I have the radius shared secret in the switch config and it matches the secret in both auth and accounting in Smart zone.
On Fri, Sep 26, 2025, 8:45 AM Zammit, Ludovic <[email protected]> wrote: > Hello Jason, > > It looks like you are missing a radius shared in your switch config in PF. > > Make sure it set every where. > > Thanks, > > > > *Ludovic Zammit* > *Product Support Engineer Principal Lead* > *Cell:* +1.613.670.8432 > Akamai Technologies - Inverse > 145 Broadway > <https://www.google.com/maps/search/145+Broadway+Cambridge,+MA+02142?entry=gmail&source=g> > Cambridge, MA 02142 > <https://www.google.com/maps/search/145+Broadway+Cambridge,+MA+02142?entry=gmail&source=g> > Connect with Us: <https://community.akamai.com> <http://blogs.akamai.com> > <https://twitter.com/akamai> <http://www.facebook.com/AkamaiTechnologies> > <http://www.linkedin.com/company/akamai-technologies> > <http://www.youtube.com/user/akamaitechnologies?feature=results_main> > > On Sep 25, 2025, at 2:18 PM, Jason Maxfield <[email protected]> > wrote: > > This Message Is From an Untrusted Sender > You have not previously corresponded with this sender. > Hi Ludovic, > > Yes I do see the Acct-Session-Id. I also see it in all other connections > as well. > > Here is some more info: > > radsniff log: > > Accounting-Request Id 111 eth0:172.17.1.6:42214 > <https://urldefense.com/v3/__http://172.17.1.6:42214__;!!GjvTz_vk!UiGLp9h2kQzM2iepMELVQhU1lTM9dDX9gAyw-tn-dIHw32JR6nGhEPSI1PYED5tQtYlIdFp99fV43QQb8w3M81tIJA$> > -> 172.17.1.9:1813 > <https://urldefense.com/v3/__http://172.17.1.9:1813__;!!GjvTz_vk!UiGLp9h2kQzM2iepMELVQhU1lTM9dDX9gAyw-tn-dIHw32JR6nGhEPSI1PYED5tQtYlIdFp99fV43QQb8w2oy9Wlog$> > +0.028 > User-Name = "aa:90:2d:xx:xx:xx" > NAS-IP-Address = 172.17.1.6 > NAS-Port = 72 > Framed-IP-Address = 172.17.2.48 > Called-Station-Id = "C8-84-8C-xx-xx-xx:xxxxx" > Calling-Station-Id = "AA-90-2D-xx-xx-xx" > NAS-Identifier = "C8-84-8C-xx-xx-xx" > Proxy-State = 0x323533 > NAS-Port-Type = Wireless-802.11 > Acct-Status-Type = Interim-Update > Acct-Input-Octets = 2286535 > Acct-Output-Octets = 71838619 > Acct-Session-Id = "68D580B5-3765D001" > Acct-Authentic = Local > Acct-Session-Time = 300 > Acct-Input-Packets = 6893 > Acct-Output-Packets = 140404 > Acct-Multi-Session-Id = "c88x" > Acct-Link-Count = 1 > Event-Timestamp = "Sep 25 2025 10:54:41 PDT" > Connect-Info = "CONNECT 802.11a/n/ac/ax" > Ruckus-Sta-RSSI = 37 > Ruckus-SSID = "xxxxxx" > Ruckus-Location = "xxxxx" > Ruckus-SCG-CBlade-IP = xxxxxxx > Ruckus-VLAN-ID = 1 > Ruckus-BSSID = 0xc88x > Authenticator-Field = 0x4f2x > 2025-09-25 10:54:41.708585 (4) Accounting-Response Id 111 eth0: > 172.17.1.6:42214 > <https://urldefense.com/v3/__http://172.17.1.6:42214__;!!GjvTz_vk!UiGLp9h2kQzM2iepMELVQhU1lTM9dDX9gAyw-tn-dIHw32JR6nGhEPSI1PYED5tQtYlIdFp99fV43QQb8w3M81tIJA$> > <- 172.17.1.9:1813 > <https://urldefense.com/v3/__http://172.17.1.9:1813__;!!GjvTz_vk!UiGLp9h2kQzM2iepMELVQhU1lTM9dDX9gAyw-tn-dIHw32JR6nGhEPSI1PYED5tQtYlIdFp99fV43QQb8w2oy9Wlog$> > +0.029 +0.000 > Reply-Message = "Accounting OK" > Proxy-State = 0x323533 > Authenticator-Field = 0x73bx > > RADIUS Audit log in PF: > RADIUS > RADIUS Request > Called-Station-Id = "c8:84:8c:xx:xx:xx:xxxxx", > Called-Station-SSID = "xxxxx", > Calling-Station-Id = "aa:90:2d:xx:xx:xx", > Event-Timestamp = "Sep 25 2025 10:49:41 PDT", > FreeRADIUS-Client-IP-Address = "172.17.1.6", > Location-Data = "0x313x", > Location-Data = "0x323x", > Message-Authenticator = "0x355x", > NAS-IP-Address = "172.17.1.6", > NAS-Identifier = "C8-84-8C-xx-xx-xx", > NAS-Port-Type = "Wireless-802.11", > PacketFence-KeyBalanced = "cb9x", > PacketFence-Radius-Ip = "172.17.1.9", > Proxy-State = "0x313x", > Realm = "null", > Ruckus-BSSID = "0xc88x", > Ruckus-Cluster-Name = "xxxxxx", > Ruckus-Domain-Name = "xxxxxxx", > Ruckus-Location = "xxxxxxx", > Ruckus-SCG-CBlade-IP = "2.88x", > Ruckus-SSID = "xxxxxx", > Ruckus-VLAN-ID = "1", > Ruckus-Wlan-Name = "xxxxx", > Ruckus-Zone-Name = "xxxxxxx", > Service-Type = "Framed-User", > Stripped-User-Name = "aa:90:2d:xx:xx:xx", > User-Name = "aa:90:2d:xx:xx:xx", > User-Password = "******" > RADIUS Reply > Proxy-State = "0x313x", > REST-HTTP-Status-Code = "200", > Tunnel-Medium-Type = "IEEE-802", > Tunnel-Private-Group-Id = "1", > Tunnel-Type = "VLAN" > > Node Information > MAC Address aa:90:2d:xx:xx:xx > Auth Status Accept > Auth Type Accept > Auto Registration No > Calling Station Identifier aa:90:2d:xx:xx:xx > Computer Name N/A > EAP Type > Event Type Radius-Access-Request > IP Address N/A > Is a Phone No > Created at 2025-09-25T10:49:45-07:00 > Node Status reg > Domain > Profile Wireless > Realm null > Reason > Role Faculty > Source N/A > Stripped User Name aa:90:2d:xx:xx:xx > User Name aa:90:2d:xx:xx:xx > Unique Identifier > > > This is the code that errors (specific lines bolded): > > sub node_accounting_dynauth_attr { > my ($mac) = @_; > *if(my $entry = pf::accounting->cache->get($mac)){* > * return {username => $entry->{'User-Name'}, acctsessionid => > $entry->{'Acct-Session-Id'}};* > * }* > return _db_item( > -columns => [qw(username acctsessionid)], > -where => { > acctstoptime => undef, > callingstationid => $mac, > }, > -limit => 1, > -order_by => {-desc => 'acctstarttime'}, > ); > } > > > > On Wed, Sep 24, 2025, 11:58 AM Zammit, Ludovic <[email protected]> wrote: > >> Hello Jason, >> >> Try that: >> >> radnsiff -x -p 1813 >> >> Disconnect and reconnect. >> >> Do you see the accounting start packet with the Session Id? >> >> Thanks, >> >> *Ludovic Zammit* >> *Product Support Engineer Principal Lead* >> *Cell:* +1.613.670.8432 >> Akamai Technologies - Inverse >> 145 Broadway >> <https://urldefense.com/v3/__https://www.google.com/maps/search/145*Broadway*Cambridge,*MA*02142?entry=gmail&source=g__;KysrKw!!GjvTz_vk!UiGLp9h2kQzM2iepMELVQhU1lTM9dDX9gAyw-tn-dIHw32JR6nGhEPSI1PYED5tQtYlIdFp99fV43QQb8w298blN9A$> >> Cambridge, MA 