Hello Enrique,
use_tunneled_reply is a FreeRADIUS attribute, but I don't think it's
related to the issue (it's the authentication part).
(https://github.com/inverse-inc/packetfence/blob/devel/conf/radiusd/eap.conf.example)
The issue is when the CoA is sent.
Regards
Fabrice
On 21-01-08 at 11:36, Enrique Gross wrote:
Fabrice, Adrian, PF users
Happy 2021!
I have received feedback from Mikrotik Support regarding Error-Cause =
Unsupported-Extension:
Hello,
Thank you for contacting MikroTik Support and sorry for the late
reply.
Yes, it seems that's the case, with using wrong attributes, as
Error 406 means an unsupported extension.
As a test, you could try enabling "use_tunneled_reply" on your
RADIUS server.
If it still doesn't work, please let us know and send us a
Supout.rif made while the issue is present - like in your screenshot.
Best regards,
Guntis G.
Where can I enable "use_tunneled_reply" on PacketFence so I can test
this?
My TK support on Mikrotik is still open, a good opportunity to send
them any testing.
Thanks, Enrique.
On Sun, 20 Dec 2020 at 19:27, Adrian D'Atri-Guiran via
PacketFence-users (<packetfence-users@lists.sourceforge.net>) wrote:
Hi Fabrice,
It seems to me that mikrotik also requires the IP address. When I
submit anything that doesn't have the Framed-Ip-Address as part of
the query, I see "Radius disconnect with no ip provided" in radius
logs (see attached).
https://forum.mikrotik.com/viewtopic.php?t=6672
On Tue, Dec 15, 2020 at 11:55 AM Fabrice Durand
<fdur...@inverse.ca> wrote:
Hello Adrian,
If you can, try other MAC formats to see if one works,
like:
5c:e0:c5:c1:d6:fd
5C:E0:C5:C1:D6:FD
5c-e0-c5-c1-d6-fd
5C-E0-C5-C1-D6-FD
5ce0c5c1d6fd
5CE0C5C1D6FD
Regards
Fabrice
On 20-12-15 at 13:06, Adrian D'Atri-Guiran wrote:
Hi Fabrice,
I played around with it a bit further, and here's a working test:
echo "Framed-IP-Address=10.5.50.2" | radclient -x 10.2.2.1:3799 disconnect secret
Sent Disconnect-Request Id 44 from 0.0.0.0:37354 to 10.2.2.1:3799 length 26
Framed-IP-Address = 10.5.50.2
Received Disconnect-ACK Id 44 from 10.2.2.1:3799 to 10.2.2.254:37354 length 30
NAS-Identifier = "MikroTik"
Where 10.5.50.2 is the client IP and 10.2.2.1 is the IP of
my main mikrotik router that manages the hotspot. This
command instantly deauthenticated the client, but did not
remove the client's Cookie. For this reason I believe that
we should have "cookie" disabled under Hotspot -> Server
Profiles -> Login -> Login By (uncheck Cookie).
My problem is I don't know how to fix Mikrotik.pm. How do I
access the client IP? I want to do something like:
'Framed-IP-Address' => "$client_ip_address",
on:
https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Mikrotik.pm#L230
Also I guess we must be careful here because in some
scenarios if the client has been assigned a new IP and
packetfence is not yet aware of it, this could break. MAC
address would probably be better for deauthenticating, but I
haven't managed to get that working yet.
Thanks!
-Adrian
On Mon, Dec 14, 2020 at 6:02 PM Adrian D'Atri-Guiran
<adrian.datri.gui...@gmail.com> wrote:
Thank you,
>btw you can try to add:
>'Calling-Station-Id' => $mac,
I have attempted this and the result was a new error (and
client remains authenticated on the mikrotik hotspot):
Dec 14 20:58:08 radius pfqueue: pfqueue(4868) WARN: [mac:5c:e0:c5:c1:d6:fd] Unable to pull accounting history for device 5c:e0:c5:c1:d6:fd. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
Dec 14 20:58:08 radius pfqueue: pfqueue(4868) WARN: [mac:5c:e0:c5:c1:d6:fd] Unable to pull accounting history for device 5c:e0:c5:c1:d6:fd. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
Dec 14 20:58:18 radius packetfence_httpd.webservices: httpd.webservices(4444) INFO: [mac:5c:e0:c5:c1:d6:fd] [5c:e0:c5:c1:d6:fd] DesAssociating mac on switch (10.2.2.1) (pf::api::desAssociate)
Dec 14 20:58:18 radius packetfence_httpd.webservices: httpd.webservices(4444) INFO: [mac:5c:e0:c5:c1:d6:fd] deauthenticating 5c:e0:c5:c1:d6:fd (pf::Switch::Mikrotik::radiusDisconnect)
Dec 14 20:58:18 radius packetfence_httpd.webservices: httpd.webservices(4444) INFO: [mac:5c:e0:c5:c1:d6:fd] controllerIp is set, we will use controller 10.2.2.1 to perform deauth (pf::Switch::Mikrotik::radiusDisconnect)
Dec 14 20:58:18 radius packetfence_httpd.webservices: httpd.webservices(4444) WARN: [mac:5c:e0:c5:c1:d6:fd] Unable to perform RADIUS Disconnect-Request. Disconnect-NAK received with Error-Cause: Unsupported-Extension. (pf::Switch::Mikrotik::radiusDisconnect)
Dec 14 20:58:18 radius packetfence_httpd.webservices: httpd.webservices(4444) INFO: [mac:5c:e0:c5:c1:d6:fd] [5c:e0:c5:c1:d6:fd] DesAssociating mac on switch (10.2.2.1) (pf::api::desAssociate)
Dec 14 20:58:18 radius packetfence_httpd.webservices: httpd.webservices(4444) INFO: [mac:5c:e0:c5:c1:d6:fd] deauthenticating 5c:e0:c5:c1:d6:fd (pf::Switch::Mikrotik::radiusDisconnect)
Dec 14 20:58:18 radius packetfence_httpd.webservices: httpd.webservices(4444) INFO: [mac:5c:e0:c5:c1:d6:fd] controllerIp is set, we will use controller 10.2.2.1 to perform deauth (pf::Switch::Mikrotik::radiusDisconnect)
Dec 14 20:58:18 radius packetfence_httpd.webservices: httpd.webservices(4444) WARN: [mac:5c:e0:c5:c1:d6:fd] Unable to perform RADIUS Disconnect-Request. Disconnect-NAK received with Error-Cause: Unsupported-Extension. (pf::Switch::Mikrotik::radiusDisconnect)
On Fri, Dec 11, 2020 at 5:43 PM Durand fabrice via
PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
btw you can try to add:
'Calling-Station-Id' => $mac,
here:
https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Mikrotik.pm#L230
On 20-12-11 at 20:31, Durand fabrice via
PacketFence-users wrote:
> The code needs to be updated:
>
>
> https://forum.mikrotik.com/viewtopic.php?t=33063
>
>
> On 20-12-11 at 14:28, Enrique Gross via PacketFence-users wrote:
>> Hi PF users! Hope you are all doing well
>>
>> Hi Fabrice,
>>
>> I have read the mail Adrian sent you regarding COA and Mikrotik. I
>> have been using SSH to disconnect CAPSMAN devices, but I was
>> interested in using Radius COA.
>>
>> This is the output of radsniff after successful registration at the
>> captive-portal, role is assigned but no disconnection is made
>>
>> 2020-12-11 16:18:39.352569 (1) Disconnect-Request Id 219 any:192.168.67.86:56875 -> 192.168.67.254:3799 +0.000
>> User-Name = "C2:F7:64:FB:0E:69"
>> Authenticator-Field = 0x677a789c11f3586ec7e73859e5b3080a
>> 2020-12-11 16:18:39.375064 (2) Disconnect-NAK Id 219 any:192.168.67.86:56875 <- 192.168.67.254:3799 +0.022 +0.022
>> NAS-Identifier = "MK-IBERA2"
>> Error-Cause = Unsupported-Extension
>> Authenticator-Field = 0xb6261e8e06e5ecf78db2049bea689396
>> 2020-12-11 16:18:44.575064 (1) Cleaning up request packet ID 219
>>
>> This is Mikrotik side of log:
>>
>> 16:18:39 radius,debug,packet received Disconnect-Request with id 219 from 192.168.67.86:56875
>> 16:18:39 radius,debug,packet Signature = 0x677a789c11f3586ec7e73859e5b3080a
>> 16:18:39 radius,debug,packet User-Name = "C2:F7:64:FB:0E:69"
>> 16:18:39 radius,debug received remote request 25 code=Disconnect-Request from 192.168.67.86:56875
>> 16:18:39 radius,debug sending Disconnect-NAK to remote request 25
>> 16:18:39 radius,debug,packet sending Disconnect-NAK with id 219 to 192.168.67.86:56875
>> 16:18:39 radius,debug,packet Signature = 0xb6261e8e06e5ecf78db2049bea689396
>> 16:18:39 radius,debug,packet Error-Cause = 406
>> 16:18:39 radius,debug,packet NAS-Identifier = "MK-IBERA2"
>>
>> Thanks for your help,
>>
>> Enrique
>>
>>
>> --
>>
>>
>> _______________________________________________
>> PacketFence-users mailing list
>> PacketFence-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
PacketFence (http://packetfence.org)
--
Fabrice Durand
fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
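
Added example, not part of the thread or of PacketFence's code: a Python sketch of the RFC 5176 Disconnect-Request discussed above. It builds the Framed-IP-Address request from the radclient test (20-octet header plus one 6-octet attribute, hence "length 26"), checks the Response Authenticator on the reply so a forged ACK or NAK is rejected, and decodes Error-Cause 406. The replies are constructed with the helper nas_reply(), which is hypothetical and stands in for the MikroTik; the shared secret "secret" is the one typed in the radclient test.

```python
import hashlib
import hmac
import socket
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, FRAMED_IP_ADDRESS, NAS_IDENTIFIER, ERROR_CAUSE = 1, 8, 32, 101
ERROR_CAUSES = {401: "Unsupported-Attribute", 402: "Missing-Attribute",
                406: "Unsupported-Extension", 503: "Session-Context-Not-Found"}

def attr(attr_type, value):
    """Encode one attribute; the Length octet covers Type, Length and Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def framed_ip(address):
    return attr(FRAMED_IP_ADDRESS, socket.inet_aton(address))

def build(code, ident, seed, attrs, secret):
    """Authenticator = MD5(Code + Id + Length + seed + Attributes + secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + seed + attrs + secret).digest() + attrs

def disconnect_request(ident, attrs, secret):
    # RFC 5176: the Request Authenticator is seeded with 16 zero octets.
    return build(DISCONNECT_REQUEST, ident, bytes(16), attrs, secret)

def nas_reply(code, request, attrs, secret):
    # Constructed stand-in for the NAS: replies are seeded with the request's authenticator.
    return build(code, request[1], request[4:20], attrs, secret)

def parse_reply(reply, request, secret):
    """Check the Response Authenticator, then decode the attributes."""
    if len(reply) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        raise ValueError("length or Identifier mismatch")
    good = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(good, reply[4:20]):
        raise ValueError("bad Response Authenticator")
    attrs, pos = {}, 20
    while pos < length:
        if length - pos < 2 or reply[pos + 1] < 2 or pos + reply[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[reply[pos]] = reply[pos + 2:pos + reply[pos + 1]]
        pos += reply[pos + 1]
    if ERROR_CAUSE in attrs:
        cause = int.from_bytes(attrs[ERROR_CAUSE], "big")
        attrs[ERROR_CAUSE] = ERROR_CAUSES.get(cause, str(cause))
    return code, attrs

if __name__ == "__main__":
    req = disconnect_request(44, framed_ip("10.5.50.2"), b"secret")
    ack = nas_reply(DISCONNECT_ACK, req, attr(NAS_IDENTIFIER, b"MikroTik"), b"secret")
    print(len(req), len(ack), parse_reply(ack, req, b"secret"))
```

The constructed ACK carrying NAS-Identifier = "MikroTik" comes out at 30 octets, matching the "length 30" in the radclient output.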