[PacketFence-users] Aruba IAP radius CoA failing

2016-06-25 Thread Adam Smith
I'm having an issue with Aruba IAP and CoA.

It seems like the PacketFence server is not using the correct secret when
passing the CoA. It sends the disconnect fine, but that does not fully
disconnect the clients on the AP, and so they do not get a full RADIUS auth
request again.

I have tried recreating the packet with radclient and successfully sent the
CoA, and the only thing that I think has changed is the RADIUS secret. Does
anyone else know anything about this issue?

*Adam Smith*
Network Administrator
Sundance Institute
O:435.658.3456
E:adam_sm...@sundance.org
www.sundance.org

--
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Aruba IAP radius CoA failing

2016-06-25 Thread Adam Smith
Just an update on the system. I am using version 6.0.1 zen.
On Jun 24, 2016 5:07 PM, "Adam Smith"  wrote:

> I'm having an issue with aruba IAP and CoA
>
> It seems like the Packetfence server is not using the correct secret when
> passing the CoA,  it sends the disconnect fine, but that does not fully
> disconnect the clients on the ap and so they do not get a full radius auth
> request again
>
> I have tried recreating the packet with radclient and successfully send
> the CoA and the only thing that I think has changed is the radius secret,
> does anyone else know anything about this issue?
>
> *Adam Smith*
> Network Administrator
> Sundance Institute
> O:435.658.3456
> E:adam_sm...@sundance.org
> www.sundance.org
> 
>


Re: [PacketFence-users] Aruba IAP radius CoA failing

2016-06-25 Thread Tim DeNike
I use it with Aruba controller but I had to make some slight adjustments to
the pf module.  I don't recall the exact reason but it works good now for
changing the role in an external captive portal situation and also for
doing disconnects for 802.1x devices.  IIRC it was something to do with
Aruba not matching the session properly so I'm doing the CoA/disconnect
based on the MAC address and not the accounting session.

Sent from my iPhone

On Jun 25, 2016, at 9:12 AM, Adam Smith  wrote:

I'm having an issue with aruba IAP and CoA

It seems like the Packetfence server is not using the correct secret when
passing the CoA,  it sends the disconnect fine, but that does not fully
disconnect the clients on the ap and so they do not get a full radius auth
request again

I have tried recreating the packet with radclient and successfully send the
CoA and the only thing that I think has changed is the radius secret, does
anyone else know anything about this issue?

*Adam Smith*
Network Administrator

Sundance Institute
O:435.658.3456
E:adam_sm...@sundance.org
www.sundance.org
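
Two questions are open at this point in the thread: whether the CoA is signed with the secret the AP expects, and whether the request names the session by Acct-Session-Id or by MAC address. The following is an added example, not code from either poster or from PacketFence: it recomputes the RFC 5176 Request Authenticator of a captured Disconnect-Request or CoA-Request against candidate secrets and lists the identifying attributes the packet carries. The secrets, MAC address, session id and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes and the string attributes this example decodes.
CODES = {40: "Disconnect-Request", 43: "CoA-Request"}
ATTRS = {1: "User-Name", 11: "Filter-Id",
         31: "Calling-Station-Id", 44: "Acct-Session-Id"}
NAME_TO_TYPE = {name: num for num, name in ATTRS.items()}
SESSION_KEYS = ("Calling-Station-Id", "Acct-Session-Id")


def request_authenticator(code, ident, attrs, secret):
    """MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def build_request(code, ident, pairs, secret):
    """Encode (name, text) pairs and sign the packet; used to make sample input."""
    attrs = b""
    for name, text in pairs:
        data = text.encode()
        attrs += bytes([NAME_TO_TYPE[name], len(data) + 2]) + data
    auth = request_authenticator(code, ident, attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def parse_request(packet):
    """Split a raw UDP payload into header fields and decoded attributes."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in CODES:
        raise ValueError(f"code {code} is not a Disconnect/CoA request")
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not fit the captured data")
    auth, attrs = packet[4:20], packet[20:length]
    decoded, pos = [], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("attribute length runs past the packet")
        decoded.append((ATTRS.get(atype, f"Attr-{atype}"),
                        attrs[pos + 2:pos + alen]))
        pos += alen
    return code, ident, auth, attrs, decoded


def diagnose(packet, candidate_secrets):
    """Report which candidate secret signed the packet and how it names the session."""
    code, ident, auth, attrs, decoded = parse_request(packet)
    signed_with = [
        label for label, secret in candidate_secrets.items()
        if hmac.compare_digest(
            request_authenticator(code, ident, attrs, secret), auth)
    ]
    return {
        "type": CODES[code],
        "signed_with": signed_with,
        "session_keys": [n for n, _ in decoded if n in SESSION_KEYS],
    }


# Constructed sample data: neither secret nor the MAC comes from the thread.
SECRETS = {"configured_on_ap": b"constructed-secret-A",
           "used_by_server": b"constructed-secret-B"}
SAMPLE_MAC = "00:11:22:33:44:55"
SAMPLE_SESSION = "CONSTRUCTED-SESSION-01"


def sample_packets():
    """A disconnect keyed on MAC only (signed with the mismatched secret) and a
    CoA carrying both identifiers (signed with the secret the AP holds)."""
    by_mac = build_request(40, 7, [("Calling-Station-Id", SAMPLE_MAC)],
                           SECRETS["used_by_server"])
    by_both = build_request(43, 8, [("Calling-Station-Id", SAMPLE_MAC),
                                    ("Acct-Session-Id", SAMPLE_SESSION),
                                    ("Filter-Id", "constructed-role")],
                            SECRETS["configured_on_ap"])
    return by_mac, by_both


if __name__ == "__main__":
    for pkt in sample_packets():
        print(diagnose(pkt, SECRETS))
```

Feed `diagnose` the UDP payload of a request captured between the PacketFence server and the AP, with the secret from each side's configuration as candidates; an empty `signed_with` list means neither secret produced the authenticator on the wire.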




Re: [PacketFence-users] Aruba IAP radius CoA failing

2016-06-26 Thread Adam Smith
Thanks for the input.  Do you have any suggestions of what to look for or
where to make the changes?  I tried to do the radius debug, but I don't
think CoA or DM messages seem to show up when using raddebug.


Re: [PacketFence-users] Aruba IAP radius CoA failing

2016-06-26 Thread Tim DeNike
I'll try to grab you a diff of my module tomorrow. It was a really minor
change.

Sent from my iPhone

On Jun 26, 2016, at 8:35 AM, Adam Smith  wrote:

Thanks for the input.  Do you have any suggestions of what to look for or
where to make the changes.  I tried to do the radius debug, but I don't
think coa or DM messages seem to show up when using raddebug.



Re: [PacketFence-users] Aruba IAP radius CoA failing

2016-06-28 Thread Adam Smith
Tim,

Just wondering if you were able to get that module diff?

*Adam Smith*
Network Administrator
Sundance Institute
O:435.658.3456
E:adam_sm...@sundance.org
www.sundance.org


On Sun, Jun 26, 2016 at 9:06 AM, Tim DeNike  wrote:

> I'll try to grab you a diff of my module tomorrow. It was a really minor
> change.
>
> Sent from my iPhone
>
> On Jun 26, 2016, at 8:35 AM, Adam Smith  wrote:
>
> Thanks for the input.  Do you have any suggestions of what to look for or
> where to make the changes.  I tried to do the radius debug, but I don't
> think coa or DM messages seem to show up when using raddebug.


Re: [PacketFence-users] Aruba IAP radius CoA failing

2016-06-28 Thread Tim DeNike
Crap. Totally forgot. Sorry. In the middle of replacing all the edge
switches in our network. :)

I'll try to remember tomorrow morning.

Sent from my iPhone

On Jun 28, 2016, at 6:55 PM, Adam Smith  wrote:

Tim,

Just wondering if you were able to get that module diff?

*Adam Smith*
Network Administrator

Sundance Institute
O:435.658.3456
E:adam_sm...@sundance.org
www.sundance.org


On Sun, Jun 26, 2016 at 9:06 AM, Tim DeNike  wrote:

> I'll try to grab you a diff of my module tomorrow. It was a really minor
> change.
>
> Sent from my iPhone
>
> On Jun 26, 2016, at 8:35 AM, Adam Smith  wrote:
>
> Thanks for the input.  Do you have any suggestions of what to look for or
> where to make the changes.  I tried to do the radius debug, but I don't
> think coa or DM messages seem to show up when using raddebug.


Re: [PacketFence-users] Aruba IAP radius CoA failing

2016-06-28 Thread Adam Smith
Np I understand, get what you need done and you can get it back to me when
you're done. I'll check back in a week if I don't hear from you.
On Jun 28, 2016 5:17 PM, "Tim DeNike"  wrote:

Crap. Totally forgot. Sorry. In the middle of replacing all the edge
switches in our network. :)

I'll try to remember tomorrow morning.

Sent from my iPhone

On Jun 28, 2016, at 6:55 PM, Adam Smith  wrote:

Tim,

Just wondering if you were able to get that module diff?

*Adam Smith*
Network Administrator

Sundance Institute
O:435.658.3456
E:adam_sm...@sundance.org
www.sundance.org

On Sun, Jun 26, 2016 at 9:06 AM, Tim DeNike  wrote:

> I'll try to grab you a diff of my module tomorrow. It was a really minor
> change.
>
> Sent from my iPhone
>
> On Jun 26, 2016, at 8:35 AM, Adam Smith  wrote:
>
> Thanks for the input.  Do you have any suggestions of what to look for or
> where to make the changes.  I tried to do the radius debug, but I don't
> think coa or DM messages seem to show up when using raddebug.


Re: [PacketFence-users] Aruba IAP radius CoA failing

2016-07-05 Thread Adam Smith
Tim,
How is the change out going?  If you aren't too busy I was wondering if I
could get the diff info from you, if you aren't able to get it for me,
that's ok too.  Our PF server isn't in production yet, I'm mostly testing
it to see if it could replace the functionality that we were using on an
evaluation of another system.

*Adam Smith*
Network Administrator
Sundance Institute
O:435.658.3456
E:adam_sm...@sundance.org
www.sundance.org


On Tue, Jun 28, 2016 at 5:53 PM, Adam Smith  wrote:

> Np I understand, get what you need done and you can get it back to me when
> you're done. I'll check back in a week if I don't hear from you.
> On Jun 28, 2016 5:17 PM, "Tim DeNike"  wrote:
>
> Crap. Totally forgot. Sorry. In the middle of replacing all the edge
> switches in our network. :)
>
> I'll try to remember tomorrow morning.
>
> Sent from my iPhone
>
> On Jun 28, 2016, at 6:55 PM, Adam Smith  wrote:
>
> Tim,
>
> Just wondering if you were able to get that module diff?
>
> *Adam Smith*
> Network Administrator
> 
> Sundance Institute
> O:435.658.3456
> E:adam_sm...@sundance.org
> www.sundance.org
>
> On Sun, Jun 26, 2016 at 9:06 AM, Tim DeNike  wrote:
>
>> I'll try to grab you a diff of my module tomorrow. It was a really minor
>> change.
>>
>> Sent from my iPhone
>>
>> On Jun 26, 2016, at 8:35 AM, Adam Smith  wrote:
>>
>> Thanks for the input.  Do you have any suggestions of what to look for or
>> where to make the changes.  I tried to do the radius debug, but I don't
>> think coa or DM messages seem to show up when using raddebug.


Re: [PacketFence-users] Aruba IAP radius CoA failing

2016-07-06 Thread Tim DeNike
191 out of 240 switches down, 9 routers installed, Conversion to MPLS
done... That was the last 2.5 months... Then the datacenter

This is off PF 5.7.

I think what you are most interested in is the line where you comment out:

'Acct-Session-Id' => $acctsessionid,

Otherwise, diff below:

[root@packetfence1 Switch]# diff /root/Aruba.pm.1 Aruba.pm
73c73
< use pf::node qw(node_attributes);
---
> use pf::node;
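Review bot: Dropping the import list on the new `use pf::node;` line makes this module depend on whatever pf::node exports by default, while the sub added in the next hunk still calls `node_attributes($args->{'mac'})`. Keep `use pf::node qw(node_attributes);` and add any other function the file needs to that list, so a change to pf::node's default exports cannot break the module silently.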
395a396,460
> sub returnRadiusAccessAccept {
> my ($self, $args) = @_;
> my $logger = $self->logger();
>
> my $radius_reply_ref = {};
>
> # should this node be kicked out?
> my $kick = $self->handleRadiusDeny($args);
> return $kick if (defined($kick));
>
> # Inline Vs. VLAN enforcement
> my $role = "";
> my $node_info = node_attributes($args->{'mac'});
> if ( (!$args->{'wasInline'} || ($args->{'wasInline'} &&
$args->{'vlan'} != 0) ) && isenabled($self->{_VlanMap})) {
> if(defined($args->{'vlan'}) && $args->{'vlan'} ne "" &&
$args->{'vlan'} ne 0){
> $logger->info("(".$self->{'_id'}.") Added VLAN
$args->{'vlan'} to the returned RADIUS reply");
> $radius_reply_ref = {
> 'Tunnel-Medium-Type' => $RADIUS::ETHERNET,
> 'Tunnel-Type' => $RADIUS::VLAN,
> 'Tunnel-Private-Group-ID' => $args->{'vlan'},
> };
> }
> else {
> $logger->debug("(".$self->{'_id'}.") Received undefined VLAN.
No VLAN added to RADIUS Access-Accept");
> }
> }
>
> if ( isenabled($self->{_RoleMap}) &&
$self->supportsRoleBasedEnforcement()) {
> $logger->debug("Network device (".$self->{'_id'}.") supports
roles. Evaluating role to be returned");
> if ( defined($args->{'user_role'}) && $args->{'user_role'} ne ""
) {
> $role = $self->getRoleByName($args->{'user_role'});
> }
> if ( defined($role) && $role ne "" ) {
> $radius_reply_ref = {
> %$radius_reply_ref,
> $self->returnRoleAttributes($role),
> };
> $logger->info(
> "(".$self->{'_id'}.") Added role $role to the returned
RADIUS Access-Accept"
> );
> }
> else {
> $logger->debug("(".$self->{'_id'}.") Received undefined role.
No Role added to RADIUS Access-Accept");
> }
> }
> if ( defined($node_info->{'pid'}) && ( $node_info->{'pid'} ne
'default' ) && ( $node_info->{'pid'} ne 'admin' ) && ( $node_info->{'pid'}
ne '' ) ) {
> $radius_reply_ref = {
>  %$radius_reply_ref,
> 'User-Name' => $node_info->{'pid'},
> };
>
> $logger->info("(".$self->{'_id'}.") Returning ACCEPT with
User-Name: $node_info->{'pid'}");
> }
>
> $logger->info("(".$self->{'_id'}.") Returning ACCEPT with VLAN
$args->{'vlan'} ".( (defined($role) && $role ne "") ? "and role $role" : ""
));
> my $status = $RADIUS::RLM_MODULE_OK;
> if (!isenabled($args->{'unfiltered'})) {
> my $filter = pf::access_filter::radius->new;
> my $rule = $filter->test('returnRadiusAccessAccept', $args);
> ($radius_reply_ref, $status) =
$filter->handleAnswerInRule($rule,$args,$radius_reply_ref);
> }
>
> return [$status, %$radius_reply_ref];
> }
>
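Review bot: In the added returnRadiusAccessAccept, the VLAN condition evaluates `$args->{'vlan'} != 0` (when wasInline is set) before the inner `defined($args->{'vlan'})` check, and the final "Returning ACCEPT with VLAN" log line interpolates `$args->{'vlan'}` unconditionally, so a request with no VLAN reaches both with an undefined value. Move the defined and non-empty test ahead of the numeric comparison, use one comparison style instead of mixing `!= 0` and `ne 0`, and build the final log message only from values that are set. The sub also calls `pf::access_filter::radius->new` and no matching `use` line appears in this diff, so confirm Aruba.pm already loads that module.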
491c556
< 'Acct-Session-Id' => $acctsessionid,
---
> #'Acct-Session-Id' => $acctsessionid,
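Review bot: The `'Acct-Session-Id' => $acctsessionid,` line at 556 is disabled by commenting it out with no explanation, which leaves the request without the accounting session as an identifier and gives the next maintainer no reason why. Add a comment stating the cause (per the message above, Aruba not matching the session, so the match is made on MAC address instead), and consider making the attribute conditional rather than leaving dead code, so the original behaviour stays recoverable for devices that do match on the session.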
498,508c563,573
< if ( defined($role) && (defined($node_info->{'status'}) &&
isenabled($self->{_RoleMap}) ) ) {
<
< $attributes_ref = {
< %$attributes_ref,
< 'Filter-Id' => $role,
< };
< $logger->info("[$self->{'_ip'}] Returning ACCEPT with role:
$role");
< $response = perform_coa($connection_info, $attributes_ref);
<
< }
< else {
---
> #if ( defined($role) && (defined($node_info->{'status'}) &&
isenabled($self->{_RoleMap}) ) ) {
> #
> #$attributes_ref = {
> #%$attributes_ref,
> #'Filter-Id' => $role,
> #};
> #$logger->info("[$self->{'_ip'}] Returning ACCEPT with role:
$role");
> #$response = perform_coa($connection_info, $attributes_ref);
> #
> #}
> #else {
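Review bot: Commenting out the whole `if ( defined($role) && ... isenabled($self->{_RoleMap}) )` block, together with `else {` and the closing brace at 510, means this branch's `perform_coa` with `'Filter-Id' => $role` is never sent and whatever sits on the unchanged line 509 now runs on every call, regardless of `_RoleMap`. Delete the dead block instead of keeping it as comments, and state in a comment that the role-carrying CoA is intentionally disabled in this module, since that is a behaviour change for any device that relied on it.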
510c575
< }
---
> #}

On Tue, Jul 5, 2016 at 12:56 PM, Adam Smith  wrote:

> Tim,
> How is the change out going?  If you aren't too busy I was wondering if I
> could get the diff info from you, if you aren't able to get it for me,
> that's ok too.  Our PF server isn't in production yet, I'm mostly testing
> it to see if it could replace the functionality that we were using on an
> evaluation of another system.
>
> *Adam Smith*
> Network Administrator
> Sundance Institute
> O:435.658.3456
> E:adam_sm...@sundance.org
> www.sundance.org
> 
>
> On Tue, Jun 28, 2016 at 5:53 PM, Adam Smith 
> wrote:
>
>> Np I understand, get what you need done and y

Re: [PacketFence-users] Aruba IAP radius CoA failing

2016-07-06 Thread Adam Smith
Wow, that's a lot of change out, good luck on the rest of it.

Thanks for the diff, I tried that comment while I was waiting with no
success, but the server started acting strange just before I made the
change.  I have since re-installed not using the ZEN device, just CentOS 7
and repos.  I'll look through the rest of the diff and try again and see if
I can get it to go.

Thanks again.

*Adam Smith*
Network Administrator
Sundance Institute
O:435.658.3456
E:adam_sm...@sundance.org
www.sundance.org


On Wed, Jul 6, 2016 at 1:50 PM, Tim DeNike  wrote:

> 191 out of 240 switches down, 9 routers installed, Conversion to MPLS
> done... That was the last 2.5 months... Then the datacenter
>
> This is off PF 5.7.
>
> I think what you are most interested in is the line where you comment out:
>
> 'Acct-Session-Id' => $acctsessionid,
>
> Otherwise, diff below:
>
> [root@packetfence1 Switch]# diff /root/Aruba.pm.1 Aruba.pm
> 73c73
> < use pf::node qw(node_attributes);
> ---
> > use pf::node;
> 395a396,460
> > sub returnRadiusAccessAccept {
> > my ($self, $args) = @_;
> > my $logger = $self->logger();
> >
> > my $radius_reply_ref = {};
> >
> > # should this node be kicked out?
> > my $kick = $self->handleRadiusDeny($args);
> > return $kick if (defined($kick));
> >
> > # Inline Vs. VLAN enforcement
> > my $role = "";
> > my $node_info = node_attributes($args->{'mac'});
> > if ( (!$args->{'wasInline'} || ($args->{'wasInline'} &&
> $args->{'vlan'} != 0) ) && isenabled($self->{_VlanMap})) {
> > if(defined($args->{'vlan'}) && $args->{'vlan'} ne "" &&
> $args->{'vlan'} ne 0){
> > $logger->info("(".$self->{'_id'}.") Added VLAN
> $args->{'vlan'} to the returned RADIUS reply");
> > $radius_reply_ref = {
> > 'Tunnel-Medium-Type' => $RADIUS::ETHERNET,
> > 'Tunnel-Type' => $RADIUS::VLAN,
> > 'Tunnel-Private-Group-ID' => $args->{'vlan'},
> > };
> > }
> > else {
> > $logger->debug("(".$self->{'_id'}.") Received undefined
> VLAN. No VLAN added to RADIUS Access-Accept");
> > }
> > }
> >
> > if ( isenabled($self->{_RoleMap}) &&
> $self->supportsRoleBasedEnforcement()) {
> > $logger->debug("Network device (".$self->{'_id'}.") supports
> roles. Evaluating role to be returned");
> > if ( defined($args->{'user_role'}) && $args->{'user_role'} ne ""
> ) {
> > $role = $self->getRoleByName($args->{'user_role'});
> > }
> > if ( defined($role) && $role ne "" ) {
> > $radius_reply_ref = {
> > %$radius_reply_ref,
> > $self->returnRoleAttributes($role),
> > };
> > $logger->info(
> > "(".$self->{'_id'}.") Added role $role to the returned
> RADIUS Access-Accept"
> > );
> > }
> > else {
> > $logger->debug("(".$self->{'_id'}.") Received undefined
> role. No Role added to RADIUS Access-Accept");
> > }
> > }
> > if ( defined($node_info->{'pid'}) && ( $node_info->{'pid'} ne
> 'default' ) && ( $node_info->{'pid'} ne 'admin' ) && ( $node_info->{'pid'}
> ne '' ) ) {
> > $radius_reply_ref = {
> >  %$radius_reply_ref,
> > 'User-Name' => $node_info->{'pid'},
> > };
> >
> > $logger->info("(".$self->{'_id'}.") Returning ACCEPT with
> User-Name: $node_info->{'pid'}");
> > }
> >
> > $logger->info("(".$self->{'_id'}.") Returning ACCEPT with VLAN
> $args->{'vlan'} ".( (defined($role) && $role ne "") ? "and role $role" : ""
> ));
> > my $status = $RADIUS::RLM_MODULE_OK;
> > if (!isenabled($args->{'unfiltered'})) {
> > my $filter = pf::access_filter::radius->new;
> > my $rule = $filter->test('returnRadiusAccessAccept', $args);
> > ($radius_reply_ref, $status) =
> $filter->handleAnswerInRule($rule,$args,$radius_reply_ref);
> > }
> >
> > return [$status, %$radius_reply_ref];
> > }
> >
> 491c556
> < 'Acct-Session-Id' => $acctsessionid,
> ---
> > #'Acct-Session-Id' => $acctsessionid,
> 498,508c563,573
> < if ( defined($role) && (defined($node_info->{'status'}) &&
> isenabled($self->{_RoleMap}) ) ) {
> <
> < $attributes_ref = {
> < %$attributes_ref,
> < 'Filter-Id' => $role,
> < };
> < $logger->info("[$self->{'_ip'}] Returning ACCEPT with role:
> $role");
> < $response = perform_coa($connection_info, $attributes_ref);
> <
> < }
> < else {
> ---
> > #if ( defined($role) && (defined($node_info->{'status'}) &&
> isenabled($self->{_RoleMap}) ) ) {
> > #
> > #$attributes_ref = {
> > #%$attributes_ref,
> > #'Filter-Id' => $role,
> > #};
> > #$logger->info("[$self->{'_ip'}] Returning ACCEPT wi

Re: [PacketFence-users] Aruba IAP radius CoA failing

2016-07-06 Thread Adam Smith
Just got it to work.

Had to upgrade to 6.2 and remove the CoA feature from the switch.  I am
actually using the original Aruba.pm now.  I think this kind of mimics what
you are doing with the lines that you removed.

Thanks for your help Tim.

*Adam Smith*
Network Administrator
Sundance Institute
O:435.658.3456
E:adam_sm...@sundance.org
www.sundance.org


On Wed, Jul 6, 2016 at 2:27 PM, Adam Smith  wrote:

> Wow, That's a lot of change out, good luck on the rest of it.
>
> Thanks for the diff, I tried that comment while I was waiting with no
> success, but the server started acting strange just before I made the
> change.  I have since re-installed not using the ZEN device just centOS7
> and repos.  I'll look through the rest of the diff and try again and see if
> I can get it to go.
>
> Thanks again.
>
> *Adam Smith*
> Network Administrator
> Sundance Institute
> O:435.658.3456
> E:adam_sm...@sundance.org
> www.sundance.org
> 
>
> On Wed, Jul 6, 2016 at 1:50 PM, Tim DeNike  wrote:
>
>> 191 out of 240 switches down, 9 routers installed, Conversion to MPLS
>> done... That was the last 2.5 months... Then the datacenter
>>
>> This is off PF 5.7.
>>
>> I think what you are most interested in is the line where you comment out:
>>
>> 'Acct-Session-Id' => $acctsessionid,
>>
>> Otherwise, diff below:
>>
>> [root@packetfence1 Switch]# diff /root/Aruba.pm.1 Aruba.pm
>> 73c73
>> < use pf::node qw(node_attributes);
>> ---
>> > use pf::node;
>> 395a396,460
>> > sub returnRadiusAccessAccept {
>> > my ($self, $args) = @_;
>> > my $logger = $self->logger();
>> >
>> > my $radius_reply_ref = {};
>> >
>> > # should this node be kicked out?
>> > my $kick = $self->handleRadiusDeny($args);
>> > return $kick if (defined($kick));
>> >
>> > # Inline Vs. VLAN enforcement
>> > my $role = "";
>> > my $node_info = node_attributes($args->{'mac'});
>> > if ( (!$args->{'wasInline'} || ($args->{'wasInline'} &&
>> $args->{'vlan'} != 0) ) && isenabled($self->{_VlanMap})) {
>> > if(defined($args->{'vlan'}) && $args->{'vlan'} ne "" &&
>> $args->{'vlan'} ne 0){
>> > $logger->info("(".$self->{'_id'}.") Added VLAN
>> $args->{'vlan'} to the returned RADIUS reply");
>> > $radius_reply_ref = {
>> > 'Tunnel-Medium-Type' => $RADIUS::ETHERNET,
>> > 'Tunnel-Type' => $RADIUS::VLAN,
>> > 'Tunnel-Private-Group-ID' => $args->{'vlan'},
>> > };
>> > }
>> > else {
>> > $logger->debug("(".$self->{'_id'}.") Received undefined
>> VLAN. No VLAN added to RADIUS Access-Accept");
>> > }
>> > }
>> >
>> > if ( isenabled($self->{_RoleMap}) &&
>> $self->supportsRoleBasedEnforcement()) {
>> > $logger->debug("Network device (".$self->{'_id'}.") supports
>> roles. Evaluating role to be returned");
>> > if ( defined($args->{'user_role'}) && $args->{'user_role'} ne
>> "" ) {
>> > $role = $self->getRoleByName($args->{'user_role'});
>> > }
>> > if ( defined($role) && $role ne "" ) {
>> > $radius_reply_ref = {
>> > %$radius_reply_ref,
>> > $self->returnRoleAttributes($role),
>> > };
>> > $logger->info(
>> > "(".$self->{'_id'}.") Added role $role to the returned
>> RADIUS Access-Accept"
>> > );
>> > }
>> > else {
>> > $logger->debug("(".$self->{'_id'}.") Received undefined
>> role. No Role added to RADIUS Access-Accept");
>> > }
>> > }
>> > if ( defined($node_info->{'pid'}) && ( $node_info->{'pid'} ne
>> 'default' ) && ( $node_info->{'pid'} ne 'admin' ) && ( $node_info->{'pid'}
>> ne '' ) ) {
>> > $radius_reply_ref = {
>> >  %$radius_reply_ref,
>> > 'User-Name' => $node_info->{'pid'},
>> > };
>> >
>> > $logger->info("(".$self->{'_id'}.") Returning ACCEPT with
>> User-Name: $node_info->{'pid'}");
>> > }
>> >
>> > $logger->info("(".$self->{'_id'}.") Returning ACCEPT with VLAN
>> $args->{'vlan'} ".( (defined($role) && $role ne "") ? "and role $role" : ""
>> ));
>> > my $status = $RADIUS::RLM_MODULE_OK;
>> > if (!isenabled($args->{'unfiltered'})) {
>> > my $filter = pf::access_filter::radius->new;
>> > my $rule = $filter->test('returnRadiusAccessAccept', $args);
>> > ($radius_reply_ref, $status) =
>> $filter->handleAnswerInRule($rule,$args,$radius_reply_ref);
>> > }
>> >
>> > return [$status, %$radius_reply_ref];
>> > }
>> >
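
Review bot: the last $logger->info in this sub ("Returning ACCEPT with VLAN $args->{'vlan'} ...") runs on every path, including the one where the else branch has just logged "Received undefined VLAN". On that path it interpolates an undefined value and reports a VLAN that was never put in the reply. Build the message from the keys actually present in $radius_reply_ref, or guard it with the same defined and non-empty test used for the Tunnel-* attributes.
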
>> 491c556
>> < 'Acct-Session-Id' => $acctsessionid,
>> ---
>> > #'Acct-Session-Id' => $acctsessionid,
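
Review bot: at 556 the 'Acct-Session-Id' entry is disabled by commenting it out, with nothing in the code saying why. Delete the line or replace it with a comment that records the reason, and if $acctsessionid is still computed above only for this entry, drop that as well so the module does not carry an unused value.
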
>> 498,508c563,573
>> < if ( defined($role) && (defined($node_info->{'status'}) &&
>> isenabled($self->{_RoleMap}) ) ) {
>> <
>> < $attributes_ref = {
>

Re: [PacketFence-users] Aruba IAP radius CoA failing

2016-07-06 Thread Tim DeNike
I'm still using CoA. Just based on MAC, not session ID.

Of course, I'm using a controller, not the IAP.

On Jul 6, 2016, at 7:49 PM, Adam Smith  wrote:

Just got it to work.

Had to upgrade to 6.2 and remove the CoA feature from the switch.  I am
actually using the original Aruba.pm now.  I think this kind of mimics what
you are doing with the lines that you removed.

Thanks for your help Tim.

*Adam Smith*
Network Administrator

Sundance Institute
O:435.658.3456
E:adam_sm...@sundance.org
www.sundance.org


On Wed, Jul 6, 2016 at 2:27 PM, Adam Smith  wrote:

> Wow, that's a lot of change out, good luck on the rest of it.
>
> Thanks for the diff, I tried that comment while I was waiting with no
> success, but the server started acting strange just before I made the
> change.  I have since re-installed not using the ZEN device just CentOS 7
> and repos.  I'll look through the rest of the diff and try again and see if
> I can get it to go.
>
> Thanks again.
>
> *Adam Smith*
> Network Administrator
> 
> Sundance Institute
> O:435.658.3456
> E:adam_sm...@sundance.org
> www.sundance.org
> 
>
> On Wed, Jul 6, 2016 at 1:50 PM, Tim DeNike  wrote:
>
>> 191 out of 240 switches down, 9 routers installed, Conversion to MPLS
>> done... That was the last 2.5 months... Then the datacenter
>>
>> This is off PF 5.7.
>>
>> I think what you are most interested in is the line where you comment out:
>>
>> 'Acct-Session-Id' => $acctsessionid,
>>
>> Otherwise, diff below:
>>
>> [root@packetfence1 Switch]# diff /root/Aruba.pm.1 Aruba.pm
>> 73c73
>> < use pf::node qw(node_attributes);
>> ---
>> > use pf::node;
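
Review bot: the bare use pf::node; at line 73 pulls in the module's whole default export list, while the added sub calls node_attributes, which the old explicit list already exported. The diff shows no need for the wider import, so keep use pf::node qw(node_attributes); and name any further function in that list if one is required.
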
>> 395a396,460
>> > sub returnRadiusAccessAccept {
>> > my ($self, $args) = @_;
>> > my $logger = $self->logger();
>> >
>> > my $radius_reply_ref = {};
>> >
>> > # should this node be kicked out?
>> > my $kick = $self->handleRadiusDeny($args);
>> > return $kick if (defined($kick));
>> >
>> > # Inline Vs. VLAN enforcement
>> > my $role = "";
>> > my $node_info = node_attributes($args->{'mac'});
>> > if ( (!$args->{'wasInline'} || ($args->{'wasInline'} &&
>> $args->{'vlan'} != 0) ) && isenabled($self->{_VlanMap})) {
>> > if(defined($args->{'vlan'}) && $args->{'vlan'} ne "" &&
>> $args->{'vlan'} ne 0){
>> > $logger->info("(".$self->{'_id'}.") Added VLAN
>> $args->{'vlan'} to the returned RADIUS reply");
>> > $radius_reply_ref = {
>> > 'Tunnel-Medium-Type' => $RADIUS::ETHERNET,
>> > 'Tunnel-Type' => $RADIUS::VLAN,
>> > 'Tunnel-Private-Group-ID' => $args->{'vlan'},
>> > };
>> > }
>> > else {
>> > $logger->debug("(".$self->{'_id'}.") Received undefined
>> VLAN. No VLAN added to RADIUS Access-Accept");
>> > }
>> > }
>> >
>> > if ( isenabled($self->{_RoleMap}) &&
>> $self->supportsRoleBasedEnforcement()) {
>> > $logger->debug("Network device (".$self->{'_id'}.") supports
>> roles. Evaluating role to be returned");
>> > if ( defined($args->{'user_role'}) && $args->{'user_role'} ne
>> "" ) {
>> > $role = $self->getRoleByName($args->{'user_role'});
>> > }
>> > if ( defined($role) && $role ne "" ) {
>> > $radius_reply_ref = {
>> > %$radius_reply_ref,
>> > $self->returnRoleAttributes($role),
>> > };
>> > $logger->info(
>> > "(".$self->{'_id'}.") Added role $role to the returned
>> RADIUS Access-Accept"
>> > );
>> > }
>> > else {
>> > $logger->debug("(".$self->{'_id'}.") Received undefined
>> role. No Role added to RADIUS Access-Accept");
>> > }
>> > }
>> > if ( defined($node_info->{'pid'}) && ( $node_info->{'pid'} ne
>> 'default' ) && ( $node_info->{'pid'} ne 'admin' ) && ( $node_info->{'pid'}
>> ne '' ) ) {
>> > $radius_reply_ref = {
>> >  %$radius_reply_ref,
>> > 'User-Name' => $node_info->{'pid'},
>> > };
>> >
>> > $logger->info("(".$self->{'_id'}.") Returning ACCEPT with
>> User-Name: $node_info->{'pid'}");
>> > }
>> >
>> > $logger->info("(".$self->{'_id'}.") Returning ACCEPT with VLAN
>> $args->{'vlan'} ".( (defined($role) && $role ne "") ? "and role $role" : ""
>> ));
>> > my $status = $RADIUS::RLM_MODULE_OK;
>> > if (!isenabled($args->{'unfiltered'})) {
>> > my $filter = pf::access_filter::radius->new;
>> > my $rule = $filter->test('returnRadiusAccessAccept', $args);
>> > ($radius_reply_ref, $status) =
>> $filter->handleAnswerInRule($rule,$args,$radius_reply_ref);
>> > }
>> >
>> > return [$status, %$radius_reply_ref];
>> > }
>> >
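
Review bot: in the first condition of returnRadiusAccessAccept, $args->{'vlan'} != 0 is evaluated (when wasInline is set) before the defined($args->{'vlan'}) test on the following line, and it is a numeric comparison where the following line uses ne 0. Under use warnings an undefined VLAN raises an uninitialized-value warning there, and a non-numeric VLAN value compares equal to 0, so the two tests can disagree. Check defined first and use one comparison style for both.
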
>> 491c556
>> < 'Acct-Session-Id' => $acctsessionid,
>> ---
>> > #'Acct-Session-Id' => $acctsessionid,
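
Review bot: commenting out 'Acct-Session-Id' at 556 removes it from the request for every device handled by this Aruba.pm, not only the setup being debugged. If some devices still need the session id, make the entry conditional on a per-switch setting rather than a local edit to the shared module.
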
>> 498,508c563,573
>> < if ( defined($role) && (defined($node_info->{'status'}) &&
>
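
This thread turns on two checks: whether the CoA/Disconnect request is signed with the secret the AP expects, and whether it names the client by Acct-Session-Id or by MAC alone. The Python below is an added example, not code from the thread or from PacketFence; it builds an RFC 5176 Disconnect-Request keyed only on the MAC and recomputes its authenticator the way a receiving NAS does. The secrets, MAC and packet id are constructed values, and using Calling-Station-Id as the MAC attribute is an assumption.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40   # RFC 5176 packet code
CALLING_STATION_ID = 31   # RFC 2865 attribute: client MAC (assumed identifier)
ACCT_SESSION_ID = 44      # RFC 2866 attribute: accounting session id

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as type, length (header included), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def _digest(header: bytes, attrs: bytes, secret: bytes) -> bytes:
    # Request Authenticator: MD5(code, id, length, 16 zero octets, attrs, secret)
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()

def build_disconnect(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Build a Disconnect-Request signed with the sender's shared secret."""
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    return header + _digest(header, attrs, secret) + attrs

def authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """Recompute the authenticator as the receiving NAS does with its secret."""
    expected = _digest(packet[:4], packet[20:], secret)
    return hmac.compare_digest(packet[4:20], expected)

def parse_attrs(packet: bytes) -> dict:
    """Return {attribute type: value} for a request, rejecting bad lengths."""
    out, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet) or not 2 <= packet[pos + 1] <= len(packet) - pos:
            raise ValueError("malformed attribute at offset %d" % pos)
        out[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return out

def matching_secrets(packet: bytes, candidates: list) -> list:
    """Which configured secrets validate a captured request (none = mismatch)."""
    return [s for s in candidates if authenticator_ok(packet, s)]

# Constructed sample: request keyed on the client MAC only, no Acct-Session-Id.
SENT = build_disconnect(7, attr(CALLING_STATION_ID, b"AA-BB-CC-DD-EE-FF"), b"server-secret")

if __name__ == "__main__":
    print("has Acct-Session-Id:", ACCT_SESSION_ID in parse_attrs(SENT))
    print("NAS holding 'server-secret' accepts:", authenticator_ok(SENT, b"server-secret"))
    print("NAS holding 'ap-secret' accepts:", authenticator_ok(SENT, b"ap-secret"))
    print("secrets that validate:", matching_secrets(SENT, [b"ap-secret", b"server-secret"]))
```

Run against the bytes of a captured request, matching_secrets shows which of the configured secrets the sender actually used; an empty result means the sender and the AP do not share a secret.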