Any other suggestions which may help me track down this issue where I don't
see CoA traffic?

So the logs are clear, no real errors other than the ones I already
posted.

When I do a tcpdump on the PacketFence server to my WLC I see some traffic
at the beginning of the captive portal session, but I do not see any more
traffic after I successfully authenticate against one of the Social Media
authentication sources.  CoA is enabled on both the WLC and PacketFence.

tcpdump -eni eth0 host XXX.XXX.252.242
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
09:37:05.614981 a4:10:b6:7c:9c:ad > 00:50:56:a2:74:24, ethertype IPv4 (0x0800), length 316: XXX.XXX.252.242.32772 > XXX.XXX.0.28.1812: RADIUS, Access-Request (1), id: 0xe9 length: 274
09:37:05.649687 00:50:56:a2:74:24 > a4:10:b6:7c:9c:ad, ethertype IPv4 (0x0800), length 211: XXX.XXX.0.28.1812 > XXX.XXX.252.242.32772: RADIUS, Access-Accept (2), id: 0xe9 length: 169


There are no firewalls in between the packetfence and WLC.

On Fri, Mar 22, 2024 at 8:22 AM Giovanni Trapasso <
giovanni.trapa...@ualberta.ca> wrote:

> Thanks for the response.
>
> That was one of the first things I checked when I did not see any
> traffic between my WLC and PF server using tcpdump.  CoA and the disconnect
> option are enabled.
>
>
> On Fri, Mar 22, 2024 at 7:23 AM Zammit, Ludovic <luza...@akamai.com>
> wrote:
>
>> Hello Giovanni,
>>
>> It looks like the device is not getting kicked out with a Radius
>> disconnect or access changed with the CoA (Change of Authorization) and
>> that’s what caused the non role assignation.
>>
>> Make sure that the CoA is enabled on the PF Radius authentication server
>> in your WLC config.
>>
>> Thanks,
>>
>> *Ludovic Zammit*
>> *Product Support Engineer Principal Lead*
>> *Cell:* +1.613.670.8432
>> Akamai Technologies - Inverse
>> 145 Broadway
>> Cambridge, MA 02142
>>
>> On Mar 19, 2024, at 8:16 PM, Giovanni Trapasso via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>> Hello,
>>
>> I am running Packetfence 13.1 ZEN.  I have configured the server as a
>> captive portal using social media as external sources, Windows, Facebook
>> and Google.  I am using a Cisco WLC as a test box, running 8.5.x code.
>>
>> I have the server and the WLC configured as the documentation recommended
>> but I am having a slight issue after authentication.  I have the 2 ACLs for
>> Pre-Registration and authorized-all and in the logs I can see the
>> pre-registration ACL being applied as well as the registration vlan.  But
>> after a successful authentication to the social media external source I am
>> not getting the guest role I configured in my catchall action applied; as
>> well, I am not getting the vlan or authorized-all ACL which I have
>> configured on my WLC under switches under switch role.
>>
>> I attached the packetfence.log section during an authentication attempt
>> and I am guessing the issue is with this error in the log:
>>
>> Mar 19 18:00:51 guestauthpf httpd.portal-docker-wrapper[5391]:
>> httpd.portal(15) INFO: [mac:10:02:b5:3a:bd:21] person
>> usern...@telusplanet.net added (pf::person::person_add)
>>
>> Mar 19 18:00:51 guestauthpf httpd.portal-docker-wrapper[5391]:
>> httpd.portal(15) INFO: [mac:10:02:b5:3a:bd:21] OAuth2 successfull for
>> username usern...@telusplanet.net
>> (captiveportal::PacketFence::DynamicRouting::Module::Authentication::OAuth::handle_callback)
>>
>> Mar 19 18:00:51 guestauthpf httpd.portal-docker-wrapper[5391]:
>> httpd.portal(15) WARN: [mac:10:02:b5:3a:bd:21] Calling match with
>> empty/invalid rule class. Defaulting to 'authentication'
>> (pf::authentication::match)
>>
>> Mar 19 18:00:51 guestauthpf httpd.portal-docker-wrapper[5391]:
>> httpd.portal(15) INFO: [mac:10:02:b5:3a:bd:21] Using sources Windows_Live
>> for matching (pf::authentication::match)
>>
>>
>> I did find if I quickly bump wireless, disconnect and reconnect, it will
>> assign the guest roles and assign the guest vlan.
>>
>> I have attached a few log files, one is during the authentication attempt
>> and the other is when I bumped my wireless connection.
>>
>> I hope someone can help.
>> --
>> _______________________________________________________________
>> Giovanni Trapasso
>> University of Alberta
>> _______________________________________________________________
>> <bump wireless.txt><packetfence.log>
>
> --
> _______________________________________________________________
> Giovanni Trapasso
> Digital Networks and Data Center Services
> Information Services & Technology (IST)
> 269 General Services Building
> University of Alberta
> Edmonton, Alberta, Canada
> T6G 2E5
>
> Phone: (780) 492-4696
>
> To open a Technical Service call with IST go to:
> https://ist.ualberta.ca/ <https://otrs.srv.ualberta.ca/otrs/customer.pl>
>
> ** This communication is intended for the use of the recipient to whom it
> is addressed, and may contain confidential, personal, and/or privileged
> information. Please contact me immediately if you are not the intended
> recipient of this communication, and do not copy, distribute, or take
> action relying on it. Any communication received in error, or subsequent
> reply, should be deleted or destroyed.**
> _______________________________________________________________
>


-- 
_______________________________________________________________
Giovanni Trapasso
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
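
Added example, not part of the original thread and not PacketFence code: a small parser that reads a tcpdump text capture like the one posted above and reports whether the RADIUS server ever sent an RFC 5176 CoA-Request (43) or Disconnect-Request (40), and whether the NAS answered. The function names, verdict strings and sample addresses are assumptions made for illustration; the sample capture is constructed.

```python
import re
from collections import Counter

# RFC 5176 codes: 40/43 are requests sent by the RADIUS server, 41/44 ACKs, 42/45 NAKs.
REQUESTS, ACKS, NAKS = {40, 43}, {41, 44}, {42, 45}
TS = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")
PKT = re.compile(r"(\S+)\.\d+ > (\S+)\.\d+: RADIUS, [\w-]+ \((\d+)\), id: (0x[0-9a-f]+)")

# Constructed sample (documentation addresses), wrapped the way a mail client wraps it.
AUTH_ONLY = """\
09:37:05.614981 02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype IPv4
(0x0800), length 316: 192.0.2.242.32772 > 192.0.2.28.1812: RADIUS,
Access-Request (1), id: 0xe9 length: 274
09:37:05.649687 02:00:00:00:00:02 > 02:00:00:00:00:01, ethertype IPv4
(0x0800), length 211: 192.0.2.28.1812 > 192.0.2.242.32772: RADIUS,
Access-Accept (2), id: 0xe9 length: 169
"""
COA_SENT = AUTH_ONLY + ("09:37:40.100000 192.0.2.28.41000 > 192.0.2.242.3799: "
                        "RADIUS, CoA-Request (43), id: 0x11 length: 60\n")

def unwrap(text):
    """Rejoin lines a mail client wrapped: continuations carry no timestamp."""
    out = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if TS.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out

def coa_verdict(text, server_ip):
    """Say whether server_ip sent a CoA/Disconnect request and how the NAS answered."""
    pending, seen = set(), Counter()
    for m in filter(None, map(PKT.search, unwrap(text))):
        src, dst, code, ident = m[1], m[2], int(m[3]), m[4]
        if code in REQUESTS and src == server_ip:
            pending.add((dst, ident))
            seen["sent"] += 1
        elif code in ACKS | NAKS and (src, ident) in pending:
            pending.discard((src, ident))
            seen["nak" if code in NAKS else "ack"] += 1
    if not seen["sent"]:
        return "no-request-sent"   # server never emitted one: check its logs/config
    if seen["nak"]:
        return "rejected-by-nas"   # NAS replied with Disconnect-NAK or CoA-NAK
    return "unanswered" if pending else "acknowledged"

if __name__ == "__main__":
    for name, cap in (("auth only", AUTH_ONLY), ("CoA sent", COA_SENT)):
        print(name, "->", coa_verdict(cap, "192.0.2.28"))
```
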