:09 packetfence packetfence_httpd.webservices: httpd.webservices(2559) INFO: [mac:28:16:a8:56:d0:d4] is of status pending; belongs into registration VLAN (pf::role::getRegistrationRole)
> Dec 9 08:35:09 packetfence packetfence_httpd.webservices: httpd.webservices(2559) INFO: [mac:28:16:a8:56:d0:d4] VLAN reassignment required (current VLAN = 11 but should be in VLAN 201) (pf::enforcement::_should_we_reassign_vlan)
> Dec 9 08:35:09 packetfence packetfence_httpd.webservices: httpd.webservices(2559) INFO: [mac:28:16:a8:56:d0:d4] switch port is (10.99.1.128) ifIndex 0connection type: WiFi 802.1X (pf::enforcement::_vlan_reevaluation)
> Dec 9 08:35:09 packetfence packetfence_httpd.webservices: httpd.webservices(2559) INFO: [mac:28:16:a8:56:d0:d4] this is a non-reevaluate-access security_event, closing security_event entry now (pf::action::action_execute)
> Dec 9 08:35:09 packetfence packetfence_httpd.webservices: httpd.webservices(2559) INFO: [mac:28:16:a8:56:d0:d4] security_event 1300002 force-closed for 28:16:a8:56:d0:d4 (pf::security_event::security_event_force_close)
> Dec 9 08:35:10 packetfence pfqueue: pfqueue(20477) INFO: [mac:28:16:a8:56:d0:d4] [28:16:a8:56:d0:d4] DesAssociating mac on switch (10.99.1.128) (pf::api::desAssociate)
> Dec 9 08:35:10 packetfence pfqueue: pfqueue(20477) INFO: [mac:28:16:a8:56:d0:d4] Found site: Default (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
> Dec 9 08:35:10 packetfence pfqueue: pfqueue(20477) INFO: [mac:28:16:a8:56:d0:d4] Deauth on site: Default (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
> Dec 9 08:35:10 packetfence pfqueue: pfqueue(20477) INFO: [mac:28:16:a8:56:d0:d4] Switched status on the Unifi controller using command kick-sta (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
> Dec 9 08:35:11 packetfence packetfence_httpd.aaa: httpd.aaa(2540) INFO: [mac:28:16:a8:56:d0:d4] handling radius autz request: from switch_ip => (10.99.1.128), connection_type => Wireless-802.11-EAP,switch_mac => (2a:e8:29:9a:bd:c2), mac => [28:16:a8:56:d0:d4], port => 0, username => "host/PC102.schoepfgmbh.local", ssid => SCHOEPFINTRANET (pf::radius::authorize)
> Dec 9 08:35:11 packetfence packetfence_httpd.aaa: httpd.aaa(2540) INFO: [mac:28:16:a8:56:d0:d4] is doing machine auth with account 'host/PC102.schoepfgmbh.local'. (pf::radius::authorize)
> Dec 9 08:35:11 packetfence packetfence_httpd.aaa: httpd.aaa(2540) INFO: [mac:28:16:a8:56:d0:d4] Instantiate profile WLAN_EAP (pf::Connection::ProfileFactory::_from_profile)
> Dec 9 08:35:11 packetfence packetfence_httpd.aaa: httpd.aaa(2540) INFO: [mac:28:16:a8:56:d0:d4] is of status pending; belongs into registration VLAN (pf::role::getRegistrationRole)
> Dec 9 08:35:11 packetfence packetfence_httpd.aaa: httpd.aaa(2540) INFO: [mac:28:16:a8:56:d0:d4] (10.99.1.128) Added VLAN 201 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
> Dec 9 08:35:12 packetfence pfqueue: pfqueue(20479) INFO: [mac:28:16:a8:56:d0:d4] Instantiate profile WLAN_EAP (pf::Connection::ProfileFactory::_from_profile)
> Dec 9 08:35:12 packetfence packetfence_httpd.aaa: httpd.aaa(2540) INFO: [mac:28:16:a8:56:d0:d4] Updating locationlog from accounting request (pf::api::handle_accounting_metadata)
> Dec 9 08:35:13 packetfence packetfence_httpd.aaa: httpd.aaa(2540) WARN: [mac:28:16:a8:56:d0:d4] Unable to pull accounting history for device 28:16:a8:56:d0:d4. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
> Dec 9 08:35:13 packetfence packetfence_httpd.aaa: httpd.aaa(2540) WARN: [mac:28:16:a8:56:d0:d4] Unable to pull accounting history for device 28:16:a8:56:d0:d4. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
> Dec 9 08:35:13 packetfence pfqueue: pfqueue(19974) WARN: [mac:28:16:a8:56:d0:d4] Unable to match MAC address to IP '10.201.1.166' (pf::ip4log::ip2mac)
> Dec 9 08:35:13 packetfence pfqueue: pfqueue(19974) INFO: [mac:28:16:a8:56:d0:d4] oldip (10.11.1.157) and newip (10.201.1.166) are different for 28:16:a8:56:d0:d4 - closing ip4log entry (pf::api::update_ip4log)
> Dec 9 08:35:13 packetfence pfqueue: pfqueue(20480) INFO: [mac:28:16:a8:56:d0:d4] Instantiate profile WLAN_EAP (pf::Connection::ProfileFactory::_from_profile)
> Dec 9 08:35:13 packetfence pfipset[2314]: t=2020-12-09T08:35:13+0100 lvl=info msg="No Inline Network bypass ipsets reload" pid=2314
>
> Best regards and many thanks
> Florian
>
> E. Schoepf GmbH
> Rathausstraße 18, 95236 Stammbach
> Register court: Hof, HRB 47
> Managing Director: Florian Krug
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
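Added example (not part of the original thread and not PacketFence code): a small Python triage script that scans packetfence.log for the sequence in the quoted log, where pf::action::action_enforce_provisioning puts a node back to pending and a VLAN reassignment and deauth follow. The function name find_provisioning_demotions is hypothetical, and the last sample line (MAC 00:11:22:33:44:55) is constructed for illustration.

```python
import re

# Sample input: lines 1-4 are copied from the thread, line 5 (another MAC) is constructed.
SAMPLE_LOG = """\
Dec 9 08:35:09 packetfence packetfence_httpd.webservices: httpd.webservices(2559) INFO: [mac:28:16:a8:56:d0:d4] Instantiate profile WLAN_EAP (pf::Connection::ProfileFactory::_from_profile)
Dec 9 08:35:09 packetfence packetfence_httpd.webservices: httpd.webservices(2559) WARN: [mac:28:16:a8:56:d0:d4] 28:16:a8:56:d0:d4 is not authorized anymore with it's provisionner. Putting node as pending. (pf::action::action_enforce_provisioning)
Dec 9 08:35:09 packetfence packetfence_httpd.webservices: httpd.webservices(2559) INFO: [mac:28:16:a8:56:d0:d4] VLAN reassignment required (current VLAN = 11 but should be in VLAN 201) (pf::enforcement::_should_we_reassign_vlan)
Dec 9 08:35:10 packetfence pfqueue: pfqueue(20477) INFO: [mac:28:16:a8:56:d0:d4] Switched status on the Unifi controller using command kick-sta (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
Dec 9 08:35:11 packetfence packetfence_httpd.aaa: httpd.aaa(2540) INFO: [mac:00:11:22:33:44:55] Instantiate profile WLAN_EAP (pf::Connection::ProfileFactory::_from_profile)
"""

# Captures: timestamp, MAC, message text, emitting Perl function.
LINE = re.compile(
    r"^(\w+\s+\d+\s+[\d:]+)\s.*?\[mac:([0-9a-f:]{17})\]\s+(.*?)\s+\((pf::[\w:]+)\)\s*$"
)
VLAN = re.compile(r"current VLAN = (\d+) but should be in VLAN (\d+)")


def find_provisioning_demotions(log_text):
    """Hypothetical helper (not a PacketFence API): list nodes set to pending
    by provisioning enforcement, with the profile and VLAN move that followed."""
    profile = {}   # mac -> last connection profile instantiated
    pending = {}   # mac -> demotion record still being filled in
    found = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # lines without a [mac:...] tag are not per-node events
        ts, mac, msg, func = m.groups()
        if func.endswith("::_from_profile") and msg.startswith("Instantiate profile "):
            profile[mac] = msg.split()[-1]
        elif func.endswith("::action_enforce_provisioning") and "Putting node as pending" in msg:
            ev = {"time": ts, "mac": mac, "profile": profile.get(mac),
                  "from_vlan": None, "to_vlan": None, "deauth": False}
            pending[mac] = ev
            found.append(ev)
        elif mac in pending:
            v = VLAN.search(msg)
            if v:
                pending[mac]["from_vlan"], pending[mac]["to_vlan"] = map(int, v.groups())
            elif "kick-sta" in msg:
                pending[mac]["deauth"] = True
    return found


if __name__ == "__main__":
    for event in find_provisioning_demotions(SAMPLE_LOG):
        print(event)
```

Each returned record names the connection profile in effect when the node was demoted, which is the profile whose provisioner and auto-registration settings the reply asks about.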