02142 >> <https://urldefense.com/v3/__https://www.google.com/maps/search/145*Broadway*Cambridge,*MA*02142?entry=gmail&source=g__;KysrKw!!GjvTz_vk!UiGLp9h2kQzM2iepMELVQhU1lTM9dDX9gAyw-tn-dIHw32JR6nGhEPSI1PYED5tQtYlIdFp99fV43QQb8w298blN9A$> >> Connect with Us: <https://community.akamai.com/> >> <http://blogs.akamai.com/> >> <https://urldefense.com/v3/__https://twitter.com/akamai__;!!GjvTz_vk!UiGLp9h2kQzM2iepMELVQhU1lTM9dDX9gAyw-tn-dIHw32JR6nGhEPSI1PYED5tQtYlIdFp99fV43QQb8w3qG1FIog$> >> >> <https://urldefense.com/v3/__http://www.facebook.com/AkamaiTechnologies__;!!GjvTz_vk!UiGLp9h2kQzM2iepMELVQhU1lTM9dDX9gAyw-tn-dIHw32JR6nGhEPSI1PYED5tQtYlIdFp99fV43QQb8w0QWYboog$> >> >> <https://urldefense.com/v3/__http://www.linkedin.com/company/akamai-technologies__;!!GjvTz_vk!UiGLp9h2kQzM2iepMELVQhU1lTM9dDX9gAyw-tn-dIHw32JR6nGhEPSI1PYED5tQtYlIdFp99fV43QQb8w3YQi1aXg$> >> >> <https://urldefense.com/v3/__http://www.youtube.com/user/akamaitechnologies?feature=results_main__;!!GjvTz_vk!UiGLp9h2kQzM2iepMELVQhU1lTM9dDX9gAyw-tn-dIHw32JR6nGhEPSI1PYED5tQtYlIdFp99fV43QQb8w0YoGLTQA$> >> >> On Sep 12, 2025, at 12:14 PM, Jason Maxfield via PacketFence-users < >> [email protected]> wrote: >> >> This Message Is From an External Sender >> This message came from outside your organization. >> I realize now that I'm not getting Acct-Session-Id. Anyone have any >> insight on this? >> >> This is what shows up in RADIUS Audit Logs: >> <Screenshot_20250912-090220.png> >> >> I'm getting online/offline status of nodes so accounting is working. I >> feel like there's a config setting somewhere that I'm missing. >> >> On Wed, Jul 9, 2025, 1:56 PM Jason Maxfield <[email protected]> >> wrote: >> >>> PF version: 14.1 >>> SmartZone version: 6.1.2 >>> >>> >>> >>> I can't figure out why PF isn't sending the deauth to SmartZone. >>> >>> Here is the log during a successful authentication: >>> >>> 2025-07-09T09:57:40.411141-07:00 packetfence >>> httpd.portal-docker-wrapper[3640743]: httpd.portal(16) INFO: >>> [mac:b6:28:df:72:70:17] User test has authenticated on the portal. >>> (captiveportal::PacketFence::DynamicRouting::Module::_username_set) >>> 2025-07-09T09:57:40.422941-07:00 packetfence >>> httpd.portal-docker-wrapper[3640743]: httpd.portal(16) INFO: >>> [mac:b6:28:df:72:70:17] security_event 1300003 force-closed for >>> b6:28:df:72:70:17 (pf::security_event::security_event_force_close) >>> 2025-07-09T09:57:40.427742-07:00 packetfence >>> httpd.portal-docker-wrapper[3640743]: httpd.portal(16) INFO: >>> [mac:b6:28:df:72:70:17] Instantiate profile Wireless (pf::Connection:: >>> ProfileFactory::_from_profile) >>> 2025-07-09T09:57:40.557972-07:00 packetfence >>> httpd.portal-docker-wrapper[3640743]: httpd.portal(14) INFO: >>> [mac:b6:28:df:72:70:17] Instantiate profile Wireless (pf::Connection:: >>> ProfileFactory::_from_profile) >>> 2025-07-09T09:57:40.558489-07:00 packetfence >>> httpd.portal-docker-wrapper[3640743]: httpd.portal(14) WARN: >>> [mac:b6:28:df:72:70:17] locale from the URL is not supported >>> (captiveportal::PacketFence::Controller::Root::getLanguages) >>> 2025-07-09T09:57:40.569495-07:00 packetfence >>> httpd.portal-docker-wrapper[3640743]: httpd.portal(14) INFO: >>> [mac:b6:28:df:72:70:17] Releasing device (captiveportal::PacketFence:: >>> DynamicRouting::Module::Root::release) >>> 2025-07-09T09:57:40.581710-07:00 packetfence >>> httpd.portal-docker-wrapper[3640743]: httpd.portal(14) INFO: >>> [mac:b6:28:df:72:70:17] re-evaluating access (manage_register called) >>> (pf::enforcement::reevaluate_access) >>> 2025-07-09T09:57:40.592158-07:00 packetfence >>> httpd.portal-docker-wrapper[3640743]: httpd.portal(14) INFO: >>> [mac:b6:28:df:72:70:17] Instantiate profile Wireless (pf::Connection:: >>> ProfileFactory::_from_profile) >>> 2025-07-09T09:57:40.592478-07:00 packetfence >>> httpd.portal-docker-wrapper[3640743]: httpd.portal(14) INFO: >>> [mac:b6:28:df:72:70:17] VLAN reassignment is forced. >>> (pf::enforcement::_should_we_reassign_vlan) >>> 2025-07-09T09:57:40.592478-07:00 packetfence >>> httpd.portal-docker-wrapper[3640743]: httpd.portal(14) INFO: >>> [mac:b6:28:df:72:70:17] switch port is (172.17.1.6) ifIndex 0connection >>> type: WiFi MAC Auth (pf::enforcement::_vlan_reevaluation) >>> 2025-07-09T09:57:41.712067-07:00 packetfence pfqueue-backend[3698633]: >>> pfqueue(3698633) INFO: [mac:b6:28:df:72:70:17] [b6:28:df:72:70:17] >>> DesAssociating mac on switch (172.17.1.6) (pf::api::desAssociate) >>> 2025-07-09T09:57:41.716073-07:00 packetfence pfqueue-backend[3698633]: >>> pfqueue(3698633) ERROR: [mac:b6:28:df:72:70:17] Error handling desAssociate >>> : must specify key at /usr/local/pf/lib/pf/accounting.pm >>> <https://urldefense.com/v3/__http://accounting.pm/__;!!GjvTz_vk!QHNi8l-XARQZocBjU-SwsD7cboLke1x1Xp-NyQsIyBRTxLI9FmR3Rqp-UrsBfYRKQXwbwqWSbviJtHHFfWEGgfgruxpdtX22aah2Cg$> >>> line >>> 262. >>> >>> >>> As you can see something is getting hung when trying to get the session >>> from accounting. The line in question leads me to believe it's not sending >>> the MAC properly? >>> >>> if(my $entry = pf::accounting->cache->get($mac)){ >>> >>> >>> >>> Here is my switches.conf: >>> >>> [172.17.1.6] >>> FacultyVlan=1 >>> group=Wireless >>> radiusSecret=PF_ENC[data:xxxx,tag:xxxx,iv:xxxx,ad:] >>> defaultVlan=1 >>> >>> [group Wireless] >>> description=Wireless Controllers >>> isolationVlan=107 >>> defaultVlan=3 >>> registrationVlan=105 >>> type=Ruckus::SmartZone >>> >>> I've tried clearing accounting cache: pmcmd cache accounting clear >>> >> _______________________________________________ >> PacketFence-users mailing list >> [email protected] >> >> https://urldefense.com/v3/__https://lists.sourceforge.net/lists/listinfo/packetfence-users__;!!GjvTz_vk!QHNi8l-XARQZocBjU-SwsD7cboLke1x1Xp-NyQsIyBRTxLI9FmR3Rqp-UrsBfYRKQXwbwqWSbviJtHHFfWEGgfgruxpdtX3eAzxp-w$ >> >> >
_______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
