Fabrice, Adrian, PF users

Happy 2021!

I have received feedback from Mikrotik Support regarding Error-Cause =
Unsupported-Extension:

> Hello,
>
> Thank you for contacting MikroTik Support and sorry for the late reply.
>
> Yes, it seems that's the case, with using wrong attributes, as Error 406
> means an unsupported extension.
>
> As a test, you could try enabling "use_tunneled_reply" on your RADIUS
> server.
>
> If it still doesn't work, please let us know and send us a Supout.rif made
> while the issue is present - like in your screenshot.
>
> Best regards,
> Guntis G.
>

Where can I enable "use_tunneled_reply" on PacketFence so I can test this?

My TK support on Mikrotik is still open, a good opportunity to send them
any testing.

Thanks, Enrique.



On Sun, 20 Dec 2020 at 19:27, Adrian D'Atri-Guiran via PacketFence-users
(<packetfence-users@lists.sourceforge.net>) wrote:

> Hi Fabrice,
>
> It seems to me that MikroTik also requires the IP address.  When I submit
> anything that doesn't have the Framed-Ip-Address as part of the query, I
> see "Radius disconnect with no ip provided" in radius logs (see attached).
>
> https://forum.mikrotik.com/viewtopic.php?t=6672
>
> On Tue, Dec 15, 2020 at 11:55 AM Fabrice Durand <fdur...@inverse.ca>
> wrote:
>
>> Hello Adrian,
>>
>> If you can, try other MAC formats to see if one works.
>>
>> like:
>>
>> 5c:e0:c5:c1:d6:fd
>>
>> 5C:E0:C5:C1:D6:FD
>>
>> 5c-e0-c5-c1-d6-fd
>>
>> 5C-E0-C5-C1-D6-FD
>>
>> 5ce0c5c1d6fd
>>
>> 5CE0C5C1D6FD
>>
>> Regards
>>
>> Fabrice
>>
>>
>> On 2020-12-15 at 13:06, Adrian D'Atri-Guiran wrote:
>>
>> Hi Fabrice,
>>
>> I played around with it a bit further, and here's a working test:
>> echo "Framed-IP-Address=10.5.50.2" | radclient -x 10.2.2.1:3799 disconnect secret
>> Sent Disconnect-Request Id 44 from 0.0.0.0:37354 to 10.2.2.1:3799 length 26
>>         Framed-IP-Address = 10.5.50.2
>> Received Disconnect-ACK Id 44 from 10.2.2.1:3799 to 10.2.2.254:37354 length 30
>>         NAS-Identifier = "MikroTik"
>>
>> Where 10.5.50.2 is the client IP and 10.2.2.1 is the IP of my main
>> MikroTik router that manages the hotspot.  This command instantly
>> deauthenticated the client, but did not remove the client's Cookie.  For
>> this reason I believe that we should have "cookie" disabled under Hotspot
>> -> Server Profiles -> Login -> Login By (uncheck Cookie).
>>
>> My problem is I don't know how to fix Mikrotik.pm: how do I access the
>> client IP? I want to do something like:
>> 'Framed-IP-Address' => "$client_ip_address",
>> on:
>> https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Mikrotik.pm#L230
>>
>> Also I guess we must be careful here because in some scenarios if the
>> client has been assigned a new IP and packetfence is not yet aware of it,
>> this could break. MAC address would probably be better for
>> deauthenticating, but I haven't managed to get that working yet.
>>
>> Thanks!
>> -Adrian
>>
>>
>> On Mon, Dec 14, 2020 at 6:02 PM Adrian D'Atri-Guiran <
>> adrian.datri.gui...@gmail.com> wrote:
>>
>>> Thank you,
>>>
>>> >btw you can try to add:
>>> >'Calling-Station-Id' => $mac,
>>> I have attempted this and the result was a new error (and client remains
>>> authenticated on the mikrotik hotspot):
>>>
>>> Dec 14 20:58:08 radius pfqueue: pfqueue(4868) WARN:
>>> [mac:5c:e0:c5:c1:d6:fd] Unable to pull accounting history for device
>>> 5c:e0:c5:c1:d6:fd. The history set doesn't exist yet.
>>> (pf::accounting_events_history::latest_mac_history)
>>> Dec 14 20:58:08 radius pfqueue: pfqueue(4868) WARN:
>>> [mac:5c:e0:c5:c1:d6:fd] Unable to pull accounting history for device
>>> 5c:e0:c5:c1:d6:fd. The history set doesn't exist yet.
>>> (pf::accounting_events_history::latest_mac_history)
>>> Dec 14 20:58:18 radius packetfence_httpd.webservices:
>>> httpd.webservices(4444) INFO: [mac:5c:e0:c5:c1:d6:fd] [5c:e0:c5:c1:d6:fd]
>>> DesAssociating mac on switch (10.2.2.1) (pf::api::desAssociate)
>>> Dec 14 20:58:18 radius packetfence_httpd.webservices:
>>> httpd.webservices(4444) INFO: [mac:5c:e0:c5:c1:d6:fd] deauthenticating
>>> 5c:e0:c5:c1:d6:fd (pf::Switch::Mikrotik::radiusDisconnect)
>>> Dec 14 20:58:18 radius packetfence_httpd.webservices:
>>> httpd.webservices(4444) INFO: [mac:5c:e0:c5:c1:d6:fd] controllerIp is set,
>>> we will use controller 10.2.2.1 to perform deauth
>>> (pf::Switch::Mikrotik::radiusDisconnect)
>>> Dec 14 20:58:18 radius packetfence_httpd.webservices:
>>> httpd.webservices(4444) WARN: [mac:5c:e0:c5:c1:d6:fd] Unable to perform
>>> RADIUS Disconnect-Request. Disconnect-NAK received with Error-Cause:
>>> Unsupported-Extension. (pf::Switch::Mikrotik::radiusDisconnect)
>>> Dec 14 20:58:18 radius packetfence_httpd.webservices:
>>> httpd.webservices(4444) INFO: [mac:5c:e0:c5:c1:d6:fd] [5c:e0:c5:c1:d6:fd]
>>> DesAssociating mac on switch (10.2.2.1) (pf::api::desAssociate)
>>> Dec 14 20:58:18 radius packetfence_httpd.webservices:
>>> httpd.webservices(4444) INFO: [mac:5c:e0:c5:c1:d6:fd] deauthenticating
>>> 5c:e0:c5:c1:d6:fd (pf::Switch::Mikrotik::radiusDisconnect)
>>> Dec 14 20:58:18 radius packetfence_httpd.webservices:
>>> httpd.webservices(4444) INFO: [mac:5c:e0:c5:c1:d6:fd] controllerIp is set,
>>> we will use controller 10.2.2.1 to perform deauth
>>> (pf::Switch::Mikrotik::radiusDisconnect)
>>> Dec 14 20:58:18 radius packetfence_httpd.webservices:
>>> httpd.webservices(4444) WARN: [mac:5c:e0:c5:c1:d6:fd] Unable to perform
>>> RADIUS Disconnect-Request. Disconnect-NAK received with Error-Cause:
>>> Unsupported-Extension. (pf::Switch::Mikrotik::radiusDisconnect)
>>>
>>>
>>>
>>> On Fri, Dec 11, 2020 at 5:43 PM Durand fabrice via PacketFence-users <
>>> packetfence-users@lists.sourceforge.net> wrote:
>>>
>>>> btw you can try to add:
>>>>
>>>> 'Calling-Station-Id' => $mac,
>>>>
>>>> here:
>>>>
>>>>
>>>> https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Mikrotik.pm#L230
>>>>
>>>>
>>>> On 2020-12-11 at 20:31, Durand fabrice via PacketFence-users wrote:
>>>> > The code needs to be updated:
>>>> >
>>>> >
>>>> > https://forum.mikrotik.com/viewtopic.php?t=33063
>>>> >
>>>> >
>>>> > On 2020-12-11 at 14:28, Enrique Gross via PacketFence-users wrote:
>>>> >> Hi PF users! Hope you are all doing well
>>>> >>
>>>> >> Hi Fabrice,
>>>> >>
>>>> >> I have read the mail Adrian sent you regarding COA and Mikrotik. I
>>>> >> have been using SSH to disconnect CAPSMAN devices, but I was
>>>> >> interested in using Radius COA.
>>>> >>
>>>> >> This is the output of radsniff after successful registration at the
>>>> >> captive-portal, role is assigned but no disconnection is made
>>>> >>
>>>> >> 2020-12-11 16:18:39.352569 (1) Disconnect-Request Id 219
>>>> >> any:192.168.67.86:56875 -> 192.168.67.254:3799 +0.000
>>>> >>          User-Name = "C2:F7:64:FB:0E:69"
>>>> >>          Authenticator-Field = 0x677a789c11f3586ec7e73859e5b3080a
>>>> >> 2020-12-11 16:18:39.375064 (2) Disconnect-NAK Id 219
>>>> >> any:192.168.67.86:56875 <- 192.168.67.254:3799 +0.022 +0.022
>>>> >>          NAS-Identifier = "MK-IBERA2"
>>>> >>          Error-Cause = Unsupported-Extension
>>>> >>          Authenticator-Field = 0xb6261e8e06e5ecf78db2049bea689396
>>>> >> 2020-12-11 16:18:44.575064 (1) Cleaning up request packet ID 219
>>>> >>
>>>> >> This is Mikrotik side of log:
>>>> >>
>>>> >> 16:18:39 radius,debug,packet received Disconnect-Request with id 219
>>>> >> from 192.168.67.86:56875
>>>> >> 16:18:39 radius,debug,packet     Signature =
>>>> >> 0x677a789c11f3586ec7e73859e5b3080a
>>>> >> 16:18:39 radius,debug,packet     User-Name = "C2:F7:64:FB:0E:69"
>>>> >> 16:18:39 radius,debug received remote request 25
>>>> >> code=Disconnect-Request from 192.168.67.86:56875
>>>> >> 16:18:39 radius,debug sending Disconnect-NAK to remote request 25
>>>> >> 16:18:39 radius,debug,packet sending Disconnect-NAK with id 219 to
>>>> >> 192.168.67.86:56875
>>>> >> 16:18:39 radius,debug,packet     Signature =
>>>> >> 0xb6261e8e06e5ecf78db2049bea689396
>>>> >> 16:18:39 radius,debug,packet     Error-Cause = 406
>>>> >> 16:18:39 radius,debug,packet     NAS-Identifier = "MK-IBERA2"
>>>> >>
>>>> >> Thanks for your help,
>>>> >>
>>>> >> Enrique
>>>> >>
>>>> >>
>>>> >> --
>>>> >>
>>>> >>
>>>> >> _______________________________________________
>>>> >> PacketFence-users mailing list
>>>> >> PacketFence-users@lists.sourceforge.net
>>>> >> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>> >
>>> --
>> Fabrice Durand fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>>
>


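A troubleshooting aid for the exchange discussed in this thread, added here as an example (it is not code from PacketFence, FreeRADIUS, MikroTik or any poster): it pairs each Disconnect-Request in radsniff output with its reply by RADIUS Id, so you can see which attributes were sent and which Error-Cause came back. The sample is the radsniff capture quoted above with the mail line-wrapping undone; `pair_exchanges` and the regex names are chosen for this example, and the Error-Cause names are those of RFC 5176.

```python
import re

# RFC 5176 Error-Cause values most often seen in Disconnect/CoA NAKs
ERROR_CAUSE = {
    401: "Unsupported-Attribute", 402: "Missing-Attribute",
    403: "NAS-Identification-Mismatch", 404: "Invalid-Request",
    405: "Unsupported-Service", 406: "Unsupported-Extension",
    407: "Invalid-Attribute-Value", 501: "Administratively-Prohibited",
    503: "Session-Context-Not-Found", 504: "Session-Context-Not-Removable",
}

# radsniff output from the thread, with the mail client's line wrapping undone
SAMPLE = """\
2020-12-11 16:18:39.352569 (1) Disconnect-Request Id 219 any:192.168.67.86:56875 -> 192.168.67.254:3799 +0.000
         User-Name = "C2:F7:64:FB:0E:69"
         Authenticator-Field = 0x677a789c11f3586ec7e73859e5b3080a
2020-12-11 16:18:39.375064 (2) Disconnect-NAK Id 219 any:192.168.67.86:56875 <- 192.168.67.254:3799 +0.022 +0.022
         NAS-Identifier = "MK-IBERA2"
         Error-Cause = Unsupported-Extension
         Authenticator-Field = 0xb6261e8e06e5ecf78db2049bea689396
2020-12-11 16:18:44.575064 (1) Cleaning up request packet ID 219
"""

HEADER = re.compile(r"\(\d+\) (Disconnect|CoA)-(Request|ACK|NAK) Id (\d+) ")
ATTR = re.compile(r"^\s+([\w-]+) = (.*)$")

def pair_exchanges(text):
    """Group packets by RADIUS Id (assumes no Id reuse within the capture)."""
    exchanges, current = {}, None
    for line in text.splitlines():
        h = HEADER.search(line)
        if h:
            kind, pid = h.group(2), int(h.group(3))
            ex = exchanges.setdefault(pid, {"sent": {}, "reply": None, "cause": None})
            current = (ex, kind)
            if kind != "Request":
                ex["reply"] = kind
            continue
        a = ATTR.match(line)
        if a and current:
            ex, kind = current
            name, value = a.group(1), a.group(2).strip('"')
            if kind == "Request" and name != "Authenticator-Field":
                ex["sent"][name] = value
            elif name == "Error-Cause":
                # radsniff prints the name; the RouterOS log prints the number (406)
                ex["cause"] = ERROR_CAUSE.get(int(value), value) if value.isdigit() else value
    return exchanges
```

For the capture above, `pair_exchanges(SAMPLE)[219]` shows a request carrying only User-Name and a NAK with Unsupported-Extension.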